
13,500 Vivo Smartphones found running on same IMEI number - vvpvijay
https://androidrookies.com/a-whopping-13500-vivo-smartphones-found-running-on-same-imei-number/
======
rafaelturk
This is actually good. IMEI is a unique number that can identify each device.
And it is a huge privacy issue, as it can be used against the user to track
each user individually.

IMEI is not required when placing calls or transferring data since this is
securely managed by the GSM chip.

~~~
Klinky
Are you sure this would not cause problems if two devices with the same IMEI
were on the same tower, or even same provider? It might look fishy having
multiple dups floating around on your network.

If one of these devices gets IMEI blacklisted, now all 13.5K devices are
blacklisted... Not so good.

~~~
stefan_
Providers issue SIM (subscriber identity module) cards to uniquely
authenticate subscribers to their network. Why do you need something that is
constant across SIM cards? It's superfluous identifying information (GDPR
wants a word!).

~~~
derefr
Anti-theft. The device itself needs an identifier, so that if someone steals
_your_ device—immediately turning it off, re-flashing the OS, and putting
_their_ SIM in it, before booting it back up—then the network will still have
some identifier to recognize the device itself by, so that it can say “nope,
that’s stolen” and refuse to let it onto the network (thus disincentivizing
stealing cellphones in the first place.)

I believe network-IMEI-registration isn’t the primary mechanism by which
modern phone anti-theft works, though, since the device-owner is free to
change the phone’s _network-reported_ IMEI (much like you can change an
Ethernet controller’s _network-reported_ MAC address.) I might be wrong here,
though; the phone’s baseband _might_ come up with its burned-in IMEI and check
for validity with the server, _before_ switching to any
application-processor-requested IMEI. (You can get around _that_ by just
booting up the phone in a Faraday cage—but having to do that every time would
definitely decrease the black-market resale value.)

For iOS, at least, I think the anti-theft works by getting onto wi-fi each
time the SIM changes and asking some activation server about the validity of
[some other internal static device-ID that can’t be tampered with in this
way]. Not so sure what, if anything, Android does (Android’s case is harder,
since for phones with an unlocked bootloader, you can always flash an altered
firmware that _has_ no anti-theft logic.)

~~~
mindslight
The same anti-theft argument could be used to justify building surveillance
tech into any object, and yet our society seems to function just fine without
it. I've never had my phone stolen, and I don't know anybody who has even just
_lost_ their phone more than once. Yet we all get tracked _every single day_
due to this user-hostile design.

Also for most phones it's trivial to change the IMEI to resell the phone, or
simply part it out. Which sure, are more things manufacturers see as bugs, to
the frustration of legitimate activity - hence Right to Repair. The majority
of the world is honest. Let's not build ourselves into a prison just to
fallaciously protect against the few who aren't.

~~~
derefr
> I've never had my phone stolen, and I don't know anybody who has even just
> lost their phone more than once.

Errr, to be clear, the _reason_ that phones don’t get stolen is that there
_are_ anti-theft measures in place.

People steal similar types of item (e.g. car stereos, game consoles, Blu-ray
players) _all the time_. There’s no reason _other than anti-theft measures_
that phones as a type of item would be stolen any _less_ than these other
categories. (They’d actually be stolen _far more_, since they’re small/easy
to slip into one’s clothes/not a weird thing to be carrying around; and are
often found just left on tables at cafes or hanging out of people’s back
pockets. They’re like cash, basically.)

It’s the same reason that people steal bicycles more often than they steal
cars. Bicycles, despite being worth much less, are just _much easier to
steal_.

> The majority of the world is honest.

Do you live in a city? I’ve had my bicycle stolen _five times now_. I’ve also
been mugged twice. I’ve never had my phone stolen, though—because it’s
worthless to the sort of dumb criminals who steal things just to hawk them on
the street, rather than to fence them.

It doesn’t require a large fraction of the world to be dishonest, to result in
most people in the world having crimes committed against them. A thief will
steal from far more than one person in their thieving career. Especially in
regimes where the computed ROI for going after certain types of thief (e.g.
homeless, drug-addicted thieves) is negative (i.e. their prison housing costs
society more than their thieving does, apparently), and so they’re never held
for more than a day or two.

~~~
sudosysgen
Trust me, the #1 reason why phones don't get stolen is because they are
physically difficult to steal. If a well-connected thief steals your phone
(and there are a lot of well-connected thieves), they will not have much of an
issue getting them sold. Then the phone will either be parted out or flashed
out of any anti-theft, depending on market demand.

~~~
derefr
There are two types of thieves: thieves that operate as part of a professional
thieving ring; and thieves that operate alone, intending to directly
hawk/pawn/trade/use what they’ve stolen.

_Most_ thefts are committed by thieves who operate alone. (This is verifiable
at least for my own country; I asked a crime-statistics analyst friend of
mine.) Thus, most deterrence is focused on deterring the thieves who act
alone.

This is the same reason that “security locks” aren’t actually proof against
professional thieves. They’re not _meant_ to deter thieving rings; they’re
just meant to deter the thieves who are acting alone. Such thieves might have
watched a tutorial or two on YouTube on lock-picking, and they might have
picked up a lock-picking set from AliExpress; but they don’t have (and aren’t
willing/able to invest in) the sort of lock-picking skills/tools that
professionals have (e.g. slide-hammers, impact drivers, etc.) so an average
security lock will be enough to stymie them.

Same with clubs on cars: no proof against professional thieving rings, but
good enough to make a thief acting alone look elsewhere.

Just like there is a qualitative difference in how people treat things that
are “free” vs. “$0.01”, there is a qualitative difference in theft rates
between “no security” and “trivial security.” Most property crimes are
spur-of-the-moment, committed by people who didn’t come prepared to steal
something, but just see an opportunity to take something and feel the need to
have it. Put a trivial barrier in the way of taking things, and those
spur-of-the-moment crimes committed by “amateur thieves” go away.

~~~
sudosysgen
Sure. But in my experience, all it takes is for you to know a guy that knows a
guy and it's done. The type of people in the socio-economic situation that
makes it so that they would steal phones often leads them to have that kind of
contact.

In any case, maybe that is not so much the case in the US. But this certainly
is the case in Europe; a very, very large percentage of stolen phones are sent
to facilities that will part them out or unlock them.

It also is true that someone selling a locked phone on Kijiji is likely to end
up selling it to someone who has the skill or who knows someone that can
unlock it.

~~~
derefr
> a very, very large percentage of stolen phones are sent to facilities that
> will part them out or unlock them.

But again, that's post-hoc statistics. You're looking at the world that
already _has_ the trivial disincentive against amateur thieving. So of course
you'll see most stolen phones being stolen by professionals—the amateur
thieves are already not bothering, so if a phone is being stolen at this
point, it's being stolen by a professional thief!

In a world _without_ that disincentive, the statistics would skew very
differently.

I again compare to the market for stolen bicycles. Yes, there are professional
thieves with "bicycle chop shops" et al. But there are also crackheads
carrying around bolt-cutters who just want to take a bike they walk by, ride
it back to the ghetto, and then sell it for $20 to a street passerby to buy
their next fix. Most cities have a large bike-theft problem, and it's mostly
from _this_ kind of thief, not from professional thieves. Any "security bike
lock"—i.e. any bike lock you can't just snip through with bolt cutters—stops
this kind of thief.

Look at New York City, for example. There are two types of bikes in NYC: those
with security locks, and those that get stolen the instant they're left alone
for ten minutes. The security lock wouldn't deter a professional thief—but a
professional thief _prioritizes_, stealing fancy bikes from e.g. university
sports department bike parkades, and won't bother with your average commuter
bike. The crackhead does not prioritize. They just want $20, and your bike is
probably worth $20.

~~~
sudosysgen
If you are a crackhead, the economics of stealing a cellphone are already very
poor. It is much more profitable to steal peoples' bicycles or even copper
tubes than it is to steal a cellphone, because stealing a cellphone is a pain
in the ass since it's almost always in your pocket.

The selection process for phones is already there: unless you are a _very
good_ thief, you're not stealing cellphones. That's because realistically your
two ways of stealing a cellphone are either skillful
pickpocketing/misdirection, or muggings. Now if you're a crackhead, mugging
people is not a very good idea for obvious reasons, and the subtler ways of
stealing a cellphone _already select for experienced thieves_.

The number one reason why bikes are stolen so much is not because they are
easy to steal, it is because there is essentially no risk of getting caught.
No one will give a shit if you're stealing a bike, and so even professional
bike thieves will simply pop your lock with a Ramset gun without a care in the
world and be on their merry way hours before you even notice. Whereas stealing
a cellphone, unless very skillful, requires direct confrontation, which is not
an issue.

> But again, that's post-hoc statistics. You're looking at the world that
> already has the trivial disincentive against amateur thieving. So of course
> you'll see most stolen phones being stolen by professionals—the amateur
> thieves are already not bothering, so if a phone is being stolen at this
> point, it's being stolen by a professional thief!

I seriously disagree for the reasons I outlined above. The kind of people that
would steal phones are the kind of people that know how to offload it. Again,
maybe this is different in the US, but _anyone_ with shady friends here could
figure out how to fence a stolen phone. It's really not nearly as exclusive as
you might think. I personally know two people to whom I could offload a stolen
phone (whom I came into contact with via my elementary school, of all places),
and I am very, very, very far from being the kind of person that needs to
steal phones in order to subsist. The hardest crime I ever did was to give my
friend a USB key with mp3s of Akon in 2011.

And even if it wasn't the case, do you really think a crackhead would not try
to steal a phone anyways? Of course they would, and they could probably figure
out a way to fence it for $20 or so. They just don't want to because stealing
something that is either in your pocket or in your hands 24/7 is way too much
risk for way too little reward.

------
biktor_gj
Well, probably this was the result of some corruption of a parameter in the
flash. In the early days of the Samsung Galaxy phones, if you broke part of
the efs partition the modem couldn't read the IMEI and would fall back to a
generic one. This looks quite the same.

Though with 13000 devices affected either it was a problem in manufacturing or
someone in the Service Center was not doing the job too well...

~~~
ndesaulniers
I've done "First Articles of Inspection" (FAI) for Pixel phones at the factory
where they're being made. Basically take the very first handful of devices off
the line after software provisioning and run them through a litany of software
checks, including that the IMEIs are unique. Then we do this for another bunch
of random samples. The factories are unique experiences.

Hard to imagine for me how this could have happened. I don't know precisely
how IMEIs are provisioned or stored, but I suspect they can be changed in
software.

Trying to sell a used phone online is tricky. Legitimate buyers may want the
IMEI to check it's not a reported stolen phone. Illegitimate buyers may want a
known good one to replace one on a reported stolen phone.

Carriers can blacklist IMEIs from their network (that's a threat they use for
certification; they want to make sure families of devices are well behaved).

One of my phones was blacklisted from a carrier a few years ago. They said it
was reported stolen. I brought them the receipt; I bought it new in box. They
said it was reported stolen by a carrier in a foreign country. I'd been there,
maybe ten years earlier, and never with that phone. The local carrier I was a
customer of said they couldn't remove the block, since it was reported stolen
by a foreign carrier. Seems fishy how carriers work together to ban IMEIs but
do nothing to verify reports of stolen devices.

I'm not sure carriers would ban this IMEI if it's tied to 13.5k phones, but
I'm sure they're not happy.

------
RyJones
If you buy cheap Bluetooth OBD-II dongles, you'll find they all have the same
addresses. That's why you can't buy two dongles and use them in two cars
without re-associating each time, for instance.

If you buy the $150 dongles, they have valid addresses like you would expect.

------
OliverJones
Picking a fight with a national telecom regulatory authority from a country
other than your own seems like a poor business choice. Their customs people
will seize all your products and Boston Tea Party them. They'll probably keep
doing that even after you fix the problem.

I wonder: is there a dialect of English in India in which this post follows
rules of grammar? I found it uncanny-valley hard to read.

~~~
rajup
Nah, it's just poor grammar.

------
mindslight
Very nice! I presume the phones still work too, otherwise this would have been
caught much sooner. The existence of the IMEI is, at this point, a deliberate
security flaw that has been pushed onto us by governmental standards bodies,
and cemented into law. A secure mobile protocol would not have fixed
identifiers, and would instead identify endpoints with a nonce that rotated
over time and base station.

~~~
sudosysgen
Indeed. There is no valid technical reason for IMEIs to be unique, except for
already very tenuous anti-theft perpetuation which is really a very minor
factor.

~~~
mschuster91
Not to forget the surveillance stingrays. They (and dragnet data fishing)
become useless with rotating device identifiers.

~~~
opless
Stingrays tend to capture both IMEI and IMSI. This is GSM, which is used by
99% of the world.

IMSI then can be taken to the carrier and the account holder details will be
released by a warrant.

An IMEI (which in most countries is illegal to change/clone) only identifies
the hardware.

So swapping SIMs between phones doesn’t help to do anything apart from
identifying a number of phones that you have access to.

3/4/5G phones will always drop back to 2G if they see a 2G service whilst the
3/4/5G frequencies are jammed.

So you need to realise that phones by design are tracking devices, and stock
up on those burner phones and never switch them on near your home :)

~~~
sudosysgen
In truth though, it is not very difficult to get a hold of an IMSI that does
not refer to you, via anonymous SIM cards you can get a hold of in a few
different ways. And it is not very difficult to find the maintenance service
menu of your phone and disable everything except 4G and 5G either. However, it
is much simpler to just leave your SIM card at home and use other means of
access :)

~~~
opless
Not all phones have access to baseband controls, and I’ve never seen a “turn
off 2G” option, but yes you can turn off 3/4G.

It’s easy to get a burner phone in some countries, but in many you need a
passport or government-issued ID to even get a prepaid SIM! Let alone a phone!

Governments really don’t like citizenry to be anonymous.

~~~
sudosysgen
For example on my LG V30, I can go to the dialer and enter:

    *#*#4636#*#*

I can then go into "Phone info" and set the radio to "LTE only" or
"LTE/WCDMA", and if there is no 2G/3G/etc. I will not have any service.
[1]

This also works for most Android phones, with small exceptions.

[1] : [https://ibb.co/JvZVHXF](https://ibb.co/JvZVHXF)

~~~
opless
Also there are other ways of leaking your IMSI, EAP-SIM and carrier wifi for
example.

No idea yet how widespread the implementation is as I’m teaching myself all of
this in my spare time!

~~~
sudosysgen
EAP-SIM and Carrier WiFi are also not very difficult to disable. In any case,
an IMSI leak is not as bad as an IMEI leak.

~~~
opless
Also ... define “not difficult to disable” when it’s not exposed in the UI.

A *# code doesn’t count here also ;)

~~~
sudosysgen
For me, not difficult to disable means that it takes less than 15 minutes to
do so; difficult to disable would take hours and require specific knowledge.

------
jokoon
Isn't that some high level kind of fraud? At the same time, I think it would
easily be caught, so I'm a little confused if it's incompetence or maybe a
mistake?

Does that mean they bribed somebody working at a factory? I'm not sure what
could be gained by this. Having an "untraceable", replaceable phone? Wouldn't
those be easily blacklisted once it's discovered?

------
dingle_thunk
Soo what happens if someone reports this IMEI as stolen? Does it take down
15300 phones?

------
diminish
Do we really need IMEI or SIM Cards?

- Some countries use IMEI for tracking & disallowing certain phones bought in
  some other country.
- SIM Cards also seem to just create problems for people.

~~~
zamadatix
IMEI is only needed if you want to track hardware. Physical SIMs are not
needed (and eSIM is a thing now) but some form of the "Subscriber Identity"
part of SIM is needed unless you are operating the carrier for free to all
with a phone.

------
xsmasher
Not surprising; this isn't the first time a hardware manufacturer has screwed
this up.

At a mobile game dev company we had a hardcoded list of bogus IMEI numbers. If
a device returned an IMEI that was on the blacklist, we'd use another method
to identify the device.
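Added example, not code from the thread, from Vivo, or from any game studio or factory line: the two checks described above in working Python, namely the factory-side "IMEIs are unique" check ndesaulniers mentions and the known-bogus-IMEI fallback xsmasher describes. The IMEI check-digit arithmetic is the real Luhn scheme the 15-digit IMEI uses; the bogus list, the fallback install ID and the batch of device records are constructed for this example. Note that the all-zeros IMEI passes the Luhn check, which is why a list of known placeholders is needed on top of the arithmetic.

```python
"""IMEI sanity checks: Luhn check digit, known-placeholder list, duplicate
detection across a batch of provisioned devices, and a fallback identifier
for app-side device identification. (Example code; lists and sample data are
constructed, not taken from any vendor.)"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder list for this example. "000000000000000" is worth
# keeping in such a list because it is arithmetically a valid Luhn string.
KNOWN_BOGUS_IMEIS = frozenset({
    "000000000000000",
    "111111111111111",
    "123456789012345",
})


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for a 14-digit IMEI body (TAC + serial)."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for pos, ch in enumerate(body):
        d = int(ch)
        # The digit just left of the check digit is doubled, then every second
        # digit going left; in the 14-digit body those are the odd positions.
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_well_formed(imei: str) -> bool:
    """True if the string is 15 digits and its last digit is the Luhn check."""
    return (
        len(imei) == 15
        and imei.isdigit()
        and luhn_check_digit(imei[:14]) == int(imei[14])
    )


def classify_imei(imei: str) -> str:
    """'bogus' (known placeholder), 'malformed' (length/check digit) or 'ok'."""
    if imei in KNOWN_BOGUS_IMEIS:
        return "bogus"
    if not imei_is_well_formed(imei):
        return "malformed"
    return "ok"


def choose_device_id(reported_imei: str, fallback_id: str) -> Tuple[str, str]:
    """App-side choice: key on the IMEI only if it looks trustworthy, otherwise
    on a fallback such as an app-generated install ID (hypothetical here)."""
    if classify_imei(reported_imei) == "ok":
        return ("imei", reported_imei)
    return ("fallback", fallback_id)


def find_duplicate_imeis(batch: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Factory-style uniqueness check. batch yields (serial, reported_imei);
    returns {imei: [serials]} for every IMEI reported by more than one unit."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for serial, imei in batch:
        seen[imei].append(serial)
    return {imei: serials for imei, serials in seen.items() if len(serials) > 1}


# Constructed sample batch: serial numbers and the IMEI each unit reported.
SAMPLE_BATCH = [
    ("SN-0001", "490154203237518"),  # valid Luhn
    ("SN-0002", "352099001761481"),  # valid Luhn
    ("SN-0003", "490154203237518"),  # same IMEI as SN-0001
    ("SN-0004", "000000000000000"),  # placeholder that passes Luhn
    ("SN-0005", "352099001761482"),  # wrong check digit
]


if __name__ == "__main__":
    for serial, imei in SAMPLE_BATCH:
        print(serial, imei, classify_imei(imei))
    print("duplicates:", find_duplicate_imeis(SAMPLE_BATCH))
```

Running the script reports SN-0004 as bogus and SN-0005 as malformed, and flags 490154203237518 as shared by SN-0001 and SN-0003; the same `find_duplicate_imeis` pass over a full production run is what would have caught one IMEI on thousands of units before shipment.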

------
demarq
Another programming assumption gone.

