Smartphone Privacy Snafu: U.K. Carrier Broadcasts Numbers

Mobile provider O2 said it has patched problem that shared phone numbers with websites. But users of the Orange network in Spain report similar issues.
10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)

Is your mobile phone carrier disclosing your smartphone's telephone number to every website you visit?

The short answer was yes, at least for subscribers to O2 in the United Kingdom who were accessing data via a 3G or WAP--although not Wi-Fi--connection. O2 is Britain's second-largest mobile network operator, part of Telefonica, which is the world's fourth-largest mobile network operator.

The telephone number-sharing problem was first disclosed Wednesday by system administrator Lewis Peckover on Twitter: "User-agent header ID's the device. Passing mobile number to third party sites is not ok! Seems like a data protection act breach to me?" Users of other services that piggyback on the O2 network, for example from GiffGaff and Tesco, were also affected.

On Wednesday, O2 said via Twitter it was investigating the issue. Later in the day, it then said that it had fixed the problem, which dated to January 10, 2012. It also released a statement acknowledging that there had been "potential for disclosure of customers' mobile phone numbers to further website owners." The company said the error stemmed from routine network maintenance, reported Wired.

"Security is of the utmost importance to us and we take the protection of our customers' data extremely seriously," said the O2 statement.

[ Mobile carrier security concerns aren't limited to the U.K. Read Carrier IQ: Mobile App Crap Must Stop. ]

The U.K. Information Commissioner, which enforces the country's data protection and privacy laws, released a statement Wednesday saying that it's investigating the alleged breach. "When people visit a website via their mobile phone they would not expect their number to be made available to that website," it said. "We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

Meanwhile, O2 Wednesday also provided a detailed overview of the incident, which it characterized as a "one-off." The company also said that it was "putting in additional measures to prevent a reoccurrence," and was working with the Information Commissioner, as well as Britain's communications regulator. But O2 said customers would only be compensated for the telephone-number-sharing error if they could "demonstrate material loss."

Graham Cluley, senior technology consultant at Sophos, said in a blog post Wednesday that he'd confirmed the telephone-number-sharing problem prior to O2 fixing it, after he tested a colleague's iPhone that operates on the O2 mobile network. "Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an http header called HTTP_X_UP_CALLING_LINE_ID."

"It's hard to understand why a mobile phone network operator would think it is necessary to transmit their customers' mobile phone numbers to the website they visit," said Cluley, noting that the information could easily be abused by spammers. "If your mobile phone number is scooped up, it could then be used to SMS text-spam you," he said.

O2, however, has clarified that in two types of cases it continues to share telephone numbers. The first is with "trusted partners"--for example, when customers purchase add-on ringtones, wallpaper, or other content that gets delivered straight to devices. "We carefully vet these sites and only work with them under contractual obligation, to ensure your mobile phone number is only used to bill you," said O2.

The telephone numbers are also used for age-verification purposes, to comply with Britain's child-protection regulations. "For those customers who have not verified with us that they are over 18, we share your number with and, who then verify your age before you are able to access sites with over-18 content," according to O2. "Your number is not shared further than these two partners."

But Cluley also questioned why such a privacy breach occurred, two years after a security researcher disclosed these exact types of issues. Indeed, the underlying problem was first detailed in 2010 by Collin Mulliner, then a student in Berlin, in "Privacy Leaks in Mobile Phone Internet Access," a paper he presented at the CanSecWest conference in Vancouver. Notably, Mulliner was one of the first researchers to use fuzzing--submitting random or unexpected data to applications or devices--to find vulnerabilities in mobile phones.

Worried that your phone might also be disclosing private data? Mulliner has created a privacy checker for mobile phone users (be sure to disable Wi-Fi before browsing to the site), which assesses whether a device is over-sharing (triggers a red page) or seems to be okay (cues a green page).

Thanks to that tool, people have found that O2 in Britain hasn't been the only mobile network operator inappropriately disclosing private data. Notably, elEconomista reported Wednesday that two owners of Samsung-built Android smartphones that use the mobile network operator Orange in Spain had discovered a similar data privacy issue. But a user of an iPhone on the same network reported no inappropriate data disclosure, suggesting that the problem, at least there, may be somewhat device-specific.

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)