People have social security numbers but iPhones have UDIDs - unique numbers assigned by Apple and used by mobile app companies to secure personal information and user accounts. That means you don’t want your UDID to fall into the wrong hands, or for it to be part of the 1,000,001 published online last night by activist hackers saying they are part of a 12 million strong collection stolen from the FBI. The UDIDs released appear to be real, with many iPhone users tweeting today that their devices’ numbers were on the list.
The leak is potentially serious. An iPhone user is very unlikely to ever see their UDID, but research has shown that most apps collect an iPhone’s UDID and transmit it back to their developer, and some app developers use it to control which device can access account information. Security consultant Aldo Cortesi showed last year that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account. In a post responding to the news of the leaked list he wrote:
“When speaking to people about this, I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”
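The weakness Cortesi describes is that a device identifier is treated as if it were a secret. The following is an added illustration, not code from the article or from any of the apps it mentions: a minimal server-side sketch in Python contrasting an account lookup keyed only on the UDID with one keyed on a server-issued random token that is merely bound to the UDID. The UDID value, account name and class names are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample data (not real identifiers): a 40-hex-character
# UDID-like string and the account it is associated with.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ACCOUNT = "alice"


class UdidAuthService:
    """Weak pattern: the device identifier is the only credential."""

    def __init__(self):
        self._account_by_udid = {}

    def register(self, udid, account):
        self._account_by_udid[udid] = account

    def login(self, udid):
        # Whoever knows the UDID (for example from a leaked list) gets the account.
        return self._account_by_udid.get(udid)


class TokenAuthService:
    """Hardened pattern: a server-issued random secret is the credential.

    The UDID may still be recorded for device management or anomaly detection,
    but it is treated as public information and never grants access by itself.
    """

    def __init__(self):
        # token digest -> (account, udid it was issued to)
        self._session_by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, udid, account):
        # Called only after the user has proved identity some other way
        # (password, OAuth, etc.). Returns the secret the app must keep in the
        # device keychain; the server stores only its hash.
        token = secrets.token_urlsafe(32)
        self._session_by_digest[self._digest(token)] = (account, udid)
        return token

    def login(self, udid, token=None):
        if token is None:
            return None
        entry = self._session_by_digest.get(self._digest(token))
        if entry is None:
            return None
        account, bound_udid = entry
        # Defence in depth: a valid token presented from a different device is
        # refused. The UDID is a consistency check here, not a credential.
        if not secrets.compare_digest(bound_udid, udid):
            return None
        return account


def demo():
    """Show what a party holding only a leaked UDID can do under each scheme."""
    weak = UdidAuthService()
    weak.register(SAMPLE_UDID, SAMPLE_ACCOUNT)

    hardened = TokenAuthService()
    token = hardened.register(SAMPLE_UDID, SAMPLE_ACCOUNT)

    return {
        "weak_with_leaked_udid": weak.login(SAMPLE_UDID),
        "hardened_with_leaked_udid": hardened.login(SAMPLE_UDID),
        "hardened_with_token": hardened.login(SAMPLE_UDID, token),
        "hardened_token_other_device": hardened.login("f" * 40, token),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The first scheme gives up the account to anyone who has the UDID; the second yields nothing without the per-device secret, and the leaked identifier only helps a legitimate token holder be recognised on the device it was issued to.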
Hacker group AntiSec, part of Anonymous, released the UDIDs along with a gloating note claiming they were stolen from “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team”. However the FBI told Reuters that:
“At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
The note also claims that the full list contained just over 12 million UDIDs, many accompanied by additional personal information:
“user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”
Despite the FBI’s statement, it’s unclear whether the full story of how the UDIDs were leaked will be made public. Apple certainly has all UDIDs on file, but many other companies such as app developers will have their own. Law enforcement may well have some UDIDs, and could request them from companies holding them. But hackers may also have gone directly to the source, for example compromising an app developer or mobile ad company to steal their database of UDIDs and user information.
The breach will likely lead to Apple quietly beginning to restrict the way apps may access a device’s UDID. The company has already signaled to ad companies that they should stop using them to track users (See “Mobile-Ad Firms Seek New Ways to Track You”).
Updated 5.25pm ET to add the FBI’s statement.