Seminar Report, 2012

Mobile Cloning

INTRODUCTION

Cell phone cloning is copying the identity of one mobile telephone to another mobile telephone. Usually this is done for the purpose of making fraudulent telephone calls. The bills for the calls go to the legitimate subscriber. The cloner is also able to make effectively anonymous calls, which attracts another group of interested users. Cloning is the process of taking the programmed information that is stored in a legitimate mobile phone and illegally programming the identical information into another mobile phone. The result is that the "cloned" phone can make and receive calls and the charges for those calls are billed to the legitimate subscriber. The service provider network does not have a way to differentiate between the legitimate phone and the "cloned" phone. Mobile communication has been readily available for several years, and is major business today. It provides a valuable service to its users who are willing to pay a considerable premium over a fixed line phone, to be able to walk and talk freely. Because of its usefulness and the money involved in the business, it is subject to fraud. Unfortunately, the advance of security standards has not kept pace with the dissemination of mobile communication.

Some of the features of mobile communication make it an alluring target for criminals. It is a relatively new invention, so not all people are quite familiar with
1 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

its possibilities, in good or in bad. Its newness also means intense competition among mobile phone service providers as they are attracting customers. The major threat to mobile phone is from cloning. You might have read news of the cloning of sheep or cattle with amused interest. But how would you feel if somebody `cloned' your mobile phone? Technology is finally rearing up its dark side. Along with the proliferation of technological innovations, this era also marks the birth of the new-age IT criminals in a big way, with the latest technology fraud being cell phone cloning. Cell phone cloning is a technique wherein security data from one cell phone is transferred into another phone. The other cell phone becomes the exact replica of the original cell phone like a clone. As a result, while calls can be made from both phones, only the original is billed. Though communication channels are equipped with security algorithms, yet cloners get away with the help of loop holes in systems. So when one gets huge bills, the chances are that the phone is being cloned. This paper describes about the cell phone cloning with implementation in GSM and CDMA technology phones. It gives an insight into the security mechanism in CDMA and GSM phones along with the loop holes in the systems and discusses on the different ways of preventing this cloning. Moreover, the future threat of this fraud is being elaborated Remember Dolly the lamb, cloned from a six-year-old ewe in 1997, by a group of researchers at the Roslyn Institute in Scotland? While the debate on the ethics of cloning continues, human race, for the first time, are faced with a more tangible and harmful version of cloning and this time it is your cell phone that is the target. Millions of cell phones users, be it GSM or CDMA, run at risk of having their

2 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

phones cloned. As a cell phone user if you have been receiving exorbitantly high bills for calls that were never placed, chances are that your cell phone could be cloned. Unfortunately, there is no way the subscriber can detect cloning. Events like call dropping or anomalies in monthly bills can act as tickers. According to media reports, recently the Delhi (India) police arrested a person with 20 cell- phones, a laptop, a SIM scanner, and a writer. The accused was running an exchange illegally wherein he cloned CDMA based cell phones. He used software named Patagonia for the cloning and provided cheap international calls to Indian immigrants in West Asia.

3 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

HISTORY WHEN DID MOBILE CLONING START?

The early 1990s were boom times for eavesdroppers. Any curious teenager with a 100 Tandy Scanner could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid 90's with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic, and the Model 8000.

Background
The U.S. Secret Service and the wireless telecommunications industry are increasingly concerned about wireless fraud. First, the wireless telecommunication industry asserts that wireless fraud has grown exponentially since its introduction into the market. They estimate that wireless fraud costs the telecommunications industry over $650 million per year. Second, according to the Secret Service cloned phones are the communications medium of choice for criminals because it gives them mobile communications and anonymity. Cloned phones are difficult to detect and trace, and phone numbers can be changed in an instant. Law Enforcement reports an increase in the number of cloned phones confiscated during investigations of other offenses, such as drug distribution and
4 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

credit card fraud. There are four major types of cellular fraud: counterfeit fraud, subscription fraud, network fraud, and call selling operations. Explanations of each are provided below. These cellular telecommunications violations are similar to other access device violations (e.g. credit cards) in that they involve unauthorized use and/or access to individual accounts. The changes in 18 U.S.C. 1029 are aimed at counterfeit fraud, specifically, the cloning of cellular telephones. Counterfeit Fraud (cloning): Involves the use of illegally altered cellular phones. Offenders gain access to legitimate account number combinations and reprogram them into other handsets to gain unauthorized access to those accounts. Subscription Fraud: Includes schemes related to fraudulently obtaining cellular telephone accounts. These may involve employees of the cellular carrier, forgery of application information, or theft of subscriber information. Network Fraud: This advanced type of fraud includes efforts to exploit weaknesses in phone switch equipment and billing systems. Manipulation of current systems can result in third party billing, use of nonexistent account numbers, or the use of multiple phones on single accounts. Call Selling Operations: This type of fraud involves using stolen calling card numbers and/or cellular account numbers to sell less expensive cellular long distance (often international) service to others.

