summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTom2012-06-05 20:44:14 +0200
committerTom2012-06-05 20:44:14 +0200
commitdd4d4ba73c93d22e9639855586824282c4ea5163 (patch)
treebf06cc594073cc1aba12ad22122b804cedf14a0c
parentfinished suggestions on chapter 4 (diff)
downloadimsi-catcher-detection-dd4d4ba73c93d22e9639855586824282c4ea5163.tar.gz
imsi-catcher-detection-dd4d4ba73c93d22e9639855586824282c4ea5163.tar.xz
imsi-catcher-detection-dd4d4ba73c93d22e9639855586824282c4ea5163.zip
second round of improvements up to chapter 4
-rw-r--r--Tex/Content/Declaration.tex3
-rw-r--r--Tex/Content/Detection.tex240
-rw-r--r--Tex/Content/Evaluation.tex21
-rw-r--r--Tex/Content/GSM_short.tex231
-rw-r--r--Tex/Content/Motivation.tex38
-rw-r--r--Tex/Master/Glossary.tex4
-rw-r--r--Tex/Master/Master.acn582
-rw-r--r--Tex/Master/Master.aux323
-rw-r--r--Tex/Master/Master.bbl5
-rw-r--r--Tex/Master/Master.blg61
-rw-r--r--Tex/Master/Master.ist2
-rw-r--r--Tex/Master/Master.lof48
-rw-r--r--Tex/Master/Master.log204
-rw-r--r--Tex/Master/Master.lot28
-rw-r--r--Tex/Master/Master.pdfbin18950381 -> 18951256 bytes
-rw-r--r--Tex/Master/Master.synctex.gzbin733547 -> 740100 bytes
-rw-r--r--Tex/Master/Master.toc88
-rw-r--r--Tex/Master/Titlepage.tex3
18 files changed, 948 insertions, 933 deletions
diff --git a/Tex/Content/Declaration.tex b/Tex/Content/Declaration.tex
index c95c17e..bd11a20 100644
--- a/Tex/Content/Declaration.tex
+++ b/Tex/Content/Declaration.tex
@@ -1,6 +1,7 @@
\noindent{\huge \textbf{Declaration}}\\\\\\
I hereby declare that this thesis has been composed by me without any assistance and I have not used any sources or tools other than those cited.
-Furthermore I declare that this thesis has not been accepted in any other previous application for a degree.
+Furthermore, I declare that I have acknowledged the work of others by providing detailed references.
+I also declare that this thesis or parts of it have not been accepted in any other previous application for a degree, project or examination.
\vfill
\rule{5cm}{.5pt}\\
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index 7367322..ca20bff 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -1,25 +1,25 @@
\chapter{IMSI Catcher Detection System}
-This chapter will give an overview of the \gls{icds} and the technologies and techniques used.
+This chapter will give outline the \gls{icds} and the technologies and techniques used.
The first part summarises the frameworks and hardware upon which the system has been developed.
From this point on the second part explains how this framework can be used to harvest information and describes the process that is used by the \gls{icds} to evaluate this information.
The last part shows how to configure and use the system to gather information from the surroundings and unveil IMSI catchers.
\section{Framework and Hardware}
The following section will give an overview of the OsmocomBB framework and how it works in conjunction with the Motorola C123 mobile phone to enable information harvesting for the \gls{icds}.
-OsmocomBB is one of many \gls{osmo} projects\footnote{Osmocom, \url{http://osmocom.org/} [Online; Accessed 04.2012]}. It delivers an Open Source implementation for the base band chip for certain mobile phones.
+OsmocomBB is one of many \gls{osmo} projects\footnote{Osmocom, \url{http://osmocom.org/} [Online; Accessed 04.2012]}. It delivers an open source implementation for the base band chip for certain mobile phones.
Another \gls{osmo} project is OpenBTS which delivers software for configuring and operating a \gls{bts}.
-OpenBTS was used to realise the Open Source IMSI Catcher \cite{dennis} and the base station that will be used later to evaluate the performance of the \gls{icds}.
+OpenBTS was used to realise the open source IMSI Catcher \cite{dennis} and the base station that will be used later to evaluate the performance of the \gls{icds}.
\subsection{OsmocomBB}
-OscmocomBB implements the baseband part of \gls{gsm} as an Open Source project.
-Baseband part in this case means that it is an Open Source software to control the baseband chip inside the mobile phone.
+OscmocomBB implements the baseband part of \gls{gsm} as an open source project.
+Baseband part in this case means that it is an open source software to control the baseband chip inside the mobile phone.
The baseband chip is the processor that manages the radio functionality of a mobile device.
-The goal is to have, by using compatible hardware, a phone using free software only as opposed proprietary baseband implementations.
+The goal is to have a phone, when using compatible hardware, operating on open source software only as opposed to proprietary baseband implementations.
Therefore the project scope is implementing \gls{gsm} Layer 1--3 as well as hardware drivers for the baseband chipset.
A simple user interface on the phone is planned but not yet implemented.
At this stage a verbose user interface on the computer is used.
-The implementation being Open Source could be beneficial to multiple areas \cite{osmo_rationale}:
+The implementation being open source is beneficial to multiple areas \cite{osmo_rationale}:
\begin{itemize}
\item \textbf{Security:} The software running on the baseband chips is highly proprietary and closed.
The source is often disclosed only to the mobile phone manufacturers using the specific chipset.
@@ -28,16 +28,16 @@ The implementation being Open Source could be beneficial to multiple areas \cite
An open source implementation as a reference could serve to educate more developers generally interested in the subject of mobile communications and thus improve products and software.
Additionally this implementation enables universities to hold practical lab courses and interested individuals to do hands-on experiments.
\item \textbf{Research:} A free implementation can decouple research on \gls{gsm} technologies from the industry since key technologies are no longer only available to researchers employed by a specific company.
- Additionally this way security holes can be uncovered more easily.
+ Additionally this way security holes can be uncovered and fixed more easily.
Modifications to the protocol stack can be deployed and tested in a real environment.
- It is also possible to redirect all received and sent packages directly
+ It is also possible to redirect all received and sent packages directly to Wireshark\footnote{Wireshark, \url{http://www.wireshark.org/} [Online; Accessed 04.2012]} for further analysis.
\end{itemize}
\subsubsection{Project Status}
-At this point layer two and three do not actually run on the phone but rather on a computer to which the phone is connected via a serial cable.
+At this point Layer 2 and Layer 3 do not actually run on the phone but rather on a computer to which the phone is connected via a serial cable.
Layer 1 runs inside the custom firmware on the \gls{me} itself, since the procedures involving Layer 1 are time critical.
This has advantages as well as disadvantages.
-The disadvantage is that in order to run an application written using OsmocomBB you always have to have a notebook in addition to the phone.
+The disadvantage is that in order to run an application written using OsmocomBB you always have to have a computer in addition to the phone.
The benefit however is that during the development process, the phone does not have to be touched after an initial deployment of the firmware.
This means code can be modified, compiled and tested locally without the need of remote debugging.
Experimenting is considerably easier this way.
@@ -46,11 +46,11 @@ It is called Layer 1 Control, L1CTL.
The current state of the project is, according to a presentation given on the 27$^\text{th}$ chaos communication congress\footnote{27C3 public wiki (Day 3), \url{http://events.ccc.de/congress/2010/wiki/Welcome} [Online; Accessed 04.2012]} by Dieter Spaar and Harald Welte, that the network Layers 1--3 are fully implemented, SIM cards can be accessed or emulated and \gls{gsm} cell selection and reselection are working.
A3/A8 as well as A5/1 and A/52, Full Rate and Enhanced Full Rate codecs are there, so it is possible to do voice calls with an OsmocomBB application written for that purpose, called \texttt{mobile}.
-It features a terminal/telnet based interface much like Cisco routers however there is no user interface for the phone so far.
+It features a terminal\,/\,telnet based interface much like Cisco routers however there is no user interface for the phone so far.
\subsection{Motorola C123}
\label{sec:osmo_phones}
-Since the general idea behind OsmocomBB was to become a vendor independent Open Source \gls{gsm} implementation for everyone to use, there were certain requirements the targeted hardware would have to meet.
+Since the general idea behind OsmocomBB was to become a vendor independent open source \gls{gsm} implementation for everyone to use, there were certain requirements the targeted hardware would have to meet.
For the consumer side requirements these were having a low price and a good availability.
This criterion rules out \gls{diy} approaches since the number of produced devices would be low and thus costly or a significant technical knowledge would be expected from all users to assemble the hardware.
For the developer side this would also mean implementing a lot on the lower levels of analog logic.
@@ -90,9 +90,9 @@ In order to use the Motorola C123 in combination with the OsmocomBB framework th
This has to be done using a RS332 serial cable that is connected to the 2.5\,mm audio jack.
The audio jack of the Motorola C123 and other Calypso based mobile phones typically have a 3.3 V serial port on their audio jacks.
These cables are normally referred to as T191 unlock cables.
-A variety of stores around the internet sell the cables ready made for about \$10--\$15\footnote{FoneFunShop, \url{http://www.fonefunshop.co.uk/cable_picker/773_Motorola_T191_W220_W375_OSMOCOM_etc._USB_Unlock_Cable.html} [Online; Accessed 04.2012]}.
+A variety of stores around the internet sell the cables ready made for about \$10--\$15\footnote{FoneFunShop, \url{http://www.fonefunshop.co.uk/table_picker/773_Motorola_T191_W220_W375_OSMOCOM_etc._USB_Unlock_Cable.html} [Online; Accessed 04.2012]}.
One must be careful when using the PC's serial port to communicate with the phone though.
-Since the phone's serial operates at 3.3\,V and is internally connected to the 2.8\,V IO-pins of the baseband processor, directly connecting it to the computers 12\,V serial port will destroy the hardware.
+Since the phone's serial operates at 3.3\,V and is internally connected to the 2.8\,V IO-pins of the baseband processor, directly connecting it to the computer's 12\,V serial port will destroy the hardware.
Therefore it is recommended to use a USB serial cable.
Schematics for such an unlock cable are given in Appendix \ref{sec:osmo_serial_schematics}.
@@ -103,9 +103,9 @@ The process of acquiring, compiling and running the OsmocomBB framework itself i
When setting up the system it is recommended \emph{not} to use a virtual machine.
The bootloader and the firmware can fail to be deployed correctly if a virtual machine is used as development system.
-This is because the protocol used by Motorola to do the actual flashing process is \emph{very} time critical and thus timeouts can occur that are caused by the overhead the virtual machine imposes on the hardware/software communication.
+This is because the protocol used by Motorola to do the actual flashing process is \emph{very} time critical and thus timeouts can occur that are caused by the overhead the virtual machine imposes on the hardware\,/\,software communication.
-As can be seen in the figure, Layer 1 of the OsmocomBB \gls{gsm} stack runs on the phone which is connected via a serial cable to the computer running the \gls{icds}.
+As can be seen in Figure \ref{fig:osmo_setup} Layer 1 of the OsmocomBB \gls{gsm} stack runs on the phone which is connected via a serial cable to the computer running the \gls{icds}.
On the computer side the \texttt{osmocon} program provides a general interface to the phone.
\texttt{Osmocon} is also used to load the firmware up to the Motorola C123.
Other software can communicate with \texttt{osmocon} and subsequently with the phone using Unix sockets.
@@ -116,7 +116,7 @@ Other software can communicate with \texttt{osmocon} and subsequently with the p
\label{fig:osmo_setup}
\end{figure}
-The program \texttt{Catcher}, the OsmocomBB part of the \gls{icds}, is a modified version of the \texttt{cell\_log} by Andreas Eversberg that interfaces with \texttt{osmocon} to harvest information from \glspl{bts} and forward it to the core \gls{icds}.
+The program \texttt{catcher}, the OsmocomBB part of the \gls{icds}, is a modified version of the \texttt{cell\_log} by Andreas Eversberg that interfaces with \texttt{osmocon} to harvest information from \glspl{bts} and forward it to the core \gls{icds}.
It can be seen as a Layer 3 program that scans through available frequencies and reads information from the \gls{bcch} whenever one such channel is available on the frequency at hand.
The forwarding is done directly via \texttt{stdout} since it runs as a child process of the \gls{icds}.
In a similar way, \texttt{pch\_scan} gathers information on the \gls{pch} of a specific base station.
@@ -124,23 +124,23 @@ The functionality of \texttt{catcher} and \texttt{pch\_scan} will be explained i
\section{Procedure}
The main goal of the \gls{icds} is to reach a conclusion on whether it is safe to initiate a phone call or not, in other words if the base station our mobile phone will connect to is trustworthy.
-As mentioned before, as soon as a subscriber connects to an IMSI catcher it automatically gives up information on his/her location.
+As mentioned before, as soon as a subscriber connects to an IMSI catcher it automatically gives up information on his\,/\,her location.
Therefore this project will use a passive approach on information harvesting, meaning we will only use information that is broadcasted or freely available as to not give up any hints of the \gls{icds} being active.
To that end a four-step process is taken.
-First the information is gathered.
+First \emph{information is gathered}.
This process is explained in detail in Section \ref{sec:info_gathering}.
-After information on the surrounding \glspl{bts} is ready in the \gls{icds}, a set of checks is evaluated on each base station individually, with each yielding a specific result for the station.
-These checks are called \emph{Rules} and discussed further along with the next two steps in Section \ref{sec:info_evaluation}.
-Afterwards the results the Rules yielded for each base station have to be aggregated into one single result for each \gls{bts}.
-At last, after every \gls{bts} has its evaluation it can be decided whether to tell the subscriber if it is safe to initiate a phone call or not.
+After information on the surrounding \glspl{bts} is ready inside the \gls{icds}, a set of checks is evaluated on each base station individually, with each yielding a specific result for the station.
+These checks are called \emph{rules} and discussed further along with the next two steps in Section \ref{sec:info_evaluation}.
+Afterwards the results the rules yielded for each base station have to be aggregated into one single result for each \gls{bts} by an \emph{evaluator}.
+At last, after every \gls{bts} has its evaluation it can be decided whether to \emph{tell the subscriber} if it is safe to initiate a phone call or not.
\subsection{Information Gathering}
\label{sec:info_gathering}
As explained in Section \ref{sec:common_channels} every base station has an associated \gls{bcch} where information about the station and its network is spread.
\gls{bcch} frames are always sent inside a 51-Multiframe.
After the \gls{ms} has synchronised using the values on the \gls{fcch} and \gls{sch} it can determine which kind of information is hosted inside the \gls{bcch} message.
-These so called System Information Messages originate at the \gls{bsc} and are produced for each \gls{bts} individually and then periodically broadcasted.
