DOCSLIB.ORG

Greedybts – Hacking Adventures in GSM

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Greedybts – Hacking Adventures in GSM GreedyBTS – Hacking Adventures in GSM GreedyBTS)*)Hac.in1)2d3entures)in)GS7) 21end,) • Eho)am)I?) • Technical)o3er3ieI)of)2.5G)en3ironments) • Cellular)en3ironment diagnosAcs)and)tools) • Security)3ulnerabiliAes)in)GS7) • Cre,An1)an)openNsource)2.5G)simul,Aon)en3ironment for)analysis.) • Implementaons)of)GS7),Oac.s) • Demo © 2014 MDSec ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) 2.5G)Technical)O3er3ieI) IntroducAon)to)GS7) • June)2008)*)2.9 BILLION subscribers)use)GSM.) • Replaced)2nalo1ue)TTotal)2ccess)Communic,Aon)SystemU)in)the)UW.)(T2CS)) • GS7)is),)European)Eide)Standard)started)in)1982)by)Groupe)Spécial)Mobile.) • Di1ital)standard)Iith)neI)Security),OempAn1)to)address)losses)due)to)Fraud.) • GPRS)created)to)Ior.)Iith)GS7)and)address)data needs_)2.5G.) • UMTS)and)LTE_)3rd)and)4th)1ener,Aon)networ.s)have)arri3ed)*)2.5G)sAll)here.)) • HoI)3ulnerable)are)2.5G)networ.s)a)GS7)communic,Aons)todayH) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) GS7)2rchitecture) • Mobile)Staon)is)your)phone.) ) • BSS)pro3ides)the)air)interface) between)networ.)a)phone.) • betwor.)SIitchin1)subsystem) pro3ides)authenAc,Aon_)idenAty_) billin1)and)more.) • The)architecture)shoIn)is),) typical)2G)GS7)en3ironment.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Mobile)Staon)(MS).) • Intern,Aonal)mobile)staon)ecuipment idenAty)(IMEI)) • Contains)unicuely)idenAdable)inform,Aon)on)de3ice.) ) • SG7)card)contains)subscriber)inform,Aon.) • Intern,Aonal)mobile)subscriber)idenAty)(IMSI).) • Mobile)Country)Code)*)MCC)N)3)di1its.) • Mobile)betwor.)Code)*)7bC)*)2)di1its.) • Mobile)Subscriber)IdenAdc,Aon)bumber)*)MSIN)*)(m,e)10).) • SG7)card)also)holds)encrypAon).eys.) • four)phone)contains),)baseband)processor)and)RTOS)used)by)GSM.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Ehat is),)SG7)cardH) • Described)in)GS7)11.14.) • Subscriber)IdenAty)Module.) • Stores)the)IMSI and)Wi).ey.) • Wi).ey)needed)for)networ.)) ))))))authenAc,Aon)a)2ir)encrypAon.) • Pro1rammable)card)can)be)used)Ihich)has),)Iriteable)Wi) key.) • GS7)test cards)Iith),)Iriteable)Wi).ey)can)be)bou1ht online.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) ISOg81h)a)SG7)Tool.it) • ISOg81h)dednes),)physical)smart card)standard.)) • SG7)2pplic,Aon)Tool.it (STW))is)implemented)by)GS7)smart cards.) • GS7)applic,Aon)pro3ides)authenAc,Aon)2PDUis.) • COMP12831)is)an)encrypAon)al1orithm)that Ias)found)to)be)jawed.) • 2)TstopU)condiAon)Ias)found)that alloIs)Wi)to)be)brute)forced.) • COMP12831),Oac.)takes)12N24)hours)and)recuires)physical)card.) • COMP12833)is)used)more)Iidely)today)and)COMP12831)is)rare.) • Chinese)3endors)sell)cheap)COMP12831)mulANSG7)cards)a)cloner.) • SG7)Trace)hOp:llbb.osmocom.or1ltraclIi.ilSIMtrace)) • For)more)inform,Aon)on)SG7),Oac.s)THC)have),)SG7)Tool.it Research)Group) promect that contains),)lot more)inform,Aonn)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Eh,4os),)Base)Transcei3er)System)(BTS)H) • TransmiOer)and)recei3er)ecuipment,)such)as) antennas)and)ampliders.) • Has)components)for)doin1)di1ital)si1nal) processing (DSP). • Contains)funcAons)for)Radio)Resource) management.) • Pro3ides)the)air)(UM))interface)to),)MS.) • This)is)part of),)typical)Tcell)toIerU)that is)used) by)GSM.) • BTS)pro3ides)the)radio)si1nallin1)between),) networ.)and)phone.) • Base)Staon)Subsystem)(BSS))has)addiAonal) component Base)Staon)Controller)that pro3ides)lo1ic)a)intelli1ence.