Sent from ProtonMail mobile
-------- Original Message --------
On May 29, 2018, 03:34, Banking.my < banking.my@protonmail.ch> wrote:
I’ve been following secure phones for some time and I’ve formed an opinion about which added features do the best job of this. If I may, I’d like to suggest the following features; however, they may be somewhat controversial.
IMEI & IMSI change capability. These features ARE included in higher end secure phones. These can be sold and shipped worldwide, even the United States. This is accomplished by shipping the units, with these features unactivated, requiring the end-user to activate them, relieving the manufacturer of all liability.
IMEI change is pretty straight forward and I assume you know the details; but IMSI change is a different animal. IMSI change is accomplished by sandboxing the SIM card, in a virtual machine. The IMSI reported to the network can then be changed, without changing the phone number associated with the actual SIM card. Also, there’s another reason for sandboxing the SIM card. They’ve been hacked. Specifically, the Java Card module in the SIM card has been hacked; and this was done using an invisible binary SMS, which never shows in the inbox.
Please give this some thought, as it can be done legally.
Thanks
3 Likes
I was about to comment on this being outlawed from my country’s (UK) perspective, but reading the relevant law (http://www.legislation.gov.uk/ukpga/2002/31/data.xht?view=snippet&wrap=true) indicates to me that it doesn’t actually seem forbidden if the device manufacturer gives permission. Admittedly, I’m nowhere near nor have any intentions of being a lawyer, and I don’t know whether “device manufacturer” here would refer to Purism (for the phone as a whole) or whoever it is that makes the modem module. I also don’t know where other countries stand - perhaps their acronyms won’t have allowed such an exception in their relevant laws.
There are also other issues here - if you use a random IMEI generator, you might pick one which is on the global blacklist (which was designed for when phones are reported stolen) which will obviously cause bad things. Or, you might chance upon an IMEI which is currently in use, something which will also throw up a huge red flag in their system (or just bring the whole thing down). Finally, you’d actually need to be able to change that kind of thing on the modem module - I can’t imagine that many manufacturers allow this.
All that said, I still think that it would be a pretty neat thing to have.
IMSI changing… that would absolutely require the co-operation of your telecoms provider. I did have a little wall of text written up here (in short, each IMSI has its own encryption key, you can’t get that key out of the SIM card, you’d have to ask your telecoms provider for a whole array of IMSIs each with their own key), but after thinking about it a bit and discovering the existence of something called “remote SIM provisioning”, I don’t really know what to say here.
IMEI change is pretty common. Some strategies are random on boot-up and selecting all zeros for a dual SIM unit. It is claimed, that this last strategy guarantees that a cell phone cannot be hijacked, over the network. This can be done on Android phones, by first rooting it, then installing the “Xposed Framework” and installing one of several “Device ID Changer” apps or modules. I don’t think the risk is that great because if that IMEI is in use or owned by a stolen phone, the call will probably just not go through; and if it does, it’s going to be changed on the next call anyway, unless you’re using all zeros. If that’s the case, breath easy.
The IMSI change strategies, employed by a company that will remain nameless for the moment, does this all on the phone, without remote provisioning, by “cloning” the sim card in the “heap,” them applying the mod to the “virtual” sim card. I’ve read, that it uses an algorithm for this, completely on the phone, without network access. I’ll give you a hint. The model is called the v.3 advanced. I plan on buying one, or reselling eventually; and I don’t want these guys to get any grief. That said, this unit is state- of-the-art, all features and NO hype.
2 Likes
This particular method here only changes what the phone’s OS reports to any applications that you’re running. It doesn’t do anything to the modem and you’re still registered on the phone’s network using the hardware’s original IMEI.
It was possible, at least in some early Android phones, to lose your IMEI via filesystem corruption (there are several threads on the XDA forums about this problem) but I seem to recall that this for some reason was confined purely to US phones (something to do with how the CDMA network functions?) and doesn’t seem to happen any more, indicating that they must have moved the relevant data away from anything user-accessible.
For explicit and deliberate changes, it can be done on (some?) Qualcomm devices using a piece of diagnostic software called QPST. This required a hard restart between changes (there is no reason for the IMEI to change during normal operation, so I imagine that they load it once during bootup and don’t waste CPU cycles and power on repeatedly checking it), but I suppose that it might be possible if the Librem 5 has a QC-based modem and that the process for changing this can be reverse-engineered. Hard-resetting the modem should be easy enough if it’s in an M.2 slot - the power chip should be able to handle that.
In any case, a constantly changing IMEI for a single IMSI is highly abnormal behaviour and should throw up huge warning flags in any decent automated monitoring system. The heap idea of yours is interesting and might slow down detection of this if you cycle through the IMSIs, but I’d hesitate to say more without knowing exactly what it is. It’s definitely feasible - it’s obviously possible for the network to supply you directly with the master key and IMSI pairs (which you can then just store somewhere), otherwise reprogrammable eSIMs (eg. Apple Watch) won’t work. The problem is that again, there’s a mapping of IMSIs to phone number somewhere and that I don’t imagine that it’s too hard for that mapping to be queried.