+These so called \emph{System Information Messages} originate at the \gls{bsc} and are produced for each \gls{bts} individually and then periodically broadcasted.
Since all the required information would not fit inside a single frame there are different kinds of System Information Messages that are distinguished by their \gls{tc} and host different kinds of information.
The type can be extracted using the \gls{fn} of the frame the message is sent in \cite{GSM2009}:
\[\text{TC}=(\text{FN} \text{ div } 51)\text{ mod } 8\]
@@ -171,7 +171,7 @@ Afterwards \texttt{catcher} tunes the phone to those specific frequencies where
At each such frequency it waits until all the System Information Messages are gathered and extracts parameters where possible.
The parameters along with the raw data are forwarded to the main \gls{icds} application for further evaluation.
An example of a fully parsed System Information Type 2 can be seen in Figure \ref{fig:si1} \cite{protocols1999}.
-The Neighbouring Cell List which is a very valuable source of information is located in the middle of the message.
+The Neighbouring Cell List which is a very valuable source of information is located in inside the highlighted section of the message.
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo2}
@@ -185,10 +185,9 @@ The parameters harvested so far are:
\item MCC: The Mobile Country Code the base station is broadcasting.
\item MNC: The Mobile Network Code the base station is broadcasting.
\item ARFCN: The \gls{arfcn} on which the base station is located.
- \item rxlev: Receiving strength in db.
+ \item rxlev: Receiving strength in dB.
This parameter is measured by the Motorola C123 and not part of the System Information Messages.
Even small changes in the location can have a large impact on this parameter due to shadowing and reflection.
- However it can be used in certain cases as will be discussed in Section \ref{sec:fake_parameters}.
\item BSIC: Because of frequency reuse in a cellular network it is possible that two different base stations can sent at the same \gls{arfcn}.
In order for the \gls{ms} to keep these apart the \gls{bsic} is also broadcasted.
It consists of a \gls{ncc} identifying the provider, so the \gls{ms} can filter out messages that it does not need beforehand and the \gls{bcc} that must be unique for a given provider over all base station in a large area.
@@ -227,28 +226,28 @@ The \texttt{pch\_scan} listens for activity on this channel and harvests the fol
Each base station is evaluated the moment the data completely arrived at the \gls{icds} application.
Additionally when a new \gls{bts} has been found and added all formerly discovered stations are also re-evaluated since new discoveries can have an impact on the rules that evaluate the context surrounding an old base station.
-As mentioned above, evaluation is done based on constructs called Rules.
-Each Rule represents one check that can be performed on a base station and yields a result based on its findings.
-A Rule can also be seen as a mapping from a set of input parameters to one of the values \emph{Critical}, \emph{Warning}, \emph{Ok}, \emph{Ignore}.
+As mentioned above, evaluation is done based on constructs called \emph{rules}.
+Each rule represents one check that can be performed on a base station and yields a result based on its findings.
+A rule can also be seen as a mapping from a set of input parameters to one of the values \emph{Ok}, \emph{Warning}, \emph{Critical}, \emph{Ignore}.
\[\lbrace \text{Base station parameters}\rbrace \mapsto \lbrace \text{Ok}\lvert\text{Warning}\lvert\text{Critical}\lvert\text{Ignore}\rbrace\]
A \emph{Critical} result means that the base station evaluated has a critical configuration error or critical settings that are not found on normal base stations, \eg unknown provider names or empty neighbourhood lists.
This station should not be trusted.
If a \emph{Warning} status is yielded the \gls{bts} at hand has some concerning features but it could not be said whether it really is an IMSI catcher or sheer coincidence.
-An example would be a base station having a Neighbouring Cell List of which none of the cells therein have actually been found up to that point.
+An example would be a base station having a Neighbouring Cell List of which none of the cells therein have actually been discovered up to that point.
The list could either be a fake or it could simply be coincidence that the scan has not found any.
They could have been out of range for example.
In some cases a rule cannot yield a finding.
That is when the state is explicitly set to \emph{Ignore} so the evaluator knows that this rule should have no influence on the final outcome.
-This is the case for example when trying to find whether the base station uses encryption or not and no other subscriber connects until a set timeout is reached.
+This is the case for example when a rule refers to a parameter that has not been looked up or scanned.
If everything went as expected, \emph{Ok} is returned.
-The Rules can be divided into four different categories depending on how they work and which situations they are tailored to.
+The rules can be divided into four different categories depending on how they work and which situations they are tailored to.
Most of the rules are parametrised so they can be tweaked to different environments and standards.
-The different Rule categories are \emph{Configuration Rules}, \emph{Context Rules}, \emph{Databse Rules} and \emph{Scan Rules}.
+The different rule categories are \emph{Configuration Rules}, \emph{Context Rules}, \emph{Databse Rules} and \emph{Scan Rules}.
\subsubsection{Configuration Rules}
The first set of rules called \emph{Configuration Rules} targets the base station itself.
@@ -275,7 +274,7 @@ ARFCN\,/\,Provider Map &Checks whether the ARFCN is in the officially registere
\end{table}
A few things have to be noted when configuring these rules.
-Since there is no official listing or rule how the \gls{lac} is derived the LAC/Provider Mapping Rule needs knowledge of the area in which the \gls{icds} is used.
+Since there is no official listing or rule how the \gls{lac} is derived the LAC\,/\,Provider Mapping Rule needs knowledge of the area in which the \gls{icds} is used.
The \gls{icds} itself can be used to gather that knowledge but it has to be done prior to using the rule for base station evaluation.
The \gls{arfcn} range each provider has registered in Germany can be looked up at the website of the Bundesnetzagentur\footnote{Bundesnetzagentur Vergabeverfahren, \url{http://www.bundesnetzagentur.de/cln_1911/DE/Sachgebiete/Telekommunikation/RegulierungTelekommunikation/Frequenzordnung/OeffentlicherMobilfunk/VergabeVerfahrenDrahtlosNetzzugang/vergabeVerfahrenDrahtlosNetzzugang_node.html} [Online, Accessed 04.2012]} which is needed for the ARFCN\,/\,Provider Mapping Rule.
@@ -284,9 +283,9 @@ If these are set in a consistent way this set of rules is not sufficient to iden
Therefore another set of rules has to be added that incorporates information of the surrounding nodes.
\subsubsection{Context Rules}
-The second set of Rules is called \emph{Context Rules}.
-As the name suggests these Rules serve the purpose of checking how well a given \gls{bts} fits into its neighbourhood.
-Table \ref{tab:context_rules} shows which Rules have been implemented.
+The second set of rules is called \emph{Context Rules}.
+As the name suggests these rules serve the purpose of checking how well a given \gls{bts} fits into its neighbourhood.
+Table \ref{tab:context_rules} shows which rules have been implemented.
\begin{table}
\centering
\begin{tabular}{ll}
@@ -312,10 +311,10 @@ Cell ID Uniqueness &Checks whether there are other cells with the same\\
For the LAC Median Deviation the median was chosen over the average since an extreme value (ill configured IMSI catcher) would have too strong an impact on the average to which all the \gls{bts} are compared.
It could even have such a strong effect on the average that legitimate base stations would fall below the threshold and be recognised as catchers.
-The threshold when a deviation is evaluated as being 'Critical' can be set in the configuration section for the Rule.
+The threshold when a deviation is evaluated as being \emph{Critical} can be set in the configuration section for the rule.
A value of 0 would mean that no deviation from the median is allowed.
This could lead to problems as some experimental scans have shown.
-However in none of the scans more than two different Location Areas have been found per provider and since these were neighbouring areas, the difference in the code was only 1.
+However in none of the scans more than two different \glspl{la} have been found per provider and since these were neighbouring areas, the difference in the code was only 1.
For the Freiburg area a 1\% threshold for the deviation yielded good results.
\paragraph{Neighbourhood Structure}
@@ -330,18 +329,19 @@ The E-Plus subgraph has been enlarged.
\end{figure}
It can be seen that for each provider, the neighbourhood forms an isolated, nearly fully connected subgraph.
Nodes with a green background have an \emph{Ok} rating, while the red node has a \emph{Critical} rating.
-The bordering white nodes have not yet been discovered therefore they have no outgoing edges.
+The bordering white nodes have not yet been discovered and evaluated therefore they have no outgoing edges.
This could be the case because they are too far away for the Motorola to receive or because of signal damping due to shadowing and reflection effects.
In the \gls{icds} the aspect of isolated subgraphs for neighbourhoods is captured inside the \emph{Pure Neighbourhoods Rule}.
An interesting fact is that one node inside the E-Plus subgraph on the upper right is marked \emph{Critical}.
-This is because it is a \gls{bts} of the universities own \gls{gsm} network.
+This is because it is a \gls{bts} of the university's own \gls{gsm} network.
It was set up to be in a E-Plus neighbourhood but is not consistent with the E-Plus nodes surrounding it.
Therefore it is marked by the \gls{icds}.
+%TODO: cite richy
The node was set up inside the E-Plus neighbourhood for another Master project\footnote{Cite Richy} at the Chair of Communication Systems where the goal was to estimate the most probably position of a subscriber given his\,/\,her reception strengths.
Some of the attacks discussed in Section \ref{sec:attacks} imply a certain structure of the neighbourhood graph.
-Since the IMSI catcher tries lock in \glspl{ms} that have connected from switching back to a normal cell, the neighbourhood list of such a catcher cell would either be empty or would only host neighbour cells that have a lower reception strength than itself.
+Since the IMSI catcher tries to lock in \glspl{ms} that have connected from switching back to a normal cell, the neighbourhood list of such a catcher cell would either be empty or would only host neighbour cells that have a lower reception strength than itself.
An empty Neighbouring Cell List is represented in the graph by a node that has been discovered and has no outgoing edges.
A Neighbouring Cell list containing only imaginary nodes serves the same purpose.
\begin{figure}
@@ -387,9 +387,9 @@ A Neighbouring Cell list containing only imaginary nodes serves the same purpose
Figure \ref{fig:structure_comparison} shows a simplified regular neighbourhood graph compared to a graph with two catcher nodes inside.
In this case catcher C chose the attack where it replaces a previously existent \gls{bts} whereas catcher D opened up a new cell.
Replacing has several advantages, one being already integrated in the neighbourhood of other nodes.
-Mobile phones will constantly monitor the reception strength of all neighbouring nodes and thus also the reception strength of the IMSI catcher.
+Mobile phones will constantly monitor the reception strength of all neighbouring nodes and thus also the reception strength of the IMSI catcher which replaced one.
For catcher D it is the other way around, it has only outgoing edges.
-This means that this cell is not known by any other node of the same provider (of course the catchers provider is fake!).
+This means that this cell is not known by any other node of the same provider.
Nevertheless it has some outgoing edges to nodes with significantly less transmission strength to not stick out too much as a completely isolated node.
Combinations of these two approaches are also possible.
These thoughts are basically what is captured inside the \emph{Neighbourhood Structure Rule}.
@@ -401,13 +401,13 @@ For both attack types presented it is possible to find a parameter configuration
Therefore the Configuration Rules and most of the Context Rules will yield an \emph{Ok} result.
The Neighbouring Cell List is a bit different.
-Since the catcher wants to keep lured subscribers it will normally have an empty list or a list pointing only to \glspl{bts} that have a lower reception level.
+Since the catcher wants to keep lured subscribers it will normally have an empty list or a list pointing only to \glspl{bts} imaginary neighbours.
Both of these cases can be detected.
However the operator \emph{may} also choose to set a list consistent with the neighbouring cells.
This would lower the chances of success for the catcher but also make it blend better in its environment and thus harder to detect.
-For the \gls{cid} there are basically two possibilities depending on which attack is used.
-The first possibility is that the IMSI catcher opens up a new cell and the second one is that it replaces a formerly existent cell.
+For the \gls{cid} there are basically two possibilities depending on which attack type is used.
+The first possibility was that the IMSI catcher opens up a new cell and the second one was that it replaces a formerly existent cell.
In the first case parameters can be chosen in a consistent way although a new \gls{cid} has to be chosen, as the \gls{cid} needs to be unique.
In the second case all parameters can be copied from the original cell.
Both possibilities can be resolved by adding outside knowledge to the \gls{icds} thus circumventing the problem of other parameters being forged.
@@ -427,14 +427,14 @@ Local Area Databse &Checks whether the LAC of the given BTS deviates.\\
\label{tab:database_rules}
\end{table}
-Table \ref{tab:database_rules} rules that each handles one of these cases.
+Table \ref{tab:database_rules} shows the rules that each handles one of these cases.
The first case is the easier of both.
We know that the catcher cell has a new \gls{cid} that has not been there before.
Therefore the \emph{Cell ID Database Rule} has two different means to exploit this fact:
\begin{itemize}
\item A database of \glspl{cid} can be learned by the \gls{icds} beforehand.
This can be used to detect new \glspl{cid} that have not been seen before.
- \item A commercial \gls{cid} database can be used to compare against the \glspl{cid} found by the \gls{icds}.
+ \item A commercial or public \gls{cid} database can be used to compare against the \glspl{cid} found by the \gls{icds}.
A web service also offered by most providers of Cell ID databases.
\end{itemize}
The three largest Cell ID databases are the two commercial ones by Ericson\footnote{Ericson Labs, \url{https://labs.ericsson.com/apis/mobile-location/} [Online; Accessed 04.2012]} and combain\footnote{Mobile Positioning Solutions, \url{http://location-api.com/} [Online; Accessed 04.2012]} as well as the free alternative OpenCellID\footnote{OpenCellID, \url{http://www.opencellid.org/} [Online; Accessed 04.2012]} \cite{wiki_cells}.
@@ -442,15 +442,14 @@ Ericson and combain have trial modes, where the first 1000 requests are free for
Another free alternative with a large coverage is Google Mobile Maps, that also offers a web service where \glspl{cid} and their respective \glspl{lai} can be checked against their database to obtain localisation information (or simply check if they are part of the database).
By adding this information new cells can be identified.
-The second where an existing cell is replaced is a bit more complicated since its parameters are an exact copy of the old cell.
+The second attack type where an existing cell is replaced is a bit more complicated since its parameters are an exact copy of the old cell.
Attacking by replacing a cell works in a way that the cell with the worst reception is targeted.
-That way when the IMSI catcher finished replacing it, the reception goes up a significant amount and the mobile phone will initiate a handover to that cell.
+That way when the IMSI catcher finished replacing it, the reception goes up a significant amount and the mobile phone will move over to that cell.
The difference in reception can be used to identify this kind of attack.
-In general the reception cannot be well used as a parameter because shadowing and reflection can substantially change the reception from one moment to the other.
