IMEI Security

Paul Gosden
Director of Devices & Smart Card Groups, GSM Association April 24, 2009
Restricted - Confidential Information GSM Association 2009

International Mobile Equipment Identity (IMEI)

IMEI - a 15-digit decimal number used to identify equipment when it is used on a GSM/3G mobile phone network. IMEI must be unique Manufacturers must ensure no duplication of IMEI. The GSM Association (GSMA) is responsible for allocating IMEIs, and records all of the IMEIs that it has allocated in its IMEI database. The IMEI database stores basic information associated with the IMEI: manufacturer name model identifier some technical capabilities (e.g. frequency bands, power class)

GSM Association 2009

IMEI Database

Access to GSMA members (GSM/3G network operators across the world and to qualified industry parties), regulators and police Network operators use the data to determine types of devices being used by their customers, and what features they support, so that they can offer and support the latest services to these customers. Also supports a "black list: IMEIs associated with GSM/3G equipment to be denied service because lost, stolen, faulty or otherwise unsuitable for use. a central system for network operators to share their individual black lists so that devices denied service (blacklisted) by one network will not work on other networks.

GSM Association 2009

IMEI Format

RRXXXXXXYYYYYYA Type Allocation Code (TAC) = RRXXXXXX (allocated by body appointed by GSMA) RR identifies the allocating body Serial Number = YYYYYY (allocated by manufacturer) Check digit = A (calculated by manufacturer) Allocating bodies RR = 01 = PTCRB / CTIA RR = 35 = BABT RR = 86 = TAF (China) RR = 91 = MSAI (India) RR = 98 = BABT for multi mode 3GPP/3GPP2 equipment RR = 99 = TIA for multi mode 3GPP/3GPP2 equipment
GSM Association 2009

Mobile Phone Crime

GSM and 3G devices are subject to theft Mobile phones are used in criminal activities GSMA IMEI database is used as a tool to combat crime by identifying individual phone types and black listing. The GSMA co-operates with police forces around the world. Many mobile network operators deploy Equipment Identity Registers and black lists in their networks and connect them to the IMEI DB as a means of reducing phone crime. There are over 40 operators connected to the IMEI database from: Belgium, Germany, Norway, Chile, Greece, Portugal, Cyprus, Hungary, South Africa, Czech Republic, Ireland, Spain, Denmark, Italy, Sweden, Finland, Kenya, United Kingdom, France, Malta Some countries have made changing IMEI without manufacturers authority a criminal offence, eg UK
GSM Association 2009

Current Problems

GSM/3G equipment with no IMEI Manufactured with an all-zero IMEI GSM/3G equipment with the same IMEI Allocation of IMEI by unauthorised organisations by manufacturers who do not apply to GSM Association or organisations acting on their behalf by unauthorised organisations claiming to represent the GSM industry The above makes it difficult to black list individual mobile phones to help prevent mobile phone crime

GSM Association 2009

Terminals with no IMEI

IMEI applications have been received from established GSM manufacturers, applying for IMEI for the first time, having manufactured GSM phones for several years Reasons given included the market did not require IMEIs before Current problem markets: India

Estimates of 25,000,000 GSM handsets with no IMEI have been reported

Middle East Africa

GSM Association 2009

Terminals with the same IMEI

TAC 13579024 has not been allocated by the GSMA IMEI 135790246811220 has appeared on several UK crime reports Black listed several times by UK networks only to be unblocked by another network sometime later A service provider has collected figures about subscribers handsets with this TAC (over 1,300,000 handsets with TAC 13579024), eg Afghanistan: 75687, Bangladesh: 302206, Algeria: 11171, Dominican Republic: 1687, Kenya: 24378, Jordan: 23360, Pakistan: 545883, Egypt: 324964, Niger: 14598, Tunis: 31524, Uganda: 3021 In Australia, 6,500 handsets with IMEI 135790246811220. The network operator has been instructed to block this IMEI and is trying to find the legal requirement that handsets must have a unique IMEI as justification for blocking these handsets from the network.
GSM Association 2009

Terminals with unregistered IMEI

In Uganda, a network operator has reported that the number of TACs on its network that are not in the GSMA IMEI database is greater than the number of TACs registered in the GSMA IMEI database

GSM Association 2009

Regulating IMEI

A single, unique IMEI allocated by the GSM Association, or by an organisation acting on its behalf, and recorded in the IMEI database, aids law enforcement agencies If the requirement for a unique IMEI allocated by the GSM Association, or by an organisation acting on its behalf, were a regulatory requirement, then network operators can justifiably refuse to connect equipment for which the IMEI is not registered in the GSMAs IMEI database and would encourage the use of properly allocated IMEIs

GSM Association 2009

Proposal

Formally recognise within a European Commission Decision the organisation responsible for IMEI allocation: the GSM Association and organisations appointed by the GSM Association to act on its behalf Make the requirement for a unique IMEI an R&TTE Directive Article 3.3 (d) requirement Create an R&TTE Directive Article 3.3 (d) Harmonised Standard Define the IMEI requirements in the Harmonised Standard

GSM Association 2009