How Wireless Technology Works

Each cellular phone has a unique pair of identifying numbers: the electronic serial number ( ESN ) and the mobile identification number ( MIN ). The ESN is programmed into the wireless phone s microchip by the manufacturer at the time of production. The MIN is a ten-digit phone number that is assigned by the wireless carrier to a customer when an account is opened. The MIN can be changed by the carrier, but the ESN, by law, cannot be altered. When a cellular phone is first turned on, it emits a radio signal that broadcasts these numbers to the nearest cellular tower. The phone will continue to emit these signals at regular intervals, remaining in contact with the nearest
5 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

cellular tower. These emissions (called autonomous registration) allow computers at the cellular carrier to know how to route incoming calls to that phone, to verify that the account is valid so that outgoing calls can be made, and to provide the foundation for proper billing of calls. This autonomous registration occurs whenever the phone is on, regardless of whether a call is actually in progress.

WHAT ARE GSM AND CDMA MOBILE PHONE SETS?

CDMA is one of the newer digital technologies used in Canada, the US, Australia, and some South-eastern Asian countries (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) by its use of spread spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio frequency spectrum into separate user channels by frequency slices or time slots, spread spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals.

GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies. GSM digitizes and compresses data, then sends it down a channel with two other streams of user data, each in its own time slot. It operates at either the 900 MHz or 1,800 MHz frequency band.

6 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Some other important terms whose knowledge is necessary are 1) IMEI 2) SIM 3) ESN 4) MIN

So, first things first, the IMEI is an abbreviation for International Mobile Equipment Identifier, this is a 10 digit universally unique number of our GSM handset. I use the term Universally Unique because there cannot be 2 mobile phones having the same IMEI no. This is a very valuable number and used in tracking mobile phones. Second comes SIM, which stands for Subscriber Identification Module. The sim has survived and evolved. Earlier the mobiles had the entire sim card to be inserted in them such sim s Are called IDG-1 Sims. The other in which we small part of the card which has the chip is inserted in the mobile and is known as PLUG-IN Sims.

Basically the SIM provides storage of subscriber related information of three types: 1. Fixed data stored before the subscription is sold 2. Temporary network data 3. Service related data.

7 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Next is the ESN, which stands for Electronic Serial Number. It is same as the IMEI but is used in CDMA handsets. MIN stands for Mobile Identification Number, which is the same as the SIM of GSM.

The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no sim i.e. the CDMA handset uses MIN as its Sim, which cannot be replaced as in GSM. The MIN chip is embedded in the CDMA hand set. Now that we are familiarized ourselves in these terms let us address the next question.

GSM
Global System for Mobile Communications. A digital cellular phone technology based on TDMA GSM phones use a Subscriber Identity Module (SIM) card that contains user account information. Any GSM phone becomes immediately programmed after plugging in the SIM card, thus allowing GSM phones to be easily rented or borrowed.Operators who provide GSM service are Airtel,Hutch etc.

Do GSM sets run the risk of cloning ?

Looking at the recent case, it is quite possible to clone both GSM and CDMA sets. The accused in the Delhi case used software called Patagonia to clone only CDMA phones (Reliance and Tata Indicom). However, there are software packages that can be used to clone even GSM phones (e.g. Airtel, BSNL, Hutch, Idea). In order to clone a GSM phone, knowledge of the
8 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

International Mobile Equipment Identity (IMEI) or instrument number is sufficient. But the GSM-based operators maintain that the fraud is happening on CDMA, for now, and so their subscribers wouldn't need to worry. Operators in other countries have deployed various technologies to tackle this menace. They are: 1) There's the duplicate detection method where the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer will contact the operator because he has lost the service he is paying for. 2) Velocity trap is another test to check the situation, whereby the mobile phone seems to be moving at impossible, or most unlikely speeds. For example, if a call is first made in Delhi, and five minutes later, another call is made but this time in Chennai, there must be two phones with the same identity on the network.

3) Some operators also use Radio Frequency fingerprinting, originally a military technology. Even identical radio equipment has a distinguishing `fingerprint', so the network software stores and compares fingerprints for all the phones that it sees. This way, it will spot the clones with the same identity, but different fingerprints.

5)

Usage profiling is another way wherein profiles of customers' phone usage are kept, and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local network calls but is
9 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone.

