Thought for the day: Send in the clones

Mobile phones are essential to business, yet few owners seem aware of the security implications, says Gunter Ollmann.

Too many users treat their mobile phones as gadgets rather than as business assets covered by corporate security policy.

Did you realise there is a lucrative black market in stolen and "cloned" SIM cards? Cloning is possible because a SIM is not tied to a particular handset and, although the card itself is tamper-resistant, the authentication algorithm it runs is flawed, so its secret key can be recovered by repeatedly querying it. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill.

The scenario might work like this: John leaves his mobile unattended in a pub. Jane swaps his SIM for a working card she cloned earlier, having first used SIM Backup (a legitimate hardware device sold by some high-street retailers) to copy John's address book onto it, so the phone still makes calls and looks untouched.

Jane then leaves to extract the Ki (the secret authentication and ciphering key held on the SIM) using freely available software and hardware, a process that can be reduced to just over an hour. She then returns and swaps the SIMs back again.

John never notices, because he can still make calls and his address book is still there. Finally, Jane makes multiple copies of the SIM and sells them at car boot sales and online auctions. (The IMEI, the International Mobile Equipment Identity, identifies the handset rather than the SIM; it too can be rewritten, which is how barred stolen phones are put back into use.)

John only realises there is a problem on receipt of a staggeringly high bill that he, or his business, has to pay. This is actually happening: a Home Office report in 2002 revealed that in London alone around 3,000 mobile phones were stolen in one month.

Then there is SMS forgery. It is trivial to forge the originating phone number, and to send "flash" messages that certain phones display immediately without showing any information about the sender. It is even possible to crash some handsets with malformed SMS messages. All of this leaves users exposed to social engineering attacks.
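As an added illustration (not code from the original column), the Python below builds and parses an SMS-DELIVER PDU in the format defined by GSM 03.40 (now 3GPP TS 23.040). It shows that the "sender" a handset displays is an ordinary, unauthenticated field (TP-OA) filled in by whoever submits the message, and that a "flash" message is nothing more than data-coding-scheme value 0x10 (message class 0). The phone numbers, text and timestamp are constructed for the example; the character set is restricted to the part of the GSM 7-bit alphabet that coincides with ASCII.

```python
# Added example, not from the original column: encode and decode an
# SMS-DELIVER TPDU (GSM 03.40) to show that the originating address (TP-OA)
# carries no proof of origin, and that a "flash" message is just TP-DCS 0x10.
# Runs stand-alone; no network or handset is involved.

# Characters whose GSM 7-bit default-alphabet code equals their ASCII code.
# Others ('@', '$', '[', '~', ...) differ in GSM 03.38 and are rejected here.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
           " !\"#%&'()*+,-./:;<=>?")

FLASH_DCS = 0x10   # TP-DCS: default 7-bit alphabet, message class 0 ("flash")
NORMAL_DCS = 0x00  # TP-DCS: default 7-bit alphabet, no class


def pack7(text: str) -> bytes:
    """Pack text into GSM 7-bit septets, least significant bit first."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch not in SAFE:
            raise ValueError(f"character {ch!r} is outside the ASCII-compatible subset")
        acc |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack7(data: bytes, septets: int) -> str:
    """Inverse of pack7: recover `septets` characters from packed bytes."""
    acc = int.from_bytes(data, "little")
    return "".join(chr((acc >> (7 * i)) & 0x7F) for i in range(septets))


def encode_address(number: str) -> bytes:
    """Address field: digit count, type-of-address, digits as swapped BCD."""
    international = number.startswith("+")
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("address must be digits, optionally prefixed with +")
    toa = 0x91 if international else 0x81       # 0x91 international, 0x81 unknown/national
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + bytes.fromhex(swapped)


def decode_address(pdu: bytes, offset: int):
    """Return (number, next_offset) for an address field starting at `offset`."""
    ndigits, toa = pdu[offset], pdu[offset + 1]
    nbytes = (ndigits + 1) // 2
    raw = pdu[offset + 2: offset + 2 + nbytes].hex().upper()
    number = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    return ("+" if toa == 0x91 else "") + number, offset + 2 + nbytes


def build_sms_deliver(origin: str, text: str, dcs: int = NORMAL_DCS) -> bytes:
    """Build an SMS-DELIVER TPDU whose TP-OA is whatever the caller asks for."""
    first_octet = 0x04                          # TP-MTI 00 = SMS-DELIVER, TP-MMS set
    pid = 0x00                                  # TP-PID: ordinary text message
    scts = bytes.fromhex("30201151350000")      # TP-SCTS, constructed timestamp (swapped BCD)
    return (bytes([first_octet]) + encode_address(origin) + bytes([pid, dcs])
            + scts + bytes([len(text)]) + pack7(text))


def parse_sms_deliver(pdu: bytes) -> dict:
    """Parse the TPDU the way a handset does; the sender shown is simply TP-OA."""
    if pdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    origin, off = decode_address(pdu, 1)
    dcs = pdu[off + 1]
    off += 2 + 7                                # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    udl = pdu[off]
    text = unpack7(pdu[off + 1:], udl)
    is_flash = (dcs & 0xF3) == 0x10             # coding group 0001 with class bits 00
    return {"origin": origin, "flash": is_flash, "text": text}


if __name__ == "__main__":
    # Constructed example: the message claims to come from a number the sender does not own.
    forged = build_sms_deliver("+441234567890", "Switch your phone off for 30 mins", FLASH_DCS)
    print(forged.hex().upper())
    print(parse_sms_deliver(forged))
```

Nothing in the parsed result can be checked against the true submitter: an SMS centre or gateway that accepts an arbitrary sender field relays it unchanged, and the handset shows whatever TP-OA contains. Setting TP-DCS to 0x10 makes the text pop up immediately rather than being filed in the inbox, which is what makes flash messages convenient for the social engineering described above.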

Testing this, my colleagues sent text messages instructing friends to do various things, such as turning off their mobile phone for 30 minutes. In every case the recipient of the message did as they were told. The potential is scary, especially if you think of the move towards government e-voting and the growth of interactive voting on TV shows, not to mention next-generation SMS payments for small products such as Vodafone's MTicket or Load-A-Ticket services.

It is crucial that businesses and their staff take mobile phone security seriously. Awareness, plus a few sensible precautions written into the overall enterprise security policy, will deter all but the most sophisticated criminal.

How can organisations help themselves?
  • Mobiles should never be trusted for communicating or storing confidential information.
  • Always set a PIN that is required before the phone can be used, and enable the SIM's own PIN as well: a SIM that will not answer queries until its PIN is entered is far harder to clone.
  • Check that all mobile devices are covered by the corporate security policy.
  • Make one person responsible for keeping tabs on who has which equipment and for updating the central register.


Gunter Ollmann is the manager of X-Force Security Assessment Services EMEA, Internet Security Systems
