XCell Technologies

Beware of anonymous SIM scammers



If you can't convince them, confuse them. This is the basis of selling lies, and it works remarkably well for anonymous SIM card fraud.


Preparatory measures


Without a SIM card you cannot make a call from your phone, apart from emergency numbers or app voice calls over Wi-Fi (Skype, WhatsApp and the like). When scammers sell you a SIM card that they claim is "anonymous", that SIM card still has to use a cell tower. The same goes for data calls instead of normal voice calls: your phone still connects to the nearest cell tower, only on data channels instead of voice channels. Unless you are on Wi-Fi, there is no way to bypass a cell tower when you want to communicate. And a cell tower means a cellular network: servers, SS7 vulnerabilities and exploits, IMSI catchers, GSM interceptors, location tracking and monitoring. And last but not least: mass surveillance.


The test


Are you a happy buyer of one of these anonymous SIM cards? Are you sure your IMSI is protected and your SIM security is "hardened"? Then it is time for a small and quick test.


Most people have no idea what an IMSI is, or how to read it from their own SIM card. They also have no idea what someone can do once they have retrieved the IMSI from that SIM card. So let's start testing. No technical skills, special knowledge or payments are required.


Test No. 1


The manufacturers of anonymous SIM cards claim that the security of the card is "hardened" and that, thanks to some security tricks, the IMSI is not revealed to eavesdropping systems.

Whether you have a fancy Android device or a swanky iPhone, you can test your newly purchased "anonymous" SIM card right now. On Android, head over to Google Play and install any app that displays your SIM card information (example: Whats My IMSI). One caveat: since Android 10, third-party apps can no longer read the IMSI unless they hold carrier privileges, so on a recent phone such an app may come up empty; a cheap USB SIM card reader that reads the card's EF_IMSI file directly gives you the same value.

On the iPhone it's also quite simple: go to "Settings", select "Mobile Data", then "SIM Applications" (this menu only appears if the SIM card carries a toolkit menu) and look for the entry that shows the IMSI. That's pretty much all you need to do.


Do you have your IMSI now? Good! Now you can throw away your "anonymous" SIM. And take a look out of your window: your "protected" calls might actually "call" the police right outside your pad.


The IMSI you have just read is what your phone presents to a cell tower when it connects in order to make or receive calls and messages. There is no other way. (The first attach sends the IMSI in the clear; afterwards the network uses a temporary alias, the TMSI or GUTI, which maps straight back to it, and any base station, including a fake one, can ask for the IMSI again with an Identity Request.) The phone cannot connect directly to a "switchboard", as the scammers pretend, because a "switchboard" is not a cell tower. Your call is routed first through the local cellular network and then through the SS7 network to the recipient's cellular network. In this particular case, your call is additionally routed through the SIM manufacturer's "anonymous" servers in Russia before reaching the recipient's local network. So instead of "hardened" security you get less security than you expected, and you pay a premium for it, having been fooled into thinking you bought serious yet affordable security.


Test No. 2


Google "SS7 attack", "SIM toolkit attack" and "IMSI catcher" to see how the IMSI can be retrieved over the air and what an attacker can then do with it.


A fraudulent business


Buy cheap prepaid SIM cards and sell them as "anonymous" SIM cards, at a 500% profit margin.


The SIMs behind the business


Quite simply: there are no anonymous SIM cards. It is technically impossible. All these cards are a big scam that exploits the ignorance of ordinary people, and nothing more.


Fact: There is no SIM card without an IMSI.

Fact: There is no connection to a cell tower without the IMSI being used to identify the subscriber.

Fact: Data-only SIM cards also have an IMSI, assigned by the issuing operator.

Fact: There are so-called IMSI catchers, specially designed for intercepting calls and SMS, which, as the name suggests, work on the basis of the IMSI.

Fact: If you can call any number or receive calls, your phone is connected to a cell tower via voice or data channels.

Fact: Once connected to a cell tower, almost ANY cell phone's location can (and will) be tracked by various technologies and systems that exploit cellular network vulnerabilities or cellular network nodes (SS7).

Fact: Once connected to a cell tower, any regular voice call can (and will) be intercepted. A call placed through an app over the data channel (Skype, IM, WhatsApp, etc.) still passes through that same tower and still reveals your location and the fact that you are talking; whether its content survives interception depends on the app's own end-to-end encryption, not on anything the SIM card does.

Fact: It is the phone, not the SIM card, that selects the cell tower for the connection. This is how all mobile networks are designed (2G, 3G, 4G, etc.); the SIM card only identifies and authenticates a particular subscriber.

Fact: The phone number is not stored on the SIM card. It is stored on the mobile network's servers (HLR/VLR) and cannot be changed from the phone or the SIM card. (The SIM may carry an optional, purely informational copy in its EF_MSISDN file, which the network never consults.) The number shown to the called party can only be altered by routing the call over a data connection or through third-party servers. Certain "Russian SIM cards" use standard voice channels but still route the call through a Russian server, where the caller ID, and optionally the voice itself, is changed before the call is passed on to the recipient.

Fact: EVERY SIM card holds a secret subscriber key (Ki) and one authentication algorithm that uses it: COMP128 on classic GSM SIMs, Milenage (or TUAK) on USIMs. These algorithms do not encrypt anything; they answer the network's authentication challenge and derive the session key, and Ki never leaves the card, which is what makes cloning hard. COMP128v1 was broken in 1998, so old SIM cards that still use it (roughly those issued up to 2012) are easy to clone.

Fact: EVERY regular call on ANY cellular network (2G, 3G, 4G, etc.) is encrypted over the air by default (A5/1 or A5/3 on GSM, UEA1/UEA2 on 3G, EEA1/EEA2/EEA3 on LTE); otherwise anyone with a radio receiver could listen in. The cipher is chosen by the network, not by the SIM, which is also why a fake base station can simply request A5/0 (no encryption). A SIM card cannot add another layer of encryption on top of the existing one: the SIM only hands the phone the session key, the audio never passes through it.

Fact: EVERY SIM card is traceable, and all calls and SMS made with a SIM card can be intercepted.

Fact: The IMSI is not the same as the phone number or the ICCID. The IMSI is stored on the SIM (in the EF_IMSI file), whereas the phone number is stored on the carrier's servers.

Fact: The number printed on the SIM card is the ICCID, not the IMSI.

Fact: Anyone can find out their own SIM card's IMSI using freely available apps (on Google Play and the App Store). If an average citizen can do this, law enforcement or hackers can do it remotely over the air.

Fact: Changing the IMSI is possible by sending special requests to the SIM issuer (the mobile network that issued the SIM). The request cannot be sent by the SIM user directly, only by another company on their behalf (e.g. when porting a phone number). Changing the IMSI this way is not a standard procedure, although an IMSI change is mentioned in GSMA and 3GPP procedures. Fraudulent MVNOs (mostly Russian) exploit this procedure, ignoring the rules because the issuing MNO does not care, and change the IMSI of the SIM card at the direct request of the user.
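To make the IMSI/ICCID/phone-number distinction above concrete, here is an added example (not code from the original page) that decodes the two identity files a plain USB SIM card reader returns after a READ BINARY: EF_IMSI (file 6F07) and EF_ICCID (file 2FE2). The raw bytes are constructed sample data: the 3GPP test IMSI 001010123456789 and a made-up ICCID with a valid Luhn check digit. The field layout follows 3GPP TS 31.102 and ITU-T E.118; no phone number appears anywhere in either file.

```python
"""Decode EF_IMSI (6F07) and EF_ICCID (2FE2) as a SIM card reader returns them.

Added example, not code from the original page. SAMPLE_EF_IMSI and
SAMPLE_EF_ICCID are constructed: the test IMSI 001010123456789 (test network
MCC 001 / MNC 01) and a made-up ICCID whose last digit is a valid Luhn check.
"""


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = number of bytes that follow; byte 1 = digit 1 (high
    nibble) | odd/even flag (bit 4) | identity type 001 (IMSI); then BCD
    digits, low nibble first, with a 0xF filler if the digit count is even."""
    length = raw[0]
    body = raw[1:1 + length]
    if not 2 <= length <= 8 or len(body) != length:
        raise ValueError("bad EF_IMSI length")
    if body[0] & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    odd = bool(body[0] & 0x08)
    nibbles = [body[0] >> 4]
    for b in body[1:]:
        nibbles += [b & 0x0F, b >> 4]
    if not odd and nibbles.pop() != 0x0F:
        raise ValueError("missing filler nibble for even digit count")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit in IMSI")
    return "".join(map(str, nibbles))


def encode_imsi(imsi: str) -> bytes:
    """Inverse of decode_imsi: what a SIM personalisation tool writes to 6F07."""
    digits = [int(c) for c in imsi]
    if not 6 <= len(digits) <= 15:
        raise ValueError("IMSI must be 6..15 digits")
    odd = len(digits) % 2
    nibbles = digits + ([] if odd else [0x0F])
    first = (nibbles[0] << 4) | (odd << 3) | 0x01
    rest = nibbles[1:]
    body = bytes([first] + [rest[i] | (rest[i + 1] << 4) for i in range(0, len(rest), 2)])
    return bytes([len(body)]) + body


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC is always 3 digits; the MNC is 2 digits in most of the world and
    3 in North America, so the caller supplies mnc_len. The rest is the MSIN."""
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped BCD (low nibble first), 0xF filler at the end."""
    nibbles = []
    for b in raw:
        nibbles += [b & 0x0F, b >> 4]
    while nibbles and nibbles[-1] == 0x0F:
        nibbles.pop()
    if any(n > 9 for n in nibbles) or not 18 <= len(nibbles) <= 20:
        raise ValueError("bad EF_ICCID")
    return "".join(map(str, nibbles))


def luhn_valid(number: str) -> bool:
    """ICCIDs end in a Luhn check digit, so a mistyped ICCID is caught here."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Constructed READ BINARY responses for the demo (see module docstring).
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")
SAMPLE_EF_ICCID = bytes.fromhex("98940000000000000051")


def sim_identity(ef_imsi: bytes = SAMPLE_EF_IMSI, ef_iccid: bytes = SAMPLE_EF_ICCID) -> dict:
    """Everything the two files reveal: the subscriber identity and the card serial."""
    imsi = decode_imsi(ef_imsi)
    iccid = decode_iccid(ef_iccid)
    return {"imsi": imsi, **split_imsi(imsi), "iccid": iccid, "iccid_checksum_ok": luhn_valid(iccid)}


if __name__ == "__main__":
    print(sim_identity())
```

Point a real reader (pyscard, pySim or any APDU tool) at file 6F07 under the USIM application and feed the response to decode_imsi: the value it prints is the one every cell tower you attach to gets to see, whatever the packaging on the card says.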


The anonymous SIM card scam, launched in 2014, refers to some types of SIM cards sold to people who do not have sufficient knowledge of mobile networks:


1. Pay-as-you-go SIM cards (also called prepaid SIM cards)


In some European and non-European countries, SIM cards are still sold over the counter without identification or prior registration. These SIM cards are called "anonymous" because there is no link between the user's name and the phone number. No other "special" features or "security hardened" properties exist, whatever that is supposed to mean. At first glance, using a prepaid SIM card (possibly issued by a foreign provider) looks like an advantage for the user. In practice it looks like this: when a suspect uses any SIM card, law enforcement agencies deploy IMSI catchers and/or GSM interceptors that capture both the SIM card's IMSI and the phone's IMEI for further tracking and monitoring. So it doesn't matter whether the suspect uses a prepaid SIM card: the IMSI catcher has done its job and ties everything together: the identity of the suspect, the identity of the SIM card (IMSI) and the identity of the phone (IMEI). Simple and effective. A good article about this kind of anonymous SIM fraud can be found here.


2. SIM cards with the so-called "Multi-IMSI" option.


This is nothing unusual and provides no additional protection against call interception or location tracking. Just Google it yourself. Multi-IMSI SIM cards are sold worldwide by various carriers as SIM cards for frequent travellers; they can hold up to 4 different IMSIs, which equates to 4 different phone numbers. The user chooses which IMSI (phone number) to use at any given time based on local tariffs. Nothing to do with extra security or dynamic IMSI changes. This type of "anonymous" SIM card creates a false sense of security merely because the user can choose between 4 phone numbers. Any multi-IMSI SIM card can be tracked and intercepted just like any other SIM card.


3. Russian "anonymous" SIM cards.


These are SIMs issued by Russian MVNOs, with 1 or more IMSIs (up to 4) assigned. To make an "anonymous" call, the phone (together with the SIM card) connects to the nearest cell tower, presenting both IMSI and IMEI. There is no other way.

IMSI and IMEI must be used to connect to the network, therefore there is no anonymity: since IMSI and IMEI are exposed, a wide range of tracking methods (SS7, GSM interceptors) is available, and eavesdropping on calls and SMS is a piece of cake. As the call proceeds, it is routed from the local mobile network (the first weak point, which immediately reveals the user's identity) to the Russian MVNO's servers, where the phone number and the voice may be altered (if the user has enabled voice and number changing), and only then does the call reach the recipient's number.

What these clowns try to hide from you, exploiting your lack of knowledge about GSM network standards and specifications, is the call route. The actual route (simplified) is: Mobile phone > Mobile tower > Core network HLR/VLR > Network switch SS7 > Russian MNO > Russian MVNO servers > Russian MNO > SS7 switch > Receiver network HLR/VLR > Receiver's local mobile tower > Receiver's mobile phone. They claim instead that the call originating from your mobile phone does not connect to a nearby mobile tower but to some kind of "switchboard", which is technically impossible. Don't forget that even when you use the data connection to make an IM call (Skype, WhatsApp, etc.), your phone connects to the cell tower using the same IDs: IMSI and IMEI. In other words, unless you're on Wi-Fi, every call goes through the nearest cell tower, regardless of which SIM card you're using. With a lot of nonsensical blah-blah and seemingly technical vocabulary, meant to make you believe they are professionals and/or experienced hackers, vocabulary that in the end only confuses you, the scammers manage to sell ordinary SIM cards as "anonymous" SIM cards.


The SS7 network is known to be insecure, but abusing it takes more than a few keystrokes: it takes expertise, money and, most importantly, SS7 access. From what we have seen, once attackers have all three they make sophisticated use of SS7, because once you have that capability you want to take full advantage of it. The real issue with these unscrupulous Russian MVNOs is their access to SS7 nodes through contracts with other international carriers. This access gives them a wide range of SS7 exploits, including call monitoring and location tracking. The SS7 traffic an operator has to sort through falls into three categories:


* Anomalous, but not malicious, traffic. This can be anything from faulty nodes trying to send for all subscribers and not their own, to unusual implementations of legitimate services, to anything else not known to be malicious. The skill is in identifying this and understanding what is malicious and what is not - not always easy to understand.

* Malicious attacks, up to a medium level of complexity. These are the more well-known location tracking, fraud, and intelligence gathering attacks. They were the main type of attacks that operators encountered when they started to investigate SS7 security in depth. Over time, the perception of "simple" has grown in complexity to cover more and more types of attacks.

* Malicious attacks of advanced complexity. This is the type of attack that requires investigation to even identify. Once identified, a detailed understanding of what the attacker is trying to accomplish and how is required to build a consistent defense against it. These are the most advanced types of attacks, and their complexity increases over time.


We are actually seeing an evolution over time (i.e. the last 2 years): some of the attackers with SS7 access have moved to more and more sophisticated methods to achieve what they want, especially now that a large number of operators have started to implement defensive measures. The most relevant example: ULIN.


One more thing: as always, when something seems too good to be true, you never know who is really hiding behind those servers. You have no way of verifying that the Russian MVNOs and their hidden strings don't ultimately lead to the local (Russian) intelligence services.


4. Recordable/programmable blank SIM cards, widely available on Alibaba and other Chinese web stores, and also on eBay and Amazon, at really low prices, which come bundled with a read/write device and software. This way you can make your own SIM card, with any IMSI.


That's all you need:

a. A programmable blank SIM card

b. SIM card reader / writer

c. Software (the listings usually advertise the Milenage and XOR authentication algorithms on 128k cards, matching the GSM 11.11, 11.12, 11.14 and 11.17 standards).

The (big) problem is Ki, the subscriber authentication key, which has to be written onto the new SIM card. You need to know Ki, and in 99.9% of cases there is no way to retrieve it from another SIM card, because it is known only to the operator and never leaves the card. For this reason, SIM card cloning fails against COMP128 v2, v3 and later (and against Milenage).

The Ki problem is easily solved by a malicious MVNO, which knows the Ki of the cards it issues and can program its own blank SIM cards.

Chinese suppliers have solved this problem too: a SIM factory will program the SIM cards for you if you order in bulk, including custom printing like that seen on most "anonymous" SIM cards.
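The following added example (not code from the original page or from any SIM or MVNO vendor) shows what the Ki discussion above, and the earlier fact about COMP128/Milenage, actually mean on the wire: it implements AES-128 and the 3GPP Milenage functions (TS 35.206) in plain Python and plays the authentication exchange from both sides. The home network computes XRES and AUTN from the subscriber's Ki; a card with the right Ki verifies AUTN and answers with a matching RES; a "clone" written with any other Ki fails the MAC check, and would produce the wrong RES even if it skipped that check. The key, OP and RAND values are 3GPP TS 35.208 test set 1; the cloned card's Ki is a made-up value.

```python
"""AES-128 + Milenage (3GPP TS 35.206) in pure Python, to show what a SIM needs Ki for.

Added example, not code from the original page. Test vector: 3GPP TS 35.208
test set 1. WRONG_KI is a made-up key standing in for a 'cloned' card."""


def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(key: bytes, block: bytes) -> bytes:
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows (column-major state)
        if rnd < 10:                                          # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                      _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, rks[rnd])]              # AddRoundKey
    return bytes(s)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _rot(x, bits):
    return x[bits // 8:] + x[:bits // 8]


def milenage_opc(k, op):
    return _xor(aes128_encrypt(k, op), op)


def milenage(k, opc, rand, sqn, amf):
    """Return (MAC-A, RES, CK, IK, AK) = (f1, f2, f3, f4, f5) for one challenge."""
    temp = aes128_encrypt(k, _xor(rand, opc))
    in1 = sqn + amf + sqn + amf
    out1 = _xor(aes128_encrypt(k, _xor(temp, _rot(_xor(in1, opc), 64))), opc)

    def out_n(r, c):                                      # rotation r, constant c in last byte
        blk = bytearray(_rot(_xor(temp, opc), r))
        blk[15] ^= c
        return _xor(aes128_encrypt(k, bytes(blk)), opc)

    out2, out3, out4 = out_n(0, 1), out_n(32, 2), out_n(64, 4)
    return out1[:8], out2[8:], out3, out4, out2[:6]


def network_challenge(ki, opc, rand, sqn, amf):
    """HLR/AuC side: expected response and the AUTN token the card must verify."""
    mac_a, xres, _ck, _ik, ak = milenage(ki, opc, rand, sqn, amf)
    return xres, _xor(sqn, ak) + amf + mac_a


def sim_response(ki, opc, rand, autn):
    """USIM side: unmask SQN with f5, check MAC-A with f1, then answer RES (None on MAC failure)."""
    conc_sqn, amf, mac_a = autn[:6], autn[6:8], autn[8:]
    _m, res, _ck, _ik, ak = milenage(ki, opc, rand, bytes(6), amf)   # f5 does not depend on SQN
    sqn = _xor(conc_sqn, ak)
    if milenage(ki, opc, rand, sqn, amf)[0] != mac_a:
        return None
    return res


KI = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")      # TS 35.208 test set 1
OP = bytes.fromhex("cdc202d5123e20f62b6d676ac72cb318")
OPC = milenage_opc(KI, OP)
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
SQN, AMF = bytes.fromhex("ff9bb4d0b607"), bytes.fromhex("b9b9")
WRONG_KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up 'cloned card' key


def clone_demo():
    """True Ki answers the challenge; any other Ki is rejected at the MAC check."""
    xres, autn = network_challenge(KI, OPC, RAND, SQN, AMF)
    return sim_response(KI, OPC, RAND, autn) == xres, sim_response(WRONG_KI, OPC, RAND, autn)
```

The network never sends Ki and the card never outputs it: only RAND goes in and RES, CK and IK come out, so reading a card with a programmer gets you IMSI and ICCID but not the one value that would let a copy authenticate. That is exactly why the blank-card kits are useless without an operator, or an MVNO, willing to hand over Ki.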


See it in action



Disadvantages:


Even if Ki is known, the newly written "anonymous" SIM card runs into real security issues that make it more vulnerable than a regular SIM, which nullifies the benefit of the IMSI change:

a. It does not support GSM 11.14: Digital cellular telecommunications system (Phase 2+); Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface.

b. It does not support GSM 03.48: Security mechanisms for the SIM Application Toolkit; Stage 2 (GSM 03.48 version 8.8.0 Release 1999).

This means the SIM card is vulnerable to a variety of remote SIM toolkit attacks.

c. It comes with an STK menu supporting various applications that can be updated via OTA download. This means you have no control over your "anonymous" SIM card: various, potentially dangerous, executable programs can be downloaded and run on your SIM card without your consent or confirmation.
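What "GSM 03.48 security" buys a card is visible in the header of every OTA command it receives, so here is an added example (not code from the original page or from any SIM vendor) that parses that header, per GSM 03.48 / 3GPP TS 31.115, and lists what the card could not verify. The two packets are constructed: the TAR, counter and 8-byte checksum are placeholder values and the payload is a bare SELECT MF APDU; only the field layout and the meaning of the SPI bits come from the specification. A card that ignores the SPI (no 03.48 support) accepts the first packet exactly like the second.

```python
"""Parse a GSM 03.48 / TS 31.115 OTA command packet header and judge it.

Added example, not code from the original page. UNPROTECTED and PROTECTED are
constructed packets; TAR_DEMO, the counter value and the zero checksum are
placeholders, SELECT_MF is a plain APDU used as payload."""
from dataclasses import dataclass

INTEGRITY = {0: "none", 1: "RC (CRC, not cryptographic)",
             2: "CC (cryptographic checksum)", 3: "DS (digital signature)"}
COUNTER = {0: "no counter", 1: "counter present, not checked",
           2: "counter must increase", 3: "counter must be previous + 1"}


@dataclass
class OtaCommand:
    spi1: int          # SPI byte 1: b1-b2 RC/CC/DS, b3 ciphering, b4-b5 counter mode
    spi2: int          # SPI byte 2: proof-of-receipt (PoR) settings
    kic: int           # ciphering key/algorithm identifier
    kid: int           # integrity key/algorithm identifier
    tar: bytes         # Toolkit Application Reference: which applet this is for
    cntr: int          # 5-byte anti-replay counter
    pcntr: int         # padding counter
    mac: bytes         # RC/CC/DS field (length taken from CHL)
    secured_data: bytes

    @property
    def integrity(self) -> str:
        return INTEGRITY[self.spi1 & 0x03]

    @property
    def ciphered(self) -> bool:
        return bool(self.spi1 & 0x04)

    @property
    def counter_mode(self) -> str:
        return COUNTER[(self.spi1 >> 3) & 0x03]

    @property
    def por_requested(self) -> bool:
        return (self.spi2 & 0x03) != 0


def build_command_packet(spi1, spi2, kic, kid, tar, cntr, mac, data) -> bytes:
    """CPL counts every byte after itself; CHL counts SPI through RC/CC/DS.
    No ciphering or MAC is computed here: mac is inserted as given."""
    header = bytes([spi1, spi2, kic, kid]) + tar + cntr.to_bytes(5, "big") + b"\x00" + mac
    body = bytes([len(header)]) + header + data
    return len(body).to_bytes(2, "big") + body


def parse_command_packet(pkt: bytes) -> OtaCommand:
    cpl = int.from_bytes(pkt[:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    chl = pkt[2]
    hdr = pkt[3:3 + chl]
    if chl < 13 or len(hdr) != chl:            # SPI..PCNTR is 13 bytes, MAC is the rest
        raise ValueError("truncated command header")
    return OtaCommand(spi1=hdr[0], spi2=hdr[1], kic=hdr[2], kid=hdr[3], tar=bytes(hdr[4:7]),
                      cntr=int.from_bytes(hdr[7:12], "big"), pcntr=hdr[12],
                      mac=bytes(hdr[13:]), secured_data=bytes(pkt[3 + chl:]))


def risk_findings(cmd: OtaCommand) -> list:
    """What an attacker gets away with if the card accepts this header as-is."""
    findings = []
    if (cmd.spi1 & 0x03) < 2:
        findings.append("no cryptographic integrity check: anyone who can deliver an SMS can forge the command")
    if not cmd.ciphered:
        findings.append("payload not ciphered: the command is readable in transit")
    if ((cmd.spi1 >> 3) & 0x03) < 2:
        findings.append("replay counter not enforced: a captured command can be replayed")
    return findings


TAR_DEMO = bytes.fromhex("b00010")            # placeholder TAR
SELECT_MF = bytes.fromhex("00a40004023f00")   # payload: SELECT MF APDU (constructed)

# SPI 00 00: no RC/CC/DS, no ciphering, no counter. Nothing for the card to check.
UNPROTECTED = build_command_packet(0x00, 0x00, 0x00, 0x00, TAR_DEMO, 0, b"", SELECT_MF)
# SPI 16 21: CC present, ciphered, counter must increase; PoR required, ciphered, via SMS-SUBMIT.
PROTECTED = build_command_packet(0x16, 0x21, 0x15, 0x15, TAR_DEMO, 42, bytes(8), SELECT_MF)


def audit(pkt: bytes) -> dict:
    cmd = parse_command_packet(pkt)
    return {"tar": cmd.tar.hex(), "integrity": cmd.integrity, "ciphered": cmd.ciphered,
            "counter": cmd.counter_mode, "por": cmd.por_requested, "findings": risk_findings(cmd)}


if __name__ == "__main__":
    for name, pkt in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, audit(pkt))
```

Run audit() over packets captured from an SMS-PP download (the data part of a class 2 SMS) to see which TARs on a card are being addressed with SPI 00 00; those are the applets that anyone with an SMS gateway can talk to.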


The people behind the business


Just Google it. Legions of scammers, using dozens of websites, eBay and Amazon accounts, are trying to scam you big time with "anonymous" SIM cards. You can even call them and ask in detail how anonymous SIM cards work. You will get as many explanations as there are scammers. Each one comes up with their own evasive explanations, sometimes hilarious to an informed person. Some pose as "professional experts". The others, the "honest" seller type, simply reply that they only sell these SIMs and that further explanations can be found on the manufacturer's website.


Those concerned


Judging by the number of items sold on eBay and Amazon, there are thousands of people affected. And their number is still rising.


Change/replace phone number


Besides billing, changing the phone number is a feature that actually works: a different phone number always appears on the phone you are calling. At first glance this is an amazing security feature for most users, and one that is sure to impress buyers who see a live demo. But:


The phone number change takes place on the provider's servers, so the number is only changed when the forwarded call arrives at the provider's servers on its way to the called phone. The call leaves your mobile phone with the same IMSI and phone number every time; the change is made only once your call reaches the server.

From the perspective of an IMSI catcher or an SS7 attack, it is NOT the phone number that matters but the IMSI. That is why interception systems are called "IMSI catchers" and not "phone number catchers".

And yes, your cell phone's location can be tracked and your calls can be intercepted just like anyone else's. From a law enforcement perspective, changing the phone number is irrelevant to call interception and location tracking, simply because the phone number is NOT stored on the SIM card. Changing the phone number is in fact the only feature the user can test, and it will convince any sceptic to buy an anonymous SIM card.


Learn more




A technical study on anonymous SIM card scams

Already in 2014, some Russian white-hat hackers exposed the fraud with anonymous SIM cards. Read their study and conclusions below.


Study on Anonymous SIM Card scams (PDF, 6.93 MB)