UPDATED: BlueToad Publishing Identifies Itself As Source of Leaked Apple UDID
UPDATE: Friday, September 14
Apple's Gold Master (Final Candidate) release of iOS 6 was delivered to developers on Wednesday, September 12. The release includes a user setting which can limit the amount and type of device tracking advertisers, developers and other third parties can conduct. The new setting is labeled "Limit Ad Tracking", and is toggled off by default.
The change presents a challenge for advertisers and third parties to implement non-permanent and non-personally identifiable device identification should they wish to serve up more customized advertising. As covered in our original article, some advertisers opt to pay a premium for ads tied to individual device-specific data.
The release notes for the iOS 6 GM also state:
"iOS 6 introduces the Advertising Identifier, a non-permanent, non-personal, device identifier, that advertising networks will use to give you more control over advertisers’ ability to use tracking methods. If you choose to limit ad tracking, advertising networks using the Advertising Identifier may no longer gather information to serve you targeted ads. In the future all advertising networks will be required to use the Advertising Identifier. However, until advertising networks transition to using the Advertising Identifier you may still receive targeted ads from other networks."
Plainly put, the parts of Apple's UDID system that were used for ad targeting in the past have been replaced by Advertising Identifier tokens, which developers and brands will need to adopt in their releases to bring a level of ad targeting to their products.
We'll follow up with more details on the effects of the Advertising Identifier change to magazine media as information becomes available.
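As an added illustration (not code from the article, Apple, or BlueToad), this is how an app would read the new identifier from the iOS 6 AdSupport framework while honoring the "Limit Ad Tracking" setting described above; the `adid`, `lat` and `placement` parameter names are assumed conventions for a hypothetical ad network, not a real API.

```objectivec
#import <Foundation/Foundation.h>
#import <AdSupport/AdSupport.h>

// Returns the Advertising Identifier only when the user has NOT toggled
// "Limit Ad Tracking" on. Returns nil otherwise, so the caller falls back
// to untargeted ads instead of reaching for any permanent device identifier
// (the old -[UIDevice uniqueIdentifier] UDID is deprecated and rejected
// by App Review, as the article notes).
static NSString *AdIdentifierForTargeting(void) {
    ASIdentifierManager *mgr = [ASIdentifierManager sharedManager];
    if (!mgr.advertisingTrackingEnabled) {
        // User limited ad tracking: do not hand the identifier to the network.
        return nil;
    }
    // Non-permanent, user-resettable UUID; this is the value ad networks
    // are expected to migrate to.
    return [mgr.advertisingIdentifier UUIDString];
}

// Builds the parameters for one ad request. Parameter names below are
// assumed for a hypothetical ad network. The request never carries a UDID:
// it carries either the Advertising Identifier or a "limited" flag.
static NSDictionary *AdRequestParameters(NSString *placementId) {
    NSMutableDictionary *params = [NSMutableDictionary dictionary];
    params[@"placement"] = placementId;
    NSString *adid = AdIdentifierForTargeting();
    if (adid) {
        params[@"adid"] = adid;   // targeted ad allowed
    } else {
        params[@"lat"] = @"1";    // signal "limit ad tracking" to the network
    }
    return params;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // "article_footer" is a constructed placement id for the example.
        NSDictionary *params = AdRequestParameters(@"article_footer");
        NSLog(@"ad request parameters: %@", params);
    }
    return 0;
}
```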
Late last week news broke that hacker group AntiSec had obtained 12 million Apple device UDIDs (Unique Device Identifiers) and was releasing the first million as a shot across the bow of the FBI. Many wondered how AntiSec had gotten the UDIDs, leading to a flurry of back and forth statements from the FBI and Apple. Yesterday we learned that virtually all of the UDIDs came from the systems of Orlando, Florida digital publishing vendor BlueToad, who counts many magazine media companies as its clients.
A New York Times article published on September 10th outlines BlueToad’s version of the story:
“We decided to come forward to apologize to our customers, partners and the public in general that this got out there,” says Paul DeHart, BlueToad’s Chief Executive. “We face thousands of attacks every day that we’ve been successful at defending. This one happened to get through.”
Seems plausible, but a Wall Street Journal article published today tells a bit more of the story:
"The information was sent by the company, BlueToad Inc., in 'cleartext'—without encryption to hide it—violating widely accepted computer-security practices."
Reading the above, you may want to board up your windows, grab the canned food and burn your iPads for warmth, but it’s really not that grim. The truth is that most companies small and large regularly face security threats originating from the web, with the vast majority fending them off so users are safe and secure. In this instance, access was gained due to lax security practices, which isn’t great, but what exactly is a UDID?
The UDID, or Unique Device Identifier, is a series of numbers and letters that has been used by Apple and developers to uniquely identify a customer’s iPhone, iPod touch and iPad. Every iOS device has one, and in the past, it was used by developers to tie a specific device to a specific service, like a lock and key – a download, edition or piece of data that was granted one-time access, or was tied to the device in some way, would be associated with the UDID. It can also be used to make an anonymous one-to-one relationship between an ad view and the user, which in the case of magazines could let a third party know which articles you read, and how long you spent on each one. Indeed, some advertisers were more apt to pay higher rates to brands using this type of association. After the privacy concerns raised last year about GPS tracking and personal information being accessed and transmitted by apps, Apple voluntarily elected to stop developers from accessing and using UDIDs to tie a specific user to a device, and has since put forward a better solution, which will debut with the release of iOS 6 later this month.
This means that virtually every app a user has downloaded, or updated recently, no longer broadcasts its UDID, and never will again. UDID is an older ID system which Apple is no longer supporting, and no longer accepts into their app store. Sure, that’s all well and good, but what does it mean to have one’s device ID out there NOW? Here are the facts on what having a user’s UDID means, and what it cannot do.
- There is nothing present in the UDID that inherently links it with a user’s name, personal information, or financial information.
- Hackers cannot use a UDID to access user information.
- A user’s info can only be accessed with an Apple ID and password.
- Hackers cannot gain remote access to, or install software on, a user’s device using a UDID.
In fact, in order for a UDID to be used maliciously, the “hacker” would need to:
- Register an Apple Developer account
- Manually enter each UDID into Apple’s Developer portal
- Develop, submit, and have approved by Apple an iOS app (that Apple would absolutely not release, and then would deactivate the offending developer account)
- Add that app to each of the developer accounts they’ve made, so they can generate a link or share a file that users would have to drag into their iTunes, or have their device enrolled in an MDM (Mobile Device Management) service to receive over-the-air updates.
- If the user’s device is enrolled in an MDM, the hacker would need to forge a push notification from the MDM, AND forge the user’s response back (yes, please install this wonderful malware).
- And, depending on how a user has their phone configured, a device password or prompt would need to be entered in order for the app to access the user’s personal information.
The Rube Goldberg machine that would be needed to make this happen would win several awards. So while it’s troubling that the UDIDs were able to be obtained (head over here to see the story of how this unfolded), there’s not much a hacker can do with the device IDs unless they’re sitting right next to you.
At the moment, the UDID theft story is a juicy one, but a lot of sizzle—no steak, and we'll see what BlueToad discloses next. It does shed light on a subject that, up to now, was the hot topic in the Apple community, agencies, and the magazine media brands, but hadn’t been widely discussed outside of the developer community.
Posted by: Ethan Grey, VP/Digital, MPA