Tuesday, July 26, 2011

Hashing IMEI numbers does not protect privacy

In an effort to protect the privacy of users, mobile apps sometimes hash the user’s IMEI number prior to sending it to a server. We found that hashing IMEIs does not protect the privacy of users, even with the use of cryptographically secure hash functions. This result is due to the fundamental structure of IMEI numbers.

IMEI numbers and privacy concerns


Each modern cell phone has a private IMEI number—a 15-digit number that uniquely identifies the device on the cellular network. IMEIs are primarily useful for tracking stolen devices. As a secondary use, IMEIs are often re-purposed as user IDs in mobile applications.

Using IMEIs as user IDs represents a threat to privacy because it enables unrelated applications to compare notes on your behavior. For example, say I use two unrelated applications published by two different corporations: a web-browser app and an email app. The web-browser app knows which websites I visit (but not my real name), whereas the email app knows my real name (but not which websites I visit). If both apps use the IMEI as my user ID then the corporations can easily compare notes since they both share a common ID that uniquely identifies me. My privacy is threatened since it is possible for my browsing habits to be tied to my real name.

IMEI numbers can also help attackers spoof your identity. For example, a voicemail app might have the security feature that it only delivers voicemail to the user’s specific cell phone (as opposed to allowing the user to check their voicemail from multiple devices). One way the voicemail app might authenticate the phone is by checking that the phone’s IMEI number matches the user’s registered IMEI number. If an attacker learns the IMEI number of a particular user, it can help them impersonate that user and access their voicemail.

IMEI leakage

We recently behaviorally analyzed 10,000 apps from the Android Market for a mobile-malware survey for Black Hat 2011. To the best of our knowledge this study represents the largest behavioral analysis of Android apps to date. In agreement with previous studies (such as TaintDroid and Taming), we found that Android apps often leak IMEI numbers over the web. We observed that at least 8% of apps leaked the user’s IMEI number. 93% of those apps leaked IMEI numbers in the clear. In the other 7 percent, the apps hashed the IMEI with either MD5 or SHA-256—presumably in an attempt to protect user privacy.

Hashing the IMEI may seem like a good way to protect the privacy of users, since it is supposed to be difficult to reverse a hash value to obtain the original message. However, the inherent structure of IMEI numbers makes them vulnerable to reversing via lookup tables.

Background: lookup tables

Cryptographic hash functions should be irreversible. That is, it should be easy to generate a hash value from an original message but infeasible to reverse a hash value back to an original message. However, if the original messages are not sufficiently random, then hashing can be defeated using lookup tables—which are essentially dictionaries that map hash values back to original messages.

To generate a lookup table for IMEIs you simply need to go through a list of IMEIs, generating the hash value for each IMEI. Then to reverse a hash value, you simply look up the corresponding IMEI in the table. (For improved space efficiency you can use a rainbow table in place of a lookup table.)

[Figure: First five entries in one of the iPhone lookup tables]

Hashed IMEIs are vulnerable to lookup tables

Complete lookup tables are usually infeasible to build because there are so many possible entries. And at a first glance, it seems infeasible to build a useful lookup table for IMEI hashes. There are 10^15 = one quadrillion possible IMEI values, necessitating 10^15 entries.

For most adversaries, it would require a prohibitive amount of computation to create such a large lookup table. On my 8-core 2.26 GHz machine, I can hash 8 million IMEI numbers in about 2 seconds, using the SHA-1 cryptographic hash function. At that rate it would take about 8 years to compute all the hashes for a complete lookup table.

However, IMEI numbers are not distributed uniformly at random. The first 8 digits of an IMEI represent the Type Allocation Code (TAC), which is determined by the model of the phone. For example, because I have an HTC Thunderbolt, the first 8 digits of my IMEI are 99000032. Although this is the most significant portion of my IMEI number, it is not private information; knowing the model of my phone (or guessing the model) is sufficient to guess most of my IMEI number.

After the 8-digit TAC there are 6 digits that uniquely identify the specific cellular device. In the screen shot of my phone, I x’ed out those 6 digits to protect my privacy. These 6 digits are the only digits that are difficult for an attacker to guess. After those 6 digits the last digit is a Luhn-checksum digit, which is computed as a function of the first 14 digits. Thus, in a 15-digit IMEI number there is a relatively low amount of randomness.

With this knowledge in mind an adversary can follow a common attack pattern: build lookup tables only for the most common TAC numbers. Since a relatively small number of mobile devices dominates the market, the attacker only needs to build the lookup tables for the most popular TAC numbers.

Attack Demonstration

To demonstrate the practicality of this attack I built 105 lookup tables for 105 different iPhone TACs, using the SHA-1 hash function. Each table took up 55 megabytes of space, yielding 5.6 gigabytes in total (which is larger than the theoretical minimum since I stored data as ASCII). On an 8-core 2.26 GHz machine it took my simple Python script about six and a half minutes to build the iPhone lookup tables. With these tables built I was able to instantly reverse the IMEI hashes for all the iPhones in our office.

Recommendations

We recommend that mobile apps refrain from sending hashes of IMEIs over the web. It is easy for attackers to generate IMEI numbers when given the hash values of IMEIs—even for cryptographically secure hash functions. Salting the hash function (adding random bits to the input) helps to obscure the IMEIs further. However, if the adversary knows the salt value and the model of the phone (or can guess well), it is easy to rebuild custom lookup tables.
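The argument from "Hashed IMEIs are vulnerable to lookup tables" and the salt caveat above can be checked with a short added example (written for this edit, not the script used for the post). It shows that once the TAC is known only one million candidates remain, and that a salt known to the adversary only forces one rebuild. The serial 123456, the salt value, and the choice to prepend the salt to the ASCII digits are assumptions made for illustration.

```python
import hashlib

DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)  # Luhn: digit * 2, with the two digits summed

def luhn_check_digit(first14: str) -> str:
    """Check digit for the 14-digit TAC + serial part of an IMEI."""
    # Counting from the right of the 14 digits, every other digit is doubled;
    # for an even-length payload those are the digits at odd string indexes.
    total = sum(DOUBLED[int(c)] for c in first14[1::2])
    total += sum(int(c) for c in first14[0::2])
    return str((10 - total % 10) % 10)

def make_imei(tac: str, serial: int) -> str:
    """8-digit TAC + 6-digit serial + computed check digit."""
    first14 = f"{tac}{serial:06d}"
    return first14 + luhn_check_digit(first14)

def build_table(tac: str, salt: bytes = b"") -> dict:
    """Map SHA-1(salt + IMEI) -> serial for every IMEI that shares one TAC."""
    table = {}
    for serial in range(10**6):  # the only unknown part is 6 digits
        imei = make_imei(tac, serial).encode()
        table[hashlib.sha1(salt + imei).digest()] = serial
    return table

def demo() -> dict:
    tac = "99000032"               # TAC quoted in the post
    imei = make_imei(tac, 123456)  # constructed IMEI; the serial is made up
    salt = b"app-salt-v1"          # hypothetical salt, assumed known and prepended
    plain = hashlib.sha1(imei.encode()).digest()
    salted = hashlib.sha1(salt + imei.encode()).digest()

    table = build_table(tac)
    result = {
        "imei": imei,
        "entries": len(table),             # 10**6, not 10**15
        "plain_hit": table.get(plain),     # serial recovered from the bare hash
        "salted_in_plain": salted in table # the salt defeats only the old table
    }
    del table                              # free memory before the second build
    result["salted_hit"] = build_table(tac, salt).get(salted)
    return result

if __name__ == "__main__":
    print(demo())
```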

In order to prevent apps from having the ability to compare notes on their users, apps need to refrain from basing their user IDs on device IDs altogether. Even if IMEIs were not vulnerable to lookup tables, two different app publishers could de-anonymize users by hashing the IMEI in the same way.

Last but not least, we recommend attending our Black Hat talk on August 4, where we will present other interesting findings from our dynamic analysis of 10,000 Android apps. ;-)
