Wireless Web Privacy -- Test your phone

Some wireless web browsers reveal your phone number to every web server you visit. As a result, an advertiser who collects your number can annoy you, and run up your airtime, by calling it. As yet there is no way to disable this feature. Below I summarize the problem and provide a simple script to test whether your phone is vulnerable. Note that SprintPCS users should not complain, because you signed away your rights by accepting the "callerID cannot be disabled in the Wireless Web" section of your customer agreement.

The UP.Browser mini web browser found on phones such as Qualcomm's QCP-1960 on SprintPCS causes your phone number to be sent in the HTTP request headers of every page you fetch. The number is not sent by the handset itself: it is inserted by the carrier's UP.Link gateway, which translates the phone's mini-browser requests into ordinary HTTP requests. Whether your phone number is revealed therefore depends on your carrier. At the time of writing, SprintPCS still reveals phone numbers.

The press finally wrote about this privacy problem on CNet and the SF Chronicle.

Test your phone. Download the code.

If you have a wireless web phone, enter this URL on your phone to test if your phone number gets revealed:

snafu.mit.edu/i

To access this URL on your web phone, start the mini-browser and choose "Go to" from the main menu, then type in the URL. The phone should display "HDML Privacy" after visiting the URL. Hitting the button for OK at that point will test your phone and display your phone number if the script can detect it.

Note that the script will not work unless you have the UP.Browser. You are welcome to download my short HDML Java Servlet. However, in return I ask that you let me know of any bugs you find in my code. Feel free to make improvements. I do not claim that the code is efficient, secure, correct, yada yada.

So my phone is vulnerable. Now what?

Wait. Hopefully the fix requires changes only on the UP.Link server, so your carrier can remove the phone number from the HTTP headers without touching your phone, and will probably do so soon. Until then, visit only web sites that you trust not to use or disclose your phone number. Unfortunately there is as yet no mechanism for verifying the authenticity of a web server from a wireless web phone.

Example HTTP request headers of a vulnerable phone

My wife's Qualcomm QCP-1960 web phone did reveal her number (output changed to 6171234567):

(~/)%  nc -l -p 8000
GET / HTTP/1.0
x-up-uplink: up2.upl.sprintpcs.com
x-up-fax-accepts: none
x-up-fax-limit: 0
User-Agent: UP.Browser/3.01-QC31 UP.Link/3.2.1.4
x-up-devcap-charset: US-ASCII
Accept: application/x-hdmlc, application/x-up-alert, 
application/x-up-cacheop, application/x-up-device, 
application/x-up-digestentry,  text/x-hdml;version=3.0, 
text/x-hdml;version=2.0, text/html,text/x-wap.wml,text/vnd.wap.wml, */*
Accept-Charset: US-ASCII, UTF-8, *
Accept-Encoding: 7bit, 8bit, binary
x-up-subno: 6171234567_up2.upl.sprintpcs.com
Accept-Language: en
Connection: Keep-Alive
Host: wmm.mit.edu

As you can see, the phone number is in the x-up-subno header: the part before the underscore is the subscriber number and the part after it names the UP.Link gateway that added the header. Luckily a phone with a real TCP/IP connection, such as the PDQ Palm Pilot phone, does not have this particular problem, since its browser speaks HTTP to the server directly rather than through the UP.Link gateway.
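As an added example that is not the HDML servlet from this page, here is a small Python script that performs the same check over a captured request: it parses the raw HTTP headers, pulls the subscriber number and gateway host out of x-up-subno, and builds the reply a test page would send back to the phone. The two sample requests are constructed for this example from the capture above; the Palm-style request, the folded Accept header and the minimal HDML markup in the reply are assumptions, not taken from a real phone.

```python
import re
from typing import Optional, Tuple

# Shape of the UP.Link subscriber header, "<number>_<gateway host>", as seen
# in the capture above (assumption: the number is always all digits and is
# separated from the gateway name by a single underscore).
SUBNO_RE = re.compile(r"^(\d+)_(\S+)$")

# Constructed sample: a trimmed version of the vulnerable capture above, with
# the Accept header folded onto a continuation line (leading space).
SAMPLE_REQUEST = """GET / HTTP/1.0
x-up-uplink: up2.upl.sprintpcs.com
User-Agent: UP.Browser/3.01-QC31 UP.Link/3.2.1.4
Accept: application/x-hdmlc, text/x-hdml;version=3.0,
 text/html, */*
x-up-subno: 6171234567_up2.upl.sprintpcs.com
Host: wmm.mit.edu

"""

# Constructed sample: a phone with a real TCP/IP stack talking HTTP directly,
# so no UP.Link gateway and no x-up-subno (hypothetical User-Agent).
SAMPLE_CLEAN = """GET / HTTP/1.0
User-Agent: Mozilla/4.0 (PalmOS)
Host: wmm.mit.edu

"""


def parse_request(raw: str) -> Tuple[str, dict]:
    """Split a raw HTTP/1.x request into the request line and a dict of
    lower-cased header names -> values. Continuation lines that start with
    whitespace are joined to the previous header (RFC 2616 folding)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].strip()
    headers: dict = {}
    last = None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return request_line, headers


def subscriber_number(headers: dict) -> Optional[Tuple[str, str]]:
    """Return (phone number, UP.Link gateway) when the request carries a
    well-formed x-up-subno header, else None."""
    value = headers.get("x-up-subno")
    if value is None:
        return None
    m = SUBNO_RE.match(value)
    return (m.group(1), m.group(2)) if m else None


def is_up_browser(headers: dict) -> bool:
    """True if the User-Agent identifies the UP.Browser mini-browser."""
    return "UP.Browser/" in headers.get("user-agent", "")


def privacy_report(raw_request: str) -> dict:
    """Run the test over one raw request and summarize what leaked."""
    _, headers = parse_request(raw_request)
    found = subscriber_number(headers)
    return {
        "up_browser": is_up_browser(headers),
        "leaks_number": found is not None,
        "number": found[0] if found else None,
        "uplink": found[1] if found else None,
    }


def hdml_response(report: dict) -> Tuple[str, str]:
    """Build (content type, body) for the phone. The HDML skeleton is an
    assumption; a real deployment would follow the HDML 3.0 spec."""
    if report["leaks_number"]:
        text = f"Your phone revealed {report['number']} via {report['uplink']}"
    elif report["up_browser"]:
        text = "UP.Browser detected but no x-up-subno header was sent"
    else:
        text = "Not an UP.Browser; this test does not apply"
    body = f"<HDML VERSION=3.0><DISPLAY>{text}</DISPLAY></HDML>"
    return "text/x-hdml", body


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_CLEAN):
        report = privacy_report(raw)
        print(report)
        print(hdml_response(report)[1])
```

The same parse_request/subscriber_number pair can be run over a server's raw request log to see which visitors' carriers are still inserting the header; a negative result for a non-UP.Browser client says nothing about the phone, which is why the report keeps the up_browser flag separate from leaks_number.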

At the time of writing, SprintPCS, Yahoo, and phone.com have not given me any helpful responses. Because this issue hit the media headlines, sending email to companies probably won't help much besides taking up their time. So please give the developers a break by allowing them time to fix the problem.

Warnings sent to various organizations

Here's the dialog between me and various organizations when I tried to disable this feature. It's strange that Keith Paglusch claimed no knowledge of customer complaints. Sounds as if user feedback doesn't make it up the chain of command.

From: DoNotReply@sprintspectrum.com
Date: Mon, 14 Feb 2000 17:07:37 -0600 (CST)
Subject: Sprint PCS Case #641763 Notification
Sender: DoNotReply@sprintspectrum.com
To: fubob

Dear Mr. Fu:

Welcome to the Sprint PCS web site.  You are correct.  Sprint PCS does
not give out subscriber phone numbers.  The information that you refer
to in your message is provided through Yahoo.  When your PCS phone
number is displayed on the header while accessing web servers, it is
Yahoo's way of knowing which customer to bill.  Your concern regarding
the possible invasion of privacy should be directed to Yahoo.  There
should be an area on their home page where you may direct questions.
Thank you for using the Sprint PCS web site.

Sheila S.



Thank you for submitting your request from the Sprint PCS web site. If
you have any other questions or comments, please visit us again at
http://www.SprintPCS.com/

--------

From: fubob
To: Yahoo Support
Date: Feb 26, 2000

Hi,

How can I disable yahoo's forwarding
of my phone number within the HTTP headers of my mini-browser?

The SprintPCS help desk told me to contact you about a privacy problem
when using a mini browser on my Qualcomm 1960 phone.

SprintPCS says that you subcontract the "Up.Link" server which
translates my mini browser requests to HTTP requests.  I noticed that
within the HTTP headers from the Up.Link server, my phone number is
embedded.  In other words, advertisers are collecting my phone number.
Had I used a non-wireless browser, advertisers would only know my IP
address and wouldn't have a way to run up my cell phone air time.
Already I know of one instance where a person called a phone number in
the HTTP headers.  How can I turn this off?

Kevin E. Fu (fubob)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

--------

To: support@phone.com
cc: fubob
Subject: disabling phone number cookie in x-up-subno HTTP header
Date: Sat, 26 Feb 2000 12:20:07 EST
From: Kevin Fu fubob

Hi,

How can I disable either the Up.Link server or Up.Browser mini-browser
from giving out my phone number?  What's the wireless web equivalent
of *67?

Kevin E. Fu (fubob)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

HDML

For more fun with HDML, see the SIPB HDML script.


Maintained by Kevin Fu