Beware of anonymous SIM scammers

If you can’t convince them, confuse them. This is the basis for selling lies, and it is very easy to apply to anonymous SIM card fraud.

Preparatory measures

Without a SIM card, you won’t be able to make a call from your cell phone unless you call emergency numbers or use app voice calls over WIFI (such as Skype or WhatsApp). Even if a scammer sells you a SIM card that pretends to be “anonymous”, that SIM card still has to use a cell tower. Also, if you use data calls instead of normal voice calls, your phone will still connect to the nearest cell tower (over data channels instead of voice channels). Unless you are using WIFI, there is no way to bypass a cell tower when you want to communicate. A cell tower means a cellular network, servers, SS7 vulnerabilities and exploits, IMSI catchers, GSM interceptors, location tracking and monitoring. And last but not least: mass surveillance.

The test

Are you a happy buyer of one of these anonymous SIM cards? Are you sure that IMSI is protected and your SIM security is “hardened”? Now it’s time for a small and quick test.

Most people have no idea what an IMSI is, and no idea how to get it from their own SIM card. They also have no idea what can happen if someone retrieves the IMSI from their SIM card. So let’s start with testing. No technical skills, special knowledge or payments are required.

Test No. 1

The manufacturers of anonymous SIM cards claim that the security of the card is “hardened” and that the IMSI is hidden from eavesdropping systems by some security tricks.

Whether you have a fancy Android device or a swanky iPhone, you can test your newly purchased “anonymous” SIM card right now. Just go to Google Play or the App Store and install any app that displays your SIM card information. Example: Whats My IMSI

On the iPhone, it’s actually quite simple: go to the “Settings” menu and select “Mobile data” there. Select “SIM Applications” and that’s pretty much all you need to do.

Do you have your IMSI now? Good! Now you can throw away your “anonymous” SIM. And take a look at your window: your “protected” calls might actually “call” the police right outside your pad.

The IMSI you can see is used by your phone when it connects to any cell tower to make/receive calls and messages. There is no other way. The phone cannot connect directly to a “switchboard” as the scammers pretend. This is because the “switchboard” is not a cell tower. Your phone call will be routed first through the local cellular network and then through the SS7 network to the recipient cellular network. In this particular case, your call will also be routed through the SIM manufacturer’s “anonymous” servers in Russia before reaching the recipient’s local network. So instead of “hardened” security, you have less security than you expected. And, of course, at a premium that makes you think it’s serious yet affordable security.

Test No. 2

Google “SS7 attack”, “SIM toolkit attack” and “IMSI catcher” to see how the IMSI can be retrieved over the air and what can then be done with it.

A fraudulent business

Buy cheap prepaid SIM cards and sell them as anonymous SIM cards, with a 500% profit margin.

The SIMs behind the business

Quite simply, there are no anonymous SIM cards. This is technically impossible. All these cards are just a big scam that exploits the ignorance of ordinary people. And nothing more.

Fact: There is no SIM card without IMSI.

Fact: There is no connection to a cell tower without IMSI being used for connection purposes.

Fact: Data-only SIM cards also have an IMSI assigned by the manufacturer.

Fact: There are so-called IMSI catchers, which are specially designed to intercept calls / SMS and which, as the name suggests, work by capturing the IMSI.

Fact: If you can call any number or receive calls, it means that your phone is connected to a cell tower via voice / data channels.

Fact: Once connected to a cell tower, almost ANY cell phone location can (and will) be tracked by various technologies and systems, exploiting cellular network vulnerabilities or cellular network nodes (SS7).

Fact: Once connected to a cell tower, any call can (and will) be intercepted, regardless of whether the voice call is forwarded on standard voice channels (regular voice call) or on data channels (such as Skype, IM, WhatsApp, etc.).

Fact: It is not the SIM card that selects the cell tower for the connection, but the phone. All mobile networks (whether 2G, 3G, 4G, etc.) are designed this way: the SIM card is used only to identify a particular subscriber.

Fact: The phone number is not stored on the SIM card. The phone number is stored on mobile network servers (HLR / VLR) and cannot be changed directly from the phone / SIM card. A phone number can be changed ONLY via data connections and third-party servers. Some specific “Russian SIM cards” use standard voice channels that still route the call through a Russian server where a voice change actually takes place, and only then is the call routed to the call recipient.

Fact: EVERY SIM card is encrypted by default using the comp128 algorithm. There is no other encryption supported by a SIM card. This is for anti-cloning purposes. Some early comp128 versions have been compromised, which is why old SIM cards (up to 2012) are easy to clone.

Fact: EVERY regular call on ANY cellular network (whether 2G, 3G, 4G, etc.) is encrypted by default. Otherwise, anyone with a radio receiver could intercept that call. A SIM card cannot add another layer of encryption on top of the existing one.

Fact: EVERY SIM card is traceable and all calls and SMS made with a SIM card can be intercepted.

Fact: The IMSI is not the same as the phone number or the ICCID. The IMSI is stored on the SIM, while the phone number is stored on carrier servers.

Fact: The IMSI is not printed on the SIM card; the number printed on it is the ICCID.
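As an added illustration of the two facts above (example code, not part of the original article): the IMSI is structured as MCC + MNC + MSIN and is only used on the air interface, while the ICCID printed on the card is a separate number with a Luhn check digit, and neither contains the phone number. The sample values are constructed, and the table of MCCs with 3-digit MNCs is a deliberate simplification.

```python
"""Parse the two identifiers a SIM actually carries: the IMSI (identifies the
subscriber to the network) and the ICCID (printed on the card). Neither holds
the phone number (MSISDN), which lives in the carrier's HLR/VLR."""

# Simplifying assumption: only these MCCs are treated as using 3-digit MNCs.
# A real parser would use the full ITU/GSMA MCC-MNC table.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}

SAMPLE_IMSI = "310150123456789"        # constructed, not a real subscriber
SAMPLE_ICCID = "8901260123456789011"   # constructed, Luhn-valid


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC, MNC and MSIN (3GPP TS 23.003 layout)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def luhn_valid(number: str) -> bool:
    """Luhn check digit verification, as used for the ICCID (ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str) -> dict:
    """Validate an ICCID: telecom MII '89', 19-20 digits, correct check digit."""
    if not iccid.isdigit() or not 19 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 19-20 decimal digits")
    if not iccid.startswith("89"):
        raise ValueError("ICCID must start with the telecom MII 89")
    if not luhn_valid(iccid):
        raise ValueError("ICCID check digit is wrong")
    return {"mii": iccid[:2], "body": iccid[2:-1], "check": iccid[-1]}


def sim_identity(imsi: str, iccid: str) -> dict:
    """Everything the card itself reveals: IMSI, home PLMN, ICCID; no MSISDN."""
    parts = parse_imsi(imsi)
    return {"imsi": parts, "home_plmn": parts["mcc"] + parts["mnc"],
            "iccid": parse_iccid(iccid), "msisdn": None}


if __name__ == "__main__":
    print(sim_identity(SAMPLE_IMSI, SAMPLE_ICCID))
```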

Fact: Anyone can find out their own SIM card IMSI using freely available apps (both on Google Play and the App Store). If an average citizen can do this, law enforcement or hackers can do it remotely over the air.

Fact: Changing the IMSI is possible by sending special requests to the SIM issuer (the mobile network that issued the particular SIM). The request cannot be sent directly by the SIM user, but by another company on his behalf (for example, when porting a phone number). Changing the IMSI in this way is not a standard procedure, although an IMSI change is mentioned in GSMA and 3GPP procedures. Fraudulent MVNO companies (mostly Russian) exploit this procedure, get around the rules because the MNO does not care, and change the IMSI of the SIM card at the direct request of the user.

The anonymous SIM card scam launched in 2014 refers to some types of SIM cards sold to people who do not have sufficient knowledge about mobile networks:

1. Pay-as-you-go SIM cards (also called prepaid SIMs).

In some European and non-European countries, pay-as-you-go SIM cards are still issued that do not require identification or prior registration. These types of SIM cards are referred to as “anonymous” because there is no link between the user’s name and the phone number. There are no other “special” features or “security hardened” things, whatever that is supposed to mean. At first glance, using a prepaid SIM card (possibly issued by a foreign provider) looks like an advantage for the SIM user. In practice, however, it looks like this: when a suspect uses any SIM card, law enforcement agencies deploy IMSI catchers and/or GSM interceptors that capture both the SIM card’s IMSI and the phone’s IMEI for further tracking and monitoring. Thus, it does not matter if the suspect is using a prepaid SIM card: the IMSI catcher has done its job and matches everything together: the identity of the suspect, the identity of the SIM card (IMSI) and the identity of the phone (IMEI). Simple and effective.

2. SIM cards that have the so-called “Multi IMSI” option.

This is nothing unusual and does not provide additional security for phone calls or location tracking. Just Google it yourself. Multi-IMSI SIM cards are sold worldwide by various providers as SIM cards for frequent travelers, which can have up to 4 different IMSIs, corresponding to 4 different phone numbers. The user can choose which IMSI (phone number) to use at any given time based on local low tariff policies. Nothing to do with additional security or dynamic IMSI changes. This type of “anonymous” SIM card creates a false sense of security just because the user can alternatively choose from 4 phone numbers to use. Any multi-IMSI SIM card can be tracked and intercepted just like any other SIM card.

3. Russian “anonymous” SIM cards.

These are SIMs issued by Russian MVNOs to which 1 or more IMSIs (up to 4) have been assigned. To make “anonymous” calls, the phone (together with the SIM card) connects to the nearest cell tower by providing both IMSI and IMEI. There is no other way.

IMSI and IMEI must be used to connect to the network. Therefore, there is no anonymity: since IMSI and IMEI are exposed, a wide range of tracking methods (SS7, GSM interceptors) is possible, and even eavesdropping on calls and SMS is child’s play. Further on, the call is routed from the local cellular network (which is the first vulnerability that immediately reveals the user’s identity) to the Russian MVNO servers, where the phone number and voice may be changed (if the user uses voice and phone number change), and then the call finally reaches the recipient number.

What these clowns try to hide from you by exploiting your lack of knowledge about GSM network standards and specifications is the call route: instead of the standard call route (simplified: Cell phone > Mobile tower > Core network HLR/VLR > Network switch SS7 > Russian MNO > Russian MVNO servers > Russian MNO > SS7 switch > Receiver network HLR/VLR > Receiver’s local mobile tower > Receiver’s cell phone) they claim that the call originating from your cell phone does not connect to a surrounding mobile tower, but to some kind of “switchboard”, which is of course technically impossible. Don’t forget that even when using the data connection to make an IM call (Skype, WhatsApp, etc.), your phone connects to the CELL tower using the same IDs: IMSI and IMEI. In other words, unless you’re using WIFI, every call goes through the nearest cell tower, regardless of which SIM card you’re using. Using a lot of nonsensical blah-blah and seemingly technical vocabulary to make you believe that they are professionals and/or experienced hackers, vocabulary that at the end of the day will probably only confuse you, scammers manage to sell SIM cards as “anonymous” SIM cards.

We all know that the SS7 network is compromised, but it takes more than a few keystrokes to abuse the SS7 network: It takes expertise, money, and more importantly, SS7 access. But from what we’ve seen, once attackers have all 3, they make sophisticated use of SS7 because once you have that capability, you want to take full advantage of it. The real issue with these unscrupulous Russian MVNOs is access to SS7 nodes based on contracts with other international carriers. This access provides them with a wide range of SS7 exploits, including call monitoring and location tracking.

* Anomalous, but not malicious, traffic. This can be anything from faulty nodes trying to send for all subscribers and not their own, to unusual implementations of legitimate services, to anything else not known to be malicious. The skill is in identifying this and understanding what is malicious and what is not – not always easy to understand.

* Malicious attacks, up to a medium level of complexity. These are the more familiar location tracking, fraud, and intelligence gathering attacks. They were the main type of attacks that operators encountered when they began to investigate SS7 security in depth. Over time, the perception of “simple” has grown in complexity to cover more and more types of attacks.

* Malicious attacks of advanced complexity. This is the type of attack that requires investigation to even identify. Once identified, a detailed understanding of what the attacker is trying to accomplish and how is required to build a consistent defense against it. These are the most advanced types of attacks, and their complexity increases over time.

We are actually seeing an evolution over time (i.e. the last 2 years) where some of the attackers who have access to the SS7 network have moved to using more and more sophisticated methods to achieve what they want, especially now that a large number of operators have started to implement defenses.

One more thing: as always, when something seems too good to be true, you never know who is really hiding behind these servers. You have no way of verifying that Russian MVNOs and their hidden strings don’t ultimately lead to local (Russian) intelligence.

4. Recordable/programmable blank SIM cards.

These are widely available on Alibaba and other Chinese web stores, as well as on eBay and Amazon, at really low prices, and come bundled with a read/write device and software. This way you can make your own SIM card with any IMSI.

This is all you need:

a. A programmable blank SIM card

b. SIM card reader / writer

c. Software (usually 128k Milenage algorithm and XOR algorithm, suitable for GSM11.11, GSM11.12, GSM11.14, GSM11.17 standards).

The (big) problem is Ki (the encryption key), which must be written to this new SIM card. You need to know the Ki key, and in 99.9% of cases there is no way to retrieve this key from another SIM card, because it is known only to the operator. For this reason, SIM card cloning (comp128 v2, v3, v4) is not successful.

The Ki problem can be easily solved by a malicious MVNO who knows the Ki and can program his own blank SIM cards.

Chinese providers have solved this problem: a SIM factory can program the SIM cards for you if you order in bulk, including the custom printing you see on most “anonymous” SIM cards.

Disadvantages:

Even if Ki is known, the new “anonymous” SIM card, once written, has real security issues that make it more vulnerable than a regular SIM, which nullifies the benefit of the IMSI change:

a. It does not support GSM 11.14: Digital cellular telecommunications system (Phase 2+) – SIM Application Toolkit specification for the Subscriber Identity Module – Mobile Equipment (SIM – ME) interface.

b. It does not support GSM 03.48: Security mechanisms for SIM Application Toolkit – Stage 2 (GSM 03.48 version 8.8.0 Release 1999).

This means that the SIM card is vulnerable to a variety of remote SIM toolkit attacks.

c. It comes with an STK menu that supports various applications that can be updated via OTA download. This means that you have no control over your “anonymous” SIM card: various and potentially dangerous executable programs can be downloaded and run on your SIM card without your consent or confirmation.

The people behind the business

Just Google it. Legions of scammers using dozens of websites, eBay and Amazon accounts are trying to scam you big time with “anonymous” SIM cards. You can even call them and ask in more detail how anonymous SIM cards work. In any case, you will get as many explanations as there are scammers. Each one will come up with their own evasive explanations, sometimes even hilarious to an informed person. Some are “professional experts.” The others – the “honest” type of seller – will simply reply that they only sell these SIMs and that further explanations can be found on the manufacturer’s website.

Those affected

Measured by the number of items sold on eBay and Amazon, there are thousands of affected individuals. And their number is still growing.

Change/replace call number

Besides billing, changing the phone number is a feature that works. A different phone number will always appear on the phone you are calling. At first glance, this is an amazing security feature for most users, and it will certainly impress buyers who see a live demo of the feature. But:

The phone number change takes place on the provider’s servers, so the phone number is changed only when the forwarded call arrives on the provider’s servers, on its way to the called cell phone. The call leaves your cell phone with the same IMSI and phone number every time, and the changes are made only when your call arrives at the server.

From the point of view of an IMSI catcher or SS7 attack, it is NOT the phone number that is relevant, but the IMSI. That’s why wiretap systems are called “IMSI catchers” and not “phone number catchers”.

And yes, your cell phone location can be tracked and your calls can be intercepted just like any other. From a law enforcement perspective, changing the phone number is not relevant to call interception and location tracking simply because the phone number is NOT stored on the SIM card. Changing the phone number is actually the only feature that can be tested by the user and that will convince any skeptical person to buy an anonymous SIM card.

A technical study of anonymous SIM card scams

Back in 2014, some Russian white hat hackers uncovered fraud using anonymous SIM cards. Read below their study and conclusions.