
Trew & Co (ICT specialist)

MOBILE TELEPHONE EVIDENCE

GSM Mobile Phone & SIM Card forensic examination & expert evidence

SPECIAL ISSUE: B/2002

CLONING SIM CARDS


Overview of cloning
Sources for SIM
Cloning tools availability
A review of cloning technique

Trew & Co/Trew MTE

trewCO@compuserve.com

________________________________________________________________________
Trew MTE Special INDEX No: B/2002
Greg Smith, editor of Trew MTE; principal consulting forensic engineer, Trew & Co; chief training officer, Trew MTE.

Overview of Cloning - A Perspective


Report by Greg Smith
Special Issue A/2002 looked at the cloning of GSM digital mobile telephones and the multi-million pound market that has grown up in its wake. Cloning of GSM handsets was thought of as a phenomenon at its inception, but is now so common that it hardly seems newsworthy any more. SIM (Subscriber Identity Module) cloning is the latest phenomenon and, in financial terms, may well go beyond the handset cloning industry. So what is SIM cloning? The abstract conception of cloning held by most people is "duplication" of original information, and it may appear patronising and rather trite for this article to start by extrapolating a semantic view of the word 'cloning'. It is relevant, though, to briefly review cloning in the context of GSM SIMs.

In April 1998 the Smartcard Developers Association (SDA) and two U.C. Berkeley researchers (Ian Goldberg and David Wagner) jointly announced the discovery, after a day's examination of GSM SIM security, of a fatal cryptographic flaw in COMP128, the reference implementation of the A3/A8 authentication and key-generation algorithms that many operators had adopted. A3/A8 are what protect the subscriber's identity: the network sends a random challenge (RAND) and the SIM answers with a signed response (SRES) and a session key (Kc), both computed from RAND and the secret authentication key Ki, which must never leave the card (diagram not reproduced here). The SDA exploited the flaw with a chosen-challenge attack: by presenting the SIM with roughly 150,000 RAND challenges over about eight hours and analysing the responses, they were able to recover Ki from inside the SIM. The SDA candidly stated that no practical over-the-air (OTA) attack was yet known, but that one could not be ruled out in the future. The practical consequence of their findings is that physical possession of a SIM is enough to clone it. The release of the flaw into the public domain generated media reports around the world, and industry responded to allay fears and reassure users about GSM's authentication security.

One proposition mooted was that the time and expense of cloning just one SIM made a spawning of cloning factories unlikely. That thinking underestimated the hacking community, which rose to the challenge. Since 2000 there have been increasing discussions in hacking newsgroups and bulletin boards about SIM readers and writers, and in 2002 we are seeing a host of websites selling SIM cloning hardware and software. Moreover, some websites now publish 'dummies' guides to SIM cloning, one of which is included in the discussion in this report.
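The exchange described above, modelled end to end as an added illustration (this is not code from the SDA or Berkeley work, nor from any cloning tool): a home-network authentication centre, a SIM, and the RAND/SRES challenge-response between them. The A3/A8 function is a stand-in built from HMAC-SHA256 and truncated to GSM's field sizes, chosen only so the example runs offline; real SIMs use an operator-chosen algorithm such as COMP128, which this does not reproduce. The IMSI, Ki and RAND values are constructed. The point it makes concrete is the one the SDA made: a second card loaded with the same IMSI and Ki answers every challenge identically, so the network has nothing to distinguish it by.

```python
"""GSM challenge-response authentication, modelled end to end (added example).

The A3/A8 function is a stand-in (HMAC-SHA256 truncated to GSM's field sizes),
not COMP128; only the message flow and the SRES/Kc sizes are faithful.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in A3/A8: SRES (32 bits) and Kc (64 bits) from Ki and a 128-bit RAND."""
    assert len(ki) == 16 and len(rand) == 16
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """A SIM, genuine or cloned: it holds Ki and answers RUN GSM ALGORITHM."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki  # In a real card Ki is unreadable; cloning means having copied it.

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8(self._ki, rand)


class AuC:
    """Home-network authentication centre: the only other holder of each Ki."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._ki_by_imsi = dict(subscribers)

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Optional[Tuple[bytes, bytes, bytes]]:
        """Return (RAND, expected SRES, Kc) for a provisioned IMSI, else None."""
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None
        rand = rand if rand is not None else os.urandom(16)
        sres, kc = a3a8(ki, rand)
        return rand, sres, kc


def authenticate(auc: AuC, sim: Sim, rand: Optional[bytes] = None) -> bool:
    """The visited network's side of the exchange.

    1. The phone sends the IMSI in the clear; the VLR fetches a triplet from the AuC.
    2. The VLR sends RAND to the phone, which passes it to the SIM.
    3. The SIM returns SRES; the VLR compares it with the AuC's value.
    Kc is kept for ciphering and is never transmitted.
    """
    triplet = auc.triplet(sim.imsi, rand)
    if triplet is None:
        return False  # IMSI not provisioned: reject
    rand, expected_sres, _kc = triplet
    sres, _kc_sim = sim.run_gsm_algorithm(rand)
    return hmac.compare_digest(sres, expected_sres)


# Constructed subscriber: the values below are not from any real network.
IMSI = "234100000000001"
KI = bytes.fromhex("0123456789abcdeffedcba9876543210")
AUC = AuC({IMSI: KI})


def demo() -> Dict[str, bool]:
    """Genuine card, a clone carrying the same IMSI/Ki, and two impostors."""
    genuine = Sim(IMSI, KI)
    clone = Sim(IMSI, KI)                 # what Ki extraction makes possible
    wrong_ki = Sim(IMSI, bytes(16))       # right IMSI, guessed Ki
    unknown = Sim("234100000000002", KI)  # IMSI the AuC has never issued
    return {
        "genuine": authenticate(AUC, genuine),
        "clone": authenticate(AUC, clone),
        "wrong_ki": authenticate(AUC, wrong_ki),
        "unknown_imsi": authenticate(AUC, unknown),
    }


if __name__ == "__main__":
    print(demo())  # the clone is indistinguishable from the genuine card
```

Note that the network compares only SRES; possession of Ki is the whole secret, which is why the guide below spends its effort on extracting Ki and IMSI and treats the rest as card programming.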

Welcome to this Special Issue edition of Trew MTE relating to the cloning of SIMs. This edition is published only for the purpose of research, and it is not intended that readers enter into cloning SIMs. Readers should have regard to national laws, and Trew & Co, its editor and Trew MTE do not accept, expressly or impliedly, responsibility for how readers use the information contained herein. The information in this issue was discovered on the Internet (in the public domain) and, where possible, the source is identified. It is up to the reader to research further in order to comprehend each issue. This issue does not recommend installing the programs identified during the research, nor is it possible to indicate how such programs might affect your computer. We hope you find the research of interest.
Trew MTE is an electronic publication for those involved with mobile telephone examination or who have an interest in the evidence obtained following data acquisition. Views expressed in articles by the authors are not necessarily those of the editor or Trew & Co. If you have something to say or would care to write an article for MTE, please send an electronic copy along with any photos (JPG, GIF etc.) to Greg Smith, email address: <trewCO@compuserve.com>

________________________________________________________________________

WHAT'S INSIDE

SOURCES OF SIM
A necessary commodity for those involved in SIM cloning is a supply of SIM cards, both for practice and to produce working cloned SIMs. There appear to be many places where original SIMs can be obtained. One is dustbins, where old mobiles and SIMs are thrown away; it is recalled that some time back King's Cross was an area where discarded mobiles could be found in alleys and other areas frequented by passers-through, and road sweepers were picking up, so the gossip went, sometimes 100 discarded mobiles and SIMs a week. Recycling for environmental and manufacturing purposes appears to be another area where vast quantities of mobiles/SIMs may be obtained: many stores and organisations operate mobile phone recycling collection facilities, apparently because £35.00 per handset can be reclaimed, and it is not clear whether all the mobiles/SIMs collected are actually returned to manufacturers or recycling plants. "Lost and Found" (railways and taxi firms) is another source. Theft of mobiles/SIMs is yet another.

Cloning SIM Cards


Greg Smith
Consulting Forensic Engineer

Whatever the source of original SIMs, there is still the requirement to obtain the cards onto which a clone is programmed. When researching sources that sold such cards, it was not clear how the distributors themselves obtained them: whether purchased directly from manufacturers, through distribution chains, or from cleansing and refurbishment of old SIMs. Internet searches produced some interesting results for Goldwafer and Silverwafer cards from Far East sources, such as Taiwan and China, and European sources, apparently Spain and Germany. Gold Wafer cards were offered at US$5 and Silver Wafer cards at US$15. It is precisely this availability of programming tools and cards that underlies the point made at the beginning of this article: SIM cloning could well extend financially as an industry well beyond the industry created for cloning mobile telephones.

CLONING TOOLS AVAILABILITY


Discovering websites selling SIM cloning tools was in fact a surprisingly easy research task. The websites ranged from auction (bidding) sites to distributor and manufacturer sites. The cost of the cloning tools ranged from 35 to 57 Euros. The functional capability claimed for the tools was also surprising. For example, the blurb by one supplier stated: "SIMCARD8 is a preprogrammed simcard that allows you to store or make a backup of 8 different mobile phone sim cards in only 1 simcard. You will need to know the IMSI and Ki codes of every simcard that you want to back up. IMSI and Ki codes are the codes that identify a simcard at your network provider; these codes are encrypted at your original simcard, to find them out you will need our SIM-MASTER card reader/writer." [http://ucables.com/ref/SIMCARD8]
Features:
- Support for 8 different provider names on the same card
- PIN security management like original SIM cards (3 PIN attempts + 10 PUK attempts)
- Storage capacity between 125 and 250 phonebook entries (0 to 125 in EEPROM and 125 in FLASH)
- SMS storage capacity configurable from 20 to 40 SMS
- Individual SMS centre number for each of the 8 phone numbers
- Storage of the 10 last dialled numbers (used only on some mobile brands)
- Support for NOKIA, SIEMENS, ALCATEL, PHILIPS, ERICSSON, MOTOROLA, MAXON, PANASONIC, MITSUBISHI, NEC, SAMSUNG mobile phones. Be sure that your phone is unlocked, to be sure that SIMCARD8 will be accepted by your mobile phone.
- SIMEMU management through mobile menus
- Change mobile phone number without turning off the mobile phone (this option is not compatible with all mobile phones)
- Selection of the ratio of SMS/phonebook entries in the mobile itself

Text and images reproduced are as recorded from some web sites.

A fascinating part of the research on SIM cloning was noting the packaging and point-of-sale presentation of the tools. The SIM-MASTER referred to above was illustrated with a feature description suggesting that there was high demand for the product and that its point-of-sale presentation was the result of mass production. If this product were not mass-produced it would be an expensive way of selling tools to a low-demand market.
Features (source web site URL: http://ucables.com/ref/SIM-MASTER):
- Compatible with all GSM cellular phones
- Edit your phone book in your PC
- Edit SMS short messages in your PC
- Read IMSI and Ki codes of GSM simcards, very useful to use with our new SIMCARD8 to make simcard backups
- Edit and change the personal ringtone for Motorola cellular phones (Send as SMS function support needed, e.g. V8088, V7689)
- GSM SIM PIN code management
- Connects to serial port (RS-232), no external power needed
- Built-in hundreds of MIDI ringtones for ringtone editing
- Copy and backup phone book and SMS messages between your SIM cards
- Convenient sorting functions
- Read IMSI and Ki codes from SIM card with SIM-BACKUP or SIMscan 1.21

A REVIEW OF CLONING TECHNIQUE


The possibility that SIM cloning could be achieved with just two pieces of tooling (as above) is perhaps not the case. This is brought sharply into perspective when researching how one website believes cloning is applied in practice. That website illustrated that in fact six tools were required, which lends a ring of truth to the claims made at the site, as the author of the SIM cloning guide encouraged would-be cloners to use free software and provided the means to get it from the site. Most hackers or cloners want to do the job at minimal cost to themselves by getting everyone else to pay for it. The site offered SIM readers and writers for sale but equally offered schematics from which a cloner could build each device. The following is the website's 10-step practical guide to cloning SIMs. The comments in square brackets [...] are those of the author of this report, indicating websites where the tools or components can be found or simply making an observation.

GSM SIM Cloning for Dummies


This guide will help you "clone" your GSM SIM card and make unlimited copies of it by using either Gold Wafer Cards or 16F84A + 24C16 DIL. [Have a look at website http://www.wafer-cards.com or http://www.anytimenow.com] The "cloned" SIM card will work just like the original, meaning you can make a call, send an SMS, and manage phonebook and SMS messages too. You can use the "cloned" SIM and the original SIM simultaneously, meaning both of your SIMs will have network and both can send SMS at the same time. However, only one of the active SIMs can make a phone call at any time. Simultaneous calls are not allowed because the call will immediately be disconnected by your Network Provider. Regarding receiving SMS from other people, only one of the SIMs will receive the message. This is on a "first-come-first-served" basis and no bias is given to the original SIM. Obviously, the bills for the "cloned" SIM will also be reflected in the bills of the original SIM. Not all phones accept "cloned" SIMs. The Nokia 9210 rejects cloned SIMs, as do most new 3G phones (and even some old ones...). Not all original SIMs can be "cloned", because "cloning" requires that you extract the Ki and IMSI from the original SIM, and today the new GSM SIM cards are built with tougher protection algorithms. You may be able to get the Ki and the IMSI, but it will take you at least 8 hours for the latest SIMs. It could even take days... [The length of time quoted for extracting Ki ranged from 10 minutes to 4-8 hours. Some websites may have exaggerated the capability of the equipment available from them; a common statement, however, was 8 hours. See http://nokiafree.org and search for Nokia Flask Reverse Engineering > Hardware > SIM Cloning > Cloning]

10 easy steps to 'clone' your GSM SIM! Let us begin... (This is only applicable to Goldwafer Cards, not to Silverwafer Cards.)

STEP 1 - Download software from the Internet:
- SIM Scan 1.21 by Dejan Kaljevic [http://www.anytimenow.com]
- TwinSim 1.0 by lotfi17 [http://www.anytimenow.com]
- IC-Prog 1.04 by Bonny Gijzen [http://www.ic.prog.com/icprog.zip]
- WinPhoenix 1.06 by Paul Arnold and Joos [http://www.anytimenow.com]
- WinPhoenix EEPROM Loader [http://www.anytimenow.com]
- HEX to BIN Converter [http://www.anytimenow.com]

STEP 2 - Building your own GSM SIM Reader/Writer hardware:
- SIM Reader = SIM SCAN - Smart Mouse compatible - Schematics [http://www.anytimenow.com]
- SIM Writer = JDM Programmer - Schematics [http://www.anytimenow.com]
Don't have time to build this? Buy ready-made here. [http://www.anytimenow.com]

STEP 3 - Buying or making your own blank SIM cards:
- Make your own: 16F84A + 24C16 DIL - Schematics [http://www.anytimenow.com]
Don't have time to build this? Buy Goldwafer cards here. [http://users.anytimenow.com/sid67b/GSMSIM3.htm]

STEP 4 - Getting the Ki and IMSI of the original SIM
Install Sim Scan 1.21 by running the install.bat file. Run and configure Sim Scan from the c:\sim_scan\setup.bat file.
Screen 1: Press Alt+Enter, then select the COM port where the SIM Reader is connected. SIM Scan will not work properly unless it is maximised to full screen.

Screen 2: Select baud rate (choose 9600 bps, 3.57 MHz). [The baud rate should be considered in relation to the SIM functionality and the device reading the SIM. The 3.57 MHz figure is the clock supplied to the card; under ISO 7816 both the card's processing speed and its default serial rate are derived from that clock, which is why a faster resonator shortens every one of the many thousands of RAND challenges the extraction needs. For example, http://users.anytimenow.com/sid67b/GSMSIM3.htm offers for sale a device called U-GSR Advanced ver 1.6 and states: "U-GSR Advanced ver 1.6 is for advanced users who want faster and better performance in cloning GSM SIMs. The Dual Resonator option lets you switch from 3.57 MHz to 6.00 MHz easily. Using the 6.00 MHz option, you will lessen the time it will take you to get the Ki and the IMSI by 50%!"]

Screen 3: Put original SIM card to SIM Reader and press Enter

Screen 4: Press 'F5' - Get IMSI and Ki. Sim Scan will automatically create the par2.bin file as part of installation. This will take about 40 minutes on a fast computer. [Interestingly, the implication here is that obtaining the IMSI and Ki takes 40 minutes, which conflicts with the 4-8 hours or couple of days quoted elsewhere. More likely the 40 minutes refers to creating par2.bin during installation.]

Screen 5: Select 'F2' or 'F3' (Do not use 'F1' unless you know what you are doing.) 'F3' Retrieves 75% of SIMs even year 2001 GSM SIMs, but it is slow. 'F2' Retrieves 50% of SIMs even year 2001 GSM SIMs and it is faster. /\/\/\/\If the Ki and IMSI cannot be retrieved using 'F2', you can switch to 'F3'/\/\/\/\

The process of getting the Ki and the IMSI from the original SIM usually takes from 4 hours to 3 days depending on the type of GSM SIM. You can exit at any time and resume whenever you want; Sim Scan will start from where you last finished. After the Ki and the IMSI have been retrieved, a file named c:\Imsi_ki.dat will be created, and opening it with Notepad you will see something similar to the screen shown (screenshot not reproduced here).

Step 5 - Creating the HEX files for the "clone" SIM. Run TwinSim 1.0 and select 'Single-Sim', then input the Ki and the IMSI that you got from the original SIM. For 'PIN' enter any 4 digits and for 'PUC' enter any 8 digits. After inputting all the data needed, click 'Generate Picfile' and 'Generate Epromfile', then exit the program. Two HEX files will be generated in the folder where TwinSim is located (pic16f84.hex and eeprom.hex).

Step 6 - Converting the eeprom.hex to eeprom.bin. The eeprom.hex and hex2bin.exe files must be placed in the same directory. Run hex2bin.exe and copy the settings from the screen shown (screenshot not reproduced here). A new file 'eeprom.bin' will be created.

Step 7 - Burning the EEPROM Loader to the Goldwafer. Run IC-Prog 1.04 and configure it to work with the SIM Writer which is a JDM hardware. Choose 'Settings' --> 'Hardware' then choose correct COM port where SIM Writer is connected.

After setting up the hardware, put the blank Goldcard to the SIM Writer and select 16F84A from the chip list.

Now load the 'Winphoenix Loader.hex' by selecting 'File' --> 'Open File'. After loading the file, click the 'Program All' button (the one with the thunder icon).

Step 8 - Burning the eeprom.bin to the Goldcard. Put the Goldcard which you used from IC-Prog to the SIM Reader and then run WinPhoenix 1.06. Other versions of WinPhoenix might not work so make sure that you are using version 1.06. Configure the COM port where the SIM reader is connected. This can be done using the 'File' --> 'Preferences' and selecting 'General' Tab.

Select 'File' --> 'Load' and choose eeprom.bin.

Select 'Card' --> 'Program' and the eeprom.bin will be written to the Goldwafer's 24C16.

Step 9 - Burning the pic16f84.hex to the Goldwafer. Put the Goldwafer to the SIM writer hardware and run IC-Prog 1.04 again. Follow the same steps as described in Step 7, but this time load the pic16f84.hex file instead. You can program this card with 'CP' enabled or disabled, it does not matter.

Step 10 - Testing the 'cloned' SIM to your phone. Insert the 'cloned' SIM to your phone and enter the PIN code which you wrote earlier using the TwinSim 1.0 program. Wait for the phone to register to the Network and now you are done:)
[The author of Cloning for Dummies (c) X-Shadow 2001 GSM Technology.]
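Step 6 of the guide turns TwinSim's Intel HEX output into the raw image that WinPhoenix writes to the 24C16 in Step 8. The following is an added example of that conversion, written for this report; it is not hex2bin.exe (whose settings screen is not reproduced) and it assumes only the generic Intel HEX record format and a 2048-byte EEPROM whose unprogrammed locations are left at the erased value 0xFF. The sample records are constructed for the example, are not TwinSim output, and carry no real Ki. What it adds beyond the guide is the checking a converter should do: every record's checksum, the declared length, and whether the data fits the device at all, so that a corrupt or hand-edited file is rejected instead of being burnt to the card.

```python
"""Intel HEX to raw EEPROM image, with the checks a converter should make (added example)."""
from typing import Tuple

EEPROM_24C16_SIZE = 2048  # 16 kbit I2C EEPROM on the wafer card
ERASED = 0xFF

# Constructed sample: two data records, one at the top of the device, then EOF.
SAMPLE_HEX = """\
:100000000102030405060708090A0B0C0D0E0F1068
:04001000AABBCCDDDE
:1007F000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF09
:00000001FF
"""


def parse_record(line: str) -> Tuple[int, int, bytes]:
    """Decode one ':LLAAAATT<data>CC' record into (address, type, data).

    The checksum byte makes every record sum to 0 modulo 256, so a corrupted
    or hand-edited line is rejected rather than silently programmed.
    """
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError(f"record must start with ':': {line!r}")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError(f"record too short: {line!r}")
    length, rtype = raw[0], raw[3]
    if len(raw) != 5 + length:
        raise ValueError(f"length field {length} does not match record: {line!r}")
    if sum(raw) & 0xFF:
        raise ValueError(f"bad checksum: {line!r}")
    address = (raw[1] << 8) | raw[2]
    return address, rtype, raw[4:4 + length]


def hex2bin(text: str, size: int = EEPROM_24C16_SIZE, fill: int = ERASED) -> bytes:
    """Assemble data records into a fixed-size image; refuse anything a 24C16 cannot hold."""
    image = bytearray([fill]) * size
    seen_eof = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if seen_eof:
            raise ValueError("data after the EOF record")
        address, rtype, data = parse_record(line)
        if rtype == 0x01:          # End Of File
            seen_eof = True
            continue
        if rtype != 0x00:          # segment/linear address records imply a bigger device
            raise ValueError(f"unsupported record type {rtype:#04x}")
        end = address + len(data)
        if end > size:
            raise ValueError(f"record at {address:#06x} runs past {size} bytes")
        image[address:end] = data
    if not seen_eof:
        raise ValueError("missing EOF record")
    return bytes(image)


if __name__ == "__main__":
    img = hex2bin(SAMPLE_HEX)
    with open("eeprom.bin", "wb") as fh:
        fh.write(img)
    print(f"wrote {len(img)} bytes; first 20: {img[:20].hex()}")
```

For an examiner the same parser is useful in reverse: a recovered eeprom.hex or eeprom.bin from a suspect's PC is a fixed 2048-byte layout, so the card image, the PIC firmware and the card itself can be compared byte for byte.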

OBSERVATIONS
The discussion above represents a small proportion of the information discovered by searching the Internet. Cloning for Dummies and the tools identified above are accessible and available from the Internet. The discussion does not represent all testing carried out by the author of this Special Issue report. The aim has been to highlight the growth in promotion of tools claiming that SIM cloning is possible and showing how it is done. If the assertions made are correct then forensic examiners need to be aware of this, and it is hoped this special issue helps to some degree. The impact on data acquisition from SIM cards might initially create concern as to what constitutes an original SIM and what constitutes a clone. During SIM examination there may be some clues by reference to Gold Wafer and Silver Wafer cards. This is relevant provided that the examiner is in possession of two cards with identical IMSI and Ki. Some of the more obvious things to look for would be:
- The printing on the card: who is the mobile network operator?
- The SSN (SIM Serial Number) and the ICCID (Integrated Circuit Card Identity). If they do not match between the two cards, this could be another indicator of a clone.
- The plastic card material.
- The contact pads: shape and design, colour and alloy material.
- Using SimiS, look at the Card Info page and determine whether the SIMs produce identical information. Do the same with PhoneBase, if you use PhoneBase. The review should extend to all pages of information captured during data acquisition from the SIM.
The Cloning for Dummies guide itself gives a clue that two "identical" SIMs can contain different data: "Regarding receiving SMS from other people, only one of the SIMs will receive the message." The clues are there if time is given to considering what they are.
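One way to turn those clues into a repeatable check, as an added example that is not part of SimiS, PhoneBase or the original report: take two acquisitions that present the same IMSI, validate each ICCID's format and Luhn check digit (ITU-T E.118), and flag the divergences the guide itself predicts, such as SMS that only one of the cards ever received. The two records are constructed and describe no real subscriber; the IMSI split assumes a two-digit MNC, which is right for the UK but not everywhere, so it is a parameter.

```python
"""Comparing two SIM acquisitions that claim the same subscriber (added example)."""
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn check as used for the ICCID check digit (ITU-T E.118)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iccid_valid(iccid: str) -> bool:
    """ICCIDs start with the telecom prefix 89 and are 19 or 20 digits incl. check digit."""
    return iccid.startswith("89") and 19 <= len(iccid) <= 20 and luhn_valid(iccid)


def split_imsi(imsi: str, mnc_len: int = 2) -> Dict[str, str]:
    """MCC (3 digits), MNC (2 or 3 depending on country; assumed 2 here), MSIN."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError(f"malformed IMSI {imsi!r}")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def compare_sims(a: Dict, b: Dict) -> Dict:
    """Return findings for two acquisition records (keys: imsi, iccid, operator, sms)."""
    findings: List[str] = []
    for label, rec in (("A", a), ("B", b)):
        iccid = rec.get("iccid", "")
        if not iccid:
            findings.append(f"{label}: no ICCID read (emulator/wafer cards need not carry one)")
        elif not iccid_valid(iccid):
            findings.append(f"{label}: ICCID {iccid} fails the E.118 format/Luhn check")
    same_imsi = a["imsi"] == b["imsi"]
    same_iccid = bool(a.get("iccid")) and a.get("iccid") == b.get("iccid")
    if same_imsi and not same_iccid:
        findings.append("same IMSI on cards with different ICCIDs: consistent with a clone pair")
    if a.get("operator") and b.get("operator") and a["operator"] != b["operator"]:
        findings.append("card printing names different operators")
    if same_imsi:
        # Card-resident data diverges after cloning: the network delivers each SMS to one card only.
        only_a = sorted(set(a.get("sms", [])) - set(b.get("sms", [])))
        only_b = sorted(set(b.get("sms", [])) - set(a.get("sms", [])))
        if only_a or only_b:
            findings.append(f"SMS stores diverge: {len(only_a)} only on A, {len(only_b)} only on B")
    if same_imsi and same_iccid:
        verdict = "same subscriber identity and card identity"
    elif same_imsi:
        verdict = "possible clone pair"
    else:
        verdict = "different subscribers"
    return {"same_imsi": same_imsi, "same_iccid": same_iccid, "verdict": verdict, "findings": findings}


# Constructed records (not real subscribers): an operator-issued card and a wafer card
# programmed with the same IMSI/Ki, each holding SMS the other never received.
ORIGINAL = {"imsi": "234100000000001", "iccid": "8944100000000000018",
            "operator": "Operator printed on card", "sms": ["msg-001", "msg-002"]}
SUSPECT = {"imsi": "234100000000001", "iccid": "8944100000000000026",
           "operator": "", "sms": ["msg-001", "msg-003"]}

if __name__ == "__main__":
    result = compare_sims(ORIGINAL, SUSPECT)
    for line in result["findings"]:
        print("-", line)
    print(result["verdict"])
```

A matching ICCID does not prove the cards are the same physical card (a wafer card can be programmed to present any ICCID), so the check only ever raises a finding; the physical clues in the list above, and the Card Info pages from the acquisition tools, remain the examiner's evidence.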

It appears inevitable that consideration must be given to the evidential impact of this topic. During the Extended Mobile Telephone Evidence training course best endeavours will be made to include some discussion time on it. Finally, readers should be aware that it is unclear at this stage whether cloning a SIM is a crime where the person uses their own number (so to speak). There may also be legal requirements that make cloning a SIM a civil wrong: the IMSI, it is understood, is owned by the issuer and may be authorised to be recorded into one SIM only. It is suggested therefore that before any laboratory testing is carried out, enquiries as to the legal implications should be made and authorisation sought.
