
SEMINAR ON SIM CLONING IN 2005-2006

SEMINAR REPORT
ON
PRESENTED BY
YEAR 2005-2006


GUIDED BY

Mr. M. Ali.

Mr. R. D. Bhoyar.


SIM CLONING


MR. KHAN ASIF NASIM AHMED KHAN

(M.Sc. IIND. Year IIIRD SEM.)


POST GRADUATE DEPARTMENT OF COMPUTER SOFTWARE

SHRI. SHIVAJI SCIENCE COLLEGE, AMRAVATI


1. Introduction to SIM Cloning
2. What is SIM?
3. Cloning
4. SIM Attacks
5. Traditional Methods
6. Application & Advantages
7. Disadvantages
8. SW/HW used for SIM cloning
9. Steps for SIM Cloning (8-in-1)
10. What You Need
11. Configuring your card
12. Conclusion
13. Appendix


Seminar Report on SIM Cloning


Introduction of SIM Cloning

SIM cloning consists of duplicating the identification of the GSM motor (each GSM mobile phone contains a GSM motor) and then placing calls, SMS or data sessions on the account of the cloned GSM motor.
In the early 1990s, due to poor security, cloning was common practice. It has since become technically harder: physical access to the GSM motor is required, rather than simply being within radio reach. In telecoms, GSM cloning is regarded as a "dark grey" criminal activity, in contrast to "light grey" GSM gateways, which use legitimate SIM cards and merely exploit the pricing arbitrage between retail and wholesale tariffs. SIM cloning is a great concern for security and police services, because GSM LBS (location based services) tracking is frequently used and would be rendered unreliable by widespread cloning.
What is SIM? (Subscriber Identification Module)
The SIM contains various subscriber details, as well as personal data belonging to the subscriber, such as phone book entries and stored SMS messages. Subscriber information is discussed later in this paper.
To protect the SIM from misuse, a Personal Identification Number (PIN) can be used. If the wrong PIN is entered three times in a row, the card locks itself, and can only be unlocked by providing a Personal Unblocking Key (PUK). SIM fraud is actively being committed, although work is in progress to resolve this issue. One of the pieces of information stored on the SIM is the International Mobile Subscriber Identifier (IMSI). This is a unique number, completely separate from the phone number, that identifies the particular SIM on the GSM network. The IMSI is up to 15 digits long. The first 3 digits specify the Mobile Country Code (MCC), followed by a 2 digit Mobile Network Code (MNC); up to ten further digits form the Mobile Subscriber Identification Number (MSIN) that completes the IMSI.
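The subscriber identity and PIN protection described above, modelled as an added example that is not part of the report: parse_imsi splits an IMSI into its fields and SimCard implements the three-attempt PIN lock with PUK recovery. Sample values are constructed; the ten-attempt PUK limit and the three-digit MNC for North American MCCs are assumptions beyond what the report states.

```python
import hmac
import re

# Constructed model of the PIN/PUK protection described above: three wrong PINs
# lock the card and only the PUK unlocks it. The ten-attempt PUK limit is an
# assumption (GSM 11.11), not something this report states.
PIN_ATTEMPTS, PUK_ATTEMPTS = 3, 10


class SimCard:
    def __init__(self, imsi, pin, puk):
        self.imsi, self._pin, self._puk = imsi, pin, puk
        self.pin_left, self.puk_left = PIN_ATTEMPTS, PUK_ATTEMPTS

    @property
    def blocked(self):          # PIN locked: PUK required
        return self.pin_left == 0

    @property
    def dead(self):             # PUK exhausted: card permanently unusable
        return self.puk_left == 0

    def verify_pin(self, pin):
        """True on success; each wrong PIN consumes one attempt."""
        if self.blocked or self.dead:
            return False
        # compare_digest keeps the comparison time independent of the PIN
        if hmac.compare_digest(pin, self._pin):
            self.pin_left = PIN_ATTEMPTS
            return True
        self.pin_left -= 1
        return False

    def unblock(self, puk, new_pin):
        """PUK entry on a locked card: sets a new PIN and restores attempts."""
        if self.dead or not self.blocked:
            return False
        if hmac.compare_digest(puk, self._puk):
            self._pin, self.pin_left = new_pin, PIN_ATTEMPTS
            return True
        self.puk_left -= 1
        return False


def parse_imsi(imsi):
    """Split an IMSI into MCC / MNC / MSIN. The MNC is 2 digits as stated
    above; a 3-digit MNC for MCC 310-316 (North America) is an assumption."""
    if not re.fullmatch(r"[0-9]{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if 310 <= int(mcc) <= 316 else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}
```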

What is Cloning? (Programming)

Cloning refers to the making of an exact copy of an object, frequently under the paradigm of instance-based programming.
SIM Wars – Attack of the clones
In this section the security of the Subscriber Identity Module (SIM) is discussed. The SIM was originally designed to be tamperproof, copy proof and generally as difficult to break as possible. Over time a variety of issues have been discovered that have made the SIM seem somewhat less secure, although it should be noted that it is still an acceptable solution for GSM.

Traditional methods

As discussed earlier, the COMP128 algorithm is commonly used for A3/A8 and has a number of flaws. By obtaining Ki and the IMSI it is effectively possible to program another SIM card using freely available tools and 'clone' a SIM. This takes a considerable amount of time, as 150,000 COMP128 queries have to be performed. Usually, SIM cloning via this method takes between eight and fifteen hours and requires physical access to the SIM. The most popular tool to utilize this technique is Dejan Karavic's SIM Scan.

There are methods that will decrease the amount of time required to clone the SIM (such as using a higher frequency oscillator on the SIM card reader), but these methods increase the risk of failure and of damage to the original SIM. It should be noted that COMP128-2, a new version of the COMP128 algorithm, has remedied the issues present in the original, and as such requires more exotic methods of attack in order to obtain Ki.
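A clone carries the same IMSI as the original, so from the operator's side the observable symptom is one IMSI reporting from two places at once, which is also why the introduction calls LBS tracking unreliable under cloning. This added example (not part of the report) flags such an IMSI from constructed location-update records with an impossible-travel check; the sample log, the coordinates and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed location-update log: (IMSI, UTC timestamp, cell latitude, cell
# longitude). Coordinates are approximate sample values for Amravati and Mumbai.
UPDATES = [
    ("404101234567890", "2005-11-14T09:00:00", 20.93, 77.75),  # Amravati
    ("404101234567890", "2005-11-14T09:20:00", 20.94, 77.76),  # Amravati
    ("404101234567890", "2005-11-14T09:25:00", 19.07, 72.88),  # Mumbai, 5 min later
    ("404109876543210", "2005-11-14T09:00:00", 19.07, 72.88),  # Mumbai
    ("404109876543210", "2005-11-14T12:00:00", 20.93, 77.75),  # 3 h later: plausible
]

MAX_KMH = 900.0  # assumed ceiling: faster than a commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_suspect_imsis(updates, max_kmh=MAX_KMH):
    """Return {imsi: implied_speed_kmh} for IMSIs whose consecutive location
    updates imply travel faster than max_kmh, i.e. two handsets on one IMSI."""
    by_imsi = {}
    for imsi, ts, lat, lon in sorted(updates, key=lambda u: (u[0], u[1])):
        by_imsi.setdefault(imsi, []).append((datetime.fromisoformat(ts), lat, lon))
    suspects = {}
    for imsi, points in by_imsi.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(points, points[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                if dist > 1.0:  # same instant, different cells
                    suspects[imsi] = float("inf")
                continue
            speed = dist / hours
            if speed > max_kmh:
                suspects[imsi] = max(speed, suspects.get(imsi, 0.0))
    return suspects
```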

APPLICATION & Advantages

1. CLONING

a. Making one SIM serve several uses. If somebody holds a number of SIMs for different countries or different states, he has to carry many cell phones, and it is a great problem to handle several phones: which one is ringing, or which SIM holds which stored information. Cloning makes it easy to combine several SIMs into one SIM used with one cell phone. It is legal in some countries but it is illegal in our country.

2. SIM BACKUP

a. It is very good to have a backup of a SIM, because if the SIM is damaged or anything odd happens, the backup will help in future. The backup can later be used to replace the SIM.

3. MULTISIM

a. The MULTISIM card is a revolutionary new step in GSM telephony. It contains up to 10 different numbers from one or more cell communication providers. The number can be switched from one to another on line, without powering your phone off and on. It is much easier than switching SIM cards. Changing the number takes no more than 5-10 seconds.

There are some situations where the MULTISIM card is irreplaceable:
You are using two or more cell phones from different providers. This means that you have more than two phones, or more than two SIM cards that you have to install in your phone every time you want to change the number. You just copy all your numbers onto one MULTISIM card and have all your numbers within one cell phone. If you want to change the number, you just press a few buttons.
You have one phone number but more than one cell terminal to use it with. For example, your car is equipped with a stationary terminal that uses the same SIM card that you use in your cellular phone. You have to move this card every time you get in and out of the car. With the MULTISIM card you can make a copy of your original SIM card and install it in the car's stationary terminal, while the original SIM card stays in your regular cell phone.

Disadvantages

1. Illegal use of someone's SIM
2. It is a financial matter
3. It is a security matter
4. It is a serious crime

Software & Hardware used for SIM Cloning

HARDWARE

1. SIM SCANNER
2. SIM CARD READER

SOFTWARE

1. SIMEMU
2. SIMSCAN 2.0

The following are the steps for SIM Cloning (8 in one).

1. Reading of original SIM.

Download from Downloads: SimScan2.00new, IcProg1.05cXP and SimEmu6.01s for SilverCard (or SimEmu6.01 for GreenCard2). Before reading the SIM, remove the PIN code. Insert the SIM into the adapter and the adapter into the SimReaderWriter (contacts down and forward).
Plug your SimReaderWriter into the COM port and set mode Phoenix. Copy the files PAR3.BIN, PAR2.BIN and sim_scan.exe from the directory SimScan2.00new to the directory C:\sim_scan. Run sim_scan.exe, select your COM port and your COM port speed, then press Find Ki. About 20 min to 2 hours later you will see the Ki and IMSI in the directory C:\sim_scan. Remove the SIM from the SimReaderWriter and adapter.
2. Preparation.
Run icprog.exe, select your COM port, I/O Delay and Interface: Ok -> Settings -> Options -> Smartcard, select your COM port and your Frequency: -> Programming, select Verify during programming: Ok -> Settings -> SmartCard (Phoenix): Select in icprog the device PIC 16F877 and open the file SIM_EMU_FL_6.01_ENG.hex from directory
In the data area, copy the found Ki value (if more than one was found, copy them in sequence, maximum 8):

If necessary, the PIN and PUK codes can be changed for each number; by default they are set as follows: for the first number PIN=1111 and PUK=11111111, for the second PIN=2222 and PUK=22222222, etc.:
Save the file as pic16f877_my.hex. Select in icprog the device 24C64 and open the file SIM_EMU_EP_6.01.hex from the directory SimEmu6.01:
In the data area, copy the found IMSI value (if more than one was found, copy them in sequence, maximum 8):
3. Programming 8in1 SIM-card.
Insert the 8in1 SIM card into the adapter and the adapter into the SimReaderWriter (contacts down and forward). Set mode JDM. Select in icprog the device PIC 16F877 and open the file pic16f877_my.hex. Press Enter. Set mode Phoenix. Select in icprog the device 24C64 and open the file ee24c64_my.hex. Press Enter. Remove the 8in1 SIM card from the SimReaderWriter and adapter.

4. How does it work.
Insert the 8in1 SIM card into the telephone. If you want to change the active number, just switch off the phone and switch it on again with the PIN of the phone number you want to make active.

Conclusions

SIM Cloning is a real threat to both the user and the telecommunication operator, and should be regarded as such. The recent developments in partitioning attacks raise the impact of SIM Cloning, although the high financial outlay and complexity of the attack will hopefully put criminals off utilizing such methods.
I have only given this knowledge to explain what SIM Cloning is; I personally removed some of the diagrams from this seminar so that no one can use this seminar for cloning a SIM. If someone takes any help from this seminar and does some illegal activities, he/she is responsible for that. It is only knowledge, not for SIM Cloning.


Comments

1. I removed practical hands-on SIM cloning from this report