Monday, March 28, 2016

Checking for a super Cookied

Checking known AT&T, Verizon, Sprint, Bell Canada & Vodacom Unique Identifier beacons... 

Tested on: Fri Mar 20 11:43:15 EDT 2015
Browser/agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F5047f Safari/600.1.4
Do Not Track: Enabled
Broadcast UID:
IP address:

*Please ensure that you're connecting via LTE/4G/3G, and not over WiFi. (If re-checking, make sure to refresh the page, or wait a few minutes to test again).

If there is a label X-ACR or X-UIDH in the Broadcast UID field at the top of this page, your carrier is actively sending tracking beacons to every web site you visit and every app you use that communicates via HTTP.

If there are other values in the UID field, unique identifiers may be present (I'm currently searching for over a dozen wireless carriers' signatures).
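A server-side check of the kind this test page performs, written here as an added example (it is not the page's own code): it scans the raw request headers for the carrier identifier headers the post names (X-UIDH, X-ACR) and builds the "Broadcast UID" string. The heuristic that flags other long, opaque X- headers, the benign-header list and the sample request are assumptions.

```python
"""Detect carrier-injected tracking headers in an incoming HTTP request.

Constructed example. X-UIDH (Verizon) and X-ACR (AT&T) are the header names
the post documents; the generic opaque-value heuristic is an assumption.
"""
import re

# Carrier identifier headers named in the post.
KNOWN_BEACONS = {
    "x-uidh": "Verizon UIDH",
    "x-acr": "AT&T ACR",
}

# X- headers routinely set by browsers and proxies; not beacons (assumed list).
BENIGN_X_HEADERS = {
    "x-requested-with", "x-forwarded-for", "x-forwarded-proto", "x-real-ip",
}

# Heuristic (assumption): a long token-like value in a non-standard X- header.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=_.-]{32,}$")


def detect_beacons(headers):
    """Return [(header_name, label, value)] for suspicious request headers.

    `headers` maps raw request header names to values, as a WSGI/CGI
    front-end hands them over; names are compared case-insensitively.
    """
    found = []
    for name, value in headers.items():
        key = name.strip().lower()
        if key in KNOWN_BEACONS:
            found.append((name, KNOWN_BEACONS[key], value))
        elif (key.startswith("x-") and key not in BENIGN_X_HEADERS
              and OPAQUE_VALUE.match(value.strip())):
            found.append((name, "possible unique identifier", value))
    return found


def broadcast_uid(headers):
    """Build the 'Broadcast UID' display string: 'NAME=value' pairs."""
    return " ".join(f"{n}={v}" for n, _, v in detect_beacons(headers))


# Constructed sample request over a cellular link; the UIDH value is made up.
SAMPLE_LTE_REQUEST = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X)",
    "DNT": "1",
    "X-UIDH": "OTgxNjk3NDExYWJjZGVmMDEyMzQ1Njc4OTBhYmNkZWY=",
    "X-Requested-With": "XMLHttpRequest",
}

if __name__ == "__main__":
    for name, label, value in detect_beacons(SAMPLE_LTE_REQUEST):
        print(f"{label}: {name}: {value}")
    print("Broadcast UID:", broadcast_uid(SAMPLE_LTE_REQUEST) or "(none)")
```

The check only sees headers on plain HTTP requests; over HTTPS the carrier cannot add them, which is the point of the mitigation advice later in the post.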

Note: Viewing this page with Google Mobile Chrome, Opera Mini, or inside of apps like Flipboard can mask tracking beacons (meaning they wouldn't be detected, even though they are present).

For technical details, see Jonathan Mayer's post or recent coverage at Wired.

Update 11-10-2014:

I think we've struck a nerve here—nearly 1.4 million sniff tests on the site so far, and over 40,000 AT&T and Verizon UIDs were detected in the past two weeks. After a couple of weeks, my own AT&T and Verizon devices stopped transmitting unique IDs, so maybe the opt-outs are finally beginning to be honored. If you didn't see it, there was a nice write-up in the New York Times on Friday, as well as a follow-up in Wired on the story. But I think one of the best quotes last week was this in the Washington Post: "Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers". If you've emailed and haven't heard back from me, my apologies—my inbox has been flooded with inquiries and comments. Please do feel free to reach out to me on Twitter or by mail and I'll do my best to get back to you. I'm working on a proper write-up of the story, with full details of the methodology and metrics, as well as suggestions on how to improve your security and privacy online. Spoiler: a good VPN or proxy service can be one useful tool in protecting yourself. Stay safe, folks!

Update 10-31-2014:

To date, there have been 1,147,875 sniffer tests run. Wow! If you haven't seen it, ProPublica's piece yesterday has some of the best technical coverage in recent days. Forbes had follow-up coverage as well, including both Verizon's and AT&T's latest public statements, which are, effectively, that although you can opt out, the UID beacons will continue to be sent. The carriers continue to focus on their internal and ad partner use of the trackers, omitting the crucial fact that any web site or app service using HTTP is also sent your tracker.

If you want a chuckle, take a look at this 2008 article from the Washington Post in which both Verizon and AT&T executives pledged to the US Senate to "Refrain from tracking users online".

As for me, my Verizon UIDH finally changed to a new value, after remaining persistent for 8 days. As Jacob Hoffman-Andrews has written, once a site has associated its own cookie with your UID, it is trivial to create a "bootstrapped" permanent cookie tied to you, even across week-long rotating carrier IDs. The AT&T ACR has several components, and my 358-character string has remained the same over 9 days now.

Update 10-29-2014: Forbes broke a story last night, "AT&T Says It's 'Testing' Unique Tracker On Customers' Smartphones". Worth a read. Based on my latest testing, and direct reports from colleagues in the security community and others, the AT&T Opt Out settings do not seem to have any noticeable effect. In my case, 350 characters of the X-ACR tag have persisted over 5 days, even after multiple IP reassignments, and even during a business trip 550+ miles away from home.

Update 10-28-2014: It is not clear whether one of the T-Mobile beacons is unique or is derived from the device model ID, but I'm including it in the broadcast string to reflect what was sent.

Update 10-27-2014: My original motivation for this test page arose after reading several ad industry write-ups on Verizon's PrecisionID technology and practices, in particular the fact that in most cases, even after opting out of marketing options via Privacy settings, Verizon continues to inject trackers into every HTTP connection made from your device, whether it's an access point, mobile hotspot, tablet or mobile phone.

We are seeing clear evidence across the country of both consumer and enterprise devices having network traffic altered through these tracking beacon headers.

Most importantly, when present, AT&T and Verizon tracking beacons persist even after changing locations or IP addresses, and do so in spite of any browser privacy settings.

In response to many questions about the best defense you can take (short of changing providers), my advice is to use HTTPS wherever possible, or (better) use a VPN service, or possibly a proxy service. Unfortunately, no browser plug-in is going to be 100% effective unless you strictly visit HTTPS sites or trust the plug-in's proxy provider. With HTTPS, a VPN or a proxy, the HTTP headers cannot be modified or injected by your cellular ISP, because the carrier only sees an encrypted tunnel.

I recommend raising awareness to your friends and colleagues, as sunshine is probably the best defense here.

Feel free to contact me on Twitter: @kennwhite or by mail:
admin @ opencryptoaudit . org

The information above is not logged. This test page will probably disappear in a few days. Please behave.
