
Seminar Report, 2012 Mobile Cloning

INTRODUCTION

Cell phone cloning is copying the identity of one mobile telephone to another mobile telephone. Usually this is done for the purpose of making fraudulent telephone calls. The bills for the calls go to the legitimate subscriber. The cloner is also able to make effectively anonymous calls, which attracts another group of interested users.

Cloning is the process of taking the programmed information that is stored in a legitimate mobile phone and illegally programming the identical information into another mobile phone. The result is that the "cloned" phone can make and receive calls and the charges for those calls are billed to the legitimate subscriber. Unless the network authenticates the handset with a secret that the cloner could not copy, the service provider has no way to differentiate between the legitimate phone and the "cloned" phone.

Mobile communication has been readily available for several years, and is a major business today. It provides a valuable service to its users, who are willing to pay a considerable premium over a fixed-line phone to be able to walk and talk freely. Because of its usefulness and the money involved in the business, it is subject to fraud. Unfortunately, the advance of security standards has not kept pace with the dissemination of mobile communication.

Some of the features of mobile communication make it an alluring target for criminals. It is a relatively new invention, so not all people are quite familiar with its possibilities, for good or for bad. Its newness also means intense competition among mobile phone service providers as they attract customers. The major threat to mobile phones is from cloning.

1 (SBIT-CSE-KMM)

You might have read news of the cloning of sheep or cattle with amused interest. But how would you feel if somebody cloned your mobile phone? Technology is finally showing its dark side. Along with the proliferation of technological innovations, this era also marks the birth of the new-age IT criminal in a big way, with one of the latest technology frauds being cell phone cloning. Cell phone cloning is a technique wherein the identifying (security) data from one cell phone is transferred into another phone. The other cell phone becomes an exact replica of the original cell phone, like a clone. As a result, while calls can be made from both phones, only the original is billed. Although the communication channels are protected by security algorithms, cloners get through with the help of loopholes in the systems. So when one receives huge bills, the chances are that the phone has been cloned.

This paper describes cell phone cloning and its implementation in GSM and CDMA technology phones. It gives an insight into the security mechanisms in CDMA and GSM phones along with the loopholes in the systems, and discusses the different ways of preventing this cloning. Moreover, the future threat of this fraud is elaborated.

Remember Dolly the lamb, whose cloning from the cell of a six-year-old ewe was announced in 1997 by a group of researchers at the Roslin Institute in Scotland? While the debate on the ethics of cloning continues, the human race is, for the first time, faced with a more tangible and harmful version of cloning, and this time it is your cell phone that is the target. Millions of cell phone users, be it GSM or CDMA, run the risk of having their phones cloned. As a cell phone user, if you have been receiving exorbitantly high bills for calls that were never placed, chances are that your cell phone could be cloned. Unfortunately, there is no direct way for the subscriber to detect cloning; events like dropped calls or anomalies in the monthly bill can only act as indicators.

According to media reports, recently the Delhi (India) police arrested a person with 20 cell phones, a laptop, a SIM scanner, and a writer. The accused was running an exchange illegally wherein he cloned CDMA-based cell phones. He used software named Patagonia for the cloning and provided cheap international calls to Indian immigrants in West Asia.


HISTORY

WHEN DID MOBILE CLONING START?

The early 1990s were boom times for eavesdroppers. Any curious teenager with a £100 Tandy scanner could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids.

Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid 1990s with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic, and the Model 8000.

Background

The U.S. Secret Service and the wireless telecommunications industry are increasingly concerned about wireless fraud. First, the wireless telecommunication industry asserts that wireless fraud has grown exponentially since its introduction into the market. They estimate that wireless fraud costs the telecommunications industry over $650 million per year. Second, according to the Secret Service, cloned phones are the communications medium of choice for criminals because they give them mobile communications and anonymity. Cloned phones are difficult to detect and trace, and phone numbers can be changed in an instant. Law enforcement reports an increase in the number of cloned phones confiscated during investigations of other offenses, such as drug distribution and credit card fraud.

There are four major types of cellular fraud: counterfeit fraud, subscription fraud, network fraud, and call selling operations. Explanations of each are provided below. These cellular telecommunications violations are similar to other access device violations (e.g. credit cards) in that they involve unauthorized use and/or access to individual accounts. The changes in 18 U.S.C. § 1029 are aimed at counterfeit fraud, specifically, the cloning of cellular telephones.

• Counterfeit Fraud (cloning): Involves the use of illegally altered cellular phones. Offenders gain access to legitimate account number combinations and reprogram them into other handsets to gain unauthorized access to those accounts.

• Subscription Fraud: Includes schemes related to fraudulently obtaining cellular telephone accounts. These may involve employees of the cellular carrier, forgery of application information, or theft of subscriber information.

• Network Fraud: This advanced type of fraud includes efforts to exploit weaknesses in phone switch equipment and billing systems. Manipulation of current systems can result in third party billing, use of nonexistent account numbers, or the use of multiple phones on single accounts.

• Call Selling Operations: This type of fraud involves using stolen calling card numbers and/or cellular account numbers to sell less expensive cellular long distance (often international) service to others.

How Wireless Technology Works

Each cellular phone has a unique pair of identifying numbers: the electronic serial number ("ESN") and the mobile identification number ("MIN"). The ESN is programmed into the wireless phone's microchip by the manufacturer at the time of production. The MIN is a ten-digit phone number that is assigned by the wireless carrier to a customer when an account is opened. The MIN can be changed by the carrier, but the ESN, by law, cannot be altered. When a cellular phone is first turned on, it emits a radio signal that broadcasts these numbers to the nearest cellular tower. The phone will continue to emit these signals at regular intervals, remaining in contact with the nearest cellular tower. These emissions (called autonomous registration) allow computers at the cellular carrier to know how to route incoming calls to that phone, to verify that the account is valid so that outgoing calls can be made, and to provide the foundation for proper billing of calls. This autonomous registration occurs whenever the phone is on, regardless of whether a call is actually in progress.

WHAT ARE GSM AND CDMA MOBILE PHONE SETS?

CDMA is one of the newer digital technologies used in Canada, the US, Australia, and some South-East Asian countries (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) by its use of spread spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio frequency spectrum into separate user channels by frequency slices or time slots, spread spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals.

GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies. GSM digitizes and compresses data, then sends it down a radio channel that is shared with other users' data streams, each in its own time slot (eight slots per frame). It operates in the 900 MHz or 1,800 MHz frequency bands in most of the world, and in the 850 MHz and 1,900 MHz bands in the Americas.

Some other important terms whose knowledge is necessary are:

1) IMEI

2) SIM

3) ESN

4) MIN

So, first things first: the IMEI is an abbreviation for International Mobile Equipment Identity. This is a 15-digit number (14 digits plus a check digit) that is meant to be unique to a GSM handset: no two mobile phones should carry the same IMEI. It identifies the equipment, not the subscriber. This is a very valuable number and is used in tracking mobile phones.

Second comes the SIM, which stands for Subscriber Identity Module. The SIM has survived and evolved. Earlier mobiles had the entire credit-card-sized card inserted into them; such SIMs are called ID-1 SIMs. In the other form, only the small part of the card that carries the chip is inserted into the mobile, and this is known as the plug-in SIM.

Basically the SIM provides storage of subscriber-related information of three types:

1. Fixed data stored before the subscription is sold

2. Temporary network data

3. Service-related data.

Next is the ESN, which stands for Electronic Serial Number. It plays the same role as the IMEI but is used in CDMA handsets. MIN stands for Mobile Identification Number; it identifies the subscriber's account, so it corresponds to the subscriber identity (IMSI) that a GSM phone carries on its SIM, rather than to the SIM card itself.


The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no SIM: the subscriber identity (the MIN) is programmed into the handset's own memory rather than onto a removable card, so it cannot be swapped between phones the way a GSM SIM can.

Now that we have familiarized ourselves with these terms, let us address the next question.

GSM

Global System for Mobile Communications. A digital cellular phone technology based on TDMA. GSM phones use a Subscriber Identity Module (SIM) card that contains the user account information. Any GSM phone becomes immediately programmed after plugging in the SIM card, thus allowing GSM phones to be easily rented or borrowed. Operators who provide GSM service in India are Airtel, Hutch etc.

Do GSM sets run the risk of ‘cloning’?

Looking at the recent case, it is quite possible to clone both GSM and CDMA sets. The accused in the Delhi case used software called Patagonia to clone only CDMA phones (Reliance and Tata Indicom). However, there are software packages that can be used to clone even GSM phones (e.g. Airtel, BSNL, Hutch, Idea). Note that knowledge of the International Mobile Equipment Identity (IMEI), the instrument number, is not by itself sufficient to clone a GSM subscription: the IMEI identifies the handset, not the account. What the cloner needs is the subscriber identity (IMSI) and the secret key (Ki) held on the SIM, as described under "Cloning GSM Phones" below.

But the GSM-based operators maintain that the fraud is happening on CDMA, for now, and so their subscribers need not worry.

Operators in other countries have deployed various technologies to tackle this menace. They are:

1) There is the duplicate detection method, where the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer will contact the operator because he has lost the service he is paying for.

2) The velocity trap is another test to check the situation, whereby the mobile phone seems to be moving at impossible, or most unlikely, speeds. For example, if a call is first made in Delhi, and five minutes later another call is made but this time in Chennai, there must be two phones with the same identity on the network.

3) Some operators also use radio frequency fingerprinting, originally a military technology. Even identical radio equipment has a distinguishing "fingerprint", so the network software stores and compares fingerprints for all the phones that it sees. This way, it will spot the clones with the same identity but different fingerprints.

4) Usage profiling is another way, wherein profiles of customers' phone usage are kept, and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local network calls but is suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone.


Cloning GSM Phones.

GSM handsets, on the contrary, are safer, according to experts. Every GSM phone has a 15-digit electronic serial number (referred to as the IMEI). It is not a particularly secret bit of information and you don't need to take any care to keep it private. The important information is the IMSI, which is stored on the removable SIM card that carries all your subscriber information, roaming database and so on, together with the subscriber's secret key Ki, which never leaves the SIM in normal operation. GSM employs a symmetric-key challenge-response scheme for authenticating the subscriber over the air: the network sends a random challenge and the SIM answers with a response computed from the challenge and Ki, so the key itself is never transmitted. Cloning a SIM using only information captured over the air is therefore difficult, though not impossible. As long as you don't lose your SIM card, you are reasonably safe with GSM. GSM carriers use the COMP128 authentication algorithm between the SIM, the authentication center and the network; however, the original version of COMP128 was shown in 1998 to leak Ki under a chosen-challenge attack, which is the weakness the attack described next exploits.

GSM networks, which are considered to be impregnable, can also be hacked. The process is simple: a SIM card is inserted into a reader connected to a computer with a data cable. Software on the computer sends the card a large number of chosen challenges and recovers the secret key Ki from the responses; the IMSI and the recovered Ki are then written onto a blank programmable smart card. The result: a cloned SIM, and with it a cloned cell phone, is ready for misuse.

CDMA

Code Division Multiple Access. A method for transmitting simultaneous signals over a shared portion of the spectrum. There is no Subscriber Identity Module (SIM) card, unlike in GSM. Operators who provide CDMA service in India are Reliance and Tata Indicom.

Cloning CDMA Cell Phones.

Cellular telephone thieves monitor the radio frequency spectrum and steal the cell phone pair as it is being autonomously registered with a cell site. CDMA itself uses spread-spectrum techniques to share bands among multiple conversations, and subscriber information on a CDMA channel is transmitted digitally and can be encrypted; the exposure comes from the analog side. First generation (analog) mobile cellular networks allowed fraudsters to pull subscription data (such as the ESN and MIN) from the analog air interface, and CDMA handsets are particularly vulnerable to cloning, according to experts, because pairs captured this way can be programmed into them. A device called a DDI, Digital Data Interface (which comes in various formats, from the more expensive stand-alone box to a device which interfaces with an 800 MHz capable scanner and a PC), can be used to get pairs by simply making the device mobile, sitting in a busy traffic area (a freeway overpass) and collecting all the data needed. The stolen ESN and MIN were then fed into a new CDMA handset, whose existing program was erased with the help of downloaded software. The buyer then programs them into new phones, which will have the same number as that of the original subscriber.

SECURITY FUNCTIONS OF THE GSM AND CDMA

As background to a better understanding of the attacks on the GSM and CDMA networks, the following gives a brief introduction to the security functions available in GSM. The following functions exist:

• Access control by means of a personal smart card (called the Subscriber Identity Module, SIM) and a PIN (personal identification number).

• Authentication of the user towards the network carrier and generation of a session key, in order to prevent abuse.

• Encryption of communication on the radio interface, i.e. between the mobile station and the base station.

• Concealing the user's identity on the radio interface, i.e. a temporarily valid identity code (TMSI) is used for the identification of a mobile user instead of the IMSI.

HOW MOBILE WORKS?

Cell phones send radio frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular phone makes a call, it normally transmits its Electronic Serial Number (ESN), Mobile Identification Number (MIN), its Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press the SEND button and before the tower picks up the data. These four things are the components the cellular provider uses to ensure that the phone is programmed to be billed and that it also has the identity of both the customer and the phone. The MIN and ESN are collectively known as the "pair", which is used for cell phone identification.

When the cell site receives the pair signal, it determines if the requester is a legitimate registered user by comparing the requester's pair to a cellular subscriber list. Once the cellular telephone's pair has been recognized, the cell site emits a control signal to permit the subscriber to place calls at will. This process, known as autonomous registration, is carried out each time the telephone is turned on or picked up by a new cell site. Note that in this check the pair is the only credential: anyone who transmits a valid pair is treated as that subscriber.


SECURITY VULNERABILITIES IN CELL PHONE.

Your cellular telephone has three major security vulnerabilities:

• Monitoring of your conversations while using the phone.

• Your phone being turned into a microphone to monitor conversations in the vicinity of your phone while the phone is inactive.

• Cloning, or the use of your phone number by others to make calls that are charged to your account.

IS FIXED TELEPHONE NETWORK SAFER THAN MOBILE PHONE?

The answer is yes. Nevertheless, the security functions which prevent eavesdropping and unauthorized use are emphasized by the mobile phone companies. The existing mobile communication networks are not safer than the fixed telephone networks; their security functions only offer protection against the new forms of abuse that the open radio interface makes possible.

HOW BIG OF A PROBLEM IS CLONING FRAUD?

The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses due to cloning fraud are between $600 million and $900 million in the United States. Some subscribers of Reliance had to suffer because their phones were cloned. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government.


HOW IS MOBILE CLONING DONE?

Cloning involved modifying or replacing the EPROM in the phone with a new chip which would allow you to configure an ESN (Electronic Serial Number) via software. You would also have to change the MIN (Mobile Identification Number). When you had successfully changed the ESN/MIN pair, your phone was an effective clone of the other phone. Cloning required access to ESN and MIN pairs. ESN/MIN pairs were discovered in several ways:

• Trashing (dumpster diving) cellular companies or cellular resellers

• Sniffing the cellular air interface

• Hacking cellular companies or cellular resellers

Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older cloneable phones are more difficult to find and newer phones have not been successfully reverse-engineered.

Cloning has been successfully demonstrated under GSM, but the process is not easy and it currently remains in the realm of serious hobbyists and researchers.

Cellular thieves can capture ESN/MINs using devices such as cell phone ESN readers or digital data interpreters (DDI). DDIs are devices specially manufactured to intercept ESN/MINs. By simply sitting near busy roads where the volume of cellular traffic is high, cellular thieves monitoring the radio wave transmissions from the cell phones of legitimate subscribers can capture ESN/MIN pairs. Numbers can be recorded by hand, one by one, or stored in the box and later downloaded to a computer. ESN/MIN readers can also be used from inside an offender's home, office, or hotel room, increasing the difficulty of detection.

The ESN/MIN pair can be cloned in a number of ways without the knowledge of the carrier or subscriber through the use of electronic scanning devices. After the ESN/MIN pair is captured, the cloner reprograms or alters the microchip of any wireless phone to create a clone of the wireless phone from which the ESN/MIN pair was stolen. Any call made with the cloned phone is billed to, and traced to, the legitimate phone account. Innocent citizens end up with unexplained monthly phone bills. To reprogram a phone, the ESN/MINs are transferred using a computer loaded with specialized software, or a "copycat" box, a device whose sole purpose is to clone phones. The devices are connected to the cellular handsets and the new identifying information is entered into the phone. There are also more discreet, concealable devices used to clone cellular phones. Plugs and ES-Pros, which are about the size of a pager or small calculator, do not require computers or copycat boxes for cloning. The entire programming process takes 10-15 minutes per phone.


Basic Mobile Cloning Instructions

What you are looking to do is basically modify two different numbers on the device. You will have to alter the ESN (electronic serial number) and the MIN (mobile identification number). Once altered, the cell network will believe that your handset is the other handset.

This means that in order to clone a cell phone, you will first have to find those two numbers on the cell phone you would like to clone. This can be difficult: you would have to get your hands on the phone itself (or capture the pair off the air, as described above). Once that happens, you will have to get an identical model and replace the EPROM with one that can be altered via software. This is somewhat simpler with a GSM phone, where the subscriber identity lives on the removable SIM, and more difficult with a CDMA model. The cell phone cloning instructions for a CDMA model would include removing the EPROM, and soldering would be necessary with many models.

Controlling Cell Phone Fraud in the US: Lessons for the UK 'Foresight' Prevention Initiative

During the 1990s, criminals in the US discovered ways of altering cellular phones to obtain free service. In 'cloning' frauds, criminals using scanners were able to capture the identifying numbers broadcast by legitimate phones and to program these into illegitimate 'clones'. These could then be used to obtain free access to the wireless network. In 'tumbling' frauds, telephones were altered so that they randomly transmitted illegally obtained identifying numbers. This allowed the phone to gain access to free cellular service, particularly when used outside the area where the numbers had been issued. By 1995, these frauds were costing the cellular telephone industry about $800 million per year. They also created 'upstream' crime costs in terms of thefts of phones for cloning and 'downstream' costs by facilitating drug dealing and other organized crimes. They were virtually eliminated by the end of the 1990s, through technological counter-measures adopted by the industry. There was little sign of displacement to other forms of cell phone fraud, and the preventive measures appeared to be highly cost-effective. The case study permits comment on the UK 'Foresight' initiative that envisages partnerships between the government and industry to anticipate and remove opportunities for crime created by new technology.


ARE OUR MOBILES SECURE?

Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy. Did you realize there is a lucrative black market in stolen and "cloned" SIM cards? This is possible because SIMs are not network specific and, though tamper-resistant, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill.

But there are locking mechanisms on cellular phones that require a PIN to access the phone. This would dissuade some attackers and foil others, but might not work against a well financed and equipped attacker. An 8-digit PIN has 100,000,000 possible values, so brute force requires approximately 50,000,000 guesses on average, but there may be ways for sophisticated attackers to bypass it. With the shift to GSM digital, which now covers almost the entire UK mobile sector, the phone companies assure us that the bad old days are over. Mobile phones, they say, are secure and privacy friendly.

This is not entirely true. While the amateur scanner menace has been largely exterminated, there is now more potential than ever before for privacy invasion. The alleged security of GSM relies on the myth that encryption, the mathematical scrambling of our conversations, makes it impossible for anyone to intercept and understand our words. And while this claim looks good on paper, it does not stand up to scrutiny.

The reality is that the encryption has deliberately been made weak: the export variant A5/2 was designed with reduced strength, and the standard A5/1 cipher has since been broken by published cryptanalysis. Many encrypted calls can therefore be intercepted and decrypted with a laptop computer.

WHAT ARE ESN AND PIN?

ESN means Electronic Serial Number. This number is loaded when the phone is manufactured. This number cannot be tampered with or changed by the user or subscriber. If this number is known, a mobile can be cloned easily.

Personal Identification Number (PIN): every service provider issues a Personal Identification Number (PIN) to its subscriber. This number is unique to the subscription. If the PIN and ESN are known, a mobile phone can be cloned in seconds using software like Patagonia, which is used to clone CDMA phones.

Identifying the ESN in your MOBILE.

Depending on what model phone you have, the ESN will be located on a PROM. The PROM is programmed at the factory, and installed usually with the security fuse blown to prevent tampering. The code on the PROM might possibly be obtained by unsoldering it from the cellular phone, putting it in a PROM reader, and then obtaining a memory map of the chip.

The PROM is going to have from sixteen to twenty-eight leads coming from it. It is a bipolar PROM. The majority of phones will accept the National Semiconductor 32x8 PROM, which will hold the ESN and cannot be reprogrammed. If the ESN is known on the phone, it is possible to trace the memory map by installing the PROM into a reader, and obtaining the fuse map from the PROM by triggering the "READ MASTER" switch of the PROM programmer. In addition, most PROM programming systems include a verify and compare switch to allow you to compare the programming of one PROM with another.

As said earlier, the ESN chip is uniformly black with sixteen to twenty-eight leads emanating from its rectangular or square-shaped body. If it is the dual-in-line package (DIP) chip, usually found in transportable and installed phones, it is rectangular. If it is the plastic leaded chip carrier (PLCC), it will be square and have a much smaller appearance. Functionally, they are the same chip, but the PLCC is used with hand-held cellular phones because of the need for reduced-size circuitry.

ESN Replacement.

De-solder the ESN chip. Solder in a zero insertion force (ZIF) socket in its place, so that the chip can be changed easily. After the ZIF socket has been successfully soldered in, reinsert the ESN chip and attempt to make a phone call (be sure the NAM is programmed correctly). If it doesn't work, check the leads on the ZIF socket to ensure that you have soldered them correctly. After that, insert the ESN chip into your PROM reader and make sure it provides some sort of reading. Use the reader's search mode to look for the manufacturer's serial number, to identify the address on the PROM where the ESN is stored and would be reprogrammed.

MOBILE Security Measures.

Cellular operators in many countries have deployed various technologies to tackle this menace. Some of them are as follows:

There is the Duplicate Detection Method, where the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer will contact the operator because he has lost the service he is paying for. The Velocity Trap is another test to check the situation, whereby the mobile phone seems to be moving at impossible or most unlikely speeds. For example, if a call is first made in Delhi, and five minutes later another call is made but this time in Chennai, there must be two phones with the same identity on the network.

Some operators also use Radio Frequency Fingerprinting, originally a military technology. Even identical radio equipment has a distinguishing "fingerprint", so the network software stores and compares fingerprints for all the phones that it sees. This way, it will spot the clones with the same identity but different fingerprints.

Usage Profiling is another way, wherein profiles of customers' phone usage are kept, and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local network calls but is suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone. On the other hand, consumers can regularly check their unbilled amount details. Users with ILD (international long distance) facility need to be more careful, as fraudsters attempt to make as many international calls as possible within a short time for fear of getting caught. Since ILD rates are higher than those of other calls, fraudsters try to derive the maximum benefit in the shortest time.
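The duplicate detection, velocity trap and usage profiling checks described above (and listed earlier under "Do GSM sets run the risk of 'cloning'?") can be expressed as simple rules over call records. The following Python is an added example written for this page, not code from the report or from any operator: the record layout, the cell-site coordinates, the speed threshold, the subscriber profiles and the call records themselves are all constructed for the illustration. Radio frequency fingerprinting is left out because it needs physical-layer measurements that a call record does not carry.

```python
import math
from datetime import datetime
from itertools import combinations

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 300.0  # assumed threshold: faster than road or rail travel

# Constructed cell-site table: site id -> (latitude, longitude) in degrees.
# Coordinates are approximate city centres of Delhi and Chennai; ids are made up.
CELL_SITES = {
    "DEL-01": (28.61, 77.21),
    "DEL-02": (28.63, 77.22),
    "CHN-01": (13.08, 80.27),
}

# Constructed subscriber profiles: MIN -> call classes seen in past billing cycles.
BASELINE_PROFILE = {"9811000001": {"local"}, "9811000002": {"local"}}

# Constructed call records, one per line: start|end|ESN|MIN|cell|dialed
# (ESN/MIN is the "pair"; dialed digits are masked with X).
SAMPLE_RECORDS = """\
2012-03-01T10:00:00|2012-03-01T10:04:00|A1B2C3D4|9811000001|DEL-01|0117XXXXXXX
2012-03-01T10:05:00|2012-03-01T10:09:00|A1B2C3D4|9811000001|CHN-01|+44XXXXXXXXX
2012-03-01T10:06:00|2012-03-01T10:08:00|A1B2C3D4|9811000001|DEL-02|0117XXXXXXX
2012-03-01T10:30:00|2012-03-01T10:31:00|FFEE0011|9811000002|DEL-01|0117XXXXXXX
2012-03-01T11:00:00|2012-03-01T11:02:00|FFEE0011|9811000002|DEL-02|0117XXXXXXX
"""


def parse_records(text):
    """Parse the pipe-separated records into dicts with datetime fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, esn, min_, cell, dialed = line.split("|")
        records.append({"start": datetime.fromisoformat(start),
                        "end": datetime.fromisoformat(end),
                        "esn": esn, "min": min_, "cell": cell, "dialed": dialed})
    return records


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def _by_pair(records):
    """Group records by the (ESN, MIN) pair, each group sorted by start time."""
    groups = {}
    for r in records:
        groups.setdefault((r["esn"], r["min"]), []).append(r)
    return {k: sorted(v, key=lambda r: r["start"]) for k, v in groups.items()}


def velocity_trap(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive calls by one pair whose implied travel speed is impossible."""
    alerts = []
    for (esn, min_), group in _by_pair(records).items():
        for prev, cur in zip(group, group[1:]):
            gap_h = (cur["start"] - prev["end"]).total_seconds() / 3600.0
            if gap_h <= 0:
                continue  # overlapping calls are left to duplicate_detection
            km = haversine_km(CELL_SITES[prev["cell"]], CELL_SITES[cur["cell"]])
            if km / gap_h > max_kmh:
                alerts.append({"esn": esn, "min": min_, "km": round(km),
                               "kmh": round(km / gap_h),
                               "cells": (prev["cell"], cur["cell"])})
    return alerts


def duplicate_detection(records):
    """Flag one pair in two calls at once: a single handset cannot do that."""
    alerts = []
    for (esn, min_), group in _by_pair(records).items():
        for a, b in combinations(group, 2):
            if a["start"] < b["end"] and b["start"] < a["end"]:
                alerts.append({"esn": esn, "min": min_,
                               "cells": (a["cell"], b["cell"])})
    return alerts


def call_class(dialed):
    """Crude classifier: a '+' or '00' prefix means international, else local."""
    return "international" if dialed.startswith(("+", "00")) else "local"


def usage_profiling(records, baseline):
    """Flag calls of a class the subscriber has never made before."""
    return [{"min": r["min"], "dialed": r["dialed"], "class": call_class(r["dialed"])}
            for r in records
            if call_class(r["dialed"]) not in baseline.get(r["min"], set())]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for alert in velocity_trap(recs):
        print("velocity trap:", alert)
    for alert in duplicate_detection(recs):
        print("duplicate detection:", alert)
    for alert in usage_profiling(recs, BASELINE_PROFILE):
        print("usage profiling:", alert)
```

Run as a script, it prints one velocity-trap alert (the pair seen in Delhi and, one minute later, in Chennai, roughly 1,750 km away), one duplicate-detection alert (the same pair in two overlapping calls at different cells) and one usage-profiling alert (a first-ever international call). In practice the thresholds come from the operator's own history, and the reaction to an alert (contacting the customer, suspending the pair) is a policy decision, as the text notes.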

If your cellular service company offers Personal Identification Numbers (PINs), consider using one. Although cellular PIN services are cumbersome and require that you input your PIN for every call, they are an effective means of thwarting cloning.

The Central Forensic Laboratory at Hyderabad has developed software to detect cloned mobile phones. The laboratory helped Delhi Police identify two such cloned mobile phones recovered recently. Called the Speaker Identification Technique, the software enables one to recognize the voice of a person by acoustic analysis, using a computerized speech laboratory machine. For the process, developed by Dr S.K. Jain, a voice sample of four seconds is adequate for an accurate result.

The best detection measure available in CDMA today is the A-Key feature. The A-key is a secret 20-digit number unique to the handset, given by the manufacturer to the service provider only. This number is loaded into the Authentication Center for each mobile. As this number is not displayed among the mobile's parameters, it cannot be copied. Whenever a call is originated or terminated from a mobile with authentication active, the network checks the authenticity of the set using this secret key. If the data matches at both the mobile and network ends, the call is allowed to go through; otherwise it is dropped.

Avoid using your cellular telephone within several miles of the airport, stadium, mall, or other heavy traffic locations. These are areas where radio hobbyists use scanners for random monitoring. If they come across an interesting conversation, your number may be marked for regular selective monitoring.

However, all these methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system. But this requires upgrades to users' and operators' equipment before they can be used.

WHAT IS PATAGONIA?

Patagonia is software available in the market which is used to clone CDMA phones. Using this software a cloner can take over control of a CDMA phone, i.e. clone the phone. Other software is available in the market to clone GSM phones, and it is easily obtained. A SIM can be cloned again and again and the clones can be used at different places. Messages and calls sent by cloned phones can be tracked. However, if the accused manages to also clone the IMEI number of the handset, for which software is available, there is no way he can be traced.

CAN DIGITAL PHONES BE CLONED?

Yes. Digital phones can be cloned; however, mobile phones employing digital TDMA and CDMA technology are equipped with a feature known as "Authentication." Some newer model analog phones also have this feature. Authentication allows the mobile service provider network to determine the legitimacy of a mobile phone. Phones determined to be "clones" can be instantly denied access to service before any calls are made or received.

WHAT EXACTLY IS AUTHENTICATION?

Authentication is a mathematical process by which identical calculations are performed in both the network and the mobile phone. These calculations use secret information (known as a "key") preprogrammed into both the mobile phone and the network before service is activated. Cloners typically have no access to this secret information (i.e., the key), and therefore cannot obtain the same results from the calculations.

A legitimate mobile phone will produce the same calculated result as the network. The mobile phone's result is sent to the network and compared with the network's result. If they match, the phone is not a "clone."
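
The A-key check described under the security measures above and the "identical calculations on both sides" description here are the same challenge-response idea. The following is an added example, not code from the report or from any carrier: it models an Authentication Center holding a per-subscriber secret key and a handset that either has the key (genuine) or only copied the identity (clone). HMAC-SHA256 stands in for the real CAVE/A-key algorithm, which this example does not reproduce; the identity strings and key are constructed.

```python
"""Challenge-response authentication between network and handset.

Added example (not the report's or any carrier's code). The network and
the handset share a secret key provisioned before service; the network
sends a fresh random challenge, both sides compute the same keyed
function, and the call proceeds only if the handset's response matches.
HMAC-SHA256 is a stand-in for the real CAVE/A-key computation.
"""
import hmac
import hashlib
import secrets


class AuthenticationCenter:
    """Network side: stores each subscriber's secret key (the 'A-key' in
    CDMA terms). The key never leaves this store."""

    def __init__(self):
        self._keys = {}

    def provision(self, identity, key):
        self._keys[identity] = key

    def challenge(self):
        # A fresh random challenge per call, so a recorded response
        # cannot simply be replayed later.
        return secrets.token_bytes(16)

    def verify(self, identity, rand, response):
        key = self._keys.get(identity)
        if key is None:
            return False
        expected = hmac.new(key, rand, hashlib.sha256).digest()
        # Constant-time comparison of the handset's result with ours.
        return hmac.compare_digest(expected, response)


class Handset:
    """A phone: knows its identity (ESN/MIN) and, if legitimate, the key."""

    def __init__(self, identity, key=None):
        self.identity = identity
        self._key = key

    def respond(self, rand):
        if self._key is None:
            # A clone copied the identity but not the key: it can only
            # guess, which fails with overwhelming probability.
            return secrets.token_bytes(32)
        return hmac.new(self._key, rand, hashlib.sha256).digest()


def originate_call(ac, phone):
    """One authentication exchange; True means the call is allowed."""
    rand = ac.challenge()
    resp = phone.respond(rand)
    return ac.verify(phone.identity, rand, resp)


def replay_fails(ac, genuine):
    """A recorded (challenge, response) pair verifies only against the
    challenge it was computed for, not against the next call's challenge."""
    rand1 = ac.challenge()
    resp1 = genuine.respond(rand1)
    rand2 = ac.challenge()
    return (ac.verify(genuine.identity, rand1, resp1)
            and not ac.verify(genuine.identity, rand2, resp1))


def demo():
    """Returns (genuine_allowed, clone_allowed) for a constructed subscriber."""
    ac = AuthenticationCenter()
    key = secrets.token_bytes(20)                 # placeholder for the A-key
    identity = "ESN-0001/MIN-5551234"             # constructed identity
    ac.provision(identity, key)
    genuine = Handset(identity, key)
    clone = Handset(identity)                     # same identity, no key
    return originate_call(ac, genuine), originate_call(ac, clone)


if __name__ == "__main__":
    ok, cloned = demo()
    print("genuine handset allowed:", ok)
    print("clone allowed:", cloned)
```

The point the example makes concrete is that copying the transmitted identifiers (ESN, MIN) is not enough once authentication is active: the response depends on a key that is never sent over the air, and a fresh challenge prevents reuse of an observed response.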

ARE THESE METHODS EFFECTIVE?

Yes, for the most part. However, Authentication is the most robust and reliable method for preventing cloning fraud, and it is the only industry "standard" method for eliminating cloning. The fact that it is standardized means that all mobile telecommunications networks using IS-41 can support Authentication. There is no need to add proprietary equipment, software, or communications protocols to the networks to prevent cloning fraud.

IS MY PHONE AUTHENTICATION CAPABLE?

If the phone supports TDMA or CDMA digital radio, then yes. Otherwise, it depends on how old the phone is and the make and model. Almost all phones manufactured since the beginning of 1996 support the Authentication function. The best bet is to check with your service

Technical details of the attack

We showed how to break the COMP128 authentication algorithm, an instantiation of A3/A8 widely used by providers. Our attack is a chosen-challenge attack. We form a number of specially-chosen challenges and query the SIM for each one; the SIM applies COMP128 to its secret key and our chosen challenge, returning a response to us. By analyzing the responses, we are able to determine the value of the secret key.

Mounting this attack requires physical access to the target SIM, an off-the-shelf smartcard reader, and a computer to direct the operation. The attack requires one to query the smartcard about 150,000 times; our smartcard reader can issue 6.25 queries per second, so the whole attack takes 8 hours. Very little extra computation is required to analyze the responses.

Though the COMP128 algorithm is supposed to be a secret, we pieced together information on its internal details from public documents, leaked information, and several SIMs we had access to. After a theoretical analysis uncovered a potential vulnerability in the algorithm, we confirmed that our reconstruction of the COMP128 algorithm was correct by comparing a software implementation to responses computed by a SIM known to implement COMP128.

Information for cryptographers

The attack exploits a lack of diffusion: there's a narrow "pipe" inside COMP128. In particular, bytes i,i+8,i+16,i+24 at the output of the second round depend only on bytes i,i+8,i+16,i+24 of the input to COMP128. (By "round", I refer to one layer of "butterflies" and S-boxes; there are a total of 5*8 rounds in COMP128.) Bytes i,i+8 of the COMP128 input are bytes i,i+8 of the key, and bytes i+16,i+24 of the COMP128 input are bytes i,i+8 of the challenge input.

Now we "probe" the narrow pipe, by varying bytes i+16,i+24 of the COMP128 input (i.e. bytes i,i+8 of the challenge) and holding the rest of the COMP128 input constant. Since the rounds are non-bijective, you can hope for a collision in bytes i,i+8,i+16,i+24 of the output after two rounds. The birthday paradox guarantees that collisions will occur pretty rapidly (since the pipe is only 4 bytes wide); collisions in the narrow pipe can be recognized, since they will cause a collision in the output of COMP128 (i.e. the two authentication responses will be the same); and each collision can be used to learn the two key bytes i,i+8 with a bit of analysis of the first two rounds (i.e. perform a "2-R attack", in the terminology of differential cryptanalysis).

As stated, this would require 2^{4*7/2 + 0.5} = 2^{14.5} chosen-input queries to COMP128 to learn two key bytes (since each of the four bytes of output after the second round are actually only 7-bit values), and thus would require 8 * 2^{14.5} = 2^{17.5} queries to recover the whole 128-bit key Ki. However, we have some optimizations to get this number down a bit.

Note that there is a significant amount of literature on the design of cryptographic hash functions out of a FFT-like structure (as COMP128 is designed). For instance, Serge Vaudenay's work on a theory of black-box cryptanalysis (as well as his other work, e.g. ``FFT-Hash II is not yet secure'') is more than sufficient to uncover this weakness in COMP128. In other words, our attack techniques are not particularly novel.
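
The query counts quoted above follow directly from the width of the pipe and the birthday bound. The following is an added worked derivation, not part of the original text; it uses the section's own quantities (4 pipe bytes of 7 effective bits each, 8 pipes, the 128-bit key Ki) and nothing else:

```latex
% Width of the narrow pipe: four output bytes, each carrying only 7 useful bits
w = 4 \cdot 7 = 28 \text{ bits}, \qquad N = 2^{w} = 2^{28} \text{ reachable pipe values}

% Birthday bound: among q uniformly distributed values in a space of size N a
% collision is likely once q \approx \sqrt{2N}, i.e. q \approx 2^{w/2 + 1/2}
q = 2^{4 \cdot 7/2 + 0.5} = 2^{14.5} \approx 2.3 \times 10^{4} \text{ chosen challenges per pipe}

% Each collision in pipe i yields key bytes i, i+8; pipes i = 0, \dots, 7
% together cover all 16 bytes of the 128-bit key K_i
8 \cdot q = 2^{3} \cdot 2^{14.5} = 2^{17.5} \approx 1.85 \times 10^{5} \text{ queries}

% The ~150,000 queries reported earlier (\approx 2^{17.2}) are what remains
% after the optimizations the authors mention
```

The takeaway for a defender is the shape of the bound rather than the constant: a function whose intermediate state collapses to w bits can be probed with roughly 2^{w/2} queries, which is why diffusion across the whole state is a design requirement for an authentication algorithm.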

What went wrong?

This vulnerability can be attributed to a serious failing of the GSM security design process: it was conducted in secrecy. Experts have learned over the years that the only way to assure security is to follow an open design process, encouraging public review to identify flaws while they can still be fixed. There's no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny; nobody is that much better than the rest of the research community.

In the telecommunications security field, openness is critical to good design. Code making is so hard to get right the first time that it is crucial to have others double-check one's ideas. Instead, the GSM design committee kept all security specifications secret -- which made the information just secret enough to prevent others from identifying flaws in time to fix them, but not secret enough to protect the system against eventual scrutiny. With 80 million GSM users, fixing flaws in such a widely-fielded system is likely to be quite costly.

We expect that fixing the flaw may potentially be expensive. A new authentication algorithm would have to be selected. Then new SIMs would have to be programmed with the new algorithm, and distributed to the 80 million end users. Finally, a software upgrade may be required for all authentication centers.

HOW TO KNOW THAT THE CELL HAS BEEN CLONED?

Frequent wrong number phone calls to your phone, or hang-ups.

Difficulty in placing outgoing calls.

Difficulty in retrieving voice mail messages.

Incoming calls constantly receiving busy signals or wrong numbers.

Unusual calls appearing on your phone bills.

CAN CALLS ON CLONED PHONE BE TRACKED?

Yes. A SIM can be cloned again and again and the clones can be used at different places. Messages and calls sent by cloned phones can be tracked. However, if the accused manages to also clone the IMEI number of the handset, for which software is available, there is no way the cell can be traced.

HOW TO PREVENT CELL CLONING?

A mobile identification number (MIN) uniquely identifies a mobile unit within a wireless carrier's network. The MIN often can be dialed from other wireless or wire line networks. The number differs from the electronic serial number (ESN), which is the unit number assigned by a phone manufacturer. MINs and ESNs can be checked electronically to help prevent fraud.

Mobiles should never be trusted for communicating/storing confidential information.

Always set a PIN that's required before the phone can be used.

Check that all mobile devices are covered by a corporate security policy.

Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

How do service providers handle reports of cloned phones?

Legitimate subscribers who have their phones cloned will receive bills with charges for calls they didn't make. Sometimes these charges amount to several thousand dollars in addition to the legitimate charges.

Typically, the service provider will assume the cost of those additional fraudulent calls. However, to keep the cloned phone from continuing to receive service, the service provider will terminate the legitimate phone subscription. The subscriber is then required to activate a new subscription with a different phone number, requiring reprogramming of the phone, along with the additional headaches that go along with phone number changes.

ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD?

Service providers use many methods, such as RF Fingerprinting, subscriber behavior profiling, and Authentication. RF Fingerprinting is a method to uniquely identify mobile phones based on certain unique radio frequency transmission characteristics that are essentially "fingerprints" of the radio being used. Subscriber behavior profiling is used to predict possible fraudulent use of mobile service based on the types of calls previously made by the subscriber. Calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and appropriate actions can be taken.

Authentication has advantages over these technologies in that it is the only industry standardized procedure that is transparent to the user, a technology that can effectively combat roamer fraud, and a prevention system as opposed to a detection system.

WHAT IS IS-41?

IS-41 (Interim Standard No. 41) is a document prescribing standards for communications between mobile networks. The standard was developed by the Telecommunications Industry Association (TIA) and is used primarily throughout North America as well as in many Latin American countries and Asia. The IS-41 network communications standard supports AMPS, NAMPS, TDMA, and CDMA radio technologies. IS-41 is the standard that defines the methods for automatic roaming, handoff between systems, and for performing Authentication.

WHAT CAN BE DONE?

With technically sophisticated thieves, customers are relatively helpless against cellular phone fraud. Usually they become aware of the fraud only on receiving their phone bill.

Service providers have adopted certain measures to prevent cellular fraud. These include encryption, blocking, blacklisting, user verification and traffic analysis:

Encryption is regarded as the most effective way to prevent cellular fraud, as it prevents eavesdropping on cellular calls and makes it nearly impossible for thieves to steal Electronic Serial Number (ESN) and Personal Identification Number (PIN) pairs. Blocking is used by service providers to protect themselves from high risk callers. For example, international calls can be made only with prior approval. In some countries only users with major credit cards and good credit ratings are allowed to make long distance calls.

Blacklisting of stolen phones is another mechanism to prevent unauthorized use. An Equipment Identity Register (EIR) enables network operators to disable stolen cellular phones on networks around the world.

User verification using Personal Identification Number (PIN) codes is one method for customer protection against cellular phone fraud.

Tests conducted in the United States found that having a PIN code reduced fraud by more than 80%.

Traffic analysis detects cellular fraud by using artificial intelligence software to detect suspicious calling patterns, such as a sudden increase in the length of calls or a sudden increase in the number of international calls. The software also determines whether it is physically possible for the subscriber to be making a call from the current location, based on the location and time of the previous call. Currently, South Africa's two service providers, MTN and Vodacom, use traffic analysis together with the International Mobile Equipment Identity (IMEI), a 15-digit number which acts as a unique identifier and is usually printed on the back of the phone underneath the battery, to trace stolen phones.
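
The IMEI just described and the Equipment Identity Register (EIR) blacklisting mentioned under "What can be done?" fit together: the 15-digit IMEI ends in a Luhn check digit, so an operator can reject malformed identifiers before consulting the register, and the register answers whether the handset is allowed, watched, or blocked. The following is an added example, not code from the report or from any operator; the in-memory register and the sample IMEIs are constructed for the example and belong to no real device.

```python
"""IMEI check-digit validation and an Equipment Identity Register lookup.

Added example (not the report's or any operator's code). An IMEI is 15
digits whose last digit is a Luhn check digit over the first 14; the EIR
here is an in-memory dictionary with the three list states (white, grey,
black) an operator's register keeps. Sample IMEIs are constructed.
"""


def luhn_check_digit(digits14):
    """Compute the Luhn check digit for the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(digits14):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei):
    """True if imei is 15 digits whose last digit is the Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


class EquipmentIdentityRegister:
    """Minimal EIR: maps IMEI -> list colour and decides on attach requests."""

    WHITE, GREY, BLACK = "white", "grey", "black"

    def __init__(self):
        self._status = {}

    def set_status(self, imei, status):
        if not is_valid_imei(imei):
            raise ValueError("malformed IMEI")
        if status not in (self.WHITE, self.GREY, self.BLACK):
            raise ValueError("unknown list")
        self._status[imei] = status

    def check(self, imei):
        """Decision string for a handset presenting this IMEI."""
        if not is_valid_imei(imei):
            return "reject: malformed IMEI"
        status = self._status.get(imei, self.WHITE)   # unknown IMEIs are allowed
        if status == self.BLACK:
            return "reject: blacklisted (reported stolen)"
        if status == self.GREY:
            return "allow: greylisted, log and monitor"
        return "allow"


def demo():
    """Constructed scenario: one stolen handset reported to the EIR."""
    eir = EquipmentIdentityRegister()
    stolen = "860000000000009"        # constructed IMEI, valid check digit
    legit = "351234567890124"         # constructed IMEI, valid check digit
    eir.set_status(stolen, eir.BLACK)
    return {
        "stolen": eir.check(stolen),
        "legit": eir.check(legit),
        "typo": eir.check("351234567890125"),   # one digit off: fails Luhn
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The check digit only catches transcription errors; it does not stop a cloner who copies a whole IMEI, which is why the report pairs IMEI tracing with traffic analysis rather than relying on the identifier alone.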

Other warning signs that subscribers should watch out for to detect fraudulent activity include:

Frequent wrong number phone calls to your phone, or hang-ups.

Difficulty in placing outgoing calls.

Difficulty in retrieving voice mail messages.

Incoming calls constantly receiving busy signals or wrong numbers.

Unusual calls appearing on your phone bills.

Impact of cloning

Each year, the mobile phone industry loses millions of dollars in revenue because of the criminal actions of persons who are able to reconfigure mobile phones so that their calls are billed to other phones owned by innocent third persons. Often these cloned phones are used to place hundreds of calls, often long distance, even to foreign countries, resulting in thousands of dollars in airtime and long distance charges. Cellular telephone companies do not require their customers to pay for any charges illegally made to their account, no matter how great the cost. But some portion of the cost of these illegal telephone calls is passed along to cellular telephone consumers as a whole.

Many criminals use cloned cellular telephones for illegal activities, because their calls are not billed to them, and are therefore much more difficult to trace.

This phenomenon is especially prevalent in drug crimes. Drug dealers need to be in constant contact with their sources of supply and their confederates on the streets. Traffickers acquire cloned phones at minimal cost, make dozens of calls, and then throw the phone away after as little as a day's use. In the same way, criminals who pose a threat to national security, such as terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at tracking their whereabouts.

Solution to this problem

Cloning, as the crime branch detectives divulge, starts when someone working for a mobile phone service provider agrees to sell the security numbers to gray market operators. Every mobile handset has a unique factory-coded electronic serial number and a mobile identification number. The buyer can then program these security numbers into new handsets.

The onus to check the misuse of the mobile cloning phenomenon falls on the subscriber himself. The subscribers, according to the officials, should be on the alert and inform the police on suspecting any foul play. It would be advisable for them to ask for the list of outgoing calls as soon as they realize that they've been overcharged.

Meanwhile, the crime branch is hopeful of finding a way to stop the mobile cloning phenomenon.

For example, the Central Forensic Laboratory at Hyderabad has reportedly developed software that would detect cloned mobile phones. Called the Speaker Identification Technique, the software enables one to recognize the voice of a person by acoustic analysis. These methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system. But this means upgrading the software of the operators' network and renewing the SIM cards, which is not an easy or a cheap task.

This initiative by the Forensic Laboratory had to be taken up in the wake of more and more reports of misuse of cloned mobiles.

How can organizations help themselves?

Mobiles should never be trusted for communicating/storing confidential information.

Always set a PIN that's required before the phone can be used.

Check that all mobile devices are covered by a corporate security policy.

Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

Such preventive measures are our only defense till we get a way or a technique to prevent cloning of mobile phones.

Future Threats

Resolving subscriber fraud can be a long and difficult process for the victim. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that you did not incur the debts. As described in this report there are many ways to abuse a telecommunication system, and to prevent abuse from occurring it is absolutely necessary to check out the weaknesses and vulnerabilities of existing telecom systems. If it is planned to invest in new telecom equipment, a security plan should be made and the system tested before being implemented. It is therefore mandatory to keep in mind that a technique which is described as safe today can be the most insecure technique in the future.

CONCLUSION

Presently the cellular phone industry relies on common law (fraud and theft) and in-house counter measures to address cellular phone fraud. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government. The enactment of legislation to prosecute crimes related to cellular phones is not viewed as a priority, however. It is essential that intended mobile crime legislation be comprehensive enough to incorporate cellular phone fraud, in particular "cloning fraud", as a specific crime.

Existing cellular systems have a number of potential weaknesses that were considered. It is crucial that businesses and staff take mobile phone security seriously. Awareness and a few sensible precautions as part of the overall enterprise security policy will deter all but the most sophisticated criminal. It is also mandatory to keep in mind that a technique which is described as safe today can be the most unsecured technique in the future.

Therefore it is absolutely important to check the function of a security system once a year and, if necessary, update or replace it. Finally, cell phones have a long way to go in security before they can be used in critical applications like m-commerce.
