Index of Loop Work....

So, there are two different components to a phone:

1. The phone (IMEI)
2. The SIM (IMSI)

The value of the SIM is in being able to hack 2FA systems.
The value of the phone is for pure resale.

If someone doesn’t know you, then stealing the phone is mostly for its resale value. If someone is trying to hack your life (@mat style), then the value is in the SIM because that enables them to capture 2FA responses.

Note: for a thief, there’s probably slightly more risk in the SIM, in that it enables police to find them. If you watch modern TV shows/movies about people on the run, one thing the good shows will do is take out the SIM — because that’s what ties the phone to your account. While a powered-on phone that is not in airplane mode and has your SIM in it is in an area with coverage anywhere in the world, its home operator (e.g. AT&T) effectively knows where it is and can be asked to track it (which is pretty much exactly what you want to do if you’re trying to find your thief) — not to GPS accuracy levels, but with triangulation, to reasonable levels.

Once that SIM is removed, the phone no longer talks to your home network; it can talk to no network, or to the network of whichever SIM is inserted, and that operator has no reason to believe it’s stolen. There is an IMEI blacklist [1] (but do you know your IMEI? Your carrier should be keeping logs of it, but…).

It’s pretty hard for me to imagine the thieves described in this article as being interested in attacking the potential value of an IMSI; I’d expect them to just try to convert the phone (without SIM) into cash by selling it (sans SIM).

I’m not sure how well the IMEI blacklisting process works. An interesting DoS attack would be to report someone else’s phone’s IMEI as stolen.

Remember that it’s legal for you to sell your phone to someone else, so effectively an IMEI is transferable.
Similarly, it’s possible to change the name on an account and thus transfer the IMSI to another individual (or just add an “authorized user” or an “informally authorized user”).

* Verizon is/was special, in that while it runs a CDMA network, it has phones which don’t require SIMs, and instead it effectively binds the CDMA equivalent of the IMEI directly to your account.
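
One way a carrier could screen stolen-phone reports against the false-report DoS mentioned above, using the IMSI-to-IMEI logs the text says carriers should keep. This is an added example, not part of the original text or any carrier's real process; the log format, function names, decision policy and sample IMSI/IMEI values are all assumptions constructed for illustration.

```python
from typing import NamedTuple

def imei_is_valid(imei: str) -> bool:
    """True for 15 decimal digits whose last digit is a correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:            # Luhn: double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Attach(NamedTuple):
    ts: int      # time the network saw this SIM in this handset
    imsi: str    # identifies the SIM / subscriber account
    imei: str    # identifies the handset

# Constructed carrier log (hypothetical format; IMSIs use test MCC/MNC 001/01).
ATTACH_LOG = [
    Attach(1000, "001010000000001", "490154203237518"),  # subscriber A, phone A
    Attach(1100, "001010000000002", "352099001761481"),  # subscriber B, phone B
    Attach(2000, "001010000000003", "490154203237518"),  # another SIM, phone A
]

def review_stolen_report(reporter_imsi, reported_imei, log):
    """Return (decision, reason) for a request to blacklist reported_imei."""
    if not imei_is_valid(reported_imei):
        return ("reject", "malformed IMEI")
    own = [a.ts for a in log
           if a.imei == reported_imei and a.imsi == reporter_imsi]
    if not own:
        # The false-report case: the reporter's SIM was never in this handset.
        return ("reject", "IMEI never seen with reporter's SIM")
    others_since = sorted({a.imsi for a in log if a.imei == reported_imei
                           and a.imsi != reporter_imsi and a.ts > max(own)})
    if others_since:
        # Consistent with theft, but also with a legitimate resale, so a
        # person decides before the current holder is cut off.
        return ("review", "later used with " + ", ".join(others_since))
    return ("accept", "last seen with reporter's SIM")
```
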