Meet the guy who cracked the case of the stolen iPhone IDs
FORTUNE — Last week, the AltSec hacker group claimed it found 1 million UDIDs — the numbers by with Apple AAPL identifies iOS devices — on an FBI agent’s laptop. They used the purported discovery as evidence that the U.S. government was engaged in widespread surveillance of its citizens through their smartphones.
On Monday, NBC News reported that that the numbers did not come from the FBI, but rather from the servers BlueToad, an Orlando, FL-based company that distributes digital magazine content to iPhones and iPads.
How do they know?
Because of the work of a lone mobile security expert named David Schuetz. NBC and Blue Toad asked Schuetz not to write about how he cracked the case until Monday so that Blue Toad could release a statement and NBC could have its exclusive.
With the embargo lifted, Schuetz has now posted the details of his work on his Intrepidus Security website. The key: The usually large number of repeats he discovered within the 1 million UDIDs.
It was a neat piece of digital sleuthing, and it makes for a cool detective story. A sample:
As this was the kids’ first day of school, we went out for a nice dinner to celebrate. While there, I thought more about what I’d found, and decided to roll the dice: I sent an email to BlueToad, using the email address on their website. I didn’t say much, just that there’d been a breach involving UDID and push tokens, and I’ve found some interesting data that suggest they may be involved. After returning home, I spent another four hours digging for more.
By the time I went to bed, I had identified nineteen different devices, each tied to BlueToad in some way. One, appearing four times, is twice named “Hutch” (their CIO), and twice named “Paul’s gift to Brad” (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer.
This felt really significant. But as I started writing up my notes, doubt crept in. What are some other explanations? Perhaps everyone at the company uses a common suite of applications. Like the same timesheet app, for example. Then of course they’d all appear in the data. But even still, I couldn’t shake the feeling that I’m onto something.
You can read the rest of Schuetz’ step-by-step account here. He also makes a brief appearance at the end of the segment that aired Monday evening on NBC Nightly News,