On FBI and Your UDID

So, today there was a rather significant data leak posted by the folks at Antisec who apparently managed to breach a system of an FBI agent and leaked 1 million of those records to the web.

Oops.

At first I was skeptical as there was no corroboration but, once I pulled the data and started hunting though it I found some people were in there that I knew and was able to confirm that some of their devices were in fact included. The UDID or Apple unique device ID is tied to iPhones or iPads.

Rob Lemos confirmed that one of his iPads was in fact in the list of dumped UDIDs from the compromised FBI system.

I was in the process of posting a searchable db of the affected data but, I suffered through a bunch of memory errors and was about to five up when I found http://dazzlepod.com/apple/. You can use that link to do partial searches and (possibly) find your UDID. I was happy to note that the only people I could validate in the file were in fact US citizens. I would have been seriously annoyed if I was in there.

So, how does one go about finding the information if they want to test the data?

From Pastebin:

Download links:

http://freakshare.com/files/6gw0653b/Rxdzz.txt.html
http://u32.extabit.com/go/28du69vxbo4ix/?upld=1
http://d01.megashares.com/dl/22GofmH/Rxdzz.txt
http://minus.com/l3Q9eDctVSXW3
https://minus.com/mFEx56uOa
http://uploadany.com/?d=50452CCA1
http://www.ziddu.com/download/20266246/Rxdzz.txt.html
hxxp://www.sendmyway.com/2bmtivv6vhub/Rxdzz.txt.html

HOW TO GET THE CANDY ONCE YOU HAVE DOWNLOADED THE FILE

first check the file MD5:
e7d0984f7bb632ee19d8dda1337e9fba

(lol yes, a “1337” there for the lulz, God is in the detail)

then decrypt the file using openssl:
openssl aes-256-cbc -d -a -in file.txt -out decryptedfile.tar.gz

password is:
antis3cs5clockTea#579d8c28d34af73fea4354f5386a06a6

then uncompress:
tar -xvzf decryptedfile.tar.gz

and then check file integrity using the MD5 included in the password u used to
decrypt before:
579d8c28d34af73fea4354f5386a06a6
^ yeah that one.

OK, now you have the data or at the very least a way to check for your UDID. The question that comes to mind is…how did the FBI get this information in the first place?

From AFP:

Johannes Ullrich of the SANS Internet Storm Center said it was difficult to verify the report.
“There is nothing else in the file that would implicate the FBI. So this data may very well come from another source. But it is not clear who would have a file like this,” he told AFP.

Ullrich said it is unclear why the FBI, if the report were true, would have the data.

“The size of the file… would imply a widespread, not a targeted tracking operation, or the file was just kept in case any of the users in the file needs to be tracked,” he said.

“The significance of this breach very much hinges on the source, which as far as I know, hasn’t been authenticated yet. The data is, however, real based on some of the reports that people do find their own UDID in the file.”

Sure, the FBI will likely not comment on this leak for a while. But, if in fact this turns out to be real (as I’m thinking it may be) who gave them this data?

It should be noted that this is only a subset of the data that was leaked.

Was it Apple? Was it an app author that divulged this information? Is there a common denominator among the apps people have installed?

The search for the needle in the haystack begins.

(Image used under CC from e_monk)

UPDATE: The plot thickens…

…and then