Pres Thesis

7/27/2019 Pres Thesis

http://slidepdf.com/reader/full/pres-thesis 1/54

CATCHING AND UNDERSTANDING GSM

SIGNALS

Master Thesis

Fabian van den Broek

Radboud University Nijmegen

30 March 2010

http://find/



Some Numbers

http://find/



Some Numbers

• $ 600 Billion

http://find/



Some Numbers

• $ 600 Billion

• 90% of population has coverage

http://goforward/

http://find/

http://goback/



Some Numbers

• $ 600 Billion


• 4.1 billion mobile users

http://find/

http://goback/



Some Numbers

• $ 600 Billion


• 4.1 billion mobile users

But has GSM been properly tested?

http://find/

http://goback/



Cellular technology

http://find/

http://goback/



GSM system overview

http://find/

http://goback/



The Um interface

http://find/

http://goback/



Software Defined Radio

http://find/

http://goback/




• USRP

• Gnu Radio• Air Probe

Have these new SDR products made GSM less secure?

http://find/

http://goback/




• USRP



http://find/

http://goback/




• USRP



http://find/




• USRP

•

Gnu Radio• Air Probe


d h

http://find/



and then....

Th U i t f

http://find/



The Um interface

F b d (GSM900)

http://find/



Frequency band (GSM900)

F b d (II)

http://find/



Frequency band (II)

Frequency band (III)

http://find/





http://find/




Frequency division

http://find/



Frequency division

Combined up and down link frequency

http://find/





http://find/




Numbered with ARFCNs

http://find/



Numbered with ARFCNs

Frequency division

http://find/

http://goback/



Frequency division

Frequency division

http://find/



Frequency division

GSM messages

http://find/



GSM messages

49 06 1b 3 2 2 2 0 2 f 4 80 − 11 7 f d8 04 28 15 65 04 − a 9 0 0 0 0 1 c 1 3 2 b 2 b

5 5 0 6 1 9 0 0 0 0 0 0 0 0 2 0 − 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 − 0 1 0 0 0 0 a 9 0 0 0 0 2 b

KPN system information

http://find/




1 : 49 0 6 1b 3 2 22 0 2 f 4 80 − 11 7 f d8 04 28 15 65 04 − a 9 0 0 0 0 1 c 1 3 2 b 2 b0: 49 010010−− Pseudo Length : 181 : 0 6 0−−−−−−− D i r e c t i o n : From o r i g i n a t i n g s i t e1 : 06 −000−−−− 0 T r a n s ac t i o n ID

1 : 06 −−−−

0110 Radio Resouce Management2: 1b 00011011 RRsystemInfo3C3 : 32 12834 [ 0 x3222 ] C el l i d e n t i t y5 : 02 204 M ob il e C ou nt ry Code ( N et he rl an ds )6 : f 4 08 f M ob il e Network Code (KPN Telecom B . V . )8 : 11 4479 [ 0 x 11 7f ] L oc al Area Code

1 0: d8 1−−−−−−− Spa re b i t ( s h ou ld be 0 )1 0 : d8 −1−−−−−− MSs i n t he c e l l s h a l l a pp ly I MS I a t t a c h / d et ac h p ro ce du re1 0 : d8 −−011−−− Number o f b l o c k s : 31 0 : d8 −−−−−000 1 b a si c p h y si c a l ch a n n el fo r CCCH, n o t combi ne d wi t h SDCCHs11: 04 00000

−−− s pa re b i t s ( s ho ul d be 0 )

1 1 : 04 −−−−−100 6 m u l t i f ra me s p e r io d f o r p ag in g r e qu es t12: 28 00101000 T3212 TimeOut value : 401 3: 15 0−−−−−−− s pa re b i t ( s ho ul d be 0 )1 3 : 15 −0−−−−−− Power c o n t ro l i n d i c a t o r i s n ot s et1 3 : 15 −−01−−−− MSs s h a l l us e u p l i n k DTX1 3 : 15 −−−−0101 Rad i o L i n k Ti me o ut : 241 4 : 6 5 011−−−−− C e l l R e s el e ct H ys t . : 6 d b RXLEV1 4 : 65 −−−x x x xx Max T x p ow er l e v e l : 5

1 5: 04 0−−−−−−−

No a d d i t i o n a l c e l l s i n S ys In fo 7−

81 5 : 04 −0−−−−−− New e s t a b l i s h m c au se : n o t s u p po r t ed1 5 : 04 −−xxxxxx RXLEV Access Min p e rm i t te d = −110 + 4dB1 6 : a9 1 0−−−−−− Max . o f r e tr an s mi s s : 41 6 : a9 −−1010−− s l o t s t o s pre ad TX : 141 6 : a9 −−−−−−0− The c e l l i s b a rre d : no1 6 : a9 −−−−−−−1 C e l l r e e s t a b l . i . c e l l : n ot a ll ow ed1 7 : 00 −−−−−0−− Emergency c a l l EC 1 0 : a l l o w ed17: 00 00000−−− Acc c t r l c l 11−15: 0 = p e rm i tt e d , 1 = f o r b id d e n

1 7 : 00 −−−−−−

00 Acc c t r l c l 8−

9 : 0 = p er mi tt ed , 1 = f o r b i d d e n1 7 : 00 −−−−−−−0 O r d in ar y s u b s c ri b e r s ( 8 )


http://find/




2 : 55 06 19 00 00 00 00 20 − 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 − 0 1 0 0 0 0 a 9 0 0 0 0 2 b0: 55 010101−− Pseudo Length : 21

1 : 0 6 0−−−−−−−

D i r e c t i o n : From o r i g i n a t i n g s i t e1 : 06 −000−−−− 0 T r a n s ac t i o n ID1 : 06 −−−−0110 Radio Resouce Management2: 19 00011001 RRsystemInfo13 : 00 00−−−−−− B it ma p 0 f o r m a t7 : 20 −−1−−−−− C el l Al l oc a t i o n : ARFCN 949 : 10 −−−1−−−− C el l Al l oc a t i o n : ARFCN 77

1 0 : 10 −−−1−−−− C el l Al l oc a t i o n : ARFCN 691 6 : 01 −−−−−−−1 C el l Al l oc a t i o n : ARFCN 171 9 : a9 1 0−−−−−− Max . o f r e tr an s mi s s : 41 9 : a9 −−1010−− s l o t s t o s pre ad TX : 141 9 : a9 −−−−−−0− The c e l l i s b a rre d : no1 9 : a9 −−−−−−−1 C e l l r e e s t a b l . i . c e l l : n ot a ll ow ed2 0 : 00 −−−−−0−− Emergency c a l l EC 1 0 : a l l o w ed20: 00 00000−−− Acc c t r l c l 11−15: 0 = p e rm i tt e d , 1 = f o r b id d e n2 0 : 00 −−−−−−00 Acc c t r l c l 8− 9 : 0 = p er mi tt ed , 1 = f o rb i dd e n2 0 : 00 −−−−−−−0 O r d in ar y s u b s c ri b e rs ( 8 )2 0 : 00 −−−−−−0− Or d in ar y s u b s c ri b e rs ( 9 )2 0 : 00 −−−−−0−− E mergency c a l l ( 1 0 ) : E ve ry on e2 0 : 00

−−−−0−−−

Op er at or S p e c i f i c ( 1 1 )2 0 : 00 −−−0−−−− S ec u r it y s e r vi c e ( 1 2)2 0 : 00 −−0−−−−− P ub l ic s e r vi c e ( 1 3)2 0 : 00 −0−−−−−− Emergency s e r v i c e ( 1 4 )2 0: 00 0−−−−−−− N et wo rk O p e ra t o r ( 1 5 )2 1: 00 00000000 Acc c t r l c l 0− 7 : 0 = p er mi tt ed , 1 = f o rb i dd e n2 1 : 00 00000000 O r d in a r y s u b s c r i b e r s ( 0−7)


http://find/



syste o at o

[ 0 x3222 ] C e l l i d e n t i t yMo b i l e Co u n try Code ( Ne th e rl a n d s )Mobile Network Code (KPN Telecom B .V . )

[ 0 x 1 1 7f ] L o c a l A re a Code

C el l A l lo c a t i on : ARFCN 94C el l A l lo c a t i on : ARFCN 77C el l A l lo c a t i on : ARFCN 69C el l A l lo c a t i on : ARFCN 17

The KPN cell

http://find/



The KPN cell

http://find/



No Frequency hopping

http://find/



q y pp g

Frequency hopping (I)

http://find/



q y pp g ( )

Frequency hopping (II)

http://find/



Immediate Assignment

http://goforward/

http://find/



31 0 6 3 f 00 5 2 f 0 ab 8 5 − ad e0 01 01 0 f 2b 2b 2b − 2 b 2 b 2 b 2 b 2 b 2 b 2 b0: 31 001100−− Pseudo Length : 12

1 : 0 6 0−−−−−−−

D i r e c t i o n : From o r i g i n a t i n g s i t e1 : 06 −000−−−− 0 T r a n s ac t i o n ID1 : 06 −−−−0110 Radio Resouce Management2 : 3 f 0−111111 RRimmediateAssignment2 : 3 f −x−−−−−− Send sequence number: 03 : 00 −−−−−−00 Page Mode: Normal paging3 : 00 −0−−−−−− No meaning3 : 00 −−0−−−−− Do wnl i n k a ssi g n to MS: No me an in g3 : 00 −−−0−−−− Th i s messa ges a ssi g n s a d e d i ca te d mode re so u rce

4 : 52 −−−−−

010 T i m e s l o t num ber : 24: 52 01010−−− Chan. De sc ri pt . : SDCCH/8 + SACCH/ C8 or CBCH (SDCCH/ 8 )5 : f 0 111−−−−− T r a in i ng seq . code : 75 : f 0 −−−1−−−− HoppingChannel6 : ab . . . . . . . . M ob il e A l l o c a t i o n I nd ex O f f s e t ( MAIO ) 26 : ab −−101011 Hopping Seq . Number: 437 : 8 5 100−−−−− E s t a b l i s h i n g Cause : A ns wer t o p a gi n g7 : 85 −−−xxxxx Random Reference : 58 : ad x x xx x xx x T1 / T2 / T3

9 : e0 x x xx x xx x T1 / T2 / T31 0 : 01 −−x x x xx x T i mi n g a dv an ce v a l u e : 11 1 : 01 00000001 L en gt h o f M o bi l e A l l o c a t i o n : 11 2 : 0 f −−−−1−−− Mo b i l e Al l o ca t i o n ARFCN #41 2 : 0 f −−−−−1−− Mo b i l e Al l o ca t i o n ARFCN #31 2 : 0 f −−−−−−1− Mo b i l e Al l o ca t i o n ARFCN #21 2 : 0 f −−−−−−−1 M o b il e A l l o c a t i o n ARFCN # 1

Immediate Assignment

http://goforward/

http://find/

http://goback/



HoppingChannelM ob il e A l l o c a t i o n I nd ex O f f s e t ( MAIO ) 2Hopping Seq . Number : 43

Mo b i l e Al l o ca t i o n ARFCN #4Mo b i l e Al l o ca t i o n ARFCN #3Mo b i l e Al l o ca t i o n ARFCN #2Mo b i l e Al l o ca t i o n ARFCN #1

Message Sequence

http://find/

http://goback/



Message Sequence

http://find/

http://goback/



Message Sequence

http://find/



Message Sequence

http://find/



Message Sequence

http://find/



Message Sequence

http://find/



Message Sequence

http://find/



Hopping Problem

http://find/



Conclusion

http://find/



• Still hard to eavesdrop in general

• Other attacks have become feasible• The GSM system can still use a lot of testing

Questions

http://find/



A single sub-frequency

http://find/



A single sub-frequency

http://find/



Time division

http://find/



Time division

http://find/



Bursts

http://find/



Logical channels

http://find/

http://goback/



Offset

http://find/

http://goback/



http://find/

http://goback/

Pres Thesis

Documents