Why It Matters That Apple Device IDs Were Leaked
People have social security numbers but iPhones have UDIDs - unique numbers assigned by Apple and used by mobile app companies to secure personal information and user accounts. That means you don’t want your UDID to fall into the wrong hands, or it to be part of the 1,000,001 published online last night by activist hackers saying they are part of a 12 million strong collection stolen from the FBI. The UDIDs released appear to be real, with many iPhone users tweeting today that their devices numbers were on the list.
The leak is potentially serious. An iPhone user is very unlikely to ever see their UDID, but research has shown that most apps collect an iPhone’s UDID and transmit it back to their developer and some app developers use it to control which device can access account information. Security consultant Aldo Cortesi showed last year that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account. In a post responding to the news of the leaked list he wrote:
“When speaking to people about this, I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”
Hacker group AntiSec, part of Anonymous, released the UDIDs along with a gloating note claiming they were stolen from “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team”. However the FBI told Reuters that:
“At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
The note also claims that the full list contained just over 12 million UDIDs, many accompanied by additional personal information:
“user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”
Despite the FBI’s statement, it’s unclear whether the full story of how the UDIDs were leaked will be made public. Apple certainly has all UDIDs on file, but many other companies such as app developers will have their own. Law enforcement may well have some UDIDs, and could request them from companies holding them. But hackers may also have gone directly to the source, for example compromising an app developer or mobile ad company to steal their database of UDIDs and user information.
The breach will likely to Apple quietly beginning to restrict the way apps may access a device’s UDID. The company has already signaled to ad companies that they should stop using them to track users (See “Mobile-Ad Firms Seek New Ways to Track You”).
Updated 5.25pm ET to add the FBI’s statement.
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Deep learning pioneer Geoffrey Hinton has quit Google
Hinton will be speaking at EmTech Digital on Wednesday.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.