Copying the identity of one phone or SIM to another phone or SIM is known as sim or mobile phone cloning. The bill for usage goes to legitimate subscriber.

1. MOBILE & SIM CARD
CLONING

2. Warning.
MOBILE & SIM CLONING2
These slide is only for education purpose.
No SIM card or Mobile phone is cloned .
My purpose is to draw attention towards security
vulnerabilities in GSM and mobile communication.

3. MOBILE & SIM CLONING
Contents
1. Introduction
2. What is phone or SIM cloning?
3. What is the Purpose of cloning?
4. Requirements for cloning
5. How cell phone cloning is done?
6. Mobile station
7. Base Transceiver station
8. GSM authentication
9. COMP 128 and A5
10. Process of SIM cloning
11. Man in the middle attack
12. How to know your phone or SIM is cloned?
13. Preventive measures
14. What can be done by cloned SIM or phone?
15. References
3

4. 1. INTRODUCTION
MOBILE & SIM CLONING
Nearly 1 billion telecom subscriber worldwide.
Estimated that worldwide mobile phone fraud will
reach $40 billion dollars soon.
US Law enforcement agents have found that 80%
of drug dealers arrested in US using cloned
mobile phones.
Pablo Escobar the top Columbian drug dealer
was tracked down by monitoring his mobile
phone activity.
4

5. 2. What is cell phone or SIM
cloning?
MOBILE & SIM CLONING
Copying the identity of one phone or SIM to
another phone or SIM.
The bill for usage goes to legitimate subscriber.
5

6. 3. What is the Purpose of
cloning?
MOBILE & SIM CLONING
Making fraudulent phone calls
Getting owner messages.
Using internet on owners bill
Using phone to commit a crime.
Getting personal information of owner.
Listening owner calls.
To tease anybody etc.
6

7. 4. Requirements for phone cloning?
MOBILE & SIM CLONING
ESN ( Electronic Serial Number):
Unique number Loaded when phone is
manufactured.
Cannot be changed or tempered.
MIN ( Mobile Identification number)
Every subscriber provides a MIN to its user.
It is a unique number.
ESN/MIN pairs can be discovered in several
ways:
Sniffing the cellular phone ( need physical access to
phone)
Hacking cellular company database7

8. 5. How cell cloning is done?
MOBILE & SIM CLONING
Cloning involves modifying or replacing the
EPROM in the phone with a new chip which
would allow you to configure an ESN ( Electronic
serial number) via a software (eg. PATAGONIA).
Then you would also have to change MIN (Mobile
identification number) by the same software.
When we had successfully changed the ESN/MIN
pair, your phone is an effective clone of other
phone.[2]
8

9. 6. MOBILE STATION
MOBILE & SIM CLONING
Consist of Mobile Equipment and
SIM.
Mobile equipment has
IMEI – International Mobile
Equipment Identity
9

10. SIM(Subscriber Identity
module)
MOBILE & SIM CLONING
SIM provides details printed
on the surface :
Name of the Network Provider
Unique ID Number
Personal Identification Number
(PIN)
4 digit code set at point of
manufacture that can be changed
by the Subscriber.
Usually 3 attempts before SIM is
blocked
Pin Unblocking Key (PUK)
8 digit code set by manufacturer
Maximum 10 attempts before SIM
is permanently blocked
10

11. MOBILE & SIM CLONING
KI (Subscriber identification key)
Size is 128 bits (16 bytes)
loaded in SIM hardware can not be changed
(read only).
Goal
Authenticate subscriber to network
Create a session key
IMSI (International mobile subscriber
identity)
Unique for every subscriber. [3]
11
SIM Contd…

12. 7. Base Transceiver Station (BTS)
MOBILE & SIM CLONING
The network element which
handles the radio interface to the
mobile station. The BTS is the radio
equipment (transceivers and
antennas) needed to service each
cell in the network.
12

