The hacker group Anonymous announced on Pastebin that it had acquired 12 million iOS user IDs from an FBI agent’s computer. Yes, one agent; one computer. Anonymous has released 1 million of the IDs along with the corresponding personal information.
So the answer is: maybe a lot more than you like.
Anonymous obtained the unique device identification numbers (UDIDs) from the laptop of Supervisor Special Agent Christopher K. Stangl through a known Java vulnerability. And the associated information? It includes things like user names, street addresses, zip codes, and cell phone numbers. Maybe we should ask what they don’t know about us.
According to ReadWriteWeb:
If the Anonymous list of UDIDs is real (and it looks like it is), the most pertinent question is what the FBI, and Stangl in particular, were doing with those numbers. Knowing the UDID of an iOS device could lead to tracking of that device and the credit card or social accounts it is tied to. Earlier this year, Apple shut off UDID access to App Store developers because of the potential abuse of privacy that UDIDs afford. The use of UDIDs could allow marketers and advertisers to track user location and other activities on the user’s device. That information could be very lucrative for advertisers and marketers. Apparently, it could also be useful to the FBI.
Aldo Cortesi, a coder and security consultant in New Zealand, has been preaching about the dangerous use of UDIDs for several years. He has long expected a dump of millions of UDIDs by enterprising hackers.
“I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked … and here we are,” Cortesi wrote on his personal website.
Anonymous agrees with Cortesi that establishing UDIDs was a bad idea from the beginning. “[We] always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future,” Anonymous wrote.
For all its loud and disjointed rhetoric, the data leak put an exclamation point on the issue of FBI tracking and Apple’s use of UDIDs. Anonymous released the 1 million UDIDs to attract the attention of the FBI, Apple, federal governments and large corporations. It is safe to say that the group has their attention now.
The FBI denies that anything like this has happened and they issued a press release and tweeted the following:
Don’t know about you, but I find this to be TOTALLY NOT REASSURING.
