
Phone Cloning - diablo1
https://en.wikipedia.org/wiki/SIM_cloning
======
jfim
This is completely wrong, and in multiple ways.

For example:

> There are various methods used to obtain the IMEI. The most common methods
> are to hack into the cellular company, or to eavesdrop on the cellular
> network.

Or on Android, go in settings, about phone, and tap MEID. There should be an
equivalent on iPhone. The MEID and IMEI are not secret at all. They just
identify that particular phone.

The part that one would want to clone is the subscriber part anyway, not the
equipment ID.

> A GSM SIM card is copied by removing the SIM card and placing a device
> between the handset and the SIM card and allowing it to operate for a few
> minutes and extracting the Ki, or secret code.[citation needed] This is
> normally done with handsets that have the option of an "extended battery" by
> placing the normal size battery in the handset and the Ki in the now vacant
> extra space. This is done by allowing the device to log the interaction
> between the mobile telephone switching office and the handset.

The Ki is just a cryptographic key (not a physical thing as the article would
imply by it needing "vacant empty space"), and is not exposed on the wire
protocol between the handset and the SIM card. The handset forwards
cryptographic challenges from the mobile network to the SIM card, and the SIM
card answers with the correct answer to the handset, which then replies to the
network.
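
The challenge-response jfim describes, as an added example that is not code from the original thread: a toy model of the GSM authentication exchange in which the network issues RAND, the handset relays it to the SIM, the SIM computes SRES (and Kc) from Ki, and the handset passes SRES back. The SIM's real A3/A8 algorithms are replaced here by HMAC-SHA256 as a labelled stand-in, and the IMSI and Ki are constructed test values; the point is what crosses the handset-SIM interface, not the cipher. It also shows why a logger wedged between handset and SIM gets you nowhere: replaying the recorded SRES fails against a fresh RAND, while a clone that actually holds Ki passes.

```python
import hashlib
import hmac
import os

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8   # GSM sizes: 128-bit RAND, 32-bit SRES, 64-bit Kc


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 algorithms (assumption: HMAC-SHA256, not COMP128/MILENAGE)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """The SIM: Ki stays inside; the only operation exposed is RUN GSM ALGORITHM."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class Handset:
    """Relays RAND to the SIM and SRES to the network, recording every byte string
    that crosses the handset-SIM interface (what a logger wedged between them sees)."""

    def __init__(self, sim: Sim) -> None:
        self.sim = sim
        self.sim_interface_log: list[bytes] = []

    def authenticate(self, rand: bytes) -> bytes:
        self.sim_interface_log.append(rand)            # command APDU payload
        sres, kc = self.sim.run_gsm_algorithm(rand)
        self.sim_interface_log.extend([sres, kc])      # response APDU payload
        return sres


class Network:
    """AuC/HLR side: holds its own copy of Ki per IMSI, issues fresh RANDs, checks SRES."""

    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self.subscribers = subscribers

    def challenge(self) -> bytes:
        return os.urandom(RAND_LEN)

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self.subscribers.get(imsi)
        if ki is None:
            return False
        expected, _ = a3_a8(ki, rand)
        return hmac.compare_digest(expected, sres)


def run_exchange() -> dict[str, bool]:
    """One legitimate authentication, then two 'clones' built from different material."""
    ki = os.urandom(16)                                # constructed subscriber key
    imsi = "001010123456789"                           # constructed test IMSI
    network = Network({imsi: ki})
    handset = Handset(Sim(imsi, ki))

    # 1. Legitimate handset: network -> RAND -> handset -> SIM -> SRES -> handset -> network
    rand = network.challenge()
    sres = handset.authenticate(rand)
    legit_auth = network.verify(imsi, rand, sres)

    # 2. Did Ki ever cross the handset-SIM interface? Only RAND, SRES and Kc did.
    ki_in_log = any(ki in blob for blob in handset.sim_interface_log)

    # 3. Clone that only has the logged RAND/SRES pair: a fresh challenge defeats it.
    rand2 = network.challenge()
    while rand2 == rand:
        rand2 = network.challenge()
    replay_clone_auth = network.verify(imsi, rand2, sres)

    # 4. Clone that actually holds Ki (extracted from the card itself): indistinguishable from the real SIM.
    clone = Handset(Sim(imsi, ki))
    rand3 = network.challenge()
    ki_clone_auth = network.verify(imsi, rand3, clone.authenticate(rand3))

    return {
        "legit_auth": legit_auth,
        "ki_in_log": ki_in_log,
        "replay_clone_auth": replay_clone_auth,
        "ki_clone_auth": ki_clone_auth,
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {ok}")
```

Running it prints legit_auth and ki_clone_auth as True and ki_in_log and replay_clone_auth as False: the interposer learns challenge/response pairs but never the key, so the "extended battery" logger in the quoted passage would have to break the SIM's algorithm, not just watch it.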

~~~
tuyiown
Yes, I took it like it mentioned ways to clone the phone without physical
access to the device

~~~
jfim
Even then, it doesn't make sense to do that. Three-letter agencies can just go
ask the phone company for a wiretap.

Cloning the equipment ID is also useless on its own, you'd want to clone the
subscriber identification, which is the part that says to the network that
you're the device for this subscriber. It's how moving a SIM card to a new
phone makes the new one ring and the old phone stay silent when calling the
number associated with it.

~~~
Lammy
Equipment ID and subscriber information used to be the same thing in the far
past:
[http://web.textfiles.com/phreak/cell.txt](http://web.textfiles.com/phreak/cell.txt)

People cloned phones to make free calls, not receive them — like a '90s/2000s
version of blueboxing: [https://www.pressherald.com/2010/04/19/woman-finds-cell-phon...](https://www.pressherald.com/2010/04/19/woman-finds-cell-phone-bill-inf-lated-by-cloning-calls_2010-04-19/)

------
cuonic
Interesting, I was unaware of the fact that every mobile device has a unique
radio fingerprint [0]

[0]
[https://en.wikipedia.org/wiki/Radio_fingerprinting](https://en.wikipedia.org/wiki/Radio_fingerprinting)

~~~
etaioinshrdlu
I've got to say, to me it seems rather ... unlikely that this is used on a wide
scale. The differences in mass-produced hardware must fall within a fairly
small distribution, and they only mention rise time as a measurable variable.
Taking into account other variations like temperature and device aging, I
have a hard time believing that these fingerprints are highly unique or stable
over time.

In addition it seems unlikely that your average receiver hardware could even
pick up such details. These are super low-level details observable only at the
lowest level of the radio stack.

There's also no sources cited that this is used on a wide scale. To me, I
would put this in the bucket of hypotheticals (like the power company stealing
your data from your PC based on voltage fluctuations from your laptop).
Perhaps barely physically possible, but not really worthwhile.

(unless of course the fingerprints are put there intentionally and secretly...
like the yellow dots from printers)

~~~
tuyiown
I know nothing of radio communication, but having slight variations on some
part of network negotiation might limit conflict between devices. The same
way you would add some randomization on broadcast responses on networking, or
auto-reconnect, but at a low level, in hardware manufacturing. This could be an
easy-to-track, recognizable signature with standard antenna hardware.

------
mindslight
Back in the first-gen CDMA days, I copied the ESN from my phone to a second
phone of an identical model (a friend was upgrading his). I tried calling the
number when they were both on and next to each other, and they both rang.
Answering both allowed me to hear audio in both phones for a short time, until
something got out of sync and the call would end.

Leaving one off, the other would work normally. It was a great way to have a
backup phone when cell plans used to cost $70/mo and phones were locked to
carrier accounts.

------
steveharman
Back in the day I found a guy who cloned the identity of my _analogue_
portable cell phone with my in-car cell phone so they both behaved as the same
number. When one rang, they both rang.

In theory, when I answered a call on one, the network would be signalled to say
I'd picked up and it would stop telling the other to ring, but once in a
while the other phone would keep on ringing.

iirc phone cloning may have been illegal here in the UK at the time...

~~~
ShamelessC
That's interesting. Slightly off topic, but this seems to reveal a small error
in the movie Primer.

The two main characters travel back in time one day to use their knowledge of
the stock market to make money on some good trades. Their doubles are of
course also in the past, so they make efforts to avoid them at all costs so
that they don't interfere with causality.

One of the characters mistakenly brings his cellphone with him back in time.
When his wife calls, they assume that since his phone is ringing, the
double's phone couldn't be ringing, so he decides to answer it and pretend to
be at work as his double is.

In reality it seems both phones would have rung?

------
blendergeek
"This section does not cite any sources"

------
the_pwner224
Around 7 years ago I had a Galaxy S2 on Sprint (CDMA) and home internet via
ClearWire. Sprint and Clear both used the same WiMax network (same cell
towers) for '4G.' My phone was rooted so I could mess around with some
normally locked settings, and at some point phone service for my S2 was
cancelled.

One day I changed the APNs (which virtual network the phone connects to via
its radio) from the default Sprint ones to the Clear ones, and also changed
the MAC address (might not be the exact term, but WiMax 4G was basically long-
range WiFi and so the device had a sort of MAC address). Even though my
phone's service had been cancelled, I was able to use internet from the
Clearwire plan. Of course no phone calls / text messages.

It worked as long as I was at home - I think they both connected to the same
cell tower and so couldn't be distinguished.

~~~
1996
I think you still had the same IMEI

The sim card allows you to connect to the same physical cellular network.

The APN gave you access to a virtual network inside this physical network
where they didn't check you had the right to use it.