13. 8. GSM authentication
MOBILE & SIM CLONING13

14. GSM authentication
Contd…..
MOBILE & SIM CLONING
The base station sends a 16 byte random number say
RAND.
The SIM card get this RAND and uses the KI(secret
number) to feed to A3A8 (COMP-128) whose output is a
12 byte long number say OUTPUT.
OUTPUT is split into two parts , upper 4 bytes is called as
SRES(authentication key) and lower 8 byte as Kc
(encryption key).
SRES is send to Base Transceiver Station as
Authentication response. Where the operator uses the
same algorithm because he knows our KI and match the
SRES then we are authenticated.
The Kc is sent to Mobile which is used as encryption key
for A5 algorithm.[1]
14

15. 9. COMP – 128 and A5 algorithms
MOBILE & SIM CLONING
COMP 128 algorithm is used to generate the Encryption
key (Kc) and Authentication key (SRES).
There are three versions of COMP algorithms
In V1 last and second last byte of Kc is 0x00.
In V2 last byte of Kc is 0x00.
In V3 bytes may be anything between 0x00 to 0xFF
which is the most secured one.
A5 algorithm is used to encrypt the voice over-the-air
communication.[1]
15

16. 10. SIM Cloning Process
MOBILE & SIM CLONING
Things required : Blank SIM card ,SIM Card Reader and a software to
generate the content for blank SIM. (Can be bought from www.ebay.in
,www.alibaba.com etc.)
Step 1: Remove the SIM from your phone, place it in the SIM card reader.
Step 2 :Read the KI code and IMSI
Read SIM card for KI and IMSI using software
Once KI and IMSI is found ,save your cracked SIM information to a
.dat file.
16

17. SIM Cloning Process
contd……..
MOBILE & SIM CLONING
Disadvantage:
Need physical access to the SIM card for at least 30
minutes.
Step 3: Writing to blank card
Put the blank card in the reader.
Select write to SIM.
Select .dat file you saved before.
It will take about 10 minutes to write it.
your card is cloned.
If you try to make 2 calls at the same time, one will
go through, the other will say call failed, and both
phones will get the same messages, text and voice,
and both will receive the same calls, but only one can
talk at a time. [4]
17

18. 11. MAN IN THE MIDDLE attack
MOBILE & SIM CLONING
In GSM only subscriber is authenticated with the network
but there is no way by which a network can be
authenticated. Anybody can not get whether the network
is reliable or not.
It is possible for the network to order the MS to switch on
and off encryption at times of high loading.
This signal can be spoofed using a man-in-the-middle
attack.
18

19. MOBILE & SIM CLONING
Operator BTSLegitimate Subscriber Man-in-the-
middle
1. Attempt toregister usingencryption
3. Authenticates
Spoofing BTS
Spoofing MS
2. Passesontheregistrationrequest
4. Passesonauthentication
5. Dialsanumber
6. RequestsMSswitchoff encryption 7. Encryptsthenpassesonthecall request
8. Call proceedswit MIMeavesdropping
19

20. 12. How to know your phone or SIM
is cloned?
MOBILE & SIM CLONING
Frequent wrong number phone calls to your phone.
Difficulty in placing outgoing calls.
Difficulty in retrieving voice mail messages.
Incoming call constantly receiving busy signals.
Increased bill amount.
20

21. 13. Preventive measures
MOBILE & SIM CLONING
Always set a PIN in the SIM card.
Always set up security code in the phone.
Switch to 3G SIM card which are more secured
then 2G.
21

22. 15. References
MOBILE & SIM CLONING
Research papers
[1] Security in the GSM network Marcin
Olawski
[2] CDG Document 138 Version 0.34
CDMA Development Group, 575 Anton Boulevard, Suite
560 Costa Mesa, California 92626
[3] Design of a Routing Mechanism to Provide Multiple
Mobile Network Service on a Single SIM Card
Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh. A
Websites
[4] http://www.hackingprojects.net/2013/04/secrets-of-
sim.html
[5] http://www.wikipedia.com
22

23. MOBILE & SIM CLONING23