01 Nov 2014

Verizon Headers (UIDH): Basics and Avoidance Measures

tl;dr - Use a VPN (answer to many questions).

Verizon and other major cellphone carriers are inserting tracking tokens into all the requests we make from our smartphones. And if you tether your phone as a hotspot, they add tracking tokens there as well.

Verizon states that the Opt-Out form on their website only stops your unique ID from being associated with demographic data.

There are a couple of good websites for checking if your cell data is being injected with the tracking header. My favorite is by researcher Ken White: link.

But if you want to check it on your own hardware, here’s the tiny Sinatra application I set up:
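
A stand-in for that app, added here as an example and not the author's original code: it echoes every request header the server received and flags X-UIDH, the header that carries Verizon's UIDH token. The function names, the serve argument and the one-entry header list are assumptions of this example.

```ruby
# app.rb: echo the request headers this server received and flag X-UIDH.
# Added example, not the post author's original app.

# Carrier tracking headers to flag; X-UIDH is the one this post is about.
TRACKING_HEADERS = %w[X-UIDH].freeze

# Rack passes request headers as env keys such as "HTTP_X_UIDH". Turn them
# back into header names. Rack upcases names, so the original case is lost
# and "X-UIDH" comes back as "X-Uidh".
def request_headers(env)
  env.each_with_object({}) do |(key, value), out|
    next unless key =~ /\AHTTP_(.+)\z/
    out[Regexp.last_match(1).split("_").map(&:capitalize).join("-")] = value.to_s
  end
end

# Subset of the received headers that match the tracking list (case-insensitive).
def injected_tracking(headers)
  headers.select { |name, _| TRACKING_HEADERS.any? { |t| t.casecmp?(name) } }
end

# Plain-text report: verdict first, then every header, tracking ones marked "!!".
def report(env)
  headers = request_headers(env)
  found = injected_tracking(headers)
  verdict = if found.empty?
              "No known tracking header in this request."
            else
              "Tracking header injected: #{found.keys.join(', ')}"
            end
  lines = headers.sort.map do |name, value|
    "#{found.key?(name) ? '!!' : '  '} #{name}: #{value}"
  end
  ([verdict, ""] + lines).join("\n")
end

# `serve` is this example's own switch, so the file can be loaded without
# starting a server. Sinatra is only required when serving.
if ARGV.first == "serve"
  require "sinatra/base"
  Sinatra.new do
    get "/" do
      # text/plain so reflected header values are never rendered as HTML
      content_type "text/plain"
      report(request.env)
    end
  end.run!(port: 4567)
end
```

This version starts its server with ruby app.rb serve; a request arriving over a tagged connection shows an X-Uidh line marked with !!.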

Start that up by installing the Sinatra gem and then running ruby app.rb.

Next, go through the hassle of pointing your phone at it. I did this by using ngrok. Start that up with ngrok 4567, where 4567 is the default port for app.rb’s Sinatra WEBrick server.

Note the output from ngrok 4567

We want the line that says Forwarding http://a5c92a1.ngrok.com. We’ll use that URL when setting up the proxy on the Android cell phone.

Now, make sure you’re not on Wi-Fi data, and visit the URL from the ngrok output in your cell phone’s browser (i.e. http://a5c92a1.ngrok.com for me; yours will be different).

Tada! Thanks Verizon for tagging every web request with a header :-/.

So, what can we do to protect against this?

First off, sites using HTTPS aren’t susceptible to this header injection, since the carrier can’t modify an encrypted request. But that leaves a good chunk of the internet that’s vulnerable. Also, when using Wi-Fi data, Verizon can’t inject the headers because our data isn’t going through their network.

I tried two different methods for dealing with this. The first was to set up a Squid proxy that strips UIDH values from requests before passing them along. This worked, but isn’t as robust as the alternate solution, which is to use a VPN on the cellphone. If you’re using an iPhone, GetCloak is a nice service run by good people. It will route your traffic through their VPN. I’m currently using their app on OS X for an easy VPN that avoids leaking lots of data when in coffeeshops.

With an Android phone, you need to be a bit more savvy. Your convenient option is to ask GetCloak nicely for their unsupported/unofficial OpenVPN endpoint. I set it up on my cellphone by using OpenVPN.app. Very straightforward setup. The alternative would be to set up your own VPN endpoint, which was more work to get it properly forwarding all traffic.

So the short answer to Verizon spying on users? Use a VPN. And switch providers when there’s a company actively resisting such despicable practices.