I tried the private telephone network intended to hide your identity

0

Piracy. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reports on the dark underbelly of the internet.

On Friday, 5142 was the last four digits of my IMSI, the unique code linked to my SIM card, according to an app on my phone. This code is what telecom giants and surveillance providers often use to track phones, and by extension people, as they go about their business.

In the app, I then pressed a “Change ID” button. About a minute later, my IMSI had changed. The last four digits were now 5206, the app said. To third parties who may spy on IMSIs, such as those who use a suitcase-sized spying technology called IMSI catcher that detects unique codes in a certain area, or a network that might provide data related to this IMSI to the authorities, I might as well be a new person, depending on the capabilities of the device.

This is PGPP, or Pretty Good Phone Privacy, a new pseudo-telephone network that aims to add an extra layer of privacy on top of traditional heavy-duty telecommunications and surveillance networks. The tool certainly does not solve the privacy problem on phones as a whole – this problem is complex, with several parts such as the operating system, hardware, etc. – but it could help protect against the kind of persistent surveillance that everyone is subjected to by simply being connected to a telephone network.

In my testing, it looks like the service might be suitable for those who want to add an extra layer or two of protection to their data and identity when using mobile phone networks. PGPP probably won’t fully help against targeted attacks – the developers are clear that this is not the intention. But if you want something that lets you use phone networks a bit more comfortably, PGPP might be a nice option, albeit still in its infancy and sometimes buggy.

Do you know of any other privacy-focused phones or new ways to track phones? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox or email [email protected] .

“Our goal is to counteract the current bulk data collection in the network, which has focused on IMSIs and IPs,” said Paul Schmitt, a researcher at Princeton University and the originator of the PGPP with Barath Raghavan of the University of Southern California. The pair presented research on PGPP at the respected Usenix Security Symposium last year and have now deployed PGPP in beta. “We believe PGPP raises the bar for mobile privacy significantly,” Schmitt added. The pair offers PGPP under the company name INVISV.

On the user side, PGPP comes in the form of an application. A user downloads it, pays for a subscription, and then runs through a mostly automated setup process that downloads an eSim to their phone. An eSim is a digital SIM card; instead of having to place a physical card inside the phone, the device downloads all the necessary information online. From there, the user is connected to the PGPP network and can change their IMSI at will in the app a number of times per month, depending on their subscription. The Pro plan costs $90 per month and includes 30 IMSI exchanges per month with unlimited data, and the Core plan costs $40 which includes 8 IMSI exchanges and 9 GB of data. That’s it, you don’t pay a more traditional carrier extra.

There are many mobile virtual network operators (MVNOs), which are companies that sell telecommunications services but use the infrastructure instead of more traditional mobile network operators. PGPP is neither. Schmitt pitched it more as an eSIM app. INVISV is buying eSIMS from Telna, a Canadian-based telecommunications service provider, which in turn has agreements with mobile operators in various countries, Schmitt explained. Telna, for example, receives a pool of IMSIs from the Polish telecommunications company Play. When Motherboard started the Signal sign-up process, the app automatically filled in the number to receive a verification code with the Polish country prefix +48. Since phones on the PGPP network technically don’t have phone numbers, users would need to find another way to sign up for Signal on such a device (Raghavan said INVISV will add an incoming SMS-only service for this type of verification). The motherboard managed to download and receive multiple voice calls on Wickr, another encrypted app now owned by Amazon.

pgpp-app.png

Beyond the protections offered by PGPP around the IMSI exchange, the service comes with a second part that INVISV calls “Relay”. This is closer to something like Apple’s recently announced “iCloud Private Relay”, which sends users’ Internet traffic through two points before reaching the wider Internet, hiding users’ IP address and other information to third parties. iCloud Private Relay is only for users browsing the web in Safari and, of course, only applies to Apple devices. Meanwhile, PGPP’s passthrough “provides two-hop IP privacy for the entire phone,” Schmitt said.

