Ahmed Mohammd Altarawneh & Prof. Dr. Alaa H Al-Hamami
King Hussein Faculty for Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan

Abstract— The Global System for Mobile communications (GSM) is the most widely used telecommunication protocol in telecommunication networks. The telecommunications industry employs a mix of 2G (GSM), 3G (Universal Mobile Telecommunications Service, UMTS) and 4G (Long Term Evolution, LTE) systems to provide communication worldwide. Nonetheless, the telecommunications industry keeps a high percentage of its deployed infrastructure on GSM technology.
GSM offers worldwide roaming and intercontinental access on any available GSM system. Users are expected to be mindful of the attendant security risks. This work highlights weaknesses and issues in the GSM standard, and presents an informed methodology to help audit GSM networks for vulnerabilities.

Keywords— Sniffing GSM, RTL-SDR, GSM Vulnerability, GSM attack, Security, Privacy, Universal Software Radio Peripheral (USRP).

I. INTRODUCTION

With the exponential growth in the communication field, such as communication through voice, video, data packets, etc., it is a critical task to modify radio devices in an easy and cost-effective manner. SDR technology provides a flexible, cost-effective solution to drive communication with wide-reaching benefits to the end users. Software Defined Radio can be defined as a radio in which some or all of the physical-layer functions are software defined. Traditional hardware-based radio devices can only be modified through physical intervention, which results in high production cost and limited flexibility. With the advent of SDR, through software upgrades, it is possible to enhance multi-mode, multi-band or multi-functional wireless devices, thereby providing an efficient and inexpensive solution to this problem. To implement SDR, a free and open source software development toolkit known as GNU Radio is available [1].
The concept of GSM emerged from a cell-based mobile radio system at Bell Laboratories in the early 1970s. GSM is the name of a standardization group established in 1982 to create a common European mobile telephone standard. GSM is the most widely accepted standard in telecommunications and it is implemented globally. As of 2014 it has become the de facto global standard for mobile communications, with over 90% market share, operating in over 219 countries and territories. GSM was developed using digital technology. It has the ability to carry data rates from 64 kbps to 120 Mbps [2]. Despite the rapid change in cellular technologies, Mobile Network Operators (MNOs) keep a high percentage of their deployed infrastructure using GSM technologies.
With about 3.5 billion subscribers, GSM remains the only standard for cellular communications. However, the security criteria envisioned 30 years ago, when the standard was designed, are no longer sufficient to ensure the security and privacy of the users. Furthermore, even with the newest fourth generation (4G) cellular technologies starting to be deployed, these networks could never achieve strong security guarantees because the MNOs keep backwards compatibility given the huge number of GSM subscribers. Recent research has shown that mobile device data can be used as an effective way to track individuals. This presents a problem related to users' privacy, as their location allows the carriers to profile and track their movement(s) [3]. The most advanced penetration testing platform, Kali Linux, could be a handy solution for anyone starting in the matter. Under Kali Linux Rolling one can find, ready to use, many tools like Wireshark for network sniffing.
The main advantage of the Kali Linux distribution over Ubuntu or Debian is, in fact, the set of special packages installed that are useful in software penetration testing. Nevertheless, there is no distribution ready for GSM sniffing, so there is much to be done before starting the capture. The most important step is to identify a low-cost SDR that is suited to the sniffing approach. One of the low-cost SDRs available on the market is the RTL-SDR [4].

II. SDR

A. Software Defined Radio

SDR technology is an adaptive, future-proof solution for wireless networks that aims to replace conventional radio hardware by building an open-architecture radio system in software which is reconfigurable and reprogrammable. It supports the different functional modules of the radio system, such as modulation, demodulation, signal generation, coding, link-layer protocols, etc., in software. SDR is a promising technology in radio communication that uses software techniques on digitized radio signals. It turns hardware problems into software problems. Compared to conventional radio, it can switch between different architectures and there is a significant improvement in price/performance over traditional radio. It even has the ability to change the waveform function on the fly, receive and broadcast multiple channels at the same time, and upgrade the software over the air.
Since it is possible to receive and transmit signals simultaneously, Software Radio can act as a bridge between different radio networks. SDR is of growing importance to the wireless communication industry, the military and the public safety sector. SDR technologies will even endow space and planetary exploration systems with increased capability and reduced power consumption compared to conventional systems [5].

B. GNU Radio Platform

GNU Radio is an open source software toolkit that enables the building of a Software Defined Radio. Different functionalities like modulation, demodulation, filtering, encoding, decoding, source coding, channel coding, etc. are provided as software code. Implementing functionalities as software modules is what gives SDR its re-configurability property. Traditionally, for example, if the modulation scheme of a radio had to be changed, the entire analog circuitry employed for modulation had to be changed. Using SDR, only the code needed for the task has to be changed.
GNU Radio provides a graphical user interface with GNU Radio Companion (GRC). Experiments can be done by connecting signal processing blocks written in C++ and Python. The programmer builds a radio by creating a graph where the nodes are signal processing primitives and the edges represent the data flow between them [6].
C. Universal Software Radio Peripheral

USRP is a device which allows the creation of an SDR using any computer with a USB 2.0 port.
It is a hardware module that provides both transmission and reception capabilities over a wide range of frequencies. The motherboard comprises the FPGA chip that does the expensive signal processing, and the daughterboard carries the AD/DA converter and RF front end. It has one motherboard and can support four daughterboards. The motherboard costs around 700 dollars and each daughterboard costs around 75 dollars to 475 dollars depending on the application requirement [7].

D. RTL-SDR

To date, the USRP (Universal Software Radio Peripheral) has been a popular hardware device for doing real-time communication experiments in SDR.
But now, a 20-dollar revolution from OsmoSDR has introduced a piece of hardware called RTL-SDR (Realtek RTL2832U), which is the cheapest one. The DVB-T (Digital Video Broadcast Terrestrial) dongle proved to be efficient for SDR purposes as the chip is able to transmit raw I/Q samples to the host. The operating frequency range of the RTL-SDR is from 64 to 1700 MHz, with a sample rate of 3.2 MS/s [8].

III. BACKGROUND ON GSM

GSM is a very well-known cellular standard, so in this section we only provide a very brief background on some aspects of particular relevance for our work. It consists of three major interconnected subsystems that interact between themselves and with the users through certain network interfaces. The subsystems are:

a) Base Station Subsystem (BSS)
b) Network and Switching Subsystem (NSS)
c) Operation Support Subsystem (OSS)

The Mobile Station (MS) is also a subsystem, but is usually considered to be part of the BSS for architecture purposes.
Equipment and services are designed within GSM to support one or more of these specific subsystems [9].

a) Base Station Subsystem (BSS)

The BSS is in charge of providing connectivity between the mobiles and the network. It consists of the Mobile Station (MS), the Base Transceiver Station (BTS), and the Base Station Controller (BSC). The MS is used to provide the user an interface to communicate with the GSM network. It includes the Mobile Equipment (ME) and the Subscriber Identity Module (SIM).
The SIM is used to provide the identity of the user to the network. The BTS transmits and receives the signals from the MSs and controls the transmission power, modulation, voice coding/decoding and encryption of the signals. The BSC controls a set of BTSs as well as the handover, radio channels, paging and other control functions [10].

b) Network and Switching Subsystem (NSS)

The NSS is in charge of the switching functions, locating the MSs and the interconnection with other networks.
It consists of the Mobile Switching Center (MSC), the Home Location Register (HLR), the Visitor Location Register (VLR), and the Gateway Mobile Switching Center (GMSC). The MSC is the main element in the NSS; it controls different BSCs and is responsible for routing incoming/outgoing calls and for the mobility functions of the terminals, such as registration and location of the MSs. The HLR is a static database that contains specific parameters of the subscriber (location information, authorized services, type of terminal, etc.). The VLR is a dynamic database associated with one MSC; it stores information on the terminals that are registered with that MSC.
When an MS registers with the network, the corresponding VLR verifies the different parameters with the HLR of the home network. The GMSC is the interconnection point between the GSM network and external networks, for which it provides gateway functions [11].

c) Operation Support Subsystem (OSS)

The OSS controls, in a centralized manner, the management and maintenance of the GSM subsystems. It consists of the Authentication Center (AuC) and the Equipment Identity Register (EIR). The AuC contains a database that stores the identification and authentication data of every subscriber.
It stores the International Mobile Subscriber Identity (IMSI) and the permanent key associated with every SIM (Ki). The EIR is a database that stores lists of the MSs identified by their International Mobile Station Equipment Identity (IMEI). It is used to determine if the MSs are authorized, unauthorized or in need of monitoring.

V. GSM SECURITY

GSM security is addressed in two aspects: authentication and encryption. Authentication avoids fraudulent access by a cloned MS. Encryption avoids unauthorized listening. A secret key, Ki, is used to achieve authentication. Ki is stored in the AuC as well as in the SIM.
The Ki value is unknown to the subscriber. To initiate the authentication process, the home system of the MS generates a 128-bit random number called RAND. This number is sent to the MS. By exercising an algorithm, A3, both the network (AuC) and the MS (SIM) use Ki and RAND to produce a signed result (SRES).
The SRES generated by the MS is sent to the home system and is compared with the SRES generated by the AuC. If they are not identical, the access request is rejected. Note that if the SRES and RAND generated by the AuC are sent from the HLR to the visited VLR in advance, the SRES comparison can be done at the visited VLR. Algorithm A3 is dependent on the GSM service provider.
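The challenge-response just described, as an added Python simulation that is not part of the paper: the home HLR/AuC computes an authentication triplet (RAND, SRES, and the ciphering key Kc that A8 derives from the same Ki and RAND), the SIM answers the challenge, and a visited VLR that knows neither Ki nor A3 only compares SRES against the triplet it received in advance. A3, A8 and A5 are operator-specific and not published, so the example stands in for them with HMAC-SHA256 truncated to the GSM field widths (an assumption of the example), and the Ki, IMSI and RAND values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Triplet:
    """Authentication triplet made at the home AuC for one RAND challenge."""
    rand: bytes  # 128-bit random challenge
    sres: bytes  # 32-bit signed response expected from the SIM
    kc: bytes    # 64-bit ciphering key handed to the visited system


def a3(ki, rand):
    """Stand-in for the operator-specific A3 (assumption): SRES, 4 bytes."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for the operator-specific A8 (assumption): Kc, 8 bytes."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_cipher(kc, frame_number, data):
    """Stand-in for A5 (assumption): keystream derived from Kc and the TDMA
    frame number only, XORed onto the data. Applying it twice deciphers."""
    ks = hmac.new(kc, frame_number.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, ks[:len(data)]))


def auc_make_triplet(ki_db, imsi, rand):
    """Home HLR/AuC: looks up Ki and computes the triplet, so the visited
    VLR never needs Ki, A3 or A8."""
    ki = ki_db[imsi]
    return Triplet(rand, a3(ki, rand), a8(ki, rand))


def sim_respond(ki, rand):
    """Mobile side: the SIM holds Ki and answers RAND with (SRES, Kc)."""
    return a3(ki, rand), a8(ki, rand)


def visited_vlr_authenticate(triplet, sim_ki):
    """Visited VLR: compares the SIM's SRES with the triplet received in
    advance from the home network. Returns (accepted, Kc for A5)."""
    sres, _ = sim_respond(sim_ki, triplet.rand)
    if hmac.compare_digest(sres, triplet.sres):
        return True, triplet.kc
    return False, None


# Constructed demo values (not real subscriber data).
KI_ALICE = bytes.fromhex("0f" * 16)
IMSI_ALICE = "001010123456789"  # test-network MCC 001 / MNC 01
RAND_DEMO = bytes(range(16))


def demo():
    """Genuine SIM accepted, cloned MS with a wrong Ki rejected, and the
    Kc from the triplet ciphers/deciphers a burst at frame number 42."""
    triplet = auc_make_triplet({IMSI_ALICE: KI_ALICE}, IMSI_ALICE, RAND_DEMO)
    ok, kc = visited_vlr_authenticate(triplet, KI_ALICE)
    cloned_ok, _ = visited_vlr_authenticate(triplet, bytes(16))
    burst = a5_cipher(kc, 42, b"hello")
    return ok, not cloned_ok, a5_cipher(kc, 42, burst) == b"hello"
```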
Since the visited system may not know the A3 algorithm of a roaming MS, the authentication result SRES is generated at the home system of the MS [12]. If the MS is accepted for access, an encryption key, Kc, is produced by an algorithm, A8, with Ki and RAND as inputs. Like A3, A8 is specific to the home system. Once the home system has generated Kc, this encryption key is sent to the visited system. Kc and the TDMA frame number encoded in the data bits are used by an algorithm, A5, to cipher and decipher the data stream between the MS and the visited system. The same A5 algorithm may be used in all systems participating in the GSM service [12].

The cellular service providers have to track the location of mobile subscribers in an efficient way by making competent use of the radio resources. In order to accomplish that, the large areas served by a cellular network are partitioned into smaller geographical regions, the well-known Location Areas (LA, LAC).
Then, the broadcast messages will be addressed to those smaller areas. By identifying the paging requests that carry the TMSIs of users, we can infer whether an individual resides in that area, provided we know that person's temporary ID. Moreover, the temporary ID is the only identifier observable in the broadcast messages of the paging procedure, so mapping the temporary ID to the telephone number of the user can be a difficult procedure. According to the GSM specifications and the strict policy of mobile network operators, the IMSI must be sent as rarely as possible, to avoid it being located and tracked. However, in the light of the above, and as observed during our experiments and attacks, there were multiple times when the network authenticated its users by the IMSI. Across the history of the GSM standard, there have been many attacks on the protocol.
In 1998, reverse engineering techniques were applied to break the 3GPP subscriber authentication algorithm implementation [3]. Since then, numerous attacks on the different versions of the encryption algorithms have been reported in [13], [14] and [15].

VI. SNIFFING GSM TRAFFIC

In this section, we describe our scenario and the tools needed to perform the attack, and we detail the implementation of the attack.

VI.1 Tools

We now briefly describe the set of tools used to perform the attack:

Kali Linux OS (2017.3, 64-bit): Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël Hertzog are the core developers.

Wireshark: Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in human-readable format. Basically, it is a network packet analyzer which provides minute details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved via this tool can be viewed through a GUI or in TTY mode with the TShark utility.

Airprobe: Airprobe is a GSM air interface analysis tool [16].
Kalibrate (kal): It is an open-source software project used to scan the GSM frequencies of the base stations in the vicinity and is capable of determining the local oscillator frequency offset [17].

GNU Radio: It is an open-source toolkit that offers real-time signal processing as well as the possibility to implement different radio technologies.

RTL-SDR Dongle: RTL-SDR is a special commodity hardware device that is considered a wideband software defined radio (SDR) scanner.
RTL can be used with a DVB-T TV tuner dongle. RTL-SDR is a very broadband (60 MHz to 1700 MHz) product and has a large range of applications. RTL can be used as a telecommunication "antenna" for TV broadcasting.

VI.2 Implementation

Beginning with the RTL-SDR, we have to install the Kalibrate utility. Kalibrate is a useful tool that enables us to identify the available principal GSM channels in our area. Kalibrate-RTL, or kal, is a Linux program used to scan for GSM BTSs in a given frequency band.

System Information Messages

We start our analysis from System Information messages.
Generally this type of message contains the information that the MS needs in order to communicate with the network. As we can see, there are different types of such messages, each one containing various pieces of information.

Type 1: Channel type = BCCH. Contains a list of ARFCNs (Absolute Radio Frequency Channel Numbers) of the cell and RACH control parameters.
Type 2: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) and the BCCH frequency list.
Type 3: Channel type = BCCH. Contains the cell identity (cell ID) code decoded, the Location Area Identity (LAI, which comprises the Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area Code (LAC)) and some GPRS information.
Type 4: Channel type = BCCH. Contains the LAI (MCC+MNC+LAC) decoded, cell selection parameters and RACH control parameters. Some GPRS information too.
Type 2ter: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) with the Extended BCCH frequency list.
Type 2quater: Channel type = BCCH. Is a 3G message with information that we do not take into account in this study. Contains the 3G neighbor cell description.
Type 13: Channel type = BCCH. Contains all the important information about GPRS, like GPRS cell options and GPRS power control parameters.
Paging Request Messages

Type 1: Channel type = CCCH. Contains: Mobile Identity 1 = IMSI; Page Mode = normal paging (P1); Channel Needed. Or contains: Mobile Identity 1 and 2 = TMSI/P-TMSI; Page Mode = normal paging (0); Channel Needed.
Type 2: Channel type = CCCH. Contains: Mobile Identity 1, 2 = TMSI/P-TMSI or IMSI; Mobile Identity 3; Page Mode = normal paging (0); Channel Needed.
Type 3: Channel type = CCCH. Contains: Mobile Identity 1, 2, 3 and 4 = TMSI/P-TMSI (not decoded); Page Mode = normal paging (0); Channel Needed.

Immediate Assignment Message

Channel type = CCCH. Contains: Timing Advance value; Packet Channel Description (time slot); Page Mode = extended paging (1).

The IMSI represents the unique identity of the subscriber of the phone, including the country of origin and the mobile network to which the subscriber subscribes. It identifies the user of a cellular network, and every cellular network has its own unique identification. All GSM networks use the IMSI as the primary identity of a subscriber or user. The number that represents the IMSI can be as long as 15 digits, or shorter. The first three digits are the mobile country code (MCC), followed by the mobile network code (MNC). The IMSI is also contained in the SIM card. IMSIs are normally used by network operators to identify subscribers and to decide whether to allow a subscriber to use another network operator.
By tracking your IMSI, an authority can actually track not just the location of your phone but also whom you are calling, at what time and where the call is made.

Each location area of a public land mobile network (PLMN) has its own unique identifier, known as its location area identity (LAI). This internationally unique identifier is used for location updating of mobile subscribers. It is composed of a three-decimal-digit mobile country code (MCC), a two- to three-digit mobile network code (MNC) that identifies a Subscriber Module Public Land Mobile Network (SM PLMN) in that country, and a location area code (LAC), which is a 16-bit number, thereby allowing 65536 location areas within one GSM PLMN. The LAI is broadcast regularly through a broadcast control channel (BCCH).
A mobile station (e.g. a cell phone) recognizes the LAI and stores it in the subscriber identity module (SIM). If the mobile station is moving and notices a change of LAI, it will issue a location update request, thereby informing the mobile provider of its new LAI.
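As an added example that is not part of the paper, the following Python decodes the two identifiers this section discusses as they appear on the air interface, the Mobile Identity element carried in paging requests (IMSI or TMSI) and the 5-octet LAI broadcast on the BCCH, and tallies how often a network pages by IMSI instead of TMSI, which is the audit metric an operator would watch for the identity exposure described above. Field layouts follow the public 3GPP TS 24.008 encodings; all sample bytes are constructed, not captured traffic.

```python
from collections import Counter

# Type-of-identity field (low 3 bits of the first Mobile Identity octet).
IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie):
    """Decode the value part of a Mobile Identity IE (TS 24.008 10.5.1.4).
    Digits are BCD, low nibble first; a TMSI is 4 raw octets after 0xF4."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    id_type = IDENTITY_TYPES.get(ie[0] & 0x07, "reserved")
    odd = bool(ie[0] & 0x08)  # odd/even indicator for the digit count
    if id_type == "TMSI":
        if len(ie) != 5:
            raise ValueError("TMSI/P-TMSI must be exactly 4 octets")
        return id_type, ie[1:].hex()
    digits = [ie[0] >> 4]  # digit 1 sits in the high nibble of octet 1
    for octet in ie[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd and digits.pop() != 0x0F:
        raise ValueError("even-length identity must end with 1111 filler")
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return id_type, "".join(map(str, digits))


def decode_lai(lai):
    """Decode a 5-octet LAI (TS 24.008 10.5.1.3) into (MCC, MNC, LAC).
    A two-digit MNC carries 0xF in the third MNC digit position."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 octets")
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0x0F:
        mnc += str(lai[1] >> 4)
    return mcc, mnc, int.from_bytes(lai[3:5], "big")  # LAC is 16 bits


def split_imsi(imsi, mnc_len):
    """Split an IMSI into MCC, MNC and MSIN. The MNC is 2 or 3 digits, so
    its length is taken from the serving network's LAI."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def paging_identity_audit(ies):
    """Tally how paging requests address subscribers. Paging by IMSI rather
    than TMSI is the exposure the paper observed; an operator auditing its
    own network should expect the IMSI share to stay near zero."""
    counts = Counter(decode_mobile_identity(ie)[0] for ie in ies)
    total = sum(counts.values())
    return {"total": total, "by_type": dict(counts),
            "imsi_share": counts["IMSI"] / total if total else 0.0}


# Constructed sample IEs (test-network MCC 001 / MNC 01; not real traffic).
SAMPLE_PAGING_IDS = [
    bytes.fromhex("0910101032547698"),  # IMSI 001010123456789
    bytes.fromhex("f4a1b2c3d4"),        # TMSI 0xA1B2C3D4
    bytes.fromhex("f4deadbeef"),        # TMSI 0xDEADBEEF
    bytes.fromhex("f401020304"),        # TMSI 0x01020304
]
SAMPLE_LAI = bytes.fromhex("00f1101234")  # MCC 001, MNC 01, LAC 0x1234
```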
This allows the provider to locate the mobile station in case of an incoming call. So we can say that this information is very sensitive to the privacy and security of mobile phone users.

VII. CONCLUSION

In this paper we presented an effective attack that can exploit chronic and fundamental vulnerabilities that exist in GSM cellular technology. This attack could also have a serious impact on the latest cellular technologies in use, like UMTS and LTE. We learned about the newcomer commodity hardware RTL-SDR. The RTL-SDR can also be characterized as an IMSI catcher and, when combined with some hardware and software, can build a mechanism for mobile user tracking.
It is obvious that an individual equipped with that cheap commodity hardware could compromise GSM subscribers' privacy and perform some serious attacks. So, systems with broadcast paging protocols can leak location information, and the leaks can be observed with the available, low-cost commodity hardware presented in this paper. All of this comes down to exploiting the proven vulnerabilities that exist in the GSM network, related to the exposure of the users' personal identities over the radio link. This research has shown that with certain tools, a system can be created to audit GSM. It is proved that the current protocols used in radio and wireless systems may not be as robust and secure as originally thought.