1 Million Apple UDIDs Leaked Online Last Night

Last night, the hacking group AntiSec posted 1 million UDIDs online, claiming they have 11 million more, and that they had stolen them from an FBI laptop in March, when they exploited a Java vulnerability.

UDID: Unique Device ID

Think of it like a serial number for your iOS device, the fingerprint of your phone or iPad.  It is a unique, 40-character alpha-numeric number, and is used by Apple, ad networks, and app developers to identify devices.

It has long been touted as insecure (it’s sent back to app developers un-encrypted), and Apple started to phase it out in April.

Your UDID doesn’t mean much on its own, it’s like your driver’s licence number but without information like your name, address, etc.  However, according to AntiSec, they found more information attached to the numbers, but stripped it out before posting them online, which I think is kind of them.

From Forbes.com:

If the UDIDs are determined to be real, just what that means about law enforcement and Apple users’ privacy isn’t entirely clear. Much more than passwords or even email addresses, UDIDs are already spread around the Internet by app developers and advertisers–a study by one privacy researcher in 2011 found that 74% of the apps he tested sent a user’s UDID to a remote server. But the same researcher also found that five out of seven social gaming networks he tested allowed users to log in with only their UDID, making a stolen UDID equivalent to a stolen password.

How to find your UDID number

You have to do this on your computer, it’s not displayed on your iPhone.

Connect your phone to your computer.  Open iTunes, click on your device in the left column, this screen will look familiar.

Click “Serial Number”, and the number to the right will change to your UDID.  You won’t be able to copy & paste this, you’ll have to record it manually.

Next step is to check if yours was one of the million posted online.

The Next Web has created a tool to see if your number was on the leaked list.

TWO THINGS  TO KNOW BEFORE YOU DO THIS.

YES, I’M YELLING HERE

1. I can’t guarantee you this is safe.  I don’t know Next Web. What I do know though, is I found this link posted on Twitter by Mikko Hypponen, whom I met and interviewed last year at DefCon 19, who is one of the world’s leading experts in information security.  I felt confident enough to enter mine.  Best I can do, guys.

2. Don’t paste your entire UDID into the box.  Next Web says they’re not storing the UDIDs, but adds that they’re also not being encrypted during this process.  The best thing to do is not enter your entire number; I entered only the first half of mine, good enough.
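An added example (not from the original post, and not The Next Web's tool): checking only a partial UDID against a list held locally, so the full identifier never leaves your machine, and showing why the first half is enough to match. It assumes UDIDs are 40 hexadecimal characters; the sample list, the minimum prefix length and the function names are constructed for illustration.

```python
import re

UDID_LEN = 40     # the post: a UDID is 40 characters (assumed hexadecimal here)
MIN_PREFIX = 10   # assumption: shorter fragments are too ambiguous to be useful

# Constructed sample standing in for a locally saved copy of a leaked list.
# These values are made up; they are not entries from the real dump.
SAMPLE_LEAK = [
    "3f2a9c0d1e4b5a6f7788990aabbccddeeff00112",
    "3f2a9c0d1e4b5a6f7788" + "f" * 20,
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334",
]


def normalize(fragment):
    """Strip spaces and dashes, lower-case, and reject anything that is not hex."""
    cleaned = re.sub(r"[\s\-]", "", fragment).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("expected hexadecimal characters only")
    if not MIN_PREFIX <= len(cleaned) <= UDID_LEN:
        raise ValueError(f"expected {MIN_PREFIX} to {UDID_LEN} characters")
    return cleaned


def expected_chance_matches(prefix_len, list_size):
    """Expected number of unrelated entries that share a random prefix."""
    return list_size / 16 ** prefix_len


def check_prefix(fragment, leaked):
    """Compare a partial UDID against a local list without needing the rest."""
    prefix = normalize(fragment)
    hits = sum(1 for udid in leaked if udid.lower().startswith(prefix))
    return {
        "prefix_len": len(prefix),
        "matches": hits,
        "ambiguous": hits > 1,  # more than one device shares this prefix
        "chance_matches": expected_chance_matches(len(prefix), len(leaked)),
    }


if __name__ == "__main__":
    # First half only (20 characters), typed with spaces and mixed case.
    print(check_prefix("3F2A 9C0D 1E4B 5A6F 7788", SAMPLE_LEAK))
    # For a list of one million entries, a 20-character prefix collides
    # by chance with an expected count far below one.
    print(expected_chance_matches(20, 1_000_000))
```
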

Click here to check yours.  Mine came back not leaked, and looked like this:

What to do if your UDID has been leaked?

Call Apple.

Further Reading

Forbes

Lifehacker – definition of a UDID

Corte.si

TechCrunch

 

UPDATE: 6:40pm

The FBI has replied that the claim made by AntiSec is “totally false”. Privacy-advocacy groups are freaking out. AntiSec then said it won’t say another word until journalist Adrian Chen poses in a tutu on the Gawker homepage for 24 hours.

And so he did.

The hashtag #FBI has been trending on Twitter all day, that’s rare.  If you’re following the story out there, be careful what you click.

Gizmodo posted a good article, “Why You Shouldn’t Freak Out if Hackers Leaked Your Apple Device ID”.

True or not, you probably thought about your online security more today than in a long time, so good.  Your online life is very valuable, treat and protect it accordingly.  

And I learned about being a part of the news cycle.

 

 

Edit Photos Before You Upload

I always blur out licence plates, often faces, you’ve never seen a kid here; I err on the side of caution.

You may not notice the information you’re giving away in a photo. Often it’s something in the background that sinks you.

I use an offline editor (like Photoshop) to edit before uploading.

If I’m using an online editor, like Picasa, I assume the file I’m altering is also available in its original form on some server, somewhere.  Whether or not I post that photo, doesn’t matter, it still exists.

When editing, take the time to smudge and obscure, using many strokes of the mouse.

And absolutely do not use the swirl effect; all you have to do is reverse it, and look:

 (photo via Wikipedia)

Interpol used this exact technique to locate and arrest a child molester, “Mr Swirl”, back in 2007.

I remember being in a room full of people when that came across the TV, and I said, “oh he used the Photoshop swirl to hide his face, reverse it”.  Then the news story continued, and people looked at me like I was a wizard (easy crowd, totally milked it).

 

 

 

 

Watch Out for the Window Reflection

Windows act like giant mirrors at night.

You can’t tell by this photo, but his screen was crystal clear.  I went along on his digital camera shopping trip during my Happy Meal.

Then the most Canadian thing happened.

He left his gear, and went outside to smoke, he’s the *

(although I love the Canadian-ness above, leaving your laptop unattended is a terrible idea. Even if you think you’re close enough to react in time, you’re not.)