Since GSM is a wireless communication network and there is a need to keep track of all subscribers and equipment, GSM specifies user, equipment and location identifiers. These addresses serve the purposes of mobility management and addressing of network elements [7]. The most important of these identifiers are the International Mobile Subscriber Identity (IMSI), the Temporary Mobile Subscriber Identity (TMSI), the Mobile Subscriber ISDN Number (MSISDN), the International Mobile Equipment Identity (IMEI), the Location Area Identifier (LAI) and the Base Station Identity Code (BSIC).

In GSM terminology there is a stark distinction between a physical channel and a logical channel. Physical channels are defined in terms of frequency and time: the actual frequencies (ARFCNs) and timeslots used by the MS or BTS for communication. Logical channels, on the other hand, are mapped onto these physical channels. At any particular instant a frequency/timeslot used by a GSM PLMN may be either a traffic channel or one of the control channels, depending on the channel configuration used by that network. Put differently, a logical channel defines the function and operation of a physical channel at a particular point in time [8].

The logical channels in GSM are broadly categorized into two types: Common Channels (CCH) and Dedicated Channels (DCH). As illustrated by Fig. 5, the CCH consist of Broadcast Channels (BCH) and Common Control Channels (CCCH), whereas the DCH are divided into Dedicated Control Channels (DCCH) and Traffic Channels (TCH).

Fig. 5. GSM Logical Channel hierarchy

... specific system parameters such as the location area and network codes, the frequency hopping sequence (if used), neighboring cell information, channel configuration and required power level. The FCCH -> SCH -> BCCH cycle is used by the MS to identify its home network: the MS first locks onto the FCCH tone, then reads the SCH for frame synchronization and the BSIC, and only then can it decode the BCCH system information.

The CCCH are generally used to carry the signaling information necessary for the execution of management functions [8]. They are divided into three subtypes: the Paging Channel (PCH), used on the downlink to page an MS about incoming traffic, which might be voice or data; the Random Access Channel (RACH), the only uplink CCCH, used by the MS to initiate a request to the network (e.g., to make a call or send an SMS) or to answer a page; and the Access Grant Channel (AGCH), used after the MS has sent a request on the RACH, or responded to paging on the PCH, to allocate a dedicated logical channel to the MS, so that the common channels are not overwhelmed by the signaling that follows between the MS and the BTS.

The DCCH are used alongside the traffic channels for power control, timing advance, signaling and other call-related information exchange. Three subtypes constitute the DCCH: the Standalone Dedicated Control Channel (SDCCH), a two-way signaling channel used for the exchange of messages associated with call establishment, authentication, ciphering parameter exchange, location updating, SMS and other management functions; the Slow Associated Control Channel (SACCH), associated with an SDCCH or a traffic channel and used by the BTS to inform the MS of neighboring cell frequencies, time alignment and power control, or by the MS to report the received signal strength to the BTS; and the Fast Associated Control Channel (FACCH), which is always associated with a traffic channel and is used to transmit urgent signaling messages (a handover command, for instance) by 'stealing' time-slots from the speech [6].
... redundancy bits. This is known as channel coding and employs different algorithms for signaling and data channels.

For speech signals, the 260 bits of a frame are divided into three classes: Class Ia, Class Ib and Class II bits. This trifurcation is done according to the function and importance of the bits [9]. 50 bits are assigned to Class Ia, the most important class. Class Ib and Class II are assigned 132 and 78 bits, respectively. Three parity bits are computed over the Class Ia bits and prepended to the Class Ib bits, raising the number of bits in Class Ib to 135. Class Ia and Class Ib are then concatenated, making the total number of Class I bits 185. Four additional bits (all 0s) are then appended to Class I, as required to flush the convolutional encoder, and hence the total rises to 189. The rate-1/2 encoder outputs two bits for every input bit, so the Class I bits double from 189 to 378. Finally, the 78 least significant bits, Class II, are appended to the Class I bits without protection, resulting in a speech block of 456 bits. The three parity bits only detect errors: a Class Ia parity failure after decoding marks the whole frame as bad, and the receiver discards it rather than play corrupted speech.

As for signaling information, which consists of 184 bits, a 40-bit Fire code is appended to the information block, followed by 4 tail bits (again all 0s), raising the number of bits to 228. The same convolutional code as for the speech bits is then applied to the 228 signaling bits, resulting in a signaling block of 456 bits.

The coding schemes of the speech and signaling channels are shown in Fig. 6.

Fig. 6. Channel Coding

... consecutive bursts, and the other four sub-blocks are mapped onto the odd-numbered bits of the next four consecutive bursts. This way each normal burst, which carries two 57-bit payloads, contains traffic from two separate 456-bit speech blocks, and each speech block is split into eight 57-bit sub-blocks spread over eight bursts. This adds robustness and error tolerance to GSM signals: a burst lost to fading removes only one eighth of each of the two blocks it carried, an amount the convolutional decoder can normally recover.

Fig. 7. Speech block interleaving [10]

Most signaling blocks used on logical channels have an identical interleaving scheme; the only difference is that they are spread across four bursts instead of eight [10].

Frequency hopping is also employed in GSM (optionally) to improve radio performance through frequency diversity against fading and interference. Slow frequency hopping (SFH) is essentially done by transmitting adjacent bursts on different frequencies at a hopping rate of about 216.7 hops per second, i.e., one hop per TDMA frame (4.615 ms). Frequency hopping in GSM can employ either the cyclic hopping algorithm, in which the next frequency is taken in order from a predefined list, or the random hopping algorithm, in which the frequencies follow a predefined pseudo-random pattern selected by the hopping sequence number (HSN). In hardware there are two methods available to implement frequency hopping: baseband hopping, in which N fixed-frequency transceivers are connected to N baseband processors through a switch or commutator, limiting the Cell Allocation (CA), the list of frequencies available for hopping, to N ARFCNs; and synthesizer hopping, in which each of the N baseband processors connects to a dedicated transceiver that retunes for every burst, allowing the CA to contain many more than N ARFCNs.
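The speech and signaling coding chain and the burst interleaving described above, as an added worked example in Python (not code from the paper). It follows the bit budgets the page gives (50/132/78 speech classes, 184-bit signaling block, 4 tail bits, rate-1/2 code, 8- and 4-burst interleaving) with the generator polynomials of 3GPP TS 05.03. One assumption is stated in the code: the classes are concatenated in the order the page describes, while the specification additionally reorders the speech bits before coding, which is left out here.

```python
"""GSM channel coding and burst interleaving, bit-budget edition.

Added example; not code from the paper. It follows the bit counts given on
the page (speech: 50 Class Ia + 132 Class Ib + 78 Class II; signaling: 184
bits) with the generator polynomials of 3GPP TS 05.03. Assumption: the
classes are concatenated in the order the page describes; the specification
additionally reorders the speech bits before coding, which is omitted here.
"""
from typing import List, Optional

Bits = List[int]

# Generator polynomials, MSB first.
CRC3_POLY: Bits = [1, 0, 1, 1]                                # x^3 + x + 1 (Class Ia parity)
FIRE_POLY: Bits = [1 if i in (40, 26, 23, 17, 3, 0) else 0    # (x^23 + 1)(x^17 + x^3 + 1)
                   for i in range(40, -1, -1)]


def poly_mod(bits: Bits, poly: Bits) -> Bits:
    """Remainder of the GF(2) polynomial `bits` (MSB first) modulo `poly`."""
    deg = len(poly) - 1
    reg = list(bits)
    for i in range(len(reg) - deg):
        if reg[i]:
            for j, p in enumerate(poly):
                reg[i + j] ^= p
    return reg[len(reg) - deg:]


def gsm_parity(data: Bits, poly: Bits) -> Bits:
    """Parity bits p such that (data * x^deg + p) mod poly is the all-ones
    polynomial, as TS 05.03 requires for both the speech CRC and the Fire
    code; this is the ordinary CRC remainder with every bit inverted."""
    deg = len(poly) - 1
    return [1 ^ b for b in poly_mod(data + [0] * deg, poly)]


def conv_encode_half_rate(u: Bits) -> Bits:
    """Rate-1/2, constraint-length-5 code: G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4.
    The four trailing zero bits supplied by the caller flush the encoder."""
    def bit(i: int) -> int:
        return u[i] if i >= 0 else 0
    out: Bits = []
    for k in range(len(u)):
        out.append(bit(k) ^ bit(k - 3) ^ bit(k - 4))
        out.append(bit(k) ^ bit(k - 1) ^ bit(k - 3) ^ bit(k - 4))
    return out


def encode_speech_block(d: Bits) -> Bits:
    """260 speech bits -> 456: (50 Ia + 3 parity + 132 Ib + 4 tail = 189) * 2 + 78 Class II."""
    assert len(d) == 260
    class_ia, class_ib, class_ii = d[:50], d[50:182], d[182:]
    class_i = class_ia + gsm_parity(class_ia, CRC3_POLY) + class_ib + [0, 0, 0, 0]
    assert len(class_i) == 189
    return conv_encode_half_rate(class_i) + class_ii   # 378 protected + 78 unprotected


def encode_signaling_block(info: Bits) -> Bits:
    """184 signaling bits -> 40 Fire parity bits -> 4 tail bits (228) -> 456 coded bits."""
    assert len(info) == 184
    u = info + gsm_parity(info, FIRE_POLY) + [0, 0, 0, 0]
    assert len(u) == 228
    return conv_encode_half_rate(u)


def interleave(blocks: List[Bits], depth: int = 8) -> List[List[Optional[int]]]:
    """Map consecutive 456-bit blocks onto 114-bit bursts (TS 05.03 formula).
    Bit k of block n goes to burst 4n + (k mod depth), position
    2*((49k) mod 57) + (k mod 8) div 4. With depth 8 (speech, FACCH) sub-blocks
    0-3 fill the even positions of four bursts and sub-blocks 4-7 the odd
    positions of the next four, so each burst mixes two blocks; with depth 4
    (SACCH, SDCCH, BCCH, CCCH) one block fills four whole bursts.
    None marks positions the given blocks do not fill."""
    assert depth in (4, 8)
    n_bursts = 4 * (len(blocks) - 1) + depth
    bursts: List[List[Optional[int]]] = [[None] * 114 for _ in range(n_bursts)]
    for n, block in enumerate(blocks):
        assert len(block) == 456
        for k, bit in enumerate(block):
            b = 4 * n + (k % depth)
            j = 2 * ((49 * k) % 57) + (k % 8) // 4
            assert bursts[b][j] is None, "two bits mapped to the same burst position"
            bursts[b][j] = bit
    return bursts


if __name__ == "__main__":
    speech = [(i * 7) % 3 & 1 for i in range(260)]
    coded = encode_speech_block(speech)
    print(len(coded), "coded speech bits;", sum(x is None for x in interleave([coded])[0]),
          "unfilled positions in the first burst")
```

Running the file shows the 456-bit block and that the first burst of an isolated speech block has its 57 odd positions empty: they belong to the previous block, which is why a capture has to start with a burst earlier than the block one wants to decode. The `(49k) mod 57` term also shows why a single lost burst is survivable: it scatters neighbouring bits of one block over positions far apart in the burst, so the convolutional decoder sees the loss as spread-out erasures rather than one long gap.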
Multiple versatile and inexpensive SDRs have emerged that bring the RF domain within the reach of an average security investigator. Some of these SDRs are:
(a) RTL2832U based SDRs
(b) FUNcube Dongle
(c) Universal Software Radio Peripheral (USRP)
(d) Modified Motorola Phones

Here, the beacon channels are differentiated from the traffic channels by widening the frequency span of the FFT display and using two facts: a beacon (BCCH) carrier is transmitted continuously, so it shows as a steady 200 kHz wide channel (Fig. 9), and it has a strong periodic peak about 68 kHz above the center frequency. That peak is the FCCH burst: its 148 all-zero bits are turned by the GMSK modulation into a pure tone at 1625/24 kHz (67.7 kHz) above the carrier, repeated five times per 51-multiframe. The peak can be easily identified using the 'Peak-Hold' function available in the WX FFT GUI.

Fig. 9. Expanded FFT of a single ARFCN
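The peak-hold identification of a beacon carrier described above, as an added example in plain Python (not the paper's GNU Radio flowgraph). It constructs baseband samples of one 200 kHz channel, noise with or without the FCCH tone, and then does what the Peak-Hold display does: keeps the per-bin maximum of successive FFTs and looks for a bin that stands clear of the floor near +67.7 kHz. Assumptions, also marked in the code: a 400 kS/s complex sample rate, a 1024-point FFT, the tone recurring every 10 TDMA frames, and the sample data being constructed rather than captured.

```python
"""Peak-hold detection of the FCCH tone in one GSM channel.

Added example; not code from the paper or from GNU Radio. The baseband below
is constructed (complex noise plus a tone), not a capture. Assumptions: 400 kS/s
complex sampling, 1024-point FFT, one FCCH burst at the start of every 10th
TDMA frame (close to the 0,10,20,30,40 pattern of the 51-multiframe).
"""
import cmath
import math
import random
from typing import List, Optional

FS_HZ = 400_000.0                   # assumed complex sample rate covering a 200 kHz channel
N_FFT = 1024                        # 390.6 Hz per bin at that rate
BIT_RATE = 1625e3 / 6               # 270.833 kbit/s (TS 05.02)
TDMA_FRAME_S = 120 / 26 / 1000      # 4.615 ms
FCCH_OFFSET_HZ = 1625e3 / 24        # 67.708 kHz: GMSK tone for a run of zero bits
FCCH_BURST_S = 148 / BIT_RATE       # the FCCH burst is 148 zero bits long


def fft(x: List[complex]) -> List[complex]:
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return x
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [even[k] + tw[k] for k in range(n // 2)] + [even[k] - tw[k] for k in range(n // 2)]


def constructed_channel(n_samples: int, with_fcch: bool, seed: int = 7) -> List[complex]:
    """Constructed baseband: unit-variance complex noise plus, optionally, the FCCH
    tone for one burst length at the start of every 10th TDMA frame."""
    rng = random.Random(seed)
    out: List[complex] = []
    for i in range(n_samples):
        t = i / FS_HZ
        v = complex(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0))
        if with_fcch and (t % (10 * TDMA_FRAME_S)) < FCCH_BURST_S:
            v += 4.0 * cmath.exp(2j * math.pi * FCCH_OFFSET_HZ * t)
        out.append(v)
    return out


def peak_hold(samples: List[complex]) -> List[float]:
    """Per-bin maximum of |FFT| over consecutive windows, like the GUI's Peak-Hold."""
    held = [0.0] * N_FFT
    for start in range(0, len(samples) - N_FFT + 1, N_FFT):
        for k, v in enumerate(fft(samples[start:start + N_FFT])):
            m = abs(v)
            if m > held[k]:
                held[k] = m
    return held


def bin_to_hz(k: int) -> float:
    """FFT bin index -> offset from the channel center in Hz (upper half is negative)."""
    return (k if k < N_FFT // 2 else k - N_FFT) * FS_HZ / N_FFT


def detect_fcch(samples: List[complex], min_ratio: float = 4.0) -> Optional[float]:
    """Offset (Hz) of the strongest held peak if it exceeds the median floor by
    `min_ratio` and lies within two bins of the FCCH offset, else None."""
    held = peak_hold(samples)
    k_peak = max(range(N_FFT), key=held.__getitem__)
    floor = sorted(held)[N_FFT // 2]            # median held magnitude = noise floor
    if held[k_peak] < min_ratio * floor:
        return None                             # nothing periodic stands out: no beacon
    offset = bin_to_hz(k_peak)
    if abs(offset - FCCH_OFFSET_HZ) > 2 * FS_HZ / N_FFT:
        return None                             # a peak, but not where FCCH puts it
    return offset


if __name__ == "__main__":
    n = int(0.1 * FS_HZ)                        # 100 ms: at least two FCCH bursts
    print("beacon-like channel:", detect_fcch(constructed_channel(n, True)))
    print("channel without FCCH:", detect_fcch(constructed_channel(n, False)))
```

The tone is short (about 0.55 ms) but coherent, so one burst inside a 2.56 ms window already lifts its bin an order of magnitude above the noise; peak-hold then keeps it visible between bursts. On a real capture the two-bin tolerance is the fragile part: an RTL2832U's crystal error of tens of ppm moves the whole spectrum by tens of kHz at 900 MHz, so either widen the tolerance or, as calibration tools do, use the measured FCCH position to correct the tuner offset first.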
... only continuous spectrum), hence the second approach seemed more appropriate to tackle frequency hopping in the current scenario.

Fig. 11. RR Immediate Assignment Message

Table II: PLMN Analysis
Fig. 13. CC Call Setup message

By using tshark instead of Wireshark, together with a string-matching algorithm in MATLAB, the captured data can also be stored in a text file in a fixed format. This can be used to provide a summary of the entire signaling taking place in a given cell. The tshark filters used for a few message types are listed in Table III.

Table III: tshark filters

Message            tshark filter
CC Call Setup      gsm_a.dtap_msg_cc_type == 0x05
Release            gsm_a.dtap_msg_cc_type == 0x2d
Release Complete   gsm_a.dtap_msg_cc_type == 0x2a

The values are the DTAP call-control message types of 3GPP TS 24.008 (SETUP, RELEASE, RELEASE COMPLETE). Wireshark has renamed some gsm_a fields between releases, so confirm the field name against the installed version with `tshark -G fields | grep msg_cc_type` before relying on these filters.

Using the frame number returned by the first filter in Table III as the frame in which the call is initiated, and the other two filters together to find the end-of-call frame (without the uplink, the call duration can only be calculated if both phones are connected to the same ARFCN on the same BTS), the total call duration can be calculated using the following equations:

This procedure was tested in the lab using two MSs on the same PLMN and ARFCN. This meant that the downlink signaling for both MSs was captured simultaneously, since they were using the same BTS for communication. MS1 was called from MS2 for one minute and the timing was calculated using the procedure described above. The calculation yielded a call duration of 59.316595 seconds, which confirmed that the procedure works. It was also determined that the associated TMSI remained the same even after the call, which is a definite security concern: TMSI reallocation is left to operator policy, and a TMSI that is never changed lets a passive observer link successive pages and calls to the same subscriber.

V. CONCLUSION

Finally, it can be stated that GSM communications have been demonstrated to be unsafe, and the task of GSM interception is no longer limited to government agencies. Today, an average hacker can purchase the required hardware for less than $3000 to capture raw GSM traffic or to perform an active attack. The knowledge of how GSM operates is, of course, openly available, and for a potential eavesdropper with significant knowledge of the GSM specifications, creating and debugging the software remains the only challenge. In this paper a few of the open-source tools are discussed along with the developed system for the extraction of useful information from captured downlink GSM bursts; awareness is thus raised by showing that GSM networks are unsafe, so that users, operators and equipment manufacturers can further enhance the security of GSM operations. The uplink, however, remains a challenge for passive capture owing to the difficulties arising from the lack of synchronization information. Only through uplink decoding can valuable information such as the IMSI-TMSI association, call durations and geo-location be made accessible for the creation of a complete GSM protocol analyzer and decoder.

REFERENCES

[1] International Telecommunication Union (ITU), "The World in 2011: ICT Facts and Figures," October 2011.
[2] I. Mansfield, "Worldwide Mobile Subscriptions Number More Than Five Billion," October 2010.
[5] J. Malsbury, Ettus LLC, "Application Note: Selecting an RF Daughterboard," http://www.ettus.com, October 2012.
[12] GNU Radio, http://gnuradio.org/
[13] R. Fitzsimons, "Find a GSM base station manually using a USRP," April 2007.
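The tshark-based call-duration procedure described in the section on Table III, as an added example in Python rather than the paper's MATLAB string matching (this is not the authors' code). It reads the tab-separated field output of tshark, pairs each downlink SETUP with the first RELEASE or RELEASE COMPLETE that follows it, and reports the duration both from capture timestamps and from the TDMA frame counter. Assumptions, also marked in the code: the capture carries GSMTAP headers so that `gsmtap.frame_nr` is available; the field name `gsm_a.dtap_msg_cc_type` matches the installed Wireshark; both phones sit on the same ARFCN, as in the lab test; and the sample lines are constructed, not a real capture.

```python
"""Call-duration estimation from downlink-only DTAP call-control messages.

Added example; not the paper's MATLAB code. It consumes the tab-separated
output of a command such as
  tshark -r downlink.pcap -Y "gsm_a.dtap_msg_cc_type" -T fields -E separator=/t \
         -e frame.number -e frame.time_relative -e gsmtap.frame_nr -e gsm_a.dtap_msg_cc_type
Assumptions: GSMTAP framing (so gsmtap.frame_nr exists), a field name that
matches the installed Wireshark (check: tshark -G fields | grep msg_cc_type),
and both phones on the same ARFCN. SAMPLE is constructed, not captured.
"""
from typing import Dict, List, Optional, Tuple

CC_SETUP, CC_RELEASE, CC_RELEASE_COMPLETE = 0x05, 0x2D, 0x2A   # TS 24.008 CC message types
TDMA_FRAME_S = 0.120 / 26        # 4.615 ms per TDMA frame
HYPERFRAME = 2715648             # the GSM frame number wraps after 26*51*2048 frames

# Constructed sample: one mobile-terminated call seen on the downlink.
SAMPLE = (
    "1023\t4.713045\t1820441\t0x05\n"    # SETUP
    "1031\t4.750000\t1820449\t0x01\n"    # ALERTING, ignored
    "2310\t10.650211\t1821730\t0x07\n"   # CONNECT, ignored
    "14873\t64.029968\t1833293\t0x2d\n"  # RELEASE, 12852 frames after SETUP
    "14880\t64.062276\t1833300\t0x2a\n"  # RELEASE COMPLETE, call already closed
)

Row = Tuple[int, float, int, int]


def parse_tshark_fields(text: str) -> List[Row]:
    """One (frame.number, frame.time_relative, gsmtap.frame_nr, cc type) per line."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, t_rel, fn, mtype = line.split("\t")
        rows.append((int(frame), float(t_rel), int(fn), int(mtype, 16)))
    return rows


def frame_delta(start_fn: int, end_fn: int) -> int:
    """Elapsed TDMA frames, tolerating one wrap of the 2715648-frame hyperframe."""
    return (end_fn - start_fn) % HYPERFRAME


def call_durations(rows: List[Row]) -> List[Dict[str, Optional[float]]]:
    """Pair each SETUP with the first RELEASE or RELEASE COMPLETE after it.
    A SETUP that is never released in the capture is reported with end_frame None."""
    calls: List[Dict[str, Optional[float]]] = []
    open_call: Optional[Dict[str, Optional[float]]] = None
    for frame, t_rel, fn, mtype in rows:
        if mtype == CC_SETUP:
            if open_call is not None:          # previous call left dangling
                calls.append(open_call)
            open_call = {"setup_frame": frame, "setup_fn": fn, "setup_time": t_rel,
                         "end_frame": None, "duration_capture_s": None,
                         "duration_tdma_s": None}
        elif mtype in (CC_RELEASE, CC_RELEASE_COMPLETE) and open_call is not None:
            open_call["end_frame"] = frame
            open_call["duration_capture_s"] = round(t_rel - float(open_call["setup_time"]), 6)
            open_call["duration_tdma_s"] = round(
                frame_delta(int(open_call["setup_fn"]), fn) * TDMA_FRAME_S, 6)
            calls.append(open_call)
            open_call = None
    if open_call is not None:
        calls.append(open_call)
    return calls


if __name__ == "__main__":
    for call in call_durations(parse_tshark_fields(SAMPLE)):
        print(call)
```

Two limits follow from capturing only the downlink, and both are visible in the code. First, only mobile-terminated calls start with a downlink SETUP; for a mobile-originated call the SETUP travels uplink and only CALL PROCEEDING, ALERTING and CONNECT are seen, so the pairing would have to start from one of those. Second, pairing by order is only safe while one call at a time is open in the cell; with overlapping calls, match on the dedicated channel assigned in the Immediate Assignment (Fig. 11) or on the TMSI from the paging instead.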