SPRING 2008
Table of Contents
ACKNOWLEDGMENTS
GLOSSARY
CONCLUSION
REFERENCES
APPENDICES
Acknowledgments
Working on this dissertation has been a wonderful challenge for me. I believe in this
section of the paper I am supposed to thank everyone who has helped me both directly and
indirectly in the course of this project. I have to start with my advisor Professor Reza Joadat,
for listening to my questions and complaints for the last two semesters, and for the advice he
has given me so far. My next thanks go to Professor John Dwyer for being a wonderful
professor, but mostly a wonderful person beyond the academic layer. Outside of academia
I then want to thank my parents for always being with me and supporting me both morally
and financially, and loving me as they do; I would never have been able to accomplish this
without their support. I also have to thank my fiancée Giulia, who has to bear me talking about
technical matters beyond reason, and for standing by my side this whole time. Last, but not
least, are all my friends here in Richmond who have stood by me for these last two years
of my life. I thank them for all the wonderful moments we have been through together.
Glossary
A3 Authentication Algorithm
A5 Ciphering Algorithm
A8 Ciphering Key Generating Algorithm
AUC Authentication Centre
AN Access Network
BSC Base Station Controller
BSS Base Station System
BTS Base Transceiver Station
CEPT European Conference of Post and Telecommunication Administrations
CGI Cell Global Identity
CKSN Cipher Key Sequence Number
DIMSI Dual International Mobile Subscriber Identity
DES Data Encryption Standard
DSA Digital Signature Algorithm
EIR Equipment Identity Register
EMS Enhanced Messaging Service
GSM Global System for Mobile communication
HLR Home Location Register
IMEI International Mobile Equipment Identifier
IMSI International Mobile Subscriber Identity
Kc Ciphering Key
Ki Individual Subscriber Authentication Key
LFSR Linear Feedback Shift Register
LI Lawful Interception
LLC Limited Liability Company
ME Mobile Equipment
MSC Mobile Services Switching Centre
MS Mobile Station
MSIN Mobile Subscriber Identity Number
NSS Network and Switching Subsystem
RAND Random Number
RAID Redundant Array of Inexpensive Disks
SHA Secure Hash Algorithm
SIM Subscriber Identification Module
SMS Short Message Service
TAC Type Allocation Code
TDMA Time Division Multiple Access
THC The Hackers Choice
TMSI Temporary Mobile Subscriber Identity
USRP Universal Software Radio Peripheral
VLR Visitor Location Register
XOR Exclusive OR
Chapter 1. Introduction
This project was born from a love of computing and communications, and the thrill
of being able to overcome security measures in communication systems. The purpose of this
project is to prove that it is possible for individuals to break through the barriers of GSM
(Global System for Mobile communication) protection systems using common and publicly
available tools. It has to be said in advance that devices able to intercept GSM conversations
do exist; nonetheless these devices are only available to law enforcement agencies and special
services.
capable of several tasks: firstly it needs to produce a man-in-the-middle attack onto a stream
of GSM traffic; secondly it also needs to decipher the contents of the conversation; thirdly it
should record the conversation to allow deferred listening and storing; and finally relay the
content onto the Network without the user being aware of this process.
upcoming chapters, the main means to exploit a GSM conversation encrypted with the A5
algorithm, is to build a system capable of decrypting the captured GSM data possibly using a
The main components that to this day are known to work in a GSM live intercept are
the receiver and the cracking units. Transmitting on GSM frequencies and performing channel
hopping has not yet been possible, even though solutions from other researchers in this area
seem to be near.
This project started with the intention of building a GSM intercepting device using
single components and combining them to form the appropriate hardware solution. This was
later found to be very impractical due to the limitations of some devices. An example of
a limitation encountered with this approach was in the GSM transmitting and receiving unit:
all the units on the market available to mobile product developers are not designed to support
low-level commands, and they do not allow sending raw commands to the device; only a
portion of the AT command set1 is supported. This therefore excluded this type of
approach. Beyond the first hardware attempt described, other solutions have been attempted,
such as simulation. A license from OPNET was requested for a six-month trial period, to run
a simulation of an attack on a network. After receiving the license and testing the software, it
was discovered that OPNET products would not be adequate for simulating an attack on a
network.
With this dissertation, the author plans to lay the grounds for the development of a
working GSM intercepting mechanism, which possibly in the future might be turned into a
real working hardware unit. It is known that eavesdropping on conversations without
written consent is illegal, and therefore any findings will be solely targeted as educational
1 The AT command set actually supports several commands; nonetheless most modules available on the market
for end users only support some of the most common high-level ones, such as placing a call, hanging up the
connection, sending text messages, etc. The ETS – European Telecommunications Standards – published
ETS 300 642, with the full AT command set.
This document is divided into four main sections. The first section (Chapter two)
gives an overview of the GSM network infrastructure, explaining the different
components and their characteristics. Here a general discussion of the various components
will be carried out to form the basis for the next chapters. Chapter three describes in detail the
security measures adopted in GSM networks, both from the “GSM Specifications” point of
view and from the more technical aspects, by explaining the A5 encryption algorithm and its
flaws. Chapter four then analyses the possible means of attacking a GSM network. Finally a
practical approach will be attempted, considering the latest developments in the technology. A
conclusion will then explain any problems encountered during the development of this
dissertation, and possible solutions will be presented to overcome the problems in the future.
Chapter 2. Literature Based Review
The GSM network is generally divided into three parts. The Mobile Station (MS),
commonly known as the cellular phone, is the client side of the network from which calls are
generated and to which calls are directed. The second part is the Base Transceiver Station
(BTS), which deals with the radio link between the MS and other BTSs through microwave or
wired links. All BTSs logically form the Base Station Subsystem (BSS). The BSS then links
to the third component, which is the Network & Switching Subsystem (NSS). The NSS is
usually the headquarters of the communications network for every mobile phone operator. In
the NSS, various operations are performed, such as switching calls between mobile and fixed
network users, and computing billing information for customers. In the following sections,
On the user side of the GSM infrastructure, the only requirement to access the network
is to have a GSM-compatible device with unique identifiers that can be recognized by the
network. There are three forms of identification that the network accepts.
The first one is the Subscriber Identity Module card, commonly known as the
SIM card, which, among other jobs, handles the authentication of the user to the network. The
SIM card is a smart card that is inserted into the phone to provide the network with unique
details about the customer using the GSM line. This is needed in order to know, for example,
which user is placing a call, or where the call needs to be relayed to. The SIM card is a self-
sufficient smart card with an embedded microprocessor. Inside the SIM card a unique key is
stored, called the Ki. The Ki is a “randomly generated 128-bit number allocated to a particular
subscriber that seeds the generation of all keys and challenges used in the GSM system”
[www-1]. The Ki is not known to either the handset or the user, but only to the AuC
to the mobile phone called the RAND, which is passed straight to the SIM card. The smart
card then computes a Kc based on the submitted challenge string and the Ki embedded in it,
and sends it back to the network for authentication. The following figure summarises
the flow of the RAND and the Kc. In this diagram the SIM card is shown to use either the A3
or the A8 algorithm for authentication. This does not occur anymore since both A3 and A8
algorithms have been replaced by the A5/1 and A5/2, which will be discussed in depth in later
sections.
Figure 2 – SIM authentication process – Courtesy of http://www.csd.uoc.gr
The second mode of authentication identifies the user connected to the network
through another code stored in the SIM card, called the International Mobile Subscriber
Identity (IMSI) code. The IMSI code is usually2 15 digits long, where the first three digits
represent the Mobile Country Code, the next set of two (in Europe) or three (in North
America) are the Mobile Network Code (MNC), and the remaining ones are the mobile
subscriber identification number (MSIN), which are assigned by the network uniquely to
every user. The IMSI number is stored in the SIM card, and does not have as many security
restrictions as the Ki. Some level of protection has been granted to the IMSI which will be
The third mode of identification to the network pertains to the phone, which has a
unique International Mobile Equipment Identity (IMEI) code: a 15-digit unique serial number
bound to the device. The IMEI is in the form AA-BBBBBB-CCCCCC-D, where the A
group is the Reporting Body Identifier, or in simple terms the entity that registered (or
approved) the phone; the second group, or B group, is made up of six digits and represents
the TAC, or Type Allocation Code; the C group of six digits refers to a unique ID of the
device; and the last digit is the Luhn [www-2] check digit for the whole series, or zero. One of
the purposes of the IMEI is to allow the network to ban a cell phone without banning the
person’s contract. This is useful in case a phone is stolen, for example. In that situation the
owner can report the IMEI to the network operator and have the IMEI banned from accessing
any network, rendering the phone useless even if another SIM card is inserted.
2 In some countries it can be shorter; for example MTN South Africa's IMSIs are 14 digits.
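The two identifier layouts described above (IMSI as MCC + MNC + MSIN, and IMEI as AA-BBBBBB-CCCCCC-D with a Luhn check digit) as a small parser, added here as an example; it is not code from the dissertation. The MNC length is supplied by the caller because, as the text notes, it is two digits in Europe and three in North America and cannot be read off the IMSI itself. All sample identifiers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class IMSI:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits depending on region
    msin: str  # Mobile Subscriber Identification Number, the remainder


@dataclass
class IMEI:
    rbi: str         # Reporting Body Identifier (the "AA" group)
    tac: str         # Type Allocation Code (the "BBBBBB" group)
    serial: str      # per-device serial (the "CCCCCC" group)
    check: str       # the final digit as printed on the device
    luhn_valid: bool # whether that digit is the correct Luhn check digit


def parse_imsi(imsi: str, mnc_length: int) -> IMSI:
    """Split an IMSI into MCC / MNC / MSIN.

    The MNC length is not encoded in the IMSI; a real implementation looks it
    up by MCC, so here the caller passes it in (2 for Europe, 3 for North America).
    """
    if not imsi.isdigit() or not 6 < len(imsi) <= 15:
        raise ValueError("IMSI must be 7-15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return IMSI(mcc=imsi[:3], mnc=imsi[3:3 + mnc_length], msin=imsi[3 + mnc_length:])


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the right. The rightmost body digit is doubled, because the
    # check digit will sit to its right once appended.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(imei: str) -> IMEI:
    """Split a 15-digit IMEI (dashes optional) and verify its check digit.

    As the text notes, some devices carry '0' in place of a real check digit,
    so a failed Luhn check is reported in luhn_valid rather than raised.
    """
    digits = imei.replace("-", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMEI must be 15 decimal digits")
    expected = luhn_check_digit(digits[:14])
    return IMEI(rbi=digits[0:2], tac=digits[2:8], serial=digits[8:14],
                check=digits[14], luhn_valid=(digits[14] == expected))


if __name__ == "__main__":
    # Constructed samples: a North American style IMSI (3-digit MNC) and an
    # IMEI whose Luhn digit works out to 8.
    print(parse_imsi("310150123456789", mnc_length=3))
    print(parse_imei("49-015420-323751-8"))
```

A defender parsing identifiers out of captured signalling or an equipment register should treat luhn_valid as a data-quality signal only: a correct check digit says nothing about whether the IMEI is genuine, since the digit is computable by anyone.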
GSM relies on the use of cellular repeaters to distribute the signal across a predefined
area. Every area with a cellular repeater tower is called a cell. To maximize cell coverage, a
hexagonal shape has been found to be the best approach so far. Further on, each group of
seven cells is marked as a cluster. The following figure shows the hexagonal shape approach
used in modern BSSs. Each dot in the figure represents a BTS, while the hexagonal shape
(Figure: hexagonal cell layout; labels “Cellular Repeater” and “Coverage Area”)
Due to the high number of users on the GSM network, a proper system of frequency
allocation has been designed in which non-neighbouring cells are capable of reusing the same
frequency without causing interference. This is shown by the following diagram, where each
number could be interpreted as a channel. Here as many as 49 cells are driven by only seven
different frequencies.
This has helped allocate the frequency spectrum dedicated to GSM communications over a
wide territory. BSSs are divided into two parts: one part is the Base Transceiver Station
(BTS), which is responsible for the communication between Mobile Stations, and Base
Stations, while the other part is the Base Station Controller (BSC) which is the device that
controls the surrounding BTSs, radio channel allocation, handovers and communication to the
Mobile Switching Centre. Each cell is capable of communicating with every MS in its
coverage area, provided there are enough channels available for all the MS in the area to
operate on.
This last component in a GSM network is probably the core, where most of the
operations are performed. The NSS is made up of several subsections, the most relevant of
which are the Mobile Switching Centre (MSC), the Home Location Register (HLR) and the
Visitor Location Register (VLR). The Mobile Switching Centre has the duty of managing the
location of phones within the network, switching calls, managing security features, controlling
handover of calls between different BSCs, and collecting billing information. The Home
Location Register and the Visitor Location Register have the task of keeping track of the local
users and the roaming users on the network at any given time. There is usually one of these
GSM systems have several features to implement secure connections between the
Mobile Stations and the Base Stations. Authentication of the user is implemented at the
Mobile Station level by the use of a SIM card (which incorporates an IMSI number and a Ki)
and by the use of an IMEI number, while over-the-air communications are secured using
standards which vary mostly depending on the continent they are in. The most popular
encryption algorithm used for over-the-air transmissions is the A5, which has two main3
versions: A5/1 and A5/2, the latter being a purposely toned-down version of the A5/1
[www-4]. To discuss in more depth the aspects of the SIM, IMEI and the IMSI, the GSM
specifications 02.09 can be used as a reference point, since all standards branch from
them, while for an accurate understanding of the A5 algorithm, “Real Time Cryptanalysis of
A5/1 on a PC” by Alex Biryukov, Adi Shamir and David Wagner is possibly one of the best
papers explaining the workings and the hacks of the A5 algorithm.
The GSM specifications 02.09 [www-5] outline the security measures implemented in
GSM, and particularly Section 3 describes the mandatory security measures that must be
implemented in a GSM network. In the following chapters, each section pertaining to GSM
the property that the IMSI is not made available or disclosed to unauthorized individuals,
entities or processes.” Since the IMSI number is a unique identifier of a user account on a
network, its disclosure would imply that by eavesdropping on the network, an attacker would
be able to know if a certain person is in the area being scanned. This issue is addressed by the
network with the use of a Temporary Mobile Subscriber Identity (TMSI) number – a pseudo-
random number [www-6] generated from the IMSI – and a location string generated by the
MS. Every time an MS switches tower, a new TMSI is issued. A TMSI number is usually not
bound to the device in any particular format known to the user. The BSS and the NSS are the
only entities controlling the handover of the TMSI. This greatly helps user anonymity on the
network.
3 There are more variations of the A5 algorithm beyond A5/1 and A5/2. Nonetheless these are no longer used in
today’s GSM networks.
authentication is the corroboration by the land-based part of the system that the subscriber
identity (IMSI or TMSI), transferred by the mobile subscriber within the identification
procedure at the radio path, is the one claimed.” This clause ensures that every IMSI (or
TMSI equivalent) is properly recognized by the system. This prevents other MSs from using
someone else’s account to place calls. For example: “by denying the possibility for intruders
Specifications 02.09, Section 3.3.1: “The user data confidentiality feature on physical
connections is the property that the user information exchanged on traffic channels is not
clause the network allows the user to implement one of the seven available algorithms to
encrypt voice and data transmissions. In case no encryption is available the network will not
provide one, and the voice conversation or data exchange will happen without proper
security measures. This is a crucial issue in GSM security which will be dealt with in more
feature is the property that the user information which is transferred in a connectionless
packet mode over a signalling channel is not made available or disclosed to unauthorized
individuals, entities or processes.” This security measure relates for example to the Short
Messaging Service (SMS) feature, allowing a MS to send and receive data in a properly
confidentiality feature is the property that a given piece of signalling information which is
exchanged between MSs and base stations is not made available or disclosed to unauthorized
elements, and (as in the previous cases) it ensures that they are transmitted securely encrypted
from eavesdropping. The following signalling information elements are bound to be protected
by this clause: IMEI, IMSI, Calling subscriber directory number (mobile terminating calls),
3.2.1 – Overview
The A5 algorithm is the entity responsible for encrypting communications for over-
the-air data transfers. It was developed in 1987 as a closed-source algorithm4. Two years later
the second version was released, called the A5/2. One source [www-7] mentions that “there
was a terrific row between the NATO signals agencies in the mid 1980's over whether GSM
encryption should be strong or not. The Germans said it should be […] but the other countries
didn't feel this way, and the algorithm as now fielded is a French design.” This rumour is
supported by some online resources as being true, since later in 1994 the general design was
reverse-engineered, while in 1999 Marc Briceno [www-8] fully reverse-engineered the
3.2.2 – In Detail
The data from a GSM conversation is sent in a sequence of frames every 4.6
milliseconds. Each frame is characterised by 228 bits: 114 bits with the digitized
communication, and the remaining 114 bits with the digitized communication in the reverse
direction. For each conversation, a session key K encrypts the data. Next, for each frame, the session key is
mixed with a publicly known frame counter Fn, which results in 228 pseudo-random bits.
Lastly these bits are XOR’ed5 with the plaintext to create the ciphertext. Specifically, the A5/1
is built using three Linear Feedback Shift Registers (LFSR)6, R1, R2, and R3, of lengths 19,
22, and 23 bits respectively, with the leftmost bit labelled 0 (zero). Each register has a certain
number of taps, each placed in different positions: the taps for R1 are at bit positions 13, 16,
17, 18; the taps of R2 are at bit positions 20, 21; and the taps of R3 are at bit positions 7, 20,
21, 22 (see Figure below). The paper by Alex Biryukov et al. efficiently describes the process
of encrypting GSM traffic as follows: “When a register is clocked, its taps are XORed
together, and the result is stored in the rightmost bit of the left-shifted register. The three
registers are maximal length LFSR's with periods 2^19 − 1, 2^22 − 1, and 2^23 − 1, respectively. They
are clocked in a stop/go fashion using the following majority rule: Each register has a single
"clocking" tap (bit 8 for R1, bit 10 for R2, and bit 10 for R3); each clock cycle, the majority
function of the clocking taps is calculated and only those registers whose clocking taps agree
with the majority bit are actually clocked. Note that at each step either two or three registers
are clocked, and that each register moves with probability 3/4 and stops with probability 1/4.”
4 Closed-source is commonly used as an antonym to open-source; i.e. the source code is not distributed along
with the final product.
5 XOR is a logical function by which distinct inputs generate a true value (or one), and equal inputs generate a
false (or zero) value.
6 A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous
state.
Figure 5 – Representation of the three LFSRs and the Clocking Unit – Photo courtesy of wiki.thc.org/cracking_a5
“The process of generating pseudo random bits from the session key K and the frame
clock control). During this period each bit of K (from lsb to msb) is XOR'ed in parallel into
The three registers are clocked for 22 additional cycles (ignoring the stop/go clock
control). During this period the successive bits of Fn (from lsb to msb) are again XOR'ed in
parallel into the lsb's of the three registers. The contents of the three registers at the end of this
The three registers are clocked for 100 additional clock cycles with the stop/go clock
The three registers are clocked for 228 additional clock cycles with the stop/go clock
control in order to produce the 228 output bits. At each clock cycle, one output bit is produced
3.2.3 – Flaws
The main flaw in the A5/1 algorithm revolves around the limited size of the three
Linear Feedback Shift Registers. As described, R1+R2+R3 hold 64 bits of information, which
gives 2^64 possible states. Using the Golic time-memory tradeoff as described in the Biryukov
paper, it is possible “to keep a large set A of precomputed states on a hard disk, and to
consider the large set B of states through which the algorithm progresses during the actual
generation of output bits. Any intersection between A and B will enable us to identify an
actual state of the algorithm from stored information.” [www-4] This is the principle around
which the tables of the THC team have been generated. More information on Time/Memory
From its inception, GSM was never designed to be a highly secure system.
Roaming and portability per se were the focus of attention, to make a highly scalable and user-
friendly system. Furthermore, GSM technology can be regarded as a fairly old technology in
computing terms, since it was developed between the mid 1980s and the very early 90s.
Some of the algorithms used in securing conversations in GSM were once thought to be
virtually unbreakable in a timely manner, since computing power was not at today’s standards;
but with the advances in technology since the 1980s, it has become possible to break the
According to some sources [www-9] this is possibly the biggest flaw in the GSM
protocol. This flaw implies that the MS is not aware whether it is connected to a legitimate BS, since
the BS does not need to prove its knowledge of the Ki. “Thus it is possible for an attacker to setup
a false base station with the same Mobile Network Code as the subscriber’s network. Since
the authentication procedure initiation is up to the network’s discretion, the false network may
choose not to authenticate at all, or simply send the RAND and ignore the response. It does
not have to activate ciphering either. The attacker can set the cell reselection parameters of his
false base station to values that will highly encourage his ‘victims’ to camp on it – such as a
high CELL_RESELECT_OFFSET.” [www-10] This flaw can also be thought of as the basic
attacks.
3.4 – Preventing Attacks
The constant war between code-makers and code-breakers ensures that new standards
This evolution is made evident by the patches and upgrades released by the software industry to
make their products more secure and stable. Nonetheless this evolution has not yet occurred
in the GSM industry. The reason for this is possibly explained by the fact that in the software
industry the product being updated only requires downloadable patches to be applied, while in
a GSM network, implementing radical “patching” of the security flaws would most certainly
mean cutting off the service to a large portion of GSM users, unless everyone changed their
handset during the same period. Some patching was done years back with the
introduction of the A5 algorithm, which was thought to be unbreakable (also because it was
meant to be kept secret). Most telecom firms do not see any urgency in increasing the level of
security, since to date there have been no known cases of eavesdropping by the public;
hence the threat is regarded as nonexistent. Possibly the work of the THC group might raise concerns
in future, as it has earlier this year.7 Their constant work in this area is shown by the
intense communications through their mailing list, and the rapid updating of the wiki pages as
new information comes through. Perhaps a new possibility of attack might spark the
deployment of a new, more secure standard for communications, creating a new challenge for
hackers.
7 See responses given to the media on http://wiki.thc.org/cracking_a5
3.4.2 – Alternative GSM Devices: The Cryptophone
As mentioned earlier in this chapter, one of the flaws in GSM authentication is the
one-way authentication in which towers do not authenticate to the MSs. The Cryptophone
[www-11] is described as being “the first and only fully trustworthy solution for completely
confidential mobile phone calls.” [www-12] This device has the same inner workings as a
common GSM phone, except that it has the ability to further encrypt conversations. GSM
protocols only have the ability to encrypt data from the MS to the BS; hence everything else
is transmitted in clear text, allowing easy tapping at the BSS (Base Station Subsystem), for
example. To prove their strength, the company that produces the Cryptophone states that all
its phones “come with full source-code available for independent review.” This aspect can be
seen as a guarantee by consumers, since they are certain that their product can be marked as
being “safe.” Nonetheless it also encourages hackers to crack that protection open and exploit
In sections 4.2 and 4.3, two proposed approaches will be analysed. The first approach
involves the use of a device to perform a live intercept of GSM phone calls, while the second
implies the use of small and inexpensive hardware to retrieve the Ki from a SIM card.
4.2.1 – Overview
BBC UK defines the IMSI catcher as a device that “pretends to be a legitimate base
station of the mobile phone network and tricks the [victim’s] phone into routing its call via the
IMSI-catcher where it can be passed on for decryption. Once received, the IMSI-catcher
passes the call on to the network, so the suspect is none the wiser he is being monitored.”
[www-13] This device is known to be used by government and law enforcement agencies
to intercept cellular phone conversations. Due to its sensitive nature, it is only produced by a
small number of firms worldwide (mostly North American, British, and some Italian), and is
only sold to government agencies and special forces with prior verification of the identity of
the buyer8. The images that follow are examples of publicly available photographs of IMSI
catchers.
8 Most producers of IMSI catchers on the Web announce that they will only supply this product to government
agencies and special forces after identity verification.
Figure 6 – IMSI Catcher – Photo Courtesy of www.iwi.uni-hannover.de
conversations at the same time. Figure 7 shows how an IMSI catcher can be mounted inside a
van for mobile tracing operations, since it is possible that the person being traced is not in a
static position while talking (for example is commuting from home to work). The following
In this image it can be seen how the device is capable of intercepting IMEI codes from
scan the air and detect uplink and downlink frequency strengths to find the MSs in the vicinity
The image above instead shows the device capturing the IMSI code. Both in
screenshot one and in this third screenshot the device is positively acquiring sensitive data
messages. This is another useful feature to eavesdrop on GSM conversations. All the
As with many commercial hardware and software products on the market these days,
the open-source community is usually challenged to create a better, faster and more efficient
device using open technologies. There is one group in particular called The Hackers Choice
[www-14], or THC for short, which is actively working to hack this technology to create an
IMSI catcher. Since this device is banned from public use, any sort of official documentation
or specification sheet is nonexistent. Nonetheless the wiki [www-15] where the THC
community exchanges ideas and information is regularly updated with the progress of the
research in this field. Possibly this resource is the richest in content known on the web, also
since many other sources appear to be linking to it as their main reference. The latest news as
of March 2008 highlights the completion of a set of tables 2.2 Terabytes9 (roughly
more than 2200 Gigabytes) in size which should be able to decrypt A5/1 encrypted messages
(audio and text messages) in real time. Steve (steve@segfault.net) reports through the GSM
Mailing List10 that “[they] ran over 30 cracks so far and recovered the Kc 29 times.”11 This
breakthrough shows the success of the THC team in cracking the encryption algorithm once
more in the history of GSM. Due to the size of the tables they “figured that many people will
not be able to download 2TB over the internet,” therefore they are planning on offering a
web portal for the internet community where people can “submit [their] GSM frame and […]
get the Kc back in return.”12 The team is also hoping to provide a demonstration of a live
intercept with the use of their tables at the April 2008 HackInTheBox Conference to be held
in Dubai [www-16].
9 E-mail conversations with Steve (steve@segfault.net) – See Appendix B
10 gsm@lists.segfault.net
11 Mon, Mar 31, 2008 at 10:04 PM on gsm@lists.segfault.net
Other groups researching GSM technologies are either not as active as THC, or their
main focus of research is not centred on the cracking of GSM. For example the OpenMoko
group [www-17] is a team of hardware and software developers creating a totally open-source
mobile device similar to Apple’s iPhone [www-18] to enable the Open Source communities
worldwide to create their own applications in a more transparent way than Apple is. Some
developers also mentioned the possibility of creating a software IMSI catcher installable on
OpenMoko devices. Controversy on this may arise, since, if a device like this was ever to be
4.3.1 – Overview
Intercepting calls through SIM cloning is much easier than dealing with over-the-air
interception of calls. One well-known piece of software which was able to clone SIM cards
effectively is SimScan (version 2.01) [www-19]. SimScan is described by its author as “a program that
allows functionality analysis of your GSM SIM smart card. […] With this program you can
analyze: ATR, CLA+INS, FILES, Key. Also, you can write IMSI and Ki to GSM a38 SIM
Gold Card (PIC 16f84 & EEPROM 24c16). Finding Ki works on 100% of new SIM cards
from 2000-2002 with COMP128-1 ciphering algorithm.” [www-20] As can be noted from
the rough description, the program has not been updated for a few years now, and hence does
not support the new models of SIM cards on the market today, which ensure greater protection
against this practice using the newer COMP128v2 algorithm (which is now embraced by the
A5 algorithm).
12 Mon, Mar 31, 2008 at 10:04 PM on gsm@lists.segfault.net
assemble the PCB to perform the cloning. The PCB layout is shown in the following figure.
The above PCB layout requires only a minimal amount of components. These are
outlined in Appendix C. Following are examples of implemented PCB layouts built for this
purpose.
Figure 13 – A Home-made version of a SimScan Hardware. The Serial Connector can be seen on the top, while
the Quartz is on the bottom right and the SIM card holder on the bottom left – Photo courtesy of
http://ucables.com/ref/SIM-SCAN/es
SIM card. Of note is the “Find Ki” button, which is the most useful one for finding the Ki of a SIM
card.
5.1 – Overview
The design of a device capable of intercepting GSM phone calls, recording the
content, and relaying it to the nearest real base station is a multi-step procedure that involves
many different technologies. Software approaches are sometimes preferred since they appear
and Hardware devices will be used. Ettus Research LLC [www-21] produces a device capable
daughterboards, each one of them covering a different portion of the radio spectrum. The
board is equipped with two RX channels and two TX channels, each able to support one
board, for a total of four parallel boards. The various daughterboards are capable of covering
the frequency range from DC to 2.9 GHz as of February 2008. Currently the USRP board
DC to 30 MHz receiver
DC to 30 MHz transmitter
nature, both in hardware and software, and the relatively low price, make this setup an ideal
entry-level hardware choice for receiving and potentially transmitting on GSM channels. For
the design of the IMSI catcher, therefore, the USRP has been appointed as a “favourite” among
hackers.
component needs engineering and testing on its own; then the whole unit needs to be
assembled and tested. The core components needed for the IMSI catcher are the Receiver, the
Transmitter, the Decryption device (software or hardware), the Relaying circuitry, and the
Recording device. In the sections to come each single component of the IMSI catcher will be
analysed in detail.
This is the first virtual interface in the design. It has the job of receiving signals from
the Mobile Station and from the Base Station; hence two physical interfaces are required
(unless switching is performed). The THC Group lists ten approaches in section 5.3 of their
wiki [www-23] which are a good start to decide which type of hardware to use for the
receiver:
The first option requires the purchase of a proprietary device. This usually implies low
compatibility with other hardware, and the item is usually not equipped with Open Source
Software.
2. “Use the USRP (Universal Software Radio Peripheral) board from Ettus and develop the
rest in software (C++, python) and/or verilog (firmware of USRP). (Still requires
This option involves the use of an Open platform as previously described:
the USRP. This solution would not be portable to other boards or devices; nonetheless, the
fact that the board is produced with Open Documentation allows anyone to reproduce it and
contribute to the code.
3. “Patch the Baseband Processor of an existing mobile phone (possible but not portable)”
This option involves the hacking of a mobile phone, and as the comment states it is
“possible but not portable,” meaning that if a certain model of phone is patched to receive raw
GSM signals, then the patch will only work for that model, and not be portable to other
4. “Attach the Baseband signal of an existing mobile phone to a digitizer (for example the
USRP or a simpler AD/DA converter board with at least 1 MHz sample rate) (This option
is also not very portable and hard to connect to those tiny traces (has been tried). The best
shot is using a very old big phone but then you only get the low 900 MHz band (and not
the 1800/1900 MHz band)) (comment: 3 and 4 are also dead-ends in the long run as we
would only be able to receive but certainly never be able to transmit. Both approaches also
This option describes itself very well. By attaching the Baseband signal of an existing
mobile phone to a digitizer there is a need for two devices: a mobile phone and a digitizer like
the USRP for example. This would mean even less portability than the previous option, since
5. “Using a nokia phone or the MC351i from Siemens. For both devices is it possible to
update the firmware on the Baseband processor. This would mean we would have to
disassemble the firmware and do binary patching. Probably limited to 1 channel (but we
can use 128 phones at the same time:>). Not as flexible as the USRP.”
6. “Use Analog's development board. This way we do not have to bother with DSP and can
7. “The Sagem OT460 is a trace phone which connects via USB to a PC. It comes with
monitoring software. It captures data from the Control Channel (Channel Dm, uplink +
8. “A Watkins Johnson 8691A receiver can trace 6 phone calls at the same time. It requires
PC software that is impossible to get. The company currently refused that they even
9. “The IZT CCT is a commercial multiband receiver with a bandwidth of 16 mbit. It's
connected via Ethernet. tkrauze@o2.pl is working on this one. We currently believe that
the USRP is the cheaper solution but we are keen to compare results.”
Options five through nine on the other hand deal with a more software-oriented
approach, either through the use of commercial hardware like existing models of mobile
phones, or through dedicated hardware like the Watkins Johnson 8691A receiver or the IZT
CCT.
10. “Using http://www.comblock.com/ hardware to capture data to an IQ file, then using
MATLAB and the modified GSMSim scripts to parse the file. Perhaps convert the
COMBLOCK IQ file to the format from USRP for use with the GNURadio software.
This last option requires the use of multiple devices and software products chained
together. This obviously seems to be the most complicated option for this device, and perhaps
Overall to route the digital signal into a computer, the list of options deals with these
main branches:
8691A receiver
Among these four options, the most versatile and flexible one definitely seems to be
option number two. The use of Open Source software, drivers and peripherals enables
developers around the globe to contribute to code being written for any particular platform.
The THC Team also seems to have settled on the use of Open Source hardware, and more
capable receiver needs to be able to listen on all the frequencies allocated to GSM
conversations [www-24]. The frequency allocation of GSM includes GSM-900 and GSM-
1800 which are mainly used in Europe, and some parts of Central/South America, and GSM-
850 which is mostly used (in conjunction with GSM-1900) in the United States and Canada.
GSM-850 uses 824–849 MHz for the uplink channels and 869–894 MHz for the downlink
channels. GSM-900 uses 890–915 MHz for the uplink channels and 935–960 MHz for the
downlink channels. GSM-1800 uses 1710–1785 MHz for the uplink channels and 1805–
1880 MHz for the downlink channels. GSM-1900 uses 1850–1910 MHz for the uplink
channels and 1930–1990 MHz for the downlink channels. The following table summarises the
As a result it can be deduced that GSM standards use frequencies between 824 MHz
For the receiver component of the GSM intercepting device therefore, it seems that the
most appropriate USRP daughterboard is the DBSRX, which covers frequencies from 800
MHz to 2.4GHz. This board then has to be coupled with an appropriate antenna to properly
The main decision when choosing an antenna has to be around its directivity and the
relative gain (dBi). A directional antenna (a Yagi for example) will be more adequate to point
towards a desired location and receive signals from a specified area, while an omnidirectional
antenna will be more useful to survey the region in a uniform manner (360
degrees on the horizontal plane). Discussions on types of antennas are certainly very
important and interesting at the same time; nonetheless they are beyond the scope of this
paper.
Relating to software, as previously said, the USRP family of boards embraces Open-
Source standards. This allows developers to contribute their own code and solutions to expand
the usability of this type of boards. For this reason, the choice of operating system has been
GNU/Linux (or more commonly known simply as Linux) and the Radio package called
GnuRadio. GnuRadio’s functionality depends on logical blocks written in C++ which are then
in turn accessible through high level python commands as objects. Pawel Koszut, in his paper
entitled “GSM scanning tutorial” describes in detail some procedures known so far when
trying to implement GSM scanning using USRP boards. As Koszut mentions in his paper,
GnuRadio provides a very useful script called usrp_fft.py in the path gnuradio/gnuradio-
bands and to find GSM Base Transceiver Stations (BTS [or BS]) transmitting in your area.” A
tutorial on the modalities of scanning with the USRP and GnuRadio and FFT (Ettus USRP
On the Transmitter side, Ettus Research LLC currently does not provide one solution
that embraces the whole GSM spectrum, as the DBSRX does for the receiver; the only
apparent usable solution would be to combine the RFX900 (800-1000MHz) and the RFX1800
(1.5-2.1 GHz), which together cover most of the available GSM spectrum [www-25]. Not
much research has been undertaken into transmitting the GSM signals since the efforts so far
have been centred on cracking the encryption mechanism. To effectively create a working
transmitting unit, it is possibly best to first complete a working receiving unit and the relaying
device. So far research has not achieved this, since only in the last months it was possible to
The main player in this field is the THC group. Only recently¹³ the group was able to
release the first version of the famous 2.2 Terabytes of tables to decrypt GSM conversations
discussed in 4.1.2. Therefore so far it is possible to receive GSM data, and return the Kc (the
memory use. To break the same code, currently it is possible to use two approaches: The first
involves high processor usage for long periods of time (usually five to seven hours) to break
one conversation with a high success rate¹⁴; while the second method involves the
precomputation of a set of tables varying in size and the subsequent reduction in computing
time to almost-real time, to a few seconds¹⁵. The GSM project run by the THC group has
produced tables 2.2 Terabytes in size and they have declared that their success rate is 95%. To
increase the success rate from 95% to 97.5% a doubling of the table size is required from 2.2
Terabytes to 4.4 Terabytes. And again, to achieve a 98.75% success rate the tables need to be
doubled again. The relationship can be simply explained as: for every time the table is
doubled, the non-success rate is halved, generating the following recursive formula:
F(n) = F(n-1) + (1 - F(n-1))/2
13 Late March / April 2008
14 Depending on the method used, success rate varies between 95% and 99.998%
15 This process usually involves the use of large tables ranging between a few gigabytes to several Terabytes. The
size of the tables influences the success rate, while the algorithm used influences the cracking time.
The following values have been calculated to estimate table size for high success rate
values.
To visually see the trend of the data, plotting the above values into a chart would
Figure 8 – Graphical representation of Table 2 developed using Microsoft Excel (vertical axis: Success Rate, 92% to 101%; horizontal axis: table size in Terabytes, doubling from 2.2 up to 36,044.8)
An adequate success rate would probably be around 99.99% which would require
tables possibly 1,126 Terabytes in size, approximately 1 Petabyte in size¹⁶; definitely out of
the reach of any individual so far. Nonetheless a 95% or a 97% success rate is more than
acceptable and would clearly be achievable using commercially available products. This
shows the advantage of using time/memory tradeoffs to achieve high success rates.
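The doubling rule above, worked through as an added example (not code from the dissertation): the recursion F(n), its closed form, and the number of doublings (and hence the table size) needed for a target success rate, starting from the 2.2 Terabyte / 95% figures quoted in the text.

```python
from math import ceil, log2

# Figures quoted in the text for the THC tables.
BASE_TABLE_TB = 2.2    # size of the first released table set, in Terabytes
BASE_SUCCESS = 0.95    # success rate declared for that table set


def success_rate(n, f0=BASE_SUCCESS):
    """F(n) = F(n-1) + (1 - F(n-1))/2 evaluated iteratively, with F(0) = f0.

    Each doubling of the tables halves the failure rate 1 - F."""
    f = f0
    for _ in range(n):
        f = f + (1 - f) / 2
    return f


def success_rate_closed(n, f0=BASE_SUCCESS):
    """Closed form of the same recursion: the failure rate after n doublings is (1 - f0) / 2**n."""
    return 1 - (1 - f0) / 2 ** n


def table_size_tb(n, base=BASE_TABLE_TB):
    """Table size after n doublings, in Terabytes."""
    return base * 2 ** n


def doublings_for(target, f0=BASE_SUCCESS):
    """Smallest number of doublings n such that F(n) >= target.

    Solves (1 - f0) / 2**n <= 1 - target for n, then corrects for float rounding."""
    if not (0 <= f0 <= target < 1):
        raise ValueError("need 0 <= f0 <= target < 1")
    n = max(0, ceil(log2((1 - f0) / (1 - target))))
    while success_rate_closed(n, f0) < target:
        n += 1
    while n > 0 and success_rate_closed(n - 1, f0) >= target:
        n -= 1
    return n


def size_for_success(target):
    """Table size in Terabytes needed to reach a given success rate."""
    return table_size_tb(doublings_for(target))


def tradeoff_table(rows=15):
    """(n, size in TB, success rate) for n = 0 .. rows-1.

    rows=15 reproduces the 2.2 ... 36,044.8 Terabyte axis of Figure 8."""
    return [(n, table_size_tb(n), success_rate(n)) for n in range(rows)]


if __name__ == "__main__":
    for n, size, rate in tradeoff_table():
        print(f"{n:2d} doublings: {size:10.1f} TB  success {rate * 100:.5f}%")
    # 99.99% needs 9 doublings: 2.2 * 2**9 = 1126.4 TB, the ~1 Petabyte figure in the text.
    print("99.99% ->", doublings_for(0.9999), "doublings,", size_for_success(0.9999), "TB")
```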
After a quick market research carried out in February 2008 and then updated in April
2008, the price to create a redundant¹⁷ array of disks to store the 2.2 Terabytes of information,
ranged between 500.00 GBP and 600.00 GBP depending on the models of drives and disk
controllers¹⁸. With this amount of money it is possible to store the complete tables produced
16 1 Petabyte = 1024 Terabytes
17 A Redundant array will guarantee data availability even in case of a drive failure. The most adequate setup
would be to use a RAID 5 configuration.
Layer, or in Hardware, at the Physical Layer. Each choice will have its advantages and
disadvantages, and no conclusions on this device can be formulated without first fully
understanding how transmission works. The main problem for the relaying device will be
related to frequency (or channel) hopping, and BS handovers. The relaying device needs to
control the transmission device and send instructions to allow handovers and present a
The recording device is possibly the least difficult to find and insert into the layout of
an IMSI catcher. The recording device can either be software based or hardware based.
Software based will imply the use of the computer where the decryption is taking place as the
recording device. Programs for software recording are varied, and free solutions like Audacity
for example are available. For Hardware recording solutions, a tape recorder may be used
(even if now outdated), or a more modern CD-recorder. Nonetheless a tape recorder might be
more efficient than a CD-recorder since there is no need for high quality recording due to the
very lossy quality of GSM compression compared to the quality obtainable with a CD-ROM,
and if the IMSI catcher is installed on a vehicle, then possibly the CD-recorder might be too
delicate, and also susceptible to vibrations. Instead of using commercial tapes for the
recording a DAT tape player may be used instead. This will increase the cost of the recorder
but will possibly provide a more robust interface for the user. DAT Tapes are still widely
available today as they are to date a very good media for storing multi-track recordings in
18 This price only includes the disk array and the RAID controller card.
In the very near future an implementation will be attempted using the USRP board as
soon as it is available again from Ettus. There is also news of a USRP v2 coming out this
year, which should be more powerful than the current version. No specifications are out yet,
but it will be interesting to also investigate the newer version rather than the current one. It
will probably support the current product line of Daughterboards, so it should keep the costs
A plan to share the A5/1 tables in Richmond University has also been passed to the
department with a Cost Analysis and Resource Requirements. It seems to be a possible project
that can be implemented in the near future, and something definitely that would contribute to
This field has been of personal interest for years, and time and knowledge halted me
from ever exploring it in depth. This dissertation has allowed me time to learn more about this
area and experiment with new technologies. Since starting the project the complexity of
developing a hardware platform was weighed against time. Time seemed to be enough for
the development of the project, and so a choice was made to stick with this topic.
Unfortunately during the course of the research, more complexities started to arise which
highly disrupted the workflow on this project; and since the deadline is fixed for this paper, no
workarounds could be accomplished in the limited time frame. When the time came to order
the hardware for the USRP board from Ettus.com, another issue delayed the implementation:
Ettus was out of stock of USRP boards and DBSRX Daughterboards until the last weeks of
April. This made it impossible to develop a hardware solution using the USRP board. No
other vendors supply the USRP board except the producer itself. A SIM cloning device was
also attempted, but the fact that it only reads SIM cards that use COMP-1, limited the usable
SIM cards to about 5% of the market which meant that it was hard or impossible to know
which company still produced COMP-1 cards, if such information was available to the public.
In the upcoming months an implementation will be attempted using the USRP. The results
should prove that over-the-air interception with the aid of commercially available products is
technically achievable.
References
Alfred, J., “Ensure strong security in mobile transactions”, Certicom, Feb 2007
Biryukov, A., Shamir, A. and Wagner, D. “Real Time Cryptanalysis of A5/1 on a PC”, 27
April 2000
Digital cellular telecommunications system (Phase 2+); Security aspects, (GSM 02.09 version
6.1.0 Release 1997)
Quirke J. “Security in the GSM system”, AusMobile, 1 May 2004. Available from:
www.csd.uoc.gr/~hy457/_Past-Courses/0506F/papers/Security_in_the_GSM_system.pdf - Last
Access 29/04/2008
Periannan R., Fahham F. “Questions & Answers about Cellular Networks – Mobile Phones”
Text References
[www-2] http://www.dotnetjohn.com/articles.aspx?articleid=97
[www-3] http://www-dse.doc.ic.ac.uk/~nd/surprise_96/journal/vol1/pr4/article1.new-4.gif
[www-4] Real Time Cryptanalysis of A5/1 on a PC, Alex Biryukov, Adi Shamir, David
Wagner. 27 April 2000
[www-5] http://www.3gpp1.org/ftp/tsg_sa/WG3_Security/TSGS3_11_Mainz/Docs/PDF/S3-
000142.pdf
[www-6] http://www.gsm-security.net/faq/timsi-temporary-imsi-gsm.shtml
[www-8] http://cryptome.org/gsm-a512.htm
[www-11] http://www.cryptophone.de/
[www-12] http://www.cryptophone.de/
[www-13] http://news.bbc.co.uk/1/hi/technology/4738219.stm
[www-14] http://www.thx.org
[www-16] http://conference.hitb.org/hitbsecconf2008dubai/
[www-17] http://www.openmoko.org/
[www-18] http://www.apple.com/iphone/
[www-19] http://users.net.yu/~dejan/
[www-20] http://users.net.yu/~dejan/
[www-21] http://www.ettus.com/
[www-22] http://www.ettus.com/downloads/ettus_broch_trifold_v3b.pdf
[www-23] http://wiki.thc.org/gsm
[www-24] http://www.gsmworld.com/roaming/gsminfo/index.shtml
[www-25] http://www.ettus.com/custom.html
Appendices
The original Time Management Plan was designed in December 2007 to represent an
approximate evolution of the work to be done. Nonetheless it was not possible to adhere to
the time organization, since the project actually mutated over time. The modified Time Plan is
shown in the following image representing at its best the development of the project.
Both Time Management Plans were designed using the online software at
http://www.helpuplan.com
The following is a list of components to build the hardware for SimScan v 2.01.
Quantities are not noted since some spares were bought for backup reasons (in case a
component was damaged while building the device). Also tools are not included, such as
100nF. capacitor
33pF. disc ceramic capacitor.
White 6C Round Security Cable (Or any cable with at least 5 gauges)
The implementation of these five security features is mandatory on both the fixed
infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be
able to support every security feature. Use of these five security features is at the discretion of
the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of
these five security features is mandatory unless otherwise agreed by all the affected PLMN
3.1.1 Definition
The subscriber identity confidentiality feature is the property that the IMSI is not made
3.1.2 Purpose
This feature provides for the privacy of the identities of the subscribers who are using
GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the
improvement of all other security features (e.g. user data confidentiality) and provides for the
protection against tracing the location of a mobile subscriber by listening to the signalling
This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is
transferred in signalling messages (see subclause 3.5) together with specific measures to
preclude the possibility to derive it indirectly from listening to specific information, such as
addresses, at the radio path. The means used to identify a mobile subscriber on the radio path
consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in
GSM 03.20.
When used, the subscriber identity confidentiality feature shall apply for all signalling
sequences on the radio path. However, in the case of location register failure, or in case the
3.2.1 Definition
the land-based part of the system that the subscriber identity (IMSI or TMSI), transferred by
the mobile subscriber within the identification procedure at the radio path, is the one claimed.
3.2.2 Purpose
The purpose of this authentication security feature is to protect the network against
unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the
The authentication of the GSM PLMN subscriber identity may be triggered by the
some or all of: location updating involving change of VLR, registration or erasure of a
supplementary service); or an access to a service (including some or all of: set-up of mobile
If, on an access request to the GSM PLMN, the subscriber identity authentication
procedure fails and this failure is not due to network malfunction, then the access to the GSM
If an MS has already been registered (and therefore been already authenticated) and
can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was
not able to provide authentication pairs RAND, SRES), calls are permitted.
3.3.1 Definition
The user data confidentiality feature on physical connections is the property that the
3.3.2 Purpose
The purpose of this feature is to ensure the privacy of the user information on traffic
channels.
Although a standard algorithm will normally be employed, it is permissible for the mobile
station and/or PLMN infrastructure to support more than one algorithm. In this case, the
infrastructure is responsible for deciding which algorithm to use (including the possibility not
When necessary, the MS shall signal to the network indicating which of up to seven
ciphering algorithms it supports. The serving network then selects one of these that it can
support (based on an order of priority preset in the network), and signals this to the MS. The
selected algorithm is then used by the MS and network. The network shall not provide service
to an MS which indicates that it does not support any of the ciphering algorithm(s) required
by GSM 02.07.
The ME has to check if the user data confidentiality is switched on using one of the
seven algorithms as defined in GSM 02.07. In the event that the ME detects that this is not the
case, or ceases to be the case (e.g. during handover), then an indication is given to the user.
This ciphering indicator feature may be disabled by the SIM (see GSM 11.11).
In case the SIM does not support the feature that disables the ciphering indicator, then
The nature of the indicator and the trigger points for its activation are for the ME
manufacturer to decide.
During the establishment of a call the trigger point shall be at call initiation at the
latest. In the case of handover the trigger point shall be the completion of handover at the
latest.
The manufacturer may provide the means to enable the user to temporarily disable the
feature. This should be done in such a way that the user can protect it from misuse.
3.4.1 Definition
The connectionless user data confidentiality feature is the property that the user
3.4.2 Purpose
The purpose of this feature is to ensure the privacy of the user information on
Broadcast.
3.5.1 Definition
The signalling information element confidentiality feature is the property that a given
piece of signalling information which is exchanged between MSs and base stations is not
3.5.2 Purpose
The purpose of this feature is to ensure the privacy of users related signalling
elements.
The signalling information elements included in the message used to establish the
The following signalling information elements related to the user are protected
The IMEI shall not be changed after the ME’s final production process. It shall resist
tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and
software).
NOTE: This requirement is valid for new GSM Phase 2 and Release 96, 97, 98 and 99
readily changed by the user, but can be updated with changes to the software. The security of
A mobile phone will normally look for a suitable GSM base station on a channel in the GSM-
900 band. The GSM-900 band is made up of the following frequency bands:
Update 2008-01-25: There are a number of GSM bands a mobile phone can use and these
bands can be different depending on the country you are in. Most of the world uses the GSM-
900 and GSM-1800 bands, the most notable exceptions are the United States, Canada and
other parts of the Americas which use the GSM-850 and GSM-1900 bands.
Update 2008-01-25: The rest of the techniques in this article can be adjusted to work in the
Each channel is made up of two radio frequencies, a TX and an RX frequency, 45 MHz
apart; the frequencies have a 200 kHz carrier spacing, for example channel 12 uses the
A base station (cell) will be allocated a set of channels, one of these channels is called the
BCCH carrier. This channel contains lots of useful information about the base station (BCCH
(Broadcast Control Channel)) and provides a mechanism for the mobile phone to find the base
We can use the FCCH to manually find an active base station using GnuRadio software and
USRP hardware with a DBSRX module. Setting up a GnuRadio environment is not covered
in this howto.
The FCCH generates a Frequency correction burst (FB) which can be seen on a spectrum
(frequency-domain) plot as a peak frequency offset 66.7 kHz (+1625/24 kHz) above the
carrier center. A suitable spectrum plot can be generated by the usrp_fft.py command.
When this above command is run, a plot window similar to Image 1 is shown with a random
moving blue line which represents the amplitude of the signal detected at that frequency. The
frequency range shown is -1 MHz to +1 MHz below and above the center frequency of 921
A possible active channel should be visible in the plot display as a wide bump centered around a
The center frequency can be modified by typing a new value into the Center freq: text box
and pressing the enter key. Scan forward through the frequency range by typing 922M [enter],
923M [enter], etc., looking for interesting channel bumps in the blue line centered around a
vertical division.
In my scan the first interesting channel bump appeared near center frequency 937 MHz
(Image 2). Note: the slight bump to the left is an artifact and can be ignored.
centers us in on the possible channel. Notice in Image 3 that the spectrum to the right of the
center channel has a similar amplitude; this tells me that other channels might be in use for
traffic data or that I'm picking up more than one base station.
By right clicking on the plot window and selecting the Peak Hold option the plot shows the
highest amplitude received. After about 30 seconds any Frequency correction bursts should be
clearly visible as narrow peaks in the plot. Image 4 shows three Frequency correction bursts
highlighted with red arrows, and possibly two more. It would not be normal to expect so
many BCCH carriers so close together and it is most likely we are picking up more than base
We should continue scanning for a more suitable base station. Right click again and select
Peak Hold to deselect that option. Enter the next center frequency.
The next interesting center frequency is 941 MHz (Image 5). This possible channel bump is at a
significantly higher amplitude, which would indicate that the base station is closer. The Peak
Hold plot (Image 6) shows very clear Frequency correction bursts. Also the peaks to the
We can be pretty sure that this is a local base station channel and we should record its center
frequency for future in-depth investigation. We can continue scanning for more base stations.
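An added example, not code from the dissertation or from the scanning tutorial reproduced above, serving both the band allocation listed in section 5 and the channel / FCCH description in this tutorial: the four band tables from the text, the 200 kHz carrier grid and 45 MHz GSM-900 duplex spacing, and the FB offset, combined into a small helper for reading a usrp_fft.py display. The ARFCN numbering (first channel number and first uplink frequency per band) is an assumption taken from the 3GPP channel-numbering convention; the page itself does not reproduce it.

```python
CARRIER_SPACING_MHZ = 0.2      # 200 kHz carrier spacing (tutorial)
FCCH_OFFSET_KHZ = 1625 / 24    # FB peak above the carrier, using the tutorial's formula (~67.7 kHz)

# (uplink_lo, uplink_hi, downlink_lo, downlink_hi) in MHz, exactly as listed in the text.
GSM_BANDS = {
    "GSM-850": (824.0, 849.0, 869.0, 894.0),
    "GSM-900": (890.0, 915.0, 935.0, 960.0),
    "GSM-1800": (1710.0, 1785.0, 1805.0, 1880.0),
    "GSM-1900": (1850.0, 1910.0, 1930.0, 1990.0),
}

# ARFCN numbering: (first_arfcn, last_arfcn, uplink MHz of first_arfcn).
# Assumption: standard 3GPP numbering, which the page does not state.
ARFCN_RANGES = {
    "GSM-850": (128, 251, 824.2),
    "GSM-900": (0, 124, 890.0),
    "GSM-1800": (512, 885, 1710.2),
    "GSM-1900": (512, 810, 1850.2),
}


def duplex_spacing_mhz(band):
    """TX/RX separation derived from the band table: 45 MHz for GSM-850/900, 95 for 1800, 80 for 1900."""
    ul_lo, _, dl_lo, _ = GSM_BANDS[band]
    return round(dl_lo - ul_lo, 4)


def arfcn_to_freq(band, arfcn):
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the given band."""
    first, last, f_first = ARFCN_RANGES[band]
    if not first <= arfcn <= last:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({first}-{last})")
    uplink = f_first + CARRIER_SPACING_MHZ * (arfcn - first)
    downlink = uplink + duplex_spacing_mhz(band)
    return round(uplink, 4), round(downlink, 4)


def freq_to_arfcn(band, f_mhz):
    """Inverse mapping: (arfcn, 'uplink'|'downlink'), or None if f_mhz is not a carrier of the band."""
    first, last, f_first = ARFCN_RANGES[band]
    for direction, base in (("uplink", f_first), ("downlink", f_first + duplex_spacing_mhz(band))):
        n = first + round((f_mhz - base) / CARRIER_SPACING_MHZ)
        if first <= n <= last and abs(base + CARRIER_SPACING_MHZ * (n - first) - f_mhz) < 1e-6:
            return n, direction
    return None


def bands_for_frequency(f_mhz):
    """All (band, direction) allocations containing f_mhz; above 1.8 GHz there can be more than one."""
    hits = []
    for band, (ul_lo, ul_hi, dl_lo, dl_hi) in GSM_BANDS.items():
        if ul_lo <= f_mhz <= ul_hi:
            hits.append((band, "uplink"))
        if dl_lo <= f_mhz <= dl_hi:
            hits.append((band, "downlink"))
    return hits


def fcch_peak_mhz(downlink_carrier_mhz):
    """Where the frequency-correction burst shows up on a peak-hold spectrum plot."""
    return downlink_carrier_mhz + FCCH_OFFSET_KHZ / 1000.0


def downlink_carriers_in_view(center_mhz, band="GSM-900", span_mhz=1.0):
    """Downlink carriers (ARFCN, MHz) inside the +/- span window that usrp_fft.py displays."""
    first, last, _ = ARFCN_RANGES[band]
    found = []
    for n in range(first, last + 1):
        _, dl = arfcn_to_freq(band, n)
        if center_mhz - span_mhz <= dl <= center_mhz + span_mhz:
            found.append((n, dl))
    return found


if __name__ == "__main__":
    # Channel 12 from the tutorial, and the 937 MHz / 941 MHz bumps it reports.
    print("ARFCN 12:", arfcn_to_freq("GSM-900", 12))
    print("941 MHz is", freq_to_arfcn("GSM-900", 941.0))
    for n, dl in downlink_carriers_in_view(937.0):
        print(f"  ARFCN {n:3d}  carrier {dl:.1f} MHz  FCCH peak {fcch_peak_mhz(dl):.4f} MHz")
    print("1860 MHz lies in", bands_for_frequency(1860.0))
```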