“Like Apple, we’re partnering with Fastly for the second hop that comes out on the internet. With Relay, we wanted to create something that works and can be used by anyone and offers more protection than a VPN (since VPNs are architecturally centralized, not decoupled, so they are controlled by a single company with a single vantage point),” he added.

Together, the IMSI exchange and relay provide a set of tools that will generally increase user privacy on the Internet to some degree.

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content from our biggest stories.

If the federal government knocks on the door and asks for PGPP user data, INVISV says it won’t have much private information to provide in response to data requests.

“We have discussed this with our lawyers in preparation (we are too small to have lawyers on staff/in-house counsel) – our process is to assess whether the request is an actual legal order that we are bound by, and only if so do we proceed to the next step which is to review the contents of the command.We have very little information that we could provide, and a lot of this is related to the decoupling we have designed in the system,” Schmitt said.

INVISV is able to see partial information about credit cards and when the subscription was paid for, as part of their use of payment processor Stripe, Schmitt said. “But we don’t know any identifying information about the phone from which the subscription was purchased (the user can do this on a VPN, on a public WiFi hotspot, etc.).” Raghavan added that it is possible for users to pay with a prepaid card if they wish. These can be purchased with cash, creating another layer of obfuscation over the user’s identity.

“Common requests (as far as we know) from agencies are along the lines of “provide us with information about this IMSI | MSISDN [phone number] | IP adress.’ We don’t have useful information for any of these three,” Schmitt said.

Agencies might try to obtain information from other parties, such as the underlying telecommunications companies that have the infrastructure on which PGPP piggybacks. And finally, every device always has an IMEI. These are different from IMSIs in that they are a unique code built into every phone that, depending on the situation, can be used to identify a device.

“They’re likely to be able to get data that way [by going to the telecommunications companies]- more than we have – but we believe we have made bulk collection more difficult. Mobile operators sometimes ask for IMEIs to check against the stolen handset’s database, and this happens from the mobile core right to the phone’s baseband chip, which is outside of what we can control.” , Schmitt said, and added that for bulk tracking “IMSIs are currently used for this purpose, along with phone numbers (MSISDN). This does not mean that the IMEI cannot be used in this way in the future, but it takes a long time for large mobile operators to adapt to new technologies.

Karsten Nohl, a security researcher at SRLabs who has focused on telecommunications security, told Motherboard in an email: “The mobile network can still track based on IMEI.”

app-tray.png

Of course, PGPP does not deal with other data collection from mobile phones independent of the telephone network itself, such as those carried out by the Google Android operating system. In recent years, law enforcement has increasingly served so-called reverse location data warrants against Google, where officials request information about all devices that were in a particular location at a specific time. . This information is collected from Google itself and from Android’s location tracking capability.

So to mitigate this I then installed PGPP on a GrapheneOS phone. GrapheneOS is a heavily redesigned version of Android that removes much of the OS’s monitoring capability. By default, this also includes the Google Play Store, but users can download it to access apps if they wish. Raghavan sent me the APK of PGPP itself to install, so I didn’t have to grab it from the Play Store, but most users would have to do that or download it from a third-party site.

The only adjustment needed to run PGPP on a GrapheneOS phone was that I had to “enable privileged eSIM management”, a toggle in the GrapheneOS settings. Daniel Micay, who is behind GrapheneOS, told me that eSIM activation partly uses a Google service, but “it’s not a risk beyond the fact that they are aware that this device activates eSim” .

Asked about the benefits of PGPP more generally, Micay said he thought “it would only be helpful if you kept switching phones to get new IMEIs”.

Constantly swapping phones is an extreme position, however. For someone who wants to introduce additional friction so that a third party can identify their phone activity to their true identity, PGPP can still provide some of that.

“This is actually something I’ve wanted for a while, I’m on a data only plan from T-Mobile, but as many privacy advocates will point out, it’s not really helpful because of the IMSI tracking,” Lucky225, a phone phreak and privacy advocate who has previously found gaping security issues with telecom networks, Motherboard said in an online chat.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.

Share.

Comments are closed.