Security experts and privacy groups have long criticised Apple’s decision to assign its mobile devices permanent, unique identifiers called UDIDs. On Tuesday, those critics’ fears came to pass when the Anonymous-aligned hacktivist group AntiSec released a list of 1 million device IDs, allegedly pulled from an unencrypted file found on the laptop of an FBI agent.
AntiSec’s stated goal in posting the IDs was to expose that the FBI had them in the first place. But with the trove’s true source now disputed (Apple has denied handing over the IDs, and the FBI asserts it never had them in the first place), the more pressing matter has been exactly how UDIDs put the privacy and security of iOS device owners at risk — and how they don’t.
In a recent article posted on CNET, Frank Heidt, chief executive of Leviathan Security claimed that with a UDID, a push token, and a device name, an attacker “could arbitrarily load an app on your phone.” But Alex Radocea, a senior engineer at CrowdStrike, says that’s not true.
“There’s been a lot of misinformation,” Radocea told The Verge over the phone. Just as AntiSec released their list of device IDs, he and his team posted the results of their examination of the iOS version of FinSpy Mobile, a strain of the infamous FinFisher spyware that was recently found targeting political dissidents.
In their report, CrowdStrike points out that the spyware uses ad-hoc distribution, a method intended for beta testing: the app is still signed with a developer certificate, but its provisioning profile lists the UDIDs of the devices allowed to run it, which lets it sidestep App Store review rather than Apple’s code signing. But that doesn’t mean that a UDID is the magic bullet for remotely installing malware on a device without the user’s knowledge, Radocea says.
“The main thing is that user interaction is required to install these applications,” he clarified. “They cannot be silently or arbitrarily installed, as the CNET article alleges.” In a blog post written shortly after news hit of AntiSec’s release, the ACLU similarly suggested that UDIDs could be used to secretly infect devices with the spyware.
In the case of FinSpy, even if its exfiltration payloads were loaded onto a device some other way, the only sample they’ve observed — provided by University of Toronto’s Citizen Lab — has not been fully “weaponized,” meaning it’s missing the privilege escalation exploit needed to get kernel access and leak data from a device. However, CrowdStrike says it is definitely possible that “armed” samples of the spyware exist somewhere in the wild, and urges anyone with information to get in contact.
“The sandbox is not easy to get out of,” Radocea said, referring to the sandbox that confines third-party apps to their own data and keeps them away from other sensitive areas of the system. “So the fact is that the UDID itself doesn’t buy that much. Just the ability to create an ad-hoc app.”
UDIDs are persistent, software-readable serial numbers hard-baked into iOS devices like iPads and iPhones. By themselves they’re just harmless-looking strings of 40 hexadecimal characters (a SHA-1 hash of hardware identifiers such as the serial number and network MAC addresses), but researchers have shown in the past that they are ripe for abuse, and can be exploited to find names, demographic information, geolocation, and more.
Aldo Cortesi, a New Zealand-based security researcher, has been especially vocal on the issue. Last year, he demonstrated how a UDID can be used to get GPS coordinates and even Facebook profile links by making unauthenticated API calls to the social gaming platform OpenFeint. Later on, he found that it was even possible to use UDIDs to take over user accounts on OpenFeint, Zynga, and other social gaming platforms.
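The failure Cortesi found comes down to a backend treating a device identifier as if it were a secret. The following is an added illustration of that pattern beside the fix, written for this page and not taken from the OpenFeint research or any real platform; the profile store, the UDID value and the class names are constructed for the example.

```python
import hashlib
import secrets

# Constructed profile store standing in for a social-gaming backend.
# The UDID and the profile are made up; nothing here comes from OpenFeint.
PROFILES = {
    "e1b2c3d4e5f60718293a4b5c6d7e8f9012345678": {
        "name": "alice",
        "location": (-36.8485, 174.7633),
        "facebook": "https://www.facebook.com/alice.example",
    },
}


def get_profile_by_udid(udid):
    """Vulnerable pattern: the device identifier is the entire credential.

    Anyone holding the UDID (an ad network, a leaked dump) can pull the
    profile, and the victim cannot rotate this 'password' short of buying
    a new device.
    """
    return PROFILES.get(udid.lower())


class TokenBackend:
    """Hardened pattern: a server-issued random secret authenticates the
    device; the UDID, if it is kept at all, is only a non-secret label."""

    def __init__(self):
        # token_hash -> udid. Only a hash of the token is stored so that a
        # database leak does not hand out live credentials.
        self._sessions = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, udid):
        """Called once, over TLS, when the app first runs on a device.
        Returns the secret the app keeps in the keychain."""
        token = secrets.token_hex(32)  # 256 bits of entropy, unguessable
        self._sessions[self._hash(token)] = udid.lower()
        return token

    def revoke(self, token):
        """Unlike a UDID, a leaked token can simply be killed and reissued."""
        self._sessions.pop(self._hash(token), None)

    def get_profile(self, token):
        """Presenting the UDID itself buys nothing here; only the token works."""
        udid = self._sessions.get(self._hash(token))
        return PROFILES.get(udid) if udid else None
```

The point of the hardened version is not the hashing detail but the separation of roles: the identifier may label a record, while the thing that grants access is random, per-device, revocable, and never derivable from anything an ad SDK can read.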
The underlying problem is that once UDIDs are out in the wild, the only way to get rid of them is buying a new device. Other platforms like Android have device IDs that change after a factory reset. But Apple’s UDIDs are persistent, and users of those devices have no way to change or erase them if their IDs become compromised.
Strangely enough, these same concerns came up way back in 1999 with the release of Intel’s Pentium III chip. Those chips came with a similar kind of persistent identifier, which was later disabled by Intel after consumer and privacy groups complained to the FTC.
Both Apple and OpenFeint have also faced a series of (short-lived) class action lawsuits as a result. In response, Apple has wisely begun forbidding mobile apps and games from reading them — but not before a massive collection of UDIDs had already been heavily traded among advertisers and other unscrupulous third parties.
A study from 2010 [PDF] found that 68 percent of apps in two of the App Store’s top categories at that time were reading device owners’ UDIDs and transmitting them in the clear to third party servers without the user’s knowledge or consent. Cortesi wrote a man-in-the-middle tool (mitmproxy) that shows this process in action, allowing a user to watch in real-time as the snitching apps send UDIDs and other data to third parties over HTTP traffic. So much data has been gathered by these apps that one plausible theory suggests the contents of the AntiSec dump may point to a common culprit.
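Watching the proxy is one thing; flagging the leaks automatically is what a practitioner would want. The following added example, written for this page and not part of Cortesi’s tool or the 2010 study, scans captured HTTP requests from a device whose UDID the tester already knows and reports every place that UDID appears. It also matches the MD5, SHA-1 and SHA-256 of the UDID, because apps often hash the identifier and call the result anonymous even though a hash of one fixed string is exactly as linkable. The UDID, hosts and captured requests are constructed sample data.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Hex runs of the lengths produced by MD5 (32), SHA-1/UDID (40) and SHA-256 (64).
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")

# The tester's own device UDID, as read from Xcode or iTunes.
# Constructed for the example; it is not a real device.
MY_UDID = "e1b2c3d4e5f60718293a4b5c6d7e8f9012345678"


def udid_fingerprints(udid):
    """Map the raw UDID and its common 'anonymised' hashes back to a label."""
    raw = udid.lower()
    return {
        raw: "raw",
        hashlib.md5(raw.encode()).hexdigest(): "md5",
        hashlib.sha1(raw.encode()).hexdigest(): "sha1",
        hashlib.sha256(raw.encode()).hexdigest(): "sha256",
    }


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_udid_leaks(udid, captures):
    """Return one finding per (request, location) where the UDID or a hash
    of it is transmitted. captures: dicts {"scheme": "http"|"https", "request": raw}.
    """
    fingerprints = udid_fingerprints(udid)
    findings = []
    for cap in captures:
        method, target, headers, body = parse_http_request(cap["request"])
        candidates = [("query:" + k, v) for k, v in parse_qsl(urlsplit(target).query)]
        for name, value in headers.items():  # custom headers, cookies, etc.
            candidates += [("header:" + name, t) for t in HEX_TOKEN.findall(value)]
        form_pairs = parse_qsl(body)  # empty for JSON or other non-form bodies
        if form_pairs:
            candidates += [("body:" + k, v) for k, v in form_pairs]
        else:
            candidates += [("body:raw", t) for t in HEX_TOKEN.findall(body)]
        for location, value in candidates:
            form = fingerprints.get(value.lower())
            if form is None:
                continue  # some other hex token, e.g. an ETag or commit hash
            findings.append({
                "host": headers.get("host", "<unknown>"),
                "method": method,
                "location": location,
                "form": form,
                "cleartext": cap["scheme"] == "http",  # sniffable on the wire
            })
    return findings


# Constructed captures of the kind a MITM proxy would show for a single app.
SAMPLE_CAPTURES = [
    {   # plain-HTTP ad beacon with the raw UDID in the query string
        "scheme": "http",
        "request": ("GET /beacon?app=puzzle&udid=E1B2C3D4E5F60718293A4B5C6D7E8F9012345678 HTTP/1.1\r\n"
                    "Host: ads.example.net\r\n"
                    "User-Agent: Puzzle/1.2 CFNetwork/548.1.4 Darwin/11.0.0\r\n\r\n"),
    },
    {   # plain-HTTP analytics POST sending sha1(UDID) as a form field
        "scheme": "http",
        "request": ("POST /collect HTTP/1.1\r\n"
                    "Host: metrics.example.org\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "event=launch&device_id=" + hashlib.sha1(MY_UDID.encode()).hexdigest()),
    },
    {   # HTTPS request carrying the UDID in a custom header: linkable, just not sniffable
        "scheme": "https",
        "request": ("GET /v1/scores HTTP/1.1\r\nHost: api.example.com\r\n"
                    "X-Device-Id: " + MY_UDID + "\r\n\r\n"),
    },
    {   # clean request: an unrelated 40-hex value that must not be flagged
        "scheme": "https",
        "request": ("GET /repo HTTP/1.1\r\nHost: code.example.com\r\n"
                    "If-None-Match: \"0000000000000000000000000000000000000001\"\r\n\r\n"),
    },
]

if __name__ == "__main__":
    for f in find_udid_leaks(MY_UDID, SAMPLE_CAPTURES):
        print(f)
```

Run against a real capture, the `cleartext` flag separates the two problems the article conflates: any hit means the app links the device to a third party, and a cleartext hit additionally means anyone on the same network can collect the UDID too.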
The good news is that in responding to the leak, Apple said that UDIDs will be replaced by a new set of APIs in iOS 6 (the per-vendor identifier and the resettable advertising identifier). But since existing UDIDs aren’t going away entirely, it would still greatly behoove you to check if your device’s ID has been compromised.