There's a lot of inaccurate information going around about the topic of SIM card cloning. Even here on YouTube there are a number of videos that don't give completely accurate information. I also found this mention on Wikipedia, on the page about phone cloning, and the section about SIM card cloning is actually kind of wrong.

By SIM card cloning I mean copying a SIM, so that you then have a second SIM card that can also make and receive calls and text messages using exactly the same phone number as the original SIM card. In theory you would also be able to use that to listen in on and decrypt phone calls made using the original SIM card. To demonstrate how it was once possible, I'm going to show in this video exactly how it was done.

To do this I'm going to use this SIM card to USB adaptor. These adapters are very cheap and easy to find. And I'm going to be attempting to copy this very old 2G SIM card. To copy a SIM card you need to read two numbers out of the card. The first number is the IMSI, or International Mobile Subscriber Identity number.
This number is actually really easy to get. In fact, with most Android phones, if you download a SIM card app, it will simply show you this number. But to copy a SIM you need one other number from the card, and this is the Ki, or Key number. I've also got my Windows XP laptop here, but the software I'm using should be able to run on just about any modern version of Windows.
The software I'm using is called Woron Scan, a neat little program that enables me to talk to a SIM card using very low level commands. I'm now going to use the Key extraction function of this software, and I'm going to have to leave this running for quite a while. That's because it's not possible to read the Key number directly; it's the job of a SIM card to keep this number secret at all times.

The Key number is really important, because it's how your carrier authenticates your phone on the network. It does this by picking a random number and then doing a calculation with your Key number, which the network also knows and keeps secret. Then it sends this random number to your phone. Your phone then asks the SIM card to do the same calculation using your secret Key number, and gets a result. If the result from your SIM card and the result that the network itself calculated match, then the phone call or message has been authenticated, and the network sets up the communication.

Then in 1998, cryptographic researchers, by examining the GSM standards, were able to work out how the calculation was being done. But to copy a SIM card you would still need to know what the Key number is. The researchers found that the algorithm also had some flaws: if you collect enough responses, then you can eventually work out what the Key number is.
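The challenge-response just described, run end to end as an added example (this is not the video's software, Woron Scan, or any carrier's code). The network picks a random number (RAND), the SIM computes a result from RAND and its secret Ki, and the network compares that result with its own calculation. The SIM's calculation here is an assumed stand-in (HMAC-SHA256) with the same interface as the real A3/A8 algorithm, not COMP128 itself; the real RUN GSM ALGORITHM response body is 12 bytes, a 4-byte SRES followed by an 8-byte Kc, and the '90 00' status word used later in the video is modelled as-is. The IMSI, Ki and RAND values are constructed, the authentication counter is an assumed model of the "A3 limit" style protection mentioned later, and the 69 83 status word ("authentication method blocked" in ISO 7816) is the assumed response once that counter is exhausted. The same code also performs the clone check the video does at the end: feed one RAND to two cards and compare the responses.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# ASSUMPTION: a stand-in for the SIM's A3/A8 calculation (COMP128 in the
# video). This is NOT COMP128; it is HMAC-SHA256 truncated to the same shape:
# 16-byte Ki and 16-byte RAND in, 4-byte SRES and 8-byte Kc out.
def a3a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 16 bytes")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # (SRES, Kc)


class SimCard:
    """Models the SIM: keeps Ki private and only ever answers RUN GSM ALGORITHM."""

    def __init__(self, imsi: str, ki: bytes, auth_limit: int = 65_000):
        self.imsi = imsi
        self._ki = ki                  # never exported; only used inside the card
        self.auth_count = 0
        self.auth_limit = auth_limit   # ASSUMPTION: models an "A3 limit" style counter

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        """Return the 12-byte SRES||Kc body followed by a 2-byte status word."""
        if self.auth_count >= self.auth_limit:
            return b"\x69\x83"         # ISO 7816 "authentication method blocked"
        self.auth_count += 1
        sres, kc = a3a8_stand_in(self._ki, rand)
        return sres + kc + b"\x90\x00"  # '90 00' = end of response, as in the video


def parse_run_gsm_response(resp: bytes) -> Tuple[bytes, bytes]:
    """Split a RUN GSM ALGORITHM response into (SRES, Kc); require status 90 00."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        raise RuntimeError("card returned status %s" % resp[-2:].hex())
    body = resp[:-2]
    if len(body) != 12:
        raise RuntimeError("expected 12-byte body, got %d" % len(body))
    return body[:4], body[4:]


class Network:
    """The carrier side: holds the same Ki per IMSI and checks the SIM's SRES."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self._subscribers = subscribers

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, imsi: str, rand: bytes, sres_from_phone: bytes) -> bool:
        ki = self._subscribers.get(imsi)
        if ki is None:
            return False
        expected_sres, _kc = a3a8_stand_in(ki, rand)
        return hmac.compare_digest(expected_sres, sres_from_phone)


def phone_attach(network: Network, sim: SimCard, rand: Optional[bytes] = None) -> bool:
    """One round: network sends RAND, the phone relays it to the SIM, the SIM
    answers with SRES, and the network compares with its own calculation."""
    rand = rand if rand is not None else network.new_challenge()
    sres, _kc = parse_run_gsm_response(sim.run_gsm_algorithm(rand))
    return network.authenticate(sim.imsi, rand, sres)


def responses_match(sim_a: SimCard, sim_b: SimCard, rand: bytes) -> bool:
    """The clone check from the video: same RAND into both cards, compare the
    full responses. Identical output means identical Ki behaviour."""
    return sim_a.run_gsm_algorithm(rand) == sim_b.run_gsm_algorithm(rand)


# Constructed sample data (not real subscriber values).
SAMPLE_IMSI = "505010123456789"
SAMPLE_KI = bytes(range(16))                  # constructed 16-byte Ki
SAMPLE_RAND = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> Dict[str, bool]:
    network = Network({SAMPLE_IMSI: SAMPLE_KI})
    original = SimCard(SAMPLE_IMSI, SAMPLE_KI)
    clone = SimCard(SAMPLE_IMSI, SAMPLE_KI)        # same IMSI and Ki written to a blank
    stranger = SimCard(SAMPLE_IMSI, bytes(16))     # right IMSI, wrong Ki
    return {
        "original_authenticates": phone_attach(network, original),
        "clone_authenticates": phone_attach(network, clone),
        "wrong_ki_authenticates": phone_attach(network, stranger),
        "clone_matches_original": responses_match(original, clone, SAMPLE_RAND),
        "stranger_matches_original": responses_match(original, stranger, SAMPLE_RAND),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point to notice is that Ki never leaves either the card or the carrier's database; only RAND and the short SRES cross the air interface, which is why the network side can stay confident unless the calculation itself leaks Ki through its responses, as the 1998 findings showed for COMP128.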
And that's what's happening here. This software is asking the SIM card to run the authentication over and over again, thousands of times. This poor SIM card normally does at most a few dozen of these per day, but today it's being hammered. And then suddenly it seems to have stopped.
Everything seems to have locked up at 5849 calculations. I've tried starting the process again, and it seems this SIM card is now dead. It obviously couldn't take the heat, and I seem to have killed it.

I've had a look through some of the other SIM cards I've got, and I found this Optus SIM that looks fairly old. I think this is a good candidate to try this process again. The first thing I've noticed about this Optus SIM compared to the Telstra SIM is that the authentication rate seems to be running a lot slower, which means it's going to take a lot longer to get enough responses to work out the Key number. But it's also a good sign that this should actually be an older SIM card. I'll let this run and see if it can get the Ki number for this SIM card. If this is an older SIM card, then eventually we will get the Key number.

When this calculation was originally designed, it was kept secret, and not many people had seen how it works, so there weren't enough people to spot the flaws. When the algorithm eventually became known to many, people started to see the flaws in the calculation, and the part that was meant to be secret, the Key number, was compromised.

OK, that took about 40 minutes or so, but after 16616 calculations the Key number has been found. Combined with the IMSI, that means I can now clone this SIM card. In the previous video I made a dummy SIM card that ran entirely emulated on a computer. If I now input the IMSI and the Key number into that software, I can emulate the SIM card and do everything the original SIM card can do. But for this video I want to make a real copy of this SIM card, which means getting a blank SIM card and writing a copy of the original into it.

I have here a SIM Max card by STK. It comes with a couple of software programs. One is the SIM editor program, and this is just a basic editor that can edit phone numbers and text messages that are stored on the SIM card. The other program this comes with is the SIM Scanner software, and this will do the same thing as Woron Scan: it will scan a SIM card and get the IMSI and the Ki. But it will also give the option of writing that to the SIM Max, making a full clone. Now unfortunately I can't just enter the Ki into this software and write to the SIM Max directly, because it doesn't give me that option. So I'm going to run the recalculation process all over again on this poor SIM card. This software has a couple of different options.
One is the A3 limit option, where you can set the maximum number of authentications on the SIM card to below 65 000. There's also an option for a strong Ki number. These appear to be options to deal with early attempts to thwart cloning. Some SIM cards were designed to stop working when you did more than 65 000 calculations, and strong Ki may have been an attempt to pick strong Key numbers that were hard to crack.

And then finally, after 29207 calculations, this software has got the Key number. This took almost twice as long as Woron Scan; Woron Scan probably uses a more efficient way of working out what the Key number is. But it's done now, and I have everything I need to make a copy of the SIM.

Replacing the Optus SIM with the SIM Max card, I can now go to the write SIM option. This particular SIM Max card has the option to hold the profiles of 12 different SIM cards and their Key numbers, but I'm only wanting to copy one SIM, so I'll write the profile into the first slot. I now have a cloned SIM card: two exact copies of the same SIM.

Now I'm not going to be able to test these on a network, because the 2G networks around here all shut down years ago. But I still want to be certain that I have an exact copy of this SIM card. So I'm switching back to Woron Scan.
It has an option to test the authentication using the Run GSM Algorithm command. With this command I'll also have to send the random number to be used in the calculation. This is an extra 16 bytes, and then I get the 12 byte response, plus '90 00' at the end, which is SIM card speak for end of response. With that done, I'm now going to run the exact same calculation on the clone SIM card, which means entering the exact same random number all over again and then getting the response. I can see I've got an exact match with the first SIM card. I've now confirmed that I've got a cloned SIM card.

So what stops this happening today with modern SIM cards? Well, these flaws were originally exposed in 1998 in the COMP128 algorithm, and in response new algorithms were developed: COMP128 version 2 and COMP128 version 3. Both of these algorithms have been pretty well known for the past 20 years, and in that time no one has found any flaws to reverse the process and work out what the Key numbers are inside SIM cards. That means it's no longer possible to clone a SIM card, unless you can find another way to get your Key number.

Now there are a couple of other places that your Key number is stored. One of course is your network provider. But the other place you can get Key numbers from is the SIM card manufacturers themselves. And it turns out the security of SIM card manufacturers is fairly lax compared to network providers. For example, when a network provider orders, say, 500 000 SIM cards, the card manufacturer will just email them the Key numbers for all those cards, in plain text, unencrypted and easy to intercept. And we know this because that's exactly how many government security agencies get access to Key numbers. Security agencies have for years been hacking into card manufacturers to gather up all the Key numbers that they can. At this point they pretty much know everyone's Key numbers from every SIM card in the world, and that's billions of Key numbers. So you can be pretty certain they've got your Key number. But they're not interested in cloning your SIM card; they just want to listen in if they need to. That's the truth about SIM card cloning.

Oh yeah, that Wikipedia article that got it all wrong. The first paragraph talks about putting a device between the SIM card and the phone to capture the responses of the calculation. Unfortunately, as I've demonstrated here, you need tens of thousands of responses to work out the Key number, and there's no way you're going to be able to get enough just by capturing everything between the phone and the SIM card. And the second paragraph talks about an adaptor that's actually not related to SIM card cloning, and not a relevant piece of information in this article. I'm sure this article will get updated soon, so if you're watching this video in the future that may have changed. And that's really it for now.
We've reached the end of the video. I hope you've enjoyed this. It's been a lot of fun looking at all of this. I'd like to thank my patrons who continue to support, and everyone who watches and likes and shares and comments. Thank you, you're really helping this channel to continue. Thanks for watching and I'll see you next time.