Collin Mulliner, researcher at Technische Universitaet Berlin, Group for Security in Telecommunications, believes mobile-service providers are injecting personally-discernible information such as MSISDN, IMSI, and IMEI into HTTP traffic being sent to websites.

It started several years ago when Collin read that mobile phones were leaking private data via HTTP headers — but the author provided no evidence. That didn’t sit well with Collin, so he took it upon himself to prove or disprove the claims. He explains how he became involved.

Mulliner: During 2008, while working with Mobile Web and Wireless Access Protocol (WAP), I stumbled across a forum where people were discussing the possibility of leaks. Nobody could make up their mind if this was happening or not. So I started investigating.

I host a website where people can download games for the Java 2 Micro Edition platform. It’s popular enough that a mobile-gaming website embeds screen shots of my games. So, every time a visitor loads a relevant page at the gaming website, a request is sent to my web server — providing lots of relevant traffic. All I had to do was add logging to see if the reports of leakage were true.

Kassner: Collin, you compiled your research in a paper. What were your major talking points?
Mulliner: There were three:

  • Private data is leaked by mobile operators around the world.
  • Anybody owning a website accessed from a mobile phone has the ability to collect personal information about the mobile visitor.
  • This type of leak hasn’t received any attention until now; nobody knew what to look for.

Kassner: You specify that the phone’s MSISDN, IMSI, and IMEI are being leaked. Why is leaking this information a bad thing?
Mulliner: The MSISDN is directly linked to the person who owns the phone. If the MSISDN is known:

  • It becomes possible to find the owner’s name — not a good thing if the website is malicious.
  • It becomes possible to send SMS messages to visitors — for spamming or malicious reasons.

All three values can be used to track individuals across websites, the MSISDN being the most significant. It rarely changes, even when a new phone is purchased. Most people want to keep the same number for convenience.

Kassner: The paper states the sensitive information is being leaked by the mobile operators. How did you come to that conclusion?

Mulliner: A mobile phone does not store all the data that shows up in the various headers — subscriber number (X-UP-SUBNO), for example.

Also, I did not capture any log entries displaying the MSISDN from smart phones such as iPhone or Android-based phones. That is most likely because either phone does not normally use HTTP proxies by default; the only possible explanation was HTTP/WAP proxies were adding the relevant HTTP headers.

The following slide is a graph comparing the number of captured mobile phone MSISDNs per country.

Kassner: I noticed that your research was conducted in 2010. Why is it only now being mentioned by tech-media outlets?
Mulliner: My research was of recent interest because some guy in the UK found that mobile-service provider O2 leaked MSISDNs to websites. So people started researching the cause for this and found that I had already done extensive study on the subject.

Why send the MSISDN?

I’m trying to understand why any website would need my mobile telephone number, and if they did, why not ask for it directly on the web page. Here’s how O2 responded to a similar question on their website:

“Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the Internet, and enables website owners to optimize the site you see.

When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons:

  • To manage age verification, which manages access to adult content.
  • To enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased.
  • To identify customers using O2 services, such as My O2 and Priority Moments.”

Kassner: One thing I am unclear on is whether the information is given to every website or if the website needs to request the specific HTTP headers. In either case, the person using the phone does not have a clue.

To help in that regard, Collin created a web-based app that determines if a mobile phone/service combination is leaking data. Here’s his description of how it works.

Mulliner: My test web page (enter the URL into your mobile web browser) captures all HTTP headers being sent to it. The back-end server app compares these headers to those in a database I have created. If it finds a header of interest, the app will post the header and provide a visual alert. Green means the header is not leaking information and red means it is.
Kassner: I have included a slide from your presentation.

Would you describe what we are looking at?

Mulliner: The slide indicates that the connected mobile device is leaking private information. In this case, the mobile phone number is leaked through the “X-UP-CALLING-LINE-ID” HTTP header.
Kassner: I have visited your home website. You are prolific when it comes to researching mobile-device security. Do you have anything else that you would like the readers to know about?
Mulliner: Mobile devices share a lot of security issues with traditional computing devices – so the same common sense approaches apply. Some hints specific to mobile devices would be:

  • Don’t call back strange phone numbers that appear to have called you.
  • Actually check the requested permissions when installing applications.

Most applications and games should not require access to the phone functionality — no need to make calls or send SMS messages. This functionality will only be requested by very special applications or malware.

Final thoughts

Whether or not personally-discernible information — MSISDN, IMSI, and IMIE — is added appears to be decided by the mobile-service provider, then injected upstream of the mobile device — two concepts I was not aware of.

With Collin’s help, I am now and my hope is you are as well.

Update: I was confused as to which phone models were affected by this. So, I asked Collin. He responded:

“It is not about the kind of phone, but if the operator uses a transparent proxy.”

It seems the onus is on the mobile-service operator.