Abstract— Global System for Mobile communications GSM) is most
used as a telecommunication protocol in telecommunication netorks to enable
accessing communication around the world utilizing 2G (GSM), 3G (Universal
Mobile Telecommunications Service-UMTS) and 4G (Long Term Evolution-LTE)
systems. However, one of the benefits of using GSM technologies is that it
allows telecommunication industry to keep a high portion of their organized
database saved. Another benefit is the availability of worldwide roaming and
interconnection with any GSM network. However, the possibility of encountering
security risks requires from users to be aware and cautious. This paper sopts
the light on problems and issues related to GSM security standard and
recommends a structured approach to modify these security weaknesses in GSM
Keywords— Sniffing GSM, RTL-SDR,
GSM attack, Security, Privacy, Universal
Software Radio Peripheral (USRP).
The digital growth of defferent communication methods,
such as using voice, video, data packets etc., makes an easy and cost effective
development of radio devices a hard task. SDR (Software Defined Radio), which
is defined as a radio of automated functionality, is considered a more
effective method of reducing cost and is increase efficiency in solving issues
of drive communication related to end users.
The problem with the Traditional Hardware based radio
devices is with their unability to modify automatically, which increases costs
and creates more complexity. However, SDR depends on Software upgrades that
enable multi-mode, multi-band or multi-funtional wireless devices to be
processed and, eventually, creating a more efficient and cheaper solution that
previous options. In order to use this solution, GNU; an open source software
tool kit, need to be installed 1.
The history of GSM is traced back to Bell Laboratories in
the early 1970s, which started from a cell-based mobile radio system. In 1982,
the concept GSM is used to refer to a standardization group aimed at creating a
European mobile telephone standard. In fact, GSM is used globally as a standard
in telecommunication field, which in 2014 was recognized as the best genuine
standard that operates in more than 219 countries with a share of 90% of the
world’s market. Because GSM is based on digital technology, it is able to carry
64 kbps to 120 Mbps of data rates 2.
Mobile Network Operators (MNOs) preserve
much of their basic data by using GSM even after the continuous changes in
mobile technologies. The huge number of subscribers all over the world make GSM
the dominant standard for cellular communications. However, the old methods of
security used at the beginning of GSM services are insufficient in creating a
secure and private experience for users. In addition, the emergence of fourth
generation (4G) cellular technologies did not solve the security issue due to
the inability of MNOs compatibility to cope with the huge increase in numbers
of subscribers. According to latest research about GSM users’ privacy, mobile
data are an easy method to track and detect users, which creates a privacy issue
from users’ perspectives because of the ability of carriers to detect users’
location and show their movements 3.
The starting point of dealing with such
security issues is to consider Kali Linux as the most effective
penetration-testing operator. By using Kali-Linux Rolling, different important
tools such as Wireshark for network sniffing could be used to detect security
preaches. The difference between Kali-Linux and other tools, such as Ubuntu or Delian, is related to kinds
of packages installed that help in testing and measuring penetrations. However,
GSM sniffing has no method to detect penetrations, which makes the ground is
open for more research in this matter. Solving such a problem could start by
finding a cost effective SDR, such as the low—cost RTL-SDR 4.
Software Defined RADIO:
Wireless networks that seek to use more
modern radio software solution instead of the old radio hardware could use SDR
technology as a promising one in creating an efficient radio system software
that could be restructured, reprogrammed and utilizes software on digital radio
signals. The benefit of SDR solution is its ability to support multiple
modules, such as modulation, demodulation, signal generation, coding, link
layer protocols etc. In comparison to traditional radio, SDR has the ability to
move from one structure into another in an efficient and cost effective manner.
Another important advantage of SDR solution is its ability to transform
waveform functionality on-the-fly and broadcasting different channels
simultaneously with the ability to update the software while working.
Therefore, this feature allows Software Radio to perform as a linking platform
between other radio networks. SDR is becoming a very important need to wireless
communication industry as well as to military and public security sectors.
Future expansion in SDR technologies could also be applied to systems used in
space exploration 5.