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Radio)a)CellularH) • The)spectrum)is)di3ided)into) uplin.ldoInlin.)TchannelsU.) • GS7)uses)2bsolute)Radio) Frecuency)Channel)bumber) (2RFCb).) • Cellular)betwor.)means) channels)can)be)reNused) Iithin)diperent sp,Aal)areas.)) • This)is)hoI),)small)number) of)frecuencies)can)pro3ide),) n,Aonal)networ.n) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Physical)Interface) • Eaterfall)3ieIs)of)GS7)2RFCb)doInlin.)(leD))and)uplin.)(ri1ht).) • 2RFCb)is)200.+r)channel)and)this)is)di3ided)into)TD72)slots.) • Fi3e)diperent types)of)TburstsU)are)modulated)Iithin.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Radio)a)CellularH)) • GS7)communicates)usin1)Time) Di3ision)MulAple)2ccess)l)Frecuency) Di3ision)MulAple)2ccess)(TD72l FD72))principles.) • Space)Di3ision)MulAple)2ccess)1i3es) the)cellular)concept.)) • Tr,sc)transmiOed)as)TburstsU.) • Radio)modul,Aon)is)usin1)Gaussian) Minimum)ShiD)Weyin1)(GMSW).) • GMSW)is)3ariant of)frecuency)shiD) .eyin1)(FSW))desi1ned)to)reduce) bandIidth_)minimum)shiD).eyin1) (MSW))Iith)further)Gaussian) bandpass)(GMSW).) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) betwor.)SIitchin1)Subsystem) • The)GS7)core)networ.)components)usually)not 3isible)to),Oac.er.) • Mobile)SIitchin1)Centre)(MSC).) • Home)Locality)Re1istrar)(HLSY.) • tisitor)Locality)Re1istrar)(tLSY.) • Ecuipment IdenAty)Re1istrar)(EIR).) • These)are)components)or)databases)that handle)subscribers)inform,Aon_)IMSGl encrypAon).eys)and)perform)processes)li.e)billin1.)) • 2lso)Ihere)the)call)sIitchin1)and)rouAn1)takes)place)and)connecAn1)to)other) networ.s)e.1.)PSTb.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) GS7)Lo1ical)Channels) • GS7)implements)lo1ical)channels)to)alloI)for)si1nallin1)between)handset and) networ..) • There)is),)dedned)Tr,sc)Channel)(TCH))*)FullNrate)and)HalfNrate)channels)are) available)as)TC+lF)(Bm)_)TC+lH (Lm).) • There)are)Si1nallin1)channels)(Dm). • Many)eeploitable)Ie,.nesses)in)GS7)are)due)to)TinNbandU)si1nallin1.) • This)same)class)of)3ulnerability)is)Ihat alloIs)phre,.er)Tblue)boeesU)to) funcAon)and)responsible)for)Tformat strin1),Oac.s.U)*)Ihere)management capability)is)accessible)it has)potenAal)for)sub3erAn1.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Broadcast Channel)(BCH)) • The)BCH is)used)by),)MS)to)synchronize)i4os)oscillator)and)frecuency)Iith)the) BTS.)) • The)BCH consists)of)subNchannels)that assist Iith)this)process.) • Broadcast Control)N)BCCH • Frecuency)CorrecAon)N)FCCH • Synchronir,Aon)*)SCH • The)channels)are)used)durin1)the)preliminary)stages)of),)MS)bein1)poIered)on) and)are)inte1ral)part of)T1eu01),)si1nalU.