mobile phone cloning


Upload: sana-sarwath

Post on 03-Dec-2014


Page 1: Mobile Phone Cloning

Research Topic Mobile Phone Cloning

ABSTRACT

Mobile phone cloning is copying the identity of one cellphone to another cellphone. The cell phones can be re-configured so that the calls are billed to other persons. The identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone. Each cellular phone has a unique pair of identification numbers: the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be cloned without the knowledge of the subscriber or the carrier through the use of electronic scanning devices.

Cellular thieves can capture the ESN & MIN pair using devices such as a cellphone ESN reader or DDI (Digital Data Interpreter) by monitoring the radio wave transmissions from the cell phones of legitimate subscribers. The ESN & MIN are then transferred into another cell phone using a computer loaded with specialized software, or a 'copycat' box, a device specially made to clone phones. There are also other devices, such as Plugs and ES-Pros, which are as small as a calculator and do not require computers or copycat boxes for cloning. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies.

Any call made with a cloned phone is billed and traced to a legitimate cellphone account. Innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the billing details, where you may find numbers you never called. If so, it is possible that your cellphone has been cloned and someone else is making calls using your identity.

Many criminals use cloned cell phones for illegal activities, because their calls are not billed to them and are therefore much more difficult to trace. Cloned phones are often used to make long distance calls, even to foreign countries. Pre-paid users are at lesser risk, not because their cell phones can't be cloned technically but because the misuse would be quickly detected and would be limited. Cellphone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai.


1. INTRODUCTION

Today every one of us is familiar with cell phones. At present approximately every fifth person in the world is using a cell phone. It is a great technological revolution and is growing day by day. Slowly but surely, technology is showing its ugly face too. Mobile services have been and will be subject to fraud. Mobile communication has been readily available for several years and is a major business today. It provides a valuable service to those who are willing to pay a considerable premium over a fixed line phone to be able to walk and talk freely. Because of its usefulness and the money involved in the business, it is subject to fraud and criminal interest. Today it is increasingly being used by new-age criminals in a variety of ways; the latest is "MOBILE-PHONE CLONING".

Millions of mobile phone users, whether on GSM or CDMA, run the risk of having their phones cloned. And the worst part is that there isn't much we can do to prevent this. A resident of Moradabad was arrested in South Delhi some time back for cloning mobile phones and providing ISD facility using those cloned phones.

Some features of mobile communication make it an alluring target for criminals. It is a relatively new invention, so not all people are familiar with its possibilities, for good or for bad. Its newness also means intense competition among mobile phone operators as they try to attract customers. Both of these provide the opportunity for the criminally inclined to try to profit from the situation.

According to media reports, the Delhi (India) police recently arrested a person with 20 cell phones, a laptop, a SIM scanner, and a writer. The accused was running an illegal exchange in which he cloned CDMA based cell phones. He used software named Patagonia for the cloning and provided cheap international calls to Indian immigrants in West Asia.


2. HISTORY

The early 1990s were boom times for eavesdroppers. Any curious teenager with a £100 Tandy Scanner could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids.

Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid 90's with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic, and the Model 8000.

In Korea, where the wireless penetration rate reaches 75 percent, mobile fraud is increasingly becoming a challenge for law enforcement, reports The Korea Herald:

"The government will mandate that mobile-phone operators allocate unique identification codes to the handsets of their new subscribers starting next month, to counter against mobile-phone fraud stemming from stolen and cloned phones.

"The electronic serial numbers on mobile phones have become vulnerable targets for theft, with "phone-cloners" replicating the code on a copied telephone and enabling the users to make telephone calls which are then billed to the original subscriber.

"More than 2,000 phone-cloning cases were reported to authorities during the Jan.-July period last year, according to the Communication Ministry. Under Korea's telecommunication law, those who produced cloned phones face a maximum of three years in prison or a 20 million won fine."

"The MIC has detected a total of 1,940 cloned phones from last November to June this year and the monthly figure is on the rise."

Interestingly, an article on CNN dated December 1996 on cell phone cloning reported that thieves are charging calls to the accounts of unknowing cell phone customers. The scam is known as cloning. Thieves capture the signal of a legitimate call, and then electronically duplicate the cell phone number.


Hardly a single day passes without cloning making headlines here in Korea. This time, it is about cell phones, not the stem cells involving the troubled scientist Hwang Woo-suk, the Korea Times reports:

"The Central Radio Management Office (CRMO) Monday said it had seized 6,574 illegally-cloned handsets last year, roughly eight times more than the 858 in 2004.

... Experts point out the cloned phones are problematic when they are in the hands of criminals who might use them to conceal their identity while committing crimes through the handheld gadgets.

The cloned phones also raise the concern that they might be used to overhear conversations of legitimate phone owners."

Figure 1. Cloned cell phones graph

The Rise and Fall of the Cloned Phone

When cell phones became popular, criminals found ways to clone them so that they could use them without paying any bills. They used scanners near airports and hotels to capture the numbers that each phone transmits in order to send and receive calls. They then created "clones" of the original phones by re-programming the numbers into phones they had stolen. The original phone would then be charged for calls made by the clone. This rapidly became big business. The top line in the graph shows that the cloning losses for all cell phone companies increased quite rapidly from June 1992 to June 1996, when they totaled nearly $450 million for the previous 6 months. (The losses were the charges that the phone companies wiped off the bills of legitimate subscribers whose phones were cloned.) At this point, the phone companies began to introduce a variety of technologies that made it much more difficult to steal phone numbers and to use a clone. There was a rapid reduction in cloning so that, by December 1999, it was all but eliminated. Incidentally, the second most common form of cell phone fraud, "subscription fraud" (opening an account with a false name and address), did not skyrocket when cloning was closed down, as displacement doomsters would predict. This could be because cloning was easy to "mass-produce" by organized criminals, whereas subscription fraud is not.

Figure 2. Semi-Annual Fraud Dollar Losses


3. GSM AND CDMA MOBILE PHONE SETS

CDMA is one of the newer digital technologies used in Canada, the US, Australia, and some South-eastern Asian countries (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) by its use of spread spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio frequency spectrum into separate user channels by frequency slices or time slots, spread spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals.

GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies. GSM digitizes and compresses data, then sends it down a channel with two other streams of user data, each in its own time slot. It operates at either the 900 MHz or 1,800 MHz frequency band.

Some other important terms whose knowledge is necessary are:

- IMEI
- SIM
- ESN
- MIN

So, first things first, IMEI is an abbreviation for International Mobile Equipment Identifier; this is a 10 digit universally unique number of our GSM handset. I use the term "universally unique" because there cannot be 2 mobile phones having the same IMEI number. This is a very valuable number and is used in tracking mobile phones.

Second comes the SIM, which stands for Subscriber Identification Module. The SIM has survived and evolved. Earlier mobiles had the entire SIM card inserted in them; such SIMs are called IDG-1 SIMs. The other kind, in which only the small part of the card carrying the chip is inserted in the mobile, is known as the PLUG-IN SIM.

Basically the SIM provides storage of subscriber related information of three types:

- Fixed data stored before the subscription is sold
- Temporary network data
- Service related data

ESN means Electronic Serial Number. This number is loaded when the phone is manufactured. This number cannot be tampered with or changed by the user or subscriber. If this number is known, a mobile can be cloned easily.

Personal Identification Number (PIN). Every subscriber provides a Personal Identification Number (PIN) to its user. This is a unique number. If the PIN and ESN are known, a mobile phone can be cloned in seconds using software such as Patagonia, which is used to clone CDMA phones. The ESN is the same as the IMEI but is used in CDMA handsets.

MIN stands for Mobile Identification Number, which is the same as the SIM of GSM.

The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no SIM, i.e. the CDMA handset uses the MIN as its SIM, which cannot be replaced as in GSM. The MIN chip is embedded in the CDMA handset.


4. WORKING OF CELL PHONE

Cell phones send radio frequency transmissions through the air on two distinct channels, one for voice communications and the other for control signals. When a cellular phone makes a call, it normally transmits its Electronic Serial Number (ESN), Mobile Identification Number (MIN), its Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press the SEND button and before the tower catches the data. These four things are the components the cellular provider uses to ensure that the phone is programmed to be billed and that it also has the identity of both the customer and the phone. The MIN and ESN are collectively known as the 'Pair', which is used for cell phone identification.

When the cell site receives the pair signal, it determines if the requester is a legitimate registered user by comparing the requester's pair to a cellular subscriber list. Once the cellular telephone's pair has been recognized, the cell site emits a control signal to permit the subscriber to place calls at will. This process, known as Anonymous Registration, is carried out each time the telephone is turned on or picked up by a new cell site.


Figure 3. Cell Phone Working Procedure

4.1. SECURITY VULNERABILITIES IN CELL PHONES

Your cellular telephone has three major security vulnerabilities:

- Monitoring of your conversations while using the phone.
- Your phone being turned into a microphone to monitor conversations in the vicinity of your phone while the phone is inactive.
- Cloning, or the use of your phone number by others to make calls that are charged to your account.

The best defense against these three major vulnerabilities of cell phones is very simple: do not use the cell phone. If you must use a cell phone, you can reduce the risk by following these guidelines:

- Because a cellular phone can be turned into a microphone without your knowledge, do not carry a cellular phone into any classified area or other area where sensitive discussions are held. (This is prohibited in many offices that handle classified or sensitive information.)
- Turn your cellular telephone on only when you need to place a call. Turn it off after placing the call. Do not give your cellular phone number to anyone and don't use your cell phone for receiving calls, as that requires leaving it on all the time. Ask your friends and associates to page you if they need to talk with you. You can then return the page by using your cellular telephone.
- Do not discuss sensitive information on a cellular phone. When you call someone from your cell phone, consider advising them you are calling from a cell phone that is vulnerable to monitoring, and that you will be speaking generally and not get into sensitive matters.
- Do not leave your cellular telephone unattended. If your cell phone is vehicle-mounted, turn it off before permitting valet parking attendants to park the car, even if the telephone automatically locks when the car's ignition is turned off.
- Avoid using your cellular telephone within several miles of the airport, stadium, mall, or other heavy traffic locations. These are areas where radio hobbyists use scanners for random monitoring. If they come across an interesting conversation, your number may be marked for regular selective monitoring.
- If your cellular service company offers personal identification numbers (PIN), consider using one. Although cellular PIN services are cumbersome and require that you input your PIN for every call, they are an effective means of thwarting cloning.


4.2. LOOP HOLES IN CELL PHONE NETWORKS

ESN/MIN data is NOT encrypted on the way to the MSC (Mobile Switching Centre) for further authentication. Thus, this data can be captured simply by scanning the airwaves. By changing the ESN and MIN, the cellular carrier will accept the call and bill it to either a wrong account or provide service based on the fact that it is NOT a disconnected receiver. It will also look at the other two components, in order to ensure that it is actually a cellular phone and to forward billing information to that carrier.

The Station Class Mark can also be changed to prevent the cellular carrier from determining the type of phone that is placing the call. By providing the cellular tower with a false SCM, the cellular carrier, the FCC, or whoever happens to chase down cellular fraud is often looking for a particular phone which in reality is not the phone they are looking for.

The Number Assignment Module (NAM) also has the SIDH (System Identification for Home System) number programmed into it. The transmittal of the SIDH number tells the carrier where to forward the billing information in case the user is "roaming". The SIDH table lists the major cities and their identifying numbers. Changing an SIDH is a programming job that takes only minutes, but the ESN is still sent to the cellular phone company. After they realize that the ESN is connected to either a fake number or a phone that is not in the network, they will block service. The only way around this is to reprogram the ESN.


5. MOBILE PHONE CLONING

Mobile phone cloning is copying the identity of one cellphone to another cellphone. The cellphones can be re-configured so that the calls are billed to other persons. The identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone.

Each cellular phone has a unique pair of identification numbers: the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be cloned without the knowledge of the subscriber or the carrier through the use of electronic scanning devices.

Cellular thieves can capture the ESN & MIN pair using devices such as a cellphone ESN reader or DDI (Digital Data Interpreter) by monitoring the radio wave transmissions from the cell phones of legitimate subscribers. The ESN & MIN are then transferred into another cellphone using a computer loaded with specialised software, or a 'copycat' box, a device specially made to clone phones. There are also other devices, such as Plugs and ES-Pros, which are as small as a calculator and do not require computers or copycat boxes for cloning. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies.

Figure 4. Cloning a Cell Phone


Any call made with a cloned phone is billed and traced to a legitimate cellphone account. Innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the billing details, where you may find numbers you never called. If so, it is possible that your cellphone has been cloned and someone else is making calls using your identity.

Many criminals use cloned cellphones for illegal activities, because their calls are not billed to them and are therefore much more difficult to trace. Cloned phones are often used to make long distance calls, even to foreign countries.

Figure 5. Mobile Cloning (Nokia 1100)

Pre-paid users are at lesser risk, not because their cell phones can't be cloned technically but because the misuse would be quickly detected and would be limited.

Cell phone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai.

Cloning occurs most frequently in areas of high cell phone usage: valet parking lots, airports, shopping malls, concert halls, sports stadiums, and high-congestion traffic areas in metropolitan cities.


Figure 6. Cellular phone cloning


5.1. HOW DO I KNOW THAT MY PHONE IS GETTING CLONED?

Cellular fraud became a serious problem which occurred at a rather high rate. Although today's modern digital networks and cell handset manufacturers have taken extraordinary steps toward making cell phone fraud more difficult, there are some ill-intentioned individuals who continue to find ways to circumvent even the highest state of modern technology.

Cell phone cloning is one of the most notorious methods of cell phone fraud, and the customer must monitor cellular usage on a regular basis. Thankfully, cellular providers keep excellent records of all numbers called from your handset on a monthly basis.

- Use a computer connected to the Internet and visit your cellular provider's website. Sign up for your provider's online account management system so you can have immediate access to your billing and usage information, even before your paper bill arrives by mail.
- Take special note of any times where you may be unable to use your phone. Since a cloned cell phone appears identical to yours, you may discover that you are given messages stating that the mobile number is already in use, or you may find that you are unable to initiate or receive calls while the clone is being used by the perpetrator.

Figure 7. Clone Identification


- Record the times, dates and frequency of these "cell usage blackouts" you may be experiencing and, if they are occurring for long durations and repeatedly throughout each day, contact your cellular provider with your concerns that you feel your phone may have been cloned.
- Cooperate with your cellular provider if asked for your permission for the company to initiate a detailed audit of your cell usage. The company will send you a highly detailed list of phone calls sent or received on your account over the month, and your provider will most likely ask that you highlight all numbers, dates and times which you are unfamiliar with.


6. CLONING FRAUD

The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses due to cloning fraud are between $600 million and $900 million in the United States. Some subscribers of Reliance had to suffer because their phone was cloned. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network provider and the Government.

6.1. COSTS OF FRAUD

Publicly available figures for the costs of fraud have many uses, so the reader should know a few things before believing them to be correct. Cost figures are published by the operators themselves, by various organizations such as the Cellular Telecommunications Industry Association, and by governmental institutions.

Hard and soft currency

Costs of mobile phone fraud can be divided into two classes, soft currency and hard currency.

Soft currency is a theoretical figure. It is derived from the lost revenue due to illegal use of the services. It is based on the assumption that the illegal user would have paid for the services he used without permission. This assumption does not always hold. The same assumption is usually made with the figures for music, computer software and movie piracy.

Hard currency is real money. It is money that the operator has to pay someone else. For example, when a mobile phone user of operator A roams in operator B's network, operator A pays operator B for the use of its network. Hard currency can also be lost on premium services, that is, services with higher than regular tariffs.

Uses of cost estimates

Cost estimates of fraud have several uses. On one hand, the operators can use high fraud figures to gain more favorable legislation from the government on the basis that the current situation is so detrimental to their business, hoping that stricter legislation will act as a deterrent to criminals. In the USA, a strict new law was passed, making it illegal to own a scanner or a cell phone programmer with the intent to defraud, or to use, own, or traffic counterfeit phones, with maximum sentences of 10 to 15 years in prison.

On the other hand, low fraud figures are good publicity for the operator. They give an impression of a secure network, so customers are not afraid to use their phones. Also, low fraud means less hassle for the customers who, in the end, pay for fraud through the service fees.

6.2. FRAUD EXAMPLES

Example: Roaming fraud

In this type of fraud, stolen and cloned mobile phones are used to make international calls and in roaming, possibly abroad. Once a suitable subscription has been acquired, it can be used for call selling locally or it can be used to place calls in a roaming network.

In roaming, a subscriber to operator A can use operator B's network and services, provided that the operators have made a roaming agreement. Roaming, especially international roaming, and international calls in general, are usually expensive, and therefore subject to criminal interest and fraud. Roaming fraud is a hard currency problem because the roaming user's operator has to pay the operator of the roaming network for the roaming user's use, whether or not the user pays his bills. Therefore, operators have taken measures to limit the costs of roaming fraud.

The main problem behind roaming fraud is the delay in the communication of billing information between the operators. The delay has been shortened from 72 to 24 hours. The information is transferred with EDI (Electronic Data Interchange) or by tape. An example of roaming fraud: SIM cards were taken out of phones acquired with false identities and mailed abroad, where they were used in call selling operations, with call lengths averaging 10-12 hours. According to the guidelines of the GSM Memorandum of Understanding, a call report of a user exceeding 100 SDR units a day must be delivered to the home network within 24 hours.


Should GSM cloning become a major problem, the importance of timely communication between the roaming operators will become critical in avoiding fraud losses. Already, clearing houses have been set up to offer billing and billing information services to roaming operators.
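The high-usage rule above (100 SDR a day, reported to the home network within 24 hours) and the 10-12 hour call-selling pattern, as an added example that is not code from the original report or from any operator's system. The roaming records are constructed and assumed to be already rated in SDR; the 8-hour call-selling cutoff is an assumption.

```python
"""High-usage roaming report modelled on the GSM MoU guideline quoted above.

Added example, not from the original report. Records are constructed and
already rated in SDR; threshold and delivery window follow the text.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

HIGH_USAGE_SDR = 100.0               # daily threshold from the guideline
REPORT_WINDOW = timedelta(hours=24)  # report must reach the home network within this
CALL_SELLING_HOURS = 8.0             # assumption: calls this long match call selling

# Constructed records: (IMSI, call start, duration in hours, charge in SDR).
RoamingCall = Tuple[str, datetime, float, float]
SAMPLE_ROAMING_CALLS: List[RoamingCall] = [
    ("IMSI-HOME-0001", datetime(2014, 11, 3, 8, 0), 0.5, 12.0),    # ordinary roamer
    ("IMSI-HOME-0001", datetime(2014, 11, 3, 10, 0), 0.25, 6.0),
    ("IMSI-HOME-0002", datetime(2014, 11, 3, 9, 30), 11.0, 90.0),  # call-selling length
    ("IMSI-HOME-0002", datetime(2014, 11, 3, 21, 0), 2.0, 25.0),   # pushes the day over 100 SDR
    ("IMSI-HOME-0002", datetime(2014, 11, 4, 1, 0), 10.5, 85.0),   # next day, under threshold
]


def daily_totals(calls: List[RoamingCall]) -> Dict[Tuple[str, date], float]:
    """Sum roaming charges per subscriber per calendar day (keyed by call start)."""
    totals: Dict[Tuple[str, date], float] = defaultdict(float)
    for imsi, start, _hours, sdr in calls:
        totals[(imsi, start.date())] += sdr
    return dict(totals)


def high_usage_reports(calls: List[RoamingCall],
                       threshold: float = HIGH_USAGE_SDR) -> List[Dict[str, object]]:
    """One report per (IMSI, day) whose charges exceed the threshold, giving the
    moment the threshold was crossed and the latest acceptable delivery time.
    The running total is evaluated at call end, when the charge is known."""
    running: Dict[Tuple[str, date], float] = defaultdict(float)
    reports: Dict[Tuple[str, date], Dict[str, object]] = {}
    for imsi, start, hours, sdr in sorted(calls, key=lambda c: c[1]):
        key = (imsi, start.date())
        running[key] += sdr
        if running[key] > threshold and key not in reports:
            crossed_at = start + timedelta(hours=hours)
            reports[key] = {"imsi": imsi, "day": key[1].isoformat(),
                            "crossed_at": crossed_at,
                            "deliver_by": crossed_at + REPORT_WINDOW}
    # Fill in the final day total so the report reflects everything rated that day.
    finals = daily_totals(calls)
    for key, report in reports.items():
        report["total_sdr"] = finals[key]
    return list(reports.values())


def call_selling_suspects(calls: List[RoamingCall],
                          min_hours: float = CALL_SELLING_HOURS) -> List[Tuple[str, datetime, float]]:
    """Calls long enough to match the 10-12 hour call-selling pattern in the text."""
    return [(imsi, start, hours) for imsi, start, hours, _ in calls if hours >= min_hours]
```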

Example: Criminal users

Mobile communication provided by a mobile phone is a valuable tool for criminals, just as it is for ordinary people. Criminals, however, have more reason to worry about the operator knowing their location than regular users.

Mobile operators can find out the location of a mobile phone, with varying accuracy. In areas where base station density is high, for example in cities, the accuracy can be a few hundred meters, whereas in rural regions the accuracy is a few kilometers. In GSM systems, the phone has a unique identifier (IMEI, International Mobile Equipment Identity) as well as a SIM containing the subscriber information (IMSI, International Mobile Subscriber Identity).

Depending on the legislation of each country, law enforcement can get this information from the operator, possibly in real time. Therefore, it makes sense for a criminal to use one or more stolen or cloned phones to gain anonymity and make tracking harder. By constantly using one and the same phone and SIM card, it is easy to track the criminal's movement. Using some tools (e.g. Wintesla), it is possible to change the IMEI of one's phone. This will make the network think that the same SIM is used in different phones when, in reality, it is the same phone. A Radio Frequency Fingerprinting system can, however, identify the phone as being the same one. Therefore, criminals use subscriptions that cannot be connected to them (i.e. cloned or stolen subscriptions, or a subscription for a fake identity) and several different phones.

This type of fraud can be prevented by offering a suitable service, such as prepaid subscriptions. In prepaid subscriptions, the customer pays up front a certain sum, for instance Rs. 350, and uses the subscription as long as there are credits left, after which he can buy more credits or take another prepaid subscription.


Example of a technical method: Cloning

Cloning of analog mobile phones was a major problem until operators and equipment manufacturers took measures to make it more difficult. Analog mobile phone systems include AMPS (Advanced Mobile Phone System), used mainly in the USA; TACS, a version of AMPS used for instance in the UK; and NMT, used in Scandinavia. These systems had similar issues, so only one of them is presented.

AMPS, the analog mobile phone system used in the USA, was in the beginning very vulnerable to cloning. Each phone has an Electronic Serial Number (ESN), identifying the phone, as well as a Mobile Identification Number (MIN), which includes the telephone number of the phone. As the acronyms indicate, these are used to identify the subscriber.

Figure 8. Cellular counterfeiting

When placing a call, the phone transmits both the ESN and the MIN to the network. These were, however, sent in the clear, so anyone with a suitable scanner could receive them. The eavesdropped codes would then be programmed into another phone, effectively cloning the original subscription. Any calls made on this cloned phone would be charged to the original customer.

Because of the relative ease of cloning these analog mobile phones, cloning became a major problem. One example of the detailed instructions available on the Internet is a document in which the writer describes how to modify a specific model of scanner to receive the cellular frequencies; the necessary software and instructions for cloning the subscriptions are also provided.


7. HOW IS CELL CLONING DONE?

Cloning involved modifying or replacing the EPROM in the phone with a new chip, which would allow one to configure an ESN (Electronic Serial Number) via software. The MIN (Mobile Identification Number) would also have to be changed. After successfully changing the ESN/MIN pair, the phone would become an effective clone of the other phone.

Cloning required access to ESN and MIN pairs. ESN/MIN pairs were discovered in several ways:

- Sniffing the cellular network
- Trashing cellular companies or cellular resellers
- Hacking cellular companies or cellular resellers

Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older phones that can be cloned are more difficult to find and newer phones have not been successfully reverse engineered.

Cloning has been successfully demonstrated under GSM, but the process is not easy and currently remains in the realm of serious hobbyists and researchers. Furthermore, cloning as a means of escaping the law is difficult because of the additional feature of a radio fingerprint that is present in every mobile phone's transmission signal. This fingerprint remains the same even if the ESN or MIN are changed. Mobile phone companies can use the mismatch between the fingerprint and the ESN and MIN to identify fraud cases.

7.1. CLONING CDMA CELL PHONES

Cellular telephone thieves monitor the radio frequency spectrum and steal the cell phone's ESN/MIN pair as it is being anonymously registered with a cell site. The technology uses spread-spectrum techniques to share bands among multiple conversations. Subscriber information is also encrypted and transmitted digitally. CDMA handsets are particularly vulnerable to cloning, according to experts. First generation mobile cellular networks allowed fraudsters to pull subscription data (such as ESN and MIN) from the analog air interface and use this data to clone phones. A device called a DDI, Digital Data Interface (which comes in various formats, from the more expensive stand-alone box to a device which interfaces with an 800 MHz capable scanner and a PC), can be used to collect pairs simply by making the device mobile, sitting in a busy traffic area (freeway overpass) and collecting all the data needed. The stolen ESN and MIN were then fed into a new CDMA handset, whose existing program was erased with the help of downloaded software. The buyer then programs them into new phones, which will have the same number as that of the original subscriber.

PATAGONIA

Patagonia is software available in the market which is used to clone CDMA phones. Using this software a cloner can take over control of a CDMA phone, i.e. clone the phone. There is other software available in the market to clone GSM phones, and it is easily obtained. A SIM can be cloned again and again, and the clones can be used at different places. Messages and calls sent by cloned phones can be tracked. However, if the accused also manages to clone the IMEI number of the handset, for which software is available, there is no way he can be traced.

CDMA WORKSHOP

CDMA Workshop is a professional, universal, all-in-one service software, developed to work with any CDMA 450/800/1900/EVDO (1xEVDO) phones, smart phones, fixed terminals and data cards/modems based on any Qualcomm chipset. It is the necessary tool for easy and fast programming or re-programming of CDMA phones to any network, making clones, unlocking, reading and changing ESN and MEID, security codes such as user lock, SPC, MSL, FSC, OTKSL, Minlock, etc., authentication security codes such as A-key, SSD_A, SSD_B, and many other things. CDMA Workshop combines all major functions and operations which are necessary for full-functional work with CDMA phones and it is a «must have» software for every serious technician, cellular/repair shop and dealer.

Supported Windows: Win 95/98/ME, NT, 2000, XP, 2003, Vista, Windows 7 (x32 and x64). Supported Interfaces: COM (serial), USB, USB-to-COM converters, any kind of Unibox.

Figure 9. CDMA Workshop

7.2. CLONING GSM PHONES

GSM handsets, on the contrary, are safer, according to experts. Every GSM phone has a 15-digit electronic serial number (referred to as the IMEI). It is not a particularly secret bit of information and you don't need to take any care to keep it private. The important information is the IMSI, which is stored on the removable SIM card that carries all your subscriber information, roaming database and so on. GSM employs a fairly sophisticated asymmetric-key cryptosystem for over-the-air transmission of subscriber information. Cloning a SIM using information captured over the air is therefore difficult, though not impossible. As long as you don't lose your SIM card, you're safe with GSM. GSM carriers use the COMP128 authentication algorithm for the SIM, authentication center and network, which makes GSM a far more secure technology.

GSM networks, which are considered to be impregnable, can also be hacked. The process is simple: a SIM card is inserted into a reader. After connecting it to the computer using data cables, the card details are transferred to the PC. Then, using freely available encryption software on the Net, the card details can be encrypted onto a blank smart card. The result: a cloned cell phone is ready for misuse.

Figure 10. SIM-CLONE

8. IDENTIFYING THE ESN IN YOUR CELLULAR PHONE

Depending on what model phone you have, the ESN will be located on a PROM. The PROM is programmed at the factory, and usually installed with the security fuse blown to prevent tampering. The code on the PROM might possibly be obtained by unsoldering it from the cellular phone, putting it in a PROM reader, and then obtaining a memory map of the chip.

The PROM is going to have from sixteen to twenty-eight leads coming from it. It is a bipolar PROM. The majority of phones will accept the National Semiconductor 32x8 PROM, which will hold the ESN and cannot be reprogrammed. If the ESN of the phone is known, it is possible to trace the memory map by installing the PROM into a reader and obtaining the fuse map from the PROM by triggering the "READ MASTER" switch of the PROM programmer. In addition, most PROM programming systems include verify and compare switches to allow you to compare the programming of one PROM with another.

As said earlier, the ESN chip is uniformly black with sixteen to twenty-eight leads emanating from its rectangular or square-shaped body. If it is the dual-in-line package chip (usually found in transportable and installed phones), it is rectangular. If it is the plastic leaded chip carrier (PLCC), it will be square and have a much smaller appearance. Functionally, they are the same chip, but the PLCC is used with hand-held cellular phones because of the need for reduced-size circuitry.

8.1. ESN REPLACEMENT

o De-solder the ESN chip.
o Solder in a zero insertion force (ZIF) replacement socket, so that the replacement chip can be changed easily.
o After the ZIF socket has been successfully soldered in, reinsert the ESN and attempt to make a phone call (be sure the NAM is programmed correctly). If it doesn't work, check the leads on the ZIF to ensure that you have soldered them correctly.
o After that, insert your ESN into your PROM reader and make sure it provides some sort of reading. You should use the search mode to look for the manufacturer's serial number to identify the address on the PROM where to reprogram the ESN.

8.2. EQUIPMENT REQUIRED FOR CLONING

o IBM-PC/XT/AT computer or clone (you supply)
o EPROM programmer and suitable adapter (if required) to read/write the chips you are using (you supply)
o Editing software to modify and save file changes (typically supplied with the EPROM burner). Supplied by the EPROM burner manufacturer, plus we supply extra software for editing (binary and hex file editors).
o Instructions for reprogramming each phone (from CELLULAR PROGRAMMERS BIBLE)
o Programming cables for each particular cellular phone, such as Motorola Flip, etc. Printed instructions for making programming cables are included in Cellular Hackers Bible Volume 2.
o Cellular Hackers Bible Volume 6, $35.00.

8.3. PROCEDURE FOR CLONING DIFFERENT PHONES:

o Read and make a file of the master phone's PROM or EEPROM using the burner
o Read and make a file of the clone phone's PROM or EEPROM using the burner
o Print both files for hardcopy
o Locate the information to be swapped in both files, i.e., ESN, MIN, SIDH, etc.
o Swap the data (above) from the master into the clone file, using the printed hardcopies as reference
o Compute the checksum on the completed clone file (use the software supplied with the EPROM burner)
o Insert the checksum into the clone file at the proper location
o Burn a new PROM or EEPROM with the modified clone file
o Install the new chip into the clone phone and reassemble
o Turn on power. The clone phone will now power up.
o Reprogram the clone using the reprogramming instructions from CELLULAR PROGRAMMERS BIBLE. You can typically change all information from the handset except the ESN.
o The phone is now a "CLONE" of the master.

8.4. CLONING PROCEDURE FOR IDENTICAL PHONES:

o Copy the EPROM, EEPROM or PROM holding the ESN information
o Make a duplicate copy of this chip
o Insert the duplicate into the second phone
o Reprogram as necessary (usually not required)

If the phones are EE3 models (Moto), the ESN can only be removed or reprogrammed with the use of a "Copycat" device. These devices are no longer advertised for sale in this country, as the law has forced sellers of such devices to remove them from the marketplace.

8.5. HOW TO PREVENT CELL CLONING?

The Mobile Identification Number (MIN) uniquely identifies a mobile unit within a wireless carrier's network. The MIN often can be dialed from other wireless or wire-line networks. The number differs from the electronic serial number (ESN), which is the unit number assigned by the phone manufacturer. MINs and ESNs can be checked electronically to help prevent fraud.

o Mobiles should never be trusted for communicating or storing confidential information.
o Always set a PIN that is required before the phone can be used.
o Check that all mobile devices are covered by a corporate security policy.
o Ensure one person is responsible for keeping tabs on who has what equipment and that they update the central register.

How do service providers handle reports of cloned phones?

Legitimate subscribers who have their phones cloned will receive bills with charges for calls they didn't make. Sometimes these charges amount to several thousands of dollars in addition to the legitimate charges.

Typically, the service provider will assume the cost of these additional fraudulent calls. However, to keep the cloned phone from continuing to receive service, the service provider will terminate the legitimate phone subscription. The subscriber is then required to activate a new subscription with a different phone number, requiring reprogramming of the phone, along with the additional headaches that go along with phone number changes.

8.5.1. WHAT EXACTLY IS AUTHENTICATION?

Authentication is a mathematical process by which identical calculations are performed in both the network and the mobile phone. These calculations use secret information (known as a "key") preprogrammed into both the mobile phone and the network before service is activated. Cloners typically have no access to this secret information (i.e., the key), and therefore cannot obtain the same results from the calculations.

A legitimate mobile phone will produce the same calculated result as the network. The mobile phone's result is sent to the network and compared with the network's result. If they match, the phone is not a "clone."

8.5.2. ARE THESE METHODS EFFECTIVE?

Yes, for the most part. However, Authentication is the most robust and reliable method for preventing cloning fraud, and it is the only industry "standard" method for eliminating cloning. The fact that it is standardized means that all mobile telecommunications networks using IS-41 can support Authentication. There is no need to add proprietary equipment, software, or communications protocols to the networks to prevent cloning fraud.
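
The challenge-response exchange described in 8.5.1, and the A-key check described in section 10, as an added example that is not part of this report: the Authentication Center and the handset both derive a response from the shared secret key and a fresh random challenge, while a clone that captured only the ESN/MIN over the air cannot, and a captured response does not work against the next challenge. The identities and key value are constructed, and HMAC-SHA256 is a stand-in for the real A-key computation, which the report does not specify.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample identities; not real subscriber data.
ESN = "A1B2C3D4"                 # Electronic Serial Number (assumed hex format)
MIN = "2145551234"               # Mobile Identification Number
A_KEY = "31415926535897932384"   # 20-digit secret A-key, constructed value


def auth_response(a_key: str, esn: str, min_: str, rand: bytes) -> str:
    """The calculation performed identically in the handset and in the network.

    HMAC-SHA256 over (ESN, MIN, challenge) keyed with the A-key is a stand-in
    for the real algorithm; the property that matters is that the response
    cannot be produced without the key.
    """
    msg = f"{esn}|{min_}|{rand.hex()}".encode()
    return hmac.new(a_key.encode(), msg, hashlib.sha256).hexdigest()[:8]


class AuthenticationCenter:
    """Network side: holds the A-key per ESN/MIN pair and verifies responses."""

    def __init__(self) -> None:
        self._keys = {}  # (ESN, MIN) -> A-key; the key is never sent over the air

    def provision(self, esn: str, min_: str, a_key: str) -> None:
        self._keys[(esn, min_)] = a_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(4)  # fresh RAND for every call attempt

    def verify(self, esn: str, min_: str, rand: bytes, response: str) -> bool:
        a_key = self._keys.get((esn, min_))
        if a_key is None:
            return False  # unknown identity: treat as failed authentication
        expected = auth_response(a_key, esn, min_, rand)
        return hmac.compare_digest(expected, response)


class Handset:
    """Mobile side. A clone has the ESN/MIN copied from the air but no A-key."""

    def __init__(self, esn: str, min_: str, a_key: Optional[str] = None) -> None:
        self.esn, self.min, self.a_key = esn, min_, a_key

    def respond(self, rand: bytes) -> str:
        if self.a_key is None:
            # The clone cannot run the calculation; the best it can do is guess.
            return secrets.token_hex(4)
        return auth_response(self.a_key, self.esn, self.min, rand)


def place_call(ac: AuthenticationCenter, phone: Handset) -> bool:
    """One call attempt: challenge, response, compare. True means call allowed."""
    rand = ac.challenge()
    return ac.verify(phone.esn, phone.min, rand, phone.respond(rand))


def demo():
    """Provision the legitimate handset, then try both it and a clone."""
    ac = AuthenticationCenter()
    ac.provision(ESN, MIN, A_KEY)
    legitimate = Handset(ESN, MIN, A_KEY)
    clone = Handset(ESN, MIN)          # same ESN/MIN, no key
    return place_call(ac, legitimate), place_call(ac, clone)


if __name__ == "__main__":
    allowed, clone_allowed = demo()
    print(f"legitimate handset allowed: {allowed}, clone allowed: {clone_allowed}")
```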

IS MY PHONE AUTHENTICATION CAPABLE?

If the phone supports TDMA or CDMA digital radio, then yes. Otherwise, it depends on how old the phone is and the make and model. Almost all phones manufactured since the beginning of 1996 support the Authentication function. The best bet is to check with your service

9. ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD

Service providers use many methods, such as RF Fingerprinting, subscriber behavior profiling, and Authentication. RF Fingerprinting is a method to uniquely identify mobile phones based on certain unique radio frequency transmission characteristics that are essentially "fingerprints" of the radio being used. Subscriber behavior profiling is used to predict possible fraudulent use of mobile service based on the types of calls previously made by the subscriber. Calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and appropriate actions can be taken.

Authentication has advantages over these technologies in that it is the only industry standardized procedure that is transparent to the user, a technology that can effectively combat roamer fraud, and a prevention system as opposed to a detection system.

9.1. INTERIM STANDARD NO. 41

IS-41 (Interim Standard No. 41) is a document prescribing standards for communications between mobile networks. The standard was developed by the Telecommunications Industry Association (TIA) and is used primarily throughout North America as well as in many Latin American countries and Asia.

The IS-41 network communications standard supports AMPS, NAMPS, TDMA, and CDMA radio technologies. IS-41 is the standard that defines the methods for automatic roaming, handoff between systems, and for performing Authentication.

9.2. IMPACT OF CLONING

Each year, the mobile phone industry loses millions of dollars in revenue because of the criminal actions of persons who are able to reconfigure mobile phones so that their calls are billed to other phones owned by innocent third persons. Often these cloned phones are used to place hundreds of calls, often long distance, even to foreign countries, resulting in thousands of dollars in airtime and long distance charges. Cellular telephone companies do not require their customers to pay for any charges illegally made to their account, no matter how great the cost. But some portion of the cost of these illegal telephone calls is passed along to cellular telephone consumers as a whole.

Many criminals use cloned cellular telephones for illegal activities, because their calls are not billed to them, and are therefore much more difficult to trace.

This phenomenon is especially prevalent in drug crimes. Drug dealers need to be in constant contact with their sources of supply and their confederates on the streets. Traffickers acquire cloned phones at a minimum cost, make dozens of calls, and then throw the phone away after as little as a day's use. In the same way, criminals who pose a threat to our national security, such as terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at tracking their whereabouts.

9.3. ARE OUR CELL PHONES SECURED?

Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy. Did you realize there's a lucrative black market in stolen and "cloned" SIM cards? This is possible because SIMs are not network specific and, though tamper-proof, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill.

But there are locking mechanisms on cellular phones that require a PIN to access the phone. This would dissuade some attackers and foil others, but might not work against a well financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it.

With the shift to GSM digital - which now covers almost the entire UK mobile sector - the phone companies assure us that the bad old days are over. Mobile phones, they say, are secure and privacy friendly.

This is not entirely true. While the amateur scanner menace has been largely exterminated, there is now more potential than ever before for privacy invasion.

The alleged security of GSM relies on the myth that encryption - the mathematical scrambling of our conversations - makes it impossible for anyone to intercept and understand our words. And while this claim looks good on paper, it does not stand up to scrutiny.

The reality is that the encryption has deliberately been made insecure. Many encrypted calls can therefore be intercepted and decrypted with a laptop computer.

Is the fixed telephone network safer than the mobile phone?

The answer is yes. In spite of this, the security functions which prevent eavesdropping and unauthorized use are emphasized by the mobile phone companies. The existing mobile communication networks are not safer than the fixed telephone networks. They only offer protection against the new forms of abuse.

10. METHODS TO BAN CELL PHONE CLONING

Cellular operators in many countries have deployed various technologies to tackle this menace. Some of them are as follows:

There's the Duplicate Detection Method, where the network sees the same phone in several places at the same time. Reactions include shutting them all off, so that the real customer will contact the operator because he has lost the service he is paying for.

Velocity Trap is another test to check the situation, whereby the mobile phone seems to be moving at impossible or most unlikely speeds. For example, if a call is first made in Delhi, and five minutes later another call is made but this time in Chennai, there must be two phones with the same identity on the network.

Some operators also use Radio Frequency Fingerprinting, originally a military technology. Even identical radio equipment has a distinguishing 'fingerprint', so the network software stores and compares fingerprints for all the phones that it sees. This way, it will spot the clones with the same identity but different fingerprints.

Usage Profiling is another way, wherein profiles of customers' phone usage are kept, and when discrepancies are noticed, the customer is contacted. For example, if a customer normally makes only local network calls but is suddenly placing calls to foreign countries for hours of airtime, it indicates a possible clone. On the other hand, consumers can regularly check the unbilled amount details. Users with ILD facility need to be more careful, as fraudsters attempt to make as many international calls as possible within a short time due to fear of getting caught. Since ILD rates are higher than those of other calls, fraudsters try to derive maximum benefit in the shortest time.

If your cellular service company offers Personal Identification Numbers (PIN), consider using it. Although cellular PIN services are cumbersome and require that you input your PIN for every call, they are an effective means of thwarting cloning.

The Central Forensic Laboratory at Hyderabad has developed software to detect cloned mobile phones. The laboratory helped Delhi Police identify two such cloned mobile phones recovered recently. Called the Speaker Identification Technique, the software enables one to recognize the voice of a person by acoustic analysis, using a computerized speech laboratory machine. For the process, developed by Dr S.K. Jain, a voice sample of four seconds is adequate for an accurate result.

The best detection measure available in CDMA today is the A-key feature. The A-key is a secret 20-digit number unique to the handset, given by the manufacturer to the service provider only. This number is loaded in the Authentication Center for each mobile. As this number is not displayed in the mobile parameters, it cannot be copied. Whenever a call is originated or terminated from a mobile with authentication active, the network checks the originality of the set using this secret key. If the data matches at both the mobile and the network end, the call is allowed to go through; otherwise it is dropped.

Avoid using your cellular telephone within several miles of an airport, stadium, mall, or other heavy traffic location. These are areas where radio hobbyists use scanners for random monitoring. If they come across an interesting conversation, your number may be marked for regular selective monitoring.

However, all these methods are only good at detecting cloning, not preventing damage. A better solution is to add authentication to the system. But this requires upgrades to users' and operators' equipment before they can be used.
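
The Duplicate Detection and Velocity Trap checks described above (and the location-and-time test that 10.1 attributes to traffic analysis), as an added example that is not part of this report: both checks run over a few constructed call records and flag the Delhi-to-Chennai-in-five-minutes case. The site coordinates, MINs and the 900 km/h threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed cell-site table: site name -> (latitude, longitude) in degrees.
SITES = {
    "Delhi": (28.61, 77.21),
    "Gurgaon": (28.46, 77.03),   # roughly 25 km from Delhi
    "Chennai": (13.08, 80.27),   # roughly 1750 km from Delhi
}

MAX_SPEED_KMH = 900.0  # assumption: anything faster than an airliner is "impossible"


@dataclass
class CallRecord:
    min_: str        # Mobile Identification Number the network saw
    site: str        # cell site that served the call
    start: datetime
    end: datetime


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _calls_by_min(records):
    """Group records by MIN, each group ordered by call start time."""
    by_min = {}
    for r in sorted(records, key=lambda r: r.start):
        by_min.setdefault(r.min_, []).append(r)
    return by_min


def velocity_trap(records):
    """Flag consecutive calls from one MIN that would require impossible travel.

    Returns (MIN, earlier site, later site, implied speed in km/h) per alert.
    """
    alerts = []
    for min_, calls in _calls_by_min(records).items():
        for prev, cur in zip(calls, calls[1:]):
            if prev.site == cur.site:
                continue
            hours = (cur.start - prev.end).total_seconds() / 3600.0
            if hours <= 0:
                continue  # overlapping calls are duplicate_detection's job
            speed = haversine_km(SITES[prev.site], SITES[cur.site]) / hours
            if speed > MAX_SPEED_KMH:
                alerts.append((min_, prev.site, cur.site, round(speed)))
    return alerts


def duplicate_detection(records):
    """Flag one MIN active at two different sites at the same moment."""
    alerts = []
    for min_, calls in _calls_by_min(records).items():
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if b.start < a.end and a.site != b.site:
                    alerts.append((min_, a.site, b.site))
    return alerts


def sample_records():
    """Constructed call records: one normal subscriber and two cloned identities."""
    def t(hh, mm):
        return datetime(2024, 1, 15, hh, mm)
    return [
        # Normal: Delhi, then Gurgaon an hour later (about 25 km/h).
        CallRecord("2145550000", "Delhi", t(10, 0), t(10, 2)),
        CallRecord("2145550000", "Gurgaon", t(11, 0), t(11, 5)),
        # Clone: Delhi call ends 10:03, Chennai call starts 10:08 (five minutes).
        CallRecord("2145551234", "Delhi", t(10, 0), t(10, 3)),
        CallRecord("2145551234", "Chennai", t(10, 8), t(10, 10)),
        # Clone: the same MIN on two sites at once.
        CallRecord("2145559999", "Delhi", t(10, 0), t(10, 5)),
        CallRecord("2145559999", "Gurgaon", t(10, 2), t(10, 4)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    for alert in velocity_trap(recs):
        print("velocity trap:", alert)
    for alert in duplicate_detection(recs):
        print("duplicate detection:", alert)
```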

10.1. WHAT CAN BE DONE?

With technically sophisticated thieves, customers are relatively helpless against cellular phone fraud. Usually they become aware of the fraud only once they receive their phone bill.

Service providers have adopted certain measures to prevent cellular fraud. These include encryption, blocking, blacklisting, user verification and traffic analysis. Encryption is regarded as the most effective way to prevent cellular fraud, as it prevents eavesdropping on cellular calls and makes it nearly impossible for thieves to steal Electronic Serial Number (ESN) and Personal Identification Number (PIN) pairs. Blocking is used by service providers to protect themselves from high-risk callers. For example, international calls can be made only with prior approval. In some countries only users with major credit cards and good credit ratings are allowed to make long distance calls.

Blacklisting of stolen phones is another mechanism to prevent unauthorized use. An Equipment Identity Register (EIR) enables network operators to disable stolen cellular phones on networks around the world.

User verification using Personal Identification Number (PIN) codes is one method for customer protection against cellular phone fraud. Tests conducted in the United States found that having a PIN code reduced fraud by more than 80%.

Traffic analysis detects cellular fraud by using artificial intelligence software to detect suspicious calling patterns, such as a sudden increase in the length of calls or a sudden increase in the number of international calls. The software also determines whether it is physically possible for the subscriber to be making a call from the current location, based on the location and time of the previous call. Currently, South Africa's two service providers, MTN and Vodacom, use traffic analysis with the International Mobile Equipment Identity (IMEI) — a 15-digit number which acts as a unique identifier and is usually printed on the back of the phone underneath the battery — to trace stolen phones.

Other warning signs that subscribers should watch out for to detect fraudulent activity include:

o Frequent wrong number phone calls to your phone, or hang-ups.
o Difficulty in placing outgoing calls.
o Difficulty in retrieving voice mail messages.
o Incoming calls constantly receiving busy signals or wrong numbers.
o Unusual calls appearing on your phone bills.

10.2. SOME FACTS AND FIGURES

Southwestern Bell claims wireless fraud costs the industry $650 million each year in the US. Some federal agents in the US have called phone cloning an especially 'popular' crime because it is hard to trace. In one case, more than 1,500 telephone calls were placed in a single day by cellular phone thieves using the number of a single unsuspecting owner.

A Home Office report in 2002 revealed that in London around 3,000 mobile phones were stolen in one month alone which were used for cell phone cloning.

Authorities, in the case, estimated the loss at $3,000 to $4,000 for each number used in cell phone cloning.

According to a school of thought, the Telecom Regulatory Authority of India (TRAI) should issue a directive which holds the operators responsible for duplications of mobile phones.

Qualcomm, which develops CDMA technology globally, says each instance of mobile hacking is different and therefore there is very little an operator can do to prevent hacking. "It's like a virus hitting the computer. The software which is used to hack into the network is different, so operators can only keep upgrading their security firewall as and when the hackers strike," says a Qualcomm executive.

11. FUTURE THREATS

Resolving subscriber fraud can be a long and difficult process for the victim. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that you did not incur the debts. As described in this article, there are many ways to abuse a telecommunication system, and to prevent abuse from occurring it is absolutely necessary to examine the weaknesses and vulnerabilities of existing telecom systems. If it is planned to invest in new telecom equipment, a security plan should be made and the system tested before being implemented. It is therefore mandatory to keep in mind that a technique which is described as safe today can be the most insecure technique in the future.

12. CONCLUSION

Existing cellular systems have a number of potential weaknesses, which were considered above. It is crucial that businesses and staff take mobile phone security seriously.

Awareness and a few sensible precautions as part of the overall enterprise security policy will deter all but the most sophisticated criminal. It is also mandatory to keep in mind that a technique which is described as safe today can be the most insecure technique in the future. Therefore it is absolutely important to check the function of a security system once a year and, if necessary, update or replace it. Finally, cell phones have a long way to go in security before they can be used in critical applications like m-commerce.