GNU Radio Platform
GNU Radio Platform is an open source
software toolkit that help in designing an SDR. GUN provides software codes for
different functions such as modulation, demodulation, filtering, encoding,
decoding, Source coding, channel coding etc. Transforming these functions to
software features helps in adding the re-configurability feature to SDR. For
example, in traditional methods, when a modulation pattern need to be changed,
the analog circuitry responsible for it need to be changed as well. On the
other hand, SDR has the feature of changing the needed code only instead of
changing the entire analog. Another feature of GNU Radio is the visual user
interface provided with GNU Radio Companion (GRC). Using this feature is done
by connecting signal processing codes in languages such as C++ and Python,
where the programmer can add graphs to the primary processing signal with nodes
and edges to show the data flow 6.
Universal Software Radio
USDP is simply a device to create an SDR
on any computer that has an USB 2.0 port. It is a hardware device with the
ability to transmit and receive data on different frequencies. The device
contains a motherboard that can provide four other daughter boards by using an
FPGA chip to send signals to these small boards, which in there turn use AD/DA
converter and RF front end. The price of the motherboard is 700 dollars and the
daughter boards cost 75 dollars each 7.
USRP (Universal Software Radio
Peripheral) is considered a very important hardware device when it comes to
performing real-time communication in SDR. However, the new revolutionary
device, RTL-SDR Realtek RTL2832U, designed by OSMO SDR is changing the scene
with its cheapest price, 20 dollars. Sufficient to the SDR system is the DVBT (Digital
Video Broadcast Terrestrial) dongle that helps in the transmission of raw I/Q
samples to the host. The operating frequency range of RTL-SDR is from 64 to
1700 MHz, with sample rate of 3.2MS/s 8.
III. BACKGROUND ON GSM
The following is a short introductory
background to the GSM as a cellular standard for the purpose of our work here.
There are three main intertwined subsystems interacting with users through
The subsystems are:-
a) Base Station Subsystem (BSS)
b) Network and Switching Subsystem
c) Operation Support Subsystem
Station (MS) is another subsystem, which is part of the BSS. The supporting
tools and services for these subsystems are manufactured withn GSM 9.
Base Station Subsystem (BSS)
of the BSS is to connect mobiles with networks. It contains the Mobile
Station (MS), the Base Transceiver Station (BTS), and the Base Station
Controller (BSC). Providing the user with an interface of communication with
GSM networks is done by the MS. The mobile equipment (ME) the Subscriber
Identity Module (SIM) are also within the BSS. The role of the SIM is to
provide the network with the user’s information. The signals from the MSs and
controls the transmission power, modulation, voice coding/decoding and
encryption of these signals is transmitted and received from the BTS. The BTSs
set and handover, radio channels, paging and other control functions are
monitored by the BSC.
Network and Switching Subsystem
manages the switching functions by spotting the MSs and other networks. It
consists of the Mobile Switching Center (MSC), the Home Location Register
(HLR), the Visitor Location Register (VLR), and the Gateway Mobile Switching
Center (GMSC). As the main component of the NSS, the MSC is in charge of BSCs
in directing incoming/outgoing calls as well as controlling the mobility
features of the terminals of the MSs. The HLR consists of fixed information
about the subscriber, such as location information, authorized services, type
of terminal, etc. On the other hand, the VLR is a more active database connected
with one MSC to keep information about terminals operating within the MSC. Once
an MS registers with the network, the related VLR connects between the specific
parameters and the HLR of the home network. The GMSC is defined as the
connecting point that allows other networks to connect with the GSM network
c) Operation Support Subsystem (OSS)
subsystems are managed and maintained basiclly by the OSS controls, which
contains the Authentication Center (AuC) and the Equipment Identity Register
(EIR). In the AuC, we find a database that keeps every information about each
subscriber. The International Mobile Subscriber Identity (IMSI), along
with other fixed keys of every SIM (Ki), is also stored and saved in the AuC.
The authenticated list of the MSs by responsible International Mobile Station
Equipment Identity (IMEI) is stored in the EIR database, which decides the
authorization or unauthorization or the filtering of the MSs.