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Common)Control)Channel)N)CCCH • The)CCCH is)used)by)MS)and)BTS)for)communic,An1)recuests)for)resources) Iith)networ.)and)handset such)as)Ihen),)call),Oempt is)placed.) • Random)2ccess)Channel)N)S2CH • 2ccess)Grant Channel)N)2GCH • Pagin1)Channel)N)PCH • boAdc,Aon)Channel)*)bCH • Temporary)Mobile)Subscriber)IdenAty)(TMSI))is)used)to)help)pre3ent trac.in1) of),)GS7)user_)can)be)frecuently)chan1ed)and)has),)lifeAme)limit.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Dedicated)Control)Channels)N)DCCH) • The)DCCH and)i4os)associated)subNchannels)perform)authenAc,Aon)recuests_) cipher)selecAon)a)si1nallin1)of)call)compleAon.) • Standalone)dedicated)control)N)SDCCH ) • SloI)associated)control)N)S2CCH • Fast associated)control)*)F2CCH • Summary)of)the)three)control)channels)and)purpose)of)each.) • 2Oac.er)could)eeploit GS7)si1nallin1)Ie,.nesses)to)access)subscriber)mobile) usage.)Ee)Iill)loo.)at this)in)more)detail.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) Ehat about O3erNtheN2ir)EncrypAonH) • Se3eral)o3erNtheNair)(OT2))encrypAon)al1orithms)eeist.)These)are)used)to) encrypt v6omev)of)the)GS7)lo1ical)channels)data (such)as)TCH).) • 25l1)*)publicly)bro.en_)rainboI)tables)eeist.) • 25l2)*)opers)no)real)security.) • 25l3)*)W2SU7G)Cipher_)althou1h)some)manNinNtheNmiddle),Oac.s)are).noIn)*) it has)not yet been)publicly)bro.en)in)GSM.) • 23l28)N)used)durin1)the)authenAc,Aon)process.) • 2Oac.er)can),Oempt to)Tpassi3elyU)analyse)tr,sc)loo.in1)for)Ie,.)encrypAon) or)perform)manNinNtheNmiddle),Oac.s)against subscriber)MS)and)BTS.)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) 2.5G)Technical)O3er3ieI) General)Pac.et Radio)Ser3ice) • Uses)eeisAn1)GS7)concepts_)e.1.)Ameslots.) • Introduces)TSubscriber)GPRS)Ser3ice)bodeU) ))))))(SGSb))and)TGateIay)GPRS)Ser3ice)bodeU)) ))))))X!!(b). ) • 2dds)Pac.et Control)Unit to)BSS.) • Data is)sent in)PCU)frames.) • Introduces),)neI)Radio)Resource)(SSY)protocol.) • Radio)Lin.)Control)(SBC))l)Medi,)2ccess)Control)(72C)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) Cell)DiagnosAcs)a)Tools) bo.i,)betMonitor)) • bo.i,)shipped)diagnosAc)tool)in)early)phones.) • Can)be)enabled)on)phone)such)as)3310)usin1)cable) • Pro3ides),)cellular)diagnosAc)tooln) • 2RFCb)idenAdc,Aonn) • Si1nallin1)channel)displayn) • Uplin.)Tr,sc)capturen) • tery)cool)TfeatureU)of)bo.i,)w)) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) Cell)DiagnosAcs)a)Tools) Dedicated)Test HardIare) • eBay)is)your)friend.) • GS7)tesAn1)hardIare)prices)3ary)Iildly.) • OpenNsource)tools)are)noI)more)jeeible.) • GS7)tesAn1)hardIare)is)oDen)not 3ery)featured.) • The)price)of)dedicated)hardIare)can)be)3ery)hi1h.) • tendors)oDen)not forthcomin1)Iith)help.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.) )) Cell)DiagnosAcs)a)Tools) OsmocomNLL)a)!bU/Plot) • OsmocomNbb)alloIs)you)to)Irite) tools)for)MS)baseband.) • Lots)of)useful)diagnosAcs)already) available)in)the)public)repository.) • fou)can)eetend)the)code)to) 3isually)represent the)GS7) spectrum)or)perform)more) detailed)analysis)of),)GS7)cell) toIer.) • Recuires),)xy30)phone)to)use.) 8)2014)MDSec)ConsulAn1)Ltd.))2ll)ri1hts)reser3ed.)
