The IMEI Code: Your phone’s other number

282 points| shortformblog | 1 year ago |tedium.co

170 comments

[+] BuildTheRobots|1 year ago|reply
Couple of thoughts

> The combination of the ICCID and the IMSI basically tells the mobile network, “hey, this person paid for a plan.”

As far as I remember, the ICCID never actually appears in standard network messaging. It might be possible for the network to request it, but it's not part of a standard 2/3/4/5g attach.

The piece seemed to miss two major uses for the IMEI (or I missed it when reading), which were working around vendor bugs and allowing emergency calling.

Radio firmware and state machines have always had weird bugs, and even when it conforms to standards (some of which are extremely interpretable), it does very weird things in the real world. Pre-smartphone, being able to update phone and radio firmware was extremely rare, so it was common for the networks instead to implement workarounds on a manufacturer or handset basis. Having a hardware ID that identified this was extremely useful.

GSM (and onward) actually supports a handset attaching to a network, even without a SIM card, for the sake of emergency calling. It needs some form of unique identifier for this to work. As much as it could (potentially, by entirely redefining the stack) use generated UUIDs, it makes some sense for these unique IDs to persist across roaming/sessions/reboots.

[+] kevvok|1 year ago|reply
> Radio firmware and state machines have always had weird bugs, and even when it conforms to standards (some of which are extremely interpretable), it does very weird things in the real world. Pre-smartphone, being able to update phone and radio firmware was extremely rare, so it was common for the networks instead to implement workarounds on a manufacturer or handset basis. Having a hardware ID that identified this was extremely useful

Now that it’s common for devices to be updated regularly, they will typically send an extended form of the IMEI to the network called the IMEISV, which is the same as the IMEI except the final check digit is replaced with a two-digit code indicating the current software version (SV = Software Version).

[+] lxgr|1 year ago|reply
> As far as I remember, the ICCID never actually appears in standard network messaging.

Yeah, that would be the IMSI (which a given SIM card can have multiple of, e.g. for switching to a more beneficial home network while roaming!)

The ICCID is useful for identifying a given physical SIM card (e.g. so that the phone can link a given user-selected profile name to it/the associated phone line for a "preferred line for contact" indicator in dual-SIM phones), and probably also as an identifier when dynamically assigning a new IMSI over the air.

> for the sake of emergency calling

The IMEI can indeed be an identifier of last resort for emergency calls. I wonder if some countries use it to block abuse/spam calls to emergency services, or more importantly, why some others don't?

In Germany, for example, SIM-less emergency calls are no longer possible, supposedly due to many people calling the local emergency number to test whether a used phone is in working condition without inserting a SIM card... I don't know what they're doing with the IMSI in that case, and if it's locking these callers out, why they can't do the same for the IMEI.

[+] ztetranz|1 year ago|reply
Fun fact: Lots of cellular modem/routers have the easy ability to change IMEI. Doing so is a fairly common practice in the rural internet community. i.e., those using cellular for their internet access either because cable / fiber or an official cellular option like T-Mobile home internet is unavailable or they're mobile in an RV.

These people are not trying to do anything particularly nefarious but they do it so that they can use a phone or tablet plan in a router. Unlimited or high GB plans for routers and hotspots are expensive and there are not many options.

There are lots of reasonably priced, easy to get unlimited phone and tablet plans but if you put a phone SIM in a router it might work for a while until the carrier detects that you have the SIM in an unauthorized device. The "solution" to that is to activate on a spare phone and then change the router IMEI to match the phone. Don't use both devices at the same time. The carrier now thinks the router is a phone.

The legality of it is somewhat unclear so it's talked about quietly on various forums using words like "magic configuration", "giving your router an identity crisis" etc.

It's a bit of a cat and mouse game because IMEI is probably not the only way to identify an unauthorized device but so far it seems to be the main way.

[+] vel0city|1 year ago|reply
I remember back in the 00's on AT&T getting an unlimited data plan addon for a dumb phone was like $15/mo or something while adding it for a smartphone was like $40 or more. They would enforce it by checking your IMEI and seeing if it was one of the smartphones they sold.

Buying an unlocked phone of a model AT&T didn't sell seemed to never trigger the "you're using a smartphone" check. Fun times with some cheap 3G back in the day.

[+] sambazi|1 year ago|reply
glorious

reminds me of changing mac address to get around data caps in the student dorm network

[+] ale42|1 year ago|reply
Passive TCP/IP fingerprinting might tell a lot about the device. You could probably easily tell apart an iPad and a router. But if IMEI checking catches 95% of plan cheaters, it's probably not worth implementing more checks (more checks = more cost and infrastructure to maintain, is it cheaper than the lost revenue?).

This said, I find it insane that there are such plans. The cost of a connection should be the same whatever the device behind it is.

[+] hiatus|1 year ago|reply
What are some of the devices that allow you to easily change the IMEI?
[+] sfx2000|1 year ago|reply
Interesting thread - as someone that used to be in carrier space...

IMEI - we only really cared about the TAC prefix, as this identifies the device type, which is mapped to capabilities for services.

IMSI - this is usually in the SIM card (UICC), and mapped out specifically within the uSIM/SIM application inside the card. This is aligned with the Billing/Rate Plan for services that the subscriber is set up with.

TMSI - this is usually what the network uses to page you and also deliver signaling over the NAS via the SGs interface for devices that do not support IMS/VoLTE.

ICCID - this IDs the card itself; for SIM cards, it always starts with 89, as this designates the card as telephony related as a physical UICC - remember, there are other types of UICCs, such as chip-based credit cards, which start with a different number.

MSISDN - this is the number that you dial and send SMS to - in legacy systems, it can also be referred to as the MDN

Fun Fact that was skipped in the article - IMEIs that start with 99 are special, as these indicate that the Device is both GSM/UMTS/LTE and CDMA/EVDO capable, and generally those IMEIs will align closely with the CDMA MEIDs, but they were not required to. The "99" range wasn't just Apple, but was used in the early days of dual-mode across most vendors as it helped facilitate session handovers from C2K to any 3GPP based service. For C2K, on the IMSI front, most devices would use IMSI_T (True IMSI based on the SIM card IMSIef) but some used IMSI_M which was based on the legacy MIN.

Legacy - there is the ESN in CDMA, but this is very legacy, and was largely superseded by MEID - for Legacy Support, pESN could be derived from MEID, however at the high risk of collisions...

[+] xjay|1 year ago|reply
Android defaults to sending the IMSI (SIM ID) to Google.

> SUPL is used as part of the A-GPS (Assisted GPS) system to get a faster Time to First Fix. The problem is that Android's implementation automatically sends the IMSI (ID of the SIM card) to the SUPL provider for no apparent reason. And because Google is the default provider it's a big breach of privacy.

https://github.com/Magisk-Modules-Alt-Repo/supl-replacer

https://en.wikipedia.org/wiki/Assisted_GNSS

[+] sambazi|1 year ago|reply
and then proceeds to download a blob to be interpreted by the firmware over plain http
[+] eknkc|1 year ago|reply
If you buy a phone in Turkey, its IMEI is registered to a gov authority and you can use / transfer it as you wish.

If you happen to buy one from another country, it will be locked after 60 days of use and no carrier will connect it after that. You can use your passport to prove that it was not imported commercially but you brought it with you and register it. For $1000 (yeah). And it is locked to your ID. Can't transfer it to someone else.

IMEI cloning from an already registered donor phone was a thing and maybe it still is but as far as I can tell, high end phones pretty much lock it tightly.

BTW, this also affects a lot of other stuff. Can't buy a GPS dog tracker from Amazon. Can't buy a GSM module for your Arduino etc...

My car has a connectivity system where it provides internet to the in-car infotainment system and also allows me to open doors etc. remotely. It only recently became operational when the distributor finally managed to register the IMEI numbers. A lot of companies do not bother (Mercedes, BMW etc. are equipped with similar systems, not operational)

[+] slim|1 year ago|reply
We have the same thing in Tunisia. I wonder which other countries have this
[+] londons_explore|1 year ago|reply
The fact the IMEI is generally not editable seems like a massive privacy hole.

Just let people edit it. Then I can be someone new every day and nobody can track me.

MAC address randomization does that for wifi. Now do the same for mobile networks.

[+] apienx|1 year ago|reply
SMS specifications include "Type 0" messages, also known as Silent SMS. These messages don't trigger any event on the phone when received, but they do send back an ACK that includes IMSI metadata. Silent SMs are literally defined in the RFC and primarily used to covertly track user locations without judicial oversight.

GSM, SS7, etc. are massive privacy holes _by design_.

[+] hinkley|1 year ago|reply
I think I’m more concerned with the fact that the carriers know the IMEI of phones and claim that they can do nothing about stolen phones. That was the beginning of the end of my infatuation with the mobile space.

I should have been well positioned for early retirement during the early smart phone gold rush but was just so put off by the Ma Bell feeling of the mobile industry that I had exited before most people had even entered.

[+] kevincox|1 year ago|reply
I really want mobile networks to accept their role as dumb data pipes. I should be able to just provide a password or certificate and connect. No IMEI, no SIM.

And while we are at it stop tunneling my data back "home" when I travel. I don't want increased latency.

[+] thedougd|1 year ago|reply
Many a year ago, when the iPhone was new and Android was on version 1.6, Sprint offered the SERO plan, an unlimited plan for friends and family. When smartphones hit, they would no longer allow the SERO unlimited plan to transfer to the new phones.

The HTC phones had a Qualcomm radio that, with the right tooling, one could write all 0s to the IMEI (or the CDMA equivalent) register. Then you could write any IMEI to the register. That worked well for a few years.

[+] sfx2000|1 year ago|reply
SERO was one of the Sprint Rate Plans, the other was the Pioneer Plan for early adopters on SprintPCS

HTC got into a bit of trouble with the carriers on the whole IMEI/MEID rewrite mess at the end of the day. With Qualcomm, that was an NVITEM that was supposed to be read-only.

[+] chirau|1 year ago|reply
Is there any entity or procedure that actually proves that a phone is what it claims to be?

Unfortunately, neither IMEI, Serial Number or a combination of both can assert this.

I bought a Samsung S24 a week ago off Facebook Marketplace. It was in the box and everything. I cross checked both the IMEIs and also the Serial Number with the #06# test. I even checked them online. Did all the tests, #0# and even downloaded Samsung members. Paid for the phone, convinced it was a genuine one.

Upon registering it and using it, it becomes very clear the phone is fake and is at best a clone. The camera is nowhere near the S24's and does not have the features. It heats up after charging and does not keep a charge. It runs slower than a 10-year-old Android once you are signed in.

When you run diagnostics, it shows all the specs of an S24 Ultra. How do I know this? I went and got another S24 Ultra from the store and they are worlds apart.

So my question is, if you are buying a phone from a reseller or someone, is there any way of definitely asserting whether it is authentic?

[+] tschwimmer|1 year ago|reply
I’m sorry that this happened to you. The debugging and tear down sound like they would make for an extremely interesting blog post though. I encourage you to write it up and post it here - I’d definitely read it.
[+] yardstick|1 year ago|reply
This is typically where consumer rights laws come into play and a key advantage of buying first hand from a “real” business rather than an individual or third party. At least there you have someone you can easily hold to account.

You need to price in the risk factor when purchasing where such legislation doesn’t apply or isn’t easy to enforce.

[+] sfx2000|1 year ago|reply
The carrier can ID the device type by the radio layer itself at the PHY layer.
[+] numpad0|1 year ago|reply
Anything on the display or reported by Linux Kernel can be faked, so no.
[+] gandalfian|1 year ago|reply
Also a rare UK success story in brute force lawmaking. People used to hack phones' IMEIs all the time, lots of utils available. Then anything relating to changing an IMEI was heavily punished and it all stopped. Nobody would host a utility or a guide or even mention it on a forum. If you did mention it you were banned. It was almost instant.
[+] ykonstant|1 year ago|reply
That doesn't sound good at all.
[+] smcin|1 year ago|reply
... mention it on a UK forum, European forum or any forum?
[+] ale42|1 year ago|reply
From the article:

    it will generally start with a 35, which is unused as a country calling code

It's "unused" because several country codes start with 35: Ireland, Portugal, Luxembourg, Iceland... (This doesn't mean that phones are actually manufactured there... I have a phone with an IMEI starting in 354 and it's definitely not manufactured in Iceland...)
[+] lxgr|1 year ago|reply
Yeah, they seem to be confusing that with IMSIs or ICCIDs, which are indeed namespaced by mobile country code and international calling code respectively.

Based on what other commenters have already pointed out, this seems to be a quite sloppily researched article.

[+] mannyv|1 year ago|reply
I remember some telco guy saying “the IMEI is unique until it isn’t.”

We always wondered if you could crash part of a cell network by dropping in 8192 phones with the same IMEI. Everyone needs to deal with non unique identifiers, but the question is how many do they expect?

FYI this is a problem on Ethernet, when you get boards that haven’t been initialized. Things don’t like multiple MAC addresses with 0s.

[+] spiesd|1 year ago|reply
I'm interested in the general thrust, but this article is sloppy at best.

> Check digit: The final digit is essentially used to validate the prior 14 digits with an algorithm. Similar digits exist in other types of identifier codes, such as the Universal Product Code (UPC) and the International Standard Book Number (ISBN). The algorithm that the mobile industry uses, the Luhn algorithm, is also used for social security numbers and credit card numbers.

No, just no. SSNs (in the US) don't have check digits.

Also:

> Then there are network identifier numbers—the MAC address bestowed upon you by your WiFi network or mobile provider

Huh? This nonsense ("bestowed upon") serves only to confuse. This is bad tech journalism: it fails to inform the masses, and is transparently worthless to experts.

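The Luhn check digit quoted in the comment above, the TAC prefix sfx2000 mentions, and the IMEISV that kevvok describes can all be shown on one number. This is an added example, not code from the thread or from tedium.co's article; the IMEIs in it are constructed for illustration and belong to no real device.

```python
# Added example (not from the thread or the article): validate and dissect a
# 15-digit IMEI using the Luhn check digit, and build the IMEISV form that
# replaces the check digit with a 2-digit software version.
# All IMEI values below are constructed samples, not real devices.


def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; the rightmost payload digit and every second
    # digit after it is doubled, with 10..18 folded back to a single digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True when imei is 15 digits and its last digit is the Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> dict:
    """Break a valid IMEI into TAC (8 digits), serial (6 digits) and check digit."""
    if not is_valid_imei(imei):
        raise ValueError("not a valid 15-digit IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def to_imeisv(imei: str, sv: str) -> str:
    """IMEISV: the 14 payload digits plus a 2-digit SV, with no check digit."""
    if not is_valid_imei(imei) or len(sv) != 2 or not sv.isdigit():
        raise ValueError("need a valid IMEI and a 2-digit software version")
    return imei[:14] + sv


if __name__ == "__main__":
    sample = "351234567890124"  # constructed: 35... TAC, Luhn digit 4
    print(is_valid_imei(sample), split_imei(sample), to_imeisv(sample, "07"))
    print(is_valid_imei("351234567890125"))  # one digit off -> False
```
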
[+] toxik|1 year ago|reply
Many non-American SSN systems do have check digits.
[+] dhosek|1 year ago|reply
The geographic aspect of SSNs no longer applies either. My kids have SSNs that start with different digits than my own which was assigned under the old regime where the first digit indicated where the SSN was issued.
[+] 0898|1 year ago|reply
I prefer to buy second hand iPhones for my family, and usually use Amazon. But the last couple of iPhones haven't been able to connect to the cellular network at all.

Digging into it, it seems they've been IMEI blocked – i.e. reported stolen. Sending them back to Amazon is always such a pain because it means a visit to the post office.

[+] ementally|1 year ago|reply
You can use https://github.com/srlabs/blue-merle if you want to change your IMEI

> The blue-merle software package enhances anonymity and reduces forensic traceability of the GL-E750 / Mudi 4G mobile wi-fi router ("Mudi router")

> Mobile Equipment Identity (IMEI) changer

> Media Access Control (MAC) address log wiper

> Basic Service Set Identifier (BSSID) randomization

> MAC Address randomization

[+] username135|1 year ago|reply
I have been looking for information like this for a while. Thank you!

Follow up, does the IMEI number get broadcast when you connect, or is it a searchable bit of information accessible by apps, et al?

I'm wondering how anonymous you can be if you're making all the right privacy moves, but your phone is still essentially giving you up because your IMEI number is traceable back to you.

[+] calrain|1 year ago|reply
Is it possible to record IMEI codes of phones around your location?

Say... to help identify if a specific phone comes around, or what phone/s were around when a break in occurred?

[+] lozank|1 year ago|reply
Very interesting! Super cool to see it can be used against theft. AFAIK some apps misuse it, though. If Snapchat detects a modified phone (root for example) at any point, it might block your IMEI. (As far as the internet is concerned, they're very secretive about it) Which is a horrible decision, since a phone might be re-locked and refurbished, handed down to someone else, etc.
[+] Havoc|1 year ago|reply
Anybody know how frequently these get transmitted?

Phones seem to switch off wifi regularly for energy savings, so not particularly useful for detecting iPhones at home for home presence automations

[+] Someone|1 year ago|reply
”Other” isn’t really correct, is it? The IMEI is your phone’s number, your phone number isn’t tied to a phone, but is your user name/chat handle with your provider.
[+] BXLE_1-1-BitIs1|1 year ago|reply
The instructions for changing firmware on a tablet before repartitioning had me backing up and restoring the IMEI and MAC address etc.