171 comments
BuildTheRobots · 21 days ago
Couple of thoughts

> The combination of the ICCID and the IMSI basically tells the mobile network, “hey, this person paid for a plan.”

As far as I remember, the ICCID never actually appears in standard network messaging. It might be possible for the network to request it, but it's not part of a standard 2/3/4/5G attach.

The piece seemed to miss two major uses for the IMEI (or I missed it when reading), which were working around vendor bugs and allowing emergency calling.

Radio firmware and state machines have always had weird bugs, and even when they conform to standards (some of which are extremely interpretable), they do very weird things in the real world. Pre-smartphone, being able to update phone and radio firmware was extremely rare, so it was common for the networks instead to implement workarounds on a manufacturer or handset basis. Having a hardware ID that identified this was extremely useful.

GSM (and onward) actually supports a handset attaching to a network, even without a SIM card, for the sake of emergency calling. It needs some form of unique identifier for this to work. As much as it could (potentially, entirely redefining the stack) use generated UUIDs, it makes some sense for these unique IDs to persist across roaming/sessions/reboots.


ztetranz · 20 days ago
Fun fact: Lots of cellular modem/routers have the easy ability to change IMEI. Doing so is a fairly common practice in the rural internet community. i.e., those using cellular for their internet access either because cable / fiber or an official cellular option like T-Mobile home internet is unavailable or they're mobile in an RV.

These people are not trying to do anything particularly nefarious but they do it so that they can use a phone or tablet plan in a router. Unlimited or high GB plans for routers and hotspots are expensive and there are not many options.

There are lots of reasonably priced, easy to get unlimited phone and tablet plans, but if you put a phone SIM in a router it might work for a while until the carrier detects that you have the SIM in an unauthorized device. The "solution" to that is to activate on a spare phone and then change the router IMEI to match the phone. Don't use both devices at the same time. The carrier now thinks the router is a phone.

The legality of it is somewhat unclear, so it's talked about quietly on various forums using words like "magic configuration", "giving your router an identity crisis", etc.

It's a bit of a cat and mouse game because IMEI is probably not the only way to identify an unauthorized device but so far it seems to be the main way.


sfx2000 · 20 days ago
Interesting thread - as someone that used to be in carrier space...

IMEI - we only really cared about the TAC prefix, as this identifies the device type, which is mapped to capabilities for services.

IMSI - this is usually in the SIM card (UICC), and mapped out specifically within the uSIM/SIM application inside the card. This is aligned with the Billing/Rate Plan for services that the subscriber is set up with.

TMSI - this is usually what the network uses to page you and also deliver signaling over the NAS via the SGs interface for devices that do not support IMS/VoLTE.

ICCID - this IDs the card itself. For SIM cards, it always starts with 89, as this designates the card as telephony related as a physical UICC - remember, there are other types of UICCs, such as chip-based credit cards, which start with a different number.

MSISDN - this is the number that you dial and send SMS to - in legacy systems, it can also be referred to as the MDN.

Fun fact that was skipped in the article - IMEIs that start with 99 are special, as these indicate that the device is both GSM/UMTS/LTE and CDMA/EVDO capable, and generally those IMEIs will align closely with the CDMA MEIDs, but they were not required to. The "99" range wasn't just Apple, but was used in the early days of dual-mode across most vendors as it helped facilitate session handovers from C2K to any 3GPP based service. For C2K, on the IMSI front, most devices would use IMSI_T (True IMSI based on the SIM card IMSIef) but some used IMSI_M, which was based on the legacy MIN.

Legacy - there is the ESN in CDMA, but this is very legacy, and was largely superseded by MEID - for Legacy Support, pESN could be derived from MEID, however at the high risk of collisions...
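An added example, not from any commenter, that parses the identifier layouts sfx2000 walks through: the IMEI's TAC prefix (including the "99" dual-mode range) and the ICCID's leading 89. It goes one step beyond the thread by also verifying the Luhn check digit both identifiers carry; the field widths are assumptions taken from the public 3GPP/ITU formats, and every sample number is constructed, not a real device or card.

```python
"""Parse and sanity-check IMEI and ICCID values (example code, not from the thread).

Assumed layouts:
  IMEI  = 8-digit TAC + 6-digit serial + 1 Luhn check digit (15 digits)
  ICCID = 2-digit MII ("89" = telecom) + issuer/account digits + 1 Luhn check digit
          (19 or 20 digits in practice)
"""
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: from the right, double every second digit, fold >9 down by 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit pass luhn_valid()."""
    return next(c for c in "0123456789" if luhn_valid(payload + c))


@dataclass
class ImeiInfo:
    tac: str              # Type Allocation Code: the part carriers map to device capabilities
    serial: str           # per-device serial within the TAC
    check_ok: bool        # Luhn check digit verified
    dual_mode_range: bool # TAC starting with "99", the GSM+CDMA range mentioned above


def parse_imei(imei: str) -> ImeiInfo:
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must be 15 digits (8 TAC + 6 serial + check)")
    return ImeiInfo(tac=digits[:8], serial=digits[8:14],
                    check_ok=luhn_valid(digits), dual_mode_range=digits.startswith("99"))


@dataclass
class IccidInfo:
    mii: str         # Major Industry Identifier, first two digits
    telecom: bool    # True when MII == "89"
    check_ok: bool   # Luhn check digit verified


def parse_iccid(iccid: str) -> IccidInfo:
    digits = "".join(ch for ch in iccid if ch.isdigit())
    if not 19 <= len(digits) <= 20:   # assumption: 19- or 20-digit cards only
        raise ValueError("ICCID must be 19 or 20 digits")
    return IccidInfo(mii=digits[:2], telecom=digits[:2] == "89", check_ok=luhn_valid(digits))


if __name__ == "__main__":
    # Constructed sample values; "9900..." is in the dual-mode range, "89..." is a telecom card.
    print(parse_imei("99-000123-456789-9"))
    print(parse_iccid("89014101234567890122"))
```

A carrier-side or MDM inventory check can use `check_ok` to reject mistyped or hand-edited identifiers before they ever reach a provisioning database.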


eknkc · 20 days ago
If you buy a phone in Turkey, its IMEI is registered to a gov authority and you can use / transfer it as you wish.

If you happen to buy one from another country, it will be locked after 60 days of use and no carrier will connect it after that. You can use your passport to prove that it was not imported commercially but you brought it with you and register it. For $1000 (yeah). And it is locked to your ID. Can't transfer it to someone else.

IMEI cloning from an already registered donor phone was a thing and maybe it still is but as far as I can tell, high end phones pretty much lock it tightly.

BTW, this also affects a lot of other stuff. Can't buy a GPS dog tracker from Amazon. Can't buy a GSM module for your Arduino, etc...

My car has a connectivity system where it provides internet to the in car infotainment system and also allows me to open doors etc remotely. It only recently became operational when the distributor finally managed to register the IMEI numbers. A lot of companies do not bother (Mercedes, BMW etc are equipped with similar systems, not operational)
