Security implications of CPID Pixel phones

TempCpidEnquiry

My current Pixel 4a 5G is end of life and while looking for a newer pixel phone in Pakistan I have come across some phones which have their IMEI swapped with the cheaper phones' IMEI in order to avoid the heavy taxes by PTA(almost 50% of the actual cost of phone in some cases).
The process called CPID is apparently rootless and done over the air.

I am wondering whether I should consider these CPID activated phones for my graphene OS use. I don't know whether the IMEI will persist after flashing the graphene OS and I am not sure about the security implications of having an IMEI swapped through some shady patches.
Cost of CPID is less than half of the PTA Tax.

Can anyone please explain what CPID actually does and what are the security implications behind it. Also I would purchase a brand new Pixel 8 or even 9 but the taxes are too high in Pakistan, so I'm considering used 6a or 7a with PTA taxes paid(by me), unless this CPID thing is okay to do security wise.

de0u

TempCpidEnquiry Can anyone please explain what CPID actually does and what are the security implications behind it.

Without knowing exactly what they're doing it's hard to say what the implications are, and it's unlikely they'll say what they're doing.

One thing to keep in mind is that a motivated and careful carrier can detect a smartphone with a bogus flip-phone IMEI, because a smartphone accesses the network differently.

Blastoidea

That is not something I would do, but many will disagree.

Just because you can make an argument for it, does not make it a good idea.

TempCpidEnquiry

Blastoidea are you saying this because it's less ethical or less secure? I'm a bit confused.

Blastoidea

TempCpidEnquiry
I think changing an IMEI is bad juju.

Just my quaint gut feeling.

TempCpidEnquiry

You are all right but I think I did not formulate my question correctly so here is the question.
Provided that there are some tools that allow people to "officially" change the IMEI of pixel devices does that change disturb the integrity of the OS? After installing graphene OS will it give me some errors related to that?
And what other things can those same tools do to the Pixel device, especially in terms of security violation.

As far as I know the process of changing the IMEI is you go to their website, give them your IMEI and some money and they swap your IMEI with another phone's IMEI. Now this process does not involve handing over their device physically so they only have your IMEI and the changed IMEI. I am less concerned about the government knowing about this change because IMEI is unique anyways whether it's the genuine one or the replaced one. But I am more concerned about whether those tools could possibly do some other changes that affect the security and privacy of my grapheneos device. Should I be worried about that?

It should also be noted that the CPID way of changing IMEI is not just for pixels. It is widely used for Samsung devices and I think iPhones as well.
Changing the IMEI used to be a rooted process before so I never considered it an option because I do not like my device to be rooted but now that it is rootless and now that all the devices in the market are CPID already due to customer demand I am not sure what to do.

Thank you for your interest and help so far.

de0u

TempCpidEnquiry As far as I know the process of changing the IMEI is you go to their website, give them your IMEI and some money and they swap your IMEI with another phone's IMEI. Now this process does not involve handing over their device physically so they only have your IMEI and the changed IMEI.

How could that work? Your phone's IMEI is stored in the phone. How would you imagine that somebody just knowing your phone's IMEI would be able to change it?

I watched a little bit of a randomly-chosen YouTube video. It seemed to me as if maybe the process included enabling adb access from a computer, and then perhaps running an app on the computer to enable some anonymous person to have privileged access to the phone. If so, what would happen after that is unclear. Offhand it's not clear that would be a safe process.

TempCpidEnquiry I am less concerned about the government knowing about this change because IMEI is unique anyways whether it's the genuine one or the replaced one.

I don't understand this part. Again, devices have various behavioral characteristics that differ in detectable ways. If somebody swapped car license plates between a Honda miniMOTO motorcycle and a Tesla Cybertruck, would people be fooled? Would a toll collector at a bridge agreeably charge the Cybertruck a discount toll because it had a license plate from a miniMOTO? Phone models differ in ways that aren't visible to the naked eye, but are visible to a cellular carrier.

TempCpidEnquiry

de0u How could that work? Your phone's IMEI is stored in the phone. How would you imagine that somebody just knowing your phone's IMEI would be able to change it?

As per my limited understanding it's done using leaked official pixel software and over the air. But that's just what the sellers say.

TempCpidEnquiry

What i meant was that I'm less concerned about the government knowing I have swapped IMEI and more concerned about what other things those CPID service people could do to the phone.
You are right that we can't really hide it and motivated enough cellular providers can and will detect it.

About CPID process and it involving ADB, I'm not sure and I consider it shady too. I will stay away from CPID.

Getting a little off topic but another way is that i buy a non PTA pixel (whose taxes have not been paid), cellular won't work on it after two months grace period. And I buy another Chinese phone with large battery to work as my normal calls/sms plus 24/7 hotspot.
Is that setup going to reduce the security and privacy benefits of graphene os? Or maybe enhance it?
Basically the Chinese phone will be debloated and act as a dumb 4g device. And pixel will be always on airplane mode WiFi only device.

GrapheneOS

TempCpidEnquiry Sounds like a scam rather than something legitimate. Does not come across as something real at all.

thmf

mg95 I dont know any more details, I asked the seller and they also don't know how the IMEI was swapped

Since even the seller doesn't know what they are talking about, I guess this may be relevant:
https://discuss.grapheneos.org/d/18900-security-implications-of-cpid-pixel-phones

I'll quote the message by GrapheneOS project account which is closer to the end of the thread and is the most relevant part of it all:

GrapheneOS Sounds like a scam rather than something legitimate. Does not come across as something real at all.

https://discuss.grapheneos.org/d/18900-security-implications-of-cpid-pixel-phones/10

TempCpidEnquiry

It's hard to find even genuine boxed pixel here, people make copies of Google pixel boxes and sell counterfeit pixels in them. So IMEI swap being an illegal yet working thing is understandable to me.

The market is saturated with these phones and it's not for me.

So I'm stuck with my pixel 4a5g until new pixels come out and hopefully prices drop.
I also want to get an ultrasonic fingerprint sensor pixel as I've read the normal one doesn't work with privacy protector, so I guess some wait is necessary. (Pixel 9 costs double it's global price here)

the_outlaw

@TempCpidEnquiry Hey mate. I have something to discuss with you. Lemme know if you find any possible CPID approval way out there. The process is legit. I am currently doing some research on this stuff. Actually I've worked on a similar project before but that was related to unlocking a carrier locked pixel device which according to my knowledge nobody was doing and I got my 4a 5G unlocked and officially PTA approved ans have been using it since then. For your information, all that happens in the CPID method is that they manipulate your requests to the carrier which somehow makes them believe that you're using some other phone. The thing you're asking related to the OS changing and CPID affecting that is highly impossible cuz it hasn't got anything to do with that. However, my reasearch is still not complete. I am unlocking a Pixel 6 Pro now but the same service that I disabled to unlock the 4a 5G isn't actually turning off permanently. It keeps getting locked after like 2 or 3 days. But if I somehow get it CPID in between that time. I might crack the loop and get a carrier locked pixel working just like I got my own phone. So we can have a chat if there is any info you might be wanting to share that you have come accross lately. [removed]

Removed Instagram username.

grapheneosenjoyer1233

Did anyone actually try flashing grapheneOS on a CPID pixel? did it work?