Device cloning

What is device cloning?

Device cloning is the unauthorized duplication of a mobile device's identity attributes used to create a copy or mimic the original device. In the scope of application security, device cloning allows malicious actors to impersonate the original device's owner, potentially leading to identity theft and fraud. 

Summary

There are 3 types of device cloning:

1. SIM swapping: This involves physically obtaining a valid SIM card with the phone number of the user, either by stealing it or tricking network operators into providing it.
2. Obtaining IMEI: This type is based on obtaining the International Mobile Equipment Identity (IMEI) of the phone, which can be used to access the cellular network as if the attacker had a valid SIM card for the number.
   Neither of these methods allows the attacker to access data of the user on their phones, but both allow them to send SMS as the user, and intercept inbound SMS sent to the number. It can be used to intercept 2FA codes or perform advanced phishing to the contacts of the device owner.
3. Phone backup: The third method of device cloning is through phone backup. This method requires gaining access to a backup of the phone, either by compromising the iCloud or Google Drive account of the user, or by having them install backup applications (usually accomplished through phishing). This allows the attacker to access sensitive data about the user (photos, messages, contacts, documents, etc.) and some application-specific data. If the app has effective security, it can limit the sensitivity of the data accessed, however, the security of each of the apps on the compromised device is a variable.

Deep dive

To access these identifiers and other sensitive information, an attacker might exploit vulnerabilities within the device's software or operating system. Rooting an Android device or jailbreaking an iOS device can allow an attacker to manipulate the device's software and clone identifiers.

Other times, attackers take aim at the device’s owner by launching phishing attempts or social engineering tactics to trick the user or service providers into divulging sensitive information, such as Apple ID credentials, which can then be used to access and duplicate accounts.

Another means of cloning is gaining physical access to a device which could allow a malicious actor to bypass security measures (like encryption) and access data directly from the device, however this is made significantly more challenging with modern smartphones.

Once a device is cloned, the security implications are significant. This opens up the device, individual, and service provider to the possibility of fraud or identity theft through the use of the IMEI, or a breach of sensitive information through the backups of the phone, and it carries a real risk of financial and personal data loss.

Cloned devices can be used as vectors for various cyberattacks, including launching phishing campaigns, spreading malware, or participating in botnets for DDoS attacks. Such activities go beyond the compromised device and introduce risk to other users and services connected to the network.

Applications that rely on device-specific information to maintain data integrity and secure user sessions—like many security protocols and authentication mechanisms—but fail to store sensitive data correctly can be compromised through device cloning. Attackers might intercept, modify, or inject fraudulent data, leading to misinformation or unauthorized data manipulation.

Examples

When a device is cloned or an attempt is being made to clone it, a user may be completely unaware that their device is being targeted. Other times, there are clear abnormalities in device behavior, like unexplained battery drain, significant data usage, and multiple restart or reset requests.  

Major phone carriers, financial organizations, and mainstream media outlets are starting to warn consumers about the dangers of device cloning as the measurable impact and stories of siphoned bank accounts and stolen data grow in numbers. Verizon warns both Android and iPhone users of a "bank-raiding clone attack" and how to detect if their phone has already been compromised.

A method of device cloning called SIM swapping, also called "phone porting," is when an attacker can transfer an existing phone number to a new device that they control. This allows for the interception of information like two-factor authentication giving access to banking apps and other programs with sensitive personal data. The device owner is left with little defense or awareness of the attack, apart from the phone potentially entering SOS mode and core functions becoming unusable.

History

Consumer devices hold more information and access to personal and financial data than ever before, and organizations face an ever-increasing amount of threat vectors with mobile origins. Decades after device cloning was predominantly a physical threat that relied on intercepting a SIM card or the device itself, new means of obtaining the sensitive data of the phone through backups and phishing is still a very real risk.

Future

Mitigation of device cloning and the threats that it carries is multifaceted. Consumer and employee education to sniff out phishing attempts and suspicious messages is one of the most effective defenses against device cloning. Some basic best practices like using screen locks and biometrics, employing multi-factor authentication (MFA), using VPNs (particularly on public Wi-Fi), and keeping device software up to date to patch vulnerabilities and apply new updates from providers will also mitigate cloning from an attacker with physical access to the device.

It’s more important than ever for organizations to leverage tools for detection and protection. Secure communication channels and data protection techniques, like encrypting data at rest and using platform-specific secure storage, make it more difficult for attackers to succeed in intercepting and duplicating sensitive information and taking control of a device.

Sources

1. https://www.9news.com.au/technology/phone-porting-scams-australia-what-signs-how-to-protect-yourself-what-to-do-explainer/4a6bfe00-334d-4eb4-887c-cc93ec8f2645
2. https://www.the-sun.com/tech/8200980/verizon-warning-android-iphone-owners-bank-clone-attack/
3. https://twitter.com/parth220_/status/1771589790611423317
4. https://www.forbes.com/sites/kateoflahertyuk/2024/03/28/new-iphone-password-attack-warning-issued-to-apple-users/?sh=6a1b3f0e1028
5. https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
6. https://www.fcc.gov/consumers/guides/cell-phone-fraud