Alice bought a refurbished phone off ebay. It came from another far, far away country, but final shipping was US Mail tracked to their home address. In non-descriptive, undisturbed packaging. If they turn this phone on and connect to WiFi, and cell tower without SIM (emergency calls only), how are IMEI, WiFi MAC, and Serial Number tied to them personally? How quickly does it happen? Or was it already done by the post office or associates, by automated scanning with the phone off, like RFID? FYI, Alice is non-violent, but she wants to have phone calls and messaging not tied to her personally, during protests. Is it possible?
The usual answer: It depends on Alice’s threat model.
- The ordinary neighbor of Alice wouldn’t likely be able to identify anything.
- A local attacker could at least try to identify the specific WiFi chip in Alice’s phone to get its MAC address (e.g., evil twin attacks).
- An attacker with lots of time could permanently observe all wireless traffic in Alice’s neighborhood (e.g., Bluetooth, WiFi, LTE). This could lead to the connection of the WiFi chip and IMEI.
(What potentially happened during the transport of the phone is a wild guess.)
However, it could also be the case that the original phone manufacturer stores all serial numbers, hardware addresses, etc. of each manufactured phone in a central repository. If this is the case, then there is a direct connection between every single chip in the phone. If the attacker can access this repository and records of the GSM network operators, then it is likely easy to get Alice’s approximate location (IMEI). Combined with the local attacks shown above, a highly-motivated attacker would be likely able to pinpoint Alice if the phone is frequently in use (IMEI + other hardware addresses).
In summary, a script kiddie won’t be able to locate Alice. On the other hand, law enforcement agencies or other state actors could do this. However, there are lots of “if” statements here.