Recent rumours suggest that Apple repair service (as well as authorised repair services) will no longer repair devices marked as “missing”. What benefit do device registries and unique serial numbers present, what has Apple specifically announced, and does this mean that companies could be tracking devices unknowingly to consumers?

What benefit do device registries and unique serial numbers present?

It can be advantageous for manufacturers to incorporate a unique serial number into each device for some applications. Such unique IDs can be used for security purposes to authenticate a device, they can be used for data tracking whereby a UID points to a specific database of data gathered by the device in question, and they can be used to specifically identify the owner of a device.

But incorporating UIDs is something that is typically done on networked devices, those of high value, or those that can have a UID assigned with ease. In the case of networked devices, UIDs are typically found in the form of a MAC address which is a 48-bit number whereby the first three octets are assigned by The IEEE, and the second three octets are assigned by the license holder (i.e. the manufacturer). MAC addresses are required to be unique as this is used by a network switch to route packets correctly; two conflicting MAC addresses will cause collisions in the network protocol.

In the case of high-value products, attaching a UID allows a manufacturer to keep track of the product. Such tracking data can include the distributor sold to, technical specifications of the device, modifications to the device, and the eventual owner.

In the case of easy assignment, parts that can have a UID burned into them via laser, printed, or etched can be useful for tracking batches, their quality, and any unique modifications to that part. Furthermore, the use of UID on cheap parts can help authenticate if a product is made from entirely original parts. For example, the serial number printed on a smartphone’s screen could be made to match the serial number of the motherboard, phone case, and processor. If anyone of these is different, then the product is known to have been modified and thus void any warranty it has.

Apple rumoured it will no longer be fixing devices marked as “missing”

Recently, MacRumors reported that an internal Apple memo has stated that both Apple and its authorised repair services will no longer repair devices marked as missing. Simply put, Apple devices all carry unique serial numbers and digital fingerprints that allow Apple to identify the owner of every device, and this data is linked to the GSMA device registry. If a device shows up on the GSMA device registry as missing, then Apple will refuse to repair the device until the individual who brought in the device can prove it is theirs.

It is believed that the intention behind the rumoured policy is to prevent the repair of potentially stolen property that could allow thieves to access personal data, including photos, videos, and website login details. This would make sense considering the degree to which Apple protects the privacy of their customers (even to the point of refusing to help the FBI in ongoing cases).

If the memo is true, it does raise the question of whether Apple has been repairing phones that are reported as missing? Surely, a device that is known to be missing should be held until the rightful owner can collect their device while reporting the individual who requested its repair?

Could companies be secretly tracking devices through unique serial numbers?

We know that UIDs can be highly advantageous when protecting devices against theft, ensuring that only authorised software is used, device authentication, and network routing, but the idea of a database with every known device and its UID does raise some serious privacy questions.

A registry of devices that can mark entries as missing could just as easily be used for storing other data related to the device, including names, addresses, phone numbers, and even the last known GPS location. Even if direct personal information such as an owner’s name is removed, if the UID of a device can be obtained, then it is the only entry that is needed to be able to look up data pertaining to that individual.

A company may justify the storage of data such as last known GPS and IP for the sake of “theft protection”, but regardless of whether that data is being used honestly or not, it will undoubtedly become the target of cybercriminals or, worse, governments. If there is one thing that is true, it’s nearly impossible to fully predict how data can be used, and the idea of storing devices on a central database raises serious questions on privacy.