You Down with UDID? Yeah, You Know Me...

Thursday, September 13, 2012

Tripwire Inc


Article by Ken Westin

The hacker group AntiSec recently announced that it had compromised a laptop belonging to Supervisor Special Agent Christopher K. Stangl of the FBI, taking advantage of a vulnerability in Java that allowed them to gain access to files on his system.

The data they claim to have downloaded allegedly holds more than 12 million UDIDs (Unique Device Identifiers) from Apple iOS devices.

Although there is cause for concern, there is no reason to panic… yet. The UDID is a unique number that identifies a given iOS device, a bit like a serial number. Simply having this number alone would not be an issue, as UDIDs on their own are fairly anonymous.

However, the file in question also maps UDIDs to names, phone numbers, zip codes and, in some cases, addresses. The UDIDs are then no longer anonymous but linked to their respective owners.

The UDID number has been used/misused by developers over the last few years to identify devices for advertisements, analytics and other purposes.

The Internet is chock full of databases that map UDIDs to usernames, activities, location data, game scores, ad clicks as well as Facebook and other social media profiles. Even if you deleted an application from your phone, the data can still persist in the cloud.

As more data is breached, sold and shared, identifying details will be mapped onto previously anonymous data about activities, location and app usage.

The damage from the breach, then, is the possibility that connections which did not exist before will be bridged, making more robust profiles of targets available.
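
The linkage risk described above, as an added example that is not part of the original article: constructed records show how a leaked UDID-to-owner file de-anonymizes other datasets keyed by the same raw UDID, and how the join fails when each app stores a keyed per-app pseudonym instead. The `pseudonym` helper, the app keys and all data are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: every UDID, name and record below is made up.
LEAKED = {  # breach file: raw UDID -> owner details
    "a" * 40: {"name": "Alice Example", "zip": "97201"},
    "b" * 40: {"name": "Bob Example", "zip": "10001"},
}
AD_NETWORK = [  # "anonymous" analytics keyed by raw UDID
    {"udid": "a" * 40, "event": "ad_click"},
    {"udid": "c" * 40, "event": "ad_click"},
]
GAME_BACKEND = [
    {"udid": "a" * 40, "event": "high_score"},
    {"udid": "b" * 40, "event": "login"},
]

def pseudonym(udid: str, app_key: bytes) -> str:
    """Hypothetical per-app identifier: HMAC-SHA256 of the UDID under an app-held key."""
    return hmac.new(app_key, udid.encode(), hashlib.sha256).hexdigest()

def scoped(records, app_key):
    """Copy of a dataset with the raw UDID replaced by that app's pseudonym."""
    return [{**r, "udid": pseudonym(r["udid"], app_key)} for r in records]

def link(leak, *datasets):
    """Return {owner name: [events]} for records whose device key appears in the leak."""
    profiles = {}
    for dataset in datasets:
        for record in dataset:
            owner = leak.get(record["udid"])
            if owner:
                profiles.setdefault(owner["name"], []).append(record["event"])
    return profiles

def linkage_rate(leak, *datasets):
    """Fraction of all records that the leak ties to a named owner."""
    total = sum(len(d) for d in datasets)
    hits = sum(len(events) for events in link(leak, *datasets).values())
    return hits / total

if __name__ == "__main__":
    print("raw UDID keys:   ", linkage_rate(LEAKED, AD_NETWORK, GAME_BACKEND))
    print("per-app HMAC keys:", linkage_rate(
        LEAKED, scoped(AD_NETWORK, b"ad-key"), scoped(GAME_BACKEND, b"game-key")))
```

The per-app pseudonym only breaks the join while each app's key stays secret and no owner details are stored alongside it.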

Cross-posted from Tripwire's State of Security
