Phone cloning IMEI hacking

This is an issue that is affecting quite a few people. Criminals use a person’s IMEI to stalk, hurt, and steal from people.

How does the Librem 5 intercept?

There was already one case where someone claimed continual abuse by an officer that had access to phone cloning tech.

Apple deleted my post several times. They literally won’t let my discussion take place on their forum. In fact, give it a try yourself.

What does this question mean?

On the Librem 5, the IMEI is stored on the modem card. It is trivial for the Librem 5 to ask the modem card what the IMEI is.

It may be unknown how to ask the modem card to override the IMEI. (It may be illegal to change the IMEI in some countries.)

There may be nothing that the Librem 5 can do that will affect whether the IMEI is transmitted to the mobile network which the Librem 5 is registered on. You would assume that the IMEI is transmitted to the mobile network.

Of course, unlike most phones, you can buy as many spare modem cards as you want and thereby change your IMEI (in theory).

3 Likes

So what happens is, when the phone is cloned through the IMEI, all texts, calls, microphone (can be switched on), and internet traffic are intercepted.

If the Librem 5 can be manipulated in such a way, changing modems is useless, making the Librem not so secure in that department.

IMEI is the global identifier of the phone (modem). It needs to be transmitted for a phone to work in a normal phone network. Can’t be helped. There are of course special networks etc. but let’s not go there now.

IMEI cloning is not what you learn from movies, it does not clone your phone’s content. It creates a duplicate IMEI to the network, a copy of your address that receives the same connection. For some reason the network standards don’t seem to care if there is more than one and send everything in duplicate [edit add: old networks don’t, newer have tried to make it more difficult]. That is why SMS and voice over phone can be intercepted and heard (often referred to as IMSI catching, a type of man-in-the-middle eavesdropping), as they use the phone network. But you can’t control the original phone with IMEI alone. If you are using a messaging app that uses data (as the network connection is a separate layer), on the other hand… I’m not sure, but I doubt that data can be intercepted, and at least with E2EE it can’t be read (because the MITM would need the encryption keys too).

There are some (droid) apps that claim to identify IMSI-catchers but those have limits as they are not able to access firmware (… which I guess could work better in L5). Changing the modem is a countermeasure option on L5, which is better than other phones, but not a very convenient or cheap one (compared to likes of this phone, at least). In theory, it seems IMEI randomization is possible to do, but is it possible on the L5’s modems and what would the network provider (or local law) think…?

Anyway, if you have something very private to talk about, you don’t do it over the phone and/or in plain English - or even in English.

[edit to add: there was another thread about hijacking SIMs to attack 2FA and I’d see that this could also be used for that - probably more damaging than eavesdropping - as open SMS 2FA is not really secure (although a bit better than not)]

4 Likes

IMSI triangulation and temporary eavesdropping aren’t the issue. Once you have the IMEI you can be stalked, and the microphone can be manipulated. Good insight though overall.

I still don’t know how this correlates to Librem phones.

How do you know that newer operators make it hard for device duplication? What do you know?

What systems do they have in place?

2FA is a f+++ing joke. Banks and credit companies should be sued for forcing everyone to use their dumb app with 2FA.

There are good ways to do 2FA, and then there are… the rest. Open SMS is among the latter. Most dedicated apps are inconvenient too.

IMEI and IMSI by themselves do not let you manipulate the mic (as in, hear what the original phone is doing when no call is made), they only let you hear what is said during a phone call. You need a lot more to activate it (IMEI may help, but then again, it was never meant to be a security feature, only a global identifier).

I didn’t say operators. I meant network standards: 2G and 3G are old and more easily hackable than UMTS, 4G/LTE or 5G. Problems persist because new phones still connect to old networks.

There is little correlation to L5 as such, although IMEI changes with the modem (and that was already commented on). On L5 you can use a (reasonably) secure E2EE chat app on a (reasonably) secure device, I guess. I was thinking this thread could be moved to “General security chat” area.

Especially not when the microphone is cut off with the physical switch!

IMEI is not much more than an IP address or an Ethernet MAC. It’s not very useful, except to manipulate data in transit - as far as I know (but I know very little about this area).

@research could you tell about the situations you’re afraid of? Perhaps it will be easier to answer your questions if you give examples.

3 Likes

I don’t even know whether this is correct. Hence why it is referred to as IMSI catching, not IMEI catching. The secret keys involved are on the SIM card.

Also, it depends what your threat model is. If a state actor is deploying IMSI catchers against you then in most countries the mobile network operators are so under the thumb of the government that one way or another if the government wants to intercept your calls or SMSs or MMSs then it will happen.

So I guess the assumption in this topic is that the threat is from a well-resourced and sophisticated malicious party who is not the government.

[citation needed] :wink:

If some of the above concerns you, the onus is on you to use end-to-end encryption (E2EE), which means that intercepting internet traffic is less of an issue and means that you would never send an SMS/MMS and never make a voice call. Instead you would use secure E2EE alternatives.

I am not convinced that the microphone can be switched on by this particular attack.

From that link:

Section 3.2.3: Why aren’t users alerted that encryption is off?

According to the GSM specifications, cell phone users are supposed to be notified when encryption is disabled, and in some markets they used to be. However, this caused a lot of confusion because:

  1. People would travel with their phones to places where cell towers were configured very differently (e.g. in some countries cell network encryption is banned) and it would cause a “Warning: encryption disabled” pop-up to come up a lot.
  2. Cell towers everywhere were misconfigured, also causing this pop-up to appear a lot.

These issues led to many confused consumers and support calls to mobile carriers, resulting in the warning ultimately being disabled.


That leads to the obvious questions for the Librem 5:
  • is it technically possible for the phone software to know when this kind of downgrade attack is going on / is it technically possible for the phone software to know what level of encryption is applying to communication between the modem and the tower (or fake tower)?
  • is it available in the GUI for reporting and/or confirmation?

@dcz

While “confused customers” may be a weak justification for warnings not happening (and may or may not be the real justification), Librem 5 customers are the kind of customers who would want that warning available methinks.

Coupled with Pegasus, yeah. Mics can be accessed.

I mean it’s apparent by now the Librem 5 has the same backdoor issues every phone has. Turning off the mic makes sense. But in the case of freely talking about, say, sensitive business information, it doesn’t offer security.

That’s why I emphasised “this particular”.

Bottom lines:

If you run spyware on the phone, software controls will often be ineffective.

If there are vulnerabilities in the phone’s software, software controls will often be ineffective.

(Obviously also, if your phone is running spyware then there is no need for anything at all like a Stingray. Everything can be intercepted on the device itself.)

On the Librem 5, no amount of spyware or even a serious kernel vulnerability can override the microphone’s hardware kill switch.

That said, every effort should be made to avoid serious vulnerabilities and the software architecture should be chosen to limit the damage caused by the failure of one part.

Mind you, the L5 has no backdoor. The phone network has the “backdoor”. If you want to use a phone network without this property, you’re going to have to build a new one.

You still haven’t given examples, so I still have little clue what you’re trying to say – and you seem to be confused about the role the phone plays here.

5 Likes

While I’m also not sure what exactly are the attacks you are afraid of, some things are certain:

  • the microphone of the L5 can neither be remotely activated (if switched off), nor can it be silently, secretly tapped (if switched on)
  • of course, a regular phone call (or an SMS text message) should always be considered insecure, just like sending postcards. That’s a problem of the network standards, not of any phone
  • this can be easily circumvented by using messengers like Matrix, Signal, Threema… for text and voice messages

In case you don’t happen to understand how the latter can be more secure than the former, it’s simple:
Traditionally, your data is hosed through the phone network with essentially no protection:
weak-phone-network-encryption-layer
      your call and text data
weak-phone-network-encryption-layer

For anybody with sufficient knowledge and capability, it looks essentially like this:
      your call and text data

With good messengers you get:
      weak-phone-network-encryption-layer
secure-premium-grade-end-to-end-encryption-layer
      your call and text data
secure-premium-grade-end-to-end-encryption-layer
      weak-phone-network-encryption-layer

So, the attacker might well be able to see the data transmitted on the phone network, but that is essentially just e2e-encrypted garbage.

The question then becomes: is the phone on the other side trustworthy?
If Alice has an untampered L5 and Bob has some cheap Android that came with spyware preinstalled, the best e2e encryption won’t help you at all.
After the data has securely travelled from Alice to Bob, Malice will just steal it from Bob.

7 Likes
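The layer picture in the post above, worked through as an added example (this is not code from the post, from Purism or from any messenger): a toy encrypt-then-MAC construction stands in for the messenger's end-to-end layer, the phone network's own encryption is assumed already broken so the eavesdropper sees whatever payload rides on it, and a compromised receiving phone is modelled as spyware reading the message after Bob's app has decrypted it. The end-to-end key is assumed pre-shared; real messengers derive it with a key exchange, and `_keystream` is an illustration, not a cipher to deploy.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (illustration only;
    a real messenger uses a vetted AEAD such as AES-GCM or ChaCha20-Poly1305)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def e2ee_seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC nonce+ciphertext under the pre-shared end-to-end key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def e2ee_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; any modification in transit raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("E2EE integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def alice_to_bob(message: bytes, use_e2ee: bool, bob_compromised: bool) -> dict:
    """Model the layers from the post. The weak-phone-network layer is treated
    as stripped, so the network eavesdropper sees the payload as carried.
    Returns what the eavesdropper, Bob, and spyware on Bob's phone ended up with."""
    key = secrets.token_bytes(32)  # assumed pre-shared between Alice and Bob
    payload = e2ee_seal(key, message) if use_e2ee else message
    eavesdropper_sees = payload  # phone-network encryption assumed broken
    bob_reads = e2ee_open(key, payload) if use_e2ee else payload
    spyware_sees = bob_reads if bob_compromised else None  # Malice reads after decryption
    return {"eavesdropper": eavesdropper_sees, "bob": bob_reads, "spyware": spyware_sees}
```

With E2EE the network-level observer holds only nonce, ciphertext and tag; with a compromised endpoint the same plaintext Bob reads is available to whatever runs on his phone, regardless of how strong the layer in the middle was.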