Hacker group releases 1 million unique Apple device ID – what does this mean for your privacy?

After breaching an FBI agent’s laptop and finding over 12 million people’s personal information, the hacker group AntiSec redacted and published 1 million unique device identifiers (UDIDs) yesterday. Click here to check if your device was on the list. Note that you’ll need your device’s UDID, which you can find by connecting your device to a computer, opening iTunes, clicking on your device, and then clicking the “Summary” tab. The Summary tab displays the device’s serial number; clicking on the serial number switches the display to the UDID.

In a statement, AntiSec says the original data they found on the agent’s computer contained UDIDs, “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses,” and more. AntiSec removed most personally-identifiable information before publishing, but kept the UDID, Apple Push Notification Service (APNS) tokens, device type, and name.

Your UDID is a string of numbers and letters that serves as a unique identifier for your device. With it, anyone can see that a particular device belongs to you. App push notifications work by sending notifications to a particular device, identified by the UDID. UDIDs can lead to uncovering additional, linked personal information, including logins, passwords, and past GPS locations. Apple and several app developers have been sued over using UDIDs to track users across different apps. After Apple received widespread criticism for creating the UDID system because of the privacy risks it created, it banned app creators from using UDIDs in March 2012.

Privacy implications of the UDID breach

The biggest privacy concern around the breach of UDIDs is that a lot of people–like app developers, data resellers, and mobile analytics companies–are aggregating personal information that’s associated with UDIDs, so knowing a UDID means you can easily find a lot more information about the person who owns that device. OpenFeint, a large mobile social gaming network, has de-anonymized UDIDs, linking them to usernames, email addresses, GPS locations, and even Facebook profiles. MacRumors reported in March 2012 that “While the UDID doesn’t specifically identify a user, the sharing of UDIDs across ad networks and apps can help piece together a valuable picture of activity and interests of the user of a specific device.”

What if your device was hacked?

Unfortunately, there’s not much you can do if your UDID was one of the 1 million that AntiSec released. It’s your device’s permanent fingerprint: the only way to change it is to get a new device. And because UDIDs are tied to additional personal information, including user names, device names, notification tokens, cell phone numbers and addresses, you’re at greater risk of identity theft. In the future, never use your personal information in the name you give your device, like “John Smith’s iPhone”: it’s unnecessary, and it exposes more of your data during a breach.

It’s also possible that malicious app developers could abuse push notifications by hyper-targeting single individuals with things like fake iOS updates. We’ve seen the same kind of thing happen with the shift from phishing emails to spear phishing emails, where attackers use a target’s personal information to make the email seem more convincing.

This breach should also caution users about committing your entire digital life to a single device or service provider. Avoid putting all your eggs in one company’s basket–like having an iPhone, iPad, and iPod Touch–so that a breach on one device isn’t crippling to the others. With our mobile devices, we’re being asked to put our entire digital lives in the hands of the device manufacturers and wireless carriers, and with more personal information than they’ve ever had before.

The realities of data-sharing between private companies and law enforcement

AntiSec published a subset of this information to make the point that the FBI frequently uses private companies like Apple as data sources for surveillance. The name of the file containing the information was “NCFTA_iOS_devices_intel.csv,” which has led to speculation that Apple is sharing its users’ personal information with the FBI through the National Cyber-Forensics and Training Association (NCFTA), which “functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime.” The question they’re posing is, “Why did the FBI have all this information in the first place?”

Consumers share their information with sites and companies that they trust, but the same companies hand that information over to law enforcement millions of times each year. Companies have little ability to deny a valid request. In July 2012, Massachusetts Congressman Markey published an accounting that wireless companies like Verizon and AT&T received 1.3 million requests for customer cell phone information, like text messages and GPS records, in 2011. Google had to turn over personal data on 11,385 users in the past 6 months. Law enforcement can obtain anyone’s archived emails for about $25.

A company’s options are: 1) adopt pro-privacy policies, including storing the minimum amount of personal information required by law so that they have almost nothing of interest to give to law enforcement when asked; 2) challenge the request for being unreasonable, as Twitter has done with a demand for an Occupy Wall Street protestor’s past tweets; 3) alert the customer whose data is being requested so that the customer can take up his or her own legal action; or 4) continue storing and selling customer data, hand it over whenever law enforcement asks, and don’t publish or alert consumers, which is unfortunately the option that most companies currently take.

The reality here is that Apple wasn’t hacked: a single FBI agent’s computer that happened to have Apple customer data on it was. In that sense, Apple’s no more at fault than any of the hundreds of companies that law enforcement regularly forces to turn over users’ personal information.

6 comments shared on this article:

  • htp says:

    “the only thing you can do is get a new device”
    convenient this is happening just before the Apple-thingamajig Version 5 is coming out.

    if it’s true, that an FBI computer was the source (this could just be part of the game), and you’re on the list, then the FBI had an eye on you, for some reason.

    • Sarah Downey says:

      Turns out it was a third-party app developer named Blue Toad that was hacked and the source of the breach. But yeah, it’s pretty convenient that it happened right before the iPhone 5 went on sale!

  • Lisa Ostella says:

    I have not noticed any information from Apple yet about what devices had information released. Apple has a large number of iPads that work with medical devices such as Medtronic diabetic pumps as well as iPads issued to children at schools. The release of any of this data violates HIPAA as well as COPPA. If it was really BlueToad, Inc., that Apple transferred the data to, then they are selling user information to 3rd-party advertisers.

  • cakefordinner says:

    The original article was a rumor which has since been proven to be mostly false. Neither the FBI nor Apple was ever involved. The claim by the hacker group Anonymous, that an FBI agent’s laptop had UDIDs/was hacked was completely false.

    The actual hack was what the previous poster mentioned (developer Blue Toad). What was obtained were iPhone Device IDs, NOT user IDs, which are virtually useless without an individual’s other information and direct access to the actual device.

    This was a scare tactic that majorly backfired on Anonymous – many (I) will find it almost impossible to believe anything they say, now.

    Latest info: http://www.forbes.com/sites/parmyolson/2012/09/04/fbi-agents-laptop-hacked-to-grab-12-million-apple-ids-anonymous-claims/

    • Lisa Ostella says:

      Thank you for the link, cakefordinner. I missed that article at Forbes. But I’m confused. The article you linked did say they were Apple UDIDs. The article did not say it was isolated to mobile phones. Matter of fact, the Forbes article author says 3 of his devices were listed in the data release. Have you since seen different information? If so, please, if you don’t mind, post another link.

      Thanks!

  • Quez says:

    However, if only one million of the 12 million were released by AntiSec, that leaves 11 million people who can’t check theirs anyway.