Load more

Recommended publications
  • Mee10:71 Location-Aware Decision Algorithm for Handover Across
    MEE10:71 LOCATION-AWARE DECISION ALGORITHM FOR HANDOVER ACROSS HETEROGENOUS WIRELESS NETWORK. BY STANLEY O.OKOYE This thesis is submitted in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering with Emphasis on Telecommunication. Department of Telecommunication Blekinge Institute of Technology Karlskrona, Sweden August 2010 DEDICATION: To my wife Gloria Okoye ,and my child Kamsi Okoye for their love, patience while doing this work; to my brothers Stephen E. Okoye and Augustine I. Okoye for their wonderful support and encouragement. ii ABSTRACT Vertical handover is the processes that switch a mobile node from one technology to another in order to maintain a communication in a network. Heterogeneous Networks are two Networks whose entities support different technologies. Because of the benefits brought about by 3G networks such UMTS, it is increasingly desirable to integrate 3G networks with WLAN. WLAN is a low coverage, high speed network compared to 3G networks. Consequently, WLAN is used to extend 3G networks at certain locations in order to provide improved services and address QoS issues. To achieve a beneficial vertical handover in a network, an algorithm that departs from the conventional RF based algorithm is necessary. An attempt is made in this study to provide such algorithm which aims to utilize location information stored in a WLAN coverage database, and the location service entities of UTRAN as defined by 3GPP to determine a valuable/beneficial vertical handover between UMTS and WLAN. RF based conventional downward vertical handovers can be inefficient and wastes resources. This study aims to correct the lapses associated with conventional RF based vertical handover across heterogeneous network.
    [Show full text]
  • Openbts Application Suite User Manual
    OpenBTS Application Suite Release 4.0 User Manual Revision date: April 15, 2014 Copyright 2011-2014 Range Networks, Inc. This document is distributed and licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents 1 General Information 7 1.1 Scope and Audience.........................................8 1.2 License and Copyright........................................8 1.3 Disclaimers..............................................8 1.4 Source Code Availability....................................... 10 1.5 Abbreviations............................................ 11 1.6 References.............................................. 12 1.7 Contact Information & Support................................... 13 2 Introduction to OpenBTS Application Suite 14 2.1 Key Programs............................................ 15 2.2 Network Organization........................................ 16 3 Getting to Know Your OpenBTS System 19 3.1 Accessing the System........................................ 19 3.2 Starting and Stopping Applications................................. 20 3.3 OpenBTS Command Line Interface (CLI)............................. 20 3.4 Using the OpenRANUI....................................... 24 3.5 Databases.............................................. 25 3.6 Folder Structure........................................... 25 3.7 Logging............................................... 26 4 OpenBTS Data Tables and Structures 27 4.1 Manipulating OpenBTS Databases................................. 27 4.2 The Configuration Table.....................................
    [Show full text]
  • Introduction to GSM
    PART 3 Introduction to GSM Lecture 3.0 History Giuseppe Bianchi History of wireless communication Î 1896: Marconi Ö first demonstration of wireless telegraphy Ö tx of radio waves to a ship at sea 29 km away Ö long wave transmission, high power req. (200 kW and +) Î 1901: Marconi Ö Telegraph across the atlantic ocean Ö Close to 3000 Km hop! Î 1907 Commercial transatlantic connections Ö huge ground stations (30 by100m antennas) Î 1915: Wireless telephony established Ö NY – S. Francisco Ö Virginia and Paris Î 1920 Marconi: Ö Discovery of short waves (< 100m) Ö reflection at the ionosphere Ö (cheaper) smaller sender and receiver, possible due to the invention of the vacuum tube (1906, Lee DeForest and Robert von Lieben) Giuseppe Bianchi 1 History of wireless communication Î 1920's: Radio broadcasting became popular Î 1928: many TV broadcast trials Î 1930's: TV broadcasting deployment Î 1946: First public mobile telephone service in US Ö St. Louis, Missouri Ö Single cell system Î 1960's: Bell Labs developed cellular concept Ö brought mobile telephony to masses Î 1960’s: Communications satellites launched Î Late 1970's: technology advances enable affordable cellular telephony Ö entering the modern cellular era Î 1974-1978: First field Trial for Cellular System Ö AMPS, Chicago Giuseppe Bianchi 1st generation mobile systems early deployment ÎFirst system: Ö NMT-450 (Nordic Mobile Telephone) ÆScandinavian standard; adopted in most of Europe Æ450 MHZ band ÆFirst european system (Sweden, october 1981) Î Italian history: Ö 1966: first experiments
