Mobile menaces

DQW Bureau

Cell phone cloning has just taken off in India and you could be its next
victim

Remember Dolly the lamb, cloned from a six-year-old ewe in 1997, by a group
of researchers at the Roslin Institute in Scotland? While the debate on the
ethics of cloning continues, Indians, for the first time, are faced with a more
tangible and harmful version of cloning and this time it is your mobile phone
that is the target.

In February this year, the Hyderabad police arrested two people for mobile
phone cloning, at the cost of genuine subscribers. The duo had established a
network of young men who frequented PCOs, which offered call facility through
CDMA technology. They used to make a note of the electronic serial number (ESN)
and the electronic machine identification number (EMIN) of the mobile handsets.
The stolen ESN and EMIN were then fed into a new CDMA handset, whose existing
program was erased with the help of downloaded software.

The Hyderabad arrest is not a standalone case. A spate of arrests over the
last couple of months across India reveals that cell phone cloning is on the
rise.

Who's safe?

Nobody. CDMA handsets are particularly vulnerable to cloning, according to
experts. First generation mobile cellular networks allowed fraudsters to pull
subscription data (such as ESN and MIN) from the analog air interface and use
this data to clone phones. Interception of CDMA calls is not exactly that
simple. The technology uses spread-spectrum techniques to share bands with
multiple conversations. Subscriber information is also encrypted and
transmitted digitally.

GSM handsets, on the contrary, are safer, according to experts. Every GSM
phone has an electronic serial number (referred to as the IMEI). It is not a
particularly secret bit of information and you don't need to take any care to
keep it private. The important information is the IMSI, which is stored on the
removable SIM card that carries all your subscriber information, roaming
database and so on. GSM employs a fairly sophisticated asymmetric-key
cryptosystem for over-the-air transmission of subscriber information. Cloning a
SIM using information captured over-the-air is therefore difficult, though not
impossible. As long as you don't lose your SIM card, you're safe with GSM.
Says TV Ramachandran, Director-General of Cellular Operators Association of
India (COAI), "GSM carriers use the COMP128 authentication algorithm for
the SIM, authentication center and network which makes GSM a far secure
technology."

GSM networks were considered to be impregnable until last month, when a
Delhi-based computer science graduate revealed gaps in the security system of
Hutch. The process was simple: a SIM card was inserted into a reader. After
connecting it to the computer using data cables, the card details were transferred
into the PC. Then, using freely available encryption software on the Net, the
card details were encrypted on to a blank smart card.

Consumer and cloning

While Hutch may be in a position to bear the damage, what happens when a
subscriber becomes a victim? Not much, as most operators, both CDMA and GSM,
have chosen to maintain silence. While Reliance refused to speak to and Bharti
claimed that no GSM phone has been cloned and hence it is not a matter of
concern, Hutch considers the incident to be a stray case. Says Ramachandran of
COAI, "GSM networks are more secure. It is difficult to clone a SIM card as
someone needs to possess your SIM card to get the carrier's key." The
entire GSM industry in India runs on COMP128-1, which was breached a couple
of years back in the US. COAI has asked all service providers to upgrade their
authentication algorithm to COMP128-3, declared tamper-proof by the
international GSM Association.

The best detection measure available in CDMA today is the A key feature. The
A key is a secret 20-digit number unique to the handset, given by the
manufacturer to the service provider only. This number is loaded in the
Authentication Center for each mobile. As this number is not displayed in mobile
parameters, it cannot be copied. Whenever a call is originated/terminated
from a mobile with authentication active, the network checks for the
originality of the set using this secret key. Says Naresh Malhan, COO, Delhi and
Rajasthan circle, Tata Indicom, "Both the manufacturer and the operator
have to participate to prevent cloning. The manufacturer has responsibility to
protect the handset parameters access by use of complicated software
protection."
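
The A key check described above can be sketched as a challenge-response exchange. This is an added example, not code from the article or from any operator: the AuthenticationCenter class, the function names and the sample ESN and A key are hypothetical, and HMAC-SHA256 stands in for the network's real authentication algorithm, which the article does not name.

```python
import hashlib
import hmac
import secrets


def handset_response(a_key: str, esn: str, challenge: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in, not the algorithm real CDMA networks use.
    return hmac.new(a_key.encode(), esn.encode() + challenge, hashlib.sha256).digest()


class AuthenticationCenter:
    """Hypothetical model of the operator side: ESN -> A key, never sent over the air."""

    def __init__(self):
        self._a_keys = {}

    def provision(self, esn: str, a_key: str) -> None:
        self._a_keys[esn] = a_key

    def new_challenge(self) -> bytes:
        # Fresh random value per call, so a recorded response cannot be replayed.
        return secrets.token_bytes(16)

    def verify(self, esn: str, challenge: bytes, response: bytes) -> bool:
        a_key = self._a_keys.get(esn)
        if a_key is None:
            return False  # handset not provisioned with this operator
        expected = handset_response(a_key, esn, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    esn, a_key = "ESN-0001", "12345678901234567890"  # constructed sample values
    ac = AuthenticationCenter()
    ac.provision(esn, a_key)
    c1, c2 = ac.new_challenge(), ac.new_challenge()
    genuine = handset_response(a_key, esn, c1)
    # A clone has the copied ESN but not the A key, so it can only guess one.
    clone = handset_response("00000000000000000000", esn, c1)
    return {
        "genuine": ac.verify(esn, c1, genuine),
        "clone": ac.verify(esn, c1, clone),
        "replayed": ac.verify(esn, c2, genuine),  # old response, new challenge
    }


if __name__ == "__main__":
    print(demo())
```

Only the handset holding the provisioned A key passes; a copied ESN alone, or a response recorded from an earlier call, is rejected.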

Beyond detection

However, all these methods are only good at detecting cloning, not
preventing damage. A better solution is to add authentication to the system.
But, this requires upgrades to users' and operators' equipment. The Ministry
of Information and Communication (MIC) of Korea has asked the country's
leading service providers to implement the new cellular authentication system in
a full-fledged manner from March. MIC expects the measure to eradicate illegal
cloning completely. This means upgrading the software of the operators'
network and renewing the SIM cards, which comes at a price and may not be a
palatable idea for most Indian carriers at present.

Bhaswati Chakravorty
in New Delhi
