
RICHMOND

The American International University in London


Department of Arts & Sciences

Security Measures in GSM Networks and Possible Attack Methods

Jonathan Simon Arbib

SENIOR PROJECT IN COMPUTING

SPRING 2008

Table of Contents

ACKNOWLEDGMENTS
GLOSSARY
CHAPTER 1. INTRODUCTION
    1.1 – PURPOSE OF PROJECT
    1.2 – DESCRIPTION OF PROBLEM TO BE SOLVED
    1.3 – RECENT DEVELOPMENT IN THE MARKET
    1.4 – EXPECTED RESULTS
    1.5 – STRUCTURE OF DOCUMENT
CHAPTER 2. LITERATURE BASED REVIEW
    2.1 – COMPONENTS OF THE GSM NETWORK
        2.1.1 – The Mobile Station (MS)
        2.1.2 – The Base Station Subsystem (BSS)
        2.1.3 – Network & Switching Subsystem (NSS)
CHAPTER 3. SECURITY AND AUTHENTICATION
    3.1 – GSM SPECIFICATIONS 02.09
        3.1.1 – Subscriber identity (IMSI) confidentiality
        3.1.2 – Subscriber identity (IMSI) authentication
        3.1.3 – User data confidentiality on physical connections
        3.1.4 – Connectionless user data confidentiality
        3.1.5 – Signalling information element confidentiality
    3.2 – THE A5 ALGORITHM
        3.2.1 – Overview
        3.2.2 – In Detail
        3.2.3 – Flaws
    3.3 – GSM WEAKNESSES AND FLAWS
        3.3.1 – Network does not authenticate itself to a phone
    3.4 – PREVENTING ATTACKS
        3.4.1 – New GSM Standard
        3.4.2 – Alternative GSM Devices: The Cryptophone
CHAPTER 4. TYPES OF ATTACK (BUILDING A SOLUTION)
    4.1 – PROPOSED APPROACHES
    4.2 – MAN-IN-THE-MIDDLE ATTACK: THE IMSI CATCHER
        4.2.1 – Overview
        4.2.2 – Open-Source Alternatives
    4.3 – SIM CLONING
        4.3.1 – Overview
        4.3.2 – Dejan Kaljevic’s SimScan v 2.01
CHAPTER 5. PROPOSED APPROACH – OVER-THE-AIR-INTERCEPTION: IMSI CATCHER
    5.1 – OVERVIEW
        5.1.1 – GSM receiver
        5.1.2 – GSM Transmitter
        5.1.3 – Hacking the Encryption and Time/Memory Tradeoff
        5.1.4 – Relaying the conversation to the BS
        5.1.5 – Recording device
FUTURE WORK
CONCLUSION
REFERENCES
    PAPERS AND BOOKS
    WEB RESOURCES & RESEARCH MATERIAL
    TEXT REFERENCES
APPENDICES
    APPENDIX A – ORIGINAL TIME MANAGEMENT (DATE: 07/12/2007)
        Corrections on Original Time Plan
    APPENDIX B – LIST OF COMPONENTS FOR SIMSCAN HARDWARE
    APPENDIX C – EXCERPT FROM GSM 02.09 V6.1.0 (2000-02) - EUROPEAN STANDARD
    APPENDIX D – FULL SIZE IMAGES OF IMSI CATCHERS
    APPENDIX E – TUTORIAL: FIND A GSM BASE STATION MANUALLY USING A USRP

Acknowledgments

Working on this dissertation has been a wonderful challenge for me. I believe in this section of the paper I am supposed to thank everyone who has helped me both directly and indirectly in the course of this project. I have to start with my advisor Professor Reza Joadat, for listening to my questions and complaints for the last two semesters, and for the advice he has given me so far. My next thanks go to Professor John Dwyer for being a wonderful professor, but mostly a wonderful person beyond the academic layer. Outside of academia I then want to thank my parents for always being with me and supporting me both morally and financially, and loving me as they do; I would have never been able to accomplish this without their support. I also have to thank my fiancé Giulia, who has to bear me talking about technical matters beyond reason, and for standing by my side this whole time. Lastly, but not least of all, are all my friends here in Richmond who have stood by me for these last two years of my life. I thank them for all the wonderful moments we have been through together.

Glossary
A3 Authentication Algorithm
A5 Ciphering Algorithm
A8 Ciphering Key Generating Algorithm
AUC Authentication Centre
AN Access Network
BSC Base Station Controller
BSS Base Station System
BTS Base Transceiver Station
CEPT European Conference of Post and Telecommunication Administrations
CGI Cell Global Identity
CKSN Cipher Key Sequence Number
DIMSI Dual International Mobile Subscriber Identity
DES Data Encryption Standard
DSA Digital Signature Algorithm
EIR Equipment Identity Register
EMS Enhanced Messaging Service
GSM Global System for Mobile communication
HLR Home Location Register
IMEI International Mobile Equipment Identifier
IMSI International Mobile Subscriber Identity
Kc Ciphering Key
Ki Individual Subscriber Authentication Key
LFSR Linear Feedback Shift Register
LI Lawful Interception
LLC Limited Liability Company
ME Mobile Equipment
MSC Mobile Services Switching Centre
MS Mobile Station
MSIN Mobile Subscriber Identity Number
NSS Network and Switching Subsystem
RAND Random Number
RAID Redundant Array of Inexpensive Disks
SHA Secure Hash Algorithm
SIM Subscriber Identification Module
SMS Short Message Service
TAC Type Allocation Code
TDMA Time Division Multiple Access
THC The Hackers Choice
TMSI Temporary Mobile Subscriber Identity
USRP Universal Software Radio Peripheral
VLR Visitor Location Register
XOR Exclusive OR
Chapter 1. Introduction

1.1 – Purpose of project

This project was born from the love of computing and communications, and the thrill of being able to overcome security measures in communication systems. The purpose of this project is to prove that it is possible for individuals to break through the barriers of GSM (Global System for Mobile communication) protection systems using common and publicly available tools. It has to be said in advance that devices able to intercept GSM conversations do exist; nonetheless these devices are only available to law enforcement agencies and special services.

1.2 – Description of problem to be solved

To successfully intercept live GSM communications it is necessary to develop a device capable of several tasks: firstly it needs to produce a man-in-the-middle attack on a stream of GSM traffic; secondly it needs to decipher the contents of the conversation; thirdly it should record the conversation to allow deferred listening and storing; and finally it should relay the content onto the network without the user being aware of this process.

Another issue to overcome is the A5 encryption: as will be described in the upcoming chapters, the main means to exploit a GSM conversation encrypted with the A5 algorithm is to build a system capable of decrypting the captured GSM data, possibly using a set of pre-computed tables to speed up the cracking process.

The main components that to this day are known to work in a GSM live intercept are the receiver and the cracking units. Transmitting on GSM frequencies and performing channel hopping has not yet been possible, even though solutions from other researchers in this area seem to be near.

1.3 – Recent Development in the Market

This project started with the intention of building a GSM intercepting device using single components and combining them to form the appropriate hardware solution. This was later found to be very impractical due to the limitations of some devices. An example of a limitation encountered with this approach was in the GSM transmitting and receiving unit: the units available on the market for mobile product developers are not designed to support low-level commands, and they do not allow raw commands to be sent to the device, while only a portion of the AT command set¹ is supported. This has therefore excluded this type of approach. Beyond the first hardware attempt described, other solutions have been attempted, such as simulation. A license from OPNET was requested for a six-month trial period, to run a simulation of an attack on a network. After receiving the license and testing the software, it was discovered that OPNET products would not be adequate for simulating an attack on a network.

¹ The AT command set actually supports several commands; nonetheless, most modules available on the market for end users only support some of the most common high-level ones, such as placing a call, hanging up the connection, sending text messages, etc. The ETS – European Telecommunications Standards – published the ETS 300 642, with the full AT command set.

1.4 – Expected results

With this dissertation, the author plans to lay the grounds for the development of a working GSM intercepting mechanism, which might in the future be turned into a real working hardware unit. It is known that eavesdropping on conversations without written consent is illegal, and therefore any findings will be solely targeted as educational research. No attempt will be made to use this device illegally.

1.5 – Structure of document

This document is divided into four main sections. The first section (Chapter two) deals with an overview of the GSM network infrastructure, explaining the different components and their characteristics. Here a general discussion of the various components will be carried out to form the basis for the next chapters. Chapter three describes in detail the security measures adopted in GSM networks, both from the “GSM Specifications” point of view and from a more technical angle, by explaining the A5 encryption algorithm and its flaws. Chapter four then analyses the possible means of attacking a GSM network. Finally a practical approach will be attempted, considering the latest developments in the technology. A conclusion will then explain any problems encountered during the development of this dissertation, and possible solutions will be presented to overcome the problems in the future.

Chapter 2. Literature Based Review

2.1 – Components of the GSM network

The GSM network is generally divided into three parts. The Mobile Station (MS), commonly known as the cellular phone, is the client side of the network from which calls are generated and to which calls are directed. The second part is the Base Transceiver Station (BTS), which deals with the radio link between the MS and other BTSs through microwave or wired links. All BTSs logically form the Base Station Subsystem (BSS). The BSS then links to the third component, which is the Network & Switching Subsystem (NSS). The NSS is usually the headquarters of the communications network for every mobile phone operator. In the NSS, various operations are performed, like switching calls between mobile and fixed network users, and computing billing information for customers. In the following sections, each component will be dealt with in greater detail.

Figure 1 – Model of a simplified GSM Network - Courtesy of http://www.pulsewan.com


2.1.1 – The Mobile Station (MS)

On the user side of the GSM infrastructure, the only requirement to access the network is to have a GSM-compatible device with unique identifications that can be recognized by the network. There are three forms of identification that the network accepts.

The first one is the Subscriber Identity Module card, most commonly known as the SIM card, which, among other jobs, handles the authentication of the user to the network. The SIM card is a smart card that is inserted into the phone to provide the network with unique details about the customer using the GSM line. This is needed in order to know, for example, which user is placing a call, or where the call needs to be relayed to. The SIM card is a self-sufficient smart card with an embedded microprocessor. Inside the SIM card a unique key is stored, called the Ki. The Ki is a “randomly generated 128-bit number allocated to a particular subscriber that seeds the generation of all keys and challenges used in the GSM system” [www-1]. The Ki is not known to either the handset or the user, but only to the AuC (Authentication Centre), which, when requiring user authentication, feeds a challenge string called the RAND to the mobile phone, which passes it straight to the SIM card. The smart card then computes a Kc based on the submitted challenge string and the Ki embedded in it, and sends it back to the network for authentication. The following figure clearly summarises the flow of the RAND and the Kc. In this diagram the SIM card is shown to use either the A3 or the A8 algorithm for authentication. This does not occur anymore since both A3 and A8 algorithms have been replaced by the A5/1 and A5/2, which will be discussed in depth in later sections.
Figure 2 – SIM authentication process – Courtesy of http://www.csd.uoc.gr

The second mode of authentication identifies the user connected to the network through another code stored in the SIM card, called the International Mobile Subscriber Identity (IMSI) code. The IMSI code is usually² 15 digits long, where the first three digits represent the Mobile Country Code, the next set of two (in Europe) or three (in North America) are the Mobile Network Code (MNC), and the remaining ones are the mobile subscriber identification number (MSIN), which is assigned by the network uniquely to every user. The IMSI number is stored in the SIM card, and does not have as many security restrictions as the Ki. Some level of protection has been granted to the IMSI, which will be discussed later in Chapter 3.1.

² In some countries it can be shorter; for example, MTN South Africa's IMSIs are 14 digits.

The third mode of identification to the network pertains to the phone, which has a unique International Mobile Equipment Identity (IMEI) code: a 15-digit unique serial number bound to the device. The IMEI is in the form AA-BBBBBB-CCCCCC-D, where the A group is the Reporting Body Identifier, or in simple terms, the entity that registered (or approved) the phone; the second group, or B group, is made up of six digits and represents the TAC, or Type Allocation Code; the C group of six digits is a unique ID for the device; and the last digit is the Luhn [www-2] check digit for the whole series, or zero. One of the purposes of the IMEI is to allow the network to ban a cell phone without banning the person’s contract. This is useful in case a phone is stolen, for example. In that situation the owner can report the IMEI to the network operator, and have the IMEI banned from accessing any network, rendering the phone useless, even if another SIM card is inserted.
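
The identifier layouts described above can be checked mechanically, for instance when validating IMSI and IMEI values found in logs or device inventories. The following C code is an added example, not part of the original project; the type and function names are hypothetical, the sample identifiers are constructed, and the IMEI grouping follows the AA-BBBBBB-CCCCCC-D layout given in the text.

```c
/* Added example: split an IMSI and an IMEI into the fields described in the
 * text and verify the IMEI's Luhn check digit. All names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum imei_status { IMEI_MALFORMED = -1, IMEI_LUHN_OK = 0, IMEI_ZERO_CHECK = 1, IMEI_BAD_CHECK = 2 };

typedef struct { char mcc[4]; char mnc[4]; char msin[11]; } imsi_fields;
typedef struct { char rbi[3]; char tac[7]; char serial[7]; int check; } imei_fields;

/* Copy n characters and terminate the destination. */
static void take(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* mnc_len (2 or 3) must be supplied by the caller: it depends on the region
 * and cannot be derived from the digits alone. Returns 0 on success, -1 on error. */
int parse_imsi(const char *s, int mnc_len, imsi_fields *out) {
    size_t n = strlen(s), i;
    if ((mnc_len != 2 && mnc_len != 3) || n > 15 || n <= (size_t)(3 + mnc_len)) return -1;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    take(out->mcc, s, 3);
    take(out->mnc, s + 3, (size_t)mnc_len);
    take(out->msin, s + 3 + mnc_len, n - 3 - (size_t)mnc_len);
    return 0;
}

/* Accepts 15 digits with optional '-' or ' ' separators. */
enum imei_status parse_imei(const char *s, imei_fields *out) {
    char d[16];
    size_t n = 0, i;
    int sum = 0;
    for (; *s; s++) {
        if (*s == '-' || *s == ' ') continue;
        if (!isdigit((unsigned char)*s) || n == 15) return IMEI_MALFORMED;
        d[n++] = *s;
    }
    if (n != 15) return IMEI_MALFORMED;
    take(out->rbi, d, 2);
    take(out->tac, d + 2, 6);
    take(out->serial, d + 8, 6);
    out->check = d[14] - '0';
    /* Luhn: counting from the right, double every second digit and sum the digits. */
    for (i = 0; i < 15; i++) {
        int v = d[i] - '0';
        if ((14 - i) % 2 == 1) { v *= 2; if (v > 9) v -= 9; }
        sum += v;
    }
    if (sum % 10 == 0) return IMEI_LUHN_OK;
    /* The text notes the last digit may also simply be zero. */
    return out->check == 0 ? IMEI_ZERO_CHECK : IMEI_BAD_CHECK;
}

int main(void) {
    imsi_fields f;
    imei_fields e;
    /* Constructed sample values, not real subscriber or device identifiers. */
    if (parse_imsi("001010123456789", 2, &f) == 0)
        printf("MCC=%s MNC=%s MSIN=%s\n", f.mcc, f.mnc, f.msin);
    printf("IMEI status: %d\n", (int)parse_imei("00-000000-123456-6", &e));
    return 0;
}
```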

2.1.2 – The Base Station Subsystem (BSS)

GSM relies on the use of cellular repeaters to distribute the signal across a predefined area. Every area with a cellular repeater tower is called a cell. To maximize a cell’s coverage, a hexagonal shape has been found to be the best approach so far. Each group of seven cells is then marked as a cluster. The following figure shows the hexagonal shape approach used in modern BSSs. Each dot in the figure represents a BTS, while the hexagonal shape symbolizes the coverage area.

Figure 3 – BTS Layout in a Hexagonal Configuration (legend: Cellular Repeater, Coverage Area)

Due to the high number of users on the GSM network, a system of frequency allocation has been designed in which non-neighbouring cells are capable of reusing the same frequency without causing interference. This is shown by the following diagram, where each number could be interpreted as a channel. Here as many as 49 cells are driven by only seven different frequencies.

Figure 4 – Hexagonal Frequency Allocation Cluster Grouping – Courtesy of http://www-dse.doc.ic.ac.uk [www-3]

This has helped allocate the frequency spectrum dedicated to GSM communications over a wide territory. BSSs are divided into two parts: one part is the Base Transceiver Station (BTS), which is responsible for the communication between Mobile Stations and Base Stations, while the other part is the Base Station Controller (BSC), which is the device that controls the surrounding BTSs, radio channel allocation, handovers and communication to the Mobile Switching Centre. Each cell is capable of communicating with every MS in its coverage area, provided there are enough channels available for all the MSs in the area to operate on.

2.1.3 – Network & Switching Subsystem (NSS)

This last component in a GSM network is probably the core, where most of the operations are performed. The NSS is made up of several subsections, the most relevant of which are the Mobile Switching Centre (MSC), the Home Location Register (HLR) and the Visitor Location Register (VLR). The Mobile Switching Centre has the duty of managing the location of phones within the network, switching calls, managing security features, controlling the handover of calls between different BSCs, and collecting billing information. The Home Location Register and the Visitor Location Register have the task of keeping track of the local users and the roaming users on the network at any given time. There is usually one of these databases in every network.


Chapter 3. Security and Authentication

GSM systems have several features to implement secure connections between the Mobile Stations and the Base Stations. Authentication of the user is implemented at the Mobile Station level by the use of a SIM card (which incorporates an IMSI number and a Ki) and by the use of an IMEI number, while over-the-air communications are secured using standards which vary mostly depending on the continent they are in. The most popular encryption algorithm used for over-the-air transmissions is the A5, which has two main³ versions: A5/1 and A5/2, the latter being a purposely toned-down version of the A5/1 [www-4]. To discuss in more depth the aspects of the SIM, IMEI and the IMSI, the GSM specifications 02.09 can be used as a reference point, since all standards are branched from them, while for an accurate understanding of the A5 algorithm, “Real Time Cryptanalysis of A5/1 on a PC” by Alex Biryukov, Adi Shamir and David Wagner is possibly one of the best papers that explains the workings and the hacks of the A5 algorithm.

³ There are more variations of the A5 algorithm beyond A5/1 and A5/2. Nonetheless these are no longer used in today’s GSM networks.

3.1 – GSM Specifications 02.09

The GSM specifications 02.09 [www-5] outline the security measures implemented in GSM, and Section 3 in particular describes the mandatory security measures that must be implemented in a GSM network. In the following sections, each part pertaining to GSM security will be analysed in detail.

3.1.1 – Subscriber identity (IMSI) confidentiality

Specifications 02.09, Section 3.1.1: “The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or processes.” Since the IMSI number is a unique identifier of a user account on a network, its disclosure would imply that, by eavesdropping on the network, an attacker would be able to know if a certain person is in the area being scanned. This issue is addressed by the network with the use of a Temporary Mobile Subscriber Identity (TMSI) number – a pseudo-random number [www-6] generated from the IMSI – and a location string generated by the MS. Every time an MS switches tower, a new TMSI is issued. A TMSI number is usually not bound to the device in any particular format known to the user. The BSS and the NSS are the only entities controlling the handover of the TMSI. This greatly helps user anonymity on the network.

3.1.2 – Subscriber identity (IMSI) authentication

Specifications 02.09, Section 3.2.1: “International Mobile Subscriber identity (IMSI) authentication is the corroboration by the land-based part of the system that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at the radio path, is the one claimed.” This clause ensures that every IMSI (or TMSI equivalent) is properly recognized by the system. This prevents other MSs from using someone else’s account to place calls, for example “by denying the possibility for intruders to impersonate authorized users”.

3.1.3 – User data confidentiality on physical connections

Specifications 02.09, Section 3.3.1: “The user data confidentiality feature on physical connections is the property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes.” With this clause the network allows the user to implement one of the seven available algorithms to encrypt voice and data transmissions. In case no encryption is available, the network will not provide one and the voice conversation or data exchange will happen without proper security measures. This is a crucial issue in GSM security which will be dealt with in more depth in the following sections.

3.1.4 – Connectionless user data confidentiality

Specifications 02.09, Section 3.4.1: “The connectionless user data confidentiality feature is the property that the user information which is transferred in a connectionless packet mode over a signalling channel is not made available or disclosed to unauthorized individuals, entities or processes.” This security measure relates, for example, to the Short Messaging Service (SMS) feature, allowing an MS to send and receive data in a properly encrypted manner. Interestingly, a note in Section 3.4.3 states that “Protection of connectionless user data is not applicable to SMS Cell Broadcast.”

3.1.5 – Signalling information element confidentiality

Specifications 02.09, Section 3.5.1: “The signalling information element confidentiality feature is the property that a given piece of signalling information which is exchanged between MSs and base stations is not made available or disclosed to unauthorized individuals, entities or processes.” This clause relates to the communication signalling elements, and (as in the previous cases) it ensures that they are transmitted encrypted and protected from eavesdropping. The following signalling information elements must be protected under this clause: IMEI, IMSI, Calling subscriber directory number (mobile terminating calls), and Called subscriber directory number (mobile originated calls).


3.2 – The A5 Algorithm

3.2.1 – Overview

The A5 algorithm is the entity responsible for encrypting communications for over-the-air data transfers. It was developed in 1987 as a closed-source algorithm⁴. Two years later, the second version was released, called the A5/2. One source [www-7] mentions that “there was a terrific row between the NATO signals agencies in the mid 1980's over whether GSM encryption should be strong or not. The Germans said it should be […] but the other countries didn't feel this way, and the algorithm as now fielded is a French design.” This rumour is supported by some online resources as being true, since later in 1994 the general design was reverse-engineered, while in 1999 Marc Briceno [www-8] fully reverse-engineered the A5 algorithm, which was found to possess major security flaws.

⁴ Closed-source is commonly used as an antonym to open-source; i.e. the source code is not distributed along with the final product.

3.2.2 – In Detail

The data from a GSM conversation is sent in a sequence of frames every 4.6 milliseconds. Each frame is characterised by 228 bits, 114 bits with the digitized communication, and the remaining 114 bits with the reversed digitized communication. For each conversation, a session key K is used to encrypt the data. Next, for each frame, the session key is mixed with a publicly known frame counter Fn, which results in 228 pseudo-random bits. Lastly these bits are XOR’ed⁵ with the plain text to create the ciphertext. Specifically, the A5/1 is built using three Linear Feedback Shift Registers (LFSR)⁶, R1, R2, and R3, of lengths 19, 22, and 23 bits respectively, with the leftmost bit labelled 0 (zero). Each register has a certain number of taps, each placed in different positions: the taps of R1 are at bit positions 13, 16, 17, 18, the taps of R2 are at bit positions 20, 21, and the taps of R3 are at bit positions 7, 20, 21, 22 (see Figure below). The paper by Alex Biryukov et al. efficiently describes the process of encrypting GSM traffic as follows: “When a register is clocked, its taps are XORed together, and the result is stored in the rightmost bit of the left-shifted register. The three registers are maximal length LFSR's with periods 2^19 - 1, 2^22 - 1, and 2^23 - 1, respectively. They are clocked in a stop/go fashion using the following majority rule: Each register has a single "clocking" tap (bit 8 for R1, bit 10 for R2, and bit 10 for R3); each clock cycle, the majority function of the clocking taps is calculated and only those registers whose clocking taps agree with the majority bit are actually clocked. Note that at each step either two or three registers are clocked, and that each register moves with probability 3/4 and stops with probability 1/4.”

⁵ XOR is a logical function by which distinct inputs generate a true value (or one), and equal inputs generate a false (or zero) value.

⁶ A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state.

Figure 5 – Representation of the three LFSRs and the Clocking Unit – Photo Courtesy of wiki.thc.org/cracking_a5

“The process of generating pseudo random bits from the session key K and the frame counter Fn is carried out in four steps:

1. The three registers are zeroed, and then clocked for 64 cycles (ignoring the stop/go clock control). During this period each bit of K (from lsb to msb) is XOR'ed in parallel into the lsb's of the three registers.

2. The three registers are clocked for 22 additional cycles (ignoring the stop/go clock control). During this period the successive bits of Fn (from lsb to msb) are again XOR'ed in parallel into the lsb's of the three registers. The contents of the three registers at the end of this step is called the initial state of the frame.

3. The three registers are clocked for 100 additional clock cycles with the stop/go clock control but without producing any outputs.

4. The three registers are clocked for 228 additional clock cycles with the stop/go clock control in order to produce the 228 output bits. At each clock cycle, one output bit is produced as the XOR of the msb's of the three registers.” [www-4]
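The register layout, majority clocking and four-step key setup described above, as an added Python example (not code from this paper or from the paper it quotes). It assumes bit 0 is each register's input end, reads each output bit after the clock, and returns the 228 bits as two 114-bit blocks; all function and class names are illustrative.

```python
"""A5/1 keystream generation, following the register layout and the four
steps quoted above. Added example; names are illustrative."""

# (length, feedback taps, clocking tap) for R1, R2, R3, as given in the text.
# Assumption: bit 0 is the input end of each register (the least significant
# bit here), so the msb is the bit that is shifted out and used for output.
REGISTERS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


class LFSR:
    def __init__(self, length, taps, clock_tap):
        self.length = length
        self.mask = (1 << length) - 1
        self.tap_mask = sum(1 << t for t in taps)
        self.clock_tap = clock_tap
        self.state = 0

    def clock(self, in_bit=0):
        """XOR the taps, shift left, store the result (and in_bit) in bit 0."""
        feedback = bin(self.state & self.tap_mask).count("1") & 1
        self.state = ((self.state << 1) & self.mask) | feedback
        self.state ^= in_bit

    def clocking_bit(self):
        return (self.state >> self.clock_tap) & 1

    def msb(self):
        return (self.state >> (self.length - 1)) & 1


def initial_state(kc, fn):
    """Steps 1 and 2: zero the registers, then clock in 64 key bits and 22
    frame-counter bits (lsb first), ignoring the stop/go rule."""
    if len(kc) != 8:
        raise ValueError("Kc must be 8 bytes (64 bits)")
    if not 0 <= fn < (1 << 22):
        raise ValueError("Fn must fit in 22 bits")
    regs = [LFSR(*params) for params in REGISTERS]
    key_bits = [(kc[i // 8] >> (i % 8)) & 1 for i in range(64)]
    frame_bits = [(fn >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:
        for reg in regs:
            reg.clock(bit)
    return regs


def majority_clock(regs):
    """Stop/go rule: clock only the registers whose clocking tap agrees with
    the majority of the three. Returns how many registers moved (2 or 3)."""
    bits = [reg.clocking_bit() for reg in regs]
    majority = 1 if sum(bits) >= 2 else 0
    moved = 0
    for reg, bit in zip(regs, bits):
        if bit == majority:
            reg.clock()
            moved += 1
    return moved


def keystream(kc, fn):
    """Steps 3 and 4: 100 mixing clocks without output, then 228 output bits.
    Returned as two 114-bit blocks (one per direction), packed msb first into
    15 bytes each; the last 6 bits of each block are padding zeros."""
    regs = initial_state(kc, fn)
    for _ in range(100):
        majority_clock(regs)
    blocks = []
    for _ in range(2):
        block = bytearray(15)
        for i in range(114):
            majority_clock(regs)  # assumption: output bit is read after the clock
            bit = regs[0].msb() ^ regs[1].msb() ^ regs[2].msb()
            block[i // 8] |= bit << (7 - (i % 8))
        blocks.append(bytes(block))
    return blocks[0], blocks[1]


def xor_burst(data, block):
    """Encrypt or decrypt one burst: XOR the data with a keystream block."""
    return bytes(d ^ k for d, k in zip(data, block))


def stop_go_profile(kc, fn, cycles=328):
    """Registers moved at each stop/go cycle (the 100 + 228 cycles of steps 3-4)."""
    regs = initial_state(kc, fn)
    return [majority_clock(regs) for _ in range(cycles)]


if __name__ == "__main__":
    # Sample Kc and Fn chosen for illustration; they do not come from the page.
    sample_kc = bytes.fromhex("1223456789abcdef")
    block1, block2 = keystream(sample_kc, 0x134)
    print("block 1:", block1.hex())
    print("block 2:", block2.hex())
    profile = stop_go_profile(sample_kc, 0x134)
    print("cycles with all three registers moving:", profile.count(3), "of", len(profile))
```

Because the same Kc is reused for every frame and only the 22-bit Fn changes, the keystream is fully determined by the 64-bit initial state, which is the property the Flaws section builds on.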

3.2.3 – Flaws

The main flaw in the A5/1 algorithm revolves around the limited size of the three Linear Feedback Shift Registers. As described, R1+R2+R3 have 64 bits of information, which generates 2^64 possible states. Using the Golic time-memory tradeoff as described in the Biryukov paper, it is possible “to keep a large set A of precomputed states on a hard disk, and to consider the large set B of states through which the algorithm progresses during the actual generation of output bits. Any intersection between A and B will enable us to identify an actual state of the algorithm from stored information.” [www-4] This is the principle around which the tables of the THC team have been generated. More information on Time/Memory Tradeoff will be presented in Section 5.1.3.


3.3 – GSM Weaknesses and flaws

From the outset, GSM was never developed to be a highly secure system. Roaming and portability per se were the focus of attention, in order to make a highly scalable and user-friendly system. Furthermore, GSM technology can be regarded as a fairly old technology in computing terms, since it was developed between the mid 1980s and the very early 90s. Some of the algorithms used in securing conversations in GSM were once thought to be virtually unbreakable in a timely manner since computing power was not at today’s standards; but with the advances in technologies since the 1980s, it has become possible to break the security currently implemented in GSM voice and short messaging conversations.

3.3.1 – Network does not authenticate itself to a phone

According to some sources [www-9] this is possibly the biggest flaw in the GSM

protocol. This flaw implies that the MS cannot tell whether it is connected to a legitimate BS, since

the BS does not need to prove its knowledge of the Ki. “Thus it is possible for an attacker to setup

a false base station with the same Mobile Network Code as the subscriber’s network. Since

the authentication procedure initiation is up to the network’s discretion, the false network may

choose not to authenticate at all, or simply send the RAND and ignore the response. It does

not have to activate ciphering either. The attacker can set the cell reselection parameters of his

false base station to values that will highly encourage his ‘victims’ to camp on it – such as a

high CELL_RESELECT_OFFSET.” [www-10] This flaw can also be thought of as the basic

flaw that enables an attacker to perform other operations to generate man-in-the-middle

attacks.

3.4 – Preventing Attacks

3.4.1 – New GSM Standard

The constant war between code-makers and code-breakers ensures that new standards are constantly implemented to increase security of communications, especially in computing. This evolution is made evident by patches and upgrades released by the software industry to make their products more secure and stable. Nonetheless this evolution has not yet occurred in the GSM industry. The reason for this is possibly explained by the fact that in the software industry the product being updated only requires downloadable patches to be applied, while in a GSM network, implementing radical “patching” of the security flaws will most certainly mean cutting off the service to a large portion of GSM users, unless everyone changes their handset during the same period. Some patching was done years back with the introduction of the A5 algorithm, which was thought to be unbreakable (also because it was meant to be kept secret). Most Telecom firms do not see any urgency in increasing the level of security, since to date there have been no known cases of eavesdropping from the public; hence the threat is regarded as nonexistent. Possibly the work of the THC group might raise concerns in future times, as it has earlier this year.⁷ Their constant work in this area is shown by the intense communications through their mailing list, and the rapid updating of the wiki pages as new information comes through. Perhaps a new possibility of attack might spark the deployment of a new, more secure standard for communications, creating a new challenge for hackers.

⁷ See responses given to the media on http://wiki.thc.org/cracking_a5

3.4.2 – Alternative GSM Devices: The Cryptophone

As mentioned earlier in this chapter, one of the flaws in the GSM authentication is the

one-way authentication in which towers do not authenticate to the MSs. The Cryptophone

[www-11] is described as being “the first and only fully trustworthy solution for completely

confidential mobile phone calls.” [www-12] This device has the same inner workings as a

common GSM phone, except that it has the ability to further encrypt conversations. GSM

protocols only have the ability to encrypt data from the MS to the BS; hence everything else

is transmitted in clear-text, providing easy tapping at the BSS (Base Station Subsystem) for

example. To prove their strength, the company that produces the Cryptophone states that all

its phones “come with full source-code available for independent review.” This aspect can be

seen as a warranty by consumers since they are certain that their product can be marked as

being “safe.” Nonetheless it also encourages hackers to crack that protection open and exploit

its vulnerabilities (if any).


Chapter 4. Types of Attack (Building a Solution)

4.1 – Proposed Approaches

In sections 4.2 and 4.3, two proposed approaches will be analysed. The first approach

involves the use of a device to perform a live-intercept of GSM phone calls, while the second

implies the use of a small and inexpensive Hardware to retrieve the Ki from a SIM card.

4.2 – Man-In-The-Middle Attack: The IMSI Catcher

4.2.1 – Overview

BBC UK defines the IMSI catcher as a device that “pretends to be a legitimate base

station of the mobile phone network and tricks the [victim’s] phone into routing its call via the

IMSI-catcher where it can be passed on for decryption. Once received, the IMSI-catcher

passes the call on to the network, so the suspect is none the wiser he is being monitored.”

[www-13] This device is known to be used by Government and Law Enforcement Agencies to intercept cellular phone conversations. Due to its sensitive nature, it is only produced by a small number of firms worldwide (mostly North American, British, and some Italian), and is only sold to Government Agencies and Special Forces with prior verification of the identity of the buyer⁸. The images that follow are examples of publicly available photographs of IMSI catchers.

⁸ Most producers of IMSI catchers on the Web announce that they will only supply this product to Government agencies and Special Forces after prior identity verification.

Figure 6 – IMSI Catcher – Photo Courtesy of www.iwi.uni-hannover.de

Figure 7 – Vehicle-Mounted IMSI Catcher – Photo Courtesy of http://corcom.wordpress.com/

The devices are usually multi-channel and allow eavesdropping on several conversations at the same time. Figure 7 shows how an IMSI catcher can be mounted inside a van for mobile tracing operations, since it is possible that the person being traced is not in a static position while talking (for example, is commuting from home to work). The following screenshots represent various stages of a Commercial IMSI catcher.

Figure 8 – IMSI Catcher Screenshot. Courtesy of http://www.alarm.de

In this image it can be seen how the device is capable of intercepting IMEI codes from

off the air interceptions.

Figure 9 – Screenshot of a working IMSI catcher. Courtesy of http://www.alarm.de


In this screenshot on the other hand, it can be noted how the device has a capability to

scan the air and detect uplink and downlink frequency strengths to find the MSs in the vicinity

of the IMSI unit.

Figure 10 – Screenshot of a working IMSI catcher. Courtesy of http://www.alarm.de

The image above instead shows the device capturing the IMSI code. Both in screenshot one and in this third screenshot the device is positively acquiring sensitive data from several MSs in its vicinity.

Figure 11 – Screenshot of a working IMSI catcher Courtesy of http://www.alarm.de


In this last screenshot, the IMSI catcher software is shown while intercepting SMS

messages. This is another useful feature to eavesdrop on GSM conversations. All the

screenshots above are included in Appendix E in full size.

4.2.2 – Open-Source Alternatives

As with many Commercial Hardware and Software products on the market these days, the open-source community is usually challenged to create a better, faster and more efficient device using open technologies. There is one group in particular called The Hackers Choice [www-14], or in short THC, which is actively working to hack this technology to create an IMSI catcher. Because this device is banned from public use, official documentation and specification sheets are nonexistent. Nonetheless the wiki [www-15] where the THC community exchanges ideas and information is regularly updated with the progress of the research in this field. Possibly this resource is the richest in content known to the web, also since many other sources appear to be linking to it as their main reference. The latest news as of March 2008 highlights the completion of a set of tables 2.2 Terabytes⁹ (roughly more than 2200 Gigabytes) in size which should be able to decrypt A5/1 encrypted messages (audio and text messages) in real time. Steve (steve@segfault.net) reports through the GSM Mailing List¹⁰ that “[they] ran over 30 cracks so far and recovered the Kc 29 times.”¹¹ This breakthrough shows the success of the THC team in cracking the encryption algorithm once more in the history of GSM. Due to the size of the tables they “figured that many people will not be able to download 2TB over the internet,” therefore they are planning on offering a web-portal for the internet community where people can “submit [their] GSM frame and […] get the Kc back in return.”¹² The team is also hoping to provide a demonstration of a live intercept with the use of their tables in the April 2008 HackInTheBox Conference to be held in Dubai [www-16].

⁹ E-mail conversations with Steve (steve@segfault.net) – See Appendix B

¹⁰ gsm@lists.segfault.net

¹¹ Mon, Mar 31, 2008 at 10:04 PM on gsm@lists.segfault.net

Other groups researching GSM technologies are either not as active as THC, or their

main focus of research is not centred on the cracking of GSM. For example the OpenMoko

group [www-17] is a team of hardware and software developers creating a totally open-source

mobile device similar to Apple’s iPhone [www-18] to enable the Open Source communities

worldwide to create their own applications in a more transparent way than Apple is. Some

developers also mentioned the possibility of creating a software IMSI catcher installable on

OpenMoko devices. Controversy on this may arise, since, if a device like this was ever to be

implemented it may be a serious threat to the current privacy of GSM conversations.

4.3 – SIM Cloning

4.3.1 – Overview

Intercepting calls through SIM cloning is much easier than dealing with over-the-air interception of calls. One very famous program which was effectively able to clone SIM cards is SimScan (version 2.01) [www-19]. SimScan is described by its author as “a program that allows functionality analysis of your GSM SIM smart card. […] With this program you can analyze: ATR, CLA+INS, FILES, Key. Also, you can write IMSI and Ki to GSM a38 SIM Gold Card (PIC 16f84 & EEPROM 24c16). Finding Ki works on 100% of new SIM cards from 2000-2002 with COMP128-1 ciphering algorithm.” [www-20] As can be noted from the rough description, the program has not been updated for a few years now, and hence does not support the new models of SIM cards on the market today which ensure greater protection against this practice using the newer COMP128v2 algorithm (which is now embraced by the A5 algorithm).

¹² Mon, Mar 31, 2008 at 10:04 PM on gsm@lists.segfault.net

4.3.2 – Dejan Kaljevic’s SimScan v 2.01

Dejan Kaljevic’s SimScan program comes with documentation and schematics to

assemble the PCB to perform the cloning. The PCB layout is shown in the following figure.

Figure 12 – SimScan v 2.01 PCB Layout Design – Courtesy of http://users.net.yu/~dejan/

The above PCB layout requires only a minimal amount of components. These are

outlined in Appendix C. Following are examples of implemented PCB layouts built for this

purpose.

Figure 13 – A Home-made version of a SimScan Hardware. The Serial Connector can be seen on the top, while the Quartz is on the bottom right and the SIM card holder on the bottom left – Photo courtesy of http://ucables.com/ref/SIM-SCAN/es

Figure 14 – USB SIM card reader – Photo Courtesy of http://www.gsm-technology.com/index.php


The following is a screenshot of SimScan, showing the available operations on the

SIM card. To note is the “Find Ki” button which is the most useful one to find the Ki of a SIM

card.

Figure 15 – Screenshot of SimScan V2.01


Chapter 5. Proposed Approach – Over-the-Air-Interception: IMSI Catcher

5.1 – Overview

The design of a device capable of intercepting GSM phone calls, recording the

content, and relaying it to the nearest real base station is a multi-step procedure that involves

many different technologies. Software approaches are sometimes preferred since they appear

to be more flexible to computer programmers, while entirely-hardware solutions usually seem

to be the choice of Electronic Engineers. For this implementation a combination of Software

and Hardware devices will be used. Ettus Research LLC [www-21] produces a device capable

of supporting various daughterboards to create a software radio interface.

Figure 16 – USRP Board – Photo Courtesy of Ettus.com


The USRP is a Universal Software Radio Peripheral capable of supporting various

daughterboards, each one of them covering a different portion of the radio spectrum. The

board is equipped with two RX channels and two TX channels, each able to support one

board, for a total of four parallel boards. The various daughterboards are capable of covering

the frequency range from DC to 2.9 GHz as of February 2008. Currently the USRP board

supports the following daughterboards [www-22]:

DC to 30 MHz receiver

DC to 30 MHz transmitter

1 MHz to 250 MHz receiver

1 MHz to 250 MHz transmitter

50 to 860 MHz receiver

800 MHz to 2.4 GHz receiver

400-500 MHz transceiver

750-1050 MHz transceiver (including cell and ISM bands)

1150-1450 MHz transceiver

1.5-2.1 GHz transceiver (including PCS bands)

2.3-2.9 GHz transceiver (including ISM band)


The vast choice of devices available for this board, combined with its Open-Source

nature, both in hardware and software, and its relatively low price, make this setup an ideal

entry-level hardware choice for receiving and potentially transmitting on GSM channels. For

the design of the IMSI catcher therefore the USRP has been appointed as a “favourite” among

hackers.

As previously stated, the Construction of an IMSI catcher is a multi-step process. Each

component needs engineering and testing on its own; then the whole unit needs to be

assembled and tested. The core components needed for the IMSI catcher are the Receiver, the

Transmitter, the Decryption device (software or hardware), the Relaying circuitry, and the

Recording device. In the sections to come each single component of the IMSI catcher will be

analysed in detail.

5.1.1 – GSM receiver

This is the first virtual interface in the design. It has the job of receiving signals from

the Mobile Station and from the Base Station; hence two physical interfaces are required

(unless switching is performed). The THC Group lists ten approaches in section 5.3 of their

wiki [www-23] which are a good start to decide which type of hardware to use for the

receiver:

1. “Use a commercial baseband transceiver chip (silabs.com? analog.com?). (Requires

electronic engineer and those folks seem to be rare).”

The first option requires purchasing of a proprietary device. This usually implies low

compatibility with other hardware and the item is usually not equipped with Open Source

Software.

2. “Use the USRP (Universal Software Radio Peripheral) board from Ettus and develop the

rest in software (C++, python) and/or verilog (firmware of USRP). (Still requires

electronic engineer /Ettus person. We are software developers. Anyone?)”

This option involves the use of an Open platform as previously described:

the USRP. This solution would not be portable to other boards or devices; nonetheless, the

fact that the board is produced with Open Documentation allows anyone to reproduce it and

contribute code.

3. “Patch the Baseband Processor of an existing mobile phone (possible but not portable)”

This option involves the hacking of a mobile phone, and as the comment states it is

“possible but not portable,” meaning that if a certain model of phone is patched to receive raw

GSM signals, then the patch will only work for that model, and not be portable to other

devices, which is a major draw-back.

4. “Attach the Baseband signal of an existing mobile phone to a digitizer (for example the

USRP or a simpler AD/DA converter board with at least 1 MHz sample rate) (This option

is also not very portable and hard to connect to those tiny traces (has been tried). The best

shot is using a very old big phone but then you only get the low 900 MHz band (and not

the 1800/1900 MHz band)) (comment: 3 and 4 are also dead-ends in the long run as we

would only be able to receive but certainly never be able to transmit. Both approaches also

limit us to 1 channel (not?))”

This option describes itself very well. By attaching the Baseband signal of an existing

mobile phone to a digitizer there is a need for two devices: a mobile phone and a digitizer like

the USRP for example. This would mean even less portability than the previous option, since

two devices are required this time.

5. “Using a nokia phone or the MC351i from Siemens. For both devices is it possible to

update the firmware on the Baseband processor. This would mean we would have to

disassemble the firmware and do binary patching. Probably limited to 1 channel (but we

can use 128 phones at the same time:>). Not as flexible as the USRP.”

6. “Use Analog's development board. This way we do not have to bother with DSP and can

use example source!”

7. “The Sagem OT460 is a trace phone which connects via USB to a PC. It comes with

monitoring software. It captures data from the Control Channel (Channel Dm, uplink +

downlink) and transfers the captured data in real-time to the PC.”

8. “A Watkins Johnson 8691A receiver can trace 6 phone calls at the same time. It requires

PC software that is impossible to get. The company currently refused that they even

manufactures this device.”

9. “The IZT CCT is a commercial multiband receiver with a bandwidth of 16 mbit. It's

connected via Ethernet. tkrauze@o2.pl is working on this one. We currently believe that

the USRP is the cheaper solution but we are keen to compare results.”

Options five through nine on the other hand deal with a more software-oriented

approach either through the use of commercial hardware like existing models of mobile

phones, or through dedicated hardware like the Watkins Johnson 8691A receiver, or the IZT

CCT.

10. “Using http://www.comblock.com/ hardware to capture data to an IQ file, then using

MATLAB and the modified GSMSim scripts to parse the file. Perhaps convert the

COMBLOCK IQ file to the format from USRP for use with the GNURadio software.

(Comblock setup RF amp >> COM-3006 >> COM-8002 >> COM-5003)”

This last option requires the use of multiple devices and software products chained

together. This obviously seems to be the most complicated option for this device, and perhaps

the least portable of all.

Overall to route the digital signal into a computer, the list of options deals with these

main branches:

1. Use of Proprietary hardware

2. Use of Open Source hardware

3. Use of existing general purpose commercially-available hardware like cellular phones

4. Use of existing dedicated commercially-available hardware like the Watkins Johnson

8691A receiver

Among these four options, the most versatile and flexible one definitely seems to be

option number two. The use of Open Source software, drivers and peripherals enables

developers around the globe to contribute to code being written for any particular platform.

The THC Team also seems to have settled on the use of Open Source hardware, and more

specifically with the Ettus line of products.


To fully understand which daughterboard though is more appropriate for the

development of a receiver, the GSM frequency spectrum needs to be analysed. A GSM-

capable receiver needs to be able to listen on all the frequencies allocated to GSM

conversations [www-24]. The frequency allocation of GSM includes GSM-900 and GSM-

1800 which are mainly used in Europe, and some parts of Central/South America, and GSM-

850 which is mostly used (in conjunction with GSM-1900) in the United States and Canada.

GSM-850 uses 824–849 MHz for the uplink channels and 869–894 MHz for the downlink

channels. GSM-900 uses 890–915 MHz for the uplink channels and 935–960 MHz for the

downlink channels. GSM-1800 uses 1710–1785 MHz for the uplink channels and 1805–

1880 MHz for the downlink channels. GSM-1900 uses 1850–1910 MHz for the uplink

channels and 1930–1990 MHz for the downlink channels. The following table summarises the

most used bands.

Table 1 – GSM Frequency allocation by GSM standard


System      Band    Uplink (MHz)      Downlink (MHz)    Channel Number
GSM-850     850     824.0–849.0       869.0–894.0       128–251
GSM-900     900     890.0–915.0       935.0–960.0       1–124
DCS-1800    1800    1710.0–1785.0     1805.0–1880.0     512–885
PCS-1900    1900    1850.0–1910.0     1930.0–1990.0     512–810

As a result it can be deduced that GSM standards use frequencies between 824 MHz

and 1.99 GHz.

For the receiver component of the GSM intercepting device therefore, it seems that the

most appropriate USRP daughterboard is the DBSRX, which covers frequencies from 800

MHz to 2.4GHz. This board then has to be coupled with an appropriate antenna to properly

receive the desired frequencies.


Figure 17 – DBSRX Daughterboard – Photo Courtesy of http://www.ettus.com

The main decision when choosing an antenna has to be around its directivity and the

relative gain (dBi). A directional antenna (a Yagi for example) will be more adequate to point

towards a desired location and receive signals from a specified area, while an Omni

Directional antenna will be more useful to survey the region in a uniform manner (360

degrees on the horizontal plane). Discussions on types of antennas are certainly very

important and interesting at the same time, nonetheless they are beyond the scope of this

paper.

Relating to software, as previously said, the USRP family of boards embraces Open-

Source standards. This allows developers to contribute their own code and solutions to expand

the usability of this type of boards. For this reason, the choice of operating system has been

GNU/Linux (more commonly known simply as Linux) and the Radio package called

GnuRadio. GnuRadio’s functionality depends on logical blocks written in C++ which are then

in turn accessible through high-level Python commands as objects. Pawel Koszut, in his paper

entitled “GSM scanning tutorial” describes in detail some procedures known so far when

trying to implement GSM scanning using USRP boards. As Koszut mentions in his paper,

GnuRadio provides a very useful script called usrp_fft.py in the path gnuradio/gnuradio-

examples/python/usrp. This program is a spectrum viewer to “explore the spectrum of GSM

bands and to find GSM Base Transceiver Stations (BTS [or BS]) transmitting in your area.” A

tutorial on the modalities of scanning with the USRP and GnuRadio and FFT (Ettus USRP

Software) is included in Appendix F.

5.1.2 – GSM Transmitter

On the Transmitter side, Ettus Research LLC currently does not provide one solution

that embraces the whole GSM spectrum, as the DBSRX does for the receiver; the only

apparent usable solution would be to combine the RFX900 (800-1000MHz) and the RFX1800

(1.5-2.1 GHz), which together cover most of the available GSM spectrum [www-25]. Not

much research has been undertaken into transmitting the GSM signals since the efforts so far

have been centred on cracking the encryption mechanism. To effectively create a working

transmitting unit, it is possibly best to first complete a working receiving unit and the relaying

device. So far research has not achieved this, since only in the last months it was possible to

create a working receiving unit.


5.1.3 – Hacking the Encryption and Time/Memory Tradeoff

The main player in this field is the THC group. Only recently¹³ the group was able to release the first version of the famous 2.2 Terabytes of tables to decrypt GSM conversations discussed in 4.1.2. Therefore so far it is possible to receive GSM data, and return the Kc (the challenge to the operations between the RAND and the Ki).

To achieve maximum efficiency when cracking the conversations, the use of time/memory tradeoffs is a relevant factor in reducing computation times while increasing memory use. To break the same code, currently it is possible to use two approaches: the first involves high processor usage for long periods of time (usually five to seven hours) to break one conversation with a high success rate¹⁴; while the second method involves the precomputation of a set of tables varying in size and the subsequent reduction in computing time to almost real time, a few seconds¹⁵. The GSM project run by the THC group has produced tables 2.2 Terabytes in size and they have declared that their success rate is 95%. To increase the success rate from 95% to 97.5% a doubling of the table size is required from 2.2 Terabytes to 4.4 Terabytes. And again, to achieve a 98.75% success rate the tables need to be doubled again. The relationship can be simply explained as: every time the table is doubled, the non-success rate is halved, generating the following recursive formula:

F(n) = F(n-1) + ((1 - F(n-1)) / 2)

where F(1) = 95%.

¹³ Late March / April 2008

¹⁴ Depending on the method used, success rate varies between 95% and 99.998%

¹⁵ This process usually involves the use of large tables ranging between a few gigabytes to several Terabytes. The size of the tables influences the success rate, while the algorithm used influences the cracking time.

The following values have been calculated to estimate table size for high success rate values.

Table 2 – Approximation of Table size and Success Rate values

Table Size (Tbytes)    Percentage Success Rate
2.2                    95.00000%
4.4                    97.50000%
8.8                    98.75000%
17.6                   99.37500%
35.2                   99.68750%
70.4                   99.84375%
140.8                  99.92188%
281.6                  99.96094%
563.2                  99.98047%
1,126.4                99.99023%
2,252.8                99.99512%
4,505.6                99.99756%
9,011.2                99.99878%
18,022.4               99.99939%
36,044.8               99.99969%
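
The recursive formula can be solved in closed form, which gives the table size for any target success rate directly. This derivation is added here and is not part of the original text; E(n) and S(n) are names introduced for the failure rate and the table size at step n.

E(n) = 1 - F(n)
E(n) = 1 - F(n-1) - (1 - F(n-1))/2 = E(n-1)/2, with E(1) = 0.05
E(n) = 0.05 / 2^(n-1), so F(n) = 1 - 0.05 / 2^(n-1)
S(n) = 2.2 * 2^(n-1) Tbytes
E(n) * S(n) = 0.05 * 2.2 = 0.11, so S = 0.11 / (1 - F) Tbytes

The failure rate is therefore inversely proportional to the table size. For a target of F >= 99.99%, S >= 0.11 / 0.0001 = 1,100 Tbytes; since the sizes in Table 2 only double, the first row that meets the target is n = 10, with S(10) = 2.2 * 2^9 = 1,126.4 Tbytes and F(10) = 1 - 0.05/512 = 99.99023%.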

To visually see the trend of the data, plotting the above values into a chart would

produce the following graphical representation.


[Chart: “Success Rate Vs Table Size”; vertical axis: Success Rate; horizontal axis: the table sizes listed in Table 2]

Figure 8 – Graphical representation of Table 2 developed using Microsoft Excel

An adequate success rate would probably be around 99.99%, which would require tables possibly 1,126 Terabytes in size, approximately 1 Petabyte¹⁶; definitely out of the reach of any individual so far. Nonetheless a 95% or a 97% success rate is more than acceptable and would clearly be achievable using commercially available products. This shows the advantage of using time/memory tradeoffs to achieve high success rates.

After a quick market research carried out in February 2008 and then updated in April 2008, the price to create a redundant¹⁷ array of disks to store the 2.2 Terabytes of information ranged between 500.00 GBP and 600.00 GBP depending on the models of drives and disk controllers¹⁸. With this amount of money it is possible to store the complete tables produced by the THC team to crack the A5 algorithm on data samples.

¹⁶ 1 Petabyte = 1024 Terabytes

¹⁷ A Redundant array will guarantee data availability even in case of a drive failure. The most adequate setup would be to use a RAID 5 configuration.

5.1.4 – Relaying the conversation to the BS

The relaying mechanism needs to be implemented either in software at the Application

Layer, or in Hardware, at the Physical Layer. Each choice will have its advantages and

disadvantages, and no conclusions on this device can be formulated without first fully

understanding how transmission works. The main problem for the relaying device will be

related to frequency (or channel) hopping, and BS handovers. The relaying device needs to

control the transmission device and send instructions to allow handovers and present a

mechanism to deal with them efficiently without dropping the connection.

5.1.5 – Recording device

The recording device is possibly the least difficult to find and insert into the layout of

an IMSI catcher. The recording device can either be software based or hardware based.

Software based will imply the use of the computer where the decryption is taking place as the

recording device. Programs for software recording are varied, and free solutions like Audacity

for example are available. For Hardware recording solutions, a tape recorder may be used

(even if now outdated), or a more modern CD-recorder. Nonetheless a tape recorder might be

more efficient than a CD-recorder since there is no need of high quality recording due to the

very lossy quality of GSM compression compared to the quality obtainable with a CD-ROM,

and if the IMSI catcher is installed on a vehicle, then possibly the CD-recorder might be too

delicate, and also susceptible to vibrations. Instead of using commercial tapes for the recording, a DAT tape player may be used. This will increase the cost of the recorder but will possibly provide a more robust interface for the user. DAT Tapes are still widely available today as they are to date a very good medium for storing multi-track recordings in recording studios, and as removable media for server backups.

¹⁸ This price only includes the disk array and the RAID controller card.


Future Work

In the very near future an implementation will be attempted using the USRP board as

soon as it is available again from Ettus. There is also news of a USRP v2 coming out this

year, which should be more powerful than the current version. No specifications are out yet,

but it will be interesting to investigate also on a newer version rather than the current one. It

will probably support the current product line of Daughterboards, so it should keep the costs

down similarly to v1.

A plan to share the A5/1 tables in Richmond University has also been passed to the

department with a Cost Analysis and Resource Requirements. It seems to be a possible project

that can be implemented in the near future, and something that would definitely contribute to

the Open Source communities worldwide.


Conclusion

This field has been of personal interest for years, and time and knowledge halted me

from ever exploring it in depth. This dissertation has allowed me time to learn more about this

area and experiment with new technologies. Since starting the project the complexity of

developing a hardware platform was weighed against time. Time seemed to be enough for

the development of the project, and so a choice was made to stick with this topic.

Unfortunately during the course of the research, more complexities started to arise which

highly disrupted the workflow on this project; and since the deadline is fixed for this paper, no

workarounds could be accomplished in the limited time frame. When the time came to order

the hardware for the USRP board from Ettus.com, another issue delayed the implementation:

Ettus was out of stock of USRP boards and DBSRX Daughterboards until the last weeks of

April. This made it impossible to develop a hardware solution using the USRP board. No

other vendors supply the USRP board except the producer itself. A SIM cloning device was

also attempted, but the fact that it only reads SIM cards that use COMP-1, limited the usable

SIM cards to about 5% of the market which meant that it was hard or impossible to know

which company still produced COMP-1 cards, if such information was available to the public.

In the upcoming months an implementation will be attempted using the USRP. The results

should prove that over-the-air interception with the aid of commercially available products is

technically achievable.
References

Papers and Books

Alfred, J., “Ensure strong security in mobile transactions”, Certicom, Feb 2007

Biryukov, A., Shamir, A. and Wagner, D. “Real Time Cryptanalysis of A5/1 on a PC”, 27
April 2000

Digital cellular telecommunications system (Phase 2+); Security aspects, (GSM 02.09 version
6.1.0 Release 1997)

GSM 02.09 V6.1.0 (2000-02), European Standard (Telecommunications series)

Koszut, P., “GSM scanning tutorial”, Warsaw University of Technology, Institute of
Telecommunications. Available from:
http://wiki.thc.org/gsm?action=AttachFile&do=get&target=gsm_scanning_tutorial.pdf - Last
Access November 2007

Quirke J. “Security in the GSM system”, AusMobile, 1 May 2004. Available from:
www.csd.uoc.gr/~hy457/_Past-Courses/0506F/papers/Security_in_the_GSM_system.pdf - Last
Access 29/04/2008

Web Resources & Research Material

Cellular.co.za, http://www.cellular.co.za/gsmhistory.htm, Last Access: Nov. 2007

Collection of emails and conversations on the topic: Cracking A5. http://jya.com/crack-a5.htm
- Last Access 25/04/2008

Ettus LLC, http://www.ettus.com - Last Access 25/04/2008

GSM A5/1 Cracked, http://www.crazylinux.net/downloads/articles/gsm/a51-crack.htm, Last
Access: March 2008

GSM Security, “http://www.gsm-security.net/”, Last Access: Nov. 2007


Gsmworld.com, http://www.gsmworld.com/about/history.shtml, Last Access: Nov. 2007

Mobiletracker.net, http://www.mobiletracker.net/archives/2006/06/13/2-billion-gsm, Last
Access: Nov. 2007

Periannan R., Fahham F. “Questions & Answers about Cellular Networks – Mobile Phones”

THC wiki, http://wiki.thc.org/gsm and http://wiki.thc.org/cracking_a5 - Last Access
25/04/2008

Text References

[www-1] Jeremy Quirke, Security in the GSM system

[www-2] http://www.dotnetjohn.com/articles.aspx?articleid=97

[www-3] http://www-dse.doc.ic.ac.uk/~nd/surprise_96/journal/vol1/pr4/article1.new-4.gif

[www-4] Real Time Cryptanalysis of A5/1 on a PC, Alex Biryukov, Adi Shamir, David
Wagner. 27 April 2000

[www-5] http://www.3gpp1.org/ftp/tsg_sa/WG3_Security/TSGS3_11_Mainz/Docs/PDF/S3-
000142.pdf

[www-6] http://www.gsm-security.net/faq/timsi-temporary-imsi-gsm.shtml

[www-7] Ross Anderson – email exchange - 17 Jun 1994

[www-8] http://cryptome.org/gsm-a512.htm

[www-9] Jeremy Quirke, Security in the GSM system

[www-10] Jeremy Quirke, Security in the GSM system

[www-11] http://www.cryptophone.de/

[www-12] http://www.cryptophone.de/

[www-13] http://news.bbc.co.uk/1/hi/technology/4738219.stm
[www-14] http://www.thx.org

[www-15] http://wiki.thc.org/gsm, and http://wiki.thc.org/cracking_a5

[www-16] http://conference.hitb.org/hitbsecconf2008dubai/

[www-17] http://www.openmoko.org/

[www-18] http://www.apple.com/iphone/

[www-19] http://users.net.yu/~dejan/

[www-20] http://users.net.yu/~dejan/

[www-21] http://www.ettus.com/

[www-22] http://www.ettus.com/downloads/ettus_broch_trifold_v3b.pdf

[www-23] http://wiki.thc.org/gsm

[www-24] http://www.gsmworld.com/roaming/gsminfo/index.shtml

[www-25] http://www.ettus.com/custom.html
Appendices

Appendix A – Original Time Management (Date: 07/12/2007)

Corrections on Original Time Plan

The original Time Management Plan was designed in December 2007 to represent an

approximate evolution of the work to be done. Nonetheless it was not possible to adhere to

the time organization, since the project actually mutated over time. The modified Time Plan is

shown in the following image representing at its best the development of the project.
Both Time Management Plans were designed using the online software at

http://www.helpuplan.com

Appendix B – List of Components for SimScan Hardware

The following is a list of components to build the hardware for SimScan v 2.01.

Quantities are not noted since some spares were bought for backup reasons (in case a

component was damaged while building the device). Also tools are not included, such as

soldering iron, solder, electric tape, etc…

47uF 25V, 105C. capacitor

100nF. capacitor
33pF. disc ceramic capacitor.

Diode WE 200mA 75V 4nS

HCMOS 6 INVERTERS (OR gates)

1M. 0.25 Watt 5% Resistor.

1M. 2 Watt 5% Resistor.

10K. 0.25 Watt 5% Resistor

10K. 2 Watt 5% Resistor

22K. 2 Watt 5% Resistor.

15K. 2 Watt 5% Resistor.

2.2K. 0.25 Watt 5% Resistor

BC239C NPN TO92 CBE 20V 0A1 380

47uF 50V. Lo Z Hi temp. Electrolytic radial capacitor.

47uF 35V. Tantalum Bead capacitor. Low leakage, Tolerance 20%

47uF 25V. Tantalum Bead capacitor. Low leakage, Tolerance 20%

470uF 16V, 105C. High Temperature radial electrolytic capacitor.


22K. 0.25 Watt 5% Resistor.

15K. 0.25 Watt 5% Resistor.

Red 5mm Diffused Low Current LED 0.8mcd @ 2mA.

Red 5mm 12V Diffused LED 8mcd.

3.579545MHz HC49 Quartz Crystal

SIM card holder

White 6C Round Security Cable (Or any cable with at least 5 gauges)

Serial Port Female Socket with cover and screws

Appendix C – Excerpt from GSM 02.09 V6.1.0 (2000-02) - European Standard

3 - Security features provided in a GSM PLMN

The following security features are considered:

- subscriber identity (IMSI) confidentiality;

- subscriber identity (IMSI) authentication;

- user data confidentiality on physical connections;

- connectionless user data confidentiality;


- signalling information element confidentiality.

The implementation of these five security features is mandatory on both the fixed

infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be

able to support every security feature. Use of these five security features is at the discretion of

the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of

these five security features is mandatory unless otherwise agreed by all the affected PLMN

operators (see also subclause 3.3.3).

3.1 Subscriber identity confidentiality

3.1.1 Definition

The subscriber identity confidentiality feature is the property that the IMSI is not made

available or disclosed to unauthorized individuals, entities or processes.

3.1.2 Purpose

This feature provides for the privacy of the identities of the subscribers who are using

GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the

improvement of all other security features (e.g. user data confidentiality) and provides for the

protection against tracing the location of a mobile subscriber by listening to the signalling

exchanges on the radio path.

3.1.3 Functional requirements

This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is

transferred in signalling messages (see subclause 3.5) together with specific measures to
preclude the possibility to derive it indirectly from listening to specific information, such as

addresses, at the radio path. The means used to identify a mobile subscriber on the radio path

consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in

GSM 03.20.

When used, the subscriber identity confidentiality feature shall apply for all signalling

sequences on the radio path. However, in the case of location register failure, or in case the

MS has no TMSI available, open identification is allowed on the radio path.

3.2 Subscriber identity authentication

3.2.1 Definition

International Mobile Subscriber identity (IMSI) authentication is the corroboration by

the land-based part of the system that the subscriber identity (IMSI or TMSI), transferred by

the mobile subscriber within the identification procedure at the radio path, is the one claimed.

3.2.2 Purpose

The purpose of this authentication security feature is to protect the network against

unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the

possibility for intruders to impersonate authorized users.

3.2.3 Functional requirements

The authentication of the GSM PLMN subscriber identity may be triggered by the

network when the subscriber applies for:


- a change of subscriber-related information element in the VLR or HLR (including

some or all of: location updating involving change of VLR, registration or erasure of a

supplementary service); or

- an access to a service (including some or all of: set-up of mobile

originating or terminated calls, activation or deactivation of a supplementary service); or

- first network access after restart of MSC/VLR;

or in the event of cipher key sequence number mismatch.

Physical security means must be provided to preclude the possibility to obtain

sufficient information to impersonate or duplicate a subscriber in a GSM PLMN, in particular

by deriving sensitive information from the mobile station equipment.

If, on an access request to the GSM PLMN, the subscriber identity authentication

procedure fails and this failure is not due to network malfunction, then the access to the GSM

PLMN shall be denied to the requesting party.

3.2.4 Authentication during a malfunction of the network

If an MS is registered and has been successfully authenticated, whether active or not

active on a call, calls are permitted (including continuation and hand-over).

If an MS has already been registered (and therefore been already authenticated) and

can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was

not able to provide authentication pairs RAND, SRES), calls are permitted.

If an MS attempts to register and can not be successfully authenticated due to the

network malfunction, calls are not permitted.


If the MS is not registered, or ceases to be registered, a new registration needs to be

performed, and the preceding cases apply.

3.3 User data confidentiality on physical connections (Voice and Non-voice)

3.3.1 Definition

The user data confidentiality feature on physical connections is the property that the

user information exchanged on traffic channels is not made available or disclosed to

unauthorized individuals, entities or processes.

3.3.2 Purpose

The purpose of this feature is to ensure the privacy of the user information on traffic

channels.

3.3.3 Functional requirements

Encryption will normally be applied to all voice and non-voice communications.

Although a standard algorithm will normally be employed, it is permissible for the mobile

station and/or PLMN infrastructure to support more than one algorithm. In this case, the

infrastructure is responsible for deciding which algorithm to use (including the possibility not

to use encryption, in which case confidentiality is not applied).

When necessary, the MS shall signal to the network indicating which of up to seven

ciphering algorithms it supports. The serving network then selects one of these that it can

support (based on an order of priority preset in the network), and signals this to the MS. The

selected algorithm is then used by the MS and network. The network shall not provide service
to an MS which indicates that it does not support any of the ciphering algorithm(s) required

by GSM 02.07.

The ME has to check if the user data confidentiality is switched on using one of the

seven algorithms as defined in GSM 02.07. In the event that the ME detects that this is not the

case, or ceases to be the case (e.g. during handover), then an indication is given to the user.

This ciphering indicator feature may be disabled by the SIM (see GSM 11.11).

In case the SIM does not support the feature that disables the ciphering indicator, then

the ciphering indicator feature in the ME shall be enabled by default.

The nature of the indicator and the trigger points for its activation are for the ME

manufacturer to decide.

During the establishment of a call the trigger point shall be at call initiation at the

latest. In the case of handover the trigger point shall be the completion of handover at the

latest.

The manufacturer may provide the means to enable the user to temporarily disable the

feature. This should be done in such a way that the user can protect it from misuse.

3.4 Connectionless user data confidentiality

3.4.1 Definition
The connectionless user data confidentiality feature is the property that the user

information which is transferred in a connectionless packet mode over a signalling channel is

not made available or disclosed to unauthorized individuals, entities or processes.

3.4.2 Purpose

The purpose of this feature is to ensure the privacy of the user information on

signalling channels (e.g. short messages).

3.4.3 Functional requirements

NOTE: Protection of connectionless user data is not applicable to SMS Cell

Broadcast.

3.5 Signalling information element confidentiality

3.5.1 Definition

The signalling information element confidentiality feature is the property that a given

piece of signalling information which is exchanged between MSs and base stations is not

made available or disclosed to unauthorized individuals, entities or processes.

3.5.2 Purpose

The purpose of this feature is to ensure the privacy of users related signalling

elements.

3.5.3 Functional requirements


When used, this feature applies on selected fields of signalling messages which are

exchanged between MSs and base stations.

The signalling information elements included in the message used to establish the

connection (protocol discriminator, connection reference, message type and MS identity

(IMSI, TMSI or IMEI according to the circumstance)) are not protected.

The following signalling information elements related to the user are protected

whenever used after connection establishment:

- International Mobile Equipment Identity (IMEI).

- International Mobile Subscriber Identity (IMSI).

- Calling subscriber directory number (mobile terminating calls).

- Called subscriber directory number (mobile originated calls).

The IMSI is stored securely within the SIM.

The IMEI shall not be changed after the ME’s final production process. It shall resist

tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and

software).

NOTE: This requirement is valid for new GSM Phase 2 and Release 96, 97, 98 and 99

MEs type approved after 1st June 2002.


The security policy for the Software Version Number (SVN) is such that it cannot be

readily changed by the user, but can be updated with changes to the software. The security of

the SVN shall be separate from that of the IMEI.
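
Subclause 3.3.3 of the excerpt leaves two decisions outside the user's control: the network picks the algorithm (or none), and the SIM can silence the ME's ciphering indicator. The following Python model is an added example, not part of GSM 02.09 or of this project; the class and function names, the sample algorithm lists and the fallback to an unciphered link when no algorithm is shared are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


class ServiceRefused(Exception):
    """The network declines service to this MS."""


def select_cipher(ms_supported: Sequence[str], net_priority: Sequence[str],
                  required: Sequence[str], encrypt: bool = True) -> Optional[str]:
    """Network-side decision: an algorithm name, or None for 'no encryption'.

    `required` stands for the algorithms required by GSM 02.07; the excerpt
    does not list them, so the caller passes them in (assumption).
    """
    # No service for an MS that supports none of the required algorithms.
    if not set(ms_supported) & set(required):
        raise ServiceRefused("MS supports none of the required algorithms")
    if not encrypt:                  # the infrastructure may decide not to encrypt
        return None
    for alg in net_priority:         # first match in the network's preset order
        if alg in ms_supported:
            return alg
    return None                      # assumption: nothing in common -> unciphered


@dataclass
class Sim:
    can_disable_indicator: bool = False   # SIM implements the disabling feature
    indicator_disabled: bool = False      # value chosen by the SIM issuer


@dataclass
class MobileEquipment:
    sim: Sim
    user_muted: bool = False              # optional, temporary, user-controlled

    def indicator_enabled(self) -> bool:
        # Enabled by default unless the SIM both supports and sets the flag.
        sim_off = self.sim.can_disable_indicator and self.sim.indicator_disabled
        return not sim_off and not self.user_muted

    def check(self, trigger: str, cipher: Optional[str]) -> Optional[str]:
        """Run at a trigger point; return the warning shown to the user, if any."""
        if cipher is None and self.indicator_enabled():
            return f"{trigger}: ciphering is OFF"
        return None


def run_call(me: MobileEquipment,
             events: Sequence[Tuple[str, Optional[str]]]) -> List[str]:
    """Feed (trigger, cipher in use) events to the ME and collect its warnings."""
    warnings = []
    for trigger, cipher in events:
        warning = me.check(trigger, cipher)
        if warning is not None:
            warnings.append(warning)
    return warnings


# Constructed scenario: a ciphered call set-up, then a handover to a cell
# whose infrastructure has decided not to encrypt.
MS_ALGS = ["A5/1", "A5/3"]
NET_ORDER = ["A5/3", "A5/1"]
EVENTS = [
    ("call initiation", select_cipher(MS_ALGS, NET_ORDER, required=["A5/1"])),
    ("handover complete",
     select_cipher(MS_ALGS, NET_ORDER, required=["A5/1"], encrypt=False)),
]

if __name__ == "__main__":
    print("default SIM      :", run_call(MobileEquipment(Sim()), EVENTS))
    print("SIM disables flag:", run_call(MobileEquipment(Sim(True, True)), EVENTS))
```

With the default SIM the handover to the unciphered cell produces a warning; with a SIM that disables the indicator the same handover is silent, which is the case a handset audit should look for.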


Appendix D – Full Size Images of IMSI Catchers
Appendix E – Tutorial: Find a GSM base station manually using a USRP

Courtesy of Robert at http://wiki.thc.org/gsm

A mobile phone will normally look for a suitable GSM base station on a channel in the GSM-

900 band. The GSM-900 band is made up of the following frequency bands:

Standard or Primary GSM-900 Band, P-GSM (Channels 1 to 124)

890 MHz to 915 MHz: mobile TX, base RX

935 MHz to 960 MHz: base TX, mobile RX

Extended GSM-900 Band, E-GSM (Channels 0 to 124 and 975 to 1023)

880 MHz to 915 MHz: mobile TX, base RX

925 MHz to 960 MHz: base TX, mobile RX

Railways GSM-900 Band, R-GSM (Channels 0 to 124 and 955 to 1023)

876 MHz to 915 MHz: mobile TX, base RX

921 MHz to 960 MHz: base TX, mobile RX

Update 2008-01-25: There are a number of GSM bands a mobile phone can use and these

bands can be different depending on the country you are in. Most of the world uses the GSM-

900 and GSM-1800 bands, the most notable exceptions are the United States, Canada and

other parts of the Americas which use the GSM-850 and GSM-1900 bands.

These are the details of the other common frequency bands:

GSM-850 Band (Channels 128 to 251)

825 MHz to 849 MHz: mobile TX, base RX

869 MHz to 894 MHz: base TX, mobile RX

GSM-1800 or DCS-1800 Band (Channels 512 to 885)

1710 MHz to 1785 MHz: mobile TX, base RX

1805 MHz to 1880 MHz: base TX, mobile RX


GSM-1900 or PCS-1900 Band (Channels 512 to 810)

1850 MHz to 1910 MHz: mobile TX, base RX

1930 MHz to 1990 MHz: base TX, mobile RX

Update 2008-01-25: The rest of the techniques in this article can be adjusted to work in the

different bands, by using the different base TX to mobile RX frequency ranges.

Each channel is made up of two radio frequencies, a TX and an RX frequency, each 45 MHz

apart; the frequencies have a 200 kHz carrier spacing. For example, channel 12 uses the

frequencies 892.4 MHz and 937.4 MHz.

A base station (cell) will be allocated a set of channels, one of these channels is called the

BCCH carrier. This channel contains lots of useful information about the base station (BCCH

(Broadcast Control Channel)) and provides a mechanism for the mobile phone to find the base

station (FCCH (Frequency correction channel)).

We can use the FCCH to manually find an active base station using GnuRadio software and

USRP hardware with a DBSRX module. Setting up a GnuRadio environment is not covered

in this howto.

The FCCH generates a Frequency correction burst (FB) which can be seen on a spectrum

(frequency-domain) plot as a peak at a frequency offset of 66.7 kHz (+1625/24 kHz) above the

carrier center. A suitable spectrum plot can be generated by the usrp_fft.py command.

usrp_fft.py --decim=32 --gain=26 --freq=921M

When the above command is run, a plot window similar to Image 1 is shown with a random

moving blue line which represents the amplitude of the signal detected at that frequency. The

frequency range shown is -1 MHz to +1 MHz below and above the center frequency of 921

MHz. The plot's vertical divisions are 200 kHz apart.


Image 1: Showing usrp_fft.py window.

A possible active channel should be visible in the plot display as a wide bump centered around a

vertical division. There are no active channels shown in Image 1.

The center frequency can be modified by typing a new value into the Center freq: text box

and pressing the enter key. Scan forward through the frequency range by typing 922M [enter],

923M [enter], etc. Look for interesting channel bumps in the blue line centered around a

vertical division.

In my scan the first interesting channel bump appeared near center frequency 937 MHz

(Image 2). Note: the slight bump to the left is an artifact and can be ignored.

Image 2: Interesting channel bump.


To investigate the possible channel further we change the center frequency to 937.8 MHz; this

centers us in on the possible channel. Notice in Image 3 that the spectrum to the right of the

center channel has a similar amplitude; this tells me that other channels might be in use for

traffic data or that I'm picking up more than one base station.

Image 3: Centered channel bump, possible traffic.

By right clicking on the plot window and selecting the Peak Hold option the plot shows the

highest amplitude received. After about 30 seconds any Frequency correction bursts should be
clearly visible as narrow peaks in the plot. Image 4 shows three Frequency correction bursts

highlighted with red arrows and possibly two others. It would not be normal to expect so

many BCCH carriers so close together and it is most likely we are picking up more than one base

station (FIXME is this correct?).

Image 4: Marked frequency correction bursts.

We should continue scanning for a more suitable base station. Right click again and select

Peak Hold to deselect that option. Enter the next center frequency.

The next interesting center frequency is 941 MHz (Image 5). This possible channel bump has a

significantly higher amplitude, which would indicate that the base station is closer. The Peak

Hold plot (Image 6) shows a very clear Frequency correction burst. Also the peaks to the

right would seem to indicate active traffic channels.

Image 5: Another interesting channel bump.


Image 6: This is a strong clean channel signal with FB, it might even show traffic channels?

We can be pretty sure that this is a local base station channel and we should record its center

frequency for future in-depth investigation. We can continue scanning for more base stations.
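
The channel numbering used in this tutorial, as an added example that is not part of the original tutorial or of GnuRadio: a Python helper that converts between channel number (ARFCN) and carrier frequency with the standard GSM formulas and lists the carriers that fall inside one usrp_fft.py view. The function names are hypothetical, and the code goes beyond the tutorial's GSM-900 case: DCS-1800 and PCS-1900 reuse channel numbers 512 and up and use 95 MHz and 80 MHz duplex spacing, so a band must be named.

```python
from typing import List, Tuple

CHANNEL_KHZ = 200  # carrier spacing; all arithmetic is in integer kHz

# (band, first ARFCN, last ARFCN, reference ARFCN, uplink kHz at reference, duplex kHz)
# The narrowest GSM-900 variant comes first so reverse lookups name the smallest band.
BANDS = [
    ("P-GSM-900",   1,  124,    0,   890_000, 45_000),
    ("E-GSM-900",   0,  124,    0,   890_000, 45_000),
    ("E-GSM-900", 975, 1023, 1024,   890_000, 45_000),  # extension below 890 MHz
    ("R-GSM-900",   0,  124,    0,   890_000, 45_000),
    ("R-GSM-900", 955, 1023, 1024,   890_000, 45_000),
    ("GSM-850",   128,  251,  128,   824_200, 45_000),
    ("DCS-1800",  512,  885,  512, 1_710_200, 95_000),
    ("PCS-1900",  512,  810,  512, 1_850_200, 80_000),
]


def channel(arfcn: int, band: str) -> Tuple[int, int]:
    """Return (mobile-TX kHz, base-TX kHz) for a channel number in a named band."""
    for name, lo, hi, ref, ul_ref, duplex in BANDS:
        if name == band and lo <= arfcn <= hi:
            uplink = ul_ref + CHANNEL_KHZ * (arfcn - ref)
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not in {band}")


def channels_in_view(center_khz: int,
                     half_span_khz: int = 1000) -> List[Tuple[str, int, int]]:
    """List (band, ARFCN, base-TX kHz) for every carrier inside a spectrum window."""
    low, high = center_khz - half_span_khz, center_khz + half_span_khz
    seen, found = set(), []
    for name, lo, hi, *_ in BANDS:
        for arfcn in range(lo, hi + 1):
            downlink = channel(arfcn, name)[1]
            # P-, E- and R-GSM share channels; report each carrier once.
            if low <= downlink <= high and (arfcn, downlink) not in seen:
                seen.add((arfcn, downlink))
                found.append((name, arfcn, downlink))
    return sorted(found, key=lambda row: row[2])


def identify(downlink_khz: int) -> Tuple[str, int]:
    """Name the band and ARFCN of one observed base-TX carrier frequency."""
    hits = channels_in_view(downlink_khz, 0)
    if not hits:
        raise ValueError(f"{downlink_khz} kHz is not a GSM downlink carrier")
    return hits[0][0], hits[0][1]


if __name__ == "__main__":
    print(channel(12, "P-GSM-900"))          # the tutorial's channel 12
    for mhz in (937.8, 941.0):               # carriers noted during the scan above
        print(mhz, "MHz ->", identify(round(mhz * 1000)))
    for row in channels_in_view(921_000):    # first window: --freq=921M, +/- 1 MHz
        print(row)
```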