You down with UDID? Yeah, now you know me… my location and app activities

[Editor: If you’ve been following any tech news lately, you’ve likely come across the he-said she-said purported breach of FBI data that led to a million Apple iPhone unique device identifiers (UDIDs) being released into the wild. We asked local security expert and founder of GadgetTrak, Ken Westin, what the big deal was. Here’s what he had to say.]

It was announced this week by the hacker group AntiSec that they compromised a laptop belonging to Supervisor Special Agent Christopher K. Stangl from the FBI taking advantage of vulnerability in Java that allowed them to gain access files on his system. The data they claim to have downloaded allegedly holds more than 12 million UDIDs ( Uniqe Device Identifiers) from Apple iOS devices.

Although there is cause for concern, there is no reason to panic… yet. The UDID is a unique number that identifies a given iOS device, a bit like a serial number. Simply having this number alone would not be an issue, as they are fairly anonymous.

However the file in question also maps UDIDs to names, phone numbers, zip codes, addresses in some cases. The UDIDs then are no longer anonymous but linked to their respective owners.

The UDID number has been used/misused by developers over the last few years to identify devices for advertisements, analytics and other purposes. The Internet is chock full of databases that map UDIDs to usernames, activities, location data, game scores, ad clicks as well as Facebook and other social media profiles. Even if you deleted an application from your phone the data can still persist in the Cloud.

So as we see more data breached, sold and shared, data will be mapped to previously anonymous data related to activities, location and app usage. So the damage of the breach consists of the possibility that connections that may not have existed before will be bridged and more robust profiles of targets available.

(Thumbnail image courtesy of Yutaka Tsutano. Used under Creative Commons.)

  1. The UDID is going away, so in the future it will be less of an issue, until of course someone discovers a loophole. It would be interesting though to map multiple devices to a user. It might provide some interesting demographic data. What does it mean if a user has multiple iOS devices? Probably makes more money than me, possibly a family, increased probability of being a Mac user, all useful information for nefarious or marketing purposes.

  2. Worth noting that since the UDID is per device, as soon as someone upgrades to a new device (such as the iPhone 5), the trail ends… until there is another leak.

Comments are closed.