Have a quick read through the posts linked in the article this story points to. I show that using just a UDID, you could access the user's geolocation, games they played, private messages and friends lists on many of the affected social networks, and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts. This is with _just_ a UDID. Some of the companies I notified a year ago are still vulnerable today. And remember, I only looked at social gaming networks - small slice of the app ecosystem. I know that there are similar systemic issues in many other places. So yes, this is definitely a catastrophe.
Unfortunately, there's just not much an ordinary user can do. There's no way for a user to tell if an app accesses and broadcasts their UDID (if you're an expert you can use mitmproxy or a similar tool), and certainly no way to tell if the UDID is being used safely. I would recommend de-linking your social media accounts from all apps unless you know they're safe, but that's the kind of drastic advice that people tend not to take.
Thanks for that. Not super worried about people knowing my location or games I played :p
However, this is of interest:
>and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts
How is that possible? Are we going to see mass defacements/malware links or other bad stuff on Twitter and Facebook as a result?
Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a hacker could log into that associated account with full permissions?
I'm assuming any scripted attack would only have the permissions that any other FB/Twitter app has, and could be blocked in App settings if it started doing 'bad stuff'?
I found vulnerabilities in two social gaming networks that let you take control of people's Facebook and Twitter accounts using _just_ the UDID. I never published the details of these vulnerabilities, but you can find an official acknowledgement from at least one of these companies (Chillingo of Angry Birds fame) in this WSJ piece:
By "Take control of..." you mean "act with the permissions of the app", I assume? I can't see how Angry Birds the app would ever have full control over my Facebook account unless there's a catastrophic vuln. in the Facebook API.
Chillingo is the publisher of the original Angry Birds, and it's their social network (which is integrated with Angry Birds and therefore on millions of devices) that had the vulnerability.
Not really. The UDID itself is not a "horrible, insecure system", it's just a unique identifier. It's the app developers who came up with the horrible, insecure systems due to how they used the UDID.
The problem is that the developers do not understand how to engineer secure systems. Take away the UDID and their systems will still be broken, just in a different way.
That said, it does pose an interesting question as to what Apple could have done to prevent this eventuality. One possibility would have been not to expose a global device ID to developers, but instead to generate a per-app (or maybe per-developer-key) ID. That would have made such a leak extremely difficult, and would have isolated the damage to whatever vulnerabilities were present in a single app.
You're right that these developers would have made something broken regardless of whether this problem existed, but Apple should try not to give them enough rope to hang themselves. What's fascinating is that "globally visible unique identifier" turns out to be just enough rope.
Yeah and there was an outcry over that, and nobody saying "Good decision." As Microsoft learned in the '90s, when you're on top nobody's going to do anything but rip on you.
Given that the UDID has been deprecated in iOS5 and Apple are now rejecting apps that use it, I'd be interested to see what level of actual vulnerability there is these days.
They aren't actually rejectIng apps. But yes, they're replacing it with something akin to androidid. Check the uidevice doc for ios6 if you have it.
The real problem is the lack Of referral tags on installs. Android got this right I think. As it is ever advertiser uses a different hash of some Id whih means I have to store every possible identifier in plain text to hash later. Considering we have 3 million udids, Mac address, etc... This particular leak is unimportant.
> If your UDID is contained in the list, take a minute to help us identify the traitor that did give your information to the FBI without any your agreement and without warrant !
Wouldn't it also be useful to gather information about who WASN'T on the list and what Apps they have? Maybe device type as well.
Seeing as this is only 1 million sampled from a claimed 12 million list, that wouldn't be that useful since it's possible their UUID is just on the other part of the list.
It affects anyone who lives in a society that is being tracked by their government.
It may be a good thing that the FBI can better track criminals, but if it is used to track political dissidents or to monitor foreign or unpopular companies it should be a concern for us all.
I'm not saying this is happening now, but we should be wary of going down that path.
If you've been exposed take some time to help us identify who gave this UDID's to the FBI. (Already working with 3 exposed device owners)
http://news.ycombinator.com/item?id=4473833
Sorry, I don't think this strategy is workable. Consider - 74% of apps I tested sent the UDID to one or more upstream servers. Furthermore, Flurry alone received UDIDs from 15% of apps I tested. That's just one aggregator, and they surely have nearly 100% of UDIDs on file. The APNS tokens narrow it down somewhat, but not too much. It's also not at at all clear that there is a single source involved - this could be an amalgamation of a number of sources.
Apple has provided a number of replacements for UDID, that address some of the UDID uses without it being as much of a privacy problem. It's all still under NDA, so I posted my summary on the Apple's developer forums (iOS developer login required): https://devforums.apple.com/message/723147
Has anyone verified that this UDID leak isn't just the old "Goatse Security" leak re-branded? I'm not saying I have any evidence to that, but it seems strange that the "ownage" document didn't mention anything about how the hack was done.
Along those lines, has there been any talk of the attack vector? To get a list like this, it would seem that AT&T (as was the case with "Goatse Security") or Apple would need to be compromised to get this list.
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
"NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. the personal details fields referring to people
appears many times empty leaving the whole list incompleted on many parts. no
other file on the same folder makes mention about this list or its purpose.
If you disallow an app from sending you push notifications, will it still have your UDID/Device ID? Or if you never enable it, does the app & app server never get it?
Push notifications don't use the UDID. They use a different token. UDIDs can be requested without user consent by applications, although that functionality is supposedly deprecated from iOS 5 onwards.
Yes, sorry - I'm on the road at the moment, and wrote that in a rush. Part of the problem is that there's not much users can do at this stage. The ecosystem of companies that use and abuse UDIDs is fragmented, and each service that relies on UDIDs for identification or authentication can have its own unique problems. I guess it would be possible to start aggressively releasing a list of services that users should close their accounts on, but that would also be a shopping list for bad guys out to take advantage of this situation.
No, you need a push token, which is a combination of device id and app id, and is only generated when the user authorizes the app for remote notifications. Additionally, you need a certificate on the server that is authorized to send messages to that app id.
Should we change our paypal passwords? Or worry about getting more spam? etc Why should an end user (eg my mom) care?
I'm not saying there aren't serious repercussions, just having a hard time seeing exactly what they are.