While I like the sentiment of the article, I think most people are not aware of how hostile baseband firmwares are implemented on most SoCs that phones come with. Usually the cell tower handshakes that make you trackable can't be put off, meaning the modem will run in sleep mode even when you are in airplane mode (which is kinda funny considering the dangers of air travel, right? Right?).
Are there actually smartphones without an IMEI and with a Wi-Fi card only, preferrably not a Broadcom one?
Can you please give any sources? While it sounds plausible and interesting it's nothing more than a wild conspiracy theory without some background information.
meaning the modem will run in sleep mode even when you are in airplane mode
AFAIK this is not true at least for the Mediatek 65xx and early 67xx platforms; I've analysed the firmware and hardware on those. They actually power off the modem and rest of the RF system when in airplane mode. The modem only boots up and starts searching for a signal when you take it out of airplane mode, which is why it takes a noticeable time (10-30 seconds, depending on how many bands are enabled) to get a signal. If your phone goes from airplane mode to having a signal and immediately capable of calling, then I suspect it's one where the modem is not truly turned off.
I haven't inspected Broadcom, Qualcomm, or Spreadtrum in any detail to say whether they do things differently.
Are there actually smartphones without an IMEI
Look for a "tablet" or anything else without the word "phone" in it if you just want a touchscreen portable computer. An IMEI is obligatory to connect to cellular networks, in much the same way as a MAC address is to Ethernet and WiFi.
I have the feeling that whenever you are on an airport (and maybe railway stations too) they cross your IMEI with the boarding pass info. I believe that in the UK police use some middle-man towers, which name I have forgotten, to collect as much data as possible.
In many countries you need a valid government ID document to activate a mobile service which means burners do not really exist in those places.
Unless you bought a pixel, graphene’d it and then paid a homeless person to activate a pre-paid data only sim which you would top up with vouchers paid in cash and used a von and international voip service…
True on the Government ID document but most of the times the portal to activate would allow for any sort of numbers as long as it was in a proper format - whether or not it was valid.
These allow for self activation, have a lockout of 5 failed attempts or so and can be done via sim card codes (not SMS, but you interact with a program on the simcard and low level carrier services.)
I was surprised when a SIM I purchased on Amazon was not only able to connect in China but was also able to bypass the great firewall. I wonder how these travel sims get round the government regulations.
> In many countries you need a valid government ID document to activate a mobile service which means burners do not really exist in those places.
Buying prepaid SIMs from tourists or foreign students returning home is a reasonable easy workaround for that - at least if you're the sort of person who meets and befriends those sort of people.
Downloading GPS assist data obviously isn't, and plenty of phones use wifi scanning as a way to augment GPS position fixes, but this seemed a strange callout. Am I missing something?
One thing I didn't see covered is to never have your "real phone" and your "burner phone" on you (or in the same location) at the same time while powered.
Easy enough to say "Gee...these 2 phones are always together or nearby when activated" or "this phone shuts off right before this one powers up".
Although, I suspect there are a few other ways to determine identity easier. Such as tracking the device identifier and then looking up nearby public facing cameras.
The Dumphone Finder (https://josebriones.org/dumbphone-finder) referenced there is useful, too, if you need to get a phone a 90 year old person has a chance of being able to use.
If you need to communicate with people in your area and not be tracked; MeshCore software with LoRa hardware like the this https://lilygo.cc/en-ca/products/t-lora-pager is something to consider. Text only, completely offline
When I was working at EFF, I started writing (but never finished) a couple of essays along the lines of "the degree of trackability of mobile phones is an unfortunate accident, and we should fix it".
It basically comes from routing requirements (especially to receive incoming phone calls) combined with billing requirements (to make people pay for their connectivity) combined with the empirical requirement to see which base station a device is connected to, and which other base stations can see it at a given moment.
If you aggregate all of that data, then you know a (geographically moderate-resolution) complete history of where almost all people have been at almost all times, and patterns of their habits and whom they probably recurrently spent time with.
