Fun with IMEI (was testing the free calypso software)

Michael Spacefalcon msokolov at ivan.Harhan.ORG
Tue Feb 4 01:23:54 CET 2014


Norayr Chilingarian <norayr at arnet.am> wrote:

> Does anyone know what will happen in a cellular network where there is
> more than one device has the same IMEI. In other words, if we all
> could change our IMEI numbers, and use one imaginary number, are there
> technical reasons for network to not work.

joerg Reisenweber <joerg at openmoko.org> responded:

: no technical but organizational. Usually that IMEI gets an instant ban, and
: a fat bold red alarm logline in carrier's network logs.

Yup, if all of us were to use the same IMEI number, it would be far
too easy for our enemies to ban that one single number.

> I mean, MAC address is used on a physical layer, so if two network
> cards connected to the same switch have same MAC adresses, network
> won't work. I guess switch will down both ports connected to those
> devices.

The analogy between IMEIs and Ethernet MAC addresses is a good one
from a manufacturing/management perspective, but not in terms of
network protocol usage.  Unlike MAC addresses, IMEIs are not used for
any kind of addressing or routing anywhere in the network, only as a
"management" identifier that is unnecessary in the strict technical
sense.

But from the perspective of a device manufacturer (which I will become
soon, hopefully), IMEIs are just like Ethernet MAC addresses: the
nominal requirement is that each be world-unique for all time (a rule
that gets broken in reality with both MAC addresses and IMEIs), a
manufacturer has to buy a range (supposedly "fresh" and unused) from a
central registry, and then number individual produced units out of
that range.

> But I don't know how IMEI's work. Are they technically necessary so
> that 3G/gsm network can be operational, or they are only used to
> identify (and track) customers by devices?

The latter.

Before everyone starts changing their IMEIs just for the heck of it,
let's analyze *rationally* how tracking works - or rather, what is the
total set of data elements available to carriers (and their gov't
partners etc) for tracking users, and how these data elements inter-
relate.

If you like maintaining a long-term-constant phone number at which
your family and friends can reach you (i.e., the whole purpose for
having a cellphone, at least for me), and you have a long-term-stable
SIM card associated with that long-term-constant phone number, then it
doesn't really matter if your IMEI is also constant or if you send the
output of a PRNG (or even a TRNG) to the network as your IMEISV every
time your phone/modem fw does the "register" operation.  The constant
SIM card with its IMSI, as well as the associated MSISDN (phone number
for your family and friends to call you at), is what tells the network
that "you" are still the same "you", no matter what device you use or
what IMEISV it transmits.  Yes, you can deregister from the network,
then re-register with a different IMEI, making it look like you turned
your phone off, moved your SIM card to another phone, then came back
online with the latter - but what would be the point?

Instead, there are only two scenarios I can think of in which it would
make sense to change the IMEI of a GSM device:

1. If you really want to "disappear w/o trace", such that you discard
   your old SIM, get a new SIM (prepaid, presumably) with a different
   phone number (and deliberately make yourself unreachable at your
   old one), and you want to make it look like the user of the new SIM
   is a different person from the user of the old SIM - in this case
   the same IMEI would indeed give you away, so you might want to
   change it in this case.

If the above applies to you (and it does *not* apply to me, as changing
phone numbers constantly would defeat the whole purpose of a cellphone
for me), then you need to be careful to change your IMEI *at exactly
the same time* when you change your SIM - if there is any time skew
between these two changes, such that a network sees {old IMEI, new SIM}
or {new IMEI, old SIM} at any time, even just once, your anonymity
effort will be instantly brought to naught!  If you want to do this, I
would recommend pulling your old SIM out first, throwing it away, then
doing the IMEI changing operation on the SIM-less modem, and then
finally inserting your new SIM.

2. Changing one's IMEI may be necessary if your "legitimate" IMEI from
   the manufacturer of your GSM device has been wrongfully banned or
   blocked by some GSM network you wish to use, and you need to use
   some non-blocked IMEI in order to get on the network.

The wrongful ban scenario is particularly frightening when applied to
whole classes of devices, rather than individual units.  The first 8
digits of the IMEI comprise the Type Allocation Code (TAC), which is
supposed to be allocated per each device type.  Hence if all
manufacturers involved played by the rules (of which I have no
knowledge), then every IMEI beginning with 35278901 is supposed to be
a Pirelli DP-L10, every IMEI beginning with 35465101 is supposed to be
an Openmoko GTA02, and so on.

What if some repressive network operator decides to block all IMEIs
belonging to easy-to-hack Calypso devices, e.g., block all IMEIs
beginning with 35278901 or 35465101, on the reasoning that "only a
criminal would want to use one of these phones"?  In that case we will
need to lie to that network and pretend to be some Apple/Samsung/etc
device in order to get GSM service, i.e., use an IMEI from one of
those "sheeple device" ranges.

VLR,
SF



More information about the community mailing list