Apple ID code leak 'sourced to US firm BlueToad'

BlueToad said it discovered the breach shortly after Antisec published the ID codes

A digital publishing firm has said it believed it was the source of Apple device ID codes posted to the internet.

Hackers who identified themselves as being part of the Antisec movement published more than one million unique device identifiers (UDIDs) last week.

They claimed the material had come from a laptop belonging to an FBI officer - something the agency denied.

Florida-based firm BlueToad apologised for the leak, adding that it thought the risk to iOS users was "very low".

"When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to co-operate with their ongoing criminal investigation of the parties responsible for the criminal attack and the posting of the information," the firm's chief executive, Paul DeHart, wrote on his company's blog.

The FBI confirmed to Reuters that "it certainly does appear that BlueToad was where the information was actually compromised".

Privacy threat

UDIDs are unique 40-character strings given to iPhones and iPads to help Apple distinguish the machines.

Although it is against Apple's guidelines, some app developers use the codes to identify devices to avoid resorting to usernames and passwords.

If attackers exploited a list of UDIDs and knew which apps used them inappropriately, they could, in theory, compromise users' privacy.

Apple plans to introduce an alternative system and no longer accepts apps in its store that collect the codes.

"With iOS 6 we introduced a new set of APIs [application program interfaces] meant to replace the use of the UDID and will soon be banning the use of UDID," a spokesman told the BBC.

"As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type. Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."

Named agent

The Antisec post had suggested a list of 12.4 million UDIDs had been extracted from an FBI agent's laptop along with matching usernames, mobile numbers and other personal details. The group released a file containing one million codes as proof.

Antisec are an offshoot of Anonymous dedicated to highlighting computer security issues

The implication was that the FBI might have been using them to spy on Apple device owners.

The news had the potential to be particularly damaging as the agent named - Christopher Stangl, from the agency's Regional Cyber Action Team - had represented it in public at security conferences.

However, the FBI strongly denied the allegation shortly after it was made, publishing a tweet that read: "We never had the info in question. Bottom Line: TOTALLY FALSE."

Antisec attacked

BlueToad has subsequently added that fewer than two million Apple device names and UDID codes had been stolen, rather than the claimed 12 million codes and other personal information.

One security expert suggested the news would undermine future claims by Antisec.

"Whatever credibility they had has certainly been damaged by making a claim that appears to be entirely false and having totally misrepresented their abilities," said Rik Ferguson, director of security research at Trend Micro.

"They must have known this would be exposed at some point.

"They had probably hoped that it would only be after the FBI had carried out a longer internal audit to confirm it had not been compromised, resulting in confusion and expense in the meantime."
