60

For instance do they know whether you're using an iPhone or Samsung?

Anders
  • 64,406
  • 24
  • 178
  • 215
Alexander A
  • 669
  • 1
  • 5
  • 6
  • 11
    yes, even without the user-agent, and without device fingerprinting, just by the logs. for example you can tell chrome from firefox by the way they fetch video. i'm sure phones are the same. – dandavis Jan 08 '18 at 09:02
  • Thanks. How long would you say ISPs store data and user activity history – Alexander A Jan 08 '18 at 09:03
  • 3
    they don't say. given the cost of data storage, it's safe to assume indefinitely. Data mining algos are always getting better, so why not have more data? Is losing a long-term insight worth a few hundred MBs? – dandavis Jan 08 '18 at 09:05
  • This guy who worked at many ISPs said that they store user history for a maximum of 5 years, I'm not sure where to get a definite answer – Alexander A Jan 08 '18 at 09:11
  • 2
    @AlexanderA - That will depend heavily on Jurisdiction. ISPs in some places could be legally required to hold data for a minimum of X years meanwhile in another there could be a maximum legal retention. – Hector Jan 08 '18 at 10:58
  • What about ISPs in the UK or Turkey for instance – Alexander A Jan 08 '18 at 11:04
  • 3
    Given that HTTPS is being used always more, I doubt that the user agent scan will be alive forever – usr-local-ΕΨΗΕΛΩΝ Jan 08 '18 at 13:41
  • 1
    Use TOR for browsing and the ISP will not know your device. Or VPN. – i486 Jan 08 '18 at 14:11
  • 1
    Apparently, you can also fingerprint the OS through its TCP/IP stack implementation. See https://github.com/cesarghali/OS-Fingerprinting and https://nmap.org/book/osdetect.html. – ComFreek Jan 08 '18 at 14:21
  • How often would you guys guess a small ISP monitors its users activity – Alexander A Jan 08 '18 at 15:35
  • Have you ever gotten a popup on Chrome mobile where it shows your exact model and android version? Because it's pretty obvious that the ISP could get it if a random advertisement can get it. – LateralTerminal Jan 08 '18 at 18:27
  • 1
    The ISP might even learn a lot from DNS queries for update.(vendor-or-device).com or other specifics – Hagen von Eitzen Jan 08 '18 at 21:13
  • 2
    @LateralTerminal A random ad might be running JavaScript on your device. Your ISP generally won't be, unless they're performing some kind of content injection. One doesn't really imply the other. – Chris Hayes Jan 09 '18 at 04:59
  • @ChrisHayes Well I learned something new – LateralTerminal Jan 09 '18 at 13:58
  • "What about ISPs in the UK or Turkey" -- this is a different question, really, but: in the UK there is legislation that *may* require ISPs to keep logs for 2 years. It doesn't require them to keep enough information to identify devices (although phones will have their IMEI attached, so it could be determined later). There is also legislation that requires any company holding personal data to register it with a government agency (the Information Commisioner's Office), allowing you to inspect details of what they store and for how long. You can also request access to the data for a small fee. – Jules Jan 09 '18 at 23:44
  • For how long are IMEI's attached – Alexander A Jan 10 '18 at 06:06
  • My wifi router does a really good job at showing a diagram of every device in my house despite the fact that I've never told it what they were (i.e. it knows I have an AppleTV, HP Printer, etc.. etc..). A lot of people use routers provided by their ISP inside their own private networks. You couldn't possibly make their job any easier to monitor all of your devices. – Reactgular Jan 10 '18 at 18:01

3 Answers3

62

Depends on the device and if you have taken any steps to hide it. Most devices by default put a lot of identifying information in the User-Agent header on outgoing HTTP/S requests. For HTTP requests these will be visible to anyone with wire access. For example for Android from here -

Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

And for iPhones -

Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25

Mobile carriers/providers meanwhile have access to your IMEI which uniquely identifies your device.

