Beomseok Oh*, Junho Ahn*, Sangwook Bae, Mincheol Son, Yonghwa Lee, Minsuk Kang, and Yongdae Kim
Korea Advanced Institute of Science and Technology (KAIST)
This paper was accepted to the Network and Distributed Systems Security (NDSS) Symposium, 2023.
Overview
We propose a SIM box detection technique that can be used in the core network of MNOs. The technique is useful for detecting unauthorized SIM boxes on the core network, as they are widely used for interconnect bypass fraud and voice phishing, causing huge financial loss to both MNOs and the public. The proposed SIM box detection is based on device model fingerprinting, which uses the cellular capabilities of a device as the fingerprint of its device model. We show that most cellular device models have unique fingerprints, which makes the fingerprints useful for SIM box detection. We also propose a simple access control policy for MNOs to build a SIM box fraud prevention system. The system is a practical and reliable way to prevent illegal SIM boxes from making unauthorized voice calls, and it simplifies the mitigation of SIM box fraud.
Comparison to Previous Device Fingerprinting Works
Our device model fingerprinting technique uses the control-plane messages containing UE capabilities. Several previous works also presented cellular device fingerprinting using the same messages. The biggest difference from the previous works is that our work performed feature analysis and considered end-user customizations that affect fingerprints. We show that those considerations are essential to perform device model fingerprinting. Also, our work targets the device model for fingerprinting, while the other works targeted baseband modems/vendors or device type. Lastly, we attempted to use most of the contents of the messages, while the other works used only some parts of the message contents for fingerprinting.
Fingerprint Construction
Fingerprint construction consists of two main steps. First, the control-plane messages, NAS Attach Request and RRC UE Capability Information, are collected from the devices. Note that the message pairs are collected multiple times, varying the configuration of the devices. Once the messages are collected, they are converted to a vector form. In this work, we call such vectors feature vectors. Next, the feature vector is passed through the filter. The filter contains the features that should be pruned from the vector to make a proper fingerprint. Specification analysis and intra-model analysis are performed to build the filter. Note that specification analysis is manual, but does not require considerable effort, as it is only done for each specification update. Once the vectors have passed through the filter, we make a set containing the vectors from the same device model, and call that set the fingerprint of the device model.
Access Control List
We propose an access control list (ACL) to reject non-registered SIM boxes at the cellular network. The ACL uses the reported IMEI, the fingerprint, and the subscribed plan to make a decision. In our work, we showed that unauthorized SIM boxes can be blocked with no false rejects and only niche false accepts, assuming that the MNO only allows voice service to the registered IoT devices.
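The fingerprint construction and ACL check described above, sketched as an added example (not the authors' code or released artifacts). The feature names, the one-entry filter, the TAC table, the IMEIs, the plan labels and the exact decision rule are constructed assumptions.

```python
# Added illustration: feature names, TACs, IMEIs and policy details are constructed.
FILTER = {"tmsi_status"}  # assumed filtered: depends on previous connections

def filtered(vector):
    """Prune filtered features; return a hashable, order-independent vector."""
    return frozenset((k, v) for k, v in vector.items() if k not in FILTER)

def build_fingerprints(samples):
    """Fingerprint of a model = set of its filtered vectors over all configurations."""
    fingerprints = {}
    for model, vector in samples:
        fingerprints.setdefault(model, set()).add(filtered(vector))
    return fingerprints

# Constructed captures: (device model, feature vector), varying device configuration.
SAMPLES = [
    ("PhoneA", {"ue_category": 12, "bands": (1, 3, 7), "volte": True, "tmsi_status": 0}),
    ("PhoneA", {"ue_category": 12, "bands": (1, 3, 7), "volte": False, "tmsi_status": 1}),
    ("ModuleX", {"ue_category": 4, "bands": (1, 3), "volte": False, "tmsi_status": 0}),
]
FINGERPRINTS = build_fingerprints(SAMPLES)
TAC_TO_MODEL = {"35000001": "PhoneA", "35000002": "ModuleX"}  # constructed TACs
IOT_MODELS = {"ModuleX"}              # hypothetical IoT module model
REGISTERED_IOT = {"350000020000011"}  # IMEIs the MNO registered for voice

def acl_decision(imei, vector, plan):
    """Return (allow_voice, reason) from reported IMEI, fingerprint and plan."""
    claimed = TAC_TO_MODEL.get(imei[:8])  # TAC: first 8 digits of the IMEI
    observed = filtered(vector)
    matching = {m for m, fp in FINGERPRINTS.items() if observed in fp}
    if claimed is None or claimed not in matching:
        return False, "fingerprint does not match the reported IMEI"
    if claimed in IOT_MODELS and (plan != "iot" or imei not in REGISTERED_IOT):
        return False, "IoT device not registered for voice"
    return True, "ok"

if __name__ == "__main__":
    module = {"ue_category": 4, "bands": (1, 3), "volte": False, "tmsi_status": 1}
    print(acl_decision("350000010000017", module, "phone"))  # phone IMEI, module fingerprint
    print(acl_decision("350000020000029", module, "iot"))    # unregistered module
    print(acl_decision("350000020000011", module, "iot"))    # registered module
```

The first case is rejected because the observed capabilities belong to a different model than the one the IMEI claims; the second because the module's own IMEI is not registered for voice.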
Full list of test devices with detailed information
Specification Analysis
Specification analysis aims to construct a filter consisting of features that are either (1) individual user-specific, (2) session-specific, or (3) associated with previous connections. For this, we looked up the definition of each feature contained in the target messages. Although the overhead of the analysis seems overwhelming due to the huge volume of the specification documents, we benefited from their structure: (1) the table structure of the features' definitions and (2) the nested structure. The image below shows an example of searching "TMSI status" in the specification.
Entire Packets and Code
Paper Information
Beomseok Oh*, Junho Ahn*, Sangwook Bae, Mincheol Son, Yonghwa Lee, Minsuk Kang, Yongdae Kim, "Preventing SIM Box Fraud Using Device Model Fingerprinting", Network and Distributed Systems Security (NDSS) Symposium, 2023
title={Preventing SIM Box Fraud Using Device Model Fingerprinting},
author={Oh, Beomseok and Ahn, Junho and Bae, Sangwook and Son, Mincheol and Lee, Yonghwa and Kang, Minsuk and Kim, Yongdae},
booktitle={Network and Distributed Systems Security (NDSS) Symposium},
year={2023}
}
Contact
If you have any questions or comments, please contact the first authors, Beomseok Oh (beomseoko@kaist.ac.kr) and Junho Ahn (dwg226@kaist.ac.kr), working in the System Security Lab at KAIST, Korea.
We thank all anonymous reviewers who reviewed our paper.
We also thank Cheoljun Park and Jiho Lee for the valuable discussions that helped develop our paper.