grandeduc - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Verizon's mobile persistent cookie is more trick than treat

News roundup: Verizon gave its mobile users an early Halloween trick: a cookie that cannot be erased, despite a number of privacy concerns. Also: compromising an air-gapped computer over the air; an alleged government-funded hack against a CBS reporter and more.

Verizon Wireless handed out an early Halloween trick this year by adding a unique identifier to the Web traffic of its mobile users. Unlike other trackers users may be familiar with (namely cookies), this tracker cannot be deleted.

The company claims it collects data from its users, including postal addresses, device types and languages, and demographic data such as gender, age and interests, as part of its Relevant Mobile Advertising Program and Precision ID marketing service. The process involves inserting a Unique Identifier Header (UIDH) -- a string of letters, numbers and characters -- into the HTTP headers of users ' Web requests.

These persistent cookies monitor actions including which websites are visited and how long a user spends on a site. Verizon sells this data to marketers to deliver better targeted ads. According to numerous sources, Verizon has been using UIDHs since 2012, but the issue has only drawn the attention of security and privacy experts this week.

The fact that the persistent cookies have been inserted on mobile Web transactions without the owners' knowledge for such a length of time is just the tip of the iceberg. Verizon users are able to opt out of its Relevant Mobile Advertising program, but they are unable to permanently remove the UIDH from their device; opting out of the program only prohibits Verizon from selling their data. Since the UIDH cannot be deleted, it is still incorporated into any Web data transaction sent over the Verizon Wireless LTE, 3G or 4G networks.

Experts say that because the cookie cannot be removed, it could have unintended consequences on users' data security and privacy. Web servers still receive the UIDHs, and site owners -- or malicious actors -- could potentially build a profile around this ID without a user's consent. While Verizon spokeswoman Debra Lewis told Wired that the company changes user UIDHs frequently to prevent malicious use, the frequency of the change is currently unconfirmed.

The ethics of forcing a UIDH on users without their consent -- as well as not offering a complete opt-out option -- and not to mention what can be done with the information if it falls into the wrong hands (or if it has happened already) has yet to be determined.

According to security expert Graham Cluley, no security app or browser add-on will protect Verizon's 123 million customers subjected to persistent cookies. To prevent a UIDH from being transmitted, users should either connect to the Internet via a VPN or Wi-Fi network or, if use of the carrier network is necessary, only visit HTTPS websites.

Security researcher Kenneth White created a website to help users check whether their devices are sending out UIDH codes.

Forbes recently reported that AT&T is working on its own Relevant Advertising code insertion program, but unlike Verizon, AT&T will not insert the UIDH into headers for its users if they opt out of the program.

In other news

  • A presentation at the International Malware Conference MalCon 2014 by security researchers from Ben-Gurion University in Israel this week revealed how data from an air-gapped computer can be leaked to a compromised mobile device over radio frequencies. The proof-of-concept malware, nicknamed AirHopper, involved infecting a target computer to send radio signals to a mobile device that captured the data. Researchers aimed to dispel the myth that data exfiltration from an air-gapped network was impossible and to "start a discussion on how to mitigate this newly presented risk." A video demonstrating the attack can be viewed here.
  • The book by former CBS News reporter Sharyl Attkisson has not been released yet, but is already making headlines due to allegations that a "government-related entity" spied on her and planted fake documents and malware on her computer. Attkisson, who left CBS News earlier this year over a dispute that it wouldn't run her stories portraying the Obama administration in an unfavorable light, wrote in Stonewalled: My Fight for Truth Against the Forces of Obstruction, Intimidation and Harassment in Obama's Washington that hackers breached both her personal computer and work-issued laptop with a phishing email in February 2012, and that attack was "redone" twice through a satellite hookup and Wi-Fi connection. The spyware reportedly tracked her keystrokes, emails, passwords and Skype account. The book will be released next Tuesday by publisher Harper Books.
  • Lumeta Corp. and Tripwire Inc. announced Thursday the integration of the Tripwire IP360 vulnerability management system with Lumeta's IPsonar network situational awareness technology. Reggie Best, chief product officer for Lumeta, stated that the combination allows the companies to "offer our customers a comprehensive foundation of network intelligence against which they can better manage network security risk."

Next Steps

Check out SearchSecurity's comprehensive mobile security guide.

Learn more about implementing an air gap system, intrusion detection and prevention, and the latest in enterprise vulnerability management.

Dig Deeper on BYOD and mobile device security best practices

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Do you believe Verizon Wireless's UIDH persistent cookie represents a security or privacy risk?
Verizon knows of course that every cookie it emplaces in violation of personal data security is a self logging claim on corporate resources.

Easy as Lexus Nexus to find where that info resides and record it every day until the class action suit.

Nice going Verizon legal staff. Too bad for Verizon stock holders that they chose to fight rather than switch.