
Somebody knows my imei

If someone bad knows my IMEI number, say an ex-gf who's crazy, what can they do and should I be worried about my phone being tracked or text msgs read?
It's unlikely. If she works for TMO and is willing to risk her job then there might be some cause for concern.

Is it possible to call T-Mobile and have them change it?
Not unless you buy another phone from them.
 
Upvote 0
No, and in many countries it's a criminal offence to change a phone's IMEI, Mobile Telephones (Re-programming) Act in the UK. Want a different IMEI, you'll have to get a new phone.

Presumably that law predates IMEI abuses, like Google collecting users' IMEI numbers, and using them as a new kind of global SSN (slave surveillance number). From an ethical standpoint, changing your IMEI number after Google surreptitiously takes it is being street wise.

Ryhipkiss (a user here) said "A lot of damage can be done if the IMEI number lands in the wrong hands." Would be interesting to hear what all can be done. A unique number in itself is damaging when it's used to id people (considering phones are single user devices).

And to answer the question, you don't need T-Mobile to change it. Users on this board have reported being able to change the IMEI number by flashing the ROM.
 
Upvote 0
From an ethical standpoint, changing your IMEI number after Google surreptitiously takes it is being street wise.

Ethics have nothing to do with it. As already stated, in many countries changing the IMEI is a criminal offence that will earn the perp jail time. As such, discussion of it is prohibited by our Site Rules.

Users on this board have reported being able to change the IMEI number by flashing the ROM.

You've stated this claim in several posts now. I'm interested in where you saw this as to my knowledge it's simply impossible - the IMEI is completely unrelated to the handset's firmware.
 
Upvote 0
There's a far more common number that's associated with your identity and tied to your phone than your IMEI - your actual phone number. Most people will do anything to keep from changing it as it tends to be a PITA to do so and it follows them from one phone to another. Google does not "steal" your IMEI. There's no reason to do so. They can track you far more easily by just looking at what your Gmail account is doing. Why would they want your IMEI?
 
Upvote 0
An IMEI is a serialized identifier for the mobile networks to identify a piece of hardware similar to the MAC address of your router, IP address of your domain or the license plate on the back of your car. As far as I am aware, it is not protected by any privacy laws. Knowing that your IMEI is XXXX-XXXXX-XXXXX is similar to knowing your phone number or the street address of your house.
 
Upvote 0
An IMEI is a serialized identifier for the mobile networks to identify a piece of hardware similar to the MAC address of your router, IP address of your domain or the license plate on the back of your car. As far as I am aware, it is not protected by any privacy laws. Knowing that your IMEI is XXXX-XXXXX-XXXXX is similar to knowing your phone number or the street address of your house.

The difference is that if I know your phone number I can call and harass you. If I know your address, I can drive by and paintball your house. I don't know what damage I could possibly do to you by knowing your IMEI.
 
Upvote 0
The difference is that if I know your phone number I can call and harass you. If I know your address, I can drive by and paintball your house. I don't know what damage I could possibly do to you by knowing your IMEI.
Worst thing I can think of (that's still practical to do) is report the phone as stolen so the networks will block it.

Another thing I can think of, spoof the IMEI on another phone and use that phone for illegal activity.

Alas, neither option is particularly smart.
 
Upvote 0
The difference is that if I know your phone number I can call and harass you. If I know your address, I can drive by and paintball your house. I don't know what damage I could possibly do to you by knowing your IMEI.

You could create a database of people who are in a particular political party, using the IMEI as a key (harmless in itself). Someone else could make a database of employees using IMEI as a primary key (again, harmless in itself). Someone could then put the two databases together (buy, sell, trade them), and in aggregate decide who to let go when it comes time to do layoffs. It doesn't take much imagination to realize how far data collection and aggregation goes when the same primary key becomes a part of multiple databases.

A number seems pretty innocuous to those unaware of the evolution of social security numbers in the U.S. These were simply a number with a single purpose, a unique key into someone's social security records. Harmless, right? Today, the same SSN number is used for practically everything, including authenticating one's identity for bank transactions.
 
Upvote 0
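
The aggregation argument in the post above, as an added example that is not part of the thread: two constructed tables keyed by the same raw device identifier join trivially, while tables keyed by a per-collector identifier (here an HMAC over a secret held on the device) share no keys. The device strings, table contents, collector names and function names are all made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: made-up 15-digit strings, not real IMEIs.
MEMBERSHIP = {"000000000000001": "party A", "000000000000002": "party B"}
EMPLOYEES = {
    "000000000000001": "employee 17",
    "000000000000002": "employee 42",
    "000000000000003": "employee 58",
}

# Assumption: each device holds a random secret that is never disclosed.
DEVICE_SECRETS = {dev: secrets.token_bytes(32) for dev in EMPLOYEES}


def raw_id(device, scope):
    """Every collector is handed the same hardware identifier."""
    return device


def scoped_id(device, scope):
    """Each collector is handed HMAC-SHA256(device secret, collector name)."""
    mac = hmac.new(DEVICE_SECRETS[device], scope.encode(), hashlib.sha256)
    return mac.hexdigest()


def collect(scope, attributes, id_for):
    """Table as one collector stores it: {identifier it was given: attribute}."""
    return {id_for(dev, scope): attr for dev, attr in attributes.items()}


def join(table_a, table_b):
    """Link two tables on whatever keys they have in common."""
    shared = table_a.keys() & table_b.keys()
    return {key: (table_a[key], table_b[key]) for key in shared}


def linked_records(id_for):
    """Records that can be linked once both collectors pool their tables."""
    party_db = collect("party-db", MEMBERSHIP, id_for)
    employer_db = collect("employer-db", EMPLOYEES, id_for)
    return join(party_db, employer_db)


if __name__ == "__main__":
    # Same key in both tables: every overlapping person is linked.
    print("raw identifier   :", linked_records(raw_id))
    # Per-collector keys: the tables have nothing to join on.
    print("scoped identifier:", linked_records(scoped_id))
    # Each collector still gets a stable key for its own records.
    dev = "000000000000001"
    print("stable per scope :", scoped_id(dev, "party-db") == scoped_id(dev, "party-db"))
```
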
You could create a database of people who are in a particular political party, using the IMEI as a key (harmless in itself). Someone else could make a database of employees using IMEI as a primary key (again, harmless in itself). Someone could then put the two databases together (buy, sell, trade them), and in aggregate decide who to let go when it comes time to do layoffs. It doesn't take much imagination to realize how far data collection and aggregation goes when the same primary key becomes a part of multiple databases.
Frankly, I wonder how useful IMEIs would be for that. I change phones every 20 months or so (basically when I'm upgrade eligible) and I currently have 4 phones I use at the moment.

I'd be more concerned of a list with my phone number or address than one with one of my phones' IMEI. I've had my cell phone number for 5 years. In that same time period, I've used 5 different phones in conjunction with that phone number.
 
Upvote 0
Worst thing I can think of (that's still practical to do) is report the phone as stolen so the networks will block it.

Another thing I can think of, spoof the IMEI on another phone and use that phone for illegal activity.

Alas, neither option is particularly smart.

You can't report the phone stolen unless you're the account holder. If I can convince your carrier that I'm the account holder I don't need the IMEI, do I? Wouldn't I simply call them, convince them I'm you and tell them the phone associated with XYZ number is stolen? I've never reported a phone as stolen, but I don't think the carrier would expect you to know the IMEI.

The second I could see happening, but wouldn't be the most practical thing in the world with so many burner cell phones available. It would have to be someone who had an active interest in framing you for something and was an evil genius to boot. Another reason to fear my goateed counterpart.

You could create a database of people who are in a particular political party, using the IMEI as a key (harmless in itself). Someone else could make a database of employees using IMEI as a primary key (again, harmless in itself). Someone could then put the two databases together (buy, sell, trade them), and in aggregate decide who to let go when it comes time to do layoffs. It doesn't take much imagination to realize how far data collection and aggregation goes when the same primary key becomes a part of multiple databases.

A number seems pretty innocuous to those unaware of the evolution of social security numbers in the U.S. These were simply a number with a single purpose, a unique key into someone's social security records. Harmless, right? Today, the same SSN number is used for practically everything, including authenticating one's identity for bank transactions.

In both of those cases the information is useless. Only Google would have the capabilities to do such a thing and has no idea when the device changes hands. Without that, the information is useless. The number is not permanently tied to one person making it useless as a personal identifier.
 
Upvote 0
You can't report the phone stolen unless you're the account holder. If I can convince your carrier that I'm the account holder I don't need the IMEI, do I? Wouldn't I simply call them, convince them I'm you and tell them the phone associated with XYZ number is stolen? I've never reported a phone as stolen, but I don't think the carrier would expect you to know the IMEI.
In some countries, you can report a phone as stolen to a central body (à la FCC) so the phone is blacklisted by all GSM providers. In countries where prepaid is the norm and it's easy to just switch SIM cards, that's the only recourse to deal with stolen phones (pre-smartphone era and apps like LookOut/Plan B). Granted, if this is postpaid where you need to prove your identity to the customer service rep by giving the last 4 of your SSN, you've got bigger problems than just someone having your IMEI. Of course, getting them to block the IMEI if you're on prepaid (even in the US) is easier as you wouldn't really have to prove your identity. When I activated my GoPhone, the only thing that was required of me was the zip code (presumably for assigning a phone number with the correct area code). If you refill your account with cards bought from Walmart, etc, and don't ever use your credit/debit card, you never give the carrier any identifying info aside from perhaps the phone numbers you call.

The second I could see happening, but wouldn't be the most practical thing in the world with so many burner cell phones available. It would have to be someone who had an active interest in framing you for something and was an evil genius to boot. Another reason to fear my goateed counterpart.
Well, the OP was asking about what harm someone with his IMEI number might be able to do. He never said whether that person was an idiot or an evil criminal mastermind. :p
 
Upvote 0
The difference is that if I know your phone number I can call and harass you. If I know your address, I can drive by and paintball your house. I don't know what damage I could possibly do to you by knowing your IMEI.

One can get the physical address using the IMEI. Here's how:

Google's street view data collection created a database of physical locations, which were linked to MAC addresses of (open and closed) routers. Google also has data on where you live (from a variety of data: satnav usage, IP proximity, where you have google checkout orders shipped, region specific searches, etc). Now Google has your IMEI.

Sample scenario:

Stalking, angry, ex-lover gets ahold of your phone and dials *#06# surreptitiously. She goes to her close friend who happens to be a google employee, and says take this IMEI number, and find out where he sleeps, where he hangs out, and look into his google checkout account to find out what he's buying, and gather his emails.. find out his other gmail accounts (i.e. the ones I don't know about) because they're all conveniently associated within google anyway. Also grab his google voicemail transcriptions for me.
 
Upvote 0
Frankly, I wonder how useful IMEIs would be for that. I change phones every 20 months or so (basically when I'm upgrade eligible) and I currently have 4 phones I use at the moment.
Frequent phone changes are no hindrance for logging. Consider IP addresses. Some people have a different IP every day, but the logs won't fail to reveal that you were allocated a particular IP address at a particular time. Since most people keep their phone for at least a couple years, it's really a negligible cost for google to keep logs that go several decades back -- further back than useful, thus fully covering the whole period of which the information collection can cause malicious disclosure.

I'd be more concerned of a list with my phone number or address than one with one of my phones' IMEI.
Those lists are now linked to your IMEI. So getting one piece of information is a key to getting the next. Now anyone who gets your IMEI and has sufficient skill, influence, or corporation position can use it to get the whole motherlode of information.
 
Upvote 0
One can get the physical address using the IMEI. Here's how:

Google's street view data collection created a database of physical locations, which were linked to MAC addresses of (open and closed) routers. Google also has data on where you live (from a variety of data: satnav usage, IP proximity, where you have google checkout orders shipped, region specific searches, etc). Now Google has your IMEI.

I ran my IMEI in a google search. It came up with no results. That's my old phone that I've been using for the past 1.5 years. I ran a search on my phone that I got earlier this week. No results either. So I really question whether you can get your address from the IMEI. Not to mention the fact that your IMEI is not tied to any person. It's tied to a phone. Just saying.

Sample scenario:

Stalking, angry, ex-lover gets ahold of your phone and dials *#06# surreptitiously. She goes to her close friend who happens to be a google employee, and says take this IMEI number, and find out where he sleeps, where he hangs out, and look into his google checkout account to find out what he's buying, and gather his emails.. find out his other gmail accounts (i.e. the ones I don't know about) because they're all conveniently associated within google anyway. Also grab his google voicemail transcriptions for me.

So you have an angry ex-lover and a friend who is willing to get fired and face criminal charges? How is this different than if the friend works in a bank. They could put false information on your credit report, steal your SSN, take out loans in your name and never repay them and drain your account of money. That is a huge headache. They can flat out steal your actual identity which they can't do with your IMEI. I would be way more scared of the ex who has a bank friend willing to get fired and go to jail than the ex who has a Google friend willing to do the same.
 
Upvote 0
I ran my IMEI in a google search. It came up with no results.
You got no results because you're doing it wrong. If you want the information for free, you'll have to go beyond the google search field at google.com.

So you have an angry ex-lover and a friend who is willing to get fired and face criminal charges?
Of course. Google has fired several people already for snooping in gmail accounts. And that's just those who actually did something stupid with the information - something that put a spotlight on google, essentially forcing google to take corrective actions.

How is this different than if the friend works in a bank. They could put false information on your credit report,
Now you're thinking. Indeed, information can be harvested from any database. This is why you should only allow disclosure of information needed for the task at hand. This is why in network security the "rule of least privilege" trumps. The principle is simple and obvious. If access to information is not needed to accomplish the task, then it's foolish to give excess access. It's a needless risk.

steal your SSN,
So you recognize that damage can be done using a primary key to a database in one case, but not another. Why is that? SSNs only became damaging because they proliferated beyond the one database they were created for (as IMEIs have).

take out loans in your name and never repay them and drain your account of money. That is a huge headache. They can flat out steal your actual identity which they can't do with your IMEI.
Sure they can. Your IMEI (coupled with a span of time it's used) is as much your identity as your SSN. Even more so, because your finances are less about your identity than your social life.. where you sleep, work, eat, who you talk to, what you say, etc. And SSNs and IMEI are linked together so either can be obtained from the other. Your SSN is on your bank accounts, and thus electronic transactions, which are then linked to your phone purchase and your mobile phone payments, your mobile phone banking transactions, and ultimately your IMEI.

I would be way more scared of the ex who has a bank friend willing to get fired and go to jail than the ex who has a Google friend willing to do the same.

One case is orthogonal to the other. Many people and relationships in the world are potentially damaging. To say that one is not the single most damaging (as far as you can imagine) and then concluding that another case must be harmless is to create a false dichotomy. You have far more protection from banking damage than what can be done with information about where you live, along with social information to fuel the fire. Your bank doesn't generally know who your latest lover is, or what's being said to who -- pretty boring information for an emotional stalker, compared to Google's treasure trove of intimately personal data. Money is also protected by Regulation E. What's protecting you from physical attack by a nut case bent on destroying you, for example?

And look at the corporations. Anything damaging done to your finances through misuse of information is generally illegal, and is recoverable with some effort. But when your personal/social information is traded without a data protection act, it can be used in countless damaging (but legal) ways.. you have no recourse.
 
Upvote 0
One case is orthogonal to the other. Many people and relationships in the world are potentially damaging. To say that one is not the single most damaging (as far as you can imagine) and then concluding that another case must be harmless is to create a false dichotomy. You have far more protection from banking damage than what can be done with information about where you live, along with social information to fuel the fire. Your bank doesn't generally know who your latest lover is, or what's being said to who -- pretty boring information for an emotional stalker, compared to Google's treasure trove of intimately personal data. Money is also protected by Regulation E. What's protecting you from physical attack by a nut case bent on destroying you, for example?

And look at the corporations. Anything damaging done to your finances through misuse of information is generally illegal, and is recoverable with some effort. But when your personal/social information is traded without a data protection act, it can be used in countless damaging (but legal) ways.. you have no recourse.
Seriously, if you're that paranoid, you shouldn't be using the internet or a smartphone.
 
Upvote 0
You've stated this claim in several posts now. I'm interested in where you saw this as to my knowledge it's simply impossible - the IMEI is completely unrelated to the handset's firmware.

I'd imagine one could with a terminal emulator and enough initiative to find the right command. CDMA Workshop may be another avenue for those with CDMA based devices.

But changing IMEI would probably cause your device to not be able to send or receive any calls, texts, or data. Making it into a media player instead of a cell phone.
 
Upvote 0
You got no results because you're doing it wrong. If you want the information for free, you'll have to go beyond the google search field at google.com.

Fair enough. Can you offer specific directions of where I need to go? You're alleging that people can track me via my IMEI that Google has on file. I'm very interested in looking up my IMEI to see exactly how much info I can get from it.

Of course. Google has fired several people already for snooping in gmail accounts. And that's just those who actually did something stupid with the information - something that put a spotlight on google, essentially forcing google to take corrective actions.

And banks have fired people for doing the same thing. So I shouldn't trust them either?

Now you're thinking. Indeed, information can be harvested from any database. This is why you should only allow disclosure of information needed for the task at hand. This is why in network security the "rule of least privilege" trumps. The principle is simple and obvious. If access to information is not needed to accomplish the task, then it's foolish to give excess access. It's a needless risk.

It's needless paranoia IMO.

So you recognize that damage can be done using a primary key to a database in one case, but not another. Why is that? SSNs only became damaging because they proliferated beyond the one database they were created for (as IMEIs have).

No one tracks people by their IMEIs. No one does. Again, the reason is simple - phones are not tied to people. SSNs are. You are issued one SSN. It belongs to you until the day you die. IMEIs are no more unique to people than MAC addresses on computers or VINs on your car or the MAC on your BT headset. Why in the world would someone track you by your IMEI when there are things far more easily available and far more unique like your name/DOB, your SSN, your phone number or even your email address?

Sure they can. Your IMEI (coupled with a span of time it's used) is as much your identity as your SSN. Even more so, because your finances are less about your identity than your social life.. where you sleep, work, eat, who you talk to, what you say, etc. And SSNs and IMEI are linked together so either can be obtained from the other. Your SSN is on your bank accounts, and thus electronic transactions, which are then linked to your phone purchase and your mobile phone payments, your mobile phone banking transactions, and ultimately your IMEI.

Can you point me to a place where I can look up my SSN and find the IMEI of my phone? Otherwise I call BS on this. It's paranoia.

One case is orthogonal to the other. Many people and relationships in the world are potentially damaging. To say that one is not the single most damaging (as far as you can imagine) and then concluding that another case must be harmless is to create a false dichotomy. You have far more protection from banking damage than what can be done with information about where you live, along with social information to fuel the fire. Your bank doesn't generally know who your latest lover is, or what's being said to who -- pretty boring information for an emotional stalker, compared to Google's treasure trove of intimately personal data. Money is also protected by Regulation E. What's protecting you from physical attack by a nut case bent on destroying you, for example?

You know what I'm going to do if I want to find your address? I'll follow you home one night. Why? Because on a scale of 1-10 with 1 being easy and 10 being difficult, following you home undetected is probably a 3. Setting up a complex system to track your IMEI for a period of time so I can find you is a 10.

A vindictive bank employee is far scarier than a vindictive Google employee because it's far more likely to happen and it's not even that likely. You are arguing that I should be extremely concerned about something that has next to no chance at all of happening to me. By that logic I should reinforce the roof of my house with titanium just in case it gets hit by a meteor.

And look at the corporations. Anything damaging done to your finances through misuse of information is generally illegal, and is recoverable with some effort. But when your personal/social information is traded without a data protection act, it can be used in countless damaging (but legal) ways.. you have no recourse.

An example of a possible damaging but legal use of my personal data please?
 
Upvote 0
Fair enough. Can you offer specific directions of where I need to go?
Why would I need to? The data is collected. Of course there are countless ways to attack a database, motivate someone else to attack a database, or simply buy access from a party willing to share for the right price.

You're alleging that people can track me via my IMEI that Google has on file. I'm very interested in looking up my IMEI to see exactly how much info I can get from it.
When you say "lookup", which database are you interested in? Start there.

And banks have fired people for doing the same thing. So I shouldn't trust them either?
No, of course not - not with data they don't need. If your bank asks you who you are meeting for dinner, don't trust them -- they don't need that information to be a custodian of your bank account. Again, the rule of least privilege trumps.

It's needless paranoia IMO.
It's mitigation of needless information disclosure. Submitting a needless information disclosure is not street wise - it's naive from an information security standpoint.

No one tracks people by their IMEIs. No one does.
Except Google. Except your phone carrier. Except some other non-google apps that harvest the data, needlessly.

Again, the reason is simple - phones are not tied to people.
Of course they are. These are single user devices. They supply data to their single user, who produces data. This data is linked to the IMEI of the device. The device is associated to the IMEI.

SSNs are. You are issued one SSN.
Actually you are issued multiple different slave surveillance numbers potentially from one government and certainly from different other governments you have a relationship with. One SSN in the US, another number like an SSN in another country, just as you are issued one IMEI per device per person. Your point?

It belongs to you until the day you die.
Logs don't care whether you've died or not. A number can last till death, or it can last for a year, either way it's still a primary key linking you to data for a duration of time.

IMEIs are no more unique to people than MAC addresses on computers or VINs on your car or the MAC on your BT headset.
Of course there are varying degrees of uniqueness. The SSN 078-05-1120 is used by many. Uniquely issued, but this can be manipulated. MAC addresses are also uniquely issued - no two are the same. MAC addresses can be altered, but what's issued is unique. Anyone can decide to start using uniquely issued MAC addresses as a primary key, and collect whatever data they want under that key. Same for VINs. These are unique numbers, and can be utilized to reference the data of an individual person (even if it perverts the original intent). You're letting intent control how you view the number, instead of understanding how utilitarians are making use of it.

Why in the world would someone track you by your IMEI when there are things far more easily available and far more unique like your name/DOB, your SSN, your phone number or even your email address?
How do you figure "easier"? It depends on the context. It's far easier for google to harvest an IMEI from a device they have code running on, than to surreptitiously harvest an SSN. With SSNs already the centerpiece of identity theft, it would be a stupid legal risk for Google, as opposed to simply re-purposing something else to creep in as their own kind of SSN.

Can you point me to a place where I can look up my SSN and find the IMEI of my phone?
What part of the chain in the linked data are you having trouble accepting? We'll go from there.

Otherwise I call BS on this. It's paranoia.
Actually what you're replying to is fact. It's verifiable. Paranoia is a mental state, not a defense for objecting to facts. The data is traceable, or it's not. Try not to rely on emotional arguments. Tell us why you think the traceability is absent, and we can go from there.

You know what I'm going to do if I want to find your address? I'll follow you home one night. Why? Because on a scale of 1-10 with 1 being easy and 10 being difficult, following you home undetected is probably a 3.
You're presuming you've found your target to begin with. In some cases that's the end game, and the most difficult bit of information to get. Online stalkers start with much less than your present location.

Setting up a complex system to track your IMEI for a period of time so I can find you is a 10.
The system can be complex, but the adversary need not be. One can break into a WEP-secured wifi AP without knowing the first detail about the system. The work has been done by others.. insiders, or skilled hackers, those with more patience.. you just need to be able to use whatever mechanism is made available to you. Or hire someone else to go through the "level 10 difficulty" process.

A vindictive bank employee is far scarier than a vindictive Google employee because it's far more likely to happen
Frequency is only part of a threat assessment measurement. I might have a higher frequency for spilling coffee, that doesn't make it a greater damage. Getting hit by a train is pretty damaging, even though the probability is low. I'll favor 100 coffee spills over one single train hit.

You are arguing that I should be extremely concerned about something that has next to no chance at all of happening to me.
Not sure where you get "extreme" concern from. Should you lose sleep over it? No. But should you be foolish enough to needlessly disclose a unique number to all apps that ask, linking a significant portion of your social life to a number, of course not. It's just being street wise - just like you don't sign your messages on this forum with your real name and SSN.

By that logic I should reinforce the roof of my house with titanium just in case it gets hit by a meteor.
Now you're using appeal to probability logic, and failing to balance cost with risk. You can use this flawed logic to justify any number of security-naive choices.

An example of a possible damaging but legal use of my personal data please?
Someone who has pics of you drunk and nude while harassing someone posts them publicly with the caption "model employee of XYZ employer", and it gets a big spotlight. Perfectly legal, as is the termination of your job that follows.. yet quite damaging.
 
Upvote 0