Not all of this data has to be collectable, because these things could be disaggregated by introducing different protocol layers. For example, you could pay the mobile company for data connectivity, but use cryptographic blinding mechanisms so that it doesn't know which specific subscriber obtained connectivity at a particular place and time. (Those blinding mechanisms could be implemented inside of SIM cards, so the SIM card's task is to cryptographically prove "I am a SIM card of a current paying subscriber of carrier X" rather than "I am SIM card number 42d1b5c0".) You could have device hardware IDs be ephemeral rather than permanent. Actual messaging and call services could all be "over the top" (as phone industry jargon puts it), provided by people who are not the phone company itself.
This disaggregation is a straightforward improvement from a privacy point of view because it prevents companies from knowing things about you that they didn't need to know in order to provide services.
Meanwhile, in the world we live in, we see governments trying to make it harder to make phones less trackable, by putting legal restrictions on changing hardware addresses, or requiring legal ID in order to establish service. I imagine that an additional cryptographic indirection layer in SIMs to prevent carriers from linking a permanent identifier to a network registration (or specific data use) would also be banned in some places if it were invented.
This shouldn't be inevitable. One thing that made me think about this was when there was a little scandal (which I was a small part of) about companies tracking device wifi MAC addresses for commercial purposes. There was a little industry that would try to recognize people and build commercial profiles based on recognizing that the same device was present (in fact, at the time, even if it didn't actually connect to the wifi -- because a typical wifi-enabled mobile device was sending broadcast wifi probe packets that included its MAC address). So Apple was like "this is a bad use of MAC addresses, which only exist to distinguish devices that happen to be on the LAN at the same time, and perhaps to allow network administrators to assign permanent IP addresses to specific devices", and they made iPhones randomize wifi MAC addresses for some purposes, mostly fixing that particular issue.
We could think just the same way about GSM networks: "these identifiers exist for specific protocol reasons; using them for device or user tracking is an abuse that should be mitigated technically".
Thanks for sharing. I figured it is extremely difficult to spoof or disaggregate the data by ourselves, given the SIM tracking wifi tracking thing basically 7/24, or is there a way to fix it?
And also be aware of "shoulder surfing", which is different today in 2 ways it wasn't in the past.
In the past, the risk was something like someone looking at you type in your PIN on a bank ATM, or maybe your password on an computer keyboard.
Today, shoulder surfing is mainly different in 2 ways: (1) near-ubiquitous high-resolution surveillance camera networks, which can be places/scale and capture images that humans practically didn't; and (2) with machine learning, they don't even need to see what buttons you press, only see movements of your arm.
(Randomizing button positions on a touchscreen can help, and also help fight forensics like traces your fingers leave for where they touch. But randomization means you need to be able to see your screen, which reduces the ways you have to hide your screen from the view of others.)
In addition to surveillance cameras and video of movement, AI can also determine what keys your pressing on a keyboard of an airgapped computer, merely by the sounds you make when you type
1. starting with threat modeling (though they don't call it that);
2. mentioning that your OPSEC affects not only you but also people connected to you; and
3. mentioning that maybe you should just leave the device at home (because it's basically a surveillance machine that you pay for).
(A more common article format would be to unload a pile of supposed security&privacy measures without putting them into context, and wouldn't properly set expectations for what that gives you. Neither of which is very helpful, and can be very counterproductive.)
Step one is already difficult here in Australia: to do so you must hand over your personal details and ID. At least that was true for anything with a SIM card for sale back in the 2010s
So the “step 0” was “find a retailer who didn’t follow the rules”, and they’d usually be a corner store selling handsets or SIM cards by the bucket load to all sorts of interesting characters
eSim erodes privacy? Well, that sucks, because how long until Apple, Samsung, and Google decide the Sim slot should go the way of the 3.5mm headphone jack?
Movies make it seem anyone can walk into any store in a trenchcoat and walk out with a burner phone ready to go. I get the service part (you can buy prepaid SIMs in cash). What about the phone?
