The fact that there are potentially 12 million UDIDs that have been compromised, and what is in these UDIDs that can be potentially harmful to the owner of the devices is what is relevant
(PRWEB) September 16, 2012
The recent announcement of the supposed hack of FBI agent supervisors’ laptop has received a lot of attention in the media. “The actual hack that is,” according to Michael Maxstead, the CEO of VPNReviewz, an online security and privacy education and review site. He says that, “While everybody talked about the actual hack, and the ensuing denial by the FBI, and the soon following Blue Toad Mobile admission, few discussed exactly what can be discerned from these Unique Device Identifiers, (UDIDs,) what they’re for, and most importantly, how to secure the device so your data is safe.”
What’s In A UDID
Whether or not the UDIDs came from a compromised FBI computer is a little irrelevant, according to Maxstead. “The fact that there are potentially 12 million UDIDs that have been compromised, and what is in these UDIDs that can be potentially harmful to the owner of the devices is what is relevant,” he said. Some of the apps that use the UDID transmit GPS and IP data, purchase info, and surfing habits, as well as phone numbers, and a lot of other data that could potentially identify the owners and users are transmitted he warns. “It is a small matter for any hacker to take the data disclosed by these IDs, find the Facebook, Twitter, or any other social media account, then start mining enough data to easily steal someone’s identity.” And that’s just the start of what he has found out.
Maxstead points out a private study of the UDID data sets conducted by Aldo Cortesi, a private security researcher, that shows that at least 84% of the apps tested shipped data to at least one domain, with more than 20% contacting at least 2 domains. On the scary end of the spectrum, iDestroy contacted 14 domains. Another disturbing find of the study was that more than 45% of the apps sent potentially sensitive data unencrypted, while only 54% used https encryption. Further findings disclosed said that the companies getting the data most often were Apple, iTunes, Dataflurry, and OpenFeint, and the data they are getting is often sensitive information.
More About The Leak
“Up to this point,” Maxstead said, “the leaked UDIDs have been stripped of any personally identifiable information, or redacted.” But UsenetReviewz, a Usenet community website, staffers point out that AntiSec only released 1 million IDs to prove their point. On that note, Mr. Maxstead said that, “The claim is that there are still at least 11 million more out there floating around.” He is also adamant about the irrelevance of who or how the data was obtained, “It is much more important to recover from the leak, quit using these UDIDs, and secure the connections so this can’t happen again.” Maxstead claims,”if it truly was taken from an FBI computer, we already know what they were doing with it, spying on Americans. But as for the others using the information, that is up for debate, but probably just advertisement and sales targeting, but you just never know.” He explains that due to the inherent security concerns with the UDID system early on in the game, Apple to start refusing apps using the UDID system.
Was Your UDID On The List
According to UsenetReviewz, this part will take a little effort on the part of the user, but determination of your UDID is a simple matter, and finding out if it is on the list of leaked devices requires a bit more, it is also a simple matter...and well worth it.
First: Determine The Device UDID – There are a few apps that can assist you with this, but if like Maxstead, more apps accessing the devices UDID aren't desired, here's what to do:
- First open iTunes, then connect your device to a computer.
- Select the device from the sources list.
- Then click on the devices’ serial number and the UDID will be revealed.
Next: Determine if the recovered UDID is on the list. Downloading the PDF and searching it through it can be a very laborious task, but the secured tool that Lastpass. Only the first 5 number/letters from the UDID will be required, which actually contains 40 characters, so no personally identifiable information will be given to the LastPass website. The list of numbers that is returned will start with the same 5 digits, in numerical/alphabetic order, and will be more easily searchable by hand. One thing that the VPNReviewz CEO reminds us, is that only the 1,000,001 numbers that were disclosed will be searched, he said, “There are more than 11 million more numbers out there that haven’t been released.” He said, “that part of the file won’t be searched. So, if your number doesn’t show up on the list you still aren’t out of the woods…your number may not have been included in the release”
Keep Your Identity Safe
In order to prevent your identity from being compromised in the future, the VPNReviewz CEO recommends that internet users employ an encrypted proxy or a personal Virtual Private Network, (VPN.) While the data that is transmitted by the UDID can be limited and restricted, not all the apps that use the data have been eliminated totally. Using a VPN or proxy will disguise location data, and encrypting the transmission will keep anyone trying to intercept the communication out. “It isn’t the total answer,” he said, “additional measures would be to go through the apps on the device, and restricting the data they can get, and eliminating the ones that the user doesn’t have any control over…hopefully nothing serious happens except a bunch of hackers accusing a government agency of something they vehemently deny…”