Hackers recently released millions of Apple's Unique Device Identifiers (UDIDs) on the Web. What exactly are these UDIDs, and what security risk do stolen UDIDs pose?
Ask a Question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
Every iPhone, iPad and iPod Touch has a Unique Device Identifier (UDID), which is a 40-character alphanumeric identifier that is unique to each device. To find the UDID of any iOS device, connect it to a computer and select it when it appears under devices in iTunes. The summary page shows the serial number, which when clicked switches to the UDID. A UDID can't be deleted or changed, and users have no way to stop a device from transmitting its UDID.
UDIDs are used to associate a device to an iOS developer account so that developers can install and test their apps before releasing them. Connecting the UDID to a developer account also allows that device to install beta releases of iOS for testing. Apple also uses the UDID to associate devices to a user's Apple ID, which allows devices to automatically download and install apps or music purchased from the App Store or iTunes. This enables Apple to route push notifications and iMessages to the correct device, too.
The UDID is meant to be used as an anonymized token and therefore be of little use to hackers or identity thieves. However, a research paper released in October 2010 showed that many developers and apps were collecting UDIDs along with other personally identifiable information, such as names, user names, passwords, and how, when and where the device was used. This represents a risk to user privacy, as it's possible to de-anonymize such a collection of data by linking it with other information available on the Internet. Security consultant Aldo Cortesi showed how to de-anonymize Apple UDIDs sent to OpenFeint, the mobile social gaming company.
This risk to user privacy is one reason Apple decided to limit the use of UDIDs in iOS 5. Instead, developers were instructed to generate a unique identifier that is only accessible by a single app when needed. With iOS 6, Apple introduced a new set of APIs to replace the use of the UDID with the intention of banning its use altogether.
The looming privacy risk of a UDID security leak became real when the hacking group Anonymous published a list of a million UDIDs that it claimed it stole from the FBI as part of its AntiSec campaign. In actuality, the UDIDs were stolen from digital publishing company BlueToad, which was able to match its own data against the list released by Anonymous (though BlueToad says it holds nowhere near the alleged 12 million UDIDs that Anonymous claims to have in its possession). Anonymous also claims it has the user names, device names and phone numbers of the users affected, though they are yet to release them. Even though Apple is phasing out the use of UDIDs, there are still many large data sets of UDIDs out there, possibly linked to sensitive user information.
This was first published in February 2013