8/13/2019 Schneider-2011!03!15 GSM Overview

1/34

8/13/2019 Schneider-2011!03!15 GSM Overview

2/34

!'()(!! GSM Research 2

Overview

!( GSM *nfrastructure

2( Analysis of GSM

)( +ur o,n GSM net,or%

-( Security

-(! .ocali&ation

-(2 *MS*/Catcher

-() 0ncryption A'1!

8/13/2019 Schneider-2011!03!15 GSM Overview

3/34

!'()(!! GSM Research )

1. GSM Infrastructure

GSM is a cellular net,or%

.argest mobile net,or% ,orld ,ide

Subscriber vie,

/ Mobile Station3 Cell phone

3 S*M card

/ 4ase Station 5ransceiver 645S7

3 8rovides access to the net,or%over the air interface

3 Different fre9uency bands

GSM :'# 0GSM ;# DCS !:# 8CS !;

8/13/2019 Schneider-2011!03!15 GSM Overview

4/34

!'()(!! GSM Research -

1. GSM Infrastructure

+perator 1

8/13/2019 Schneider-2011!03!15 GSM Overview

5/34

!'()(!! GSM Research '

Overview

!( GSM *nfrastructure

2( Analysis of GSM

)( +ur o,n GSM net,or%

-( Security

-(! .ocali&ation

-(2 *MS*/Catcher

-() 0ncryption A'1!

8/13/2019 Schneider-2011!03!15 GSM Overview

6/34

!'()(!! GSM Research =

2. GSM Analysis

Analysis from the subscriber point of vie,/ 2?

3 Fle@ible soft,are radio

3 GSM signals can be captured(3 Data processing is done ,ith

airprobe(>)?

Nokia 3310

Universal Software Radio Peripheral (USRP)

[1] Gamm! http!""wamm#e"$amm"[%] USRP from &tts Resear'h! http!""www#etts#'om

[3] airproe! https!""svn#erlin#'''#de"proe'ts"airproe"

http://wammu.eu/gammu/http://www.ettus.com/https://svn.berlin.ccc.de/projects/airprobe/https://svn.berlin.ccc.de/projects/airprobe/http://www.ettus.com/http://wammu.eu/gammu/

8/13/2019 Schneider-2011!03!15 GSM Overview

7/34!'()(!! GSM Research

2. GSM Analysis

8/13/2019 Schneider-2011!03!15 GSM Overview

8/34!'()(!! GSM Research :

2. GSM Analysis

Analysis from the provider point of vie,/ Access to a real/,orld GSM net,or% is hard to get(

/ 5herefore ,e have set up our o,n GSM net,or%

called RB/GSM(

/ Research net,or% for3 8laying ,ith the GSM topic in a meaningful ,ay

3 Statistics about user behavior ,ithin the net,or%

3 8ositioning of Mobile Station

3 GSM encryption A'1!

3 "hat information can1,ill be gathered by the

providerE

3 o, to protect the user in a GSM net,or%E

8/13/2019 Schneider-2011!03!15 GSM Overview

9/34!'()(!! GSM Research ;

Overview

!( GSM *nfrastructure

2( Analysis of GSM

)( +ur o,n GSM net,or%

-( Security

-(! .ocali&ation

-(2 *MS*/Catcher

-() 0ncryption A'1!

8/13/2019 Schneider-2011!03!15 GSM Overview

10/34!'()(!! GSM Research !

3. Our own GSM network

GSM net,or% RB/GSM/ Soft,are

3 +pen4SC>!?

+pen/Source soft,are implementation of a GSM

4ase Station Controller3 .CR>2?

3 Asteris%>)?

oice communication server for routing the calls

/ ard,are3 ip(access

8/13/2019 Schneider-2011!03!15 GSM Overview

11/34!'()(!! GSM Research !!

3. Our own GSM network

GSM net,or% RB/GSM

Some facts

) 45S

! 4SCMSC HI Asteris%

Databases HI SJ.

Connection to

/ S*8

/ *SD!?

[1] /smo'om--! http!""#osmo'om#or$" ,otorola 1%3

http://bb.osmocom.org/http://bb.osmocom.org/

8/13/2019 Schneider-2011!03!15 GSM Overview

33/34

!'()(!! GSM Research ))

4.3 Encry"tion A)*1

Rainbo, 5ables/ Si&e !( 54

/ Calculated ,ith A5* graphic cards(

/ Available on the *nternet via bittorrent(

Attac% is based on %no,n plainte@t

/ Some signaling messages are %no,n both

unencrypted and encrypted(

/Session %ey $

ccan be calculated in seconds(

/ 8rivate %ey $ican not be calculated ,ith this

attac%( 4ut this is not necessary to decode the

encrypted data(

8/13/2019 Schneider-2011!03!15 GSM Overview

34/34

4.3 Encry"tion A)*1

GSM encryption is no longer secure BUT:More and more devices are using GSM

to transmit data(

/ Mobile 5A< for online ban%ing

5A< transmitted via SMS

/ ending machines

*nformation about the fill level

/ Rail,ay GSM

*nformation about the status of the train

/ Smart meter

*nformation about the electricity consumption

*s this really a good ideaE