Cloning GSM Phones. GSM handsets, on the contrary, are safer, according to experts. Every GSM phone has a 15 digit electronic serial number (referred to as the IMEI). It is not a particularly secret bit of information and you don't need to take any care to keep it private. The important information is the IMSI, which is stored on the removable SIM card that carries all your subscriber information, roaming database and so on. GSM employs a fairly sophisticated asymmetric-key cryptosystem for over-the-air transmission of subscriber information. Cloning a SIM using information captured over-the-air is therefore difficult, though not impossible. As long as you don't lose your SIM card, you're safe with GSM. GSM carriers use the COMP128 authentication algorithm for the SIM, authentication center and network which make GSM a far secure technology. GSM networks which are considered to be impregnable can also be hacked. The process is simple: a SIM card is inserted into a reader. After connecting it to the computer using data cables, the card details were transferred into the PC. Then, using freely available encryption software on the Net, the card details can be encrypted on to a blank smart card. The result: A cloned cell phone is ready for misuse.

10 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

CDMA
Code Division Multiple Access. A method for transmitting simultaneous signals over a shared portion of the spectrum. There is no Subscriber Identity Module (SIM) card unlike in GSM.Operators who provides CDMA service in India are Reliance and Tata Indicom.

Cloning CDMA Cell Phones.

Cellular telephone thieves monitor the radio frequency spectrum and steal the cell phone pair as it is being anonymously registered with a cell site. The technology uses spread-spectrum techniques to share bands with multiple conversations. Subscriber information is also encrypted and transmitted digitally. CDMA handsets are particularly vulnerable to cloning, according to experts. First generation mobile cellular networks allowed fraudsters to pull subscription data (such as ESN and MIN) from the analog air interface and use this data to clone phones. A device called as DDi, Digital Data Interface (which comes in various formats from the more expensive stand-alone box, to a device which interfaces with your 800 MHz capable scanner and a PC) can be used to get pairs by simply making the device mobile and sitting in a busy traffic area (freeway overpass) and collect all the data you need. The stolen ESN and EMIN were then fed into a new CDMA handset, whose existing program was erased with the help of downloaded software. The buyer then programs them into new phones which will have the same number as that of the original subscriber.

SECURITY FUNCTIONS OF THE GSM AND CDMA

As background to a better understanding of the attacks on the GSM and CDMA network The following gives a brief introduction to the Security functions
11 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

available in GSM. The following functions exist: Access control by means of a personal smart card (called subscriber Identity module, SIM) and PIN (personal identification number), Authentication of the users towards the network carrier and generation of A session key in order to prevent abuse. Encryption of communication on the radio interface, i.e. between mobile Station and base station, concealing the users , identity on the radio interface, i.e. a temporary valid Identity code (TMSI) is used for the identification of a mobile user instead Of the IMSI.

HOW MOBILE WORKS?

Cell phones send radio frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular phone makes a call, it normally transmits its Electronic Security Number (ESN), Mobile Identification Number (MIN), its Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press the SEND button and before the tower catches the data. These four things are the components the cellular provider uses to ensure that the phone is programmed to be billed and that it also has the identity of both the customer and the phone. MIN and ESN is collectively known as the Pair which is used for the cell phone identification. When the cell site receives the pair signal, it determines if the requester is a legitimate registered user by comparing the requestor's pair to a cellular subscriber list. Once the cellular telephone's pair has been recognized, the cell site emits a control signal to permit the subscriber to place calls at will. This

12 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

process, known as Anonymous Registration, is carried out each time the telephone is turned on or picked up by a new cell site.

SECURITY VULNERABILITIES IN CELL PHONE.

Your cellular telephone has three major security vulnerabilities: Monitoring of your conversations while using the phone. Your phone being turned into a microphone to monitor conversations . the vicinity of your phone while the phone is inactive. Cloning or the use of your phone number by others to make calls that . are charged to your account.

IS FIXED TELEPHONE NETWORK SAFER THAN MOBILE PHONE?

The answer is yes. In spite of this, the security functions which prevent eavesdropping and Unauthorized uses are emphasized by the mobile phone companies. The existing mobile communication networks are not safer than the fixed Telephone networks. They only offer protection against the new forms of abuse.

HOW BIG OF A PROBLEM IS CLONING FRAUD?

The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses in due to cloning fraud are between $600 million and $900 million in the United States. Some subscribers of Reliance had to suffer
13 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

because their phone was cloned. Mobile Cloning Is in initial stages in India so preventive steps should be taken by the network provider and the Government.

HOW IS MOBILE CLONING DONE?

Cloning involved modifying or replacing the EPROM in the phone with a new chip which would allow you to configure an ESN (Electronic serial number) via software. You would also have to change the MIN (Mobile Identification Number). When you had successfully changed the ESN/MIN pair, your phone was an effective clone of the other phone. Cloning required access to ESN and MIN pairs. ESN/MIN pairs were discovered in several ways:
y y y

Trashing cellular companies or cellular resellers Sniffing the cellular Hacking cellular companies or cellular resellers

Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older clone able phones are more difficult to find and newer phones have not been successfully reverse-engineered.

