
Characteristics of SIM card & Its role in Equipment Identification

Prepared by: Amita Jajoo Roll No. 18

Overview
- GSM facts
- GSM components
- Subscriber
- SIM anatomy
- SIM Information Storage
- Threats to SIM data
- Equipment: Generic Properties
- Equipment identification phase

Some GSM Facts (Cont..)

With GSM, systems for mobile communication reached a global scale. In the western world, it seems everyone has their own mobile phone, and GSM has taken more and more of the market. GSM allows users to roam seamlessly between networks, and separates the user identity from the phone equipment. In addition, the GSM system provides the functional basis for the 3rd generation mobile system.

Some GSM Facts (Cont..)

- Nearly 1 billion subscribers worldwide
- Estimated that worldwide mobile phone fraud will reach $40 billion dollars
- US law enforcement agents have found that 80% of drug dealers arrested in the US were using cloned mobile phones.
- One of the top Colombian drug dealers was tracked down by monitoring his mobile phone activity.
- Two aspects relevant to a Forensic Analyst:
  - Has the phone been used for a criminal act?
  - Can the phone be used to secure a conviction?

Some GSM Facts (Cont..)

The European Telecommunication Standards Institute (ETSI) regulates the GSM standard (all 4000 pages of it!). Any equipment used on a GSM network has to have approval by the ETSI. All MSs are independent from any network.

Components of a GSM network (cont..)

The Switching System (SS)

- Home Location Register (HLR) - A database which stores data about GSM subscribers, including the Individual Subscriber Authentication Key (Ki) for each Subscriber Identity Module (SIM).
- Mobile Services Switching Center (MSC) - The network element which performs the telephony switching functions of the GSM network.
- Visitor Location Register (VLR) - A database which stores temporary information about roaming GSM subscribers.
- Authentication Center (AUC) - A database which contains the International Mobile Subscriber Identity (IMSI), the Subscriber Authentication key (Ki), and the defined algorithms for encryption.
- Equipment Identity Register (EIR) - A database which contains information about the identity of mobile equipment in order to prevent calls from stolen, unauthorized, or defective mobile stations.

Components of a GSM network (cont..)

The Base Station System (BSS)

- Base Station Controller (BSC) - The network element which provides all the control functions and physical links between the MSC and BTS. The BSC provides functions such as handover, cell configuration data, and control of radio frequency (RF) power levels in Base Transceiver Stations.
- Base Transceiver Station (BTS) - The network element which handles the radio interface to the mobile station. The BTS is the radio equipment (transceivers and antennas) needed to service each cell in the network.

Components of a GSM network (cont..)

The Operation and Support System (OSS)

- Message Center (MXE) - A network element which provides Short Message Service (SMS), voice mail, fax mail, email, and paging.
- Gateway Mobile Services Switching Center (GMSC) - A network element used to interconnect two GSM networks.

The Subscriber

In 1987, GSM decided that all information elements contained in the MS that are related to the mobile subscriber must be stored and operated within a specific module, called the SIM. The remaining part of the MS, called the ME, is intended to contain all the mechanisms and devices that are needed to access the GSM services but are not specific to a given subscriber.

How to Identify a Subscriber

Every mobile subscriber is issued with a smart card called a Subscriber Identity Module (SIM).

As physical evidence, the SIM provides details printed on its surface:

- Name of the Network Provider
- Unique ID Number

Smart Card Anatomy


SIM Anatomy
- Subscriber Identification Module (SIM)
- Smart Card: a single chip computer containing OS, File System, Applications
- Protected by PIN
- SIM applications can be written with SIM Toolkit
- SIM Application Toolkit (commonly referred to as STK) is a standard of the GSM system which enables the Subscriber Identity Module (SIM) to initiate actions which can be used for various value-added services.


Serial Number

File     Purpose          Size
ICCID    Serial Number    10 bytes

Integrated Circuit Card Identifier: Each SIM is internationally identified by its integrated circuit card identifier (ICCID). ICCIDs are stored in the SIM cards and are also engraved or printed on the SIM card body during a process called personalization.

What Can Be Extracted From A SIM?

As the SIM is a smart card, it has:

- A processor
- Non-volatile memory

The processor is used for providing access to the data and security.

To access the data we need:

- Standard smart card reader
- SIM access Software

Data is stored in binary files.

SIM Storage
A SIM card contains its unique serial number (ICCID), the internationally unique number of the mobile user (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to, and two passwords (PIN for usual use and PUK for PIN unlocking). In order to allow the mobile subscriber to operate his SIM in different places with possibly different MEs, the SIM must also contain certain values of the temporary data, namely TMSI, LAI, and Kc. The technology adopted by SIM manufacturers is such that frequent updating of data is made possible. The SIM storage capabilities may provide facilities to memorize and manage additional elements related to the mobile subscriber in association with GSM services or MS features.

SIM Storage (Cont..)

Some of these storage capabilities are as follows:

1. Storage of short messages and associated parameters
2. Management of an abbreviated dialing numbers list
3. Implementation of fixed dialing number list
4. Memorization of various bearer capability configuration parameters of terminals
5. Memorization of the advice of charge information given by the network
6. Management of a list of preferred PLMNs for connection
7. Implementation of the MS feature of barring for outgoing calls.

SIM Storage

The SIM is also used to control or to ease the access of the MS to the network by having the following capabilities.

1. Storage of a list of BCCH frequencies
2. Storage of network access control parameters
3. The SIM stores network state information, which is received from the Location Area Identity (LAI). Operator networks are divided into Location Areas, each having a unique LAI number. When the device changes locations, it stores the new LAI to the SIM and sends it back to the operator network with its new location.

SIM Storage (Cont..)

The SIM contains security related information like:

1. Unique mobile subscriber ID through IMSI and MSISDN numbers
2. PIN
3. Authentication key Ki, which is allocated to the subscriber together with its IMSI.
4. A3: for subscriber authentication, A5: for ciphering/deciphering, and A8: for cipher key generation

It also contains the current values of the temporary data, namely TMSI, LAI, and Kc.

SIM Storage (Cont..)

The SIM takes care of most of the security functions at the mobile station side. It stores Ki, it implements the operator-dependent A3/A8 algorithms, and it stores the dormant key Kc. The existence of the SIM as a separate piece of physical equipment gives flexibility in the choice of A3 and A8. Ki is burnt into the SIM during the initial personalization of the SIM card at the manufacturing place, so it is not easy to read Ki from the SIM. Another advantage of the SIM is that, if security requires it, the operator can issue a new SIM, and thereby the A3 and A8 algorithms get updated.

International Mobile Subscriber Identity

IMSI = MCC (3 digits) + MNC (3 digits) + MSIN (up to 9 digits)

- MCC: Mobile country code
- MNC: Mobile network code
- MSIN: Mobile Station Identification Number
- NMSI = MNC + MSIN (National mobile station identity)

Electronic Access to the SIM

Every SIM can be protected by a Personal Identification Number (PIN)

- Set at point of manufacture
- Can be changed by the Subscriber
- Four digit code
- Usually 3 attempts before phone is blocked

Bypassing the PIN requires the PIN Unblocking Key (PUK)

- 8 digit code
- Set by manufacturer
- Maximum 10 attempts before phone is permanently blocked

Text Message Data (SMS)

File    Purpose                  Size
SMS     The text messages        n * 176 bytes
SMSP    Message parameters       variable
SMSS    Status of the message    variable

- Short Message Service is a popular communication method
- Most SIMs have 12 slots for storing messages
- Modern MSs allow storage on the device as well

Text Message Data (SMS) - Status

Value       Interpretation
00000000    Unused
00000001    Mobile terminated message, read
00000011    Mobile terminated message, unread
00000101    Mobile originated message, sent
00000111    Mobile originated message, not sent

When the user deletes a message, only the status flag is changed.

Therefore, provided the message has not been overwritten, any message in a slot can be recovered and translated using software.
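The status-flag behaviour described above, as an added example that is not part of the original slides: it walks a raw dump of the SMS file in 176-byte slots, decodes each status byte with the table above, and flags slots marked "unused" that still hold message bytes. The sample dump is constructed, and the assumption that never-written bytes read back as 0xFF (or 0x00 on some cards) is not stated in the slides.

```python
RECORD_SIZE = 176  # one SMS slot, per the file table above

# Status byte values exactly as listed in the status table above.
STATUS = {
    0b00000000: "unused",
    0b00000001: "mobile terminated, read",
    0b00000011: "mobile terminated, unread",
    0b00000101: "mobile originated, sent",
    0b00000111: "mobile originated, not sent",
}

def triage_sms_file(dump: bytes):
    """Return one dict per slot: slot number, decoded status, the raw body,
    and whether a slot flagged 'unused' still carries message bytes."""
    if len(dump) == 0 or len(dump) % RECORD_SIZE:
        raise ValueError("dump length is not a multiple of 176 bytes")
    slots = []
    for offset in range(0, len(dump), RECORD_SIZE):
        record = dump[offset:offset + RECORD_SIZE]
        status, body = record[0], record[1:]
        # Assumption: a never-used slot is filled with 0xFF (or 0x00).
        blank = all(b == 0xFF for b in body) or all(b == 0x00 for b in body)
        slots.append({
            "slot": offset // RECORD_SIZE + 1,
            "status": STATUS.get(status, f"unknown (0x{status:02X})"),
            "residual": status == 0x00 and not blank,  # deleted, not overwritten
            "body": body,
        })
    return slots

def make_record(status: int, payload: bytes = b"") -> bytes:
    """Build a constructed 176-byte slot: status byte, payload, 0xFF padding."""
    return bytes([status]) + payload + b"\xFF" * (RECORD_SIZE - 1 - len(payload))

# Constructed dump: a read message, a deleted message, and an empty slot.
SAMPLE = (make_record(0x01, b"\x07\x91constructed-tpdu-1")
          + make_record(0x00, b"\x07\x91constructed-tpdu-2")
          + make_record(0x00))

if __name__ == "__main__":
    for s in triage_sms_file(SAMPLE):
        note = "  <- deleted, content still present" if s["residual"] else ""
        print(f"slot {s['slot']}: {s['status']}{note}")
```

Slots reported with residual content are the ones to pass to an SMS decoder; the body bytes are returned untouched so the original evidence is not altered.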

Threats to SIM Data

- Knowledgeable criminals will be aware of the properties of the SIM and thus manipulate them.
- Greater threat is that of cloning SIM data for illegal use
- Two key pieces of data:
  - IMSI
  - The data encryption key (Ki)
- IMSI can be obtained:
  - Directly from the SIM using a scanning software
  - Eavesdropping on the networks for unencrypted transmission of the IMSI
- Ki cannot normally be obtained directly as it is derived from an encryption algorithm stored on the SIM
- However, if the encryption algorithm is weak then it is possible to feed numbers

Threats to SIM Data (Cont..)

Obtaining blank SIMs

These cards can be ordered from the same source where network providers get their cards. The card must then be programmed with a special tool for programming of fresh cards. Such a tool is distributed together with the SIM-Scan package. An attacker could also get hold of a generic smart card and smart card programmer, and then program the card to act as a SIM.

SIM Life

It covers the whole period from the very beginning when it is manufactured, through the personalization phase when it is allocated to a mobile subscriber, until the moment it is put out of service. GSM distinguishes two phases during SIM life:

1. GSM network operation phase: When the SIM is allocated to a given subscriber and operated in association with the ME in order to access the GSM services.
2. GSM administrative management phase: It covers all the operations needed for the establishment and the continuity of the SIM capability to access the GSM system: manufacturing, service provider operations, and personalization (for example, when the SIM is loaded with IMSI or Ki).

The Equipment

In GSM, the customer subscription and authentication capabilities are contained within the SIM. Any mobile will take on the identity of a subscriber by insertion of a SIM, which is why mobiles have become an attractive item to steal. To prevent this, GSM has specified an International Mobile Equipment Identifier (IMEI).

Generic Properties

- All MSs have GSM standards on how they access and communicate with the network and SIM card
- Every MS has a unique ID called the International Mobile Equipment Identity (IMEI)
- Everything else is manufacturer dependent:
  - File system
  - Features
  - Interface
  - Etc.
- Have to request the SIM PIN if activated
- May have optional MS PIN

Equipment identification phase

[Diagram: IMEI check between MS, MSC/VLR and EIR during call setup]

- MS: Storage of equipment identity IMEI
- MSC/VLR
- EIR: Storage of all number series for mobile equipment that have been allocated in the different GSM countries; storage of all the gray/black listed equipment
- Message labels: call setup; IMEI Request; Sends IMEI; Check IMEI; Access or barring; Continue with the call or stop the call setup procedure

MS Data
Very much dependent on the model, may include;

- IMEI
- Short Dial Numbers
- Text/Multimedia Messages
- Settings (language, date/time, tone/volume etc)
- Stored Audio Recordings
- Stored images/multimedia
- Stored Computer Files
- Logged incoming calls and dialled numbers
- Stored Executable Programs (e.g. J2ME)
- Stored Calendar Events
- GPRS, WAP and Internet settings

Threats to MS Data

- Tools such as Flashers and Data Suites can be used to directly manipulate MS data
- Common threat is removing the Service Provider Lock (SP-Lock) limiting the MS to a single network.
- Changing the IMEI on stolen phones
  - Networks blacklist stolen IMEIs in the EIR.
  - Can also be used to avoid tracing an MS.

Detecting changes to the IMEI


Compare the electronic IMEI with that printed on the inside of the device
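One way to carry out this comparison, as an added example that is not part of the original slides: it normalises the two transcriptions, verifies each IMEI's check digit (the 15th digit of an IMEI is a Luhn checksum over the first 14, a detail the slides do not mention), and reports any mismatch. It assumes both values are 15-digit IMEIs; the sample numbers are constructed.

```python
import re

def luhn_valid(imei: str) -> bool:
    """True if the last digit is the Luhn check digit of the preceding ones."""
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:                    # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalise(raw: str) -> str:
    """Drop separators that appear on labels and in examiner notes."""
    return re.sub(r"[\s\-/.]", "", raw)

def compare_imei(electronic: str, printed: str) -> list:
    """Return a list of findings; an empty list means the two IMEIs agree."""
    findings = []
    e, p = normalise(electronic), normalise(printed)
    for label, value in (("electronic", e), ("printed", p)):
        if not re.fullmatch(r"\d{15}", value):
            findings.append(f"{label} IMEI is not 15 digits: {value!r}")
        elif not luhn_valid(value):
            findings.append(f"{label} IMEI fails the check digit")
    if e != p:
        findings.append("electronic and printed IMEI differ")
    return findings

# Constructed sample values (not real devices).
LABEL_IMEI = "12-345678-901234-7"      # as read from the label under the battery
MATCHING = "123456789012347"           # same IMEI reported electronically
REWRITTEN = "987654321098767"          # valid check digit, different device
CORRUPTED = "123456789012340"          # last digit altered, checksum broken

if __name__ == "__main__":
    for value in (MATCHING, REWRITTEN, CORRUPTED):
        print(value, compare_imei(value, LABEL_IMEI) or "consistent")
```

A rewritten IMEI with a valid check digit passes the checksum and is caught only by the comparison with the label, so both checks are needed.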

Thank You
