What potential dangers arise from a mass iOS UDID leak?

Now that more "truth" has come out, this leak was from a third-party company, Blue Toad, and by all reputable accounts, the leak did not in fact contain either the volume of UDIDs or the additional personal data that would strike anyone as "concerning." The leak was of data collected according to the existing policy by Apple and the app store and is not at all unique, as hundreds of companies will have that volume and type of data due to the past use of UDID to identify customers.

The leaked document itself is mostly harmless from a technical standpoint, but quite shocking if you expected to be private and now have some details exposed publicly.

It contains one line with the following types of information for each device that is purported to be listed:

UDID, APNS token, device name, device type

Unless you are a programmer and run a service that could push a message through Apple's push notification service (APNS), then you can't really take any action whatsoever based on the leaked file.

If you do have records of transactions that list a UDID or a device name / type and wanted to confirm another piece of information, this file could be used to link two pieces of information together if you already had that information.

The real security ramifications are that this "leak" is from a spreadsheet file that supposedly contains 12 million entries - not the million that were leaked. The best information we have (if you believe the words of the release text which has some mild profanity if you care about that sort of thing) is that the real data that was stolen also had very personal information like zip codes, telephone numbers, addresses and full names of people associated with the UDID and APNS tokens.

That sort of information in the hands of a skilled person (government employee, hacker, or simply an engineer with a grudge against you) is something that could do damage to most of us in terms of violating our privacy. Nothing in this release would seem to compromise the security of your using the device - but it does make things that would normally be seen as anonymous less so if the FBI is regularly carrying around lists of millions of subscriber information that would let them tie logs of application use to a specific device or a specific person.

The worst-case event with the data leaked today would be someone who has already registered with Apple to send push notifications could perhaps attempt to send unsolicited messages to the million devices (assuming the APNS tokens are still valid) or otherwise correlate a device name with a UDID if they had access to sensitive logs or a database from a developer or another entity. This leak doesn't allow remote access in the way that knowing a password and user ID would.


As bmike notes, UDID on its own isn't particularly damaging. However, if the attackers are able to compromise other databases where UDID is used, the combination could yield quite a bit of identifying personal information, as this article from May 2012 lays out: De-anonymizing Apple UDIDs with OpenFeint.

As with the recent highly-publicized Mat Honan hack, one security breach on its own may not be overly troublesome, but the damage can grow exponentially if the attackers can breach another service you use.
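
The linkage risk both answers describe, as an added example that is not part of either answer: two datasets keyed by the raw UDID join directly, while the same datasets keyed by a per-service HMAC pseudonym do not. All records, keys and the second database are constructed for illustration, and the pseudonym scheme is this example's assumption, not something the answers propose.

```python
import hashlib
import hmac

# Constructed sample data: none of these values come from the leaked file.
LEAK = [  # one record per device: UDID, APNS token, device name, device type
    ("a" * 40, "1" * 64, "Alice's iPhone", "iPhone"),
    ("b" * 40, "2" * 64, "Bob's iPad", "iPad"),
]
# Hypothetical second database that also keyed its users by raw UDID.
OTHER_DB = {
    "a" * 40: {"email": "alice@example.com"},
    "c" * 40: {"email": "carol@example.com"},
}


def link(leak, other):
    """Join leak records to another dataset on the shared device identifier."""
    return [
        {"device_name": name, **other[ident]}
        for ident, _token, name, _dtype in leak
        if ident in other
    ]


def pseudonym(udid, service_key):
    """Per-service identifier: HMAC-SHA256 of the UDID under a secret key."""
    return hmac.new(service_key, udid.encode(), hashlib.sha256).hexdigest()


def rekey_leak(leak, service_key):
    """The leak as it would look had the service stored only its pseudonym."""
    return [(pseudonym(u, service_key), t, n, d) for u, t, n, d in leak]


def rekey_db(db, service_key):
    """The second database, keyed by that service's own pseudonym."""
    return {pseudonym(u, service_key): row for u, row in db.items()}


# Raw UDIDs: the datasets join, tying a device name to an e-mail address.
raw_matches = link(LEAK, OTHER_DB)
# Each service holds a different key, so the same devices no longer join.
safe_matches = link(rekey_leak(LEAK, b"service-A-key"),
                    rekey_db(OTHER_DB, b"service-B-key"))

if __name__ == "__main__":
    print("raw UDID join: ", raw_matches)
    print("pseudonym join:", safe_matches)
```

The join here is on the identifier column only; other columns shared between datasets, such as the device name, would need the same treatment.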