
Seminar Report, 2011

Cell Phone Cloning

1. INTRODUCTION

Cell phone cloning is copying the identity of one mobile telephone to another mobile telephone. Usually this is done for the purpose of making fraudulent telephone calls: the bills for the calls go to the legitimate subscriber. The cloner is also able to make effectively anonymous calls, which attracts another group of interested users. Cloning is the process of taking the programmed information stored in a legitimate mobile phone and illegally programming the identical information into another mobile phone. The result is that the "cloned" phone can make and receive calls, and the charges for those calls are billed to the legitimate subscriber. Because both handsets present the same identity, a network that checks identity alone has no way to differentiate between the legitimate phone and the clone.

1 Dept.Electronics & Communication METSS School of Engg.,Mala


HISTORY

WHEN DID CELL CLONING START?
The early 1990s were boom times for eavesdroppers. Any curious teenager with a Tandy scanner costing about 100 could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids. Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid 1990s with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic and the Model 8000.

GSM (Global System for Mobile Communications) is a digital cellular technology based on TDMA. GSM phones use a Subscriber Identity Module (SIM) card that holds the subscriber's account information; any GSM phone is programmed the moment a SIM is plugged in, which is why GSM handsets can easily be rented or borrowed. Operators providing GSM service in India include Airtel and Hutch.

CDMA (Code Division Multiple Access) is a method of transmitting simultaneous signals over a shared portion of the spectrum. Unlike GSM there is no SIM card; the subscriber identity is programmed into the handset itself. Operators providing CDMA service in India are Reliance and Tata Indicom.

IS THE FIXED TELEPHONE NETWORK SAFER THAN THE MOBILE PHONE?
The answer is yes. Mobile phone companies emphasise the security functions that prevent eavesdropping and unauthorised use, but those functions do not make the mobile network safer than the fixed network: they only protect against the new forms of abuse that the open radio interface makes possible.

SECURITY FUNCTIONS OF GSM AND CDMA
As background to the attacks on GSM and CDMA networks, the following is a brief introduction to the security functions available in GSM:
- Access control by means of a personal smart card (the Subscriber Identity Module, SIM) and a PIN (personal identification number).
- Authentication of the user towards the network carrier, and generation of a session key, in order to prevent abuse.
- Encryption of communication on the radio interface, i.e. between mobile station and base station.
- Concealing the user's identity on the radio interface: a temporary identity code (TMSI) is used to identify the mobile user instead of the IMSI.

HOW BIG OF A PROBLEM IS CLONING FRAUD?
The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses due to cloning fraud are between $600 million and $900 million in the United States. Some Reliance subscribers have already suffered because their phones were cloned. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government.

HOW IS CELL CLONING DONE?
Cloning involved modifying or replacing the EPROM in the phone with a new chip that allowed the ESN (Electronic Serial Number) to be configured via software. The MIN (Mobile Identification Number) also had to be changed. Once the ESN/MIN pair had been changed successfully, the phone was an effective clone of the other phone. Cloning therefore required access to valid ESN/MIN pairs, which were discovered in several ways:
- Sniffing the cellular network (the pair is sent over the air whenever the phone registers or places a call).
- Trashing (dumpster diving) cellular companies or cellular resellers.
- Hacking cellular companies or cellular resellers.
Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older cloneable phones are harder to find and newer phones have not been successfully reverse-engineered. Cloning has been demonstrated under GSM, but the process is not easy and currently remains in the realm of serious hobbyists and researchers.

ARE OUR CELL PHONES SECURE?
Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy. There is a lucrative black market in stolen and cloned SIM cards. This is possible because SIMs are not network specific and, though tamper-resistant, their security is flawed: a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill. Handsets do have locking mechanisms that require a PIN before the phone can be used. This dissuades some attackers and foils others, but may not stop a well financed and equipped attacker. An 8-digit PIN has 100,000,000 possible values, so guessing it takes about 50,000,000 attempts on average, but a sophisticated attacker may have ways to bypass the PIN altogether.

With the shift to GSM digital, which now covers almost the entire UK mobile sector, the phone companies assure us that the bad old days are over: mobile phones, they say, are secure and privacy friendly. This is not entirely true. While the amateur scanner menace has largely been exterminated, there is now more potential than ever for privacy invasion. The alleged security of GSM relies on the myth that encryption, the mathematical scrambling of our conversations, makes it impossible for anyone to intercept and understand our words. That claim looks good on paper but does not stand up to scrutiny: the encryption was deliberately made insecure, and many encrypted calls can therefore be intercepted and decrypted with a laptop computer.

WHAT ARE ESN AND PIN?
ESN means Electronic Serial Number. This number is loaded into the phone when it is manufactured and cannot be tampered with or changed by the user or subscriber; if this number is known, a mobile can be cloned easily. The PIN (Personal Identification Number) is a unique number that each service provider issues to its subscriber. If both the PIN and the ESN are known, a mobile phone can be cloned in seconds using software such as Patagonia, which is used to clone CDMA phones.

WHAT IS PATAGONIA?
Patagonia is software available in the market that is used to clone CDMA phones. Using it, a cloner can take over control of a CDMA phone, i.e. clone it. Other software packages, also easily available in the market, clone GSM phones.

CAN DIGITAL PHONES BE CLONED?
Yes, digital phones can be cloned. However, mobile phones using digital TDMA and CDMA technology are equipped with a feature known as Authentication, and some newer analogue phones also have it. Authentication allows the mobile service provider's network to determine the legitimacy of a mobile phone: phones determined to be clones can be denied access to service instantly, before any calls are made or received.

HOW TO KNOW THAT THE CELL HAS BEEN CLONED?
- Frequent wrong-number calls to your phone, or hang-ups.
- Difficulty in placing outgoing calls.
- Difficulty in retrieving voice mail messages.
- Incoming calls constantly receiving busy signals or wrong numbers.
- Unusual calls appearing on your phone bills.

CAN CALLS ON A CLONED PHONE BE TRACKED?
Yes. A SIM can be cloned again and again and the copies used in different places, but messages and calls sent by cloned phones can still be tracked. However, if the accused also manages to clone the IMEI number of the handset, for which software is available, there is no way the phone can be traced.

HOW TO PREVENT CELL CLONING?
The MIN uniquely identifies a mobile unit within a wireless carrier's network; it can often be dialled from other wireless or wireline networks. It differs from the electronic serial number (ESN), which is the unit number assigned by the phone manufacturer. MIN/ESN pairs can be checked electronically to help prevent fraud. In addition:
- Mobiles should never be trusted for communicating or storing confidential information.
- Always set a PIN that is required before the phone can be used.
- Check that all mobile devices are covered by a corporate security policy.
- Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.
HOW DO SERVICE PROVIDERS HANDLE REPORTS OF CLONED PHONES?
Legitimate subscribers whose phones have been cloned receive bills with charges for calls they did not make; sometimes these charges amount to several thousand dollars on top of the legitimate charges. Typically the service provider absorbs the cost of the fraudulent calls. However, to stop the cloned phone from continuing to receive service, the provider terminates the legitimate subscription. The subscriber then has to activate a new subscription with a different phone number, which requires reprogramming the phone, along with all the other headaches that go with a change of number.

WHAT EXACTLY IS AUTHENTICATION?
Authentication is a mathematical process in which identical calculations are performed in both the network and the mobile phone. The calculations use secret information (a "key") preprogrammed into both the mobile phone and the network before service is activated. Cloners normally have no access to this key and therefore cannot produce the same result. A legitimate phone produces the same calculated result as the network; the phone sends its result to the network, which compares it with its own. If they match, the phone is not a clone.

ARE THESE METHODS EFFECTIVE?
Yes, for the most part. Authentication is the most robust and reliable method for preventing cloning fraud and the only industry-standard method for eliminating it. Because it is standardised, every mobile telecommunications network using IS-41 can support Authentication without adding proprietary equipment, software or communications protocols.

IS MY PHONE AUTHENTICATION CAPABLE?
If the phone supports TDMA or CDMA digital radio, then yes. Otherwise it depends on how old the phone is and on the make and model.
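The two checks discussed above, the electronic ESN/MIN pair lookup (HOW TO PREVENT CELL CLONING?) and the key-based Authentication (WHAT EXACTLY IS AUTHENTICATION?), simulated side by side in an added example that is not part of the original report. The proprietary algorithms (GSM A3/A8, IS-41 CAVE) are replaced by HMAC-SHA256 purely as an assumption to keep the code self-contained; the message flow is the one the report describes: the network issues a random challenge, phone and network each compute a result from the shared secret, and the network accepts only if the two results match. The subscriber database and the ESN/MIN values are constructed.

```python
"""Pair lookup versus key-based authentication, simulated.

Added example (not from the original report). HMAC-SHA256 stands in for the
proprietary A3/A8 and CAVE algorithms (an assumption made only to keep the
example self-contained). The flow is the report's: random challenge from the
network, result computed on both sides from a pre-provisioned key, accept
only on a match.
"""
import hashlib
import hmac
import secrets

# Constructed subscriber database: (ESN, MIN) pair -> per-subscriber secret key.
# The key is provisioned before service is activated and never sent over the air.
SUBSCRIBERS = {
    ("12301234567", "2125551234"): bytes.fromhex("0f" * 16),
}

def pair_check(esn, min_, subscribers=SUBSCRIBERS):
    """Legacy AMPS-style check: is the ESN/MIN pair on the subscriber list?
    A clone that copied the pair passes this, which is why identity alone
    cannot separate a clone from the original handset."""
    return (esn, min_) in subscribers

def phone_response(key, rand):
    """Computed inside the handset (or SIM): result = f(key, RAND).
    Truncated to 4 bytes, the size of GSM's SRES."""
    return hmac.new(key, rand, hashlib.sha256).digest()[:4]

def session_key(key, rand):
    """Cipher key derived from the same secret and challenge (A8/Kc analogue),
    used to encrypt the radio interface once authentication succeeds."""
    return hmac.new(key, b"cipher" + rand, hashlib.sha256).digest()[:8]

def new_challenge():
    """A fresh random challenge per authentication, so a response captured
    over the air cannot simply be replayed."""
    return secrets.token_bytes(16)

def network_authenticate(esn, min_, rand, response, subscribers=SUBSCRIBERS):
    """Network side: look up the pair, recompute the expected result from the
    provisioned key and compare in constant time. Returns (accepted, Kc)."""
    if not pair_check(esn, min_, subscribers):
        return False, None
    key = subscribers[(esn, min_)]
    expected = phone_response(key, rand)
    if not hmac.compare_digest(expected, response):
        return False, None
    return True, session_key(key, rand)

def simulate(esn, min_, handset_key, subscribers=SUBSCRIBERS):
    """One registration attempt by a handset claiming (esn, min_) and holding
    handset_key. None models a clone that has the copied pair but no key."""
    rand = new_challenge()
    if handset_key is None:
        response = secrets.token_bytes(4)   # the clone can only guess
    else:
        response = phone_response(handset_key, rand)
    return network_authenticate(esn, min_, rand, response, subscribers)

if __name__ == "__main__":
    esn, min_ = "12301234567", "2125551234"
    print("pair check passes for a clone:", pair_check(esn, min_))
    print("authentication, legitimate phone:", simulate(esn, min_, SUBSCRIBERS[(esn, min_)])[0])
    print("authentication, clone without key:", simulate(esn, min_, None)[0])
```

The pair check accepts the clone; the key-based check rejects it, and a session key is only derived on success, so an unauthenticated clone never obtains the cipher key either.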
Almost all phones manufactured since the beginning of 1996 support the Authentication function; the best bet is to check with your service provider.

ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD
Service providers use many methods, such as RF fingerprinting, subscriber behaviour profiling and Authentication. RF fingerprinting identifies mobile phones by unique characteristics of their radio-frequency transmissions, which are essentially "fingerprints" of the radio being used. Subscriber behaviour profiling predicts possible fraudulent use of mobile service based on the types of calls the subscriber has made previously; calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and appropriate action can be taken. Authentication has advantages over these technologies: it is the only industry-standardised procedure, it is transparent to the user, it can effectively combat roamer fraud, and it is a prevention system rather than a detection system.

WHAT IS IS-41?
IS-41 (Interim Standard No. 41) is a document prescribing standards for communications between mobile networks. The standard was developed by the Telecommunications Industry Association (TIA) and is used primarily throughout North America as well as in many Latin American and Asian countries. IS-41 supports the AMPS, NAMPS, TDMA and CDMA radio technologies and defines the methods for automatic roaming, handoff between systems and Authentication.

WHAT CAN BE DONE?
Against technically sophisticated thieves, customers are relatively helpless; usually they become aware of the fraud only when they receive their phone bill. Service providers have adopted certain measures to prevent cellular fraud: encryption, blocking, blacklisting, user verification and traffic analysis.
Encryption is regarded as the most effective way to prevent cellular fraud, as it prevents eavesdropping on cellular calls and makes it nearly impossible for thieves to steal Electronic Serial Number (ESN) and Personal Identification Number (PIN) pairs over the air.
Blocking is used by service providers to protect themselves from high-risk callers. For example, international calls can be made only with prior approval; in some countries only users with major credit cards and good credit ratings are allowed to make long-distance calls.
Blacklisting of stolen phones is another mechanism to prevent unauthorised use. An Equipment Identity Register (EIR) enables network operators to disable stolen cellular phones on networks around the world.
User verification using Personal Identification Number (PIN) codes is one method of customer protection against cellular phone fraud; tests conducted in the United States found that having a PIN code reduced fraud by more than 80%.
Traffic analysis detects cellular fraud by using artificial intelligence software to spot suspicious calling patterns, such as a sudden increase in the length of calls or in the number of international calls. The software also determines whether it is physically possible for the subscriber to be making a call from the current location, given the location and time of the previous call. Currently South Africa's two service providers, MTN and Vodacom, use traffic analysis together with the International Mobile Equipment Identity (IMEI), a 15-digit number that acts as a unique identifier and is usually printed on the back of the phone underneath the battery, to trace stolen phones.
Other warning signs that subscribers should watch out for to detect fraudulent activity include:
- Frequent wrong-number calls to your phone, or hang-ups.
- Difficulty in placing outgoing calls.
- Difficulty in retrieving voice mail messages.
- Incoming calls constantly receiving busy signals or wrong numbers.
- Unusual calls appearing on your phone bills.

CONCLUSION
Presently the cellular phone industry relies on common law (fraud and theft) and in-house countermeasures to address cellular phone fraud. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government; the enactment of legislation to prosecute crimes related to cellular phones is not viewed as a priority, however. It is essential that intended mobile crime legislation be comprehensive enough to incorporate cellular phone fraud, and in particular "cloning fraud", as a specific crime.

ANOTHER
Reference: http://www.seminarprojects.com/Thread-mobile-phone-cloning-fullreport

ABSTRACT
Mobile communication has been readily available for several years and is major business today. It provides a valuable service to users who are willing to pay a considerable premium over a fixed-line phone to be able to walk and talk freely. Because of its usefulness and the money involved, it is subject to fraud. Unfortunately, the advance of security standards has not kept pace with the spread of mobile communication. Some features of mobile communication make it an alluring target for criminals: it is a relatively new invention, so not everyone is familiar with its possibilities, good or bad, and its newness also means intense competition among service providers as they attract customers. The major threat to the mobile phone is cloning: copying the identity of one mobile telephone to another so that the clone can make and receive calls that are billed to the legitimate subscriber, while the cloner makes effectively anonymous calls.

ANOTHER

You might have read news of the cloning of sheep or cattle with amused interest. But how would you feel if somebody cloned your mobile phone? Technology is finally rearing its dark side. Along with the proliferation of technological innovations, this era also marks the birth of the new-age IT criminal in a big way, the latest technology fraud being cell phone cloning. Cell phone cloning is a technique wherein security data from one cell phone is transferred into another phone; the other phone becomes an exact replica of the original, like a clone. As a result, while calls can be made from both phones, only the original is billed. Though communication channels are equipped with security algorithms, cloners get away with it through loopholes in the systems, so when one receives huge bills, the chances are that the phone is being cloned. This paper describes cell phone cloning and its implementation in GSM and CDMA phones. It gives an insight into the security mechanisms of CDMA and GSM phones along with the loopholes in those systems, discusses the different ways of preventing cloning, and elaborates on the future threat of this fraud.

1. INTRODUCTION
Remember Dolly the lamb, cloned from a six-year-old ewe by researchers at the Roslin Institute in Scotland and announced in 1997? While the debate on the ethics of cloning continues, the human race is, for the first time, faced with a more tangible and harmful version of cloning, and this time it is your cell phone that is the target.

Millions of cell phone users, GSM or CDMA, run the risk of having their phones cloned. If you have been receiving exorbitantly high bills for calls that were never placed, chances are that your phone has been cloned. Unfortunately, there is no direct way for the subscriber to detect cloning; events like dropped calls or anomalies in the monthly bill are the only indicators. According to media reports, the Delhi (India) police recently arrested a person with 20 cell phones, a laptop, a SIM scanner and a writer. The accused was running an illegal exchange in which he cloned CDMA-based cell phones, using software named Patagonia, and provided cheap international calls to Indian immigrants in West Asia.

2. WHAT ARE GSM AND CDMA MOBILE PHONE SETS?
CDMA is one of the newer digital technologies, used in Canada, the US, Australia and some East Asian countries (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) in its use of spread-spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio spectrum into separate user channels by frequency slices or time slots, spread-spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals. GSM is a digital mobile telephone system widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies (TDMA, GSM and CDMA). GSM digitises and compresses data, then sends it down a channel shared with other users' data streams, each in its own time slot (eight slots per carrier). It operates in either the 900 MHz or the 1,800 MHz frequency band.

Some other important terms whose knowledge is necessary are IMEI, SIM, ESN and MIN.
IMEI stands for International Mobile Equipment Identity. It is a 15-digit universally unique number of a GSM handset: no two mobile phones share the same IMEI. It is a very valuable number and is used in tracking mobile phones.
SIM stands for Subscriber Identity Module. The SIM has survived and evolved. Early mobiles took the entire credit-card-sized card; such SIMs are called ID-1 SIMs. In the other form, only the small part of the card carrying the chip is inserted into the mobile; these are known as plug-in SIMs.


Basically the SIM stores subscriber-related information of three types: fixed data stored before the subscription is sold, temporary network data, and service-related data.
ESN means Electronic Serial Number. This number is loaded when the phone is manufactured and cannot be tampered with or changed by the user or subscriber; if this number is known, a mobile can be cloned easily. The ESN plays the same role for CDMA handsets that the IMEI plays for GSM handsets.
Personal Identification Number (PIN): each service provider issues a PIN to its subscriber. This is a unique number. If the PIN and ESN are known, a mobile phone can be cloned in seconds using software like Patagonia, which is used to clone CDMA phones.
MIN stands for Mobile Identification Number, which plays the role that the subscriber identity held on the SIM plays in GSM. The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no SIM: the MIN is programmed into the handset itself and cannot be swapped out the way a GSM SIM can.

3. HOW DOES A CELL PHONE WORK?
Cell phones send radio-frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular phone makes a call, it transmits its Electronic Serial Number (ESN), Mobile Identification Number (MIN), Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press SEND and before the tower catches the data. These four items are what the cellular provider uses to ensure that the phone is programmed to be billed and to establish the identity of both the customer and the phone. The MIN and ESN together are known as the pair and are used for cell phone identification. When the cell site receives the pair, it determines whether the requester is a legitimate registered user by comparing the pair to a cellular subscriber list. Once the pair has been recognised, the cell site emits a control signal permitting the subscriber to place calls at will. This process, known as autonomous registration, is carried out each time the telephone is turned on or picked up by a new cell site. Note that a cloned phone transmits exactly the same pair, so this lookup alone cannot tell a clone from the legitimate handset.

4. SECURITY VULNERABILITIES IN CELL PHONES
Your cellular telephone has three major security vulnerabilities:
- Monitoring of your conversations while you use the phone.
- Your phone being turned into a microphone to monitor conversations in its vicinity while the phone is inactive.
- Cloning, or the use of your phone number by others to make calls that are charged to your account.
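The pair the paper describes (ESN and MIN, sent with the SCM and the dialed number), as an added example that is not code from the paper: it packs a 10-digit MIN into the MIN1/MIN2 form that the AMPS air interface (EIA/TIA-553) carries in the registration burst, splits the 32-bit ESN into manufacturer code and serial number, and runs the cell site's pair lookup. The subscriber list, the SCM value and the tuple used to represent the burst are constructed for illustration, not the real bit-level frame.

```python
"""MIN and ESN: the identifiers that make up the 'pair'.

Added example, not code from the paper. encode_min/decode_min implement the
MIN1/MIN2 packing the AMPS air interface (EIA/TIA-553) uses to carry a
10-digit directory number in 34 bits; split_esn follows the 32-bit ESN
layout (8-bit manufacturer code, 24-bit serial). The subscriber list, the
SCM value and the tuple used for the registration burst are constructed.
"""

def _encode_triple(d3):
    """Three digits -> 10-bit value: digit 0 is taken as 10, then 111 is
    subtracted so the result lies in 0..999."""
    if len(d3) != 3 or not d3.isdigit():
        raise ValueError("need exactly 3 digits")
    return sum((int(c) or 10) * w for c, w in zip(d3, (100, 10, 1))) - 111

def _decode_triple(v):
    """Inverse of _encode_triple: peel off three digits in 1..10 (10 means 0)."""
    if not 0 <= v <= 999:
        raise ValueError("encoded triple out of range")
    v += 111
    digits = []
    for _ in range(3):
        d = v % 10 or 10
        v = (v - d) // 10
        digits.append("0" if d == 10 else str(d))
    if v != 0:
        raise ValueError("not a valid encoded triple")
    return "".join(reversed(digits))

def encode_min(number):
    """10-digit number NPA NXX X XXX -> (MIN1: 24 bits, MIN2: 10 bits).
    MIN2 is the area code; MIN1 = [NXX 10 bits][thousands digit 4 bits, 0 -> 10][last three 10 bits]."""
    if len(number) != 10 or not number.isdigit():
        raise ValueError("need a 10-digit directory number")
    npa, nxx, thousands, last3 = number[:3], number[3:6], number[6], number[7:]
    min1 = (_encode_triple(nxx) << 14) | ((int(thousands) or 10) << 10) | _encode_triple(last3)
    return min1, _encode_triple(npa)

def decode_min(min1, min2):
    """Recover the dialable 10-digit number from MIN1/MIN2."""
    t = (min1 >> 10) & 0xF
    if not 1 <= t <= 10:
        raise ValueError("bad thousands digit field")
    return (_decode_triple(min2) + _decode_triple(min1 >> 14)
            + ("0" if t == 10 else str(t)) + _decode_triple(min1 & 0x3FF))

def split_esn(esn):
    """32-bit ESN -> (manufacturer code, serial number)."""
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    return esn >> 24, esn & 0xFFFFFF

def esn_from_decimal(text):
    """ESNs are commonly printed as 11 decimal digits: MMM + SSSSSSSS."""
    if len(text) != 11 or not text.isdigit():
        raise ValueError("need 3-digit manufacturer code + 8-digit serial")
    mfr, serial = int(text[:3]), int(text[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("field does not fit its bit width")
    return (mfr << 24) | serial

# Constructed subscriber list keyed by the pair as the cell site stores it.
SUBSCRIBER_LIST = {(esn_from_decimal("12301234567"), encode_min("2125551234"))}

def registration_burst(esn, number, scm=0x0A, dialed=""):
    """The four items the paper lists, in order: ESN, MIN, SCM, dialed number.
    (Constructed tuple; the SCM value is arbitrary, not a real class mark.)"""
    return (esn, encode_min(number), scm & 0xF, dialed)

def cell_site_accepts(burst, subscribers=SUBSCRIBER_LIST):
    """The pair lookup. A clone programmed with the same ESN and MIN builds an
    identical burst, so this check alone cannot tell it from the original."""
    esn, min_pair, _scm, _dialed = burst
    return (esn, min_pair) in subscribers

if __name__ == "__main__":
    min1, min2 = encode_min("2125551234")
    print(f"MIN1=0x{min1:06X} MIN2=0x{min2:03X} ->", decode_min(min1, min2))
    print("MFR, serial:", split_esn(esn_from_decimal("12301234567")))
    clone = registration_burst(esn_from_decimal("12301234567"), "2125551234", dialed="9810000000")
    print("clone accepted by pair check:", cell_site_accepts(clone))
```

The digit-0-as-10 rule is what makes the three-digit groups decode unambiguously; it is the reason an encoded MIN cannot be read back by simple base-10 arithmetic, and why a cloner who captures MIN1/MIN2 over the air still needs this decoding to learn the dialable number.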


Reference: http://www.seminarprojects.com/Thread-mobile-phone-cloning-full-report?page

Cell phone cloning refers to the act of copying the identity of one mobile telephone to another. This is usually done to make fraudulent telephone calls; the bill for the calls goes to the legitimate subscriber. This has made cloning very popular in areas with large immigrant populations, where the cost to "call home" is very steep. The cloner is also able to make effectively anonymous calls, which attracts another group of interested law-breakers. Cloning started with the Motorola "bag" phones and peaked in the mid 1990s with the EPROM modification of the Motorola "brick" phones described above, which let the ESN (Electronic Serial Number) and MIN (Mobile Identification Number) be reprogrammed; once the ESN/MIN pair was changed, the phone was an effective clone. Cloning required access to ESN/MIN pairs, which were discovered in several ways:
- Sniffing the cellular network
- Trashing cellular companies or cellular resellers
- Hacking cellular companies or cellular resellers

Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older cloneable phones are more difficult to find and newer phones have not been successfully reverse-engineered. Cloning has been demonstrated under GSM, but the process is not easy and currently remains in the realm of serious hobbyists and researchers. Furthermore, cloning as a means of escaping the law is difficult because of the radio fingerprint present in the transmission signal of every mobile phone. This fingerprint remains the same even if the ESN or MIN are changed, so mobile phone companies can use a mismatch between the fingerprint and the ESN/MIN pair to identify fraud cases.


[...] e #s and one answered - it was a girl who told me she was an erotic provider. I did a search of the #s and they were all found in multiple ads for escorts on craigslist. Yah right! I guarantee I didn't make those calls and if my kids (2 & 4) happened to wake up in the middle of the night, I doubt they'd randomly dial 3 hookers. I called Verizon and was told that my BB Storm was impossible to clone. The rep said he had no idea. I'm not crazy, I know I didn't call those numbers. But it is hard to believe that someone would go to the trouble to clone my phone just to make a couple free calls in the middle of the night. Any ideas?

ANOTHER
Technique

[Image caption: A selection of mobile phones that can be cloned.]

Not to be confused with the Android software of the same name[1], phone cloning involves placing a computer chip into the target mobile telephone, allowing the electronic serial number (ESN) of the mobile phone to be modified. The ESN is normally transmitted to the cellular company in order to ascertain whether the mobile phone user is the legitimate owner of that phone. Modifying this, as well as the phone number itself (known as the mobile identification number, or MIN), paves the way for fraudulent calls, as the target telephone is now a clone of the telephone from which the original ESN and MIN numbers were obtained. Cloning has been shown to be successful on code division multiple access (CDMA) but is rare on the Global System for Mobile communication (GSM), one of the more widely used mobile telephone communication systems[2]. Cloning a GSM phone is achieved by cloning the SIM card contained within it, not the handset's own data: GSM handsets have no ESN or MIN, only an IMEI equipment number, and the subscriber identity and the secret authentication key live on the SIM.

There are various methods used to obtain the ESN and MIN; the most common are to crack the cellular company, or eavesdrop on the cellular network.
Effectiveness and legislation

Phone cloning is outlawed in the United States by the Wireless Telephone Protection Act of 1998, which prohibits: knowingly using, producing, trafficking in, having control or custody of, or possessing hardware or software knowing that it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization.[3]

The effectiveness of phone cloning is limited. Every mobile phone contains a radio fingerprint in its transmission signal which remains unique to that mobile despite changes to the phone's ESN or MIN. Thus, cellular companies are often able to catch cloned phones when there are discrepancies between the fingerprint and the ESN or MIN.
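As an added example (not from any of the sources quoted on this page), the following Python shows the two carrier-side checks the text describes, run over a constructed set of call-detail records: an RF-fingerprint mismatch against the print enrolled for the ESN/MIN pair, and a usage-conflict check that catches the same pair on two calls at once (the "number already in use" symptom) or on consecutive calls from cell sites too far apart for the time between them. The record layout, the ESN/MIN values, the fingerprint labels and the enrolled-print table are assumptions made for the demonstration; a real fraud system derives the fingerprint from the transmitter's physical characteristics rather than a label.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class CallRecord:
    """One call-detail record as a switch might log it (constructed layout)."""
    start: datetime
    end: datetime
    esn: str        # electronic serial number the handset transmitted
    min_no: str     # mobile identification number (the subscriber's number)
    lat: float      # location of the serving cell site
    lon: float
    rf_print: str   # radio-fingerprint class the fraud system assigned


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two cell sites, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def fingerprint_mismatches(records, enrolled):
    """Rule 1: the ESN/MIN pair is valid, but the transmitter's RF signature
    is not the one enrolled for that subscriber's handset.  A clone copies
    ESN and MIN; it cannot copy the radio."""
    return [r for r in records
            if (r.esn, r.min_no) in enrolled
            and enrolled[(r.esn, r.min_no)] != r.rf_print]


def usage_conflicts(records, max_speed_kmh=150.0):
    """Rule 2: one ESN/MIN pair active as no single handset can be: two calls
    overlapping in time (the 'number already in use' symptom), or consecutive
    calls from sites too far apart for the gap between them."""
    by_identity = defaultdict(list)
    for r in records:
        by_identity[(r.esn, r.min_no)].append(r)
    flagged = []
    for identity, calls in by_identity.items():
        calls.sort(key=lambda r: r.start)
        for prev, cur in zip(calls, calls[1:]):
            if cur.start < prev.end:
                flagged.append((identity, "simultaneous use", prev, cur))
                continue
            hours = (cur.start - prev.end).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km > max_speed_kmh * hours:
                flagged.append((identity, "impossible travel", prev, cur))
    return flagged


# --- constructed sample data (hypothetical ESN/MIN pairs and prints) ---------
def _t(hhmm):
    h, m = map(int, hhmm.split(":"))
    return datetime(2011, 8, 16, h, m)

SUB_A = ("82A1F3C0", "2125550123")
SUB_B = ("19C4E77D", "3125550177")
ENROLLED_PRINTS = {SUB_A: "FP-7731", SUB_B: "FP-2046"}
NYC, LAX, CHI = (40.7128, -74.0060), (34.0522, -118.2437), (41.8781, -87.6298)

SAMPLE_RECORDS = [
    CallRecord(_t("09:00"), _t("09:05"), *SUB_A, *NYC, "FP-7731"),  # genuine handset
    CallRecord(_t("09:30"), _t("09:40"), *SUB_A, *LAX, "FP-4410"),  # clone: wrong radio, wrong coast
    CallRecord(_t("09:35"), _t("09:50"), *SUB_A, *NYC, "FP-7731"),  # genuine, overlaps the clone's call
    CallRecord(_t("09:00"), _t("09:10"), *SUB_B, *CHI, "FP-2046"),  # clean subscriber
    CallRecord(_t("10:00"), _t("10:05"), *SUB_B, *CHI, "FP-2046"),
]

if __name__ == "__main__":
    for r in fingerprint_mismatches(SAMPLE_RECORDS, ENROLLED_PRINTS):
        print(f"RF mismatch       {r.esn}/{r.min_no} {r.start:%H:%M} print {r.rf_print}")
    for identity, why, a, b in usage_conflicts(SAMPLE_RECORDS):
        print(f"{why:17} {identity[0]}/{identity[1]} "
              f"{a.start:%H:%M}-{a.end:%H:%M} then {b.start:%H:%M}-{b.end:%H:%M}")
```

On the sample, the clone's call is flagged by both rules, and the genuine call that overlaps it is flagged as simultaneous use; the speed threshold and the choice of a bare fingerprint label are the knobs a real deployment would tune.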

ANOTHER

Cellular phone cloning is copying the identity of one cellphone to another cellphone. The cellphones can be re-configured so that the calls are billed to other persons: the identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone. Each cellular phone has a unique pair of identification numbers, the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be cloned without the knowledge of the subscriber or the carrier through the use of electronic scanning devices. Cellular thieves can capture an ESN/MIN pair using devices such as a cellphone ESN reader or a DDI (Digital Data Interpreter) by monitoring the radio wave transmissions from the cell phones of legitimate subscribers. The ESN and MIN are then transferred into another cellphone using a computer loaded with specialised software, or a 'copycat' box, a device specially made to clone phones. There are other devices, such as Plugs and ES-Pros, which are as small as a calculator and do not require computers or copycat boxes for cloning. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies.

Any calls made with a cloned phone are billed and traced to a legitimate cellphone account, so innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the billing details; you may find numbers you never called. If so, it is possible that your cellphone has been cloned and someone else is making calls using your identity. Many criminals use cloned cellphones for illegal activities, because their calls are not billed to them and are therefore much more difficult to trace. Cloned phones are often used to make long distance calls, even to foreign countries. Pre-paid users are at lesser risk, not because their cellphones cannot be cloned technically but because the misuse would be quickly detected and limited. Cellphone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai.

ANOTHER

Cellular fraud is defined as the unauthorized use, tampering or manipulation of a cellular phone or service. At one time, cloning of cellular phones accounted for a large portion of cell fraud. As a result, the Wireless Telephone Protection Act of 1998 expanded prior law to criminalize the use, possession, manufacture or sale of cloning hardware or software. Currently, the primary type of cell fraud is subscriber fraud. The cellular industry estimates that carriers lose more than $150 million per year due to subscriber fraud.

What Is Subscriber Fraud? Subscriber fraud occurs when someone signs up for service with fraudulently-obtained customer information or false identification. Lawbreakers obtain your personal information and use it to set up a cell phone account in your name. Resolving subscriber fraud could develop into a long and difficult process for victims. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that you did not incur the debts. Call your carrier if you think you have been a victim of subscriber fraud.

What Is Cell Phone Cloning Fraud? Every cell phone is supposed to have a unique factory-set electronic serial number (ESN) and telephone number (MIN). A cloned cell phone is one that has been reprogrammed to transmit the ESN and MIN belonging to another (legitimate) cell phone. Unscrupulous people can obtain valid ESN/MIN combinations by illegally monitoring the radio wave transmissions from the cell phones of legitimate subscribers. After cloning, both the legitimate and the fraudulent cell phones have the same ESN/MIN combination and cellular systems cannot distinguish the cloned cell phone from the legitimate one. The legitimate phone user then gets billed for the cloned phone's calls. Call your carrier if you think you have been a victim of cloning fraud.


Summary

Remember, to prevent subscriber fraud, make sure that your personal information is kept private when purchasing anything in a store or on the Internet. Protecting your personal information is your responsibility. For cell phone cloning fraud, the cellular equipment manufacturing industry has deployed authentication systems that have proven to be a very effective countermeasure to cloning. Call your cellular phone carrier for more information.

For More Information

For more information on protecting your personal information, see the FCC's Protecting Your Privacy guide at www.fcc.gov/guides/protecting-your-privacy. For information about other communications issues, visit the FCC's Consumer & Governmental Affairs Bureau website at www.fcc.gov/consumer-governmental-affairs-bureau, or contact the FCC's Consumer Center by calling 1-888-CALL-FCC (1-888-225-5322) voice or 1-888-TELL-FCC (1-888-835-5322) TTY; faxing 1-866-418-0232; or writing to:

Federal Communications Commission
Consumer & Governmental Affairs Bureau
445 12th St., SW
Washington, DC 20554
www.fcc.gov/cgb

ANOTHER

Cellular phone security has come a long way since the days when the old analog networks were in place. Cellular fraud became a serious problem which occurred at a rather high rate. Although today's modern digital networks and cell handset manufacturers have taken extraordinary steps toward making cell phone fraud more difficult, there are some ill-intentioned individuals who continue to find ways to circumvent even the highest state of modern technology. Cell phone cloning is one of the most notorious methods of cell phone fraud, and the customer must monitor cellular usage on a regular basis. Thankfully, cellular providers keep excellent records of all numbers called from your handset on a monthly basis.
Difficulty: Easy

Instructions

You will need:
- Computer with Internet connection
- Monthly cellular billing statement

1. Use a computer connected to the Internet and visit your cellular provider's website. Sign up for your provider's online account management system so you can have immediate access to your billing and use information, even before your paper bill arrives by mail.

2. Take special note of any times when you are unable to use your phone. Since a cloned cell phone appears identical to yours, you may be given messages stating that the mobile number is already in use, or you may find that you are unable to initiate or receive calls while the clone is being used by the perpetrator.

3. Record the times, dates and frequency of these "cell usage blackouts" and, if they are occurring for long durations and repeatedly throughout each day, contact your cellular provider with your concern that your phone may have been cloned.

4. Cooperate with your cellular provider if asked for your permission for the company to initiate a detailed audit of your cell usage. The company will send you a highly detailed list of phone calls sent or received on your account over the month, and your provider will most likely ask that you highlight all numbers, dates and times which you are unfamiliar with.

Source: How to Know If Your Cell Phone Has Been Cloned, eHow.com, http://www.ehow.com/how_5950167_cell-phone-cloned.html

ANOTHER
Controlling Cell Phone Fraud in the US: Lessons for the UK 'Foresight' Prevention Initiative
Ronald V Clarke (1), Rick Kemper (2) and Laura Wyckoff (3)

1. Professor, School of Criminal Justice, Rutgers, The State University of New Jersey. E-mail: rclarke@andromeda.rutgers.edu
2. Director, Wireless Technology and Security, the Cellular Telecommunications Industry Association, Washington, DC
3. Doctoral candidate, School of Criminal Justice, Rutgers, The State University of New Jersey

Abstract

During the 1990s, criminals in the US discovered ways of altering cellular phones to obtain free service. In 'cloning' frauds, criminals using scanners were able to capture the identifying numbers broadcast by legitimate phones and to program these into illegitimate 'clones'. These could then be used to obtain free access to the wireless network. In 'tumbling' frauds, telephones were altered so that they randomly transmitted illegally obtained identifying numbers. This allowed the phone to gain access to free cellular service, particularly when used outside the area where the numbers had been issued. By 1995, these frauds were costing the cellular telephone industry about $800 million per year. They also created 'upstream' crime costs in terms of thefts of phones for cloning and 'downstream' costs by facilitating drug dealing and other organized crimes. They were virtually eliminated by the end of the 1990s, through technological counter-measures adopted by the industry. There was little sign of displacement to other forms of cell phone fraud, and the preventive measures appeared to be highly cost-effective. The case study permits comment on the UK 'Foresight' initiative that envisages partnerships between the government and industry to anticipate and remove opportunities for crime created by new technology.

ANOTHER
Cell Phones Cloning Instructions

Is there a good place out there for finding cell phone cloning instructions? So far we haven't been able to find anything that works as well as we would like, but if we can find it we'll let you know. Most of the time, people are looking for cell phone cloning instructions because they would like to either make fraudulent calls or listen in on other people's calls. We obviously can't condone using these methods for anything that isn't 100% legal.

Basic Cell Phone Cloning Instructions

What you're looking to do is basically modify two different numbers on the device. You will have to alter the ESN (electronic serial number) and the MIN (mobile identification number). Once altered, the cell network will believe that your handset is that handset. This means that in order to clone a cell phone, you will first have to find those two numbers on the cell phone you would like to clone. This can be difficult: you would have to get your hands on the phone itself. Once that happens, you will have to get an identical model and replace the EPROM with one that can be altered via software. This is different for a GSM phone, where the subscriber identity lives on the SIM card rather than in the handset's EPROM, so it is the SIM that has to be copied; with a CDMA model the instructions would include removing the EPROM, and soldering would be necessary with many models. Sorry that we don't have a more detailed lesson available. Hopefully you will be able to find some resources on the page that will take you to the right location. This is something that most people won't cover in too much depth because of liability. Let us know if you find any phone cloning instructions that are valid and will work for most cell phone models.

ANOTHER
GSM Cloning

Here is some information on our GSM cloning results, starting at a very high level and moving on eventually to detailed technical information, with data for the cryptographers and mathematicians at the end. Please feel free to contact us at gsm@isaac.cs.berkeley.edu with any questions. This is joint work with Ian Goldberg (also of the ISAAC research group) and Marc Briceno (Director of the Smartcard Developers Association).

Important note added after publication: This article was released on April 13, 1998. This is the original version of that article (with no changes made other than this note), and is provided primarily for historical reasons. Please beware that some of our understanding about some details of the attack, especially the possibility of over-the-air cloning, has changed since we wrote this note. We now feel that we understated the risk of over-the-air attacks in our initial announcement; based on new information, we have come to the conclusion that over-the-air cloning must be considered a very real threat which should not be ignored. Please see here for a more recent update.

Executive summary: We've shown how parties with physical access to a victim's GSM cellphone can "clone" the phone and fraudulently place calls billed to the victim's account. This shows that the GSM fraud-prevention framework fails to live up to expectations, and casts doubt on its foundation (as well as the design process). However, we should be clear that this is only a partial flaw, not a total failure of the authentication framework: our experiments have been limited to showing that GSM phones can be cloned if the attacker has physical access to the target phone. (In US analog cellphones, one can clone the cellphones with only some radio reception equipment, which is a much more serious flaw; as a consequence, US providers lose over $500 million yearly to fraud.)

One potential threat is that the salesman who sells you a cellphone may have made "a spare copy of the keys" for his own use; he may later make fraudulent calls billed to you. Because most providers today apparently rely purely on the authentication codes, with no fallback position if those codes are cracked, such fraud might go undetected until long after the money has been lost.
Background

The GSM fraud-prevention framework relies on special cryptographic codes to authenticate customers and bill them appropriately. A personalized smartcard (called a SIM) in the cellphone stores a secret key which is used to authenticate the customer; knowledge of the key is sufficient to make calls billed to that customer. The tamper-resistant smartcard is supposed to protect the key from disclosure (even against adversaries which may have physical access to the SIM); authentication is done with a cryptographic protocol which allows the SIM to "prove" knowledge of the key to the service provider, thus authorizing a call.

As a result of our mathematical analysis, we have discovered that the cryptographic codes used for authentication are not strong enough to resist attack. To exploit this vulnerability, an individual would interact with the SIM repeatedly; with enough queries, the attacker can use some mathematical techniques to learn the supposedly secret key. Once the key is compromised, it is possible to make fraudulent calls which will be billed to the victim.
Clarification: not a total break of the authentication framework

We wish to emphasize that we have only demonstrated how to clone a phone if given physical access to the phone (or its SIM chip). Many will probably be interested in the question of whether these attacks can be performed "over the air" (i.e. by accessing the target cellphone remotely with specialized radio equipment). While we cannot rule out the possibility that someone may learn how to perform "over the air" cloning, we have not demonstrated such an attack in our work.
What went wrong?

This vulnerability can be attributed to a serious failing of the GSM security design process: it was conducted in secrecy. Experts have learned over the years that the only way to assure security is to follow an open design process, encouraging public review to identify flaws while they can still be fixed. There's no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny; nobody is that much better than the rest of the research community. In the telecommunications security field, openness is critical to good design. Code-making is so hard to get right the first time that it is crucial to have others double-check one's ideas. Instead, the GSM design committee kept all security specifications secret, which made the information just secret enough to prevent others from identifying flaws in time to fix them, but not secret enough to protect the system against eventual scrutiny.

With 80 million GSM users, fixing flaws in such a widely-fielded system is likely to be quite costly. A new authentication algorithm would have to be selected. Then new SIMs would have to be programmed with the new algorithm and distributed to the 80 million end users. Finally, a software upgrade may be required for all authentication centers.
Technical details of the attack

We showed how to break the COMP128 authentication algorithm, an instantiation of A3/A8 widely used by providers. Our attack is a chosen-challenge attack. We form a number of specially-chosen challenges and query the SIM for each one; the SIM applies COMP128 to its secret key and our chosen challenge, returning a response to us. By analyzing the responses, we are able to determine the value of the secret key. Mounting this attack requires physical access to the target SIM, an off-the-shelf smartcard reader, and a computer to direct the operation. The attack requires one to query the smartcard about 150,000 times; our smartcard reader can issue 6.25 queries per second, so the whole attack takes 8 hours. Very little extra computation is required to analyze the responses. Though the COMP128 algorithm is supposed to be a secret, we pieced together information on its internal details from public documents, leaked information, and several SIMs we had access to. After a theoretical analysis uncovered a potential vulnerability in the algorithm, we confirmed that our reconstruction of the COMP128 algorithm was correct by comparing a software implementation to responses computed by a SIM known to implement COMP128.
Information for cryptographers

The attack exploits a lack of diffusion: there's a narrow "pipe" inside COMP128. In particular, bytes i,i+8,i+16,i+24 at the output of the second round depend only on bytes i,i+8,i+16,i+24 of the input to COMP128. (By "round", I refer to one layer of "butterflies" and S-boxes; there are a total of 5*8 rounds in COMP128.) Bytes i,i+8 of the COMP128 input are bytes i,i+8 of the key, and bytes i+16,i+24 of the COMP128 input are bytes i,i+8 of the challenge input. Now we "probe" the narrow pipe, by varying bytes i+16,i+24 of the COMP128 input (i.e. bytes i,i+8 of the challenge) and holding the rest of the COMP128 input constant. Since the rounds are non-bijective, you can hope for a collision in bytes i,i+8,i+16,i+24 of the output after two rounds. The birthday paradox guarantees that collisions will occur pretty rapidly (since the pipe is only 4 bytes wide); collisions in the narrow pipe can be recognized, since they will cause a collision in the output of COMP128 (i.e. the two authentication responses will be the same); and each collision can be used to learn the two key bytes i,i+8 with a bit of analysis of the first two rounds (i.e. perform a "2-R attack", in the terminology of differential cryptanalysis). As stated, this would require 2^{4*7/2 + 0.5} = 2^{14.5} chosen-input queries to COMP128 to learn two key bytes (since each of the four bytes of output after the second round is actually only a 7-bit value), and thus would require 8 * 2^{14.5} = 2^{17.5} queries to recover the whole 128-bit key Ki. However, we have some optimizations to get this number down a bit.

Note that there is a significant amount of literature on the design of cryptographic hash functions out of a FFT-like structure (as COMP128 is designed). For instance, Serge Vaudenay's work on a theory of black-box cryptanalysis (as well as his other work, e.g. "FFT-Hash II is not yet secure") is more than sufficient to uncover this weakness in COMP128. In other words, our attack techniques are not particularly novel.
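The narrow-pipe attack described above can be reproduced end to end on a model of the algorithm. The Python below is an added example, not the Berkeley group's code: it builds a COMP128-shaped function with the butterfly levels, pass count and bit permutation of the published reference structure but with random stand-in tables (the genuine tables are not used, so this is not COMP128 itself), gives the toy SIM a constructed key EXAMPLE_KI that the attacker never reads, and then runs the chosen-challenge attack against it: vary challenge bytes i and i+8, wait for two responses to collide, and recover key bytes i and i+8 from the collision. The "2-R" recovery step is done by exhaustive search over the 2^16 candidate key-byte pairs rather than by the paper's analysis of the first two rounds.

```python
import random

# Stand-in S-boxes with the real COMP128 shapes: table j has 2**(9-j) entries
# of (8-j)-bit values.  They are random, NOT the genuine (then secret) tables.
_rng = random.Random(0x5EED)
TABLES = [[_rng.randrange(1 << (8 - j)) for _ in range(1 << (9 - j))]
          for j in range(5)]

# Bit permutation applied between compression passes (reference-code formula).
_PERM = [((8 * j + k) * 17) % 128 for j in range(16) for k in range(8)]

# Constructed subscriber key Ki for the toy SIM; the attacker never reads it.
EXAMPLE_KI = bytes.fromhex("4b1c7e9a03d5f26817b2c4e9a05d3f71")


def compress(x):
    """Five levels of butterflies over the 32-byte state, in place.  Level 0
    pairs byte i with i+16 and level 1 pairs i with i+8, so after two levels
    bytes i, i+8, i+16, i+24 depend only on those four inputs: the pipe."""
    for j in range(5):
        table, mod = TABLES[j], 1 << (9 - j)
        for k in range(1 << j):
            for lo in range(1 << (4 - j)):
                m = lo + k * (1 << (5 - j))
                n = m + (1 << (4 - j))
                y = (x[m] + 2 * x[n]) % mod
                z = (2 * x[m] + x[n]) % mod
                x[m], x[n] = table[y], table[z]


def toy_a3a8(key, rand, passes=8):
    """The SIM oracle: 16-byte Ki and 16-byte challenge -> response.  Returns
    the 32 final 4-bit values packed into 16 bytes; real COMP128 cuts SRES
    and Kc out of those bits, which does not change the attack."""
    x = [0] * 16 + list(rand)
    for p in range(passes):
        x[:16] = key
        compress(x)
        if p < passes - 1:
            bits = [(v >> (3 - b)) & 1 for v in x for b in range(4)]
            for j in range(16):
                x[16 + j] = sum(bits[_PERM[8 * j + b]] << (7 - b) for b in range(8))
    return bytes((x[2 * i] << 4) | x[2 * i + 1] for i in range(16))


def pipe(ka, kb, ca, cb):
    """Rounds 1 and 2 restricted to the four bytes that interact: key bytes
    i, i+8 and challenge bytes i, i+8.  Output: four 7-bit values (28 bits)."""
    t0, t1 = TABLES[0], TABLES[1]
    a, c = t0[(ka + 2 * ca) % 512], t0[(2 * ka + ca) % 512]
    b, d = t0[(kb + 2 * cb) % 512], t0[(2 * kb + cb) % 512]
    return (t1[(a + 2 * b) % 256], t1[(2 * a + b) % 256],
            t1[(c + 2 * d) % 256], t1[(2 * c + d) % 256])


def recover_key_bytes(query, i, max_queries=1 << 16):
    """Chosen-challenge attack on pipe i (0..7) against the oracle query(rand).
    Challenge bytes i and i+8 are varied with everything else fixed until two
    responses collide; the collision must have happened inside the 28-bit
    pipe, so the key-byte pairs that reproduce it are searched for (the
    paper's '2-R' step, done by exhaustion over 2**16 pairs here) and the
    candidate sets of successive collisions are intersected until one pair
    is left.  Returns ((key[i], key[i+8]), queries_used)."""
    filler = [0x5A] * 16
    seen = {}
    candidates = None
    for q in range(max_queries):
        ca, cb = q & 0xFF, q >> 8
        rand = list(filler)
        rand[i], rand[i + 8] = ca, cb
        resp = query(bytes(rand))
        if resp not in seen:
            seen[resp] = (ca, cb)
            continue
        oa, ob = seen[resp]                       # response collision
        found = {(ka, kb) for ka in range(256) for kb in range(256)
                 if pipe(ka, kb, ca, cb) == pipe(ka, kb, oa, ob)}
        candidates = found if candidates is None else candidates & found
        if len(candidates) == 1:
            return next(iter(candidates)), q + 1
    raise RuntimeError("no unique key-byte pair within the query budget")


if __name__ == "__main__":
    def sim(rand):                 # all the attacker gets: challenge in, response out
        return toy_a3a8(EXAMPLE_KI, rand)

    ki, total = bytearray(16), 0
    for i in range(8):
        (ki[i], ki[i + 8]), n = recover_key_bytes(sim, i)
        total += n
    print("recovered Ki matches:", bytes(ki) == EXAMPLE_KI, "queries:", total)
```

The pipe lies entirely in the first compression pass; the later passes only carry a collision through to the response, so `toy_a3a8(..., passes=1)` exercises the attack in a few seconds while the full 16-byte recovery above, with all eight passes, takes a few minutes in CPython. The per-pipe query count usually comes out below the 2^14.5 estimate given above, because collisions that already occur in the first round (a 16-bit pipe for each half of the four bytes) are also usable.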
