Rixstep

Roundup: Apple UDIDs

'A lazy implementation.'


CUPERTINO (Rixstep) — Apple designers are having a good run of it. New Zealander Aldo Cortesi's been warning about Apple's issue with UDIDs for some time, calling Apple's implementation 'lazy'. The scheme made it patently easy for websites and app makers to mine personal info. He even published an article exposing how easy it was to 'game' Apple's Game Centre.

Suddenly by 3 September it's no longer something AAPL fans can shrug off: AntiSec published 1,000,001 UDIDs belonging to Apple iPads and iPhones. The dump was part of a tranche of over 12,000,000 they'd got from a spreadsheet on the laptop of one FBI agent Christopher Stangl, who purportedly had user names, device names, device types, Apple push notification service tokens, zip codes, mobile phone numbers, and addresses.


If you want to better understand what UDIDs are all about, listen to Cortesi's interview (link below).

The Next Web have published a 'safe' way to see if your Apple UDID's been leaked - but this of course covers only the one million UDIDs published by AntiSec and not the over 12,000,000 in the hands of the FBI. So yes, it's somewhat lame.

But is it possible to know if your Apple UDID is in the hands of the FBI? Yes! That's easy!

  1. Do you own an Apple iPad or iPhone?
  2. You do? Then they've got it.

As simple as that.

See Also
Par:AnoIA: Decrypted AntiSec file
cortesi: How UDIDs are used: a survey
cortesi: Why the Apple UDID had to die
cortesi: The UDID leak is a privacy catastrophe
cortesi: mitmproxy: A 30-second client playback example
cortesi: mitmproxy: Breaking Apple's Game Center with replay

Pastebin: SPECIAL #FFF EDITION - ANONYMOUS
NBC News: Hackers leak 1 million Apple device IDs
PSKL: An Analysis of Application Transmission of iPhone UDIDs
The Next Web: Here's how to check if your Apple device UDID has been compromised by the AntiSec leak
CBS News: Anonymous hackers claim to have obtained 12 million iPhone and iPad IDs from FBI computer

Network Security Podcast: Interview with Aldo Cortesi

Copyright © Rixstep. All rights reserved.