Cloning has been successfully demonstrated under GSM, but the process is not easy and it currently remains in the realm of serious hobbyists and researchers. Cellular thieves can capture ESN/MINs using devices such as cell phone ESN reader or digital data interpreters (DDI). DDIs are devices specially manufactured to intercept ESN/MINs. By simply sitting near busy roads where the volume of cellular traffic is high, cellular thieves monitoring the radio wave
14 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

transmissions from the cell phones of legitimate subscribers can capture ESN/MIN pair. Numbers can be recorded by hand, one-by-one, or stored in the box and later downloaded to a computer. ESN/MIN readers can also be used from inside an offender s home, office, or hotel room, increasing the difficulty of detection.

The ESN/MIN pair can be cloned in a number of ways without the knowledge of the carrier or subscriber through the use of electronic scanning devices. After the ESN/MIN pair is captured, the cloner reprograms or alters the microchip of any wireless phone to create a clone of the wireless phone from which the ESN/MIN pair was stolen. The entire programming process takes 10-15 minutes per phone. Any call made with cloned phone are billed to and traced to a legitimate phone account. Innocent citizens end up with unexplained monthly phone bills. To reprogram a phone, the ESN/MINs are transferred using a computer loaded with specialized software, or a copycat box, a device whose sole purpose is to clone phones. The devices are connected to the cellular handsets and the new identifying information is entered into the phone. There are also more discreet, concealable devices used to clone cellular phones. Plugs and ES-Pros, which are about the size of a pager or small calculator, do not require computers or copycat boxes for cloning. The entire programming process takes ten-15 minutes per phone.

15 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Basic Mobile Cloning Instructions

What you re looking to do is basically modify two different numbers on the device. You will have to alter the ESN (electronic serial number) and the MIN (mobile identification number). Once altered, the cell network will believe that your handset is that handset. This means that in order to clone a cell phone, you will have to first find those two numbers on the cell phone you would like to clone. This can be difficult - you would have to get your hands on the phone itself. Once that happens, you will have to get an identical model and replace the Eprom with one that can be altered via software. This is somewhat simple with a GSM phone and more difficult with a CDMA model. The cell phones cloning instructions for a CDMA model would include removing the Eprom and soldering would be necessary with many models.

Controlling Cell Phone Fraud in the US: Lessons for the UK 'Foresight' Prevention Initiative
During the 1990s, criminals in the US discovered ways of altering cellular phones to obtain free service. In 'cloning' frauds, criminals using scanners were able to capture the identifying numbers broadcast by legitimate phones and to program these into illegitimate 'clones'. These could then be used to obtain free access to the wireless network. In 'tumbling' frauds, telephones were altered so that they randomly transmitted illegally obtained identifying numbers. This allowed the phone to gain access to free cellular service, particularly when used outside the area where the numbers had been issued. By 1995, these frauds were
16 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

costing the cellular telephone industry about $800 million per year. They also created 'upstream' crime costs in terms of thefts of phones for cloning and 'downstream' costs by facilitating drug dealing and other organized crimes. They were virtually eliminated by the end of the 1990s, through technological countermeasures adopted by the industry. There was little sign of displacement to other forms of cell phone fraud, and the preventive measures appeared to be highly cost-effective. The case study permits comment on the UK 'Foresight' initiative that envisages partnerships between the government and industry to anticipate and remove opportunities for crime created by new technology.

ARE OUR MOBILE SECURED?

Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy. Did you realize there's a lucrative black market in stolen and "cloned" Sim cards? This is possible because Sims are not network specific and, though tamper-proof, their security is flawed. In fact, a Sim can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill. But there are locking mechanisms on the cellular phones that require a PIN to access the phone. This would dissuade some attackers, foil others, but might not work against a well financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it. With the shift to GSM digital - which now covers almost the entire UK mobile sector - the phone companies assure us that the bad old days are over. Mobile phones, they say, are secure and privacy friendly.

17 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

This is not entirely true. While the amateur scanner menace has been largely exterminated, there is now more potential than ever before for privacy invasion. The alleged security of GSM relies on the myth that encryption - the mathematical scrambling of our conversations - makes it impossible for anyone to intercept and understand our words. And while this claim looks good on paper, it does not stand up to scrutiny.

The reality is that the encryption has deliberately been made insecure. Many encrypted calls can therefore be intercepted and decrypted with a laptop computer.

WHAT ARE EMIE AND PIN?

ESN mean Electronic Serial Number. This number is loaded when the phone number is manufactured. This number cannot be tampered or changes by the user or subscriber. if this number is known a mobile can be cloned easily. Personal Identification Number (PIN).every subscriber provides a Personal Identification Number (PIN) to its user. This is a unique number. If PIN and ESN are know a mobile phone can be cloned in seconds using some software, s like Patagonia. Which is used to clone CDMA phones.

Identifying the ESN in your MOBILE.

