Burner Phone 101
70 comments
August 20, 2025
schoen
eduction
Stellar reasoning.
Did you ever get to the point of hypothesizing good ways to align incentives to make this happen? It is hard to tell (having not thought much about it) whether this is a “smart well meaning engineers need to make new standards” problem, a “we need to harness the power of corporate greed problem,” or something else.
mikeytown2
If you need to communicate with people in your area and not be tracked, MeshCore software with LoRa hardware like this https://lilygo.cc/en-ca/products/t-lora-pager is something to consider. Text only, completely offline.
greesil
Yes!!! I've been wanting to make something like this for a long time. But unless the firmware is open source I wouldn't trust this for anything secure. But this looks like a dev kit so I can do whatever I want.
lm28469
There are other alternatives https://meshtastic.org
mikeytown2
It's mostly open source. https://github.com/meshcore-dev/MeshCore They have a couple minor things that are paid features.
XorNot
If you need to do this then start by figuring out why you need to do it, and adjust your approach to your threat model.
Because the most significant evidence we have lately is that in-person meetings or dead drops and other low tech means are how you avoid being tracked.
Turning on any sort of radio transmitter is just turning on a big flash light into the sky.
Turning on anything relatively uncommon is even worse: normal people have cellphones and use them. They don't use LoRa devices, there aren't a lot of LoRa devices and someone who only uses LoRa devices will stand out in any dataset.
nickthegreek
> Because the most significant evidence we have lately is that in-person meetings or dead drops and other low tech means are how you avoid being tracked.
How many cameras did you just go by? Did you have your cell phone on you? How many networks did it connect to? How many Bluetooth broadcasts did it passively send out? Not being tracked and being in public are slowly becoming an untenable duo.
Eisenstein
Except that your texts go out to everyone on the mesh network.
supersour
These look pretty fun, have you played with them much? What kind of range can you get?
mikeytown2
Range is line of sight. If you can see it, even if 100 miles away, odds are it'll work. The Seattle area has one of the better networks for MeshCore. Tacoma to Vancouver BC is the range for semi-reliable messaging.
hypercube33
Don't the different frequency bands change that a lot? iirc these are all lower frequency so they can cut through foliage better than say 5ghz wi-fi
bronco21016
I’ve tried them on snowmobile trails. With the vegetation the range was about a mile.
Range can be 100+ miles though if you can establish line of sight. Depending on the scenario, a high elevation repeater could give several mobile devices pretty significant range.
Ccecil
One thing I didn't see covered is to never have your "real phone" and your "burner phone" on you (or in the same location) at the same time while powered.
Easy enough to say "Gee...these 2 phones are always together or nearby when activated" or "this phone shuts off right before this one powers up".
Although, I suspect there are a few other ways to determine identity easier. Such as tracking the device identifier and then looking up nearby public facing cameras.
theothertimcook
In many countries you need a valid government ID document to activate a mobile service which means burners do not really exist in those places.
Unless you bought a Pixel, GrapheneOS'd it and then paid a homeless person to activate a pre-paid data-only SIM which you would top up with vouchers paid in cash and used a VPN and an international VoIP service…
A lot of effort though
tim333
Silent Link eSIMs are quite good for getting your phone to work in any country or network. I have one, not for privacy but more for better phone coverage, and it works pretty well. No ID and you pay in crypto - BTC/Monero etc. (https://silent.link/)
For me the main use is that I'm on o2 in the UK, but if in some dead spot with no signal I can flip the sim settings and connect via EE or whatever.
CryptoBanker
>For me the main use is that I'm on o2 in the UK, but if in some dead spot with no signal I can flip the sim settings and connect via EE or whatever.
Why not just get an EE SIM if that's your main use?
asyx
Not from the UK but in Germany we have the same issue where there is T-Mobile (best coverage), Vodafone (good coverage) and o2 (worst coverage) and there are simply some remote areas where anything but T-Mobile doesn’t have coverage.
And the easy answer is that T-Mobile, or rather the parent Telekom, is a terrible company best known right now for getting the government to agree that they can cancel your existing internet contract to make switching easier when they want to catch you as a fiber customer. But actually all they're doing is sending a marketing company around Germany (Raider Marketing) to lie to your grandma to sign contracts for the Telekom, or just cancel your existing internet contract because they think with a bit of pressure they can get you to sign up with them.
Alternatively, they are also known for the worst peering in existence because they have the crazy idea that they can charge tenfold what other ISPs take for peering because they are the Telekom…
In summary, the Telekom is such a terrible company that I’d rather not give them any money and if I needed T-Mobile coverage I’d rather get a foreign eSIM and rely on roaming than giving them a single cent.
rootsudo
True on the government ID document, but most of the time the portal to activate would allow any sort of numbers as long as they were in a proper format - whether or not they were valid.
These allow for self-activation, have a lockout of 5 failed attempts or so, and can be done via SIM card codes (not SMS, but you interact with a program on the SIM card and low-level carrier services).
blitzar
Just track the hardware. A couple of days of normal usage and you should be able to assign a 99% probability to you being the owner of that phone.
eptcyka
You should never turn on your burner in a place where you use your regular phone, duh.
SoftTalker
Even using it in the same city would only require time and maybe a bit more correlation to identify an individual.
XorNot
And yet realistically you also probably don't turn it on except when you're within about 50 miles of your home.
And this is while you're flagging yourself heavily by (1) using a phone which is easily identified as a burner and (2) using it intermittently which means you're trying not to be tracked.
So you've already substantially identified yourself in any dataset.
forgotusername6
I was surprised when a SIM I purchased on Amazon was not only able to connect in China but was also able to bypass the great firewall. I wonder how these travel sims get round the government regulations.
kelnos
It's because the government regulations only apply to Chinese citizens. My first trip to China was back in the '00s, and I went for work. I was also surprised to find that my home SIM worked just fine there without any interference from the Great Firewall.
Roaming works somewhat unintuitively from what you'd expect. You do indeed connect to the local mobile network, but all of your data traffic is tunneled back to your home wireless provider's PoP. I realized this once I checked what websites I was visiting saw as my public IP address, and it was an address from a network in Texas!
So China's Great Firewall can't actually inspect or block your traffic while you're traveling and using roaming on your home mobile network's SIM. It's all sent over the equivalent of a VPN to your home soil before going out to the public internet. This is why latency can be pretty bad while roaming.
numpad0
They just don't enforce the exact same restrictions on roaming users. I suppose there are risks of tourists spilling the beans, so to speak, they just don't view that as a severe unmitigated risk.
julcol
When you ROAM, your traffic abroad is routed to your home country (for security reasons among other things) and then off to the internet from there. You can check that your public IP, when roaming, is an IP from your cellco... unsure if there are any changes with 5G though.
You are not bypassing any firewall as your traffic is actually happening at home. If you access local sites, traffic is coming from home.
4gotunameagain
> which means burners do not really exist in those places.
This is very wrong. In Germany you can go to any shady kiosk in a big city and buy a pre activated SIM card invariably registered to some Arabic or Pakistani name.
You can buy it in cash. Completely untraceable if you take care of CCTV.
breppp
Going to buy a prepaid SIM registered under an Arabic name in Europe is probably the safest way of getting traced by a government.
cedws
IMEI + cell tower triangulation easily makes it traceable. If the authorities want to find you, they can.
lazide
Once they know to look for you, sure, which is why you use a disposable phone and actually dispose of it before anyone has a reason to look for that specific one. That’s literally the whole point.
They might go and ask Achmed some hard questions later, but he's long since left the country and never met you anyway.
Phelinofist
How does GrapheneOS help in that?
kelnos
It doesn't specifically help with obtaining a SIM without presenting ID, but it does help make it easier to avoid later leaking your true identity to Google/Apple/etc. once you start using the phone.
hopelite
Seems like an excellent business model for the homeless.
girvo
> Buy phone & service in cash
Step one is already difficult here in Australia: to do so you must hand over your personal details and ID. At least that was true for anything with a SIM card for sale back in the 2010s
So the “step 0” was “find a retailer who didn’t follow the rules”, and they’d usually be a corner store selling handsets or SIM cards by the bucket load to all sorts of interesting characters
metadat
eSim erodes privacy? Well, that sucks, because how long until Apple, Samsung, and Google decide the Sim slot should go the way of the 3.5mm headphone jack?
neilv
Kudos to this article for:
1. starting with threat modeling (though they don't call it that);
2. mentioning that your OPSEC affects not only you but also people connected to you; and
3. mentioning that maybe you should just leave the device at home (because it's basically a surveillance machine that you pay for).
(A more common article format would be to unload a pile of supposed security&privacy measures without putting them into context, and wouldn't properly set expectations for what that gives you. Neither of which is very helpful, and can be very counterproductive.)
torcete
I have the feeling that whenever you are at an airport (and maybe railway stations too) they cross your IMEI with the boarding pass info. I believe that in the UK police use some middle-man towers, whose name I have forgotten, to collect as much data as possible.
vaylian
You are probably thinking of a stingray https://en.wikipedia.org/wiki/Stingray_phone_tracker
h4ck_th3_pl4n3t
While I like the sentiment of the article, I think most people are not aware of how hostile baseband firmwares are implemented on most SoCs that phones come with. Usually the cell tower handshakes that make you trackable can't be put off, meaning the modem will run in sleep mode even when you are in airplane mode (which is kinda funny considering the dangers of air travel, right? Right?).
Are there actually smartphones without an IMEI and with a Wi-Fi card only, preferably not a Broadcom one?
userbinator
> meaning the modem will run in sleep mode even when you are in airplane mode
AFAIK this is not true at least for the Mediatek 65xx and early 67xx platforms; I've analysed the firmware and hardware on those. They actually power off the modem and rest of the RF system when in airplane mode. The modem only boots up and starts searching for a signal when you take it out of airplane mode, which is why it takes a noticeable time (10-30 seconds, depending on how many bands are enabled) to get a signal. If your phone goes from airplane mode to having a signal and immediately capable of calling, then I suspect it's one where the modem is not truly turned off.
I haven't inspected Broadcom, Qualcomm, or Spreadtrum in any detail to say whether they do things differently.
> Are there actually smartphones without an IMEI
Look for a "tablet" or anything else without the word "phone" in it if you just want a touchscreen portable computer. An IMEI is obligatory to connect to cellular networks, in much the same way as a MAC address is to Ethernet and WiFi.
arendtio
As far as I remember, the whole 'turn off your phone on a plane' was just a precautionary measure and is not a real technical problem nowadays.
The risk was that mobile networks could not handle moving many devices from one cell to another at high speeds (during takeoff and landing).
SahAssar
How would that be different for trains? Trains would have similar numbers or more devices, moving at a similar speed (for high speed trains compared to planes at take-off/landing).
kelnos
I think part of the issue is that cell tower antennas are designed for talking to devices on the ground or at very low altitudes (like those you'd experience in a tall building). So a cell tower's capacity for talking to lots of somethings directly above it, thousands of feet up, is much lower than talking to lots of somethings below it or adjacent to it.
reaperducer
> As far as I remember, the whole 'turn off your phone on a plane' was just a precautionary measure and is not a real technical problem nowadays.
My memory is that it was necessary at the time when lots of people started taking phones on airplanes because the wiring/navigation wasn't shielded against a transmitter that might be actually inside the aircraft.
Since then, plane electronics are better insulated making it less of a problem.
tonyarkles
There are another two issues that aren’t technical, which are starting to come up again now that Internet access is rapidly becoming available and good onboard aircraft:
- People not paying attention to/ignoring the instructions of the FAs during safety briefings and emergencies due to being engaged in a phone call.
- People being assholes and talking on the phone, bothering the person stuck in the seat next to them.
On all of the flights I’ve been on recently the preflight brief has been crystal clear that you can do whatever you want on the internet connection except have voice calls.
KeybInterrupt
You might be looking for an android based Media player device.
But they are likely not ideal for the use case...
reaperducer
> Are there actually smartphones without an IMEI and with a Wi-Fi card only, preferrably not a Broadcom one?
Maybe an old iPod Touch that can still run a VOIP program?
madethemcry
Can you please give any sources? While it sounds plausible and interesting it's nothing more than a wild conspiracy theory without some background information.
h4ck_th3_pl4n3t
Buy a Broadcom smartphone. Turn Bluetooth off, and set it to airplane mode. Then Bluepwn your device, with Bluetooth turned off.
Funny how airplane mode didn't work.
That's just one of the quirks. Baseband and what Qualcomm is tracking is way worse.
I recommend buying an old Motorola Calypso device and fiddling with osmocomBB; you can DIY an IMSI catcher pretty easily. And you'll be mind-blown how many class 0 SMS you'll receive per day, just for tracking you. Back in the day you could track people's phones remotely, but the popularity of HushSMS and other tools made cell providers block class 0 SMS not sent by themselves.
This wiki article is a nice overview: https://github.com/CellularPrivacy/Android-IMSI-Catcher-Dete...
mjg59
You made the assertion that basebands remain in contact with towers even in airplane mode, and so can be tracked. Someone asked for supporting evidence for that claim. You've responded with examples and links to different issues. It's a fairly extraordinary claim (it's not one I'd heard before - it's clear that other radios may remain alive for various purposes even when airplane mode is switched on, given that you can use wifi and bluetooth on planes, but you're the first person I've heard make this claim about the cellular radio), and you haven't provided any evidence to back it up at all.
kelnos
Saying more words and then linking to a page from an IMSI catcher's wiki (where it doesn't talk about radio on/off states) isn't exactly "providing sources".
aja12
A baseband SoC running its own OS independent from Android/iOS and staying asleep (while still listening for incoming signals) is very much no longer in conspiracy theory territory and more an established fact now. I don't have the source at hand but it's in one of the standards. And the purpose is very clear: LEAs like Interpol must be able to locate any IMEI at any point if in tower range, regardless of the power state of the "main" OS.
dahart
I don’t doubt SoCs have their own micro-OS, but I too would love to see a reliable source showing phones connect to towers when powered off. Wouldn’t this, at a minimum, violate FAA/EASA rules? Google tells me the cellular radio in an iPhone has no power when in airplane mode or when off.
escaine
Surely this is really easy to prove by putting a phone into an anechoic chamber and using a spectrum analyser to show that it's still TXing?
pdesi
Even in airplane mode?
tenacious_tuna
> Radios off (GPS/Wi-Fi/Bluetooth) unless needed
GPS is a passive technology, no?
Downloading GPS assist data obviously isn't, and plenty of phones use wifi scanning as a way to augment GPS position fixes, but this seemed a strange callout. Am I missing something?
netrap
If the phone is confiscated it could be saving GPS automatically, I guess.
kelnos
This stood out to me as odd from the article too, but that's definitely a plausible explanation.
I could easily see a phone with some sort of location tracking saving GPS data points internally until it can reach a network again to send them out.
fortran77
The Dumbphone Finder (https://josebriones.org/dumbphone-finder) referenced there is useful, too, if you need to get a phone a 90-year-old person has a chance of being able to use.
neilv
> Strong PIN, not biometrics
And also be aware of "shoulder surfing", which is different today in 2 ways it wasn't in the past.
In the past, the risk was something like someone looking at you type in your PIN on a bank ATM, or maybe your password on a computer keyboard.
Today, shoulder surfing is mainly different in 2 ways: (1) near-ubiquitous high-resolution surveillance camera networks, which can be placed/scaled and capture images that humans practically didn't; and (2) with machine learning, they don't even need to see what buttons you press, only see movements of your arm.
(Randomizing button positions on a touchscreen can help, and also help fight forensics like traces your fingers leave for where they touch. But randomization means you need to be able to see your screen, which reduces the ways you have to hide your screen from the view of others.)
When I was working at EFF, I started writing (but never finished) a couple of essays along the lines of "the degree of trackability of mobile phones is an unfortunate accident, and we should fix it".
It basically comes from routing requirements (especially to receive incoming phone calls) combined with billing requirements (to make people pay for their connectivity) combined with the empirical requirement to see which base station a device is connected to, and which other base stations can see it at a given moment.
If you aggregate all of that data, then you know a (geographically moderate-resolution) complete history of where almost all people have been at almost all times, and patterns of their habits and whom they probably recurrently spent time with.
Not all of this data has to be collectable, because these things could be disaggregated by introducing different protocol layers. For example, you could pay the mobile company for data connectivity, but use cryptographic blinding mechanisms so that it doesn't know which specific subscriber obtained connectivity at a particular place and time. (Those blinding mechanisms could be implemented inside of SIM cards, so the SIM card's task is to cryptographically prove "I am a SIM card of a current paying subscriber of carrier X" rather than "I am SIM card number 42d1b5c0".) You could have device hardware IDs be ephemeral rather than permanent. Actual messaging and call services could all be "over the top" (as phone industry jargon puts it), provided by people who are not the phone company itself.
This disaggregation is a straightforward improvement from a privacy point of view because it prevents companies from knowing things about you that they didn't need to know in order to provide services.
Meanwhile, in the world we live in, we see governments trying to make it harder to make phones less trackable, by putting legal restrictions on changing hardware addresses, or requiring legal ID in order to establish service. I imagine that an additional cryptographic indirection layer in SIMs to prevent carriers from linking a permanent identifier to a network registration (or specific data use) would also be banned in some places if it were invented.
This shouldn't be inevitable. One thing that made me think about this was when there was a little scandal (which I was a small part of) about companies tracking device wifi MAC addresses for commercial purposes. There was a little industry that would try to recognize people and build commercial profiles based on recognizing that the same device was present (in fact, at the time, even if it didn't actually connect to the wifi -- because a typical wifi-enabled mobile device was sending broadcast wifi probe packets that included its MAC address). So Apple was like "this is a bad use of MAC addresses, which only exist to distinguish devices that happen to be on the LAN at the same time, and perhaps to allow network administrators to assign permanent IP addresses to specific devices", and they made iPhones randomize wifi MAC addresses for some purposes, mostly fixing that particular issue.
We could think just the same way about GSM networks: "these identifiers exist for specific protocol reasons; using them for device or user tracking is an abuse that should be mitigated technically".
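The blinded "I am a SIM card of a paying subscriber of carrier X" idea from the comment above, as an added worked example (not code from the original post or from any carrier): a toy Chaum-style RSA blind signature in which the carrier signs a blinded token at billing time, where it knows the subscriber, and any base station later verifies the unblinded token without the carrier being able to link it back. Key sizes, the billing table and the hash-to-group step are constructed for illustration; a real design would use a standard construction such as RFC 9474 blind RSA or an anonymous credential scheme.

```python
"""Toy blind-RSA 'proof of paying subscriber' credential (constructed example)."""
import hashlib
import secrets
from math import gcd

# Toy key: two Mersenne primes. Far too small for real use (constructed values).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the carrier

PAID_UP = {"subscriber-1234"}  # constructed billing table (identity known here)
issued_blinded = []            # everything the carrier ever sees at issuance time


def h(token: bytes) -> int:
    """Hash the token into Z_N (a simplified full-domain hash for the toy)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def sim_blind(token: bytes):
    """SIM side: pick blinding factor r and hide H(token) as H(token) * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (h(token) * pow(r, E, N)) % N
    return blinded, r


def carrier_issue(subscriber_id: str, blinded: int) -> int:
    """Carrier side: the billing check uses identity, but only a blinded value is signed."""
    if subscriber_id not in PAID_UP:
        raise PermissionError("account not paid up")
    issued_blinded.append(blinded)
    return pow(blinded, D, N)


def sim_unblind(blinded_sig: int, r: int) -> int:
    """SIM side: strip the blinding factor, leaving a plain RSA signature on H(token)."""
    return (blinded_sig * pow(r, -1, N)) % N


def network_verify(token: bytes, sig: int) -> bool:
    """Any base station: accept if sig is a valid carrier signature on H(token)."""
    return pow(sig, E, N) == h(token)


def carrier_can_link(token: bytes, sig: int) -> bool:
    """Carrier's linkage attempt: neither H(token) nor sig ever appeared in its records."""
    return h(token) in issued_blinded or sig in issued_blinded


def run_registration(subscriber_id: str = "subscriber-1234"):
    """Whole flow: pay (identified) -> register (anonymous). Returns (valid, linkable)."""
    token = secrets.token_bytes(16)  # fresh per registration, so registrations are unlinkable
    blinded, r = sim_blind(token)
    sig = sim_unblind(carrier_issue(subscriber_id, blinded), r)
    return network_verify(token, sig), carrier_can_link(token, sig)
```

Each registration uses a fresh token, so the carrier's billing record and the network's registration record share no common identifier, which is the disaggregation the comment describes.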