General (Solved)

Can carrier or SIM card owner remotely wipe my phone

Many SIM card providers say that if you report your SIM card or phone IMEI as stolen, they can remotely wipe your phone. My employer offers SIM cards they pay for, but they say that by using their SIM card, you agree to give them permission to remotely wipe your phone if they believe it has been stolen.

Does this remote wipe based on SIM or IMEI work on GrapheneOS, or does GrapheneOS block that?

Are there other capabilities that the carrier or registered SIM card owner can do like this? I know the GrapheneOS documentation says they block most configuration pushing to device, but are there other things?

Am I correct to assume the carrier or registered SIM card owner cannot fetch any data from the device remotely, such as list of installed apps or list of files on the device?

    It was my understanding that the network would block your phone's access to the general mobile networks, using your IMEI as the reference. However, you could take it to a country that does not comply with that self-regulation, whereupon it would work.
    Now if your employer, or whoever, had installed an appropriate app, and Cerberus used to do it, then they could do all sorts of things remotely, provided it was still connected to the network. Therefore you couldn't report it gone and then mess with it. But you could make it useless, then report it.

      PaulDavis I didn't understand it as my employer requiring me to install any specific app at all, and someone I know reported their phone stolen once (private SIM card, not an employer one), and the SIM card provider said they would both trigger a remote wipe and block the IMEI from connecting, but couldn't promise either would work.

      Let's say that my employer does require an app to do this. Can any app installed on a GrapheneOS device trigger the wipe procedure, or are special permissions needed for that, which I as the user must grant?

      Okay, I searched around a little, and on modern Android and iPhone devices it seems remote wipe can only be triggered through something called MDM, or FindMyDevice functionality. The websites I found also say that companies almost always require you to enroll your device in MDM, whatever that means, so maybe my employer would too.

      Is it correct that GrapheneOS does not have any built-in support for either MDM or FindMyDevice functionality, and thus no built-in support for remote wiping of the device at all? Is it correct that if I only use a private SIM card (not an employer one), no one at all can remotely wipe my phone? I also still wonder if my carrier can see what apps I have installed. I guess not?

        ryrona My employer offers SIM cards they pay for, but they say that by using their SIM card, you agree to give them permission to remotely wipe your phone if they believe it has been stolen.

        This is the same as the Intel Management Engine for laptops via the Google Admin console.
        "Add company-owned devices to the inventory" (Google Workspace admin)

        Does this remote wipe based on SIM or IMEI work on GrapheneOS, or does GrapheneOS block that?

        No, remote access is not possible by default with GrapheneOS. Even access like 'Find My Device' is not possible.

        ryrona

        MDM is a very popular thing. Pretty much any company which issues its employees laptops or mobile devices of any kind will have them managed (MDM = Mobile Device Management) by the company through MDM.

        Your assumption about using a private SIM is not necessarily correct. It's possible that through an MDM you wouldn't even be able to use a private or secondary SIM, as they would disallow it.

        If a device has an MDM on it that basically means the device will use any available network connection to "phone home" for the sake of validation. If the device serial number/IMEI has been blacklisted or selected for remote wipe, the device is toast.

        ryrona Is it correct that GrapheneOS does not have any built-in support for either MDM or FindMyDevice functionality, and thus no built-in support for remote wiping of device at all?

        I believe GrapheneOS does include MDM support, but most MDM solutions won't install correctly: https://discuss.grapheneos.org/d/4411-does-gos-play-well-with-mdm-for-corporateenterprise-environments/2

        The way a GrapheneOS user can be protected against an MDM wiping the device is to refuse to install an MDM.

        ryrona you agree to give them permission to remotely wipe your phone if they believe it has been stolen.

        Most likely this (wipe) will/can be done by the app that is part of MDM enrollment, for which you need to grant Device Admin permissions during installation; otherwise the enrollment will not complete.
        Some email apps (Exchange) also ask for Device Admin on install. This can be part of the company policy enforced for mobile devices.

        Theoretically, the mobile operator can do it in a hacky way other than using MDM, for example by an AT command triggered by an SMS Type 0 (which is often confused with "Class 0") or some hacky WAP/MMS message, IF the mobile device is vulnerable.

        Thank you all for your responses. Sounds like I don't have to worry about remote wipe as long as I myself avoid enrolling my phone to an MDM system.

        Wiping the device requires granting an app device admin permissions, as is the case with MDM apps etc.

        It cannot be done if you don't install such an app on your system, no.
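The mechanism the last two replies describe is the Android device-administration API, and the following is an added illustration of it (not code from this thread, from GrapheneOS, or from any MDM vendor). The package, class and receiver names are hypothetical. The point it shows: an ordinary app cannot erase the device; `DevicePolicyManager.wipeData()` throws a `SecurityException` unless the calling app owns an active device administrator whose policy file declares `wipe-data`, and the only way to become one is the system "Activate device admin app?" dialog, which the user must accept. On AOSP-derived systems such as GrapheneOS this dialog is what "Device Admin permissions" in the replies above refers to.

```java
// Hypothetical package and class names; added example, not from the thread or any project.
package com.example.wipedemo;

import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

/*
 * Two resources the platform requires before it will even offer the admin prompt.
 *
 * res/xml/device_admin.xml (declares which policies the admin may use; without
 * <wipe-data/> here, wipeData() is refused even after the user activates the admin):
 *
 *   <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
 *     <uses-policies>
 *       <wipe-data />
 *     </uses-policies>
 *   </device-admin>
 *
 * AndroidManifest.xml (the receiver must be protected by BIND_DEVICE_ADMIN so that
 * only the system can invoke it):
 *
 *   <receiver android:name=".WipeAdminReceiver"
 *             android:permission="android.permission.BIND_DEVICE_ADMIN"
 *             android:exported="true">
 *     <meta-data android:name="android.app.device_admin"
 *                android:resource="@xml/device_admin" />
 *     <intent-filter>
 *       <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
 *     </intent-filter>
 *   </receiver>
 */

/** Receives admin lifecycle callbacks from the system. */
class WipeAdminReceiver extends DeviceAdminReceiver {
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        // The user accepted the system dialog; wipeData() is now permitted for this app.
    }

    @Override
    public void onDisabled(Context ctx, Intent intent) {
        // The user deactivated the admin in Settings; wipeData() will throw again.
    }
}

public class WipeDemoActivity extends Activity {
    private static final int REQ_ACTIVATE_ADMIN = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(this, WipeAdminReceiver.class);

        if (!dpm.isAdminActive(admin)) {
            // Not an active admin: the OS will not let this app wipe anything.
            // The only route is to ask the user, who sees a system dialog listing
            // every requested policy, including "Erase all data".
            Intent ask = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
            ask.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
            ask.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                    "Lets the company erase this phone if it is reported lost.");
            startActivityForResult(ask, REQ_ACTIVATE_ADMIN);
            return;
        }
        attemptWipe(dpm);
    }

    /** Returns true only if the platform accepted the wipe request. */
    static boolean attemptWipe(DevicePolicyManager dpm) {
        try {
            dpm.wipeData(0); // factory reset; on a real device this is irreversible
            return true;
        } catch (SecurityException e) {
            // Thrown when the caller does not own an active admin with <wipe-data/>,
            // i.e. the user never granted (or has since revoked) device admin.
            return false;
        }
    }
}
```

To audit your own phone for apps that have been granted this capability, look under Settings > Security > Device admin apps (the exact menu path varies by Android release), or over adb run `adb shell dpm list-owners` for device/profile owners and `adb shell dumpsys device_policy` for the full list of active admins and the policies each one declares. If that list is empty, nothing on the device can call `wipeData()` on its own, which is the condition the thread arrives at.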