During the course of this year, there have been a number of minor security controversies revolving around third-party app developers building functionality into their apps to capture the Unique Identifier (UDID) of the device and upload it to their own servers. When this knowledge became public, there was uproar from specific sections of the iOS community, and although the UDID itself doesn’t really represent a significant risk when placed in the wrong hands, the latest UDID-based news is sure to be a cause for concern for a large number of iPhone and iPad owners.
The infamous group known as AntiSec has released a dump that contains over one million Unique Identifiers, pulled directly from Apple devices in the wild. That news itself isn’t a huge worry, but as you dig deeper into where these UDIDs actually came from and how the group got its hands on the file that contains them, it gets significantly worse. The UDIDs, which are a series of letters and numbers that uniquely identify an Apple iOS device, were bundled into a file on an official FBI laptop which the team managed to compromise.
In March of this year, a Dell Vostro laptop which reportedly belonged to an FBI agent in the regional Cyber Action Team was compromised using the AtomicReferenceArray vulnerability in Java, through which a number of files on his desktop were copied. The CSV file actually contained over twelve million entries, which also included information such as cell numbers, names, addresses and push notification tokens, although not every entry contained all of this information. The group has decided internally to only release one million of the held identifiers, stating that although they actually hold details of 12,000,000 devices, they “decided a million would be enough to release”.
There hasn’t been any indication as to why the FBI was holding this information about such a large number of Apple iOS devices, or what it was going to be used for. The immediate conspiracy theory reaction is that the info was being used to track the owners of the devices involved, but considering it’s unlikely we will ever see official acknowledgement, it’s reasonable to assume we will never know. In recent times, Apple has been blocking developer access to the UDID of a device, signaling its likely intention to move away from this method of device identification. Maybe this is the kick they need to speed that process along.
If you want to find out if your device was in the list of the AntiSec leak, you can simply head over to TheNextWeb where you can enter your device’s UDID and find out if you were one of the few unlucky ones.