Description
The International Mobile Equipment Identity (IMEI) is a critical identifier in mobile telecommunications, serving as a permanent, factory-assigned serial number for a mobile station (MS). It is a 15-digit decimal number, structured into several distinct parts. The first eight digits constitute the Type Allocation Code (TAC), which identifies the device model and its manufacturer. The following six digits are the unique serial number (SNR) assigned by the manufacturer. The final digit is a Luhn algorithm-based check digit (CD), used to validate the sequence of the preceding 14 digits. The IMEI is programmed into the device's firmware or hardware during manufacturing and is not intended to be changed by the user.
From a network operations perspective, the IMEI is reported by the device to the network during initial registration and attachment procedures. The network can request the IMEI via specific signaling messages, such as the Identity Request in NAS (Non-Access Stratum) procedures. The serving network entity, typically the MME in LTE or the AMF in 5G, can then forward this IMEI to the Equipment Identity Register (EIR) or a similar network function. The EIR contains lists (white, grey, black) against which the reported IMEI is checked. This process enables the network operator to permit, monitor, or deny service based on the device's status, such as blocking service to devices reported as stolen.
The IMEI's role extends beyond simple identification. It is a cornerstone for lawful interception, fraud prevention, and device analytics. For lawful interception, authorities may use the IMEI to uniquely identify a target device for surveillance. In fraud prevention, operators use IMEI blacklists to disable stolen phones across their networks, significantly reducing the resale value of stolen property and deterring theft. Furthermore, aggregated IMEI data helps manufacturers and operators analyze device populations, model penetration, and plan for network technology support (e.g., gauging the number of 5G-capable devices on the network). Its standardized format ensures global interoperability, allowing a device's identity to be recognized and processed consistently across different operators and countries.
Purpose & Motivation
The IMEI was created to solve the fundamental problem of uniquely and permanently identifying the physical mobile equipment itself, independent of the user's subscription (which is identified by the IMSI on the SIM/USIM). Prior to its standardization, there was no reliable, global method for networks to identify device types or track individual hardware units. This limitation made it difficult to combat mobile phone theft, as a stolen phone could simply be used with a different SIM card. It also hindered accurate device analytics and made implementing device-specific policies or restrictions nearly impossible.
The introduction of the IMEI in 3GPP Release 99 provided a standardized, tamper-resistant identifier that is hard-coded into the device. This allowed for the creation of centralized Equipment Identity Registers (EIRs), where operators could share lists of stolen devices. A key motivation was to protect consumers and operators by reducing the incentive for phone theft, thereby enhancing overall network security. Furthermore, it enabled regulatory compliance for device type approval and provided a mechanism for network operators to manage device access, for instance, by barring devices that are not type-approved for their network or that pose a security risk.
Classification
Detected Changes Across Releases
from 3GPP Change RequestsSpecific changes extracted from the „Change history“ tables of 3GPP specifications (22 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the specifications introduced clarifications and corrections to the 5GS mobile identity IE, including resolving editor's notes on its maximum length and completing its definition in messages. The release also included a correction on the 5GS mobile identity IE name itself. Furthermore, it addressed the threat of terminal identity manipulation by acknowledging scenarios where users may modify a terminal's IMEI to gain unauthorized access to services.
- Storing of MPS indicator in non-volatile memory of mobile TS 24.501CR0123
- Clarification on UE identities used for registration TS 24.501CR0452
- Resolution of editor's note on maximum length of the 5GS mobile identity IE TS 24.501CR0503
- Completion of mobile identity IE definition in messages TS 24.501CR0574
- UAC - providing access identities for barring checks of AS triggered access attempts TS 24.501CR0577
- Correction on 5GS mobile identity IE name TS 24.501CR0766
In Release 16, a key update for the IMEI function was that it was explicitly defined as not required for User Equipment (UEs) that access the 5G system via non-3GPP access only. Furthermore, the release formally clarified support for both IMEI and IMEISV identity formats within the system specifications.