V: GSM SECURITY
The issue of GSM
security is handled from two perspectives; authentication and encryption. While
authentication handles the unauthorized access of duplicated MS, encryption
deals with unauthorized listening.
In order to for an MS to be
authenticated, a secret key, Ki, is used, which is saved in the AuC and the
SIM. There is no need for the subscriber to know the value of this key. The
authentication process starts by generating a 12-bit random number called RAND
at the original system of the MS before sending it. Based on a specific
algorithm, A3, the network (AuC) and the MS SIM) combine Ki and RAND to
generate a signed result (SRES). This generated SRES is sent back to the
original system to be compared with the other generated SRES by the AuC. The
request then is rejected if these two numbers do not match. It is important to
know that sending the SRES and RAND generated by the AuC from HLR to the
visited VLR, comparing the SRES numbers is occur at the visited VLR.
Recognizing the algorithm A3 of a roaming MS depends on the GSM service
provider because this recognition may not occur at the visited system 12.
Once there is an access for the MS,
algorithm A8 generates an encryption key with Ki and RAND as inputs. Both
algorithms A3 and A8 are related to the home system, but A8 generates the
encryption key, Kc, which is sent to the visited system. Another algorithm, A5,
which is used by all systems in the process of GSM service, is utilized by both
the TDMA encoded in the data-bit to cipher and decipher the data transferred
between the MS and the visited system 12.
The multiple radio resources helped
mobile services providers to be able to track the location of users in an
effective way. This result comes first from a process of recognizing the areas
to be served and dividing them into smaller geographical location, such as
Location Areas (LA, LAC), in order to send and receive the broadcast message.
The request that has the TMSIs of users is then identified based on the
assumption that a specific temporary user’s ID is recognized and matches the
request. However, the broadcasted message belongs to one temporary ID, which
makes it hard to match the temporary ID with the user’s phone number.
Both the GSM and mobile network
operators have policies and instructions regarding sending IMSI in order to
have more security and reduce the possibility of tracking the user’s location.
However, these policies are subject to violations based on different
experiments that showed networks using IMSI as an authentication to their users
By reviewing the history of GSM,
different kinds of attacks to the standards have been spotted. After the
reverse engineering technologies have been used in 1998 to understand the 3GPP
subscriber authentication algorithm, many attempts of attacking the encryption
algorithms have been found 13, 14 and 15.
VI. SNIFFING GSM
In this section, we
describe our scenario, the tools needed to perform and implement the attack.
We now briefly
describe the set of tools used to perform the attack:
Kali Linux OS (2017.3,
Kali Linux is a
Debian-derived Linux distribution used in digital investigations and
penetration testing. Offensive Security Ltd funds and supports the project. The
main developers are Mati Aharoni, Devon Kearns and Raphaël Hertzog.
Wireshark analysis tool, previously known
as Ethereal, detect preaches and translate them into an understandable format.
The core function of this network is to analyze meticulous details about the
network protocols, encryption and packet information, etc. this network is used
by Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. It
also display information via a GUI or the TTY mode TShark Utility.
Airprobe is a GSM
air interface analysis tool 16.
It is an
open-source software project used to scan the GSM frequencies of the base
stations in the vicinity and capable of determining the local oscillator
frequency offset 17.
It is an
open-source toolkit that offers real-time signal processing as well as the
possibility to implement different radio technologies.
RTL-SDR is a
special commodity hardware that is considered to be a wideband software defined
radio (SDR) scanner. RTL can be used with a DVB-T TV Tuner dongle. RTL-SDR is a
very broadband (60MHz to 1700MHz) product and is used for different purposes.
RTL can be used as a telecommunication “antenna” for TV broadcasting.
In order to implement the sniffing tools,
with RTL-SDR we have to install kalibrate utility, which help to recognize the
existing GSM channels in this matter. Kalibrate-RTL or kal is a Linux program
used to scan for GSM BTSs in a given frequency band.
The analysis process starts from System
Information messages, which typically carry the needed information by MS to
connect with the network. There are different types of these messages with
different kind of information for each as displayed here.
