Sep 4, 2012

Apple UDIDs Compromised: What You Need to Know

News broke this morning that AntiSec publicly posted 1,000,001 Apple UDIDs (Unique Device Identifiers) allegedly retrieved from an FBI computer. The group claims that the original data set holds some 12 million UDIDs and that, for each of them, it also gathered usernames, device names, push notification tokens, zip codes, cell phone numbers, and addresses. None of those additional fields were included in the sample that was posted.

At this point there's a fair amount of speculation about the situation, but we wanted to clarify what LastPass users should know:
  • We released a tool, https://lastpass.com/udid, to check whether your UDID is on the published list. Note that yours could still be among the alleged 11 million that were not released, so caution is still warranted.
  • Leaked UDIDs by themselves do not pose a serious risk to users. The concern is UDIDs paired with personally identifiable information, which the hackers say they hold in the original data set, although there is no proof of that at this time. Combined with your name, address, mobile number, and the models of Apple devices you own, that data would enable identity theft and targeted social engineering.
  • Apple has moved away from allowing apps to use the UDID for their own purposes, but has only recently begun enforcing this, and only on app updates. Some services could still be using the UDID as their entire authentication: the service grants access to a particular device, identified by its UDID, and nothing else. An attacker who holds your UDID could gain access to those accounts. The data behind them is probably not highly sensitive, but the accounts could still help tie a UDID to a specific individual.
  • The leak is not a threat to LastPass user accounts. LastPass used to use the UDID as a secondary factor for logging in on iOS, in place of your standard secondary factor (e.g. your YubiKey), but late last year we switched to a random identifier that we store on the device and that is independent of the UDID, and all old UDIDs were disabled.
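To make the contrast in the last two points concrete, here is an added example, written for this page and not LastPass's own code, of a service that uses a bare UDID as its entire authentication beside one that enrolls each device under a random, revocable token. The class names, the in-memory stores and the "leaked" UDID values are all constructed for the illustration; the only thing assumed about real UDIDs is that they are 40 hexadecimal characters.

```python
"""Added example: UDID as the whole credential vs. a random per-device token.

Hypothetical services and data; not LastPass code. Pre-iOS 7 UDIDs are
40 hex characters, which is all this example assumes about them.
"""
import hashlib
import hmac
import re
import secrets

UDID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for the published list (no real UDIDs).
LEAKED_UDIDS = {"1a" * 20, "f0" * 20}


def udid_in_leak(udid, leaked=LEAKED_UDIDS):
    """Normalize a user-supplied UDID and test membership in a leaked set."""
    norm = udid.strip().lower()
    if not UDID_RE.match(norm):
        raise ValueError("a UDID is 40 hexadecimal characters")
    return norm in leaked


class UdidOnlyService:
    """Weak pattern: knowing the UDID is the same as owning the device."""

    def __init__(self):
        self._accounts = {}  # udid -> account name

    def register(self, udid, account):
        self._accounts[udid.lower()] = account

    def login(self, udid):
        # A static identifier that many apps and services have already seen
        # doubles as the password, so a leaked list of UDIDs is effectively
        # a credential dump for this service.
        return self._accounts.get(udid.lower())


class DeviceTokenService:
    """Hardened pattern: random, revocable token issued at enrollment."""

    def __init__(self):
        self._devices = {}  # device_id -> {"account", "token_hash", "active"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def enroll(self, account):
        """Called once, after the user has signed in with password and MFA.
        The raw token goes to the device; only its hash is kept server-side."""
        device_id = secrets.token_hex(16)
        token = secrets.token_urlsafe(32)
        self._devices[device_id] = {
            "account": account,
            "token_hash": self._digest(token),
            "active": True,
        }
        return device_id, token

    def login(self, device_id, token):
        rec = self._devices.get(device_id)
        if rec is None or not rec["active"]:
            return None
        # Constant-time comparison of the presented token's hash.
        if not hmac.compare_digest(self._digest(token), rec["token_hash"]):
            return None
        return rec["account"]

    def revoke(self, device_id):
        """Disable one device without touching the account or other devices."""
        rec = self._devices.get(device_id)
        if rec is not None:
            rec["active"] = False


def demo():
    """Walk both services through the leak scenario; returns the outcomes."""
    victim_udid = "1a" * 20  # constructed; appears in LEAKED_UDIDS above

    weak = UdidOnlyService()
    weak.register(victim_udid, "alice")

    hardened = DeviceTokenService()
    device_id, token = hardened.enroll("alice")
    owner_ok = hardened.login(device_id, token)
    without_token = hardened.login(device_id, "guess")
    hardened.revoke(device_id)
    after_revoke = hardened.login(device_id, token)

    return {
        "udid_leaked": udid_in_leak(victim_udid),
        "weak_attacker_gets": weak.login(victim_udid),  # the leaked UDID is enough
        "hardened_owner": owner_ok,
        "hardened_without_token": without_token,
        "hardened_after_revoke": after_revoke,
    }


if __name__ == "__main__":
    print(demo())
```

The weak service cannot distinguish the device owner from anyone holding the published list, and it has no way to rotate or revoke a UDID because the identifier is fixed to the hardware. The token variant stores only a hash of a randomly generated secret, compares it in constant time, and lets a single device be disabled without disturbing the account or its other devices.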
The best steps LastPass users can take at this time:
  • Although passwords were not among the data supposedly compromised, it is never a bad time to check that your passwords are strong and unique. Run the LastPass Security Check (in the LastPass icon's Tools menu) to identify weak and duplicate passwords, and prioritize updating those.
  • Consider enabling the free credit monitoring service to watch for signs of identity theft.
  • Enable multifactor authentication for added protection of your LastPass account.
  • Do not give personal information to anyone claiming to be from Apple or another service, whether by phone, email, or a notification on your device, unless you initiated the contact yourself.
We'll continue to monitor the situation and update our users if any other details come to light.

12 comments:

  1. None of this really helps you with the Feds though :D

  2. Another great informative post. Thanks LP!

  3. I'd be interested to know why the FBI has all of this information.

    Replies
    1. I've been into computers hardcore for about a decade and a half. I work in data now. I <3 command line.

      First and foremost because a lot of it is public information-- because you put it in places that people like me can find it.

      Also, a way the authorities gather information is by investigating criminals. You think the FBI shreds the criminal's hard drives and then throws the data away? Nope, they 'investigate' and then process the data which is usually stored-- if it isn't more trouble than it is worth. I know I am in that data, you probably are too.

  4. The FBI has this information for the same reason that the TSA can grope you at the airport... BECAUSE WE LET THEM.

    Replies
    1. You have to choose your right balance. We actively trade some of our privacy for convenience. --Here you are on the innerwebs leaving your identifiable information on lastpass.com to post about letting people have information. Please go disconnect from everything and then march straight into the wilderness where people like you belong. Unless, you like trading your privacy for convenience. In that case sit down and shut up.

      This is not the place to complain about the TSA.

  5. The FBI is denying that the information came from them and said they do not collect this information. There's no evidence either way.

  6. Hello NEW WORLD ORDER...... Goodbye civil rights!!!!!

  7. I don't have iTunes and can't run it on Linux.... how could I check my UDID?

    Replies
    1. Try an app like: http://itunes.apple.com/us/app/udid-sender/id306603975?mt=8

  8. Thanks for pointing out that Lastpass moved away from UDIDs as a secondary identifier, as well. I was actually concerned about that, because I remembered the setting...

  9. These posts are helpful for those of us who might not understand the significance of each scare story.