*As @Anders points out there are also service fingerprinting techniques. Any connection to a manufacturer related applications/service could be an indicator. As could profiling of data patterns (a simple approach would be fingerprinting device update files). I initially leaned towards user-agents because the original question asked about ISP's / this approach can be used no matter how the device is connected (i.e. IMEI is only visible to your carrier unless they forward it on. User-Agent would be visible on non-encrypted requests from any internet connection - WiFi, ADSL etc).

Community
  • 1
Hector
  • 10,893
  • 3
  • 41
  • 44
  • 1
    Does the IMEI part apply to Samsung as well – Alexander A Jan 08 '18 at 08:05
  • 7
    @AlexanderA - Yes. IMEI is universal across all "standard" modern devices (anything 3GPP compliant) including but not limited to anything GSM (2G), UMTS/HSPA/EDGE (3G) or LTE (4G) compliant. On many devices you can change/spoof your IMEI but this is in many jurisdictions highly illegal. I also wouldn't be surprised it networks could detect and block duplicate IMEI's. – Hector Jan 08 '18 at 08:34
  • 2
    [WhatIsMyBrowser.com's User Agents](https://developers.whatismybrowser.com/useragents/explore/operating_platform/) might be a good reference and it also includes Windows Phone, Blackberry, and many others. – Andrew T. Jan 08 '18 at 08:42
  • Please do not use comments for discussion or to ask new questions. – Rory Alsop Jan 09 '18 at 07:21
42

I worked for an ISP and yes we do. We know many things about your systems in the house.

A lot of them we learn from the router that we provide you, from vendor Mac addresses, from various headers you send out.

We also know who's computer belongs to whom and what kind of device it is(I think from MAC ADDR Mac Vendor Lookup) maybe IMEI as from comment above. We also know domain names on the device , what networking schema you have, passwords you have on the router.

I think if you were to avoid these things, you could:

  1. Don't use an ISP provided router.
  2. Use a VPN
  3. change headers

I several times would call customers to let them know that we cut their service becasue they were torrenting . They would say they weren't... The argument would always stopped when I pointed the exact computer that was torrenting

EDIT perhaps something weird to add. We know what you use on your computer too (at least what speaks to the internet) . I could see what you people torrented and with what tool too, Usually Utorrent. I could see what torrenting sites they went too IIRC.

Edit : To answer from comment "How to not use ISP provided router" in most cases after setup from your ISP, just have your router clone the mac address of the WAN interface if your ISP's router.

Edit 2: The ISPs that I am talking about are U.S market owners only. Despite having lived in Europe, I cannot confirm this ability within the European or other ISPs.

LUser
  • 824
  • 6
  • 12
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/71586/discussion-on-answer-by-aperturesecurity-does-your-isp-know-what-type-of-phone-c). – Rory Alsop Jan 12 '18 at 16:07
8

Short answer: YES

How?

MAC ADDRESS & TCP/IP stack profiling

ISP provided routers have access to your phones MAC address which is unique to your device and thus the manufacture of your device ... possibly even down to the model version or range of model versions of your device.

On some devices the MAC address can be spoofed, however, you would need root access on the device in question

The way your device communicates to various types of packets will allow for profiling of the device (both hardware & software) see here.

Alternatively you could use your own router ... which is preferable for numerous other reasons as well (speed, price, security)

HTTP (not https see here) packet header's User-Agent string

As Hector posted here user agent strings from your browser have quite a bit of identifying information in them (OS type, OS version, Browser type, Browser version, etc).

This string can be spoofed, there are various addons or settings in both Chrome and Firefox that can be used to change this string to anything you want, however, apps on your phone can make http requests of there own and may provide User-Agent strings that you can not directly control

Servers your phone accesses

You use your phone, and thus that usage causes your phone to contact various servers. Encrypted or not, the addresses of these servers is provided so as to allow for routing of the message to the destination. That being said, if you open the google play store (android), the iStore (iOS), your phone checks for automatic updates, the malware and or ad servers contacted ... your ISP will see this traffic and could pick up quite a bit of information just based on the addresses contacted and the amount of traffic sent/received from each server.

A VPN could be used to encrypt all of this communication (as long as none of these automatic update api calls are done before the OS full starts and VPN kicks in.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40