Type 1: Channel type =
BCCH: Contains a list of ARFCN (Absolute Radio Frequency Channel Number) s of
the cell and RACH control parameters.
Type 2: Channel type =
BCCH: Contains neighbor cell description (list of ARFCNs of the cell) and BCCH
Type 3: Channel type =
BCCH: Contains cell identity (cell ID) code decoded, Location Area Identity-LAI
(which involves Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area
Code (LAC)) and some GPRS information.
Type 4: Channel type =
BCCH: Contains LAI (MCC+MNC+LAC) decoded, Cell selection parameters and RACH
control parameters. Some GPRS information too.
Type 2ter: Channel type =
BCCH: Contains neighbor cell description (list of ARFCNs of the cell) with
Extended BCCH frequency list.
Type 2quater: Channel type =
BCCH: Is 3G message with information that we don’t take into account in this
study. Contains 3G-neighbor cell description.
Type 13: Channel type =
BCCH: They contain all the important information about GPRS like GPRS Cell
options and GPRS power control parameters.
Type 1: Channel type = CCCH
Contains: Mobile Identity 1
Page Mode = normal paging (P1)
Contains: Mobile Identity 1 and
2 = TMSI/P-TMSI
Page Mode = normal paging (0)
Type 2: Channel type = CCCH
Contains: Mobile Identity 1, 2
= TMSI/P-TMSI or IMSI Mobile Identity 3
Page Mode = normal paging (0)
Type 3: Channel type = CCCH
Contains: Mobile Identity 1, 2,
3 and 4 = TMSI/P-TMSI (Not decoded)
Page Mode = normal paging (0)
Channel type = CCCH
Contains: Time Advance Value
Packet Channel Description
Page Mode = Extended Paging (1)
IMSI is the authentic identification of
the user that contains the origin country and mobile network that the user
subscribed from. Each mobile network has its different identification as well.
IMSI is generally used by all GSM networks to identify users. The length of the
number that represents the IMSI could be 15 digits or shorter, which consists
of the mobile country code in the first three digits and the mobile network
code as the rest of the number. The SIM also has information about the IMSI
number. The network operators usually use IMSI to authenticate users and give
them the permission to use another operator. However, the IMSI helps in
tracking, not only the subscriber, but also the identity of the call receiver
and time and location of the call.
Public land mobile network (PLMN) divides
areas into other subareas. There is a unique method of identification for each
of these areas by a location area identity (LAI), which is used globally to
update locations of mobile subscribers. This identifier consist of a three
decimal digits mobile country code (MCC), a two to three digit mobile network
code (MNC) to help in identifying a Subscriber Module Public Land Mobile
Network (SM PLMN) and a location area code (LAC), which is in total a 16 bit
number that makes one GSM PLMN operates 65536 locations at once.
A broadcast control channel (BCCH) is
responsible for broadcasting the LAI in a regular basis. Then, a mobile
station, such as a cell phone, identifies the LAI and saves it in the SIM. With
the movement of this mobile station, the LAI changes and a location update is
sent in order for the mobile provider to recognize the ne LAI and to help the
mobile provider to send the incoming calls as well. Therefore, these kind of
data are highly critical and important to the privacy and security of the
This paper aimed exploring issues related
to the possible attacks on the basic vulnerabilities that exist in the GSM
cellular technology. Such attacks could leave serious impact on using latest
technologies such as UMTS and LTE. New commodity hardware, RTL-SDR. RTL-SDR,
have been explained above and its role as an IMSI catcher when combined with
some hardware and software to create a mechanism of mobile user tracking. It is
obvious that an individual equipped with that cheap commodity hardware could
compromise the GSM subscribers’ privacy and perform some serious attacks.
Therefore, systems with broadcast paging protocol can cause a leak of
information, which could be monitored and controlled using available and low
cost commodity hardware presented in this paper. These results are an explicit
proof of the vulnerabilities of the GSM network and endanger directly the
user’s personal identity when shared over the radio link. This paper has shown the
current protocols used in radio and wireless systems may not be as robust and
secure as originally thought and recommended for a solution with the
appropriate certain tools, a system can be created to audit GSM.