Abstract— Global System for Mobile communications (GSM) is the most popular telecommunication protocol used in telecommunication networks. The telecommunications industry uses a combination of 2G (GSM), 3G (Universal Mobile Telecommunications Service, UMTS) and 4G (Long Term Evolution, LTE) systems to provide communication worldwide. However, the telecommunications industry keeps a high percentage of its deployed infrastructure on GSM technologies. GSM offers worldwide roaming and interconnection with any available GSM network. Users are expected to be aware of the possible security threats.
This work highlights weaknesses and issues in the GSM standard, and presents an informed approach to help audit GSM networks for vulnerabilities.

Keywords— Sniffing GSM, RTL-SDR, GSM Vulnerability, GSM attack, Security, Privacy, Universal Software Radio Peripheral (USRP).

I. INTRODUCTION

With the exponential growth in the communication field, such as communication through voice, video, data packets, etc., it is a critical task to modify radio devices in an easy and cost-effective manner. SDR technology provides a flexible, cost-effective solution to drive communication, with wide-reaching benefits to the end users. Software Defined Radio can be defined as a radio in which some or all of the physical functions are software defined. Traditional hardware-based radio devices can only be modified through physical intervention, which results in high production cost and limited flexibility. With the advent of SDR, it is possible through software upgrades to build multi-mode, multi-band or multi-functional wireless devices, thereby providing an efficient and inexpensive solution to this problem. To implement SDR, a free and open-source software development toolkit known as GNU Radio is available [1].
The concept of GSM emerged from a cell-based mobile radio system at Bell Laboratories in the early 1970s. GSM is the name of a standardization group established in 1982 to create a common European mobile telephone standard. GSM is the most widely accepted standard in telecommunications and it is implemented globally. As of 2014 it has become the de facto global standard for mobile communications, with over 90% market share, operating in over 219 countries and territories. GSM was developed using digital technology. It has the ability to carry data rates from 64 kbps to 120 Mbps [2]. Despite the rapid change in cellular technologies, Mobile Network Operators (MNOs) keep a high percentage of their deployed infrastructure on GSM technologies.
With about 3.5 billion subscribers, GSM remains the only standard for cellular communications. However, the security criteria envisioned 30 years ago, when the standard was designed, are no longer sufficient to ensure the security and privacy of the users. Furthermore, even with the newest fourth generation (4G) cellular technologies starting to be deployed, these networks could never achieve strong security guarantees because the MNOs keep backwards compatibility given the huge amount of GSM subscribers. Recent research has shown that mobile device data can be used as an effective way to track individuals. This presents a problem related to users' privacy, as their location allows the carriers to profile and track their movements [3].
The most advanced penetration testing platform, Kali Linux, could be a handy solution for anyone starting in the matter. Under Kali Linux Rolling one can find, ready to use, many tools such as Wireshark for network sniffing. The main advantage of the Kali Linux distribution over Ubuntu or Debian is, in fact, the special packages installed that are useful in software penetration testing. Nevertheless, there is no distribution ready for GSM sniffing, so there is much to be done before starting the capture. The most important step is to identify a low-cost SDR that is suited to the sniffing approach. One of the low-cost SDRs available on the market is the RTL-SDR [4].

II. SDR

A. Software Defined Radio

SDR technology is an adaptive, future-proof solution for wireless networks that aims to replace conventional radio hardware by building an open-architecture radio system in software which is reconfigurable and reprogrammable. It supports different functional modules of the radio system, such as modulation, demodulation, signal generation, coding, link-layer protocols, etc., in software. SDR is a promising technology in radio communication that uses software techniques on digitized radio signals.
It turns hardware problems into software problems. Compared to conventional radio, it can switch between different architectures and there is a significant improvement in price/performance over traditional radio. It even has the ability to change the waveform function on the fly, to receive and broadcast multiple channels at the same time, and to have its software upgraded over the air. Since it is possible to receive and transmit signals simultaneously, a software radio can act as a bridge between different radio networks. SDR is of growing importance to the wireless communication industry, the military and the public safety sector. SDR technologies will even endow space and planetary exploration systems with increased capability and reduced power consumption compared with conventional systems [5].

B. GNU Radio Platform

GNU Radio is an open-source software toolkit that enables the building of a Software Defined Radio.
Different functionalities such as modulation, demodulation, filtering, encoding, decoding, source coding, channel coding, etc. are provided as software code. Implementing functionalities as software modules is what gives an SDR its reconfigurability. Traditionally, for example, if the modulation scheme of a radio had to be changed, the entire analog circuitry employed for modulation had to be changed.
Using SDR, only the code needed for the task has to be changed. GNU Radio provides a graphical user interface, GNU Radio Companion (GRC). Experiments can be done by connecting signal processing blocks written in C++ and Python. The programmer builds a radio by creating a graph where the nodes are signal processing primitives and the edges represent the data flow between them [6].

C. Universal Software Radio Peripheral

The USRP is a device which allows the creation of an SDR using any computer with a USB 2.0 port. It is a hardware module that provides both transmission and reception capabilities over a wide range of frequencies. The motherboard comprises the FPGA chip that does the expensive signal processing, and the daughterboard holds the AD/DA converters and the RF front end. It has one motherboard and can support four daughterboards. The motherboard costs around 700 dollars and each daughterboard costs around 75 to 475 dollars depending on the application requirements [7].

D. RTL-SDR

To date, the USRP (Universal Software Radio Peripheral) has been a popular hardware device for doing real-time communication experiments in SDR.
But now, a 20-dollar revolution from OSMO SDR has introduced a piece of hardware called the RTL-SDR (Realtek RTL2832U), which is the cheapest one. The DVB-T (Digital Video Broadcast Terrestrial) dongle proved to be efficient for SDR purposes, as the chip is able to transmit raw I/Q samples to the host. The operating frequency range of the RTL-SDR is from 64 to 1700 MHz, with a sample rate of 3.2 MS/s [8].

III. BACKGROUND ON GSM

GSM is a very well-known cellular standard, so in this section we only provide a very brief background on some aspects of particular relevance for our work. It consists of three major interconnected subsystems that interact between themselves and with the users through certain network interfaces. The subsystems are:

a) Base Station Subsystem (BSS)
b) Network and Switching Subsystem (NSS)
c) Operation Support Subsystem (OSS)

The Mobile Station (MS) is also a subsystem, but is usually considered to be part of the BSS for architecture purposes. Equipment and services are designed within GSM to support one or more of these specific subsystems [9].

a) Base Station Subsystem (BSS)

The BSS is in charge of providing connectivity between the mobiles and the network.
It consists of the Mobile Station (MS), the Base Transceiver Station (BTS), and the Base Station Controller (BSC). The MS provides the user with an interface to communicate with the GSM network. It includes the mobile equipment (ME) and the Subscriber Identity Module (SIM). The SIM is used to provide the identity of the user to the network. The BTS transmits and receives the signals from the MSs and controls the transmission power, modulation, voice coding/decoding and encryption of the signals. The BSC controls a set of BTSs as well as the handover, radio channels, paging and other control functions [10].
b) Network and Switching Subsystem (NSS)

The NSS is in charge of the switching functions, locating the MSs and the interconnection with other networks. It consists of the Mobile Switching Center (MSC), the Home Location Register (HLR), the Visitor Location Register (VLR), and the Gateway Mobile Switching Center (GMSC). The MSC is the main element in the NSS; it controls different BSCs and it is responsible for routing incoming/outgoing calls and for the mobility functions of the terminals, such as registration and location of the MSs. The HLR is a static database that contains specific parameters of the subscriber (location information, authorized services, type of terminal, etc.). The VLR is a dynamic database associated with one MSC; it stores information on the terminals that are registered with that MSC. When an MS registers with the network, the corresponding VLR verifies the different parameters with the HLR of the home network. The GMSC is the interconnection point between the GSM network and external networks, for which it provides gateway functions [11].

c) Operation Support Subsystem (OSS)

The OSS controls, in a centralized manner, the management and maintenance of the GSM subsystems. It consists of the Authentication Center (AuC) and the Equipment Identity Register (EIR). The AuC contains a database that stores the identification and authentication data of every subscriber. It stores the International Mobile Subscriber Identity (IMSI) and the permanent key associated with every SIM (Ki). The EIR is a database that stores lists of the MSs identified by their International Mobile Station Equipment Identity (IMEI).
It is used to determine if the MSs are authorized, unauthorized or in need of being monitored.

V. GSM SECURITY

GSM security is addressed in two aspects: authentication and encryption. Authentication avoids fraudulent access by a cloned MS. Encryption avoids unauthorized listening. A secret key, Ki, is used to achieve authentication. Ki is stored in the AuC as well as in the SIM. The Ki value is unknown to the subscriber. To initiate the authentication process, the home system of the MS generates a 128-bit random number called RAND. This number is sent to the MS. By exercising an algorithm, A3, both the network (AuC) and the MS (SIM) use Ki and RAND to produce a signed result (SRES). The SRES generated by the MS is sent to the home system and is compared with the SRES generated by the AuC. If they are not identical, the access request is rejected. Note that if the SRES and RAND generated by the AuC are sent from the HLR to the visited VLR in advance, the SRES comparison can be done at the visited VLR. Algorithm A3 is dependent on the GSM service provider. Since the visited system may not know the A3 algorithm of a roaming MS, the authentication result SRES is generated at the home system of the MS [12]. If the MS is accepted for access, an encryption key Kc is produced by an algorithm, A8, with Ki and RAND as inputs. Like A3, A8 is specific to the home system; once the home system has generated Kc, this encryption key is sent to the visited system. Kc and the TDMA frame number encoded in the data bits are used by an algorithm, A5, to cipher and decipher the data stream between the MS and the visited system. The same A5 algorithm may be used in all systems participating in the GSM service [12].

The cellular service providers have to track the location of mobile subscribers in an efficient way by making competent use of the radio resources. In order to accomplish that, the large areas served by a cellular network are partitioned into smaller geographical regions, the well-known Location Areas (LA, identified by a LAC). Then, the broadcast messages are addressed within those smaller areas. By identifying the paging requests that carry the TMSIs of the users, we can infer whether an individual resides in that area, provided we know the specific temporary ID. Moreover, the temporary ID is the only identifier observable in the broadcast messages of the paging procedure, so mapping the temporary ID to the telephone number of the user could be a difficult procedure.
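The challenge-response flow described above, as an added example that is not part of the paper: a Python model of the AuC, SIM and VLR exchanging an authentication triplet (RAND, SRES, Kc), showing why the visited VLR needs neither Ki nor the home operator's A3/A8. The real A3/A8 are operator-specific and not given on the page, so HMAC-SHA256 is assumed as a stand-in; the IMSI and Ki values are constructed.

```python
import hmac
import hashlib
import os
from typing import Dict, Optional, Tuple

# Assumption: the real A3/A8 are operator-specific and not given on the page, so
# HMAC-SHA256 stands in for both; output sizes follow GSM (SRES 32 bit, Kc 64 bit).
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

Triplet = Tuple[bytes, bytes, bytes]  # (RAND, SRES, Kc)

class AuC:
    """Home network: holds every subscriber's Ki and produces authentication triplets."""
    def __init__(self, subscribers: Dict[str, bytes]):
        self._ki = subscribers  # IMSI -> Ki, constructed sample data

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Triplet:
        rand = rand if rand is not None else os.urandom(16)  # 128-bit RAND
        return rand, a3(self._ki[imsi], rand), a8(self._ki[imsi], rand)

class SIM:
    """Mobile station side: Ki never leaves the card, it only answers a RAND."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        # The SIM answers any RAND it is given: GSM has no step in which the
        # MS verifies that the challenge really came from its home network.
        return a3(self._ki, rand), a8(self._ki, rand)

class VLR:
    """Visited network: checks SRES against a triplet obtained from the HLR/AuC,
    so it needs neither Ki nor the home operator's A3/A8."""
    def __init__(self):
        self._pending: Dict[str, Triplet] = {}

    def challenge(self, imsi: str, triplet: Triplet) -> bytes:
        self._pending[imsi] = triplet
        return triplet[0]  # RAND goes to the MS in clear

    def verify(self, imsi: str, sres_from_ms: bytes) -> Optional[bytes]:
        _, sres_expected, kc = self._pending.pop(imsi)
        # constant-time comparison of the 32-bit signed result
        return kc if hmac.compare_digest(sres_expected, sres_from_ms) else None

def run_authentication(imsi: str, auc: AuC, vlr: VLR, sim: SIM,
                       rand: Optional[bytes] = None) -> bool:
    """One authentication run; True when the MS is accepted and both sides
    hold the same Kc for A5 ciphering."""
    rand = vlr.challenge(imsi, auc.triplet(imsi, rand))
    sres_ms, kc_ms = sim.respond(rand)
    kc_net = vlr.verify(imsi, sres_ms)
    return kc_net is not None and kc_net == kc_ms
```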
From the GSM specifications and from the mobile network operators' strict policy, it is considered that the IMSI must be sent as rarely as possible, to avoid its being located and tracked. However, by reviewing the above, and as observed during our experiments and attacks, there are multiple occasions on which the network authenticates its users by the IMSI. Across the history of the GSM standard, there have been many attacks on the protocol. In 1998, reverse engineering techniques were applied to break the 3GPP subscriber authentication algorithm implementation [3]. Since then, numerous attacks on the different versions of the encryption algorithms have been reported in [13], [14] and [15].
VI. SNIFFING GSM TRAFFIC

In this section, we describe our scenario and the tools needed to perform the attack, and we detail the implementation of the attack.

VI.1 TOOLS

We now briefly describe the set of tools used to perform the attack:

Kali Linux OS (2017.3, 64-bit): Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël Hertzog are the core developers.

Wireshark: Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in a human-readable format. Basically, it is a network packet analyzer which provides minute details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved via this tool can be viewed through a GUI or in TTY mode with the TShark utility.

Airprobe: Airprobe is a GSM air interface analysis tool [16].

Kalibrate (kal): Kalibrate is an open-source software project used to scan the GSM frequencies of the base stations in the vicinity and is capable of determining the local oscillator frequency offset [17].

GNU Radio: GNU Radio is an open-source toolkit that offers real-time signal processing as well as the possibility to implement different radio technologies.

RTL-SDR Dongle: The RTL-SDR is a special commodity hardware device that is considered a wideband software defined radio (SDR) scanner. The RTL chip can be used with a DVB-T TV tuner dongle. The RTL-SDR is a very broadband (60 MHz to 1700 MHz) product and has a large range of applications. The RTL chip can be used as a telecommunication "antenna" for TV broadcasting.
VI.2 Implementation

Beginning with the RTL-SDR, we have to install the Kalibrate utility. Kalibrate is a useful tool that enables us to identify the available principal GSM channels in our area. Kalibrate-RTL, or kal, is a Linux program used to scan for GSM BTSs in a given frequency band.

System Information Message

We start our analysis from the System Information messages. Generally this type of message contains the information that an MS needs in order to communicate with the network. As we can see, there are different types of such messages, each one containing various pieces of information.
Type 1: Channel type = BCCH. Contains a list of ARFCNs (Absolute Radio Frequency Channel Numbers) of the cell and RACH control parameters.
Type 2: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) and the BCCH frequency list.
Type 3: Channel type = BCCH. Contains the cell identity (cell ID) code decoded, the Location Area Identity (LAI, which comprises the Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area Code (LAC)) and some GPRS information.
Type 4: Channel type = BCCH. Contains the LAI (MCC+MNC+LAC) decoded, cell selection parameters and RACH control parameters, plus some GPRS information.
Type 2ter: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) with the Extended BCCH frequency list.
Type 2quater: Channel type = BCCH. This is a 3G message with information that we do not take into account in this study. Contains the 3G neighbor cell description.
Type 13: Channel type = BCCH. Contains all the important information about GPRS, such as GPRS cell options and GPRS power control parameters.

Paging Request Message

Type 1: Channel type = CCCH. Contains: Mobile Identity 1 = IMSI; Page Mode = normal paging (P1); Channel Needed.
Contains: Mobile Identity 1 and 2 = TMSI/P-TMSI; Page Mode = normal paging (0); Channel Needed.
Type 2: Channel type = CCCH. Contains: Mobile Identity 1, 2 = TMSI/P-TMSI or IMSI; Mobile Identity 3; Page Mode = normal paging (0); Channel Needed.
Type 3: Channel type = CCCH. Contains: Mobile Identity 1, 2, 3 and 4 = TMSI/P-TMSI (not decoded); Page Mode = normal paging (0); Channel Needed.

Immediate Assignment Message

Channel type = CCCH. Contains: Timing Advance value; Packet Channel Description (time slot); Page Mode = Extended Paging (1).

The IMSI represents the unique identity of the subscriber of the phone, including the origin country and the mobile network to which the subscriber subscribes. It basically identifies the user of a cellular network, and every cellular network has its own unique identification. Basically, all GSM networks use the IMSI as the primary identity of a subscriber or user. The number that represents the IMSI can be as long as 15 digits or shorter. The first three digits are the mobile country code (MCC), followed by the mobile network code (MNC). The IMSI is also stored in the SIM card.
IMSIs are normally used by the network operator to examine the subscribers and to decide whether to allow a subscriber to use another network operator. By tracking your IMSI, an authority can actually track not just the location of your phone but also who you are calling, at what time and where the call is made. Each location area of a public land mobile network (PLMN) has its own unique identifier, which is known as its location area identity (LAI). This internationally unique identifier is used for location updating of mobile subscribers. It is composed of a three-decimal-digit mobile country code (MCC), a two- to three-digit mobile network code (MNC) that identifies a Subscriber Module Public Land Mobile Network (SM PLMN) in that country, and a location area code (LAC) which is a 16-bit number, thereby allowing 65536 location areas within one GSM PLMN. The LAI is broadcast regularly through a broadcast control channel (BCCH). A mobile station (e.g. a cell phone) recognizes the LAI and stores it in the subscriber identity module (SIM). If the mobile station is moving and notices a change of LAI, it will issue a location update request, thereby informing the mobile provider of its new LAI. This allows the provider to locate the mobile station in case of an incoming call.
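The LAI and IMSI layouts described above (MCC three digits, MNC two or three digits, LAC 16 bits), as an added example that is not part of the paper: a Python decoder for the 5-octet LAI value part that System Information Type 3/4 carries, with the matching encoder for round-trip checks, plus an IMSI splitter and a redaction helper for audit logs. The octet layout follows 3GPP TS 24.008; the test PLMN 001/01 and the IMSI used are constructed values.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class LAI:
    mcc: str
    mnc: str
    lac: int

def decode_lai(octets: bytes) -> LAI:
    """Decode the 5-octet LAI value part (3GPP TS 24.008, 10.5.1.3).
    Two BCD digits per octet, low nibble first:
      octet 1: MCC digit 2 | MCC digit 1
      octet 2: MNC digit 3 | MCC digit 3   (MNC digit 3 is 0xF for a 2-digit MNC)
      octet 3: MNC digit 2 | MNC digit 1
      octets 4-5: LAC, 16 bits, big-endian"""
    if len(octets) != 5:
        raise ValueError("LAI value part is exactly 5 octets")
    o1, o2, o3 = octets[0], octets[1], octets[2]
    mcc_digits = [o1 & 0x0F, o1 >> 4, o2 & 0x0F]
    mnc_digits = [o3 & 0x0F, o3 >> 4]
    if (o2 >> 4) != 0x0F:  # third MNC digit present
        mnc_digits.append(o2 >> 4)
    if any(d > 9 for d in mcc_digits + mnc_digits):
        raise ValueError("non-decimal BCD digit in MCC/MNC")
    return LAI("".join(map(str, mcc_digits)), "".join(map(str, mnc_digits)),
               int.from_bytes(octets[3:5], "big"))

def encode_lai(lai: LAI) -> bytes:
    """Inverse of decode_lai; used to round-trip check a decoded value."""
    mcc = [int(c) for c in lai.mcc]
    mnc = [int(c) for c in lai.mnc]
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not 0 <= lai.lac <= 0xFFFF:
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits, LAC 16 bits")
    mnc3 = mnc[2] if len(mnc) == 3 else 0xF
    head = bytes([(mcc[1] << 4) | mcc[0], (mnc3 << 4) | mcc[2], (mnc[1] << 4) | mnc[0]])
    return head + lai.lac.to_bytes(2, "big")

def split_imsi(imsi: str, mnc_length: int) -> Tuple[str, str, str]:
    """Split an IMSI (at most 15 digits) into MCC, MNC and MSIN. The MNC length is
    not encoded in the IMSI itself; it is taken from the serving network's LAI."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_length not in (2, 3):
        raise ValueError("IMSI must be 6..15 digits; MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_length], imsi[3 + mnc_length:]

def redact_imsi(imsi: str, mnc_length: int) -> str:
    """Keep only the public network part for audit logs: the MSIN is what
    identifies the individual subscriber and should not be stored in clear."""
    mcc, mnc, msin = split_imsi(imsi, mnc_length)
    return f"{mcc}-{mnc}-{'*' * len(msin)}"
```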
So we can say that this information is very sensitive to the privacy and security of mobile phone users.

VII. CONCLUSION

In this paper we presented an effective attack that can exploit chronic and fundamental vulnerabilities that exist in the GSM cellular technology. This attack could also have a serious impact on the latest cellular technologies in use, such as UMTS and LTE. We learned about the newly arrived commodity hardware, the RTL-SDR. The RTL-SDR can also be characterized as an IMSI catcher and, when combined with some hardware and software, can build a mechanism for mobile user tracking. It is obvious that an individual equipped with that cheap commodity hardware could compromise GSM subscribers' privacy and perform some serious attacks. So, systems with broadcast paging protocols can leak location information, and the leaks can be observed with the available, low-cost commodity hardware presented in this paper. All these come to exploit the proven vulnerabilities that exist in the GSM network and are related to the exposure of users' personal identities over the radio link. This research has shown that with certain tools, a system can be created to audit GSM. It is proven that the current protocols used in radio and wireless systems may not be as robust and secure as originally thought.