Depending on what model phone you have, the ESN will be located on a PROM. The PROM is programmed at the factory, and installed usually with the security fuse blown to prevent tampering. The code on the PROM might
18 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

possibly be obtained by unsoldering it from the cellular phone, putting it in a PROM reader, and then obtaining a memory map of the chip. The PROM is going to have from sixteen to twenty-eight leads coming from it. It is a bipolar PROM. The majority of phones will accept the National Semiconductor 32x8 PROM, which will hold the ESN and cannot be reprogrammed. If the ESN is known on the phone, it is possible to trace the memory map by installing the PROM into a reader, and obtaining the fuse map from the PROM by triggering the "READ MASTER" switch of the PROM programmer. In addition, most PROM programming systems include verify and compare switch to allow you to compare the programming of one PROM with another. As said earlier, the ESN is uniformly black with sixteen to twenty-eight leads emanating from its rectangular body, or square shaped body. If it is the dual-in-line package chip, (usually found in transportable and installed phones), it is rectangular. If it is the plastic leaded chip carrier (PLCC), it will be square and have a much smaller appearance. Functionally, they are the same chip, but the PLCC is used with hand held cellular phones because of the need for reduced size circuitry.

ESN Replacement.
y De-solder the ESN chip. y Solder in a zero insertion force (ZIF) replacement, so that replacement chip can be changed easily. y After the ZIF socket has been successfully soldered in, reinsert the ESN and attempt to make a phone call (Be sure the NAM is programmed correctly). If it doesn't, check the leads on the ZIF to insure that you have soldered them correctly. y After that, insert your ESN into your PROM reader and make sure it provides some sort of reading. You should use the search mode to look for the
19 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

manufacturer s serial number to identify the address on the PROM where to reprogram the ESN.

MOBILE Security Measures.

Cellular operators in many countries have deployed various technologies to tackle this menace. Some of them are as follows: y There's the Duplicate Detection Method where the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer will contact the operator because he has lost the service he is paying for. y Velocity Trap is another test to check the situation, whereby the mobile phone seems to be moving at impossible or most unlikely speeds. For example, if a call is first made in Delhi, and five minutes later, another call is made but this time in Chennai, there must be two phones with the same identity on the network.

y Some operators also use Radio Frequency Fingerprinting, originally a military technology. Even identical radio equipment has a distinguishing `fingerprint', so the network software stores and compares fingerprints for all the phones that it sees. This way, it will spot the clones with the same identity, but different fingerprints.

y Usage Profiling is another way wherein profiles of customers' phone usage are kept, and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local network calls but is suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone. On the other hand, the consumers can check regularly the unbilled amount details. Users with ILD facility need to be more careful as fraudsters attempt to make as many international calls as possible within a short time

20 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

due to fear of getting caught. Since ILD rates are higher than other calls, fraudsters try to derive maximum benefits in the shortest time.

y If your cellular service company offers Personal Identification Numbers (PIN), consider using it. Although cellular PIN services are cumbersome and require that you input you re PIN for every call, they are an effective means of thwarting cloning.

y The Central Forensic Laboratory at Hyderabad has developed software to detect cloned mobile phones. The laboratory helped Delhi Police identify two such cloned mobile phones recovered recently. Called the Speaker Identification Technique, the software enables one to recognize the voice of a person by acoustics analysis, using a computerized speech laboratory machine. For the process, developed by Dr S.K. Jain, a voice sample of four seconds is adequate for an accurate result.

y The best detection measure available in CDMA today is the A Key Feature. The A key is a secret 20 digit number unique to the handset given by the manufacturer to the service provider only. This number is loaded in the Authentication Center for each mobile. As this number is not displayed in mobile parameters this cannot be copied. Whenever the call is originated / terminated from a mobile with authentication active, the network checks for the originality of the set using this secret key. If the data matches at both mobile and network end the call is allowed to go through otherwise it is dropped.

y Avoid using your cellular telephone within several miles of the airport, stadium, mall, or other heavy traffic locations. These are areas where radio hobbyists use scanners for random monitoring. If they come across an interesting conversation, your number may be marked for regular selective monitoring.

21 (SBIT-CSE-KMM)

Seminar Report, 2012

y

Mobile Cloning

However, all these methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system. But this requires upgrades to users' and operators' equipment before they can be used.

WHAT IS PATAGONIA?
Patagonia is software available in the market which is used to clone CDMA phone. Using this software a cloner can take over the control of a CDMA phone i.e. cloning of phone. There are other Software, s available in the market to clone GSM phone. This software, s are easily available in the market. A SIM can be cloned again and again and they can be used at different places. Messages and calls sent by cloned phones can be tracked. However, if the accused manages to also clone the IMEI number of the handset, for which software,s are available, there is no way he can be traced.

CAN DIGITAL PHONES BE CLONED?