- Update of validity conditions for access identities 1 and 2 TS 24.501CR0851
- Clarifications on the validity of access identities TS 24.501CR0949
- IMEI not required for non-3GPP only UEs TS 24.501CR1348
- Re-ordering of text on the applicability of access identities TS 24.501CR1353
- Octet alignment for 5G-GUTI in 5GS mobile identity IE TS 24.501CR1583
- IMEI and IMEISV formats support TS 24.501CR1732
+ 2 more changes
In Release 17, specific enhancements were made to the IMEI function to address the threat of terminal identity manipulation, as identified in the security analysis. The release introduced clarifications for the use of UE identities within procedures like the Remote UE report, ensuring robust handling against masquerading attacks. Furthermore, it resolved encoding errors in identity information elements to improve the integrity of terminal identity data across the system.
- Fix of encoding errors in 5GS mobile identity IE TS 24.501CR2597
- Missing pending NSSAI and rejected NSSAI(s) for the failed or revoked NSSAA for no duplicated PLMN identities or SNPN identities TS 24.501CR3013
- Access identities when UE accesses SNPN using PLMN subscription TS 24.501CR4138
- Resolving the ENs related to the UE Identities used in the Remote UE report procedure TS 24.501CR4614
In Release 18, the IMEI function was enhanced to address security threats related to terminal identity manipulation, as identified in the threat analysis. The updates specifically account for the threat where users may modify the IMEI of a terminal to use it with a valid USIM for unauthorized service access. Furthermore, the release introduced considerations for equivalent Standalone Non-Public Network (SNPN) usage in the context of mobile identity selection and access identities.
In Release 19, the IMEI function was updated to address the specific threat of terminal identity manipulation, where users may modify the IMEI of a terminal to use it with a valid USIM for unauthorized service access. This builds upon the foundational security principles by explicitly countering active attacks that involve tampering with terminal equipment identities. The release also included general corrections to mobile identity handling within the 5GS architecture.
Explore further
Broader topics and technologies where IMEI plays a role.
Defining Specifications
3GPP specifications that define or reference IMEI, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TS 21.133 v1400 | 3G Security Requirements | Rel-5 |
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 22.022 vj00 | ME Personalisation Features for GSM/3G | Rel-19 |
| TR 22.944 vj00 | UE Functionality Split Scenarios and Requirements | Rel-19 |
| TS 23.171 v1300 | LCS Stage 2 Specification for UMTS | Rel-4 |
| TS 23.271 vj00 | LCS Stage 2 Specification | Rel-19 |
| TS 24.229 vj50 | IMS call control protocol based on SIP and SDP | Rel-19 |
| TS 24.259 vj00 | Personal Network Management (PNM) Protocol Details | Rel-19 |
| TS 24.484 vj30 | MCS Configuration Management | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 25.331 vj00 | UTRAN RRC Protocol Specification | Rel-19 |
| TS 25.413 vj00 | Radio Access Network Application Part (RANAP) | Rel-19 |
| TR 25.931 vj00 | UTRAN Signalling Procedures Examples | Rel-19 |
| TS 27.007 vj40 | AT Command Set for UE | Rel-19 |
| TS 29.172 vj00 | EPC LCS Protocol (ELP) specification | Rel-19 |
| TS 29.275 vj00 | PMIPv6 Mobility & Tunnelling Protocols Stage 3 | Rel-19 |
| TS 32.240 vj40 | Charging Management Architecture & Principles | Rel-19 |
| TS 32.250 vj00 | Circuit Switched Offline Charging | Rel-19 |
| TS 32.251 vj00 | PS Domain Charging Management | Rel-19 |
| TS 32.272 vj00 | Charging for Push-to-Talk over Cellular (PoC) | Rel-19 |
| TS 32.278 vj00 | Monitoring Events Offline Charging Specification | Rel-19 |
| TS 32.293 vj00 | Proxy Function in Domestic Service Provider | Rel-19 |
| TS 32.401 vj00 | Performance Management Concept & Requirements | Rel-19 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |
| TS 32.849 vd00 | IMS Roaming Charging Study | Rel-13 |
| TS 32.850 ve00 | IMS Charging Correlation Methods Study | Rel-14 |
| TS 33.107 vj00 | Lawful Interception Architecture & Functions | Rel-19 |
| TS 33.108 vj00 | LI Handover Interface Specification | Rel-19 |
| TS 33.401 vj10 | EPS Security Architecture | Rel-19 |
| TS 36.331 vj00 | LTE RRC Protocol Specification | Rel-19 |
| TS 41.033 ve00 | GSM Lawful Interception Interface Requirements | Rel-14 |
| TS 52.402 vj00 | GSM Performance Management Measurements | Rel-19 |