Is IMEI deanonymizing you on every reboot?

The golden rule of phone privacy is that you never turn on your WAN anywhere near places attached to your name, or other devices that have ever connected to the internet in such places, or those of your social connections, or even taxi drivers who collect you from such places. Otherwise I can offer a mountain of ways that you can be deanonymized, sometimes down to your passport number. Not that Huawei telco equipment would do that because their website said it doesn't. But just theoretically, I mean.

Which brings me to a very important point: IMEI is immutable. It's a tag on your ass. (Nobel Peace Prize for the first vendor to offer an escape from 1984!) This implies that, in order to follow the above golden rule, you must never allow your phone to utter it, even once, unless YOU explicitly enable WAN access. I am worried that this assumption may be violated in a manner beyond your control:

First of all, suppose you have an Android phone which has been in airplane mode for a long time. It's therefore "safe" to go ahead and replace its firmware with GrapheneOS, which overall is probably a great idea. You're not stupid so you don't do this at home, in order to distance a phone running the (very rare) GrapheneOS from your home wifi (and for that matter your leaky VPN). You show up at a random coffee shop miles from your home. Now you boot up your laptop (with full battery) and connect to the shop wifi. Or perhaps you boot your other phone and hotspot your laptop to WAN. Either way, you just deanonymized yourself because you broadcast either your laptop wifi MAC or your other phone's IMEI. So if you're smarter still, you would disable your laptop wifi before leaving home, and buy a plug-and-play USB wifi dongle on the way to the coffee shop. And by the way, you rode your bike there (in dark or at least cloudy conditions) because you realize that a taxi driver's cellphone is just a proxy for your own location, connecting your home to the coffee shop.

So far so good, Sherlock! You boot up your laptop, connect to the GrapheneOS site, and start the install process. As part of that process, the phone needs to reboot. Uh oh, here we go...

Scenario 1

GrapheneOS starts its first boot. It first initializes the baseband module and tells it to search for WAN networks, blurting out the IMEI in the process. If you ever use the phone again, it will be tied to the coffee shop. If you cut corners on any of the above steps, well, too bad, you're irrevocably deanonymized. Hopefully the coffee shop camera isn't hacked, in which case all of that prep work is for nothing if the video is being connected to a face recognition database somewhere (not that a small company like Alibaba would be able to do that, obviously). Let's just punt on that one and pray that such threats aren't yet pervasive in 2023. Just don't sit next to that guy playing TikTok, or for that matter at the table right under one of the store's many cameras.

Scenario 2

GrapheneOS starts its first boot. It knows that it shouldn't enable WAN unless and until you instruct it to do so. However, your baseband module was designed by security ignoramuses. As soon as it powers on, it automatically broadcasts its IMEI as part of its hardwired initialization process. Game over.

Scenario 3

The previous scenarios are just fiction. I'm a fool for being so wrong, and we can all rejoice.

So, hive brain, which one is it...?

    I have no answer for you, but I applaud you for giving an understandable and to my eyes complete manual for anonymous GOS installation for the threat models that require it. Thank you!

      I would be out of my league trying to figure out which scenario applies to which classes of hardware devices out there, but this post piqued my interest as I've just read this 2019 paper and started chasing after apps that use the READ_PHONE_STATE Android permission.

      Though as I begin my journey into figuring out what threat model if any makes sense for someone like myself, I'd certainly love to hear about some of the ways one might be deanonymized down to their passport number because of something like chatty WAN-supporting hardware.

        • [deleted]

        lbc but this post piqued my interest as I've just read this 2019 paper and started chasing after apps that use the READ_PHONE_STATE Android permission.

        Can apps access hardware identifiers?

        As of Android 10, apps cannot obtain permission to access non-resettable hardware identifiers such as the serial number, MAC addresses, IMEIs/MEIDs, SIM card serial numbers and subscriber IDs. Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers. Apps targeting Android 10 will receive a SecurityException and older apps will receive an empty value for compatibility.

        Since these restrictions became standard, GrapheneOS only makes a small change to remove a legacy form of access to the serial number by legacy apps, which was still around for compatibility. It used to need more extensive changes such as disallowing access to the serial number but those restrictions are now standard.

        Apps can determine the model of the device (such as it being a Pixel 6) either directly or indirectly through the properties of the hardware and software. There isn't a way to avoid this short of the OS supporting running apps in a virtual machine with limited functionality and hardware acceleration. Hiding the CPU/SoC model would require not even using basic hardware virtualization support and these things could probably still be detected via performance measurements.
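        The identifier restriction described in the quoted FAQ, shown as an added example (not code from the FAQ, GrapheneOS or the poster): a hypothetical helper that probes each non-resettable identifier from an ordinary unprivileged app and records whether the platform threw, returned an empty value, or exposed it. Method names are the real Android `TelephonyManager`/`Build` APIs; the helper and its `Outcome` classification are assumptions of this example.

```java
import android.content.Context;
import android.os.Build;
import android.telephony.TelephonyManager;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical audit helper (added example, not GrapheneOS or FAQ code).
 * Per the FAQ: an app targeting Android 10+ without READ_PRIVILEGED_PHONE_STATE
 * gets a SecurityException; an older app gets an empty value for compatibility.
 */
public final class HardwareIdProbe {

    /** What this app actually observed for one identifier. */
    public enum Outcome { DENIED_BY_EXCEPTION, EMPTY_FOR_COMPAT, EXPOSED }

    public static Map<String, Outcome> probe(Context ctx) {
        Map<String, Outcome> results = new LinkedHashMap<>();
        TelephonyManager tm = ctx.getSystemService(TelephonyManager.class);

        // IMEI (GSM) and MEID (CDMA): non-resettable radio identifiers
        results.put("IMEI", classify(tm::getImei));
        results.put("MEID", classify(tm::getMeid));
        // SIM card serial number (ICCID) and subscriber ID (IMSI)
        results.put("ICCID", classify(tm::getSimSerialNumber));
        results.put("IMSI", classify(tm::getSubscriberId));
        // Hardware serial number via the current API (Build.SERIAL is the
        // deprecated field; assumed here to be the legacy access the FAQ mentions)
        results.put("SERIAL", classify(Build::getSerial));
        return results;
    }

    private interface Getter { String get(); }

    private static Outcome classify(Getter g) {
        try {
            String v = g.get();
            // targetSdk <= 28: platform returns null/empty instead of throwing
            if (v == null || v.isEmpty() || Build.UNKNOWN.equals(v)) {
                return Outcome.EMPTY_FOR_COMPAT;
            }
            return Outcome.EXPOSED; // only expected for privileged system apps
        } catch (SecurityException e) {
            // targetSdk >= 29 without READ_PRIVILEGED_PHONE_STATE
            return Outcome.DENIED_BY_EXCEPTION;
        }
    }
}
```

        Run from any Activity or Service on a test device; any `EXPOSED` result for a third-party app would indicate the restriction is not in effect on that build.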


          [deleted] Thanks! Feeling silly, as I'd read this FAQ more than once but it contains so much knowledge that it's hard to assimilate all of it before tying it to practical concerns.

          tmwqjr

          I don't know the exact process that occurs, but here's how you can (perhaps) anonymously obtain a GOS phone and complete the setup anonymously.

          (Keep in mind this is for speculation purposes only for high-caliber threat models. this is not an endorsement of criminal activity, nor is it advice on how to commit a crime.)

          -Purchase your Pixel with cash. Don't withdraw all of the money from your bank at once, though. Depending on your threat model, that could be suspicious.

          -Wrap the phone in multiple layers of tinfoil/place it in a faraday cage.

          -Arrive at the coffee shop on your bike/other mode of low-radar transportation. From within the Faraday cage, boot the phone, and immediately place it in airplane mode. This may be near impossible to accomplish in the way I've described because exposing the screen to set up the device could lead to some signal leakage, so I'm open to ideas. Anyway.

          -Set up the device and enable debugging and OEM unlock.

          -Boot your laptop on a Linux OS with a browser that is compatible with the GOS web installer that is configured to connect to the TOR network. I don't know if the regular TOR browser will work for this. I haven't tried.

          -Keep the phone as concealed within the Faraday cage as possible as you do the install process. This may still leak a signal so ymmv but this is the best I can come up with off the top of my head. Just make sure the phone is always in airplane mode on GOS and only use WiFi.

          If I'm wrong about anything please let me know.

            N1b You're very welcome. Pass it on to socially responsible people.

            Here's a bonus factoid: some VPNs allow naked source IPs to leak out of the device until they manage to start their app. It's insane that this is even possible but it's due to stupid race conditions in the whole scheme. Those few million bits are invaluable to traffic analysis.

            lbc The short answer is: if a data set is feasible to collect and worth the money to sell or exploit, then assume it's being done.

            The passport number thing is like this (and obviously just one of many deanonymization routes):

            You started using your GrapheneOS phone in Argentina. Let's say for the sake of argument that you connect to a 5G tower down there with a base station provided by Huawei. At bare minimum, I would expect your IMEI to be relayed over the internet to some servers in China. Using triangulation, we could even get your location, but it's enough just to know you're hanging out in Buenos Aires. Now you decide it's time to go on that safari trip you've been dreaming about. So you book your tickets, and a month later, you pop out in Kenya. You're not an idiot, so you never turn on your WAN anywhere near the airport or the connected taxis, let alone while passing through immigration. You might have connected to the airport wifi, but with MAC randomization that should be OK. (As in, you're immune to trivial deanonymization, and instead an attacker would need to apply costly traffic timing and sizing analysis to "see" you through your VPN or whatever). But...

            How many people from Argentina do you think left the country on September 1 and arrived in Kenya on September 2? I dunno but probably just YOU! Now if the telco infrastructure in Kenya is also Huawei, or any other company which connects to those same servers in China, then you can see where this is going. "Ah ha! The guy with IMEI number X must have been someone on the plane that left Argentina on September 1." Now all you need to do is eventually fly back home, and it's checkmate! Why? Well, a simple logical-and function of the passenger manifests will reveal you. If you happen to have backdoor access to Kenya's immigration servers (not that you would find any reporting of that online) then it's game over right there. Otherwise they might have to wait until you check in to a hotel or make the unforgivable error of registering a SIM card in your own name, in order for your passport number to get ejected to some endpoint which is a bit more accessible.

            But why would "they" care? The Chinese don't, so long as you're not a bother to them, and hey, you're just a guy going on a safari. But imagine if they could then go to either government involved, and say, "Here's a pile of location data tagged with IMEI. For a small price per IMEI, we'll show you all the places they've been, and when, to the extent that they've connected to our poisoned telco equipment. Then it's all up to you how you want to exploit the people attached to them."

            It all starts with exfiltrating all the intel that your "cheap and efficient" security devices capture, including all your telco equipment. Then do a bunch of correlation analysis. But...

            Modern intelligence fusion over there already makes a mockery of my scenario here. This is really trivial shit. And obviously Huawei isn't the only busybody around, but rather just the most infamous one.


              88dotorg I get where you're coming from. Out-of-the-box GrapheneOS definitely has its market niche. It's a convenience-vs-security thing. The thing is, I think the majority of such companies are legit, but now I have yet another party that I need to trust. Trusting GrapheneOS to be free of supply chain attacks is already a big ask (and I'm mostly satisfied in that regard). Now I have to trust this vendor, and obviously the mail system. I'm personally so not brave. If nothing else, it would be hard to avoid tying the device to my address.

              And if it's not obvious, the only way to buy a phone or anything connected to it is with cash, bitcoin from untraceable sources, or privacy coins.

              Albus_DumbleDork I'm not sure how easy it would be to fit in at a coffee shop if you're carrying around a phone wrapped in tinfoil, but probably there are similar strategies, like hanging out in the bushes across the street, if you know the coffee shop wifi password and can manage enough bandwidth to finish the process before your laptop dies. Or if you're super lucky to find an open wifi. I'm also really unsure of how effective the Faraday cage would be, but it might be enough to prevent you from reaching the nearest tower. In theory, you only need to keep it wrapped during reboots (because airplane mode might be temporarily ignored, deliberately or not).

              Regular Tor browser does not provide Tor routing outside the browser itself. There are other ways to do it, but probably not worth the trouble (and it fingerprints you as the only Tor user in town). As long as you follow the low-radar transport rule (and ideally will never visit the coffee shop, or use that USB wifi dongle, more than once), you should be anonymous, as much as that still means anything in 2023.

              And please, please change your phone's name before (under the previous OS) and after (under GrapheneOS once you've left the shop) the install! Mandatory! And definitely don't enable hotspotting on any device with the same SSID that appears elsewhere in space and time.

                tmwqjr In my opinion, GrapheneOS, of the operating systems on the market, is the best of what I have used in terms of security and privacy, both in terms of hardware and the system itself. If I am in Argentina or any country and I want to install the GrapheneOS operating system, I would install it in a remote place, a town, etc., I would use the phone via Wi-Fi and in airplane mode, the latter when I am not using it, I would use a disposable computer just to download the GOS system. What is your solution about this, is everything lost? Or is there any possibility?

                tmwqjr If you happen to have backdoor access to Kenya's immigration servers
                I see! No need to convince me how plausible that is, I just didn't think you were referring to state actors. (Or other above-the-law type of private actors.) And you're right, "intelligence fusion" as you so elegantly put it makes this not only plausible in concept but trivial in practice over there. And I'm worried that we are not so far behind over here.

                tmwqjr for your passport number to get ejected to some endpoint
                I'm more curious about how this might work.

                tmwqjr imagine if they could then go to either government involved, and say, "Here's a pile of location data tagged with IMEI.
                To my understanding this is what data brokers are known to do, at least in the USA. I'm more bothered by this type of thing than by the idea of being monitored or investigated by some nation's intelligence service.

                • [deleted]


                Albus_DumbleDork I don't know if the regular TOR browser will work for this.

                Firefox does not support WebUSB [1], and since Tor (Browser) is based on Firefox [2], it does not support WebUSB either.

                I've locked this thread, as it has not been a high quality discussion, and instead includes a lot of speculation. I suggest searching through this Forum to find previous conversations on related topics.