
Why are websites getting your mobile-phone number?

Are mobile-service providers leaking subscriber data into the web traffic their customers send to web servers? That is what a security researcher set out to prove or disprove.

Collin Mulliner, a researcher in the Security in Telecommunications group at Technische Universitaet Berlin, has found that mobile-service providers are injecting personally identifiable information into the HTTP traffic their subscribers send to websites: the MSISDN (the subscriber's phone number), the IMSI (the subscriber identity stored on the SIM), and the IMEI (the handset's hardware serial number).

It started several years ago when Collin read that mobile phones were leaking private data via HTTP headers -- but the author provided no evidence. That didn't sit well with Collin, so he took it upon himself to prove or disprove the claims. He explains how he became involved.

Mulliner: During 2008, while working with Mobile Web and Wireless Access Protocol (WAP), I stumbled across a forum where people were discussing the possibility of leaks. Nobody could make up their mind if this was happening or not. So I started investigating.

I host a website where people can download games for the Java 2 Micro Edition platform. It's popular enough that a mobile-gaming website embeds screen shots of my games. So, every time a visitor loads a relevant page at the gaming website, a request is sent to my web server -- providing lots of relevant traffic. All I had to do was add logging to see if the reports of leakage were true.

Kassner: Collin, you compiled your research in a paper. What were your major talking points?

Mulliner: There were three:
  • Private data is leaked by mobile operators around the world.
  • Anybody owning a website accessed from a mobile phone has the ability to collect personal information about the mobile visitor.
  • This type of leak hasn't received any attention until now; nobody knew what to look for.
Kassner: You specify that the phone's MSISDN, IMSI, and IMEI are being leaked. Why is leaking this information a bad thing?

Mulliner: The MSISDN is directly linked to the person who owns the phone. If the MSISDN is known:
  • It becomes possible to find the owner's name -- not a good thing if the website is malicious.
  • It becomes possible to send SMS messages to visitors -- for spamming or malicious reasons.

All three values can be used to track individuals across websites, the MSISDN being the most significant. It rarely changes, even when a new phone is purchased. Most people want to keep the same number for convenience.

Kassner: The paper states the sensitive information is being leaked by the mobile operators. How did you come to that conclusion?

Mulliner: A mobile phone does not store all the data that shows up in the various headers -- subscriber number (X-UP-SUBNO), for example.

Also, I did not capture any log entries displaying the MSISDN from smart phones such as the iPhone or Android-based phones. That is most likely because neither phone uses an HTTP proxy by default; the only possible explanation was that HTTP/WAP proxies were adding the relevant HTTP headers.

The following slide is a graph comparing the number of captured mobile phone MSISDNs per country.

Kassner: I noticed that your research was conducted in 2010. Why is it only now being mentioned by tech-media outlets?

Mulliner: My research was of recent interest because some guy in the UK found that mobile-service provider O2 leaked MSISDNs to websites. So people started researching the cause for this and found that I had already done an extensive study on the subject.

Why send the MSISDN?

I'm trying to understand why any website would need my mobile telephone number, and if they did, why not ask for it directly on the web page. Here's how O2 responded to a similar question on their website:

"Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using is passed to website owners. This happens across the Internet, and enables website owners to optimize the site you see.

When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons:

  • To manage age verification, which manages access to adult content.
  • To enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased.
  • To identify customers using O2 services, such as My O2 and Priority Moments."
Kassner: One thing I am unclear on is whether the information is given to every website or whether the website needs to request the specific HTTP headers. In either case, the person using the phone has no way of knowing it is happening.

To help in that regard, Collin created a web-based app that determines if a mobile phone/service combination is leaking data. Here's his description of how it works.

Mulliner: My test web page (enter the URL into your mobile web browser) captures all HTTP headers being sent to it. The back-end server app compares these headers to those in a database I have created. If it finds a header of interest, the app will post the header and provide a visual alert. Green means the header is not leaking information and red means it is.

Kassner: I have included a slide from your presentation. Would you describe what we are looking at?

Mulliner: The slide indicates that the connected mobile device is leaking private information. In this case, the mobile phone number is leaked through the "X-UP-CALLING-LINE-ID" HTTP header.

Kassner: I have visited your home website. You are prolific when it comes to researching mobile-device security. Do you have anything else that you would like the readers to know about?

Mulliner: Mobile devices share a lot of security issues with traditional computing devices - so the same common sense approaches apply. Some hints specific to mobile devices would be:
  • Don't call back strange phone numbers that appear to have called you.
  • Actually check the requested permissions when installing applications.

Most applications and games should not require access to the phone functionality -- no need to make calls or send SMS messages. This functionality will only be requested by very special applications or malware.
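The test page Mulliner describes above compares incoming request headers against a database of header names known to carry subscriber identifiers and shows red or green. As an added example (this is not Mulliner's code and the article does not reproduce his header database), the following Python script does the same check on a request's headers. Only X-UP-CALLING-LINE-ID and X-UP-SUBNO are taken from the article; the other header names, the list of proxy indicators, and the two sample requests are assumptions constructed for the example.

```python
import re

# Header names (compared case-insensitively) that carrier HTTP/WAP gateways have
# been seen to inject. The article itself names only X-UP-CALLING-LINE-ID and
# X-UP-SUBNO; the remaining names are assumptions drawn from common WAP-gateway
# conventions and should be extended from real logs for a given operator.
IDENTITY_HEADERS = {
    "x-up-calling-line-id": "MSISDN",
    "x-up-subno": "subscriber number",
    "x-msisdn": "MSISDN",
    "x-nokia-msisdn": "MSISDN",
    "x-wap-msisdn": "MSISDN",
    "x-imsi": "IMSI",
    "x-nokia-imsi": "IMSI",
    "x-imei": "IMEI",
}

# Headers that carry no identity themselves but show that a proxy sits in the
# path. The leak depends on such a proxy, so they are worth reporting separately
# from a "green" result (assumed list).
PROXY_HEADERS = ("via", "x-forwarded-for", "x-nokia-gateway-id")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which is what the 15th digit of an IMEI is."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaks(headers):
    """Inspect one request's headers.

    Returns {"status": "red"|"green", "leaks": [...], "proxy": [...]}.
    Each leak is (header, kind, value, note); the note says whether the value
    is a raw digit string (an unobfuscated identifier) or an opaque token.
    """
    leaks, proxy = [], []
    for name, value in headers.items():
        lname = name.lower()
        if lname in PROXY_HEADERS:
            proxy.append((name, value))
        kind = IDENTITY_HEADERS.get(lname)
        if kind is None:
            continue
        digits = re.sub(r"\D", "", value)
        if value.strip().lstrip("+") == digits and 6 <= len(digits) <= 15:
            note = "raw digits"
            if kind == "IMEI" and len(digits) == 15:
                note += ", Luhn " + ("ok" if luhn_ok(digits) else "FAILED")
        else:
            note = "opaque/obfuscated value"
        leaks.append((name, kind, value, note))
    return {"status": "red" if leaks else "green", "leaks": leaks, "proxy": proxy}


# Constructed sample requests (not captured traffic; all values are made up).
FEATURE_PHONE_VIA_GATEWAY = {
    "Host": "example.invalid",
    "User-Agent": "Nokia6300/2.0 (05.00) Profile/MIDP-2.0 Configuration/CLDC-1.1",
    "Via": "1.1 wap-gw.example.invalid",
    "X-UP-CALLING-LINE-ID": "4915112345678",
    "X-UP-SUBNO": "a1b2c3d4e5f6_example.invalid",
    "X-IMEI": "490154203237518",
}

SMARTPHONE_DIRECT = {
    "Host": "example.invalid",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
    "Accept": "text/html",
}

if __name__ == "__main__":
    for label, req in (("feature phone via gateway", FEATURE_PHONE_VIA_GATEWAY),
                       ("smartphone, direct", SMARTPHONE_DIRECT)):
        result = find_leaks(req)
        print(label, "->", result["status"].upper())
        for header, kind, value, note in result["leaks"]:
            print("  %s: %s  (%s; %s)" % (header, value, kind, note))
        for header, value in result["proxy"]:
            print("  proxy indicator %s: %s" % (header, value))
```

Run as a script, it reports RED for the constructed feature-phone request (phone number in X-UP-CALLING-LINE-ID as raw digits, an opaque token in X-UP-SUBNO, and an IMEI whose check digit verifies) and GREEN for the smartphone request. Proxy indicators such as Via are listed on their own, so a green result can be read as "no identity headers seen" rather than "no proxy in the path"; the two are not the same thing.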

Final thoughts

Whether personally identifiable information (the MSISDN, IMSI, and IMEI) is added appears to be decided by the mobile-service provider, and it is injected upstream of the mobile device, by the operator's proxy rather than by the handset -- two things I was not aware of.

With Collin's help, I am now aware of both, and my hope is that you are as well.

Update: I was confused as to which phone models were affected by this. So, I asked Collin. He responded:

"It is not about the kind of phone, but if the operator uses a transparent proxy."

It seems the onus is on the mobile-service operator.


15 comments
Mohammad Oweis

Thanks for this very important article. I live in Jordan; I tried from two GSM operators and was able to see my phone number and what country from both of them :( That's awful. I will contact our corporate account manager at one of the operators and see what they will say?!

HAL 9000

"To manage age verification, which manages access to adult content." What else besides the number is actually available here? The phone number alone would not give the user's age. Or have I missed the entire point? Col

Michael Kassner

Your profile says you are in the US. Those are the reports I am particularly interested in. And the carrier is Sprint? When you mentioned nothing of interest, I assume the color of the screen was green and not red? Any other information you may think helpful, please mention it. I'm researching a lead right now -- it seems more telcos are looking at using HTTP proxies. So this could get interesting.

l_creech

Running stock EL30 Gingerbread with Sprint Proxy service showed nothing of interest; running the slightly older EI22 (still had CarrierIQ and Sprint Proxy) showed my phone number. CyanogenMod 7 Nightly 39 (AOSP* Gingerbread) for Epic 4G shows nothing of interest. CyanogenMod 9 Alpha-1 (AOSP* Ice Cream Sandwich) for Epic 4G shows nothing of interest. Tempted to Odin back to Froyo and see what it was leaking, but not likely to, as I far prefer CyanogenMod 9. *AOSP = Android Open Source Project

OPITSTUDENT

Hello Michael, Thanks for sharing! Privacy is a Hot topic right now. Security is more important now than ever before. I ran the site on my phone and everything checked out ok. I'm going to check my tablet later on. Have you tried running the site on your mobile device?

Michael Kassner

I assume the website can associate a person's name, age, and phone number. So, sending the MSISDN is all that is required. But, that doesn't mean the information is that of the person using the phone. I suspect it's just enough to CYA.

l_creech

Yes, I'm in western Washington just south of Seattle most of the time. Carrier is indeed Sprint. "Nothing of interest" means I got a green background, as opposed to a red background when my phone number popped up. As for the use of proxies, this would let the carriers essentially ban rooted users from tethering for free, as they could intercept browser headers. As long as that is all they used it for, I wouldn't mind. Then again I pay for Simply Everything Unlimited (99), data pack (10), insurance (8), and tethering (35), plus all the associated taxes and fees.

Michael Kassner

If I may ask, what carrier are you using? Mine were clean as well. I use AT&T. I'm trying to find out if there is a way to determine if a carrier is using an HTTP proxy and correlate that to what the members are finding.

HAL 9000

How much of this is dictated by the country you live in? Most of the Middle East wants to kill off RIM because they are unable to monitor any e-mails sent through that system, and RIM has changed their network to accommodate these countries. I very much doubt that they are the only countries to complain too, but that's another story. ;) As I'm no longer involved with it, I can not help but wonder just how much of all these telephony transactions are actually monitored by the authorities and exactly what information they get. It's bound to be a lot more detailed than what the telcos willingly hand out to anyone who asks. ;) Col

OPITSTUDENT

Sure. My carrier is T-Mobile. If they were using an HTTP proxy server that would be interesting? I wonder if anyone knows how to find out if an HTTP proxy is being used. Please let us know what you find. Thanks!

Mohammad Oweis

Unfortunately, I did not get an answer. So, I shared this article with my friends on Facebook and very soon on LinkedIn; maybe someone can find or do something (or at least know about this). I guess that the GSM operators are forced to do this, so the authorities can track anyone. About RIM, BB is used widely, so I think they already have a solution to monitor it, otherwise they would not allow it ;) They monitor everything, so they will not allow BB to pass from their fingers :)

Michael Kassner

I'm going to ask Collin if green means an HTTP proxy is not in use or if there are no headers that he is interested in showing up.
