Trew & Co MOBILE TELEPHONE EVIDENCE

Trew & Co ICT specialist: GSM Mobile Phone & SIM Card forensic examination & expert evidence

SPECIAL ISSUE: B/2002
CLONING SIM CARDS
• Overview of cloning
• Sources for SIM
• Cloning tools availability
• A review of cloning technique

Trew & Co/Trew MTE [email protected]


________________________________________________________________________

Overview of Cloning - A Perspective. Report by Greg Smith

Welcome to this Special Issue edition of Trew MTE relating to Cloning of SIM. This edition of Trew MTE is published only for the purpose of research and it is not intended that readers enter into cloning SIMs. Readers should have regard to national laws and Trew & Co, its editor and Trew MTE do not accept or agree expressly or implied responsibility in relation to how readers use the information contained herein.

The information in this issue was discovered on the Internet (in the public domain) and where possible the source of such discovery is identified. It is up to the reader to research further in order to comprehend each issue.

This issue does not recommend installing programmes that have been identified during the research nor is it possible to indicate how such programmes might affect your computer. Hope you find the research of interest.

Trew MTE is an electronic publication for those involved with mobile telephone examination or for those who have an interest in the evidence obtained following data acquisition. Views expressed in articles by the authors are not necessarily those of the editor or Trew & Co. If you have something to say or you would care to write an article for MTE please send an electronic copy along with any photos (JPG, GIF etc) to Greg Smith email address: <[email protected]>

Special Issue A/2002 looked at cloning of GSM digital mobile telephones and the multi-million pounds market that has been created in its wake. Cloning of GSM digital mobile telephones was thought of as a phenomenon, at its inception, but now is so common that it hardly seems newsworthy any more. SIM (Subscriber Identity Module) cloning is the latest phenomenon and potentially, in financial terms, may go well beyond the multi-million pounds mobile telephone cloning industry. So what is SIM cloning?

The abstract conceptualisation of cloning comprehended by most people is that of "duplication" of original information and so it may appear patronising and rather trite for this article to start extrapolating a semantic view of the word 'cloning'. It is relevant though to briefly review the issue of cloning in context with GSM SIMs.

In April 1998 the Smartcard Developers Association (SDA) and two U.C. Berkeley researchers jointly announced, following examination of GSM security for SIM, the discovery, after a day's examination, of a fatal cryptographic flaw in COMP128, the algorithm used to protect the identity inside the SIM. In order to protect the identity the SIM needs to keep its secret authentication key (Ki) secure. See diagram below. SDA developed a system to exploit the flaw by repeatedly asking (150.000 RAND challenges) the SIM to identify itself. By processing the responses from arguments presented to it (A8 algorithm), they were able to extract the secret from inside the SIM. The SDA candidly suggested that no practical over-the-air (OTA) attack was yet known, but such an attack could not be ruled out in the future. The reality of their findings though is that once in possession of a SIM, cloning could be possible.

The release of the security flaw discovery into the public domain generated reports in the various media, all around the world. Industry responded to allay fears and reassure users with respect to GSM's authentication security. One proposition mooted was that the time and expense it would take to clone just one SIM made it unlikely to see a spawning of cloning factories. This flawed thinking though was an under-estimation of the hacking community, which rose to the challenge. Since 2000 there have been increasing discussions in the hacking web newsgroups and bulletin boards about SIM readers and writers. We are now seeing in 2002 a host of websites selling SIM cloning hardware and software. Moreover, some websites now publish dummies guides to SIM cloning, one of which is included in the discussion in this report.

Trew MTE Special INDEX No: B/2002

Greg Smith, editor of Trew MTE. Principal consulting forensic engineer, Trew & Co. Chief Training Officer, Trew MTE.

________________________________________________________________________

WHAT'S INSIDE: Cloning SIM Cards
Greg Smith, Consulting Forensic Engineer

SOURCES OF SIM

A necessary commodity for those involved with SIM cloning is the obtaining of SIM cards for practise and to produce workable cloned SIMs. As an observation, there appear to be many places original SIMs can be obtained. Places such as dustbins where old mobiles and SIMs have been thrown away. It is recalled that sometime back Kings Cross was an area where discarded mobiles could be found in alleys and other areas frequented by passers-through. Road sweepers were picking up, so the gossip went, sometimes 100 discarded mobiles and SIMs a week.

Recycling for environmental and manufacturing purposes appears another area where vast quantities of mobiles/SIMs may be obtained. Many stores and organisations operate mobile phone recycling collection facilities apparently as £35.00 per handset can be reclaimed. It is not clear whether all mobiles/SIMs that are collected are actually returned to manufacturers or recycling plants. Also "Lost and Found" (Railways and Taxi firms) is another source. Theft of mobile/SIM is yet another.

Whatever the source for collecting original SIMs, there is still the requirement of obtaining SIMs needed for programming (cloning). When researching for sources that sold SIMs, it was not clear how the distributors themselves obtained the SIMs, whether purchased directly from manufacturers, through distribution chains or from cleansing and refurbishment of old SIMs.

Internet searches produced some interesting results for Goldwafer and Silverwafer Cards produced by Far East sources, such as Taiwan and China, and European sources, which suggested Spain and Germany. Gold Wafer Cards were offered @ US$5 and Silver Wafer cards @ US$15.

It is the fact of availability of programming tools and Cards that is precisely the issue being addressed at the beginning of this article: that SIM cloning could well extend financially as an industry well beyond the industry created for cloning mobile telephones.

________________________________________________________________________

CLONING TOOLS AVAILABILITY

Discovery of websites on the Internet selling SIM cloning tools was in fact quite a surprisingly easy research task to perform. The websites ranged from auction (bidding) sites, to distributors and manufacturers sites. The cost of the cloning tools ranged from 35 Euros to 57 Euros.

Interestingly the functional capability of the tools was a surprising factor also. For example, the blurb by one supplier stated:

"SIMCARD8 is a preprogrammed simcard that allow to store or make a backup of 8 different mobile phone sim cards in only 1 simcard. You will need to know IMSI and Ki codes of every simcard that you want to make backup. IMSI and Ki codes are the codes that identify a simcard at your network provider, this codes are encrypted at your original simcard, to find out your will need our SIM-MASTER card reader/writer." [http://ucables.com/ref/SIMCARD8]

Text and images reproduced are as recorded from some web sites. Source web site URL: http://ucables.com/ref/SIM-MASTER

Features:
• Support for 8 different provider names on the same card
• PIN security management like original SIM cards. (3 PIN attempts + 10 PUK attempts)
• Storage capacity between 125 and 250 phonebook entries (0 to 125 in EEPROM and 125 on FLASH)
• SMS storage capacity configurable from 20 to 40 SMS
• Individual SMS centre number for each of the 8 phone numbers
• Storage of 10 last dialled numbers (Used only on some mobile brands)
• Support for NOKIA, SIEMENS, ALCATEL, PHILIPS, ERICSSON, MOTOROLA, MAXON, PANASONIC, MITSUBISHI, NEC, SAMSUNG mobile phones. Be sure that your phone is unlocked, to be sure that SIMCARD8 will be accepted at your mobile phone.
• SIMEMU management through mobile menus.
• Change mobile phone number without turning off mobile phone (this option is not compatible with all mobile phones)
• Selection of the ratio of SMS/Phonebook entries in the mobile itself

A fascinating part during research on SIM cloning was noting the packaging and point-of-sale presentation of the tools. The SIM-MASTER referred to above gave the illustration and feature description suggesting that there was a high demand for such a product and that point-of-sale presentation was as a result of mass-production. If this product were not mass-produced it would appear an expensive way of selling these tools to a low-demand market.

Features:
• Compatible with all GSM Cellular phones
• Edit your phone book in your PC
• Edit SMS short messages in your PC
• Read IMSI and Ki codes of GSM simcards, very useful to use with our new SIMCARD8 to make simcard backups
• Edit and Change the personal ringtone for motorola cellular phone (Send as SMS function support needed. ex. V8088, V7689)
• GSM SIM PIN code management
• Connect to Serial port (RS-232), no need external power
• Built-in hundreds of Midi ringtone for Ring Tone editing.
• Copy and Backup phone book and SMS messages between your SIM cards.
• Convenience sorting functions
• Read IMSI and Ki codes from SIM Card with SIM-BACKUP or SIMscan 1.21

________________________________________________________________________


A REVIEW OF CLONING TECHNIQUE

The possibility that SIM cloning could be achieved by use of just two pieces of tooling (as above) is perhaps not the case. This is sharply brought into perspective when researching the issue of how one website believes cloning could be applied in practise. The website discovered illustrated that in fact six tools were required, suggesting a ring of truth about the claims made at the site, as the author of the SIM cloning guide encouraged would-be cloners to use free software and provided the means to get the software from the site. Most hackers or cloners want to do the job at minimal cost to them by getting everyone else to pay for it.

The site was offering for sale SIM readers and writers but equally offered schematics from which a cloner could build each device. The following is a website's 10 easy steps practical guide to cloning SIMs. The comments in square brackets [" "] are those of the author, indicating websites where the tools or components can be found or simply making an observation.

GSM SIM Cloning for Dummies

This guide will help you "clone" your GSM SIM card and make unlimited copies of it by using either Gold Wafer Cards or 16F84a + 24C16 DIL. [Have a look at website http://www.wafer-cards.com or http://www.anytimenow.com]

The "cloned" SIM card will work just like the original meaning you can make a call, send an SMS, manage phonebook and SMS messages too. You can use the "cloned" SIM and the original SIM simultaneously meaning both of your SIMs will have network and both can send SMS at the same time.

However, only one of the active SIMs can make a phone call at any time. Simultaneous calls are not allowed because the call will immediately be disconnected by your Network Provider. Regarding receiving SMS from other people, only one of the SIMs will receive the message. This is a "first-come-first-serve" basis and no bias is given to the original SIM. Obviously, the bills for the "cloned" SIM will also be reflected to the bills of the original SIM. Not all phones accept "cloned" SIMs.

The Nokia 9210 rejects cloned SIMs as well as most new 3G phones (and even some old ones...). Not all original SIMs can be "cloned" because "cloning" requires that you should extract the Ki and IMSI from the original SIM and today the new GSM SIM cards are built with tougher protection algorithms. You may be able to get the Ki and the IMSI, but it will take you at least 8 hours for the latest SIMs. It could even take days... [The length of time to extract Ki ranged from 10 minutes to 4-8 hours. It could be some websites exaggerated the capability of equipment available from them. However, a common statement was 8 hours. See http://nokiafree.org and search for Nokia Flask Reverse Engineering > Hardware > SIM Cloning > Cloning]

________________________________________________________________________


10 easy steps to 'clone' your GSM SIM! Let us begin... (This is only applicable to Goldwafer Cards not to Silverwafer Cards)

STEP 1 - Download software from the Internet:
SIM Scan 1.21 by Dejan Kaljevic [http://www.anytimenow.com]
TwinSim 1.0 by lotfi17 [http://www.anytimenow.com]
IC-Prog 1.04 by Bonny Gijzen [http://www.ic.prog.com/icprog.zip]
WinPhoenix 1.06 by Paul Arnold and Joos [http://www.anytimenow.com]
WinPhoenix EEPROM Loader [http://www.anytimenow.com]
HEX to BIN Converter [http://www.anytimenow.com]

STEP 2 - Building your own GSM SIM Reader/Writer Hardware
SIM Reader = SIM SCAN - Smart Mouse Compatible - Schematics [http://www.anytimenow.com]
SIM Writer = JDM Programmer - Schematics [http://www.anytimenow.com]
/\/\/\/\ Don't have time to build this? Buy ready-made here. /\/\/\/\ [http://www.anytimenow.com]

STEP 3 - Buying or making your own blank SIM cards
Make your own 16F84A + 24C16 DIL - Schematics [http://www.anytimenow.com]
/\/\/\/\ Don't have time to build this? Buy Goldwafer cards here. /\/\/\/\ [http://users.anytimenow.com/sid67b/GSMSIM3.htm]

STEP 4 - Getting the Ki and IMSI of the original SIM
Install Sim Scan 1.21 by running the install.bat file. Run and configure Sim Scan from the c:\sim_scan\setup.bat file.
Screen 1: Press Alt+Enter Key, then select the COM port where SIM Reader is connected. SIM Scan will not work properly unless it is maximised to full screen.

________________________________________________________________________


Screen 2: Select baud rate (choose 9600 bps 3.57 Mhz) [The baud rate should be considered in relation to the SIM functionality and the device reading the SIM. For example, at [http://users.anytimenow.com/sid67b/GSMSIM3.htm] it offers for sale the device called U-GSR Advanced ver 1.6 and states "U-GSR Advanced ver 1.6 is for advanced users who want to faster and better performance in cloning GSM SIMs. The Dual Resonator option lets you switch from 3.57Mhz or 6.00Mhz easily. Using the 6.00Mhz option, you will lessen the time it will take you to get the Ki and the IMSI by 50%!"]

Screen 3: Put original SIM card to SIM Reader and press Enter

________________________________________________________________________


Screen 4: Press 'F5' - Get IMSI and Ki. Sim Scan will automatically create par2.bin file as part of installation. This will take about 40 minutes on a fast computer. [Interestingly, the implied situation here is that obtaining IMSI and Ki takes 40 minutes, although such a time-duration conflicts with the 4hrs-8hrs or couple of days. It could be more likely that the reference here to 40 minutes refers to the installation of the program.]

Screen 5: Select 'F2' or 'F3' (Do not use 'F1' unless you know what you are doing.) 'F3' Retrieves 75% of SIMs even year 2001 GSM SIMs, but it is slow. 'F2' Retrieves 50% of SIMs even year 2001 GSM SIMs and it is faster. /\/\/\/\ If the Ki and IMSI cannot be retrieved using 'F2', you can switch to 'F3' /\/\/\/\

________________________________________________________________________


The process of getting the Ki and the IMSI from the original SIM usually takes from 4 hours to 3 days depending on the type of GSM SIM. You can exit at any time and you can resume whenever you want. Sim Scan will start from where you last finished. After the Ki and the IMSI have been retrieved, a file named c:\Imsi_ki.dat will be created and by using Notepad to open it you will see similar to the screen below.

Step 5 - Creating the HEX files for the "clone" SIM
Run TwinSim 1.0 and select 'Single-Sim' then input the Ki and the IMSI that you got from the original SIM. For 'PIN' enter any 4 digits and for 'PUC' enter any 8 digits. After inputting all data needed, click 'Generate Picfile' and 'Generate Epromfile' then exit the program. Two HEX files will be generated in the folder where TwinSim is located (pic16f84.hex + eprom.hex).

Step 6 - Converting the eeprom.hex to eeprom.bin
The eeprom.hex and hex2bin.exe files must be placed in the same directory. Run hex2bin.exe and copy the settings from the screen below. Now a new file 'eeprom.bin' will be created.

________________________________________________________________________


Step 7 - Burning the EEPROM Loader to the Goldwafer.
Run IC-Prog 1.04 and configure it to work with the SIM Writer which is JDM hardware. Choose 'Settings' --> 'Hardware' then choose the correct COM port where SIM Writer is connected.

After setting up the hardware, put the blank Goldcard into the SIM Writer and select 16F84A from the chip list.

________________________________________________________________________


Now load the 'Winphoenix Loader.hex' by selecting 'File' --> 'Open File'. After loading the file, click the program all button (the one with the thunder icon).

Step 8 - Burning the eeprom.bin to the Goldcard.
Put the Goldcard which you used from IC-Prog into the SIM Reader and then run WinPhoenix 1.06. Other versions of WinPhoenix might not work so make sure that you are using version 1.06. Configure the COM port where the SIM reader is connected. This can be done using 'File' --> 'Preferences' and selecting the 'General' Tab.

________________________________________________________________________


Select 'File' --> 'Load' and choose eeprom.bin.

Select 'Card' --> 'Program' and the eeprom.bin will be written to the Goldwafer's 24C16.

Step 9 - Burning the pic16f84.hex to the Goldwafer.
Put the Goldwafer into the SIM writer hardware and run IC-Prog 1.04 again. Follow the same steps as described in Step 7, but this time load the pic16f84.hex file instead. You can program this card with 'CP' enabled or disabled, it does not matter.

________________________________________________________________________


Step 10 - Testing the 'cloned' SIM in your phone.
Insert the 'cloned' SIM into your phone and enter the PIN code which you wrote earlier using the TwinSim 1.0 program. Wait for the phone to register to the Network and now you are done :) [The author of Cloning for Dummies (c) X-Shadow 2001 GSM Technology.]

OBSERVATIONS

The discussion above represents a small proportion of information discovered by way of searching the Internet. Cloning for Dummies and the tools identified above are accessible and available from the Internet. The discussion above does not represent all testing carried out by the author of this Special Issue report. The aim has been to highlight the growth in promotion of tools claiming that SIM cloning is possible and how it is done.

If the assertions made by the claims are correct then forensic examiners need to be aware of this and it is hoped this special issue helps to some degree.

The impact of this issue in relation to data acquisition from SIM cards might initially create concern as to what constitutes an original SIM and what constitutes a clone SIM. During SIM examination there may be some clues by reference to Gold Wafer and Silver Wafer cards. This could be relevant provided that the examiner is in possession of two cards with identical IMSI and Ki. Of course, some examples of things more obvious to look for would be:
• The printing on the card of the SIM might give some clues, e.g. who is the mobile network operator?
• The SSN (SIM Serial Number) and the ICCID (Integrated Circuit/s Card Identity) numbers. If they do not match, this could be another indicator in determining a clone.
• The plastic card material.
• The contact pads as to shape and design, colour and alloy material.
• Using SimiS, look at the Card Info Page and determine whether the SIMs produce identical information. The same analysis should be conducted with PhoneBase, if you use PhoneBase. The review should extend to all pages of information captured during data acquisition from SIM. The Cloning for Dummies guide itself gave a clue that two identical SIMs could contain different data. Here is one example: "Regarding receiving SMS from other people, only one of the SIMs will receive the message." The clues are there if time is given to considering what they are.
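As an added example (not part of the Trew MTE report nor of SimiS or PhoneBase), the Python below applies the examiner's checklist above to two SIM acquisition records: same IMSI with a differing ICCID, validity of the ICCID check digit (ITU-T E.118 ICCIDs end in a Luhn check digit), card body type, operator printing and the stored SMS that the guide says will diverge between an original and its clone. The SimRecord type, the exhibit labels and every IMSI, ICCID and message value are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimRecord:
    """One SIM acquisition record; all field values are constructed for the example."""
    label: str            # examiner's exhibit label
    imsi: str             # IMSI read from the card during acquisition
    iccid: str            # ICCID read from the card (E.118: last digit is a Luhn check digit)
    operator_print: str   # network operator name printed on the card body ("" if none)
    card_body: str        # "operator-issued", "gold wafer" or "silver wafer"
    sms_stored: tuple     # SMS present in SIM storage, as (sender, text) pairs


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for E.118 ICCIDs."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def compare_sims(a: SimRecord, b: SimRecord) -> list:
    """Apply the clone indicators from the checklist and return the findings in order."""
    findings = []
    if a.imsi == b.imsi:
        findings.append("same IMSI: both cards present the same subscription")
        if a.iccid != b.iccid:
            findings.append("ICCID differs for the same IMSI: one card is not the issued original")
    for rec in (a, b):
        if not luhn_valid(rec.iccid):
            findings.append(f"{rec.label}: ICCID fails the E.118 Luhn check digit")
        if rec.card_body != "operator-issued":
            findings.append(f"{rec.label}: {rec.card_body} card body, not an operator card")
    if a.operator_print != b.operator_print:
        findings.append("operator printing on the cards differs")
    only_a = set(a.sms_stored) - set(b.sms_stored)
    only_b = set(b.sms_stored) - set(a.sms_stored)
    if only_a or only_b:
        findings.append(f"stored SMS differ: {len(only_a)} only on {a.label}, "
                        f"{len(only_b)} only on {b.label}")
    return findings


# Constructed exhibits: an operator-issued card and a gold wafer card carrying the
# same IMSI (test-network MCC/MNC 001/01; every value here is made up).
ORIGINAL = SimRecord("exhibit A", "001010123456789", "8944110068431212344",
                     "ExampleNet", "operator-issued",
                     (("+44700000001", "meet at 5"), ("+44700000002", "call me")))
SUSPECT = SimRecord("exhibit B", "001010123456789", "8944110068431212340",
                    "", "gold wafer",
                    (("+44700000002", "call me"),))

if __name__ == "__main__":
    for line in compare_sims(ORIGINAL, SUSPECT):
        print("-", line)
```

Run against the two constructed exhibits the script reports six findings, the first being the shared IMSI and the last the SMS present only on the original card.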

It appears inevitable that consideration must be given to the evidential impact of this topic. During the Extended Mobile Telephone Evidence training course best endeavours will be made to include some discussion time on this topic.

Finally, readers should be aware that it is unclear at this stage whether cloning a SIM is a crime, where the person uses their own number (so to speak). There may be legal requirements too that might make cloning a SIM a civil wrong. IMSI, it is understood, is owned by the issuer and may be authorised only to be recorded into one SIM. It is suggested therefore that before any laboratory testing is carried out enquiries as to the legal implications and authorisation may need to be sought.