@GrapheneOS and anyone concerned with prospective security enhancements.

I'm at the evaluation stage in which I'm trying to figure out which "secure" OS to use with which phone. GrapheneOS caught my attention because it seems to offer most of the advantages of Android without the Googleware. I've been reading the forum here, trying to figure out what it does and doesn't offer. I'm encouraged to learn that it has certain features such as per-profile network access denial (which isn't a perfect exfiltration block but goes a very long way) and per-connection (whatever "connection" means) wifi MAC address randomization. (It's funny how my existing Android phone makes the same claim, but the MAC never seems to change. Untested crap!) However, there are some other features which it doesn't seem to include, which would be extremely useful. Your feedback is invited. Apologies if some of these issues have already been addressed, but I haven't been able to determine that in my limited browsing of the forum.

  • Warning popups on every attempt to enable location, WAN (i.e. airplane mode exit), wifi, or Bluetooth. (And definitely, all disabled by default on first boot, lest you accidentally tie the phone to your personal identity when you carelessly flash the firmware in your living room.) It's only too easy to tap one of these buttons by mistake. I'd want a dialog to come up asking me if I really want to enable one of these hazardous features. (People who don't want this could then check the "don't warn me again" box, or reenable the warning in the settings.)

  • IMEI randomization. Perhaps this violates ITU standards because in theory it would allow me to impersonate another user, but in the worst case, a dropdown with 100 of them from which to choose would be quite sufficient. It's also fine if I need to reboot in order for the changes to take effect. What's definitely NOT OK is being chained to the same IMEI throughout the life of the phone. That makes it super easy to track my location and know that "me" is the same "me" who hangs out "over there". Yes, this can all be done with traffic analysis anyway (even if it's all onion routed), but that demands a degree of intelligence competency that not all adversaries have. For example, various drug cartels are known to have installed their own base stations so they can hunt their competitors, which is easily facilitated via a constant IMEI. I suspect the answer to this is "We can't do this because it's the property of the baseband module". To which my response is "How might we hope to obtain a phone with a noncompliant baseband module and an OS IMEI override function?" Heck, even 2 baseband modules, each with its own IMEI, would be a marketable start.

  • Antenna timeout. This is the poor man's solution to the constant IMEI problem: I wish I could set a timer in the settings that automatically shuts down all antennas after some number of minutes (just like the screen lock timeout). It's a real pain to have to walk around holding my phone in my hand so I don't forget to enter airplane mode when I finish a phone conversation. It would be more convenient to keep it in my pocket but not have to worry that I might forget, and end up taking a 5G tracking device back home with me.

  • Location spoofing. It would be nice to freeze my location at the hotel long after I've checked out. Some apps apparently check for movement, so adding a bit of dither over time would help. Ideally, I'd want location recording and looped playback (but that's major so I don't expect it). Just disabling location isn't always good enough because certain apps refuse to function under such regimes. So like: location on, off, or frozen and dithered.

  • Location timeout. Same thing as antenna timeout but for autodisabling location (or entering frozen dither) after so many minutes.

  • Wifi environment blocking. I think GrapheneOS already does this, but I haven't been able to find any specific guarantee. In other words, I don't want any app to know the SSID to which I'm connected, or any SSID in the vicinity (which is a proxy for location).

  • Local IMEI and phone number blocking. Can I prevent apps from learning this information? Probably, but I'm not sure how. (For example, Google lets you create some fixed number of accounts per year, per phone. How are they enforcing this? Maybe they don't send your IMEI to their servers, but either way, they're obviously tagging the phone.) Ultimately, it's all but impossible to prevent apps (or profiles, in the broader sense) from fingerprinting your phone. But cutting off access to these variables (or providing random values every time) would be a step in the right direction if that's not already the case.

  • Bluetooth ID customization. I'm no expert on this, but it seems to me that Bluetooth entails a device descriptor string, a connection PIN, and a MAC. Being able to change all these would be helpful. However, I realize that apps would need access to the names of connected devices so for example a blood glucose monitor app knows which one to talk to. The most rigorous implementation would allow me to specify which individual devices a given profile could know about.

  • This isn't a feature, as such, but it would be nice to have a guarantee somewhere (maybe already in some doc I'm unaware of) which says that airplane mode means: (1) You don't get any 5G emissions, ever. Not when you reboot. Not when you patch your OS (which iOS violates upon every major version number upgrade, rebooting with the antennas blaring). Not on the way to a power down (not even if "send last location" happens to be enabled). No IMEI leakage due to baseband module testing during powerup or powerdown. No single-bit pings. No WAN photons, period. (2) Turning it off only enables WAN. It doesn't do the nutty iOS thing of enabling wifi or Bluetooth when you exit it. But it's fine if wifi and Bluetooth get disabled as a side effect when entering the mode, which could come in handy when one wants to silence the phone ASAP.

I realize that GrapheneOS is freely available, and as such, we can't just expect things to happen even if the team itself wants them to. My goal here is just to provide some prospective features to contemplate adding in the future (or to be rebutted because they already exist in some way).

    tmwqjr What's definitely NOT OK is being chained to the same IMEI throughout the life of the phone. [...] I suspect the answer to this is "We can't do this because it's the property of the baseband module". To which my response is "How might we hope to obtain a phone with a noncompliant baseband module and an OS IMEI override function?"

    I suspect that for the foreseeable future the most practical way for you to switch IMEIs will be buying a bunch of phones on eBay and rotating them. That's aside from the question of what government attention you might attract by having a stream of IMEIs at your location.

    Another option might be an IMEI-free device such as the Pixel Tablet.

    Bluetooth ID customization. I'm no expert on this, but it seems to me that Bluetooth entails a device descriptor string, a connection PIN, and a MAC. Being able to change all these would be helpful.

    I believe changing your Bluetooth MAC would unpair you from all existing pairings. Is that your intent?

    Overall I suspect some things on your list may happen within a few years (e.g., location spoofing) but some are genuinely unlikely within that time frame (changing IMEIs). Some might be advanced if you were in a position to dig into the code and provide patches.

      Re: IMEIs, from the GOS site:

      It is not possible to change the IMEI on a production device and GrapheneOS will never add support for this.

      https://grapheneos.org/usage#carrier-functionality

      I'd be interested to hear more about the hurdles that GOS faces regarding IMEI changes. What's the motivation for the use of the word "never"?

        Titan_M2 when I was a kid I found a phone that had been blacklisted. I took it to the phone repair shop and he said it had been blacklisted.

        When I asked if he could change the IMEI, he informed me that this is what terrorists do, so basically if you are caught with a phone that has the wrong IMEI then you'll be classed as a terrorist.

          de0u You brought up a good point. I hadn't considered the IMSI, Titan_M2. Given that IMSI, ICCID, and MSISDN all travel with the SIM and not the phone, it seems like what we want is an IMEI that's a hash of the SIM data somehow, but with some fixups that make it plausible, i.e. a recent model-year popular phone brand. That way, when you pop in the same SIM, you get the same IMEI. That being said, if the GrapheneOS answer to dynamic IMEI is "never" (thanks zzz, I had not seen that note), then, yes, the best practical solution is to carry N phones obtained from random street vendors, and never switch between them within a small radius of time and space. Then use them purely as wifi hotspots for your actual GrapheneOS phone. This should protect you from cartel-level deanonymization (but it won't keep you private from first world intelligence services because they have way more information to leverage).

          As to Bluetooth, the more I think about it, the more I'm convinced that it's irrevocably insecure just like IMEI but worse, because even if you change the phone's ID or PIN, your Bluetooth-enabled headset or whatever still identifies itself in the same way. I assume by default that the world is loaded with devices that attempt to pair with whatever walks by, if only to extract a fingerprintable reply and thus map people to locations. Therefore perhaps it's less important to enable the alteration of the metadata on the phone itself.

          I'm not expert enough to provide patches, so unfortunately all I can do is sit here and beg for features. But I'm happy with that if the discussion eventually produces a net benefit to the innocent majority. I'm not blind to the fact that privacy tech benefits the bad guys, too. It's a lesser-of-evils tradeoff.

          L8437 As to having a "wrong" IMEI and being flagged as a terrorist, the above solution is a perfectly legit, if awkward, workaround (because even malware-laden used phones have original factory IMEIs). And even so, it's hard to see someone getting arrested for an IMEI hack, even if it's technically illegal. Well, maybe under some authoritarian regimes. The thing is, criminals are so sophisticated these days that you have to think like one just to protect yourself in certain jurisdictions. It's an information arms race with no compelling offramps.

          Changing IMEI in almost all threat models is security/privacy theater - even if you changed it, it doesn't slow down a knowledgeable actor from continually identifying you because there are several other identifiers in the cellular network that don't change.

          Changing IMEI leaves IMSI, phone number, ICCID, MSISDN the same. If you managed to change IMSI at the same time from something like PGPP then you still leave the rest untouched. If cellular network tracking is of your concern, GrapheneOS tells you in their guides to avoid it entirely or use Airplane Mode.

          Some services like Silent Link broadcast less information by using a foreign data provider on Roaming, but that would make you appear like you are a foreign user roaming instead.

          zzz What's the motivation for the use of the word "never"?

          Because the IMEI is burned into the (isolated) hardware and cannot be changed. In most cases changing the IMEI is only possible either by a reverse engineering process or an exploit on that hardware. Any 'IMEI change' Xposed module etc. just changes the IMEI value that apps in the operating system see. It is extremely unlikely for an exploit like this to exist that doesn't end up being a cause for other security issues in that hardware. GrapheneOS will always patch firmware for security.

          There are cellular routers with IMEI change firmware (like what SRlabs have done with research: https://github.com/srlabs/blue-merle) but again, you'd need to constantly change SIM to actually make discovery difficult, which also comes with the costs of sourcing several SIMs.

          Only really old cellphones make up the majority of phones that have an exploited and reverse engineered baseband. OsmocomBB is an open-source GSM baseband firmware used to replace the firmware in old Motorola phones that had their baseband processor's register-level instruction manual leaked. It's not used for spoofing but rather for cellular network snooping and analysis.

          There are tons of "products" sold by unknown (probably criminal-oriented) organisations who try to sell products advertising privacy features and do not transparently disclose how their "security" works, which comes down to modding old, insecure garbage or trying to focus on making communications with the cellular network 'secure', which simply is impossible because of how flawed the network is.

          The security-conscious avoid the network completely or use an implementation made to avoid trusting that network. Think about what people use instead of phones:

          High-security government communications run their own fixed networks to deploy phones instead: https://communications.sectra.com/product/mobile-communication-up-to-secret/

          If they use a cellular network, they use a solution that involves encrypting between the two phones:
          https://www.electrospaces.net/2012/06/highly-secure-mobile-phones.html

          Law enforcement uses encrypted radio systems like TETRA instead of phones: https://www.sigidwiki.com/wiki/Terrestrial_Trunked_Radio_(TETRA)

          UK Government use an Internet-based messaging service (WhatsApp, I know, terrible) instead of a cellular network: https://www.bbc.co.uk/news/uk-wales-65776560

          The Pixel Tablet has no cellular radio so you can have the GrapheneOS experience without this risk.

          I advise you to buy a Mudi 4G portable router and flash it with blue-merle:

          https://github.com/srlabs/blue-merle/issues

          It has IMEI randomization, and every time you put a new SIM card in it, it will change your IMEI address. Like other people said, changing your IMEI without changing your IMSI (SIM card) is not good. So every time you change your IMEI, make sure to use a fresh new SIM card in it.

            7 months later

            de0u government attention you might attract by having a stream of IMEIs at your location.

            In reality this is not a concern in most situations, since it is totally common to have countless IMEIs connected to a tower from the same area, as all the service provider normally sees is how many and what IMEIs are connected within a 50-150m radius area from a given base station (in cities there are multi-story buildings, so it means up to thousands at once...). Imagine smartphone repair shops, shopping malls, retail stores etc... 100k IMEIs a day on a single tower... if not more.

            Maybe in specific cases, in rural areas with 2 users on a tower, and if there is a targeted search for someone or something suspicious, they may notice like ten new IMEIs in the middle of the woods.... or if LE targets someone and triangulates the target (not in the middle of a shopping mall or a 100 home condo tower...) then they may find it sus if dozens of new IMEIs pop up at the same location that they are actively monitoring 24/7.

            What might actually be sus is when a sus target changes IMEI or IMSI "too frequently", but even in this case the target was already sus and monitored to begin with :) So it just becomes twice as sus :D GSM shops use the same SIM for over a year for thousands of devices (IMEIs) for testing... but LE is not breaking their doors.


              easthvan GSM shops use the same SIM for over a year for thousands of devices (IMEIs) for testing... but LE is not breaking their doors.

              Good point!

              I have a question about VoLTE and VoWiFi.

              Afaik you have a permanent VPN connection to the provider. When using the regular phone network, there would be no connection in airplane mode.

              If the primary idea is to avoid connecting to the provider, should one not use VoWiFi?

              And this is useless (for this purpose, not for security, which is probably better as less connection is done over insecure protocols) when using cell data internet probably, right?

              a year later

              Hathaway_Noa what kind of IMEI would this software generate? The first three elements or so stand for the device manufacturer or the device model. Anyway, it's device specific. A GL.iNet Mudi V2 would ship with an IMEI associated with GL.iNet. Will this software then create an IMEI that is also related to GL.iNet? Or will it be random? And: even if it's possible to change the IMEI and IMSI, aren't there an ocean full of other things to keep in mind in order to not be flagged as a person who changed his IMEI? Aren't there way more things that make you stick out from the crowd (from an ISP/network analysis perspective) if you change your IMEI this way?
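Two posts above ask what a "plausible" IMEI would even look like: de0u's idea of an IMEI derived from the SIM data with fixups so it resembles a popular handset, and the last question about whether a generated IMEI stays tied to the router's manufacturer. The format itself is public: a 15-digit IMEI is an 8-digit Type Allocation Code (TAC, whose first two digits are the Reporting Body Identifier) that identifies the make and model, a 6-digit serial, and a Luhn check digit over the first 14 digits. The Python below is an added illustration written for this thread, not code from GrapheneOS, blue-merle or any poster. It validates the check digit, splits an IMEI into its fields, and derives a deterministic, Luhn-valid IMEI from an ICCID so that the same SIM always yields the same value. The TAC pool and the ICCID in the usage line are constructed placeholders, not real GSMA allocations or a real SIM; the sample IMEI 490154203237518 is the commonly cited textbook example. This is pure format arithmetic: it does not and cannot change what a baseband reports, and, as the thread notes, the IMSI, ICCID and MSISDN still identify the subscriber regardless of which IMEI accompanies them.

```python
import hashlib

# Constructed placeholder TACs for illustration only; not real GSMA allocations.
# A real "plausible" derivation would draw from TACs of widely sold handsets.
PLACEHOLDER_TAC_POOL = ["01234567", "12345678", "23456789"]


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a 14-digit IMEI body (TAC + serial).

    Counting from the left, every second digit (positions 2, 4, ..., 14) is
    doubled, digits of products above 9 are summed (equivalently, 9 is
    subtracted), and the check digit makes the total a multiple of 10.
    """
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(body):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """True if the string is 15 digits and its last digit is the Luhn check."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> dict:
    """Break a 15-digit IMEI into TAC (model), serial and check digit."""
    if not imei_is_valid(imei):
        raise ValueError("not a valid IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def derive_imei(iccid: str, tac_pool=PLACEHOLDER_TAC_POOL) -> str:
    """Deterministically derive a Luhn-valid IMEI from a SIM's ICCID.

    The ICCID is hashed; the digest selects a TAC from the pool and a
    6-digit serial, so the same SIM always maps to the same IMEI and a
    different SIM to an unrelated one (de0u's "hash of the SIM data" idea).
    """
    digest = hashlib.sha256(b"imei-derivation:" + iccid.encode()).digest()
    tac = tac_pool[digest[0] % len(tac_pool)]
    serial = int.from_bytes(digest[1:5], "big") % 1_000_000
    body = f"{tac}{serial:06d}"
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    sample = "490154203237518"  # textbook example IMEI
    print(sample, "valid:", imei_is_valid(sample), split_imei(sample))
    # Constructed ICCID, not a real SIM.
    derived = derive_imei("8901234567890123456")
    print("derived:", derived, "valid:", imei_is_valid(derived), split_imei(derived))
```

Note the caveat the derivation makes visible: because the output is a pure function of the ICCID, anyone who already observes the IMSI/ICCID gains nothing from the IMEI being "different", and anyone who only sees the IMEI sees a stable per-SIM identifier, which is exactly the linkability the thread says IMEI changes alone cannot remove.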