Yes. Digital phones can be cloned however; the mobile phones employing digital TDMA and CDMA technology are equipped with a feature known as "Authentication." Some newer model analog phones also have this feature. Authentication allows the mobile service provider network to determine

22 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

the legitimacy of a mobile phone. Phones determined to be "clones" can be instantly denied access to service before any calls are made or received.

WHAT EXACTLY IS AUTHENTICATION?

Authentication is a mathematical process by which identical calculations are performed in both the network and the mobile phone. These calculations use secret information (known as a "key") preprogrammed into both the mobile phone and the network before service is activated. Cloners typically have no access to this secret information (i.e., the key), and therefore cannot obtain the same results to the calculations.

A legitimate mobile phone will produce the same calculated result as the network. The mobile phone's result is sent to the network and compared with the network's results. If they match, the phone is not a "clone."

ARE THESE METHODS EFFECTIVE?

Yes, for the most part. However, Authentication is the most robust and reliable method for preventing cloning fraud and it is the only industry "standard" method for eliminating cloning. The fact that it is standardized means that all mobile telecommunications networks using IS-41 can support

23 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Authentication. There is no need to add proprietary equipment, software, or communications protocols to the networks to prevent cloning fraud.

IS MY PHONE AUTHENTICATION CAPABLE?

If the phone supports TDMA or CDMA digital radio, then yes. Otherwise, it depends on how old the phone is and the make and model. Almost all phones manufactured since the beginning of 1996 support the Authentication function. The best bet is to check with your service

Technical details of the attack

We showed how to break the COMP128 authentication algorithm, an instantiation of A3/A8 widely used by providers. Our attack is a chosen-challenge attack. We form a number of specially-chosen challenges and query the SIM for each one; the SIM applies COMP128 to its secret key and our chosen challenge, returning a response to us. By analyzing the responses, we are able to determine the value of the secret key. Mounting this attack requires physical access to the target SIM, an off-the-shelf smartcard reader, and a computer to direct the operation. The attack requires one to query the smartcard about 150,000 times; our smartcard reader can issue 6.25 queries per second, so the whole attack takes 8 hours. Very little extra computation is required to analyze the responses. Though the COMP128 algorithm is supposed to be a secret, we pieced together information on its internal details from public documents, leaked information, and several SIMs we had access to. After a theoretical analysis uncovered a potential vulnerability in the algorithm, we confirmed that our reconstruction of the COMP128 algorithm was correct by comparing a software implementation to responses computed by a SIM known to implement COMP128.

24 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Information for cryptographers

The attack exploits a lack of diffusion: there's a narrow ``pipe'' inside COMP128. In particular, bytes i,i+8,i+16,i+24 at the output of the second round depend only on bytes i,i+8,i+16,i+24 of the input to COMP128. (By ``round'', I refer to one layer of ``butterflies'' and S-boxes; there are a total of 5*8 rounds in COMP128.) Bytes i,i+8 of the COMP128 input are bytes i,i+8 of the key, and bytes i+16,i+24 of the COMP128 input are bytes i,i+8 of the challenge input. Now we ``probe'' the narrow pipe, by varying bytes i+16,i+24 of the COMP128 input (i.e. bytes i,i+8 of the challenge) and holding the rest of the COMP128 input constant. Since the rounds are non-bijective, you can hope for a collision in bytes i,i+8,i+16,i+24 of the output after two rounds. The birthday paradox guarantees that collisions will occur pretty rapidly (since the pipe is only 4 bytes wide); collisions in the narrow pipe can be recognized, since they will cause a collision in the output of COMP128 (i.e. the two authentication responses will be the same); and each collision can be used to learn the two key bytes i,i+8 with a bit of analysis of the first two rounds (i.e. perform a ``2-R attack'', in the terminology of differential cryptanalysis). As stated, this would require 2^{4*7/2 + 0.5} = 2^{14.5} chosen-input queries to COMP128 to learn two key bytes (since each of the four bytes of output after the second round are actually only 7-bit values), and thus would require 8 * 2^{14.5} = 2^{17.5} queries to recover the whole 128-bit key Ki. However, we have some optimizations to get this number down a bit. Note that there is a significant amount of literature on the design of cryptographic hash functions out of a FFT-like structure (as COMP128 is designed). For instance, Serge Vaudenay's work on a theory of black-box cryptanalysis (as well as his other work, e.g. ``FFT-Hash II is not yet secure'') is more than sufficient to uncover this weakness in COMP128. In other words, our attack techniques are not particularly novel.

25 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

What went wrong?

