One of the top stories in iOS security this week has been the apparent breach and loss of Apple iOS device UDIDs (Unique Device Identifiers). The hacktivist group AntiSec claimed that it had successfully penetrated the personal computing device of an FBI employee and extracted the UDIDs from the laptop. AntiSec released 1,000,001 of the stolen UDIDs as proof of its booty, and claimed that it was exposing an FBI domestic spying program on individuals with Apple iOS devices. Thus far, both the FBI and Apple have (predictably) stated that there was no indication of any intrusion or loss of data. What has been confirmed is the authenticity of the actual UDID numbers.
If the UDIDs are valid (and you can check to see if your UDID has been compromised here), and they came from neither Apple nor the FBI, where did they come from? Clearly someone, somewhere, really messed up big time in letting these UDID numbers get out into the wild.
There is good news and bad news in this situation. The bad news is that someone who has your UDID can target you with extremely specific fraud attempts, even from within apps that you already own … so be very, very cautious about what you tap on from now until forever. Forever, you ask? Yep. The other piece of bad news is that if your UDID is among those compromised, there isn’t anything you can do about it. One suggestion is to go to your Apple Store and see if they will allow you to exchange your device for a different, identical device. The good news is that the UDID by itself is relatively useless unless used with other information. Also, with iOS 6 and the new App Store app-submission rules, the UDID will no longer be used and will ultimately become irrelevant.
