20

Should I worry if a developer programmed an app to send IMEI / IMSI number of the phone where the app is installed back to him? What can an attacker do with such information?

DaTaBomB

4 Answers

13

The IMEI is a unique worldwide identifier for the phone (the hardware element), while the IMSI is a unique worldwide identifier for the SIM card (so it more-or-less maps to the human user who owns it). See this page. Both are sent "as is" over the air, and thus can be obtained by any attacker with an antenna and located in the vicinity. Knowledge of the IMEI and/or IMSI of some user does not give extra ways to break into the communications of that user; they are not secret values.

However...

There may be a slight privacy concern about IMEI and IMSI, in that they allow one to "track" user habits:

  • An application could generate a random unique identifier each time it is installed on a phone. However, by using the IMEI, the application can tell whether it is re-installed on a given phone; it can also be used to cross-reference the table of known installed application instances with cell phone locations obtained through passive radio listening from some base station.

  • The IMSI "follows" the user when he switches phones (he transfers his SIM card from his old phone to his new phone).

I can imagine an app which is linked to some "account" on a server; using the IMSI allows the server to more easily automate "relinking" the app when the user switches phones. For the same reason, users can feel that their privacy is breached in that they would like to be able to re-install their app and/or switch phones to "start anew" with a distinct account which is not linkable to their own account.

To a large extent, users can consider their IMSI to be the phone equivalent of their email address. An app which automatically sends the IMSI to a server is as much a security or privacy issue as a software application which automatically sends the user's email to a remote server; many people would feel uncomfortable at the latter, and it begs the question of why it is done in the first place.


Of course, if an app does something stupid like using the IMEI or IMSI as an authentication token, e.g. a kind of password to access data on a remote server, then learning the IMEI or IMSI opens access to that data. But that's what you get when you use non-secret data as if it was secret.

Thomas Pornin
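The contrast drawn in the answer above, between an app that uses the IMEI as its credential and one that uses a secret, as an added example that is not part of the original answer. The class names, the account name and the sample IMEI are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder value, not a real device identifier.
SAMPLE_IMEI = "000000000000000"

class WeakServer:
    """Anti-pattern: the IMEI (a non-secret identifier) is the credential."""
    def __init__(self):
        self.accounts = {}                      # imei -> account name
    def register(self, imei, account):
        self.accounts[imei] = account
    def authenticate(self, imei):
        return self.accounts.get(imei)

class TokenServer:
    """Hardened form: random per-install ID plus a random secret token."""
    def __init__(self):
        self.installs = {}                      # install_id -> (token hash, account)
    def register(self, account):
        install_id = secrets.token_hex(8)       # public, new on every install
        token = secrets.token_urlsafe(32)       # secret, 256 bits of entropy
        self.installs[install_id] = (self._hash(token), account)
        return install_id, token                # the app keeps both in private storage
    def authenticate(self, install_id, token):
        record = self.installs.get(install_id)
        if record is None:
            return None
        token_hash, account = record
        # Constant-time comparison of the stored hash and the presented token's hash.
        ok = hmac.compare_digest(token_hash, self._hash(token))
        return account if ok else None
    @staticmethod
    def _hash(token):
        # A plain hash suffices because the token is high-entropy, unlike a password.
        return hashlib.sha256(token.encode()).digest()

def demo():
    weak, strong = WeakServer(), TokenServer()
    weak.register(SAMPLE_IMEI, "alice")
    install_id, token = strong.register("alice")
    observed = SAMPLE_IMEI                      # learned by any third party
    return {
        "weak_with_imei": weak.authenticate(observed),
        "strong_with_imei": strong.authenticate(install_id, observed),
        "strong_with_token": strong.authenticate(install_id, token),
        # A re-install gets a fresh ID, so the server cannot link it to the old one.
        "reinstall_unlinkable": strong.register("alice-new")[0] != install_id,
    }
```
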
7

Regarding IMSI disclosure: First of all, the IMSI is the heart of your subscription plan. If the attacker knows the IMSI, the very first consequence is location privacy breach. Meaning that using the IMSI, you can try to find the approximate location of the victim by exploiting the signalling protocols such as SS7. These kinds of attacks can be performed just by knowing the victim's phone number. I would highly recommend you to read the article "Locate- Trace -Manipulate" or the elaborative comprehensive summary as per this thesis. Secondly, knowing the IMSI could lead to even worse attacks (in the same context of SS7) to intercept your calls, SMS messages, and many more.

Regarding IMEI disclosure: The IMEI is the heart of your phone handset. It is mostly used to authenticate in terms of criminal activities to verify whether a call has been made from a specific handset. So in the worst case, one can use a victim's IMEI in a crafty manner to make illegitimate cellular activities.

But an interesting thing to notice is that when you first switch on your phone (or turn off flight mode), the IMEI will be sent so that the network can verify that the handset requesting cellular services is not a stolen handset. To do so, the network checks the IMEI number against the Equipment Identity Register (EIR) to see whether the handset is in the blacklist.

Now let us see what an attacker can do by knowing the IMSI as well as the IMEI: Search the Internet for "Unblocking Stolen Mobile Phones using SS7-MAP vulnerabilities", which exploits the relationship between IMEI and IMSI for EIR access. As per the presentation, an attacker can unblock stolen mobile phones and make them legitimate handsets in the white market of second-hand phones.

P.S.: There is a lot more on attacks using IMSI and IMEI on the Radio Access Network (RAN), i.e. the air interface.

kingmakerking
1

The IMEI is not an authenticated identity of the mobile terminal. It can be changed to impersonate other mobiles quite easily. Think of it as a MAC address equivalent. The IMSI is an authenticated permanent identity of the mobile subscription. The IMSI is easily obtainable over the air during the Initial Attach procedure. In subsequent Network Attach procedures the IMSI is replaced by a pseudonym, the TMSI, which the mobile and network can map to the IMSI. However, a false base station can overpower the legitimate cellular network and pretend not to be able to map the TMSI to the IMSI. In that case, the mobile will have to submit its IMSI. Knowing the IMSI allows tracking of the subscriber.

0

The IMEI identifies your equipment, and the IMSI identifies your chip. In other words, they can both be used to identify you and your current location, which is another way of saying they can be used to say that you are not in location X. That information could be used in many ways, of course.

Networks often behave differently in different places (countries) depending on how modern the networks are, etc. Sometimes there is a large degree of variance in how the IMEI and IMSI are passed.

The IMEI and IMSI can be used in tandem with other data. Whether you should be concerned boils down to your personal security needs.

So, to answer your question: someone with extremely high security needs who suspects or knows they are being targeted, such as a diplomat, would best pay attention to all metacontent which could identify him or her. Yes, it is dangerous, and phones, as everyone knows, tend to contain a lot of important personal information such as contacts, photos, SMS messages, etc.

In the news, we can read about malware injection that can happen once a phone has been identified.

Patriot