Complete phone cloning
October 24, 2012 8:27 PM Subscribe
Hypothetically, what are the practical results of completely cloning a GSM phone-- not just the SIM card, but also the radio fingerprint and any other method used to differentiate two mobile devices?
E.g., assuming that my friend across town and I have two phones that are indistinguishable by the carrier, what happens when someone dials the number? Or when both of us try to access the internet at the same time? When someone texts the number? Etc.
Best answer: Cloning was a huge problem in the original, analog cellular networks and GSM was specifically designed to prevent it.
There are basically two items unique to every GSM phone: the IMSI, which is stored on the SIM card and which is unique for each subscriber, and the IMEI or International Mobile Equipment Identity, which is personal to each physical device. (3G phones would also have a unique MAC Address.)
During GSM authentication, the handset transmits both the IMSI and IMEI to the network. The IMSI is checked to see if the subscriber is active and the IMEI is checked to see if the equipment is not black-listed (i.e., stolen). A successful check of both returns the TMSI to the phone, which is then used to identify a GSM device in all subsequent communications with the network. Only one IMSI/IMEI pair can be registered in the HLR. If one device was already registered in the HLR and a second device tried to authenticate (which is what an identical GSM phone would do), the second authentication attempt would be rejected by the HLR, no TMSI would be assigned and the device would be effectively locked out.
Because GSM uses asymmetric encryption keys, it is basically impossible for a second device - even if it was otherwise identical and knew the TMSI - to bypass authentication and attempt to communicate with the network.
posted by three blind mice at 2:15 AM on October 25, 2012
To get some feel how all this IMSI, TMSI etc works in practice, check out this demonstration of an IMSI-catcher.
posted by DreamerFi at 5:05 PM on October 25, 2012
three blind mice: "Only one IMSI/IMEI pair can be registered in the HLR. If one device was already registered in the HLR and a second device tried to authenticate (which is what an identical GSM phone would do) the second authentication attempt would be rejected by the HLR, no TMSI would be assigned and the device would be effectively locked out."
I don't think that's entirely true. Pull your phone's battery and it won't unregister itself as it would when it shuts down normally. You can test this by calling it: if you turn it off, it immediately goes to voicemail, while if you just pull the battery the network won't realize it's gone away and so it will ring for a while before hitting the forward-on-no-answer timeout.
If you then put the battery back in and boot the phone before the HLR entry times out, it'll register on the network just fine.
posted by wierdo at 6:29 PM on October 25, 2012
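As an added example (not code from the thread or from any carrier), here is a toy model of the two things the answers above argue about: the challenge-response authentication that gates registration, and the attach/detach state the network keeps for an IMSI. GSM authentication is symmetric: the SIM and the operator's AuC share a secret Ki, the network sends a random RAND, the SIM answers with SRES computed by A3, and A8 derives the session key Kc. The model makes three assumptions that are not facts from the thread: HMAC-SHA256 stands in for the operator-specific A3/A8, the VLR keeps one record per IMSI and the most recent successful attach replaces the earlier one, and the implicit-detach timer is a made-up 3600 seconds. The IMSI, IMEI and Ki values are constructed for the example. It shows that a second handset with the right IMSI, IMEI and even the current TMSI but the wrong Ki cannot register, that a true clone (Ki included) registers and takes over the record, and why a battery pull keeps incoming calls ringing until the timer expires while an orderly power-off goes straight to voicemail.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed timer value; real periodic-location-update timers are operator-set.
IMPLICIT_DETACH_SECONDS = 3600


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Derive SRES (32 bits) and Kc (64 bits) from Ki and RAND.
    HMAC-SHA256 is a stand-in for the operator-specific A3/A8 (assumption)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds the IMSI and the secret Ki; answers challenges, never exports Ki."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        sres, _kc = a3_a8(self._ki, rand)
        return sres


class Handset:
    def __init__(self, imei: str, sim: Sim):
        self.imei = imei
        self.sim = sim
        self.tmsi: Optional[str] = None  # assigned by the network after attach


class Network:
    """HLR/AuC (subscriber secrets), EIR (IMEI blacklist) and VLR (attach state)."""
    def __init__(self, clock):
        self.clock = clock              # injectable clock so the timer is testable
        self.auc = {}                   # IMSI -> Ki
        self.eir_blacklist = set()      # IMEIs reported stolen
        self.vlr = {}                   # IMSI -> attach record
        self._next_tmsi = 0x1000

    def provision(self, imsi: str, ki: bytes) -> None:
        self.auc[imsi] = ki

    def attach(self, handset: Handset) -> Optional[str]:
        """Location update: authenticate, then record the attach and issue a TMSI."""
        imsi = handset.sim.imsi
        if imsi not in self.auc or handset.imei in self.eir_blacklist:
            return None
        rand = os.urandom(16)
        expected_sres, _kc = a3_a8(self.auc[imsi], rand)
        if not hmac.compare_digest(handset.sim.respond(rand), expected_sres):
            return None  # wrong Ki: IMSI, IMEI and an old TMSI do not help
        tmsi = f"{self._next_tmsi:08x}"
        self._next_tmsi += 1
        # Model assumption: latest successful attach replaces the VLR record.
        self.vlr[imsi] = {"tmsi": tmsi, "imei": handset.imei,
                          "attached": True, "last_seen": self.clock()}
        handset.tmsi = tmsi
        return tmsi

    def imsi_detach(self, handset: Handset) -> None:
        """Orderly power-off: the handset tells the network it is leaving."""
        rec = self.vlr.get(handset.sim.imsi)
        if rec and rec["tmsi"] == handset.tmsi:
            rec["attached"] = False

    def incoming_call(self, imsi: str) -> str:
        """'voicemail' if nobody is attached, else 'page' (rings until no-answer timeout)."""
        rec = self.vlr.get(imsi)
        if rec is None or not rec["attached"]:
            return "voicemail"
        if self.clock() - rec["last_seen"] > IMPLICIT_DETACH_SECONDS:
            rec["attached"] = False  # implicit detach: no periodic update arrived
            return "voicemail"
        return "page"


def run_scenario() -> dict:
    now = [0.0]
    net = Network(clock=lambda: now[0])
    imsi = "262011234567890"                                   # constructed
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed
    net.provision(imsi, ki)
    me = Handset("352000010000012", Sim(imsi, ki))
    out = {"first_attach": net.attach(me) is not None}
    out["call_when_attached"] = net.incoming_call(imsi)
    # Impostor: right IMSI, IMEI and even my current TMSI, but a guessed Ki.
    impostor = Handset(me.imei, Sim(imsi, b"\x00" * 16))
    impostor.tmsi = me.tmsi
    out["impostor_attach"] = net.attach(impostor)
    # True clone, Ki included: authenticates and takes over the VLR record.
    clone = Handset(me.imei, Sim(imsi, ki))
    out["clone_attach"] = net.attach(clone) is not None
    out["record_belongs_to_clone"] = net.vlr[imsi]["tmsi"] == clone.tmsi
    now[0] += 600                      # battery pulled on the clone: no detach sent
    out["call_after_battery_pull"] = net.incoming_call(imsi)
    now[0] += IMPLICIT_DETACH_SECONDS  # timer expires without a location update
    out["call_after_timeout"] = net.incoming_call(imsi)
    net.attach(me)                     # re-register, then power off cleanly
    net.imsi_detach(me)
    out["call_after_detach"] = net.incoming_call(imsi)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The interesting line is the `compare_digest` check in `attach`: nothing the network ever sends over the air (RAND, the TMSI, the IMEI) is enough to produce SRES, so "knowing the TMSI" buys an eavesdropper nothing, whereas a copy of Ki does. Everything after that, including whether a second attach for the same IMSI is refused or simply replaces the earlier record, is network-side policy that this model only assumes.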
They talk about this a little bit in the movie Primer, for what it's worth. They theorize (based on experience in their little universe) that the network would ring whichever phone it found first, but in the end declare it's a mystery beyond their ken.
posted by carsonb at 4:51 PM on October 29, 2012
Internet service is unlikely to work at all. I'm pretty sure the GGSN keeps track of which site you're on by IMSI. Outgoing SMS would probably work fine.
posted by wierdo at 8:43 PM on October 24, 2012 [1 favorite]