Last Week on My Mac: The UUID conspiracy

Who today needs conspiracy theories? Isn’t real life sufficiently conspiratorial yet?

Over the last few months, though, various websites and self-declared Mac experts have been expressing concerns about Apple’s extensive use of UUIDs on Macs and iOS devices. I won’t amplify their conspiracy theories with links here, but consider one of the many issues which they raise: that Apple generates device UUIDs from “a hash of the globally unique serial number, WiFi MAC address and, if applicable, IMEI, IMSI, ICCID, MSISDN etc” which is in turn linked by Apple with the credit card used for purchase, the purchaser’s name and email address.

I presume this same line of thinking led one reader to comment here that they recommend Mac users to generate themselves a new user UUID “to fix issues” – an act which can only be disruptive if not destructive for that user’s Mac account, because of its effects on Open Directory, and more.

I have explained in detail what a UUID is: a Universally Unique Identifier, a 16-byte number normally presented in a standard hex format, such as 1234a678-1b34-1c34-1d34-1234567890ab.

The two which are known as UUIDs but are actually rather different are the device Hardware UUID, which uniquely identifies every Mac, iOS device, Watch, Apple TV, and most other hardware products supplied by Apple, and your User UUID, which is unique to you and different on each Mac, etc.

macOS and iOS use genuine UUIDs very extensively, in internal databases, logs, and pretty well everywhere that they might want to refer to something across different subsystems or over time. For these, Apple’s operating systems use the RFC 4122 version 4 random byte format, in which six bits are taken up with variant and version data, and the remaining 122 bits are randomly generated.

Hardware and User UUIDs are not as randomly generated. Some are assigned quite strictly, and are far from unique. For example, a Guest User UUID is invariably FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9, and the HFS+ disk partition type is always 48465300-0000-11AA-AA11-00306543ECAC. Apple doesn’t document which UUID-like identifiers are generated using the normal randomising process, and which are the result of non-random mechanisms such as hashing other identifiers.

There is a clue as to what happens with User UUIDs, though, in that you can generate new ones on demand – or at least you could do so prior to High Sierra – in the Advanced Options for user accounts in the Users & Groups pane. If a User UUID were a simple hash of a fixed set of serial and other ID numbers, then the hash function would return the same UUID given identical inputs, and there would be no new one to generate. So some, at least, of the macOS User UUID is randomly generated.
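The checks behind the last three paragraphs, as an added Python example that is not part of the original article: it reads the version and variant bits of the UUIDs quoted above, counts how many bits stay fixed across freshly generated version 4 UUIDs, and shows that a hash-derived (version 5) UUID repeats for identical inputs. The namespace, the `hash_derived` helper and the serial and MAC strings are constructed for illustration; they are not Apple's scheme, which is undocumented.

```python
import uuid

# UUIDs quoted in the article.
ARTICLE_UUIDS = {
    "format example": "1234a678-1b34-1c34-1d34-1234567890ab",
    "Guest User": "FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000C9",
    "HFS+ partition type": "48465300-0000-11AA-AA11-00306543ECAC",
}

def classify(text):
    """Return (version nibble, is RFC 4122 variant, fits version 4 layout)."""
    u = uuid.UUID(text)
    version = (u.int >> 76) & 0xF          # top 4 bits of the third group
    rfc = u.variant == uuid.RFC_4122       # fourth group starts with bits 10
    return version, rfc, rfc and version == 4

def constant_bits(uuids):
    """Count bit positions holding the same value in every UUID supplied."""
    mask = (1 << 128) - 1
    always_one = always_zero = mask
    for u in uuids:
        always_one &= u.int
        always_zero &= ~u.int & mask
    return bin(always_one | always_zero).count("1")

# Hypothetical namespace, standing in for an undocumented hashing scheme.
DEMO_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-000000000000")

def hash_derived(serial, mac):
    """Name-based (version 5, SHA-1) UUID from fixed identifiers."""
    return uuid.uuid5(DEMO_NAMESPACE, f"{serial}|{mac}")

if __name__ == "__main__":
    for label, text in ARTICLE_UUIDS.items():
        print(label, classify(text))
    print("fresh random:", classify(str(uuid.uuid4())))
    print("constant bits over 2000 random UUIDs:",
          constant_bits(uuid.uuid4() for _ in range(2000)))
    # Constructed identifiers, not real hardware values.
    print(hash_derived("SERIAL-CONSTRUCTED", "02:00:00:00:00:01"))
    print(hash_derived("SERIAL-CONSTRUCTED", "02:00:00:00:00:01"))
```

None of the three UUIDs quoted in the article fits the version 4 layout, while every fresh `uuid.uuid4()` value does and differs from the one before it.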

So what if my Mac does send Apple my Mac’s Hardware UUID, and my User UUID? My Mac is already logged into iCloud and other Apple services using my Apple ID, which links with Apple Pay, which together have my credit card details, name, address, and email address. My iCloud account also holds details of all my Apple hardware, its serial numbers, dates of purchase, AppleCare status, and a whole lot more.

If you use macOS and/or iOS with an Apple ID, then Apple knows exactly who you are without having to somehow reverse a partially-randomised hash to convert your Hardware or User UUID back into personal account details. If you don’t like that, and feel that you can’t trust Apple with such details, then you’re almost certainly better off running Linux, and making no online purchases of any kind. There’s no conspiracy here: it’s what you sign up to when you connect to iCloud and Apple’s other services.

Ah – but even if you run Linux, you’ll find that the userspace tools for ext2/ext3/ext4 file systems, LUKS encrypted partitions, GNOME, and KDE all use UUIDs, which are even computed using the same code as in macOS.

Not only that, but I think the conspiracy theorists have got their UUIDs and UDIDs in a muddle. iOS devices also have a Unique Device ID, which is assigned to the motherboard of the device, and is effectively a hardware serial number. It is computed by hashing together the hardware serial number, the IMEI or ECID, the Wi-Fi MAC address, and Bluetooth MAC address, which results in a 20-byte number.

Macs don’t have a UDID, although they seem to use a hardware ID based on their Ethernet MAC address, at least, as anyone who has ‘lost’ their Ethernet port on a Mac has experienced.

What emerges from a more careful examination of the actual facts about Apple IDs, UUIDs, and UDIDs is that this part of the conspiracy theory is confused bluster. And until someone can show how you can reverse any of these IDs to reveal information which Apple wouldn’t otherwise have about a user, I think we should just ignore them, and keep tracking the very real conspiracies which are going on around us today.