Apple UDID Leak: There’s No Proof (Yet) Of FBI Involvement, But Here’s Why You Should Still Care

12 million Apple UDIDs (unique device identifiers) may be in the wild, or at least that’s the claim from the hacker group Antisec, which has released a sampling of that data, allegedly retrieved from an FBI laptop computer. The actual leak, however, did not include 12 million records – it included 1 million and one records. The group also claimed that they stripped out personally identifiable data, including names, phone numbers and addresses.

But the news of the leak has raised many questions: where did it come from, for example? It’s clearly not a case of Apple simply handing over personal data to the FBI. But was the FBI involved? [Update: The FBI says it was not.] Was there a particular leaky app or service involved, too? And, the most burning question of them all: Why on earth should I care?

For starters, there’s no proof at this time that the leak came from the FBI, that personally identifiable info was also involved, that there are actually 11 million other records sitting in a spreadsheet somewhere, or that this is not a case of an older data leak being re-released for no reason other than to stir the pot. Those are just Antisec’s claims. The data is being examined now by a number of industry and security experts, though, so we should eventually know whether we can rule out any other known leaks as the source.

Apple has been taking steps to phase out developer access to the UDID due to privacy concerns. In August 2011, the company announced that with iOS 5, it would deprecate the UDID. (UDIDs are alphanumeric strings that are unique to each Apple device.) The developer community has since begun to implement a variety of more secure means to do what the UDID previously allowed for – powering advertising and storing data about an app’s users. But enforcement of the change has been slow – Apple has still been approving apps that use UDIDs, and most of the iOS traffic today still carries the UDID, says Craig Palli, vice president of Client Services & Business Development at mobile marketing technology company Fiksu.

WHERE DID THE LEAK COME FROM?

At this time, we don’t know where the data came from. Antisec claims it’s from a March hack of an FBI PC, but offers no proof. UDIDs themselves cannot be dated externally, so only Apple would know when the devices in question were originally sold. According to Wayne Chang, co-founder of Crashlytics, a company that developed one of the above-mentioned UDID alternatives, the source of the data is definitely mysterious. “For it to be a third-party app, it had to be one that also collected lots of personal information,” he says, “or was very clever to record and report the user’s ‘Me’ address book card, which is now finally protected by iOS but was not previously. Another possibility is that this data was sniffed over the wire and assembled from the multitude of apps that send portions of this data in cleartext.”

That latter option is the more worrisome possibility – if the FBI is involved, and if it’s sniffing data, that’s an incredible reveal – too bad Antisec has not yet proven that definitively.

The size of the leak – let’s say it is 12 million – doesn’t help us pinpoint the source any further. Many apps and services have 12 million or more users, and although networks like social gaming platform OpenFeint have mishandled UDID info in the past, they did not appear to have names and contact numbers on file. Plus, the inclusion of the push tokens is curious, Chang notes. There are only two ways to get a push token: via an app that asked for it and the user agreed, or by sniffing the token off the network. “So, if it came from an app, it’s an app that required push notifications. If it didn’t come from an app, then it was aggregated data and each of the fields was populated from different sources,” says Chang.

Aldo Cortesi, CEO of security consultancy Nullcube, has been tracking the UDID situation for some time. He feels such a leak was bound to happen. “The upshot is that UDIDs are aggregated by many companies in many places – perhaps thousands of individual databases – and it only takes one leak to cause a major problem,” says Cortesi. “So although the source of the information in this case was surprising – I would have expected a simple hack of, say, a games company – a leak of this kind was almost inevitable.” He also speculates that it could just as easily have come from UDID aggregators – meaning services that work with a cross-section of developers to provide analytics, or, like OpenFeint, a social gaming platform.

But he agrees that given the information we have on hand, pinpointing the source of the leak will be difficult. Only if Antisec chooses to release the other data (names, addresses, etc.) would we have a chance to establish where the leak originated, he says.

WHY DOES THIS MATTER?

In general, UDIDs in and of themselves are not very valuable. It’s only when they’re tied to other information that there’s risk to end users. But it’s irresponsible to store them in a spreadsheet accompanied by user names, addresses and phone numbers, Chang points out. Plus, he adds, “if your name is on the list, you could be sent push notifications, and apps could theoretically know your home address or phone number. Companies that are looking to build a profile of you will now have even more complete data for those 12 million.” So, if Antisec does have personal info on file as they claim, there could be trouble.
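To make the aggregation risk Cortesi and Chang describe concrete, here is an added illustration (not code from the article or from any company named in it) using constructed sample records: a leaked list keyed by raw UDID joins directly to any other database keyed the same way, whereas records keyed by a per-app HMAC of the UDID (the pseudonymization approach assumed here, not Apple's own replacement API) cannot be joined without each app's secret.

```python
import hashlib
import hmac
import re

# iOS UDIDs are 40 lowercase hex characters.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample data, not records from the leak.
LEAK = [
    ("a" * 40, "Alice Example", "+1-555-0100"),
    ("b" * 40, "Bob Example", "+1-555-0101"),
    ("not-a-udid", "Mallory Example", "+1-555-0199"),
]
GAME_DB = {"a" * 40: {"friends": ["carol", "dave"]}, "c" * 40: {"friends": []}}
MAPS_DB = {"a" * 40: {"last_fix": "40.71,-74.00"}, "b" * 40: {"last_fix": "51.50,-0.12"}}


def is_udid(value):
    return bool(UDID_RE.match(value))


def join_on_udid(leak, *dbs):
    """Link every database record sharing a raw UDID with a leaked identity.
    This is the aggregation risk: one leaked list keyed by a global identifier
    joins to every other database keyed the same way."""
    profiles = {}
    for udid, name, phone in leak:
        if not is_udid(udid):
            continue  # malformed rows are skipped rather than guessed at
        profile = {"name": name, "phone": phone}
        for db in dbs:
            profile.update(db.get(udid, {}))
        profiles[udid] = profile
    return profiles


def app_scoped_id(udid, app_secret):
    """Per-app pseudonym: HMAC-SHA256 of the UDID under a secret that only this
    app's backend holds. Different secrets give unrelated keys for one device,
    so two apps' databases cannot be joined without both secrets."""
    return hmac.new(app_secret, udid.encode("ascii"), hashlib.sha256).hexdigest()


def rekey(db, app_secret):
    """Store records under the scoped id instead of the raw UDID."""
    return {app_scoped_id(udid, app_secret): rec for udid, rec in db.items()}
```

Running the same join against the rekeyed databases yields only the leaked name and phone, with nothing from either app attached.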

Ouriel Ohayon, co-founder of AppsFire, which also backed a popular UDID alternative in the wake of Apple’s deprecation of the identifier, agrees that there’s not a major issue with a UDID leak alone. “I don’t see where the privacy issue is since UDIDs are random numbers and don’t reveal a thing about a user or device,” he says. In our earlier report, however, TechCrunch’s John Biggs says that he was able to identify individuals based on this data, but it was not a direct 1-to-1 identifier.

Cortesi urges caution, though. “If your UDID is on the list, you have reason to be very concerned,” he says. “When I looked at this issue [in the past], I showed how using only a UDID, it was possible to get access to private user information including friends lists, geolocation, information on what games you were playing and who you were chatting to. I was even able to take over Facebook and Twitter accounts, again using just a UDID,” he says. He points out that those problems were made possible by vulnerabilities in social gaming networks, and that he alerted them to the vulnerabilities prior to the release of his findings. “There’s no reason to believe that the rest of the app ecosystem is more secure than the small section I examined closely. I’m worried that there may be similar issues out there waiting to be exploited, and that this database will give someone the ability to do so at a very large scale,” Cortesi warns.

Unfortunately, for now, it’s unclear what individuals can do. According to Graham Cluley of security firm Sophos, there are webpages that have been set up to check whether your UDID is on the list of those exposed. “But all you can do then is hold tight and hope that the hackers don’t publish further identifying information.”

UPDATE: 5 PM ET – the FBI says it was not the source of the breach, even tweeting the claims were “totally false.”