There have been some really great responses on possible alternate ways to get your Ki number, including voltage glitching your SIM to get it to read out unintended memory addresses, physical extraction and/or reading the chip's die directly using a Scanning Electron Microscope, or bribing an engineer working in your local network to access your Ki database entry. Wikipedia is a wonderful collaborative information resource. This video provides a quality example of the way collaborative effort promptly fixes these errors. I demonstrate the truth, and within just a couple of hours, editors rush in to check and fix the accuracy of Wikipedia. Keep up the great work everyone :)
I have a query: is there a way to use a SIM card's functionality, such as internet, phone calls and SMS, on a PC with some kind of adapter? I have looked far and wide but can't find any SIM card adapter and software combo which can do this. Do you have any idea?
I'm ancient, building tube amps and from the first pre-Windows interface time, when the so-called younger wonders were age 10-16 😊 ("it's so simple", but the manufacturer trend to over-button/dial was funny). Still most don't know why things work. I'm now entering that old-styled thinking patterns group of people. But A.I. winning on board games like Go is just unfairness towards human workings, a processor trying to navigate in a bowl of pea soup..... intuitive non-selfishness works better. Can that be progressing in a self-education AI situation in the near future? 🤔 Sparks Mr Youngster thinking again. Thanks for uploading this!
@@Redditard there used to be some netbooks some time ago with built-in 3G modems and SIM card slots, so you could browse the internet or send SMS via mobile network (not sure about voice calls). Some USB 3G dongles from Huawei also allowed enabling voice features, but that was like 10 years ago.
I still don't get it. So I have this sim card. It's made of metal and plastic. How can I not plug it in, copy the data to another? It makes zero sense. Explain it to me
@@slyceth Sure thing, SIM cards have a little processor inside that does secret key authentication calculations. The software running on this processor also decides how to respond to requests to read the memory. It will never allow the secret key to be read out. The only way in theory to read the entire memory would be to bypass the processor. By directly extracting the internal silicon and reading the memory contents directly with an electron microscope or similar specialised equipment. This also destroys the original SIM card in the process.
Dude thank you for doing this video, although I would worry about the type of enemies you will make for posting it.. There was an Aussie politician who claimed his SIM was cloned about 5 years ago. I saw a radio show in Sydney then get US private investigator Ed Oppernan on their show to debunk the politician's claims in a phone interview. I was very vocal at the time, because I knew for a FACT they were lying to protect this flaw from being fixed and essentially throw this politician under the bus. What people need to realise, especially those who think that law enforcement should be allowed to do this because "nothing to hide, nothing to fear", is that anything the good guys have access to, the bad guys do too. How do I know? The son of a guy who was high up in the mafia had the hots for my girlfriend at the time. He was sending messed up messages to her pretending to be me. He was not spoofing my number because he could read her replies, and I changed my phone to make sure it wasn't my phone having remote access software running on it. We only realised why we were fighting, and she was sending me messages that made no sense, because we managed to catch him doing it when I had the day off work and we were together while he tried to send more abusive messages as me. As a side note - encryption matters. A government back door is a mafia back door. Imagine you were in the witness protection scheme and your private communication was being read by the wrong people. Or police records. Or private photos which can compromise people in positions of authority. Does Dan Andrews and other politicians frothing at the mouth about getting everyone jabbed make sense now? Encryption protects everyone, bad and good. The old trope of needing to catch pedophiles is BS, and they have many other means of doing that job that they should be adequately funding. Rant over, excellent video
Reminds me of the time when I used to play with SIM emulators. They used to run on a small microcontroller (a PIC variety). Gold cards, silver cards, wafer cards (and others) usually used for decrypting the old analogue satellite pay TV. But they could be used as clone phone cards in payphones and something called a yes-card (a fake bank card that used a flaw that meant it wasn't checked online) where you could enter any PIN on the PIN pad.
@@JanusCycle I've still got all the details and source code (as an historical artifact), but fully expect the vulnerable systems to have been hardened by now.
I still have one of those. It let you enter IMSI and Ki directly from the phone's "SIM menu", but on new phones that menu is half broken, so it only works properly on old phones. It let you create multiple "profiles" with pairs of IMSI and Ki and switch between them. On old phones switching worked even without needing to reboot the phone to reconnect to the new network. It worked for 2G and 3G without any issues, but for 4G it couldn't work because for 4G the algorithm was changed again and a third code called "OPc" was added to make more "security through obscurity".
Back in the day, Satellite TV access cards were hacked by 'glitching'. That's resetting the card, counting clock cycles, and then glitching the power supply. Repeated thousands of times (with variable parameters) until the card responded out of spec, and spilled its secrets, or (at the user end) allowed access to adjust the available channels.
@@raylopez99 Once in a while, closer to a year. But sometimes the signal provider would issue a series of changes all in a row, and the hacked cards would be mailed back and forth more than being used. Later, one could buy a glitcher (serial or parallel port, long before USB) and subscribe to the new software from the pirate. I stopped before it became illegal in my jurisdiction. And I always maintained a local subscription to the local provider, in case that might mitigate things. House had up to four small dishes at one point.
Speaking about SIM card vendors sending card data to mobile operators. I used to work for a GSM operator in one of the former Soviet republics in the early 2000s, being responsible for interaction with SIM makers, among other things. We used PGP for any sensitive information sent via email, but even if you did get the plain-text output files, you wouldn't get Ki from them, as it was additionally encrypted with a transport key (which was delivered separately and entered in the switch for decrypting the Ki information inside the AUC). Different keys were used for different SIM vendors (and sometimes several keys for the same vendor), and these were only referenced in the output files by their numbers, which means the actual Ki value was pretty much never available to anyone on the operator's side. I don't think this was much different in the UK or elsewhere, at least post-2000.
Back in my day we had tons of tricks like kicking people off the internet. Seriously. That sounds so far off, like something a bigfoot or religious follower would say, that no one today would even believe that was possible, I bet. I bet I could make a video about it claiming it still exists and the bigfoot/ape evolution people would spread it like it's gospel.
I'm really surprised it's not the mobile operator who writes those keys into blank cards from the manufacturer. It is even possible to order those blank cards from sellers online for cheap. And the process of writing keys is so simple and only requires basic USB card reader hardware that it could even be done at an operator's SIM card sales office.
You'd be surprised how expensive low-power GSM base stations are to buy/run. It isn't simply a matter of software; to handle 100s of simultaneous links they have to have extremely expensive clocks, and this is true even if there is only 1 subscriber, the base station basically keeps time. Now I'm sure it's possible with a HackRF and a TCXO soldered into something somewhere, but it's not as easy as reading a card with a card reader unfortunately, unless you spend above $3000
Sure, but OpenBTS with a cheap SDR would probably be enough for a local system to be set up. The main issue I see is managing the RF situation: can it be run low power legally, or would the room have to be turned into a Faraday cage first?
Some places keep Gen2 GSM running as the common fallback for later phones after their preferred protocol is shut down. So when 3G shuts down, the old 3G phones "roam" to the backup 2G net. Same for 4G.
Amazing nostalgia trip :) Cloning SIMs to wafer or "12in1" cards was quite popular in the Balkans before multi-SIM phones came out. It was more convenient to restart your phone and select the active SIM with a code than juggling a few actual cards of different providers. Due to the 64k inquiry limit, it worked only on some cards of course. However there was a horror story that most of the phone repair shops (and enthusiasts) unknowingly used a "backdoored" version of Woron scan that was sending all the Ki numbers to some Russian hacker group that made the clones as well, and then used them to call ultra premium numbers they set up :)
A high tech version of what occasionally happens today, where a stranger who looks like a drug dealer will ask to use your phone, because he "lost" his, and then use it to make a deal. A kind of a 'burner phone' technique.
Your part about the backdoored version of Woron scan will serve as my daily reminder to only use this sort of software in a virtual machine isolated from the Internet :)
The question is, as intriguing as it was, in some places SIM cards are sold more or less freely like here in the Philippines making burners and fraudulent calls easy; it wasn't until 2022 when mandatory SIM registration was enacted.
Whoa. That's hard to imagine having lived in Australia. Getting a new SIM has always been such a barrier, that people were far less likely to swap prepaid carriers because of it.
@@HonestAuntyElle I'm in Croatia, you can still buy prepaid sim cards without any kind of identification or registration, they're $3 or so. You can optionally register it with info that is not checked in any way and in that case they send you those $3 you paid for card back to your prepaid account to use for calls.
So even with registration, it is still possible to extract an eSIM profile and edit the info in such a way that you will get a new identity, and if that identity exists on the carrier server then it's easy as cake.
About 20 years ago a family friend claimed to be able to do this alongside hacking the cards in cable boxes and such. Of course, he wasn't open about his process but some of the things he talked about were mentioned here. Maybe he wasn't actually doing anything but it's neat to see he wasn't totally blowing smoke. He did eventually get caught up in a casino machine cheating scandal so it's not hard to imagine he was up to something.
The whole DirecTV smart card story was fun to read. The gist of it was them and hackers going back and forth for years until DTV started sending required card updates that appeared to have useless data, but once the last bytes were received, it turned into a program running on the card itself. Then a week before a Super Bowl (I think it was 2000 or 2001), they sent a command that bricked all hacked smart cards and set the first 8 bytes of the card to GAMEOVER.
Pretty crazy seeing all this out in the open all these years later. I used to see a lot of this stuff and the systems Telstra used when I worked for them back in the day. Everything you said was correct.
Everything everyone says is correct apparently. Christian channel commenters say that. Satanist channel commenters say that. Atheist cult channel commenters say that. Republican channels all say that. Democrat channels, libertarian channels, bigfoot sighting channels.... Channels that say "see where I'm getting with this" probably say that.
64k attempts lifetime limit, how neat. That's probably why my SIM card mysteriously died after 15 years of flawless service (getting a replacement was challenging since not many people remembered the time one didn't have to show id and register everything in that country).
It's been a long time, so I don't remember all the details, but I remember the days at Research In Motion developing the Tachyon, aka the BlackBerry 5810/20... It had a number of problems. An important one was that the SIM card slot was prone to bad electrical connections and static discharge. One (entirely temporary and never shipped IIRC) solution was to get the Ki and program it into the phone, so that the phone could emulate the SIM card rather than use it... It made the phone far more reliable. My memory was that it was possible to have the phone work out the Ki by passively gathering challenges, actively get it (which took a day or so if it didn't crash, and was tough on the battery), or asking nicely and getting it from the carrier. Our SIMs at work were weird special SIMs meant for testing and development, so the Kis were not treated with the same care as normal SIMs. I think it's possible that they didn't have protected ROM on some of them, so if you had the right tools, you could just read the Ki off of it.
I knew some guys who kept a 2G tower unit in their bathroom and were slowly hacking it, I think they were able to span a little network of their own but they didn't run it very often. Perhaps you can find some enthusiasts like that where you live.
Is the frequency for 2G unused by any other networks? I would have guessed that if the phone company had no use for it the government would take back that frequency and offer it to other service providers? And if they did and these rogue 2G towers were broadcasting on the airwaves.. they would eventually get identified; their broadcasts would potentially either be jamming the new legit devices using those frequencies and/or those new devices would jam the rogue 2G stations' broadcasts?
@@manp1039 I'm hoping frequency reassignment is a SLOW process. And as long as no one complains, nobody investigates. Hush hush sort of business though, you don't show every stranger your bathroom if you have one of those.
Naa, I live in the 13th largest city in the USA. They don't even know how to milk the cows on their farms in the USA. Back in the day I was like a space alien using computers. Today they still think only phones exist.
One of my SIM cards (bought around 2003) was cloned over 10 years ago (same SIMMAX 16-in-one), and it still works perfectly in 2G and 3G networks after all these years. No need to swap cards in my old phones :-) Just switch it on and ready to go! By the way, should I switch on more than one phone at the same time, they both (or all 3) can make calls, but only the last one online will receive the incoming call. However I do not turn on more than one phone simultaneously.
The "what happens with two identical SIMs simultaneously on the network" question is a plot point in _Primer_ (2004), arguably the most convoluted time-travel movie ever. Now I know the answer to that, thanks. But I wonder, does the last-one-online rule still apply in the new SIM paradigm? For a network to assume there are no simultaneous duplicate subscribers seems... sloppy.
I am guessing that your calls and numbers you call are being monitored? and you may not be the only one with clones of your original sim that you bought in 2003?
Incredibly interesting, informative and entertaining! Your choice of music was nothing short of genius! Thank you for taking the time to put this together.
Oh I spent so much time back when I was young in the early 2000's playing with SIM cards, phone cards, SIM card emulators. I've built a serial port scanner, and used it with Dejan Kaljevic's software. Lots of fun. (R.I.P.)
Switching SIMs was how I upgraded, traded and sold a lot of my phones back when flips were cool. I even knew someone who'd unlock for a small fee. Now SIMs are useless in modern smartphones and I'm learning how to unlock phones by myself.
In this context I'm interested how the eSIM affects this. How does the Ki value get into the eSIM without being able to be intercepted, assuming the owner of the eSIM phone is interested in cloning his Ki value to use on more devices? BTW 90 00 is not only for sim cards but generally for PCSC smart cards and means "command successful". Error messages start with a 6 in hexadecimal which is not only flipping the digit glyph, but also its bit representation.
My guess is that an encrypted packet is sent to the eSIM chip, which decrypts it to get the Ki. The specifications exist, but I haven't looked into eSIMs yet.
@@JanusCycle Thank you for the response. But that means that either all eSIMs must have another key that is known to the carrier (chicken and egg problem), or some PKI must be involved that requires someone to sign the keys used, as they would otherwise be prone to man-in-the-middle attacks (introducing a new point of failure).
In a lot of places, SIM cloning is an insider job that is done by someone inside the phone company who has all the tools to "port" the number to a new SIM. These days it is a compromised human rather than hardware.
There are a number of reasons (surveillance is mentioned in the video), but a huge, more nefarious motivator is getting access to MFA security. Assuming you can get a user's account credentials through social engineering or other means, having access to their phone number to receive MFA verification codes can give you access to tons of sensitive information. Government sites, bank accounts, web accounts, corporate resources, etc. Cellphones and their numbers are generally fairly secure; they are a separate, independently secured (sometimes through their own MFA security), physical object that also tends to be very important to the user, so people tend to keep them on hand, and they will be replaced quickly if lost. The best way to get around that security is to either get the sim out of the phone, or use social engineering/bribing (made easier because of the information the criminal has already gathered about the victim) to manipulate an underpaid customer service worker to replace the sim.
@@circuit10 The SIM "cloning" you may see on the news is just someone transferring a cell number to a new SIM; it may be a new SIM or a new cell company. This is so that someone is able to get an MFA code to allow them into your bank account.
The phone number is not stored in the SIM. The phone number is held in the HLR/HSS of the mobile network. And it is associated with the IMSI number of SIM card. And the IMSI numbers are allocated in batches to each mobile network operator. So if you are trying to clone a SIM and use the SIM to get free phone calls, then you don't need to port a number from another SIM to the cloned SIM. Access to the mobile network is not granted to the mobile phone based on the mobile number, it's based on the IMSI number which is held in the SIM card and in the HLR/HSS.
Our service provider can give up to 4 sim clones if requested with a small fee. I had 3 sims of the same number all working on different phones with 3G/4G simultaneously. This service started around 2 decades ago.
@@ANWA143 The service provider is STC in Saudi Arabia. You can send calls and messages from all SIMs but set one SIM for receiving calls, and you can switch the receiving to one SIM at a time if you liked. Worked like a charm.
@@PHANTOmIND8 That's incredibly unsafe: if someone gets your phone number you wouldn't even notice, whereas if someone SIM swaps a normal phone number the real user would lose signal.
What a blast from the past. I was playing with this 20-30 years ago and it was really fun. One interesting thing was that first mobile operator in my country didn't use KI authentication for quite some time, and phone numbers were correlating with IMSI numbers, so you would be able to easily guess IMSI number of any phone number and clone it.
@@manp1039 The differences between two phone numbers and their IMSI keys were the same :) So, if I wanted to "hijack" phone number 12345 and my phone number was 12300, I would just add 45 to my IMSI number.
I managed to accomplish a SIM clone back in the early noughties, and it was only possible to get the Ki on one out of about 10 SIM cards I tried, I think providers had added authentication limits to SIMs at that time (this was all done for legit purposes where we were developing a JavaCard application and no provider would give us a Ki unless we paid thousands and signed NDAs etc, so we DIY'd it in the end)
Back on 1G phones I was in school at the time, and with some friends we managed to get access to hidden menus in the phone and copied all these random digits into a different phone, and then when we called the number both phones rang! Could only answer one of them though, as the other then stopped ringing. This was back when the call was basically not yet digital; if you went somewhere away from signal the voice started to go fuzzy like a walkie-talkie. Didn't take long for 2G phones and text messages to appear on the scene, at which point everything was digitally encrypted with the SIM.
Nice video. Interesting stuff. Apt music choice @ 4:38 - nice 👍 Would still like the option of having handsets with multiple SIMs or at least two or more carriers in one SIM so you can switch carriers for different rates or needs..
I just have a basic knowledge of computer/phone etc. devices, but I watched this video in full; even when the video actually ended at 11:44 I stayed to watch, listening to the song. Kudos, bro!
Sometimes just seeing technology and hearing the descriptions, even when you don't understand it all can help you learn. When learning more things in the future you will remember bits and it will become easier. I'm really glad you enjoyed this. Thank you for watching.
You'd think they would have implemented simple rate limiting at the first sign of brute force attacks. Only allow a key attempt at most once a second.. maybe delayed even more if multiple are requested back to back. For normal use, this delay may never occur/be noticed. But that 40 minute attack might take days, weeks, or months, instead. Also, while I could understand some secret proprietary algorithm decades ago, anything in the past 10 years or so should be using established public key encryption, with SIM cards randomly generating their own private key and only exporting the public one. So nobody could amass everyone's keys, even if they wanted, since they would never be known to start with. Then you'd have to resort to glitching, side channel attacks, or more destructive means to try to get the key.
Even with the new stronger algorithms, including some sort of rate limiting should be easy to include and greatly add to the security. I don't know if they have done this, but your analysis is spot on.
No, but one would have to power off the SIM and then back on, waiting for it to initialize again first. That is much slower than just hammering it constantly. Plus, it might be able to write a counter to persistent storage each time it fails, and then on power-up, it will have to wait a given amount before it will accept another attempt or clear the counter. It only needs to track accumulated run-time to delay.
@@JanusCycle- My assumption for not rate/time limiting is, if there's an unreliable network connection due to weak signal or interference, the requests/responses would need to be resent several times in order to connect. They could have imposed something like 10 non-limited requests per second then a 1 second pause which would slow down hacking attempts significantly. But the best protection is a longer key.
Typically, music on most educational / research videos is misplaced and annoying, IMO. You Sir...are the exception. Beautiful and brilliant song and version selection. Perfect application and execution. Thanks for making this video, the content was info I've been curious about for years. Depeche Mode was the cherry on top!
All these new kids with their videos on this topic are nice and dandy, but you're actually going in depth on some of the history and more practical attacks. Very nice.
Even if I could clone a modern SIM card somehow, I would very much be cautious to use more than one of them simultaneously. I guess the operators have some algorithm to recognize requests with the same IMSI numbers coming from different cells (from distant locations) at or around the same time, and would block my account, and may even ask me unpleasant questions. Or is the cloning so unlikely that they don't care? Any comments on this?
I have accidentally turned on two modems using the same physical SIM on 4G (the sim slots are connected to the system CPU and then proxied to the modems, it happened due to a software bug). It didn't cause problems but only one of the modems was working, although both claimed to be registered. Probably depends on the network.
The network operates separately to the billing system. When you make a call, the records that make up your call (CLRs, Call Link Records; think of your mobile call going from cell tower to cell tower, onto say a landline network, to eventually end up at someone's home: all of those hops are CLRs) are aggregated into a CDR (Call Detail Record) that is used for Rating (assigning distance and charging/service components to), which is then fed into the Billing engine (for assigning a cost value to), i.e. [CLR + CLR + CLR + ...] -> CDR -> Rated -> Billed. Back in the 3G and 4G days, it didn't matter how many dual SIMs were on the network; the system doesn't cross check (how could it, with literally millions of phones on the network? It would be extremely compute intensive. Even 10,000 phones active at once would take 10,000 x 10,000 cross checks). It was the last SIM activated that got the incoming calls, so even though you had multiple SIMs, the last active one used to get the incoming traffic. Making calls was different: any copied SIM on the network could make calls at any time. Things have most certainly changed since I was involved in the telco space though.
@@stultuses Thank you for the inside info. It was 15, maybe 20 years ago, I wrote microcontroller code into a Microchip PIC in our remote control device monitoring pump stations. The uC was interfaced to a GSM modem, that we had to buy and maintain subscriptions for about 150 pcs SIM cards. It was expensive, although we used very little data, just a couple of bytes per message, and almost nothing if no errors, so it really felt an overkill having so many full phone subscriptions (the operator had no plan for M2M communication back then). I was then thinking about how we could trick the system with cloned SIMs but lacked both the courage and knowledge for it.
@@stultuses I could imagine if they wanted to that they could implement some kind of optimized cross-check algorithm to catch duplicate sims, but I can see where it would be mostly a non-issue to correct. The number of people who can clone a sim is relatively small and mostly limited to people who tend to confound your efforts, anyway - and by virtue of how the network functions, it wouldn't really be a valid way of gaming the system to the user's favor ... again, outside of niche uses. It's not just cross-checks for activating phones, it's cross-checks for changing towers or some means of rationally managing a phone between nearby towers. In principle, it could be done - but I don't really see it as being a priority investment as it addresses a very niche problem that is only a problem when governments aren't doing it (at least from the network operator's perspective). Further, here in the States, most cell infrastructure is locally or regionally owned/maintained and the network operator leases access to the tower, as I understand it. That adds a whole different layer into authentication strategies. The authentication would have to be baked into the communication standard used by the tower so that any carrier could function. The only thing I could see being different with 5g is some manner of sub-identifier which would basically turn a sim card into a network gateway and multiple devices could send/receive on the network at the same time. My phone would just ignore the data packets for a different phone. I could see support for this being put in.... but don't really see the use/advantage as you'd have to effectively route data to two different towers for broadcast... or more. And whatever plan that is would probably be absurdly expensive while having no particular benefit other than potentially reducing the number of authenticated devices on a tower (as the sim allocates and band and packet address the device) .... 
but you could implement something similar to this without doing cloned sims in congested areas, overlapping devices into a single band and using the band as an old fashioned network bus.
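One way the "optimized cross-check" suggested above can be cheap, as an added example that is not from the video or any commenter: compare each location update only with the same IMSI's previous update (one dictionary lookup per event, not the 10,000 x 10,000 pairwise check feared earlier) and flag an implied travel speed no handset could achieve. The cell table, IMSIs (test MCC 001 / MNC 01) and timestamps are constructed sample data, and the 1000 km/h threshold is an assumed tuning value:

```python
"""Velocity check for duplicate-IMSI detection over location updates."""

import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airliner: assumed tuning value
SAME_TIME_MIN_KM = 5.0       # with dt == 0, adjacent cells can legitimately overlap

# Constructed cell site table: cell id -> (latitude, longitude).
CELLS = {
    "CELL_SYD_A": (-33.87, 151.21),
    "CELL_SYD_B": (-33.88, 151.20),
    "CELL_MEL_A": (-37.81, 144.96),
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


class DuplicateImsiDetector:
    def __init__(self, cells, max_kmh=MAX_PLAUSIBLE_KMH):
        self.cells = cells
        self.max_kmh = max_kmh
        self.last_seen = {}   # imsi -> (timestamp_s, cell_id): O(1) per event

    def observe(self, imsi, timestamp_s, cell_id):
        """Feed one location update (in time order). Returns an alert dict or None."""
        alert = None
        prev = self.last_seen.get(imsi)
        if prev is not None:
            prev_t, prev_cell = prev
            km = haversine_km(self.cells[prev_cell], self.cells[cell_id])
            dt_h = (timestamp_s - prev_t) / 3600.0
            if dt_h <= 0:
                # Same second in two places: only suspicious if the cells are far apart.
                suspicious = km > SAME_TIME_MIN_KM
            else:
                suspicious = km / dt_h > self.max_kmh
            if suspicious:
                alert = {"imsi": imsi, "from": prev_cell, "to": cell_id,
                         "km": round(km, 1), "seconds": timestamp_s - prev_t}
        self.last_seen[imsi] = (timestamp_s, cell_id)
        return alert


def scan(events, cells=CELLS):
    """Run the detector over (imsi, unix_time_s, cell_id) tuples; return alerts."""
    det = DuplicateImsiDetector(cells)
    alerts = []
    for imsi, t, cell in sorted(events, key=lambda e: e[1]):   # stable sort by time
        a = det.observe(imsi, t, cell)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample location updates.
SAMPLE_EVENTS = [
    ("001010000000001", 1000, "CELL_SYD_A"),
    ("001010000000002", 1000, "CELL_SYD_A"),
    ("001010000000003", 1000, "CELL_SYD_A"),
    ("001010000000002", 1300, "CELL_SYD_B"),   # walked to the next cell: fine
    ("001010000000001", 1600, "CELL_MEL_A"),   # ~700 km in 10 minutes: two cards
    ("001010000000004", 2000, "CELL_SYD_A"),
    ("001010000000004", 2000, "CELL_MEL_A"),   # same second, two cities: dt == 0 branch
    ("001010000000003", 19000, "CELL_MEL_A"),  # 5 hours later: a flight, fine
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run it and only IMSIs ...001 and ...004 are reported; the commuter and the traveller pass because their implied speeds are ordinary.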
What was the original sales purpose of the SimMax holding 12 Sims, was it able to be swapped by phones, or did it need an external device to swap between profiles. If it was simple as typing a number command and rebooting, then I could see the purpose if you were trying to make cheap calls from Optus to Optus or Telstra to Telstra or for frequent travellers.
If I remember correctly there were sim cards which could store multiple sim card profiles/numbers you would read cards you have and then store those into that single "super sim" and on some phones you could cycle through those stored profiles even through menu on phone itself.
@@kerozin520 This could be using SIM Application Toolkit to add menu options to the phone. Another aspect of SIM cards that doesn't seem well known about.
You actually have "SIM menu" on your phone and there's an item called "change number" provided you have this all-in-one SIMcard inserted, so you can select there any of slots of your 12-in-one SIM. But not all phones do support simcard hotswap, so most old phones still needed reboot (power cycle) in order to change simcard.
@@JanusCycle Yup, that's actually what the "STK" on the card refers to - SIM ToolKit. On phones that supported STK, an extra menu would appear on the phone allowing you to pick a SIM. You could also use a PIC programmer like the Infinity USB to write SIM-EMU software onto a blank Greencard to create your own SIMMAX-style multisim-in-one card. From memory SIM-EMU worked more reliably than SIMMAX.
Your voice fits perfectly for the topic. An obscure, niche topic in electronic enthusiast community. I remember my dad used to get gold cards from ebay back in the day and programmed them to work as a car wash card. The first time he tried it, the cashier said he had 50k on it. Can’t imagine what went through his mind at that point
I cloned my sim card years ago, I had a stk 8 in 1 sim that could have 8 numbers. I only ever used one and kept the original sim at home. It didn't take long either.
Maybe this is why mobile operators are keen for you to have a new SIM whenever you get a new handset, even if you are retaining the same number with the same provider.
There's potentially another way to read out the Ki No. from a SIM card: use an e-beam prober to read out the actual Flash memory in the SIM card. You need a lot of spare change to buy one, but I'm sure that's not much of a problem for a state owned spy agency. On your comment on Wikipedia being updated so quickly, actually virtually anybody can do that, so it was probably one of your regular viewers.
Governments don't work that way usually mate. Years ago they just mandated that providers, i.e. Telstra etc., provide unfettered access to agencies on request. Meaning at least 15 years ago when I worked for Telstra, they could see everything you did; imagine their capabilities now.
@@Steve211Ucdhihifvshi I think you've misunderstood what I was saying. It wasn't that state-level actors do it, only that it is the sort of budget you need. Of course multinationals have more loose change than a lot of governments, so clearly they can do it.
So by literally viewing the hexdump of the flash memory? Wouldn't that contain the code that runs on the SIM processor as well that you'd have to disassemble to sort them out from the key and understand how the code retrieves the key? Are the processors used by SIM card documented?
@@EvilSapphireR I would suggest to you that it is all relatively easily achieved by a skilled operator. I once did a hex dump of a microcontroller's Flash and hand-disassembled the whole thing (didn't have the disassembler, just the data book), created a flow chart of what it was doing, corrected a bug and then reassembled it all and programmed the device in 2 weeks. With the proper SW tools it would have been much easier. As to the documentation of the CPU, they all use off-the-shelf cores. Some companies do soft cores in an FPGA, but that's not going to happen for a SIM card reader.
It's like cracking a WPA Wi-Fi code (trying many codes until matching the exact one), but SIM cards have security built in: at the factory they send a voltage on a pin to burn it. This pin is the one for writing or making changes on the SIM, so it cannot be edited.
This video is a great case study in supply chain exploitation with the points discussed from 9:47 onwards. Kinda like that one XKCD comic about encryption, rather than cracking a Ki, just social engineer and/or drug your way into the manufacturers which is the path of far less resistance.
How I HATE how SIM cards have changed over the years. Now you gotta register even prepaid SIM cards for "security"? Yeah no, it's got nothing to do with that, as we have seen what it is actually used for the past 3 years. Then also the push towards eSIM. So now the phones can be hardware vendor locked and I cannot just use whatever phone I want (aside from the other obvious problems). And the most aggravating thing is trying to get a 2nd SIM officially..... I asked my provider, it is "only" 5€ per month.......and 20€ for the card ..... and 20€ each year for "services" .... and 5€/month extra to be able to use it for anything but phone calls. They seriously want to charge me more just for a 2nd SIM than it would cost me to get an entire 2nd contract.
Very interesting! I always wanted to know the details of how SIM cards worked. I actually built a SIM card reader when I was younger but it just bricked the SIM cards, it must have been hitting the limit! However, as a teenager everyone at school had a Nokia 5110 (without SIM); you could enter a secret technician menu and change the phone number to a friend's phone number and then receive their text messages and calls! It only worked when you were on the same cell tower and was more of a funny prank, as it diverted calls and messages and their phone would stop working.
You may be referring to the AMPS/TDMA variants of the 5110. AMPS is notorious for being insecure, and that may have been the network standard used on the cellphone provider my dad complained about a few decades ago.
Great video! Your voice is very nice, the topic is very interesting (to me lol) and the demonstrations and explanations were really good. Keep up the great work!
"...they just want to listen in if they need to." something tells me that "if they need to" means all the time to misconstruct or find the smallest thing in case you dare to "notice" or do a "wrong think".
Excellent video, content, narrating, presentation... everything! (And I especially loved that version of "Policy of Truth") Wishing you continued success with your youtube channel! ~ Allen
We used to clone our in-house phones back in the analog days to save on maintaining separate accounts. I'd like to experiment with this for a couple of my phones, but so far I have yet to find a safe trojan-free version of Woron Scan.
Some years ago, a father and son cloned a SIM card, for whatever reason. They were found out, arrested and jailed. I think there's a way from the NP side to find out this kind of activity, for example by way of phone make and model number or a UUID.
That is exactly what I was thinking. It is not just a SIM that the network has for any device that connects to it. Those people would have had to clone everything on the phone, and there may even be one or more unique chips on each of the phones that the NP can collect data from, in addition to which tower and date and time it connects (presuming this father and son were using prepaid SIM cards where the location they lived and their legal names etc. were not already known by the NP and connected with the SIM account).
I remember back in the GSM days people had pay-as-you-go mobile phones that they had literally chipped, and because the credit that was on the account was actually stored on the phone itself, every time they turned the phone off and on again it would reset the balance to show £10 credit. I wonder if you could do a video about this, as it always fascinated me.
Just like to point out that just because there is no "known" method to clone a modern SIM card, that doesn't mean certain people don't know how to do it. Just because something isn't widely spread doesn't imply that there's no way to do that thing. I'm sure you can't find any information on copying a government-issued form of ID, but it does happen.
Great video! Could you also make a video about how the phone gets the carrier name? It always interested me, because despite some carriers changing their names, my new Android phone would report the old name until I changed the SIM card. But when I used a second old SIM card from another carrier, my phone displayed the correct up-to-date name... 🤔
Nice video and nice music. I remember ages back reading about how SIM cards were essentially little CPUs rather than things that simply store data, so cloning was impossible. Didn't know there was a way to mathematically brute force what they were doing, but I guess it makes sense. I now see why governments are so upset about encrypted chat programs. Guess they lost their favourite toy.
They are microcontrollers, yes, but they do have memory containing the required executable code and keys, so it's absolutely not impossible to read them out.
My ex-roommate went to MIT, he's now head of R&D (they don't call it that but I can't remember the exact job title) for Deutsche Telekom/T-Mobile here in the U.S. Back in 2014 when we were living together, I watched him clone his own SIM card so he could have multiple phones with the same number. This was on T-Mobile's 3G/4G network. He definitely found a significant vulnerability and wasn't keen on sharing it with me. And I doubt he's the only one who knows of it. But instead of revealing it, he (and/or they) keep their mouths shut so they don't "fix" it again. He learned his lesson with satellite TV: they used to hack the cards in order to get free TV. They would then release the new hacked ROM online and eventually the TV company would send out a patch to fix the hole and they'd have to crack it again; rinse, repeat. This happened numerous times until the satellite TV company finally did away with that card system altogether. If my ex-roommate had never released those hacked ROMs on the internet, he would probably still have free satellite TV to this day. He said he'll never forget that lesson.
I did this to my card and my wife's card and put them on an ATMEL card. Worked fine and I was able to select which SIM card I wanted to emulate, simply by the PIN code. If I turned the phone on and entered 1111 as PIN I would get my own card, if I used 2222 I got my wife's. Sadly both phone numbers could not be active at the same time though. Was mainly done as proof of concept, but I did it with a program just like yours that found the IMSI and KI.
My dad just lost his phone by dropping it into our well. After the incident, he cloned his lost SIM card, but some apps interact weirdly with the new SIM. They knew the SIM had the same number as the old one, but some verifications were not sent to the new card but to the old one.
If he went to get a replacement at the carrier, it's likely not a clone but a new card that the carrier bound to his account. I remember when I did that back in Russia all my bank and payment apps stopped working, because the login code would come in an SMS and they weren't sure it was me who made the replacement SIM card (there used to be a lot of incidents where carrier employees would illegally reissue SIM cards to get into people's bank accounts).
Since you know so much about SIMs and how they work, please do an episode on eSIM and how to convert between them. My provider charges for eSIMs and it is difficult and costly to swap SIMs between phones.
Actually capturing responses and working out the key is how you can figure out the secret key in WPA2 encrypted wireless networks. All you really need is a computer that can put the wireless card into promiscuous mode and set it up to listen for new device traffic. You can even send a bad packet of data to the network to reboot all the devices, and they all have to re-auth back to the WAP, thus getting a large number of encrypted packets to process. You then either manually decrypt the password or you can put the encrypted password into a giant list of known passwords and see if the user used one of them. It only takes like 48 hours or so to decrypt WPA2 encrypted keys and maybe even less with GPU processing. It's pretty fun to do, just don't use it to try and steal your neighbor's Wi-Fi, as that can be illegal in some places.
The time to crack WPA2 is extremely variable depending on hardware and complexity of the password, assuming brute force (or how big the password list is, assuming it even has it). There was a manufacturer of mobile data Wi-Fi pucks who used a default password of 8 random numbers. A laptop with a 1070 GPU could brute force that keyspace in about 4 minutes with hashcat.
In my country they are blocking the 3G network. 2G stays because apparently some old infrastructure works on it, and the 2G network has several advantages
If someone can get your phone and just copy the number and create an identical SIM card, can they then listen to conversations between you and another person?
Modern SIM cards cannot be copied. But if it's an old SIM card and they have special radio equipment and lots of time and skills, then yes, they can copy and listen in.
Why am I not surprised that most of the Ki numbers are known by surveillance agencies? This is the reason one doesn’t attempt any crucially private exchanges without decent end-to-end encryption.
Would be interesting to try this in a country where 2G/basic GSM is still alive and well, like Germany. I still know of two pre-2000 prepaid SIMs that are still active and being used, one being my mom's (from sometime in '97) and one being mine from my very first own phone I got for Christmas '99, which might already be too new...
If you still want to know, one of those cloned cards still works well in Russia, because the original card was lost and that number is only used in an old phone without 4G, so no one bothered to do anything and just used the cloned card. No issues or oddities were noticed for years.
Very interesting information! Thanks. Best I can tell, the biggest danger is SIM swapping via human engineering: a scammer using what would seem to be, but isn't, hard-to-obtain information about the victim to convince some underpaid and undertrained customer service agent at their mobile carrier that s/he is you, then transfer your number over to the hacker's phone.
True, I've worked on big, secret M&As (Mergers & Acquisitions) where the utmost care was taken to ensure privacy, since it would affect the price of the companies if word got out, and yet details of the deal were sent in plaintext over email.
Is there a non-criminal use case? For example: I own a phone and a tablet. I purchased a tablet that accepts a phone SIM card specifically because a previous tablet was stolen, and so I need mobile data to track movement and remote lock it. However, paying for a phone and data plan for multiple devices costs more. It's also inconvenient to have multiple different phone numbers when I'd rather just have the one. So, I was thinking: if I clone the SIM card for one device and put the copy in the other, could I use them both? And what would happen? If someone called me, would it ring on both devices, or just one? If someone sent me a text message, would both devices receive it? And would the network detect the same SIM card is active twice and move to block both from functioning? Assuming, of course, it's even possible to use a sufficiently old SIM card that is vulnerable.
IIRC in those old days, when the second device was registered by the network, the previous one was forgotten, like you turned it off. The first device may eventually find itself forgotten, disagree and re-register again :) thus you will observe an exciting push-pull fight between two devices for owning the network registration. You can't get two devices working simultaneously, because the network is not designed to do so.
Back in the early 2000s my mobile phone carrier actually advertised this as an option, charging $10 monthly for the second SIM. They claimed both SIMs are able to place calls and send text messages, but only the last active SIM would receive phone calls or messages. So if both devices were switched off, the one that is switched on second would be the device able to receive phone calls. They did the cloning instantly in the store (because they actually had the customer's KI, they just loaded that on to another SIM).
FYI, as of April 2023 there is 900 MHz GSM still operating in one part of Australia I work at: Christmas Island. Telstra still operates the only mobile phone network there, it's still 2G voice and SMS only, just like the early '90s. The only mobile data service on the island is offered by a small business known as CiFi with their own LTE equipment, and that service is data only. Their connection comes by way of tapping into the Vocus undersea cable from Perth. I was there only last week and can confirm this is the case still. Telstra has accepted millions of dollars of taxpayers' money in order to upgrade their service to 4G, but as usual is moving at a glacial pace. At some stage this remaining 2G outpost will also get switched off.
@@JanusCycle Astonishingly, they even installed additional 2G equipment last year to increase coverage 😂 I'm no expert and wonder if it is in fact modern stuff that's been dumbed down till the necessary bandwidth is available. Voice quality on the 2G service is below average also, extremely low bit rate and like AM radio quality. When you make a WhatsApp or Optus Wi-Fi call using the CiFi LTE, it's like listening to a CD player in the age of worn-out type 1 cassettes for the first time.
When you try and make a second call at the same time the other phone drops the call, as the second call starts. From what people who have tried that have said happens.
It was known from the start of the GSM implementations that the SIM crypto algorithm was pretty weak. But as you said it was kept secret, which in the early 1990s created quite a discussion. Normally in crypto systems the security lies in the secrecy of the key, not in the secrecy of the algorithm. But this was ignored by the GSM standards consortium. I guess there were two reasons. The first is that they were worried about the SIM chips available being powerful enough. The other reason was probably that the governments wanted a back door. To your assertion about getting the Perso keys of the SIM cards, there the security has been tightened considerably and the Perso keys issued by the SI vendors are now sent in a classic crypto ceremony in 3 parts, where only the combination of all three parts of the key will result in the correct key. This is used to derive the individual chip keys. But I guess there may still be different standards used by different vendors.
@@JanusCycle The 3 part way is not default for any manufacturer afaik. Where I worked we started forcing encrypted orders in 2019 or so, after which I ordered new cards and destroyed my old ones. But even that handling did not seem to be the default way for the big manufacturers =/
Somehow, somebody copied my SIM card back in the year 2000 here in Germany, but not like that. This person had to build an access point, so my phone logged into it, and they must've sniffed all the information they could get. They phoned away on my bill. 200 bucks later, I went to the police and the provider told me I was in a different city while calling people. Lucky me, I had proof I worked at that time, or at least I thought lucky me. O2 refused to refund me, it went to court, I won, but they kicked me out of the contract. So yeah, somehow it was easier 23 years ago, when no real encryption was implemented in GSM. This video made me remember it. Decades later, we know how you can build your own cell tower or at least a small version of it. How somebody gets the KI number though with just listening to 1 calculation... maybe somebody made "logged in" phones reauthenticate many times and then.. tried the rest? I know I was working at my job back then, and not in Berlin, so who knows how that worked back then. Hardware was slow back then, so your method would have taken a long time.
Sounds like those scenes in movies where someone pulls the sim card out of another person's phone while they're in the bathroom, clones it in 30 seconds, and puts it back in their phone before they know what happened, are pretty far-fetched.
There is a scene just like your description in The Bourne Supremacy. Since it's a movie we can assume Bourne had a backdoor SIM exploit, or some other secret intel we don't know, to keep it fun :)
I like how you formally announce "We've reached the end of the video" . Great video, I have no interest in the subject matter, yet, watched the whole thing.
I remember the good old times when me and my friends would clone the analog NMT mobile phones. It was ridiculously easy back then, and then you could be any number in the network. In my country for a long time it was not believed that it was possible. There was a classic case where a police chief gave a challenge to replicate his phone number, as he did not believe it was possible. Next month he received in his mobile invoice costs for calls to adult phone services not made by him, and he had to believe it was true.
I was wondering if this SIM USB adapter is a standard PC/SC reader? Or actually a better question would be if I can use my Phoenix interface as a standard PC/SC reader? I am thinking of buying a Duolabs CAS3 (for some other things), and was wondering if I can also use it like a normal PC/SC reader or I need to buy a separate device for that?
Mine has been cloned already....I worked at a BIG telephone company and you would be surprised how corrupt the employees are!!!! Money talks.....as you already know ..... Most illegal things are not done by criminals but by government employees.....😂
Because the calculation is a hash function, it can't be reversed easily. There is not enough information in the result for it to work backwards. Unless the hash function is weak, then you can start trying many combinations and find the key in a reasonable amount of time.
2G is still available everywhere across Europe. It was something related to contracts mobile operators had with emergency phone numbers IIRC, so we will probably have 2G for at least 10 more years!
So SIM card cloning is dead if I am not a government entity? Good to know, thank you. I had thought of cloning a SIM card to share internet access, but it looks like it's not possible.
@@orange11squares Not the same, once the SIM is replaced the number is assigned to the new SIM card and the old one becomes useless, I work in a US telecom company
@@JanusCycle Isn't it viable to read it directly from the chip with a microscope, destroying the original sim in the process, and later cloning it to another 2 sims?
Thank you for sharing this. I was getting spam texts recently and my bank informed me about this very thing, so I now know how they did it and changed all my details, so I haven't received any since.
Unfortunately there is something called the 'SIM Swap attack', where network employees are duped into swapping your SIM details to another SIM card. Try not to rely on SMS messages for security.
Very good video, two thumbs up! As a person who cloned SIM cards and made multiple-in-one cards I can tell the video and explanation is 100% accurate. Except the part of spy agencies spying by intercepting the Ki number.
Spy agencies intercepted Ki numbers in emails from card manufacturers sent to networks. Not over the air. Hopefully I made that clear enough in the video.
I don't have enough knowledge myself to be certain. But I remember that Ben from Applied Science channel was viewing active electronic circuits with his scanning electron microscope, so yes!
Just a short question: when you say that "2G networks has been shut down in your area", where is that? Because AFAIK in Europe the 2G network won't be shut down anytime soon; instead 3G will. In some areas around me there's 2G and 4G signal, but not 3G anymore.
On the first version there was an exploit message that you could send to someone, and the sender's phone would automatically send you back an error message with the key number.
I can’t imagine you’d be able to listen in on calls with a cloned SIM. At best you might receive the odd call, but a cellular network holds registration records for each phone, ie what cell site it’s currently using etc. There is no facility for ‘the same’ phone to be registered twice and therefore would have no means to route the call to two phones. I suspect the network would pick up on registration requests from the ‘same phone’ on two different cell sites, especially if they were geographically separated and just block the number altogether. Even bank card systems detect this. I once refuelled a hired car with my company fuel card in Scotland, caught a plane back to London and tried to refuel my own car 2 hours after previously using the card several hundred miles away and the system picked it up as potential fraud and blocked my card. I’d be very surprised if the same didn’t happen with two phones online at the same time with the same SIM details.
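The double-registration detection this comment speculates about is the same "impossible travel" check used for payment cards, and it can be expressed directly over location-update records. The following is an added illustration, not part of any comment and not any operator's real logic: the log lines are constructed sample data, the field layout (`imsi=`, `cell=`, `lat=`, `lon=`) is an assumed format, and the 900 km/h threshold is an assumed ceiling for a phone travelling by airliner. It flags an IMSI that appears at two cell sites farther apart than any vehicle could have carried it in the time between the updates.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed sample of location-update records (not real network data).
# One IMSI appears in Edinburgh and then in London ten minutes later.
SAMPLE_LOG = """\
2023-04-01T10:00:00Z imsi=001010000000001 cell=EDI-17 lat=55.95 lon=-3.19
2023-04-01T10:05:00Z imsi=001010000000002 cell=EDI-17 lat=55.95 lon=-3.19
2023-04-01T10:10:00Z imsi=001010000000001 cell=LON-42 lat=51.51 lon=-0.13
2023-04-01T13:10:00Z imsi=001010000000002 cell=LON-42 lat=51.51 lon=-0.13
2023-04-01T13:30:00Z imsi=001010000000001 cell=LON-43 lat=51.52 lon=-0.12
"""


@dataclass
class Update:
    when: datetime
    imsi: str
    cell: str
    lat: float
    lon: float


def parse_log(text: str) -> List[Update]:
    """Parse the assumed 'timestamp key=value ...' line format."""
    updates = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        updates.append(Update(when, fields["imsi"], fields["cell"],
                              float(fields["lat"]), float(fields["lon"])))
    return updates


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(updates: List[Update],
                      max_speed_kmh: float = 900.0) -> List[Tuple[str, str, str, int]]:
    """Return (imsi, cell_from, cell_to, implied_speed_kmh) for each pair of
    consecutive updates of one IMSI whose implied speed exceeds the ceiling."""
    by_imsi: Dict[str, List[Update]] = {}
    for u in sorted(updates, key=lambda u: u.when):
        by_imsi.setdefault(u.imsi, []).append(u)

    alerts = []
    for imsi, seq in by_imsi.items():
        for a, b in zip(seq, seq[1:]):
            hours = (b.when - a.when).total_seconds() / 3600.0
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if hours <= 0 or km == 0:
                continue  # same site, or out-of-order duplicates
            speed = km / hours
            if speed > max_speed_kmh:
                alerts.append((imsi, a.cell, b.cell, round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print("possible duplicate SIM:", alert)
```

A real operator would key this on the subscriber's IMSI and TMSI history from the HLR/VLR rather than a text log, and would tune the threshold per region, but the shape of the check is the same: one identity, two places, not enough time in between.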
Exactly. Why would they bother with ancient tech like SIM cards, when they have access to the data and voice feed at a service provider level. China has access at a device level. But 15 years ago SIM cards were outdated.
Jokes on them, no one can listen in on my phone calls because I don't make any XD Google does have front row seats to my internet browsing habits though, as I subscribe to the whole Google ecosystem lol.
It may be possible using more sophisticated techniques and implementing a spectrum analyzer and an oscilloscope to view the waveform produced by the SIM card and find some way to replicate that in another card.
the waveform produced by the sim card? lol. Perhaps use a super undulating dipole converting overclocked cpu to encapsulate the intangible profanation of the sim.
I wonder if you could use a device in between the card and phone to act as a relay for the authentication? You’d never need the key because you’d just be getting the actual card to do the work for you.
Yes these exist. They bypass the phone’s network lock by telling the phone the network it expects to be on. But when it comes to authentication they relay the request to the SIM and get the result.
@@KPbICMAH Yeah, but they aren't sold anymore, I did check it.
@@Redditard Yes, but your PC would need an antenna or other hardware capable of talking with mobile networks.
The Phone Cloning Wikipedia page has been updated. Thank you to whoever did that so quickly, less than two hours after release!
@@slyceth Sure thing, SIM cards have a little processor inside that does secret key authentication calculations. The software running on this processor also decides how to respond to requests to read the memory. It will never allow the secret key to be read out.
The only way in theory to read the entire memory would be to bypass the processor, by directly extracting the internal silicon and reading the memory contents directly with an electron microscope or similar specialised equipment. This also destroys the original SIM card in the process.
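The reply above (and the earlier comment about the calculation being a one-way hash) describes the card as a small processor that answers challenges but never hands over the key. Here is an added illustration of that interface, not part of any comment and not the video's software: a toy SIM object whose Ki is held privately and exposed only through a RUN GSM ALGORITHM-style call, and a toy authentication centre that checks the answer. HMAC-SHA256 stands in for the real A3/A8 algorithms (COMP128 and its successors) purely for the demonstration; that substitution, the file name `EF_KI` and the demo IMSI/Ki values are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class SimCard:
    """Toy model of a SIM. The Ki lives inside the card's processor and only
    ever leaves as an authentication result, never as a readable file."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki  # private: no method below returns it

    def read_file(self, name: str) -> bytes:
        """The card firmware decides what is readable. The IMSI is a readable
        elementary file; the key is not exposed as a file at all."""
        readable = {"EF_IMSI": self.imsi.encode()}
        if name in readable:
            return readable[name]
        # Any attempt to read the key (assumed name EF_KI) is refused.
        raise PermissionError(f"{name}: access condition not satisfied")

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Take a 16-byte RAND and return (SRES, Kc): a 4-byte signed
        response and an 8-byte session key. Only these cross the interface.
        HMAC-SHA256 is a stand-in for the real A3/A8, an assumption here."""
        if len(rand) != 16:
            raise ValueError("RAND must be 16 bytes")
        digest = hmac.new(self._ki, rand, hashlib.sha256).digest()
        return digest[:4], digest[4:12]


class AuthCentre:
    """Network side: holds its own copy of Ki per IMSI and checks answers."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._subscribers = subscribers

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._subscribers.get(imsi)
        if ki is None:
            return False
        expected = hmac.new(ki, rand, hashlib.sha256).digest()[:4]
        return hmac.compare_digest(expected, sres)


def authenticate(card: SimCard, auc: AuthCentre) -> bool:
    """One round of the exchange: network sends RAND, card answers SRES."""
    rand = auc.challenge()
    sres, _kc = card.run_gsm_algorithm(rand)
    return auc.verify(card.imsi, rand, sres)


def key_is_readable(card: SimCard) -> bool:
    """The 'Gimme key' / 'No' exchange from the comments, as code."""
    try:
        card.read_file("EF_KI")
        return True
    except PermissionError:
        return False


# Constructed demo values, not real subscriber data.
DEMO_IMSI = "001010123456789"
DEMO_KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine card authenticates, card with guessed Ki authenticates,
    key readable from the genuine card)."""
    genuine = SimCard(DEMO_IMSI, DEMO_KI)
    auc = AuthCentre({DEMO_IMSI: DEMO_KI})
    guessed = SimCard(DEMO_IMSI, bytes(16))  # right IMSI, wrong Ki
    return authenticate(genuine, auc), authenticate(guessed, auc), key_is_readable(genuine)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that copying the IMSI is easy and useless on its own: without Ki the second card cannot produce a matching SRES, and the card's own firmware is what stands between the reader and the key. With a strong keyed function in place of A3/A8, collecting RAND/SRES pairs does not lead back to Ki, which is exactly what the older COMP128 design failed to guarantee.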
Dude thank you for doing this video, although I would worry about the type of enemies you will make for posting it..
There was an Aussie politician who claimed his SIM was cloned about 5 years ago. I saw a radio show in Sydney that then got US private investigator Ed Oppernan on their show to debunk the politician's claims in a phone interview.
I was very vocal at the time, because I knew for a FACT they were lying to protect this flaw from being fixed and essentially throw this politician under the bus. What people need to realise, especially those who think that law enforcement should be allowed to do this because "nothing to hide, nothing to fear", is that anything the good guys have access to, the bad guys do too. How do I know? The son of a guy who was high up in the mafia had the hots for my girlfriend at the time. He was sending messed up messages to her pretending to be me. He was not spoofing my number, because he could read her replies, and I changed my phone to make sure it wasn't my phone having remote access software running on it. We only realised why we were fighting, and she was sending me messages that made no sense, because we managed to catch him doing it when I had the day off work and we were together while he tried to send more abusive messages as me.
As a side note: encryption matters. A government back door is a mafia back door. Imagine you were in the witness protection scheme and your private communication was being read by the wrong people. Or police records. Or private photos which can compromise people in positions of authority. Does Dan Andrews and other politicians frothing at the mouth about getting everyone jabbed make sense now? Encryption protects everyone, bad and good. The old trope of needing to catch pedophiles is BS, and they have many other means of doing that job that they should be adequately funding.
Rant over, excellent video
@@slyceth It's actually pretty simple
Computer to SIM card: "Gimme key"
SIM card to Computer: "No"
Why didn't you do it yourself? That's what I do when I see something that's wrong on Wikipedia.
Reminds me of the time when I used to play with SIM emulators. They used to run on a small microcontroller (A PIC variety). Gold cards, silver cards, wafer cards (and others) usually used for decrypting the old analogue satellite pay TV. But could be used as clone phone-cards in payphones and something called a yes-card (a fake bank card that used a flaw that meant it wasn't checked online) where you could enter any PIN on the PIN pad.
I remember those cards, but I didn't have a use for one so I have never tried them out. That payphone trick is quite sneaky.
@@JanusCycle I've still got all the details and source code (as an historical artifact), but fully expect the vulnerable systems to have been hardened by now.
@@threeMetreJim can you share your source code maybe?
I still have one of those. It let you enter IMSI and Ki directly from the phone's "SIM menu", but on new phones that menu is half broken, so it only works properly on an old phone. It let you create multiple "profiles" with pairs of IMSI and Ki and switch between them. On an old phone switching worked even without needing to reboot the phone to reconnect to the new network. It worked for 2G and 3G without any issues, but for 4G it couldn't work, because for 4G the algorithm was changed again and a third code called "OPc" was added to make more "security through obscurity".
FBI we got a suspect here... 🤣🤣🤣😅
Back in the day, Satellite TV access cards were hacked by 'glitching'. That's resetting the card, counting clock cycles, and then glitching the power supply. Repeated thousands of times (with variable parameters) until the card responded out of spec, and spilled its secrets, or (at the user end) allowed access to adjust the available channels.
So that's how they did it! Those clever pirates, selling those cards which would last a few months before having to be replaced...or so I'm told.
@@raylopez99 Once in a while, closer to a year. But sometimes the signal provider would issue a series of changes all in a row, and the hacked cards would be mailed back and forth more than being used. Later, one could buy a glitcher (serial or parallel port, long before USB) and subscribe to the new software from the pirate. I stopped before it became illegal in my jurisdiction. And I always maintained a local subscription to the local provider, in case that might mitigate things. House had up to four small dishes at one point.
@@JxH I remember my mom and dad buying those cards until they gave up because of having to change them every year or 6 months.
Shit.
Speaking about SIM card vendors sending card data to mobile operators. I used to work for a GSM operator in one of the former Soviet republics in the early 2000s, being responsible for interaction with SIM makers, among other things. We used PGP for any sensitive information sent via email, but even if you did get the plain-text output files, you wouldn't get Ki from them, as it was additionally encrypted with a transport key (which was delivered separately and entered in the switch for decrypting the Ki information inside the AUC). Different keys were used for different SIM vendors (and sometimes several keys for the same vendor), and these were only referenced in the output files by their numbers, which means the actual Ki value was pretty much never available to anyone on the operator's side. I don't think this was much different in the UK or elsewhere, at least post-2000.
Interesting, thank you. Have you (op-side) had the transport keys in plain? Could you decrypt Ki outside AUC using the transport key?
@@mustfit no, the switch people received the transport keys and input them into the system. So in theory we could have cooperated with them on this.
Interesting, thank you again
Back in my day we had tons of tricks like kicking people off the internet. Seriously. That sounds so far off, like something a bigfoot or religious follower would say, that I bet no one today would even believe that was possible.
I bet I could make a video about it claiming it still exists and the bigfoot/ape evolution people would spread it like it's gospel
I'm really surprised it's not the mobile operator who writes those keys into blank cards from the manufacturer. It is even possible to order those blank cards from sellers online for cheap. And the process of writing keys is so simple, and only requires basic USB card reader hardware, that it could even be done at an operator's SIM card sales office.
Would be interesting to see if you could run a low power GSM base station to get these devices online and play with this a bit more in depth.
You'd be surprised how expensive low-power GSM base stations are to buy/run. It isn't simply a matter of software, to handle 100s of simultaneous links they have to have extremely expensive clocks, and this is true even if there is only 1 subscriber, the base station basically keeps time.
Now I'm sure it's possible with a HackRF and a TCXO soldered into something somewhere, but it's not as easy as reading a card with a card reader unfortunately, unless you spend above $3000
Sure, but OpenBTS with a cheap SDR would probably be enough for a local system to be set up. The main issue I see is managing the RF situation: can it be run low power legally, or would the room have to be turned into a Faraday cage first?
Some places keep Gen2 GSM running as the common fallback for later phones after their preferred protocol is shut down. So when 3G shuts down, the old 3G phones "roam" to the backup 2G net. Same for 4G.
Amazing nostalgia trip :) Cloning SIMs to wafer or "12in1" cards was quite popular in the Balkans before multi-SIM phones came out. It was more convenient to restart your phone and select the active SIM with a code than to juggle a few actual cards from different providers. Due to the 64k inquiry limit, it only worked on some cards of course. However there was a horror story that most of the phone repair shops (and enthusiasts) unknowingly used a "backdoored" version of Woron Scan that was sending all the Ki numbers to some Russian hacker group that made the clones as well, and then used them to call ultra-premium numbers they had set up :)
Exactly, that happened.
A high tech version of what occasionally happens today, where a stranger who looks like a drug dealer will ask to use your phone, because he "lost" his, and then use it to make a deal. A kind of a 'burner phone' technique.
@@raylopez99 Not the same
Your part about the backdoored version of Woron scan will serve as my daily reminder to only use this sort of software in a virtual machine isolated from the Internet :)
There is a lesson about the russians in this. Learn it
The question is, as intriguing as it was, in some places SIM cards are sold more or less freely like here in the Philippines making burners and fraudulent calls easy; it wasn't until 2022 when mandatory SIM registration was enacted.
Whoa. That's hard to imagine having lived in Australia. Getting a new SIM has always been such a barrier, that people were far less likely to swap prepaid carriers because of it.
@@HonestAuntyElle I'm in Croatia, you can still buy prepaid sim cards without any kind of identification or registration, they're $3 or so. You can optionally register it with info that is not checked in any way and in that case they send you those $3 you paid for card back to your prepaid account to use for calls.
@@kerozin520 in Hungary you have to register it and they call it EU law
Philippine law is shit. They made that law to lessen SMS scams but there are still SMS scams, and now they have even become more convincing.
So even with registration, it is still possible to extract an eSIM profile and edit the info in such a way that you get a new identity, and if that identity exists on the carrier's server then it's easy as cake
About 20 years ago a family friend claimed to be able to do this alongside hacking the cards in cable boxes and such. Of course, he wasn't open about his process but some of the things he talked about were mentioned here. Maybe he wasn't actually doing anything but it's neat to see he wasn't totally blowing smoke. He did eventually get caught up in a casino machine cheating scandal so it's not hard to imagine he was up to something.
The whole DirecTV smart card story was fun to read. The gist of it was them and hackers going back and forth for years until DTV started sending required card updates that appeared to have useless data, but once the last bytes were received, it turned into a program running on the card itself. Then a week before a Super Bowl (I think it was 2000 or 2001), they sent a command that bricked all hacked smart cards and set the first 8 bytes of the card to GAMEOVER.
Pretty crazy seeing all this out in the open all these years later. I used to see a lot of this stuff and the systems Telstra used when I worked for them back in the day. Everything you said was correct.
Everything everyone says is correct apparently. Christian channel commenters say that. Satanist channel commenters say that. Atheist cult channel commenters say that. Republican channels all say that. Democrat channels, libertarian channels, bigfoot sighting channels....
Channels that say: see where I'm getting with this, probably say that
64k attempts lifetime limit, how neat. That's probably why my SIM card mysteriously died after 15 years of flawless service (getting a replacement was challenging since not many people remembered the time one didn't have to show id and register everything in that country).
It's been a long time, so I don't remember all the details, but I remember the days at Research In Motion developing the Tachyon, aka The BlackBerry 5810/20... It had a number of problems. An important one was that the SIM card slot was prone to bad electrical connections and static discharge. One (entirely temporary and never shipped IIRC) solution was to get the Ki and program it into the phone, so that the phone could emulate the SIM card rather than use it... It made the phone far more reliable. My memory was that it was possible to have the phone work out the Ki by passively gathering challenges, actively get it (which took a day or so if it didn't crash, and was tough on the battery), or asking nicely and getting it from the carrier. Our SIMs at work were weird special SIMs meant for testing and development, so the Kis were not treated with the same care as normal SIMs. I think it's possible that they didn't have protected ROM on some of them, so if you had the right tools, you could just read the Ki off of it.
I knew some guys who kept a 2G tower unit in their bathroom and were slowly hacking it, I think they were able to span a little network of their own but they didn't run it very often. Perhaps you can find some enthusiasts like that where you live.
Is the frequency for 2G unused by any other networks? I would have guessed that if the phone company had no use for it the government would take back that frequency and offer it to other service providers. And if they did and these rogue 2G towers were broadcasting on the airwaves... they would eventually get identified; their broadcasts would potentially either be jamming the new legit devices using those frequencies and/or those new devices would jam the rogue 2G stations' broadcasts??
@@manp1039 I'm hoping frequency reassignment is a SLOW process. And as long as no one complains, nobody investigates. Hush-hush sort of business though, you don't show every stranger your bathroom if you have one of those.
Naa, I live in the 13th largest city in the USA. They don't even know how to milk the cows on their farms in the USA. Back in the day I was like a space alien using computers. Today they still think only phones exist
LOL
One of my SIM cards (bought around 2003) was cloned over 10 years ago (same SIMMAX 16-in-one), and it still works perfectly in 2G and 3G networks after all these years. No need to swap cards in my old phones :-) Just switch it on and ready to go! By the way, if I switch on more than one phone at the same time, they both (or all 3) can make calls, but only the last one online will receive the incoming call. However I do not turn on more than one phone simultaneously.
It must be nice to have the convenience of cloned SIMs. And the last-one-online incoming calls is correct. Best to keep only one phone switched on :)
The "what happens with two identical SIMs simultaneously on the network" question is a plot point in _Primer_ (2004), arguably the most convoluted time-travel movie ever. Now I know the answer to that, thanks. But I wonder, does the last-one-online rule still apply in the new SIM paradigm? For a network to assume there are no simultaneous duplicate subscribers seems... sloppy.
I am guessing that your calls and the numbers you call are being monitored? And you may not be the only one with clones of the original SIM that you bought in 2003?
Same here. Only issue is 4G not available.
Incredibly interesting, informative and entertaining! Your choice of music was nothing short of genius! Thank you for taking the time to put this together.
Glad you enjoyed :)
Oh I spent so much time back when I was young in the early 2000's playing with SIM cards, phone cards, SIM card emulators.
I've built a serial port scanner, and used it with Dejan Kaljevic's software. Lots of fun. (R.I.P.)
Dejan Kaljevic was the pioneer of phone hacking, and sad that he has passed. It's good to see him being mentioned.
I was privileged to know him quite well. Godspeed, Den's hacking den...
Switching SIMs was how I upgraded, traded and sold a lot of my phones back when flips were cool.
I even knew someone who'd unlock them for a small fee
Now SIMs are useless in modern smartphones and I'm learning how to unlock phones by myself
In this context I'm interested how the eSIM affects this. How does the Ki value get into the eSIM without being able to be intercepted, assuming the owner of the eSIM phone is interested in cloning his Ki value to use on more devices?
BTW 90 00 is not only for sim cards but generally for PCSC smart cards and means "command successful". Error messages start with a 6 in hexadecimal which is not only flipping the digit glyph, but also its bit representation.
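To make the status-word point concrete, here is an added example (my own code, not from the video or any commenter) that splits a raw card response into data and status word and classifies the two status bytes using the ISO 7816-4 codes plus the GSM 11.11 ones a SIM also returns. One caveat it encodes: a leading 6 covers warnings (62/63) as well as errors (64 to 6F), and SIM-specific errors from GSM 11.11 start with 9 (94 xx, 98 xx), so "starts with 6" is a good first cut rather than the whole story. The code table is limited to codes I am sure of; any status word outside it is reported as unknown.

```python
from typing import Tuple

# Status words that match on both bytes (ISO 7816-4 unless marked GSM 11.11).
# Categories: "normal" (command succeeded), "warning", "error".
_EXACT = {
    (0x90, 0x00): ("normal", "command successful"),
    (0x67, 0x00): ("error", "wrong length"),
    (0x69, 0x82): ("error", "security status not satisfied (PIN or ADM key required)"),
    (0x69, 0x83): ("error", "authentication method blocked"),
    (0x69, 0x85): ("error", "conditions of use not satisfied"),
    (0x6A, 0x82): ("error", "file or application not found"),
    (0x6A, 0x86): ("error", "incorrect parameters P1-P2"),
    (0x6D, 0x00): ("error", "instruction code not supported"),
    (0x6E, 0x00): ("error", "class byte not supported"),
    # SIM-specific codes from GSM 11.11: note these errors start with 9, not 6
    (0x94, 0x04): ("error", "GSM 11.11: file ID or pattern not found"),
    (0x98, 0x04): ("error", "GSM 11.11: access condition not fulfilled"),
    (0x98, 0x40): ("error", "GSM 11.11: CHV verification failed, no attempts left (blocked)"),
}


def split_response(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw card response into (response data, two-byte status word)."""
    if len(raw) < 2:
        raise ValueError("a card response always ends with two status bytes")
    return raw[:-2], raw[-2:]


def parse_status_word(sw: bytes) -> dict:
    """Classify SW1 SW2 into ok/category/meaning, plus a length or retry count where SW2 carries one."""
    if len(sw) != 2:
        raise ValueError("status word must be exactly two bytes")
    sw1, sw2 = sw[0], sw[1]
    result = {"sw": f"{sw1:02X} {sw2:02X}", "length": None, "retries": None}
    if (sw1, sw2) in _EXACT:
        cat, meaning = _EXACT[(sw1, sw2)]
    elif sw1 == 0x61:
        cat, meaning = "normal", "more response data available; fetch with GET RESPONSE"
        result["length"] = sw2
    elif sw1 == 0x9F:
        cat, meaning = "normal", "GSM 11.11: response data available; fetch with GET RESPONSE"
        result["length"] = sw2
    elif sw1 == 0x91:
        cat, meaning = "normal", "GSM 11.14: proactive SIM command pending; fetch with FETCH"
        result["length"] = sw2
    elif sw1 == 0x6C:
        cat, meaning = "error", "wrong Le; reissue the command with Le = SW2"
        result["length"] = sw2
    elif sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63 Cx: verification failed, x = remaining retries before the PIN blocks
        cat, meaning = "warning", "verification failed; retries left in the low nibble"
        result["retries"] = sw2 & 0x0F
    elif sw1 in (0x62, 0x63):
        cat, meaning = "warning", "command completed with a warning"
    elif 0x64 <= sw1 <= 0x6F:
        cat, meaning = "error", "execution or checking error"
    else:
        cat, meaning = "unknown", "unrecognised status word"
    result["ok"] = cat == "normal"
    result["category"] = cat
    result["meaning"] = meaning
    return result
```

A response of `01 02 03 90 00` therefore splits into three data bytes and a successful status word, `9F 0C` tells the reader to issue GET RESPONSE for 12 bytes, and `63 C2` means a PIN check failed with two tries left.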
My guess is that an encrypted packet is sent to the eSIM chip, which decrypts it to get the Ki. The specifications exist, but I haven't looked into eSIMs yet.
@@JanusCycle Thank you for the response. But that means that either all eSIMs must have another key that is known to the carrier (chicken and egg problem), or some PKI must be involved that requires someone to sign the keys used, as they would otherwise be prone to man-in-the-middle attacks (introducing a new point of failure)
Thank you, very good points. I have also wondered about eSIM security. Just not had the time to look that deeply yet.
@@mihiguy Diffie-Hellman
@@mkontent Without some kind of authentication scheme, Diffie-Hellman only helps against passive listeners, not against active men in the middle.
In a lot of places, SIM cloning is an insider job that is done by someone inside the phone company who has all the tools to "port" the number to a new SIM. These days it is a compromised human rather than hardware.
What motivation do people have to do it? That seems like a lot of effort to just... have a spare SIM? So there must be some other reason
There are a number of reasons (surveillance is mentioned in the video), but a huge, more nefarious motivator is getting access to MFA security. Assuming you can get a user's account credentials through social engineering or other means, having access to their phone number to receive MFA verification codes can give you access to tons of sensitive information. Government sites, bank accounts, web accounts, corporate resources, etc. Cellphones and their numbers are generally fairly secure; they are a separate, independently secured (sometimes through their own MFA security), physical object that also tends to be very important to the user, so people tend to keep them on hand, and they will be replaced quickly if lost. The best way to get around that security is to either get the sim out of the phone, or use social engineering/bribing (made easier because of the information the criminal has already gathered about the victim) to manipulate an underpaid customer service worker to replace the sim.
@@circuit10 The SIM "cloning" you may see on the news is just someone transferring a cell number to a new SIM; it may be a new SIM or cell company. This is so that someone is able to get an MFA code to allow them into your bank account.
@liampeanut1269 Scam
The phone number is not stored in the SIM.
The phone number is held in the HLR/HSS of the mobile network.
And it is associated with the IMSI number of the SIM card.
And the IMSI numbers are allocated in batches to each mobile network operator.
So if you are trying to clone a SIM and use the SIM to get free phone calls, then you don't need to port a number from another SIM to the cloned SIM.
Access to the mobile network is not granted to the mobile phone based on the mobile number, it's based on the IMSI number which is held in the SIM card and in the HLR/HSS.
Our service provider can give up to 4 sim clones if requested with a small fee. I had 3 sims of the same number all working on different phones with 3G/4G simultaneously. This service started around 2 decades ago.
Most probably those are not clones - just regular SIMs pinned to same number.
What service provider and how would this work? Would all of the phones ring when that number was being called?
@@ANWA143 The service provider is STC in Saudi Arabia. You can send calls and messages from all SIMs but set one SIM for receiving calls, and you can switch the receiving to one SIM at a time if you liked. Worked like a charm.
@@PHANTOmIND8 That's incredibly unsafe; if someone gets your phone number you wouldn't even notice, whereas if someone SIM swaps a normal phone number the real user would lose signal
What a blast from the past. I was playing with this 20-30 years ago and it was really fun. One interesting thing was that first mobile operator in my country didn't use KI authentication for quite some time, and phone numbers were correlating with IMSI numbers, so you would be able to easily guess IMSI number of any phone number and clone it.
what was the correlation?
@@manp1039 The differences between two phone numbers and their IMSI keys were the same :) So, if I wanted to "hijack" phone number 12345 and my phone number was 12300, I would just add 45 to my IMSI number
Wait... Are you THIS DEJAN?!
@@rodak_ You mean the guy who hacked this algo, Kaljević? No, but I knew him. He's no longer alive.
@@grajzer I was referring to the guy who made the "Dejan flasher" for Nokia phones. Was he the same guy?
I managed to accomplish a SIM clone back in the early noughties, and it was only possible to get the Ki on one out of about 10 SIM cards I tried, I think providers had added authentication limits to SIMs at that time (this was all done for legit purposes where we were developing a JavaCard application and no provider would give us a Ki unless we paid thousands and signed NDAs etc, so we DIY'd it in the end)
please my sim is still cloned, what do i do? my ex listens to my calls
@@TeeDwomanGodshowsmercy- Most likely it's not your sim cloned, but there's a spy app on your phone grabbing everything. Big difference.
Back on 1G phones, I was in school at the time, and with some friends we managed to get access to hidden menus in the phone and copied all these random digits into a different phone, and then when we called the number both phones rang! Could only answer one of them though, as the other then stopped ringing. This was back when the call was basically not yet digital; if you went somewhere away from signal the voice started to go fuzzy like a walkie-talkie. Didn't take long for 2G phones and text messages to appear on the scene, at which point everything was digitally encrypted with the SIM.
Nice video. Interesting stuff. Apt music choice @ 4:38 - nice 👍
Would still like the option of having handsets with multiple SIMs, or at least two or more carriers in one SIM, so you can switch carriers for different rates or needs...
That is exactly what I'm typing this on. Dual SIM phones are quite common if you search for them.
I just have a basic knowledge of computer/phone etc. devices, but I watched this video in full; even when the video actually ended at 11:44 I stayed to watch, listening to the song. Kudos, bro!
Sometimes just seeing technology and hearing the descriptions, even when you don't understand it all can help you learn. When learning more things in the future you will remember bits and it will become easier. I'm really glad you enjoyed this. Thank you for watching.
You'd think they would have implemented simple rate limiting at the first sign of brute force attacks. Only allow a key attempt at most once a second.. maybe delayed even more if multiple are requested back to back. For normal use, this delay may never occur/be noticed. But that 40 minute attack might take days, weeks, or months, instead. Also, while I could understand some secret proprietary algorithm decades ago, anything in the past 10 years or so should be using established public key encryption, with SIM cards randomly generating their own private key and only exporting the public one. So nobody could amass everyone's keys, even if they wanted, since they would never be known to start with. Then you'd have to resort to glitching, side channel attacks, or more destructive means to try to get the key.
Even with the new stronger algorithms, including some sort of rate limiting should be easy to include and greatly add to the security. I don't know if they have done this, but your analysis is spot on.
SIM cards don't have real-time clocks so it would be hard to implement rate limiting.
No, but one would have to power off the SIM and then back on, waiting for it to initialize again first. That is much slower than just hammering it constantly. Plus, it might be able to write a counter to persistent storage each time it fails, and then on power-up, it will have to wait a given amount before it will accept another attempt or clear the counter. It only needs to track accumulated run-time to delay.
@@JanusCycle- My assumption for not rate/time limiting is, if there's an unreliable network connection due to weak signal or interference, the requests/responses would need to be resent several times in order to connect. They could have imposed something like 10 non-limited requests per second then a 1 second pause which would slow down hacking attempts significantly. But the best protection is a longer key.
@@ignorance72 Couldn't it be done algorithmically? With an exponentially increasing number of empty loops between each failed attempt?
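The thread above is really a design discussion: a SIM has no real-time clock, so any rate limit has to be measured in card activity, and any counter that should survive a power cycle has to live in non-volatile memory. The following is an added example (my own model, not code from the video, the commenters or any card vendor) of the SIM side of RUN GSM ALGORITHM with both mitigations discussed: a burst allowance of 10 authentications per 100 processed commands (the "10 requests then a pause" idea), and a lifetime counter that hard-stops at 65535 like the 64k limit mentioned on this page. The burst parameters are assumptions chosen for illustration, the `nvm` dict stands in for EEPROM, and the SRES computation is a keyed hash standing in for the real A3 algorithm rather than an implementation of it.

```python
import hashlib
import hmac

SW_OK = b"\x90\x00"            # command successful
SW_NOT_ALLOWED = b"\x69\x85"   # conditions of use not satisfied: burst allowance used up
SW_BLOCKED = b"\x69\x83"       # authentication method blocked: lifetime limit reached


class RateLimitedSim:
    """Model of a SIM that throttles RUN GSM ALGORITHM without a clock (assumed parameters)."""

    BURST_SIZE = 10         # authentications allowed per window
    PAUSE_TICKS = 100       # commands the card must process before a new window opens
    LIFETIME_LIMIT = 65535  # hard stop, mirroring the 64k limit discussed on the page

    def __init__(self, ki: bytes, nvm: dict):
        self._ki = ki
        # nvm stands in for EEPROM: it survives power cycles, the attributes
        # set in power_on() do not.
        self._nvm = nvm
        self._nvm.setdefault("auth_count", 0)   # lifetime authentications
        self._nvm.setdefault("window_used", 0)  # authentications in the current window
        self.power_on()

    def power_on(self) -> None:
        """Card reset: volatile state is lost, persistent counters are kept."""
        self._window_ticks = 0

    def _tick(self) -> None:
        """Count one processed command; reopen the window once enough have passed.

        Because window_used is persistent but window_ticks is not, a power
        cycle does not refill the allowance: the card still has to see
        PAUSE_TICKS commands after reset before it authenticates again.
        """
        self._window_ticks += 1
        if self._window_ticks >= self.PAUSE_TICKS:
            self._window_ticks = 0
            self._nvm["window_used"] = 0

    def other_command(self) -> None:
        """Any non-authentication command (SELECT, READ BINARY, ...) also advances card time."""
        self._tick()

    def run_gsm_algorithm(self, rand: bytes):
        """Return (sres, status_word) for a 16-byte RAND, or an empty sres when refused."""
        if len(rand) != 16:
            raise ValueError("RAND must be 16 bytes")
        if self._nvm["auth_count"] >= self.LIFETIME_LIMIT:
            return b"", SW_BLOCKED
        if self._nvm["window_used"] >= self.BURST_SIZE:
            self._tick()  # a refused command still counts as time passing
            return b"", SW_NOT_ALLOWED
        # Persist the counters before answering, so a power cut cannot skip them.
        self._nvm["auth_count"] += 1
        self._nvm["window_used"] += 1
        self._tick()
        # Stand-in for A3: keyed hash truncated to the 4-byte SRES length (assumption, not COMP128).
        sres = hmac.new(self._ki, rand, hashlib.sha256).digest()[:4]
        return sres, SW_OK


def count_successful_auths(sim: RateLimitedSim, attempts: int) -> int:
    """Send `attempts` distinct RANDs back to back and report how many were answered."""
    answered = 0
    for i in range(attempts):
        _, sw = sim.run_gsm_algorithm(i.to_bytes(16, "big"))
        if sw == SW_OK:
            answered += 1
    return answered
```

With these parameters a reader hammering the card gets 10 answers per 100 commands, a tenfold slowdown that a phone doing one authentication per network challenge never notices, and the persistent window counter means pulling power does not reset the pause. The lifetime counter is the blunt instrument: it ends brute forcing for good, at the cost of the "SIM mysteriously died" outcome another commenter describes.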
What a cool channel. Real gem stumbled upon. The DM lyrics while bruting that poor SIM was hilarious. Subbed.
It's a great song!
Typically, music on most educational / research videos is misplaced and annoying, IMO. You Sir...are the exception. Beautiful and brilliant song and version selection. Perfect application and execution. Thanks for making this video, the content was info I've been curious about for years. Depeche Mode was the cherry on top!
Thank you, music is really important in life, and my videos :)
I was waiting for the moment you described... I WAS DELIGHTED and slightly impressed as well.
Though... the volume in the end track is kind of louder than the rest...
@@JanusCycle what remix is that?
@@JKC40 The Eric Lymon remix
All these new kids with their videos on this topic are nice and dandy, but you're actually going in-depth on some of the history and more practical attacks. Very nice
Thank you
Even if I could clone a modern SIM card somehow, I would very much be cautious to use more than one of them simultaneously. I guess the operators have some algorithm to recognize requests with the same IMSI numbers coming from different cells (from distant locations) at or around the same time, and would block my account, and may even ask me unpleasant questions. Or is the cloning so unlikely that they don't care? Any comments on this?
I have accidentally turned on two modems using the same physical SIM on 4G (the sim slots are connected to the system CPU and then proxied to the modems, it happened due to a software bug). It didn't cause problems but only one of the modems was working, although both claimed to be registered. Probably depends on the network.
BTW: Since both modems were on the same board, they both joined the same cell.
The network operates separately to the billing system
When you make a call, the records that make up your call (CLRs, Call Link Records: think of your mobile call going from cell tower to cell tower, onto say a landline network, to eventually end up at someone's home; all of those hops are CLRs) are aggregated into a CDR (Call Detail Record) that is used for Rating (assigning distance and charging / service components), which is then fed into the Billing engine (for assigning a cost value)
i.e. [CLR + CLR + CLR+ ...] -> CDR -> Rated -> Billed
Back in the 3G and 4G days, it didn't matter how many dual sims were on the network, the system doesn't cross check (how could it, with literally millions of phones on the network, it would be extremely compute intensive. Even 10,000 phones active at once would take 10,000 x 10,000 cross checks)
It was the last sim activated that got the incoming calls, so even though you had multiple sims the last active used to get the incoming traffic
Making calls was different, any copied sim on the network could make calls at any time
Things have most certainly changed since I was involved in the telco space though
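Two things in this thread and in the earlier "the phone number is not stored in the SIM" comment can be shown in a few lines: the network keys everything on the IMSI, with the MSISDN as a lookup attached to that record, and the HLR holds a single "last seen" location per IMSI, which is exactly why the last device to register is the one that receives incoming calls. The following is an added example, my own toy HLR rather than any operator's code, that also shows how a duplicate-SIM check can be done per registration as a single keyed lookup (compare the new cell and time against the one stored record) instead of a pairwise cross-check of every active subscriber. The cell coordinates, the 300 km/h plausibility threshold, the test-network IMSI and the MSISDN are all constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    auc_key_ref: str                      # reference to the AuC's encrypted Ki record, never the Ki itself
    last_cell: Optional[str] = None       # the one location the HLR knows about
    last_update: Optional[float] = None   # seconds on the network's clock (the network does have one)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class HomeLocationRegister:
    """Toy HLR: subscriber records keyed by IMSI, with an MSISDN index for call routing."""

    def __init__(self, cells: Dict[str, Tuple[float, float]], max_speed_kmh: float = 300.0):
        self._cells = cells                 # cell id -> (lat, lon), constructed
        self._by_imsi: Dict[str, Subscriber] = {}
        self._by_msisdn: Dict[str, Subscriber] = {}
        self.max_speed_kmh = max_speed_kmh  # assumed plausibility threshold
        self.alerts = []

    def provision(self, imsi: str, msisdn: str, auc_key_ref: str) -> None:
        sub = Subscriber(imsi, msisdn, auc_key_ref)
        self._by_imsi[imsi] = sub
        self._by_msisdn[msisdn] = sub

    def location_update(self, imsi: str, cell: str, now: float) -> Tuple[bool, Optional[str]]:
        """Register an IMSI at a cell. Returns (accepted, alert); alert is set when the
        move from the previously stored cell implies an implausible speed."""
        sub = self._by_imsi.get(imsi)
        if sub is None:
            return False, None   # IMSI not in our allocation: not our subscriber
        alert = None
        if sub.last_cell is not None and sub.last_cell != cell:
            km = haversine_km(self._cells[sub.last_cell], self._cells[cell])
            hours = (now - sub.last_update) / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > self.max_speed_kmh:
                alert = (f"IMSI {imsi}: {sub.last_cell} -> {cell} is {km:.0f} km in "
                         f"{hours * 60:.1f} min ({speed:.0f} km/h); possible duplicate SIM")
                self.alerts.append(alert)
        # One record per IMSI: the latest registration simply overwrites the previous one.
        sub.last_cell = cell
        sub.last_update = now
        return True, alert

    def route_incoming_call(self, msisdn: str) -> Optional[str]:
        """Incoming calls go to wherever the IMSI behind this number registered last."""
        sub = self._by_msisdn.get(msisdn)
        if sub is None:
            return None
        return sub.last_cell


# Constructed sample data: two cells roughly 713 km apart.
CELLS = {"CELL-SYD": (-33.87, 151.21), "CELL-MEL": (-37.81, 144.96)}


def demo() -> HomeLocationRegister:
    """Two devices with the same IMSI registering ten minutes apart in different cities."""
    hlr = HomeLocationRegister(CELLS)
    hlr.provision("001010123456789", "+61400000001", "KIREF-0001")  # constructed IMSI/MSISDN
    hlr.location_update("001010123456789", "CELL-SYD", now=0)
    hlr.location_update("001010123456789", "CELL-MEL", now=600)
    return hlr
```

In `demo()` the second registration is accepted (the HLR has no way to refuse a correctly authenticated IMSI), the Melbourne cell becomes the call-routing target, and one alert is raised because 713 km in ten minutes is not a phone moving. The same subscriber making the trip over four hours produces no alert. Whether an operator acts on such alerts is a policy question; the point here is that the check costs one lookup per location update, not a comparison across all active phones.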
@@stultuses Thank you for the inside info. It was 15, maybe 20 years ago, I wrote microcontroller code into a Microchip PIC in our remote control device monitoring pump stations. The uC was interfaced to a GSM modem, that we had to buy and maintain subscriptions for about 150 pcs SIM cards. It was expensive, although we used very little data, just a couple of bytes per message, and almost nothing if no errors, so it really felt an overkill having so many full phone subscriptions (the operator had no plan for M2M communication back then). I was then thinking about how we could trick the system with cloned SIMs but lacked both the courage and knowledge for it.
@@stultuses
I could imagine if they wanted to that they could implement some kind of optimized cross-check algorithm to catch duplicate sims, but I can see where it would be mostly a non-issue to correct.
The number of people who can clone a sim is relatively small and mostly limited to people who tend to confound your efforts, anyway - and by virtue of how the network functions, it wouldn't really be a valid way of gaming the system to the user's favor ... again, outside of niche uses.
It's not just cross-checks for activating phones, it's cross-checks for changing towers or some means of rationally managing a phone between nearby towers. In principle, it could be done - but I don't really see it as being a priority investment as it addresses a very niche problem that is only a problem when governments aren't doing it (at least from the network operator's perspective). Further, here in the States, most cell infrastructure is locally or regionally owned/maintained and the network operator leases access to the tower, as I understand it. That adds a whole different layer into authentication strategies. The authentication would have to be baked into the communication standard used by the tower so that any carrier could function.
The only thing I could see being different with 5g is some manner of sub-identifier which would basically turn a sim card into a network gateway and multiple devices could send/receive on the network at the same time. My phone would just ignore the data packets for a different phone.
I could see support for this being put in.... but don't really see the use/advantage as you'd have to effectively route data to two different towers for broadcast... or more. And whatever plan that is would probably be absurdly expensive while having no particular benefit other than potentially reducing the number of authenticated devices on a tower (as the sim allocates and band and packet address the device) .... but you could implement something similar to this without doing cloned sims in congested areas, overlapping devices into a single band and using the band as an old fashioned network bus.
Love the Depeche Mode music when you put the second SIM card in for reading
What was the original sales purpose of the SimMax holding 12 Sims, was it able to be swapped by phones, or did it need an external device to swap between profiles. If it was simple as typing a number command and rebooting, then I could see the purpose if you were trying to make cheap calls from Optus to Optus or Telstra to Telstra or for frequent travellers.
One of the benefits they describe is 'Change mobile phone number without turning off mobile phone'. I'm not sure how it was done, yet.
If I remember correctly there were sim cards which could store multiple sim card profiles/numbers you would read cards you have and then store those into that single "super sim" and on some phones you could cycle through those stored profiles even through menu on phone itself.
@@kerozin520 This could be using SIM Application Toolkit to add menu options to the phone. Another aspect of SIM cards that doesn't seem well known about.
You actually have a "SIM menu" on your phone and there's an item called "change number", provided you have this all-in-one SIM card inserted, so you can select there any of the slots of your 12-in-one SIM. But not all phones support SIM card hot-swap, so most old phones still needed a reboot (power cycle) in order to change SIM card.
@@JanusCycle Yup, that's actually what the "STK" on the card refers to - SIM ToolKit. On phones that supported STK, an extra menu would appear on the phone allowing you to pick a SIM.
You could also use a PIC programmer like the Infinity USB to write SIM-EMU software onto a blank Greencard to create your own SIMMAX-style multisim-in-one card. From memory SIM-EMU worked more reliably than SIMMAX.
Your voice fits perfectly for the topic. An obscure, niche topic in electronic enthusiast community. I remember my dad used to get gold cards from ebay back in the day and programmed them to work as a car wash card. The first time he tried it, the cashier said he had 50k on it. Can’t imagine what went through his mind at that point
I cloned my sim card years ago, I had a stk 8 in 1 sim that could have 8 numbers. I only ever used one and kept the original sim at home. It didn't take long either.
Maybe this is why mobile operators are keen for you to have a new SIM whenever you get a new handset, even if you are retaining the same number with the same provider.
Don't install the sim!!!
There's potentially another way to read out the Ki number from a SIM card: use an e-beam prober to read out the actual flash memory in the SIM card. You need a lot of spare change to buy one, but I'm sure that's not much of a problem for a state-owned spy agency.
On your comment on Wikipedia being updated so quickly, actually virtually anybody can do that, so it was probably one of your regular viewers.
Governments don't work that way usually, mate. Years ago they just mandated that providers, i.e. Telstra etc., provide unfettered access to agencies on request. Meaning at least 15 years ago when I worked for Telstra, they could see everything you did; imagine their capabilities now.
@@Steve211Ucdhihifvshi I think you've misunderstood what I was saying, It wasn't that state level actors do it, only that it is the sort of budget you need. Of course multinationals have more loose change than a lot of governments so clearly they can do it.
So by literally viewing the hexdump of the flash memory? Wouldn't that contain the code that runs on the SIM processor as well that you'd have to disassemble to sort them out from the key and understand how the code retrieves the key? Are the processors used by SIM card documented?
@@EvilSapphireR I would suggest to you that it is all relatively easily achieved by a skilled operator. I once did a hex dump of a microcontroller's Flash and hand disassembled the whole thing (didn't have the disassembler, just the data book), created a flow chart of what it was doing, corrected a bug and then reassembled it all and programmed the device, in 2 weeks. With the proper SW tools it would have been much easier. As to the documentation of the CPU, they all use off-the-shelf cores. Some companies do soft cores in an FPGA but that's not going to happen for a SIM card reader
It's like cracking a WPA WiFi code (trying many codes until matching the exact one), but SIM cards have security built in: at the factory they send a voltage on a pin to burn it; this pin is the one for writing or making changes on the SIM, so it cannot be edited
Absolutely fantastic ending. The music really fits the visuals.
Thank you
This video is a great case study in supply chain exploitation with the points discussed from 9:47 onwards. Kinda like that one XKCD comic about encryption, rather than cracking a Ki, just social engineer and/or drug your way into the manufacturers which is the path of far less resistance.
Your videos get better and better.
How I HATE how SIM cards have changed over the years. Now you gotta register even prepaid SIM cards for "security"? Yeah no, it's got nothing to do with that, as we have seen what it is actually used for over the past 3 years. Then also the push towards eSIM. So now the phones can be hardware vendor-locked and I can not just use whatever phone I want (aside from the other obvious problems).
And the most aggravating thing is trying to get a 2nd SIM officially..... i asked my provider - it is "only" 5€ per month.......and 20€ for the card ..... and 20€ each year for "services" .... and 5€/month extra to be able to use it for anything but phonecalls. They seriously want to charge me more just for a 2nd SIM than it would cost me to get an entire 2nd contract.
Very interesting! I always wanted to know the details of how SIM cards worked. I actually built a SIM card reader when I was younger but it just bricked the SIM cards; it must have been hitting the limit! However, as a teenager everyone at school had a Nokia 5110 (without SIM); you could enter a secret technician menu and change the phone number to a friend's phone number and then receive their text messages and calls! It only worked when you were on the same cell tower and was more of a funny prank, as it diverted calls and messages and their phone would stop working.
You may be referring to the AMPS/TDMA variants of the 5110. AMPS is notorious for being insecure, and that may have been the network standard used on the cellphone provider my dad complained about a few decades ago.
I remember having a TDMA/AMPS Ericsson phone and with some service codes you could even listen to calls from other people.
@@blakegriplingph is your dad a revisionist or hackitivist
That's hilarious, must have seen a lot of sexting from the cheerleader team
Great video! Your voice is very nice, the topic is very interesting (to me lol) and the demonstrations and explanations were really good. Keep up the great work!
"...they just want to listen in if they need to." something tells me that "if they need to" means all the time to misconstruct or find the smallest thing in case you dare to "notice" or do a "wrong think".
The ability to harvest a data stream is considered a digital goldmine these days.
Thank you very much bro, for leaving the subtitles activated for the language in Spanish. Greetings from Colombia. ❤️🩹
Making subtitles is hard work. I'm glad you appreciate them. Thank you for letting me know.
Excellent video, content, narrating, presentation... everything! (And I especially loved that version of "Policy of Truth") Wishing you continued success with your youtube channel! ~ Allen
Thank you Allen. I really enjoy making videos and I'm glad you enjoyed this one.
We used to clone our in-house phones back in the analog days to save on maintaining separate accounts. I'd like to experiment with this for a couple of my phones, but so far I have yet to find a safe, trojan-free version of Woron Scan.
This is where I downloaded from. I use a sacrificial laptop though to keep my main computer safe.
woronscan.narod.ru/
Some years ago, a father and son cloned a SIM card, for whatever reason. They were found out, arrested and jailed. I think there's a way from the NP side to find out this kind of activity, for example by way of phone make and model number or a UUID.
That is exactly what I was thinking. It is not just a SIM that the network has for any device that connects to it. Those people would have had to clone everything on the phone, and there may even be one or more unique chips on each of the phones that the NP can collect data from, in addition to which tower and date and time it connects (presuming this father and son were using prepaid SIM cards where the location they lived and their legal names etc. were not already known by the NP and connected with the SIM account).
Did they get a life sentence for such a horrible crime against humanity?
I remember back in the GSM days people had pay-as-you-go mobile phones that they had literally chipped, and because the credit that was on the account was actually stored on the phone itself, every time they turned the phone off and on again it would reset the balance to show £10 credit. I wonder if you could do a video about this as it always fascinated me.
Just like to point out that just because there is no "known" method to clone a modern SIM card, that doesn't mean certain people don't know how to do it. Just because something isn't widely spread doesn't imply that there's no way to do that thing. I'm sure you can't find any information on copying a government-issued form of ID, but it does happen.
You make a good point, there is a dark web out there.
Great video!
Could you also make a video about how the phone gets the carrier name? It always interested me, because despite some carriers changing their names my new Android phone would report the old name until I changed the SIM card. But when I used a second old SIM card from another carrier my phone displayed the correct up-to-date name... 🤔
This is a good question. I would like to explore SIM cards more. Thanks for that.
Nice video and nice music. I remember ages back reading about how SIM cards were essentially little CPUs rather than things that simply store data, so cloning was impossible. Didn't know there was a way to mathematically brute force what they were doing, but I guess it makes sense. I now see why governments are so upset about encrypted chat programs. Guess they lost their favourite toy.
They are microcontrollers, yes, but they do have memory containing the required executable code and keys, so it's absolutely not impossible to read them out.
If they worked, they would be illegal.
My ex-roommate went to MIT, he's now head of R&D (they don't call it that but I can't remember the exact job title) for Deutsche Telekom/Tmobile here in the U.S. Back in 2014 when we were living together, I watched him clone his own sim card so he could have multiple phones with the same number. This was on Tmobile's 3G/4G network. He definitely found a significant vulnerability and wasn't keen on sharing it with me. And I doubt he's the only one who knows of it. But instead of revealing it, he (and/or they) keep their mouths shut so they don't "fix" it again. He learned his lesson with satellite TV -- they used to hack the cards in order to get free TV. They would then release the new hacked ROM online and eventually the TV company would send out a patch to fix the hole and they'd have to crack it again; rinse repeat. This happened numerous times until the satellite TV company finally did away with that card system all together. If my ex-roommate would have never released those hacked roms on the internet, he would probably still have free satellite TV to this day. He said he'll never forget that lesson.
Interesting, thank you. I wonder if the vulnerability he found was inside the SIM or in the network.
I did this to my card and my wife's card and put them on an ATMEL card.
Worked fine and I was able to select which SIM card I wanted to emulate, simply by the PIN code.
If I turned the phone on and entered 1111 as PIN I would get my own card, if I used 2222 I got my wife's.
Sadly both phone numbers could not be active at the same time though.
Was mainly done as a proof of concept, but I did it with a program just like yours that found the IMSI and KI.
Nice, I'm glad you got this working.
What about R-SIM? That chip goes between the SIM and the phone to bypass carrier locks. It even brings up a new menu on the phone. Tried on an iPhone.
A clever device that intercepts and replaces the network identifier to fool the phone. Something I would like to know more about.
I've done cloning years ago 😀 I'm talking about the year 2006, 2007. Nothing is new in this video for me, Anyway you've got a thumbs-up
Hello to an experienced SIM cloner! I'm glad you enjoyed the video :)
My dad just lost his phone by dropping it into our well. After the incident, he cloned his lost SIM card, but some apps interact weirdly with the new SIM. It had known the SIM has the same number as the old one, but some verifications were not sent to the new card but to the old one.
If he went to get a replacement at the carrier, it's likely not a clone but a new card that the carrier bound to his account.
I remember when I did that back in Russia all my bank and payment apps stopped working because the login code would come in an sms and they weren't sure it was me who made the replacement sim card (there used to be a lot of incidents where carrier employees would illegally reissue sim cards to get into peoples bank accounts)
Since you know so much about SIMs and how they work, please do an episode on eSIM and how to convert between them. My provider charges for eSIMs and it is difficult and costly to swap SIMs between phones.
you said "convert".. did you mean transfer the esim to a new device? if you did mean "convert" convert to what?
I have a clone of my own 4G SIM card. Text messages only arrive at one and phone calls only arrive at one; which one is random.
Actually capturing responses and working out the key is how you can figure out the secret key in WPA2 encrypted wireless networks. All you really need is a computer that can put the wireless card into promiscuous mode and set it up to listen for new device traffic. You can even send a bad packet of data to the network to reboot all the devices and they all have to re-auth back to the WAP thus getting a large number of encrypted packets to process. You then either manually decrypt the password or you can put the encrypted password into a giant list of known passwords and see if the user used one of them.
It only takes like 48 hours or so to decrypt WPA2 encrypted keys, and maybe even less with GPU processing. It's pretty fun to do, just don't use it to try and steal your neighbor's Wi-Fi as that can be illegal in some places.
The time to crack WPA2 is extremely variable depending on hardware and complexity of the password, assuming brute force (or how big the password list is, assuming it even has it). There was a manufacturer of mobile data Wi-Fi pucks who used a default password of 8 random numbers. A laptop with a 1070 GPU could brute force that keyspace in about 4 mins with hashcat.
In my country they are blocking the 3G network. 2G stays because apparently some old infrastructure works on it, and the 2G network has several advantages
GLAD YOU ARE ON OUR SIDE THX
If someone can get your phone and just copy the number and create an identical sim card, can they then listen to conversations between you and another person?
Modern SIM cards cannot be copied. But if it's an old SIM card and they have special radio equipment and lots of time and skills, then yes, they can copy and listen in.
Why am I not surprised that most of the Ki numbers are known by surveillance agencies? This is the reason one doesn’t attempt any crucially private exchanges without decent end-to-end encryption.
Can you tell me the title / remake of this depeche mode policy of truth version. I never heard it before
Eric Lymon remix
Would be interesting to try this in a country where 2G/basic GSM is still alive and well, like Germany. I still know of two pre-2000 prepaid SIMs that are still active and being used, one being my moms (from sometime in '97) and one being mine from my very first own phone I got for christmas '99, which might already be too new...
If you still want to know, one of those cloned cards still works well in Russia, because the original card was lost and that number was only used in an old phone without 4G, so no one bothered to do anything and just used the cloned card. No issues or oddities were noticed for years.
Very interesting information! Thanks.
Best I can tell, the biggest danger is SIM swapping via human engineering: a scammer using what would seem to be, but isn't, hard-to-obtain information about the victim to convince some underpaid and undertrained customer service agent at their mobile carrier that s/he is you, then transfer your number over to the hacker's phone.
Very true!
Very interesting to watch. Funny how the SIMs are compromised over simple e-mails though.
True, I've worked on big, secret M&As (Mergers & Acquisitions) where the utmost care was taken to ensure privacy, since it would affect the price of the companies if word got out, and yet details of the deal were sent in plaintext over email.
@@raylopez99 ב''ה, all securely stored at RIM's data center, right?
@@josephkanowitz6875 Iron Mountain... I do remember that logo a lot. Back in the day before I think Google even did HTTPS on all its transmissions.
This whole channel is magical - more videos on phreaking generally please
It is no secret that the phone network in general was built with very little security in mind, even a WhatsApp call is safer in most circumstances.
The GSM net was intentionally built with sub par security.
Is there a non-criminal use case? For example: I own a phone and a tablet. I purchased a tablet that accepts a phone SIM card specifically because a previous tablet was stolen, and so I need mobile data to track movement and remote lock it. However, paying for a phone and data plan for multiple devices costs more. It's also inconvenient to have multiple different phone numbers when I'd rather just have the one. So, I was thinking: if I clone the SIM card for one device and put the copy in the other, could I use them both? And what would happen? If someone called me, would it ring on both devices, or just one? If someone sent me a text message, would both devices receive it? And would the network detect the same SIM card is active twice and move to block both from functioning?
Assuming, of course, it's even possible to use a sufficiently old SIM card that is vulnerable.
IIRC in those old days, when the second device had been registered by the network, the previous one was forgotten, like you turned it off. The 1st device may eventually find itself forgotten, disagree and re-register again :) Thus you will observe an exciting push-pull fight between two devices for owning the network registration. You can't get two devices working simultaneously, because the network is not designed to do so.
Back in the early 2000s my mobile phone carrier actually advertised this as an option, charging $10 monthly for the second SIM. They claimed both SIMs are able to place calls and send text messages, but only the last active SIM would receive phone calls or messages. So if both devices were switched off, the one that is switched on second would be the device able to receive phone calls. They did the cloning instantly in the store (because they actually had the customer KI, they just loaded that onto another SIM).
Does this apply to eSIM and iSIM as well? Thanks. Great vid!
Those chips are also much more secure.
FYI, as of April 2023 there is 900 MHz GSM still operating in one part of Australia I work at: Christmas Island. Telstra still operates the only mobile phone network there; it's still 2G voice and SMS only, just like the early 90s. The only mobile data service on the island is offered by a small business known as CiFi with their own LTE equipment, and that service is data only. Their connection comes by way of tapping into the Vocus undersea cable from Perth. I was there only last week and can confirm this is still the case. Telstra has accepted millions of dollars of taxpayers' money in order to upgrade their service to 4G, but as usual is moving at a glacial pace. At some stage this remaining 2G outpost will also get switched off.
That is fascinating. It must be easy for Telstra to keep it going with the spare equipment they kept from the old network.
@@JanusCycle astonishingly, they even installed additional 2G equipment last year to increase coverage 😂 I'm no expert and wonder if it is in fact modern stuff that's been dumbed down till the necessary bandwidth is available. Voice quality on the 2G service is below average also, extremely low bit rate and like AM radio quality. When you make a WhatsApp or Optus Wi-Fi call using the CiFi LTE it's like listening to a CD player for the first time in the age of worn-out Type I cassettes.
Zune theme on your xp laptop? Did you ever own a zune or did you just download it because it looked cool?
It looks very cool. I still need to buy a Zune one day :)
@@JanusCycle yeah lol, sadly the Zune service doesn't work anymore so a lot of the functionality is lost, but you can still store music on it!
What was the behavior of the cards? Can the two cards perform a phone call at the same time and even from the same tower?
When you try and make a second call at the same time, the other phone drops the call as the second call starts. That is what people who have tried it say happens.
It was known from the start of the GSM implementations that the SIM crypto algorithm was pretty weak.
But as you said it was kept secret, which in the early 1990s created quite a discussion. Normally in crypto systems the security lies in the secrecy of the key, not in the secrecy of the algorithm. But this was ignored by the GSM standards consortium.
I guess there were two reasons. The first is that they were worried about the SIM chips available being powerful enough. The other reason was probably the governments wanted a back door.
To your assertion about getting the Perso keys of the SIM cards, there the security has been tightened considerably and the Perso Keys issued by the SI vendors are now sent in a classic crypto ceremony in 3 parts, where only the combination of all three parts of the key will result in the correct key. This is used to derive the individual chip keys.
But I guess there may be still different standards used by different vendors.
I'm glad we are getting smarter at having good security. Great info, thanks.
@@JanusCycle The 3 part way is not default for any manufacturer afaik. Where I worked we started forcing encrypted orders in 2019 or so, after which I ordered new cards and destroyed my old ones. But even that handling did not seem to be the default way for the big manufacturers =/
It is known that it was the second reason. The Brits.
Somehow, somebody copied my SIM card back in the year 2000 here in Germany, but not like that. This person had to build an access point, so my phone logged into it, and they must've sniffed all the information they could get. They phoned away on my bill. 200 bucks later, I went to the police, and the provider told me I was in a different city while calling people. Lucky me, I had proof I was working at that time; at least I thought lucky me. O2 refused to refund me, it went to court, I won, but they kicked me out of the contract.
So yeah, somehow it was easier 23 years ago, when no real encryption was implemented in GSM. This video made me remember it. Decades later, we know how you can build your own cell tower, or at least a small version of it. How somebody gets the KI number though with just listening to 1 calculation... maybe somebody made "logged in" phones re-authenticate many times and then... tried the rest?
I know, I was working at my job back then, and not in Berlin, so who knows how that worked back then. Hardware was slow back then, so your method would be taking a long time.
Sounds like those scenes in movies where someone pulls the sim card out of another person's phone while they're in the bathroom, clones it in 30 seconds, and puts it back in their phone before they know what happened, are pretty far-fetched.
There is a scene just like your description in the The Bourne Supremacy. Since it's a movie we can assume Bourne had a backdoor SIM exploit, or some other secret intel we don't know to keep it fun :)
I like how you formally announce "We've reached the end of the video" . Great video, I have no interest in the subject matter, yet, watched the whole thing.
Thanks a lot mate! this was the question I had when I was a child, and I searched a lot for it.. thank you for solving my childhood mystery!
@Liam Peanut your spammer is running an old script xD
What a tune to select, bravo, more! I hope you have a lime mini2 on order for some TACS and LTE fun
I remember the good old times when me and my friends would clone the analog NMT mobile phones. It was ridiculously easy back then, and then you can be any number in the network. In my country for a long time it was not believed that it was possible. There was a classic case where a police chief gave a challenge to replicate his phone number, as he did not believe it was possible. Next month he received in his mobile invoice costs for calls to adult phone services not made by him, and he had to believe it was true.
My SIM's locked every time I turn it off. I know a little but am about to learn more.
I was wondering if this SIM USB adapter is a standard PSCS reader?
Or actually a better question would be if I can use my Phoenix interface as a standard PSCS reader?
I am thinking of buying a Duolabs CAS3 (for some other things), and was wondering if I can also use it like a normal PSCS reader or if I need to buy a separate device for that?
Mine has been cloned already... I worked at a BIG telephone company and you would be surprised how corrupt the employees are!!!!
Money talk.....as you already know .....
Most illegal things are not done by criminals but by government employees.....😂
Wait, if the program asks the SIM card to do a calculation with a number and the key, can't we just divide the result by the number we put in?
Because the calculation is a hash function, it can't be reversed easily. There is not enough information in the result for it to work backwards. Unless the hash function is weak, then you can start trying many combinations and find the key in a reasonable amount of time.
@@JanusCycle oooooooo yea that makes sense
Very well explained, thank you! And nice music btw
Here in Germany, most of the old networks are still available; I use a Nokia from 1998 myself (without GPS).
2G is still available everywhere across Europe. It was something related to contracts mobile operators had with emergency phone numbers IIRC, so we will probably have 2G for at least 10 more years!
So SIM card cloning is dead if I am not a government entity? Good to know, thank you. I had thought of cloning a SIM card to share internet access, but it looks like it's not possible.
Yep, no way to clone a modern SIM
@@JanusCycle well, telecom companies can replace your SIM card in case you lost it, same phone number...
@@orange11squares Not the same, once the SIM is replaced the number is assigned to the new SIM card and the old one becomes useless, I work in a US telecom company
@@ItachIBrolly2 yep this
@@JanusCycle Isn't it viable to read it directly from the chip with a microscope, destroying the original sim in the process, and later cloning it to another 2 sims?
Thank you for sharing this. I was getting spam texts recently and my bank informed me about this very thing, so I now know how they did it. I changed all my details, so I haven't received any since.
Unfortunately there is something called the 'SIM Swap attack', where network employees are duped into swapping your SIM details to another SIM card. Try not to rely on SMS messages for security.
@@JanusCycle Thank you
Very good video, two thumbs up! As a person who cloned SIM cards and made multiple-in-one cards I can tell the video and explanation is 100% accurate. Except the part of spy agencies spying by intercepting the Ki number.
Spy agencies intercepted Ki numbers in emails from card manufacturers sent to networks. Not over the air. Hopefully I made that clear enough in the video.
Can you take SEM photos of the sim card to see what gates are open/closed to get the number?
I don't have enough knowledge myself to be certain. But I remember that Ben from Applied Science channel was viewing active electronic circuits with his scanning electron microscope, so yes!
@@JanusCycle if so it would technically be a weakness in modern chips. You would have to destroy the original chip first though.
Here from Hugh Jeffreys! 👋🏻
Welcome, I hope you enjoy.
Just a short question: when you say that "2G networks have been shut down in your area", where is that? Because AFAIK in Europe the 2G network won't be shut down anytime soon; instead 3G will. In some areas around me there's 2G and 4G signal, but not 3G anymore.
I'm in Australia, 2G was completely shut down in early 2018, 3G service has been greatly reduced :(
I love the use of Depeche Mode.
On the first version there was an exploit message that you could send to someone, and the sender's phone would automatically send you back an error message with the key number.
I would love to find an old SIM card and try this.
Just one more reason to not have a mobile phone. Thanks m8. 🙂
@Liam Peanut 🙂
I can't imagine you'd be able to listen in on calls with a cloned SIM. At best you might receive the odd call, but a cellular network holds registration records for each phone, i.e. what cell site it's currently using etc. There is no facility for "the same" phone to be registered twice and therefore it would have no means to route the call to two phones. I suspect the network would pick up on registration requests from the "same phone" on two different cell sites, especially if they were geographically separated, and just block the number altogether. Even bank card systems detect this. I once refuelled a hired car with my company fuel card in Scotland, caught a plane back to London and tried to refuel my own car 2 hours after previously using the card several hundred miles away, and the system picked it up as potential fraud and blocked my card. I'd be very surprised if the same didn't happen with two phones online at the same time with the same SIM details.
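To picture the registration behaviour described in the comment above, and the push-pull fight between two devices mentioned a few comments earlier, here is an added Python example; it is not code from the video or from any commenter. It models a home register that keeps a single current registration per subscriber identity, so the last phone to register is the one that gets paged, and it adds the kind of velocity ("impossible travel") check the commenter compares to bank card fraud detection: the same identity appearing at two distant cell sites too quickly raises an alert. The IMSI, cell sites, coordinates, timestamps and the 1000 km/h threshold are all constructed for this example and are not taken from any real network.

```python
"""Simulated home register with a last-registration-wins rule and an
impossible-travel check. Everything here is constructed for illustration."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Registration:
    imsi: str      # subscriber identity presented by the phone (constructed)
    cell_id: str   # cell site that accepted the registration
    lat: float     # cell site latitude, decimal degrees
    lon: float     # cell site longitude, decimal degrees
    t: float       # seconds since an arbitrary epoch


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in km."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(a))


class HomeRegister:
    # Hypothetical threshold: faster than this between two cell sites is
    # treated as implausible for one phone and is flagged.
    MAX_KMH = 1000.0

    def __init__(self):
        self.current = {}   # imsi -> the single live Registration
        self.alerts = []    # impossible-travel findings

    def register(self, reg):
        """Accept a registration; the previous one for that IMSI is dropped.
        Returns the displaced Registration, or None if there was none."""
        prev = self.current.get(reg.imsi)
        if prev is not None and reg.cell_id != prev.cell_id:
            dist_km = haversine_km(prev.lat, prev.lon, reg.lat, reg.lon)
            hours = (reg.t - prev.t) / 3600.0
            if hours <= 0 or dist_km / hours > self.MAX_KMH:
                self.alerts.append({
                    "imsi": reg.imsi, "from": prev.cell_id, "to": reg.cell_id,
                    "km": round(dist_km), "seconds": reg.t - prev.t,
                })
        self.current[reg.imsi] = reg   # last registration wins
        return prev

    def route_paging(self, imsi):
        """Which cell site would an incoming call be paged to? One at most."""
        reg = self.current.get(imsi)
        return reg.cell_id if reg else None


# Two constructed cell sites roughly 530 km apart.
CELL_A = ("CELL-A", 55.95, -3.19)   # Edinburgh area
CELL_B = ("CELL-B", 51.51, -0.13)   # London area


def run_demo():
    """Two phones presenting one identity alternate registrations every ten
    minutes (the push-pull fight); a second identity travels the same route
    over five hours and is not flagged."""
    hlr = HomeRegister()
    clone_imsi = "001010000000001"   # constructed test-range IMSI
    honest_imsi = "001010000000002"
    for i, (cell, lat, lon) in enumerate([CELL_A, CELL_B, CELL_A, CELL_B]):
        hlr.register(Registration(clone_imsi, cell, lat, lon, 600.0 * i))
    hlr.register(Registration(honest_imsi, *CELL_A, 0.0))
    hlr.register(Registration(honest_imsi, *CELL_B, 5 * 3600.0))
    return hlr


if __name__ == "__main__":
    demo = run_demo()
    print("paged at:", demo.route_paging("001010000000001"))
    for alert in demo.alerts:
        print("impossible travel:", alert)
```

The model only illustrates the two points made in the thread: one live registration per identity, so only the most recently registered phone is reachable, and a distance-over-time rule that a network could apply to spot one identity in two places at once. A real operator's detection logic is not described on this page.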
Exactly. Why would they bother with ancient tech like SIM cards, when they have access to the data and voice feed at a service provider level? China has access at a device level. But 15 years ago SIM cards were outdated.
@@Steve211Ucdhihifvshi That's such a turn-on.
Jokes on them, no one can listen in on my phone calls because I don't make any XD
Google does have front-row seats to my internet browsing habits though, as I subscribe to the whole Google ecosystem lol.
It may be possible using more sophisticated techniques and implementing a spectrum analyzer and an oscilloscope to view the waveform produced by the SIM card and find some way to replicate that in another card.
the waveform produced by the sim card? lol. Perhaps use a super undulating dipole converting overclocked cpu to encapsulate the intangible profanation of the sim.
@@davidbanksAu now you're getting it. just watch out for sinusoidal deplenation.
@@therationalanarchist I'll be careful, thanks for the heads up
Ah such nostalgia...
Hmmm. I now saw you on a Janus video
I wonder if you could use a device in between the card and phone to act as a relay for the authentication? You'd never need the key because you'd just be getting the actual card to do the work for you.
Yes, these exist. They bypass the phone's network lock by telling the phone the network it expects to be on. But when it comes to authentication they relay the request to the SIM and get the result.