This vulnerability can be attributed to a serious failing of the GSM security design process: it was conducted in secrecy. Experts have learned over the years that the only way to assure security is to follow an open design process, encouraging public review to identify flaws while they can still be fixed. There's no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny; nobody is that much better than the rest of the research community. In the telecommunications security field, openness is critical to good design. Code making is so hard to get right the first time that it is crucial to have others doublecheck one's ideas. Instead, the GSM design committee kept all security specifications secret -- which made the information just secret enough to prevent others from identifying flaws in time to fix them, but not secret enough to protect the system against eventual scrutiny. With 80 million GSM users, fixing flaws in such a widely-fielded system is likely to be quite costly. We expect that fixing the flaw may potentially be expensive. A new authentication algorithm would have to be selected. Then new SIMs would have to be programmed with the new algorithm, and distributed to the 80 million end users. Finally, a software upgrade may be required for all authentication centers.

HOW TO KNOW THAT THE CELL HAS BEEN CLONED?

y y y Frequent wrong number phone calls to your phone, or hang-ups. Difficulty in placing outgoing calls. Difficulty in retrieving voice mail messages.

y Incoming calls constantly receiving busy signals or wrong numbers. Unusual calls appearing on your phone bills

26 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

CAN CALLS ON CLONED PHONE BE TRACKED?

Yes. A SIM can be cloned again and again and they can be used at different places. Messages and calls can track sent by cloned phones. However, if the accused manages to also clone the IMEI number of the handset, for which software, s are available, there is no way the cell can be traced.

HOW TO PREVENT CELL CLONING?

Uniquely identifies a mobile unit within a wireless carrier's network. The MIN often can be dialed from other wireless or wire line networks. The number differs from the electronic serial number (ESN), which is the unit number assigned by a phone manufacturer. MINs and ESNs can be checked electronically to help prevent fraud. y Mobiles should never be trusted for communicating/storing confidential information. y Always set a Pin that's required before the phone can be used. Check that all mobile devices are covered by a corporate security policy.

Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

27 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

How do service providers handle reports of cloned phones?

Legitimate subscribers who have their phones cloned will receive bills with charges for calls they didn't make. Sometimes these charges amount to several thousands of dollars in addition to the legitimate charges.

Typically, the service provider will assume the cost of those additional fraudulent calls. However, to keep the cloned phone from continuing to receive service, the service provider will terminate the legitimate phone subscription. The subscriber is then required to activate a new subscription with a different phone number requiring reprogramming of the phone, along with the additional headaches that go along with phone number changes.

ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD?

They are using many methods such as RF Fingerprinting, subscriber behavior profiling, and Authentication. RF Fingerprinting is a method to uniquely identify mobile phones based on certain unique radio frequency transmission characteristics that are essentially "fingerprints" of the radio being used. Subscriber behavior profiling is used to predict possible fraudulent use of mobile service based on the types of calls previously made by the subscriber.

Calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and appropriate actions can be taken.

28 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

Authentication has advantages over these technologies in that it is the only industry standardized procedure that is transparent to the user, a technology that can effectively combat roamer fraud, and is a prevention system as opposed to a detection system.

WHAT IS IS-41?
IS-41(Interim Standard No. 41) is a document prescribing standards for communications between mobile networks. The standard was developed by the Telecommunications Industry Association (TIA) and is used primarily throughout North America as well as many Latin American countries and Asia. The IS-41 network communications standard supports AMPS, NAMPS, TDMA, and CDMA radio technologies. IS-41 is the standard that defines the methods for automatic roaming, handoff between systems, and for performing Authentication.

WHAT CAN BE DONE?

With technically sophisticated thieves, customers are relatively helpless against cellular phone fraud. Usually they became aware of the fraud only once receiving their phone bill.

Service providers have adopted certain measures to prevent cellular fraud. These include encryption, blocking, blacklisting, user verification and traffic analysis: Encryption is regarded as the most effective way to prevent cellular fraud as it prevents eavesdropping on cellular calls and makes it nearly impossible for
29 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

thieves to steal Electronic Serial Number (ESN) and Personal Identification Number (PIN) pairs. Blocking is used by service providers to protect themselves from high risk callers. For example, international calls can be made only with prior approval. In some countries only users with major credit cards and good credit ratings are allowed to make long distance calls. Blacklisting of stolen phones is another mechanism to prevent unauthorized use. An Equipment Identity Register (EIR) enables network operators to disable stolen cellular phones on networks around the world. y User verification using Personal Identification Number (PIN) codes is one method for customer protection against cellular phone fraud. y Tests conducted have proved that United States found that having a PIN code reduced fraud by more than 80%. y Traffic analysis detects cellular fraud by using artificial intelligence software to detect suspicious calling patterns, such as a sudden increase in the length of calls or a sudden increase in the number of international calls. The software also determines whether it is physically possible for the subscriber to be making a call from a current location, based on the location and time of the previous call. Currently, South Africa s two service providers, MTN and Vodacom, use traffic analysis with the International Mobile Equipment Identity (IMEI) a 15 digit number which acts as a unique identifier and is usually printed on the back of the phone underneath the battery to trace stolen phones.

