Mobile Communication Security Analysis

Mobile Communication and its Security Analysis

by
K Gunjan
Agenda
• Evolution of mobile communication
• 1G technology
• 2G technology
• GSM architecture
• GSM channels
• SIM
• Sharing spectrum
• Authentication and encryption scheme
• GSM calling sequence
• GSM called sequence
• Security issues
Evolution of Mobile Comm
• Ancient times: light for communication, e.g. ships, beacons
• 150 BC: smoke signals (colour/strength)
• 1794: optical telegraphy
• 1877: first wireline telephone
• 1895: wireless telegraphy
• 1915: wireless voice transmission (AM)
• 1928: TV broadcast
• 1933: FM patented; FM radios in the 1950s
Evolution of Mobile Comm
• 1946: Mobile telephone introduced
  System: MTS
  Device weight: 36 kg
  In the Bell System, used in St. Louis
  Call setup by operator
  Only 3 channels for the whole metro area
• 1960: Bell Labs -> cellular concept
• 1970: Mobile user <=> PSTN
  System: IMTS (Improved Mobile Telephone Service)
  Reduced size and weight
  Eliminated setup by operator
  32 channels across 3 bands, 450-470 MHz
• Other wireless systems: Push to Talk (PTT), AMTS (Advanced Mobile Telephone System), etc.
These were also called mobile radio systems.
1G technology
=> Deployed in early 1990s
1. AMPS (Advanced Mobile Phone System): developed and deployed in the USA
2. NMT (Nordic Mobile Telephone System): developed and deployed in the Scandinavian countries
3. TACS (Total Access Communication System): developed in the UK, deployed in Europe
1G technology
• All analog
• FDMA + FM
• Voice only
• Poor voice quality
• Poor battery life
• Large phone size
• Poor handoff reliability
• No roaming, not even between two networks of the same technology
1G technology
No security
• Analog signals do not allow advanced encryption methods, hence there is no security
• FM receivers can be used to listen in on any conversation
• Anyone could collect a large database of subscriber identities etc. by driving around, and go into business by reprogramming stolen phones and reselling them
• Airtime thefts were also reported
2G technology
• Deployed in the early 90s
• Three popular systems: GSM, D-AMPS and CDMA One/IS-95
• Digital systems
• SMS
• MMS (Multimedia Messages)
• Data service: GPRS, 64 kbps
• Roaming
• Voice encryption provision
• Better security
GSM
• GSM is the most popular 2G technology
• Developed in Europe and follows European standards
• Low data rate: 9.6 kbps
• Higher data rates using 2G:
  GPRS (General Packet Radio Service), 2.5G: 171 kbps (50 kbps typical)
  EDGE (Enhanced Data Rates for GSM Evolution), 2.75G: 473.6 kbps (100 kbps typical)
GSM
New network elements required to achieve the higher data rate:
• Serving GPRS Support Node (SGSN): the SGSN handles all packet-switched data within the network and is responsible for the authentication and tracking of the users. The SGSN performs the same functions for packet data as the MSC does for voice traffic.
• Gateway GPRS Support Node (GGSN): the GGSN is the interface from the GSM/GPRS network to external networks. The GGSN is also responsible for the allocation of IP addresses.
GSM ARCHITECTURE
[Diagram: network elements shown include CDR archive, USAU, service voucher centers, SMP, provisioning & billing/CRM, MNP D/B, STP, USSD gateways, OMC, CRBT system]
Architecture from the network perspective
[Diagram: MPLS, routers, E1s, STP, GSM links]
Motivation
Understand it & look for CIA
GSM ARCHITECTURE
[Diagram]
GSM Protocol stack
[Diagram]
Sharing Spectrum
GSM uses TDMA & FDMA
[Diagram: sharing spectrum]
GSM channels
[Diagram: GSM channels]
Subscriber Identification Module (SIM)
• Smart card: a single-chip computer containing an OS, file system and applications
• Protected by PIN
• Owned by the operator (i.e. trusted)
• SIM applications can be written with the SIM Toolkit
• Contains PIN, Ki and Kc
• Contains the A3, A5 and A8 algorithms
Authentication and Encryption Scheme
[Diagram: Mobile Station | Radio Link | GSM Operator]
• The operator sends a 128-bit challenge RAND to the mobile station over the radio link.
• The SIM and the operator each compute A3(Ki, RAND), giving the 32-bit signed response SRES; the mobile returns SRES.
• Authentication: are the two SRES values equal?
• Both sides also compute A8(Ki, RAND), giving the 64-bit cipher key Kc.
• A5 takes Kc and the frame number Fn on each side to encrypt and decrypt the data mi sent over the radio link.
Authentication and Encryption Scheme
• A3 input: 128-bit RAND random challenge, 128-bit private key Ki
• A3 output: 32-bit SRES signed response
• A8 input: 128-bit RAND random challenge, 128-bit private key Ki
• A8 output: 64-bit cipher key Kc, used for A5
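The challenge-response exchange described above, as an added example that is not from the slides: the operator issues RAND, the SIM answers with SRES, and both sides derive Kc locally so that neither Ki nor Kc ever crosses the radio link. The real A3/A8 are operator-specific and not given on the slides, so HMAC-SHA256 truncated to the stated sizes stands in for them here; the Ki, IMSI and class names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the operator-specific A3/A8 (the slides give only their sizes:
# RAND 128 bit, Ki 128 bit -> SRES 32 bit, Kc 64 bit). HMAC-SHA256 is a
# placeholder chosen for this example, not the algorithm real SIMs run.
def a3(rand: bytes, ki: bytes) -> bytes:
    assert len(rand) == 16 and len(ki) == 16
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand: bytes, ki: bytes) -> bytes:
    assert len(rand) == 16 and len(ki) == 16
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class Sim:
    """Subscriber side: Ki never leaves the card, only SRES is sent back."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None                      # session key for A5, stays on the MS

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        self.kc = a8(rand, self._ki)        # A8: cipher key
        return a3(rand, self._ki)           # A3: signed response

class Operator:
    """Network side (AuC/HLR): holds a copy of Ki for each IMSI."""
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers     # IMSI -> Ki

    def authenticate(self, sim: Sim):
        """Return the network's Kc on success, None if SRES does not match."""
        ki = self._subscribers[sim.imsi]
        rand = secrets.token_bytes(16)      # challenge, sent in the clear
        sres = sim.run_gsm_algorithm(rand)  # 32-bit response over the air
        if not hmac.compare_digest(sres, a3(rand, ki)):
            return None
        # Kc is derived independently on both sides and never transmitted.
        # Nothing here lets the MS verify the network: authentication is one-way.
        return a8(rand, ki)

# Constructed sample subscriber (values made up for this example)
KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IMSI = "001010123456789"

def demo(ki_on_card: bytes = KI) -> tuple:
    """(authenticated?, Kc agrees on both sides?) for a SIM holding ki_on_card."""
    sim = Sim(IMSI, ki_on_card)
    net_kc = Operator({IMSI: KI}).authenticate(sim)
    return (net_kc is not None, net_kc == sim.kc)

if __name__ == "__main__":
    print(demo(), demo(bytes(16)))
```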
GSM Basic Call Sequence
The processes for the calling MS and the called MS are two independent flows. The calling party begins with a channel request and ends with TCH assignment completion. In general, the calling-party flow includes the following stages: access process, authentication and ciphering process, TCH assignment process. We take the mobile-to-land sequence as the example; in this sequence we concentrate on the calling party.
Mobile to Land Sequence
[Sequence diagram between MS, BSS, MSC, VLR, HLR and PSTN, reconstructed as a step list]
1. CHANNEL REQUEST <RACH>; DCCH ASSIGN <AGCH>; signalling link established
2. REQ. FOR SERVICE <SDCCH> (CR / CC)
3. AUTHENTICATION; SET CIPHER MODE
4. SET-UP <SDCCH> (SFOC), carrying the call info
5. EQUIP. ID REQ.
6. COMPLETE CALL; CALL PROCEEDING <SDCCH>
7. ASSIG. COMMAND <SDCCH>; ASSIG. COMPLETE <FACCH> (circuit)
8. Initial and Final Address Message (IFAM) to the PSTN; Address Complete (ACM); Alerting <FACCH>: the MS hears the ring tone from the land phone
9. Answer (ANS); Connect <FACCH>: ring tone stops; BILLING STARTS
10. Connect Acknowledge <FACCH>; HELLO! <TCH>
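The mobile-to-land sequence above, as an added example that is not from the slides: a small audit over the order of signalling messages that flags call-identifying content (the call info in SET-UP, the equipment identity in EQUIP. ID REQ.) sent before SET CIPHER MODE, and a cipher mode set without a preceding AUTHENTICATION. The trace tuples, message spellings and the SENSITIVE set are assumptions made for this example.

```python
# Mobile-to-land call setup as the slides list it, as (step, channel, message,
# direction) tuples; constructed for this example from the slide diagram.
MOBILE_TO_LAND = [
    (1, "RACH",  "CHANNEL REQUEST",     "MS->BSS"),
    (1, "AGCH",  "DCCH ASSIGN",         "BSS->MS"),
    (2, "SDCCH", "REQ. FOR SERVICE",    "MS->MSC"),
    (3, "SDCCH", "AUTHENTICATION",      "MSC->MS"),
    (3, "SDCCH", "SET CIPHER MODE",     "MSC->MS"),
    (4, "SDCCH", "SET-UP (Call Info)",  "MS->MSC"),
    (5, "SDCCH", "EQUIP. ID REQ.",      "MSC->MS"),
    (6, "SDCCH", "CALL PROCEEDING",     "MSC->MS"),
    (7, "SDCCH", "ASSIG. COMMAND",      "MSC->MS"),
    (7, "FACCH", "ASSIG. COMPLETE",     "MS->MSC"),
    (8, "FACCH", "ALERTING",            "MSC->MS"),
    (9, "FACCH", "CONNECT",             "MSC->MS"),
    (10, "FACCH", "CONNECT ACKNOWLEDGE", "MS->MSC"),
]

# Messages whose content identifies the call or the handset (assumption).
SENSITIVE = {"SET-UP (Call Info)", "EQUIP. ID REQ."}

def audit_call_setup(trace):
    """Return (step, finding) pairs for sensitive messages that would travel in
    the clear and for ciphering that is missing or unauthenticated."""
    findings = []
    authenticated = ciphered = False
    for step, _channel, msg, _direction in trace:
        if msg == "AUTHENTICATION":
            authenticated = True
        elif msg == "SET CIPHER MODE":
            if not authenticated:
                findings.append((step, "cipher mode set without authentication"))
            ciphered = True
        elif msg in SENSITIVE and not ciphered:
            findings.append((step, f"{msg} sent in clear"))
    if not ciphered:
        findings.append((None, "call completed without ciphering"))
    return findings

def without(trace, message):
    """Copy of a trace with one message type dropped, to model a skipped step."""
    return [m for m in trace if m[2] != message]

if __name__ == "__main__":
    print(audit_call_setup(MOBILE_TO_LAND))                     # []
    print(audit_call_setup(without(MOBILE_TO_LAND, "SET CIPHER MODE")))
```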
GSM Basic Call Sequence
For the called party, the flow begins when the MSC sends a paging command to the called party and ends when the two parties start talking. In general, this call flow includes several stages: access process, authentication and ciphering process, TCH assignment process, talk process, release process.
Land to Mobile Sequence
[Sequence diagram between MS, BSS, MSC, VLR, HLR, GMSC and PSTN, reconstructed as a step list]
1. Initial and Final Address Message (MSISDN) from the PSTN to the GMSC
2. Send Routing Info (MSISDN) from the GMSC to the HLR; the HLR queries the VLR (IMSI)
3. Routing Info Ack (MSRN); Initial and Final Address Message (MSRN) forwarded to the MSC
4. Send Info For I/C Call Setup (MSRN) to the VLR
5. Page <PCH>: Paging Request (LAI & TMSI), addressed by TMSI
9. Assignment Command (channel, circuit); Assignment Complete <FACCH>; Alert <TCH>; Address Complete: ring tone at the land phone
10. Connect <FACCH>: the subscriber at the land phone picks up, ringing stops; Connect ACK / ANS <FACCH>: billing starts; Hello... <TCH>
Attacks on GSM
• OsmocomBB
• Sniffing
• MITM attack on calls
• MITM attack on SMS
• Attack using a data card
• ...
Twitter: @Gunjan_cn
Gunjan.cn@gmail.com