10/ 18/ 12 RRLP – M obile ( in) secur it y

1/ 2secur it y. osm ocom . or g/ t r ac/ wiki/ RRLP

Osmocom{BB|OpenBSC|DECT|TETRA|SIMTRACE|SECURITY|GMR|SDR|OP25|planet|lists}

RRLP

RRLP is the Radio Resource LCS (Location Service) Protocol as specifiedfirst in GSM TS 04.31

It allows the GSM network operator to obtain very precise locationinformation about a mobile phone, much more precise than is required fornormal operation of the cellular network.

The use of RRLP has been specified for emergency calls. However, nothing in its specificationrestricts its use to this application.

In all known phones, RRLP operation is completely invisible to the user of the phone.

As GSM networks do not need to authenticate themselves, anyone can run a false BTS attackand successively obtain precise position information on a given mobile phone.

The popular Free Software implementations of the GSM network OpenBSC and OpenBTS bothsupport RRLP inquiries to mobile phones

Contrary to the user-plane based SUPL?, RRLP works entirely in the signaling plane of thenetwork. As such, the RRLP protocol level is not accessible to user applications on a phone. For adiscussion of RRLP, SUPL and the various different location measurement methods for mobilephones, please check this excellent article: http://www.gpsworld.com/gps/wireless-choices-lbs-control-plane-and-user-plane-architectures-1576

RRLP Modes

RRLP operates in different modes.

MS-based GPS

In this method, the phone operates a stand-alone GPS receiver like it can be found in personalnavigation devices.

The GPS receiver will do the regular GPS receive process, i.e.

iterate over the list of 64 possible scrambling codes and acquire the C/A signaldecode the actual data signal modulated onto the C/A carriermeasure the timing difference of arrival (TDOA) of the various satellite signalscompute a location estimate (GPS coordinates) based on the measurements

This complete GPS position fix is then communicated to the SMLC inside the GSM core network.

Assistance Data

Most RRLP capable phones will request GPS assistance data from the network.

The operation of the GPS receiver is similar to the regular MS-based GPS aporach describedabove, however the GPS receiver is now an A-GPS receiver that already knows thealmanac/ephemeris data and can thus much more quickly acquire the signal.

osmocom-lcs.git contains a program that obtains the ephemeris data from an u-blox GPS receiverand structures/encodes it in the format needed by RRLP

MS-assisted GPS

RRLPRRLP Modes

MS-based GPSAssistance Data

MS-assisted GPSE-OTD

10/ 18/ 12 RRLP – M obile ( in) secur it y

2/ 2secur it y. osm ocom . or g/ t r ac/ wiki/ RRLP

In MS-assisted GPS, the MS does not compute the actual location. Instead, the location/positionof the phone is computed in the SMLC (part of the GSM core network).

The SMLC provides detailed information about the current GPS signal to the phone, such as:

which satellites are currently in the visible part of the hemisphere (and implicitly theirscrambling code)the expected doppler shift observed at the MS location, caused by satellite movementrelative to MSthe expected code phase, i.e. the difference between a specified GSM bit and the GPSsignal chip / bitthe azimuth and elevation of the satellite

Based on this information, the phone does not have to do a full search/acquisition like a stand-alone GPS receiver.

Instead, it can do a very narrow search for each satellite in question, as it already knows

at which doppler shift / range to expect the signalwhich pseudo-random scrambling sequence to usea very narrow position within the scrambling sequence

This significantly reduces the need for cross-correlation inside the phone.

E-OTD

FIXME