-However when reception intervals are logged for a fixed location like an office and important calls made from that specific location can be protected against this kind of attack.
-To that end the \gls{icds} can monitor reception levels to build up databases with information about the reception intervals of the particular cells in different locations.
+In general the reception cannot be used well as a parameter because shadowing and reflection can substantially change the reception from one moment to the other.
+However if reception intervals are logged for a fixed location like an office then important calls made from that specific location can be protected against this kind of attack.
+To that end the \gls{icds} can monitor reception levels to build up databases with information on the reception intervals of the cells in different, fixed locations.
The \emph{Local Area Database Rule} then checks if reception levels differ significantly for a given location.
-If no database has been build beforehand but the \gls{icds} is stationary the \emph{rx Level Rule} can watch the reception level during the course of a scan and ensure that no change occurred suddenly.
\subsubsection{Scan Rules}
\begin{table}
@@ -467,17 +466,17 @@ LAC Change &Watches out for changes in LACs.\\
\label{tab:scan_rules}
\end{table}
At this stage, if local information is present, an IMSI catcher should be identified with a high probability.
-However if local information has not been gethered in advance, the main idea of Database Rules can still be applied.
-In contrast to the other three categories of Rules mentioned before \emph{Scan Rules} evaluate parameters or better, parameter changes over time.
+However if local information has not been gathered in advance, the main idea of Database Rules can still be applied.
+In contrast to the other three categories of rules mentioned before, \emph{Scan Rules} evaluate parameter changes over time.
This means parameters are being monitored over the duration of one or multiple sweep scans and changes are noted.
-The \emph{rx Change Rule} is basically the the same as the \emph{Local Area Database Rule} on a scan to scan basis.
+The \emph{rx Change Rule} builds upon the same idea as the \emph{Local Area Database Rule}, only applied to a scan to scan basis.
Changes in reception are evaluated against the last known reception level for each base station.
When watching for parameter changes the \gls{lac} is another interesting parameter.
If a mobile phone connects to an IMSI catcher due to its better reception level the mobile phone will not immediately announce itself thus the IMSI catcher has no knowledge that a new subscriber connected to it.
A mobile phone announces itself by sending Location Updates to the network, this is only done when a certain timeout is reached or when the phone enters a new \gls{la}.
-Since this timeout can be very large (the lowest value possible is 6 minutes) an IMSI catcher usually sends another \gls{lac} than the original cell to force the \gls{ms} to announce itself by sending a Location Update.
-IMSI catchers showing this kind of behaviour are filtered out by the \emph{LAC Change Rule}
+Since this timeout can be very large (the lowest value possible is 6 minutes) an IMSI catcher usually sends a different \gls{lac} than the original cell to force the \gls{ms} to announce itself by sending a Location Update.
+IMSI catchers showing this kind of behaviour are uncovered by the \emph{LAC Change Rule}
\subsubsection{Remaining Issues and Paging}
\label{sec:paging}
@@ -486,25 +485,25 @@ If a catcher is configured in a consistent way, replaces a cell and by chance ha
An IMSI catcher is not part of a provider's network, it is merely a proxy for a base station.
At best it can route calls into a network but it cannot take calls that are intended for a subscriber and route them.
-Therefore an IMSI catcher will not page connected subscribers while a normal base station will have a very high number of Pagings depending on the number of subscribers that are connected.
+Therefore an IMSI catcher will not page connected subscribers while a normal base station will have a very high number of pagings depending on the number of subscribers that are connected.
This is a significant difference between a catcher and a regular base station.
This is an additional information that can be used to identify an IMSI catcher.
-\emph{PCH Scan} tunes the Motorola C123 to the \gls{pch} of a particular base station and gathers Paging Messages and \glspl{ia}.
+The program \texttt{pch\_scan} tunes the Motorola C123 to the \gls{pch} of a particular base station and gathers Paging Messages and \glspl{ia}.
If no Paging Messages could be collected during longer period of scanning it is a strong indicator towards being confronted with an IMSI catcher.
Additionally when \glspl{ia} are found the scan extracts whether the assigned channel is a frequency hopping channel or not.
Since frequency hopping is considered a security feature by providers, all German providers always assign frequency hopping channels.
An IMSI catcher however may not support hopping since it does not have multiple frequencies at hand.
The \emph{PCH Scan} feature has not been implemented as a regular rule since each given base station needs some time to be scanned.
-If that would be done on a regular basis for every station that has been discovered it would delay the whole scan by a large amount and the time difference between re-evaluations would be very high.
+If that would be done on a regular basis for every station that has been discovered it would delay the whole scan by a large amount of time and the interval between re-evaluations would be very high.
Therefore it was implemented as an extra feature to be used when needed.
The \gls{icds} also uses this method on particularly filtered base stations in \emph{User Mode} as will be explained in Section \ref{sec:user_mode}.
\subsection{Base Station Evaluation}
\label{sec:evaluators}
All the rules are evaluated for each base station.
-Aggregation of these rule results into a single result is done by modules called \emph{Evaluators}.
+Aggregation of these rule results into a single result is done by modules called \emph{evaluators}.
Currently there are three different evaluators implemented inside the \gls{icds}, with varying degrees of customisability.
\begin{itemize}
\item Conservative Evaluator: This is a worst-case evaluator.
@@ -515,7 +514,10 @@ Currently there are three different evaluators implemented inside the \gls{icds}
\item Grouped Evaluator: With this evaluator rules can be grouped together.
Inside each group the result for the group is found by majority vote whereas the final result is conservatively found by comparing all the group results.
\end{itemize}
-The different kinds of evaluators can be used to tweak the whole system more to a specific environment or purpose, if specific rules or groups of rules are given more weight.
+The different kinds of evaluators can be used to tweak the whole system more to a specific environment or purpose, if specific rules are given more weight.
+They are meant more for experimental purpose if the \gls{icds} is used as a toolbox for analysing base stations, to give more freedom in use to the operator.
+In case of the system being used in \emph{User Mode} or for the sole purpose of finding whether an IMSI catcher is active or not, the conservative evaluator should almost always be the evaluator of choice and tweaking should be done on the rule parameters rather than on the evaluator.
+
After a result has been determined for each station, all the results are again aggregated into a final result.
The overall result depends on which mode the \gls{icds} is used in.
If it is used as analysis tool the final result will be a conservatively aggregated result over all the stations in the list.
@@ -536,36 +538,36 @@ The first section focuses on architectural aspects and how the architecture can
\end{figure}
Figure \ref{fig:architecture} shows a diagram describing the system architecture, the modules in light blue have been implemented for this project.
The application consists of two main parts.
-One part, the \texttt{catcher}, is implemented inside the OsmocomBB framework, the other part, \texttt{PyCatcher}, is a Python application that uses \texttt{catcher} to harvest information and evaluate it afterwards.
-Since the way \texttt{catcher} works has already been described in Section \ref{sec:info_gathering} this section will focus on the Python application part.
+One part, the \texttt{catcher}, is implemented inside the OsmocomBB framework, the other part, \emph{PyCatcher}, is a Python application that uses \texttt{catcher} and \texttt{pch\_scan} to harvest information and evaluate it afterwards.
+Since the way these two sub-programs work has already been described in Section \ref{sec:info_gathering} this section will focus on the Python application part.
-As mentioned before layer 1 of the \gls{gsm} stack is implemented in the firmware running on the Motorola C123.
-Layer 2 and 3 are implemented on the computer and are used by the \texttt{catcher} and \texttt{pch\_scan} software to harvest information from the \gls{bcch}.
+As mentioned before Layer 1 of the \gls{gsm} stack is implemented in the firmware running on the Motorola C123.
+Layer 2 and Layer 3 are implemented on the computer and are used by the \texttt{catcher} and the \texttt{pch\_scan} software to harvest information from the \gls{bcch} and \gls{pch} respectively.
-The \texttt{PyCatcher} application was designed with a \gls{mvc} approach in mind to make it easy to implement new functionality.
+The PyCatcher application was designed with a \gls{mvc} approach in mind to make it easy to implement new functionality.
The \gls{mvc} pattern is used to separate the data model of an application from the logic as well as from the way it is presented to the user.
That way each of the different components can be exchanged without affecting the other two.
-An additional module has been added, the \texttt{OsmoConnector} that is loaded by the controller and spawns \texttt{catcher} as a child process.
+An additional module has been added, the \emph{OsmoConnector} that is loaded by the controller and spawns \texttt{catcher} as a child process.
It takes the output back in and transforms it into an object oriented representation of the discovered base stations.
These are then handed over and update the data model.
This way it can be ensured that only coherent and complete information is incorporated in the data model.
Another benefit is that the parsing module is isolated from the main program logic.
-\texttt{OsmoConnector} is also the module that spawns \texttt{pch\_scan} when requested by the \texttt{Controller}.
+OsmoConnector is also the module that spawns \texttt{pch\_scan} when requested by the controller.
-The \texttt{Controller} is the main part of the program and instantiates all the other modules.
+The \emph{controller} is the main part of the program and instantiates all the other modules.
It loads data from the model, triggers the evaluation and sends the results to the view to be displayed.
As discussed before there are several rules that can be evaluated for each base station.
These rules are stored within the controller and can be enabled or disabled by using the view that relays new rule configurations back to the controller to be applied.
Whenever a new evaluation is requested the controller evaluates the active rules and gives the results to the active evaluator, afterwards the results are send to the view for display to the user.
Note that all the structures used are view independent, this way the current view could easily be exchanged with a web interface for example.
-The \texttt{View} in this project consists of a GTK3 window with several forms for user input.
-It is bound to the controller using PyGTK.
-Details on the \texttt{View} and how to use it will be explained in Section \ref{sec:icds_operation}.
+The \texttt{view} in this project consists of a GTK3\footnote{The GTK+ Project, \url{http://www.gtk.org/} [Online; Accessed 06.2012]} window with several forms for user input.
+It is bound to the controller using PyGTK\footnote{PyGTK, \url{http://www.pygtk.org/} [Online; Accessed 06.2012]}.
+Details on the view and how to use it will be explained in Section \ref{sec:icds_operation}.
-Rules and Evaluators were designed in a plugin fashion, since these are the main points where the program can be enhanced and new ideas can be realised.
-Implementing a new rule or a new evaluator works by extending the rule or evaluator base class and implementing one method inside that derived class that contains the actual logic.
-After that they only need to be added to the list of included evaluators and rules inside the \texttt{Controller}.
+Rules and evaluators were designed in a plugin fashion, since these are the main points where the program can be enhanced and new ideas can be realised.
+Implementing a new rule or a new evaluator works by extending the rule or evaluator base class and implementing one method inside the derived class that contains the actual logic.
+After that they only need to be added to the list of evaluators and rules included inside the controller.
Appendix \ref{sec:extensions} gives an example of how this can be done.
\subsection{Configuration}
@@ -575,20 +577,23 @@ Appendix \ref{sec:extensions} gives an example of how this can be done.
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
\begin{lstlisting}
dictionary = {
- "key_1": value_1, #single value
- "key_2": [value_2,value_3] #value range
+ 'key_1': value_1, #single value
+ 'key_2': (value_2,value_3) #value range
+ 'key_3': [value_5, value_6] #list of values
}
+
+variable = value_7 #simple variable
\end{lstlisting}
\end{minipage}
\caption{Configuration Dictionary in the settings file.}
\label{fig:python_dict}
\end{figure}
The configuration of the system is done in the file \texttt{settings.py}.
-All configuration is done with python dictionaries, where each module has its own dictionary inside which it can have an arbitrary number of parameters with their respective values.
-Figure \ref{fig:python_dict} shows an example with the two common cases used for parameters in this project.
+All configuration is done within the python language, where each module has its own dictionary inside which it can have an arbitrary number of parameters with their respective values or if only few parameters are required they are read in as simple variables.
+Figure \ref{fig:python_dict} shows an example with the four common expressions used for parameters in this project.
The file consists of five main sections.
-The first one contains parameters that are needed for the correct operation of the \gls{icds} system and have to be edited:
+The first one contains parameters that are needed for the correct operation of the \gls{icds} system and have to be edited depending on the environment:
\begin{itemize}
\item \texttt{Device\_settings}: The setting for the mobile phone that is used.
In case the Motorola C123 is used, this section does not need to be edited.
@@ -606,7 +611,7 @@ This way python code can also be used to change settings dynamically depending o
The \gls{icds} main application has to be started with root privileges since it needs to work with Unix sockets and open up connections to the Motorola C123.
This should be done by starting up the \texttt{main} class that initialises everything else.
\[\texttt{sudo python /path-to-project/Src/PyCatcher/src/main.py}\]
-After a brief loading time the main window shown in Figure \ref{fig:icds} should appear if a valid configuration is set up.
+After a brief loading time the main window shown in Figure \ref{fig:icds} will appear if a valid configuration is set up.
\begin{figure}
\centering
@@ -617,7 +622,7 @@ After a brief loading time the main window shown in Figure \ref{fig:icds} should
The different elements shown in the main window are:
\begin{enumerate}
-\item Firmware Loader: This button is used to load the OsmoconBB firmware onto the Motorola C123.
+\item Firmware Loader: This button is used to load the OsmocomBB firmware onto the Motorola C123.
For this to work, the mobile phone must be connected correctly to the computer and available on the configured \texttt{tty} interface.
After pressing the button on-screen instructions will lead the user through the process of flashing.
@@ -626,7 +631,7 @@ During this process the Base Station List (11) and the Base Station Graph (13) w
Re-evaluation on all base stations is done for every new \gls{bts} that has been found.
\item Filter Window: This brings up the window shown in Figure \ref{fig:filters_window}, where different view filters for the Base Station List and the Base Station Graph can be set.
-Note that these filters do not modify the underlying data model or the behaviour of the scanner, the manipulate merely the view.
+Note that these filters do not modify the underlying data model or the behaviour of the scanner, they merely manipulate the view.
Hidden base stations will be scanned and added to the data model independent from the filters set, so they can be viewed at a later point if necessary.
Available filters are:
\begin{itemize}
@@ -636,10 +641,10 @@ Available filters are:
These two filters can arbitrarily be combined together.
Filters are designed the same way as rules and evaluators, a new filter can be implemented by derivation of the base class.
-\item Rules Window: All the Rules implemented inside the \gls{icds} will be brought up with a check box to enable or disable these Rules.
+\item Rules Window: All the rules implemented inside the \gls{icds} will be brought up with a check box to enable or disable these rules.
Disabling means that they will not be considered for the evaluation of a base station.
A screenshot can be seen in Figure \ref{fig:rules_window}.
-If Rules are changed during a sweep scan, everything will be re-evaluated according to the new Rules set without interrupting the scan.