    [Show full text]
  • UMTS); Network Architecture (3GPP TS 23.002 Version 4.8.0 Release 4)
    ETSI TS 123 002 V4.8.0 (2003-06) Technical Specification Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); Network architecture (3GPP TS 23.002 version 4.8.0 Release 4) R GLOBAL SYSTEM FOR MOBILE COMMUNICATIONS 3GPP TS 23.002 version 4.8.0 Release 4 1 ETSI TS 123 002 V4.8.0 (2003-06) Reference RTS/TSGS-0223002v480 Keywords GSM, UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Lect12-GSM-Network-Elements [Compatibility Mode]
    GSM Network Elements and Interfaces Functional Basics GSM System Architecture The mobile radiotelephone system includes the following subsystems • Base Station Subsystem (BSS) • Network and Switching Subsystem (NSS) • Operations and Maintenance Subsystem (OSS) GSM Network Structure : Concept PLMN Terrestrial Public Land Mobile Network public mobile communications network network Mobile Um terminal device Air Interface PSTN BSS Public Switched Base Station Telephone Network Subsystem radio access NSS BSS Network Switching ISDN Base Station Subsystem Subsystem Integrated Services MS radio access Control/switching of Digital Network Mobile mobile services Station BSS Base Station Subsystem PDN radio access Public Data Network Mobile network Fixed network components components GSM-PLMN: Subsystems PLMN Terrestrial Public Land Mobile Network RSS Network Radio SubSystem PSTN Public Switched Telephone Network ISDN Integrated Services MS BSS NSS Digital Network Mobile Base Station Network Switching Station Subsystem Subsystem PDN Public Data Network OSS Operation SubSystem Function Units in GSM---PLMN-PLMN Radio Network Switching SubSystem Subsystem RSS = NSS Other networks Mobile Base Station Station +++ Subsystem MSMSMS BSSBSSBSS ACACAC EIREIREIR BTS HLR VLR TTT PSTN RRR BSCBSCBSC AAA MSC ISDN UUU Data OMCOMC----RRRR OMCOMC----SSSS MS = netnetnet-net --- ME + SIM works Operation SubSystem OSS Functional Units in GSM---PLMN-PLMN Phase 2+ RSS NSS Other networks MS +++ BSS ACACAC EIREIREIR BTS HLR/GR VLR TTT PSTN RRR BSCBSCBSC AAA MSC ISDN UUU CSE Data networks SGSN GGSN Inter/ intranet OMCOMC----BBBB OMCOMC----SSSS OSS Base station subsystem (BSS) The base station subsystem includes Base Transceiver Stations (BTS) that provides the radio link with MSs. • BTSs are controlled by a Base Station Controller (BSC),which also controls the Trans-Coder-Units (TCU).
    [Show full text]
  • Exploiting Broadcast Information in Cellular Networks
    Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, Kévin Redon, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA ISBN 978-1-931971-03-4 Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, K´evin Redon, Jean-Pierre Seifert Technische Universitat¨ Berlin and Deutsche Telekom Innovation Laboratories {nico, kredon, jpseifert}@sec.t-labs.tu-berlin.de Abstract comBB [20, 25, 45]. These open source projects consti- tute the long sought and yet publicly available counter- Mobile telecommunication has become an important part parts of the previously closed radio stacks. Although all of our daily lives. Yet, industry standards such as GSM of them are still constrained to 2G network handling, re- often exclude scenarios with active attackers. Devices cent research provides open source software to tamper participating in communication are seen as trusted and with certain 3G base stations [24]. Needless to say that non-malicious. By implementing our own baseband those projects initiated a whole new class of so far uncon- firmware based on OsmocomBB, we violate this trust sidered and practical security investigations within the and are able to evaluate the impact of a rogue device with cellular communication research, [28, 30, 34]. regard to the usage of broadcast information. Through our analysis we show two new attacks based on the pag- Despite the recent roll-out of 4G networks, GSM re- ing procedure used in cellular networks.
