Viewpoint: Making sense of the Apple ID codes leak

Apple iPhone Antisec claimed it sourced the UDID codes from an FBI agent's laptop, but the US agency said there was "no evidence" it was the source

Related Stories

Many are wondering how the recently leaked list of unique device identifiers (UDIDs) from the hacktivist group Antisec will personally affect them. You may be asking: should I be concerned?

First of all, an Apple UDID is just a unique number given to every device, such as an iPhone or iPad.

They are very similar to vehicle identification numbers given to cars, which are unique to each vehicle, helping to track its history, albeit without any information encoded.

The only association of UDID and personal information is provided when setting up a device on iTunes, not directly encoded into the serial number itself.

The UDID ensures that each device has a serial number that uniquely identifies it. This ID is sometimes, against Apple's recommendations, used by App developers for tracking a device.

For example, imagine a grocery list app that inappropriately uses the UDID of the device in a request for authentication, instead of a username and password.

This app may also expose certain application programming interfaces (APIs) for Twitter or Facebook, letting the app-user declare his or her favourite groceries via social media.

The app could also use the UDID for ad-tracking as well, ensuring that items of interest will be displayed based on the consumers' habits.

Ditching the identifiers

If attackers had a UDID and knew of apps that used them inappropriately, they could potentially use it to compromise the privacy of an end user.

Having a UDID in no way gives the bad guys the ability to actively compromise an Apple device.

It is possible that the UDID could be used by certain apps to acquire personal information or potentially impersonate a user, but it does not provide any direct control or access to your iPhone/iPad.

Apple is moving away from the UDID, to something less device-specific such as core foundation universally unique identifiers (CFUUIDs).

Cause for concern?

Apple has not directly stated why they are making this move but I'd speculate that they wanted a unique identifier that was not necessarily linked to a physical device, which probably creates a headache for App developers and ad networks relying on the UDID for user association.

So, the answer to the question "Should I be concerned" is: Slightly.

Right now the true abilities of leveraging a UDID by an attacker are pretty grey.

There appears to be some apps out there that rely solely on UDID for linking personal information, but many do not.

As the UDID saga unfolds, we will see which apps incorrectly use the UDIDs to link to personal information and can more accurately identify the threat.

Honestly, there are many more threats out there to PC and Mac users that should be more concerning. Attackers are still quite focused on client-side exploitation via browsers, document readers, and their plug-ins.

Chris Valasek is a senior security researcher at Coverity, which develops products to check software for coding errors. He is also chairman of SummerCon, the US's oldest hacker convention.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Getty Images)

Robot ships: Poised to set sail?

Computer-control, far out to sea Read more...

Programmes

  • Tourists wearing bikinis in MajorcaThe Travel Show Watch

    Why wearing a bikini could land you with a fine on the Spanish island of Majorca

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.