+If rules are changed during a sweep scan, everything will be re-evaluated according to the new rules set without interrupting the scan.
\item Evaluator Window: This window will let the user choose which evaluator already discussed in Section \ref{sec:evaluators} to use for \gls{bts} evaluation.
Choosing a new evaluator will also trigger a re-evaluation of all the data collected so far.
@@ -652,15 +657,15 @@ Base stations that are filtered out are not considered.
These settings are mandatory if the Local Area Database Rule or the Cell ID Rule is going to be used.
It is also possible here to export the current scan as a \gls{csv} file or a Sqlite database to be used in other programs.
-\item PCH Scan Window: This button brings up a dialog in which an \gls{arfcn} or a list of \glspl{arfcn} can be scanned to discover Paging Messages and \glspl{ia} on the \glspl{pch}.
+\item PCH Scan Window: This button brings up the dialog illustrated in Figure \ref{fig:pch_window} in which an \gls{arfcn} or a list of \glspl{arfcn} can be scanned to discover Paging Messages and \glspl{ia} on the \glspl{pch}.
The timeout sets the duration of a scan.
Results of the scan will be shows in a list in the lower part of the window after the scan is finished.
-\item Save/Load Project: The current state of the application can be saved as or loaded from a \texttt{.cpf} file.
+\item Save\,/\,Load Project: The current state of the application can be saved as or loaded from a \texttt{.cpf} file.
This enables the user to continue a scan at a later time or to compare different data sets scanned at different points in time or locations with one another.
\item User Mode: The \gls{icds} is ultimately meant to be a tool that can be used by end users to check whether it is safe to initiate a phone call or not.
-This dialog presents a way the already configured tool could be presented to end users.
+This dialog presents a way the already configured tool could be shown to end users.
Only the provider is to be entered and a final evaluation will be returned once the \gls{icds} is done with the process.
\item Base Station List: This list gives an overview of which base stations have been discovered so far along with some distinguishing information including its evaluation.
@@ -691,7 +696,7 @@ Zooming can also be done with the mouse wheel and it is possible to drag the gra
\subsection{Usage}
\label{sec:user_mode}
This section will list some common use cases and explain how to setup and operate the system to achieve the desired result.
-Button numbering refers back to Figure \ref{fig:icds} and Figure \ref{fig:dialogs}.
+Button numbering refers back to Figure \ref{fig:icds}.
\paragraph{Conducting sweep scans:} This is the normal mode of operation, scanning and evaluating all base stations in the perimeter.
This is also used for gathering various kinds of information to be used for analysis later.
@@ -705,33 +710,32 @@ The number of times a specific \gls{bts} has been scanned is shown in the \emph{
\paragraph{Using and obtaining Cell ID Information:} \gls{cid} information can be obtained through several different means.
The Databases window shown in Figure \ref{fig:databases_window} can be brought up by pressing (7).
-In the upper part settings concerning the acquisition of \gls{cid} can be found.
+In the upper part settings concerning the acquisition of \glspl{cid} can be found.
The operator has the choice between three different methods which can also be used in combination.
-\emph{Google Mobile Maps Service} compares the station's CellIDs and \glspl{lai} to the ones in the Google database.
+\emph{Google Mobile Maps Service} compares the stations' \glspl{cid} and \glspl{lai} to the ones in the Google database.
If they are found they are marked as such and additionally their location information will be set.
\emph{OpenCellID Web Service} performs the same task if activated.
-As of now OpenCellID has a very low coverage compared to Google's service but it has been included since it is an open source approach that is actively developed and updated constantly.
-The \emph{Use Local Databse} feature allows to use a previously build Location Area Database as \gls{cid} Database for lookups.
-For this purpose the location to be used as database has to be entered in the textfield.
+As of now OpenCellID has a very low coverage compared to Google's service but it has been included since it is an open source approach that is in development and updated constantly.
+The \emph{Use Local Databse} feature allows to use a previously build Local Area Database as Cell ID Database for lookups.
+For this purpose the location to be used as database has to be entered in the textfield, \eg 'office' or 'home'.
Offline lookups can be done that way, which are considerably faster that online lookups, the raw data used by the OpenCellID project can also be downloaded and used as a offline version for reference that way.
Since these lookups take some time if performed using webservices, this is not done while the scan is taking place, to not delay the acquisition of information from new base stations.
-Pressing the button below the checkboxes will add the \gls{cid} Database information from the selected sources to all the stations currently in the base station list.
+Pressing the button below the checkboxes will add the Cell ID Database information from the selected sources to all the stations currently in the base station list.
If more than one service is activated lookups will be done starting with the Google service, if active and using the next one in line only if the previous lookup failed.
-Having at least one service activated and run on the base station list is a precondition for the \gls{cid} Rule to work.
+Having at least one service activated and run on the base station list is a precondition for the Cell ID Database Rule to work.
-\paragraph{Building or using a Local Area Database:} Having set up the correct location in the \emph{Current Location} field of the databases window and having a valid database for that location are preconditions for the Location Are Database Rule to work.
+\paragraph{Building or using a Local Area Database:} Having set up the correct location in the \emph{Current Location} field of the databases window and having a valid database for that location are preconditions for the Local Area Database Rule to work.
To build up a database for a specific location a sweep scan for this location has to be done.
-After the sweep scan is finished, the current location has to be set in the dialog and the button for adding/updating the database has to be pressed.
+After the sweep scan is finished, the current location has to be set in the dialog and the button for adding\,/\,updating the database has to be pressed.
If there was no existing database for that location it will be created, otherwise the database will be updated with the new information acquired by the sweep scan.
-To raise the quality of a Location Area Database it is recommended to do multiple sweep scans and integrate them rather than to only rely on a single scan.
+To enhance the quality of a Local Area Database it is recommended to do multiple sweep scans and integrate them rather than relying on a single scan only.
This raises the probability that all \gls{bts} in the perimeter are found is higher and it solidifies the interval in which the base station signal strength varies.
\paragraph{Conducting a PCH Scan:} A \gls{pch} scan can be conducted in addition to a sweep scan or as a standalone method therefore no scan data needs to be present.
-If scan data is present however this feature will automatically augment the present data with its findings.
The first parameter is a comma separated list of \glspl{arfcn} that will be scanned.
The second parameter is the timeout.
-A scan for a particular \gls{arfcn} will tune in on the \gls{pch} of each \gls{arfcn} given and wait there until the timeout is reached gathering all paging messages that occur during the time period.
-In the lower part of the dialog, after the scan has finished, a number will be given for each base station of how many pagings occured on average in five seconds.
+A scan for a particular \gls{arfcn} will tune in on the \gls{pch} of each \gls{arfcn} given and wait there until the timeout is reached gathering all paging messages and \gls{ia} that are sent in that time interval.
+In the lower part of the dialog, after the scan has finished, the statistics for the scanned \glspl{bts} will occur.
\begin{figure}
\centering
@@ -744,16 +748,14 @@ In the lower part of the dialog, after the scan has finished, a number will be g
There is only one input field in the dialog as Figure \ref{fig:user_mode} illustrates.
The user has to enter the provider name in this field and push the \emph{Start Evaluation} button.
From the scan data, the \gls{icds} extracts the base station with the highest reception for the given provider since this would be the station a \gls{ms} would connect to if started up.
-It then performs a \gls{pch} scan on that station and accumulates the results from this additional scan with the data from the sweeps scan in a conservative manner.
-Timeouts and retry attempts are taken from the \gls{pch} scan dialog.
-Any adjustment made there will carry over in User Mode.
+If the station already has been evaluated as \emph{Critical}, \emph{User Mode} will instantly yield this as result.
+In all other cases it performs an additional \gls{pch} scan on that station to rule out the scenario where a catcher has not been detected by the currently active set of rules.
After the evaluation has been completed, the picture on the bottom will change to reflect the result found.
\section{Related Projects}
-IMSI catcher detection is a topic that has not emerged until recently therefore not a lot of work and research has been done upon that topic.
-This is mainly due to the fact that is was very hard to get information from the mobile network onto a computer for evaluation.
-A fact that changed, or to be exact is now more accessible due to the OsmocomBB framework.
+IMSI catcher detection is a topic that has not emerged until recently therefore not a lot of work and research has been done upon that subject.
+This is mainly due to the fact that is was very hard to get information from the mobile network onto a computer for evaluation and the threat seemed to be not as large as today with cheap self build IMSI catchers.
About the same time as this project, in December 2011, another project was announced with the same goals of detecting an IMSI catcher.
The project is called 'Catcher Catcher'\footnote{Catcher Catcher Wiki, \url{http://opensource.srlabs.de/projects/catcher/wiki/Tutorial} [Online; Accessed 05.2012]} and also builds up on the OsmocomBB framework.
@@ -761,10 +763,10 @@ The goals are the same however the means are very different.
As a codebase 'Catcher Catcher' uses the \texttt{mobile} application, a software that implements the firmware part of a mobile phone.
This results in an active approach to IMSI catcher detection.
An active connection is established between the phone and the base station in question.
-One could say they try to identify the catcher by letting a bait phone get caught by it.
+Basically this means that identification is done be letting a bait-phone get caught.
-The advantage compared to the passive approach this project uses is that one has more sure means at hand of identifying a potential catcher.
-Features that are already implemented are\cite{catcher_catcher}:
+The advantage compared to the passive approach of this project uses is that one has more sure means at hand of identifying a potential catcher.
+Features that are already implemented are \cite{catcher_catcher}:
\begin{itemize}
\item Encryption: Check whether encryption is enabled when doing a phone call.
\item IMEI: \gls{imei} is not requested in Cipher Mode Complete message.
@@ -777,5 +779,5 @@ As one can see, missing encryption and reception of a silent text message are ve
This however comes at the cost of being discovered oneself.
Additionally if the IMSI catcher is configured only to allow specific IMSI numbers an active approach cannot be used to evaluate it.g
-It is not clear whether the project has been abandoned since December 2012 or whether it is developed further.
-Activity on the wiki has seized after December 2012. \ No newline at end of file
+It is not clear whether the project has been abandoned or whether it is developed further.
+Activity on the Wiki and Git has seized after December 2012. \ No newline at end of file
diff --git a/Tex/Content/Evaluation.tex b/Tex/Content/Evaluation.tex
index ffaa953..b809c14 100644
--- a/Tex/Content/Evaluation.tex
+++ b/Tex/Content/Evaluation.tex
@@ -352,29 +352,14 @@ The next step was to put the \gls{icds} into \emph{User Mode} with T-Mobile as i
It selected the IMSI catcher cell as its target cell because of the good reception level and since it's evaluation was \emph{Ok} an additional PCH scan was started.
No paging messages or \glspl{ia} were caught so the end result was a \emph{Critical} status for the IMSI catcher cell.
-\begin{figure}
-\centering
-\includegraphics{../Images/replace_attack}
-\caption{Takeover attack of an IMSI catcher on a base station.}
-\label{fig:takeover_attack}
-\end{figure}
\subsubsection{IMSI Catcher replacing an old Cell}
The second scenario simulated the attack where the IMSI catcher replaces a base station with a bad reception in the neighbourhood of the cell the \gls{ms} is connected to.
This way the reception drastically improves on that particular frequency suggesting to the \gls{ms} that the subscriber moved to the close perimeter of that \gls{bts} and .
-Figure \ref{fig:takeover_attack} illustrates this particular attack.
-
-The station with the \gls{arfcn} 42 has the lowest reception with its signal to noise ratio of -95\,dB.
-In this particular scenario the \gls{ms} would first connect to the station on 23 because of its good reception.
-After that the IMSI catcher is turned on also on \gls{arfcn} 42.
-Due to its location it has the best reception level of all the available base station.
-Since it replaced station 42 it is most likely in the neighbourhood list of 23.
-When the \gls{ms} conducts a neighbouring cell measurement it will find that the catcher has the best reception and will switch to it.
-Disconnection and cell re-selection of the \gls{ms} could also be achieved instantly by jamming \gls{arfcn} 23.
-For this experiment, the cell to be replaced was the universities own base station at \gls{arfcn} 877.
-Since the catcher sends a different \gls{lac} the \gls{ms} will send a location update to the IMSI catcher announcing its presence.
+We used the university base station on \gls{arfcn} 877 as our target.
+A sweep scan was conducted with the \gls{icds} and after the base station had been found the IMSI catcher was started on the same frequency.
-Due to its strong increase in reception and the change in the \gls{lac} the IMSI catcher cell obtained a \emph{Critical} status immediately after it had been scanned a second time.
+Due to its strong increase in reception and the change in the \gls{lac} the IMSI catcher cell obtained a \emph{Critical} status immediately after \gls{arfcn} 877 had been scanned a second time.
Also due to this fact the reception level differed too much from the interval that had been measured for this \gls{cid} in the \emph{Local Area Database} also yielded a \emph{Critical} rating.
\emph{User Mode} did not start a PCH scan since the evaluation had already been \emph{Critical}. \ No newline at end of file
diff --git a/Tex/Content/GSM_short.tex b/Tex/Content/GSM_short.tex
index 4d73706..6a39850 100644
--- a/Tex/Content/GSM_short.tex
+++ b/Tex/Content/GSM_short.tex
@@ -2,25 +2,25 @@
\label{ch:gsm}
This chapter will give a short overview of some important aspects of \gls{gsm} networks and protocols.
The first section presents a brief historical summary on the evolution of \gls{gsm} and how it came to be what it is today.
-In Section \ref{sec:network} the system architecture and its components as well as essential protocol basics will be explained, important to understand which place in the network an IMSI-catcher tries to take over.
-The $U_m$ interface will be described in detail in Section \ref{sec:Um} since this is the main source for gathering information from IMSI-catchers.
-Section \ref{sec:catcher} will finally explain how an IMSI-catcher works and how it replaces the system components as well as state from a technical and law perspective why these devices have become a threat to all-day privacy.
+In Section \ref{sec:network} the system architecture and its components as well as essential protocol basics will be explained important to understand which place in the network an IMSI catcher tries to take over.
+The $U_m$ interface will be described in detail in Section \ref{sec:Um} since this is the main source for gathering information from IMSI catchers.
+Section \ref{sec:catcher} will finally explain how an IMSI catcher works and how it replaces the system components as well as state from a technical and law perspective why these devices have become a threat to all-day privacy.
\section{A Historical Perspective}
The acronym GSM was originally derived from \emph{Group Sp\'{e}ciale Mobile}.
This committee was part of the \gls{cept} 1982, with the task of developing a pan-Eurpean digital cellular mobile radio standard in the 900\MHz band.
-1986 the frequency range was officially licensed.
