
The UDID leak is a privacy catastrophe - gnufs
http://corte.si/posts/security/udid-leak.html
======
wamatt
After reading this, I'm still a bit confused as to why this is a catastrophe?

Should we change our PayPal passwords? Or worry about getting more spam? etc.
Why should an end user (e.g. my mom) care?

I'm not saying there aren't serious repercussions, just having a hard time
seeing exactly what they are.

~~~
cortesi
Have a quick read through the posts linked in the article this story points
to. I show that using just a UDID, you could access the user's geolocation,
games they played, private messages and friends lists on many of the affected
social networks, and in some cases (which affected millions of users)
completely take over Twitter and Facebook accounts. This is with _just_ a
UDID. Some of the companies I notified a year ago are still vulnerable today.
And remember, I only looked at social gaming networks - a small slice of the
app ecosystem. I know that there are similar systemic issues in many other
places.
So yes, this is definitely a catastrophe.

Unfortunately, there's just not much an ordinary user can do. There's no way
for a user to tell if an app accesses and broadcasts their UDID (if you're an
expert you can use mitmproxy or a similar tool), and certainly no way to tell
if the UDID is being used safely. I would recommend de-linking your social
media accounts from all apps unless you know they're safe, but that's the kind
of drastic advice that people tend not to take.

~~~
wamatt
Thanks for that. Not super worried about people knowing my location or games I
played :p

However, this is of interest:

> and in some cases (which affected millions of users) completely take over
> Twitter and Facebook accounts

How is that possible? Are we going to see mass defacements/malware links or
other bad stuff on Twitter and Facebook as a result?

Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a
hacker could log into that associated account with full permissions?

I'm assuming any scripted attack would only have the permissions that any
other FB/Twitter app has, and could be blocked in App settings if it started
doing 'bad stuff'?

~~~
cortesi
I found vulnerabilities in two social gaming networks that let you take
control of people's Facebook and Twitter accounts using _just_ the UDID. I
never published the details of these vulnerabilities, but you can find an
official acknowledgement from at least one of these companies (Chillingo of
Angry Birds fame) in this WSJ piece:

<http://blogs.wsj.com/digits/2011/09/19/privacy-risk-found-on-cellphone-games/>

~~~
TylerE
Angry Birds was made by Rovio, not Chillingo.

Chillingo is a publisher of third-rate knockoffs.

~~~
cortesi
Chillingo is the publisher of the original Angry Birds, and it's their social
network (which is integrated with Angry Birds and therefore on millions of
devices) that had the vulnerability.

------
api
No, the UDID is a privacy catastrophe.

~~~
mtgx
UDID is a few years old is it not? It's surprising it took people this long to
figure this out.

~~~
sigzero
Apple has been telling devs to move away from it for at least a year.

~~~
ebbv
Yeah and there was an outcry over that, and nobody saying "Good decision." As
Microsoft learned in the '90s, when you're on top nobody's going to do
anything but rip on you.

------
prof_hobart
Given that the UDID has been deprecated in iOS5 and Apple are now rejecting
apps that use it, I'd be interested to see what level of actual vulnerability
there is these days.

~~~
lekashman
If they've deprecated the feature, are they doing anything instead to
accomplish the same effect as the UDID?

~~~
idunno246
They aren't actually rejecting apps. But yes, they're replacing it with
something akin to the Android ID. Check the UIDevice doc for iOS 6 if you have it.

The real problem is the lack of referral tags on installs. Android got this
right, I think. As it is, every advertiser uses a different hash of some ID, which
means I have to store every possible identifier in plain text to hash later.
Considering we have 3 million UDIDs, MAC addresses, etc... this particular leak
is unimportant.

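An added example (mine, not from the linked post or any commenter) of the check cortesi describes above, scanning a traffic capture from a proxy such as mitmproxy for your own UDID, extended to the hashed forms idunno246 mentions. The request records, hostnames and UDID are constructed for the demo.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample UDID (40 hex chars, the format iOS used); not a real device.
SAMPLE_UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"


def udid_fingerprints(udid: str) -> dict:
    """Forms a UDID commonly travels in: raw, or as a plain hash of the raw value
    (the per-advertiser hashing idunno246 describes)."""
    u = udid.lower()
    return {
        "raw": u,
        "md5": hashlib.md5(u.encode()).hexdigest(),
        "sha1": hashlib.sha1(u.encode()).hexdigest(),
        "sha256": hashlib.sha256(u.encode()).hexdigest(),
    }


def find_udid_leaks(captured, udid):
    """Scan captured requests (dicts with 'url', 'headers', 'body', e.g. exported
    from a mitmproxy session) for the UDID in any fingerprint form.
    Returns a list of (host, form, location) tuples, one per hit."""
    fps = udid_fingerprints(udid)
    hits = []
    for req in captured:
        host = urlsplit(req["url"]).hostname or "?"
        places = {"url": req["url"], "body": req.get("body", "")}
        for name, value in req.get("headers", {}).items():
            places["header:" + name] = value
        for location, text in places.items():
            low = text.lower()
            for form, fp in fps.items():
                if fp in low:
                    hits.append((host, form, location))
    return hits


# Constructed sample traffic: a game login that sends the raw UDID, an ad/analytics
# beacon that sends its MD5, and a clean request that sends neither.
CAPTURED = [
    {"url": "https://api.example-game.test/login?udid=" + SAMPLE_UDID,
     "headers": {"User-Agent": "GameApp/1.0"}, "body": ""},
    {"url": "https://beacon.example-ads.test/event",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "event=open&did=" + udid_fingerprints(SAMPLE_UDID)["md5"]},
    {"url": "https://weather.example.test/v1/forecast?zip=94105",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for host, form, where in find_udid_leaks(CAPTURED, SAMPLE_UDID):
        print(f"{host}: UDID sent as {form} in {where}")
```

A hit only tells you the identifier left the device; whether the receiving service also uses it as an authentication credential (the real danger cortesi describes) is a separate question.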
~~~
prof_hobart
Are you sure that they aren't rejecting? I've read a fair few stories like
this - <http://thenextweb.com/apple/2012/03/29/confirmed-apple-now-rejecting-apps-for-use-of-udid-start-finding-alternatives/>
\- that seem to suggest that they are.

------
dekz
> If your UDID is contained in the list, take a minute to help us identify the
> traitor that gave your information to the FBI without your agreement and
> without a warrant!

Wouldn't it also be useful to gather information about who WASN'T on the list
and what Apps they have? Maybe device type as well.

~~~
FredericJ
The device type is given in the leak.

~~~
dekz
Sorry, I meant in relation to the UDIDs not in the list.

------
ganley
If I don't play games, much less belong to any social gaming networks, does
this affect me at all?

~~~
bornhuetter
Indirectly it affects all of us.

~~~
_cbdev
*that have iDevices.

~~~
bornhuetter
It affects anyone who lives in a society that is being tracked by their
government.

It may be a good thing that the FBI can better track criminals, but if it is
used to track political dissidents or to monitor foreign or unpopular
companies it should be a concern for us all.

I'm not saying this is happening now, but we should be wary of going down that
path.

------
FredericJ
If you've been exposed, take some time to help us identify who gave these UDIDs
to the FBI. (Already working with 3 exposed device owners)
<http://news.ycombinator.com/item?id=4473833>

~~~
cortesi
Sorry, I don't think this strategy is workable. Consider: 74% of apps I
tested sent the UDID to one or more upstream servers. Furthermore, Flurry
alone received UDIDs from 15% of apps I tested. That's just one aggregator,
and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it
down somewhat, but not too much. It's also not at all clear that there is a
single source involved - this could be an amalgamation of a number of sources.

See this post for the source of these figures:

<http://corte.si/posts/security/apple-udid-survey/index.html>

------
DenisM
A quick reminder for iOS developers:

Apple has provided a number of replacements for the UDID that address some of
the UDID's uses without being as much of a privacy problem. It's all still
under NDA, so I posted my summary on Apple's developer forums (iOS developer
login required): <https://devforums.apple.com/message/723147>

------
david_shaw
Has anyone verified that this UDID leak isn't just the old "Goatse Security"
leak re-branded? I'm not saying I have any evidence to that, but it seems
strange that the "ownage" document didn't mention anything about how the hack
was done.

Along those lines, has there been any talk of the attack vector? To get a list
like this, it would seem that AT&T (as was the case with "Goatse Security") or
Apple would need to be compromised to get this list.

~~~
patdennis
They did mention the vulnerability they used:

 _During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team, was breached using the
AtomicReferenceArray vulnerability in Java. During the shell session some
files were downloaded from his Desktop folder; one of them, with the name
"NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of
device, type of device, Apple Push Notification Service tokens, zipcodes,
cellphone numbers, addresses, etc. The personal details fields referring to
people appear empty many times, leaving the whole list incomplete in many
parts. No other file in the same folder makes mention of this list or its
purpose._

------
robbiep
If you disallow an app from sending you push notifications, will it still have
your UDID/Device ID? Or if you never enable it, does the app & app server
never get it?

~~~
objclxt
Push notifications don't use the UDID. They use a different token. UDIDs can
be requested without user consent by applications, although that functionality
is supposedly deprecated from iOS 5 onwards.

~~~
robbiep
Thanks for clarifying.

------
panacea
That ended abruptly and without much in the way of resolution?

~~~
cortesi
Yes, sorry - I'm on the road at the moment, and wrote that in a rush. Part of
the problem is that there's not much users can do at this stage. The ecosystem
of companies that use and abuse UDIDs is fragmented, and each service that
relies on UDIDs for identification or authentication can have its own unique
problems. I guess it would be possible to start aggressively releasing a list
of services that users should close their accounts on, but that would also be
a shopping list for bad guys out to take advantage of this situation.

------
gmac
The post adds approximately nothing to the headline.

It's also worth noting that Apple has deprecated the UDID, and new and updated
apps are no longer able to access it.

------
nodesocket
Forgive me if I am mistaken, but isn't a UDID all you need to send a push
message to a device? I.e. via Urban Airship.

~~~
sgman
No, you need a push token, which is a combination of device id and app id, and
is only generated when the user authorizes the app for remote notifications.
Additionally, you need a certificate on the server that is authorized to send
messages to that app id.

~~~
saurik
The push token is static for the device installation: it is not in combination
with the "app id".

<http://stackoverflow.com/questions/2338267/is-the-apn-device-token-unique-to-each-individual-app>

~~~
erichocean
Yeah, but the certificate used to push _is_.

Effectively, it's the same result: you can only push to one app with one set
of credentials, and credentials are not shared between apps.

------
ideawave
The server is really slow, is this being run on an FBI laptop? (asking for
people to upload their UDID)

