mobile phone cloning
TRANSCRIPT
Research Topic Mobile Phone Cloning
ABSTRACT
Mobile phone cloning is copying the identity of one cellphone to another cellphone. The cell phones can be re-configured so that the calls are billed to other persons. The identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone. Each cellular phone has a unique pair of identification numbers, the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be cloned without the knowledge of the subscriber or the carrier through the use of electronic scanning devices.
Cellular thieves can capture an ESN/MIN pair using devices such as a cellphone ESN reader or a DDI (Digital Data Interpreter) by monitoring the radio transmissions of legitimate subscribers' phones. The ESN and MIN are then transferred into another cell phone using a computer loaded with specialised software, or a 'copycat' box, a device made specifically to clone phones. There are other devices, such as Plugs and ES-Pros, as small as a calculator, that need neither a computer nor a copycat box. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies, though by very different means (sections 7.1 and 7.2).
Any call made with a cloned phone is billed and traced to the legitimate cellphone account. Innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the itemised billing; if it lists numbers you never called, it is possible that your cellphone has been cloned and someone else is making calls using your identity.
Many criminals use cloned cell phones for illegal activities, because the calls are not billed to them and are therefore much harder to trace. Cloned phones are often used to make long distance calls, even to foreign countries. Pre-paid users are at lower risk, not because their phones cannot technically be cloned but because misuse would be quickly detected and limited by the remaining credit. Cellphone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai.
1. INTRODUCTION
Today everyone is familiar with cell phones; roughly every fifth person in the world uses one. It is a major technological revolution and is still growing day by day. Slowly but surely, the technology is showing its ugly side too: mobile services have been, and will continue to be, subject to fraud. Mobile communication has been readily available for several years and is a major business today. It provides a valuable service to those willing to pay a considerable premium over a fixed-line phone to be able to walk and talk freely. Because of its usefulness and the money involved, it attracts fraud and criminal interest. Today it is increasingly used by new-age criminals in a variety of ways; the latest is "MOBILE-PHONE CLONING".
Millions of mobile phone users, whether on GSM or CDMA, run the risk of having their phones cloned, and the worst part is that there is not much a subscriber can do to prevent it. A resident of Moradabad was arrested in South Delhi some time back for cloning mobile phones and providing ISD (international) calling with those cloned phones.
Several features of mobile communication make it an attractive target for criminals. It is a relatively new invention, so not everyone is familiar with its possibilities, good or bad. Its newness also means intense competition among operators as they try to attract customers. Both give the criminally inclined an opportunity to profit from the situation.
According to media reports, the Delhi (India) police recently arrested a person with 20 cell phones, a laptop, a SIM scanner and a writer. The accused was illegally running an exchange in which he cloned CDMA-based cell phones. He used software named Patagonia for the cloning and provided cheap international calls to Indian immigrants in West Asia.
2. HISTORY
The early 1990s were boom times for eavesdroppers. Any curious teenager with a £100 Tandy scanner could listen in to nearly any analogue mobile phone call. As a result, Cabinet Ministers, company chiefs and celebrities routinely found their most intimate conversations published in the next day's tabloids.
Cell phone cloning started with Motorola "bag" phones and reached its peak in the mid-1990s with a commonly available modification for the Motorola "brick" phones, such as the Classic, the Ultra Classic and the Model 8000.
In Korea, where the wireless penetration rate reaches 75 percent, mobile fraud is increasingly becoming a challenge for law enforcement, reports The Korea Herald.
"The government will mandate that mobile-phone operators allocate unique identification codes to the handsets of their new subscribers starting next month, to counter mobile-phone fraud stemming from stolen and cloned phones.
"The electronic serial numbers on mobile phones have become vulnerable targets for theft, with "phone-cloners" replicating the code on a copied telephone and enabling the users to make telephone calls which are then billed to the original subscriber.
More than 2,000 phone-cloning cases were reported to authorities during the Jan.-July period last year, according to the Communication Ministry. Under Korea's telecommunication law, those who produced cloned phones face a maximum of three years in prison or a 20 million won fine."
"The MIC has detected a total of 1,940 cloned phones from last November to June this year and the monthly figure is on the rise."
An interesting CNN article dated December 1996 on cell phone cloning reported: "Thieves are charging calls to the accounts of unknowing cell phone customers. The scam is known as cloning. Thieves capture the signal of a legitimate call, and then electronically duplicate the cell phone number."
Hardly a single day passes without cloning making headlines here in Korea. This time it is about cell phones, not the stem cells involving the troubled scientist Hwang Woo-suk, the Korea Times reports.
"The Central Radio Management Office (CRMO) Monday said it had seized 6,574 illegally-cloned handsets last year, roughly eight times more than the 858 in 2004.
... Experts point out the cloned phones are problematic when they are in the hands of criminals who might use them to conceal their identity while committing crimes through the handheld gadgets.
The cloned phones also raise the concern that they might be used to overhear conversations of legitimate phone owners."
Figure 1. Cloned cell phones graph
The Rise and Fall of the Cloned Phone
When cell phones became popular, criminals found ways to clone them so that they could use them without paying any bills. They used scanners near airports and hotels to capture the numbers that each phone transmits in order to send and receive calls, then created "clones" of the original phones by re-programming those numbers into phones they had stolen. The original phone would then be charged for calls made by the clone. This rapidly became big business. The top line in the graph shows that cloning losses for all cell phone companies increased quite rapidly from June 1992 to June 1996, when they totalled nearly $450 million for the previous six months. (The losses are the charges that the phone companies wiped off the bills of legitimate subscribers whose phones were cloned.) At this point the phone companies began to introduce a variety of technologies that made it much more difficult to steal phone numbers and to use a clone. Cloning fell rapidly and by December 1999 was all but eliminated. Incidentally, the second most common form of cell phone fraud, "subscription fraud" (opening an account with a false name and address), did not skyrocket when cloning was closed down, as displacement doomsters would predict. This could be because cloning was easy for organized criminals to "mass-produce", whereas subscription fraud is not.
Figure 2. Semi-Annual Fraud Dollar Losses
3. GSM AND CDMA MOBILE PHONE SETS
CDMA is one of the newer digital technologies, used in Canada, the US, Australia and some East Asian markets (e.g. Hong Kong and South Korea). CDMA differs from GSM and TDMA (Time Division Multiple Access) in its use of spread-spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio spectrum into separate user channels by frequency slices or time slots, spread-spectrum technology separates users by assigning them distinct digital codes within the same broad band. Advantages of CDMA include higher user capacity and resistance to interference from other signals.
GSM is a digital mobile telephone system widely used in Europe and most other parts of the world. GSM uses a variation of TDMA and is the most widely deployed of the three digital wireless telephone technologies. GSM digitizes and compresses speech, then sends it over a carrier shared with other users' streams, each in its own time slot (eight slots per TDMA frame). It operates in the 900 MHz or 1,800 MHz bands in Europe and Asia, and in the 850 MHz or 1,900 MHz bands in the Americas.
Some other important terms to know are:
IMEI
SIM
ESN
MIN
First, the IMEI (International Mobile Equipment Identity) is a 15-digit number that identifies a GSM handset. It is meant to be unique, so that no two handsets share an IMEI, and it is a valuable number in tracking mobile phones. (Service software can rewrite it, as section 6.2 notes, so uniqueness holds only for untampered handsets.)
Second comes the SIM, the Subscriber Identity Module. The SIM has survived and evolved. Early mobiles took the entire credit-card-sized card; these are ID-1 SIMs. In the other form only the small part of the card carrying the chip is inserted in the mobile; these are known as plug-in SIMs.
Basically, the SIM stores subscriber-related information of three types:
Fixed data stored before the subscription is sold
Temporary network data
Service related data.
ESN means Electronic Serial Number. This number is loaded when the phone is manufactured and is not meant to be changed by the user or subscriber; if it is known, a phone can be cloned easily.
Some carriers also issue each subscriber a Personal Identification Number (PIN), a unique number keyed in before calls (section 4.1). If the ESN and MIN (and the PIN, where one is used) are known, a phone can be cloned in seconds using software such as Patagonia, which is used to clone CDMA phones. The ESN plays the role in CDMA handsets that the IMEI plays in GSM.
MIN stands for Mobile Identification Number; it identifies the subscriber in CDMA much as the IMSI on the SIM does in GSM.
The basic difference between a CDMA handset and a GSM handset is that a CDMA handset has no SIM: the MIN is programmed into the handset's own memory (the Number Assignment Module, NAM, described in section 4.2) and cannot be swapped out the way a GSM SIM can.
4. WORKING OF CELL PHONE
Cell phones send radio-frequency transmissions on two distinct kinds of channel, one for voice and the other for control signalling. When a cellular phone makes a call, it normally transmits its Electronic Serial Number (ESN), Mobile Identification Number (MIN), Station Class Mark (SCM) and the number called in a short burst of data. This burst is the short buzz you hear after you press SEND and before the tower acknowledges the data. These four items are what the cellular provider uses to confirm that the phone is programmed to be billed and to establish the identity of both the customer and the phone. The MIN and ESN together are known as the 'pair' and are used to identify the cell phone.
When the cell site receives the pair, it determines whether the requester is a legitimate registered user by comparing the pair against the cellular subscriber list. Once the pair has been recognised, the cell site emits a control signal permitting the subscriber to place calls at will. This process, known as autonomous registration, is carried out each time the telephone is turned on or picked up by a new cell site. Note that nothing in this exchange proves possession of anything secret: whoever can transmit a valid pair is treated as the subscriber.
Figure 3. Cell Phone Working Procedure
4.1. SECURITY VULNERABILITIES IN CELL PHONE.
Your cellular telephone has three major security vulnerabilities:
Monitoring of your conversations while you are using the phone.
Your phone being turned into a microphone to monitor conversations in its vicinity while it is inactive.
Cloning, or the use of your phone number by others to make calls that are charged to your account.
The best defence against all three is very simple: do not use the cell phone. If you must use one, you can reduce the risk by following these guidelines:
Because a cellular phone can be turned into a microphone without your knowledge, do not carry one into any classified area or other area where sensitive discussions are held. (This is prohibited in many offices that handle classified or sensitive information.)
Turn your cellular telephone on only when you need to place a call, and turn it off afterwards. Do not give out your cellular number and do not use the phone for receiving calls, since that requires leaving it on all the time. Ask friends and associates to page you if they need to talk, and return the page from the cell phone.
Do not discuss sensitive information on a cellular phone. When you call someone from your cell phone, consider telling them that you are calling from a cell phone that is vulnerable to monitoring and that you will speak generally rather than get into sensitive matters.
Do not leave your cellular telephone unattended. If it is vehicle-mounted, turn it off before handing the car to a valet parking attendant, even if the telephone locks automatically when the ignition is turned off.
Avoid using your cellular telephone within several miles of an airport, stadium, mall or other heavy-traffic location. These are areas where radio hobbyists use scanners for random monitoring; if they come across an interesting conversation, your number may be marked for regular selective monitoring.
If your cellular service company offers personal identification numbers (PINs), consider using one. Although cellular PIN services are cumbersome and require you to enter the PIN for every call, they are an effective means of thwarting cloning.
4.2. LOOP HOLES IN CELL PHONE NETWORKS
ESN/MIN data is NOT encrypted on its way to the MSC (Mobile Switching Centre) for authentication, so anyone who scans the airwaves can collect the data needed to clone a phone. After the ESN and MIN have been changed, the cellular carrier accepts the call and bills it to the wrong account, or provides service simply because the pair is not flagged as disconnected. The carrier also looks at the other two components of the burst (the SCM and the dialled number) to confirm that the caller is a cellular phone and to forward billing information to the right carrier.
The Station Class Mark can also be changed to prevent the carrier from determining the type of phone placing the call. By presenting the tower with a false SCM, the cloner ensures that the carrier, the FCC, or whoever chases down cellular fraud ends up looking for a phone that is not the one actually being used.
The Number Assignment Module (NAM) also holds the SIDH (System Identification for Home system) number. Transmitting the SIDH tells the carrier where to forward billing information when the user is "roaming"; the SIDH table lists the major cities and their identifying numbers. Changing the SIDH is a programming job that takes only minutes, but be aware that the ESN is still sent to the cellular company. Once it realises the ESN belongs to a fake number or to a phone that is not on the network, it will block service; the only way around that is to reprogram the ESN.
5. MOBILE PHONE CLONING
Mobile phone cloning is copying the identity of one cellphone to another cellphone. The cellphones can be re-configured so that the calls are billed to other persons. The identification numbers of a victim cellphone user are stolen and re-programmed into another cellphone.
Each cellular phone has a unique pair of identification numbers, the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). These numbers can be cloned without the knowledge of the subscriber or the carrier through the use of electronic scanning devices.
Cellular thieves can capture an ESN/MIN pair using devices such as a cellphone ESN reader or a DDI (Digital Data Interpreter) by monitoring the radio transmissions of legitimate subscribers' phones. The ESN and MIN are then transferred into another cellphone using a computer loaded with specialised software, or a 'copycat' box, a device made specifically to clone phones. There are other devices, such as Plugs and ES-Pros, as small as a calculator, that need neither a computer nor a copycat box. The entire programming process takes 10-15 minutes per phone. Cloning is possible in both GSM and CDMA technologies, though by different means (sections 7.1 and 7.2).
Figure 4. Cloning a Cell Phone
Any call made with a cloned phone is billed and traced to the legitimate cellphone account. Innocent subscribers end up with unexplained monthly cellphone bills. If your cellphone bill is unexpectedly high, check the itemised billing; if it lists numbers you never called, it is possible that your cellphone has been cloned and someone else is making calls using your identity.
Many criminals use cloned cellphones for illegal activities, because the calls are not billed to them and are therefore much harder to trace. Cloned phones are often used to make long distance calls, even to foreign countries.
Figure 5. Mobile Cloning (Nokia 1100)
Pre-paid users are at lower risk, not because their cell phones cannot technically be cloned but because misuse would be quickly detected and limited by the remaining credit.
Cell phone cloning has been taking place throughout the world for a long time, although it was reported in India only this year, when police arrested people involved in this crime in Delhi and Mumbai.
Cloning occurs most frequently in areas of high cell phone usage: valet parking lots, airports, shopping malls, concert halls, sports stadiums and high-congestion traffic areas in metropolitan cities.
Figure 6. Cellular phone cloning
5.1. HOW DO I KNOW THAT MY PHONE IS GETTING CLONED?
Cellular fraud was, for a time, a serious problem occurring at a high rate. Although today's digital networks and handset manufacturers have taken extraordinary steps to make cell phone fraud more difficult, some ill-intentioned individuals continue to find ways around even the most modern technology.
Cell phone cloning is one of the most notorious methods of cell phone fraud, and customers must monitor their cellular usage regularly. Thankfully, cellular providers keep excellent records of every number called from your handset each month.
Use a computer connected to the Internet to visit your cellular provider's website. Sign up for the provider's online account management system so that you have immediate access to billing and usage information, even before the paper bill arrives by mail.
Take special note of any times when you are unable to use your phone. Since a cloned phone appears identical to yours, you may receive messages stating that the mobile number is already in use, or find that you cannot initiate or receive calls while the clone is being used by the perpetrator.
Figure 7. Clone Identification
Record the times, dates and frequency of any such "cell usage blackouts"; if they occur for long durations and repeatedly throughout the day, contact your cellular provider with your concern that your phone may have been cloned.
Cooperate with your cellular provider if it asks your permission to initiate a detailed audit of your cell usage. The company will send you a highly detailed list of calls sent or received on your account over the month and will most likely ask you to highlight every number, date and time you do not recognise.
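The carrier-side version of the audit just described, as an added example (editor's code, not anything from the report or from any carrier): three checks a fraud desk can run over call-detail records (CDRs) to spot a clone before the subscriber notices the bill. The records, cell sites, coordinates and the 300 km/h threshold are all constructed. Note that the clone reports the victim's own ESN, so the ESN column cannot separate the two handsets; what gives the clone away is that one identity is doing things a single handset cannot do.

```python
# Editor's added example: simple clone-detection checks over constructed
# call-detail records (CDRs). Not code from the report or from any carrier;
# the cell-site coordinates, speed limit and records below are invented.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass
class CDR:
    min_: str          # subscriber's MIN (the directory number)
    esn: str           # ESN the handset reported when the call was set up
    start: datetime
    end: datetime
    cell_site: str     # site that carried the call
    called: str        # dialled number


# Constructed cell-site coordinates (latitude, longitude in degrees).
SITES = {
    "DEL-01": (28.61, 77.21),   # south Delhi
    "DEL-07": (28.56, 77.10),   # west Delhi
    "BOM-03": (19.08, 72.88),   # Mumbai
}

MAX_SPEED_KMH = 300.0  # faster than any train: one handset cannot have moved


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _by_subscriber(cdrs):
    groups = {}
    for r in cdrs:
        groups.setdefault(r.min_, []).append(r)
    return {k: sorted(v, key=lambda r: r.start) for k, v in groups.items()}


def overlapping_calls(cdrs):
    """Two calls on one MIN that overlap in time. One handset cannot carry
    both, so a second handset presenting the same identity is on the air."""
    hits = []
    for recs in _by_subscriber(cdrs).values():
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b.start < a.end:
                    hits.append((a, b))
    return hits


def impossible_travel(cdrs):
    """Consecutive, non-overlapping calls on one MIN whose cell sites are too
    far apart for the gap between them (a 'velocity check')."""
    hits = []
    for recs in _by_subscriber(cdrs).values():
        for a, b in zip(recs, recs[1:]):
            gap_h = (b.start - a.end).total_seconds() / 3600.0
            if gap_h <= 0:
                continue  # already reported by overlapping_calls
            km = haversine_km(SITES[a.cell_site], SITES[b.cell_site])
            if km / gap_h > MAX_SPEED_KMH:
                hits.append((a, b, round(km / gap_h)))
    return hits


def unfamiliar_destinations(cdrs, known_numbers):
    """Calls to numbers the subscriber has never dialled before, which is what
    section 5.1 asks the customer to highlight on the itemised bill."""
    return [r for r in cdrs if r.called not in known_numbers]


# Constructed records for one cloned subscriber (9810000001) and one
# ordinary one (9810000002), all on a single day.
def t(hhmm):
    return datetime(2006, 3, 14, int(hhmm[:2]), int(hhmm[2:]))

SAMPLE_CDRS = [
    CDR("9810000001", "A1B2C3D4", t("1000"), t("1012"), "DEL-01", "9811111111"),
    CDR("9810000001", "A1B2C3D4", t("1005"), t("1040"), "DEL-07", "+971500000000"),
    CDR("9810000001", "A1B2C3D4", t("1100"), t("1105"), "BOM-03", "9811111111"),
    CDR("9810000002", "E5F60718", t("1030"), t("1035"), "DEL-01", "9812222222"),
]
KNOWN_NUMBERS = {"9811111111", "9812222222"}


def run_checks(cdrs=SAMPLE_CDRS, known=KNOWN_NUMBERS):
    """Return the subscribers flagged by each check, as a dict of sets."""
    return {
        "overlap": {a.min_ for a, _ in overlapping_calls(cdrs)},
        "velocity": {a.min_ for a, _, _ in impossible_travel(cdrs)},
        "unfamiliar": {r.min_ for r in unfamiliar_destinations(cdrs, known)},
    }


if __name__ == "__main__":
    for check, mins in run_checks().items():
        print(f"{check:11s} -> {sorted(mins) or 'nothing flagged'}")
```

Only subscriber 9810000001 is flagged, and by all three checks: the second call starts while the first is still up, the third is placed from Mumbai twenty minutes after the clone hung up in Delhi, and the clone dialled an international number the subscriber never calls. In a real deployment the velocity threshold and the "known numbers" set would come from the subscriber's own history rather than constants.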
6. CLONING FRAUD
The Cellular Telecommunications Industry Association (CTIA) estimates that financial losses due to cloning fraud are between $600 million and $900 million in the United States. Some Reliance subscribers have suffered because their phones were cloned. Mobile cloning is in its initial stages in India, so preventive steps should be taken by the network providers and the Government.
6.1. COSTS OF FRAUD
Publicly available figures for the costs of fraud have many uses, so the reader should know a few things before believing them to be correct. Cost figures are published by the operators themselves, by organizations such as the Cellular Telecommunications Industry Association, and by governmental institutions.
Hard and soft currency
Costs of mobile phone fraud can be divided into two classes, soft currency and hard
currency.
Soft currency is a theoretical figure. It is derived from the lost revenue due to illegal use of the
services. It is based on the assumption that the illegal user would have paid for the services he
used without permission. This assumption does not hold always. The same assumption is usually
made with the figures for music, computer software and movie piracy.
Hard currency is real money. It is money that the operator has to pay someone else. For
example, when a mobile phone user of operator A roams in operator B's network, operator A
pays to the operator B for the use of his network. Hard currency can also be lost on premium
services, that is, services with higher than regular tariffs.
Uses of cost estimates
Cost estimates of fraud have several uses. On one hand, the operators can use high fraud figures
to gain more favorable legislation from the government on the basis that the current situation is
so detrimental to their business, hoping that stricter legislation will act as a deterrent to criminals.
In the USA, federal law was amended to make it illegal to own a scanner or cell phone programmer with intent to defraud, or to use, own or traffic in counterfeit phones, with maximum sentences of 10 to 15 years in prison.
On the other hand, low fraud figures are good publicity for the operator. It gives an
impression of a secure network, so customers are not afraid to use their phones. Also, low fraud
means less hassle to the customers who, in the end, end up paying for fraud through the service
fees.
6.2. FRAUD EXAMPLES
Example: Roaming fraud
In this type of fraud, stolen and cloned mobile phones are used to make international calls and to roam, possibly abroad. Once a suitable subscription has been acquired, it can be used for call selling locally or to place calls in a roaming network.
In roaming a subscriber to operator A can use operator B's network and services,
provided that the operators have made a roaming agreement. Roaming, especially international
roaming, and international calls in general, are usually expensive, and therefore subject to
criminal interest and fraud. Roaming fraud is a hard currency problem because the roaming
user's operator has to pay to the operator of the roaming network for the roaming user's use,
whether or not the user pays his bills. Therefore, operators have taken measures to limit the costs
of roaming fraud.
The main problem behind roaming fraud is the delay in communicating billing information between operators. The delay has been shortened from 72 to 24 hours. The information is transferred by EDI (Electronic Data Interchange) or on tape. One example of roaming fraud: SIM cards were taken out of phones acquired with false identities and mailed abroad, where they were used in call-selling operations with call lengths averaging 10-12 hours. According to the guidelines of the GSM Memorandum of Understanding, a call report for a user exceeding 100 SDR (Special Drawing Rights) a day must be delivered to the home network within 24 hours.
Should GSM cloning become a major problem, the importance of timely communication
between the roaming operators will become critical in avoiding fraud losses. Already, clearing
houses have been set up to offer billing and billing information services to roaming operators.
Example: Criminal users
Mobile communication is a valuable tool for criminals, just as it is for ordinary people. Criminals, however, have more reason than regular users to worry about the operator knowing their location. Mobile operators can find out the location of a mobile phone with varying accuracy: in areas with high base-station density, such as cities, to within a few hundred metres; in rural regions, to within a few kilometres. In GSM systems the phone has a unique identifier (IMEI, International Mobile Equipment Identity) and a SIM containing the subscriber information (IMSI, International Mobile Subscriber Identity).
Depending on the legislation of each country, law enforcement can obtain this information from the operator, possibly in real time. It therefore makes sense for a criminal to use one or more stolen or cloned phones to gain anonymity and make tracking harder. Constantly using one and the same phone and SIM card makes it easy to track the criminal's movements. Using service tools (e.g. WinTesla), it is possible to change the IMEI of a phone. This makes the network think that the same SIM is being used in different phones when, in reality, it is the same phone. A radio-frequency fingerprinting system can still identify the phone as the same one. Therefore criminals use subscriptions that cannot be connected to them (i.e. cloned or stolen subscriptions, or a subscription under a fake identity) together with several different phones.
This type of fraud can be limited by offering a suitable service, such as prepaid subscriptions. With a prepaid subscription the customer pays a certain sum up front, for instance 350 Rs., and uses the subscription as long as credit remains, after which he can buy more credit or take another prepaid subscription.
Example of a technical method: Cloning
Cloning of analog mobile phones was a major problem until operators and equipment manufacturers took measures to make it more difficult. Analog mobile phone systems include AMPS (Advanced Mobile Phone System), used mainly in the USA; TACS, a version of AMPS used for instance in the UK; and NMT, used in Scandinavia. These systems had similar issues, so only one is presented here.
AMPS, the analog system used in the USA, was at first very vulnerable to cloning. Each phone has an Electronic Serial Number (ESN) identifying the phone, and a Mobile Identification Number (MIN), which encodes the telephone number. As the names indicate, together these identify the subscriber.
Figure 8. Cellular counterfeiting
When placing a call, the phone transmits both the ESN and the MIN to the network. These were sent in the clear, so anyone with a suitable scanner could receive them. The eavesdropped codes would then be programmed into another phone, effectively cloning the original subscription. Any calls made on the cloned phone would be charged to the original customer.
Because of the relative ease of cloning these analog mobile phones, cloning became a major problem. One example of the detailed instructions available on the Internet describes how to modify a specific model of scanner to receive the cellular frequencies, together with the software and instructions needed to program the captured subscriptions into another phone.
7. HOW IS CELL CLONING DONE?
Cloning involved modifying or replacing the EPROM in the phone with a new chip that allowed the ESN (Electronic Serial Number) to be configured via software. The MIN (Mobile Identification Number) would also have to be changed. After successfully changing the ESN/MIN pair, the phone became an effective clone of the other phone.
Cloning required access to ESN/MIN pairs, which were discovered in several ways:
Sniffing the cellular network
Trashing (dumpster-diving) cellular companies or cellular resellers
Hacking cellular companies or cellular resellers
Cloning still works under the AMPS/NAMPS system, but has fallen in popularity as older phones that can be cloned are harder to find and newer phones have not been successfully reverse engineered.
Cloning has been demonstrated under GSM, but the process is not easy and currently remains in the realm of serious hobbyists and researchers. Furthermore, cloning as a means of escaping the law is difficult because of the radio-frequency fingerprint present in every mobile phone's transmissions: small, hardware-specific imperfections in the transmitter. Because the fingerprint is a property of the radio and not of any stored number, it stays the same when the ESN or MIN is changed, and carriers can flag a known ESN/MIN pair arriving with an unfamiliar fingerprint as a probable clone.
7.1. CLONING CDMA CELL PHONES
In first-generation (analog) networks, thieves monitored the radio spectrum and stole the cell phone pair as it was autonomously registered with a cell site, pulling subscription data (the ESN and MIN) straight off the analog air interface. A device called a DDI (Digital Data Interpreter), which comes in various forms from an expensive stand-alone box to a unit that connects an 800 MHz-capable scanner to a PC, can collect pairs by simply being carried into a busy traffic area (a freeway overpass, say) and left to log everything it hears. CDMA itself uses spread-spectrum techniques to share bands among many conversations, and subscriber information is transmitted digitally, so pairs are not harvested from the air as easily as in AMPS; nonetheless CDMA handsets are particularly vulnerable to cloning, according to experts, because the ESN and MIN (and, where the carrier uses authentication, the A-key and SSD values) can be read out of a handset with service software. The stolen ESN and MIN are then fed into a new CDMA handset whose existing program has been erased with downloaded software, so that the new phone carries the same number as the original subscriber.
PATAGONIA
Patagonia is software sold in the market for cloning CDMA phones; with it a cloner can take over a CDMA phone's identity. Other software for cloning GSM phones is also easily available. A SIM can be cloned again and again and the copies used in different places. Messages and calls sent by cloned phones can be tracked; if the accused also manages to copy the handset's IMEI, for which software is likewise available, tracing by equipment identity becomes much harder, although RF fingerprinting and cell-site location data (sections 6.2 and 7) remain.
CDMA WORKSHOP
CDMA Workshop is a professional, universal, all-in-one service software, developed to work with any CDMA 450/800/1900/EVDO (1xEVDO) and other phones, smart phones, fixed terminals and data cards/modems based on any Qualcomm chipset. It is the necessary tool for easy and fast programming or re-programming of CDMA phones to any network, making clones, unlocking, reading and changing ESN and MEID, security codes (such as user lock, SPC, MSL, FSC, OTKSL, Minlock), authentication security codes (such as A-key, SSD_A, SSD_B) and many other things. CDMA Workshop combines all major functions and operations necessary for full-functional work with CDMA phones and is a "must have" software for every serious technician, cellular/repair shop and dealer.
Supported Windows: Win 95/98/ME, NT, 2000, XP, 2003, Vista, Windows 7 (x32 and x64)
Supported Interfaces: COM (serial), USB, USB-to-COM converters, any kind of Uniboxe.
Figure 9. CDMA Workshop
7.2. CLONING GSM PHONES
GSM handsets, on the contrary, are safer, according to experts. Every GSM phone has a 15-digit
electronic serial number (referred to as the IMEI). It is not a particularly secret bit of
information and you don't need to take any care to keep it private. The important information is
the IMSI, which is stored on the removable SIM card that carries all your subscriber information,
roaming database and so on. GSM employs a fairly sophisticated asymmetric-key cryptosystem
for over-the-air transmission of subscriber information. Cloning a SIM using information
captured over-the-air is therefore difficult, though not impossible. As long as you don't lose your
SIM card, you're safe with GSM. GSM carriers use the COMP128 authentication algorithm for
the SIM, authentication center and network, which makes GSM a far more secure technology.
GSM networks, which are considered to be impregnable, can also be hacked. The process is
simple: a SIM card is inserted into a reader. After connecting it to the computer using data
cables, the card details are transferred to the PC. Then, using freely available encryption
software on the Net, the card details can be encrypted onto a blank smart card. The result: a
cloned cell phone is ready for misuse.
Figure 10. SIM-CLONE
8. IDENTIFYING THE ESN IN YOUR CELLULAR PHONE
Depending on what model phone you have, the ESN will be located on a PROM. The
PROM is programmed at the factory, and installed usually with the security fuse blown to
prevent tampering. The code on the PROM might possibly be obtained by unsoldering it from
the cellular phone, putting it in a PROM reader, and then obtaining a memory map of the chip.
The PROM is going to have from sixteen to twenty-eight leads coming from it. It is a
bipolar PROM. The majority of phones will accept the National Semiconductor 32x8 PROM,
which will hold the ESN and cannot be reprogrammed. If the ESN is known on the phone, it is
possible to trace the memory map by installing the PROM into a reader, and obtaining the fuse
map from the PROM by triggering the "READ MASTER" switch of the PROM programmer. In
addition, most PROM programming systems include verify and compare switches to allow you to
compare the programming of one PROM with another.
As said earlier, the ESN is uniformly black with sixteen to twenty-eight leads emanating
from its rectangular body, or square shaped body. If it is the dual-in-line package chip, (usually
found in transportable and installed phones), it is rectangular. If it is the plastic leaded chip
carrier (PLCC), it will be square and have a much smaller appearance. Functionally, they are the
same chip, but the PLCC is used with hand held cellular phones because of the need for reduced
size circuitry.
8.1 ESN REPLACEMENT
De-solder the ESN chip.
Solder in a zero insertion force (ZIF) replacement, so that the replacement chip can be
changed easily.
After the ZIF socket has been successfully soldered in, reinsert the ESN and attempt to
make a phone call (be sure the NAM is programmed correctly). If it doesn't work, check the
leads on the ZIF to ensure that you have soldered them correctly.
After that, insert your ESN into your PROM reader and make sure it provides some sort
of reading. Use the search mode to look for the manufacturer's serial number
to identify the address on the PROM where the ESN is to be reprogrammed.
8.2. EQUIPMENT REQUIRED FOR CLONING
IBM-PC/XT/AT computer or clone (you supply).
EPROM programmer and suitable adapter (if required) to read/write the chips you are
using (you supply).
Editing software to modify and save file changes (typically supplied by the EPROM
burner manufacturer), plus extra software supplied for editing (binary and hex file editors).
Instructions for reprogramming each phone (from CELLULAR PROGRAMMERS BIBLE).
Programming cables for each particular cellular phone, such as Motorola Flip, etc.
Printed instructions for making programming cables are included in Cellular Hackers
Bible Volume 2.
Cellular Hackers Bible Volume 6, $35.00.
8.3. PROCEDURE FOR CLONING DIFFERENT PHONES:
Read the master phone's PROM or EEPROM with the burner and save it to a file.
Read the clone phone's PROM or EEPROM with the burner and save it to a file.
Print both files for hardcopy.
Locate the information to be swapped in both files, i.e. ESN, MIN, SIDH, etc.
Swap the data (above) from the master into the clone file, using the printed hardcopies as reference.
Compute the checksum on the completed clone file (use the software supplied with the EPROM burner).
Insert the checksum into the clone file at the proper location.
Burn a new PROM or EEPROM with the modified clone file.
Install the new chip into the clone phone and reassemble.
Turn on power. The clone phone will now power up.
Reprogram the clone using the reprogramming instructions from CELLULAR
PROGRAMMERS BIBLE.
You can typically change all information from the handset except the ESN.
Phone is now a "CLONE" of master.
8.4. CLONING PROCEDURE FOR IDENTICAL PHONES:
Copy the EPROM, EEPROM or PROM holding the ESN information.
Make a duplicate copy of this chip.
Insert the duplicate into the second phone.
Reprogram as necessary (usually not required).
If the phones are EE3 models (Moto), the ESN can only be removed or reprogrammed with the use
of a "Copycat" device. These devices are no longer advertised for sale in this country, as the law
has forced sellers of such devices to remove them from the marketplace.
8.5. HOW TO PREVENT CELL CLONING?
The Mobile Identification Number (MIN) uniquely identifies a mobile unit within a wireless
carrier's network. The MIN often can be dialed from other wireless or wire line networks. The
number differs from the electronic serial number (ESN), which is the unit number assigned by a
phone manufacturer. MINs and ESNs can be checked electronically to help prevent fraud.
Mobiles should never be trusted for communicating/storing confidential information.
Always set a PIN that's required before the phone can be used.
Check that all mobile devices are covered by a corporate security policy.
Ensure one person is responsible for keeping tabs on who has what equipment and that they
update the central register.
How do service providers handle reports of cloned phones?
Legitimate subscribers who have their phones cloned will receive bills with charges for calls
they didn't make. Sometimes these charges amount to several thousand dollars in
addition to the legitimate charges.
Typically, the service provider will assume the cost of these additional fraudulent calls.
However, to keep the cloned phone from continuing to receive service, the service provider will
terminate the legitimate phone subscription. The subscriber is then required to activate a new
subscription with a different phone number, requiring reprogramming of the phone, along with
the additional headaches that go along with phone number changes.
8.5.1. WHAT EXACTLY IS AUTHENTICATION?
Authentication is a mathematical process by which identical calculations are performed in both
the network and the mobile phone. These calculations use secret information (known as a "key")
preprogrammed into both the mobile phone and the network before service is activated. Cloners
typically have no access to this secret information (i.e., the key), and therefore cannot obtain the
same results from the calculations.
A legitimate mobile phone will produce the same calculated result as the network. The mobile
phone's result is sent to the network and compared with the network's results. If they match, the
phone is not a "clone."
8.5.2. ARE THESE METHODS EFFECTIVE?
Yes, for the most part. However, Authentication is the most robust and reliable method for
preventing cloning fraud and it is the only industry "standard" method for eliminating cloning.
The fact that it is standardized means that all mobile telecommunications networks using IS-41
can support Authentication. There is no need to add proprietary equipment, software, or
communications protocols to the networks to prevent cloning fraud.
IS MY PHONE AUTHENTICATION CAPABLE?
If the phone supports TDMA or CDMA digital radio, then yes. Otherwise, it depends on how old
the phone is and the make and model. Almost all phones manufactured since the beginning of
1996 support the Authentication function. The best bet is to check with your service
9. ROLE OF SERVICE PROVIDER TO COMBAT CLONING FRAUD
Service providers use many methods such as RF Fingerprinting, subscriber behavior profiling, and
Authentication. RF Fingerprinting is a method to uniquely identify mobile phones based on
certain unique radio frequency transmission characteristics that are essentially "fingerprints" of
the radio being used. Subscriber behavior profiling is used to predict possible fraudulent use of
mobile service based on the types of calls previously made by the subscriber.
Calls that are not typical of the subscriber's past usage are flagged as potentially fraudulent and
appropriate actions can be taken.
Authentication has advantages over these technologies in that it is the only industry standardized
procedure that is transparent to the user, a technology that can effectively combat roamer fraud,
and is a prevention system as opposed to a detection system.
9.1. INTERIM STANDARD NO. 41
IS-41(Interim Standard No. 41) is a document prescribing standards for communications
between mobile networks. The standard was developed by the Telecommunications Industry
Association (TIA) and is used primarily throughout North America as well as many Latin
American countries and Asia.
The IS-41 network communications standard supports AMPS, NAMPS, TDMA, and
CDMA radio technologies. IS-41 is the standard that defines the methods for automatic roaming,
handoff between systems, and for performing Authentication.
9.2. IMPACT OF CLONING
Each year, the mobile phone industry loses millions of dollars in revenue because of the criminal
actions of persons who are able to reconfigure mobile phones so that their calls are billed to other
phones owned by innocent third persons. Often these cloned phones are used to place hundreds
of calls, often long distance, even to foreign countries, resulting in thousands of dollars in airtime
and long distance charges. Cellular telephone companies do not require their customers to pay
for any charges illegally made to their account, no matter how great the cost. But some portion of
the cost of these illegal telephone calls is passed along to cellular telephone consumers as a
whole.
Many criminals use cloned cellular telephones for illegal activities, because their calls are not
billed to them, and are therefore much more difficult to trace.
This phenomenon is especially prevalent in drug crimes. Drug dealers need to be in constant
contact with their sources of supply and their confederates on the streets. Traffickers acquire
cloned phones at a minimum cost, make dozens of calls, and then throw the phone away after as
little as a day's use. In the same way, criminals who pose a threat to our national security, such as
terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at
tracking their whereabouts.
9.3. ARE OUR CELL PHONES SECURED?
Too many users treat their mobile phones as gadgets rather than as business assets covered
by corporate security policy. Did you realize there's a lucrative black market in stolen and
"cloned" SIM cards? This is possible because SIMs are not network specific and, though tamper-
proof, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards
used in numerous phones, each feeding illegally off the same bill.
But there are locking mechanisms on the cellular phones that require a PIN to access the
phone. This would dissuade some attackers, foil others, but might not work against a well
financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but
there may be ways for sophisticated attackers to bypass it.
With the shift to GSM digital - which now covers almost the entire UK mobile sector - the
phone companies assure us that the bad old days are over. Mobile phones, they say, are secure
and privacy friendly.
This is not entirely true. While the amateur scanner menace has been largely exterminated,
there is now more potential than ever before for privacy invasion.
The alleged security of GSM relies on the myth that encryption - the mathematical
scrambling of our conversations - makes it impossible for anyone to intercept and understand
our words. And while this claim looks good on paper, it does not stand up to scrutiny.
The reality is that the encryption has deliberately been made insecure. Many encrypted calls
can therefore be intercepted and decrypted with a laptop computer.
Is the fixed telephone network safer than the mobile phone?
The answer is yes. In spite of this, the security functions which prevent eavesdropping and
unauthorized use are emphasized by the mobile phone companies. The existing mobile
communication networks are not safer than the fixed telephone networks. They only offer
protection against the new forms of abuse.
10. METHODS TO BAN CELL PHONE CLONING
Cellular operators in many countries have deployed various technologies to tackle this
menace. Some of them are as follows:
There's the Duplicate Detection Method where the network sees the same phone in
several places at the same time. Reactions include shutting them all off, so that the real
customer will contact the operator because he has lost the service he is paying for.
Velocity Trap is another test to check the situation, whereby the mobile phone seems
to be moving at impossible or most unlikely speeds. For example, if a call is first made in
Delhi, and five minutes later, another call is made but this time in Chennai, there must be
two phones with the same identity on the network.
Some operators also use Radio Frequency Fingerprinting, originally a military
technology. Even identical radio equipment has a distinguishing `fingerprint', so the
network software stores and compares fingerprints for all the phones that it sees. This
way, it will spot the clones with the same identity, but different fingerprints.
Usage Profiling is another way wherein profiles of customers' phone usage are kept,
and when discrepancies are noticed, the customer is contacted. For example, if a
customer normally makes only local network calls but is suddenly placing calls to foreign
countries for hours of airtime, it indicates a possible clone. On the other hand, the
consumers can check regularly the unbilled amount details. Users with ILD facility need
to be more careful as fraudsters attempt to make as many international calls as possible
within a short time due to fear of getting caught. Since ILD rates are higher than other
calls, fraudsters try to derive maximum benefits in the shortest time.
If your cellular service company offers Personal Identification Numbers (PIN),
consider using it. Although cellular PIN services are cumbersome and require that you
input your PIN for every call, they are an effective means of thwarting cloning.
The Central Forensic Laboratory at Hyderabad has developed software to detect cloned
mobile phones. The laboratory helped Delhi Police identify two such cloned mobile
phones recovered recently. Called the Speaker Identification Technique, the
software enables one to recognize the voice of a person by acoustics analysis, using a
computerized speech laboratory machine. For the process, developed by Dr S.K. Jain, a
voice sample of four seconds is adequate for an accurate result.
The best detection measure available in CDMA today is the A Key Feature. The A
key is a secret 20 digit number unique to the handset given by the manufacturer to the
service provider only. This number is loaded in the Authentication Center for each
mobile. As this number is not displayed in mobile parameters this cannot be copied.
Whenever the call is originated / terminated from a mobile with authentication active, the
network checks for the originality of the set using this secret key. If the data matches at
both mobile and network end the call is allowed to go through otherwise it is dropped.
Avoid using your cellular telephone within several miles of the airport, stadium, mall, or
other heavy traffic locations. These are areas where radio hobbyists use scanners for
random monitoring. If they come across an interesting conversation, your number may be
marked for regular selective monitoring.
However, all these methods are only good at detecting cloning, not preventing damage. A
better solution is to add authentication to the system. But this requires upgrades to users'
and operators' equipment before they can be used.
10.1. WHAT CAN BE DONE?
With technically sophisticated thieves, customers are relatively helpless against cellular phone
fraud. Usually they become aware of the fraud only on receiving their phone bill.
Service providers have adopted certain measures to prevent cellular fraud. These include
encryption, blocking, blacklisting, user verification and traffic analysis: Encryption is regarded
as the most effective way to prevent cellular fraud as it prevents eavesdropping on cellular calls
and makes it nearly impossible for thieves to steal Electronic Serial Number (ESN) and
Personal Identification Number (PIN) pairs. Blocking is used by service providers to protect
themselves from high risk callers. For example, international calls can be made only with prior
approval. In some countries only users with major credit cards and good credit ratings are
allowed to make long distance calls.
Blacklisting of stolen phones is another mechanism to prevent unauthorized use. An
Equipment Identity Register (EIR) enables network operators to disable stolen cellular
phones on networks around the world.
User verification using Personal Identification Number (PIN) codes is one method for
customer protection against cellular phone fraud.
Tests conducted in the United States found that having a PIN code reduced fraud
by more than 80%.
Traffic analysis detects cellular fraud by using artificial intelligence software to detect
suspicious calling patterns, such as a sudden increase in the length of calls or a sudden
increase in the number of international calls.
The software also determines whether it is physically possible for the subscriber to be
making a call from a current location, based on the location and time of the previous call.
Currently, South Africa’s two service providers, MTN and Vodacom, use traffic analysis
with the International Mobile Equipment Identity (IMEI) — a 15 digit number which acts as
a unique identifier and is usually printed on the back of the phone underneath the battery —
to trace stolen phones.
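The Duplicate Detection, Velocity Trap and Usage Profiling checks of section 10, together with the "physically possible to be at this location" test of the traffic analysis described in section 10.1, as an added example that is not the report's or any operator's code. It runs over constructed call records; the city coordinates are approximate and the 300 km/h speed threshold is an assumption.

```python
"""Clone detection over call records (sections 10 and 10.1). Added example, not
the report's code: SITES holds approximate city coordinates standing in for cell
sites, MAX_SPEED_KMH is an assumed threshold, and the records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SITES = {"Delhi": (28.61, 77.21), "Chennai": (13.08, 80.27), "Mumbai": (19.08, 72.88)}
MAX_SPEED_KMH = 300.0  # assumed fastest plausible travel between consecutive calls


@dataclass
class CallRecord:
    identity: str       # the ESN/MIN pair the network saw, as one string
    site: str           # cell site that carried the call
    start: datetime
    end: datetime
    international: bool


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _calls_by_identity(records):
    by_id = {}
    for r in records:
        by_id.setdefault(r.identity, []).append(r)
    for calls in by_id.values():
        calls.sort(key=lambda r: r.start)
    return by_id


def find_duplicates(records):
    """Duplicate Detection: the same identity carrying calls at two sites at once."""
    alerts = []
    for ident, calls in _calls_by_identity(records).items():
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if b.start < a.end and a.site != b.site:
                    alerts.append(("duplicate", ident, a.site, b.site))
    return alerts


def velocity_trap(records, max_kmh=MAX_SPEED_KMH):
    """Velocity Trap: consecutive calls whose sites imply an impossible travel speed."""
    alerts = []
    for ident, calls in _calls_by_identity(records).items():
        for prev, cur in zip(calls, calls[1:]):
            if prev.site == cur.site:
                continue
            # Overlapping calls leave no travel time at all; floor the gap at one second.
            gap_h = max((cur.start - prev.end).total_seconds(), 1.0) / 3600.0
            speed = distance_km(SITES[prev.site], SITES[cur.site]) / gap_h
            if speed > max_kmh:
                alerts.append(("velocity", ident, prev.site, cur.site, round(speed)))
    return alerts


def usage_profile(records, baseline_intl_calls=0):
    """Usage Profiling: identities whose international call count exceeds their baseline."""
    counts = {}
    for r in records:
        if r.international:
            counts[r.identity] = counts.get(r.identity, 0) + 1
    return [("profile", ident, n) for ident, n in counts.items() if n > baseline_intl_calls]


def sample_records():
    """Constructed records: sub-A shows the Delhi/Chennai pattern from the report, sub-B is normal."""
    t0 = datetime(2024, 1, 1, 9, 0)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    return [
        CallRecord("sub-A", "Delhi", at(0), at(3), False),
        CallRecord("sub-A", "Chennai", at(5), at(8), True),   # ~1,750 km away, five minutes later
        CallRecord("sub-A", "Delhi", at(6), at(7), False),    # overlaps the Chennai call
        CallRecord("sub-B", "Mumbai", at(0), at(2), False),
        CallRecord("sub-B", "Mumbai", at(30), at(31), False),
    ]
```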
Other warning signs that subscribers should watch out for to detect fraudulent activity include:
Frequent wrong number phone calls to your phone, or hang-ups.
Difficulty in placing outgoing calls.
Difficulty in retrieving voice mail messages.
Incoming calls constantly receiving busy signals or wrong numbers.
Unusual calls appearing on your phone bills.
10.2. SOME FACTS AND FIGURES
Southwestern Bell claims wireless fraud costs the industry $650 million each year in the
US. Some federal agents in the US have called phone cloning an especially `popular'
crime because it is hard to trace. In one case, more than 1,500 telephone calls were placed
in a single day by cellular phone thieves using the number of a single unsuspecting
owner.
A Home Office report in 2002 revealed that in London around 3,000 mobile phones were
stolen in one month alone which were used for cell phone cloning.
Authorities, in the case, estimated the loss at $3,000 to $4,000 for each number used in
cell phone cloning.
According to a school of thought, the Telecom Regulatory Authority of India (TRAI)
should issue a directive, which holds the operators responsible for duplications of mobile
phones.
Qualcomm, which develops CDMA technology globally, says each instance of mobile
hacking is different and therefore there is very little an operator can do to prevent hacking. "It's
like a virus hitting the computer. The software which is used to hack into the network is
different, so operators can only keep upgrading their security firewall as and when the hackers
strike," says a Qualcomm executive.
11. FUTURE THREATS
Resolving subscriber fraud can be a long and difficult process for the victim. It may take time
to discover that subscriber fraud has occurred and an even longer time to prove that you did not
incur the debts. As described in this article there are many ways to abuse telecommunication
systems, and to prevent abuse from occurring it is absolutely necessary to check the weaknesses
and vulnerabilities of existing telecom systems. If it is planned to invest in new telecom
equipment, a security plan should be made and the system tested before being implemented. It is
therefore mandatory to keep in mind that a technique which is described as safe today can be the
most insecure technique in the future.
12. CONCLUSION
Existing cellular systems have a number of potential weaknesses that were considered. It is
crucial that businesses and staff take mobile phone security seriously.
Awareness and a few sensible precautions as part of the overall enterprise security policy will
deter all but the most sophisticated criminal. It is also mandatory to keep in mind that a technique
which is described as safe today can be the most insecure technique in the future. Therefore it
is absolutely important to check the function of a security system once a year and if necessary
update or replace it. Finally, cell phones have to go a long way in security before they can be
used in critical applications like m-commerce.