Breach of Florida app publisher was cause of Apple UDID release, not FBI

Last week's breach of Apple Unique Device Identifiers (UDIDs) was down to a Florida-based publisher rather than an FBI laptop.

A report by NBC News, stated that the Florida publishing company Blue Toad said that the million-record database of UDIDs were stolen from its servers two weeks ago, contradicting hacker claims that they were stolen from an FBI agent's laptop in March.

Blue Toad CEO Paul DeHart said that technicians at his firm downloaded the data released by Anonymous and compared it to the company's own database and found a 98 per cent correlation between the two datasets and took responsibility for the breach.

DeHart said an outside researcher contacted Blue Toad and suggested the data might have come from there. He said he was "pretty apologetic to the people who relied on us to keep this information secure".

He could not rule out the possibility that the data stolen from his company's servers was shared with others, and eventually made its way onto an FBI computer. He also said that he does not know who took the data and could not comment, citing an ongoing investigation. The hacking group Antisec had claimed responsibility in a lengthy statement.

David Schuetz, a security consultant at the Intrepidus Group, was the outside researcher who contacted Blue Toad, and detailed his research of the data. He said that after hearing the news, he surmised that comparing apps against multiple devices might help narrow down the source.

Following work comparing the data, it was suggested to him that there might be multiple apps' data, meaning it could be a game or advertising company, and shortly after he found what seemed to be the source of the breach.

“I had decided to look more closely at the most frequently repeated device IDs, on the theory that perhaps that would belong to a developer. They'd naturally test multiple apps for their company, each of which should have a different device token,” he said.

After further research, he found Blue Toad and contacted them about the breach and said that he had found some interesting data that suggested they might be involved.

He said: “By the time I went to bed, I had identified 19 different devices, each tied to Blue Toad in some way. One, appearing four times, is twice named ‘Hutch' (their CIO), and twice named 'Paul's gift to Brad' (Paul being the first name of the CEO, and Brad being their chief creative officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the director of digital services, the lead system admin, and a senior developer.

“This felt really significant. But as I started writing up my notes, doubt crept in. What are some other explanations? Perhaps everyone at the company uses a common suite of applications, [such as] the same timesheet app, for example. Then of course they'd all appear in the data. But even still, I couldn't shake the feeling that I'm onto something.

“I'm still not completely clear on all the technical details. Was Blue Toad really the source of the breach? How did the data get to the FBI (if it really did at all)? Or is it possible this is just a secondary breach, not even related to the UDID leak, and it was just a coincidence that I noticed? Finally, why haven't I noticed any of their applications in the (very few) lists of apps I've received?”

An FBI statement, released after the post of the data, said: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

Apple also publicly denied giving the information to the FBI and said that it began rejecting apps that access UDIDs earlier this year after phasing them out with the introduction of iOS 5.

Apple spokesperson Natalie Kerris told All Things D that: “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organisation.

“Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of UDID and will soon be banning the use of UDID.”

Sign up to our newsletters