BlueToad admits stolen Apple UDIDs came from its own servers

Darth Null, aka David Schuetz (a security researcher at Intrepidus) had been looking at the leaked UDID data. He noticed a small number of duplicates, and began to think an app developer might be involved. “They’d naturally test multiple apps for their company, each of which should have a different device token,” he blogged yesterday. He looked closer. By the end of the day he “had identified nineteen different devices, each tied to BlueToad in some way. One, appearing four times, is twice named ‘Hutch’ (their CIO), and twice named ‘Paul’s gift to Brad’ (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer.”

He contacted BlueToad, and suggested they might be involved. BlueToad soon publicly confirmed that the data had indeed come from them. CEO Paul DeHart told NBC News that his engineers downloaded the leaked database and compared it to their own dataset – finding a 98% correlation. “That’s 100 percent confidence level, it's our data,” he said. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.” BlueToad’s internal investigation concluded that the data had been stolen from them “in the past two weeks.” He also said that less than 2 million UDIDs were involved, not the 12 million claimed by AntiSec.

This information throws doubt on AntiSec’s claim that it had stolen the data from the FBI (which had earlier denied ever having the data). So far, however, researchers are not absolutely ruling out the possibility that the data had somehow ended up with the FBI, although “Timing-wise, (AntiSec’s) story doesn't make sense,” said DeHart. He told Reuters that BlueToad now understands how the hack was perpetrated, and has passed the information to law enforcement. “We haven't tied it to a person at least as of yet... but we were able to figure out essentially what happened, tied to a lot of things and we've passed that information on (to the FBI),” DeHart said.

But wherever the data came from, it has still ended up in the public domain. On its own it is of little danger to Apple users. “I don't see that the combination of a UDID and the pet-name of an iGadget would be useful to an attacker in itself,” Mac security researcher David Harley told Infosecurity. “He would need to be able to tie them to more specific personal data in order to get any illicit access to user accounts. If he had some kind of direct access to the device, or was able to match the UDID to one in other leaked data, that would be more worrying. Of course, it's claimed that the attackers in this case have access to more comprehensive data on many more iGadget users, but since their claim of FBI involvement now looks significantly more doubtful, so do their other claims.”

Meanwhile, Apple itself has stopped allowing apps to gather UDIDs – a process that has been evolving for some time, and is not connected to this episode.