Skip to Content

Why It Matters That Apple Device IDs Were Leaked

Accounts for mobile apps and social accounts could be at risk.
September 4, 2012

People have social security numbers but iPhones have UDIDs - unique numbers assigned by Apple and used by mobile app companies to secure personal information and user accounts. That means you don’t want your UDID to fall into the wrong hands, or it to be part of the 1,000,001 published online last night by activist hackers saying they are part of a 12 million strong collection stolen from the FBI. The UDIDs released appear to be real, with many iPhone users tweeting today that their devices numbers were on the list.

The leak is potentially serious. An iPhone user is very unlikely to ever see their UDID, but research has shown that most apps collect an iPhone’s UDID and transmit it back to their developer and some app developers use it to control which device can access account information. Security consultant Aldo Cortesi showed last year that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account. In a post responding to the news of the leaked list he wrote:

“When speaking to people about this, I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”

Hacker group AntiSec, part of Anonymous, released the UDIDs along with a gloating note claiming they were stolen from “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team”. However the FBI told Reuters that:

“At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The note also claims that the full list contained just over 12 million UDIDs, many accompanied by additional personal information:

“user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Despite the FBI’s statement, it’s unclear whether the full story of how the UDIDs were leaked will be made public. Apple certainly has all UDIDs on file, but many other companies such as app developers will have their own. Law enforcement may well have some UDIDs, and could request them from companies holding them. But hackers may also have gone directly to the source, for example compromising an app developer or mobile ad company to steal their database of UDIDs and user information.

The breach will likely to Apple quietly beginning to restrict the way apps may access a device’s UDID. The company has already signaled to ad companies that they should stop using them to track users (See “Mobile-Ad Firms Seek New Ways to Track You”).

Updated 5.25pm ET to add the FBI’s statement.

Keep Reading

Most Popular

VR is as good as psychedelics at helping people reach transcendence

On key metrics, a VR experience elicited a response indistinguishable from subjects who took medium doses of LSD or magic mushrooms.

This nanoparticle could be the key to a universal covid vaccine

Ending the covid pandemic might well require a vaccine that protects against any new strains. Researchers may have found a strategy that will work.

How do strong muscles keep your brain healthy?

There’s a robust molecular language being spoken between your muscles and your brain.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.