Jan 8, 2007

Your GPRS mobile is spying on you!

One of the great things about the Internet is anonymity: one can surf the net without disclosing who one is or where one comes from (OK, your IP address can be used to track you, but unless someone goes through the long process of getting your ISP to yield details about that IP address, such means can be safely ruled out). People using a shared IP address are even more anonymous. In Qatar, there is just one ISP with only one IP address. How can one trace an individual net-surfer from only that information?

No wonder people expect to have the same kind of anonymity while surfing the web through their mobile devices too. The mobile operator does give you a shared IP address. Though surfing through mobile phones is still very painful in India (3 KBps download speeds aren’t that great), mobile Internet access through GPRS is becoming cheaper every passing month; Airtel offers an HTTP-only package for just Rs. 99 per month, which should encourage more people to at least try mobile web surfing. But cheap access doesn’t translate into secure access.

I always used to wonder how various websites like Yahoo, Rediff et al. could get access to mobile subscriber data and charge them for their products and services. So I created a small servlet at http://www.myjavaserver.com/servlet/proteus.SmallFiles.WmlHead, and the results turned out to be shocking. I accessed the page from my friend’s phone and this is what I saw (the number was not masked in the original output; it has been masked here to protect his privacy).

Host : www.myjavaserver.com
X-Wap-Profile : "http://wap.sonyericsson.com/UAprof/W700iR101.xml"
Accept-Language : en
Accept : application/vnd.wap.xhtml+xml, application/vnd.wap.wmlc, application/xhtml+xml, image/gif, */*, text/vnd.wap.wml
User-Agent : SonyEricssonW700i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Accept-Charset : *
Accept-Encoding : deflate, gzip
TE : deflate, gzip
MSISDN : 9198xxxxxxxx
WAP-Connection : Stack-Type=HTTP
Cookie : $Version=0;User-Identity-Forward-msisdn=9198xxxxxxxx;User-Identity-Forward-ppp-username=void;Bearer-Type=w-TCP;wtls-security-level=none;network-access-type=CSD;nas-ip-address=10.151.1.18;apn=airtelfun.com;imsi=404490016894720;Called-station-id=airtelfun.com;accounting-session-id=3D5FF84246578127;accounting-authentication-method=2;sgsn-ip-address=125.19.6.40
SCRIPT_URL : /servlet/proteus.SmallFiles.WmlHead
SCRIPT_URI : http://www.myjavaserver.com/servlet/proteus.SmallFiles.WmlHead
Remote Address : 203.145.131.158
Remote Host : 203.145.131.158
Server Name : www.myjavaserver.com
Protocol : HTTP/1.1

This is from the Airtel network in Andhra Pradesh, India. As one can see, it transmits your mobile number in plain text, along with your mobile operator information, to each and every website you visit. It also carries your IMSI number, about which Wikipedia says: "In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly generated TMSI is sent instead." This is potentially a great way for spammers to send you spam SMSs or track your surfing habits: they can put a 0x0 pixel image on web pages and track you without you ever visiting their site. Much of this they can already do through normal browsers on computers, but here they can personally identify you through your phone number. You can visit the link given above to verify which headers your ISP is attaching to your outbound requests over GPRS. It is a WML page, so even the oldest browsers should be able to open it.

It would be futile to even talk to your Customer Care guys about this; instead, write to your ISP and ask them WHY they are exposing you to dangers that put your privacy at risk. As a defence, you can use an anonymizing proxy like Opera Mini, which will hide your information, but prevention is better than cure!

Source for the Java Servlet is available here.

Remember, you need to access the URL with your mobile phone; accessing it through your normal browser will display the header information of your PC browser. You also need a GPRS connection that allows you to surf external sites and not just those of your service provider.

For the curious, I have also added a Java Servlet that displays the headers sent by your PC browser here. The source for this one is available here.
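As an added example (not the post’s servlet, nor anything from Airtel), the following Python script audits a captured request for the subscriber-identifying fields shown in the header dump above, and shows the gateway-side filter an operator could apply so that those fields only reach allowlisted hosts. The sample headers are constructed from the dump in the post; the allowlisted host name is hypothetical.

```python
# Constructed from the post's header dump (MSISDN masked as in the post; the IMSI is
# the altered value the author published). Not a live capture.
SAMPLE_HEADERS = {
    "Host": "www.myjavaserver.com",
    "User-Agent": "SonyEricssonW700i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0",
    "MSISDN": "9198xxxxxxxx",
    "Cookie": "$Version=0;User-Identity-Forward-msisdn=9198xxxxxxxx;"
              "User-Identity-Forward-ppp-username=void;Bearer-Type=w-TCP;apn=airtelfun.com;"
              "imsi=404490016894720;sgsn-ip-address=125.19.6.40",
}
# Header names and cookie keys (lower-cased) that identify the subscriber or the operator's network
SENSITIVE_HEADERS = {"msisdn"}
SENSITIVE_COOKIE_KEYS = {"user-identity-forward-msisdn", "user-identity-forward-ppp-username",
                         "imsi", "apn", "sgsn-ip-address", "nas-ip-address", "accounting-session-id"}

def parse_cookie(cookie):
    """Split a ';'-separated Cookie header into ordered (key, value) pairs."""
    pairs = []
    for part in cookie.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_headers(headers):
    """Return [(where, key, value)] for every identifying field the request would leak."""
    findings = []
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            findings.append(("header", name, value))
        elif name.lower() == "cookie":
            findings += [("cookie", k, v) for k, v in parse_cookie(value)
                         if k.lower() in SENSITIVE_COOKIE_KEYS]
    return findings

def strip_subscriber_headers(headers, dest_host, allowlist):
    """Gateway filter: forward identity fields only to allowlisted hosts, drop them for everyone else."""
    if dest_host.lower() in allowlist:
        return dict(headers)
    cleaned = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            continue  # drop the bare MSISDN header entirely
        if name.lower() == "cookie":
            kept = [f"{k}={v}" for k, v in parse_cookie(value) if k.lower() not in SENSITIVE_COOKIE_KEYS]
            if kept:  # keep only the non-identifying cookie attributes
                cleaned[name] = ";".join(kept)
            continue
        cleaned[name] = value
    return cleaned
```

Running `audit_headers(SAMPLE_HEADERS)` lists the MSISDN header plus the msisdn, imsi, apn and sgsn-ip-address cookie keys; after `strip_subscriber_headers` for a non-allowlisted host the audit returns nothing.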

30 Responses so far

  1. [...] Your GPRS mobile is spying on you! [...]

  2. Siddharth Razdan January 9, 2007 11:25 am

    It has been more than one year since I activated my Airtel G.P.R.S. service and > six months with HUTCH world, and till date there hasn’t been a “single” spam message or call. So what if it is forwarding my IMSI number here and there if it’s not bothering me?

    Regards
    (Siddharth Razdan)

  3. Rohit January 9, 2007 12:04 pm

    A reason for this may be the abysmally low number of GPRS users in India. But are you willing to risk exposing your confidential information to arbitrary websites on the internet? You are careful enough not to give your phone number to just anyone (I guess that’s why you are not receiving any spam calls or messages), but it seems strange that you are OK with arbitrary sites accessing your mobile number etc.!

    IMHO it is just a matter of time before spammers recognize the opportunities afforded by cell phones and start capitalizing on it. Affiliate banners and ad services are some of the ways, that come to my mind, how spammers could get information which can personally identify you.

  4. Ankit January 9, 2007 6:18 pm

    And plus its a trail of your surfing habits which can easily be used against you.

    So what if it is forwarding my IMSI number here and there

    It’s also forwarding your mobile phone number, if you don’t know; plus, till now I assume you are seeing the operator’s own sites.

  5. Siddharth razdan January 10, 2007 3:48 pm

    [-(

  6. Ankit January 10, 2007 4:34 pm

    @siddharth - i see you reject logical reasoning :-?

  7. Siddharth Razdan January 10, 2007 9:46 pm

    Two very intelligent geek brothers hitting me hard and that too at the same moment. What do you expect, Ankit? 8-|

    Regards
    (Siddharth Razdan)

  8. Siddharth Razdan January 10, 2007 9:59 pm

    Anyway, my point was that the word “potential” is still lurking around with the dangers of using GPRS. As I’ve said earlier, I do get any spam on my cell and neither of my friends who use similar services. That implies, the opportunities aren’t yet identified by the crackers. So, at least for today, there isn’t any need for me and for the companies to create a filter for cell phones.
    Also, I’d like to tell you that it’s not only the operator’s site that I’m visiting from my phone, there are a host of other sites too.

    Regards
    (Siddharth Razdan)

  9. rajiv January 14, 2007 10:41 am

    Ankit, how can we protect our privacy? Is that really important, and what are the possible problems that can happen for not having privacy?

  10. rajiv January 14, 2007 10:44 am

    Sorry for that silly question. I didn’t read your content properly, but still I didn’t get how to protect our privacy. Can you please elaborate?

  11. Ankit January 14, 2007 11:56 pm

    No way to protect the privacy, unless you put enough pressure on Airtel. Airtel is forwarding your mobile number, so there isn’t much you can do but FORCE Airtel to change their technology. Spreading awareness is the best you can do.

  12. Eugene. January 23, 2007 12:44 am

    This type of information has been blocked by wireless carriers in China in order to stop so-called “free WAP” applications which collect this type of information and then make a profit by sending ads. The wireless value-add business is not so developed in India and should be a good opportunity for smart guys like Rohit. I am going to check in the USA to see if the wireless carriers are stupid enough to open such a great opportunity. :):-?:)>-

  13. Kapil January 25, 2007 1:25 am

    :d/

    Oh Wow!


    Nice and very useful information you have shared. That really can be of a business thing for those spammers.

    I am at Delhi, and do get calls from those advertising and marketing people nowadays, at least 3-4 a week, and it’s growing.

    They access it either via web but I am not sure about Mobiles.
    :o

    Do you know what is this :
    :-w
    [9eaec58155f2e0e9a339]. I got lots of these from some sites indexed with mobile nos.?

    Maybe for Mr. Razdan his privacy is not so important, but for me it is. Nowadays you can see certain pages on the internet being indexed by search spiders which expose so much information, without our knowing that it is ours.

    8-| So, everyone beware !!


    Thanks for this unusual but really useful information.

    KAPIL
    :x

  14. PutVote.com February 10, 2007 6:25 pm

    Your phone number is no longer private

    A shocking revelation of how mobile operators in India, such as Airtel with an utter disregard for privacy are inviting spammers and tele-marketers by forwarding your phone number to every site you visit via GPRS.

  15. Amit April 10, 2007 1:18 pm

    Btw, who inserts these headers, the Browser or the Operator? Because on a WAP 2.0 site (xhtml) I don’t see any such headers; are they specific to WML-based sites?

    cheers,
    amit.

  16. Rohit April 10, 2007 1:32 pm

    It can be done at either end, but generally it is the browser.

    But then, if your browser adds the headers, they are only meant for your service provider, say for billing purposes etc. My point is, why can’t the provider block them and not allow the headers to go unfiltered to every site that the person visits on the net? Anyway, you are accessing the net through your ISP’s proxy server and not directly (even for the full GPRS), so the ISP can set up an anonymous proxy instead of a transparent one, don’t you agree?

    Plus if you are using Opera Mini, it is using Opera’s proxy server to access the webpage and so you will not see your mobile information, only the originating IP address (as X-ForwardedFor) will be visible.

    BTW how are you trying to view the headers?

  17. Vimal September 14, 2007 11:12 am

    Rohit..

    The above problem is pretty handset specific.

    I tested it on my Motorola A780 Linux-based smartphone..

    It only gives away the Browser Id and Platform ID plus the usual Encodings, etc information.

    It’s better to petition Sony Ericsson to disable this default information-leaking policy.

  18. Ankit September 14, 2007 11:44 am

    Actually Vimal, even the operator doesn’t remove the MSDN if your browser adds it for his help. Btw this should have made things more clear.

  19. Jorge October 11, 2007 4:00 pm

    It is not the browser inserting that information. It is the operator’s WAP GW.

    Also, I find it a bit surprising that you went through the trouble of masking out the MSISDN from the log, but you left the IMSI in the clear. FYI, the IMSI is WAY more valuable than an MSISDN.

  20. Rohit October 11, 2007 4:41 pm

    Thanks for pointing that out, it just emphasizes the importance of the IMSI.

    The IMSI number is a fake! For the curious, 3 digits have been changed in the number. I masked the MSISDN only as it gives the actual phone number of the person on Airtel’s network.

    So even if I had replaced it with a random number, some poor guy who would be having that number would curse me :p

    Regarding your other statement, I still think it is the browser (especially the ones that come by default on the phone’s firmware) that inserts the info. I have a Palm Treo and its browser doesn’t append any information when I go to that page.

  21. Jorge October 11, 2007 7:00 pm

    Trust me: it is the WAP GW.

    The palm is a device which can render HTML pages, so it is very likely that it is NOT configured to send its packets through the WAP GW, and therefore, the headers are not inserted.

    We have all kinds of cellphones in the lab (including a PALM treo 650), and I have yet to see any device (or, really, an application on a device) which inserts this information into HTTP packets. In fact, I am not sure this information is even made available to applications running on the handset.

  22. Rohit October 12, 2007 12:41 am

    Hmmm, interesting. Then why doesn’t the gateway attach the headers to the data sent by the Palm Treo?

  23. Jorge October 12, 2007 10:38 am

    As I said before, the Treo is likely NOT configured to send its packets through the gateway. Hence, the gateway does not see the packets and is therefore not able to insert the headers.

    BTW, if I were your friend, I would call the wireless operator and complain about this information being sent out. The WAP GW can be configured to only share the information with specific websites. It sounds to me like the wireless operator had some kind of deal with particular websites or even a website of its own, to share the MSISDN/IMSI. However, the operator got lazy and instead of provisioning the gateway to share the info with just one website, it just provisioned it to share it with all.

  24. Rohit October 12, 2007 12:28 pm

    The complaint falls on deaf ears here, I tried reasoning with Airtel and all I got was a huh?

    I think I understand what you mean here. Most of the phones that I have encountered use something like a WAP proxy to communicate with the websites. The Treo on the other hand doesn’t have a setting for a WAP proxy, rather has fields for just an assigned IP address and a DNS server address; so I reckon that the procedure is different.

    Thanks for bringing that up!

  25. Smackall December 20, 2007 7:21 am

    I tried your code and got a blank value for all the unusual headers. I tested it with a few of our Nokia and Sony devices. I don’t think the number is transferred. Or maybe only with a few devices.

  26. Rohit December 21, 2007 8:41 pm

    From what I know, this depends on the Mobile Operator. I had got the headers mentioned above from Airtel AP during January last year. Don’t know if they have rectified this yet…

    I also tried this with my friend’s iPhone on an AT&T connection and it doesn’t leak any headers to websites. Guess it is just a matter of properly configuring your gateway.

  27. Tony May 22, 2008 9:39 pm

    So anyways it works now maybe I just can’t add up :$

    So what I wanted to say was I’m from Australia and I can concur that the MSISDN provided in the Header is controlled at the WAP GW. I’m quite sure all the phone providers in Australia are blocking this info. It’s either privacy laws or greed. Why I say greed is because they want to be able to sell this information to companies etc.

  28. Ananth July 16, 2008 6:07 am

    Hey Rohit,
    Do you mean that using Opera mini would somewhat protect our privacy..? 8-)

  29. Rohit July 16, 2008 8:18 am

    To an extent ‘yes’. It masks your IP address and all custom headers sent through your mobile device. Of course, Opera still gets this information as all your data and requests pass through its servers. Additionally, surfing through Opera Mini allows Opera to track your surfing habits. I guess it is still better to trust Opera rather than trust arbitrary websites with your identifying information.

  30. Ananth July 17, 2008 6:59 am

    thanks Buddy… :)

2007 (c) Rohit’s Blog, Using the ReviewSaurus Theme : Powered by WordPress