Have a quick read through the posts linked in the article this story points to. I show that using just a UDID, you could access the user's geolocation, games they played, private messages and friends lists on many of the affected social networks, and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts. This is with _just_ a UDID. Some of the companies I notified a year ago are still vulnerable today. And remember, I only looked at social gaming networks - small slice of the app ecosystem. I know that there are similar systemic issues in many other places. So yes, this is definitely a catastrophe.
Unfortunately, there's just not much an ordinary user can do. There's no way for a user to tell if an app accesses and broadcasts their UDID (if you're an expert you can use mitmproxy or a similar tool), and certainly no way to tell if the UDID is being used safely. I would recommend de-linking your social media accounts from all apps unless you know they're safe, but that's the kind of drastic advice that people tend not to take.
Given that the UDID has been deprecated in iOS5 and Apple are now rejecting apps that use it, I'd be interested to see what level of actual vulnerability there is these days.
> If your UDID is contained in the list, take a minute to help us identify the traitor that did give your information to the FBI without any your agreement and without warrant !
Wouldn't it also be useful to gather information about who WASN'T on the list and what Apps they have? Maybe device type as well.
Seeing as this is only 1 million sampled from a claimed 12 million list, that wouldn't be that useful since it's possible their UUID is just on the other part of the list.
If you've been exposed take some time to help us identify who gave this UDID's to the FBI. (Already working with 3 exposed device owners)
http://news.ycombinator.com/item?id=4473833
Sorry, I don't think this strategy is workable. Consider - 74% of apps I tested sent the UDID to one or more upstream servers. Furthermore, Flurry alone received UDIDs from 15% of apps I tested. That's just one aggregator, and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it down somewhat, but not too much. It's also not at at all clear that there is a single source involved - this could be an amalgamation of a number of sources.
Apple has provided a number of replacements for UDID, that address some of the UDID uses without it being as much of a privacy problem. It's all still under NDA, so I posted my summary on the Apple's developer forums (iOS developer login required): https://devforums.apple.com/message/723147
Has anyone verified that this UDID leak isn't just the old "Goatse Security" leak re-branded? I'm not saying I have any evidence to that, but it seems strange that the "ownage" document didn't mention anything about how the hack was done.
Along those lines, has there been any talk of the attack vector? To get a list like this, it would seem that AT&T (as was the case with "Goatse Security") or Apple would need to be compromised to get this list.
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
"NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. the personal details fields referring to people
appears many times empty leaving the whole list incompleted on many parts. no
other file on the same folder makes mention about this list or its purpose.
If you disallow an app from sending you push notifications, will it still have your UDID/Device ID? Or if you never enable it, does the app & app server never get it?
Push notifications don't use the UDID. They use a different token. UDIDs can be requested without user consent by applications, although that functionality is supposedly deprecated from iOS 5 onwards.
Yes, sorry - I'm on the road at the moment, and wrote that in a rush. Part of the problem is that there's not much users can do at this stage. The ecosystem of companies that use and abuse UDIDs is fragmented, and each service that relies on UDIDs for identification or authentication can have its own unique problems. I guess it would be possible to start aggressively releasing a list of services that users should close their accounts on, but that would also be a shopping list for bad guys out to take advantage of this situation.
No, you need a push token, which is a combination of device id and app id, and is only generated when the user authorizes the app for remote notifications. Additionally, you need a certificate on the server that is authorized to send messages to that app id.
[+] [-] wamatt|13 years ago|reply
Should we change our paypal passwords? Or worry about getting more spam? etc Why should an end user (eg my mom) care?
I'm not saying there aren't serious repercussions, just having a hard time seeing exactly what they are.
[+] [-] cortesi|13 years ago|reply
Unfortunately, there's just not much an ordinary user can do. There's no way for a user to tell if an app accesses and broadcasts their UDID (if you're an expert you can use mitmproxy or a similar tool), and certainly no way to tell if the UDID is being used safely. I would recommend de-linking your social media accounts from all apps unless you know they're safe, but that's the kind of drastic advice that people tend not to take.
[+] [-] api|13 years ago|reply
[+] [-] mtgx|13 years ago|reply
[+] [-] eridius|13 years ago|reply
[+] [-] prof_hobart|13 years ago|reply
[+] [-] tomrod|13 years ago|reply
[+] [-] lekashman|13 years ago|reply
[+] [-] dekz|13 years ago|reply
Wouldn't it also be useful to gather information about who WASN'T on the list and what Apps they have? Maybe device type as well.
[+] [-] jordanthoms|13 years ago|reply
[+] [-] evan_|13 years ago|reply
Interesting use of the word "traitor" to mean "person who cooperates with the Government".
[+] [-] FredericJ|13 years ago|reply
[+] [-] ganley|13 years ago|reply
[+] [-] bornhuetter|13 years ago|reply
[+] [-] FredericJ|13 years ago|reply
[+] [-] cortesi|13 years ago|reply
See this post for the source of these figures:
http://corte.si/posts/security/apple-udid-survey/index.html
[+] [-] DenisM|13 years ago|reply
Apple has provided a number of replacements for UDID, that address some of the UDID uses without it being as much of a privacy problem. It's all still under NDA, so I posted my summary on the Apple's developer forums (iOS developer login required): https://devforums.apple.com/message/723147
[+] [-] david_shaw|13 years ago|reply
Along those lines, has there been any talk of the attack vector? To get a list like this, it would seem that AT&T (as was the case with "Goatse Security") or Apple would need to be compromised to get this list.
[+] [-] patdennis|13 years ago|reply
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
[+] [-] cortesi|13 years ago|reply
[+] [-] robbiep|13 years ago|reply
[+] [-] objclxt|13 years ago|reply
[+] [-] panacea|13 years ago|reply
[+] [-] cortesi|13 years ago|reply
[+] [-] gmac|13 years ago|reply
It's also worth noting that Apple has deprecated the UDID, and new and updated apps are no longer able to access it.
[+] [-] nodesocket|13 years ago|reply
[+] [-] sgman|13 years ago|reply
[+] [-] ideawave|13 years ago|reply