I feel like any article on burner phones that glosses over acquisition with "buy phone and service in cash" misses the point.
Buying a phone anonymously is much harder than "just cash". Most places demand name & address for sign-up, and if you're unlucky want to see an ID.
You really should think through where and how you buy, how to find the "off the back of a truck" places, where to get SIMs, how to pay for renewal in untraceable money and without a CC, etc.
Are satellite phones under the same microscope as cell phones? Are they broadcasting on all the different cell/wifi/bt frequencies or do they just connect to a satellite? Are they GPS tagged?
Also if you want one-way “location less” communication, the old alphanumeric pager network is still available.
I think those messages are simply broadcast across the network (which at least in the US is national). There’s evidence of a message being sent, none about whether it was received or where it was received.
Cash is likely tracked too these days, if you get it from an ATM for sure, or maybe it is for some modern tills. So learn to busk before you think about buying a burner phone.
48 comments
[ 2.7 ms ] story [ 68.1 ms ] threadAre there actually smartphones without an IMEI and with a Wi-Fi card only, preferrably not a Broadcom one?
The risk was that mobile networks could not handle moving many devices from one cell to another at high speeds (during takeoff and landing).
AFAIK this is not true at least for the Mediatek 65xx and early 67xx platforms; I've analysed the firmware and hardware on those. They actually power off the modem and rest of the RF system when in airplane mode. The modem only boots up and starts searching for a signal when you take it out of airplane mode, which is why it takes a noticeable time (10-30 seconds, depending on how many bands are enabled) to get a signal. If your phone goes from airplane mode to having a signal and immediately capable of calling, then I suspect it's one where the modem is not truly turned off.
I haven't inspected Broadcom, Qualcomm, or Spreadtrum in any detail to say whether they do things differently.
Are there actually smartphones without an IMEI
Look for a "tablet" or anything else without the word "phone" in it if you just want a touchscreen portable computer. An IMEI is obligatory to connect to cellular networks, in much the same way as a MAC address is to Ethernet and WiFi.
Maybe an old iPod Touch that can still run a VOIP program?
Unless you bought a pixel, graphene’d it and then paid a homeless person to activate a pre-paid data only sim which you would top up with vouchers paid in cash and used a von and international voip service…
A lot of effort though
These allow for self activation, have a lockout of 5 failed attempts or so and can be done via sim card codes (not SMS, but you interact with a program on the simcard and low level carrier services.)
Buying prepaid SIMs from tourists or foreign students returning home is a reasonable easy workaround for that - at least if you're the sort of person who meets and befriends those sort of people.
GPS is a passive technology, no?
Downloading GPS assist data obviously isn't, and plenty of phones use wifi scanning as a way to augment GPS position fixes, but this seemed a strange callout. Am I missing something?
> Unfortunately, due to technical issues outside of our control, we have to shut down our subscription services.
Easy enough to say "Gee...these 2 phones are always together or nearby when activated" or "this phone shuts off right before this one powers up".
Although, I suspect there are a few other ways to determine identity easier. Such as tracking the device identifier and then looking up nearby public facing cameras.
It basically comes from routing requirements (especially to receive incoming phone calls) combined with billing requirements (to make people pay for their connectivity) combined with the empirical requirement to see which base station a device is connected to, and which other base stations can see it at a given moment.
If you aggregate all of that data, then you know a (geographically moderate-resolution) complete history of where almost all people have been at almost all times, and patterns of their habits and whom they probably recurrently spent time with.
Not all of this data has to be collectable, because these things could be disaggregated by introducing different protocol layers. For example, you could pay the mobile company for data connectivity, but use cryptographic blinding mechanisms so that it doesn't know which specific subscriber obtained connectivity at a particular place and time. (Those blinding mechanisms could be implemented inside of SIM cards, so the SIM card's task is to cryptographically prove "I am a SIM card of a current paying subscriber of carrier X" rather than "I am SIM card number 42d1b5c0".) You could have device hardware IDs be ephemeral rather than permanent. Actual messaging and call services could all be "over the top" (as phone industry jargon puts it), provided by people who are not the phone company itself.