    [Show full text]
  • Data and Voice Signal Intelligence Interception Over the GSM Um Interface
    International Journal of Research and Innovations in Science and Technology ISSN (Online): 2394-3858 Volume 3 : Issue 2 : 2016 ISSN (Print): 2394-3866 International Journal of Research and Innovations in Science & Technology, ©SAINTGITS College of Engineering, INDIA www.journals.saintgits.org Research paper Data and Voice Signal Intelligence Interception Over The GSM Um Interface Vincent N. Omollo1*, Silvance Abeka2, Solomon Ogara3 Jaramogi Oginga Odinga University of Science & Technology, Bondo – Kenya. * [email protected] Copyright © 2016 Vincent Omollo, Silvance Abeka & Solomon Ogara. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Abstract The Enhanced Data rates for GSM Evolution (EDGE) is a digital mobile phone technology that permits enhanced data communication rates as a backward-compatible annex of the Global System for Mobile communications (GSM). It delivers increased bit-rates per radio channel, which results to a threefold increase in capacity and performance compared with an ordinary GSM/General Packet Radio Service (GPRS) connection. It has found many applications in packet switched communication scenarios, such as internet connections. In a GSM environment, owing to its cellular nature, the communication signals are sent over the air interface. Therefore, it is less secure than in a wired network because it is prone to eavesdroppers equipped with appropriate radio receivers. To address the various security challenges, several security functions were built into GSM to safeguard subscriber privacy. These functions include: authentication of the registered subscribers only; secure data transfer through the use of encryption; subscriber identity protection; making mobile phones inoperable without a subscriber identity module (SIM); disallowing duplicate SIMs on the network; and securely storing the individual subscriber authentication key ( KI).
    [Show full text]
  • Network Architecture
    Chapter 1 Network Architecture This section gives an overview of the most important entities in a GSM network and the different protocols that are used between these entities. A single GSM network is often referred to as a Public Land Mobile Network (PLMN). This is the network operated by a single provider in a single region. In most countries each provider maintains a single PLMN, but in certain large countries, like the USA, several PLMNs can be maintained by a single provider. A PLMN manages all traffic between mobile phones and all traffic between mobile phones and the other land networks. These land networks can either be the Public Switched Telephone Network (PSTN), an ISDN network, or the Internet. Figure 1.1 shows an overview of all the entities in a GSM network. These entities are often subdivided between three “domains”; the Mobile Station (MS) – i.e. mobile phones – , the Base Station Subsytem (BSS) and the Network Switching Subsystem (NSS). We will now look at each of these in more detail. 1.1 Mobile Station (MS) The Mobile Station (MS) is the subscribers module most people are familiar with. It consists of both some Mobile Equipment (ME) and a Subscriber Identity Module (SIM). Both are needed for the Mobile Station (MS) to function in the GSM network. Hence MS = ME+SIM. 1.1.1 Mobile Equipment (ME) The Mobile Equipment (ME) is simply the GSM phone people use to make and receive calls in a cellular network. It is basically a transmitter-receiver unit that is independent from network providers1.
    [Show full text]
  • Fuzzing the GSM Protocol
    Radboud University Nijmegen Master's Thesis Computer Science Fuzzing the GSM Protocol by Brinio Hond Supervisors: Thesis number: 654 ir. Stan Hegta Date: July 29, 2011 ir. Ronald Heilb dr.ir. Erik Pollc aAdvisor ICT Security & Control at KPMG bManager ICT Security & Control at KPMG cAssociate Professor Digital Security at Radboud University Nijmegen ii Abstract In our current society GSM can be considered a critical infrastructure as it is used by over 3.5 billion people worldwide. And even though the protocol is already over twenty years old most serious scrutiny on it stems from the last couple of years. This is due to the rapid evolution of Software Defined Radio (SDR) five years ago, which allowed most of the signal processing to take place in software instead of hardware. Several open source projects emerged that used the principle of SDR to implement a GSM stack in software using relatively cheap radio hardware. In this thesis one part of the security of GSM is analysed using an SDR based on the open source project OpenBTS and a hardware device called USRP-1. With a technique called protocol fuzzing the robustness of the implementation of the GSM protocol on different cell phones is tested. In this thesis it is first described which parts of the protocol stack are most suitable for fuzzing, as well as which fields in GSM communication are most likely to result in strange behaviour on the receiving end. Then this theory is put to the test and two parts of the GSM stack (SMS and Call Control) are fuzzed on actual cell phones.
