When David Schuetz woke up last Friday, little did he think he’d be a central figure in clearing the FBI’s good name, much less end up on the NBC Nightly News, but that’s exactly what happened.
Schuetz, a senior consultant with Intrepidus Group, put his best detective hat on last week and pieced together enough evidence to determine that BlueToad, a Florida based technology provider for digital publishers, was at the heart of a data breach that exposed 12 million Apple unique device IDs–and not the United States’ top law enforcement agency.
On Sept. 3, AntiSec, an offshoot of the Anonymous hacker collective posted more than 1 million Apple UDIDs to Pastebin, claiming to have stolen more than 12 million from an FBI agent’s laptop in March. AntiSec claimed to have personal mailing addresses and phone numbers, in addition to the UDIDs and device tokens for the Apple Push Notification Service (APNS) for numerous types of Apple devices such as iPhones, iPads and iPod Touches.
The FBI quickly denied it was the source of the breach. Schuetz, a self-proclaimed puzzle solver who goes by Darth Null on Twitter , couldn’t resist a review of the data on Pastebin in an attempt to find the source. He quickly learned that there were about 15,000 duplicate device IDs among the records, many attached to different device tokens. After soliciting some opinions on Twitter, consensus was reached that the repeated device IDs could belong to a developer testing applications. A closer look at some of the repeat device names called out BlueToad and some of its executives and senior technoogy people by name.
Schuetz began to suspect he’d found the source.
BlueToad builds upwards of 2,000 digital editions of publications for 10,000 publishers monthly, utilizing technology to convert PDFs to Flash or HTML versions for online viewing, including on applications for the iPad and iPhone. Schuetz reached out to the company, indicating he had evidence they were tied to the breach; he had identified 19 different devices tied to BlueToad, including devices tied to their CEO and CIO. To say he was 100% sure at that point was an overstatement.
“I wouldn’t say doubt is gnawing at me. But I received lists of applications from three or four people who were on the list, and I didn’t see any BlueToad apps on that list. But they might’ve deleted the apps, or maybe there was an app that BlueToad no longer sells. It’s just odd, and I’ve heard a few similar cases from other people on Twitter (not many),” Shuetz said in an email exchange with Threatpost. “Then again, with a million devices, there are bound to be a few anomalies. Also, I haven’t seen any technical proof. It’s just prudent, with any claim that you can’t independently verify, to be cautious. [BlueToad] say they found ‘98% correlation’ between the data sets, but I’m not sure exactly what that means, what methodology they used to arrive at that conclusion. I’m inclined to trust them, and have no reason to doubt them, but it’s just not something we explicitly know.”
He continued poking around and eventually found a password dump online for BlueToad dated March 14, the same week AntiSec said it had breached the FBI computer. Any hesitancy Schuetz had regarding BlueToad’s connection to the breach was evaporating.
In the meantime, BlueToad CIO Hutch Hicken reached out twice to Schuetz, the second time confirming that the company was confident they were the source of the breach and shared some technical details with Schuetz. He also informed him Kerry Sanders of NBC was with him and wanted to fly to Schuetz that night for an on-camera interview, which aired last night.
“It was a surreal way to conclude what started out largely as another puzzle hunt,” Schuetz wrote in a blogpost Friday. “I’m glad to have been able to help.”
Yesterday, BlueToad CEO Paul DeHart publicly confirmed via the company’s blog that it was the source of the breach and that it had contacted law enforcement and was cooperating in the investigation. DeHart also said the vulnerability that was exploited had been fixed and that a third-party security company had been hired to help BlueToad.
“We understand and respect the privacy concerns surrounding the data that was stolen from our system. BlueToad believes the risk that the stolen data can be used to harm app users is very low,” DeHart said. “But that certainly doesn’t lessen our resolve to ensure that all data is protected and kept from those who seek to illegally obtain it.”
He added that BlueToad has never collected personal information such as credit card or Social Security numbers and that the UDIDs that were taken were collected and stored as a general practice. He said that BlueToad is following a recommendation from Apple to discontinue the practice of reporting UDIDs.
“We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base,” he said.
Schuetz said an attacker isn’t likely to be able to do much with the UDIDs beyond tracking device locations. A more realistic risk, he said, comes from the information devices share alongside the UDID and what might happen to that data once it’s with a third party.
“For example, I’ve noticed a weather application on the phone that provides UDID and location to third-party advertising servers. When I enabled location services for that app, I presumed it was simply to get data customized for my location,” he said. “For it to share the location with a third party seems like a serious breach of privacy (and this wasn’t a dumbed down location — it exactly identified my location, right down to the side of the house I was on.”
