Tom Simonite

A View from Tom Simonite

Why It Matters That Apple Device IDs Were Leaked

Accounts for mobile apps and social accounts could be at risk.

  • September 4, 2012

People have social security numbers but iPhones have UDIDs - unique numbers assigned by Apple and used by mobile app companies to secure personal information and user accounts. That means you don’t want your UDID to fall into the wrong hands, or it to be part of the 1,000,001 published online last night by activist hackers saying they are part of a 12 million strong collection stolen from the FBI. The UDIDs released appear to be real, with many iPhone users tweeting today that their devices numbers were on the list.

The leak is potentially serious. An iPhone user is very unlikely to ever see their UDID, but research has shown that most apps collect an iPhone’s UDID and transmit it back to their developer and some app developers use it to control which device can access account information. Security consultant Aldo Cortesi showed last year that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account. In a post responding to the news of the leaked list he wrote:

“When speaking to people about this, I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”

Hacker group AntiSec, part of Anonymous, released the UDIDs along with a gloating note claiming they were stolen from “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team”. However the FBI told Reuters that:

“At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The note also claims that the full list contained just over 12 million UDIDs, many accompanied by additional personal information:

“user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Despite the FBI’s statement, it’s unclear whether the full story of how the UDIDs were leaked will be made public. Apple certainly has all UDIDs on file, but many other companies such as app developers will have their own. Law enforcement may well have some UDIDs, and could request them from companies holding them. But hackers may also have gone directly to the source, for example compromising an app developer or mobile ad company to steal their database of UDIDs and user information.

The breach will likely to Apple quietly beginning to restrict the way apps may access a device’s UDID. The company has already signaled to ad companies that they should stop using them to track users (See “Mobile-Ad Firms Seek New Ways to Track You”).

Updated 5.25pm ET to add the FBI’s statement.

Want to go ad free? No ad blockers needed.

Become an Insider
Already an Insider? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Premium.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Listen in as our editors talk to innovators from around the world.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.