Last night, the hacking group AntiSec posted 1 million UDIDs online, claiming they have 11 million more, and that they had stolen them from an FBI laptop in March, when they exploited a Java vulnerability.
UDID – Unique Device ID
Think of it like a serial number for your iOS device, the fingerprint of your phone or iPad. It is a unique, 40-character alpha-numeric number, and is used by Apple, ad networks, and app developers to identity devices.
It has long been touted as insecure (it’s sent back to app developers un-encrypted), and Apple started to phase it out in April.
Your UDID doesn’t mean much on its own, it’s like your driver’s licence number but without information like your name, address, etc. However, according the AntiSec, they found more information attached to the numbers, but stripped it out before posting them online, which I think is kind of them.
From Forbes.com:
If the UDIDs are determined to be real, just what that means about law enforcement and Apple users’ privacy isn’t entirely clear. Much more than passwords or even email addresses, UDIDs are already spread around the Internet by app developers and advertisers–a study by one privacy researcher in 2011 found that 74% of the apps he tested sent a user’s UDID to a remote server. But the same researcher also found that five out of seven social gaming networks he tested allowed users to log in with only their UDID, making a stolen UDID equivalent to a stolen password.
How to find your UDID number
You have to do this on your computer, it’s not displayed on your iPhone.
Connect your phone to your computer. Open iTunes, click on your device in the left column, this screen will look familiar.
Click “Serial Number’, and the number to the right will change to your UUID. You won’t be able to copy & paste this, you’ll have to record it manually.
Next step is to check if yours was one of the million posted online.
The Next Web has created a tool to see your number was on the leaked list.
TWO THINGS TO KNOW BEFORE YOU DO THIS.
YES, I’M YELLING HERE
1 – I can’t guarantee you this is safe. I don’t know Next Web. What I do know though, is I found this link posted on Twitter by Mikko Hypponen, whom I met and interviewed last year at DefCon 19, who is one of the world’s leading experts in information security. I felt confident enough to enter mine. Best I can do, guys.
2 – Don’t paste your entire UUID into the box. Next Web says they’re not storing the UDIDs, but continues that they’re also not being encrypted during this process. The best thing to do is not enter your entire number; I entered only the first half of mine, good enough.
Click here to check yours. Mine came back not leaked, and looked like this:
What do do if your UDID has been leaked?
Call Apple.
Further Reading
Lifehacker – definition of a UDID
UPDATE: 6:40pm
The FBI has replied to the claim, made by AntiSec, that it is “totally false”. Privacy-advocacy groups are freaking out. AntiSec then said it won’t say another word, until journalist Adrian Chen poses in a tutu, on the Gawker homepage for 24 hours.
The hashtag #FBI has been trending on Twitter all day, that’s rare. If you’re following the story out there, be careful what you click.
Gizmodo posted a good article, “Why You Shouldn’t Freak Out if Hackers Leaked Your Apple Device ID”
True or not, you probably thought about your online security more today than in a long time, so good. Your online life is very valuable, treat and protect it accordingly.
And I learned about being a part of the news cycle.
That was neat: I saw the news about the leak early this morning, there were about 4 stories online, by the time I hit publish on mine, 350+
— KeriBlog (@KeriBlog) September 4, 2012