+In 1986 the frequency range was officially licensed.
The foundation of this task group was a direct answer to the development of independent and incompatible analog radio networks during the 80's.
Examples of such networks were the C-Netz in Germany, the \gls{tacs} in the UK and \gls{nmt} in Scandinavia.
In February 1987 the committee submitted the basic parameters of GSM.
-Not after after, in September, the \gls{MoU} was signed in Copenhagen by 15 members of 13 Countries that were dedicated to deploy GSM in their respective countries.
+Not after, in September, the \gls{MoU} was signed in Copenhagen by 15 members of 13 countries that were dedicated to deploy GSM in their respective countries.
This agreement was the foundation for allowing international operation of mobile stations using the standard interfaces agreed upon earlier that year.
\gls{cept} itself was around since 1959 and its members founded the \gls{etsi} in 1988.
In the same year the committee submitted the first detailed specification for the new communications standard.
The acronym was reinterpreted in 1991 after the committee became a part of the \gls{etsi} in 1989 to \emph{Global System for Mobile Communications}.
The very same year the specifications for \gls{dcs1800} were submitted.
-These were essentially the same specifications translated to the 1800\MHz band and the foundation for the USA's 1900\MHz band.
+These were essentially the same specifications translated to the 1800\MHz band and the basis for the USA's 1900\MHz band.
Under the umbrella of the \gls{etsi}, many \glspl{stc} began to work on different aspects of mobile communication, like network aspects (SMG 03) or security aspects (SMG 10).
SMG 05 dealt with future networks and especially with UMTS specifications which eventually became an independent body inside the \gls{etsi}.
@@ -74,7 +74,7 @@ In 1998 the \gls{3gpp} was founded by five organisational partners with the goal
These partners were the \gls{arib}, the \gls{etsi}, the \gls{atis}, the \gls{tta} and the \gls{ttc}.
The focus was later expanded in the light of the \emph{International Mobile Communications-2000}-project \cite{3gpp_Proposal2000} by the \gls{itu} to:
\begin{itemize}
- \item Development and maintenance of \gls{gsm} and \gls{gprs}, including \gls{edge}, which are standards for high speed packet oriented data transmission via \gls{gsm}.
+ \item Development and maintenance of \gls{gsm} and \gls{gprs}, including \gls{edge} which are standards for high speed packet oriented data transmission via \gls{gsm}.
\item Development of a third generation mobile communication system on the basis of the old \gls{gsm} protocol. This standard is called \gls{umts}.
\item An IP based multimedia system.
\end{itemize}
@@ -82,7 +82,7 @@ Up to now the \gls{3gpp} has enhanced mobile standards.
In 2005 the first \gls{hsdpa} network went online.
\gls{hsdpa} \cite{hsdpa} is a protocol that enables mobile users to download data with speeds up to 84\,MBit/s since release 9.
\gls{hsupa} \cite{hsupa} is a related protocol in the \gls{hspa} family that provides similar functionality for uploading data.
-These and other specification are published on the \gls{3gpp} website\footnote{3GPP - Specification Groups,\url{http://www.3gpp.org/} [Online; Accessed 04.2012]}.
+These and other specification are published on the \gls{3gpp} website\footnote{3GPP - Specification Groups, \url{http://www.3gpp.org/} [Online; Accessed 04.2012]}.
\section{The GSM Network}
\label{sec:network}
@@ -100,13 +100,13 @@ There are different notions of how to distribute these components into functiona
In the following the classification by Sauter \cite{kommsys2006} will be used.
It describes the main parts as:
\begin{itemize}
- \item \textbf{\gls{bss}:} this part is also called radio network and contains all the technology necessary for connecting mobile subscribers to the telephone network and routing their calls.
- These calls originate from the \gls{ms} that will be explained in section \ref{sec:ms}, and travel over the air interface to the receiver stations for further processing.
- The air interface or $U_m$ interface will be explained in section \ref{sec:Um}, whereas the rest of the subsystem will be discussed in section \ref{sec:bss}.
- \item \textbf{\gls{nss}:} the core network, as it is sometimes called, consists of several entities that are used to establish and route a connection.
- This is not only limited to calls within the provider's network but also into other provider's networks or the \gls{pstn}.
+ \item \gls{bss}: this part is also called radio network and contains all the technology necessary for connecting mobile subscribers to the telephone network and routing their calls.
+ These calls originate from the \gls{ms} that will be explained in Section \ref{sec:ms}, and travel over the air interface to the receiver stations for further processing.
+ The air interface or $U_m$ interface will be explained in Section \ref{sec:Um}, whereas the rest of the subsystem will be discussed in Section \ref{sec:bss}.
+ \item \gls{nss}: the core network, as it is sometimes called, consists of several entities that are used to establish and route a connection.
+ This is not only limited to calls within the provider's network but also into other providers' networks or the \gls{pstn}.
The databases that contain subscriber information and location information for connected users are located here.
- \item \textbf{\gls{in}:} this part of the network augments the core network with \gls{vas} \cite{ITU1200}.
+ \item \gls{in}: this part of the network augments the core network with \gls{vas} \cite{ITU1200}.
In order to provide extra functionality the \gls{in} consists of several \gls{scp} databases.
Some of the most widely used services are in fact services of the \gls{in} and not core services.
Examples are prepaid cards, home areas\footnote{This service defines a geographical area, in which lower rates are calculated for mobile calls.} or telephone number portability.
@@ -116,14 +116,14 @@ The system developed in this project works inside the base station subsystem act
Therefore the following theory section will focus mainly on this part, including the radio interface between the phone and the base station to establish a basic understanding of how the system is able to passively harvest information.
The \gls{nss} will only be discussed as far as it is relevant to understanding how an IMSI catcher operates.
-Since the \gls{in} is not involved in any procedure concerning this project further explanation will also be omitted.
+Since the \gls{in} is not involved in any procedure concerning this project further explanation will be omitted.
\subsection{Mobile Station}
\label{sec:ms}
-With the advent of portable microprocessors in the 80's mobile phones became possible.
-Advance in technology up to today yielded ever smaller mobile phones with ever more functionality year by year to a point where not the technology itself was the constraining factor for size but the user interface, \eg button and display sizes.
+With the advent of portable microprocessors in the 80's mobile phones became technically possible.
+Advances in technology up to today yielded ever smaller mobile phones with ever more functionality year by year to a point where not the technology itself was the constraining factor for size but the user interface, \eg button and display sizes.
This trend changed however with the upcoming of so called smart-phones.
-With weight being the driving factor and not size resolution and display sizes started to increase again but the devices became ever thinner.
+With weight being the driving factor and not size, resolution and display sizes started to increase again but the devices became ever thinner.
What hasn't changed is the basic distinction between \gls{me} and \gls{sim}, the parts of which a \gls{ms} consists.
It is hard to deliver a consistent definition for what a \gls{me} is.
@@ -133,10 +133,11 @@ Some of the most important mandatory features are \cite{protocols1999}:
\item \gls{dtmf} signalling capability.
\item \gls{sms} capability.
\item The ciphering algorithms A5/1 and A5/2 need to be implemented.
- \item Display capability for short messages and dialled numbers, as well as available \gls{plmn}s.
+ \item Display capability for short messages and dialled numbers, as well as available \glspl{plmn}.
\item A cyphering indicator that shows the user whether encryption is activated on the current connection or not.
+ This feature is disabled in most devices as not to confuse the user.
\item Machine fixed \gls{imei}.
- In a strict sense this disqualifies many modern mobile phones since the \gls{imei} is not fixed onto the device itself but rather is part of the software or firmware.
+ In a strict sense this disqualifies many modern mobile phones since the \gls{imei} is not fixed onto the device itself but is rather part of the software or firmware.
Tools like \emph{ZiPhone}\footnote{Unlock iPhone 4, Jailbreak iPhone, \url{http://www.ziphone.org/} [Online; Accessed 04.2012]} for iOS devices\footnote{Apple iOS5, \url{http://www.apple.com/ios/} [Online; Accessed 04.2012]}, especially iPhone, can change this supposedly unchangeable identifier.
\end{itemize}
@@ -145,13 +146,13 @@ However it is more common nowadays that \gls{me} supports two bands, three bands
These are called dual-band, tri-band and quad-band devices respectively.
As the name suggests the \gls{sim} card is essentially a data storage that holds user specific data.
-This separation is interesting for the \gls{gsm} user since it allows him/her to exchange the \gls{me} without having to contact the provider.
+This separation is interesting for the \gls{gsm} user since it allows him\,/\,her to exchange the \gls{me} without having to contact the provider.
Thus it can be used on different frequency bands and is one of the preconditions for roaming.
The \gls{sim} card can either be in plug-in format or ID-1 SIM format which is normally used for telephone cards, credit cards or car installed \gls{me}.
The plug-in format is also called ID-000 and can be found in ISO/IEC 7810 \cite{ISO7810}.
-The most important information stored on a \gls{sim} card are the \gls{imsi} and the \gls{ki}.
A subset of other parameters stored on the \gls{eeprom} of the card can be seen in Table \ref{tab:simdata}.
+The most important information stored on a \gls{sim} card are the \gls{imsi} and the \gls{ki}.
\begin{table}
\centering
@@ -193,14 +194,14 @@ A brief description of the protocol and functionalities can be found in Sauter's
The \gls{imsi} as described in GSM 23.003 \cite{GSM23003} uniquely identifies a subscriber.
It has at most 15 digits and is divided into three parts, \gls{mcc}, \gls{mnc} and \gls{msin} of which only the last part is the personal identification number of the subscriber.
\[\underbrace{262}_{\text{MCC (Germany)}} \underbrace{01}_{\text{MNC (T-Mobile)}} \underbrace{9876543210}_{MSIN}\]
-The first two are also called \gls{hni}.
+The first two groups together are also called \gls{hni}.
The three digit \gls{mcc} describes the country code, the area of domicile of the mobile subscriber.
The \gls{mnc} is an identification number for the home \gls{plmn}.
-This can either have two or three digits depending on the \gls{mcc}.
+It can either have two or three digits depending on the \gls{mcc}.
It is not recommended by the specification and thus not defined to mix two and three digit \gls{mnc}s for a single \gls{mcc}.
These country codes are assigned by the \gls{itu} in ITU E.212 \cite{ITU212}.
An excerpt can be found in Table \ref{tab:countrycodes}.
-The third part, the \gls{msin} is a number consisting of up to ten digits which is used for authentication of the mobile subscriber against his provider.
+The third part, the \gls{msin} is a number consisting of up to ten digits which is used for authenticating the mobile subscriber against the network.
\gls{mnc} and \gls{msin} together are called \gls{nmsi}.
\begin{table}
\centering
@@ -242,18 +243,17 @@ A1 &Austria &01, 09\\
\subsection{Network Subsystem}
\label{sec:nss}
The most important task of the Network Subsystem or Network Switching Subsystem is to establish connections and route calls between different locations.
-This is done by so called \gls{msc} that can route a call either to another \gls{msc}, into the \gls{pstn} or another provider's network.
+This is done by the so called \gls{msc} that can route a call either to another \gls{msc}, into the \gls{pstn} or another provider's network.
Apart from routing, the \gls{nss} also provides the means to administer subscribers inside the network.
Facilities to support this task are the \gls{hlr}, the \gls{vlr} as well as the \gls{ac}.
These will now be described in further detail.
-The \gls{smsc} is also part of this subsystem handling text messages.
-The \gls{eir} shown in the picture can be thought of as a database containing lists whether to allow a particular \gls{imsi} access to the network or not.
A possible arrangement of these components is displayed in Figure \ref{fig:gsm_network}.
+The \gls{eir} shown in the picture can be thought of as a database containing lists whether to allow a particular \gls{imsi} access to the network or not.
\subsubsection{Mobile Switching Center}
The \gls{msc} is the component that does the actual routing of calls and therefore is the core component of the \gls{nss}.
It basically works like any other \gls{isdn} exchange device with additional functionality to manage mobility.
-Since the amount of signalling inside a \gls{plmn} would be far to big for a single \gls{msc} there is one for every \gls{la}.
+Since the amount of signalling inside a \gls{plmn} would be far too much for a single \gls{msc} there is one for every \gls{la}.
Amongst others its most important tasks are \gls{cc} and \gls{mm}.
\gls{cc} entrails registration when the subscriber connects to the network as well as routing the calls or text messages from one registered subscriber to another.
@@ -264,32 +264,33 @@ The above part is also true for pure landline switching centres.
What sets a mobile switching centre apart from these is called \gls{mm}.
Since the participants can freely move around the network and thus cannot be identified the same way as a fixed landline participant, authentication before using the offered services is important.
Another consequence of mobility is that the network has to keep track of where a subscriber is and through which \gls{msc} it can be reached.
-This is done via Location Updates which update the current location in the databases for other \glspl{msc} to look up.
+This is done via \emph{Location Updates} which update the current location in the databases for other \glspl{msc} to look up.
Also during calls if the subscriber leaves the respective service area of the switching centre, the call needs to be transferred without being interrupted.
-A procedure called Handover achieves just that.
+A procedure called \emph{Handover} achieves just that.
For this central role to work it is necessary to be connected to all the other components of the \gls{nss}.
-This is done via different connections called Interfaces.
-A brief description of what the different interfaces in a GSM network are and what their respective function is can be seen in Appendix \ref{sec:interfaces}.
+This is done via different connections called interfaces.
+A brief description of what the different interfaces in a \gls{gsm} network are and what their respective function is can be seen in Appendix \ref{sec:interfaces}.
\subsubsection{Home Location Register}
-The \gls{hlr} is the central database in which all personal subscriber related data is stored.
+The \gls{hlr} is the central database in which all subscriber related data is stored.
The entries can be divided into two classes, permanent administrative and temporary data.
Part of this administrative data is which services a subscriber has access to and which are prohibited (\eg roaming in certain networks).
The data itself is indexed with the customer's \gls{imsi} to which multiple telephone numbers can be registered.
-Since these \glspl{msisdn} are independent from the \gls{imsi} a subscriber can change his telephone number and thus also move the telephone number along should he/she decide to switch to a new provider.
-Basic services that access is stored for in the \gls{hlr} are amongst others the ability to receive and initiate telephone calls, use data services or send text messages.
+Since these \glspl{msisdn} are independent from the \gls{imsi} a subscriber can change his telephone number and thus also move the telephone number along should he\,/\,she decide to switch to a new provider.
+Access to basic services is stored inside the \gls{hlr}.
+Examples of such services are the ability to receive and initiate telephone calls, use data services or send text messages.
Additional services called Supplementary Services like call forwarding or display of phone numbers during calls can also be set or unset in this database.
