
Saturday, September 14, 2013

PIN Enabled SIM Card

A recent question raised the issue of what data would be revealed if a SIM Card were read with a PIN enabled. Using a free SIM Card reader, the results are shown below. Do remember that different readers can produce different output, depending on how the programmer wrote the software. The results are from an old Phase 2 GSM SIM Card.

Additional tests with the PIN Locked SIM Card conducted with different SIM Readers

Considering Clone Test SIM Card Tools

There have been a few mentions of clone test SIM Cards at this blog, raising observations as to possible issues that may be useful to know.

Further observations that examiners may find useful to consider are: whether it is necessary for a cloned test SIM Card tool to produce identical files, structure and format for every clone test card produced, or whether the make/model of handset can influence, for example, the number of files necessary to gain access to a handset's memory; whether Cust_Files pre-generated on a cloned test card should be included or excluded when counting the GSM/3GPP EFs identified on a cloned test card; and the importance, if any, of the evolution in a clone test card tool's development.

Below are two screen dumps, from an examination using just one (U)SIM Card Reader, of two different clone test SIM Cards supplied by different manufacturers with their tools. They provide a useful visual indicator when placed in the context of the above observations. The observations above and the images below are not published to suggest a problem with any particular clone test SIM Card or tool. Their purpose is to ask: should two different examiners use two different clone test SIM Cards and tools to generate evidence, which one would be more pertinent for use when accessing the memory of a particular handset?

Wednesday, November 03, 2010

Quad-SIM (4 in 1)

Wonder how we will handle the examination of this beast? Which profile will need to be read first? Will the handset have different profiles? Will each SIM have its own password? There are so many questions this news story raises. Previous experience has shown that care is needed when handling the examination of handsets containing two (dual) SIMs (http://sim2usim.blogspot.com/2008/11/cloning-test-sim-cards.html).

Spreadtrum Announces the World’s First Single Chip Quad-SIM Standby Solution
The SC6600L6 allows four GSM SIM cards to run simultaneously in standby mode with only one set of baseband and RF. It integrates a processor engine and controller for supporting quadruple SIM cards and has an improved graphical user interface for Quad-SIM. The product supports different multi-SIM options, including dual SIM, triple SIM and Quad-SIM in a single set of baseband and RF chip, provides more choices to handset designers and meets the needs of users from different regions.

http://www.spreadtrum.com/eng/showNews.asp?name=1&ID=306

Tuesday, November 02, 2010

Smart Card Hacking

Back in 2002 I wrote about SIM Card Cloning for examiners, to demonstrate the state of the marketplace, where software and hardware were being openly promoted that researchers could obtain, and what an examiner might be exposed to when examining a cloned SIM Card. A copy of that report can be downloaded here:

SIM Card Cloning
http://www.4shared.com/document/GMz_Gqcc/Special_Edition_2002_SIM_Cloni.html

In 1998 I circulated a report (UPD5-1 Vol1 - FEN98) on Smart Card Hacking to members of the British Association of Criminal Experts (BACE). The archive report has been scanned page by page, put into Acrobat PDF format and can now be downloaded here:

Smart Card Hacking
http://www.4shared.com/file/kq5NGzns/UPD5-1_Vol1_-_FEN98.html

The smart card hacking report has an interesting description of the classification of the various levels of criminal activity, in addition to techniques of smart card hacking. This particular report was the one that inspired me to write about SIM Card Cloning for examiners. Once again, thanks and respect to Ross Anderson and Markus Kuhn.

It is important to consult the laws of the country you are in when dealing with research for cloning SIM Cards. This blog article does not promote or advocate anyone to break the law by cloning or attempting to clone SIM cards for the purposes of obtaining services or breaching property rights belonging to respective particular network operators etc.

Sunday, September 13, 2009

BCCH data uncovered

The data found in the elementary file broadcast control channel (EF_BCCH, 7F20:6F74 / 7F21:6F74) can provide useful data relating to a geographical radio area when combined with location area information data.

Method for translating BCCH information data. The question is: is the translation below to find the BCCH frequencies correct, and what have I not mentioned below? You will need copies of GSM 11.11, GSM 03.03 and GSM 04.08, as well as an understanding of the coding schemes.

FIGURE 1 What the Standard states:

FIGURE 2 What that means:

FIGURE 3 Harvested data from an Orange SIM Card read:

FIGURE 4 Translating the hex output to binary:

FIGURE 5 Converting to decimal digits which translates again and corresponds to GSM assigned uplink/downlink frequencies:

BCCH Frequencies (ARFCN)
761 765 766 774 781 782 786 787 789 790 797 799 801 803 806 813 816 825 828 829 838 846 847 849 869

FIGURE 6 Corroborating the conversion using another tool:

More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com
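Added example (written for this page, not the post's own figures or tool): a small Python decoder that walks the translation steps above, hex dump to bit string to decimal ARFCNs, and then applies the GSM 05.05 ARFCN-to-frequency formulas for the P-GSM 900, E-GSM 900 and DCS 1800 bands. The map layout it assumes (an origin ARFCN followed by a 112-bit relative map, bit k meaning origin+k) is a simplification and not the exact byte layout of EF_BCCH; the sample bytes are constructed, not the Orange read.

```python
# Added example, not from the post. ASSUMPTION: the map layout (origin ARFCN
# plus a 112-bit relative map, bit k counted from the MSB of the first byte
# meaning ORIG+k) is a simplification; the format-ID bits and exact byte
# layout of the GSM 04.08 / 11.11 records are not reproduced here.

def hex_to_bits(hexdata: str) -> str:
    """FIGURE 4 step: hex dump -> binary string (spaces in the dump ignored)."""
    return "".join(f"{b:08b}" for b in bytes.fromhex(hexdata.replace(" ", "")))

def decode_relative_bitmap(orig_arfcn: int, bitmap_hex: str) -> list[int]:
    """FIGURE 5 step: the origin carrier plus every carrier whose bit is set."""
    bits = hex_to_bits(bitmap_hex)
    if len(bits) != 112:
        raise ValueError("expected a 14-byte (112-bit) map")
    arfcns = [orig_arfcn]
    for k, bit in enumerate(bits, start=1):   # k = 1..112 -> ARFCN = ORIG + k
        if bit == "1":
            arfcns.append(orig_arfcn + k)
    return sorted(arfcns)

def arfcn_to_mhz(n: int) -> tuple[float, float]:
    """ARFCN -> (uplink, downlink) MHz per GSM 05.05; computed in kHz to stay exact."""
    if 0 <= n <= 124:             # P-GSM 900: 890 + 0.2n, duplex 45 MHz
        ul = 890_000 + 200 * n
        dl = ul + 45_000
    elif 975 <= n <= 1023:        # E-GSM 900 extension: 890 + 0.2(n-1024)
        ul = 890_000 + 200 * (n - 1024)
        dl = ul + 45_000
    elif 512 <= n <= 885:         # DCS 1800: 1710.2 + 0.2(n-512), duplex 95 MHz
        ul = 1_710_200 + 200 * (n - 512)
        dl = ul + 95_000
    else:
        raise ValueError(f"ARFCN {n} is outside the GSM 900/1800 bands")
    return ul / 1000, dl / 1000

# Constructed sample (not the Orange SIM read from the post): origin 761 and
# a map flagging offsets 4, 5 and 13, i.e. ARFCNs 765, 766 and 774.
SAMPLE_ORIG = 761
SAMPLE_MAP = "18 08 00 00 00 00 00 00 00 00 00 00 00 00"

if __name__ == "__main__":
    for n in decode_relative_bitmap(SAMPLE_ORIG, SAMPLE_MAP):
        ul, dl = arfcn_to_mhz(n)
        print(f"ARFCN {n}: uplink {ul:.1f} MHz, downlink {dl:.1f} MHz")
```

Feeding the real 16-byte EF_BCCH record through this would require first separating the format-ID and origin fields as GSM 04.08 lays them out, which is exactly the part of the translation the post asks readers to check.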

Tuesday, November 18, 2008

Ultra-thin membrane changes (U)SIM card usage

Examiners may come across an ultra-thin (0.3mm) membrane that lies over the contacts of a SIM card. Called the V200 SIM Dialer, the membrane is "Prefix base programmable (For routing prefix and bypass prefix setting)". What does that mean? Well, it works with mobile phones that have a SIM Tool Kit menu (most up-to-date phones have one) and defines access to the network. The point is that if you are looking for least-cost routing for calls, or want to use a calling card rather than pay mobile network call charges, then this device makes that happen, apparently.

How does it do it? "Dial the desired number directly each time you call, SIM dialer V200 will automatically dial IP access in front of the dialed number".
As the manufacturer promotes, using their device will not change your dialling habits and there is "No cutting, No punching your SIM".

As the device has been programmed, and looking at the on-board chip, there should be a reader for it, or one could be constructed. This throws me back to the old days of PonyProg and PIC basics. Of course, of equal importance is how this device affects the examination of the handset and SIM card. Will manual examination be the only course available, or do the current handset and SIM readers detect the changes this device makes to them? What evidence is there of call history or data usage? These are just a few of the questions to get examiners started.

It seems this programmable ultra-thin membrane is not limited to SIM calls: there is a USIM version (U-SIM V33G) that can be used to unlock iPhones. There is a video that is useful to watch so that examiners can at least comprehend how ultra-thin the membrane is and how it is installed:
http://tw.youtube.com/watch?v=JQSNJxis7Ds

Please note, this is not a promotion or advert for these products, the information provided is to assist examiners with observations about these devices that may form part of their evidence.

Saturday, November 01, 2008

Cloning Test SIM Cards

Cloning test SIM cards can present problems if their use is not carefully monitored, and can lead to loss of data from a device under test (DUT). There appear to be many different circumstances under which the loss of data can occur when using a cloning test SIM card. Some examples are:

- The inadequate level of notice and advice within the applications that create the clone test SIM card, failing to state precisely that a particular make/model of handset has been tested with the cloning application before it is used with that make/model, or where the guide only generally infers that the application is usable with a particular make.

- Whether the cloned test SIM card has been correctly recorded or not before inserting it into the device under examination (DUT).

- The 'trial and error' approach being applied to evidential mobile phones, leading to loss of data, where the written advice in the guide, when given, doesn't deal with the examination problem at hand.

Taking one example of a mobile phone examination problem relating to the Samsung D880:

This mobile phone is capable of having two SIM cards inserted at the same time, in order to allow two different subscriber accounts to be used separately by a user. To understand the difference, compare this with the traditional position of having to manually swap one SIM card for another in a mobile phone that operates with a single inserted SIM card.

Once the user has selected to use one of the two SIM cards inserted, the option to switch to a particular SIM in normal user mode is via the 'SIM selection key', with visual icons displayed on the device's screen confirming which SIM and subscription account is in use.

Problematic for the examiner using cloned test SIM cards is the question of what the safest method is for examining a dual SIM card mobile phone. Looking at some options, what problems can arise for the examiner?


1) Take out one of the user SIM cards and produce a cloned test SIM card, whilst leaving the other user SIM card in place? Then insert the new clone test SIM card and examine the phone? It is unlikely this could work well, because an original user SIM card is still in place and thus the mobile phone could still register to the network etc. That is so because the examiner doesn't know which SIM and subscription account was last used by the mobile phone. The notion of switching the mobile phone 'ON' prior to using a cloned test SIM card to find out begs the question: why is the examiner using cloned test SIM cards in the first place?

2) Take out both user SIM cards and produce two cloned test SIM cards, but insert only one test card and examine on that basis? This might work, provided of course the examiner has selected the right SIM slot and subscription account for access, which is a bit 'trial and error', 'hit and miss'. Moreover, assuming the above method had worked and the examiner safely selected the correct SIM slot/account - for example by taking the pragmatic step of recording which user SIM came out of which slot and placing the corresponding cloned test SIM card into that slot - what happens when the second cloned test SIM card needs to be inserted? Using the SIM selection key to switch to the other SIM card may not assist, because there isn't a cloned test SIM card in the second slot for the device to read any details from. Moreover, bearing in mind the device memory has noted only one SIM inserted the first time around, what impact might there be if a second cloned test SIM card is now inserted? Will it allow access to the subscriber account user data on the device? Furthermore, what happens when switching over to the other cloned test SIM card?

3) Inevitably, the line of reasoning in this discussion is intended to bring the reader's attention to the option of putting both cloned test SIM cards into the appropriate SIM slots and examining further from that standpoint. But what happens then if the device does not give up its riches and does not enable the examiner to gain access to the user data? Turning to the cloned test SIM card guides, what if they provide no assistance at all? What if the cloning application does not record properly to the cloned test SIM card, or the data that it does record are insufficient for a particular make and model of mobile phone to function in the way it is expected to?
In each of the above cases where loss of data might occur, that is to say where, for example, no call history or text messages are accessible, it may not be because the user has deleted them, or has set a calendar event in settings to delete texts or clear call history at a given date and time, but because the cloned test SIM card has removed access to them, and the examiner may not be aware of that until either using a device reading program or conducting a manual examination.

The presumption that the examination, and the tools used to recover data from a device, were functioning properly and without flaw at the time of the examination from which the mobile phone data served in evidence arose, inferring that it is safe to rely on, may not meet the maxim omnia praesumuntur rite esse acta, as expressed by Lord Griffiths in R v Shepherd [1993] AC 380. That can be so because it has never simply been solely about whether the original device (exhibit) was working properly at the material time; of equal significance is whether, in the obtaining of data and the processes used to obtain it, the evidence is safe to rely on. The latter requirement did not disappear in the wake of the repeal of section 69 of the Police and Criminal Evidence Act 1984. Nor did it disappear with the introduction of the Criminal Procedure and Investigations Act 1996, the Police Act 1997, the Regulation of Investigatory Powers Act 2000 and so on.

The purpose of raising this discussion (for examiners and students) about mobile phone forensic examination and tools is that discussions on these types of topics are not simply about providing answers and solutions to problems, but about identifying potential questions that need to be addressed before using cloned test SIM cards.

Lastly, I have not described every event dealing with the examination of a dual SIM card mobile phone, or how the Samsung D880 manages the operation and functionality of both SIM cards. Not referring to these matters has helped simplify and refine the discussion, keeping the important points to the fore.