Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Tom Simonite

A View from Tom Simonite

Why It Matters That Apple Device IDs Were Leaked

Accounts for mobile apps and social accounts could be at risk.

  • September 4, 2012

People have social security numbers but iPhones have UDIDs - unique numbers assigned by Apple and used by mobile app companies to secure personal information and user accounts. That means you don’t want your UDID to fall into the wrong hands, or it to be part of the 1,000,001 published online last night by activist hackers saying they are part of a 12 million strong collection stolen from the FBI. The UDIDs released appear to be real, with many iPhone users tweeting today that their devices numbers were on the list.

The leak is potentially serious. An iPhone user is very unlikely to ever see their UDID, but research has shown that most apps collect an iPhone’s UDID and transmit it back to their developer and some app developers use it to control which device can access account information. Security consultant Aldo Cortesi showed last year that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account. In a post responding to the news of the leaked list he wrote:

“When speaking to people about this, I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”

Hacker group AntiSec, part of Anonymous, released the UDIDs along with a gloating note claiming they were stolen from “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team”. However the FBI told Reuters that:

“At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The note also claims that the full list contained just over 12 million UDIDs, many accompanied by additional personal information:

“user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Despite the FBI’s statement, it’s unclear whether the full story of how the UDIDs were leaked will be made public. Apple certainly has all UDIDs on file, but many other companies such as app developers will have their own. Law enforcement may well have some UDIDs, and could request them from companies holding them. But hackers may also have gone directly to the source, for example compromising an app developer or mobile ad company to steal their database of UDIDs and user information.

The breach will likely to Apple quietly beginning to restrict the way apps may access a device’s UDID. The company has already signaled to ad companies that they should stop using them to track users (See “Mobile-Ad Firms Seek New Ways to Track You”).

Updated 5.25pm ET to add the FBI’s statement.

Be the leader your company needs. Implement ethical AI.
Join us at EmTech Digital 2019.

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.