What distinguishes our phone from all the others in the digital world is its set of virtual identifiers. We all carry at least half a dozen of them in our smartphones, some of us even more. Some are permanent, others are temporary, some can be changed – but most of them are essential, needed for the services we receive. Everything from making a phone call to shopping online would be impossible if our device did not have a unique identifier assigned to it. However, the same identifiers can be used to profile the user, and here we explain how that can be done.
Mobile Network Identifiers
Phone Number (Mobile Station International Subscriber Directory Number, MSISDN)
The phone number is one of the oldest identifiers out there and we use it on a daily basis. However, there are a number of ways in which it can be exploited. The most common include:
- SMShing – a form of fraud in which the attacker sends a malicious SMS message to the target. The message will usually appear to come from a trusted source and will contain a link leading to a malicious website. Most SMShing attacks aim to extract personal or financial information.
- Vishing – the voice variant of phishing, in which the attackers call their target and attempt to extract information. The attackers usually use a VoIP service and spoof the calling number, which makes tracing the call difficult or impossible.
- SIM swapping – many services today offer 2FA over SMS, and some validate the identity of a customer by calling them and asking a set of “secret” questions. In a SIM swapping attack, the attacker acquires a brand new SIM card carrying the same phone number as the target. The victim’s old SIM card is cancelled and, from that moment on, the attacker is in full control. All 2FA messages and verification calls linked to the number will now reach the attacker, who has time to exploit them until the victim realizes that something is wrong with their phone.
- Address book sharing – many applications today ask for permission to access the user’s phonebook. In some cases, once access is obtained, this information is sold to third parties or used to build and enrich the app’s own services. E.g. the Truecaller app shows caller ID (names/nicknames) even if the person calling us is not in our phonebook.
International Mobile Subscriber Identity (IMSI)
The IMSI is the unique number assigned to the SIM card. It is used by the network operator in some cases, but it is rarely transmitted from the phone to the network.
There are limited ways of exploiting IMSI numbers, and in most cases such operations are carried out by law enforcement organizations. Well-known attacks involving IMSI numbers include:
- IMSI catchers – devices capable of emulating a real mobile network and reading the identifiers (IMSI, IMEI) of the mobile phones which attempt to connect to them. An IMSI catcher transmits a signal identical to the one transmitted by a legitimate cell tower and lures mobile phones into registering with it. The range of features available in IMSI catchers has declined over the years as the encryption in mobile networks grew stronger; however, they remain widely used by law enforcement organizations worldwide. There are open source tools available which allow anyone with some knowledge of programming and RF theory to build a small-scale IMSI catcher. (Not) Surprisingly, low-end systems can be found on sale even on prominent e-commerce sites, such as Alibaba.
- SS7 network attack – an exploit that takes advantage of weaknesses in the design of Signaling System 7 (SS7), the set of signaling protocols used in telecom networks. Once inside the SS7 network, the attacker can eavesdrop on, monitor, track or redirect traffic to and from the target, who is identified by their IMSI number.
International Mobile Equipment Identity (IMEI)
IMEI numbers are the unique identifiers of the phones themselves. Each mobile device has a unique IMEI, and multi-SIM phones have multiple IMEIs. In terms of security, the IMEI is not widely exploited because it is less relevant than the IMSI, but it can still be seen by IMSI catchers and used to profile a specific target.
WiFi MAC Address
The WiFi MAC address is the unique identifier of the wireless network card installed in our phone. It is used to associate a specific physical device (the wireless network card) with the router. Since it is unique and transmitted over the air, anyone could in theory track the device by its MAC address. Another privacy issue emerges from the so-called probe requests. These are broadcast messages in which the phone transmits the SSIDs of known WiFi networks in an attempt to find a matching one to connect to. An attacker can listen to the probe request messages and derive a list of WiFi networks to which the target has previously connected. Using a service such as https://wigle.net/index, network names can be translated into geolocations, and voilà – your location history is exposed.
However, around 2014/2015 Apple, Android and Microsoft introduced MAC address randomization as a default option. This means that the phone uses a spoofed MAC address in every broadcast (including probe requests) and when associating with an access point. This makes tracking and profiling much harder to accomplish and is a step in the right direction for privacy protection.
Bluetooth MAC address
The concept is very similar to the WiFi MAC address. The Bluetooth MAC address is the unique identifier of the Bluetooth device, but it too is randomized nowadays. This is why we choose to trust and pair certain devices, e.g. our speakers, earphones etc.: only in these connections does the phone send its real MAC address.
Bluetooth became the cornerstone technology for COVID-19 contact tracing worldwide. Once it was endorsed by Google and Apple, the concept gained the necessary momentum to spread globally, and in April 2020 it became a productized solution.
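A practical way to see the randomization described in the WiFi and Bluetooth paragraphs above is to audit the addresses your own devices actually broadcast. The following is an added example, not code from the article: it classifies a 48-bit address using the IEEE 802 "locally administered" (U/L) and "individual/group" (I/G) bits for WiFi, and, for Bluetooth LE, the two most significant address bits that select the random-address sub-type. For Bluetooth the caller must supply whether the advertising packet flagged the address as random (the TxAdd bit), since the bytes alone cannot distinguish a public address from a random one. The sample addresses are constructed for illustration.

```python
"""Audit whether observed Wi-Fi and Bluetooth LE addresses are randomized.

Added example. Address rules: IEEE 802 U/L and I/G bits for Wi-Fi,
Bluetooth Core specification random address sub-types for BLE.
The sample addresses below are constructed, not captured data.
"""
import re
from collections import Counter

_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_address(text: str) -> bytes:
    """Parse 'AA:BB:CC:DD:EE:FF' (':' or '-' separated) into 6 bytes, MSB first."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"not a 48-bit address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def classify_wifi_mac(mac: str) -> str:
    """Bit 0 of the first octet is I/G (set = multicast/group), bit 1 is U/L.

    A set U/L bit means 'locally administered', which is what phone MAC
    randomization produces. A clear U/L bit means a globally unique,
    OUI-assigned address: the real network card is being exposed.
    """
    first = parse_address(mac)[0]
    if first & 0x01:
        return "multicast"
    if first & 0x02:
        return "randomized"
    return "hardware"


_BLE_RANDOM_TYPES = {
    0b00: "non-resolvable-private",  # rotates; no peer can link it to the device
    0b01: "resolvable-private",      # rotates; bonded peers resolve it with the IRK
    0b11: "static-random",           # fixed until power cycle, if it changes at all
}


def classify_ble_address(addr: str, random_flag: bool) -> str:
    """random_flag is the advertising PDU's TxAdd bit (True = random address).

    For random addresses the two most significant bits select the sub-type;
    a public address is the burned-in identifier.
    """
    if not random_flag:
        return "public"
    top_bits = parse_address(addr)[0] >> 6
    return _BLE_RANDOM_TYPES.get(top_bits, "reserved")


def summarize_wifi(observed: list) -> dict:
    """Count how many observed Wi-Fi addresses still expose a hardware MAC."""
    return dict(Counter(classify_wifi_mac(m) for m in observed))


# Constructed sample: addresses an auditor might see on their own network.
SAMPLE_WIFI = [
    "DA:A1:19:4C:2E:01",  # U/L bit set: randomized by the phone
    "3C:22:FB:12:34:56",  # OUI-assigned: real card address exposed
    "01:00:5E:00:00:01",  # IPv4 multicast, not a station
    "72:9A:10:0B:CD:EF",  # U/L bit set: randomized
]

if __name__ == "__main__":
    print(summarize_wifi(SAMPLE_WIFI))
    print(classify_ble_address("5A:7F:01:23:45:67", random_flag=True))
```

A device that shows up under "hardware" in the WiFi summary is one whose randomization is off or not supported, which is the case worth fixing in its settings; for Bluetooth, a "resolvable-private" result is the expected state for a phone that is advertising but not yet paired with the observer.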
Recently we wrote an article about Singapore’s contact tracing app called TraceTogether. You can find it here: Is TraceTogether a Threat to Our Privacy? Well, No!
Advertisement ID (AID)
The advertising ID is a unique identifier assigned to a device for the purpose of tracking and serving advertisements. It is a random number and does not identify the user or the device. It exists in both major mobile OSes – iOS, where it is called the IDFA (ID for Advertising), and Android, where it is called the AAID (Android Advertising ID). Unlike most of the other identifiers mentioned here, it can easily be changed by the user in the advertising settings. In its current form it has been around roughly since 2012. In more complex scenarios the AID can be de-anonymized to allow global tracking of a user, but that would require continuous monitoring, data interception and correlation – something not easily done even by an advanced attacker.
In 2017 researchers at the University of Washington coined the term ADINT, which stands for Advertising Intelligence and follows the naming of the standard intelligence-gathering disciplines (e.g. HUMINT for human intelligence, SIGINT for signals intelligence etc.). They showed how easy it is to monitor a target just by knowing their AID. Since the technique can be widely implemented, they believed it could grow into its own discipline – hence ADINT.
It’s interesting to note that amid the pandemic some companies started offering solutions for predicting the spread of COVID-19 based on mass advertisement data.
Device Fingerprint
A device fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. OS type, browser model, language and keyboard settings and browser add-ons are just some of the information we send out while browsing the web normally. The more add-ons we add to our web browser, the more unique our fingerprint becomes. You can use services like Panopticlick to find out how unique your device is: https://panopticlick.eff.org/
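"How unique" is a measurable quantity: fingerprinting test sites report it as bits of identifying information, log2(population size / number of people sharing your fingerprint), so one bit halves the crowd you can hide in and log2(N) bits means you are unique. The following is an added example, not code from the article or from Panopticlick, that computes this over a small constructed population and also shows which attribute makes a fingerprint rare, which is where the add-ons remark above comes from.

```python
"""Measure how identifying a browser fingerprint is, in bits.

Added example. The population below is constructed for illustration;
each tuple lists values in the order given by ATTRIBUTES.
"""
import math
from collections import Counter

ATTRIBUTES = ("os", "language", "browser", "addons")

# Constructed sample population of 8 fingerprints (not real data).
POPULATION = [
    ("Android", "en-US", "Chrome", "none"),
    ("Android", "en-US", "Chrome", "none"),
    ("Android", "en-US", "Chrome", "none"),
    ("Android", "en-US", "Chrome", "none"),
    ("iOS", "en-US", "Safari", "none"),
    ("iOS", "en-US", "Safari", "none"),
    ("iOS", "fr-FR", "Safari", "none"),
    ("Linux", "en-US", "Firefox", "uBlock,NoScript,Tree Style Tab"),
]


def surprisal_bits(population, fingerprint):
    """Bits of identifying information carried by the complete fingerprint.

    log2(N / matches): 0 bits if everyone shares it, log2(N) if it is unique.
    """
    matches = sum(1 for fp in population if fp == fingerprint)
    if matches == 0:
        raise ValueError("fingerprint not present in population")
    return math.log2(len(population) / matches)


def uniqueness(population, fingerprint):
    """The 'one in X' figure fingerprinting test sites display."""
    return 2 ** surprisal_bits(population, fingerprint)


def attribute_surprisal(population, fingerprint):
    """How rare each individual attribute value is, in bits.

    This shows which attribute is giving you away; values are not simply
    additive because attributes are correlated (OS largely predicts browser).
    """
    result = {}
    for i, name in enumerate(ATTRIBUTES):
        count = sum(1 for fp in population if fp[i] == fingerprint[i])
        if count == 0:
            raise ValueError(f"value for {name!r} not present in population")
        result[name] = math.log2(len(population) / count)
    return result


def attribute_entropy(population, name):
    """Shannon entropy: the average bits an attribute reveals across everyone."""
    i = ATTRIBUTES.index(name)
    n = len(population)
    counts = Counter(fp[i] for fp in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    rare = POPULATION[-1]
    print(f"{surprisal_bits(POPULATION, rare):.2f} bits, one in {uniqueness(POPULATION, rare):.0f}")
    print(attribute_surprisal(POPULATION, rare))
    for name in ATTRIBUTES:
        print(f"{name}: {attribute_entropy(POPULATION, name):.2f} bits on average")
```

With the constructed population, the stock Android/Chrome profile carries 1 bit (one in two), while the Linux/Firefox user with three add-ons is unique at 3 bits, and the per-attribute breakdown shows the add-on list alone is enough to single them out. The same functions work unchanged on a larger population, which is where the "one in several hundred thousand" figures come from.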
StationX lists some additional interesting ways to test your system and yourself against data leaks (reference in the footnotes).
What Should I Do Now?
The intention of this article was not to raise concern, but to educate. We can protect our privacy more easily if we understand the underlying technology. But we live in a connected world, where sensitive data is shared on social media, where our digital assistants listen to every word we say (even when they shouldn’t) and where we use smart devices to manage even the most private aspects of our lives. So this article barely scratches the surface, but we’ll revisit the topic in some of our upcoming releases.
Footnotes
- Smishing 101 and Defenses
- Capturing Beacons and Probe Requests of Public WiFi Access Points – The Why, How, and Stats (September 28, 2017)
- Tracking Anonymized Bluetooth Devices
- ADINT: Using Targeted Advertising for Personal Surveillance
- How To Switch Off Apple’s iPhone Tracking System In iOS 7
- How to reset your advertising ID on Android
- Browser Privacy, Security and Tracking test sites: https://www.stationx.net/browser-privacy-security-and-tracking-test-sites/
- Amazon now lets you opt-out of having humans review your Alexa conversations