Self-professed hacker warns that about one operator in every country leaks mobile phone numbers unnecessarily during Web sessions.
A mobile device security researcher who recently announced a privacy loophole in the way data is transmitted during mobile Web surfing sessions has indicated that the problem is widespread.
At the CanSecWest security conference last month, Collin Mulliner, a PhD student at Technical University Berlin, Germany, said confidential data can be leaked due to the addition of HTTP headers at the operator's HTTP proxy or gateway. Proxies are used to reformat Web pages to suit a smaller screen size.
Data that is commonly revealed includes an MSISDN (mobile subscriber integrated services digital network number) or phone number, IMSI (international mobile subscriber identity) or unique SIM card number, IMEI (international mobile equipment identity) or unique phone ID, access point name and customer account number or ID.
Several of the operators cited in his presentation include Orange from the United Kingdom, Bharat Sanchar Nigam of India and Rogers Wireless in Canada.
Mulliner told ZDNet Asia in a follow-up e-mail that the data leakage issue is not limited to those listed in his presentation but affects "more or less" one operator in every country. He did not disclose if any other operator in Asia is on his expanding list.
According to Mulliner, mobile operators normally add the information in order to support third-party service providers, which may use MSISDN to identify and bill customers for services.
"The problem is that some mobile operators don't care if the private information of their customers gets leaked to the whole Internet and therefore they don't configure the Web proxies in the correct way," said Mulliner. "Privacy-aware operators make sure the information is added only when customers connect to these special service providers and not the whole Internet."
The problem, he added, also affects nearly all phones. Common phone brands that emerged during Mulliner's logging of HTTP headers for over a year included LG, Nokia, Samsung and Sony Ericsson. HTC phones running Windows Mobile were also found to be associated with the problem.
Smartphones such as Apple's iPhone or Android-based phones typically don't use proxies by default. But if a proxy was configured and the operator inserts customer data, the same issue would occur, he pointed out.
Onus on operators
Industry observers ZDNet Asia interviewed said operators have a responsibility to protect customer information and privacy.
According to F-Secure's senior security response manager Chia Wing Fei, mobile numbers have the "best returns on investment" for cybercriminals as they are targets for SMS spam.
On the other hand, there are other methods of harvesting mobile phone numbers for SMS spamming, he noted in an e-mail. One way is to offer free wallpapers and ringtones via Web sites, where users can download on the condition that they give out their number.
"Nevertheless, such information should not be leaked by the operator in the first place and I can't seem to think of any good reason why it should be included in the Web requests," he said. "The rule of thumb for securing your network or data would be to first deny all and then allow only what is necessary after doing a proper and thorough evaluation."
John Strand, CEO of Danish analyst firm Strand Consult, added that the problem highlighted by Mulliner is one which "can be easily solved by the operator" as it specifies what information flows through its gateway.
Citing the example of Telenor in Norway, he said a customer who chooses to use the operator's billing system for a premium service providing ringtones or games is assigned a special ID instead. In some cases, the operator would send the MSISDN to the content provider.
However, Strand said the company does not rule out that "there are a lot of operators [that] do not do much" to prevent the MSISDN from being accessible.
Over in Singapore, a SingTel spokesperson told ZDNet Asia that the telco is "aware" of the matter. "SingTel does not share any customer information when they access or browse generic Internet content via a mobile phone. We have put in place stringent measures to safeguard our customers' information," she added.
Fellow mobile operator M1 provided a similar response. "We treat customers' particulars as private and confidential and do not disclose them to external parties," the spokesperson said. "When our customers surf the Web on their mobile devices, their MSISDN, IMEI or IMSI are not revealed."
StarHub did not respond for the story.
Image caption: Upon visiting Mulliner's site, an Android-based HTC Hero obtains a red page which signals the customer may have a privacy infringement problem.
Mulliner, who created a page to let users check if their mobile numbers have been revealed, said there were 12,000 visits to the site in March, and about 1,500 this month. At the time of writing, however, the page was not accessible.
When ZDNet Asia ran Mulliner's Web site for users to check the information captured by HTTP headers on two StarHub-powered smartphones, the results were mixed.
When the site was accessed via an Android-based HTC Hero, it displayed a red page signaling a problem. Entering the same site using Apple's iPhone via both the Safari and Opera Mini browsers showed green. This may be due to the practice by operators of using different proxies for different customers, a premise outlined in Mulliner's presentation.
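The gateway behaviour Mulliner and Chia call for (deny by default, identify the subscriber only to billing partners) and the red/green check a page like Mulliner's performs, sketched as an added Python example that is not code from the article, from Mulliner or from any operator. The header names, partner host, key and the HMAC-derived partner ID are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Illustrative header names only (assumptions, not listed in the article).
IDENTITY_HEADERS = {"x-msisdn", "x-imsi", "x-imei",
                    "x-up-calling-line-id", "x-nokia-msisdn"}
PARTNER_HOSTS = {"billing.partner.example"}   # hypothetical billing partner
PARTNER_HEADER = "X-Subscriber-ID"            # hypothetical header name
GATEWAY_KEY = b"constructed-demo-key"         # placeholder secret


def partner_id(msisdn: str, host: str) -> str:
    """Opaque per-partner ID so the raw phone number never leaves the gateway."""
    mac = hmac.new(GATEWAY_KEY, f"{host}:{msisdn}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def outbound_headers(host: str, client_headers: dict, msisdn: str) -> dict:
    """Deny by default: strip identity headers, add an ID only for partners."""
    blocked = IDENTITY_HEADERS | {PARTNER_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    if host.lower() in PARTNER_HOSTS:
        out[PARTNER_HEADER] = partner_id(msisdn, host.lower())
    return out


def misconfigured_gateway(host: str, client_headers: dict, msisdn: str) -> dict:
    """The leak described above: the number is added for every destination."""
    return {**client_headers, "X-MSISDN": msisdn}


def check_page_colour(received_headers: dict) -> str:
    """Checker-page logic: red if any identity header arrived, else green."""
    leaked = [k for k in received_headers if k.lower() in IDENTITY_HEADERS]
    return "red" if leaked else "green"


if __name__ == "__main__":
    req = {"User-Agent": "DemoPhone/1.0", "Accept": "text/html"}  # constructed
    number = "15555550100"                                        # constructed
    for gateway in (misconfigured_gateway, outbound_headers):
        sent = gateway("news.site.example", req, number)
        print(gateway.__name__, "->", check_page_colour(sent))
```
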