It is up to the provider if these services are available freely or are bound to a fee.
The temporary data enfolds the current \gls{vlr} and \gls{msc} address as well as the \gls{msrn} which is essentially a temporary location dependent ISDN number.
\subsubsection{Visitor Location Register}
-As can be seen in Figure \ref{fig:gsm_network} there can be multiple \glspl{vlr} one for each area in a network.
+As can be seen in Figure \ref{fig:gsm_network} there can be multiple \glspl{vlr}, one for each area in a network.
These registers can be seen as caches for data located in the \gls{hlr}.
Thus they are intended to reduce signalling between the \gls{msc} and the \gls{hlr}.
-Each time a subscriber enters a new area that is serviced by a new \gls{msc}, data for this subscriber is transferred to the respective \gls{vlr} from the \gls{hlr}.
+Each time a subscriber enters a new area that is serviced by a new \gls{msc}, data for this subscriber is transferred to the respective \gls{vlr} from the central \gls{hlr}.
Such data includes the \gls{imsi} and the \gls{msisdn} as well as information on which services are available to that particular subscriber.
-Additionally the subscriber is assigned a one-time \gls{imsi} called \gls{tmsi} and information in which \gls{la} the \gls{ms} was registered last is transmitted.
+Additionally the subscriber is assigned a one-time \gls{imsi} called \gls{tmsi} and the \gls{la} in which the \gls{ms} was registered last is transmitted.
In this way the regular \gls{imsi} is not used and can thus not be harvested by tapping into the radio channel.
While it is possible to operate the \gls{vlr} as a standalone entity, in most cases it is implemented as a software component of the individual \gls{msc}.
@@ -316,11 +317,11 @@ The steps of the procedure can be summarized as follows:
\begin{itemize}
\item RAND: a 128 bit random number.
\item SRES: a 32 bit number called signed response, which is generated by A3 with \gls{ki} and RAND as inputs.
- \item Kc: the ciphering key that is used to cypher the data during transmission.
+ \item Kc: the ciphering key that is used to cipher the data during transmission.
It is also generated with \gls{ki} and RAND using the algorithm A8.
\end{itemize}
To save signalling bandwidth usually more than one authentication triplet is generated and returned to the \gls{msc} by the \gls{ac}.
- It should be noted that, since a separate cyphering key \gls{kc} is used, the secret key never leaves the \gls{ac}.
+ It should be noted that, since a separate ciphering key \gls{kc} is used, the secret key never leaves the \gls{ac}.
In the second case either a previously generated authentication triplet is used or new authentication triplets are requested.
\item RAND is transmitted to the \gls{ms} by the \gls{msc} where the signed response SRES* is created by the \gls{sim} card using A3, \gls{ki} and RAND.
@@ -330,13 +331,14 @@ The steps of the procedure can be summarized as follows:
\item If SRES and SRES* match, the subscriber is authenticated.
\end{enumerate}
-Remarkable properties of this procedure are that by using a cyphering key that is generated by a random number and a secret key, the secret key itself never leaves the \gls{ac}.
+Remarkable properties of this procedure are that by using a ciphering key that is generated by a random number and a secret key, the secret key itself never leaves the \gls{ac}.
Apart from that the use of a random number prevents replay attacks on SRES.
It should also be noted that this way of authenticating only works for authenticating the subscriber to the network.
It is a one way authentication.
The subscriber needs to trust the network.
-This is a design flaw that IMSI-Catchers use to lure \gls{ms} into their fake network.
+This is the basic design flaw that IMSI catchers abuse.
In \gls{umts} networks that flaw was fixed and the authentication procedure was made mutual \cite{kommsys2006}.
+However since it will take considerable time until all areas are services by \gls{umts}, phones still have a fall-back mechanism to use \gls{gsm} if no \gls{umts} station is available.
\subsection{Base Station Subsystem}
\label{sec:bss}
@@ -399,7 +401,7 @@ F_\text{Downlink} &=F_\text{Uplink} + 45
For other bands the numbers differ and can be seen in Table \ref{tab:frequencies} along with their respective \gls{arfcn} numbers but the functionality is the same.
-An additional method called time multiplexing which will be explained in further detail in Section \ref{sec:Um}, makes is possible to map $125 \cdot 8 = 1000$ channels that could be used for voice transmission over that band.
+An additional method called time multiplexing which will be explained in further detail in Section \ref{sec:Um}, makes is possible to map $125 \cdot 8 = 1000$ channels that could be used for voice transmission onto that band.
Some of these channels need to be used for signalling.
Even though the number by itself seems high it would never suffice to service a large urban area.
This is one of the reasons why another frequency band in the 1800\MHz range has been opened with 75\MHz up- and downlink supporting 375 channels.
@@ -407,7 +409,7 @@ That by itself would also never suffice to service the huge number of subscriber
The range of one receiver station is drastically reduced to service only a small area.
This is called the cell of the \gls{bts} which in theory can be approximated by a hexagon, each of which has its own \glspl{cid}.
Each of these cells is assigned a different frequency to avoid interference.
-However after a certain distance, the frequency reuse distance $D$, is covered the exact same frequency can be used again by another \gls{bts}.
+However after a certain distance, \emph{frequency reuse distance} $D$, is covered the exact same frequency can be used again by another \gls{bts}.
$D$ is chosen large enough so that interference doesn't have an impact on overall call quality.
Figure \ref{fig:cells} shows such an arrangement.
Also a comparison with realistic cells can be seen which differ in their appearance from the optimized hexagon model.
@@ -465,7 +467,7 @@ Due to the nature of a mobile network certain other tasks have to be performed h
A \emph{signalling channel} is needed when a subscriber wants to start a call or send a text message.
The \gls{ms} sends a channel request message to the \gls{bsc} which needs to check if any \glspl{sdcch} are free.
-If there are free channels, one of those channels is activated via the \gls{bts} and an immediate assignment message is sent via the \gls{agch} containing the number of the assigned channel.
+If there are free channels, one of those channels is activated via the \gls{bts} and an \gls{ia} is sent via the \gls{agch} containing the number of the assigned channel.
From this point on the \gls{ms} can sent data on the assigned channel that reach the \gls{msc}.
For incoming calls a prior step has to be taken.
The \gls{msc} sends a message to the \gls{bsc} that contains the \gls{imsi}, \gls{tmsi} and \gls{la} of the subscriber that is being called or texted.
@@ -476,12 +478,12 @@ After a signalling channel is found that way, a \emph{voice channel} can be init
The \gls{msc} sends an assignment request message to the \gls{bsc} after the start of the call has been determined on the previously assigned \gls{sdcch} between the \gls{msc} and the \gls{ms}.
A free \gls{tch} is assigned and the \gls{ms} can tune in to this channel and send an acknowledgement to the \gls{bsc}, which in turn sends an acknowledgement that the assignment has been completed to the \gls{ms} and the \gls{msc}.
-Since the voice data is sensitive for privacy it is encrypted before it is sent to the \gls{nss}.
+Since the voice data is sensitive it is encrypted before it is sent to the \gls{nss}.
Voice data is a continuous stream originating at the mobile phone and accordingly has to be encrypted using a stream cipher.
-The stream cypher key $K_c$ that is generated by the authentication centre.
+The stream cipher key $K_c$ is generated by the authentication centre.
It is generated by the A8 algorithm on the \gls{sim} card with a random number (RAND) and the secret key \gls{ki} as input.
Since the transmission of voice data is split into frames it suffices to encode the data on a per frame basis.
-\gls{kc} and the current frame number are the inputs for the algorithm A5 which generates a 114 bit cyphering sequence that can be XORed with the frame.
+\gls{kc} and the current frame number are the inputs for the algorithm A5 which generates a 114 bit ciphering sequence that can be XORed with the frame.
This sequence changes every frame since it uses the current frame number as input.
The complete procedure is outlined in Figure \ref{fig:cypher}.
\begin{figure}
@@ -512,7 +514,7 @@ Efficiency in this case can be seen as maximizing the quotient of transmission r
The first section will explain how transmission in a \gls{gsm} network is handled on the physical level and what techniques are used to maximize throughput.
Afterwards the notion of logical channels, virtual channels that are mapped on top of the actual transmission, will be discussed and which channels are of importance for this project.
-The last section compares the network layers of the \gls{gsm} stack to the ISO/OSI layer model, to give a basis for understanding where the framework employed in the practical part is situated in that hierarchy.
+The last section compares the network layers of the \gls{gsm} stack to the ISO\,/\,OSI layer model, to give a basis for understanding where the framework employed in the practical part is situated in that hierarchy.
\subsection{Radio Transmission}
\label{sec:radio}
@@ -542,9 +544,11 @@ An illustration of how these multiplexing methods work together can be seen in F
Another important aspect is the frame hierarchy and the resulting frame numbering since it is used for ciphering as well as channel mapping and synchronisation.
The frame number is one of the inputs required to generate the ciphering key and is broadcasted frequently on the \gls{sch} to keep mobile subscribers in sync.
-The timeslots on the lowest level of the hierarchy have a length of $4.615\text{\,ms} \div 8 = 577~\mu\text{s}$ and are also known as Bursts numbered from 0 to 7.
+An overview of the numbering hierarchy is illustrated in Figure \ref{fig:frame_hierarchy}.
+The timeslots on the lowest level of the hierarchy have a length of $4.615\text{\,ms} \div 8 = 577~\mu\text{s}$ and are also known as \emph{Bursts} numbered from 0 to 7.
+Depending on what the Burst is used for the internal structure can differ but the duration is always the same.
Every new \gls{tdma} frame the sequence number is increased by one.
-Since this number cannot be increased endlessly is repeated every 3\,h 28\,m 53\,s and 760\,ms.
+Since this number cannot be increased endlessly it is repeated every 3\,h 28\,m 53\,s and 760\,ms.
This is the largest chunk in the frame hierarchy and it is called Hyperframe.
Superframes and Multiframes are layers between the Hyperframe and the \gls{tdma} frame which can occur in different configurations.
The 51-Multiframe consists of 51 TDMA frames and carries only signalling data whereas the 26-Multiframe contains 26 TDMA frames and carries traffic and control channels.
@@ -571,18 +575,19 @@ If the \gls{ms} asks for a channel assignment in frame $n$ and a channel is assi
\subsubsection{Burst Types}
As suggested by the paragraph above there are different kinds of Bursts which are shown in \ref{fig:burst_types} \cite{GSM2009}.
-In addition to data bits and known fixed bit sequences every frame has tail bits, which mark the beginning and the end of a frame.
-The fixed bit sequence is called training sequence and appears in conjunction with the data bit sequences.
-During a radio transmission procedure the signal can be distorted by shadowing, reflection, or other factors which would result in a loss of data.
+In addition to \emph{data bits} and known fixed bit sequences every frame has \emph{tail bits}, which mark the beginning and the end of a frame.
+The fixed bit sequence is called \emph{training sequence} and appears in conjunction with the data bit sequences.
+During a radio transmission procedure the signal can be distorted by shadowing, reflection or other factors which would result in a loss of data.
But since the training sequence is known it is possible to reconstruct the original signal by comparing the incoming training sequence with the expected one and thus conserving the data bits.
-All Bursts contain Guard Times which separate them from the next Burst.
-This is necessary subscribers can move around and thus slight variations in timing may occur.
+All Bursts contain \emph{guard times} which separate them from the next Burst.
+This is necessary because subscribers can move around and thus slight variations in timing may occur.
These variations could result in the collision of data from several different sources rendering it unusable.
-For subscribers that move at considerable speeds \eg in a car this is not sufficient and an extra mechanism called Timing Advance is used.
+For subscribers that move at considerable speeds \eg in a car this is not sufficient and an extra mechanism called \emph{Timing Advance} is used.
Basically the farther a subscriber is away from a base station the earlier a burst has to be sent, to compensate for the distance.
The value for the Timing Advance is determined by the \gls{bsc} after receiving a channel request message from the mobile station and afterwards constantly updated by the respective \gls{bts}.
+The different Burst types are:
\begin{itemize}
\item Normal Burst: The basic information transmitting Burst.
All information on traffic and control channels is transmitted by this Burst except for the \gls{rach}.
@@ -592,13 +597,13 @@ The value for the Timing Advance is determined by the \gls{bsc} after receiving
It may also be used by the \gls{ms} to do time synchronisation for \gls{tdma} frames.
The periodic broadcasting of this frame is also called \gls{fcch} and shares a frequency with the \gls{bcch} as will be shown in the next section.
\item Synchronisation Burst: This Burst contains time synchronisation information from the \gls{bts} to the \gls{ms} as well as the running \gls{tdma} frame number.
- Periodic broadcastings of this Burst form the \gls{sch}.
+ Periodic broadcasting of this Burst forms the \gls{sch}.
\item Dummy Burst: When no other Bursts are sent on the frequency carrying the \gls{bcch} this one is transmitted to fill the gap.
- This way the \gls{ms} can keep up doing measurements even if no data needs to be transmitted.
+ This way the \gls{ms} can keep up doing quality measurements even if no data needs to be transmitted.
\item Access Burst: The Burst that is used to transmit data on the \gls{rach}.
- Since everyone can sent on the \gls{rach} without being given a timeslot via Slotted Aloha procedure the guard times of this Burst are high as to reduce the probability of data collisions.
+ Since everyone can sent on the \gls{rach} without being given a timeslot via Slotted Aloha\footnote{Slotted Aloha is a medium access procedure in which each participant can send data in predefined timeslots. If collisions occur the data is discarded and each participant has to wait a random time interval before sending again.} procedure the guard times of this Burst are high as to reduce the probability of data collisions.
\end{itemize}
-The information in this section described the physical properties of the Air Interface also called Layer 1 when referring to the standard ISO/OSI model.
+The information in this section described the physical properties of the Air Interface also called Layer 1 when referring to the standard ISO\,/\,OSI model.
A short description of the other layers will be presented in Section \ref{sec:layers}.
\subsection{Logical Channels}
@@ -613,7 +618,7 @@ Since not all information has to be sent all the time these different informatio
\end{figure}
Mapping of these channels on the physical interface works in two dimensions.
-The first dimension is frequency and the second is the time slot.
+The first dimension is the frequency and the second is the time slot.
Figure \ref{fig:channels} shows this mapping of channels onto time slots over the course of multiple \gls{tdma} frames for one fixed frequency.
This way each timeslot over the course of multiple frames can be regarded as a virtual channel.
These resulting virtual channels can now be used by a multitude of logical channels to transmit information.
@@ -628,7 +633,7 @@ These are point to point channels.
\item \gls{tch}: A data channels that is used to transmit voice data or data service packages.
