It has been ten years since the first attack used to clone sim, and five year since the discolure of the last attack in the paper “Partitioning Attacks: Or how to rapidly clone some GSM cards” by J.R. Rao and Al. So in 2008 does sim cloning still possible ?
SIM Cloning the basic
To clone a SIM card you need various information easily dumpable from the SIM and a secret key stored inside a none readable part of the smart card. People often refers to it as KI. Knowing this key and public data is sufficient to make calls, sms and receive call. The tamper-resistant smartcard is supposed to protect the key from disclosure. To be more precise the KI is used for the initialization of the A3 and A8 GSM algorithms. Theses algorithms are used to “prove” the knowledge of the key to the service provider, thus authorizing a call. They are also used to setup the “privacy” of the call but that is a different story.
The known attack
The vulnerable instantiation of the A3/A8 is called COMP128. In 1998 the ISAAC reseach group from Berkeley shows that using collisions it was possible to guess the KI in few hours. The speed of the attack was improved and the last attack known to recovers the KI is the paper cited in the introduction.
Many softwares implement this attack to extract the KI. For instance simscan can be used to extract KI used in the comp128v1
Attack Response
To prevents the extraction of the KI with the collision method the algorithm was upgraded to the COMP128V2 version. It appears that since 2003 most of providers have switched to it.
It is not currently possible to extract the comp128v2 KI. Although some sites claim to have sim analyzer based on side channels analysis. I doubt that these readers ars real, they are more likely scam. Even if side channel analysis such as power consumption have been proved efficient in hardware attack making a device that use it automatically is hard to believe (at least for civilians). User posts on forum tends to be consistent with the fact that they are fake.
As additionnal protection, there is a hard limit implemented in SIM. After 65xxx authentification the sim is burned. That ensure that no brute force attack can be made. It also probably explains why sim card stop working after a couple of years.
The 3G card
3G card are refered as USIM (Universal Subscriber Identity Module). They use a new authentification algorithm based on AES. If there is a doubt about the possibility of extracting the KI from a COMP128V2, there is none about the USIM algorithm. This is a public algorithm so it has been reviewed by the scientific communauty and so far It assumed as solid.
Conclusion
I have tried the Ki extraction on a quite recent SIM card. It appears that in France providers are at least used comp128v2 and that new card are USIM. So as far as I know cloning SIM is a dying field. In few years there will be only comp128v2 and USIM around unless a new vulnerability is found. Note that not be able to clone a SIM does not mean that your conversation are not eavesdropped. Privacy is ensured by the A5 algorithm and this one is broken…
This device is a fake. It doesn’t really exist.