Thursday, September 20, 2012

The Havoc of a Device Identifier – Apple UDIDs

Most users of the iPhone are completely unaware that Apple has assigned their individual devices a Unique Device Identifier (UDID). While such an identifier carries numerous privacy implications, it was not until recently that the general public became acutely aware of these UDIDs. In a post on Pastebin on September 4, 2012, the hacker group AntiSec announced that they had obtained a file containing over twelve million Apple UDIDs from an FBI laptop. While the FBI quickly denied this, stating that the laptop was not hacked and that the FBI did not hold such a file, this event led numerous tech and law blogs to publish articles diving into the topic of UDIDs and what these identifiers actually mean for iPod Touch, iPhone and iPad users. (In addition, it is possible that non-Apple devices also contain a similar identifier to the UDID and the public has not been made aware of this yet.)
   
One such article, featured on The Verge, focused on what someone can do once they obtain a user’s UDID. Before delving into the various privacy problems that result from the existence of UDIDs, it should be noted that Apple has announced that UDIDs will be replaced by “a new set of APIs” in iOS 6 (released on 9/19/2012), the newest operating system for the iPhone and the iPad. However, it is unclear just what sort of information these new APIs will contain. The writer of The Verge article, Joshua Kopstein, points out that it is unclear what exactly someone could do with a UDID and that industry experts disagree as to the extent of harm that can come solely from a UDID:

In a recent article posted on CNET, Frank Heidt, chief executive of Leviathan Security claimed that with a UDID, a push token, and a device name, an attacker "could arbitrarily load an app on your phone." But Alex Radocea, a senior engineer at CrowdStrike, says that’s not true.

"There’s been a lot of misinformation," Radocea told The Verge over the phone. Just as AntiSec released their list of device IDs, he and his team posted the results of their examination of the iOS version of FinSpy Mobile, a strain of the infamous FinFisher spyware that was recently found targeting political dissidents.

In their report, CrowdStrike points out that the spyware is using ad-hoc distribution, a method usually reserved for testing which uses UDIDs to bypass Apple’s application signing process. But that doesn’t mean that a UDID is the magic bullet for remotely installing malware on a device without the user’s knowledge, Radocea says.

"The main thing is that user interaction is required to install these applications," he clarified. "They cannot be silently or arbitrarily installed, as the CNET article alleges." In a blog post written shortly after news hit of AntiSec’s release, the ACLU similarly suggested that UDIDs could be used to secretly infect devices with the spyware.

Kopstein goes on to discuss how UDIDs have been used in the past to access the geographic information of an individual user. In addition, the UDID is solely in the control of Apple, and the only way for an individual to get a new UDID is to get a new iPod Touch, iPhone or iPad.

What exactly the release of these 12 million UDIDs truly means is still unclear, but if nothing else, this release has raised public awareness of the issue. (There is also a large concern over whether or not the FBI actually had these 12 million UDIDs, what the FBI was doing with this data, and, if they truly did have the file, why it was being stored on a laptop that was so easily hacked.) And, as discussed earlier, Apple is removing the UDID from the newest version of its operating system. However, the fact remains that millions of iPod Touches, iPhones and iPads contain a unique identifier over which the user has no control and which can do uncertain things to a user’s personal device.

Via The Verge
(Written by Brett Alazraki, Fall 2012 IBLT Entrepreneurship Assistance Fellow)
