Dennis Wehrle, Konrad Meier, Dirk von Suchodoletz, Klaus Rechert, Gerhard Schneider
Overview
1. GSM Infrastructure
2. Analysis of GSM
3. Our own GSM network
4. Security
   4.1 Localization
   4.2 IMSI-Catcher
   4.3 Encryption A5/1
15.3.11 GSM Research
1. GSM Infrastructure
GSM is a cellular network
Largest mobile network worldwide
Subscriber view:
- Mobile Station
  - Cell phone
  - SIM card
1. GSM Infrastructure
Operator / Network view
2. GSM Analysis
Analysis from the subscriber point of view
- Nokia 3310
  - Netmonitor to show network parameters and cell phone state
  - Gammu [1] captures data received and transmitted by the phone.
- USRP [2]
  - Flexible software radio
  - GSM signals can be captured.
  - Data processing is done with airprobe. [3]
[1] Gammu: http://wammu.eu/gammu/
[2] USRP from Ettus Research: http://www.ettus.com
[3] airprobe: https://svn.berlin.ccc.de/projects/airprobe/
Nokia 3310
2. GSM Analysis
Gammu output displayed with Wireshark
Nokia 3310 Netmonitor
[Figure labels: cell parameters, neighborhood list]
2. GSM Analysis
Analysis from the provider point of view
- Access to a real-world GSM network is hard to get.
- Therefore we have set up our own GSM network called RB-GSM.
- Research network for:
  - "Playing" with the GSM topic in a meaningful way
  - Statistics about user behavior within the network
  - Positioning of Mobile Station
  - GSM encryption A5/1
  - What information can/will be gathered by the provider?
  - How to protect the user in a GSM network?
- Hardware
  - ip.access NanoBTS
  - Small GSM picocell
[1] OpenBSC: http://openbsc.osmocom.org
[2] LCR: http://www.linux-call-router.de/
[3] Asterisk: http://www.asterisk.org/
ip.access nanoBTS
4. Security on GSM
Original intention:
- Anonymization of subscribers (usage of temporary identifier TMSI)
- Prevention of eavesdropping (encryption)
Because of the lack of computing power and suitable hardware for analysis, GSM was "secure" for a long time. But by now there exist several hardware components and software projects that can be used to analyze, crack and build up GSM networks.
4. Security on GSM
Problems:
- No physical access needed for attackers (e.g. cable-based communication)
- Radio waves spread with less/no control.
- Much information is not encrypted during transmission.
Problem:
- Misuse of the data
- It is not clear what happens with the data:
  - e.g.: The Austrian provider A1 sells anonymized data
Displayed range
4.2 IMSI-Catcher
IMSI:
- Worldwide unique identifier for the SIM
- Stored on the SIM
IMEI:
- Worldwide unique identifier for the Mobile Station
IMSI-Catcher:
- May only be used by public authorities (in Germany)
- Price is really high (I M! Rohde & Schwarz)
- But with USRP you can build a cheap one (O M!' ).
Problems:
- Identity of the user can be revealed
- Record conversation
- Produce a moving profile
4.2 IMSI-Catcher
How does it work?
- Simulates a base station as part of a regular mobile radio network (in Germany: D1, D2, E-Plus, O2)
- During the login procedure the Mobile Station transmits the IMSI / IMEI.
This is successful because GSM doesn't provide mutual authentication. Only the Mobile Stations have to authenticate correctly.
4.2 IMSI-Catcher
"Standard" IMSI-Catcher:
Problem:
- If the IMSI-Catcher isn't on the neighborhood list, it will not be recognized.
Solutions:
- Force the Mobile Station to switch to the IMSI-Catcher.
- Use a GSM-Jammer to induce the Mobile Station to rescan the frequency-band
4. MS switch to IMSI-Catcher.
Normally the user should be notified of the use of an unencrypted network. But:
- Modern devices do not display if the connection is secure or not.
- Notification about unencrypted connections can be disabled via a flag on the SIM card.
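An added example (not from the original slides): a phone-side heuristic for the two symptoms described above, a serving cell that was not on the previous neighborhood list and a connection without encryption. The Observation fields and the sample trace are constructed assumptions, not output of Netmonitor or Gammu.

```python
# Added example: heuristic IMSI-catcher indicators over phone-side observations.
# Field names and sample values are constructed for illustration (assumptions).
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    t: int                # seconds since start of capture
    arfcn: int            # channel number of the serving cell
    cell_id: int          # identity of the serving cell
    neighbors: frozenset  # channels on the serving cell's neighborhood list
    cipher: str           # "A5/1", or "A5/0" for no encryption


def indicators(observations):
    """Return (time, reason) tuples for suspicious changes in the trace."""
    findings = []
    prev = None
    for obs in observations:
        changed_cell = prev is not None and obs.cell_id != prev.cell_id
        # A regular cell change goes to a channel the previous serving cell
        # announced; a cell outside that list deserves a closer look.
        if changed_cell and obs.arfcn not in prev.neighbors:
            findings.append((obs.t, "serving cell not on previous neighborhood list"))
        # Report the start of an unencrypted phase once, not every sample.
        if obs.cipher == "A5/0" and (prev is None or prev.cipher != "A5/0"):
            findings.append((obs.t, "unencrypted connection (A5/0)"))
        prev = obs
    return findings


# Constructed trace: two regular cells, then an unannounced cell without encryption.
SAMPLE = [
    Observation(0, 50, 1001, frozenset({52, 60}), "A5/1"),
    Observation(30, 52, 1002, frozenset({50, 60}), "A5/1"),
    Observation(60, 77, 9999, frozenset(), "A5/0"),
    Observation(90, 77, 9999, frozenset(), "A5/0"),
]

if __name__ == "__main__":
    for t, reason in indicators(SAMPLE):
        print(f"t={t}s: {reason}")
```

Both indicators also occur in regular operation, for example after loss of coverage or on networks that run without encryption, so they are hints to investigate and not proof.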
Motorola C123