web application security lab

Moto Q9 DoS and Fingerprinting

So I got a new smart phone, which has been highly entertaining when I’m stuck in airports, or waiting for meetings or whatever. It’s a Moto-Q9. Boy is it sexy - lots of features, fairly fast. It kinda reminds me of what Windows 95 used to be - usable but not fast. It has the new version of Microsoft’s mobile operating system on there with direct push (similar to Blackberry, which saves battery life, I’m sure, for real-time email), a 2-megapixel camera, etc… etc… Fun little toy. So id and I were driving around town and I was messing with my phone as he drove and it suddenly occurred to me that I had never really toyed with the browser. So I start messing around with the settings, and of course turn off JavaScript. But then I realized I had never tested it with JavaScript turned on. That’s when I went to Mr. T. What did Mr. T do to the Moto Q9 (which is running Opera, by the way)? It crashed it immediately.

So then I start messing around with it, and I narrow it down to one of the things that’s more legacy than anything: the now-fixed MS mhtml bug. Uh oh. Yup, the mhtml bug appears to crash mobile Opera instantly. So back to keeping JS turned off, I guess (I haven’t tested if there is another way to cause the crash using a redirection or an iframe, but it takes a long time to test, so I’ll leave that to another day).

Then I start messing with the other options, like the “Identify as” function. With it set to “handheld device” the user agent reads “MOT-Q9/01.04.35R Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; Smartphone; 320×240) Opera 8.65 UP.Link/”. Eesh! It gives my actual device type! So then I turn the setting to “desktop computer” and it turns into “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Opera 8.65 [en] UP.Link/”. Okay, fair enough, that appears to be the more secure setting, as at least it doesn’t say the revision and model number of the phone.

That is, of course, until you look at the rest of the headers:

HTTP_ACCEPT = application/xhtml+xml, application/vnd.wap.xhtml+xml, text/html, text/vnd.wap.wml, application/vnd.wap.wmlc, */*,text/x-hdml,image/mng,image/x-mng,video/mng,video/x-mng,image/bmp,text/html
HTTP_ACCEPT_CHARSET = iso-8859-1, utf-8, utf-16, *;q=0.1,*
HTTP_ACCEPT_ENCODING = deflate, gzip
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Opera 8.65 [en] UP.Link/
HTTP_VIA = 1.1 alnmagr1fe09WAP2-mbl

Okay, so now we know my provider, how big my screen is, that it’s a mobile device of course (the reference to WAP), but more importantly we get the actual profile of the phone in the RDF file with all the settings, so you know exactly what may or may not work against the phone! Geez! Talk about giving up too much info! I hardly consider myself a cell phone hacker (for that you’ll need to talk with the Flexilis guys) but in 5 minutes I found all that - that’s not a good start. Whelp, so much for surfing from my phone!
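The kind of header-dump check described above (and the one Maximinus describes in the comments below), as an added example that is not part of the original post: a small Python audit that takes the request headers a server sees and reports what they give away about the handset, run here over the two header sets transcribed from the post. The `MAKE-MODEL/firmware` user-agent pattern is an assumption fitted to the Q9 string (other vendors format it differently), and the X-Wap-Profile and X-Forwarded-For checks go slightly beyond the post by also covering the UAProf and Opera Mini headers the thread mentions; the sample header dictionaries are constructed from the post’s own dumps.

```python
import re

# Constructed sample input, transcribed from the header dumps in the post.
# Keys follow PHP's $_SERVER naming, as a header-dumping script would see them.
HANDHELD_HEADERS = {
    "HTTP_USER_AGENT": "MOT-Q9/01.04.35R Mozilla/4.0 (compatible; MSIE 6.0; "
                       "Windows CE; Smartphone; 320×240) Opera 8.65 UP.Link/",
    "HTTP_VIA": "1.1 alnmagr1fe09WAP2-mbl",
}
DESKTOP_HEADERS = {
    "HTTP_ACCEPT": "application/xhtml+xml, application/vnd.wap.xhtml+xml, text/html, "
                   "text/vnd.wap.wml, application/vnd.wap.wmlc, */*,text/x-hdml,"
                   "image/mng,image/x-mng,video/mng,video/x-mng,image/bmp,text/html",
    "HTTP_ACCEPT_CHARSET": "iso-8859-1, utf-8, utf-16, *;q=0.1,*",
    "HTTP_ACCEPT_ENCODING": "deflate, gzip",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) "
                       "Opera 8.65 [en] UP.Link/",
    "HTTP_VIA": "1.1 alnmagr1fe09WAP2-mbl",
}

# Assumed pattern for the "MAKE-MODEL/firmware" prefix seen on the Q9; other
# vendors format this differently, so a real audit would need more patterns.
DEVICE_RE = re.compile(r"^([A-Z]{2,4}-[A-Za-z0-9]+)/([\w.]+)")
# Screen size as "WxH", accepting the multiplication sign the post's dump shows.
SCREEN_RE = re.compile(r"\b(\d{2,4})[x×](\d{2,4})\b")


def audit_headers(headers):
    """Return the facts about the handset a server can infer from one request."""
    ua = headers.get("HTTP_USER_AGENT", "")
    accept = headers.get("HTTP_ACCEPT", "")
    via = headers.get("HTTP_VIA", "")
    found = {}

    m = DEVICE_RE.match(ua)
    if m:
        found["model"], found["firmware"] = m.group(1), m.group(2)
    m = SCREEN_RE.search(ua)
    if m:
        found["screen"] = f"{m.group(1)}x{m.group(2)}"

    # Any one of these marks a WAP-capable handset, whatever the UA claims to be.
    if "vnd.wap" in accept or "UP.Link" in ua or "WAP" in via.upper():
        found["wap_device"] = True

    if via:
        # The Via hop names the carrier gateway. If it stays constant for one
        # subscriber it doubles as a cookie-less identifier (see the thread below).
        found["gateway"] = via.split(None, 1)[1] if " " in via else via

    # UAProf (RDF) URL and Opera-Mini-style forwarded client address, if present.
    if "HTTP_X_WAP_PROFILE" in headers:
        found["uaprof_url"] = headers["HTTP_X_WAP_PROFILE"]
    if "HTTP_X_FORWARDED_FOR" in headers:
        found["client_ip"] = headers["HTTP_X_FORWARDED_FOR"]
    return found


def still_disclosed(handheld, desktop):
    """Facts that survive switching "Identify as" from handheld to desktop."""
    before, after = audit_headers(handheld), audit_headers(desktop)
    return sorted(k for k in after if k in before)


if __name__ == "__main__":
    for name, hdrs in (("handheld", HANDHELD_HEADERS), ("desktop", DESKTOP_HEADERS)):
        print(name, audit_headers(hdrs))
    print("still disclosed as desktop:",
          still_disclosed(HANDHELD_HEADERS, DESKTOP_HEADERS))
```

Run against the post’s dumps, the “desktop computer” setting hides the model, firmware and screen size but still leaves the WAP capability (via the Accept types and `UP.Link`) and the carrier gateway name, which is exactly the residue the post complains about.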

10 Responses to “Moto Q9 DoS and Fingerprinting”

  1. David Says:

    Well, to be fair, developing internet applications (and even CSS layouts) for phones isn’t particularly easy for anything remotely advanced because of the many levels of options supported.

    Projects out there try to identify phones as best they can so you (as a developer) can provide an optimal experience to any phone user. Of course, this is easier if the phone can identify itself.

    Even if standards were imposed you’d still have to support earlier phones. So I suppose it’s user experience versus security - and we all know which one wins there :)

  2. RSnake Says:

    Hahah, I agree, it’s not easy, but really, I’m okay if pages don’t render on my phone. I’d _much_ rather be secure personally. Maybe most people don’t care, but at least give me the option to opt out of the information disclosure.

  3. Maximinus Says:

    I’ve recently upgraded to a SonyEricsson W950i - and I’ve had a bit of a play around with the browser, as you do. Inspired by this revelation, I quickly chucked up a php script onto my server so that I could easily check the headers, and visited it on my phone (which also runs a mobile version of Opera). I found that it provides the following information in the headers: Make, model, firmware version, Symbian version, Opera version, the fact that it’s a WAP-capable device, the WAP profile in RDF format, X-Nokia-CONNECTION_MODE: TCP, X-Nokia-BEARER: GPRS, X-Nokia-gateway-id (this includes the version number and build of this), my carrier, a fuller version string for the gateway software, the fact that it’s passed through Squid, the version of Squid it’s passed through and my IP address on my carrier’s network.

    What’s even worse is that there isn’t an option to make it identify as a non-mobile device or change the information sent in any way - it’s literally all or nothing.

    I certainly understand the problems faced when trying to develop websites which work on cellphones; but also like RSnake, I don’t really care if the formatting’s not perfect on my phone - I’d rather not be giving out quite so much information (even if some of it isn’t really of any use to potential hackers). When I’m wearing my web developer hat, I’m happy if the site is usable on cellphones; I don’t really mind terribly if the layout is not how I’d ideally like.

  4. SethF Says:

    Pocket IE - Current and older PIE bugs. PIE on WM6 contains local file disclosure bug that allows you to determine what programs are installed.


    The biggest issue for these mobile devices is patches. When a bug is found in one of the ROM programs, what are the chances it will get installed in the end users device?

  5. kaneda Says:

    Your post inspired me to check out my own XDA. I have a Dopod 838 Pro (HTC rebranded) and using the IE browser (Windows Mobile 6 build) shows that Mr. T does not appear to load correctly.

    The browser gets as far as showing the title “Master Reconnaissance Tool”, then stops after 20-30 seconds.


    So I fire up the java manager and then select Opera Mini, try Mr. T again, and opera mini hovers at the 40% mark for a while before returning correctly.

    Interesting tidbits from Opera:

    * Under Opera Mini, all plugins that Mr. T looks for come up as “enabled”
    * Even though Opera Mini bounces through Opera’s servers, the env. variable HTTP_X_FORWARDED_FOR is set to the real IP of the mobile device
    * Seems to be an unused env. variable called HTTP_X_OPERAMINI_PHONE which was set to ? # ?

    (Using Opera Mini 4)

  6. Hallvord R. M. Steen Says:

    Wow. I guess it will take some work to convince phone operator companies that less information disclosure would be a good thing! I don’t really see a point in creating a setting for it to be honest. We have to find the right balance that will give web devs some information they need to serve something they think will look good (at Opera we think the answer is CSS Media Queries though, which you’ll admit looks much safer :-) ) and not disclose information that is “abusable”, somehow.. A setting would protect the 0.001% of mobile phone users who were technical enough to understand it, yet do nothing for the rest.

  7. Spider Says:

    Have you considered minimo, the mozilla offering for mobile devices? I’ve given up on smart phones myself, so I can’t test it very well. But, it is open source, so someone could theoretically change the information it provides to websites.

  8. Opus345 Says:

    Hmmm. Now you got me thinking about what my XO (OLPC - One Laptop Per Child) is giving up. When they send it back with a new keyboard, I will give it a try.

  9. Finite Says:

    And what is this all about?!


    Presumably some sort of (hashed?) version of your subscriber number? It appears to be a hostname, but it didn’t resolve when I tried it.

    In any case, it sure does look like a cookie-less unique ID, which is its own class of privacy failure.

    (Am I missing something, or did everyone else in this thread miss this header in the original post?)

  10. RSnake Says:

    I have no idea what that is, but I agree, it’s bad looking. I noticed it as well, but beyond the network, I’m unsure of what it means, but indeed it does seem to stay the same when I look at it over time. So yes, this could easily be used as a cookieless tracking method.