[HN Gopher] The IMEI Code: Your phone's other number
___________________________________________________________________
The IMEI Code: Your phone's other number
Author : shortformblog
Score : 112 points
Date : 2024-04-29 18:39 UTC (1 days ago)
(HTM) web link (tedium.co)
(TXT) w3m dump (tedium.co)
| BuildTheRobots wrote:
| Couple of thoughts
|
| > The combination of the ICCID and the IMSI basically tells the
| mobile network, "hey, this person paid for a plan."
|
| As far as I remember, the ICCID never actually appears in
| standard network messaging. It might be possible for the network
| to request it, but it's not part of a standard 2/3/4/5g attach.
|
| The piece seemed to miss two major uses for the IMEI (or I missed
| it when reading), which were working around vendor bugs and
| allowing emergency calling.
|
| Radio firmware and state machines have always had weird bugs, and
| even when it conforms to standards (some of which are extremely
| interpretable), does very weird things in the real world. Pre-
| smartphone, being able to update phone and radio firmware was
| extremely rare, so it was common for the networks instead to
| implement workarounds on a manufacturer or handset basis. Having
| a hardware ID that identified this was extremely useful.
|
| GSM (and onward) actually supports a handset attaching to a
| network, even without a SIM card, for the sake of emergency
| calling. It needs some form of unique identifier for this to
| work. As much as it could (potentially, entirely redefining the
| stack) generated UUIDs, it makes some sense for these unique IDs
| to persist across roaming/sessions/reboots.
| heilhippo wrote:
| https://arcelect.com/GSM%20Developer%20Guide%20-%20GSM%20AT%...
| lxgr wrote:
| > As far as I remember, the ICCID never actually appears in
| standard network messaging.
|
| Yeah, that would be the IMSI (which a given SIM card can have
| multiple of, e.g. for switching to a more beneficial home
| network while roaming!)
|
| The ICCID is useful for identifying a given physical SIM card
| (e.g. so that the phone can link a given user-selected profile
| name to it/the associated phone line for a "preferred line for
| contact" indicator in dual-SIM phones), and probably also as an
| identifier when dynamically assigning a new IMSI over the air.
|
| > for the sake of emergency calling
|
| The IMEI can indeed be an identifier of last resort for
| emergency calls. I wonder if some countries use it to block
| abuse/spam calls to emergency services, or more importantly,
| why some others aren't?
|
| In Germany, for example, SIM-less emergency calls are no longer
| possible, supposedly due to many people calling the local
| emergency number to test whether a used phone is in working
| condition without inserting a SIM card... I don't know what
| they're doing with the IMSI in that case, and if it's locking
| these callers out, why they can't do the same for the IMEI.
| tjohns wrote:
| At least in the US, the 911 infrastructure is dated.
|
| In older systems, your caller ID is sent using in-band DTMF
| tones, which are decoded by the dispatch computer.
|
| On newer E-911 systems they get some additional digital
| address data from the telephone network, but the record
| format wasn't designed with VoIP or cellular in mind. So in
| those cases, the telephone network sends a virtual number and
| the dispatch computer does a separate out-of-band lookup with
| the VoIP/cellular company using that number as a key to get
| your location.
|
| The whole emergency calling system is layers upon layers of
| hacks. While they can bolt additional functionality on if
| they're creative, it's more likely a given feature is _not_
| implemented. There's a good chance that by the time the call
| gets to dispatchers, the IMEI/IMSI isn't displayed anywhere
| and they just see a random virtual number.
| londons_explore wrote:
| The fact the IMEI is generally not editable seems like a massive
| privacy hole.
|
| Just let people edit it. Then I can be someone new every day and
| nobody can track me.
|
| Mac address randomization does that for wifi. Now do the same for
| mobile networks.
| kevincox wrote:
| I really want mobile networks to accept their role as dumb data
| pipes. I should be able to just provide a password or
| certificate and connect. No IMEI, no SIM.
|
| And while we are at it stop tunneling my data back "home" when
| I travel. I don't want increased latency.
| londons_explore wrote:
| And while we're at it, how come if I have a phone without a
| sim I can't at least navigate to a carrier webpage to buy an
| esim?
|
| The phone could pop up a menu saying "Here are the available
| networks", and you pick one, connect and it says "Welcome to
| AT&T, enter credit card number here", and you type a number
| and hit OK and you're connected.
|
| Oh wait - just like Wifi!! Why are mobile networks so far
| behind?
| btgeekboy wrote:
| Kinda like this? https://en.m.wikipedia.org/wiki/Apple_SIM
| kbolino wrote:
| How would a networking stack with no hardware addresses even
| work? The next hop needs a way to reach back to you, before
| you can negotiate anything fancy like passwords or
| certificates. Even IPv6 SLAAC starts with a hardware address.
| londons_explore wrote:
| rand()?
| kbolino wrote:
| A MAC address is 48 bits and an IMEI is about the same
| entropy-wise. That's not nearly enough room to avoid
| duplicates (even SLAAC requires duplicate address
| detection, and IPv6 has a lot more bits to work with).
| You'd need a whole new layer 2 protocol, though to be
| fair you might be able to strip it down to just doing
| collision detection/avoidance and leave addressing up to
| layer 3 with IPv6, but that's not going to be any kind of
| backwards compatible or interoperable.
| boznz wrote:
| Surely the uniqueness is only required at the bottom end
| of the stack before the first 'router' ie the cell tower
| baby_souffle wrote:
| > Surely the uniqueness is only required at the bottom
| end of the stack before the first 'router' ie the cell
| tower
|
| Not if you need to send a message to $thatUniquePhone.
|
| Oversimplifying considerably, but if a land line places
| a call to a mobile, the "220-1234 calling for 220-7890"
| message enters the network. The `220-7890` phone number
| needs to map to the unique modem address so you can look
| up which tower the call setup data should be sent to. If
| - by sheer coincidence - I also have your MAC address and
| am attached to a tower 3 states away... which tower(s) do
| you forward the call setup data to?!
| vdqtp3 wrote:
| > which tower(s) do you forward the call setup data
|
| Whichever one has most recently communicated with the
| user in question (based on the credentials or certificate
| provided, in the original example)
| ixwt wrote:
| > And while we are at it stop tunneling my data back "home"
| when I travel.
|
| Oddly enough, I found this to be a plus when I traveled to
| China for work. My data was unmolested by the Great Firewall
| of China. I was able to get on websites with my mobile data
| that I couldn't when using wifi in the hotels.
| techsupporter wrote:
| > And while we are at it stop tunneling my data back "home"
| when I travel. I don't want increased latency.
|
| You might not, but a whole lot of customers who aren't as
| technically sophisticated did. When T-Mobile first started
| doing included international data roaming, they didn't tunnel
| back. That caused a lot of confusion from customers who
| didn't realize why stuff they expected to work, like checking
| their bank balance, didn't. (It also made throttling speeds a
| lot more difficult.)
|
| So to fix that, T-Mobile tunnels you back to a few endpoints
| in the States. Banking apps are generally happy, as are
| Netflix and Spotify. Most customers are happy because their
| phone "just works" the same as it "always has".
|
| For those of us who want to avoid the latency, we get a local
| SIM for data (if possible).
| gsich wrote:
| Only if you also change your SIM every day.
| londons_explore wrote:
| As a man who currently has 13 esims in his phone...
| mytailorisrich wrote:
| There is no privacy concern, really, as this is unique to the
| device, not subscriber, and only shared with the network
| operator, who obviously already "tracks" the subscriber through
| the SIM , which contains the subscriber identifier (IMSI).
|
| On the other hand, the IMEI in principle makes tracking and
| disabling of stolen devices easy.
|
| By the way, in the UK it is actually an offence to change the
| IMEI [1]
|
| [1] https://www.legislation.gov.uk/ukpga/2002/31/section/1
| toast0 wrote:
| The IMEI also allows a network operator to track a device
| across multiple sims. And I think it's also shared with
| roaming operators if roaming happens.
| NoImmatureAdHom wrote:
| "There is no privacy concern, really..." Except for the
| network operator, who needs to track a _SIM card_ not a
| phone, but who can track you across networks and SIM cards if
| he has the IMEI. There is no reason the IMEI needs to be
| stable.
|
| The network operator does NOT need to know who you are, even
| if you live in a repressive country that mandates tying ID to
| mobile phone lines. Get a SIM card in person and top up in
| cash, or use a virtual credit card, or pay in cryptocurrency
| for an eSIM, or get a subscription in a less oppressive
| country and roam.
|
| Invisv is a great suggestion.
| least wrote:
| This is 100% a privacy concern if you're dealing with state
| level actors.
| ale42 wrote:
| They can track you with or without the IMEI. Next
| identifier is the IMSI read from your SIM card and I guess
| you're not replacing it every day...
| least wrote:
| Disclaimer: used to work in SIGINT, so please treat
| anything I say about this with appropriate skepticism.
|
| There are people that for various reasons do cycle out
| their SIM card frequently as a means to avoid tracking.
| This is ineffective. Changing the IMEI/discarding devices
| entirely is more effective.
| hughesjj wrote:
| Any immutable ID is inherently a privacy concern. Network
| operators are ISPs, and ISPs have been known to do things
| like hijack unresolvable DNS entries to a search page with
| ads. The network operator knows who you are and what IMEI was
| associated with your account.
|
| I wouldn't be surprised if there were some 'ghost'/virtual
| profiles associated with an IMEI, similar to what Facebook would
| do with the like button
| ementally wrote:
| You can, but it is not that easy and you also need to change
| your IMSI.
|
| https://invisv.com/pgpp/ for IMSI (not available worldwide)
|
| https://github.com/srlabs/blue-merle for IMEI, a nice guide
| written by them explaining how it works
| https://raw.githubusercontent.com/srlabs/blue-merle/main/Doc...
|
| You can follow this thread for more info
| https://discuss.privacyguides.net/t/cell-towers-tracking-net...
| hinkley wrote:
| I think I'm more concerned with the fact that the carriers know
| the IMEI of phones and claim that they can do nothing about
| stolen phones. That was the beginning of the end of my
| infatuation with the mobile space.
|
| I should have been well positioned for early retirement during
| the early smart phone gold rush but was just so put off by the
| Ma Bell feeling of the mobile industry that I had exited before
| most people had even entered.
| fencepost wrote:
| _I think I'm more concerned with the fact that the carriers
| know the IMEI of phones and claim that they can do nothing
| about stolen phones._
|
| Maybe once upon a time, but I'm pretty sure stolen devices
| can be blacklisted from networks these days.
| nolan879 wrote:
| Carriers have been blacklisting IMEIs for at least 10+
| years. Since phones tended to be carrier-locked back then
| you couldn't go to a new carrier without being in good
| standing to get your device's unlock code from the old
| carrier. Now that devices are available unlocked by
| default, it is probably harder since it would require
| carriers to communicate IMEIs?
| ale42 wrote:
| Not sure, I think that there are international lists of
| stolen IMEIs. Maybe it's just in Europe, though.
| lesuorac wrote:
| I believe the point is that they could've been blacklisted
| from the start and instead carriers would just put up their
| hands say "there's nothing we can do" despite there being
| something they can do.
|
| It's like when your apple laptop gets stolen and then
| starts using your applecare support and apple won't help
| you get it back.
|
| Of course, if you decided not to pay your phone bill I'm
| sure that device would get blacklisted real fast.
| londons_explore wrote:
| In Kazakhstan, when a phone is used on a mobile network for
| the first time, the IMEI of the phone gets locked to that
| mobile network and that sim card. When you buy the sim card,
| they photocopy your passport/ID card.
|
| No other sim will work in it until you take _that_ photo ID
| /passport to the mobile companies office to have it unlocked.
| The photo id (even if expired) becomes the unlock code for
| the phone.
|
| Made phone theft drop to pretty much zero.
| medo-bear wrote:
| > Made phone theft drop to pretty much zero
|
| Use a nuke to kill a fly?
| madeofpalk wrote:
| In Australia, you can report your phone as stolen and it
| becomes IMEI blocked, not able to be used on Australian phone
| networks.
|
| https://amta.org.au/lost-and-stolen-mobiles/
|
| https://amta.org.au/check-the-status-of-your-handset/
| apienx wrote:
| SMS specifications include "Type 0" messages, also known as
| Silent SMS. These messages don't trigger any event on the phone
| when received, but they do send back an ACK that includes IMSI
| metadata. Silent SMS are literally defined in the RFC and
| primarily used to covertly track user locations without
| judicial oversight.
|
| GSM, SS7, etc. are massive privacy holes _by design_.
| ParanoidShroom wrote:
| They are primarily used for configuring your visual voicemail
| lol. Stop the hyperbolic statements.
| walterbell wrote:
| Can they be disabled/blocked on the device, when not needed
| because the user has disabled "visual voicemail" with their
| carrier?
| skyyler wrote:
| https://www.heise.de/news/Zoll-BKA-und-Verfassungsschutz-
| ver...
|
| Not sure where you get your information, but these are
| routinely used by police to covertly track targets.
| squigz wrote:
| Could you elaborate on this? What is a 'visual voicemail'?
| What would a 'silent SMS' have to do with that?
| advisedwang wrote:
| Visual voicemail is where an app on your phone can show
| you a list of voicemails and you can click a button to
| play them, as opposed to you having to dial a number to
| access voicemail (the old "press 2 to hear the next
| message" stuff).
| lxgr wrote:
| I'm not sure if Visual Voicemail really uses silent SMS,
| but even older phones had a series of indicators such as
| "voicemail waiting", "message waiting" etc. which the
| network could control via binary SMS payloads.
|
| By sending one that clears all of them in a network that
| doesn't use them (or sending one equivalent to the
| current state for one that does), you can achieve the
| outcome of initiating SMS-MT (mobile-terminated) delivery
| to a given ME (phone) without any user notification.
|
| SMS delivery by necessity involves paging the device,
| revealing its location at a finer level (base station
| instead of paging area).
|
| So I wouldn't say silent SMS were designed as a spying
| tool, but they're one out of several ways to silently
| "ping" a phone and force it to communicate with the
| network without having to wait for it to cross location
| area boundaries, get or make a call etc.
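To make the two mechanisms above concrete (apienx's "Type 0" messages and lxgr's message-waiting-indicator payloads), here is an added example, not code from the thread or from any project named in it. It parses an SMS-DELIVER PDU the way a modem hands it over in PDU mode (e.g. from AT+CMGL) and classifies it from two header fields: TP-PID 0x40 is "Short Message Type 0" (3GPP TS 23.040: the phone acknowledges and discards it), and a TP-DCS whose upper nibble is 0xC, 0xD or 0xE belongs to the Message Waiting Indication groups (3GPP TS 23.038: bit 3 active/inactive, bits 0-1 voicemail/fax/e-mail/other). All three PDUs, the SMSC number, the sender and the timestamp are constructed sample values. Note that the paging that reveals the handset's cell happens before any of this is parsed, so handset-side classification can only tell you after the fact that you were pinged.

```python
# Added example (not from the thread): classify SMS-DELIVER PDUs by TP-PID and
# TP-DCS to spot "silent" deliveries. Field layout follows 3GPP TS 23.040
# (PDU structure, TP-PID 0x40 = Short Message Type 0) and TS 23.038 (DCS
# Message Waiting Indication groups). All PDUs below are constructed samples.


def _swap_nibbles(hexstr: str) -> str:
    """BCD semi-octets: each octet holds two digits, low nibble first."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def _decode_address(octets: bytes, toa: int) -> str:
    digits = _swap_nibbles(octets.hex().upper()).rstrip("F")
    return ("+" if (toa & 0x70) == 0x10 else "") + digits  # TON 001 = international


def classify(pid: int, dcs: int) -> str:
    """Say whether a message is delivered without any user-visible effect, and why."""
    if pid == 0x40:
        return "silent: TP-PID 0x40 (Short Message Type 0, acknowledged but discarded)"
    group = dcs >> 4
    if group in (0xC, 0xD, 0xE):  # Message Waiting Indication groups
        kinds = ("voicemail", "fax", "e-mail", "other")
        store = {0xC: "discard", 0xD: "store", 0xE: "store-ucs2"}[group]
        state = "active" if dcs & 0x08 else "inactive"
        return f"mwi-{store}: {kinds[dcs & 0x03]} {state}"
    return "normal"


def unpack_gsm7(ud: bytes, septets: int) -> str:
    """Unpack GSM 7-bit default-alphabet user data. chr() is exact only for the
    basic Latin letters and digits, which is all the sample text uses."""
    bits = int.from_bytes(ud, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse one SMS-DELIVER PDU (SMSC address prefix included, as modems emit it)."""
    data = bytes.fromhex(pdu_hex)
    pos = 0
    sca_len = data[pos]; pos += 1                       # SMSC: octet count incl. TOA
    smsc = _decode_address(data[pos + 1:pos + sca_len], data[pos]) if sca_len else ""
    pos += sca_len
    first = data[pos]; pos += 1
    if (first & 0x03) != 0x00:                          # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, toa = data[pos], data[pos + 1]; pos += 2  # originator: digit count + TOA
    oa_octets = (oa_digits + 1) // 2
    sender = _decode_address(data[pos:pos + oa_octets], toa); pos += oa_octets
    pid, dcs = data[pos], data[pos + 1]; pos += 2
    ts = _swap_nibbles(data[pos:pos + 7].hex()); pos += 7  # TP-SCTS; timezone octet not decoded
    udl = data[pos]; pos += 1
    return {
        "smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
        "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
        "udl": udl, "user_data": data[pos:],
        "classification": classify(pid, dcs),
    }


# Constructed samples: SMSC +447712345678, sender +49171123456, 2024-04-29 18:39:00.
_HDR = "0791447721436587" "04" "0B919471113254F6"
_SCTS = "42409281930000"
PDU_TYPE0 = _HDR + "40" + "00" + _SCTS + "00"                # PID 0x40, empty user data
PDU_MWI_CLEAR = _HDR + "00" + "C0" + _SCTS + "00"            # DCS 0xC0: discard, voicemail inactive
PDU_TEXT = _HDR + "00" + "00" + _SCTS + "05" + "E8329BFD06"  # "hello", GSM 7-bit packed

if __name__ == "__main__":
    for name, pdu in (("type0", PDU_TYPE0), ("mwi", PDU_MWI_CLEAR), ("text", PDU_TEXT)):
        m = parse_sms_deliver(pdu)
        print(f"{name:6s} from {m['sender']:14s} pid=0x{m['pid']:02X} "
              f"dcs=0x{m['dcs']:02X} -> {m['classification']}")
```

The "clear all indicators" trick lxgr describes is the second sample: DCS 0xC0 is the discard group with the voicemail indication set inactive, so the phone updates (or leaves) its indicator state and shows nothing. A handset or modem-side monitor that logs every PDU whose classification is not "normal", together with the serving cell at the time, gives you at least a record of when such pings arrived.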
| WirelessGigabit wrote:
| I remember using one of those dongles with a SIM card that
| you could talk to with an API and use that to send flash SMS.
| Full screen warnings to friends. Only option was 'OK' and the
| text was gone afterwards.
| ale42 wrote:
| My old Nokia C2-01 allows sending them from the menu ;-)
| ian0 wrote:
| Silent SMS is an incredibly convoluted and impractical way of
| trying to figure out someones location.
|
| The whole purpose of mobile networks is to track a device's
| location (so you can route data to/from it!). Of course it's
| easy to do it if you're the operator or someone who has
| compromised it.
| breakfastduck wrote:
| they WANT you to be stuck with it because then they can track
| you no matter what
| ale42 wrote:
| Mobile phones are a massive privacy hole. Almost by definition.
|
| And smartphones 10 times more (or more, depends on how many
| apps you installed, almost all of them include some sort of
| trackers).
|
| IMEI is (almost) the last of my privacy problems.
| lxgr wrote:
| Definitely don't let people edit it. iOS and Android don't
| allow picking your own MAC address for good reasons - people
| would inevitably pick 12:34:56, 00:00:00 etc. and cause
| problems for themselves and others.
|
| To increase privacy, either randomize it (but make it much
| longer at the same time to avoid collisions) and/or remove it
| from as many signalling contexts as possible and keep it as a
| device-local identifier only (which then probably also doesn't
| have to be unique across manufacturers).
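kbolino's objection to "rand()" (48 bits is not enough room to avoid duplicates) and lxgr's "make it much longer at the same time" are the same birthday-bound calculation. The block below is an added example, not code from the thread; it works the numbers for the identifier sizes mentioned above (a 48-bit MAC, the 14 information-carrying digits of an IMEI, a 64-bit IPv6 interface identifier) and for a 128-bit random ID, using the standard approximation P(collision) ≈ 1 - exp(-n(n-1)/2N) for n IDs drawn uniformly from a space of size N. The device count of 10^9 is an assumed round figure, and the IMEI row assumes the hypothetical "pick 14 random digits per day" scheme; real IMEIs are allocated, not random.

```python
# Added example (not from the thread): birthday-bound arithmetic for randomly
# generated device identifiers of the sizes discussed above.
import math

# Identifier spaces discussed in the thread. The IMEI figure counts only the 14
# digits that carry information; the 15th is a Luhn check digit.
ID_SPACES = {
    "48-bit MAC": 2 ** 48,
    "14-digit IMEI body": 10 ** 14,
    "64-bit IPv6 interface ID": 2 ** 64,
    "128-bit random ID": 2 ** 128,
}


def expected_collisions(n: int, space: int) -> float:
    """Expected number of colliding pairs among n uniformly drawn IDs: C(n,2)/N."""
    return n * (n - 1) / 2 / space


def collision_probability(n: int, space: int) -> float:
    """P(at least one collision), birthday approximation 1 - exp(-n(n-1)/2N)."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def devices_for_probability(p: float, space: int) -> int:
    """Smallest n at which the collision probability reaches p (inverse of the above)."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def report(n: int) -> dict:
    """One row per identifier space for a population of n devices."""
    return {
        name: {
            "expected_collisions": expected_collisions(n, N),
            "p_any_collision": collision_probability(n, N),
            "n_for_50pct": devices_for_probability(0.5, N),
        }
        for name, N in ID_SPACES.items()
    }


if __name__ == "__main__":
    # Assumed population: 10^9 devices generating a fresh random ID.
    for name, r in report(10 ** 9).items():
        print(f"{name:26s} expected collisions={r['expected_collisions']:10.3g} "
              f"P(any)={r['p_any_collision']:.3g} n(50%)={r['n_for_50pct']:.3g}")
```

With a billion devices, 48 random bits give on the order of 1,800 colliding pairs (the 50% point is reached at about 2x10^7 devices, and for 14 random IMEI digits at about 1.2x10^7), 64 bits give a few hundredths of a collision in expectation, and 128 bits give effectively zero. That is the "much longer" lxgr is asking for, and it is why schemes such as IPv6 temporary addresses have 64 bits of interface identifier to play with rather than 48.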
| ementally wrote:
| You can use https://github.com/srlabs/blue-merle if you want to
| change your IMEI
|
| >The blue-merle software package enhances anonymity and reduces
| forensic traceability of the GL-E750 / Mudi 4G mobile wi-fi
| router ("Mudi router")
|
| >Mobile Equipment Identity (IMEI) changer
|
| >Media Access Control (MAC) address log wiper
|
| >Basic Service Set Identifier (BSSID) randomization
|
| >MAC Address randomization
| soylentcola wrote:
| Looks like it only works on their portable router (a separate
| device) unless I missed something. A sort of proxy for your
| phone I guess?
| KenArrari wrote:
| If someone knows your IMEI can they track you?
| kbolino wrote:
| Not from the other side of a wide-area network, but if they are
| continuously in close proximity to you, or can effectively
| monitor everywhere (three letter agency), then yes. Of course,
| there are other ways to track you.
| harshaxnim wrote:
| Can you elaborate on what you meant by trackable when they're
| "continously in close proximity to you"?
| p_l wrote:
| Snooping, or hijacking, the radio pathway between you and
| your network operator.
| aspenmayer wrote:
| https://en.wikipedia.org/wiki/IMSI-catcher
| lxgr wrote:
| I think this is only true for older mobile networks. In 4G
| and 5G, I don't think the IMEI is part of any unencrypted
| radio message anymore.
|
| Even the IMSI is only used when absolutely necessary, i.e.
| for the initial attachment procedure when cold starting a
| device or entering a new routing area; after that, it's
| replaced by an alias called TMSI to make tracking phone users
| a bit harder.
|
| New Android versions will supposedly have a switch in their
| settings to show a warning every time the IMEI or IMSI is
| transmitted in plaintext [1].
|
| [1] https://cs.android.com/android/platform/superproject/main
| /+/...
| spiesd wrote:
| I'm interested in the general thrust, but this article is sloppy
| at best.
|
| > Check digit: The final digit is essentially used to validate
| the prior 14 digits with an algorithm. Similar digits exist in
| other types of identifier codes, such as the Universal Product
| Code (UPC) and the International Standard Book Number (ISBN). The
| algorithm that the mobile industry uses, the Luhn algorithm, is
| also used for social security numbers and credit card numbers.
|
| No, just no. SSNs (in the US) don't have check digits.
|
| Also:
|
| > Then there are network identifier numbers--the MAC address
| bestowed upon you by your WiFi network or mobile provider
|
| Huh? This nonsense ("bestowed upon") serves only to confuse. This
| is bad tech journalism: it fails to inform the masses, and is
| transparently worthless to experts.
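The one part of the quoted passage that is right is the check digit: a 15-digit IMEI is an 8-digit Type Allocation Code (whose first two digits identify the reporting body that allocated it, which is why so many start with 35 and why that is not a country code), a 6-digit serial, and a Luhn check digit over the first 14. The block below is an added example, not code from the article or the thread. It computes and verifies the check digit, splits the fields, and then checks exhaustively what Luhn actually buys you: every single-digit error is caught, and every adjacent transposition except 09<->90 is caught. The IMEI used is the widely published sample value 490154203237518, not a real device.

```python
# Added example (not from the article or thread): IMEI structure and the Luhn
# check digit, plus an exhaustive check of which errors Luhn detects.


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of decimal digits. Walking right to left
    from the position the check digit will occupy, every second digit is
    doubled (the digit immediately left of the check digit is the first one
    doubled); doubled values above 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """15 decimal digits whose last digit is the Luhn check of the first 14.
    (A 16-digit IMEISV replaces the check digit with a 2-digit software
    version and carries no check at all.)"""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> dict:
    """TAC (8 digits: reporting body + model allocation), serial (6), check (1)."""
    if not is_valid_imei(imei):
        raise ValueError("not a syntactically valid IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def make_imei(tac: str, serial: str) -> str:
    """Assemble a syntactically valid IMEI from an 8-digit TAC and 6-digit serial."""
    body = tac + serial
    if len(body) != 14 or not body.isdigit():
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    return body + str(luhn_check_digit(body))


def detects_all_single_digit_errors(imei: str) -> bool:
    """Try every other digit in every position; Luhn must reject all of them."""
    for i in range(15):
        for d in "0123456789":
            if d != imei[i] and is_valid_imei(imei[:i] + d + imei[i + 1:]):
                return False
    return True


def undetected_adjacent_transpositions(imei: str) -> list:
    """Positions i where swapping digits i and i+1 still validates.
    Luhn misses exactly the 09<->90 swaps, because 0 and 9 contribute the same
    amount whether or not they sit in a doubled position."""
    hits = []
    for i in range(14):
        if imei[i] == imei[i + 1]:
            continue
        swapped = imei[:i] + imei[i + 1] + imei[i] + imei[i + 2:]
        if is_valid_imei(swapped):
            hits.append(i)
    return hits


if __name__ == "__main__":
    sample = "490154203237518"  # published sample value, not a real device
    print(split_imei(sample))
    print("all single-digit errors caught:", detects_all_single_digit_errors(sample))
    print("undetected adjacent swaps at:", undetected_adjacent_transpositions(sample))
```

Two practical consequences: a tool that validates an IMEI typed by a user should treat a Luhn failure as a typo and not as proof of tampering, and a valid check digit proves nothing about provenance, since anyone can generate a passing IMEI for any TAC with make_imei. Blacklist and device-model lookups key on the TAC and full IMEI, not on the check digit.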
| toxik wrote:
| Many non-American SSN systems do have check digits.
| cesarb wrote:
| The Brazilian CPF (our equivalent to the SSN) goes up to
| eleven (literally) by including not one, but _two_ check
| digits; IIRC, the first one (the tenth digit) is computed
| over the first nine digits, and the second one (the eleventh
| digit) is computed over the first ten digits.
| dhosek wrote:
| The geographic aspect of SSNs no longer applies either. My kids
| have SSNs that start with different digits than my own which
| was assigned under the old regime where the first digit
| indicated where the SSN was issued.
| xjay wrote:
| Android defaults to sending the IMSI (SIM ID) to Google.
|
| > SUPL is used as part of the A-GPS (Assisted GPS) system to get
| a faster Time to First Fix. The problem is that Android's
| implementation automatically sends the IMSI (ID of the SIM card)
| to the SUPL provider for no apparent reason. And because Google
| is the default provider it's a big breach of privacy.
|
| https://github.com/Magisk-Modules-Alt-Repo/supl-replacer
|
| https://en.wikipedia.org/wiki/Assisted_GNSS
| ale42 wrote:
| From the article: it will generally start with
| a 35, which is unused as a country calling code
|
| It's "unused" because several country codes _start_ with 35:
| Ireland, Portugal, Luxembourg, Iceland... (This doesn't mean
| that phones are actually manufactured there... I have a phone
| with an IMEI starting in 354 and it's definitely not manufactured
| in Iceland...)
| lxgr wrote:
| Yeah, they seem to be confusing that with IMSIs or ICCIDs,
| which are indeed namespaced by mobile country code and
| international calling code respectively.
|
| Based on what other commenters have already pointed out, this
| seems to be a quite sloppily researched article.
___________________________________________________________________
(page generated 2024-04-30 23:00 UTC)