We know what UDID last summer
The alleged theft of 12 million unique Apple device ID numbers by hackers has serious privacy implications, but the real culprit in this crime is Apple itself.
This much we know: Earlier this week hackers from the Anonymous offshoot Antisec posted exactly one million and one unique Apple IDs online, along with the names of the devices and a few tidbits of personal information about their owners. We know these numbers are genuine because several Web commenters at Hacker News and other sites have verified that the unique IDs assigned to their iPhones and iPads are among those posted.
Beyond that, though, things start to get fuzzy. Antisec claims that these numbers -- known as Unique Data Item Descriptions, or UDIDs -- were among 12.3 million it managed to steal from a laptop belonging to FBI agent Christopher Stangl last March. The FBI begs to differ, claiming a) it never got hacked, and b) it never had possession of those 12 million numbers in the first place. Apple also officially denies handing over these IDs to the feds or anyone else.
If Antisec is telling the truth, then the FBI and Apple have some serious ‘splaining to do. But even if this is yet another quasi-practical joke being pulled by the Anons to implicate the feds just for lulz, it’s clear Antisec got those numbers from somewhere. It also seems that in many cases these numbers were anything but anonymous, containing along with them names, email addresses, cell phone numbers, ZIP codes, and more.
By themselves, UDIDs are harmless, the way a random 10-digit number is harmless. Attach the unique number to someone’s identity -- or figure out that those 10 digits are really someone’s Social Security Number -- and the fun begins. But the biggest abusers of UDIDs aren’t hackers or, as far as we know, federal agents; they’re app makers and advertising networks.
In 2010, security researcher Eric Smith looked at 57 of the most popular apps available in the iTunes Store and found that 68 percent of them captured the device’s UDID and sent it back to the app’s servers or to advertisers. Another 18 percent encrypted the data sent upstream, so it was impossible to determine whether the unique IDs were being transmitted. Smith wrote:
A substantial number of applications collect both the phone’s UDID and some form of user login data which ties to a stored user account. These applications, such as Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. This ability, combined with the demonstrated widespread collection of UDID usage data, illustrates the ease of real-time user tracking…. Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location to be collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies.
In other words, a UDID becomes a kind of super cookie that can never be deleted and is for all practical purposes invisible to users. Apple eventually saw the light last year and began forbidding app makers from accessing UDIDs on iDevices, but not before millions of unique IDs were hoovered up by app makers and their advertising partners.
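The "super cookie" problem described above comes down to one join: any party holding uploads from several apps can merge them on the shared device ID, and one app that also collects a login (as Smith notes) names the resulting profile. The following is an added illustration, not code from the article or from Apple, using constructed upload records and a hypothetical per-app key scheme (HMAC-SHA256 of the device ID under a key specific to each app) to show why a global identifier is linkable and an app-scoped one is not.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: what three hypothetical apps might report upstream
# for two devices. The "udid" values stand in for real 40-hex-character IDs.
SAMPLE_UPLOADS = [
    {"app": "shop",    "udid": "udid-device-1", "email": "alice@example.com"},
    {"app": "weather", "udid": "udid-device-1", "zip": "94103"},
    {"app": "news",    "udid": "udid-device-1", "section": "finance"},
    {"app": "weather", "udid": "udid-device-2", "zip": "10001"},
    {"app": "news",    "udid": "udid-device-2", "section": "sports"},
]

# Hypothetical per-app secrets. In a real platform scheme the OS, not the app,
# would hold these and hand each app only its derived identifier.
APP_KEYS = {"shop": b"shop-secret", "weather": b"weather-secret", "news": b"news-secret"}


def merge_profiles(uploads, id_field="udid"):
    """Join uploads from different apps on the shared identifier.

    This is the data-broker view: returns {identifier: {"apps": set, "fields": dict}}
    with every attribute any app reported, merged into one record per identifier.
    """
    profiles = defaultdict(lambda: {"apps": set(), "fields": {}})
    for rec in uploads:
        profile = profiles[rec[id_field]]
        profile["apps"].add(rec["app"])
        profile["fields"].update(
            {k: v for k, v in rec.items() if k not in ("app", id_field)}
        )
    return dict(profiles)


def scope_identifier(udid, app_key):
    """Derive an app-scoped identifier: HMAC-SHA256 of the device ID under the app's key.

    Stable for one app (the app can still recognise a returning device) but
    unrelated across apps, so two apps' uploads cannot be joined on it.
    """
    return hmac.new(app_key, udid.encode(), hashlib.sha256).hexdigest()


def scope_uploads(uploads, app_keys):
    """Rewrite the uploads as they would look if each app only ever saw its scoped ID."""
    return [
        dict(rec, udid=scope_identifier(rec["udid"], app_keys[rec["app"]]))
        for rec in uploads
    ]


def cross_app_linkable(profiles):
    """Count identifiers reported by more than one app: the super-cookie condition."""
    return sum(1 for p in profiles.values() if len(p["apps"]) > 1)


if __name__ == "__main__":
    raw = merge_profiles(SAMPLE_UPLOADS)
    print("global UDID: linkable devices =", cross_app_linkable(raw))
    print("  device 1 profile:", raw["udid-device-1"])
    scoped = merge_profiles(scope_uploads(SAMPLE_UPLOADS, APP_KEYS))
    print("app-scoped ID: linkable devices =", cross_app_linkable(scoped))
```

With the raw UDID, both devices collapse into a single cross-app profile, and device 1's email from the shopping app now labels its weather and news activity. With scoped identifiers every app sees a different value, so the same merge yields five unlinked fragments. The caveat is that scoping only defeats joins by parties who see nothing but the identifier: an app that also collects your login still knows who you are within that app, and an advertising SDK embedded in many apps under one key would re-create the global join.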
So it seems clear that the original source of these UDIDs is an app maker. A subsequent tweet from one of the Twitter accounts controlled by Anonymous seems to spell this out:
People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found.
What can a hacker (or a federal agent) do with your UDID by itself? Not much. Combine it with other bits of information about you, though, and it becomes a tool for social engineering. Whoever has this information knows you own an iPhone or an iPad, which makes you more affluent than the average Jane or Joe. They may have your cell phone or email address, allowing them to target you specifically for scams or send you links to malware or phishing sites. Someone with just a little information and malicious intent can do an awful lot of damage if they choose to.
But that isn’t the real crime here. The real crime was Apple’s unique ID scheme, which made something like this possible.
TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.