Antisec claimed it sourced the UDID codes from an FBI agent's laptop, but the US agency said there was "no evidence" it was the source
Many are wondering how the recently leaked list of unique device identifiers (UDIDs) from the hacktivist group Antisec will personally affect them. You may be asking: should I be concerned?

First of all, an Apple UDID is just a unique number given to every device, such as an iPhone or iPad.

They are very similar to the vehicle identification numbers given to cars, which are unique to each vehicle and help track its history, albeit without encoding any information themselves.

The only association between a UDID and personal information is made when setting up a device in iTunes; nothing personal is encoded in the serial number itself.

The UDID ensures that each device has a serial number that uniquely identifies it. This ID is sometimes, against Apple's recommendations, used by app developers for tracking a device.

For example, imagine a grocery list app that inappropriately uses the UDID of the device in a request for authentication, instead of a username and password.

This app may also expose certain application programming interfaces (APIs) for Twitter or Facebook, letting the app user declare his or her favourite groceries via social media.

The app could also use the UDID for ad tracking, ensuring that items of interest are displayed based on the consumer's habits.
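The grocery-app design above, and the later point about moving to less device-specific identifiers, as an added example that is not part of the original article: a toy back end where one route treats the UDID as the credential and another requires a real login, plus a per-install identifier of the kind the CFUUID move points towards. Account details and the UDID value are constructed for the example.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed sample account. The UDID is a made-up 40-hex-character string
# in the same shape as a real one; it is not from the leaked list.
ALICE_UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
_SALT = b"constructed-salt"
_USERS = {
    "alice": {
        "udid": ALICE_UDID,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "groceries": ["milk", "eggs"],
    }
}
_SESSIONS = {}  # session token -> username

def groceries_by_udid(udid):
    """Weak design from the article: the UDID alone picks the account.
    A UDID is an identifier, not a secret, so anyone who learns it (a leaked
    list, another app on the same device) gets exactly what the owner gets."""
    for record in _USERS.values():
        if record["udid"] == udid:
            return record["groceries"]
    return None

def login(username, password):
    """Hardened design: check a real credential, then mint a random session
    token. The device identifier plays no part in deciding who the caller is."""
    record = _USERS.get(username)
    if record is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token

def groceries_by_token(token):
    """Only a token issued by login() reaches the data."""
    username = _SESSIONS.get(token)
    return None if username is None else _USERS[username]["groceries"]

def new_install_id():
    """Per-install random identifier in the spirit of the CFUUID move: fine
    for analytics or ad frequency capping, useless as a credential."""
    return str(uuid.uuid4())
```

The contrast to take away: the weak route answers to whoever presents the identifier, while the hardened route answers only to a token that a password check produced.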
Ditching the identifiers

If attackers had a UDID and knew of apps that used them inappropriately, they could potentially use it to compromise the privacy of an end user.

Having a UDID in no way gives the bad guys the ability to actively compromise an Apple device.

It is possible that the UDID could be used by certain apps to acquire personal information or potentially impersonate a user, but it does not provide any direct control over or access to your iPhone/iPad.

Apple is moving away from the UDID to something less device-specific, such as Core Foundation universally unique identifiers (CFUUIDs).

Cause for concern?

Apple has not directly stated why they are making this move, but I'd speculate that they wanted a unique identifier that was not necessarily linked to a physical device, which probably creates a headache for app developers and ad networks relying on the UDID for user association.

So, the answer to the question "Should I be concerned?" is: slightly.

Right now, what an attacker can really do with a UDID is pretty grey.

There appear to be some apps out there that rely solely on the UDID for linking personal information, but many do not.

As the UDID saga unfolds, we will see which apps incorrectly use UDIDs to link to personal information, and can then identify the threat more accurately.

Honestly, there are many more threats out there to PC and Mac users that should be more concerning. Attackers are still quite focused on client-side exploitation via browsers, document readers, and their plug-ins.

Chris Valasek is a senior security researcher at Coverity, which develops products to check software for coding errors. He is also chairman of SummerCon, the US's oldest hacker convention.