The researchers have notified OS makers, mobile operators, and trade group GSMA of their findings, and Apple has already added "conservative" peer support for the Auto Wi-Fi authentication in iOS 10.
In conservative peer mode, the device will only respond to requests for permanent identity when no pseudonym identity is available, so after a user has connected to an operator's legitimate Wi-Fi network once and authenticated using its IMSI, no spoofed access point will later be able to force the device to expose it.
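As an added illustration (not code from the researchers, Apple, or this article), the following Python models the EAP-AKA identity exchange described in RFC 4187 and shows how the conservative-peer rule withholds the IMSI once a pseudonym exists; the IMSI, pseudonym and realm-less identity strings are constructed sample values, and the messages are simplified to their identity attribute.

```python
"""Model of the EAP-AKA identity exchange (RFC 4187 sec. 4.1) showing how a
'conservative peer' refuses to reveal its IMSI to a later permanent-identity
request. Added illustration with constructed values, not operator or OS code."""
from dataclasses import dataclass, field
from typing import Optional

PERMANENT_ID_REQ = "AT_PERMANENT_ID_REQ"   # server insists on the IMSI-based identity
ANY_ID_REQ = "AT_ANY_ID_REQ"               # server accepts any identity type


@dataclass
class Peer:
    imsi: str                              # permanent identity (constructed sample)
    conservative: bool
    pseudonym: Optional[str] = None        # issued by a legitimate server after a full auth
    exposures: list = field(default_factory=list)   # every time the IMSI left the device

    def identity_response(self, request: str) -> Optional[str]:
        """Return the identity the peer is willing to send, or None to refuse."""
        if request == ANY_ID_REQ:
            # Prefer the pseudonym when one exists; the very first connection to the
            # operator unavoidably has to use the permanent identity.
            return self.pseudonym or self._permanent()
        if request == PERMANENT_ID_REQ:
            # Conservative peer (RFC 4187 sec. 4.1.6): reveal the IMSI only while no
            # pseudonym is available, so a spoofed AP seen after the first legitimate
            # authentication cannot force it out.
            if self.conservative and self.pseudonym is not None:
                return None  # the real protocol answers with an AKA-Client-Error
            return self._permanent()
        raise ValueError(f"unknown identity request {request}")

    def _permanent(self) -> str:
        self.exposures.append(self.imsi)
        return "0" + self.imsi  # leading '0' marks a permanent EAP-AKA identity (realm omitted)


def simulate(conservative: bool) -> dict:
    """Legitimate first connection, then a spoofed AP demanding the permanent ID."""
    peer = Peer(imsi="001010123456789", conservative=conservative)  # test-network MCC 001
    first = peer.identity_response(ANY_ID_REQ)     # no pseudonym yet -> IMSI is sent once
    peer.pseudonym = "2CONSTRUCTEDPSEUDONYM"        # '2' prefix = pseudonym; constructed value
    rogue = peer.identity_response(PERMANENT_ID_REQ)  # spoofed AP asks for the IMSI
    return {"first": first, "rogue": rogue, "imsi_exposures": len(peer.exposures)}
```

Running `simulate(False)` shows the IMSI leaving the device twice, while `simulate(True)` shows the second request refused with only the unavoidable first-connection exposure.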
OS makers and operators have acknowledged the problem, but there's no easy way to fix it, the researchers said. There are Extensible Authentication Protocol (EAP) authentication methods that work over Transport Layer Security and are encrypted, but they need to be supported in both mobile OSes and operators' systems. Deploying certificate-based infrastructure requires investments and is harder to maintain, they said.
Wi-Fi calling suffers from a similar problem. This technology allows users to make voice calls over Wi-Fi by connecting to the operator's Edge Packet Data Gateway (EPDG) using the encrypted IPsec protocol. This is different from voice over IP apps like WhatsApp or Skype.
Wi-Fi calling is supported on iOS and Android devices and uses the Internet Key Exchange Protocol (IKEv2) for authentication. Like Wi-Fi auto connect, the IKEv2 authentication is also based on identities like the IMSI number, which are exchanged over EAP-AKA.
EAP-AKA exchanges are encrypted, but are not protected by a certificate, which means they're exposed to man-in-the-middle attacks that could recover the IMSI number, the researchers said.
The good news is that Wi-Fi calling can be disabled on the device by the user, while Auto Wi-Fi can only be disabled when such a network is in range.
Leaking IMSI numbers is a privacy concern because there are services on the Internet that allow matching them to phone numbers, and finding the identity of a phone number's owner is not hard.
In general, IMSI numbers can be used to track and identify who has been in a certain place at a certain time. For example, authorities in a country where freedom of speech is not well respected could use them to identify participants of an unauthorized protest.