7/27/2019 Pres Thesis
http://slidepdf.com/reader/full/pres-thesis 1/54
CATCHING AND UNDERSTANDING GSM
SIGNALS
Master Thesis
Fabian van den Broek
Radboud University Nijmegen
30 March 2010
Some Numbers
• $ 600 Billion
• 90% of population has coverage
• 4.1 billion mobile users
But has GSM been properly tested?
Cellular technology
GSM system overview
The Um interface
Software Defined Radio
Software Defined Radio
• USRP
• Gnu Radio
• Air Probe
Have these new SDR products made GSM less secure?
and then....
The Um interface
Frequency band (GSM900)
Frequency band (II)
Frequency band (III)
Frequency division
Combined uplink and downlink frequency
Numbered with ARFCNs
Frequency division
GSM messages
49 06 1b 32 22 02 f4 80 - 11 7f d8 04 28 15 65 04 - a9 00 00 1c 13 2b 2b
55 06 19 00 00 00 00 20 - 00 10 10 00 00 00 00 00 - 01 00 00 a9 00 00 2b
KPN system information
1: 49 06 1b 32 22 02 f4 80 - 11 7f d8 04 28 15 65 04 - a9 00 00 1c 13 2b 2b
 0: 49 010010--  Pseudo Length: 18
 1: 06 0-------  Direction: From originating site
 1: 06 -000----  0 Transaction ID
 1: 06 ----0110  Radio Resouce Management
 2: 1b 00011011  RRsystemInfo3
 3: 32 12834 [0x3222]  Cell identity
 5: 02 204  Mobile Country Code (Netherlands)
 6: f4 08f  Mobile Network Code (KPN Telecom B.V.)
 8: 11 4479 [0x117f]  Local Area Code
10: d8 1-------  Spare bit (should be 0)
10: d8 -1------  MSs in the cell shall apply IMSI attach/detach procedure
10: d8 --011---  Number of blocks: 3
10: d8 -----000  1 basic physical channel for CCCH, not combined with SDCCHs
11: 04 00000---  spare bits (should be 0)
11: 04 -----100  6 multiframes period for paging request
12: 28 00101000  T3212 TimeOut value: 40
13: 15 0-------  spare bit (should be 0)
13: 15 -0------  Power control indicator is not set
13: 15 --01----  MSs shall use uplink DTX
13: 15 ----0101  Radio Link Timeout: 24
14: 65 011-----  Cell Reselect Hyst.: 6 db RXLEV
14: 65 ---xxxxx  Max Tx power level: 5
15: 04 0-------  No additional cells in SysInfo 7-8
15: 04 -0------  New establishm cause: not supported
15: 04 --xxxxxx  RXLEV Access Min permitted = -110 + 4dB
16: a9 10------  Max. of retransmiss: 4
16: a9 --1010--  slots to spread TX: 14
16: a9 ------0-  The cell is barred: no
16: a9 -------1  Cell reestabl.i.cell: not allowed
17: 00 -----0--  Emergency call EC 10: allowed
17: 00 00000---  Acc ctrl cl 11-15: 0 = permitted, 1 = forbidden
17: 00 ------00  Acc ctrl cl 8-9: 0 = permitted, 1 = forbidden
17: 00 -------0  Ordinary subscribers (8)
2: 55 06 19 00 00 00 00 20 - 00 10 10 00 00 00 00 00 - 01 00 00 a9 00 00 2b
 0: 55 010101--  Pseudo Length: 21
 1: 06 0-------  Direction: From originating site
 1: 06 -000----  0 Transaction ID
 1: 06 ----0110  Radio Resouce Management
 2: 19 00011001  RRsystemInfo1
 3: 00 00------  Bitmap 0 format
 7: 20 --1-----  Cell Allocation: ARFCN 94
 9: 10 ---1----  Cell Allocation: ARFCN 77
10: 10 ---1----  Cell Allocation: ARFCN 69
16: 01 -------1  Cell Allocation: ARFCN 17
19: a9 10------  Max. of retransmiss: 4
19: a9 --1010--  slots to spread TX: 14
19: a9 ------0-  The cell is barred: no
19: a9 -------1  Cell reestabl.i.cell: not allowed
20: 00 -----0--  Emergency call EC 10: allowed
20: 00 00000---  Acc ctrl cl 11-15: 0 = permitted, 1 = forbidden
20: 00 ------00  Acc ctrl cl 8-9: 0 = permitted, 1 = forbidden
20: 00 -------0  Ordinary subscribers (8)
20: 00 ------0-  Ordinary subscribers (9)
20: 00 -----0--  Emergency call (10): Everyone
20: 00 ----0---  Operator Specific (11)
20: 00 ---0----  Security service (12)
20: 00 --0-----  Public service (13)
20: 00 -0------  Emergency service (14)
20: 00 0-------  Network Operator (15)
21: 00 00000000  Acc ctrl cl 0-7: 0 = permitted, 1 = forbidden
21: 00 00000000  Ordinary subscribers (0-7)
KPN system information
[0x3222] Cell identity
Mobile Country Code (Netherlands)
Mobile Network Code (KPN Telecom B.V.)
[0x117f] Local Area Code
Cell Allocation: ARFCN 94
Cell Allocation: ARFCN 77
Cell Allocation: ARFCN 69
Cell Allocation: ARFCN 17
The KPN cell
No Frequency hopping
Frequency hopping (I)
Frequency hopping (II)
Immediate Assignment
31 06 3f 00 52 f0 ab 85 - ad e0 01 01 0f 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b
 0: 31 001100--  Pseudo Length: 12
 1: 06 0-------  Direction: From originating site
 1: 06 -000----  0 Transaction ID
 1: 06 ----0110  Radio Resouce Management
 2: 3f 0-111111  RRimmediateAssignment
 2: 3f -x------  Send sequence number: 0
 3: 00 ------00  Page Mode: Normal paging
 3: 00 -0------  No meaning
 3: 00 --0-----  Downlink assign to MS: No meaning
 3: 00 ---0----  This message assigns a dedicated mode resource
 4: 52 -----010  Timeslot number: 2
 4: 52 01010---  Chan. Descript.: SDCCH/8 + SACCH/C8 or CBCH (SDCCH/8)
 5: f0 111-----  Training seq. code: 7
 5: f0 ---1----  Hopping Channel
 6: ab ........  Mobile Allocation Index Offset (MAIO) 2
 6: ab --101011  Hopping Seq. Number: 43
 7: 85 100-----  Establishing Cause: Answer to paging
 7: 85 ---xxxxx  Random Reference: 5
 8: ad xxxxxxxx  T1/T2/T3
 9: e0 xxxxxxxx  T1/T2/T3
10: 01 --xxxxxx  Timing advance value: 1
11: 01 00000001  Length of Mobile Allocation: 1
12: 0f ----1---  Mobile Allocation ARFCN #4
12: 0f -----1--  Mobile Allocation ARFCN #3
12: 0f ------1-  Mobile Allocation ARFCN #2
12: 0f -------1  Mobile Allocation ARFCN #1
Hopping Channel
Mobile Allocation Index Offset (MAIO) 2
Hopping Seq. Number: 43
Mobile Allocation ARFCN #4
Mobile Allocation ARFCN #3
Mobile Allocation ARFCN #2
Mobile Allocation ARFCN #1
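The decodes above come from gsmdecode; as an added example that is not part of the thesis or of that tool, the following Python parses the same three 23-octet messages (octets copied from the slides) far enough to recover the cell identity from SI3, the cell allocation from SI1's bitmap 0, and the hopping channel from the Immediate Assignment, resolving its Mobile Allocation bits against the cell allocation. Field layouts follow GSM 04.08; the function names and dict keys are this example's own.

```python
# Added example (not from the thesis or gsmdecode): decode the KPN cell's
# SI3, SI1 and Immediate Assignment octets as shown on the slides.
SI3 = bytes.fromhex("49 06 1b 32 22 02 f4 80 11 7f d8 04 28 15 65 04 a9 00 00 1c 13 2b 2b")
SI1 = bytes.fromhex("55 06 19 00 00 00 00 20 00 10 10 00 00 00 00 00 01 00 00 a9 00 00 2b")
IA = bytes.fromhex("31 06 3f 00 52 f0 ab 85 ad e0 01 01 0f 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b")

def decode_si3(si3):
    """Cell identity (octets 3-4), LAI (5-9): MCC/MNC as swapped BCD digits, LAC big-endian."""
    assert si3[2] == 0x1b, "not a System Information Type 3"
    ci = int.from_bytes(si3[3:5], "big")
    b5, b6, b7 = si3[5], si3[6], si3[7]
    mcc = f"{b5 & 0xf}{b5 >> 4}{b6 & 0xf}"
    # the third MNC digit lives in the high nibble of octet 6 and is 0xf when unused
    mnc = f"{b7 & 0xf}{b7 >> 4}" + ("" if b6 >> 4 == 0xf else f"{b6 >> 4}")
    lac = int.from_bytes(si3[8:10], "big")
    return {"cell_id": ci, "mcc": mcc, "mnc": mnc, "lac": lac}

def cell_allocation(si1):
    """SI1 Cell Channel Description, bitmap 0: octets 3..18 carry one bit per ARFCN 1..124,
    ARFCN 1 in the LSB of the last octet. Returns the ARFCNs in ascending order."""
    assert si1[2] == 0x19, "not a System Information Type 1"
    bitmap = si1[3:19]
    assert bitmap[0] >> 6 == 0, "only bitmap 0 format is handled here"
    return [n for n in range(1, 125)
            if (bitmap[15 - (n - 1) // 8] >> ((n - 1) % 8)) & 1]

def decode_immediate_assignment(ia, cell_alloc):
    """Channel Description (octets 4-6); for a hopping channel also MAIO/HSN and the Mobile
    Allocation bitmap (octets 11..), whose bit i selects the i-th lowest cell-allocation ARFCN."""
    assert ia[2] == 0x3f, "not an Immediate Assignment"
    info = {"channel_type": ia[4] >> 3, "timeslot": ia[4] & 0x7, "tsc": ia[5] >> 5,
            "hopping": bool((ia[5] >> 4) & 1), "timing_advance": ia[10] & 0x3f}
    if info["hopping"]:
        info["maio"] = ((ia[5] & 0xf) << 2) | (ia[6] >> 6)
        info["hsn"] = ia[6] & 0x3f
        n = ia[11]                      # Mobile Allocation length in octets
        ma = ia[12:12 + n]
        used = [i for i in range(1, 8 * n + 1)
                if (ma[n - 1 - (i - 1) // 8] >> ((i - 1) % 8)) & 1]
        info["mobile_allocation"] = [cell_alloc[i - 1] for i in used]
    else:                               # fixed ARFCN: 2 high bits in octet 5, low 8 in octet 6
        info["arfcn"] = ((ia[5] & 0x3) << 8) | ia[6]
    return info

if __name__ == "__main__":
    print(decode_si3(SI3))
    alloc = cell_allocation(SI1)
    print(alloc, decode_immediate_assignment(IA, alloc))
```

Run as a script it prints the cell identity, the four-ARFCN cell allocation and the assignment with its mobile allocation resolved to the actual ARFCNs the SDCCH hops over.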
Message Sequence
Hopping Problem
• Still hard to eavesdrop in general
• Other attacks have become feasible
• The GSM system can still use a lot of testing
Questions
A single sub-frequency
Logical channels
Offset