The UDID leak is a privacy catastrophe

corte.si

119 points by gnufs 14 years ago · 51 comments


wamatt 14 years ago

After reading this, I'm still a bit confused as to why this is a catastrophe.

Should we change our PayPal passwords? Or worry about getting more spam? etc. Why should an end user (e.g. my mom) care?

I'm not saying there aren't serious repercussions, just having a hard time seeing exactly what they are.

  • cortesi 14 years ago

    Have a quick read through the posts linked in the article this story points to. I show that using just a UDID, you could access the user's geolocation, games they played, private messages and friends lists on many of the affected social networks, and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts. This is with _just_ a UDID. Some of the companies I notified a year ago are still vulnerable today. And remember, I only looked at social gaming networks - small slice of the app ecosystem. I know that there are similar systemic issues in many other places. So yes, this is definitely a catastrophe.

    Unfortunately, there's just not much an ordinary user can do. There's no way for a user to tell if an app accesses and broadcasts their UDID (if you're an expert you can use mitmproxy or a similar tool), and certainly no way to tell if the UDID is being used safely. I would recommend de-linking your social media accounts from all apps unless you know they're safe, but that's the kind of drastic advice that people tend not to take.
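As an added example (not part of the original thread), a stand-alone scan in the spirit of the mitmproxy check mentioned above: given a device's UDID and captured app requests, it reports which hosts received the identifier and in which part of the request. The UDID and the captured requests are constructed samples; in practice the same function would be fed flows exported from an interception proxy.

```python
import re

# Constructed sample data (not real traffic): a made-up 40-hex UDID and
# four requests as an interception proxy would have recorded them.
DEVICE_UDID = "a3f1c2d4e5b6a7f8091a2b3c4d5e6f708192a3b4"

CAPTURED_REQUESTS = [
    {"host": "api.example-game.test", "method": "GET",
     "url": "/v1/login?udid=A3F1C2D4E5B6A7F8091A2B3C4D5E6F708192A3B4&v=2",
     "headers": {}, "body": ""},
    {"host": "tracker.example-ads.test", "method": "POST",
     "url": "/collect", "headers": {"X-Device-Id": DEVICE_UDID}, "body": ""},
    {"host": "cdn.example.test", "method": "GET", "url": "/assets/logo.png",
     "headers": {}, "body": ""},
    {"host": "social.example-net.test", "method": "POST", "url": "/friends",
     "headers": {}, "body": "device=" + DEVICE_UDID + "&page=1"},
]

# A UDID is a 40-character hex string; require hex-free neighbours so a
# longer hex blob is not matched in the middle.
HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def find_udid_leaks(requests, udid):
    """Return (host, where) pairs for every request that carries the UDID.

    Every 40-hex token in the URL, the body and each header value is
    compared case-insensitively against the device's own UDID, so apps that
    upper-case or URL-embed it are still caught, while unrelated 40-hex
    tokens (random session ids, SHA-1 digests) are ignored.
    """
    leaks = []
    target = udid.lower()
    for req in requests:
        places = [("url", req["url"]), ("body", req["body"])]
        places += [("header:" + k, v) for k, v in req["headers"].items()]
        for where, text in places:
            if any(m.group(0).lower() == target for m in HEX40.finditer(text)):
                leaks.append((req["host"], where))
    return leaks


if __name__ == "__main__":
    for host, where in find_udid_leaks(CAPTURED_REQUESTS, DEVICE_UDID):
        print(f"UDID sent to {host} in {where}")
```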

    • wamatt 14 years ago

      Thanks for that. Not super worried about people knowing my location or games I played :p

      However, this is of interest:

      >and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts

      How is that possible? Are we going to see mass defacements/malware links or other bad stuff on Twitter and Facebook as a result?

      Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a hacker could log into that associated account with full permissions?

      I'm assuming any scripted attack would only have the permissions that any other FB/Twitter app has, and could be blocked in App settings if it started doing 'bad stuff'?

      • cortesi 14 years ago

        I found vulnerabilities in two social gaming networks that let you take control of people's Facebook and Twitter accounts using _just_ the UDID. I never published the details of these vulnerabilities, but you can find an official acknowledgement from at least one of these companies (Chillingo of Angry Birds fame) in this WSJ piece:

        http://blogs.wsj.com/digits/2011/09/19/privacy-risk-found-on...

        • samfoo 14 years ago

          By "Take control of..." you mean "act with the permissions of the app", I assume? I can't see how Angry Birds the app would ever have full control over my Facebook account unless there's a catastrophic vuln. in the Facebook API.

        • TylerE 14 years ago

          Angry Birds was made by Rovio, not Chillingo.

          Chillingo is a publisher of 3rd rate knockoffs.

          • cortesi 14 years ago

            Chillingo is the publisher of the original Angry Birds, and it's their social network (which is integrated with Angry Birds and therefore on millions of devices) that had the vulnerability.

    • api 14 years ago

      I think this proves that Apple's UDIDs are a horrible, insecure system. That is a privacy catastrophe.

      • zmb_ 14 years ago

        Not really. The UDID itself is not a "horrible, insecure system", it's just a unique identifier. It's the app developers who came up with the horrible, insecure systems due to how they used the UDID.

        The problem is that the developers do not understand how to engineer secure systems. Take away the UDID and their systems will still be broken, just in a different way.

        • mistercow 14 years ago

          That said, it does pose an interesting question as to what Apple could have done to prevent this eventuality. One possibility would have been not to expose a global device ID to developers, but instead to generate a per-app (or maybe per-developer-key) ID. That would have made such a leak extremely difficult, and would have isolated the damage to whatever vulnerabilities were present in a single app.

          You're right that these developers would have made something broken regardless of whether this problem existed, but Apple should try not to give them enough rope to hang themselves. What's fascinating is that "globally visible unique identifier" turns out to be just enough rope.
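An added illustration (not from the thread, and not Apple's actual implementation) of the per-app or per-developer-key alternative described above: identifiers are derived from an OS-held device secret with HMAC, so an ID leaked by one app cannot be joined to the ID any other app sees. The device secret, bundle ids and developer keys are constructed values.

```python
import hashlib
import hmac

# Constructed demo secret (not a real key): in a real design the OS would
# generate this per device at first boot and never expose it to apps.
DEVICE_SECRET = bytes.fromhex("9c" * 32)


def global_udid(device_secret: bytes) -> str:
    """The deprecated model: one 40-hex identifier that every app on the
    device sees, so a leak from any single app links all of them."""
    return hashlib.sha1(device_secret).hexdigest()


def scoped_device_id(device_secret: bytes, scope: str) -> str:
    """HMAC-SHA256(device_secret, scope), truncated to 40 hex characters so
    it has the same shape as a UDID. Stable for one scope; without the
    device secret it cannot be related to the ID of any other scope."""
    mac = hmac.new(device_secret, scope.encode("utf-8"), hashlib.sha256).digest()
    return mac[:20].hex()


def id_for_app(device_secret: bytes, bundle_id: str, developer_key: str,
               per_developer: bool = False) -> str:
    """Pick the scope: the app's bundle id isolates every app; the developer
    key lets one vendor's apps share an ID while staying isolated from
    everyone else's (the per-developer-key option from the comment)."""
    scope = developer_key if per_developer else bundle_id
    return scoped_device_id(device_secret, scope)


def linkable(id_a: str, id_b: str) -> bool:
    """Records collected by two different apps can be joined only if the
    identifiers are identical strings."""
    return id_a == id_b


def demo() -> dict:
    a = id_for_app(DEVICE_SECRET, "com.example.gameA", "DEVKEY-1")
    b = id_for_app(DEVICE_SECRET, "com.example.gameB", "DEVKEY-2")
    a_again = id_for_app(DEVICE_SECRET, "com.example.gameA", "DEVKEY-1")
    g = global_udid(DEVICE_SECRET)
    return {"global_linkable": linkable(g, g),   # every app gets the same UDID
            "scoped_linkable": linkable(a, b),   # different apps, unrelated IDs
            "scoped_stable": a == a_again}       # same app, same ID each launch


if __name__ == "__main__":
    print(demo())
```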

api 14 years ago

No, the UDID is a privacy catastrophe.

  • mtgx 14 years ago

    UDID is a few years old, is it not? It's surprising it took people this long to figure this out.

    • sigzero 14 years ago

      Apple has been telling devs to move away from it for at least a year.

      • ebbv 14 years ago

        Yeah and there was an outcry over that, and nobody saying "Good decision." As Microsoft learned in the '90s, when you're on top nobody's going to do anything but rip on you.

  • eridius 14 years ago

    No more so than, say, a MAC address. The problem wasn't UDID, it's what people were doing with it.

prof_hobart 14 years ago

Given that the UDID has been deprecated in iOS5 and Apple are now rejecting apps that use it, I'd be interested to see what level of actual vulnerability there is these days.

dekz 14 years ago

> If your UDID is contained in the list, take a minute to help us identify the traitor that did give your information to the FBI without any your agreement and without warrant !

Wouldn't it also be useful to gather information about who WASN'T on the list and what Apps they have? Maybe device type as well.

  • jordanthoms 14 years ago

    Seeing as this is only 1 million sampled from a claimed 12 million list, that wouldn't be that useful since it's possible their UUID is just on the other part of the list.

  • evan_ 14 years ago

    > identify the traitor that did give your information to the FBI

    Interesting use of the word "traitor" to mean "person who cooperates with the Government".

  • FredericJ 14 years ago

    The device type is given in the leak.

ganley 14 years ago

If I don't play games, much less belong to any social gaming networks, does this affect me at all?

  • bornhuetter 14 years ago

    Indirectly it affects all of us.

    • _cbdev 14 years ago

      *that have iDevices.

      • bornhuetter 14 years ago

        It affects anyone who lives in a society that is being tracked by their government.

        It may be a good thing that the FBI can better track criminals, but if it is used to track political dissidents or to monitor foreign or unpopular companies it should be a concern for us all.

        I'm not saying this is happening now, but we should be wary of going down that path.

      • technoslut 14 years ago

        Remember that this was just one agent's computer. We shouldn't forget too quickly about the Carrier IQ fiasco.

FredericJ 14 years ago

If you've been exposed, take some time to help us identify who gave these UDIDs to the FBI. (Already working with 3 exposed device owners) http://news.ycombinator.com/item?id=4473833

  • cortesi 14 years ago

    Sorry, I don't think this strategy is workable. Consider - 74% of apps I tested sent the UDID to one or more upstream servers. Furthermore, Flurry alone received UDIDs from 15% of apps I tested. That's just one aggregator, and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it down somewhat, but not too much. It's also not at all clear that there is a single source involved - this could be an amalgamation of a number of sources.

    See this post for the source of these figures:

    http://corte.si/posts/security/apple-udid-survey/index.html

DenisM 14 years ago

A quick reminder for iOS developers:

Apple has provided a number of replacements for UDID that address some of the UDID uses without being as much of a privacy problem. It's all still under NDA, so I posted my summary on Apple's developer forums (iOS developer login required): https://devforums.apple.com/message/723147

david_shaw 14 years ago

Has anyone verified that this UDID leak isn't just the old "Goatse Security" leak re-branded? I'm not saying I have any evidence to that, but it seems strange that the "ownage" document didn't mention anything about how the hack was done.

Along those lines, has there been any talk of the attack vector? To get a list like this, it would seem that AT&T (as was the case with "Goatse Security") or Apple would need to be compromised to get this list.

  • patdennis 14 years ago

    They did mention the vulnerability they used:

    > During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

  • cortesi 14 years ago

    Weev's AT&T adventure had nothing to do with UDIDs, and involved only about 100k records.

robbiep 14 years ago

If you disallow an app from sending you push notifications, will it still have your UDID/Device ID? Or if you never enable it, does the app & app server never get it?

  • objclxt 14 years ago

    Push notifications don't use the UDID. They use a different token. UDIDs can be requested without user consent by applications, although that functionality is supposedly deprecated from iOS 5 onwards.

panacea 14 years ago

That ended abruptly and without much in the way of resolution?

  • cortesi 14 years ago

    Yes, sorry - I'm on the road at the moment, and wrote that in a rush. Part of the problem is that there's not much users can do at this stage. The ecosystem of companies that use and abuse UDIDs is fragmented, and each service that relies on UDIDs for identification or authentication can have its own unique problems. I guess it would be possible to start aggressively releasing a list of services that users should close their accounts on, but that would also be a shopping list for bad guys out to take advantage of this situation.

gmac 14 years ago

The post adds approximately nothing to the headline.

It's also worth noting that Apple has deprecated the UDID, and new and updated apps are no longer able to access it.

nodesocket 14 years ago

Forgive me if I am mistaken, but isn't all you need a UDID to send a push message to a device? I.e. via Urban Airship.

  • sgman 14 years ago

    No, you need a push token, which is a combination of device id and app id, and is only generated when the user authorizes the app for remote notifications. Additionally, you need a certificate on the server that is authorized to send messages to that app id.

ideawave 14 years ago

The server is really slow, is this being run on an FBI laptop? (asking for people to upload their UDID)
