33

If it is a secret then why is it visible on the box, invoice and the back of the phone? If it is not a secret then why does it have to be blurred when it gets posted online?


AviD
Ulkoma
  • 1
    IMEI is basically for identifying the phone, when you make contact with a cell tower (or satellite), it broadcasts your IMEI, and of course the stream coming from the SIM card, to identify you with the provider(s) :3... more @ https://en.wikipedia.org/wiki/International_Mobile_Station_Equipment_Identity – Lighty Oct 28 '14 at 11:15
  • 24
    There is a difference between needing to be kept locally secret (someone in the shop could read it before it gets to you) and avoiding having it published to everyone and their dog. There is nothing to say it **has** to be blurred online. That's just good risk management. Like blurring your address if you posted up a picture of a letter to you. – Rory Alsop Oct 28 '14 at 12:17
  • 1
    I am not sure if they still do it, but WhatsApp was "secured" with your IMEI, thus if anyone had that, they had your WhatsApp account. – PlasmaHH Oct 28 '14 at 16:37
  • 1
    IMEI is a GUID. – AStopher Oct 28 '14 at 17:53
  • 1
    same reason why you would want to blur your license plate when distributing pics of your car – ratchet freak Oct 29 '14 at 11:29
  • 2
    @ratchetfreak I don't know the reason behind that either – Ulkoma Oct 29 '14 at 11:33
  • Related: [What happens if an attacker steals my phone's IMEI number?](https://security.stackexchange.com/q/91751/32746) – WhiteWinterWolf Jul 06 '16 at 12:31

3 Answers

21

As @Lighty said, the IMEI is a unique identifier for your phone (not the SIM card though, that would be the IMSI).

You can think of it as an equivalent to a MAC address in Ethernet. The IMEI could be spoofed to impersonate you / your phone. Your phone could get traced in a network using the IMEI (It actually is to maintain your connection). The IMEI is also used to find stolen phones, by comparing it to the IMEI DB of the GSM Alliance, for example.

Thus, to protect your identity, and limit tracing to legitimate usages, it may well be worth it to not spread the IMEI out in public.

Marcel
  • 2
    It's also used by phone companies for tracking warranty application. You may get a few instances of fixes or recalls per phone. This is generally tracked via the IMEI in my experience. – Nate Diamond Oct 28 '14 at 17:05
  • 1
    To build on what @NateDiamond said, it is also used by mobile carriers to lock a mobile to their network. – AStopher Oct 28 '14 at 17:54
21

IMEI is like a GUID (Global Unique Identifier), that identifies your unique handset. Your carrier can blacklist your IMEI by instructing the GSM Alliance to do so, so that the mobile can't connect to any networks, usually in the case the handset is lost or stolen.

Your handset's IMEI is sent in the handshake process when connecting to a network, and can be searched in the global database by your carrier to identify the make & model of your device. This is useful as it allows the carrier to send over the correct internet/MMS configuration settings automatically, and may turn off promotional messages your carrier may send promoting the newest device if you already have that device.

You would not want to reveal your IMEI for the following reasons:

  1. Criminals can use an IMEI to do, well, criminal stuff
  2. It makes your device vulnerable and can be hacked

Scenarios:

  • A device manufacturer discovers that the battery in some devices can spontaneously combust and explode. The device manufacturer offers a replacement process whereupon if you present your IMEI you are eligible for a free replacement device. Unfortunately a criminal got hold of your IMEI and claimed the free device, but as the IMEI has already been claimed, you can't claim a new free handset.
  • A hacker knows how much you are worth, and bad news, they have your IMEI. Through a simple SIM-unlocking site they can obtain the make and model of the device, and maybe the operating system version residing on it. They can now proceed to send you some spam/dodgy way of installing spyware onto your device. They can now steal your data and thus, your wealth.
Marcel
AStopher
  • IMEIs look like they have 15 digits, which isn't enough to store the 128 bits a GUID has. Are they the same or do they just serve similar purposes? – Nick T Oct 29 '14 at 04:34
  • @NickT: Well, they are similar in terms that they are unique, and allow to identify a single entity. – Marcel Oct 29 '14 at 06:16
  • 2
    It is possible in the UK to phone a national centre that blocks phones across all carriers. If given your IMEI it may be possible for an internet troll to phone the centre up and get your phone blacklisted which would be undesirable. Similar services may exist in other regions. – Stu W Oct 29 '14 at 11:03
  • @StuW The likelihood any one can phone up and request a device be blacklisted with _just_ the IMEI without any other proof of ownership seems highly unlikely to me :) Here in Canada, only the network service providers can get a device blacklisted. – prasanthv Sep 07 '16 at 14:23
  • @prasanthv You used to be able to use Immobilise to report them as stolen on the UK national shared operator database if you know the make, model and IMEI. Make and model may be derived from first 6 digits. https://www.immobilise.com/help/registermobilephone Not sure if still true. Perhaps the legit user can get the device delisted by their network / with proof of purchase though... – Stu W Sep 07 '16 at 15:47
  • 1
    @prasanthv given the monkeys that work at mobile carriers it won't surprise me at all. There are stories of attackers completely taking over accounts and issuing new SIMs via social engineering so simply blacklisting a phone should be way easier. – André Borie Nov 28 '16 at 00:01
  • Well @AndréBorie god damnnit :( – prasanthv Nov 28 '16 at 16:52
1

If someone is sufficiently savvy with hardware and software, they could also potentially add a free-and-clear IMEI (say, yours that you published online) to attach to a phone they stole from somebody or one that is used by a specific service provider. (Some providers get pissy if they find out you unlocked their devices, for example, and will either deny you service or blacklist your IMEI for doing it specifically to a phone you got from them, or even claim you violated a user agreement and try to sue you.)

This is used sometimes in the process of unlocking devices. (Some software suggests that you go down to Walmart and buy a 'throw away' phone just for the distinct, but different-from-original, IMEI. Then after unlocking your device, you throw the one you bought away, as only one device can use a given IMEI at any one time.)

So you publish yours, someone else with either the right kind of flash-able device or good hardware/software skills attaches it to their device (to get around billing issues, or unlock it, or hide it as stolen) and then gets service on it before you do. When you try to enable yours, it already shows up as active somewhere else. You're SOL.
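The question and comments above are about keeping an IMEI out of anything posted publicly. The following is an added example, not part of any answer on this page: a small redaction helper that finds IMEIs in text and masks them before posting. It assumes the standard layout of an 8-digit Type Allocation Code, a 6-digit serial and one Luhn check digit; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample text. The first number is a made-up IMEI with a valid
# check digit; the second is a 15-digit order number that fails the check.
SAMPLE = ("Selling my phone, box label says IMEI: 01-234567-890123-7, "
          "order no. 012345678901234.")

# 15 digits, optionally grouped as printed on labels (AA-BBBBBB-CCCCCC-D),
# and not part of a longer digit run.
IMEI_RE = re.compile(r"(?<!\d)\d{2}[- ]?\d{6}[- ]?\d{6}[- ]?\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(candidate: str):
    """Return the IMEI fields, or None if this is not a well-formed IMEI."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 15 or not luhn_ok(digits):
        return None
    # The TAC identifies make and model, the serial the individual handset.
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


def redact_imeis(text: str) -> str:
    """Mask every digit of each valid IMEI; leave other numbers alone."""
    def mask(match):
        if parse_imei(match.group(0)) is None:
            return match.group(0)
        # Mask the TAC too: it alone reveals the device model.
        return re.sub(r"\d", "X", match.group(0))
    return IMEI_RE.sub(mask, text)


if __name__ == "__main__":
    print(parse_imei("01-234567-890123-7"))
    print(redact_imeis(SAMPLE))
```

Roughly one in ten arbitrary 15-digit numbers also passes the Luhn check, so the helper errs toward masking too much rather than too little.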