Hacktivist group leaks 1m Apple UUIDs

Metaratings
05 Sep 2012
00:00
Article

Last night hacktivist group Anitsec released one million and one Apple iOS IDs, device names and push notification tokens that it claims was taken from an FBI laptop.

Antisec said it was releasing the details as a publicity stunt to make people stop and realise the level of state surveillance that is going on in the modern world.

While some mainstream media quickly reported it as an hacker attack on privacy and Apple’s security, it was neither. Antisec said it removed any personally identifiable information from the subset released.

The file, the group claims, was gained during the second week of March 2012 from a Dell Vostro notebook owned by a special agent Christopher Strangl. The group claims to have used a known Java exploit to access the notebook, and while browsing through its contents found a file named, “NCFTA_iOS_devices_intel.csv.

This purportedly turned out to be a list of over 12 million Apple iOS devices with not just the UDID, device name and Apple push notification service tokens, but also the postal codes, telephone numbers, addresses and other personal details.

The list leaked, it must be stressed, only includes three fields without the personal information.

I downloaded the file, unencrypted it with the key that was posted, and got a huge plain text file with those three fields.

Using a simple XML request, I then used openfeint to see what each of the UDIDs were up to. Nothing sinister, but I did spent hours looking through the latest Fruit Ninja scores of lots of strangers, the time they last played, their username in the game (or any of a variety of other games that uses openfeint) and whether they were playing the game right now or not.

As long as you know how to use a Linux command line, all of that was trivial.

Had this file been released before May last year, that same query would also give out the GPS coordinates and in some cases, the Facebook profile of that same user. However, those glaring breaches of privacy were since plugged by openfeint.

Related content

Tags: