2012

PAF KIET Subimitted By:Madiha Zaib

[ SIM/USIM CLONNING IDENTIFICATION & PRIVILEGE]

This paper investigates the mobile cloning by cloned the Subscriber identity Module (SIM)/Universal Subscriber Identity Module (USIM) in GSM/Universal Mobile Telecommunication System (UMTS) technologies

ABSTRACT This paper investigates the mobile cloning by cloned the Subscriber identity Module (SIM)/Universal Subscriber Identity Module (USIM) in GSM/Universal Mobile Telecommunication System (UMTS) technologies. It could be happen by the cloning of SIM and access network through SIM authentication, in this paper, we will identify this type of cloning by the mobility management & call setup procedures.

INTRODUCTION Mobile telecommunications services have become very popular recently. Consider Taiwan as an example, the total number of mobile service subscribers has reached over 22 millions, with the penetration rate over 100 percent. As the penetration rate of mobile services significantly increase, fake usage has become a serious issue. At the mobile subscriber side, modern mobile services, such as GSM and Universal Mobile Telecommunication System (UMTS), are secured by the subscriber identity module (SIM). Without the SIM card, a mobile phone or mobile station (MS) cannot access mobile services (except for emergency calls). The SIM can be a smart card that usually has the size of a credit card, a smaller sized plug-in SIM, or a smart card that can be performed, which contains a plug-in SIM that can be broken out of it. A SIM contains the subscriber-related information including its identity, authentication key, and encryption key. The subscriber identity and authentication key are used to authorize mobile service access, and to avoid fraudulent access of a cloned MS. Through interaction between the SIM and the authentication center (AuC), GSM provides one-way authentication. In UMTS, mutual authentication is achieved by sharing a secret key between the SIM and the AuC. This procedure follows a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence-number based onepass protocol for network authentication derived from ISO/ IEC 9798-4. The above authentication procedures assume that the SIM is securely kept by the corresponding legal mobile user. Unfortunately, we have observed the existence of cloned SIMs that also have the same identities and authentication keys as the legal SIMs. These cloned SIMs will result in fraudulent usage as well as misrouting of incoming calls to the legal users. In Taiwan, potential loss due to this problem can be up to several millions of US dollars per year. To our knowledge, this issue has not been addressed in the literature. In this paper, we investigate how fraudulent usage may occur when fraudulent usage may be detected by the existing UMTS/GSM mechanisms and how to reduce the possibility of fraudulent usage.

PROBLEM STATEMENT We use GSM/UMTS as an example to describe the operations in a mobile telecommunications network and show how fraudulent usage may occur. In GSM/UMTS, authentication is typically performed in the following events: registration (i.e., MS attach or location update), call origination (i.e., an outgoing call), and call termination (i.e., an incoming call). An illegal user gains access to the mobile network through registration and then enjoys free services through call originations. Such fraudulent usage may be detected by the GSM/UMTS network when the legal user performs the next registration or call origination. We briefly describe the registration and call setup procedures as follows Mobility management of mobile services involves two types of mobility databases: Home Location Register (HLR) and Visitor Location Register (VLR). When a user subscribes to the services of a mobile operator, a record is created in the operators HLR. The record stores services subscribed by the user (such as call waiting, call forwarding, voice mailbox, etc.). The location information (i.e., the address of the VLR visited by the MS) is also kept in the record. The service areas of mobile networks are partitioned into several location areas (LAs). One or more LAs are associated with a VLR. When a mobile user visits a LA, a temporary record for the mobile user is created in the corresponding VLR. The VLR typically collocates with a mobile switching center (MSC) that is responsible for call setup of MS. The VLR stores subscription information (replicated from the HLR) for the visiting subscribers so that they visited system can provide services. The VLR record also maintains the location information (i.e., the address of the LA where the MS resides). In other words, the VLR is the location register other than the HLR used to retrieve information for handling calls to or from a visiting mobile user. To track the location of an MS, the MS automatically reports its location (to the visited VLR and then to the HLR) when it moves to a new location. This procedure is called registration. Before the user accesses the VLR/HLR, authentication is performed between the user and the AuC (which may be collocated with HLR). To deliver a call to an MS, the network retrieves the location information stored in the HLR and the VLR, and the network sets up a trunk based on this location information. Like registration, authentication is required before call setup is performed. In this paper, we present the fraudulent usage problem due to cloned SIM. Suppose that the SIM card of a legal user u has been cloned by an illegal user u_. Consider the timing diagram in Fig. 1. In this example, u enters a location area LA1 at time _0, and moves to another location area LA2 at time _3. Then, following the standard GSM/UMTS mobility management procedure [17], u informs the network that it has moved into LA1 at _0, and informs that it has left LA1 and moved into LA2 at _3. Fig. 2 illustrates the registration procedure performed at _0. In this figure, the MS is first authenticated by the AuC. (Note that through network signaling optimization [1], [16], the MS may be authenticated by the VLR instead of the AuC.) Then, the MS registers to VLR1 and the HLR. After registration, the HLR record of u indicates that the MS is in VLR1, and the record in VLR1 indicates that the MS is in LA1. Suppose that u_ attempts to illegally access the mobile network at time _1 in the interval _0; _3_. This illegal user u_ either issues attach or a normal location area update action at _1. If u_ and u are in the same location area LA1, then this abnormal action will be detected; that is, the network notices that the same MS registers to the same location area twice. The network may suspend the services for u until the fraudulent usage issue is cleared. If u_ registers in a different location area LA3 (controlled by VLR2 in our example), then the network considers that u has moved from LA1 to LA3. As illustrated in Fig. 3, after the registration at _1, the HLR record indicates that u is in VLR2 and the VLR2 record indicates that u is in LA3. The VLR1 record for u is deleted through the location cancellation procedure. At this point, u_ gains mobile service access and fraudulent usage may occur. Such fraudulent usage can continue until either there is an outgoing call originated by u at time _2 or when u moves to

another location area LA3 and issues location update at time_3. Therefore, two cases are considered: Case 1. Suppose that after _1, the first outgoing call for u occurs before u moves to LA2 (i.e., _2 < _3). Then, at _2, u issues a call origination request to VLR1 as illustrated in Fig. 4. Since the us record at VLR1 has been erased or modified (in Fig. 4, the record has been erased), the network will detect that u has registered with location area LA3 but is issuing an outgoing call from location area LA1. At this point, the mobile service of u will be suspended until the network has resolved the fraudulent usage issue. Case 2. If _3 < _2, then after _1, the first event of u is a registration request due to movement from LA1 to LA2 (assume that both location areas are covered by VLR1). Similar to the situation in Case 1, when u issues the registration request to VLR1, VLR1 cannot identify the record for u, and the potential fraudulent usage situation is detected. In Fig. 1, let t1 _3 _ _1 and t2 _2 _ _1. Then, T mint1; t2 is the potential fraudulent usage period. During this period, u_ can illegally originate calls. Also, all incoming calls to u will be directed to u_ during T, i.e., these calls are misrouted as illustrated in Fig. 5. The calling parties of these misrouted calls may misleadingly think that the mobile operator accidentally routes the calls to wrong places. In the next section, we derive the expected potential fraudulent usage period ET_ and the probability PrN n_ that there are n misrouted calls during the potential fraudulent usage period.