GSM Cloning? Can it be done?

Hi

I have been doing research into Mobile phone security recently, and I have been looking into cloning. I have learnt about and gained first hand experiance into cloning analogue phones (obviously for research purposes only). I will not explain what hardware and software i used to capture the ESN/MIN pair, as im sure this forum will not allow this type of information to be posted. but there are alot of websites out there that give information on how to clone analogue phones (not that i encourage it).

The main bulk of my research is based on GSm security. I am aware that the COMP128 (COMP128 is the most common implementation of the A3 and A8 algorithems, rolled into a single algorithm) has a fatal flaw, and that it requires about 50,000 challanges and responses to find out the Ki (this is the secret key shared between the SIM and the Home Location Register (HLR) of the subscriber's home network). Once the Ki is found a new smart card can be created, with all the information required you can now pretend to be the user who was clonned. But inorder to aquire the Ki you need physical access to the smart card to be cloned, because eavesdropping the radio link doesnt allow this to be done.

I have gained the above information from reading through websites, books and journals. My question is that has anyone got any first hand experience or researched into the flaws with GSM Security, someone who can give me abit more information about the cloning of GSM?

Thanks

Imran R. Khan