Antisec has reportedly released a million Apple device UDIDs, which it claims to have taken from the 12 million it got from a breach of an FBI laptop. That is kind of terrifying for a variety of reasons, but let’s just focus on the one you care most about: What is a UDID, and how might yours being exposed affect you?
What’s a UDID?
Let’s start with the basics. The UDID is the Unique Device Identifier for your iOS device. It’s essentially the serial number of your phone, and every iPhone, iPod, and iPad has one. By itself, it means nothing; it’s just an identifier. Up until recently, developers primarily used the UDID as a universal way of storing information about your phone. For example, an app might store your preferences by UDID (UDID X likes its settings this way; UDID Y likes them that way). You use your iPad differently from your iPhone; a UDID helps your apps accommodate that.
But developer interest in your UDID isn’t entirely altruistic. Think of it as the centre point of a spiderweb. It’s used by a number of advertising companies to cross reference which apps you use, and target ads to you — not much different from Google or Facebook using targeted advertising. Each app you use that sends UDID-specific data to a database is like another strand added to the web, connected at the centre, the touchpoint.
So what’s the problem?
Here’s the thing: The information stored by apps using your UDID can be anything. UDID was the reference point for the contact information that Path took from phones early this year. Tweetbot used it to store notification settings. Some apps and networks even allow login using just the UDID — though that seems to be mainly social gaming networks.
If someone had access to all of the databases of all of the apps out there, they would be able to pull all of your usernames, your email address, histories, friends, and habits into a deeply disturbing web of your mobile usage.
How bad is it, really?
But that’s not what’s happening here. What was leaked appears to be a list of users and information gathered from just one app, or a few — NOT a cross-section of the UDID on every single app you use. It’s one or two stands of the spider web, along with the central touchpoint. That’s almost certainly not enough to pull together the whole of your online identity and put that out there for the public to see. This is not the worst case scenario.
So while it’s still plenty disconcerting that “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, mobile phone numbers, addresses, etc.” are out there, there’s nothing in it (specifically, email addresses and passwords) that could upend your digital life. That’s the good news.
The bad news? All things equal, you’d probably rather not share all of that super freely. So, yes, you should be alert about this breach if your phone’s UDID is on that list. Change your passwords, take the normal precautions. But take heart that this hack didn’t unleash the full fury of information your UDID identified holds.