Thursday, October 23, 2014

Verizon Wireless injecting tracking UIDH header into HTTP requests

Reading Hacker News today, I found a frightening post on Verizon Wireless injecting tracking UIDs into HTTP requests. The upshot is that Verizon Wireless sends a unique identifier for you to each and every unencrypted website you visit, which means that advertisers (or worse) can track everywhere you have been. This happens even if you opt out of all Verizon tracking, use a privacy mode in your browser, enable Do Not Track, switch to a different browser, send your own bogus UIDH header, change to a new phone, or browse from a tethered laptop. The only known solution is to encrypt all your browsing. You can do this with HTTPS Everywhere, but that only works when the website supports HTTPS. The best solution is full encryption using a VPN like TunnelBear, or Tor. More details follow.

First, a little background. When your browser accesses a web page, it uses a protocol called HTTP to talk to the server hosting the page. As part of the request, your browser sends header fields that describe what you want to get back. Together with your IP address, these headers reveal enough about your browser that they can often be enough to uniquely identify you. To see some of the information your browser is sending, check out your request headers here or here.

Verizon Wireless is adding its own header, X-UIDH, which includes a unique identifier that it sends to the webpage. You can check whether your phone is getting the header added here or here. Just make sure you turn off wifi before running the test. Verizon has two patents on the subject: Obtaining targeted services using a unique identification header (uidh) and Multi-factor authentication using a unique identification header (uidh). The most illuminating part is Figure 5 from the first patent:
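The check pages linked above are just web servers that look at the incoming request for X-UIDH. The following is an added example of such a check service, not code from the original post or from Verizon; it assumes port 8080 and a host reachable over plain HTTP, and the UIDH value in the comments is a constructed placeholder.

```python
"""Minimal X-UIDH check service (added example). Run it on a host reachable over
plain HTTP, turn off wifi on the phone, and open http://<host>:8080/ from it."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional

TRACKING_HEADER = "X-UIDH"


def find_injected_uidh(headers: Mapping[str, str]) -> Optional[str]:
    """Return the X-UIDH value if the request carries one, else None.
    HTTP header names are case-insensitive, so compare them lowercased."""
    for name, value in headers.items():
        if name.lower() == TRACKING_HEADER.lower():
            return value.strip()
    return None


def build_report(headers: Mapping[str, str], scheme: str) -> str:
    """Human-readable verdict for one request. The carrier cannot read or modify
    headers inside an HTTPS connection, so absence over HTTPS proves nothing
    about what happens to plain-HTTP traffic."""
    uidh = find_injected_uidh(headers)
    if uidh is not None:
        return f"X-UIDH present: {uidh} (the carrier is tagging plain-HTTP requests)"
    if scheme == "https":
        return "X-UIDH absent, but this was an HTTPS request; retest over plain http://"
    return "X-UIDH absent on this plain-HTTP request"


class UidhCheckHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # http.server only speaks plain HTTP, so the scheme here is always "http";
        # self.headers is an HTTPMessage, whose items() yields (name, value) pairs.
        body = build_report(self.headers, "http").encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # e.g. a tagged phone request yields: "X-UIDH present: EXAMPLE_UIDH_VALUE (...)"
    HTTPServer(("0.0.0.0", 8080), UidhCheckHandler).serve_forever()
```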

It becomes very clear that all of this is intentional, which was confirmed by my call to Verizon. I talked with a Verizon Wireless representative, and once they understood the situation they offered several (ineffective) solutions. (1) Use HTTPS instead of HTTP. Naturally, this only works for the small subset of web services that provide HTTPS. (2) Enable Do Not Track in the browser. However, my testing showed this had no effect. (3) Use a privacy mode. Again, this had no effect. After talking with a supervisor, the representative told me that this behavior is normal and expected. Moreover, he claimed that the UIDH header and a standard HTTP connection signal to the web server that you are a good internet citizen and not a hacker trying to do something untoward. This was a blatant misrepresentation of why some websites do not support HTTPS. After further discussion he ended up agreeing with me, but said there was nothing he could do to help.

What can we do? First off, this is already being exploited in the wild, so start using a VPN. Next, let's get Verizon Wireless to change this policy. Do your own testing, tell your friends, and post your complaints online! There is already plenty of discussion of UIDH on Twitter.