    [Show full text]
  • Intelligent Search of Correlated Alarms for GSM Networks with Model-Based Constraints*
    Intelligent Search of Correlated Alarms for GSM Networks with Model-based Constraints* Qingguo Zheng Ke Xu Weifeng Lv Shilong Ma National Lab of Software Development Environment Department of Computer Science and Engineer Beijing University of Aeronautics and Astronautics, Beijing 100083 {zqg, kexu, lwf , slma}@nlsde.buaa.edu.cn to control the process of data mining, make the Abstract process of data mining more focus, and reduce the number of rules being generated, many researchers In order to control the process of data mining and [9,10,11] have studied putting various constraints, focus on the things of interest to us, many kinds of including Boolean expressions, regular expressions, constraints have been added into the algorithms of and aggregation constraints etc., into the methods of data mining. However, discovering the correlated mining association rules. But the analysis of alarm alarms in the alarm database needs deep domain correlation will need deep domain constraints into the constraints. Because the correlated alarms greatly method of data mining, for the rules of alarm depend on the logical and physical architecture of correlation are closely related to the logical and networks. Thus we use the network model as the physical architecture of networks. constraints of algorithms, including Scope constraint, Model-Based Reasoning (MBR) was originally Inter-correlated constraint and Intra-correlated proposed in [12], the principles of which have been constraint, in our proposed algorithm called SMC widely applied in the analysis of alarm correlation (Search with Model-based Constraints). The [1,13,14,15,16,17]. MBR system consists of a experiments show that the SMC algorithm with network model and a function model.
    [Show full text]
  • SMS) for Wideband Spread Spectrum Systems Release B
    3GPP2 C.S0015-B Version 1.0 Date: 13 May 2004 Short Message Service (SMS) for Wideband Spread Spectrum Systems Release B COPYRIGHT 3GPP2 and its Organizational Partners claim copyright in this document and individual Organizational Partners may copyright and issue documents or standards publications in individual Organizational Partner’s name based on this document. Requests for reproduction of this document should be directed to the 3GPP2 Secretariat at [email protected]. Requests to reproduce individual Organizational Partner’s documents should be directed to that Organizational Partner. See www.3gpp2.org for more information. C.S0015-B v1.0 No text. ii C.S0015-B v1.0 PREFACE These technical requirements form a standard for a Short Message Service (SMS), providing delivery of text and numeric information for paging, messaging, and voice mail notification. This standard includes Service Option 6 and Service Option 14 (as defined in [15]), which support delivery of short messages on Traffic Channels. Service Option 6 and Service Option 14 conform to the general requirements for service options specified in [10]. A mobile station can obtain Short Message Service operating in either the analog or the spread spectrum (CDMA) mode when it conforms to this standard. This standard does not address the quality or reliability of Short Message Service, nor does it cover equipment performance or measurement procedures. SECTION SUMMARY 1. Introduction. This section defines the terms, references, protocols and network reference model used in this document. 2. SMS Relay Layer. This section defines the requirements for the lower layer of the SMS bearer service protocols.
    [Show full text]
  • Anatomy of Contemporary GSM Cellphone Hardware
    Anatomy of contemporary GSM cellphone hardware Harald Welte <[email protected]> April 14, 2010 Abstract Billions of cell phones are being used every day by an almost equally large number of users. The majority of those phones are built according to the GSM protocol and interoperate with GSM networks of hundreds of carriers. Despite being an openly published international standard, the architecture of the GSM network and its associated protocols are only known to a relatively small group of R&D engineers. Even less public information exists about the hardware architecture of the actual mobile phones themselves, at least as far as it relates to that part of the phone implementing the GSM protocols and facilitating access to the public GSM networks. This paper is an attempt to serve as an introductory text into the hardware architecture of contempo- rary GSM mobile phone hardware anatomy. It is intended to widen the technical background on mobile phones within the IT community. 1 Foreword This document is the result of my personal research on mobile phone hardware and system-level software throughout the last 6+ years. Despite my past work for Openmoko Inc., I have never been professionally involved in any aspect of the actual GSM related hardware of any phone. Nevertheless I have the feeling that in the wider information technology industry, I am part of a very, very small group of people who actually understand mobile phones down to the lowest layer. I hope it is useful for any systems level engineer with an interest in understanding more about how mobile phone hardware actually works.
    [Show full text]