1. Introduction
Privacy leakage has always been an important topic in information security, and a user’s geographical location and mobile phone number are two kinds of private data that developers are expected to protect carefully. In recent years, however, there have been many incidents on the Internet in which both were leaked. A user’s geographical location is routinely collected by mobile advertising networks, by the mobile operating system platform, and by app (application) developers who provide location-based functions and services [1,2]. Researchers have found that, for lack of effective protection, apps that show a user the locations of nearby users can leak those nearby users’ accurate geographical location [3,4,5,6]. Other researchers have shown that the location access-control policies of many mobile operating systems are ineffective or inefficient, leaving users exposed to having their geographical location stolen by malicious apps [7].
As for mobile phone number privacy, with the popularity of mobile phones, more and more network systems use the mobile phone number as the means of binding a user’s identity [8]. Private data stored in a system database, such as users’ phone numbers, is often stolen by attackers who successfully compromise that database [9,10]. Some malicious mobile apps are designed specifically to harvest the phone numbers stored in the address book [11,12]. In addition, researchers have found that using a mobile phone number as one of a user’s login credentials exposes it to many threats, including leakage of the number itself [13,14,15], identity impersonation [16], and disclosure of the user’s identity information [17,18].
Although researchers pay increasing attention to the privacy of users’ geographical locations and of their mobile phone numbers, few have considered the problems that arise when the two leaks are combined. In fact, because mobile phone numbers are allocated according to geographical location (the carrier prefix and the region code together make up the first seven digits of a number), a leaked location narrows the space of possible numbers and helps an attacker recover a user’s mobile phone number. This paper first studies how geographical location and mobile phone number are exposed in several widely used software products; then, taking the largest entertainment webcast platform in China, YY, as an example, it shows the role that location leakage plays in breaking a user’s mobile phone number.
The contribution of this paper includes the following three aspects:
(1) Users’ geographical location privacy is linked to mobile phone number privacy. We propose a new form of network attack that breaks a user’s mobile phone number with the aid of the user’s geographical location, apply it to one of the most popular entertainment webcast platforms in China, “YY”, and show that any YY user’s mobile phone number can be broken. This extends the reach of the traditional trilateration-based user localization method and escalates its harm: a leaked geographical location now also contributes to the compromise of the user’s mobile phone number.
(2) The brute-force technique is explored and a more practical brute-force method for a user’s mobile phone number is proposed. By querying the user’s mobile phone number with a mask (the partially hidden number that some functions display) and inferring the number’s attribution (carrier and region) from the user’s geographical location, the candidate number can be confined to a limited range. This shrinks the brute-force test set and raises the efficiency of breaking the number, making brute force of mobile phone numbers practical.
(3) Based on the technique of breaking a user’s mobile phone number from geographical location, corresponding security defenses are proposed, which developers can use as a reference for protecting users’ privacy.
8. Security Precaution Suggestions
In this paper, we proposed a new form of network attack, breaking a user’s mobile phone number based on geographical location, and took the largest entertainment webcast platform in China, “YY”, as the test object to evaluate the effectiveness of our method. The related security vulnerabilities were reported to the manufacturers, who repaired them promptly and acknowledged the report. Experimental results show that this form of attack is practical and feasible. Because similar security problems exist in many software products, we put forward the following suggestions for security precautions, in order to prevent this form of attack effectively and protect users’ information security:
(1) Protect users’ geographical location privacy
As mentioned earlier, an attacker can retrieve a user’s geographical location in two ways: from the location information shown on the personal homepage, and from the location leaked by certain functions of the software (e.g., the “nearby user” function). For the former, the user can decide entirely for themselves whether to show their location on the personal homepage. For the latter, because effective security precautions are lacking, an attacker can calculate the user’s location by trilateration. Many software products do not even offer an option that lets a user opt out of location display, so that the user can decide whether other users may find them through the software (e.g., a user who disables location display cannot be found with the “nearby user” function). In addition, we believe the developer should effectively detect a client’s coordinate spoofing (an attacker reports forged coordinates so as to measure the distance to the target from several vantage points), or apply distance-obfuscation measures that coarsen the distance data returned by the server, so that the attacker cannot calculate the user’s accurate coordinates by trilateration.
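The following Python is an added illustration, not code from the paper. It models the “nearby user” distance query: the attacker reports three spoofed vantage points, reads back the server’s distance to the target, and trilaterates. The coordinates, the three server-side policies and the speed threshold are constructed assumptions, and the planar linearisation is a generic trilateration rather than the paper’s spherical and symmetry-based method (Figures 10, 11 and 18).

```python
"""Trilateration against a 'nearby user' distance API, and two server-side defences (added example)."""
import math

EARTH_RADIUS_M = 6371000.0

# Constructed sample data (not from the paper): one target user and three attacker vantage
# points whose coordinates the attacker simply reports to the server (coordinate spoofing).
TARGET = (30.6586, 104.0648)
PROBES = [(30.6500, 104.0600), (30.6700, 104.0600), (30.6500, 104.0800)]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _to_xy(lat, lon, lat0, lon0):
    """Local metres around (lat0, lon0); accurate to well under a metre at city scale."""
    return (math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M,
            math.radians(lat - lat0) * EARTH_RADIUS_M)


def _from_xy(x, y, lat0, lon0):
    return (lat0 + math.degrees(y / EARTH_RADIUS_M),
            lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0)))))


def trilaterate(probes, distances):
    """Position at the given distances from three probes. Subtracting the first circle
    equation from the other two leaves a 2x2 linear system in (x, y)."""
    lat0, lon0 = probes[0]
    (x1, y1), (x2, y2), (x3, y3) = (_to_xy(la, lo, lat0, lon0) for la, lo in probes)
    r1, r2, r3 = distances
    a1, b1, c1 = 2 * (x2 - x1), 2 * (y2 - y1), r1**2 - r2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2, c2 = 2 * (x3 - x1), 2 * (y3 - y1), r1**2 - r3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probes are collinear; choose a third vantage point off the line")
    return _from_xy((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det, lat0, lon0)


def nearby_distance(user, probe, policy="exact", step_m=500.0, cell_deg=0.005):
    """Distance the server returns to a client claiming to stand at `probe`.
    exact          : metre-precise distance (what a leaking API returns)
    round_distance : distance bucketed down to a multiple of `step_m`
    snap_user      : the user's own stored position is snapped to a `cell_deg` grid first
    """
    if policy == "snap_user":
        user = tuple(round(c / cell_deg) * cell_deg for c in user)
    d = haversine_m(*user, *probe)
    if policy == "round_distance":
        d = math.floor(d / step_m) * step_m
    return d


def attack(target, probes, policy="exact"):
    """Attacker's estimate of `target` and its error in metres under a given server policy."""
    est = trilaterate(probes, [nearby_distance(target, p, policy) for p in probes])
    return est, haversine_m(*target, *est)


MAX_PLAUSIBLE_SPEED_MPS = 300.0  # assumed threshold, above any ground vehicle; tune per product


def implausible_jump(prev_fix, cur_fix):
    """Spoofing check: consecutive reported positions (lat, lon, unix_time) that imply an
    impossible speed. A genuine client cannot stand 2 km away one second later."""
    (lat1, lon1, t1), (lat2, lon2, t2) = prev_fix, cur_fix
    return haversine_m(lat1, lon1, lat2, lon2) / max(t2 - t1, 1e-3) > MAX_PLAUSIBLE_SPEED_MPS


if __name__ == "__main__":
    for policy in ("exact", "round_distance", "snap_user"):
        est, err = attack(TARGET, PROBES, policy)
        print(f"{policy:15s} estimate={est[0]:.5f},{est[1]:.5f} error={err:.1f} m")
    print("spoof flagged:", implausible_jump((30.65, 104.06, 0), (30.67, 104.06, 1)))
```

With metre-precise distances the estimate lands within a metre of the target. Bucketing the returned distance to 500 m leaves an error of a couple of hundred metres in this geometry, but the residual depends on how the three rounding errors happen to combine, so it is not a guaranteed bound. Snapping the user’s stored position to a grid cell before any distance is computed bounds the attacker’s result by the cell geometry no matter where the probes stand. The speed check catches the crude coordinate spoofing used to place the probes; an attacker who waits between position reports evades it, so it complements rather than replaces obfuscation.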
(2) Restrict the external exposure of the user’s mobile phone number
Some software products expose part of a user’s mobile phone number purely to improve the user experience, not to leak privacy deliberately, and developers are often unaware of the danger. Hiding every digit can hurt some functions: if the password-retrieval function gives no hint of the phone number, a user who has more than one number may forget which one they registered and fail to recover the password. Developers therefore have to balance user experience against information security. Our suggestion is to expose as few digits as possible and, where some must be shown, to choose them from the first seven digits. Those digits are determined by the carrier and the geographical location, so their possible combinations are already very limited, and revealing some of them contributes little to shrinking the brute-force test set. By contrast, each exposed digit among the last four shrinks the test set by a factor of ten (i.e., by 90%). Developers should therefore avoid exposing any of the last four digits of a mobile phone number.
(3) Apply effective access control to the client
As described in Section 2.2, breaking a user’s mobile phone number from geographical location requires the attacker to enumerate (brute-force) candidate numbers by sending a large volume of requests to the server. The server should therefore detect a client’s malicious high-frequency requests and throttle them, so that the user’s mobile phone number cannot be broken by enumeration. Our experiments rotated requests across 8 server IPs (Figures 13–15), so a limit keyed only on the source IP is not sufficient; the limit should also be keyed on the account being targeted, and it should cover every endpoint that accepts a candidate number (login, password retrieval and the masked-number query alike).
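As an added example (not the paper’s or YY’s code), the following Python implements the throttle suggested above as two independent sliding windows, one per source IP and one per targeted account, and replays a constructed attacker that spreads its attempts over a pool of rotating addresses. The limits, window length and addresses are assumptions chosen for the demonstration.

```python
"""Sliding-window throttling of enumeration attempts, keyed by source IP and by target (added example)."""
from collections import defaultdict, deque


class SlidingWindow:
    """Counts events per key inside a trailing window; refuses once `limit` is reached."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)

    def hit(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGuard:
    """Throttle for any endpoint that accepts a candidate phone number (login, password
    retrieval, mask query). Two independent windows: per source IP and per targeted
    account. Passing None for a limit disables that window."""

    def __init__(self, window_s=60.0, per_ip=20, per_account=10):
        self.by_ip = SlidingWindow(per_ip, window_s) if per_ip else None
        self.by_account = SlidingWindow(per_account, window_s) if per_account else None

    def check(self, account, ip, now):
        # The account window is consulted first and records the attempt even if the IP
        # window then rejects it, so rotating addresses never buys the attacker extra tries.
        if self.by_account and not self.by_account.hit(account, now):
            return "blocked:account"
        if self.by_ip and not self.by_ip.hit(ip, now):
            return "blocked:ip"
        return "allowed"


def simulate_rotation(guard, attempts=40, ips=8, interval_s=0.25, account="victim-uid"):
    """Constructed attacker: one target account, requests spread round-robin over `ips`
    source addresses, `attempts` requests spaced `interval_s` apart. Returns how many got through."""
    allowed = 0
    for i in range(attempts):
        ip = f"10.0.0.{i % ips + 1}"           # constructed rotating address pool
        if guard.check(account, ip, now=i * interval_s) == "allowed":
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("per-IP only     :", simulate_rotation(LoginGuard(per_account=None)), "of 40 allowed")
    print("per-IP + account:", simulate_rotation(LoginGuard()), "of 40 allowed")
```

With eight rotating addresses and a per-IP limit of 20, all 40 attempts pass a guard that only looks at the source address (each address sees only five); adding the per-account window stops the run at ten, whatever the number of addresses. In production the per-account window should key on a stable identifier of the victim (user ID or the masked number being probed), not on the candidate the attacker submits.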
Author Contributions
Conceptualization, H.Y.; Methodology, H.Y.; Software, H.G.; Validation, H.G. and X.M.; Formal Analysis, H.Y.; Investigation, H.G.; Resources, X.M.; Data Curation, X.M.; Writing-Original Draft Preparation, H.Y.; Writing-Review & Editing, H.G.; Visualization, X.M.; Supervision, H.Y.; Project Administration, H.Y.; Funding Acquisition, H.Y.
Funding
This research was funded by Nanhu Scholars Program for Young Scholars of XYNU.
Conflicts of Interest
The authors declare no conflict of interest.
References
- Andrienko, G.; Gkoulalas-Divanis, A.; Gruteser, M. Report from Dagstuhl: The liberation of mobile location data and its implications for privacy research. ACM SIGMOBILE Mob. Comput. Commun. Rev. 2013, 17, 7–18.
- Kushwaha, A.; Kushwaha, V. Location based services using Android mobile operating system. Int. J. Adv. Eng. Technol. 2011, 1, 14–20.
- Li, M.; Zhu, H.; Gao, Z.; Chen, S.; Yu, L.; Hu, S.; Ren, K. All your location are belong to us: Breaking mobile social networks for automated user location tracking. In Proceedings of the 15th ACM International Symposium on Mobile Ad Hoc Networking and Computing, Philadelphia, PA, USA, 11–14 August 2014; pp. 154–196.
- Polakis, I.; Argyros, G.; Petsios, T.; Sivakorn, S.; Keromytis, A.D. Where’s Wally?: Precise user discovery attacks in location proximity services. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 817–828.
- Xue, M.; Liu, Y.; Ross, K.W.; Qian, H. I know where you are: Thwarting privacy protection in location-based social discovery services. In Proceedings of the 2015 IEEE Conference on Computer Communications Workshops, Hong Kong, China, 26 April–1 May 2015; pp. 179–184.
- Hoang, N.P.; Asano, Y.; Yoshikawa, M. Your neighbors are my spies: Location and other privacy concerns in dating apps. In Proceedings of the 18th International Conference on Advanced Communication Technology, Pyeongchang, Korea, 31 January–3 February 2016; pp. 715–721.
- Fawaz, K.; Feng, H.; Shin, K.G. Anatomization and protection of mobile apps’ location privacy threats. In Proceedings of the 24th USENIX Security Symposium, Washington, DC, USA, 12–14 August 2015; pp. 753–768.
- Hallsteinsen, S.; Jorstad, I.; Thanh, D.V. Using the mobile phone as a security token for unified authentication. In Proceedings of the 2nd International Conference on Systems and Networks Communications, Cap Esterel, France, 25–31 August 2007; p. 68.
- Bertino, E.; Sandhu, R. Database security—Concepts, approaches, and challenges. IEEE Trans. Dependable Secur. Comput. 2005, 2, 2–19.
- Halfond, W.G.J.; Viegas, J.; Orso, A. A classification of SQL-injection attacks and countermeasures. In Proceedings of the 2006 IEEE International Symposium on Secure Software Engineering, McLean, VA, USA, 13–15 March 2006.
- Fleizach, C.; Liljenstam, M.; Johansson, P.; Voelker, G.M.; Mehes, A. Can you infect me now?: Malware propagation in mobile phone networks. In Proceedings of the 5th ACM Workshop on Recurring Malcode, Alexandria, VA, USA, 2 November 2007; pp. 61–68.
- Felt, A.P.; Finifter, M.; Chin, E.; Hanna, S.; Wagner, D. A survey of mobile malware in the wild. In Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, Chicago, IL, USA, 17 October 2011; pp. 3–14.
- Cheng, Y.; Ying, L.; Jiao, S.; Su, P.; Feng, D. Bind your phone number with caution: Automated user profiling through address book matching on smartphone. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, Hangzhou, China, 8–10 May 2013; pp. 335–340.
- Kim, E.; Park, K.; Kim, H.; Song, J. Design and analysis of enumeration attacks on finding friends with phone numbers: A case study with KakaoTalk. Comput. Secur. 2015, 52, 267–275.
- Gupta, S.; Gupta, P.; Ahamad, M.; Kumaraguru, P. Exploiting phone numbers and cross-application features in targeted mobile attacks. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, Vienna, Austria, 24 October 2016; pp. 73–82.
- Schrittwieser, S.; Fruehwirt, P.; Kieseberg, P.; Leithner, M.; Mulazzani, M.; Huber, M.; Weippl, E. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Proceedings of the 19th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, 5–8 February 2012.
- Kim, E.; Park, K.; Kim, H.; Song, J. I’ve got your number: Harvesting users’ personal data via contacts sync for the KakaoTalk Messenger. In Proceedings of the 15th International Workshop on Information Security Applications, Jeju Island, Korea, 25–27 August 2014.
- Gupta, S. Emerging threats abusing phone numbers exploiting cross-platform features. In Proceedings of the 2016 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, San Francisco, CA, USA, 18–21 August 2016; pp. 1339–1341.
- Murphy, W.; Hereman, W. Determination of a Position in Three Dimensions Using Trilateration and Approximate Distances; Technical Report MCS-95-07; Department of Mathematical and Computer Sciences, Colorado School of Mines: Golden, CO, USA, 1995.
Figure 1. The leakage of the relationship between mobile phone number and user ID.
Figure 2. Structure of the mobile phone number in China.
Figure 3. The construction process of the test set of the first seven digits (TS-7D).
Figure 4. The process of breaking a user’s mobile phone number.
Figure 5. Interface display of leakage of a user’s geographical location.
Figure 6. Displayed precision and actual precision of distance data.
Figure 7. User interfaces leaking part of a user’s mobile phone number.
Figure 8. Login model of YYPay.
Figure 9. Overall process of breaking a YY user’s mobile phone number.
Figure 10. Example of the spherical distance-calculation method.
Figure 11. Location calculation based on symmetry.
Figure 12. Construction schematic of the test set of mobile phone numbers.
Figure 13. Time-series diagram of the login attempts of a single server IP.
Figure 14. Time-series diagram of the login attempts with 8 server IP rotation.
Figure 15. Statistics of the login effect within one hour of 8 server IP rotation.
Figure 16. Model of channel information query.
Figure 17. The relationship between distance and localization error.
Figure 18. Flowchart of trilateration localization.
Figure 19. Sectional statistical chart of the fans of the 100 webcasters.
Figure 20. Time distribution of the 88 webcasters’ latest login on the YY mobile app.
Figure 21. Geographical location distribution of the 88 webcasters’ latest login.
Figure 22. The effect of mobile phone number breaking.
Table 1. The exposure of users’ geographical location and mobile phone number in seven apps.

| App | Ways of Exposing Geographical Location | Number of Digits Exposed | Ways of Exposing Mobile Phone Number |
|---|---|---|---|
| Sina Weibo | Personal homepage | 6 | Retrieve password |
| Alipay | Personal homepage | 5 | Retrieve password |
| KuGou | Citywide user search | 6 | Retrieve password |
| QQ | Personal homepage, nearby user search | 3 | Retrieve password |
| Baidu Account | Citywide user search | 5 | Retrieve password |
| 360 Account | Citywide user search | 6 | Retrieve password |
| YY | Personal homepage, location of the user’s recent login | 5 | Retrieve password, recharge for others |
Table 2. Distribution of the first three digits of mobile phone numbers among the three carriers.

| Carrier | First Three Digits of Mobile Phone Number |
|---|---|
| China Mobile | 139, 138, 137, 136, 135, 134, 159, 158, 157, 150, 151, 152, 147, 188, 187, 182, 183, 184, 178 |
| China Unicom | 130, 131, 132, 156, 155, 186, 185, 145, 176 |
| China Telecom | 133, 153, 189, 180, 181, 177 |
Table 3. YY user login and registration methods.

| Platform | Login Method | Registration Method |
|---|---|---|
| PC-end software | YY account number, mobile phone number, username, email | Mobile phone number, username, email |
| Mobile app | YY account number, mobile phone number, username, email, Weibo, WeChat, QQ, mobile phone verification code | Mobile phone number |
| Webpage | YY account number, mobile phone number, username, email, Weibo, WeChat, QQ | Mobile phone number, email |
Table 4. Statistics of the geographical location information of the 100 webcasters.

| | L1 = Null | L1 ≠ Null | Total |
|---|---|---|---|
| L2 = Null | 26 | 38 (L1 = L2) + 24 (L1 ≠ L2) | 88 |
| L2 ≠ Null | 2 | 10 | 12 |
| Total | 28 | 72 | 100 |
© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).