
Mobile Phone Cloning

CHAPTER 1 INTRODUCTION
Today every one of us is familiar with cell phones. At present roughly every fifth person in the world uses one. It is a great technological revolution and it is growing day by day. Slowly but surely, the technology is showing its ugly face too: mobile services have been, and will continue to be, subject to fraud. Mobile communication has been readily available for several years and is a major business today. It provides a valuable service to those who are willing to pay a considerable premium over a fixed-line phone in order to walk and talk freely. Because of its usefulness and the money involved, it attracts fraud and criminal interest. Today it is increasingly being used by new-age criminals in a variety of ways; the latest is mobile-phone cloning. Millions of mobile phone users, whether on GSM or CDMA, run the risk of having their phones cloned, and the worst part is that there is not much an individual subscriber can do to prevent it. A resident of Moradabad was arrested in South Delhi some time back for cloning mobile phones and providing ISD (international dialling) facilities using those cloned phones.

Some features of mobile communication make it an alluring target for criminals. It is a relatively new invention, so not all people are familiar with its possibilities, good or bad. Its newness also means intense competition among mobile phone operators as they try to attract customers. Both of these give the criminally inclined an opportunity to profit from the situation.

According to media reports, recently the Delhi (India) police arrested a person with 20 cellphones, a laptop, a SIM scanner, and a writer. The accused was running an exchange illegally wherein he cloned CDMA based cell phones. He used software named Patagonia for the cloning and provided cheap international calls to Indian immigrants in West Asia.


CHAPTER 2 HISTORY
The early 1990s were boom times for eavesdroppers. Any curious teenager with a £100 Tandy scanner could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids.

Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid-1990s with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic, and the Model 8000.

In Korea, where the wireless penetration rate reaches 75 percent, mobile fraud is increasingly becoming a challenge for law enforcement, reports The Korea Herald: "The government will mandate that mobile-phone operators allocate unique identification codes to the handsets of their new subscribers starting next month, to counter mobile-phone fraud stemming from stolen and cloned phones. The electronic serial numbers on mobile phones have become vulnerable targets for theft, with 'phone-cloners' replicating the code on a copied telephone and enabling the users to make telephone calls which are then billed to the original subscriber. More than 2,000 phone-cloning cases were reported to authorities during the Jan.-July period last year, according to the Communication Ministry. Under Korea's telecommunication law, those who produce cloned phones face a maximum of three years in prison or a 20 million won fine." "The MIC has detected a total of 1,940 cloned phones from last November to June this year and the monthly figure is on the rise."


An interesting CNN article dated December 1996 on cell phone cloning reported: thieves are charging calls to the accounts of unknowing cell phone customers. The scam is known as cloning. Thieves capture the signal of a legitimate call, and then electronically duplicate the cell phone number.

Hardly a single day passes without cloning making headlines in Korea. This time it is about cell phones, not the stem cells of the troubled scientist Hwang Woo-suk, the Korea Times reports: "The Central Radio Management Office (CRMO) said on Monday that it had seized 6,574 illegally cloned handsets last year, roughly eight times more than the 858 in 2004. Experts point out that cloned phones are problematic when they are in the hands of criminals, who might use them to conceal their identity while committing crimes through the handheld gadgets. The cloned phones also raise the concern that they might be used to overhear conversations of legitimate phone owners."

Figure 2.1: Cloned cell phones graph


The Rise and Fall of the Cloned Phone

When cell phones became popular, criminals found ways to clone them so that they could use them without paying any bills. They used scanners near airports and hotels to capture the numbers that each phone transmits in order to send and receive calls. They then created "clones" of the original phones by re-programming the numbers into phones they had stolen. The original phone would then be charged for calls made by the clone. This rapidly became big business.

The top line in the graph shows that the cloning losses for all cell phone companies increased quite rapidly from June 1992 to June 1996, when they totaled nearly $450 million for the previous six months. (The losses were the charges that the phone companies wiped off the bills of legitimate subscribers whose phones were cloned.) At this point, the phone companies began to introduce a variety of technologies that made it much more difficult to steal phone numbers and to use a clone. There was a rapid reduction in cloning so that, by December 1999, it was all but eliminated. Incidentally, the second most common form of cell phone fraud, "subscription fraud" (opening an account with a false name and address), did not skyrocket when cloning was closed down, as displacement doomsters would predict. This could be because cloning was easy to "mass-produce" by organized criminals, whereas subscription fraud is not.

Figure 2.2: Semi-Annual Fraud Dollar Losses


CHAPTER 3 GSM AND CDMA MOBILE PHONE SETS

CDMA is one of the newer digital technologies used in Canada, the US, Australia, and some South-eastern Asian countries (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) by its use of spread spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio frequency spectrum into separate user channels by frequency slices or time slots, spread spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals.

GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies. GSM digitizes and compresses speech, then sends it down a channel with two other streams of user data, each in its own time slot. It operates in the 900 MHz or 1,800 MHz band (850 MHz and 1,900 MHz in the Americas).

Some other important terms are IMEI, SIM, ESN and MIN.

First, the IMEI (International Mobile Equipment Identity) is a 15-digit number that identifies the GSM handset itself: an 8-digit Type Allocation Code identifying the model, a 6-digit serial number and a Luhn check digit. It is meant to be globally unique, so no two handsets should share an IMEI, and it is used for tracking and blocking stolen handsets. (In practice many phones keep it in rewritable memory, which is why later chapters can speak of changing it.) Second comes the SIM (Subscriber Identity Module). The SIM has survived and evolved: early phones took the entire credit-card-sized card, the ID-1 format, while later phones take only the small part of the card that carries the chip, the plug-in (ID-000) SIM.


Basically the SIM provides storage of subscriber-related information of three types:

- fixed data stored before the subscription is sold (the IMSI and the authentication key Ki);
- temporary network data (location area, temporary identities, ciphering key);
- service-related data (phone book, SMS, preferred networks).

ESN means Electronic Serial Number. This 32-bit number is loaded when the phone is manufactured and is not supposed to be tampered with or changed by the user or subscriber; if it is known, the phone can be cloned. The ESN plays the same role for a CDMA (or analogue AMPS) handset that the IMEI plays for a GSM handset. MIN stands for Mobile Identification Number, the subscriber's number, which is roughly the counterpart of the subscriber identity held on a GSM SIM. The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no removable SIM: the MIN is programmed into the handset's Number Assignment Module (NAM) and cannot be moved from phone to phone the way a GSM SIM can. The ESN/MIN pair is what a cloner needs; with software such as Patagonia (used against CDMA phones) the pair can be written into another handset in seconds. Some carriers additionally issue a Personal Identification Number (PIN) that the subscriber must key in for every call; a cloner who has captured only the over-the-air pair does not have the PIN, which is why Chapter 4 recommends using one.
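The IMEI layout described above, as an added example that is not part of the original report: it parses a 15-digit IMEI into TAC, serial and check digit and recomputes the Luhn check digit, so a mistyped or garbled IMEI can be rejected before it is fed to a blacklist lookup. The IMEI 490154203237518 is a widely published test value; the other inputs are constructed.

```python
"""IMEI structure and Luhn check digit (added example, not from the report).

Layout: 8-digit TAC (Type Allocation Code, identifies the model), 6-digit
serial number, 1 Luhn check digit, 15 digits in total. 490154203237518 is a
published test IMEI; the other values used here are constructed.
"""
import re
from typing import Dict, Optional


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string: double every second digit from the
    right, subtract 9 from any result above 9, then pick the digit that makes
    the sum a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one from there
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize(imei: str) -> str:
    """Strip the separators printed on labels or shown by *#06# (e.g. '49-015420-323751-8')."""
    return re.sub(r"[\s\-/.]", "", imei)


def parse_imei(imei: str) -> Dict[str, object]:
    """Split an IMEI into its fields and check the check digit when one is present.
    'valid' is True/False for 15 digits and None for a 14-digit IMEI without a check digit."""
    digits = normalize(imei)
    if not digits.isdigit() or len(digits) not in (14, 15):
        raise ValueError("IMEI must be 14 or 15 digits")
    expected = luhn_check_digit(digits[:14])
    given: Optional[int] = int(digits[14]) if len(digits) == 15 else None
    return {
        "tac": digits[:8],       # make/model, shared by every unit of that model
        "snr": digits[8:14],     # per-unit serial within the TAC
        "check_digit": expected,
        "valid": None if given is None else given == expected,
    }


def is_valid_imei(imei: str) -> bool:
    """True only for a well-formed 15-digit IMEI whose check digit is correct."""
    try:
        return parse_imei(imei)["valid"] is True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("490154203237518", "49-015420-323751-8", "490154203237519", "49015420323751"):
        print(sample, parse_imei(sample), "valid" if is_valid_imei(sample) else "invalid/unchecked")
```

The check digit only catches transcription errors: a rewritten IMEI with a correct check digit passes this test, which is why networks compare the IMEI against an Equipment Identity Register rather than trusting the number's format. The 16-digit IMEISV, which replaces the check digit with a two-digit software version, is deliberately rejected here.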


CHAPTER 4 WORKING OF CELL PHONE


Cell phones send radio frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular phone makes a call, it normally transmits its Electronic Serial Number (ESN), Mobile Identification Number (MIN), its Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press the SEND button and before the tower acknowledges the data. These four things are what the cellular provider uses to check that the phone is programmed to be billed and to establish the identity of both the customer and the phone. The MIN and ESN together are known as the pair and are used to identify the cell phone. When the cell site receives the pair, it determines whether the requester is a legitimate registered user by comparing the pair to the cellular subscriber list. Once the pair has been recognized, the cell site emits a control signal permitting the subscriber to place calls at will. This process, known as autonomous registration, is carried out each time the telephone is turned on or picked up by a new cell site.


Figure 4.1: Cell Phone Working Procedure

4.1. SECURITY VULNERABILITIES IN CELL PHONE.


Your cellular telephone has three major security vulnerabilities:

- monitoring of your conversations while using the phone;
- your phone being turned into a microphone to monitor conversations in the vicinity of your phone while the phone is inactive;
- cloning, or the use of your phone number by others to make calls that are charged to your account.

The best defense against these three major vulnerabilities of cell phones is very simple: do not use the cell phone. If you must use a cell phone, you can reduce the risk by following these guidelines:


Because a cellular phone can be turned into a microphone without your knowledge, do not carry a cellular phone into any classified area or other area where sensitive discussions are held. (This is prohibited in many offices that handle classified or sensitive information.)

Turn your cellular telephone on only when you need to place a call. Turn it off after placing the call. Do not give your cellular phone number to anyone and don't use your cell phone for receiving calls, as that requires leaving it on all the time. Ask your friends and associates to page you if they need to talk with you. You can then return the page by using your cellular telephone.

Do not discuss sensitive information on a cellular phone. When you call someone from your cell phone, consider advising them you are calling from a cell phone that is vulnerable to monitoring, and that you will be speaking generally and not get into sensitive matters.

Do not leave your cellular telephone unattended. If your cell phone is vehicle-mounted, turn it off before permitting valet parking attendants to park the car, even if the telephone automatically locks when the car's ignition is turned off.

Avoid using your cellular telephone within several miles of the airport, stadium, mall, or other heavy traffic locations. These are areas where radio hobbyists use scanners for random monitoring. If they come across an interesting conversation, your number may be marked for regular selective monitoring.

If your cellular service company offers personal identification numbers (PIN), consider using one. Although cellular PIN services are cumbersome and require that you input your PIN for every call, they are an effective means of thwarting cloning.


4.2. LOOP HOLES IN CELL PHONE NETWORKS


ESN/MIN data is NOT encrypted on the way to the MSC (Mobile Switching Centre) for authentication, so anyone who wishes to clone a phone can simply scan the airwaves for this data. With a captured ESN and MIN programmed into another phone, the cellular carrier will accept the call and bill it to the wrong account, or provide service because the pair is not that of a disconnected subscriber. The carrier also looks at the other two components of the burst, to make sure the transmitter is actually a cellular phone and to know where to forward billing information. The Station Class Mark can also be changed if you wish to prevent the carrier from determining the type of phone that is placing the call: by giving the cell site a false SCM, the carrier, the FCC, or whoever happens to chase down cellular fraud is often looking for a type of phone that is not the one really in use. The Number Assignment Module (NAM) also has the SIDH (System Identification, Home) number programmed into it. The SIDH tells the carrier where to forward the billing information in case the user is "roaming"; the SIDH table lists the major cities and their identifying numbers. Changing an SIDH is a programming job that takes only minutes, but be aware that the ESN is still sent to the cellular phone company. Once they realize that the ESN is tied to either a fake number or a phone that is not in the network, they will block service. The only way around this is to reprogram the ESN.
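The registration exchange described in this chapter, as an added example that is not code from the original report: a switch that accepts any ESN/MIN pair found on its subscriber list is fooled by a pair copied from a sniffed burst, while a switch that challenges each call with a fresh random number is not, even though the eavesdropper sees the challenge and the answer. The text encoding of the burst, the HMAC-based response (a stand-in for the CAVE algorithm carriers later deployed with the A-key) and all identities are constructed for the demo.

```python
"""AMPS-style call setup: a sniffed ESN/MIN pair is enough to clone, and a
challenge-response (A-key style) defeats the replay.

Added example; not code from the original report. The text burst
"MIN=..;ESN=..;SCM=..;DIG=.." stands in for the binary reverse control channel
words, and HMAC-SHA256 stands in for CAVE. Identities and keys are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Burst:
    min: str      # Mobile Identification Number (the 10-digit directory number)
    esn: int      # 32-bit Electronic Serial Number burned into the phone
    scm: int      # Station Class Mark (power class, transmit capability)
    digits: str   # number being dialed


def encode_burst(b: Burst) -> str:
    return f"MIN={b.min};ESN={b.esn:08X};SCM={b.scm};DIG={b.digits}"


def parse_burst(raw: str) -> Burst:
    """What a scanner plus data interpreter yields from one call-setup burst."""
    f = dict(item.split("=", 1) for item in raw.split(";"))
    return Burst(f["MIN"], int(f["ESN"], 16), int(f["SCM"]), f["DIG"])


class PlainMSC:
    """Original AMPS switch: the pair only has to be on the subscriber list."""
    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)  # (min, esn) -> account holder
        self.billed = []                      # (account, dialed digits)

    def place_call(self, raw: str):
        b = parse_burst(raw)
        account = self.subscribers.get((b.min, b.esn))
        if account is not None:
            self.billed.append((account, b.digits))
        return account


def clone_from_capture(raw: str, dialed: str, scm: int = 8) -> Burst:
    """Victim's pair programmed into another phone's NAM; the SCM is whatever the cloner sets."""
    v = parse_burst(raw)
    return Burst(v.min, v.esn, scm, dialed)


def auth_response(a_key: bytes, esn: int, min_: str, rand: bytes) -> str:
    """Stand-in for CAVE: keyed hash over challenge and identity. The A-key itself never goes over the air."""
    msg = rand + esn.to_bytes(4, "big") + min_.encode()
    return hmac.new(a_key, msg, hashlib.sha256).hexdigest()[:8]


class AuthMSC(PlainMSC):
    """Switch with authentication enabled: each call must answer a fresh, one-time RAND."""
    def __init__(self, subscribers, a_keys):
        super().__init__(subscribers)
        self.a_keys = dict(a_keys)   # (min, esn) -> A-key shared with the authentication centre
        self.pending = set()

    def challenge(self) -> bytes:
        rand = os.urandom(4)
        self.pending.add(rand)
        return rand

    def place_call(self, raw: str, rand: bytes, response: str):
        if rand not in self.pending:
            return None                      # unknown or already-used challenge: a replay
        self.pending.discard(rand)
        b = parse_burst(raw)
        key = self.a_keys.get((b.min, b.esn))
        if key is None or not hmac.compare_digest(auth_response(key, b.esn, b.min, rand), response):
            return None
        return super().place_call(raw)


def demo():
    victim = ("2125550147", 0x8A0B1C2D)
    # 1. No authentication: the pair sniffed from the victim's own call is replayed by a clone.
    msc = PlainMSC({victim: "victim"})
    on_air = encode_burst(Burst(victim[0], victim[1], 8, "2125550199"))
    msc.place_call(on_air)
    clone = clone_from_capture(on_air, "00442071234567", scm=10)
    billed_to = msc.place_call(encode_burst(clone))
    # 2. Authentication on: the sniffer also sees RAND and the response, but cannot answer a new RAND.
    a_key = os.urandom(8)
    amsc = AuthMSC({victim: "victim"}, {victim: a_key})
    r1 = amsc.challenge()
    authr1 = auth_response(a_key, victim[1], victim[0], r1)
    genuine_ok = amsc.place_call(on_air, r1, authr1) == "victim"
    r2 = amsc.challenge()
    replay_ok = amsc.place_call(encode_burst(clone), r2, authr1) == "victim"   # answer to the wrong RAND
    reuse_ok = amsc.place_call(encode_burst(clone), r1, authr1) == "victim"    # RAND already consumed
    return {"plain_clone_billed_to": billed_to, "genuine": genuine_ok, "replay": replay_ok, "reuse": reuse_ok}


if __name__ == "__main__":
    print(demo())
```

The falsified SCM in the clone burst goes through unchallenged in both switches, which is the point the text makes about SCM: it is informational, not an authenticator. Only the shared secret that never crosses the air interface changes the outcome.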



CHAPTER 5 MOBILE PHONE CLONING


Mobile phone cloning is copying the identity of one cellphone to another cellphone. The cellphones can be re-configured so that the calls are billed to other persons. The identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone. Each cellular phone has a unique pair of identification numbers, the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be captured without the knowledge of the subscriber or the carrier through the use of electronic scanning devices.

Cellular thieves can capture the ESN/MIN pair using devices such as a cellphone ESN reader or a DDI (Digital Data Interpreter) by monitoring the radio transmissions from the cell phones of legitimate subscribers. The ESN and MIN are then transferred into another cellphone using a computer loaded with specialised software, or a copycat box, a device specially made to clone phones. There are other devices, such as Plugs and ES-Pros, which are as small as a calculator and do not require computers or copycat boxes for cloning. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies.

Figure 5.1: Cloning a Cell Phone

Any call made with a cloned phone is billed and traced to a legitimate cellphone account. Innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the billing details, where you may find numbers you never called. If so, it is possible that your cellphone has been cloned and someone else is making calls using your identity.

Many criminals use cloned cellphones for illegal activities, because their calls are not billed to them, and are therefore much more difficult to trace. Cloned phones are often used to make long distance calls, even to foreign countries.

Figure 5.2: Mobile Cloning (Nokia 1100)

Pre-paid users are at lesser risk, not because their phones cannot technically be cloned but because the misuse would be quickly detected and limited by the remaining credit. Cell phone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai. Cloning occurs most frequently in areas of high cell phone usage: valet parking lots, airports, shopping malls, concert halls, sports stadiums, and high-congestion traffic areas in metropolitan cities.



Figure 5.3: Cellular phone cloning

5.1. HOW DO I KNOW THAT MY PHONE IS GETTING CLONED?


Cellular fraud became a serious problem, occurring at a rather high rate. Although today's digital networks and handset manufacturers have taken extraordinary steps toward making cell phone fraud more difficult, some ill-intentioned individuals continue to find ways to circumvent even the most modern technology. Cell phone cloning is one of the most notorious methods of cell phone fraud, so the customer must monitor cellular usage on a regular basis. Thankfully, cellular providers keep detailed records of all numbers called from your handset each month. Visit your cellular provider's website and sign up for its online account management system so you have immediate access to your billing and usage information, even before the paper bill arrives by mail. Take special note of any times when you were unable to use your phone. Since a cloned cell phone appears identical to yours, you may be given messages stating that the mobile number is already in use, or you may find that you are unable to initiate or receive calls while the clone is being used by the perpetrator.

Figure 5.1.1: Clone Identification

Record the times, dates and frequency of these "cell usage blackouts" and, if they occur for long durations and repeatedly throughout each day, contact your cellular provider with your concern that your phone may have been cloned. Cooperate with your provider if asked for permission to initiate a detailed audit of your cell usage. The company will send you a highly detailed list of calls sent or received on your account over the month, and will most likely ask you to highlight all numbers, dates and times you are unfamiliar with.
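The audit described above can be automated on the call records themselves. The following is an added example, not code from the original report: it reads constructed call detail records (CDRs) and flags the two signatures a clone leaves behind, a pair that is on two calls at once from different cell sites, and a pair whose consecutive calls imply impossible travel. The CDR format, the cell-site coordinates and the 900 km/h threshold are all assumptions made for the demo.

```python
"""Clone indicators from call detail records (added example, not from the report).

Two checks per ESN/MIN pair: overlapping calls on different cell sites (one
handset cannot hold two calls from two places at once) and consecutive calls
whose implied travel speed between sites is impossible. CDR lines, site
coordinates and the speed threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed cell-site coordinates (latitude, longitude).
SITES: Dict[str, Tuple[float, float]] = {
    "NYC-017": (40.75, -73.99),
    "NYC-042": (40.64, -73.78),
    "LAX-003": (33.94, -118.41),
}
MAX_SPEED_KMH = 900.0  # assumed: faster than any ground or scheduled air travel

# Constructed CDRs: start,MIN,ESN,cell,dialed,duration_seconds
SAMPLE_CDRS = """\
2006-03-14T10:00:00,2125550147,8A0B1C2D,NYC-017,2125550199,600
2006-03-14T10:05:00,2125550147,8A0B1C2D,LAX-003,00442071234567,300
2006-03-14T12:00:00,2125550147,8A0B1C2D,NYC-042,2125550100,120
2006-03-14T10:00:00,2125550162,8A0B1C2E,NYC-017,2125550111,300
2006-03-14T10:30:00,2125550162,8A0B1C2E,NYC-042,2125550122,60
"""


@dataclass
class Call:
    start: datetime
    min: str
    esn: str
    cell: str
    dialed: str
    duration: int

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=self.duration)


@dataclass
class Alert:
    kind: str    # "overlap" or "velocity"
    min: str
    esn: str
    detail: str


def parse_cdrs(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, min_, esn, cell, dialed, dur = line.split(",")
        calls.append(Call(datetime.fromisoformat(start), min_, esn, cell, dialed, int(dur)))
    return calls


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_clone_indicators(calls: List[Call]) -> List[Alert]:
    alerts: List[Alert] = []
    by_pair: Dict[Tuple[str, str], List[Call]] = {}
    for c in calls:
        by_pair.setdefault((c.min, c.esn), []).append(c)
    for (min_, esn), pair_calls in by_pair.items():
        pair_calls.sort(key=lambda c: c.start)
        for prev, nxt in zip(pair_calls, pair_calls[1:]):
            if prev.cell == nxt.cell:
                continue  # same site: could be call waiting, not evidence of a second handset
            gap_s = (nxt.start - prev.end).total_seconds()
            if gap_s <= 0:
                alerts.append(Alert("overlap", min_, esn,
                                    f"{prev.cell} and {nxt.cell} active at the same time at {nxt.start}"))
                continue
            km = haversine_km(SITES[prev.cell], SITES[nxt.cell])
            speed = km / (gap_s / 3600.0)
            if speed > MAX_SPEED_KMH:
                alerts.append(Alert("velocity", min_, esn,
                                    f"{km:.0f} km from {prev.cell} to {nxt.cell} in {gap_s / 60:.0f} min ({speed:.0f} km/h)"))
    return alerts


if __name__ == "__main__":
    for a in detect_clone_indicators(parse_cdrs(SAMPLE_CDRS)):
        print(a.kind, a.min, a.esn, a.detail)
```

Both checks need the cell site in the record, which the subscriber's itemised bill usually lacks; the carrier's switch records have it, which is why the text has the provider run the audit. Same-site overlaps are ignored on purpose so that call waiting and hand-off artefacts do not raise alerts.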



CHAPTER 6 CLONING FRAUD


The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses due to cloning fraud are between $600 million and $900 million in the United States. Some subscribers of Reliance had to suffer because their phones were cloned. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government.

6.1. COSTS OF FRAUD


Publicly available figures for the costs of fraud have many uses, so the reader should know a few things before believing them to be correct. Cost figures are published by the operators themselves, by various organizations such as the Cellular Telecommunications Industry Association, and by governmental institutions.

Hard and soft currency


Costs of mobile phone fraud can be divided into two classes, soft currency and hard currency. Soft currency is a theoretical figure. It is derived from the lost revenue due to illegal use of the services. It is based on the assumption that the illegal user would have paid for the services he used without permission. This assumption does not hold always. The same assumption is usually made with the figures for music, computer software and movie piracy.

Hard currency is real money. It is money that the operator has to pay someone else. For example, when a mobile phone user of operator A roams in operator B's network, operator A pays to the operator B for the use of his network. Hard currency can also be lost on premium services, that is, services with higher than regular tariffs.



Uses of cost estimates


Cost estimates of fraud have several uses. On one hand, the operators can use high fraud figures to gain more favourable legislation from the government, on the basis that the current situation is so detrimental to their business, hoping that stricter legislation will deter criminals. In the USA a strict law was passed making it illegal to own a scanner or a cell phone programmer with intent to defraud, or to use, own or traffic in counterfeit phones, with maximum sentences of 10 to 15 years in prison. On the other hand, low fraud figures are good publicity for the operator: they give an impression of a secure network, so customers are not afraid to use their phones. Also, low fraud means less hassle for the customers who, in the end, pay for fraud through their service fees.

6.2. FRAUD EXAMPLES

Example: Roaming fraud


In this type of fraud, stolen and cloned mobile phones are used to make international calls and in roaming, possibly abroad. Once a suitable subscription has been acquired, it can be used for call selling locally or it can be used to place calls in a roaming network.

In roaming a subscriber to operator A can use operator B's network and services, provided that the operators have made a roaming agreement. Roaming, especially international roaming, and international calls in general, are usually expensive, and therefore subject to criminal interest and fraud. Roaming fraud is a hard currency problem because the roaming user's operator has to pay to the operator of the roaming network for the roaming user's use, whether or not the user pays his bills. Therefore, operators have taken measures to limit the costs of roaming fraud.

The main problem behind roaming fraud is the delay in the communication of billing information between the operators. The delay has been shortened from 72 to 24 hours. The information is transferred with EDI (Electronic Data Interchange) or by tape. An example of roaming fraud: SIM cards were taken out of phones acquired with false identities and mailed abroad, where they were used in call-selling operations, with call lengths averaging 10-12 hours. According to the guidelines of the GSM Memorandum of Understanding, a call report for a user exceeding 100 SDR (Special Drawing Rights) units a day must be delivered to the home network within 24 hours. Should GSM cloning become a major problem, timely communication between roaming operators will become critical in avoiding fraud losses. Already, clearing houses have been set up to offer billing and billing-information services to roaming operators.

Example: Criminal users


Mobile communication provided by a mobile phone is a valuable tool for criminals, just as it is for ordinary people. Criminals, however, have more reason to worry about the operator knowing their location than regular users. Mobile operators can find out the location of a mobile phone, with varying accuracy. In areas where base station density is high, for example in cities, the accuracy can be a few hundred meters, whereas in rural regions the accuracy is a few kilometers. In GSM systems, the phone has a unique identifier (IMEI, International Mobile Equipment Identity) as well as a SIM containing the subscriber information (IMSI, International Mobile Subscriber Identity).

Depending on the legislation of each country, law enforcement can get this information from the operator, possibly in real time. Therefore, it makes sense for a criminal to use one or more stolen or cloned phones to gain anonymity and to make it harder to track them. By constantly using one and the same phone and SIM card, it is easy to track the criminal's movements. Using some tools (e.g. Wintesla), it is possible to change the IMEI of one's phone. This will make the network think that the same SIM is used in different phones when, in reality, it is the same phone. A Radio Frequency Fingerprinting system can nevertheless identify the phone as being the same one. Therefore, criminals use subscriptions that cannot be connected to them (i.e. cloned or stolen subscriptions, or a subscription under a fake identity) and several different phones.



This type of fraud can be prevented by offering a suitable service, such as prepaid subscriptions. In a prepaid subscription, the customer pays a certain sum up front, for instance Rs. 350, and uses the subscription as long as there is credit left, after which he can buy more credit or take another prepaid subscription.

Example of a technical method: Cloning


Cloning of analog mobile phones was a major problem until operators and equipment manufacturers took measures to make it more difficult. Analog mobile phone systems include AMPS (Advanced Mobile Phone System), used mainly in the USA, TACS, a version of AMPS used for instance in the UK, and NMT, used in Scandinavia. These systems had similar issues, so only one of them is presented.

AMPS, the analog mobile phone system used in the USA was in the beginning very vulnerable to cloning. Each phone has an Electronic Serial Number (ESN), identifying the phone, as well as a Mobile Identification Number (MIN), which includes the telephone number of the phone. As the acronyms indicate, these are used to identify the subscriber.



Figure 6.2.1: Cellular counterfeiting

When placing a call, the phone transmits both the ESN and the MIN to the network. These were sent in the clear, so anyone with a suitable scanner could receive them. The eavesdropped codes would then be programmed into another phone, effectively cloning the original subscription, and any calls made on the cloned phone would be charged to the original customer. Because of the relative ease of cloning these analog mobile phones, cloning became a major problem. Detailed instructions circulated on the Internet; one such text describes how to modify a specific model of scanner to receive the cellular frequencies, and also provides the software and instructions needed to clone subscriptions.



CHAPTER 7 HOW IS CELL CLONING DONE?

Cloning involved modifying or replacing the EPROM in the phone with a new chip which allowed one to configure an ESN (Electronic Serial Number) via software. The MIN (Mobile Identification Number) would also have to be changed. After successfully changing the ESN/MIN pair, the phone became an effective clone of the other phone. Cloning required access to ESN and MIN pairs, which were discovered in several ways:

- sniffing the cellular network;
- trashing (dumpster diving) cellular companies or cellular resellers;
- hacking cellular companies or cellular resellers.

Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older phones that can be cloned are harder to find and newer phones have not been successfully reverse engineered. Cloning has been demonstrated under GSM, but the process is not easy and currently remains in the realm of serious hobbyists and researchers. Furthermore, cloning as a means of escaping the law is difficult because of the radio fingerprint present in every mobile phone's transmission signal. This fingerprint comes from the analogue characteristics of the handset's own transmitter, so it stays the same even if the ESN or MIN are changed, and mobile phone companies can use a mismatch between the fingerprint and the ESN/MIN to identify fraud cases.



7.1. CLONING CDMA CELL PHONES


Cellular telephone thieves monitor the radio frequency spectrum and steal the cell phone pair as it is being registered with a cell site. CDMA uses spread-spectrum techniques to share bands among multiple conversations, and subscriber information is transmitted digitally rather than on an analogue channel that any scanner can demodulate; nevertheless, CDMA handsets in India were reported to be particularly vulnerable to cloning, according to experts, because the ESN and MIN can be read from and written to the handset with ordinary service software. First-generation analogue networks allowed fraudsters to pull subscription data (such as ESN and MIN) from the air interface and use this data to clone phones. A device called a DDI (Digital Data Interpreter), which comes in various forms, from an expensive stand-alone box to a device that interfaces an 800 MHz-capable scanner with a PC, can be used to collect pairs simply by making the device mobile, sitting in a busy traffic area (a freeway overpass) and collecting all the data you need. The stolen ESN and MIN were then fed into a new CDMA handset whose existing programming had been erased with downloaded software. The buyer then programs them into new phones, which will have the same number as the original subscriber.

PATAGONIA

Patagonia is software available on the market that is used to clone CDMA phones: using it, a cloner can take over control of a CDMA phone, i.e. clone it. Other software is available to clone GSM phones, and it is easy to obtain. A SIM can be cloned again and again and the clones used at different places. Messages and calls sent by cloned phones can still be tracked, by handset (IMEI) and by radio fingerprint; if the accused also manages to rewrite the IMEI of the handset, for which software is available, tracing becomes much harder.



CDMA WORKSHOP
CDMA Workshop is a professional, universal, all-in-one service software developed to work with CDMA 450/800/1900/EVDO (1xEVDO) phones, smart phones, fixed terminals and data cards/modems based on Qualcomm chipsets. It is a tool for programming or re-programming CDMA phones to any network, making clones, unlocking, reading and changing the ESN and MEID, security codes such as user lock, SPC, MSL, FSC, OTKSL and Minlock, and authentication security codes such as the A-key, SSD_A and SSD_B. CDMA Workshop combines the major functions needed for full-functional work with CDMA phones and is marketed to technicians, cellular repair shops and dealers. Note what that feature list means for cloning: the A-key and SSD are the secrets the network uses to authenticate the handset, so a tool that can read and write them, together with the ESN and MEID, can copy a complete handset identity into a second phone, which is exactly what authentication was introduced to prevent.

Supported Windows: 95/98/ME, NT, 2000, XP, 2003, Vista, Windows 7 (32- and 64-bit). Supported interfaces: COM (serial), USB, USB-to-COM converters, any kind of Unibox.

Figure7.1.1 CDMA Workshop




7.2. CLONING GSM PHONES


GSM handsets, on the contrary, are safer, according to experts. Every GSM phone has a 15-digit serial number (the IMEI). It is not a particularly secret piece of information and you do not need to keep it private. The important information is the IMSI and the authentication key Ki, which are stored on the removable SIM card together with the rest of your subscriber information, roaming database and so on. GSM does not send subscriber secrets over the air at all: the SIM and the operator's authentication centre share the secret key Ki, and the network authenticates the SIM with a challenge-response. A random RAND is sent; the SIM answers with SRES, computed by the A3 algorithm from Ki and RAND, and derives the ciphering key Kc with A8. This is a symmetric-key scheme, not an asymmetric one, and because a fresh RAND is used each time, a response captured over the air cannot be replayed. Cloning a SIM from information captured over the air is therefore difficult, though not impossible. As long as you do not lose physical control of your SIM card, you are reasonably safe with GSM. Many carriers implemented A3/A8 with the COMP128 algorithm; its first version turned out to be weak, and in 1998 researchers showed that Ki can be recovered from a COMP128v1 SIM by feeding it many chosen RANDs through a card reader. That is the basis of SIM cloning: the SIM is inserted into a reader connected to a computer, the IMSI is read and the Ki is recovered, and the two values are written with freely available software onto a programmable blank smart card. The result is a cloned SIM, ready for misuse.

Figure 7.2.1: SIM CLONE
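The authentication exchange described in this section, as an added example that is not code from the original report: a SIM answers the network's RAND with SRES, an eavesdropper who captured IMSI, RAND and SRES from the air fails on the next challenge, and a blank card loaded with the IMSI and a Ki taken from the original SIM through a reader passes. A3/A8 are modelled with a single HMAC-SHA256 call standing in for COMP128 (the real algorithm and the chosen-RAND key recovery are not reproduced), and the IMSI and Ki are constructed; the "reader" step simply copies the key out of the SIM object to represent a successful extraction.

```python
"""GSM challenge-response and what a SIM clone actually needs.

Added example, not from the original report. A3/A8 are modelled by one
HMAC-SHA256 call standing in for COMP128; the IMSI (test MCC/MNC 001/01)
and Ki are constructed. Ki recovery from a COMP128v1 SIM needs a card
reader and many chosen RANDs; here a successful recovery is simulated by
reading the SIM object's key.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8: SRES (4 bytes) and Kc (8 bytes) derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """Subscriber module: holds the IMSI and the secret Ki, answers RAND challenges."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki               # never leaves a genuine SIM over the air

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8(self._ki, rand)


class AuC:
    """Authentication centre: the only network element that also holds Ki."""
    def __init__(self):
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """Fresh (RAND, SRES, Kc) for one authentication run."""
        rand = os.urandom(16)
        sres, kc = a3a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


def authenticate(auc: AuC, imsi: str, handset: Callable[[bytes], bytes]) -> Tuple[bool, bytes, bytes]:
    """Network side: send RAND, compare the handset's SRES with the AuC's.
    Returns (accepted, rand, sres_sent) so an eavesdropper's view can be reused below."""
    rand, expected, _kc = auc.triplet(imsi)
    sres = handset(rand)
    return hmac.compare_digest(sres, expected), rand, sres


def extract_ki_with_reader(sim: SIM) -> bytes:
    """Simulates a SIM sitting in a card reader after a Ki-recovery attack has
    succeeded (roughly 150,000 chosen RANDs for COMP128v1). Constructed shortcut."""
    return sim._ki


def write_blank_card(imsi: str, ki: bytes) -> SIM:
    """Program IMSI and Ki into a programmable blank card: this is the clone."""
    return SIM(imsi, ki)


def demo() -> Dict[str, bool]:
    auc = AuC()
    imsi, ki = "001010123456789", os.urandom(16)
    auc.provision(imsi, ki)
    genuine = SIM(imsi, ki)

    # 1. Genuine SIM answers a fresh RAND.
    ok_genuine, _rand_seen, sres_seen = authenticate(auc, imsi, lambda r: genuine.run_gsm_algorithm(r)[0])
    # 2. Over-the-air eavesdropper knows IMSI, RAND and SRES; the next RAND differs, so replay fails.
    ok_replay, _, _ = authenticate(auc, imsi, lambda r: sres_seen)
    # 3. Physical access: Ki recovered through a reader and written to a blank card.
    clone = write_blank_card(imsi, extract_ki_with_reader(genuine))
    ok_clone, _, _ = authenticate(auc, imsi, lambda r: clone.run_gsm_algorithm(r)[0])
    # 4. Original and clone both keep passing: authentication alone cannot tell them apart.
    ok_both = authenticate(auc, imsi, lambda r: genuine.run_gsm_algorithm(r)[0])[0] and \
        authenticate(auc, imsi, lambda r: clone.run_gsm_algorithm(r)[0])[0]
    return {"genuine": ok_genuine, "replay": ok_replay, "clone": ok_clone, "both_pass": ok_both}


if __name__ == "__main__":
    print(demo())
```

The last step is the operational consequence: once Ki is copied, the network sees two valid SIMs with one identity, and only usage patterns (the overlapping-call and impossible-travel checks of Chapter 5) reveal the clone.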


CHAPTER 8 IDENTIFYING THE ESN IN YOUR CELLULAR PHONE

Depending on what model of phone you have, the ESN will be located on a PROM. The PROM is programmed at the factory and is usually installed with its security fuse blown to prevent tampering. The code on the PROM might possibly be obtained by unsoldering it from the cellular phone, putting it in a PROM reader, and obtaining a memory map of the chip. The PROM will have from sixteen to twenty-eight leads coming from it; it is a bipolar PROM. The majority of phones accept the National Semiconductor 32x8 PROM, which holds the ESN and cannot be reprogrammed. If the ESN of the phone is known, it is possible to trace the memory map by installing the PROM in a reader and obtaining the fuse map by triggering the "READ MASTER" switch of the PROM programmer. In addition, most PROM programming systems include verify and compare switches that allow you to compare the programming of one PROM with another. As said earlier, the ESN chip is uniformly black with sixteen to twenty-eight leads emanating from its rectangular or square body. If it is a dual-in-line package (DIP) chip, usually found in transportable and installed phones, it is rectangular. If it is a plastic leaded chip carrier (PLCC), it is square and much smaller in appearance. Functionally they are the same chip, but the PLCC is used in hand-held cellular phones because of the need for reduced-size circuitry.

8.1 ESN REPLACEMENT


De-solder the ESN chip. Solder a zero insertion force (ZIF) socket in its place, so that the replacement chip can be changed easily. After the ZIF socket has been successfully soldered in, reinsert the original ESN chip and attempt to make a phone call (be sure the NAM is programmed correctly). If the call fails, check the leads on the ZIF socket to ensure that you have soldered them correctly.

After that, insert the ESN chip into your PROM reader and make sure it provides some sort of reading. Use the reader's search mode to look for the manufacturer's serial number in order to identify the address on the PROM at which the ESN is stored and would be reprogrammed.

8.2. EQUIPMENT REQUIRED FOR CLONING


- IBM-PC/XT/AT computer or clone (you supply).
- EPROM programmer and suitable adapter (if required) to read/write the chips you are using (you supply).
- Editing software to modify and save file changes. This is typically supplied by the EPROM burner manufacturer; extra editing software (binary and hex file editors) is supplied with the kit.
- Instructions for reprogramming each phone (from the CELLULAR PROGRAMMERS BIBLE).
- Programming cables for each particular cellular phone, such as the Motorola Flip. Printed instructions for making programming cables are included in Cellular Hackers Bible Volume 2.
- Cellular Hackers Bible Volume 6, $35.00.

8.3. PROCEDURE FOR CLONING DIFFERENT PHONES:


1. Read the master phone's PROM or EEPROM with the burner and save it to a file.
2. Read the clone phone's PROM or EEPROM with the burner and save it to a file.
3. Print both files for hard copy.
4. Locate the information to be swapped in both files, i.e. ESN, MIN, SIDH, etc.
5. Swap that data from the master file into the clone file, using the printed hard copies as reference.
6. Compute the checksum of the completed clone file (use the software supplied with the EPROM burner).
7. Insert the checksum into the clone file at the proper location.
8. Burn a new PROM or EEPROM with the modified clone file.
9. Install the new chip in the clone phone and reassemble it.
10. Turn on the power. The clone phone will now power up. Reprogram the clone using the reprogramming instructions from the CELLULAR PROGRAMMERS BIBLE.

You can typically change all information from the handset except the ESN. The phone is now a "clone" of the master.
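The checks a technician would actually want while following Chapter 8 (identifying the ESN on the chip, finding it in a dump, and confirming the dump's checksum) are shown below as an added example written for this page; it is not code from the report or from any of the tools it names. The 32-byte dump, the ESN 0x8A123456, the MEID and the checksum rule (8-bit sum of all bytes except the last, stored in the last byte) are constructed assumptions; the ESN field layout (8-bit manufacturer code, 24-bit serial, 11-digit decimal form) and the pseudo-ESN derivation from a MEID (0x80 followed by the low 24 bits of SHA-1(MEID), per 3GPP2 S.R0048) are standard.

```python
"""Added example: decoding an AMPS/CDMA ESN, locating it in a PROM dump and
verifying a dump checksum.  Illustrative code written for this page, not a
tool from the report; the dump contents and the checksum rule (8-bit sum of
all bytes except the last, stored in the last byte) are assumptions."""
import hashlib


def decode_esn_hex(esn_hex: str) -> dict:
    """Split a 32-bit ESN given as 8 hex digits into manufacturer code (top
    8 bits) and serial (low 24 bits) and produce the 11-digit decimal form
    (3-digit manufacturer + 8-digit serial) printed on phone labels."""
    value = int(esn_hex, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    mfr, serial = value >> 24, value & 0xFFFFFF
    return {"value": value, "manufacturer": mfr, "serial": serial,
            "decimal": f"{mfr:03d}{serial:08d}"}


def decode_esn_decimal(esn_dec: str) -> int:
    """Inverse of the decimal form: 3-digit manufacturer + 8-digit serial."""
    if len(esn_dec) != 11 or not esn_dec.isdigit():
        raise ValueError("decimal ESN must be 11 digits")
    mfr, serial = int(esn_dec[:3]), int(esn_dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("field out of range")
    return (mfr << 24) | serial


def find_esn(dump: bytes, esn: int) -> list:
    """Return (offset, byte_order) for each place the ESN appears in the dump,
    trying both encodings because firmware differs in how it stores it."""
    hits = []
    for order in ("big", "little"):
        needle, start = esn.to_bytes(4, order), 0
        while (pos := dump.find(needle, start)) != -1:
            hits.append((pos, order))
            start = pos + 1
    return hits


def checksum8(data: bytes) -> int:
    """Assumed rule: 8-bit sum of every byte except the final checksum byte."""
    return sum(data[:-1]) & 0xFF


def verify_dump(dump: bytes) -> bool:
    return checksum8(dump) == dump[-1]


def pseudo_esn(meid_hex: str) -> int:
    """pESN for a 56-bit MEID: 0x80 followed by the low 24 bits of SHA-1(MEID)."""
    meid = int(meid_hex, 16).to_bytes(7, "big")
    low24 = int.from_bytes(hashlib.sha1(meid).digest()[-3:], "big")
    return 0x80000000 | low24


# Constructed 32-byte "dump": 16 filler bytes, ESN 0x8A123456 big-endian at
# offset 16, 11 filler bytes, then the checksum byte.
ESN_HEX = "8A123456"
_body = bytes(16) + bytes.fromhex(ESN_HEX) + bytes(range(11))
SAMPLE_DUMP = _body + bytes([sum(_body) & 0xFF])

if __name__ == "__main__":
    info = decode_esn_hex(ESN_HEX)
    print(f"ESN {ESN_HEX}: manufacturer {info['manufacturer']}, "
          f"serial {info['serial']}, decimal {info['decimal']}")
    print("found at", find_esn(SAMPLE_DUMP, info["value"]))
    print("checksum ok:", verify_dump(SAMPLE_DUMP))
    print(f"pESN for MEID A0000000000001: {pseudo_esn('A0000000000001'):08X}")
```

Searching for both byte orders matters in practice: the manufacturer's serial you read off the label is in decimal, and the bytes you are looking for in the dump are the hex value, which is why step 4 of the procedure above is usually the one that goes wrong.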

8.4. CLONING PROCEDURE FOR IDENTICAL PHONES:


Copy the EPROM, EEPROM or PROM holding the ESN information and make a duplicate of the chip. Insert the duplicate into the second phone and reprogram as necessary (usually not required). If the phones are Motorola EE3 models, the ESN can only be removed or reprogrammed with the use of a "Copycat" device. These devices are no longer advertised for sale in this country, as the law has forced sellers of such devices to remove them from the marketplace.

8.5. HOW TO PREVENT CELL CLONING?


The Mobile Identification Number (MIN) uniquely identifies a mobile unit within a wireless carrier's network. The MIN can often be dialed from other wireless or wireline networks. It differs from the electronic serial number (ESN), which is the unit number assigned by the phone manufacturer. MIN/ESN pairs can be checked electronically to help prevent fraud. Beyond that: mobiles should never be trusted for communicating or storing confidential information. Always set a PIN that is required before the phone can be used. Check that all mobile devices are covered by a corporate security policy. Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

How do service providers handle reports of cloned phones?

Legitimate subscribers who have their phones cloned receive bills with charges for calls they did not make. Sometimes these charges amount to several thousand dollars on top of the legitimate charges. Typically the service provider absorbs the cost of the fraudulent calls. However, to keep the cloned phone from continuing to receive service, the provider terminates the legitimate subscription. The subscriber is then required to activate a new subscription with a different phone number, which requires reprogramming of the phone, along with the additional headaches that go with a phone number change.

8.5.1. WHAT EXACTLY IS AUTHENTICATION?


Authentication is a mathematical process in which identical calculations are performed in both the network and the mobile phone. These calculations use secret information (known as a "key") preprogrammed into both the mobile phone and the network before service is activated, together with a fresh random challenge sent by the network. Cloners typically have no access to this secret key and therefore cannot produce the same result. A legitimate mobile phone produces the same calculated result as the network. The phone's result is sent to the network and compared with the network's result; if they match, the phone is not a "clone".
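The exchange described in 8.5.1 (and the GSM challenge-response in 7.2, which works the same way with Ki in place of the A-key) is modelled below as an added example for this page; it is not code from the report, and HMAC-SHA256 stands in for the real IS-41 CAVE and GSM A3/A8 algorithms, which is an assumption made here. The MIN, ESN, keys and the "clone" are constructed. The point it demonstrates is the one the text makes: a clone that has copied the MIN and ESN but not the key produces a different answer to the network's challenge, and a captured answer cannot be replayed because the challenge changes.

```python
"""Added example: challenge-response authentication between a handset and the
network's Authentication Center.  HMAC-SHA256 stands in for CAVE/A3-A8 (an
assumption for this example); identities and keys are constructed."""
import hashlib
import hmac
import os


class AuthenticationCenter:
    """Network side: holds each subscriber's secret key, issues challenges and
    checks responses.  Used challenges are remembered so a captured response
    cannot simply be replayed."""

    def __init__(self):
        self.keys = {}          # (MIN, ESN) -> secret key
        self.outstanding = {}   # (MIN, ESN) -> RAND currently awaiting a reply
        self.used_rands = set()

    def provision(self, min_, esn, key: bytes):
        self.keys[(min_, esn)] = key

    def challenge(self, min_, esn) -> bytes:
        rand = os.urandom(8)
        self.outstanding[(min_, esn)] = rand
        return rand

    @staticmethod
    def expected(key: bytes, rand: bytes, min_, esn) -> bytes:
        """Both sides compute this; only the holder of the key can."""
        msg = rand + min_.encode() + esn.to_bytes(4, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[:4]  # 32-bit AUTHR-like value

    def verify(self, min_, esn, rand: bytes, response: bytes) -> bool:
        key = self.keys.get((min_, esn))
        if key is None or self.outstanding.get((min_, esn)) != rand:
            return False
        if rand in self.used_rands:      # same RAND/response pair seen before
            return False
        self.used_rands.add(rand)
        del self.outstanding[(min_, esn)]
        return hmac.compare_digest(self.expected(key, rand, min_, esn), response)


class Handset:
    """Phone side.  A clone copied off the air or from a PROM has the MIN and
    ESN but not the provisioned key, so it can only guess one."""

    def __init__(self, min_, esn, key: bytes):
        self.min, self.esn, self.key = min_, esn, key

    def respond(self, rand: bytes) -> bytes:
        return AuthenticationCenter.expected(self.key, rand, self.min, self.esn)


def run_auth(auc: AuthenticationCenter, phone: Handset) -> bool:
    rand = auc.challenge(phone.min, phone.esn)
    return auc.verify(phone.min, phone.esn, rand, phone.respond(rand))


def demo() -> dict:
    auc = AuthenticationCenter()
    key = os.urandom(16)                      # A-key equivalent, loaded at activation
    legit = Handset("9195551234", 0x8A123456, key)
    auc.provision(legit.min, legit.esn, key)
    clone = Handset("9195551234", 0x8A123456, os.urandom(16))   # same identity, guessed key
    results = {"legit": run_auth(auc, legit), "clone": run_auth(auc, clone)}
    # Replay: an eavesdropper captures a valid RAND/response pair and resends it.
    rand = auc.challenge(legit.min, legit.esn)
    resp = legit.respond(rand)
    auc.verify(legit.min, legit.esn, rand, resp)          # first use succeeds
    results["replay"] = auc.verify(legit.min, legit.esn, rand, resp)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security property: the key never leaves either side (only the 32-bit result is sent), and the network tracks which challenge it is waiting for, so a recorded result is useless against the next challenge.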

8.5.2. ARE THESE METHODS EFFECTIVE?


Yes, for the most part. Authentication is the most robust and reliable method for preventing cloning fraud, and it is the only industry-standard method for eliminating cloning. The fact that it is standardized means that all mobile telecommunications networks using IS-41 can support Authentication; there is no need to add proprietary equipment, software or communications protocols to the networks to prevent cloning fraud.


IS MY PHONE AUTHENTICATION CAPABLE?


If the phone supports TDMA or CDMA digital radio, then yes. Otherwise, it depends on how old the phone is and the make and model. Almost all phones manufactured since the beginning of 1996 support the Authentication function. The best bet is to check with your service


CHAPTER 9 ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD


They are using many methods such as RF Fingerprinting, subscriber behavior profiling, and Authentication. RF Fingerprinting is a method to uniquely identify mobile phones based on certain unique radio frequency transmission characteristics that are essentially "fingerprints" of the radio being used. Subscriber behavior profiling is used to predict possible fraudulent use of mobile service based on the types of calls previously made by the subscriber. Calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and appropriate actions can be taken.

Authentication has advantages over these technologies in that it is the only industry standardized procedure that is transparent to the user, a technology that can effectively combat roamer fraud, and is a prevention system as opposed to a detection system.

9.1. Interim Standard No. 41

IS-41 (Interim Standard No. 41) is a document prescribing standards for communications between mobile networks. The standard was developed by the Telecommunications Industry Association (TIA) and is used primarily throughout North America, as well as in many Latin American and Asian countries. IS-41 supports the AMPS, NAMPS, TDMA and CDMA radio technologies and defines the methods for automatic roaming, handoff between systems and Authentication.


9.2. IMPACT OF CLONING


Each year the mobile phone industry loses millions of dollars in revenue because of the criminal actions of persons who are able to reconfigure mobile phones so that their calls are billed to phones owned by innocent third parties. Often these cloned phones are used to place hundreds of calls, often long distance, even to foreign countries, resulting in thousands of dollars in airtime and long-distance charges. Cellular telephone companies do not require their customers to pay for charges illegally made to their account, no matter how great the cost, but some portion of the cost of these illegal calls is passed along to cellular consumers as a whole. Many criminals use cloned cellular telephones for illegal activities because their calls are not billed to them and are therefore much more difficult to trace. This is especially prevalent in drug crimes: dealers need to be in constant contact with their sources of supply and their confederates on the streets, so traffickers acquire cloned phones at minimal cost, make dozens of calls, and then throw the phone away after as little as a day's use. In the same way, criminals who pose a threat to national security, such as terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at tracking their whereabouts.

9.3. ARE OUR CELL PHONES SECURED?


Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy. Did you realize there is a lucrative black market in stolen and cloned SIM cards? This is possible because SIMs are not network specific and, though tamper-resistant, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill. There are locking mechanisms on cellular phones that require a PIN to access the phone. These dissuade some attackers and foil others, but might not work against a well-financed and well-equipped attacker. An 8-digit PIN has 100,000,000 possible values, so a brute-force search needs about 50,000,000 guesses on average, but there may be ways for sophisticated attackers to bypass the lock altogether.


With the shift to digital GSM, which now covers almost the entire UK mobile sector, the phone companies assure us that the bad old days are over. Mobile phones, they say, are secure and privacy friendly. This is not entirely true. While the amateur scanner menace has been largely exterminated, there is now more potential than ever before for privacy invasion.

The alleged security of GSM relies on the myth that encryption, the mathematical scrambling of our conversations, makes it impossible for anyone to intercept and understand our words. While this claim looks good on paper, it does not stand up to scrutiny. The reality is that the encryption was deliberately weakened, and many encrypted calls can therefore be intercepted and decrypted with a laptop computer.

Is the fixed telephone network safer than the mobile phone?

The answer is yes. Nevertheless, the mobile phone companies emphasize the security functions that prevent eavesdropping and unauthorized use. Existing mobile communication networks are not safer than the fixed telephone networks; they only offer protection against the new forms of abuse that mobile service introduces.


CHAPTER 10 METHODS TO BAN CELL PHONE CLONING


Cellular operators in many countries have deployed various technologies to tackle this menace. Some of them are as follows:

- Duplicate Detection: the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer contacts the operator because he has lost the service he is paying for.
- Velocity Trap: the mobile phone seems to be moving at impossible or most unlikely speeds. For example, if a call is made in Delhi and five minutes later another call is made in Chennai, there must be two phones with the same identity on the network.
- Radio Frequency Fingerprinting, originally a military technology: even identical radio equipment has a distinguishing 'fingerprint', so the network software stores and compares fingerprints for all the phones it sees and spots clones that present the same identity with a different fingerprint.
- Usage Profiling: profiles of customers' phone usage are kept, and when discrepancies are noticed the customer is contacted. For example, if a customer normally makes only local calls but is suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone.

On their side, consumers can regularly check their unbilled amount details. Users with an international long distance (ILD) facility need to be more careful, as fraudsters attempt to make as many international calls as possible within a short time for fear of getting caught; since ILD rates are higher than other calls, they try to derive the maximum benefit in the shortest time. If your cellular service company offers Personal Identification Numbers (PINs), consider using one. Although cellular PIN services are cumbersome and require you to input your PIN for every call, they are an effective means of thwarting cloning.
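The Duplicate Detection and Velocity Trap checks listed above (the same "is it physically possible" test that the traffic-analysis paragraph in 10.1 describes) are shown below run over constructed call records, as an added example written for this page rather than an operator's fraud system. The cell-site coordinates, the call records, the subscriber numbers and the 1000 km/h speed threshold are assumptions made here; the Delhi-to-Chennai case is the one the text uses.

```python
"""Added example: Duplicate Detection and Velocity Trap over constructed call
records.  Illustrative code for this page, not an operator's system; the
cell sites, records and the 1000 km/h threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class CallRecord:
    min_: str           # subscriber identity the network saw
    start: datetime
    end: datetime
    cell: str           # cell site that served the call


# Constructed cell-site table: (latitude, longitude) in degrees.
CELLS = {
    "DEL-01": (28.61, 77.21),   # Delhi
    "DEL-02": (28.66, 77.23),   # Delhi, neighbouring site
    "MAA-01": (13.08, 80.27),   # Chennai
}


def distance_km(a: str, b: str) -> float:
    """Great-circle distance between two cell sites (haversine formula)."""
    lat1, lon1 = map(radians, CELLS[a])
    lat2, lon2 = map(radians, CELLS[b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def velocity_trap(records, max_kmh: float = 1000.0) -> list:
    """Flag consecutive calls from one identity whose separation in space and
    time implies an impossible speed: two phones are sharing that identity.
    Each alert is (MIN, from_cell, to_cell, km, km/h or None if the calls
    overlap in time)."""
    by_min = {}
    for r in sorted(records, key=lambda r: r.start):
        by_min.setdefault(r.min_, []).append(r)
    alerts = []
    for min_, calls in by_min.items():
        for prev, cur in zip(calls, calls[1:]):
            if prev.cell == cur.cell:
                continue
            gap_h = (cur.start - prev.end).total_seconds() / 3600.0
            km = distance_km(prev.cell, cur.cell)
            if gap_h <= 0:
                alerts.append((min_, prev.cell, cur.cell, round(km), None))
            elif km / gap_h > max_kmh:
                alerts.append((min_, prev.cell, cur.cell, round(km), round(km / gap_h)))
    return alerts


def duplicate_detection(records) -> list:
    """Flag calls from one identity that overlap in time at different cells:
    the network sees the 'same' phone in two places at once."""
    by_min = {}
    for r in records:
        by_min.setdefault(r.min_, []).append(r)
    alerts = []
    for min_, calls in by_min.items():
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if a.cell != b.cell and a.start < b.end and b.start < a.end:
                    alerts.append((min_, a.cell, b.cell))
    return alerts


T = datetime.fromisoformat

# Constructed call records: subscriber 9811000001 has been cloned, 9811000002 has not.
SAMPLE = [
    CallRecord("9811000001", T("2004-03-01T10:00:00"), T("2004-03-01T10:04:00"), "DEL-01"),
    CallRecord("9811000001", T("2004-03-01T10:09:00"), T("2004-03-01T10:20:00"), "MAA-01"),  # 5 min later, ~1750 km away
    CallRecord("9811000001", T("2004-03-01T10:15:00"), T("2004-03-01T10:18:00"), "DEL-02"),  # overlaps the Chennai call
    CallRecord("9811000002", T("2004-03-01T11:00:00"), T("2004-03-01T11:05:00"), "DEL-01"),
    CallRecord("9811000002", T("2004-03-01T11:30:00"), T("2004-03-01T11:33:00"), "DEL-02"),  # ordinary movement
]

if __name__ == "__main__":
    for alert in velocity_trap(SAMPLE):
        print("velocity trap:", alert)
    for alert in duplicate_detection(SAMPLE):
        print("duplicate:", alert)
```

The threshold is the tuning knob: set it low enough and legitimate air travellers trip it, which is why operators treat these alerts as a reason to contact the customer rather than to cut service automatically. Neither check does anything about a clone that is only ever used while the legitimate phone is idle and nearby; that case is what Usage Profiling and authentication are for.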


The Central Forensic Laboratory at Hyderabad has developed software to detect cloned mobile phones. The laboratory helped Delhi Police identify two such cloned mobile phones recovered recently. Called the Speaker Identification Technique, the software recognizes the voice of a person by acoustic analysis using a computerized speech laboratory machine. For the process, developed by Dr S.K. Jain, a voice sample of four seconds is adequate for an accurate result.

The best detection measure available in CDMA today is the A-key feature. The A-key is a secret 20-digit (64-bit) number, unique to the handset, given by the manufacturer to the service provider only. This number is loaded into the Authentication Center for each mobile. As it is never displayed among the mobile's parameters, it cannot simply be copied. Whenever a call is originated or terminated on a mobile with authentication active, the network checks the originality of the set using this secret key: the same calculation is run at the mobile and at the network end, and the call is allowed through only if the results match; otherwise it is dropped.

Avoid using your cellular telephone within several miles of an airport, stadium, mall or other heavy-traffic location. These are areas where radio hobbyists use scanners for random monitoring; if they come across an interesting conversation, your number may be marked for regular selective monitoring.

However, apart from the A-key, all these methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system, but this requires upgrades to users' and operators' equipment before it can be used.


10.1. WHAT CAN BE DONE?


With technically sophisticated thieves at work, customers are relatively helpless against cellular phone fraud. Usually they become aware of the fraud only on receiving their phone bill.

Service providers have adopted certain measures to prevent cellular fraud. These include encryption, blocking, blacklisting, user verification and traffic analysis.

Encryption is regarded as the most effective way to prevent cellular fraud, as it prevents eavesdropping on cellular calls and makes it nearly impossible for thieves to capture Electronic Serial Number (ESN) and Personal Identification Number (PIN) pairs off the air.

Blocking is used by service providers to protect themselves from high-risk callers. For example, international calls can be made only with prior approval. In some countries only users with major credit cards and good credit ratings are allowed to make long-distance calls.

Blacklisting of stolen phones is another mechanism to prevent unauthorized use. An Equipment Identity Register (EIR) enables network operators to disable stolen cellular phones on networks around the world. Note that the EIR keys on the IMEI, which, as described in 7.2, is not secret and can be rewritten on many handsets, so it stops unmodified stolen phones rather than clones.

User verification using Personal Identification Number (PIN) codes is one method of customer protection against cellular phone fraud. Tests conducted in the United States found that having a PIN code reduced fraud by more than 80%.

Traffic analysis detects cellular fraud by using artificial-intelligence software to detect suspicious calling patterns, such as a sudden increase in the length of calls or in the number of international calls. The software also determines whether it is physically possible for the subscriber to be making a call from the current location, based on the location and time of the previous call. Currently South Africa's two service providers, MTN and Vodacom, use traffic analysis together with the International Mobile Equipment Identity (IMEI), a 15-digit number which acts as a unique identifier and is usually printed on the back of the phone underneath the battery, to trace stolen phones.


Other warning signs that subscribers should watch for to detect fraudulent activity include:

- frequent wrong-number calls to your phone, or hang-ups;
- difficulty in placing outgoing calls;
- difficulty in retrieving voice mail messages;
- incoming calls constantly receiving busy signals or wrong numbers;
- unusual calls appearing on your phone bills.

10.2. SOME FACTS AND FIGURES

Southwestern Bell claims wireless fraud costs the industry $650 million each year in the US. Some federal agents in the US have called phone cloning an especially 'popular' crime because it is hard to trace. In one case, more than 1,500 telephone calls were placed in a single day by cellular phone thieves using the number of a single unsuspecting owner. A Home Office report in 2002 revealed that in London around 3,000 mobile phones were stolen in one month alone and used for cell phone cloning. Authorities in that case estimated the loss at $3,000 to $4,000 for each number used in cell phone cloning. According to one school of thought, the Telecom Regulatory Authority of India (TRAI) should issue a directive holding the operators responsible for duplication of mobile phones. Qualcomm, which develops CDMA technology globally, says each instance of mobile hacking is different and therefore there is very little an operator can do to prevent it. "It's like a virus hitting the computer. The software which is used to hack into the network is different, so operators can only keep upgrading their security firewall as and when the hackers strike," says a Qualcomm executive.


CHAPTER 11 FUTURE THREATS

Resolving subscriber fraud can be a long and difficult process for the victim. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that you did not incur the debts. As described in this report there are many ways to abuse a telecommunication system, and to prevent abuse from occurring it is absolutely necessary to check the weaknesses and vulnerabilities of existing telecom systems. If it is planned to invest in new telecom equipment, a security plan should be made and the system tested before it is deployed. It is therefore mandatory to keep in mind that a technique which is described as safe today can be the most insecure technique in the future.


CHAPTER 12 CONCLUSION


Existing cellular systems have a number of potential weaknesses, which were considered above. It is crucial that businesses and staff take mobile phone security seriously. Awareness and a few sensible precautions as part of the overall enterprise security policy will deter all but the most sophisticated criminal. It is also mandatory to keep in mind that a technique which is described as safe today can be the most insecure technique in the future. Therefore it is important to check the function of a security system at least once a year and, if necessary, update or replace it. Finally, cell phones have a long way to go in security before they can be used in critical applications like m-commerce.

