Tuesday, July 26, 2011

Hashing IMEI numbers does not protect privacy

In an effort to protect the privacy of users, mobile apps sometimes hash the user’s IMEI number prior to sending it to a server. We found that hashing IMEIs does not protect the privacy of users, even with the use of cryptographically secure hash functions. This result is due to the fundamental structure of IMEI numbers.

IMEI numbers and privacy concerns


Each modern cell phone has a private IMEI number—a 15-digit number that uniquely identifies the device on the cellular network. IMEIs are primarily useful for tracking stolen devices. As a secondary use, IMEIs are often re-purposed as user IDs in mobile applications.

Using IMEIs as user IDs represents a threat to privacy because it enables unrelated applications to compare notes on your behavior. For example, say I use two unrelated applications published by two different corporations: a web-browser app and an email app. The web-browser app knows which websites I visit (but not my real name), whereas the email app knows my real name (but not which websites I visit). If both apps use the IMEI as my user ID then the corporations can easily compare notes since they both share a common ID that uniquely identifies me. My privacy is threatened since it is possible for my browsing habits to be tied to my real name.

IMEI numbers can also help attackers spoof your identity. For example, a voicemail app might have the security feature that it only delivers voicemail to the user’s specific cell phone (as opposed to allowing the user to check their voicemail from multiple devices). One way the voicemail app might authenticate the phone is by checking that the phone’s IMEI number matches the user’s registered IMEI number. If an attacker learns the IMEI number of a particular user, it can help them impersonate that user and access their voicemail.

IMEI leakage

We recently behaviorally analyzed 10,000 apps from the Android Market for a mobile-malware survey for Black Hat 2011. To the best of our knowledge this study represents the largest behavioral analysis of Android apps to date. In agreement with previous studies (such as TaintDroid and Taming), we found that Android apps often leak IMEI numbers over the web. We observed that at least 8% of apps leaked the user’s IMEI number. 93% of those apps leaked IMEI numbers in the clear. In the other 7%, the apps hashed the IMEI with either MD5 or SHA-256, presumably in an attempt to protect user privacy.

Hashing the IMEI may seem like a good way to protect the privacy of users, since it is supposed to be difficult to reverse a hash value to obtain the original message. However, the inherent structure of IMEI numbers makes them vulnerable to reversing via lookup tables.

Background: lookup tables

Cryptographic hash functions should be irreversible. That is, it should be easy to generate a hash value from an original message but infeasible to reverse a hash value back to an original message. However, if the original messages are not sufficiently random, then hashing can be defeated using lookup tables—which are essentially dictionaries that map hash values back to original messages.

To generate a lookup table for IMEIs you simply need to go through a list of IMEIs, generating the hash value for each IMEI. Then to reverse a hash value, you simply look up the corresponding IMEI in the table. (For improved space efficiency you can use a rainbow table in place of a lookup table.)

Figure: First five entries in one of the iPhone lookup tables

Hashed IMEIs are vulnerable to lookup tables

Complete lookup tables are usually infeasible to build because there are so many possible entries. And at first glance, it seems infeasible to build a useful lookup table for IMEI hashes. There are 10^15 = one quadrillion possible IMEI values, necessitating 10^15 entries.

For most adversaries, it would require a prohibitive amount of computation to create such a large lookup table. On my 8-core 2.26 GHz machine, I can hash 8 million IMEI numbers in about 2 seconds, using the SHA-1 cryptographic hash function. At that rate it would take about 8 years to compute all the hashes for a complete lookup table.

However, IMEI numbers are not distributed uniformly at random. The first 8 digits of an IMEI represent the Type Allocation Code (TAC), which is determined by the model of the phone. For example, because I have an HTC Thunderbolt, the first 8 digits of my IMEI are 99000032. Although this is the most significant portion of my IMEI number, it is not private information; knowing the model of my phone (or guessing the model) is sufficient to guess most of my IMEI number.

After the 8-digit TAC there are 6 digits that uniquely identify the specific cellular device. In the screenshot of my phone, I x’ed out those 6 digits to protect my privacy. These 6 digits are the only digits that are difficult for an attacker to guess. After those 6 digits, the last digit is a Luhn checksum digit, which is computed as a function of the first 14 digits. Thus, a 15-digit IMEI number contains relatively little randomness.

With this knowledge in mind an adversary can follow a common attack pattern: build lookup tables only for the most common TAC numbers. Since a relatively small number of mobile devices dominates the market, the attacker only needs to build the lookup tables for the most popular TAC numbers.
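To make the structure argument concrete, the following added example (not the post's own script) implements the Luhn check digit that fixes the 15th IMEI digit, validates IMEIs, and quantifies how many candidates remain once the TAC is known, alongside the post's recommended alternative of a random per-install ID. The TAC 99000032 is the one quoted above; the serial digits are constructed for the example.

```python
import math
import uuid

# Constructed sample values: the TAC is the HTC Thunderbolt TAC quoted in the
# post, the 6 serial digits are made up for this example.
SAMPLE_TAC = "99000032"
SAMPLE_SERIAL = "123456"


def luhn_check_digit(digits: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    For an IMEI the input is the first 14 digits (8-digit TAC + 6-digit
    serial) and the result is the 15th digit. Walking from the rightmost
    payload digit leftwards, every other digit is doubled and digit sums
    of the products are taken before summing everything.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit and every second one leftwards
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def build_imei(tac: str, serial: str) -> str:
    """Assemble a 15-digit IMEI from TAC and serial by appending the check digit."""
    body = tac + serial
    return body + str(luhn_check_digit(body))


def is_valid_imei(imei: str) -> bool:
    """Check length, digit-only content and the Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def candidate_space_given_tac() -> int:
    """Number of IMEIs that share one TAC.

    Only the 6 serial digits are free; the check digit is a function of
    them, so a per-TAC table needs 10**6 entries, not 10**7.
    """
    return 10 ** 6


def effective_entropy_bits(candidates: int) -> float:
    """Unpredictability of the hashed value once the TAC is known, in bits."""
    return math.log2(candidates)


def new_app_user_id() -> str:
    """Random per-install identifier, not derived from any device ID, so two
    publishers hashing the same device cannot correlate their users."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    imei = build_imei(SAMPLE_TAC, SAMPLE_SERIAL)
    print("sample IMEI:", imei, "valid:", is_valid_imei(imei))
    print("candidates per TAC:", candidate_space_given_tac())
    print("effective entropy: %.1f bits" % effective_entropy_bits(candidate_space_given_tac()))
    print("per-install ID instead:", new_app_user_id())
```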

Attack Demonstration

To demonstrate the practicality of this attack I built 105 lookup tables for 105 different iPhone TACs, using the SHA-1 hash function. Each table took up 55 megabytes of space, yielding 5.6 gigabytes in total (which is larger than the theoretical minimum since I stored data as ASCII). On an 8-core 2.26 GHz machine it took my simple Python script about six and a half minutes to build the iPhone lookup tables. With these tables built I was able to instantly reverse the IMEI hashes for all the iPhones in our office.

Recommendations

We recommend that mobile apps refrain from sending hashes of IMEIs over the web. It is easy for attackers to recover IMEI numbers from their hash values, even for cryptographically secure hash functions. Salting the hash function (adding random bits to the input) helps to obscure the IMEIs further. However, if the adversary knows the salt value and the model of the phone (or can guess well), it is easy to rebuild custom lookup tables.

In order to prevent apps from having the ability to compare notes on their users, apps need to refrain from basing their user IDs on device IDs altogether. Even if IMEIs were not vulnerable to lookup tables, two different app publishers could de-anonymize users by hashing the IMEI in the same way.

Last but not least, we recommend attending our Black Hat talk on August 4, where we will present other interesting findings from our dynamic analysis of 10,000 Android apps. ;-)
