New documents from NSA leaker Edward Snowden were published this weekend by German newspaper Der Spiegel, giving us new insight into how GCHQ tracked iPhone users without their consent.
Rather than relying on the specific exploits that its U.S. counterpart, the NSA, used to compromise the iPhone’s software, GCHQ surveilled targets by following a device’s UDID across different services.
The agency was even able to pull data from the device itself when it synced with a compromised computer.
GCHQ, short for Government Communications Headquarters, is a British intelligence and security organization responsible for providing signals intelligence and information assurance to the British government and armed forces.
GCHQ wrote in its November 2010 report, which Der Spiegel posted as a PDF document, that UDIDs allowed the organization to “follow the same device as it synced with a compromised machine, browsed the web (exposing it to the agency’s Safari exploit) or sent data to a broader tracking system like AdMob.”
Exposing the device’s UDID allowed GCHQ’s researchers to identify the person using it, the newspaper wrote.
UDID, or Unique Device Identifier, is a 40-character identifier that developers used to test their apps on permitted devices by listing those devices’ UDIDs on the iTunes Connect portal.
Your device’s UDID is easily accessible in iTunes, when the device is connected, by clicking on the Serial Number field in the Info pane.
Because some developers and ad networks were misusing UDIDs, and in response to security concerns, Apple started rolling out new tracking tools in the summer of 2012 that let developers gather usage data on their apps without using UDIDs.