Home > Technology > Is your smartphone telling every website you visit your telephone number?

Is your smartphone telling every website you visit your telephone number?

January 25, 2012 Leave a comment Go to comments

nakedsecurity

O2 mobile users in the UK are venting on Twitter today, fuming at their discovery that their phone number is being shared with every website that they visit over the network.

O2 customer tweets

I found a colleague who owns an iPhone on the O2 network, and we tried it out for ourselves. Making sure we turned off his WiFi connection, we used the O2 mobile network to access the web.

Phone number revealed

Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an http header called HTTP_X_UP_CALLING_LINE_ID.

Closeup of phone number

O2′s response so far is to tell concerned Twitter users that it is investigating the issue.

 

Well, maybe I can be of some assistance. Because, although the problem is getting a lot of people’s attention today, it’s actually been known about for almost two years at least.

Back in March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled “Privacy Leaks in Mobile Phone Internet Access”.

My colleague Chet Wisniewski discussed Mulliner’s research at the time and it was also reported in the technology press.

It’s hard to understand why a mobile phone network operator would think it is necessary to transmit their customers’ mobile phone numbers to the website they visit. My guess is that it’s more likely to be a cock-up than malice which caused this data to be leaked – but what’s worse is that the problem is still present almost two years after it was first discovered.

It’s certainly easy to imagine how the information could be abused – for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you.

Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem:

So, the big question is are other mobile networks – including those in other countries – also doing this?

If you want to know if your smartphone is revealing your phone number when you browse websites, you can test for yourself by visiting this demo page by Collin Mulliner: www.mulliner.org/pc.cgi

If it comes up green, you’re all clear. But if you see red, well.. maybe you’ll be seeing red with your mobile phone operator too.

(Remember, you have to turn off WiFi before you test. That way, your phone is forced to use your mobile phone network for the connection.)

About these ads
Categories: Technology Tags: , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 288 other followers

%d bloggers like this: