How to Create a Practical Burner Phone for the Average User
by gh057
Introduction
On January 31, 2022, the Internet Crime Complaint Center (IC3) released a Private Industry Notification (PIN) warning athletes and attendees of the 2022 Olympic Games in Beijing to "Keep their personal cell phones at home and use a temporary phone while at the Games1"
In essence, the IC3 is encouraging the use of what is commonly known as a "burner phone."
This is solid advice for anyone who is entering an untrusted environment or who requires personal privacy above and beyond basic common sense rules. However, how does one go about creating such a device?
When you hear the term "burner phone," what do you think of? Possibly some informant in a crime drama television episode phoning in a tip from the edge of the Hudson River and then throwing the phone in a nearby trash can? Burner phones are often depicted as a tool for those looking to evade law enforcement or to snitch on organized crime. However, they have many practical purposes for the average user and are legal to create and maintain. In this article, I will walk you through the steps to create and maintain a burner phone for when you need (or want) an extra layer of protection and privacy.
A Quick Disclaimer
I am in no way endorsing, encouraging, or supporting illegal activity or behavior.
None of the tips and techniques that I am outlining in this article will be a major challenge for law enforcement to overcome and should not be viewed as such. The intended purpose of this article is to give the average user knowledge needed to safely and effectively create a temporary mobile device, commonly referred to as a burner phone, for those times when they might be entering an untrusted environment or require personal privacy above and beyond basic common sense rules. Use of any knowledge gained from this article is at your own risk and discretion.
So... Why Do I Need This?
The devices that we carry with us contain so much more than just a bunch of phone numbers.
Unlike the phones from 30 years ago, our modern mobile devices contain our financial information, health information, contacts, likes and dislikes, and so much more; a virtual treasure trove of information which attracts both the good and the bad.
When you join a social media site, a public Wi-Fi network, or share your information at a conference, do you really know what happens with that information? Do you really know where that information is stored and who it is ultimately shared with?
The reality of our modern lives is that the only person that we can trust to truly protect our data is ourselves. Protecting our data does not just mean not posting it on social media sites. It also includes protecting data that is sent along with any websites that we visit or any services that we use. Having a burner phone enables you to put one level of separation between yourself and those you don't yet fully trust by utilizing a device that is not registered to you with accounts that are not attributable to you. Remember the old adage: "Trust, but verify."
So how does this help in an environment like Beijing?
With a burner phone, the assumption is that the phone will eventually become compromised, so you should keep your personal information off the burner phone and use temporary email addresses and social media accounts which, if compromised, will not impact you negatively; you can simply throw those accounts away and create new ones. Remember, it's called a burner phone because you can use it and then you can lose it.
Step 0: Wait, Do I Even Need a Burner Phone? Can't I Just Use an App with My Current Phone?
- Pros: Apps can be easily downloaded and you don't need additional hardware to use them.
- Cons: Apps installed on your personal mobile device have the same International Mobile Equipment Identifier (IMEI) and can be very quickly traced back to you or used to track you.
The easiest solution, of course, is to use an app (like Burner or Hushed) with the phone that you currently already have.
Depending upon you needs, this may be sufficient. If you're simply looking to create a solution so that you can maintain some level of anonymity when buying and selling through local online markets or when dating via social networks, this may be all that you need. However, when it comes to untrusted environments like the Olympic Games in Beijing this would be the worst choice. The device itself is still your personal device with your personal apps and personal usage history on it. Should something happen to that device, it is, as they say, "game over."
Step 1: Get the Phone
The very first step in creating a burner phone is getting the actual phone!
There are many places where you can obtain these devices and I outline some of them below with pros and cons.
An Old Phone You Currently Own
- Pros: It's free, it's immediately available, and you can start creating right away.
- Cons: Depending upon where you got it, the IMEI may be tied to you personally, which means there's still a chance that the phone can be traced back to you or track you.
Much like the app solution above, if you have an extra phone lying around, this is a pretty easy solution if it fits your needs.
However, when it comes to untrusted environments like the Olympic Games in Beijing, this would not be the best choice. Depending where you got the phone (i.e., were you the original purchaser and was the phone purchased new), the IMEI number can still be traced back to you and if you are easily searchable online, you can still be targeted. In addition to that, many services capture the IMEI number of devices to ensure uniqueness, meaning that even if you use the same device with two different accounts for a particular service, associations can be made. The whole idea of the burner phone is to subvert electronic identification.
Purchased New/Used From a Retailer
- Pros: It's new so you know that it will function the way that you expect and it has a return policy if you're not happy.
- Cons: It's not the cheapest route to go. There is a purchase history linking you to that device.
If you can justify the cost and you don't care that the purchase history of the device can be linked back to you, then this is a solid way to go.
You get the luxury of knowing that you bought a new device, one with an expected state of quality and functionality without having to risk your safety (discussed next). Phones purchased this way are typically more expensive then the next option since quality and functionality assurances can be made.
However, even if you pay cash,there is a purchase history linking you to this device, whether it's a receipt of the purchase or surveillance video of you entering the retailer at the time of purchase. If that is a concern, then this may not be the best option. Remember, outside of the purchase history, unless you associate the IMEI of this device with a preexisting mobile account, this device is not associated with you.
Make sure to follow the steps about purchasing a Subscriber Identifier Module (SIM) card below to keep it that way.
Local Online Marketplace (i.e., Craigslist)
- Pros: The device IMEI will not be linked to you, there is no purchase history if you pay with cash, and, if you use a burner phone app and/or burner email address for communications with the seller, there is little traceable sales history of the transaction.
- Cons: In recent years, Craigslist and other local online marketplaces have seen their fair share of crime associated with meeting a stranger in public. In addition, you don't know what was done with the phone prior to buying it.
The next better solution (and one that I have employed regularly) is to buy a device, only with cash, by way of a local online marketplace like Craigslist.
The device IMEI will not be associated with you or anyone you know, unless you have the awkward misfortune of finding out that the seller is actually someone you know. However, you don't know what was done with the device prior to you getting it, meaning, you don't know if the seller is lying to you about its condition, its repair history, if it was stolen, or even if it's truly unlocked. This said, in all my experiences of buying and selling online, I can count on one hand the number of times that I've bought a lemon from someone and it's never been with a mobile device.
A note to mention here is that these local online marketplaces have seen their fair share of crime associated with the transactions occurring from petty theft (i.e., "snatch and grab") to physical assaults. When meeting a complete stranger in public, you should always follow best practices for personal safety, no matter how nice the person seems to be.
Wait, What About the Device Itself? What Platform Should I Choose?
This is largely a matter of personal preference.
In general, the rule of thumb is that if you want to make heavy modifications to the platform, then Android is the way to go. However, if you want something that will generally have a fairly secure operating system out of the box and requires little modification, then iOS may be your best bet. In either case, the steps below, unless otherwise specified, will work for either platform.
Android Alternatives - A Quick Plug for CalyxOS
Google Android is an open-source platform.
Anyone can download it, make modifications, and create something new, possibly something with a greater emphasis on security and privacy. This was the goal of the team who built CalyxOS. If you like Android but would like something a bit more privacy focused, then I recommend CalyxOS. The platform is very stable and the flashing process is virtually painless. If you want to know more, visit the Calyx website (calyxos.org).
There are many alternatives to the standard Google Android platform out there, including Ubuntu Touch (ubuntu-touch.io) and GrapheneOS (grapheneos.org), which I've heard that a lot of folks like (you can find some of these alternatives listed here: alternativeto.net/software/calyxos)
I haven't experimented with many of these, but I encourage you all to try them out if you're curious. For the average user who prefers an easier setup process with sizable gains, CalyxOS is a great alternative to the standard Android platform.
Step 2: Obtain a SIM Card
There are a few key steps that are legitimately required in order to ensure that protection and privacy are maintained. I outline them below. The overall goal is to minimize how much association, if any, can be made between you and the purchase of the SIM card.
SIM Card Type Depends on the Phone... and Your Needs
There are two prevailing radio technologies: Code-Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM).
Most phones these days, especially outside of the U.S., use GSM. However, some U.S. carriers, like Verizon, also support CDMA. The SIM card that you buy will have to be compatible with the technology that the phone requires. In addition, there is a difference between SIM cards intended for 4G phones and those that are intended for 5G phones. Make absolutely sure that the SIM card you buy is properly matched to the phone you are planning on using.
Pre-Pay is the Way
Regardless of what the sales person tells you about the option being "more expensive" or "a pain to maintain," this is what you want to do.
For most burner phones, you only need their use for a short time, so having a prepaid solution makes sense. These solutions allow you to add more funds to them should you need to, or you can simply let that SIM card expire and buy a new one.
How Much Data? How Much Talk Time?
Remember what the intent of this device is.
This is an emergency "use when needed" phone. In other words, you shouldn't need to match your current personal usage with this phone. However, there's nothing stopping you if you wish to do that; you're just going to pay a lot more for it. Typically, a few hundred minutes of talk time and a gigabyte or so of data is plenty for a relatively short-term need and, of course as mentioned above, you can always add more funds to the prepay solution as needed.
Pay in Cash
This one is fairly straightforward and it should be noted that the same technique will be interwoven throughout this article multiple times.
If you pay for a SIM card in cash, then there is not an association between you, your credit card, and the purchase of the SIM card. Typically, I go into a mobile provider with about $100 in hand to make this purchase, but it ends up being around $40. The reason for the overage is that you don't want to be caught off-guard by a difference in the price and not have a cash-based means to cover it.
No, You Do Not Have to Give Your Name
This is one where not everyone is going to feel comfortable having this conversation.
Keep in mind that it's in the salesperson's best interest, and by association the retailer's best interest, to ask for your name, birth date, or other personally identifiable information.
This way they can sell you more stuff. However, there is no law that requires you to give your name, your contact information, or even show a government-issued ID. Regardless of how much they may push, you do not have to give this information. If they are truly adamant, just find another retailer who will sell you what you need; it's not worth the argument.
Also, getting loud and combative draws attention to you and, if you haven't noticed, this entire article is focused on doing just the opposite. I've been everyone from "Mark Jones" to "Jesus Christy" (yes, really) just to give them a name when they wouldn't give up. Please note I've been told that the TracFone requires personally identifiable information to be activated. For this reason, I typically only use the big four (Verizon, Sprint, T-Mobile, and AT&T) because they've been consistent in the past.
Definitely Make Sure the Card Works Before Leaving the Retailer
Using the above process, this creates an "all sales are final" situation.
So to avoid burning through good cash, it's best to make sure that everything works before you leave the retailer. Simply plugging in the SIM card and checking connectivity is all you really have to do. There may be a few hours delay with the phone actually being able to make calls due to setup within the system (the salesperson should inform you of this), but the phone itself should immediately connect to the provider.
Step 3: Add Funds to the App Store
Let's face it, there are some apps that we all rely on for stability and security, and many of those are not free.
The easiest way to purchase these apps is through the platform's app store, however, that requires a credit card or pre-purchased funds. It's the latter option that we are going to employ here. Simply go down to your local pharmacy, grocery store, or big box retailer and purchase a gift card (again with cash) for that platform app store. Typically, I default to $50 just to cover my needs and any services those apps may require, but this is a personal preference.
Step 4: Create New Account Exclusive For This Phone
The final step is to create new accounts for all of the services that you want to use, and this is the key: zero association to you.
This means a new platform account (i.e., Google or Apple), new email addresses, new social media accounts, etc. Make sure to turn on two-factor authentication because while we hope that this device is not compromised, we should operate with the assumption that it is or soon will be. Do not allow anyone who you know in your personal or professional life to contact you on this device with their personal or professional accounts. The only accounts that should interface with you on this device should be other "burner only" accounts.
Wrap-Up/Best Practices
Congratulations!
If you reached this point, then there's a high likelihood that you successfully created a customized burner phone for your privacy and security needs. However, the journey is not over. There are some basic best practices to keep in mind when using and maintaining your new burner phone so that you maintain as much of a separation between you and that device as possible.
Never Use Personal Accounts With a Burner Phone
As mentioned above, personal accounts are, well, personal (hence the name).
These accounts should stay far away from the burner phone in any capacity. In other words, don't use personal accounts on the burner phone, link burner accounts to personal accounts on social media, or converse with individuals that you know in your personal life from your burner account to their personal account. Be vigilant; we're only human and mistakes happen, but those mistakes are sometimes costly.
Never Connect the Device to Your Home or Work Wireless Network
If there's simply one thing to not do, this would be it.
The process of creating a burner phone takes time, effort, and funds. The hope is that when you're done, you have a tool which you can rely on reasonably well for privacy and security. However, if you go ahead and ruin that by associating it with your home or work wireless network, then your efforts will be all for naught. If you need to update it and you require a wireless network, any good coffeehouse or community center should work just fine. Additionally, if the device was just in an untrusted environment, the last thing that you want is for it to auto-connect to your home or work wireless network.
Do Not Have Both Your Personal Phone and Your Burner Phone On at the Same Time
This issue would be more of a concern for those who are going to a place where the potential hostility may be local or national law enforcement, but is generally a practice that I employ whenever I go to an untrusted environment.
If you don't trust the environment enough to use your personal device, then you shouldn't trust your personal device to be on in said environment. Instead, power down your phone and store it safely in a Faraday bag. Additionally, burner phones can be associated with you if both the burner phone and your personal phone are pinging the same cell towers at the same time. The covert nature of the burner phone is significantly reduced if the owner of said burner phone can be reasonably identified.
After Returning Home, Wipe the Phone
Once you return to a secure environment like your home or place of work, it's time to wipe the phone.
Yep, factory wipe that sucker!
Assuming that you didn't use the phone to store any sort of files like photos, videos, audio recordings, etc., your loss will be negligible. All you will have to do is set up the phone again with the same accounts you already have access to. If you did take photos, videos, or generate other types of documentation that you wish to keep, you will have to go through additional measures to ensure that those files are extracted in a safe manner, which is beyond the scope of this article.
In Closing...
I hope that this article was helpful for you.
Burner phones are a common tool that I employ to keep myself, my data, and my privacy as intact as possible when I am knowingly entering an untrusted environment.
While they may have gotten a bit of a seedy reputation from television and movies, they are an effective way of reducing your risk and I highly encourage their use.
- Federal Bureau of Investigation "Private Industry Notification: Potential for Malicious Cyber Activities to Disrupt the 2022 Beijing Winter Olympics and Paralympics" (20220131-001)