Other warning signs that subscribers should watch out for to detect fraudulent activity include:
30 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

y Frequent wrong number phone calls to your phone, or hang-ups. y Difficulty in placing outgoing calls.

y Difficulty in retrieving voice mail messages. y Incoming calls constantly receiving busy signals or wrong numbers. y Unusual calls appearing on your phone bills.

Impact of cloning
Each year, the mobile phone industry loses millions of dollars in revenue because of the criminal actions of persons who are able to reconfigure mobile phones so that their calls are billed to other phones owned by innocent third persons. Often these cloned phones are used to place hundreds of calls, often long distance, even to foreign countries, resulting in thousands of dollars in airtime and long distance charges. Cellular telephone companies do not require their customers to pay for any charges illegally made to their account, no matter how great the cost. But some portion of the cost of these illegal telephone calls is passed along to cellular telephone consumers as a whole. Many criminals use cloned cellular telephones for illegal activities, because their calls are not billed to them, and are therefore much more difficult to trace. His phenomenon is especially prevalent in drug crimes. Drug dealers need to be in constant contact with their sources of supply and their confederates on the streets. Traffickers acquire cloned phones at a minimum cost, make dozens of calls, and then throw the phone away after as little as a days' use. In the same way, criminals who pose a threat to our national security, such as terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at tracking their whereabouts

Solution to this problem

Cloning, as the crime branch detectives divulge, starts when some
31 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

one, working for a mobile phone service provider, agrees to sell the security numbers to gray market operators. Every mobile handset has a unique factorycoded electronic serial number and a mobile identification number. The buyer can then program these security numbers into new handsets. The onus to check the misuse of mobile cloning phenomenon falls on the subscriber himself. The subscribers, according to the officials, should be on the alert and inform the police on suspecting any foul play. It would be advisable for them to ask for the list of outgoing calls, as soon as they realize that they've been overcharged. Meanwhile, the crime branch is hopeful to find out away to stop the mobile cloning phenomenon. For example The Central Forensic Laboratory at Hyderabad has reportedly developed software that would detect cloned mobile phones. Called the Speaker Identification Technique, the software enables one to recognize the voice of a person by acoustics analysis. These methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system. But this means upgrading the software of the operators' network, and renewing the SIM-cards, which is not an easy or a cheap task. This initiative by the Forensic Laboratory had to be taken up in the wake of more and more reports of misuse of cloned mobiles.

32 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

How can organizations help themselves?

y

Mobiles should never be trusted for communicating/storing confidential information.

y y y

Always set a Pin that's required before the phone can be used. Check that all mobile devices are covered by a corporate security policy. Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

Such preventive measures are our only defense till we get a way or a technique to prevent cloning of mobile phones.

Future Threats
Resolving subscriber fraud can be a long and difficult process for the victim. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that you did not incur the debts. As described in this article there are many ways to abuse telecommunication system, and to prevent abuse from occurring it is absolutely necessary to check out the weakness and vulnerability of existing telecom systems. If it is planned to invest in new telecom equipment, a security plan should be made and the system tested before being implemented. It is therefore mandatory to keep in mind that a technique which is described as safe today can be the most unsecured technique in the future.

33 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

CONCLUSION
Presently the cellular phone industry relies on common law (fraud and theft) and in-house counter measures to address cellular phone fraud. Mobile Cloning Is in initial stages in India so preventive steps should be taken by the network provider and the Government the enactment of legislation to prosecute crimes related to cellular phones is not viewed as a priority, however. It is essential that intended mobile crime legislation be comprehensive enough to incorporate cellular phone fraud, in particular "cloning fraud" as a specific crime. Existing cellular systems have a number of potential weaknesses that were considered. It is crucial that businesses and staff take mobile phone security seriously. Awareness and a few sensible precautions as part of the overall enterprise security policy will deter all but the most sophisticated criminal. It is also mandatory to keep in mind that a technique which is described as safe today can be the most unsecured technique in the future. Therefore it is absolutely important to check the function of a security system once a year and if necessary update or replace it. Finally, cell-phones have to go a long way in security before they can be used in critical applications like mcommerce

34 (SBIT-CSE-KMM)

Seminar Report, 2012

Mobile Cloning

References
1) IEEE journal for mobile communication 2) Science today magzine 3) Mobile cloning Reliance report 4) Report on Mobile Cloning BSNL 5) Mobile communication Govt Of India reports 6) Mobile phone cloning Indiatimes news network 7) CDMA cloning Qualcomm reports 8) SIM cloning TechnicalInfo.com 9) Mobile cloning mobiledia.com

Websites :
http://www.cxotoday.com http://infotech.indiatimes.com http://www.spy.org http://wiretap.spies.com http://www.hackinthebox.org/

35 (SBIT-CSE-KMM)