This disaggregation is a straightforward improvement from a privacy point of view because it prevents companies from knowing things about you that they didn't need to know in order to provide services.
Meanwhile, in the world we live in, we see governments trying to make it harder to make phones less trackable, by putting legal restrictions on changing hardware addresses, or requiring legal ID in order to establish service. I imagine that an additional cryptographic indirection layer in SIMs to prevent carriers from linking a permanent identifier to a network registration (or specific data use) would also be banned in some places if it were invented.
This shouldn't be inevitable. One thing that made me think about this was when there was a little scandal (which I was a small part of) about companies tracking device wifi MAC addresses for commercial purposes. There was a little industry that would try to recognize people and build commercial profiles based on recognizing that the same device was present (in fact, at the time, even if it didn't actually connect to the wifi -- because a typical wifi-enabled mobile device was sending broadcast wifi probe packets that included its MAC address). So Apple was like "this is a bad use of MAC addresses, which only exist to distinguish devices that happen to be on the LAN at the same time, and perhaps to allow network administrators to assign permanent IP addresses to specific devices", and they made iPhones randomize wifi MAC addresses for some purposes, mostly fixing that particular issue.
We could think just the same way about GSM networks: "these identifiers exist for specific protocol reasons; using them for device or user tracking is an abuse that should be mitigated technically".
And also be aware of "shoulder surfing", which is different today in 2 ways it wasn't in the past.
In the past, the risk was something like someone looking at you type in your PIN on a bank ATM, or maybe your password on an computer keyboard.
Today, shoulder surfing is mainly different in 2 ways: (1) near-ubiquitous high-resolution surveillance camera networks, which can be places/scale and capture images that humans practically didn't; and (2) with machine learning, they don't even need to see what buttons you press, only see movements of your arm.
(Randomizing button positions on a touchscreen can help, and also help fight forensics like traces your fingers leave for where they touch. But randomization means you need to be able to see your screen, which reduces the ways you have to hide your screen from the view of others.)
Every time you type your PIN - that's an opportunity to snoop it.
Neither will protect you against rubber hose cryptography.
1. starting with threat modeling (though they don't call it that);
2. mentioning that your OPSEC affects not only you but also people connected to you; and
3. mentioning that maybe you should just leave the device at home (because it's basically a surveillance machine that you pay for).
(A more common article format would be to unload a pile of supposed security&privacy measures without putting them into context, and wouldn't properly set expectations for what that gives you. Neither of which is very helpful, and can be very counterproductive.)
Step one is already difficult here in Australia: to do so you must hand over your personal details and ID. At least that was true for anything with a SIM card for sale back in the 2010s
So the “step 0” was “find a retailer who didn’t follow the rules”, and they’d usually be a corner store selling handsets or SIM cards by the bucket load to all sorts of interesting characters
Movies make it seem anyone can walk into any store in a trenchcoat and walk out with a burner phone ready to go. I get the service part (you can buy prepaid SIMs in cash). What about the phone?
https://blogs.dsu.edu/digforce/2023/08/23/bfu-and-afu-lock-s...
Buying a phone anonymously is much harder than "just cash". Most places demand name & address for sign-up, and if you're unlucky want to see an ID.
You really should think through where and how you buy, how to find the "off the back of a truck" places, where to get SIMs, how to pay for renewal in untraceable money and without a CC, etc.
For example, can you just walk into Best Buy with cash?
Also if you want one-way “location less” communication, the old alphanumeric pager network is still available.
I think those messages are simply broadcast across the network (which at least in the US is national). There’s evidence of a message being sent, none about whether it was received or where it was received.
Most OPSEC failures are due to leakages which is a failure of compartmentalisation.
It’s either got too much stuff on it or not enough stuff on it.
Cash is likely tracked too these days, if you get it from an ATM for sure, or maybe it is for some modern tills. So learn to busk before you think about buying a burner phone.