 |
| Antisec claimed it sourced the UDID codes from an FBI agent's laptop, but the US agency said there was "no evidence" it was the source |
Related
Stories
Many are
wondering how the recently leaked list of unique device identifiers (UDIDs)
from the hacktivist group Antisec will personally affect them. You may be
asking: should I be concerned?
First of
all, an Apple UDID is just a unique number given to every device, such as an
iPhone or iPad.
They are
very similar to vehicle identification numbers given to cars, which are unique
to each vehicle, helping to track its history, albeit without any information
encoded.
The only
association of UDID and personal information is provided when setting up a
device on iTunes, not directly encoded into the serial number itself.
The UDID
ensures that each device has a serial number that uniquely identifies it. This
ID is sometimes, against Apple's recommendations, used by App developers for
tracking a device.
For
example, imagine a grocery list app that inappropriately uses the UDID of the
device in a request for authentication, instead of a username and password.
This app
may also expose certain application programming interfaces (APIs) for Twitter
or Facebook, letting the app-user declare his or her favourite groceries via
social media.
The app
could also use the UDID for ad-tracking as well, ensuring that items of
interest will be displayed based on the consumers habits.
Ditching
the identifiers
If attackers
had a UDID and knew of apps that used them inappropriately, they could
potentially use it to compromise the privacy of an end user.
Having a
UDID in no way gives the bad guys the ability to actively compromise an Apple
device.
It is
possible that the UDID could be used by certain apps to acquire personal
information or potentially impersonate a user, but it does not provide any
direct control or access to your iPhone/iPad.
Apple is
moving away from the UDID, to something less device-specific such as core
foundation universally unique identifiers (CFUUIDs).
Cause for
concern?
Apple has
not directly stated why they are making this move but I'd speculate that they
wanted a unique identifier that was not necessarily linked to a physical
device, which probably creates a headache for App developers and ad networks
relying on the UDID for user association.
So, the
answer to the question "Should I be concerned" is: Slightly.
Right now
the true abilities of leveraging a UDID by an attacker are pretty grey.
There
appears to be some apps out there that rely solely on UDID for linking personal
information, but many do not.
As the UDID
saga unfolds, we will see which apps incorrectly use the UDIDs to link to
personal information and can more accurately identify the threat.
Honestly,
there are many more threats out there to PC and Mac users that should be more
concerning. Attackers are still quite focused on client-side exploitation via
browsers, document readers, and their plug-ins.
Chris
Valasek is a senior security researcher at Coverity, which develops products to
check software for coding errors. He is also chairman of SummerCon, the US's
oldest hacker convention.
No comments:
Post a Comment