September 5, 2012

Apple And FBI Deny Responsibility For Leaked UDID Numbers

Michael Harper for - Your Universe Online

The big news yesterday (well, before Apple brilliantly announced their September 12th iPhone announcement) came from hacker group AntiSec (an arm of Anonymous) about the alleged theft of 12 million Apple UDIDs. AntiSec said they stripped these UDIDs of any personal information and posted 1 million of these unique identifiers on several sites online. The group claimed to have lifted a file from an FBI agent´s Dell laptop and posted the resulting 1 million IDs as a way to “audit” the FBI´s security. “We all know by now they make Internet insecure on purpose to help their bottom line. But it´s a shitty job, especially since they decided to hunt us down and jail our friends,” wrote a spokesperson for the hacking group.

The common refrain after this news story went public was loud and clear: “Why does the FBI have these UDIDs, anyway?”

Apple issued a response to All Things D today, essentially saying even if the FBI has these UDIDs, they didn´t get them from Apple.

“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” said Natalie Kerris, an Apple spokeswoman speaking to All Things D.

The FBI, too, has also issued its own statement about the AntiSec leak of UDIDs.

In a brief statement, the FBI is calling this entire story false, saying, “At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

Apple originally used these UDIDs as a way to identify specific phones, giving developers the ability to know which phones have used their app. These UDIDs came in handy to battle app piracy, as well as offering users a bit of convenience. For instance, if a user downloaded an app and used it for a bit but accidentally deleted it, these UDIDs would allow that user to install the app again and use it as if the app had never been deleted before. Developers then began to send these UDIDs to advertisers to provide extra information about these users to specifically tailor ads. Apple then began to reject any apps which utilized these UDIDs instead of implementing other, unique identifiers which also enhanced privacy and remained unique to that developer´s app.

According to Apple´s statement, iOS 6 will completely get rid of these UDIDs as they roll out another way to uniquely identify each individual device.

Even though both Apple and the FBI have washed their hands of this debacle, the fact remains that AntiSec has actual UDIDs in their possession. A quick check of Twitter shows that more than one person has said their UDIDs were a part of the leak.

Though many have said these UDIDs aren´t that dangerous in the hands of these hackers, one blogger has been railing against the use of UDIDs for over a year. On their own, these UDIDs aren´t linked to your actual identity. Yet, Aldo Cortesi discovered in May 2011 that these UDIDs could be used to find personal information through the OpenFeint gaming network, information such as location, account name and even Facebook profile pictures and URLs.

Though OpenFeint has since closed this hole, these UDIDs can still be de-anonymized to yield some personal information. Yesterday, Cortesi wrote about the leak, saying: “When speaking to people about this, I've often been asked "What's the worst that can happen?". My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are.”