O2 mobile users in the UK are venting on Twitter today, fuming at their discovery that their phone number is being shared with every website that they visit over the network.
I found a colleague who owns an iPhone on the O2 network, and we tried it out for ourselves. Making sure we turned off his WiFi connection, we used the O2 mobile network to access the web.
Sure enough, his mobile number was being secretly communicated to the websites he visited, embedded inside an HTTP header called HTTP_X_UP_CALLING_LINE_ID.
O2’s response so far is to tell concerned Twitter users that it is investigating the issue.
@lewispeckover we're investigating this as we speak with our internal teams, we'll get back to you as soon as possible.
— O2 in the UK (@O2) January 25, 2012
Well, maybe I can be of some assistance. Because, although the problem is getting a lot of people’s attention today, it’s actually been known about for almost two years at least.
Back in March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled “Privacy Leaks in Mobile Phone Internet Access”.
My colleague Chet Wisniewski discussed Mulliner’s research at the time and it was also reported in the technology press.
It’s hard to understand why a mobile phone network operator would think it necessary to transmit its customers’ mobile phone numbers to the websites they visit. My guess is that it’s more likely a cock-up than malice that caused this data to be leaked – but what’s worse is that the problem is still present almost two years after it was first discovered.
It’s certainly easy to imagine how the information could be abused – for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you.
Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem.
So, the big question is: are other mobile networks – including those in other countries – also doing this?
If you want to know if your smartphone is revealing your phone number when you browse websites, you can test for yourself by visiting this demo page by Collin Mulliner: www.mulliner.org/pc.cgi
If it comes up green, you’re all clear. But if you see red, well... maybe you’ll be seeing red with your mobile phone operator too.
(Remember, you have to turn off WiFi before you test. That way, your phone is forced to use your mobile phone network for the connection.)
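For site operators who would rather check their own inbound requests than rely on a third-party page, here is a small self-hosted variant of the test page. This is an added example, not code from the article or from Collin Mulliner's pc.cgi. It inspects request headers for the header named above (HTTP_X_UP_CALLING_LINE_ID is the CGI environment-variable form of the on-the-wire header X-Up-Calling-Line-ID) plus a few other MSISDN-style header names that are assumptions drawn from other public reports, returns a red or green verdict, and redacts the number before it is logged so the check itself does not become another copy of the leak. The sample number 447700900123 is a constructed value from the UK's reserved fictional range.

```python
"""Self-hosted check for carrier-injected subscriber-number headers.

Added example; not the article's code and not Collin Mulliner's pc.cgi.
Only X-Up-Calling-Line-ID is named in the article; the other header names
are assumptions based on other public reports of MSISDN enrichment.
"""
import html
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names (compared case-insensitively) that operator gateways have been
# reported to use for the subscriber's phone number (MSISDN).
MSISDN_HEADERS = (
    "x-up-calling-line-id",   # the header named in the article
    "x-msisdn",               # assumption: seen in other public reports
    "x-wap-msisdn",           # assumption
    "x-nokia-msisdn",         # assumption
)

# Loose E.164-like shape: optional '+', then 7 to 15 digits. Used to flag a
# number under an unfamiliar header name that still mentions MSISDN/CLI.
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def find_leaked_numbers(headers):
    """Return [(header_name, value), ...] for headers that look like a leak.

    `headers` is any mapping with .items() (a dict, or the request's
    email.message.Message). Known header names are flagged regardless of
    value; other names containing 'msisdn' or 'calling-line' are flagged
    only if the value looks like a phone number.
    """
    hits = []
    for name, value in headers.items():
        lname = name.lower()
        v = str(value).strip()
        known = lname in MSISDN_HEADERS
        suspicious = (
            ("msisdn" in lname or "calling-line" in lname)
            and bool(PHONE_RE.match(v))
        )
        if known or suspicious:
            hits.append((name, v))
    return hits


def redact(value, keep=3):
    """Mask a leaked value for logging, keeping only the last `keep` chars."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def verdict(headers):
    """'red' if any header appears to carry the subscriber number, else 'green'."""
    return "red" if find_leaked_numbers(headers) else "green"


class CheckHandler(BaseHTTPRequestHandler):
    """Serves a red/green page, like the test page, for the requesting device."""

    def do_GET(self):
        hits = find_leaked_numbers(self.headers)
        colour = "red" if hits else "green"
        parts = [f"<html><body style='background:{colour}'>"]
        if hits:
            parts.append("<p>Your operator is forwarding these headers:</p><ul>")
            for name, value in hits:
                # Escape client-controlled strings before echoing them as HTML.
                parts.append(
                    f"<li>{html.escape(name)}: {html.escape(redact(value))}</li>"
                )
            parts.append("</ul>")
        else:
            parts.append("<p>No subscriber-number header seen on this request.</p>")
        parts.append("</body></html>")
        body = "\n".join(parts).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        # Server-side log keeps only the redacted form of the number.
        for name, value in hits:
            self.log_message("leak header %s=%s", name, redact(value))


if __name__ == "__main__":
    # Run on port 8080 (assumed) and visit it from the handset over mobile data.
    HTTPServer(("0.0.0.0", 8080), CheckHandler).serve_forever()
```

Run it on a host reachable from the handset and load it with Wi-Fi off, as the article says, so the request really crosses the operator's gateway. A green result only shows that this particular request was not enriched: an operator that adds the header solely for whitelisted destination addresses would still come up green here and on any other test page.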
Update: O2 says that the problem is now fixed and has published an explanation of what went wrong.
Doesn't look like Vodafone are affected – or at least, my SE Xperia Arc passes the test
@Matt, it's not a handset issue, it's an operator issue. O2, and not the phone itself, are modifying the request headers sent when your mobile browser requests a webpage, and inserting your number. This looks like a transparent proxy configuration set to a debug mode, but it still begs the point as to why it has been left on for all this time.
Vodafone users ARE affected, at least in Italy. The page is green just because Vodafone blacklists some sites and whitelists others (i.e. those paying for these “services” to them). If I go to another webpage, I can clearly see: “If you click on the link, a paid subscription service will be activated on number xxx” (my phone number). Why are they doing this? For two reasons:
1) the aforementioned “paid digital services”. It’s extremely frequent here in Italy. Most of them are fraudulent.
2) sites can collect your phone number to send SMS spam or they sell the number list to call centres.
It’s very laughable that the EU obliged every site to warn about cookies, but does NOTHING about this widespread problem. A cookie is a privacy problem, but, instead, YOUR MOBILE NUMBER (connected also with your browsing habits/history) is not?!?
From what I remember, every iPhone carrier must have an Apple box that all traffic is sent through. This is where the UP_CALLING_LINE_ID is usually dumped, so Apple can see usage data. (Always been the case, read the small print).
My guess is O2, in their hurry to get Apple onboard, never felt the need to close this and happily sends all that data out unaware.
What bollox. There's nothing like that in the small print.
Plus O2 is doing this for all phones (and even dongles), not just the iPhone.
Other carriers don't have this issue.
Another vote for Vodafone being clear (on a Samsung Galaxy S2)
My Nokia E6 on vodafone uk is not affected. Looks like vodafone has patched this hole
My Blackberry on O2 passes the test.
I've got a galaxy s2 with 02 but doesn't seem to be affected when I try out the test website.
Same here with a Galaxy S. No problems at all.
Looks like it affects all O2's virtual networks like Tesco and giffgaff etc. O2 have commented on their own forum confirming the investigation and their Twitter feed is swamped.
just tested on O2 using Android & Opera mini and it is not displaying any number, however the default android browser is passing it 😮
Opera uses its own proxy, that's the reason you got Opera Mini right?!
Here's a discussion on the Nokia dev forum from 2004 on finding mobile numbers in HTTP headers: http://www.developer.nokia.com/Community/Discussi… – this is clearly not a new issue. Bad luck O2 for being the chumps to fall foul of it the day Twitter had nothing better to do.
Twitter had nothing better to do. Oh we'll remember that when we get scammed/spammed because O2 were too lax/stupid to close the gap. Granted it's not as important as world hunger or the latest celebrity to lose their knickers, but some of us do care.
I just did the test through mulliner as you suggested and my screen came up green.
I'm with T-Mobile NL,
All clear with iPhone 4S and AT&T (USA).
I used to work in the mobile website industry, and it is a standard feature of most mobile networks, but usually only if the website signs an agreement with the network. Sometimes other information is also available such as the user's location, what sort of contract they are on, and if they have proved they are old enough to view pornography.
The mobile website wants the customer phone number so that they can track individual users through their site, and recognise them when they return. This is sometimes done just for statistics and adverts, but mostly it is done to create user accounts for subscriptions or paid-for content. Phone numbers are preferred over cookies for this because many older phones don't support cookies, or will delete them frequently, and also because phone numbers are hard to spoof or change, and can be traced back to an individual user in case of fraud or abuse. It is also used for reverse SMS billing on some sites. (This is where you pay for content by receiving one or more premium rate text messages).
What generally happens is that a mobile website will request certain information be passed along from the mobile network, and will offer to share revenue in return. If the network agrees, then the IP address of the web server in question will be added to a white list at the network and the information will be supplied.
Different networks have different rules on what will be supplied under what circumstances. For example I did some work with TeliaSonera in Finland, and they would only supply one of the mobile number or the user's location, but not both, and if a web page contained adult material you had to set a number of headers to indicate what type (from their list of categories) and they would block it from the user at their end if necessary.
I suspect what has happened in the case of O2 is that something has broken in their systems, so they are passing along phone numbers in the HTTP headers to all websites when they should not. I doubt they would want to do that by default as it is useful for them to take a cut from mobile website revenues.
I'm with O2 and mine turned red – and so have I – am NOT impressed at all and I hope they sort this out or I will be changing network!
Orange is fine – just checked. O2 twitter guy earning his $$$ today!
What, for battling someone else's incompetence?
My BB Torch (I'm with O2) came back green, would've been annoyed if not!
I'm ok here with Talkmobile (virtual over Vodafone). Useful test page though – the built-in Android browser leaks my exact phone make, whereas Opera Mobile doesn't.
And couldn't you have included a QR code for the URL, save us all typing it in?
I made the link clickable! No need for a QR code. 🙂
not so helpful if you're reading from your laptop, and of course I can't visit from my phone otherwise you might take my phone number and call me 😉 (kidding)
So send an email to your phone and click on the link, I did works just fine.
Motorola Droid X – Verizon US – GREEN
Here, Phil, let me Google that for you…
http://goo.gl/266Y3
Click that on your computer and you'll get the QR code for http://www.mulliner.org/pc.cgi which you can scan using your phone.
For future reference, you can make anything into a QR code using the lengthy URL that the goo.gl link redirects to; just replace =http://www.mulliner.org/pc.cgi at the end with =whateverURLyouwanttomakeintoaQRcode
You're welcome. =)
giffgaff customer here (they use O2's network) on a new Nokia Lumia 800, just ran the test and it's clean.
AT&T, South Carolina, US, comes up green.
Neither my default browser nor FF for android are revealing my number. I'm on O2?
Your smartphone isn't the issue here, the O2 NETWORK is appending the data as your web request travels out to the internet.
Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended:
APN: mobile.o2.co.uk
Username: bypass
Password: password
That doesn't work for me *every* time. Forcing a network reconnect using the above settings results in number being reported while, after another reconnect, doesn't. The results are annoyingly random for me at least!
Verizon wireless seems unaffected 🙂
If you reconnect to O2 often enough (e.g. toggle flight mode) you end up getting a route that doesn't report your number… until your device reconnects without you noticing of course.
so, how do you change your iPhone settings to NOT reveal your cell number?
My o2 Blackberry on the default browser passed the test – green light.
Vodafone Blackberry is all okay, came back green
Rogers Canada on Windows Phone 7.5 here. Thankfully no phone number being transmitted.
This is such a huge breach of privacy.
We just tested a Blackberry and a HTC Snap on Mobilicity (Toronto, ON, Canada) and neither transmits the phone number using Internet Exploder or Blackberry Browser.
Orange and T Mobile on an HTC Desire are green as grass. Unlike O2 who should be red in the face. Twats.
My BB Curve on O2 UK is absolutely fine. I use both the phone's built-in browser and Opera Mini, both returned green. Although I would have been pretty peeved if I had discovered otherwise, the reason I use Opera is because it is proxy based so it circumvents O2's ridiculous age control policy (I'm 21 by the way). Although the age limit is set at 18 for obvious reasons I get fed up of asking them to remove it and then it coming back after a few months. But that's a whole different issue….
With companies like O2 who needs hackers?
I just tested my phone (HTC Desire S) tethered to my PC on the Three(3) network using the mulliner.org test and it was not passing the telephone number.
However, it is interesting that when I connect to the Three website and look for my account information the site knows what SIM card (and phone number) I am using and directs me to my account without me having to type it in. So I assume that identifying info is being sent, perhaps there is more info embedded in the data. It is possible that the IP address is associated with the account in the Three network so that it can obviously track usage for billing or blocking (under 18's). I wonder if this info might also be interrogated by any website you access? I am sure hackers out there will be able to tell us.
I suspect it is both the smartphone AND the network, in this case iPhone on O2-UK. My HTC Desire doesn't pass my number whether it's on O2(Giffgaff) or Orange – I tried both SIMs.
Or has anyone seen O2 passing over their number on any other handset?
I'm waiting for someone to take an iPhone that shows red when tested on O2 and try it on a different network. (Yes, it'll have to be unlocked!)
I’m on 3 Mobile UK with the iPhone 4 and came back green, no leaks or problems… Think I’d be quite upset if I were an O2 customer. It’s not easy to block spam messages and even more hassle changing your number!
My O2 is fine, checked from my BlackBerry 9300.
On O2 UK, my BlackBerry comes up green. I suspect that all BlackBerry/RIM devices will be OK as they use different (their own?) gateways and therefore don't include that header information. Good news for BlackBerry …. makes a change !
iPhone 3Gs and AT&T in the U.S. is fine.
Vodafone NL on a HTC Desire returned green.
I just tested my iPhone 3G on O2 & it was fine.
Vodafone Au on GS2 is green. Tried 2 browsers.
Vodafone Hungary is green 🙂
Here in Pakistan with Telenor, it turned RED along with my phone number,,, wtf!!! Time to talk to my network operator :/
NSA hacked all the Cisco routers in Pakistan’s network giving them real access to practically everyone, while also allowing NSA to silently redirect targeted users to web services they control for SIGINT.
All mobile phones are affected by privacy issues. Your IMSI, IMEI, MSISDN, IP, HTTP USER-AGENT, Wap Profile, cookies, headers and location can all be obtained fairly easily by analyzing GET and POST requests along with the HTTP header sent to a web server by your phone’s browser and also the Response returned from the web server. By combining client GET and POST requests with server Responses, the NSA, GCHQ and plenty of other rogues can capture your MSISDN, along with IMSI, IMEI, your IP, phone number, and many other unique identifiers.
The Three network in the UK is a-ok, I came up green.
I can confirm that Vodafone UK is also not affected by this, made even clearer by a "No Obvious Problems Detected" at the top of the page. On Windows Phone Nokia Lumia 800.
My Sony Ericsson K800i passed the test. I'm on T-Mobile UK. BTW, I thought O2 fixed this already?
No problems here with T-mobile Nokia Lumia 800
AT&T legal terms in the US states it outright: “Caller ID blocking is not available when using Data Services, and your wireless number is transmitted to Internet sites you visit.”
T-mobile Failed miserably!!
I have recently read that some carriers only transmit the phone numbers to the websites who pay for it. So even if you look clean on the test page, that might only mean your carrier isn’t sending the phone number for every request, but only to the ones requesting websites who pay the toll.
O2 has not fixed it. I was the target of premium rate texts without consent and without knowing. Just browsing through a free website and instantly, without clicking on any adverts, I received a premium rate text saying that I had been charged.
Exact same thing has just happened to me! I don’t know whether to reply stop or not?
Very interesting topic I never really thought about websites being able to gain access to my cell phone number when I’m browsing the internet.
I had this issue with O2 TODAY… 15th September 2018 – so NO they have not ‘fixed’ the problem
I got a spam text after browsing a door handle hardware site in China and was told I had ‘subscribed’ to a £4.50 GBP per week site
I had NOT clicked ANY subscribe button !!!!!