What is the risk of leaking IMEI / IMSI numbers over a network

The IMEI is a unique worldwide identifier for the phone (the hardware element), while the IMSI is a unique worldwide identifier for the SIM card (so it more-or-less maps to the human user who owns it). See this page. Both are sent "as is" over the air, and thus can be obtained by any attacker with an antenna and located in the vicinity. Knowledge of the IMEI and/or IMSI of some user does not give extra ways to break into the communications of that user; they are not secret values.

However...

There may be a slight privacy concern about IMEI and IMSI, in that they allow "tracking" of user habits:

  • An application could generate a random unique identifier each time it is installed on a phone. However, by using the IMEI, the application can tell whether it is re-installed on a given phone; it can also be used to cross-reference the table of known installed application instances with cell phone locations obtained through passive radio listening from some base station.

  • The IMSI "follows" the user when he switches phones (he transfers his SIM card from his old phone to his new phone).

I can imagine an app which is linked to some "account" on a server; using the IMSI allows the server to more easily automate "relinking" the app when the user switches phones. For the same reason, users can feel that their privacy is breached in that they would like to be able to re-install their app and/or switch phones to "start anew" with a distinct account which is not linkable to their own account.

To a large extent, users can consider their IMSI to be the phone equivalent of their email address. An app which automatically sends the IMSI to a server is as much a security or privacy issue as a software application which automatically sends the user's email to a remote server; many people would feel uncomfortable at the latter, and it begs the question of why it is done in the first place.


Of course, if an app does something stupid like using the IMEI or IMSI as an authentication token, e.g. a kind of password to access data on a remote server, then learning the IMEI or IMSI opens access to that data. But that's what you get when you use non-secret data as if it was secret.
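The failure mode described in the answer above (an IMEI or IMSI used as if it were a password), next to a per-install random token, as an added example that is not code from either answer. All function names, the in-memory stores and the sample IMEI are hypothetical and constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data; the IMEI below is a made-up illustrative value.
ACCOUNTS_BY_IMEI = {"490154203237518": "alice"}
TOKEN_HASHES = {}  # SHA-256(token) -> account; raw tokens are never stored


def login_with_imei(imei):
    """Weak: the IMEI acts as the password, so knowing it is enough."""
    return ACCOUNTS_BY_IMEI.get(imei)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def enroll(account):
    """Hardened: called after a normal login; issues a random per-install secret."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKEN_HASHES[_digest(token)] = account
    return token


def login_with_token(token):
    """Only the random token authenticates; device identifiers are not consulted."""
    return TOKEN_HASHES.get(_digest(token))


def revoke(token):
    """Drop one install's token, e.g. on uninstall or when the user starts anew."""
    TOKEN_HASHES.pop(_digest(token), None)


if __name__ == "__main__":
    observed_imei = "490154203237518"  # a value an eavesdropper or another app could learn
    print("IMEI as password ->", login_with_imei(observed_imei))
    token = enroll("alice")
    print("IMEI against token scheme ->", login_with_token(observed_imei))
    print("real token ->", login_with_token(token))
```

Because each install gets its own random token, a re-install or a new phone is not linkable to the old one unless the user signs in again, and revoking one token leaves the others working.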


Regarding IMSI disclosure: First of all, the IMSI is the heart of your subscription plan. If the attacker knows the IMSI, the very first consequence is a location privacy breach. Meaning that using the IMSI, you can try to find the approximate location of the victim by exploiting signalling protocols such as SS7. These kinds of attacks can be performed just by knowing the victim's phone number. I would highly recommend you to read the article "Locate- Trace -Manipulate" or the elaborative comprehensive summary as per this thesis. Secondly, knowing the IMSI could lead to even worse attacks (in the same context of SS7) to intercept your calls, SMS messages, and many more.

Regarding IMEI disclosure: The IMEI is the heart of your phone handset. It is mostly used to authenticate in terms of criminal activities to verify whether a call has been made from a specific handset. So in the worst case, one can use a victim's IMEI in a crafty manner to make illegitimate cellular activities.

But an interesting thing to notice is that when you first switch on your phone (or turn off FLIGHT MODE), the IMEI will be sent so that the network can verify that the handset requesting cellular services is not a stolen handset. To do so, the network checks the IMEI number against the Equipment Identity Register (EIR) to see whether the handset is in the blacklist.

Now let us see what an attacker can do by knowing the IMSI as well as the IMEI: Search the Internet for "Unblocking Stolen Mobile Phones using SS7-MAP vulnerabilities", which exploits the relationship between IMEI and IMSI for EIR access. As per the presentation, an attacker can unblock stolen mobile phones and make them legitimate handsets in the white market of second-hand phones.

P.S.: There is a lot more on attacks using the IMSI and IMEI on the Radio Access Network (RAN), i.e. the air interface.
