Company Outs Itself as Source of Stolen Apple Device IDs
Updated 6:15 p.m. ET Monday: BlueToad has posted a statement on its official blog. Scroll to the bottom for more.
A small Florida company has come forward as the source of the 1 million Apple device IDs that were leaked last week by an Anonymous-affiliated hacktivist group.
"That's 100 percent confidence level, it's our data," Paul DeHart, chief executive officer of Orlando-based BlueToad Inc., told NBC News.
DeHart told NBC News' Kerry Sanders and Bob Sullivan that his company had found a 98 percent correlation between the leaked data and BlueToad's own database of Apple universal device identifiers (UDIDs).
"As soon as we found out we were involved and victimized, we approached the appropriate law-enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this,” DeHart told NBC News.
David Schuetz, a consultant in the Northern Virginia office of New York-based mobile-security company Intrepidus Group, approached BlueToad last Wednesday (Sept. 5) with evidence that its database was the source of the UDID data dump. Schuetz posted a detailed account of his methods on his company blog.
On Sept. 3, a message in the name of the Anonymous spinoff group Anti-Sec was posted on the online bulletin board Pastebin. It gave instructions for downloading and decrypting a cache of 1,000,001 Apple UDIDs, which the message said had been stolen in March from the laptop of an FBI agent.
DeHart told NBC News that he had no idea whether the data had indeed turned up on an FBI computer, but said that it had been stolen from BlueToad "in the past two weeks." (Schuetz, however, mentioned in his blog posting that he'd found online a password-data dump for BlueToad dating from March 14.)
Last week, the FBI denied any knowledge of a data breach, and Apple denied it had provided any UDIDs to the FBI.
"I had no idea the impact this would ultimately cause," DeHart told NBC News. "We're pretty apologetic to the people who relied on us to keep this information secure."
BlueToad makes smartphone apps for publishers of traditional printed media, such as newspapers, magazines, brochures and catalogs. It would not name its clients for NBC News.
Apple UDIDs are burned into each iPhone, iPad and iPod Touch. Transmitted over the Internet, they identify specific gadgets to Apple and to iOS app developers.
By themselves, UDIDs should not present any security risk to the owners of the affected devices. But New Zealand-based security researcher Aldo Cortesi last year showed that developers who don't follow Apple's guidelines sometimes post personal user information alongside UDIDs online, allowing third parties to link one set of data to the other.
Apple has cracked down on misuse of UDIDs by developers and will be phasing out their use by apps in iOS 6, the next version of its mobile operating system, due this fall.
UPDATE: Later Monday, BlueToad posted a statement on its official blog regarding the incident.
"A little more than a week ago, BlueToad was the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet," wrote president and CEO Paul DeHart.
"Although we successfully defend against thousands of cyber attacks each day, this determined criminal attack ultimately resulted in a breach to a portion of our systems," DeHart wrote. "We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again."
"BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, Social Security numbers or medical information," DeHart said. "Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs. We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base."