Abstract— The Global System for Mobile Communications (GSM) is the most widely used telecommunication protocol in telecommunication networks, enabling communication around the world through 2G (GSM), 3G (Universal Mobile Telecommunications Service, UMTS) and 4G (Long Term Evolution, LTE) systems. One of the benefits of using GSM technologies is that it allows the telecommunication industry to keep a high portion of its organized database saved. Another benefit is the availability of worldwide roaming and interconnection with any GSM network.
However, the possibility of encountering security risks requires users to be aware and cautious. This paper sheds light on the problems and issues related to the GSM security standard and recommends a structured approach to remedying these security weaknesses in GSM networks.

Keywords— Sniffing GSM, RTL-SDR, GSM Vulnerability, GSM attack, Security, Privacy, Universal Software Radio Peripheral (USRP).
I. INTRODUCTION
The digital growth of different communication methods, such as voice, video and data packets, makes the easy and cost-effective development of radio devices a hard task. Software Defined Radio (SDR), defined as a radio whose functionality is implemented in software, is considered a more effective way of reducing cost and increasing efficiency in solving the communication problems of end users. The problem with traditional hardware-based radio devices is their inability to be modified automatically, which increases costs and creates more complexity. SDR, by contrast, depends on software upgrades that enable multi-mode, multi-band or multi-functional wireless devices, eventually creating a more efficient and cheaper solution than previous options. In order to use this solution, GNU Radio, an open-source software toolkit, needs to be installed [1].
The history of GSM traces back to Bell Laboratories in the early 1970s, where it started from a cell-based mobile radio system. In 1982, the term GSM was used to refer to a standardization group aimed at creating a European mobile telephone standard. GSM is used globally as a standard in the telecommunication field; in 2014 it was recognized as the leading standard, operating in more than 219 countries with a 90% share of the world's market. Because GSM is based on digital technology, it is able to carry data rates of 64 kbps to 120 Mbps [2]. Mobile Network Operators (MNOs) preserve much of their basic data by using GSM even after the continuous changes in mobile technologies. The huge number of subscribers all over the world makes GSM the dominant standard for cellular communications.
However, the old security methods used at the beginning of GSM services are insufficient for creating a secure and private experience for users. In addition, the emergence of fourth generation (4G) cellular technologies did not solve the security issue, because MNOs were unable to cope with the huge increase in the number of subscribers. According to the latest research on GSM users' privacy, mobile data are an easy means of tracking and detecting users, which creates a privacy issue from the users' perspective because carriers are able to detect users' location and show their movements [3]. The starting point for dealing with such security issues is to consider Kali Linux as the most effective penetration-testing platform. Using Kali Linux Rolling, different important tools such as Wireshark for network sniffing can be used to detect security breaches.
The difference between Kali Linux and other distributions, such as Ubuntu or Debian, lies in the kinds of packages installed, which help in testing and measuring penetrations. However, GSM sniffing has no method of detecting penetrations, which leaves the ground open for more research in this matter. Solving such a problem could start by finding a cost-effective SDR, such as the low-cost RTL-SDR [4].

II. SDR
A. Software Defined Radio
Wireless networks that seek to use a modern radio software solution instead of old radio hardware can use SDR technology, a promising approach for creating an efficient radio system in software that can be restructured and reprogrammed and that operates on digital radio signals. The benefit of an SDR solution is its ability to support multiple modules, such as modulation, demodulation, signal generation, coding, link-layer protocols, etc. In comparison to traditional radio, SDR is able to move from one structure to another in an efficient and cost-effective manner.
Another important advantage of SDR is its ability to transform waveform functionality on the fly and to broadcast different channels simultaneously, with the ability to update the software while working. This feature allows software radio to perform as a linking platform between other radio networks. SDR is becoming a very important need for the wireless communication industry as well as for the military and public security sectors. Future expansion of SDR technologies could also be applied to systems used in space exploration [5].

B. GNU Radio Platform
GNU Radio is an open-source software toolkit that helps in designing an SDR. GNU Radio provides software code for different functions such as modulation, demodulation, filtering, encoding, decoding, source coding, channel coding, etc.
Transforming these functions into software helps in adding re-configurability to SDR. For example, in traditional methods, when a modulation pattern needs to be changed, the analog circuitry responsible for it needs to be changed as well. SDR, on the other hand, requires changing only the relevant code instead of the entire analog circuit. Another feature of GNU Radio is the visual user interface provided by GNU Radio Companion (GRC). It is used by connecting signal-processing blocks written in languages such as C++ and Python, where the programmer builds a graph of the signal-processing chain with nodes and edges to show the data flow [6].

C. Universal Software Radio Peripheral
The USRP is simply a device that creates an SDR on any computer that has a USB 2.0 port.
It is a hardware device with the ability to transmit and receive data on different frequencies. The device contains a motherboard that can host four daughter boards, using an FPGA chip to send signals to these small boards, which in their turn use AD/DA converters and an RF front end. The price of the motherboard is 700 dollars and the daughter boards cost 75 dollars each [7].

D. RTL-SDR
The USRP is considered a very important hardware device when it comes to performing real-time communication in SDR. However, the new revolutionary device, the RTL-SDR based on the Realtek RTL2832U and developed by the OsmoSDR project, is changing the scene with its very low price of 20 dollars. Sufficient for the SDR system is the DVB-T (Digital Video Broadcast Terrestrial) dongle, which transfers raw I/Q samples to the host.
The operating frequency range of the RTL-SDR is from 64 to 1700 MHz, with a sample rate of 3.2 MS/s [8].

III. BACKGROUND ON GSM
The following is a short introductory background on GSM as a cellular standard for the purpose of our work here. There are three main intertwined subsystems interacting with users through different interfaces.
The subsystems are:
a) Base Station Subsystem (BSS)
b) Network and Switching Subsystem (NSS)
c) Operation Support Subsystem (OSS)
The Mobile Station (MS) is another subsystem, which is part of the BSS. The supporting tools and services for these subsystems are manufactured within GSM [9].

a) Base Station Subsystem (BSS)
The role of the BSS is to connect mobiles with networks. It contains the Mobile Station (MS), the Base Transceiver Station (BTS), and the Base Station Controller (BSC).
The MS provides the user with an interface for communicating with GSM networks. The Mobile Equipment (ME) and the Subscriber Identity Module (SIM) are also within the BSS. The role of the SIM is to provide the network with the user's information.
The BTS transmits and receives the signals from the MSs and controls the transmission power, modulation, voice coding/decoding and encryption of these signals. The BSC monitors the BTSs, performing setup and handover of radio channels, paging and other control functions.

b) Network and Switching Subsystem (NSS)
The NSS manages the switching functions by locating the MSs and interfacing with other networks.
It consists of the Mobile Switching Center (MSC), the Home Location Register (HLR), the Visitor Location Register (VLR), and the Gateway Mobile Switching Center (GMSC). As the main component of the NSS, the MSC is in charge of the BSCs, directing incoming/outgoing calls as well as controlling the mobility features of the MS terminals. The HLR holds fixed information about the subscriber, such as location information, authorized services, type of terminal, etc. The VLR, on the other hand, is a more dynamic database associated with one MSC that keeps information about terminals operating within that MSC's area. Once an MS registers with the network, the related VLR exchanges the specific parameters with the HLR of the home network. The GMSC is the connecting point that allows other networks to connect with the GSM network [11].
c) Operation Support Subsystem (OSS)
The GSM subsystems are basically managed and maintained by the OSS, which contains the Authentication Center (AuC) and the Equipment Identity Register (EIR). The AuC holds a database that keeps all the information about each subscriber. The International Mobile Subscriber Identity (IMSI), along with the fixed key of every SIM (Ki), is also stored in the AuC. The EIR database stores the list of MSs authenticated by their International Mobile Station Equipment Identity (IMEI), and decides on the authorization, non-authorization or filtering of the MSs.

V. GSM SECURITY
The issue of GSM security is handled from two perspectives: authentication and encryption. While authentication handles unauthorized access by a duplicated MS, encryption deals with unauthorized listening. In order for an MS to be authenticated, a secret key, Ki, is used, which is stored in the AuC and the SIM.
There is no need for the subscriber to know the value of this key. The authentication process starts by generating a 12-bit random number called RAND at the home system of the MS, which is then sent to the MS. Using a specific algorithm, A3, the network (AuC) and the MS (SIM) combine Ki and RAND to generate a signed result (SRES).
The SRES generated by the SIM is sent back to the home system to be compared with the SRES generated by the AuC. The request is rejected if the two values do not match. It is important to note that the SRES and RAND generated by the AuC are sent from the HLR to the visited VLR, so the comparison of the SRES values occurs at the visited VLR. Whether the algorithm A3 of a roaming MS is recognized depends on the GSM service provider, because this recognition may not occur at the visited system [12]. Once the MS has been granted access, algorithm A8 generates an encryption key with Ki and RAND as inputs. Both algorithms A3 and A8 belong to the home system, but A8 generates the encryption key, Kc, which is sent to the visited system. Another algorithm, A5, which is used by all systems in the GSM service, is applied to the TDMA-encoded data bits to encipher and decipher the data transferred between the MS and the visited system [12]. The multiple radio resources have enabled mobile service providers to track the location of users effectively.
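The challenge-response flow just described (RAND from the home AuC, SRES via A3, Kc via A8, comparison at the visited VLR) is modelled below as an added example; it is not code from the paper. The real A3/A8 algorithms are operator-specific and are not reproduced here: `a3a8()` is a constructed stand-in that only preserves their interface (Ki and RAND in, 32-bit SRES and 64-bit Kc out). RAND is modelled as 16 random bytes (128 bits, as in 3GPP TS 43.020), and the IMSI values are constructed test values. The point the model makes visible is the trust boundary: Ki exists only in the SIM and the AuC, the visited VLR sees only the triplet (RAND, SRES, Kc), and a duplicated MS that carries the right IMSI but a guessed Ki is rejected because its SRES does not match.

```python
"""Model of the GSM authentication flow: AuC generates RAND, A3 derives
SRES, A8 derives Kc, the visited VLR compares SRES and keeps only the
triplet.  Added example, not from the paper; a3a8() is a constructed
stand-in for the operator-specific A3/A8 pair.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Constructed stand-in for A3/A8: (Ki, RAND) -> (SRES, Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # SRES: 32 bits, Kc: 64 bits


class AuC:
    """Authentication Centre: the only network element that stores Ki."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}    # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """(RAND, SRES, Kc) for the HLR to forward to a visited VLR.
        Ki itself never leaves the AuC."""
        rand = os.urandom(16)                # 128-bit RAND
        sres, kc = a3a8(self._keys[imsi], rand)
        return rand, sres, kc


class SIM:
    """Subscriber side: Ki is held in the SIM and never disclosed."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8(self._ki, rand)


class VLR:
    """Visited network: holds triplets only, never Ki, and compares SRES."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc

    def authenticate(self, sim: SIM) -> Tuple[bool, Optional[bytes]]:
        try:
            rand, expected_sres, kc = self._auc.triplet(sim.imsi)
        except KeyError:                     # IMSI unknown to the home network
            return False, None
        sres, kc_ms = sim.run_gsm_algorithm(rand)   # RAND is sent to the MS
        if not hmac.compare_digest(sres, expected_sres):
            return False, None               # duplicated MS with a wrong Ki
        assert kc_ms == kc                   # both ends now share Kc for A5
        return True, kc


def demo() -> Dict[str, bool]:
    """Genuine SIM accepted; same-IMSI duplicate with a guessed Ki and an
    unprovisioned IMSI rejected."""
    imsi = "001010123456789"                 # constructed test IMSI
    ki = os.urandom(16)
    auc = AuC()
    auc.provision(imsi, ki)
    vlr = VLR(auc)
    genuine_ok, kc = vlr.authenticate(SIM(imsi, ki))
    clone_ok, _ = vlr.authenticate(SIM(imsi, os.urandom(16)))
    unknown_ok, _ = vlr.authenticate(SIM("001019999999999", ki))
    return {"genuine": genuine_ok, "clone": clone_ok, "unknown": unknown_ok,
            "kc_established": kc is not None and len(kc) == 8}


if __name__ == "__main__":
    print(demo())
```

Because the VLR only ever receives triplets, a visited network can authenticate a roamer without learning Ki; what it cannot do in this model is verify anything about the network side, since only the MS is challenged.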
This results first from a process of identifying the areas to be served and dividing them into smaller geographical units, Location Areas (LA, identified by a LAC), in order to send and receive broadcast messages. A request carrying the TMSIs of users is then identified on the assumption that a specific temporary user ID is recognized and matches the request. However, a broadcast message belongs to one temporary ID, which makes it hard to match the temporary ID with the user's phone number. Both GSM and the mobile network operators have policies and instructions regarding the sending of the IMSI in order to improve security and reduce the possibility of tracking the user's location. However, these policies are subject to violations, as shown by different experiments in which networks used the IMSI to authenticate their users. Reviewing the history of GSM, different kinds of attacks on the standard have been spotted. After reverse engineering was used in 1998 to understand the 3GPP subscriber authentication algorithm, many attempts at attacking the encryption algorithms have been reported [13], [14] and [15].
VI. SNIFFING GSM TRAFFIC
In this section we describe our scenario and the tools needed to perform and implement the attack.

VI.1 Tools
We now briefly describe the set of tools used to perform the attack:
Kali Linux OS (2017.3, 64-bit): Kali Linux is a Debian-derived Linux distribution used in digital investigations and penetration testing.
Offensive Security Ltd funds and supports the project. The main developers are Mati Aharoni, Devon Kearns and Raphaël Hertzog.
Wireshark: The Wireshark analysis tool, previously known as Ethereal, detects breaches and translates them into an understandable format. Its core function is to analyze meticulous details of network protocols, encryption, packet information, etc. It runs on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems.
It also displays information via a GUI or, in TTY mode, through the TShark utility.
Airprobe: Airprobe is a GSM air-interface analysis tool [16].
Kalibrate (kal): An open-source software project used to scan the GSM frequencies of the base stations in the vicinity, capable of determining the local oscillator frequency offset [17].
GNU Radio: An open-source toolkit that offers real-time signal processing as well as the possibility to implement different radio technologies.
RTL-SDR Dongle: The RTL-SDR is commodity hardware that is considered a wideband software defined radio (SDR) scanner.
It can be used with a DVB-T TV tuner dongle. The RTL-SDR is a very broadband (60 MHz to 1700 MHz) product and is used for different purposes, including as a receiving "antenna" for TV broadcasts.

VI.2 Implementation
In order to implement the sniffing tools with the RTL-SDR, we have to install the kalibrate utility, which helps in recognizing the existing GSM channels. Kalibrate-RTL (kal) is a Linux program used to scan for GSM BTSs in a given frequency band.

System Information Messages
The analysis process starts from System Information messages, which typically carry the information needed by the MS to connect with the network. There are different types of these messages, each carrying a different kind of information, as displayed here.
Type 1: Channel type = BCCH. Contains a list of ARFCNs (Absolute Radio Frequency Channel Numbers) of the cell and RACH control parameters.
Type 2: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) and the BCCH frequency list.
Type 3: Channel type = BCCH. Contains the cell identity (cell ID) code, decoded; the Location Area Identity (LAI), which comprises the Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area Code (LAC); and some GPRS information.
Type 4: Channel type = BCCH. Contains the LAI (MCC+MNC+LAC), decoded; cell selection parameters; RACH control parameters; and some GPRS information.
Type 2ter: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) with the extended BCCH frequency list.
Type 2quater: Channel type = BCCH. A 3G message with information that we do not take into account in this study.
Contains the 3G neighbor cell description.
Type 13: Channel type = BCCH. Contains all the important information about GPRS, such as GPRS cell options and GPRS power control parameters.

Paging Request Messages
Type 1: Channel type = CCCH. Contains: Mobile Identity 1 = IMSI; Page Mode = normal paging (P1); Channel Needed. Or contains: Mobile Identity 1 and 2 = TMSI/P-TMSI; Page Mode = normal paging (0); Channel Needed.
Type 2: Channel type = CCCH. Contains: Mobile Identity 1, 2 = TMSI/P-TMSI or IMSI; Mobile Identity 3; Page Mode = normal paging (0); Channel Needed.
Type 3: Channel type = CCCH. Contains: Mobile Identity 1, 2, 3 and 4 = TMSI/P-TMSI (not decoded); Page Mode = normal paging (0); Channel Needed.

Immediate Assignment Message
Channel type = CCCH. Contains: Timing Advance value; Packet Channel Description (time slot); Page Mode = extended paging (1).

The IMSI is the authentic identification of the user; it contains the country of origin and the mobile network to which the user subscribed. Each mobile network has its own identification as well. The IMSI is generally used by all GSM networks to identify users. The number representing the IMSI can be 15 digits or shorter; it consists of the mobile country code in the first three digits and the mobile network code in the remaining digits.
The SIM also holds the IMSI number. Network operators usually use the IMSI to authenticate users and give them permission to use another operator's network. However, the IMSI helps in tracking not only the subscriber, but also the identity of the call receiver and the time and location of the call.
A Public Land Mobile Network (PLMN) divides its coverage into sub-areas. Each of these areas is uniquely identified by a Location Area Identity (LAI), which is used globally to update the locations of mobile subscribers. This identifier consists of a three-decimal-digit mobile country code (MCC), a two- to three-digit mobile network code (MNC) that helps in identifying the Subscriber Module Public Land Mobile Network (SM PLMN), and a location area code (LAC), a 16-bit number that lets one GSM PLMN operate 65536 location areas at once. The broadcast control channel (BCCH) is responsible for broadcasting the LAI on a regular basis. A mobile station, such as a cell phone, then reads the LAI and saves it in the SIM. As the mobile station moves, the LAI changes and a location update is sent so that the mobile provider recognizes the new LAI and can route incoming calls. Therefore, this kind of data is highly critical to the privacy and security of the user.
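The identifiers listed in the System Information and Paging Request messages above (LAI = MCC + MNC + LAC; Mobile Identity = IMSI or TMSI) and described in the two paragraphs on the IMSI and the LAI are decoded below from their wire encodings, as an added example that is not code from the paper. The layouts follow 3GPP TS 24.008 (10.5.1.3 Location Area Identification, 10.5.1.4 Mobile Identity) and TS 44.018 9.1.22 (Paging Request Type 1, with Mobile Identity 2 carried under IEI 0x17). The audit function counts how often a sequence of Paging Request Type 1 messages pages by IMSI rather than TMSI, which is the check an operator or auditor would run to see whether the permanent identity is being exposed over the radio link. Every byte string is constructed for illustration, not captured from a real network.

```python
"""Decode the LAI and Mobile Identity encodings carried by GSM System
Information and Paging Request messages, and audit paging for IMSI use.
Added example, not from the paper.  All sample bytes are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List

ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
PAGE_MODES = {0: "normal", 1: "extended", 2: "reorganisation", 3: "same as before"}


def decode_lai(lai: bytes) -> Dict[str, object]:
    """5 octets: MCC digits 2|1, MNC digit 3|MCC digit 3, MNC digits 2|1,
    LAC (16 bits, MSB first).  0xF in the MNC digit 3 nibble = 2-digit MNC."""
    if len(lai) != 5:
        raise ValueError("LAI must be exactly 5 octets")
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if lai[1] >> 4 != 0xF:
        mnc += str(lai[1] >> 4)
    lac = (lai[3] << 8) | lai[4]
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def decode_mobile_identity(value: bytes) -> Dict[str, str]:
    """Value part of a Mobile Identity IE (length octet already consumed).
    Octet 1: digit 1 | odd/even bit | type; then BCD digit pairs, low
    nibble first, with a 0xF filler when the digit count is even.
    For a TMSI the first nibble is 0xF and 4 octets of TMSI follow."""
    if not value:
        return {"type": "none"}
    id_type = ID_TYPES.get(value[0] & 0x7, "reserved")
    if id_type == "TMSI":
        return {"type": "TMSI", "value": value[1:5].hex()}
    digits: List[int] = [value[0] >> 4]
    for octet in value[1:]:
        digits.extend((octet & 0xF, octet >> 4))
    if not (value[0] >> 3) & 1:      # even digit count: drop the filler
        digits.pop()
    return {"type": id_type, "value": "".join(str(d) for d in digits)}


def parse_paging_request_type1(frame: bytes) -> Dict[str, object]:
    """L3 RR message: PD 0x06, type 0x21, page mode/channel needed octet,
    Mobile Identity 1 (LV) and optional Mobile Identity 2 (TLV, IEI 0x17)."""
    if len(frame) < 4 or frame[0] & 0x0F != 0x06 or frame[1] != 0x21:
        raise ValueError("not a Paging Request Type 1")
    identities = []
    pos = 3
    length = frame[pos]
    identities.append(decode_mobile_identity(frame[pos + 1:pos + 1 + length]))
    pos += 1 + length
    if pos < len(frame) and frame[pos] == 0x17:
        length = frame[pos + 1]
        identities.append(decode_mobile_identity(frame[pos + 2:pos + 2 + length]))
    return {"page_mode": PAGE_MODES[frame[2] & 0x3], "identities": identities}


def audit_paging(frames: Iterable[bytes]) -> Dict[str, object]:
    """Count IMSI versus TMSI pages.  A high IMSI share means the network
    broadcasts the permanent identity instead of the temporary one."""
    counts: Counter = Counter()
    for frame in frames:
        for ident in parse_paging_request_type1(frame)["identities"]:
            counts[ident["type"]] += 1
    total = counts["IMSI"] + counts["TMSI"]
    return {"imsi": counts["IMSI"], "tmsi": counts["TMSI"],
            "imsi_share": counts["IMSI"] / total if total else 0.0}


# Constructed sample data (not real captures).
SAMPLE_LAI = bytes([0x00, 0xF1, 0x10, 0x12, 0x34])            # MCC 001, MNC 01, LAC 0x1234
IMSI_IE = bytes([0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98])   # IMSI 001010123456789
PAGE_BY_IMSI = bytes([0x06, 0x21, 0x00, len(IMSI_IE)]) + IMSI_IE
PAGE_BY_TMSI = bytes([0x06, 0x21, 0x00, 0x05, 0xF4, 0x12, 0x34, 0x56, 0x78])
PAGE_BOTH = PAGE_BY_IMSI + bytes([0x17, 0x05, 0xF4, 0xDE, 0xAD, 0xBE, 0xEF])
SAMPLE_FRAMES = [PAGE_BY_IMSI, PAGE_BY_TMSI, PAGE_BOTH]

if __name__ == "__main__":
    print(decode_lai(SAMPLE_LAI))
    print(parse_paging_request_type1(PAGE_BOTH))
    print(audit_paging(SAMPLE_FRAMES))
```

Fed with the three constructed frames, the audit reports two IMSI pages and two TMSI pages. On a real trace the `imsi_share` value is what matters: the closer it is to zero, the better the network is following the policy of paging by temporary identity that the previous paragraphs describe.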
VII. CONCLUSION
This paper aimed at exploring issues related to possible attacks on the basic vulnerabilities that exist in GSM cellular technology. Such attacks could have a serious impact on the use of the latest technologies such as UMTS and LTE.
The new commodity hardware, the RTL-SDR, has been explained above, along with its role as an IMSI catcher when combined with some hardware and software to create a mechanism for tracking mobile users. It is obvious that an individual equipped with such cheap commodity hardware could compromise GSM subscribers' privacy and perform some serious attacks.
Therefore, systems with a broadcast paging protocol can leak information that can be monitored and controlled using the available low-cost commodity hardware presented in this paper. These results are explicit proof of the vulnerabilities of the GSM network and directly endanger the user's personal identity when it is shared over the radio link. This paper has shown that the current protocols used in radio and wireless systems may not be as robust and secure as originally thought, and has recommended as a solution that, with the appropriate tools, a system can be created to audit GSM.