James Rosewell writes:
The mobile techie community has known about mobile networks and indeed some handsets providing unique information about mobile devices and customers for a long time. Collin Mulliner, a graduate student at the Technische Universitat Berlin, has recently bought the issue to the attention of the public during a talk at the CanSecWest conference in Vancouver.
Information such as IMEI and Mobile Phone Number is passed to web servers accessed by a mobile device or Mobile Network Operator (MNO) proxy server in hidden fields called HTTP Headers. The amount of information, format and ultimately usability of the information varies between MNO and mobile device. Practically, the inconsistency of the information makes it of little practical use to web sites. The apparent random nature of the information provided indicates MNOs haven’t really thought through how they’re configuring their gateways and proxies.
The following table shows the HTTP Header (hidden fields) provided by a mobile request received at thefonecast.com yesterday. Notice the x-up-calling-line-id field that contains the mobile number of the requesting device. (We've removed the mobile number from this example). This particular request was provided via the ZXWAP Gateway from ZTE.
|
Header Field
|
Value
|
|
Connection
|
Keep-Alive
|
|
Via
|
ZXWAP GateWay,ZTE Technologies
|
|
Accept
|
text/html,text/css,multipart/mixed,application/java-archive, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.message, application/vnd.oma.drm.content, application/vnd.oma.dd+xml, application/vnd.oma.drm.rights+xml, application/vnd.oma.drm.rights+wbxml, application/x-nokia-widget, */*
|
|
Accept-Charset
|
iso-8859-1, utf-8; q=0.7, *; q=0.7
|
|
Accept-Encoding
|
gzip, deflate, x-gzip, identity; q=0.9
|
|
Accept-Language
|
en;q=1.0,id;q=0.5,vi;q=0.5
|
|
Host
|
wap.socmobi.com
|
|
User-Agent
|
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Samsung/SGH-i450/DBGL3 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
|
|
x-up-calling-line-id
|
XXXXXXXXXX
|
The real point is that MNOs are seen to be taking liberties with customers personal information. There are many practical uses to providing this personal information “behind the scenes”. For example:
· A web site that requests a telephone number can default the telephone number field to the mobile number provided by the mobile network reducing the amount of data the user needs to enter.
· Multiple interactions can be related to one another without requiring explicit authentication.
On a darker note, once a malicious web site has a mobile number, the text message inbox would become the next target for spam.
Many people will be unhappy with this personal information being provided without consent. MNOs need to establish a clear and consistent policy around the dissemination of such information and ensure customers are in control of the personal information their mobile phone is giving out.