September 05, 2012, 9:42 PM — This much we know: Earlier this week hackers from the Anonymous offshoot Antisec posted exactly one million and one unique Apple IDs online, along with the names of the devices and a few tidbits of personal information about their owners. We know these numbers are genuine because several Web commenters at Hacker News and other sites have verified that the unique IDs assigned to their iPhones and iPads are among those posted.
Beyond that, though, things start to get fuzzy. Antisec claims that these numbers -- known as Unique Data Item Descriptions, or UDIDs – were among 12.3 million it managed to steal from a laptop belonging to FBI agent Christopher Stangl last March. The FBI begs to differ, claiming a) it never got hacked, and b) never had possession of those 12 million numbers in the first place. Apple also officially denies handing over these IDs to the feds or anyone else.
If Antisec is telling the truth, then the FBI and Apple have some serious ‘splaining to do. But even if this is yet another quasi-practical joke being pulled by the Anons to implicate the feds just for lulz, it’s clear Antisec got those numbers from somewhere. It also seems that in many cases these numbers were anything but anonymous, containing along with them names, email addresses, cell phone numbers, ZIP codes, and more.
By themselves, UDIDs are harmless, the way a random 10-digit number is harmless. Attach the unique number to someone’s identity – or figure out that those 10 digits are really someone’s Social Security Number -- and the fun begins. But the biggest abusers of UDIDs aren’t hackers or, as far as we know, federal agents; they’re app makers and advertising networks.
In 2010, security researcher Erik Smith looked at 57 of the most popular apps available in the iTunes Store and found that 68 percent of them captured the device’s UDID and sent it back to the app’s servers or to advertisers. Another 18 percent encrypted the data sent upstream so it was impossible to determine whether the unique IDs were being transmitted. Smith wrote: