An educated methodology to help review GSM networks


Ahmed Mohammd Altarawneh & Prof. Dr. Alaa H
King Hussein Faculty for Computing Sciences
Princess Sumaya University for Technology
Amman, Jordan

Abstract— The Global System for Mobile Communications (GSM) is the most widely used telecommunication protocol in telecommunication networks. The telecommunications industry uses a mix of 2G (GSM), 3G (Universal Mobile Telecommunications Service, UMTS) and 4G (Long Term Evolution, LTE) systems to provide communication worldwide. Nevertheless, the industry keeps a high percentage of its deployed infrastructure on GSM technology. GSM offers worldwide roaming and intercontinental access to any available GSM network. Users are expected to be aware of the resulting security risks. This work highlights weaknesses and issues in the GSM standard and presents an educated methodology to help audit GSM networks for vulnerabilities.


Keywords— Sniffing GSM, RTL-SDR, GSM Vulnerability, GSM attack, Security, Privacy, Universal Software Radio Peripheral (USRP).



With the exponential growth in the communication field, such as communication through voice, video and data packets, it is a critical task to modify radio devices in an easy and cost-effective manner. SDR technology provides a flexible, cost-effective solution to drive communication with wide-reaching benefits to end users. A Software Defined Radio can be defined as a radio in which some or all of the physical-layer functions are defined in software. Traditional hardware-based radio devices can only be modified through physical intervention, which results in high production cost and limited flexibility. With the advent of SDR it is possible, through software upgrades, to build multi-mode, multi-band or multi-functional wireless devices, thereby providing an efficient and inexpensive solution to this problem. To implement SDR, a free and open-source software development toolkit known as GNU Radio is available [1].


The concept of GSM emerged from a cell-based mobile radio system at Bell Laboratories in the early 1970s. GSM is the name of a standardization group established in 1982 to create a common European mobile telephone standard. GSM is the most widely accepted standard in telecommunications and it is implemented globally. As of 2014 it has become the de facto global standard for mobile communications, with over 90% market share, operating in over 219 countries and territories. GSM was developed using digital technology. It has the ability to carry data rates from 64 kbps to 120 Mbps [2].



Despite the rapid change in cellular technologies, Mobile Network Operators (MNOs) keep a high percentage of their deployed infrastructure on GSM technologies. With about 3.5 billion subscribers, GSM remains the only standard for cellular communications. However, the security criteria envisioned 30 years ago, when the standard was designed, are no longer sufficient to ensure the security and privacy of users. Furthermore, even with the newest fourth generation (4G) cellular technologies starting to be deployed, these networks can never achieve strong security guarantees because the MNOs keep backwards compatibility, given the huge number of GSM subscribers. Recent research has shown that mobile device data can be used as an effective way to track individuals. This presents a problem for users' privacy, as their location allows carriers to profile and track their movements [3].


The most advanced penetration testing platform, Kali Linux, could be a handy starting point for anyone entering this field. Under Kali Linux Rolling one can find, ready to use, many tools such as Wireshark for network sniffing. The main advantage of the Kali Linux distribution over Ubuntu or Debian is, in fact, the special set of packages installed that are useful for penetration testing. Nevertheless, there is no distribution ready for GSM sniffing, so there is much to be done before starting the capture. The most important step is to identify a low-cost SDR that is suited to the sniffing approach. One of the low-cost SDRs available on the market is



Software Defined Radio:

SDR technology is an adaptive, future-proof solution for wireless networks that aims to replace conventional radio hardware by building an open-architecture radio system in software which is reconfigurable and reprogrammable. It supports different functional modules of the radio system, such as modulation, demodulation, signal generation, coding and link-layer protocols, in software. SDR is a promising technology in radio communication that applies software techniques to digitized radio signals. It turns hardware problems into software problems. Compared to conventional radio, it can switch between different architectures, and there is a significant improvement in price/performance over traditional radio. It even has the ability to change waveform functions on the fly, to receive and broadcast multiple channels at the same time, and to upgrade its software over the air. Since it is possible to receive and transmit signals simultaneously, a software radio can act as a bridge between different radio networks. SDR is of growing importance to the wireless communication industry, the military and the public safety sector. SDR technologies will even endow space and planetary exploration systems with increased capability and reduced power consumption compared to conventional systems [5].



GNU Radio Platform

GNU Radio is an open-source software toolkit that enables building a Software Defined Radio. Different functionalities like modulation, demodulation, filtering, encoding, decoding, source coding and channel coding are provided as software modules. Implementing functionality as software modules is what gives an SDR its reconfigurability. Traditionally, for example, if the modulation scheme of a radio had to be changed, the entire analog circuitry employed for modulation had to be replaced. Using SDR, only the code for that task has to be changed. GNU Radio provides a graphical user interface, GNU Radio Companion (GRC). Experiments are done by connecting signal processing blocks written in C++ and Python. The programmer builds a radio by creating a graph where the nodes are signal processing primitives and the edges represent the data flow between them [6].


Universal Software Radio Peripheral

The USRP is a device which allows the creation of an SDR using any computer with a USB 2.0 port. It is a hardware module that provides both transmission and reception capabilities over a wide range of frequencies. The motherboard carries an FPGA chip that does the expensive signal processing, while the daughterboard holds the AD/DA converters and the RF front end. One motherboard can support four daughterboards. The motherboard costs around 700 dollars and each daughterboard costs around 75 to 475 dollars depending on the application requirements [7].



To date the USRP (Universal Software Radio Peripheral) has been the popular hardware device for real-time communication experiments in SDR. But now a 20-dollar revolution from OSMO SDR has introduced hardware called RTL-SDR, based on the Realtek RTL2832U, which is the cheapest option. The DVB-T (Digital Video Broadcast Terrestrial) dongle proved to be efficient for SDR purposes because the chip is able to transmit raw I/Q samples to the host. The operating frequency range of the RTL-SDR is from 64 to 1700 MHz, with a sample rate of 3.2 MS/s [8].


GSM is a very well-known cellular standard, so in this section we only provide a very brief background on the aspects of particular relevance to our work. It consists of three major interconnected subsystems that interact between themselves and with the users through defined network interfaces.


The subsystems are:

a) Base Station Subsystem (BSS)

b) Network and Switching Subsystem (NSS)

c) Operation Support Subsystem (OSS)


The Mobile Station (MS) is also a subsystem, but for architectural purposes it is usually considered part of the BSS. Equipment and services within GSM are designed to support one or more of these specific subsystems [9].


Base Station Subsystem (BSS)


The BSS is in charge of providing connectivity between the mobiles and the network. It consists of the Mobile Station (MS), the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The MS provides the user with an interface to communicate with the GSM network. It includes the Mobile Equipment (ME) and the Subscriber Identity Module (SIM). The SIM provides the identity of the user to the network. The BTS transmits signals to and receives signals from the MSs, and controls the transmission power, modulation, voice coding/decoding and encryption of the signals. The BSC controls a set of BTSs as well as handover, radio channels, paging and other control functions [10].



Network and Switching Subsystem


The NSS is in charge of the switching functions, locating the MSs and the interconnection with other networks. It consists of the Mobile Switching Center (MSC), the Home Location Register (HLR), the Visitor Location Register (VLR) and the Gateway Mobile Switching Center (GMSC). The MSC is the main element in the NSS: it controls different BSCs and is responsible for routing incoming/outgoing calls and for the mobility functions of the terminals, such as registration and location of the MSs. The HLR is a static database that contains the specific parameters of the subscriber (location information, authorized services, type of terminal, etc.). The VLR is a dynamic database associated with one MSC; it stores information on the terminals that are registered with that MSC. When an MS registers with the network, the corresponding VLR verifies the different parameters with the HLR of the home network. The GMSC is the interconnection point between the GSM network and external networks, for which it provides gateway functions [11].



c) Operation Support Subsystem (OSS)

The OSS controls, in a centralized manner, the management and maintenance of the GSM subsystems. It consists of the Authentication Center (AuC) and the Equipment Identity Register (EIR). The AuC contains a database that stores the identification and authentication data of every subscriber. It stores the International Mobile Subscriber Identity (IMSI) and the permanent key (Ki) associated with every SIM. The EIR is a database that stores lists of MSs identified by their International Mobile Station Equipment Identity (IMEI). It is used to determine whether an MS is authorized, unauthorized or needs to be monitored.


V: GSM SECURITY

GSM security is addressed in two aspects: authentication and encryption. Authentication prevents fraudulent access by a cloned MS. Encryption prevents unauthorized listening.

A secret key, Ki, is used to achieve authentication. Ki is stored in the AuC as well as in the SIM. The Ki value is unknown to the subscriber. To initiate the authentication process, the home system of the MS generates a 128-bit random number called RAND. This number is sent to the MS. By running an algorithm, A3, both the network (AuC) and the MS (SIM) use Ki and RAND to produce a signed result (SRES). The SRES generated by the MS is sent to the home system and compared with the SRES generated by the AuC. If they are not identical, the access request is rejected. Note that if the SRES and RAND generated by the AuC are sent from the HLR to the visited VLR in advance, the SRES comparison can be done at the visited VLR. Algorithm A3 is dependent on the GSM service provider. Since the visited system may not know the A3 algorithm of a roaming MS, the authentication result SRES is generated at the home system of the MS [12].

If the MS is accepted for access, an encryption key, Kc, is produced by an algorithm, A8, with Ki and RAND as inputs. Like A3, A8 is specific to the home system. Once the home system has generated Kc, this encryption key is sent to the visited system. Kc and the TDMA frame number encoded in the data bits are used by an algorithm, A5, to cipher and decipher the data stream between the MS and the visited system. The same A5 algorithm may be used in all systems participating in the GSM service [12].
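The following is an added example, not code from the paper. It models the challenge-response flow just described: the AuC (the only network element holding Ki) builds a (RAND, SRES, Kc) triplet, hands it to the visited VLR, the SIM answers with its own SRES, and the VLR compares the two without ever learning Ki or the operator's A3. The real A3 and A8 are operator-specific (COMP128 variants) and A5 is a hardware stream cipher; none of them are implemented here. They are stood in for by HMAC-SHA256 and a hash-based keystream, truncated to the real field widths (32-bit SRES, 64-bit Kc, 22-bit frame number), which is a labelled assumption of this example. The IMSI used is a constructed test-PLMN value.

```python
"""Model of GSM authentication (A3/A8) and ciphering-key use (A5) as described above.

Added example. A3/A8/A5 are replaced by hash-based stand-ins (assumption);
the protocol flow, field sizes and who-knows-what are the point.
"""
import hashlib
import hmac
import secrets

KI_BYTES, RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 16, 4, 8


def a3_sres(ki, rand):
    """Stand-in for A3: 32-bit signed response from Ki and RAND (HMAC, not COMP128)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8_kc(ki, rand):
    """Stand-in for A8: 64-bit ciphering key Kc from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


class AuC:
    """Home network: apart from the SIM, the only place that holds Ki."""

    def __init__(self):
        self._ki = {}  # IMSI -> Ki (a real AuC keeps these in an HSM)

    def provision(self, imsi):
        ki = secrets.token_bytes(KI_BYTES)
        self._ki[imsi] = ki
        return ki  # returned only so a SIM object can be personalised in this model

    def triplet(self, imsi):
        """(RAND, SRES, Kc) that the HLR can push to a visited VLR in advance."""
        rand = secrets.token_bytes(RAND_BYTES)
        ki = self._ki[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class SIM:
    """Mobile station side: answers RAND with SRES and keeps Kc for A5."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


def vlr_authenticate(triplet, sres_from_ms):
    """Visited network compares SRES using only the triplet it was given."""
    rand, sres_expected, kc = triplet
    if hmac.compare_digest(sres_expected, sres_from_ms):  # constant-time compare
        return True, kc
    return False, None


def a5_keystream(kc, frame_number, nbits=114):
    """Stand-in for A5: keystream from Kc and the 22-bit TDMA frame number (not A5/1).

    A GSM burst carries 114 payload bits, hence the default length.
    """
    seed = kc + (frame_number & 0x3FFFFF).to_bytes(3, "big")
    out = bytearray()
    counter = 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(seed + counter.to_bytes(2, "big")).digest()
        counter += 1
    return bytes(out)[: (nbits + 7) // 8]


def run_attach(auc, sim):
    """One authentication round. Returns (accepted, both_sides_agree_on_Kc)."""
    trip = auc.triplet(sim.imsi)
    sres, kc_ms = sim.respond(trip[0])
    accepted, kc_net = vlr_authenticate(trip, sres)
    return accepted, (kc_ms == kc_net) if accepted else False


if __name__ == "__main__":
    auc = AuC()
    imsi = "001010123456789"  # constructed test-PLMN IMSI
    genuine = SIM(imsi, auc.provision(imsi))
    clone = SIM(imsi, bytes(KI_BYTES))  # knows the IMSI but not Ki
    print("genuine SIM:", run_attach(auc, genuine))
    print("cloned MS without Ki:", run_attach(auc, clone))
```

The clone in the usage block illustrates the first sentence of this section: copying the IMSI alone is not enough, because SRES cannot be produced without Ki. Note also what the model makes visible about the visited VLR: it authenticates the MS, but nothing in the exchange lets the MS authenticate the network.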

Cellular service providers have to track the location of mobile subscribers in an efficient way while making competent use of the radio resources. To accomplish that, the large areas served by a cellular network are divided into smaller geographical regions, the well-known Location Areas (LA, identified by a LAC). Broadcast messages are then addressed within those smaller areas. By identifying the paging requests that carry the TMSIs of users, we can infer whether an individual resides in that area, provided we know the specific temporary ID. Moreover, the temporary ID is the only identifier observable in the broadcast messages of the paging procedure, so mapping the temporary ID to the telephone number of the user can be a difficult procedure.

According to the GSM specifications, and as a strict policy of mobile network operators, the IMSI must be sent as rarely as possible, to avoid it being located and tracked. However, by reviewing the above, and as observed during our experiments and attacks, there are multiple occasions on which the network authenticates its users by the IMSI.

Across the history of the GSM standard there have been many attacks on the protocol. In 1998, reverse engineering techniques were applied to break the implementation of the 3GPP subscriber authentication algorithms [3]. Since then, numerous attacks on the different versions of the encryption algorithms have been reported in [13], [14] and [15].


In this section, we
describe our scenario, the tools needed to perform the attack and we detail the
implementation of the attack.

VI.1 Tools

We now briefly
describe the set of tools used to perform the attack:

Kali Linux OS (2017.3):

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël Hertzog are the core developers.


Wireshark:

Wireshark is a network analysis tool, previously known as Ethereal. It captures packets in real time and displays them in a human-readable format. Basically, it is a network packet analyzer that provides the finest details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved by this tool can be viewed through a GUI or in TTY mode with the TShark utility.

Airprobe:

Airprobe is a GSM air interface analysis tool [16].

Kalibrate (kal):

Kalibrate is an open-source software project used to scan the GSM frequencies of the base stations in the vicinity; it is also capable of determining the local oscillator frequency offset [17].

GNU Radio:

GNU Radio is an open-source toolkit that offers real-time signal processing as well as the possibility to implement different radio technologies.

RTL-SDR Dongle:

The RTL-SDR is a piece of commodity hardware that turned out to work as a wideband software defined radio (SDR) scanner. It is based on a DVB-T TV tuner dongle. The RTL-SDR is a very broadband (60 MHz to 1700 MHz) product and has a large range of applications. It can be used as a telecommunication "antenna" for TV


VI.2 Implementation

Beginning with the RTL-SDR, we have to install the Kalibrate utility. Kalibrate is a useful tool that enables us to identify the available principal GSM channels in our area. Kalibrate-RTL, or kal, is a Linux program used to scan for GSM BTSs in a given frequency band.
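What kal reports are ARFCNs (channel numbers), and the mapping between an ARFCN and an actual carrier frequency depends on the band being scanned. The block below is an added example, not code from the paper or from the Kalibrate project: it implements the ARFCN-to-frequency mapping from 3GPP TS 45.005 for the GSM900 (including the E-GSM extension), DCS1800 and PCS1900 bands, the inverse mapping, and a parser for scan output in the shape kal prints. SAMPLE_SCAN is a constructed illustration of that shape, not a real scan; the function names are this example's own.

```python
"""ARFCN <-> frequency mapping and a parser for kal-style scan output.

Added example (not from the paper or Kalibrate). Frequencies are kept in
integer kHz to avoid floating-point drift on the 200 kHz channel raster.
"""
import re

# band -> (valid ARFCN ranges, uplink base kHz, ARFCN offset, duplex spacing kHz)
BANDS = {
    "GSM900": (((0, 124), (975, 1023)), 890_000, 0, 45_000),  # E-GSM: 0-124 and 975-1023
    "DCS1800": (((512, 885),), 1_710_200, 512, 95_000),
    "PCS1900": (((512, 810),), 1_850_200, 512, 80_000),
}
CHANNEL_RASTER_KHZ = 200


def arfcn_to_khz(arfcn, band):
    """Return (uplink_kHz, downlink_kHz) for an ARFCN in the named band.

    The band is mandatory: ARFCN 512 is 1805.2 MHz downlink in DCS1800 but
    1930.2 MHz in PCS1900, which is why kal itself takes a band argument (-s).
    """
    ranges, base, offset, duplex = BANDS[band]
    if not any(lo <= arfcn <= hi for lo, hi in ranges):
        raise ValueError(f"ARFCN {arfcn} is not valid in {band}")
    # E-GSM extension channels 975-1023 lie below channel 0, counted down from 1024.
    n = arfcn - 1024 if (band == "GSM900" and arfcn >= 975) else arfcn - offset
    uplink = base + CHANNEL_RASTER_KHZ * n
    return uplink, uplink + duplex


def downlink_khz_to_arfcn(downlink_khz, band):
    """Inverse mapping: a measured downlink (BCCH carrier) frequency back to its ARFCN."""
    ranges, base, offset, duplex = BANDS[band]
    n, rem = divmod(downlink_khz - duplex - base, CHANNEL_RASTER_KHZ)
    if rem:
        raise ValueError(f"{downlink_khz} kHz is not on the 200 kHz raster")
    arfcn = n + 1024 if (band == "GSM900" and n < 0) else n + offset
    if not any(lo <= arfcn <= hi for lo, hi in ranges):
        raise ValueError(f"{downlink_khz} kHz is outside {band}")
    return arfcn


# Matches lines of the form "chan: 17 (938.4MHz + 14.253kHz) power: 1184.27".
SCAN_LINE = re.compile(
    r"chan:\s+(?P<arfcn>\d+)\s+\((?P<mhz>[\d.]+)MHz\s+(?P<sign>[+-])\s+"
    r"(?P<off>[\d.]+)kHz\)\s+power:\s+(?P<power>[\d.]+)"
)


def parse_scan(text, band):
    """Parse kal-style 'chan:' lines into dicts, strongest BTS first.

    Each entry is cross-checked: the frequency printed must equal the nominal
    downlink for that ARFCN in the chosen band; otherwise band_ok is False,
    which usually means the scan was run with the wrong -s band.
    """
    found = []
    for m in SCAN_LINE.finditer(text):
        arfcn = int(m["arfcn"])
        measured_khz = round(float(m["mhz"]) * 1000)
        _, nominal_khz = arfcn_to_khz(arfcn, band)
        found.append({
            "arfcn": arfcn,
            "downlink_khz": nominal_khz,
            "offset_khz": float(m["off"]) * (1 if m["sign"] == "+" else -1),
            "power": float(m["power"]),
            "band_ok": measured_khz == nominal_khz,
        })
    return sorted(found, key=lambda e: e["power"], reverse=True)


# Constructed sample in the shape of `kal -s GSM900` output (not a real scan).
SAMPLE_SCAN = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan:   17 (938.4MHz + 14.253kHz)\tpower: 1184.27
\tchan:  975 (925.2MHz - 2.108kHz)\tpower: 6321.80
\tchan:   63 (947.6MHz + 0.512kHz)\tpower: 402.11
"""

if __name__ == "__main__":
    for entry in parse_scan(SAMPLE_SCAN, "GSM900"):
        print(entry)
```

The per-channel offset kal prints is the deviation of the dongle's local oscillator from the carrier; feeding the strongest entry back into a second kal run is what yields the ppm correction, and the `band_ok` flag guards against the common mistake of scanning 1800 MHz channels with the wrong band name.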

System Information

We start our analysis from System Information messages. Generally, this type of message contains the information the MS needs in order to communicate with the network. As we can see, there are different types of such messages, each carrying different pieces of information.

Type 1: Channel type = BCCH. Contains a list of ARFCNs (Absolute Radio Frequency Channel Numbers) of the cell and RACH control parameters.

Type 2: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) and the BCCH frequency list.

Type 3: Channel type = BCCH. Contains the cell identity (cell ID) decoded, the Location Area Identity (LAI, which comprises the Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area Code (LAC)) and some GPRS information.

Type 4: Channel type = BCCH. Contains the LAI (MCC+MNC+LAC) decoded, cell selection parameters and RACH control parameters, plus some GPRS information.

Type 2ter: Channel type = BCCH. Contains the neighbor cell description (list of ARFCNs of the cell) with the extended BCCH frequency list.

Type 2quater: Channel type = BCCH. A 3G message with information that we do not take into account in this study; contains the 3G neighbor cell description.

Type 13: Channel type = BCCH. Contains all the important GPRS information, such as GPRS cell options and GPRS power control parameters.

Paging Request

Type 1: Channel type = CCCH. Contains Mobile Identity 1 (IMSI) and optionally Mobile Identity 2; Page Mode = normal paging (0); Channel Needed.

Type 2: Channel type = CCCH. Contains Mobile Identity 1 and 2 (TMSI/P-TMSI) and Mobile Identity 3 (TMSI/P-TMSI or IMSI); Page Mode = normal paging (0); Channel Needed.

Type 3: Channel type = CCCH. Contains Mobile Identity 1, 2, 3 and 4 (TMSI/P-TMSI, not decoded); Page Mode = normal paging (0); Channel Needed.


Assignment Message

Channel type = CCCH. Contains the Timing Advance value, the Packet Channel Description (time slot) and Page Mode = extended paging (1).

The IMSI represents the unique identity of the phone's subscriber, including the country of origin and the mobile network the subscriber belongs to. It identifies the user of a cellular network, and every cellular network has its own unique identification. All GSM networks use the IMSI as the primary identity of a subscriber or user. The number that represents the IMSI can be up to 15 digits long. The first three digits are the mobile country code (MCC), followed by the mobile network code (MNC). The IMSI is also stored on the SIM card. IMSIs are normally used by the network operator to examine subscribers and to decide whether to allow a subscriber to use another operator's network. By tracking your IMSI, an authority can actually track not only the location of your phone but also whom you are calling, at what time and from where the call is made.

Each location area of a public land mobile network (PLMN) has its own unique identifier, known as its location area identity (LAI). This internationally unique identifier is used for location updating of mobile subscribers. It is composed of a three-decimal-digit mobile country code (MCC), a two- to three-digit mobile network code (MNC) that identifies a Subscriber Module Public Land Mobile Network (SM PLMN) in that country, and a location area code (LAC), which is a 16-bit number, thereby allowing 65536 location areas within one GSM PLMN.

The LAI is broadcast regularly on the broadcast control channel (BCCH). A mobile station (e.g. a cell phone) recognizes the LAI and stores it in the subscriber identity module (SIM). If the mobile station is moving and notices a change of LAI, it issues a location update request, thereby informing the mobile provider of its new LAI. This allows the provider to locate the mobile station in case of an incoming call. So we can say that this information is very sensitive to the privacy and security of mobile phone users.
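To make the identity fields discussed in the Paging Request list and in the IMSI and LAI paragraphs above concrete, the block below is an added example, not code from the paper, Wireshark or Airprobe. It decodes the Mobile Identity information element (the field carried in paging requests) and the five-octet LAI exactly as 3GPP TS 24.008 §10.5.1.4 and §10.5.1.3 lay them out, distinguishing a TMSI page from an IMSI page, and then runs a small audit that reports what share of observed pages carried the permanent identity, which is the behaviour the paper says should be rare. The byte strings are constructed from the encoding rules (the IMSI uses the test PLMN MCC 001 / MNC 01), not captured frames, and the function names are this example's own.

```python
"""Decoder for the GSM Mobile Identity and LAI information elements, with a paging audit.

Added example (not from the paper). Sample IEs are constructed, not captured.
"""
from collections import Counter

IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie):
    """Decode the value part of a Mobile Identity IE (TS 24.008 §10.5.1.4).

    `ie` is the content after the length octet. Returns (type, value): a digit
    string for IMSI/IMEI/IMEISV, an upper-case hex string for a TMSI/P-TMSI.
    """
    if not ie:
        raise ValueError("empty Mobile Identity")
    id_type = IDENTITY_TYPES.get(ie[0] & 0x07)  # bits 1-3: type of identity
    if id_type is None:
        raise ValueError(f"unknown identity type {ie[0] & 0x07}")
    odd = bool(ie[0] & 0x08)  # bit 4: odd number of digits
    if id_type == "TMSI":
        # High nibble of octet 3 is filler 1111, even indicator is 0, then 4 octets.
        if odd or (ie[0] >> 4) != 0xF or len(ie) != 5:
            raise ValueError("malformed TMSI identity")
        return id_type, ie[1:5].hex().upper()
    if id_type == "none":
        return id_type, ""
    digits = [ie[0] >> 4]  # digit 1 sits in the high nibble of octet 3
    for b in ie[1:]:
        digits.append(b & 0x0F)  # digit p   = low nibble
        digits.append(b >> 4)  # digit p+1 = high nibble
    if not odd:
        if digits[-1] != 0xF:
            raise ValueError("even-length identity must end in filler 1111")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return id_type, "".join(str(d) for d in digits)


def decode_lai(lai):
    """Decode a 5-octet Location Area Identification (TS 24.008 §10.5.1.3)."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 octets")
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc3 = lai[1] >> 4  # 1111 here means a two-digit MNC
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    lac = int.from_bytes(lai[3:5], "big")  # 16-bit LAC, hence 65536 areas per PLMN
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def paging_identity_audit(identities):
    """Count identity types seen in paging requests and the share that expose the IMSI.

    `identities` are Mobile Identity IE value parts taken from Paging Request
    messages. A network following the 'send the IMSI as rarely as possible'
    rule should show a low imsi_share.
    """
    counts = Counter(decode_mobile_identity(ie)[0] for ie in identities)
    total = sum(counts.values())
    return {"counts": dict(counts), "imsi_share": counts["IMSI"] / total if total else 0.0}


# Constructed sample IEs (not captured): one IMSI page, three TMSI pages.
SAMPLE_PAGING_IDS = [
    bytes.fromhex("0910101032547698"),  # IMSI 001010123456789 (test PLMN)
    bytes.fromhex("f412345678"),  # TMSI 0x12345678
    bytes.fromhex("f4deadbeef"),
    bytes.fromhex("f400000001"),
]
SAMPLE_LAI = bytes.fromhex("00f1100001")  # MCC 001, MNC 01, LAC 1

if __name__ == "__main__":
    for ie in SAMPLE_PAGING_IDS:
        print(decode_mobile_identity(ie))
    print(decode_lai(SAMPLE_LAI))
    print(paging_identity_audit(SAMPLE_PAGING_IDS))
```

The nibble order is the part that trips up hand-written decoders: within each octet the lower-numbered digit is in the low nibble, and for an even digit count the final high nibble is filler rather than a digit, which is why the odd/even bit has to be honoured rather than inferred from the length.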



In this paper we presented an effective attack that exploits chronic and fundamental vulnerabilities in the GSM cellular technology. This attack could also have a serious impact on the latest cellular technologies in use, such as UMTS and LTE. We learned about the newly available commodity hardware, the RTL-SDR. The RTL-SDR can also be characterized as an IMSI catcher, and when combined with some hardware and software it can form a mechanism for tracking mobile users. It is obvious that an individual equipped with such cheap commodity hardware could compromise GSM subscribers' privacy and perform serious attacks. Systems with broadcast paging protocols can therefore leak location information, and the leaks can be observed with the available, low-cost commodity hardware presented in this paper. All of this comes down to exploiting the proven vulnerabilities in the GSM network related to the exposure of users' personal identities over the radio link. This research has shown that, with certain tools, a system can be created to audit GSM. It is proven that the current protocols used in radio and wireless systems may not be as robust and secure as originally thought.