Every carrier stores your location under data retention laws.
They call it national security. We call it mass surveillance.
Privacy is not a privilege. It is a right they chose to violate.
The problem
Your Mudi broadcasts four unique identifiers every second. Each one is a thread. Pull any thread and you unravel the user: IMEI ties them to a device, BSSID pins them on a map, MAC links their sessions, client DB inventories their contacts.
Attack surface
IMEI
Hardware serial. Persists across SIM swaps. Retained by carriers. Links all identities to one device.
BSSID
In every beacon frame. Indexed by WiGLE, Google, Apple. Passive collection = GPS coordinates.
WAN MAC
Visible to upstream APs. Static across reboots. Correlates sessions across locations.
Client DB
Every connected device logged to flash. Seizure = complete device inventory.
Carrier GPS
LPP/SUPL/RRLP: carrier silently requests your coordinates. Modem responds without user consent.
System logs
syslog, dmesg, shell history. Device seizure reveals full IMEI change history with timestamps.
Countermeasures
| Vector | Exposure | Action |
|---|---|---|
| IMEI | Carrier tracking | Band-aligned TAC prefixes + Luhn-valid serial (random.choices, 10^6 keyspace) |
| BSSID | Geolocation DBs | Randomized every boot |
| WAN MAC | AP logging | Randomized every boot |
| Client DB | Device seizure | Shredded + tmpfs (RAM only) |
| Carrier GPS | Silent location | LPP/SUPL/RRLP disabled at boot via AT+QGPSCFG |
| Logs | Forensics | syslog, dmesg, shell history wiped at boot, after IMEI change, and at shutdown |
| DNS | Session correlation | dnsmasq cache flushed after IMEI change |
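The IMEI row relies on two properties: a Luhn-valid check digit and a 6-digit serial drawn with replacement. The Python below is an added example, not code from this page or from blue-merle: it validates an IMEI's check digit, splits it into TAC / serial / check digit (the standard 8/6/1 IMEI layout), and quantifies the keyspace difference between random.choices and random.sample that the entropy-loss fix in the Lineage section refers to. The sample IMEI is a constructed textbook value, not a real device.

```python
import math
import random
import string

# Added example (not from the page or from blue-merle). Standard IMEI layout:
# 8-digit TAC, 6-digit serial, 1 Luhn check digit = 15 digits.
TAC_LEN, SERIAL_LEN = 8, 6


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string (the first 14 digits of an IMEI)."""
    total = 0
    # Walk from the rightmost body digit: every second digit (starting with the
    # rightmost) is doubled; doubled values >= 10 contribute their digit sum.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of 10..18
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True when imei is 15 decimal digits ending in the correct Luhn digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str):
    """Split a 15-digit IMEI into (TAC, serial, check digit)."""
    return imei[:TAC_LEN], imei[TAC_LEN:TAC_LEN + SERIAL_LEN], imei[14]


def serial_keyspace(with_replacement: bool, n: int = SERIAL_LEN) -> int:
    """Distinct n-digit serials each sampling strategy can produce.

    random.choices draws with replacement: 10**n (the page's 10^6).
    random.sample draws without replacement, so no digit repeats: 10!/(10-n)!
    """
    return 10 ** n if with_replacement else math.perm(10, n)


def serial_has_repeats(serial: str) -> bool:
    """True when any digit occurs twice; random.sample can never produce this."""
    return len(set(serial)) < len(serial)


if __name__ == "__main__":
    imei = "490154203237518"  # constructed textbook value: body ...751, check 8
    print(is_valid_imei(imei), split_imei(imei))
    print(serial_keyspace(True), serial_keyspace(False))  # 1000000 vs 151200
    print(serial_has_repeats("".join(random.sample(string.digits, SERIAL_LEN))))
```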
Procedure
Deployment
Lineage
Fork of blue-merle (Security Research Labs, 2022)
Fixes: TAC/band fingerprinting (Issue #1), IMEI entropy loss (random.sample), syslog IMEI leak, carrier GPS tracking (LPP/SUPL/RRLP)