larwe.com logo Home Contact Resume Writing Technical projects Scout restoration Vintage computing

cellular phones:
about cellular fraud
imei cross-reference table
useful technical terms
world gsm carrier list

Did You Know?

Cellular cloning is a federal crime in the United States of America. Specifically, it is a crime for any person other than a cellphone manufacturer to alter the electronic serial number in a cellphone, regardless of the purpose. In other words, in the USA there is no such thing as "legitimately" cloning a cellphone.


Book 3

My third book is released! Learn what you'll need to know in order to become an embedded engineer.


Book 2

Check out my second book; learn practical stuff about building robots and control systems around Linux PCs and the Atmel AVR.


Book 1

My first book gives you all the intro you need on developing 32-bit embedded systems on a hobbyist budget.

Cellular Cloning And Fraud

As with nearly everything else in human life, criminals try to cheat the cellular telephone system. The exact techniques vary, but the basic strategy is that the cellular thief will steal the details of a valid cellular account and electronically impersonate the characteristics of the account holder's cellphone. The thief's calls will be billed to an unsuspecting cellular subscriber.

In the bad old days of analog (AMPS) cellular, criminals could simply listen to the paging channels of the cellular band with a device that would decode the data stream on that channel, and they could pick up lists of ESNs and their corresponding telephone numbers. It was simple to burn a new ESN into the phones of the day, and to program the NAM with the corresponding phone number. The thief could then make an unlimited number of calls, and as far as the cellular system was concerned, his phone was the same as the real subscriber's phone.

Also in the days of AMPS, it was possible for anyone with a scanning radio receiver covering the 800MHz band to listen to all the cellular conversations within range. Many cellphones (especially older Motorolas) even had test modes inbuilt which would allow you to listen to all the conversations in your area by typing in a few secret codes.

Because of the ease with which these crimes could be carried out, there is still a lingering unease on the part of many prospective and current cellular subscribers. However, things are very different now. Below, we'll cover the major cellular systems used in North America, and list the security features that have been added to each, and what their weaknesses are.

AMPS (Analog, "traditional" cellular) - The major security increase in AMPS comes from RF fingerprinting. Every single cellular phone has slightly different characteristics, due to unavoidable production differences. With RF fingerprinting, the cellular system observes the characteristics of your phone for the first few calls after you open your account, and determines a sort of signature for your particular phone. If somebody clones your phone, the signature of the illegal phone won't match yours, and the network won't let it steal your service. I've had personal experience of how sensitive this can be - I replaced the antenna and rear plastic casing on a colleague's Ericsson AF738, and his (Bell Atlantic) service immediately cut out. Luckily, I knew what to tell him to suggest to the support staff. They reset their system's knowledge of his phone's RF fingerprint, and all was well.

However, nothing can be done to make the call security of AMPS any better. You should never give out credit card numbers, Social Security numbers or other vital information over an analog cellular connection. This includes making calling-card calls from your analog cellphone.

D-AMPS - This is another name for IS-136.

IS-136 (TDMA, used by AT&T Wireless, among others) - All subscriber information is encrypted and sent digitally, making it difficult for cloners to intercept it over the air. AT&T Wireless also uses RF fingerprinting. Most if not all IS-136 phones are also capable of analog operation, and you should take care to follow the analog guidelines above if your digital phone switches down into analog mode.

Some areas offer "voice privacy" which is an additional level of security provided by encrypting the actual voice data. While this is welcome, the mere details of how the digital signal is transmitted already deters the vast majority of eavesdroppers, and sophisticated equipment is required to monitor the signal with or without encryption.

IS-95 (CDMA, used by Sprint PCS and Verizon Wireless, among others) - Interception of CDMA calls is very difficult. The technology uses spread-spectrum techniques to share bands with multiple conversations. This system makes it extremely difficult to locate one conversation and eavesdrop on it. Subscriber information is also encrypted and transmitted digitally. CDMA is basically pretty secure, but remember that many CDMA phones can switch down into analog mode; see the notes for AMPS if you're in an area where your phone can only find an analog signal.

GSM (Used by Omnipoint and a few other North American carriers, as well as many other carriers worldwide) - GSM is a bit special. Although every GSM phone has an electronic serial number (referred to as the IMEI), it isn't a particularly secret bit of information and you don't need to take any care to keep it private. The important information is the IMSI, which is stored on the removable SIM card that carries all your subscriber information, roaming database and so on. GSM employs a fairly sophisticated asymmetric-key cryptosystem for over-the-air transmission of subscriber information. Cloning a SIM using information captured over-the-air is therefore difficult, though not impossible (the GSM cryptosystem has been cracked in an academic way - though it requires some hours of access to a SIM card to get the carrier's key). As long as you don't lose your SIM card, you're safe with GSM. As with the other digital systems, voice information is transmitted digitally and is difficult to eavesdrop.

N-AMPS (Narrowband AMPS) - The same notes apply as for AMPS.


larwe.com and all original content herein is © Copyright 2001 by Lewin A.R.W. Edwards. "larwe.com" is a trademark protected under U.S. and international law. Infringement or attempted dilution of the intellectual property rights held by Lewin A.R.W. Edwards will be prosecuted to the fullest possible extent.