The Truth About SIM Card Cloning

Jan 12, 2023
1,085,586 views

There is much misinformation on the topic of SIM card cloning. This video shows the cloning process in detail, and answers the questions of when, how and what SIM card cloning actually is.
Help support the future of this channel using SuperThanks here on KZhead, or by subscribing on Patreon to help support this channel:
/ januscycle
GSM Cloning History
www.isaac.cs.berkeley.edu/isaa...
Nick Vs Networking on modern SIM card Authentication
nickvsnetworking.com/confiden...
Music:
Depeche Mode - Policy Of Truth (Eric Lymon Remix)

Comments
  • There have been some really great responses on possible alternative ways of getting your Ki number, including voltage glitching your SIM to get it to read out unintended memory addresses, physical extraction and/or reading the chip's die directly using a scanning electron microscope, or bribing an engineer working in your local network to access your Ki database entry. Wikipedia is a wonderful collaborative information resource. This video provides a quality example of the way collaborative effort promptly fixes these errors. I demonstrate the truth, and within just a couple of hours, editors rush in to check and fix the accuracy of Wikipedia. Keep up the great work everyone :)

    @JanusCycle 1 year ago
    • I have a query: is there a way to use a SIM card's functionality, such as internet, phone calls and SMS, on a PC with some kind of adapter? I have looked far and wide but can't find any SIM card adapter and software combo which can do this. Do you have any idea?

      @Redditard 1 year ago
    • I'm ancient, building tube amps and first pre-Windows interface time when so-called younger wonders aged 10-16😊 ("it's so simple", but the manufacturer trends to over button/dial were funny). Still most don't know why things work. I'm now entering that old-styled thinking patterns group of people. But A.I. winning on board games like Go is just unfairness towards human workings, a processor trying to navigate in a bowl of pea soup..... intuitive non-selfishness works better. Can that be progressing in a self-education AI situation in the near future?🤔 Sparks Mr youngster thinking again. Thanks for uploading this!

      @peeniewalli 1 year ago
    • @@Redditard there used to be some netbooks some time ago with built-in 3G modems and SIM card slots, so you could browse the internet or send SMS via mobile network (not sure about voice calls). Some USB 3G dongles from Huawei also allowed enabling voice features, but that was like 10 years ago.

      @KPbICMAH 1 year ago
    • @@KPbICMAH Yeah, but they aren't sold anymore; I did check.

      @Redditard 1 year ago
    • @@Redditard Yes, but your PC would need an antenna or other hardware capable of talking with mobile networks.

      @popoffs5273 1 year ago
  • The Phone Cloning Wikipedia page has been updated. Thank you to whoever did that so quickly, less than two hours after release!

    @JanusCycle 1 year ago
    • I still don't get it. So I have this SIM card. It's made of metal and plastic. How can I not plug it in and copy the data to another? It makes zero sense. Explain it to me.

      @slyceth 1 year ago
    • @@slyceth Sure thing, SIM cards have a little processor inside that does secret key authentication calculations. The software running on this processor also decides how to respond to requests to read the memory. It will never allow the secret key to be read out. The only way in theory to read the entire memory would be to bypass the processor. By directly extracting the internal silicon and reading the memory contents directly with an electron microscope or similar specialised equipment. This also destroys the original SIM card in the process.

      @JanusCycle 1 year ago
    • Dude, thank you for doing this video, although I would worry about the type of enemies you will make for posting it.. There was an Aussie politician who claimed his SIM was cloned about 5 years ago. I saw a radio show in Sydney then get US private investigator Ed Oppernan on their show to debunk the politician's claims in a phone interview. I was very vocal at the time, because I knew for a FACT they were lying to protect this flaw from being fixed and essentially throw this politician under the bus. What people need to realise, especially those who think that law enforcement should be allowed to do this because "nothing to hide, nothing to fear", is that anything the good guys have access to, the bad guys do too. How do I know? The son of a guy who was high up in the mafia had the hots for my girlfriend at the time. He was sending messed up messages to her pretending to be me. He was not spoofing my number because he could read her replies, and I changed my phone to make sure it wasn't my phone having remote access software running on it. We only realised why we were fighting, and she was sending me messages that made no sense, because we managed to catch him doing it when I had the day off work and we were together while he tried to send more abusive messages as me. As a side note - encryption matters. A government back door is a mafia back door. Imagine you were in the witness protection scheme and your private communication was being read by the wrong people. Or police records. Or private photos which can compromise people in positions of authority. Does Dan Andrews and other politicians frothing at the mouth about getting everyone jabbed make sense now? Encryption protects everyone, bad and good. The old trope of needing to catch pedophiles is BS, and they have many other means of doing that job that they should be adequately funding. Rant over, excellent video

      @dandeeteeyem2170 1 year ago
    • @@slyceth It's actually pretty simple. Computer to SIM card: "Gimme key". SIM card to computer: "No".

      @du42bz 1 year ago
    • Why didn't you do it yourself? That's what I do when I see something that's wrong on Wikipedia.

      @BrianG61UK 1 year ago
  • Pretty crazy seeing all this out in the open all these years later. I used to see a lot of this stuff and the systems Telstra used when I worked for them back in the day. Everything you said was correct.

    @fujitsubo3323 1 year ago
    • Everything everyone says is correct apparently. Christian channel commenters say that. Satanist channel commenters say that. Atheist cult channel commenters say that. Republican channels all say that. Democrat channels, libertarian channels, bigfoot sighting channels.... Channels that say: see where I'm getting with this, probably say that

      @ShawnJonesHellion 11 months ago
  • Typically, music on most educational / research videos is misplaced and annoying, IMO. You Sir...are the exception. Beautiful and brilliant song and version selection. Perfect application and execution. Thanks for making this video, the content was info I've been curious about for years. Depeche Mode was the cherry on top!

    @nickmashek840 1 year ago
    • Thank you, music is really important in life, and my videos :)

      @JanusCycle 1 year ago
    • I was waiting for the moment you described... I WAS DELIGHTED and slightly impressed as well.

      @Mjmikol 1 year ago
    • Though... the volume in the end track is kind of louder than the rest...

      @Mjmikol 1 year ago
    • @@JanusCycle what remix is that?

      @JKC40 1 year ago
    • @@JKC40 The Eric Lymon remix

      @JanusCycle 1 year ago
  • Amazing nostalgia trip :) Cloning SIMs to wafer or "12in1" cards was quite popular in the Balkans before multi-SIM phones came out. It was more convenient to restart your phone and select the active SIM with a code than juggling a few actual cards of different providers. Due to the 64k inquiry limit, it worked only on some cards of course. However there was a horror story that most of the phone repair shops (and enthusiasts) unknowingly used a "backdoored" version of Woron scan that was sending all the Ki numbers to some Russian hacker group that made the clones as well, and then used them to call ultra premium numbers they set up :)

    @batica81 1 year ago
    • Exactly, that happened.

      @MMC_Repair 1 year ago
    • A high tech version of what occasionally happens today, where a stranger who looks like a drug dealer will ask to use your phone, because he "lost" his, and then use it to make a deal. A kind of a 'burner phone' technique.

      @raylopez99 11 months ago
    • @@raylopez99 Not the same

      @MrAsddasdasda 6 months ago
    • Your part about the backdoored version of Woron scan will serve as my daily reminder to only use this sort of software in a virtual machine isolated from the Internet :)

      @counterleo 6 months ago
    • There is a lesson about the Russians in this. Learn it.

      @janikesina7813 4 months ago
  • Reminds me of the time when I used to play with SIM emulators. They used to run on a small microcontroller (a PIC variety). Gold cards, silver cards, wafer cards (and others) were usually used for decrypting the old analogue satellite pay TV, but could be used as clone phone cards in payphones and something called a yes-card (a fake bank card that used a flaw that meant it wasn't checked online) where you could enter any PIN on the PIN pad.

    @threeMetreJim 1 year ago
    • I remember those cards, but I didn't have a use for one so I have never tried them out. That payphone trick is quite sneaky.

      @JanusCycle 1 year ago
    • @@JanusCycle I've still got all the details and source code (as an historical artifact), but fully expect the vulnerable systems to have been hardened by now.

      @threeMetreJim 1 year ago
    • @@threeMetreJim Can you share your source code, maybe?

      @Veso266 1 year ago
    • I still have one of those. It lets you enter IMSI and Ki directly from the phone's "SIM menu", but on new phones that menu is half broken, so it only works properly on an old phone. It lets you create multiple "profiles" with pairs of IMSI and Ki and switch between them. On an old phone, switching worked even without needing to reboot the phone to reconnect to the new network. It worked for 2G and 3G without any issues, but for 4G it couldn't work because for 4G the algorithm was changed again and a 3rd code called "OPc" was added to make more "security through obscurity".

      @MRooodddvvv 1 year ago
    • FBI we got a suspect here... 🤣🤣🤣😅

      @mathiasjapri 1 year ago
  • Incredibly interesting, informative and entertaining! Your choice of music was nothing short of genius! Thank you for taking the time to put this together.

    @anthony4530 1 year ago
    • Glad you enjoyed :)

      @JanusCycle 1 year ago
  • Back in the day, Satellite TV access cards were hacked by 'glitching'. That's resetting the card, counting clock cycles, and then glitching the power supply. Repeated thousands of times (with variable parameters) until the card responded out of spec, and spilled its secrets, or (at the user end) allowed access to adjust the available channels.

    @JxH 1 year ago
    • So that's how they did it! Those clever pirates, selling those cards which would last a few months before having to be replaced...or so I'm told.

      @raylopez99 1 year ago
    • @@raylopez99 Once in a while, closer to a year. But sometimes the signal provider would issue a series of changes all in a row, and the hacked cards would be mailed back and forth more than being used. Later, one could buy a glitcher (serial or parallel port, long before USB) and subscribe to the new software from the pirate. I stopped before it became illegal in my jurisdiction. And I always maintained a local subscription to the local provider, in case that might mitigate things. House had up to four small dishes at one point.

      @JxH 1 year ago
    • @@JxH I remember my mom and dad buying those cards until they gave up because of having to change them every year or 6 months.

      @mickey7245 1 year ago
  • Oh I spent so much time back when I was young in the early 2000's playing with SIM cards, phone cards, SIM card emulators. I've built a serial port scanner, and used it with Dejan Kaljevic's software. Lots of fun. (R.I.P.)

    @worroSfOretsevraH 1 year ago
    • Dejan Kaljevic was the pioneer of phone hacking, and sad that he has passed. It's good to see him being mentioned.

      @JanusCycle 1 year ago
    • I was privileged to know him quite well. Godspeed, Den's hacking den...

      @slavisaasus 1 year ago
  • Thanks a lot mate! This was the question I had when I was a child, and I searched a lot for it.. Thank you for solving my childhood mystery!

    @morsine 1 year ago
    • @Liam Peanut your spammer is running an old script xD

      @morsine 11 months ago
  • Excellent video! Really interesting topic and you explained so well. Hope to see more content from you.

    @MrSmith_ 1 year ago
  • Your voice fits perfectly for the topic, an obscure, niche topic in the electronics enthusiast community. I remember my dad used to get gold cards from eBay back in the day and programmed them to work as a car wash card. The first time he tried it, the cashier said he had 50k on it. Can't imagine what went through his mind at that point.

    @jvinsnes 1 year ago
  • Your videos get better and better.

    @Budgiebrain994 1 year ago
  • Nice video. Interesting stuff. Apt music choice @ 4:38 - nice 👍 Would still like the option of having handsets with multiple SIMs, or at least two or more carriers in one SIM, so you can switch carriers for different rates or needs..

    @samwilliamson4715 1 year ago
    • That is exactly what I'm typing this on. Dual SIM phones are quite common if you search for them.

      @Hauketal 1 year ago
  • Great video! Your voice is very nice, the topic is very interesting (to me lol) and the demonstrations and explanations were really good. Keep up the great work!

    @luigigaminglp 1 year ago
  • This whole channel is magical - more videos on phreaking generally please

    @_____7704 1 year ago
  • It's been a long time, so I don't remember all the details, but I remember the days at Research In Motion developing the Tachyon, aka the BlackBerry 5810/20... It had a number of problems. An important one was that the SIM card slot was prone to bad electrical connections and static discharge. One (entirely temporary and never shipped IIRC) solution was to get the Ki and program it into the phone, so that the phone could emulate the SIM card rather than use it... It made the phone far more reliable. My memory was that it was possible to have the phone work out the Ki by passively gathering challenges, actively get it (which took a day or so if it didn't crash, and was tough on the battery), or asking nicely and getting it from the carrier. Our SIMs at work were weird special SIMs meant for testing and development, so the Ki's were not treated with the same care as normal SIMs. I think it's possible that they didn't have protected ROM on some of them, so if you had the right tools, you could just read the Ki off of it.

    @RichardBetel 1 year ago
  • Excellent video, content, narrating, presentation... everything! (And I especially loved that version of "Policy of Truth") Wishing you continued success with your YouTube channel! ~ Allen

    @awalden 9 months ago
    • Thank you Allen. I really enjoy making videos and I'm glad you enjoyed this one.

      @JanusCycle 9 months ago
  • What a cool channel. Real gem stumbled upon. The DM lyrics while bruting that poor SIM was hilarious. Subbed.

    @leodf1 1 year ago
    • It's a great song!

      @JanusCycle 1 year ago
  • I just have a basic knowledge of computer/phone devices, but I watched this video in full; even when the video actually ended at 11:44 I stayed on, listening to the song. Kudos, bro!

    @PredragKuzmanovic 1 year ago
    • Sometimes just seeing technology and hearing the descriptions, even when you don't understand it all can help you learn. When learning more things in the future you will remember bits and it will become easier. I'm really glad you enjoyed this. Thank you for watching.

      @JanusCycle 1 year ago
  • About 20 years ago a family friend claimed to be able to do this alongside hacking the cards in cable boxes and such. Of course, he wasn't open about his process, but some of the things he talked about were mentioned here. Maybe he wasn't actually doing anything, but it's neat to see he wasn't totally blowing smoke. He did eventually get caught up in a casino machine cheating scandal, so it's not hard to imagine he was up to something.

    @mikeyjohnson5888 1 year ago
    • The whole DirecTV smart card story was fun to read. The gist of it was them and hackers going back and forth for years until DTV started sending required card updates that appeared to have useless data, but once the last bytes were received, it turned into a program running on the card itself. Then a week before a Super Bowl (I think it was 2000 or 2001), they sent a command that bricked all hacked smart cards and set the first 8 bytes of the card to GAMEOVER.

      @EdwardJamesBickels 1 year ago
  • Very well explained, thank you! And nice music btw

    @lobsangbarriga5324 1 year ago
  • What a blast from the past. I was playing with this 20-30 years ago and it was really fun. One interesting thing was that the first mobile operator in my country didn't use Ki authentication for quite some time, and phone numbers were correlated with IMSI numbers, so you would be able to easily guess the IMSI number of any phone number and clone it.

    @grajzer 1 year ago
    • What was the correlation?

      @manp1039 1 year ago
    • @@manp1039 The differences between two phone numbers and their IMSI keys were the same :) So, if I wanted to "hijack" phone number 12345 and my phone number was 12300, I would just add 45 to my IMSI number.

      @grajzer 1 year ago
    • Wait... Are you THIS DEJAN?!

      @rodak_ 1 year ago
    • @@rodak_ You mean the guy who hacked this algo, Kaljević? No, but I knew him. He's no longer alive.

      @grajzer 1 year ago
    • @@grajzer I was referring to the guy who made the "Dejan flasher" for Nokia phones. Was he the same guy?

      @rodak_ 1 year ago
  • GLAD YOU ARE ON OUR SIDE THX

    @allstarsusa 3 months ago
  • I enjoyed that. That was very good. Over 20 years working on cell phones, building cell towers. Working on DTMF codes back in the early 70s and early 80s.

    @joelrggizmo1373 1 year ago
  • Speaking about SIM card vendors sending card data to mobile operators. I used to work for a GSM operator in one of the former Soviet republics in the early 2000s, being responsible for interaction with SIM makers, among other things. We used PGP for any sensitive information sent via email, but even if you did get the plain-text output files, you wouldn't get Ki from them, as it was additionally encrypted with a transport key (which was delivered separately and entered in the switch for decrypting the Ki information inside the AUC). Different keys were used for different SIM vendors (and sometimes several keys for the same vendor), and these were only referenced in the output files by their numbers, which means the actual Ki value was pretty much never available to anyone on the operator's side. I don't think this was much different in the UK or elsewhere, at least post-2000.

    @KPbICMAH 1 year ago
    • Interesting, thank you. Did you (op-side) have the transport keys in plain? Could you decrypt Ki outside the AUC using the transport key?

      @mustfit 1 year ago
    • @@mustfit No, the switch people received the transport keys and input them into the system. So in theory we could have cooperated with them on this.

      @KPbICMAH 1 year ago
    • Interesting, thank you again

      @mustfit 1 year ago
    • Back in my day we had tons of tricks, like kicking people off the internet. Seriously. That sounds so far off, like something a Bigfoot or religious follower would say, that no one today would even believe that was possible, I bet. I bet I could make a video about it claiming it still exists and the Bigfoot/ape evolution people would spread it like it's gospel.

      @ShawnJonesHellion 11 months ago
    • I'm really surprised it's not the mobile operator who writes those keys into blank cards from the manufacturer. It is even possible to order those blank cards from sellers online for cheap. And the process of writing keys is so simple and only requires basic USB card reader hardware that it could even be done at the operator's SIM card sales office.

      @MRooodddvvv 4 months ago
  • Love the Depeche Mode music when you put the second SIM card in for reading.

    @Ton4i 1 year ago
  • What a tune to select, bravo, more! I hope you have a LimeSDR Mini 2 on order for some TACS and LTE fun.

    @dodegkr 1 year ago
  • Would be interesting to see if you could run a low power GSM base station to get these devices online and play with this a bit more in depth.

    @JCLoony 1 year ago
    • You'd be surprised how expensive low-power GSM base stations are to buy/run. It isn't simply a matter of software; to handle 100s of simultaneous links they have to have extremely expensive clocks, and this is true even if there is only 1 subscriber, as the base station basically keeps time. Now I'm sure it's possible with a HackRF and a TCXO soldered into something somewhere, but it's not as easy as reading a card with a card reader unfortunately, unless you spend above $3000.

      @cannaroe1213 1 year ago
    • Sure, but OpenBTS with a cheap SDR would probably be enough for a local system to be set up. The main issue I see is managing the RF situation: can it be run low power legally, or would the room have to be turned into a Faraday cage first?

      @JCLoony 1 year ago
    • Some places keep Gen2 GSM running as the common fallback for later phones after their preferred protocol is shut down. So when 3G shuts down, the old 3G phones "roam" to the backup 2G net. Same for 4G.

      @johndododoe1411 1 year ago
  • One of my SIM cards (bought around 2003) was cloned over 10 years ago (same simmax 16-in-one), and it still works perfectly in 2G and 3G networks after all these years. No need to swap cards in my old phones :-) Just switch it on and it's ready to go! By the way, should I switch on more than one phone at the same time, they both (or all 3) can make calls, but only the last one online will receive the incoming call. However, I do not turn on more than one phone simultaneously.

    @Auberge79 1 year ago
    • It must be nice to have the convenience of cloned SIMs. And the last-one-online incoming calls is correct. Best to keep only one phone switched on :)

      @JanusCycle 1 year ago
    • The "what happens with two identical SIMs simultaneously on the network" question is a plot point in _Primer_ (2004), arguably the most convoluted time-travel movie ever. Now I know the answer to that, thanks. But I wonder, does the last-one-online rule still apply in the new SIM paradigm? For a network to assume there are no simultaneous duplicate subscribers seems... sloppy.

      @narfharder 1 year ago
    • I am guessing that your calls and the numbers you call are being monitored? And you may not be the only one with clones of the original SIM that you bought in 2003?

      @manp1039 1 year ago
    • Same here. Only issue is 4G not available.

      @MRooodddvvv 4 months ago
  • This video is a great case study in supply chain exploitation, with the points discussed from 9:47 onwards. Kinda like that one XKCD comic about encryption: rather than cracking a Ki, just social engineer and/or drug your way into the manufacturers, which is the path of far less resistance.

    @dimples282 8 months ago
  • Nice production and very clear explanation.

    @codebeat4192 1 year ago
  • Very interesting! I always wanted to know the details of how SIM cards worked. I actually built a SIM card reader when I was younger, but it just bricked the SIM cards; it must have been hitting the limit! However, as a teenager everyone at school had a Nokia 5110 (without SIM); you could enter a secret technician menu and change the phone number to a friend's phone number and then receive their text messages and calls! It only worked when you were on the same cell tower and was more of a funny prank, as it diverted calls and messages and their phone would stop working.

    @thetankie007 1 year ago
    • You may be referring to the AMPS/TDMA variants of the 5110. AMPS is notorious for being insecure, and that may have been the network standard used on the cellphone provider my dad complained about a few decades ago.

      @blakegriplingph 1 year ago
    • I remember having a TDMA/AMPS Ericsson phone and with some service codes you could even listen to calls from other people.

      @CapTVchilenaShootingStarMax 1 year ago
    • @@blakegriplingph Is your dad a revisionist or hacktivist?

      @anthonychilufya6580 1 year ago
    • That's hilarious, you must have seen a lot of sexting from the cheerleader team.

      @dan_youtube 1 year ago
  • The question is, as intriguing as it was, in some places SIM cards are sold more or less freely, like here in the Philippines, making burners and fraudulent calls easy; it wasn't until 2022 that mandatory SIM registration was enacted.

    @blakegriplingph 1 year ago
    • Whoa. That's hard to imagine having lived in Australia. Getting a new SIM has always been such a barrier that people were far less likely to swap prepaid carriers because of it.

      @HonestAuntyElle 1 year ago
    • @@HonestAuntyElle I'm in Croatia; you can still buy prepaid SIM cards without any kind of identification or registration, they're $3 or so. You can optionally register it with info that is not checked in any way, and in that case they send the $3 you paid for the card back to your prepaid account to use for calls.

      @kerozin520 1 year ago
    • @@kerozin520 In Hungary you have to register it, and they call it EU law.

      @loganmacgyver2625 1 year ago
    • Philippine law is shit. They made that law to lessen SMS scams, but there are still SMS scams, and now they have even become more convincing.

      @gameconsole9890 1 year ago
    • So even with registration, it is still possible to extract an eSIM profile and edit the info in such a way that you will get a new identity, and if that identity exists on the carrier server then it's easy as cake.

      @adriancoanda9227 1 year ago
  • The outro was so awesome! I almost missed it

    @lustsoul69 1 year ago
  • Thank you very much bro, for leaving the subtitles activated for the language in Spanish. Greetings from Colombia. ❤️‍🩹

    @JeffLovesShantae 1 year ago
    • Making subtitles is hard work. I'm glad you appreciate them. Thank you for letting me know.

      @JanusCycle 1 year ago
  • In a lot of places, SIM cloning is an insider job that is done by someone inside the phone company who has all the tools to "port" the number to a new SIM. These days it is a compromised human rather than hardware.

    @ckm-mkc 1 year ago
    • What motivation do people have to do it? That seems like a lot of effort to just... have a spare SIM? So there must be some other reason

      @circuit10 1 year ago
    • There are a number of reasons (surveillance is mentioned in the video), but a huge, more nefarious motivator is getting access to MFA security. Assuming you can get a user's account credentials through social engineering or other means, having access to their phone number to receive MFA verification codes can give you access to tons of sensitive information: government sites, bank accounts, web accounts, corporate resources, etc. Cellphones and their numbers are generally fairly secure; they are a separate, independently secured (sometimes through their own MFA security), physical object that also tends to be very important to the user, so people tend to keep them on hand, and they will be replaced quickly if lost. The best way to get around that security is to either get the SIM out of the phone, or use social engineering/bribing (made easier because of the information the criminal has already gathered about the victim) to manipulate an underpaid customer service worker to replace the SIM.

      @Ontrus 1 year ago
    • @@circuit10 The SIM "cloning" you may see on the news is just someone transferring a cell number to a new SIM; it may be a new SIM or a new cell company. This is so that someone is able to get an MFA code to allow them into your bank account.

      @JT-lq4yd 1 year ago
    • @@liampeanut1269 Scam

      @circuit10 11 months ago
    • The phone number is not stored in the SIM. The phone number is held in the HLR/HSS of the mobile network, and it is associated with the IMSI number of the SIM card. And the IMSI numbers are allocated in batches to each mobile network operator. So if you are trying to clone a SIM and use the SIM to get free phone calls, then you don't need to port a number from another SIM to the cloned SIM. Access to the mobile network is not granted to the mobile phone based on the mobile number; it's based on the IMSI number, which is held in the SIM card and in the HLR/HSS.

      @deang5622 5 months ago
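The "last one online receives the call" behaviour and the HLR mapping from phone number to IMSI described in the comments above, together with the point that a SIM answers challenges but never hands out Ki, as an added Python model that is not the video's code nor any operator's software; it assumes HMAC-SHA256 in place of the real A3/A8 (no COMP128 here), a constructed test-PLMN IMSI and number, and a made-up lifetime authentication counter:

```python
from __future__ import annotations

import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8: RAND + Ki -> SRES (4 bytes) and Kc (8 bytes).

    Assumption for this demo: HMAC-SHA256 replaces the operator's real
    algorithm. The property shown is the same: the SIM and the AuC each
    hold a copy of Ki and independently compute the same SRES.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """A SIM answers RUN GSM ALGORITHM challenges but never exports Ki."""

    def __init__(self, imsi: str, ki: bytes, auth_limit: int = 65536):
        self.imsi = imsi
        self._ki = ki                  # used only inside run_gsm_algorithm
        self.auth_count = 0
        # Assumed lifetime counter, modelled after the "64k inquiry limit"
        # mentioned in the comments; once exceeded the card stops answering.
        self.auth_limit = auth_limit

    def read_ki(self) -> bytes:
        # The card OS refuses: there is no readable file holding the key.
        raise PermissionError("Ki is not readable from the SIM")

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        if self.auth_count >= self.auth_limit:
            raise RuntimeError("authentication counter exhausted; card disabled")
        self.auth_count += 1
        return a3_a8(self._ki, rand)


class Network:
    """HLR/AuC side: IMSI -> (Ki, phone number), plus the device attached last."""

    def __init__(self) -> None:
        self.subscribers: dict[str, tuple[bytes, str]] = {}
        self.attached: dict[str, str] = {}   # imsi -> device that attached last

    def provision(self, imsi: str, ki: bytes, msisdn: str) -> None:
        self.subscribers[imsi] = (ki, msisdn)

    def attach(self, device: str, sim: Sim) -> bool:
        """Challenge the SIM; the latest successful attach becomes the call target."""
        if sim.imsi not in self.subscribers:
            return False
        ki, _ = self.subscribers[sim.imsi]
        rand = os.urandom(16)
        expected_sres, _ = a3_a8(ki, rand)    # AuC uses its own copy of Ki
        try:
            sres, _ = sim.run_gsm_algorithm(rand)
        except RuntimeError:
            return False
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.attached[sim.imsi] = device      # "last one online" wins
        return True

    def route_incoming(self, msisdn: str) -> str | None:
        """Incoming call: map number -> IMSI in the HLR, then to the attached device."""
        for imsi, (_, number) in self.subscribers.items():
            if number == msisdn:
                return self.attached.get(imsi)
        return None


def demo() -> dict:
    """Walk through the behaviours discussed in the comments and return what we saw."""
    imsi, number = "001010000000001", "+0000000001"   # constructed test-PLMN values
    ki = os.urandom(16)
    net = Network()
    net.provision(imsi, ki, number)
    original = Sim(imsi, ki, auth_limit=3)
    clone = Sim(imsi, ki, auth_limit=3)   # a clone needs Ki, not the original card
    out: dict = {}
    try:
        original.read_ki()
        out["ki_readable"] = True
    except PermissionError:
        out["ki_readable"] = False
    out["attach_a"] = net.attach("phone-A", original)
    out["route_after_a"] = net.route_incoming(number)   # phone-A
    out["attach_b"] = net.attach("phone-B", clone)
    out["route_after_b"] = net.route_incoming(number)   # phone-B: last one online
    out["wrong_ki_attach"] = net.attach("phone-C", Sim(imsi, os.urandom(16)))
    out["unknown_number"] = net.route_incoming("+0000000009")
    for _ in range(2):                 # original has used 1 of its 3 authentications
        net.attach("phone-A", original)
    out["exhausted"] = net.attach("phone-A", original) is False
    return out
```

Both phones can place calls while attached, but only the device recorded by the most recent attach is returned for an incoming call, which is exactly the behaviour the commenter observed.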
  • I knew some guys who kept a 2G tower unit in their bathroom and were slowly hacking it, I think they were able to span a little network of their own but they didn't run it very often. Perhaps you can find some enthusiasts like that where you live.

    @SianaGearz 1 year ago
    • Is the frequency for 2G unused by any other networks? I would have guessed that if the phone company had no use for it, the government would take back that frequency and offer it to other service providers. And if they did, and these rogue 2G towers were broadcasting on the airwaves.. they would eventually get identified; their broadcasts would potentially either be jamming the new legit devices using those frequencies and/or those new devices would jam the rogue 2G stations' broadcasts??

      @manp1039 1 year ago
    • @@manp1039 I'm hoping frequency reassignment is a SLOW process. And as long as no one complains, nobody investigates. Hush hush sort of business though; you don't show every stranger your bathroom if you have one of those.

      @SianaGearz 1 year ago
    • Nah, I live in the 13th largest city in the USA. They don't even know how to milk the cows on their farms in the USA. Back in the day I was like a space alien using computers. Today they still think only phones exist.

      @ShawnJonesHellion 11 months ago
    • LOL

      @MRooodddvvv 4 months ago
  • This is good info for someone looking into recovering info from an old phone that stored its SMS and contacts on the SIM card. Last time I went looking, there were lots of really sketchy products and software.

    @techwolflupindo 1 year ago
  • All these new kids with their videos on this topic are nice and dandy, but you're actually going in depth on some of the history and more practical attacks. Very nice.

    @exoqqen@exoqqen10 ай бұрын
    • Thank you

      @JanusCycle@JanusCycle10 ай бұрын
  • Back on 1G phones I was in school at the time, and with some friends we managed to get access to hidden menus in the phone and copied all these random digits into a different phone, and then when we called the number both phones rang! Could only answer one of them though as the other then stopped ringing. This was back when the call was basically not yet digital; if you went somewhere away from signal the voice started to go fuzzy like a walkie-talkie. Didn't take long for 2G phones and text messages to appear on the scene, at which point everything was digitally encrypted with the SIM.

    @NeonVisual@NeonVisual8 ай бұрын
  • Maybe this is why mobile operators are keen for you to have a new SIM whenever you get a new handset, even if you are retaining the same number with the same provider.

    @Paul-XCIV2@Paul-XCIV2 Жыл бұрын
  • This video answered more questions that I had, so I guess I know way more now than I did before starting the video

    @MrGrisha84@MrGrisha84 Жыл бұрын
    • Thanks for watching!

      @JanusCycle@JanusCycle Жыл бұрын
  • Learn something new every day, good video. Interesting and informative.

    @lawrencetalbot55@lawrencetalbot55 Жыл бұрын
  • I cloned my sim card years ago, I had a stk 8 in 1 sim that could have 8 numbers. I only ever used one and kept the original sim at home. It didn't take long either.

    @mickwolf1077@mickwolf1077 Жыл бұрын
  • I managed to accomplish a SIM clone back in the early noughties, and it was only possible to get the Ki on one out of about 10 SIM cards I tried, I think providers had added authentication limits to SIMs at that time (this was all done for legit purposes where we were developing a JavaCard application and no provider would give us a Ki unless we paid thousands and signed NDAs etc, so we DIY'd it in the end)

    @therealchayd@therealchayd Жыл бұрын
    • please my sim is still cloned, what do i do? my ex listens to my calls

      @temitopeadeleye9394@temitopeadeleye93945 ай бұрын
    • @@temitopeadeleye9394- Most likely it's not your sim cloned, but there's a spy app on your phone grabbing everything. Big difference.

      @BillAnt@BillAnt2 ай бұрын
  • Brief but perfect musical interlude!

    @k-vn-7@k-vn-7 Жыл бұрын
  • Absolutely fantastic ending. The music really fits the visuals.

    @stockwellengineeringhints3527@stockwellengineeringhints352711 ай бұрын
    • Thank you

      @JanusCycle@JanusCycle10 ай бұрын
  • I've done cloning years ago 😀 I'm talking about the year 2006, 2007. Nothing is new in this video for me, Anyway you've got a thumbs-up

    @pakfones@pakfones Жыл бұрын
    • Hello to an experienced SIM cloner! I'm glad you enjoyed the video :)

      @JanusCycle@JanusCycle Жыл бұрын
  • Our service provider can give up to 4 sim clones if requested with a small fee. I had 3 sims of the same number all working on different phones with 3G/4G simultaneously. This service started around 2 decades ago.

    @PHANTOmIND8@PHANTOmIND8 Жыл бұрын
    • Most probably those are not clones - just regular SIMs pinned to same number.

      @mrblc882@mrblc882 Жыл бұрын
    • What service provider and how would this work? Would all of the phones ring when that number was being called?

      @ANWA143@ANWA143 Жыл бұрын
    • @@ANWA143 service provider is STC in Saudi Arabia. You can send calls and messages from all sims but set one sim for receiving calls and you can switch the receiving to one sim at a time if you liked. Worked like a charm.

      @PHANTOmIND8@PHANTOmIND8 Жыл бұрын
    • @@PHANTOmIND8 that's incredibly unsafe; if someone gets your phone number you wouldn't even notice, as if someone SIM swaps a normal phone number the real user would lose signal

      @j90319@j90319 Жыл бұрын
  • I just love this cover song. Great work. Great content.

    @Beanso@Beanso Жыл бұрын
  • What a great video and great song to end it off with!!

    @ZED-PV@ZED-PV Жыл бұрын
  • You'd think they would have implemented simple rate limiting at the first sign of brute force attacks. Only allow a key attempt at most once a second.. maybe delayed even more if multiple are requested back to back. For normal use, this delay may never occur/be noticed. But that 40 minute attack might take days, weeks, or months, instead. Also, while I could understand some secret proprietary algorithm decades ago, anything in the past 10 years or so should be using established public key encryption, with SIM cards randomly generating their own private key and only exporting the public one. So nobody could amass everyone's keys, even if they wanted, since they would never be known to start with. Then you'd have to resort to glitching, side channel attacks, or more destructive means to try to get the key.

    @triularity@triularity Жыл бұрын
    • Even with the new stronger algorithms, including some sort of rate limiting should be easy to include and greatly add to the security. I don't know if they have done this, but your analysis is spot on.

      @JanusCycle@JanusCycle Жыл бұрын
    • SIM cards don't have real-time clocks so it would be hard to implement rate limiting.

      @ignorance72@ignorance728 ай бұрын
    • No, but one would have to power off the SIM and then back on, waiting for it to initialize again first. That is much slower than just hammering it constantly. Plus, it might be able to write a counter to persistent storage each time it fails, and then on power-up, it will have to wait a given amount before it will accept another attempt or clear the counter. It only needs to track accumulated run-time to delay.

      @triularity@triularity8 ай бұрын
    • ​@@JanusCycle- My assumption for not rate/time limiting is, if there's an unreliable network connection due to weak signal or interference, the requests/responses would need to be resent several times in order to connect. They could have imposed something like 10 non-limited requests per second then a 1 second pause which would slow down hacking attempts significantly. But the best protection is a longer key.

      @BillAnt@BillAnt5 ай бұрын
    • @@ignorance72 Couldn't it be done algorithmically? With an exponentially increasing number of empty loops between each failed attempt?

      @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
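The throttling scheme sketched in this thread (a burst of free attempts, then a growing gap enforced with a counter in the card's persistent memory rather than a real-time clock), as an added simulation that is not code from the video or from any real SIM; burst size, tick values and the HMAC stand-in for A3/A8 are constructed for the demo:

```python
"""Simulated SIM-side throttling of RUN GSM ALGORITHM without a real-time clock.

Added example, not code from the video or from any real SIM. The card cannot
measure wall-clock time, so it counts run-time "ticks" since power-up (clock
cycles or command count) and keeps a strike counter in non-volatile memory so
that power-cycling does not reset the penalty. Burst size, tick values and the
HMAC stand-in for A3/A8 are all constructed for the demo; COMP128 is not used.
"""
import hashlib
import hmac

BURST_LIMIT = 10        # authentications allowed freely per power-up
BASE_DELAY_TICKS = 100  # gap required between attempts once the burst is used
MAX_STRIKES = 12        # caps the exponential growth of the gap


class NonVolatileMemory:
    """Stand-in for the card's EEPROM: the strike counter survives power cycles."""

    def __init__(self) -> None:
        self.strikes = 0


class ThrottledSim:
    def __init__(self, ki: bytes, nvm: NonVolatileMemory) -> None:
        self._ki = ki          # the secret that must never leave the card
        self.nvm = nvm
        self.power_on()

    def power_on(self) -> None:
        self.ticks = 0
        self.last_accept_tick = 0
        # A card that has already recorded abuse gets no fresh burst: it has to
        # sit powered on for the full gap before it answers a single challenge.
        self.session_auths = BURST_LIMIT if self.nvm.strikes else 0

    def tick(self, n: int = 1) -> None:
        """Advance the run-time counter; it only passes while the card is powered."""
        self.ticks += n

    def required_gap(self) -> int:
        """Ticks that must separate two challenges; doubles with every strike."""
        return BASE_DELAY_TICKS << min(self.nvm.strikes, MAX_STRIKES)

    def run_gsm_algorithm(self, rand: bytes):
        """Answer a 16-byte RAND. Returns ('ok', sres) or ('throttled', None)."""
        if self.session_auths >= BURST_LIMIT:
            since = self.ticks - self.last_accept_tick
            if since < self.required_gap():
                # Too early: record a strike in EEPROM and refuse to compute.
                self.nvm.strikes = min(self.nvm.strikes + 1, MAX_STRIKES)
                return "throttled", None
            if self.nvm.strikes:
                self.nvm.strikes -= 1  # waiting the full gap earns one strike back
        self.session_auths += 1
        self.last_accept_tick = self.ticks
        sres = hmac.new(self._ki, rand, hashlib.sha256).digest()[:4]
        return "ok", sres


def normal_session(sim: ThrottledSim, n_auths: int, ticks_between: int) -> int:
    """A phone re-authenticating occasionally; returns how many calls succeeded."""
    ok = 0
    for i in range(n_auths):
        status, _ = sim.run_gsm_algorithm(bytes([i]) * 16)
        ok += status == "ok"
        sim.tick(ticks_between)
    return ok


def hammer(sim: ThrottledSim, attempts: int):
    """Chosen RANDs fired back to back, one tick apart; returns (accepted, throttled)."""
    accepted = throttled = 0
    for i in range(attempts):
        status, _ = sim.run_gsm_algorithm(i.to_bytes(16, "big"))
        if status == "ok":
            accepted += 1
        else:
            throttled += 1
        sim.tick(1)
    return accepted, throttled


def paced_attack_cost(sim: ThrottledSim, challenges: int) -> int:
    """Requester that backs off by the card's gap whenever refused; returns ticks spent."""
    for i in range(challenges):
        while True:
            status, _ = sim.run_gsm_algorithm(i.to_bytes(16, "big"))
            if status == "ok":
                break
            sim.tick(sim.required_gap())
    return sim.ticks


if __name__ == "__main__":
    ki = b"\x00" * 16  # constructed dummy key
    phone = ThrottledSim(ki, NonVolatileMemory())
    print("normal use:", normal_session(phone, 3, 5000), "of 3 accepted")
    sim = ThrottledSim(ki, NonVolatileMemory())
    print("hammering:", hammer(sim, 1000), "strikes =", sim.nvm.strikes)
    sim.power_on()
    print("after power cycle:", hammer(sim, 1000))
    print("ticks for 1000 paced challenges:",
          paced_attack_cost(ThrottledSim(ki, NonVolatileMemory()), 1000))
```

With these constants a phone that authenticates a few times per power-up never sees the throttle, while back-to-back requests get ten answers and then nothing, even across a power cycle; the floor on cost becomes the gap per challenge rather than the card's raw speed.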
  • There's potentially another way to read out the Ki No. from a SIM card: use an e-beam prober to read out the actual Flash memory in the SIM card. You need a lot of spare change to buy one, but I'm sure that's not much of a problem for a state owned spy agency. On your comment on Wikipedia being updated so quickly, actually virtually anybody can do that, so it was probably one of your regular viewers.

    @etmax1@etmax1 Жыл бұрын
    • Governments don't work that way usually, mate. Years ago they just mandated that providers, i.e. Telstra etc., provide unfettered access to agencies on request. Meaning at least 15 years ago when I worked for Telstra, they could see everything you did; imagine their capabilities now.

      @Steve211Ucdhihifvshi@Steve211Ucdhihifvshi Жыл бұрын
    • @@Steve211Ucdhihifvshi I think you've misunderstood what I was saying. It wasn't that state level actors do it, only that it is the sort of budget you need. Of course multinationals have more loose change than a lot of governments so clearly they can do it.

      @etmax1@etmax1 Жыл бұрын
    • So by literally viewing the hexdump of the flash memory? Wouldn't that contain the code that runs on the SIM processor as well that you'd have to disassemble to sort them out from the key and understand how the code retrieves the key? Are the processors used by SIM card documented?

      @EvilSapphireR@EvilSapphireR10 ай бұрын
    • @@EvilSapphireR I would suggest to you that it is all relatively easily achieved by a skilled operator. I once did a hex dump of a microcontroller's Flash and hand disassembled the whole thing (didn't have the disassembler, just the data book), created a flow chart of what it was doing, corrected a bug and then reassembled it all and programmed the device in 2 weeks. With the proper SW tools it would have been much easier. As to the documentation of the CPU, they all use off the shelf cores. Some companies do soft cores in an FPGA but that's not going to happen for a SIM card reader

      @etmax1@etmax110 ай бұрын
  • I like how you formally announce "We've reached the end of the video" . Great video, I have no interest in the subject matter, yet, watched the whole thing.

    @bikepacker9850@bikepacker9850 Жыл бұрын
  • I've just subscribed for the bit of music you used

    @DaftRebel@DaftRebel Жыл бұрын
  • Just like to point out that just because there is no "known" method to clone a modern SIM card; that doesn't mean certain people don't know how to do it. Just because something isn't widely spread, doesn't imply that there's no way to do that thing. I'm sure you can't find any information on copying a government issued form of ID, but it does happen.

    @MrCrazyGameGuy@MrCrazyGameGuy8 ай бұрын
    • You make a good point, there is a dark web out there.

      @JanusCycle@JanusCycle8 ай бұрын
  • nice video and nice music. Remember ages back reading about how SIM cards were essentially little CPUs rather than things that simply store data, so cloning was impossible. Didn't know there was a way to mathematically brute force what they were doing but I guess it makes sense. I now see why governments are so upset about encrypted chat programs. Guess they lost their favourite toy.

    @WistrelChianti@WistrelChianti Жыл бұрын
    • They are microcontrollers, yes, but they do have memory containing the required executable code and keys, so it's absolutely not impossible to read them out.

      @gayusschwulius8490@gayusschwulius8490 Жыл бұрын
    • If they worked, they would be illegal.

      @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
  • Awesome stuff. Can you do a video explaining how these devices worked that let carrier locked phones work on other networks? I remember using different ones but I guess I didn't bother looking how they worked exactly.

    @deeiks12@deeiks12 Жыл бұрын
  • Amazing channel. So glad I found it!

    @silvian-nicolaeobrete1185@silvian-nicolaeobrete11855 ай бұрын
    • cool, thank you :)

      @JanusCycle@JanusCycle5 ай бұрын
  • In this context I'm interested in how the eSIM affects this. How does the Ki value get into the eSIM without being able to be intercepted, assuming the owner of the eSIM phone is interested in cloning his Ki value to use on more devices? BTW 90 00 is not only for SIM cards but generally for PC/SC smart cards and means "command successful". Error messages start with a 6 in hexadecimal, which is not only flipping the digit glyph, but also its bit representation.

    @mihiguy@mihiguy Жыл бұрын
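The status-word point above (90 00 as the generic ISO 7816 success code, 6x xx as errors) together with the GSM 11.11 codes a SIM returns around RUN GSM ALGORITHM, as an added decoder that is not code from the video; the response bytes it parses are constructed:

```python
"""Decoder for the SW1 SW2 status word that ends every SIM response APDU.

Added example, not code from the video. It covers the generic ISO 7816-4 codes
('90 00' = success, '6x xx' = error) and the GSM 11.11 codes a SIM returns
during authentication ('9F xx' = xx bytes of response data waiting for GET
RESPONSE, '98 xx' = CHV/access errors). Code meanings are taken from the
public ISO 7816-4 and GSM 11.11 specifications; the captured response bytes
at the bottom are constructed for the demo.
"""

ISO_EXACT = {
    0x9000: "success",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6A82: "file not found",
    0x6A86: "incorrect parameters P1-P2",
    0x6A88: "referenced data not found",
}

GSM_EXACT = {
    0x9400: "no EF selected",
    0x9402: "out of range (invalid address)",
    0x9404: "file ID or pattern not found",
    0x9802: "no CHV initialised",
    0x9804: "access condition not fulfilled or CHV verification failed, attempts left",
    0x9808: "in contradiction with CHV status",
    0x9810: "in contradiction with invalidation status",
    0x9840: "CHV verification failed, no attempt left (CHV blocked)",
    0x9850: "increase cannot be performed, max value reached",
}

GSM_SW1_ONLY = {
    0x67: "incorrect parameter P3 (length)",
    0x6B: "incorrect parameter P1 or P2",
    0x6D: "unknown instruction code",
    0x6E: "wrong instruction class",
    0x6F: "technical problem, no diagnostic given",
}


def decode_status(sw1: int, sw2: int):
    """Return (category, description, extra) for a status word.

    category is 'ok', 'retry', 'warning', 'error' or 'unknown'; extra carries
    the numeric argument some codes encode in SW2 (a length or a retry count).
    """
    sw = (sw1 << 8) | sw2
    if sw in ISO_EXACT:
        return ("ok" if sw == 0x9000 else "error"), ISO_EXACT[sw], None
    if sw in GSM_EXACT:
        return "error", GSM_EXACT[sw], None
    if sw1 in (0x9F, 0x61):
        # Response data is waiting; the phone/reader must issue GET RESPONSE.
        return "ok", f"{sw2} bytes of response data available (GET RESPONSE)", sw2
    if sw1 == 0x6C:
        return "retry", f"wrong Le, resend with Le={sw2}", sw2
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return "error", f"verification failed, {sw2 & 0x0F} retries remaining", sw2 & 0x0F
    if sw1 == 0x92 and sw2 <= 0x0F:
        return "warning", f"update successful after {sw2} internal retries", sw2
    if sw1 in GSM_SW1_ONLY:
        return "error", GSM_SW1_ONLY[sw1], None
    if sw1 in (0x62, 0x63):
        return "warning", f"warning {sw1:02X} {sw2:02X}", None
    if 0x64 <= sw1 <= 0x6F:
        # The 9 -> 6 flip noted above: 0x9 is 1001b and 0x6 is 0110b, bitwise inverses.
        return "error", f"error {sw1:02X} {sw2:02X}", None
    return "unknown", f"unrecognised status {sw1:02X} {sw2:02X}", None


def split_response(resp: bytes):
    """Split a response APDU into (data, sw1, sw2); the trailer is always 2 bytes."""
    if len(resp) < 2:
        raise ValueError("response shorter than the 2-byte status word")
    return resp[:-2], resp[-2], resp[-1]


def parse_run_gsm_response(data: bytes):
    """RUN GSM ALGORITHM returns SRES (4 bytes) followed by Kc (8 bytes)."""
    if len(data) != 12:
        raise ValueError(f"expected 12 bytes of SRES||Kc, got {len(data)}")
    return data[:4], data[4:]


# Constructed exchange: the card first signals 12 bytes waiting ('9F 0C'), then
# GET RESPONSE delivers SRES||Kc with a '90 00' trailer; '98 40' is a blocked PIN.
SAMPLE_RUN_GSM_TRAILER = bytes.fromhex("9f0c")
SAMPLE_GET_RESPONSE = bytes.fromhex("11223344" + "aabbccddeeff0011" + "9000")
SAMPLE_CHV_BLOCKED = bytes.fromhex("9840")

if __name__ == "__main__":
    for resp in (SAMPLE_RUN_GSM_TRAILER, SAMPLE_GET_RESPONSE, SAMPLE_CHV_BLOCKED):
        data, sw1, sw2 = split_response(resp)
        print(f"{sw1:02X} {sw2:02X}: {decode_status(sw1, sw2)} data={data.hex()}")
```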
    • My guess is that an encrypted packet is sent to the eSIM chip, which decrypts it to get the Ki. The specifications exist, but I haven't looked into eSIMs yet.

      @JanusCycle@JanusCycle Жыл бұрын
    • @@JanusCycle Thank you for the response. But that means that either all eSIMs must have another key that is known to the carrier (chicken and egg problem), or some PKI must be involved that requires someone to sign the keys used, as they would otherwise be prone to man-in-the-middle attacks (introducing a new point of failure)

      @mihiguy@mihiguy Жыл бұрын
    • Thank you, very good points. I have also wondered about eSIM security. Just not had the time to look that deeply yet.

      @JanusCycle@JanusCycle Жыл бұрын
    • @@mihiguy Diffie-Hellman

      @mkontent@mkontent Жыл бұрын
    • @@mkontent Without some kind of authentication scheme, Diffie-Hellman only helps against passive listeners, not against active men in the middle.

      @mihiguy@mihiguy Жыл бұрын
  • Actually capturing responses and working out the key is how you can figure out the secret key in WPA2 encrypted wireless networks. All you really need is a computer that can put the wireless card into promiscuous mode and set it up to listen for new device traffic. You can even send a bad packet of data to the network to reboot all the devices and they all have to re-auth back to the WAP thus getting a large number of encrypted packets to process. You then either manually decrypt the password or you can put the encrypted password into a giant list of known passwords and see if the user used one of them. It only takes like 48 hours or so to decrypt WPA2 encrypted keys and maybe even less with GPU processing. It's pretty fun to do, just don't use it to try and steal your neighbor's Wi-Fi as that can be illegal in some places.

    @stevenchristenson2428@stevenchristenson2428 Жыл бұрын
    • the time to crack WPA2 is extremely variable depending on hardware and complexity of the password assuming brute force (or how big the password list is, assuming it even has it). there was a manufacturer of mobile data wifi pucks who used a default password of 8 random numbers. a laptop with a 1070 GPU could brute force that keyspace in about 4 mins with hashcat.

      @X4Alpha4X@X4Alpha4X Жыл бұрын
  • Thanks man, great stuff!

    @AmeenAltajer@AmeenAltajer4 ай бұрын
  • This topic is very fascinating.. And very untouched .

    @TECHiHOBBYIST@TECHiHOBBYIST Жыл бұрын
  • My ex-roommate went to MIT, he's now head of R&D (they don't call it that but I can't remember the exact job title) for Deutsche Telekom/Tmobile here in the U.S. Back in 2014 when we were living together, I watched him clone his own SIM card so he could have multiple phones with the same number. This was on Tmobile's 3G/4G network. He definitely found a significant vulnerability and wasn't keen on sharing it with me. And I doubt he's the only one who knows of it. But instead of revealing it, he (and/or they) keep their mouths shut so they don't "fix" it again. He learned his lesson with satellite TV -- they used to hack the cards in order to get free TV. They would then release the new hacked ROM online and eventually the TV company would send out a patch to fix the hole and they'd have to crack it again; rinse repeat. This happened numerous times until the satellite TV company finally did away with that card system altogether. If my ex-roommate would have never released those hacked ROMs on the internet, he would probably still have free satellite TV to this day. He said he'll never forget that lesson.

    @markjune3027@markjune3027 Жыл бұрын
    • Interesting, thank you. I wonder if the vulnerability he found was inside the SIM or in the network.

      @JanusCycle@JanusCycle Жыл бұрын
  • Very interesting to watch. Funny how the SIMs are compromised over simple e-mails though.

    @chinmayasinghrawat4622@chinmayasinghrawat4622 Жыл бұрын
    • True, I've worked on big, secret M&As (Mergers & Acquisitions) where the utmost care was taken to ensure privacy, since it would affect the price of the companies if word got out, and yet details of the deal were sent in plaintext over email.

      @raylopez99@raylopez99 Жыл бұрын
    • @@raylopez99 ב''ה, all securely stored at RIM's data center, right?

      @josephkanowitz6875@josephkanowitz6875 Жыл бұрын
    • @@josephkanowitz6875 Iron Mountain...I do remember that logo a lot. Back in the day before I think Google even did https on all its transmissions.

      @raylopez99@raylopez99 Жыл бұрын
  • Lovely video. Thanks, mate!

    @cheater00@cheater00 Жыл бұрын
  • Love the Depeche Mode bit, absolute genius

    @ichabaudcraine2923@ichabaudcraine2923 Жыл бұрын
  • I remember the good old times when me and my friends would clone the analog NMT mobile phones. It was ridiculously easy back then, and then you can be any number in the network. In my country for a long time it was not believed that it was possible. There was a classic case where a police chief gave a challenge to replicate his phone number, as he did not believe it was possible. Next month he received in his mobile invoice costs for calls to adult phone services not made by him, and he had to believe it was true.

    @miscme7116@miscme71165 ай бұрын
    • My SIM's locked every time I turn it off. I know a little but am about to learn more

      @salvadorcruz46@salvadorcruz465 ай бұрын
  • "...they just want to listen in if they need to." something tells me that "if they need to" means all the time to misconstruct or find the smallest thing in case you dare to "notice" or do a "wrong think".

    @CarcharothQuijadasdelased@CarcharothQuijadasdelased11 ай бұрын
    • The ability to harvest a data stream is considered a digital goldmine these days.

      @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
  • You should do a video on direct tv card SIM cards. Very interesting imo, very 'educational'

    @nomore-constipation@nomore-constipation Жыл бұрын
  • Great choice of soundtrack.

    @mr.m.o.g.o.m.@mr.m.o.g.o.m. Жыл бұрын
  • Does this apply to eSIM and iSIM as well? Thanks. Great vid!

    @fredsalter1915@fredsalter1915 Жыл бұрын
    • Those chips are also much more secure.

      @JanusCycle@JanusCycle Жыл бұрын
  • Very good video, two thumbs up! As a person who cloned SIM cards and made multiple-in-one cards I can tell the video and explanation is 100% accurate. Except the part of spy agencies spying by intercepting the Ki number.

    @alexanderwhite8320@alexanderwhite8320 Жыл бұрын
    • Spy agencies intercepted Ki numbers in emails from card manufacturers sent to networks. Not over the air. Hopefully I made that clear enough in the video.

      @JanusCycle@JanusCycle Жыл бұрын
  • A man of class using the Zune theme 👍

    @rb4593@rb4593 Жыл бұрын
  • Very informative video, thanks a bunch :)

    @ThomasTheFapEngine@ThomasTheFapEngine Жыл бұрын
  • What was the original sales purpose of the SimMax holding 12 SIMs? Was it able to be swapped by phones, or did it need an external device to swap between profiles? If it was as simple as typing a number command and rebooting, then I could see the purpose if you were trying to make cheap calls from Optus to Optus or Telstra to Telstra or for frequent travellers.

    @HonestAuntyElle@HonestAuntyElle Жыл бұрын
    • One of the benefits they describe is 'Change mobile phone number without turning off mobile phone'. I'm not sure how it was done, yet.

      @JanusCycle@JanusCycle Жыл бұрын
    • If I remember correctly there were SIM cards which could store multiple SIM card profiles/numbers: you would read the cards you have and then store those into that single "super SIM", and on some phones you could cycle through those stored profiles even through the menu on the phone itself.

      @kerozin520@kerozin520 Жыл бұрын
    • @@kerozin520 This could be using SIM Application Toolkit to add menu options to the phone. Another aspect of SIM cards that doesn't seem well known about.

      @JanusCycle@JanusCycle Жыл бұрын
    • You actually have a "SIM menu" on your phone and there's an item called "change number", provided you have this all-in-one SIM card inserted, so you can select there any of the slots of your 12-in-one SIM. But not all phones support SIM card hot-swap, so most old phones still needed a reboot (power cycle) in order to change SIM card.

      @Auberge79@Auberge79 Жыл бұрын
    • ​@@JanusCycle Yup, that's actually what the "STK" on the card refers to - SIM ToolKit. On phones that supported STK, an extra menu would appear on the phone allowing you to pick a SIM. You could also use a PIC programmer like the Infinity USB to write SIM-EMU software onto a blank Greencard to create your own SIMMAX-style multisim-in-one card. From memory SIM-EMU worked more reliably than SIMMAX.

      @veryboringname.@veryboringname. Жыл бұрын
  • It was known from the start of the GSM implementations that the SIM crypto algorithm was pretty weak. But as you said it was kept secret, which in the early 1990s created quite a discussion. Normally in crypto systems the security lies in the secrecy of the key, not in the secrecy of the algorithm. But this was ignored by the GSM standards consortium. I guess there were two reasons. The first is that they were worried about the SIM chips available being powerful enough. The other reason was probably the governments wanted a back door. To your assertion about getting the Perso keys of the SIM cards, there the security has been tightened considerably and the Perso Keys issued by the SIM vendors are now sent in a classic crypto ceremony in 3 parts, where only the combination of all three parts of the key will result in the correct key. This is used to derive the individual chip keys. But I guess there may be still different standards used by different vendors.

    @helmutzollner5496@helmutzollner5496 Жыл бұрын
    • I'm glad we are getting smarter at having good security. Great info, thanks.

      @JanusCycle@JanusCycle Жыл бұрын
    • ​@@JanusCycle The 3 part way is not default for any manufacturer afaik. Where I worked we started forcing encrypted orders in 2019 or so, after which I ordered new cards and destroyed my old ones. But even that handling did not seem to be the default way for the big manufacturers =/

      @HitchensTV@HitchensTV Жыл бұрын
    • It is known that it was the second reason. The Brits.

      @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
  • Thank you for the informative explanation. Also thanks for telling how the governments can listen to cellular network calls.

    @mort_brain@mort_brain11 ай бұрын
  • Thanks for the info, dude

    @Edwards-kr7pi@Edwards-kr7piАй бұрын
  • Since you know so much about SIMs and how they work, please do an episode on eSIM and how to convert between them. My provider charges for eSIMs and it is difficult and costly to swap SIMs between phones.

    @mamborambo@mamborambo Жыл бұрын
    • you said "convert".. did you mean transfer the esim to a new device? if you did mean "convert" convert to what?

      @manp1039@manp1039 Жыл бұрын
  • It is no secret that the phone network in general was built with very little security in mind, even a WhatsApp call is safer in most circumstances.

    @Valery0p5@Valery0p5 Жыл бұрын
    • The GSM net was intentionally built with sub par security.

      @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
  • very informative and an interesting topic. worth a like

    @PROTOTYPE461Y5K@PROTOTYPE461Y5K Жыл бұрын
  • i kept looking for the music in all my opened chrome tabs. Later realized it was in the bg.

    @priyanshudatta8845@priyanshudatta8845 Жыл бұрын
  • Some years ago, a father and son cloned a SIM card, for whatever reason. They were found out, arrested and jailed. I think there's a way from the NP side to find out this kind of activity, for example by way of phone make and model number or a UUID.

    @examplerkey@examplerkey Жыл бұрын
    • that is exactly what i was thinking. It is not just a SIM that the network has for any device that connects to it. Those people would have had to clone everything on the phone.. and there may even be one or more unique chips on each of the phones that the NP can collect data from.. in addition to which tower and date and time it connects (presuming this father and son were using prepaid SIM cards where the location they lived and their legal names etc. were not already known by the NP and connected with the SIM account?)

      @manp1039@manp1039 Жыл бұрын
    • Did they get a lifetime sentence for such a horrible crime against humanity?

      @MRooodddvvv@MRooodddvvv4 ай бұрын
  • Why am I not surprised that most of the Ki numbers are known by surveillance agencies? This is the reason one doesn’t attempt any crucially private exchanges without decent end-to-end encryption.

    @anhedonianepiphany5588@anhedonianepiphany5588 Жыл бұрын
  • Somehow, somebody copied my SIM card back in the year 2000 here in Germany, but not like that. This person had to build an access point, so my phone logged into it, and they must've sniffed every bit of information they could get. They phoned away on my bill. 200 bucks later, I went to the police and the provider told me I was in a different city while calling people. Lucky me, I had proof I worked at that time - at least I thought lucky me. O2 refused to refund me, it went to the court, I won, but they kicked me out of the contract. So yeah, somehow it was easier 23 years ago, when no real encryption was implemented in GSM. This video made me remember it. Decades later, we know how you can build your cell tower or at least a small version of it. How somebody gets the Ki number though with just listening to 1 calculation... maybe somebody made "logged in" phones reauthenticate many times and then.. tried the rest? I know, I was working at my job back then, and not in Berlin, so who knows how that worked back then. Hardware was slow back then, so your method would be taking a long time.

    @Spelter@Spelter11 ай бұрын
  • I didn't know a SIM card was this complicated.

    @rexarn781@rexarn7817 ай бұрын
  • Would be interesting to try this in a country where 2G/basic GSM is still alive and well, like Germany. I still know of two pre-2000 prepaid SIMs that are still active and being used, one being my moms (from sometime in '97) and one being mine from my very first own phone I got for christmas '99, which might already be too new...

    @Knaeckebrotsaege@Knaeckebrotsaege Жыл бұрын
    • If you still want to know, one of those cloned cards still works well in Russia, because the original card was lost and that number was only used in an old phone without 4G, so no one bothered to do anything and just used the cloned card. No issues or oddities were noticed for years.

      @MRooodddvvv@MRooodddvvv4 ай бұрын
  • Even if I could clone a modern SIM card somehow, I would very much be cautious to use more than one of them simultaneously. I guess the operators have some algorithm to recognize requests with the same IMSI numbers coming from different cells (from distant locations) at or around the same time, and would block my account, and may even ask me unpleasant questions. Or is the cloning so unlikely that they don't care? Any comments on this?

    @nick066hu@nick066hu Жыл бұрын
    • I have accidentally turned on two modems using the same physical SIM on 4G (the sim slots are connected to the system CPU and then proxied to the modems, it happened due to a software bug). It didn't cause problems but only one of the modems was working, although both claimed to be registered. Probably depends on the network.

      @BertoldVdb@BertoldVdb Жыл бұрын
    • BTW: Since both modems were on the same board, they both joined the same cell.

      @BertoldVdb@BertoldVdb Жыл бұрын
    • The network operates separately to the billing system. When you make a call, the records that make up your call (CLRs, Call Link Records; think of your mobile call going from cell tower to cell tower, onto say a landline network, to eventually end up at someone's home: all of those hops are CLRs) are aggregated into a CDR (Call Detail Record) that is used for Rating (assigning distance and charging / service components to), which is then fed into the Billing engine (for assigning a cost value to), i.e.

      [CLR + CLR + CLR + ...] -> CDR -> Rated -> Billed

      Back in the 3G and 4G days, it didn't matter how many dual SIMs were on the network; the system doesn't cross check (how could it, with literally millions of phones on the network? It would be extremely compute intensive. Even 10,000 phones active at once would take 10,000 x 10,000 cross checks). It was the last SIM activated that got the incoming calls, so even though you had multiple SIMs, the last active one used to get the incoming traffic. Making calls was different: any copied SIM on the network could make calls at any time.

      Things have most certainly changed since I was involved in the telco space though.

      @stultuses@stultuses Жыл бұрын
    • @@stultuses Thank you for the inside info. It was 15, maybe 20 years ago, I wrote microcontroller code into a Microchip PIC in our remote control device monitoring pump stations. The uC was interfaced to a GSM modem, that we had to buy and maintain subscriptions for about 150 pcs SIM cards. It was expensive, although we used very little data, just a couple of bytes per message, and almost nothing if no errors, so it really felt an overkill having so many full phone subscriptions (the operator had no plan for M2M communication back then). I was then thinking about how we could trick the system with cloned SIMs but lacked both the courage and knowledge for it.

      @nick066hu@nick066hu Жыл бұрын
    • @@stultuses I could imagine if they wanted to that they could implement some kind of optimized cross-check algorithm to catch duplicate SIMs, but I can see where it would be mostly a non-issue to correct. The number of people who can clone a SIM is relatively small and mostly limited to people who tend to confound your efforts, anyway - and by virtue of how the network functions, it wouldn't really be a valid way of gaming the system to the user's favor ... again, outside of niche uses.

      It's not just cross-checks for activating phones, it's cross-checks for changing towers or some means of rationally managing a phone between nearby towers. In principle, it could be done - but I don't really see it as being a priority investment as it addresses a very niche problem that is only a problem when governments aren't doing it (at least from the network operator's perspective).

      Further, here in the States, most cell infrastructure is locally or regionally owned/maintained and the network operator leases access to the tower, as I understand it. That adds a whole different layer into authentication strategies. The authentication would have to be baked into the communication standard used by the tower so that any carrier could function.

      The only thing I could see being different with 5G is some manner of sub-identifier which would basically turn a SIM card into a network gateway and multiple devices could send/receive on the network at the same time. My phone would just ignore the data packets for a different phone. I could see support for this being put in.... but don't really see the use/advantage as you'd have to effectively route data to two different towers for broadcast... or more. And whatever plan that is would probably be absurdly expensive while having no particular benefit other than potentially reducing the number of authenticated devices on a tower (as the SIM allocates a band and packet address to the device) .... but you could implement something similar to this without doing cloned SIMs in congested areas, overlapping devices into a single band and using the band as an old fashioned network bus.

      @Aim54Delta@Aim54Delta Жыл бұрын
  • Thanks. Great video and comments. Retro is cool.

    @iRelevant.47.blacklisted@iRelevant.47.blacklistedАй бұрын
  • Great Explanation and Speech, Man!!! :)

    @mespap273@mespap2734 ай бұрын
    • Hey thanks!

      @JanusCycle@JanusCycle4 ай бұрын
  • Sounds like those scenes in movies where someone pulls the sim card out of another person's phone while they're in the bathroom, clones it in 30 seconds, and puts it back in their phone before they know what happened, are pretty far-fetched.

    @kevinlee7263@kevinlee7263 Жыл бұрын
    • There is a scene just like your description in The Bourne Supremacy. Since it's a movie we can assume Bourne had a backdoor SIM exploit, or some other secret intel we don't know, to keep it fun :)

      @JanusCycle@JanusCycle Жыл бұрын
  • I love the use of Depeche Mode.

    @MarkBryant007@MarkBryant007 Жыл бұрын
  • YES DEPECHE MODE!!!!! Policy of Truth!! Love the mix!

    @TheRealJLucas@TheRealJLucas11 ай бұрын
  • I was wondering if this SIM USB adapter is a standard PC/SC reader? Or actually a better question would be if I can use my Phoenix interface as a standard PC/SC reader? I am thinking to buy a Duolabs CAS3 (for some other things), and was wondering if I can also use it like a normal PC/SC reader or I need to buy a separate device for that?

    @Veso266@Veso266 Жыл бұрын
  • Zune theme on your xp laptop? Did you ever own a zune or did you just download it because it looked cool?

    @upseguest@upseguest Жыл бұрын
    • It looks very cool. I still need to buy a Zune one day :)

      @JanusCycle@JanusCycle Жыл бұрын
    • @@JanusCycle yeah lol, sadly the Zune service doesn't work anymore so a lot of the functionality is lost but you can still store music on it!

      @upseguest@upseguest Жыл бұрын
  • Mine has been cloned already....I worked at a BIG telephone company and you would be surprised how corrupt the employees are!!!! Money talks.....as you already know ..... Most illegal things are not done by criminals but by government employees.....😂

    @uglyrose2019@uglyrose20195 ай бұрын
  • I remember back in the GSM days people had pay as you go mobile phones that they had literally chipped, and because the credit that was on the account was actually stored on the phone itself, every time they turned the phone off and on again it would reset the balance to show £10 credit. I wonder if you could do a video about this as it always fascinated me

    @jamesmorton-m6tzo396@jamesmorton-m6tzo3969 ай бұрын
  • Thanks so much for sharing. 😉👌🏻

    @jtveg@jtveg Жыл бұрын