\item \gls{facch}: A channel for transmission of urgent signalling data, \eg Handover signalling.
This data doesn't have to be send often it shares a timeslot with the \gls{tch} and uses the stealing flags to insert its own data.
- \item \gls{sacch}: The uplink of this channel is used by the \gls{ms} to transmit quality measurements of the cell and neighbouring cells to the base station, so the network can do handover decisions accordingly.
+ \item \gls{sacch}: The uplink of this channel is used by the \gls{ms} to transmit quality measurements of the cell and neighbouring cells to the base station, so the network can do Handover decisions accordingly.
The downlink is used for Timing Advance data and power management data for the \gls{ms}.
\item \gls{sdcch}: On this channel signalling information is sent to a subscriber as long as no \gls{tch} has been assigned during the initialisation of a call.
Text messages and Location Updates are also transmitted on this channel.
@@ -637,21 +642,21 @@ These are point to point channels.
\subsubsection{Common Channels}
\label{sec:common_channels}
The common channels contain data interesting to all subscribers, thus having a broadcast nature.
+This channels are the main source of information gathered by the \gls{icds}.
These are point to multi-point channels.
\begin{itemize}
\item \gls{sch}: When the \gls{ms} is looking for a cell to connect, this synchronisation channel is used.
\item \gls{fcch}: Used by \glspl{ms} to fine tune to the frequency of a certain base station and helps to find the start of a 51-Multiframe.
- \item \gls{bcch}: This channel is used to transmit information about the network and the base station itself through different system information messages.
+ \item \gls{bcch}: This channel is used to transmit information about the network and the base station itself through different \emph{System Information Messages}.
These contain the network name and cell identification as well as neighbourhood information on cells in the area and much more.
This channel will be the main source of information for this project since it allows harvesting information without actively participating in the network and will thus be discussed in further detail in Chapter \ref{sec:info_gathering}.
- \item \gls{pch}: If a subscriber is not assigned a dedicated channel yet, \ie he/she is not active, they are notified on this channel if there is an incoming call or text.
+ \item \gls{pch}: If a subscriber is not assigned a dedicated channel yet, \ie he\,/\,she is not active, they are notified on this channel if there is an incoming call or text.
The subscribers are identified by their \gls{tmsi} which has been previously assigned upon entering the network so the \gls{imsi} does not have to be broadcasted.
This channel will be used as an additional source of information for the \gls{icds}.
\item \gls{rach}: A subscriber that has been notified over the \gls{pch} can contact the network and request a \gls{sdcch}.
Since this is a channel used by all connected and idle \glspl{ms}, access has to be regulated.
As the name implies access is random thus it can happen that two or more \gls{ms} try to send at the same time.
- Slotted Aloha is used to handle access meaning there are fixed timeslots on which \glspl{ms} can send data.
- If collisions occur the data is discarded and each \gls{ms} has to wait a random time interval before sending again.
+ Slotted Aloha is used to handle access.
\item \gls{agch}: This is the channel used to respond to a \gls{ms} if a request has been made on the \gls{rach}.
The acknowledgement message also contains information on which \gls{sdcch} to use.
\end{itemize}
@@ -662,25 +667,24 @@ There is a complex multiplexing scheme defined in GSM 05.02 \cite{gsm0502} that
A table containing the possible combinations can be found in Appendix \ref{sec:combinations}.
The mapping of these specific Multiframe-configurations onto timeslots is not arbitrary either.
Normally TS-0 and TS-1, the first two time slots, are used handle channels with signalling information.
-The \gls{bcch} for example, which we will use to harvest information uses TS-0 of the carrier frequency.
+The \gls{bcch} for example, which we will use to harvest information uses TS-0 on the carrier frequency.
\subsection{Layers}
\label{sec:layers}
-Design-wise the layers of the $U_m$ interface resemble the layers of the ISO/OSI model reference model specified by the \gls{itu}.
-This section will give a short overview over the first three layers with respect to the air interface \cite{protocols1999}.
-It is important for further understanding to know what functionality can be found on which of the three lower layers, since the framework employed to gather information in this project will directly work on and with those layers.
+Design-wise the layers of the $U_m$ interface resemble the layers of the ISO\,/\,OSI reference model specified by the \gls{itu}.
+This section will give a short overview over the first three layers with respect to the air interface \cite{protocols1999} since these are the ones that the employed framework works on.
\paragraph{Physical Layer (Layer 1):} This layer provides the facilities for the actual transmission of data.
In case of the $U_m$ interface this is the actual radio equipment.
This layer does not know data types like user or signalling data.
The data that it receives from Layer 2 are either single bits or an array of bits.
-On the algorithmic side of the $U_m$ interface the \gls{gmsk} modulation that is used to encode the data of a Burst into radio signals is part of Layer 1.
+On the algorithmic side of Layer 1 the \gls{gmsk} modulation is used to encode the data a Burst contains into radio signals.
\paragraph{Data Link (Layer 2):} On Layer 2 packaging is done.
The notion of data frames is introduced to have chunks of information on which error checking and potential retransmission of corrupted data can be performed.
-The Layer 2 protocol \gls{hdlc} is used as a basis for \gls{ss7} as well as for \gls{lapd}.
-\gls{hdlc} and its derivatives use start/stop markers and checksums to form data frames.
-The Layer 2 format changes through the course of the network while the data packages of layer 3 may stay the same.
+The Layer 2 protocol \gls{hdlc} is used as a basis for \gls{ss7} as well as for \gls{lapd}, which are the basic protocols a classical telephone network operates upon.
+\gls{hdlc} and its derivatives use start\,/\,stop markers and checksums to form data frames.
+The Layer 2 format changes through the course of the network while the data packages of Layer 3 may stay the same.
When a transmission from a \gls{ms} to the \gls{bts} is done \gls{lapdm} is used which is essentially the same as the Layer 2 \gls{isdn} protocol with a few simplifications.
From the \gls{bts} to the \gls{bsc} \gls{lapdm} converts to \gls{lapd} and afterwards is exchanged to \gls{mtp2}.
For the air interface \gls{lapdm} along with channel coding and Burst formatting form Layer 2.
@@ -694,7 +698,7 @@ Therefore in a strict sense \gls{mm} and \gls{cc} information does not belong to
\section{IMSI-Catcher}
\label{sec:catcher}
-An \gls{imsi}-Catcher is a device that is used to capture the \gls{imsi} and \gls{imei} numbers of mobile subscribers.
+An IMSI catcher is a device that is used to capture the \gls{imsi} and \gls{imei} numbers of mobile subscribers.
The knowledge of the \gls{imsi} and \gls{imei} numbers can be exploited to either tap into the participant's calls or pinpoint the location of the subscriber \cite{fox}.
Another less known functionality is that if catchers do not relay intercepted calls they can be used to suppress mobile communication in a certain area \eg during a police operation \cite{imsi_wiki}.
@@ -702,11 +706,11 @@ This topic came up in conjunction with crime fighting and prevention with the ad
A mobile phone cannot be tapped in the same way as a landline phone since the subscriber can change places and also phones thus there is no designated line associated with him\,/\,her.
This has proven to be a challenge to the authorities.
-In 1996 Rohde \& Schwarz a company based in Munich, Germany has developed a device called \emph{GA 090} which was the first \gls{imsi}-catcher.
+In 1996 Rohde\,\&\,Schwarz a company based in Munich, Germany has developed a device called \emph{GA 090} which was the first IMSI catcher.
Its was capable of yielding a list with all the \gls{imsi} numbers in the perimeter as well as pinpointing the location of a subscriber given the \gls{imsi}.
Short thereafter the \emph{GA 900} was presented which had the additional capability of tapping into calls that originated from a particular \gls{imsi}.
-These commercial versions of catchers produced by Rohde \& Schwarz were priced between 200\,000\,\euro{} and 300\,000\,\euro{} in 2001 \cite{fox}.
-Regulations prohibit the use of IMSI catchers for individuals since the frequency bands the \gls{gsm} network uses are reserved for providers.
+These commercial versions of catchers produced by Rohde\,\&\,Schwarz were priced between 200.000\,\euro{} and 300.000\,\euro{} in 2001 \cite{fox}.
+Regulations prohibit the use of IMSI catchers for individuals since the frequency bands the \gls{gsm} network uses are registered to providers.
However it cannot be guaranteed that such a catcher is not used illegally.
In addition to these commercial products different projects \cite{dennis, def_catcher} have shown that such devices can be built at a very low budget.
This only intensifies the risk that is imposed by the abusive usage of such a catcher.
@@ -716,7 +720,7 @@ Figure \ref{fig:catchers} shows a commercial model side by side with a self buil
\begin{figure}
\centering
\includegraphics[width=0.45\textwidth]{../Images/imsi_catcher}\hspace{1cm}\includegraphics[width=.45\textwidth]{../Images/usrp}
-\caption{A commercial catcher by Rhode \& Schwarz \cite{fox} and a self built catcher introduced at Defcon 2010 \cite{def_catcher}.}
+\caption{A commercial catcher by Rhode\,\&\,Schwarz \cite{fox} and a self built catcher introduced at Defcon 2010 \cite{def_catcher}.}
\label{fig:catchers}
\end{figure}
@@ -726,8 +730,8 @@ The next section will explain under which circumstances a catcher can be used in
\subsection{Mode of Operation}
\label{sec:catcher_operation}
-Basically an \gls{imsi}-Catcher masks itself as a base station and lures subscribers in its perimeter to connect to it without their knowledge.
-In the attack\cite{mueller} shown in Figure \ref{fig:catcher_catch} the IMSI catcher is broadcasting a new \gls{lai} to the \gls{ms} at very high power.
+Basically an IMSI catcher masks itself as a base station and lures subscribers in its perimeter to connect to it without their knowledge.
+In the attack \cite{mueller} shown in Figure \ref{fig:catcher_catch} the IMSI catcher is broadcasting a new \gls{lai} with the same \gls{cid} as an formerly existing base station to the \gls{ms} at very high power.
This lures the \gls{ms} to connect to the alleged base station due to stronger reception and announce itself since the \gls{lac} has changed.
\begin{figure}
@@ -764,55 +768,72 @@ The \gls{imei} is also harvested in a similar fashion if the observed person tri
\label{sec:attacks}
When operating a catcher the first and most important step is to actually trick the \gls{ms} into connecting to the catcher.
A lot of phones save the frequency they were tuned to last and upon connecting to the mobile network this is the first frequency they try.
-Therefore a \gls{ms} has to be set to 'normal cell selection' mode which means it starts scanning for the best base station available.
+Therefore a \gls{ms} has to be set to \emph{normal cell selection} mode which means it starts scanning for the best base station available.
Three ways of luring a subscriber to the forged cell were presented by Wehrle for the 'Open Source IMSI-catcher' project \cite{dennis}.
-The attacks differ on whether the \gls{ms} already is in normal cell selection mode or not, \ie it is connected to another \gls{bts}.
+These methods differ on whether the \gls{ms} already is in normal cell selection mode or not.
\paragraph{MS is in normal cell selection mode:}
-The \gls{imsi}-catcher has to emulate a cell configuration of the provider the target \gls{ms} is looking for broadcasting at any frequency.
-If the \gls{ms} stumbles upon the frequency it will connect.
-This is no method with 100\% accuracy however chances can be raised by broadcasting with higher power.
-Some \gls{imsi}-catchers even broadcast at a higher power than it would be allowed for normal \gls{bts} \cite{imsi_wiki} to make certain to be the strongest base station available to the \gls{ms}.
+The IMSI catcher has to fake a cell configuration consistent with the provider the target \gls{ms} is looking for broadcasting at any frequency.
+The \gls{ms} will choose the base station with the strongest reception levels so the catcher has to make sure that no other available station has a better reception than itself.
+Some IMSI catchers even broadcast at a higher power than it would be allowed for normal \gls{bts} \cite{imsi_wiki}.
\paragraph{MS is already connected to a network:}
-If this is the case then the connection to the current cell needs to be broken.
-It can be achieved either by jamming the frequency band of the cell the \gls{ms} is connected to thus forcing the \gls{ms} into cell selection or by getting the \gls{ms} to switch the cell to the catcher's.
-This can be done the following way.
-In this method the fact is abused that the \gls{ms} knows its neighbourhood (since it has been broadcasted by the \gls{bts}) and does regular quality measurements.
-The main idea is that the operator of the catcher chooses the frequency of a \gls{bts} that is in the neighbourhood of the \gls{bts} that the target \gls{ms} is connected to.
-This way the operator can make sure the \gls{ms} know this frequency and has quality measurements associated with it.
-Furthermore should the chosen \gls{bts}, the one that will be replaced by the catcher, have a bad signal to noise ratio (which is why the \gls{ms} is currently not connected to it).
-As soon as the catcher starts broadcasting on that frequency, quality measurements will radically improve and the \gls{ms} will initiate a change of cells to the catcher cell if the quality is above its current cell.
+If this is the case then the connection to the current cell needs to be broken or the \gls{ms} has to be convinced to switch the cell to the catcher's.
+A \gls{ms} that is in passive mode, meaning no active calls are conducted will do quality measurements on the neighbouring cells of the cell it is connected to.
+It will not scan for \emph{new} base stations.
+Therefore the IMSI catcher has to replace an existing base station that already is part of the neighbourhood of the current cell, so the \gls{ms} will do power measurements on its frequencies.
+\begin{figure}
+\centering
+\includegraphics{../Images/replace_attack}
+\caption{Takeover attack of an IMSI catcher on a base station.}
+\label{fig:takeover_attack}
+\end{figure}
+Figure \ref{fig:takeover_attack} illustrates the procedure.
+In the beginning the \gls{ms} is connected to \gls{arfcn} 23 since its the strongest station in the perimeter.
+It will nevertheless conduct power measurements on \gls{arfcn} 42 and \gls{arfcn} 61 since these are neighbours.
+The IMSI catcher is switched on sending also on \gls{arfcn} 42.
+When the \gls{ms} does its next power measurement on this \gls{arfcn} it will notice that the reception changed from -95\,dB to -52\,dB which is even better than the reception of the station it is currently connected to.
+Therefore it will change the cell to the catcher's.
+Since the catcher broadcasts a different \gls{lac} the \gls{ms} announces itself by sending a Location Update.
+
+This method will not work when a call is in progress.
+In that case the only way to immediately disconnect the subscriber from the \gls{bts} and force normal cell selection mode is by jamming the frequency that belongs to the \gls{bts}.
+
+It is important to note that from these three approaches of luring a \gls{ms} to connect to a fake base station two types of attack configurations for the IMSI catcher side can be distinguished.
+To mimic a cell of a certain provider the IMSI catcher has either to open up a cell with a new \gls{cid} or to replace a cell.
