This is actually good. IMEI is a unique number that can identify each device, and it is a huge privacy issue, as it can be used against the user to individually track each user.
IMEI is not required when placing calls or transferring data since this is securely managed by the GSM chip.
Are you sure this would not cause problems if two devices with the same IMEI were on the same tower, or even same provider? It might look fishy having multiple dups floating around on your network.
If one of these devices gets IMEI blacklisted, now all 13.5K devices are blacklisted... Not so good.
At least in LTE, the IMEI isn't a necessary part of connection setup. The network identifies the user seeking to connect by a temporary identifier if one of those is allocated or by the IMSI if that's all the user has. After the network and user pass a mutual authentication procedure, the core network may optionally ask for IMEI.
The identifiers actually used over the air are the IMSI (normally written once at the SIM factory and never changed, used as a fallback if no other identity is available), the TMSI (assigned by the core network when the user attaches, can be reassigned at every attach, service request (return from idle to active state), or mobility event that the core knows about), and RNTI (assigned by each cell, changes at each handover, used to address each downlink transmission to the mobile and I think included in the CRC in each uplink transmission from the mobile).
If you just receive a random transmission off the air, you can get the RNTI; if you receive an initial signaling message to the core network you'll get the current TMSI if assigned; you'll see the IMSI only in case of a new SIM or a SIM where the core network has forgotten who it assigned that TMSI to.
There are also some temporary identifiers between the cell and the core network allocated when the cell starts talking to a mobile and released when the mobile goes idle, but these never reach the mobile.
The core knows the IMSI and optionally IMEI of everyone connected. In normal operation, each cell only knows some temporary identifiers (it has the opportunity to record IMSI if the mobile sends it, but the mobile doesn't normally do that).
All the details are available from 3gpp.org, and I can be more specific about which section of which doc if anyone actually cares.
From what I understand, IMEI really isn’t used for much these days in modern signalling protocols (and even OS anti-theft logic), precisely because it’s been left up to manufacturers to allocate IMEIs, and some manufacturers are dumb and make mistakes like this.
For MAC addresses (also mfgr-allocated) mistakes like this are “fine”, because MAC addresses are layer-2 (switch-local) and therefore a collision will translate to a direct, customer-visible problem: they’ll buy two of the same device, and then their LAN will start acting wonky. As such, market forces will address dumb Ethernet equipment mfgrs, pushing them out of the market as customers stop buying them.
But the people buying cellular handsets aren’t the same people running the network, so there are no market forces in play to push back against dumb handset mfgrs. Instead, the network operators must just play with the hand they’re dealt; and that means coming up with alternative strategies for managing handset connectivity that don’t involve the theoretical primary key (IMEI) but instead make use of other unique keys (e.g. IMSI) that are also included in the connection handshake.
> mfg came from manufacturing; its existence meant that some people started using it for manufacturer as well; but having a g in the abbreviation without one in the word bothered people, so they added an r to make it mfgr.
This leads me to wish there was a well-researched blog for abbreviation/initialism/acronym etymologies, the way https://grammarphobia.com/ is for English word etymologies. But I guess there aren't that many of these that are in need of explanation; usually they're pretty obvious.
> But I guess there aren't that many of these that are in need of explanation; usually they're pretty obvious.
Something that always amuses me is that the two-letter abbreviation for Shanghai is SH. I find this funny because it seems so natural from an English perspective.
In fact, of course, nobody cares what English speakers think about a Chinese abbreviation of a Chinese name, and the H in the abbreviation refers to the second H in the word, not the first.
I think mfg usually stands for manufacturing. So it seems he's talking about manufacturingers. Not sure what the difference is between that and manufacturer though.
It is a real issue in the sense that phones reported lost or stolen to carriers result in an IMEI ban. It doesn't matter what the technical advantages to the end user are, what matters is if a carrier suddenly decides to shut off a thousand phones because they made an assumption about the nature of IMEIs that is expected to always be true.
In today's world of activation locked iPhones being far more effective in preventing theft than IMEI banning, it's time to get rid of privacy breaking things like IMEIs.
Providers issue SIM (subscriber identity module) cards to uniquely authenticate subscribers to their network. Why do you need something that is constant across SIM cards? It's superfluous identifying information (GDPR wants a word!).
Anti-theft. The device itself needs an identifier, so that if someone steals your device—immediately turning it off, re-flashing the OS, and putting their SIM in it, before booting it back up—then the network will still have some identifier to recognize the device itself by, so that it can say “nope, that’s stolen” and refuse to let it onto the network (thus disincentivizing stealing cellphones in the first place.)
I believe network-IMEI-registration isn’t the primary mechanism by which modern phone anti-theft works, though, since the device-owner is free to change the phone’s network-reported IMEI (much like you can change an Ethernet controller’s network-reported MAC address.) I might be wrong here, though; the phone’s baseband might come up with its burned-in IMEI and check for validity with the server, before switching to any application-processor-requested IMEI. (You can get around that by just booting up the phone in a Faraday cage—but having to do that every time would definitely decrease the black-market resale value.)
For iOS, at least, I think the anti-theft works by getting onto wi-fi each time the SIM changes and asking some activation server about the validity of [some other internal static device-ID that can’t be tampered with in this way]. Not so sure what, if anything, Android does (Android’s case is harder, since for phones with an unlocked bootloader, you can always flash an altered firmware that has no anti-theft logic.)
The same anti-theft argument could be used to justify building surveillance tech into any object, and yet our society seems to function just fine without it. I've never had my phone stolen, and I don't know anybody who has even just lost their phone more than once. Yet we all get tracked every single day due to this user-hostile design.
Also for most phones it's trivial to change the IMEI to resell the phone, or simply part it out. Which sure, are more things manufacturers see as bugs, to the frustration of legitimate activity - hence Right to Repair. The majority of the world is honest. Let's not build ourselves into a prison just to fallaciously protect against the few who aren't.
> I've never had my phone stolen, and I don't know anybody who has even just lost their phone more than once.
Errr, to be clear, the reason that phones don’t get stolen is that there are anti-theft measures in place.
People steal similar types of item (e.g. car stereos, game consoles, Blu-ray players) all the time. There’s no reason other than anti-theft measures that phones as a type of item would be stolen any less than these other categories. (They’d actually be stolen far more, since they’re small/easy to slip into one’s clothes/not a weird thing to be carrying around; and are often found just left on tables at cafes or hanging out of people’s back pockets. They’re like cash, basically.)
It’s the same reason that people steal bicycles more often than they steal cars. Bicycles, despite being worth much less, are just much easier to steal.
> The majority of the world is honest.
Do you live in a city? I’ve had my bicycle stolen five times now. I’ve also been mugged twice. I’ve never had my phone stolen, though—because it’s worthless to the sort of dumb criminals who steal things just to hawk them on the street, rather than to fence them.
It doesn’t require a large fraction of the world to be dishonest, to result in most people in the world having crimes committed against them. A thief will steal from far more than one person in their thieving career. Especially in regimes where the computed ROI for going after certain types of thief (e.g. homeless, drug-addicted thieves) is negative (i.e. their prison housing costs society more than their thieving does, apparently), and so they’re never held for more than a day or two.
> Errr, to be clear, the reason that phones don’t get stolen is that there are anti-theft measures in place.
Activation lock actually helps to reduce phone theft, but IMEI blacklisting is basically totally worthless. It's way too easy to change a phone's IMEI for it to be useful, and you often don't even have to do that, since just taking the phone to a foreign country is often enough to evade the blacklist.
When I did live in the city, I never had my bike stolen. But that's also because I didn't do things like ride my nicer road bike for a night out, but rather had a $40 beater with a lock that cost a similar amount. Also I avoided weak poles, and always took the front wheel off.
Bikes are actually a great analogy. Even though bike thefts are a concern, I still wouldn't want any of my bikes to have a built in location tracking to discourage theft! I'd rather suffer the mitigations I mentioned above, and consider losing a beater bike as part of the cost of transportation, than have my movements permanently recorded.
Similarly, I did and still do have no problem carrying a few hundred dollars cash. In general, remaining an autonomous individual requires being in possession of things of value that you control. Relying on some overarching system to take care of them for you results in that system inherently controlling you.
Trust me, the #1 reason why phones don't get stolen is because they are physically difficult to steal. If a well-connected thief steals your phone (and there are a lot of well-connected thieves), they will not have much of an issue getting it sold. Then the phone will either be parted out or flashed out of any anti-theft, depending on market demand.
There are two types of thieves: thieves that operate as part of a professional thieving ring; and thieves that operate alone, intending to directly hawk/pawn/trade/use what they’ve stolen.
Most thefts are committed by thieves who operate alone. (This is verifiable at least for my own country; I asked a crime-statistics analyst friend of mine.) Thus, most deterrence is focused on deterring the thieves who act alone.
This is the same reason that “security locks” aren’t actually proof against professional thieves. They’re not meant to deter thieving rings; they’re just meant to deter the thieves who are acting alone. Such thieves might have watched a tutorial or two on YouTube on lock-picking, and they might have picked up a lock-picking set from AliExpress; but they don’t have (and aren’t willing/able to invest in) the sort of lock-picking skills/tools that professionals have (e.g. slide-hammers, impact drivers, etc.) so an average security lock will be enough to stymie them.
Same with clubs on cars: no proof against professional thieving rings, but good enough to make a thief acting alone look elsewhere.
Just like there is a qualitative difference in how people treat things that are “free” vs. “$0.01”, there is a qualitative difference in theft rates between “no security” and “trivial security.” Most property crimes are spur-of-the-moment, committed by people who didn’t come prepared to steal something, but just see an opportunity to take something and feel the need to have it. Put a trivial barrier in the way of taking things, and those spur-of-the-moment crimes committed by “amateur thieves” go away.
Sure. But in my experience, all it takes is for you to know a guy that knows a guy and it's done. The type of people in the socio-economic situation that makes it so that they would steal phones often leads them to have that kind of contact.
In any case, maybe that is not so much the case in the US. But this certainly is the case in Europe; a very, very large percentage of stolen phones are sent to facilities that will part them out or unlock them.
It also is true that someone selling a locked phone on Kijiji is likely to end up selling it to someone who has the skill or who knows someone that can unlock it.
> a very, very large percentage of stolen phones are sent to facilities that will part them out or unlock them.
But again, that's post-hoc statistics. You're looking at the world that already has the trivial disincentive against amateur thieving. So of course you'll see most stolen phones being stolen by professionals—the amateur thieves are already not bothering, so if a phone is being stolen at this point, it's being stolen by a professional thief!
In a world without that disincentive, the statistics would skew very differently.
I again compare to the market for stolen bicycles. Yes, there are professional thieves with "bicycle chop shops" et al. But there are also crackheads carrying around bolt-cutters who just want to take a bike they walk by, ride it back to the ghetto, and then sell it for $20 to a street passerby to buy their next fix. Most cities have a large bike-theft problem, and it's mostly from this kind of thief, not from professional thieves. Any "security bike lock"—i.e. any bike lock you can't just snip through with bolt cutters—stops this kind of thief.
Look at New York City, for example. There are two types of bikes in NYC: those with security locks, and those that get stolen the instant they're left alone for ten minutes. The security lock wouldn't deter a professional thief—but a professional thief prioritizes, stealing fancy bikes from e.g. university sports department bike parkades, and won't bother with your average commuter bike. The crackhead does not prioritize. They just want $20, and your bike is probably worth $20.
If you are a crackhead, the economics of stealing a cellphone are already very poor. It is much more profitable to steal peoples' bicycles or even copper tubes than it is to steal a cellphone, because stealing a cellphone is a pain in the ass since it's almost always in your pocket.
The selection process for phones is already there: unless you are a very good thief, you're not stealing cellphones. That's because realistically your two ways of stealing a cellphone are either skillful pick-pocketing/misdirection, or muggings. Now if you're a crackhead, mugging people is not a very good idea for obvious reasons, and the subtler ways of stealing a cellphone already select for experienced thieves.
The number one reason why bikes are stolen so much is not because they are easy to steal, it is because there is essentially no risk of getting caught. No one will give a shit if you're stealing a bike, and so even professional bike thieves will simply pop your lock with a Ramset gun without a care in the world and be on their merry way hours before you even notice. Whereas stealing a cellphone, unless very skillful, requires direct confrontation, which is not an issue.
>But again, that's post-hoc statistics. You're looking at the world that already has the trivial disincentive against amateur thieving. So of course you'll see most stolen phones being stolen by professionals—the amateur thieves are already not bothering, so if a phone is being stolen at this point, it's being stolen by a professional thief!
I seriously disagree for the reasons I outlined above. The kind of people that would steal phones are the kind of people that know how to offload it. Again, maybe this is different in the US, but anyone with shady friends here could figure out how to fence a stolen phone. It's really not nearly as exclusive as you might think. I personally know two people I could offload a stolen phone to (whom I came into contact with via my elementary school, of all places), and I am very, very, very far from being the kind of person that needs to steal phones in order to subsist. The hardest crime I ever did was to give my friend a USB key with mp3s of Akon in 2011.
And even if it wasn't the case, do you really think a crackhead would not try to steal a phone anyways? Of course they would, and they could probably figure out a way to fence it for $20 or so. They just don't want to because stealing something that is either in your pocket or in your hands 24/7 is way too much risk for way too little reward.
From what I've seen, the former also seems to heavily spam Craigslist et al "buying locked phones and for parts phones" and "won't ask where you got them, imei reported lost stolen ok" and the latter quite commonly sells it to them for quick, below market, cash.
Stolen phones used to be worth a lot more before Apple threw iCloud locks on and the IMEI blacklists became a thing. Now a stolen phone is mostly only valuable for parts if it isn't fenced quickly, so there's really not the same incentive there used to be.
The only thing IMEI blacklisting has succeeded in doing is making it a bitch to buy phones on the used market. At any time the seller could do insurance fraud and claim the phone is stolen and now that phone is (domestically) a tablet at best and the purchaser is left with no recourse. At least with a vendor system like iCloud, there's a fast way to make sure the phone's signed out when you do a purchase on Craigslist or other third party site.
At some point we're going to be looking at titling phones (I'm amazed Apple hasn't done so yet) if we ever want to see a used phone market without insurance requirements happen again.
Right now, if you buy a phone and it ends up on the blacklist after the return period, you can find a service that changes the IMEI or figure it out yourself if you can stand to wade through forum FUD. Since a significant number of blacklisted phones are from broken finance contracts, a phone simply being in the blacklist does not imply that it was stolen - a broken finance contract is a civil matter purely between the carrier and the original owner. Therefore, rewriting the IMEI on such a phone is completely legal, at least in the US.
Whereas if phones had titles, then a financed phone could have a legal encumbrance recorded on that title after you thought you'd bought it outright, and changing the IMEI to get out from that would be illegal. Phones are not incorporeal, immovable, expensive, or dangerous devices. Lacking all of the usual justifications for existing title systems, heading away from draconian registration makes more sense than heading towards it.
The vast majority of stolen phones see their parts sold. Of those that don't, I know of a few people in major phone theft hubs that will change your IMEI (to name them, Derb Ghlef in Morocco, though I am sure it is also done in Shenzhen and other such similar places). How they do it exactly I am not sure, I imagine that involves flashing the baseband through JTAG connectors. In any case, that is quite a cheap process.
You will notice this happen: if your phone is stolen in Europe, it will almost invariably end up later in North Africa, then disappear entirely shortly after. Similar stories for stolen phones in NA, I'm sure.
As for iOS anti-theft, that also can be defeated in various ways.
In any case, anti-theft is not a proper justification for IMEIs being unique. Any anti-theft in a device that has been integrally stolen will be bypassed. These phones get fenced to people in third world countries with very very good reverse-engineering and electronics skills, and it only takes one to find out how to bypass any given issue. And worse comes to worst, they will sell the parts and still make a few hundred dollars out of your phone.
It might make things difficult for emergency calls without a SIM? It's been a while since I looked at the protocol spec around that. I don't know if you can get a TMSI without an IMSI; if you can, things would probably be OK as long as two phones didn't turn on and access the same tower at once.
It's like the MAC address of your smartphone WiFi radio. Yes, you'll get problems if there are two identical ones in the same cell, but in practice randomizing the MAC works perfectly fine.
This is actually not good. There is an IMEI database which can be used to prevent stolen phones from attaching to a network. If this IMEI is added, all of these devices will be prevented from registering.
Having worked in telco, I can say this DB is of no use because not all telco operators are participating. The stolen phone gets shipped very quickly overseas/outside of the country, completely defeating this database.
You can actually fake the IMEI number on some phones. Be advised that this is a crime in several jurisdictions. (The UK being one of them if I remember correctly)
Well, probably this was the result of some corruption in a parameter in the flash. In the early days of the Samsung Galaxy phones, if you broke part of the efs partition the modem couldn't read the IMEI and would fall back to a generic one. This looks quite the same.
Though with 13000 devices affected either it was a problem in manufacturing or someone in the Service Center was not doing the job too well...
I've done "First Articles of Inspection" (FAI) for Pixel phones at the factory where they're being made. Basically take the very first handful of devices off the line after software provisioning and run them through a litany of software checks, including that the IMEIs are unique. Then we do this for another bunch of random samples. The factories are unique experiences.
Hard to imagine for me how this could have happened. I don't know precisely how IMEIs are provisioned or stored, but I suspect they can be changed in software.
Trying to sell a used phone online is tricky. Legitimate buyers may want the IMEI to check it's not a reported stolen phone. Illegitimate buyers may want a known good one to replace one on a reported stolen phone.
Carriers can blacklist IMEIs from their network (that's a threat they use for certification; they want to make sure families of devices are well behaved).
One of my phones was blacklisted from a carrier a few years ago. They said it was reported stolen. I brought them the receipt; I bought it new in box. They said it was reported stolen by a carrier in a foreign country. I'd been there, maybe ten years earlier, and never with that phone. The local carrier I was a customer of said they couldn't remove the block, since it was reported stolen by a foreign carrier. Seems fishy how carriers work together to ban IMEIs but do nothing to verify reports of stolen devices.
I'm not sure carriers would ban this IMEI if it's tied to 13.5k phones, but I'm sure they're not happy.
If you buy cheap Bluetooth OBD-II dongles, you'll find they all have the same addresses. That's why you can't buy two dongles and use them in two cars without re-associating each time, for instance.
If you buy the $150 dongles, they have valid addresses like you would expect.
Picking a fight with a national telecom regulatory authority from a country other than your own seems like a poor business choice. Their customs people will seize all your products and Boston Tea Party them. They'll probably keep doing that even after you fix the problem.
I wonder: is there a dialect of English in India in which this post follows rules of grammar? I found it uncanny-valley hard to read.
Very nice! I presume the phones still work too, otherwise this would have been caught much sooner. The existence of the IMEI is, at this point, a deliberate security flaw that has been pushed onto us by governmental standards bodies, and cemented into law. A secure mobile protocol would not have fixed identifiers, and would instead identify endpoints with a nonce that rotated over time and base station.
I agree. Vendors are perfectly happy to randomize MAC addresses when scanning for WiFi access points, but apparently not willing to use the same algorithm when connecting to the cell network. I get that it makes many things easier when you have a persistent unique ID, but it is by no means required to control access to the physical layer. You can just randomly generate a number, and then authenticate with actual credentials.
Indeed. There is no valid technical reason for IMEIs to be unique, except for already very tenuous anti-theft perpetuation which is really a very minor factor.
In truth though, it is not very difficult to get a hold of an IMSI that does not refer to you, via anonymous SIM cards you can get a hold of a few different ways. And it is not very difficult to find the maintenance service menu of your phone and disable everything except 4G and 5G either. However, it is much simpler to just leave your SIM card at home and use other means of access :)
For me, not difficult to disable means that it takes less than 15 minutes to do so. Difficult to disable would take hours and require specific knowledge.
That’s one reasonably obscure network. As far as I can tell it’s Indian - if memory serves that country has no cryptography on their GSM networks and can demand keys at will. Even BlackBerry gave them access to their secure network.
And if the state has access, you’re one social engineering step away from the keys to the kingdom shrug
I think GSM security is less relevant than ever, especially in India. More and more people are using WhatsApp and Messenger instead of voice calls. SMS is literally non-existent. Since WhatsApp is end to end encrypted, the carrier/govt simply cannot look at the contents.
PS: I wonder why you'd call one of the world's largest LTE networks "obscure". Number of Jio users is probably comparable to entire population of USA.
> Jio, obscure to the western world, where Vodafone, T-mobile, Telefonica, and AT&T are fairly well known across the world. I get it’s the third largest carrier but is only serving the one country.
> GSM security, is everything. Getting the metadata of who you are and where you are, and being able to capture that passively is pretty sensitive metadata, I’m sure you’d agree.
Isn't that some high level kind of fraud? At the same time, I think it would easily be caught, so I'm a little confused if it's incompetence or maybe a mistake?
Does that mean they bribed somebody working at a factory? I'm not sure what could be gained by this. Having an "untraceable", replaceable phone? Wouldn't those be easily blacklisted once it's discovered?
Do we really need IMEI or SIM Cards?
- Some countries use IMEI for tracking & disallowing certain phones bought in some other country
- SIM cards also seem to just create problems for people.
IMEI is only needed if you want to track hardware. Physical SIMs are not needed (and eSIM is a thing now) but some form of the "Subscriber Identity" part of SIM is needed unless you are operating the carrier for free to all with a phone.
Not surprising; this isn't the first time a hardware manufacturer has screwed this up.
At a mobile game dev company we had a hardcoded list of bogus IMEI numbers. If a device returned an IMEI that was on the blacklist, we'd use another method to identify the device.
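Two comments in this thread describe the same kind of check from opposite ends: the factory-side "first articles" audit that confirms IMEIs in a batch are unique, and the app-side habit of keeping a list of known-bogus IMEIs and falling back to another device identifier. The following added example (not code from the thread, from any factory FAI process, or from any game studio) does both over a constructed batch of device records. It goes slightly beyond the comments by also validating the IMEI's Luhn check digit, which catches typos and corrupted values but, as the all-zero entry shows, not generic fallback values, which is exactly why an explicit bogus list is still needed. The `unit_id` field, the `KNOWN_BOGUS_IMEIS` set and the sample batch are assumptions constructed for this example.

```python
"""Provisioning-audit check for a batch of device records: IMEI format and Luhn
check digit, duplicates across the batch, and a small list of known bogus or
generic IMEIs that a modem may report when its IMEI store is missing/corrupt.

Added example, not code from the thread or from any factory or app vendor.
The device records, the bogus list and the `unit_id` fallback field are
constructed for illustration; only the IMEI structure (8-digit TAC + 6-digit
serial + Luhn check digit) reflects the real format.
"""
from collections import Counter
from typing import Dict, List


def luhn_check_digit(payload: str) -> str:
    """Check digit for a 14-digit IMEI payload (TAC + serial), per the Luhn algorithm."""
    total = 0
    # Walk the payload from the right; the rightmost payload digit gets doubled,
    # because it sits second from the right once the check digit is appended.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_imei(tac: str, serial: str) -> str:
    """Constructed test helper: build a Luhn-valid 15-digit IMEI from TAC + serial."""
    payload = tac + serial
    if len(payload) != 14 or not payload.isdigit():
        raise ValueError("TAC + serial must be 14 digits")
    return payload + luhn_check_digit(payload)


def imei_is_well_formed(imei: str) -> bool:
    """15 digits with a correct Luhn check digit. This alone does not catch
    generic fallback values such as all zeros, which are Luhn-valid."""
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])


# Constructed list: values seen when a modem cannot read its provisioned IMEI.
# All zeros is the classic case; it passes Luhn, so it needs an explicit entry.
KNOWN_BOGUS_IMEIS = {"0" * 15}


def audit_batch(devices: List[Dict[str, str]]) -> Dict[str, str]:
    """Classify each record as 'ok', 'malformed', 'bogus' or 'duplicate'.
    Records are dicts with 'unit_id' (constructed board serial, the fallback
    identity) and 'imei' (what the modem reported after provisioning)."""
    seen = Counter(dev["imei"] for dev in devices)
    verdicts: Dict[str, str] = {}
    for dev in devices:
        imei = dev["imei"]
        if not imei_is_well_formed(imei):
            verdicts[dev["unit_id"]] = "malformed"
        elif imei in KNOWN_BOGUS_IMEIS:
            verdicts[dev["unit_id"]] = "bogus"
        elif seen[imei] > 1:
            verdicts[dev["unit_id"]] = "duplicate"
        else:
            verdicts[dev["unit_id"]] = "ok"
    return verdicts


def device_identity(dev: Dict[str, str], verdict: str) -> str:
    """The app-side pattern: trust the IMEI only when the audit says 'ok',
    otherwise identify the device by the constructed unit_id instead."""
    return f"imei:{dev['imei']}" if verdict == "ok" else f"unit:{dev['unit_id']}"


# Constructed sample batch: one clean unit, a duplicated IMEI, a modem that fell
# back to all zeros, and a value with a wrong check digit.
SAMPLE_BATCH = [
    {"unit_id": "U0001", "imei": make_imei("35123456", "000001")},
    {"unit_id": "U0002", "imei": make_imei("35123456", "000002")},
    {"unit_id": "U0003", "imei": make_imei("35123456", "000002")},  # same as U0002
    {"unit_id": "U0004", "imei": "0" * 15},                         # generic fallback
    {"unit_id": "U0005", "imei": "351234560000011"},               # bad check digit
]

if __name__ == "__main__":
    verdicts = audit_batch(SAMPLE_BATCH)
    for dev in SAMPLE_BATCH:
        v = verdicts[dev["unit_id"]]
        print(dev["unit_id"], v, device_identity(dev, v))
```

Both duplicated units are flagged rather than just the second one, since the audit cannot tell which of the two was provisioned correctly; a 13,500-device collision like the one in the article would show up as 13,500 `duplicate` verdicts on the first run of such a check.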