+In case of opening up a new cell, the IMSI catcher has to choose a consistent configuration that blends into the environment of the respective provider while in case of replacing a cell, the whole configuration has to be copied as to not raise suspicion.
+This fundamental distinction of IMSI catcher configurations will be of help later when trying to uncover these devices.
\subsubsection{Risks and Irregularities}
-An \gls{imsi}-catcher cannot target an individual subscriber, it always targets an area thus breaching the privacy of uninvolved subjects.
+An IMSI catcher cannot target an individual subscriber, it always targets an area thus breaching the privacy of uninvolved subjects.
Apart from that, a catcher that does not relay calls takes away the possibility for all connected people in the area to initiate calls.
Even if the the catcher routes calls into the network, since it only has one \gls{sim} card, it can only route a single call.
This can be very dangerous because no emergency calls can be submitted in that area during the time of operation which can be as long as five to ten minutes \cite{fox}.
Another irregularity apart from using no encryption is that people caught in this area cannot be reached on their mobile phones since they are not registered on the main network.
-As a consequence of the proxy functionality of the \gls{imsi}-catcher, when a call is routed into the network the recipient can only see the number the catcher is registered with or 'Number Withheld' however not the original number.
+As a consequence of the proxy functionality of the IMSI catcher, when a call is routed into the network the recipient can only see the number the catcher is registered with or 'Number Withheld' however not the original number.
\subsection{Law Situation in Germany}
\label{sec:catcher_law}
-First reports of an \gls{imsi}-catcher used by authorities in Germany dates back to 1997.
+First reports of an IMSI catcher used by authorities in Germany dates back to 1997.
Until November 2001 35 cases of use were officially confirmed by the \gls{bmi} \cite{fox}.
-It was used to fight of organised and serious crime like hostage-takings or drug traffic by the \gls{bka} and \gls{bgs}.
-Attempts have been made by the government to move the catcher out of the legal grey zone and use the 'GA 900' with its capabilities of tapping in to calls for crime prosecution.
+It was used to fight organised and serious crime like hostage-takings or drug traffic by the \gls{bka} and \gls{bgs}.
+Attempts have been made by the government to move the catcher out of the legal grey zone and use the \emph{GA 900} with its capabilities of tapping in to calls for crime prosecution.
At that time however the attempt was dismissed.
On 14$^\text{th}$ of August 2002 with Section §100i of the Strafprozessordnung (Code of Criminal Procedure) a law basis was given to the device.
Afterwards on 22$^\text{nd}$ of August 2006 this section and its accordance with the Grundgesetz (Constitution) was affirmed.
-The use of an \gls{imsi}-Catcher with prior authorisation by a judge does not affect peoples right to privacy nor does it contradict the Datenschutzbestimmungen (Secrecy of Confidential Data) or the Fernmeldegeheimnis (Secrecy of Confidential Communication).
+The use of an IMSI catcher with prior authorisation by a judge does not affect peoples' right to privacy nor does it contradict the Datenschutzbestimmungen (Secrecy of Confidential Data) or the Fernmeldegeheimnis (Secrecy of Confidential Communication).
In Austria the need for a prior authorisation by a judge was removed in January 2008.
During the first four months of 2008, 3800 cases of catcher use were reported in Austria \cite{imsi_wiki}.
Gradually, starting with §100i it has become easier for the police and agencies to use electronic surveillance.
-Although on 2004 it was decided by the Federal Court of Saxony, that electronic surveillance is not to be used in the substantially intimate sphere of private premises, this regulation can be overthrown if linked to the field of serious crimes and terrorism.
+Although on 2004 it was decided by the Federal Court of Saxony, that electronic surveillance is not to be used in the substantially intimate sphere of private premises.
+This regulation can be overthrown if linked to the field of serious crimes and terrorism.
Section §100a(1) describes that the police merely needs to show certain evidence underpinning a suspicion that a criminal act was committed \cite{criminal_justice}.
This threshold can often be overcome easily, since it is hard for courts to check evidence for sufficiency thoroughly given the short time frame of response.
Technically it would even be possible for the authorities to use a catcher without prior authentication by a judge since it is hard to proof that a catcher was used at a specific point in time.
-This fact makes is hard to prosecute or even unveil the illegal operation of an \gls{imsi}-catcher used by third parties or criminals.
+This fact makes is hard to prosecute or even unveil the illegal operation of an IMSI Catcher used by third parties or criminals.
These loose regulations, the hardness of detection together with the fact that third parties can buy or build catchers poses a grave threat to privacy of each individual person. \ No newline at end of file
diff --git a/Tex/Content/Motivation.tex b/Tex/Content/Motivation.tex
index 71c4ad4..c8b2483 100644
--- a/Tex/Content/Motivation.tex
+++ b/Tex/Content/Motivation.tex
@@ -4,36 +4,35 @@
Boundless communication for everyone, everywhere, any time.
That was the main idea and dream behind the development of the \gls{gsm} technology.
Considering its reception and growth \cite{GSM2009,GSM_history2011,GSM_stats2011} it can be said that \gls{gsm} was one of the most successful technologies of the last 30 years.
-Since the advent of portable radio equipment and portable microprocessors, mobile phones became technologically possible in the 80's.
+The advent of portable radio equipment and microprocessors in the 80's made mobile phones technologically possible.
From that point on commercialisation started with more and more providers emerging.
With more users, security became an ever more important aspect since confidential telephone calls were now made over radio instead of fixed landlines.
In 1996 a device was released that took advantage of a security hole in the \gls{gsm} protocol which enabled it to record phone calls and track users.
-This device was developed by Rhode \& Schwartz and was called IMSI catcher.
+This device was developed by Rhode\,\&\,Schwartz and was called IMSI catcher.
The name refers to the IMSI number, a unique identification of the user inside the \gls{gsm} network.
-It can be obtained by the device by impersonating a base station, which is the entry point of the subscriber to the network.
-By means of a classical man-in-the-middle attack the IMSI catcher lures the subscriber to connect to it and relay the information to a real base station while harvesting the needed information like calls or IMSI numbers.
+It can be obtained by the device by impersonating a base station which is the entry point of the subscriber to the network.
+By means of a classical man-in-the-middle attack the IMSI catcher lures the subscriber to connect to it and relay the information to a real base station while harvesting the needed information like calls or IMSI numbers invisibly.
This risk is intensified by the fact that several other projects like the Open Source IMSI catcher \cite{dennis} succeeded in building such an IMSI catcher at a very low cost, using hardware and software that is freely available.
With this hardware it is considerably easier to eavesdrop on and thus breach the privacy of a neighbour or record corporate phone calls than it was when only landlines were available.
-Up until now countermeasures to IMSI catchers have not been given much attention to since the commercial grade devices were only available to authorities and private abuse was thus not a large topic.
+Up until now countermeasures to IMSI catchers have not been given much attention to since the commercial grade devices were only available to authorities and private abuse was thus not a large issue.
This is where this project is aimed at.
-Different ways will be explored on how to identify an IMSI catcher based on its differences to a regular base station.
+In this project different ways will be explored on how to identify an IMSI catcher based on its differences to a regular base station.
Additionally information of the surrounding area and tracking of different parameters over time is used to isolate suspicious base stations in the perimeter.
-A toolbox is developed that makes it possible to gather and analyse information from all available base stations in an easy manner, the IMSI Catcher Detection System.
+We develop a toolbox that makes it possible to gather and analyse information from all available base stations in an easy manner, the \gls{icds}.
It is also designed to operate in an end user mode where only a very simplified version of the GUI is presented and an evaluation is yielded of whether it is safe to place a phone call or not at the moment.
-The tool operates in a completely passive manner only on information that is freely broadcasted, never connecting to base stations in question.
+The tool operates in a completely passive manner, only on information that is freely broadcasted, never connecting to base stations in question.
This way the system itself stays invisible to the base stations and thus potential IMSI catchers while evaluating them.
\section{Structure}
-The remainder of this thesis is structured as follows:
-The second chapter will give an overview of how a \gls{gsm} network is built up to create a general understanding of the infrastructure in which an IMSI catcher and the detection system work.
+The remainder of this thesis is structured as follows: the second chapter will give an overview of how a \gls{gsm} network is built up to create a general understanding of the infrastructure in which an IMSI catcher and the detection system are situated.
Protocol specifics of the interface on which the two systems operate, the interface between a mobile phone and the base station will be discussed in the second part.
-The chapter concludes with a description of how an IMSI catcher works and give an account of what kind of attacks are possible.
+The chapter concludes with a description of how an IMSI catcher works and gives an account of what kind of attacks are possible.
-In the third chapter, the software framework and hardware that is used to develop the IMSI Catcher Detection System is introduced.
-The different procedures used for information gathering and evaluation are also discussed in this chapter based on possible attacks an IMSI catcher can perform and differences in parameters to a valid base station.
+In the third chapter, the software framework and hardware is introduced on which the \gls{icds} is built upon.
+The different procedures used for information gathering and evaluation are also discussed in this chapter based on possible attacks an IMSI catcher can perform as well as the differences in parameters to a valid base station.
Finally a explanation of how to set up and operate the system together with some use cases is outlined.
The fourth chapter contains an evaluation of how the system performs in several categories.
@@ -41,18 +40,19 @@ First some general performance statistics and results on the individual methods
Afterwards a long-term test over the course of a week is done to examine the false positive and false negative rates of IMSI catcher detection.
The chapter ends with two simulated attack scenarios.
-In the last chapter, a short summary of the results will be given as well as am outlook of how the system can be extended.
+In the last chapter, a short summary of the results will be given as well as am outlook of how the system can be extended in several ways.
\section{Disclaimer}
-During the practical part of this thesis precautions have been taken not to interrupt or influence radio transmissions made by regular subscribers.
-They main part of the experiments is passive information gathering which only harvests information that is freely available and thus does not influence regular communication procedures.
+While conducting the practical part of this thesis precautions have been taken not to interrupt or influence radio transmissions made by regular subscribers.
+The main part of the experiments is passive information gathering which only harvests information that is freely available and thus does not influence regular communication procedures.
The IMSI catcher was configured in a way to not let subscribers connect, therefore it is not interfering with regular connection procedures.
+Operation of the IMSI catcher was restricted to the ARFCN 877 which is officially registered to the university.
\section{On Typesetting}
To make the thesis more readable a few conventions will be kept throughout this document.
-Important words or components of the IMSI Catcher Detection System will be printed \emph{emphasised}.
-\texttt{Typewriter} font will be used whenever a console command or a file name will be used in the running text.
+Important words or components of the \gls{icds} are printed \emph{emphasised}.
+\texttt{Typewriter} is used whenever a program or a file name are used in the running text.
Code examples can be distinguished by a code listing box that surrounds them.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}%
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
@@ -63,6 +63,6 @@ if __name___ == '__main__':
\end{minipage}\\
If a complete command line is given it will be put into a new line and the \texttt{typewriter} font will be used.
\[\texttt{sudo do\_it -t now}\]
-Generally a lot of acronyms will be used due to the nature of \gls{gsm} and telephony dialects, where every possible word has an acronym associated with it.
+Generally a lot of acronyms will be used due to the nature of \gls{gsm} and telephony dialects, where every possible word has an abbreviation associated with it.
The first appearance will always be written out followed by the acronym in parenthesis that will be used from that point henceforth.
A complete list of all acronyms for reference can be found in the back of the document. \ No newline at end of file
diff --git a/Tex/Master/Glossary.tex b/Tex/Master/Glossary.tex
index db7215c..edd3b15 100644
--- a/Tex/Master/Glossary.tex
+++ b/Tex/Master/Glossary.tex
@@ -64,7 +64,7 @@
\newacronym{bts}{BTS}{Base Station Transceiver}
\newacronym{trau}{TRAU}{Transcoding Rate and Adaption Unit}
\newacronym{arfcn}{ARFCN}{Absolute Radio Frequency Number}
-\newacronym{cid}{CID}{Cell Identity}
+\newacronym[firstplural=Cell Identities (CIDs)]{cid}{CID}{Cell Identity}
\newacronym{sdcch}{SDCCH}{Standalone Dedicated Control Channel}
\newacronym{agch}{AGCH}{Access Grand Channel}
\newacronym{pch}{PCH}{Paging Channel}
@@ -88,7 +88,7 @@
\newacronym{lai}{LAI}{Location Area Identifier}
\newacronym{bka}{BKA}{Bundeskriminalamt}
\newacronym{bgs}{BGS}{Bundesgrenzschutz}
-\newacronym{bmi}{BMI}{Bundesminiterium des Inneren}
+\newacronym{bmi}{BMI}{Bundesministerium des Inneren}
\newacronym{osmo}{Osmocom}{Open source mobile communications}
\newacronym{icds}{ICDS}{IMSI Catcher Detection System}
\newacronym{diy}{DIY}{do-it-yourself}
diff --git a/Tex/Master/Master.acn b/Tex/Master/Master.acn
index 08ab0b0..f9185b9 100644
--- a/Tex/Master/Master.acn
+++ b/Tex/Master/Master.acn
@@ -2,7 +2,10 @@
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{1}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{2}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{2}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{3}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{3}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{5}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{5}
@@ -69,10 +72,10 @@
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{EEPROM?\glossaryentryfield{eeprom}{\glsnamefont{EEPROM}}{Electrically Erasable Programmable Read-Only Memory}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Ciphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Ciphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{10}
@@ -85,9 +88,9 @@
\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{MSIN?\glossaryentryfield{msin}{\glsnamefont{MSIN}}{Mobile Subscriber Identification Number}{\relax }|setentrycounter{page}\glsnumberformat}{10}
-\glossaryentry{HNI?\glossaryentryfield{hni}{\glsnamefont{HNI}}{Home Network Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{10}
-\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{10}
-\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{HNI?\glossaryentryfield{hni}{\glsnamefont{HNI}}{Home Network Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{11}
+\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{11}
+\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{11}
@@ -104,14 +107,13 @@
\glossaryentry{HLR?\glossaryentryfield{hlr}{\glsnamefont{HLR}}{Home Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{VLR?\glossaryentryfield{vlr}{\glsnamefont{VLR}}{Visitor Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{AC?\glossaryentryfield{ac}{\glsnamefont{AC}}{Authentication Center}{\relax }|setentrycounter{page}\glsnumberformat}{11}
-\glossaryentry{SMSC?\glossaryentryfield{smsc}{\glsnamefont{SMSC}}{Short Message Service Center}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{EIR?\glossaryentryfield{eir}{\glsnamefont{EIR}}{Equipment Identity Register}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{NSS?\glossaryentryfield{nss}{\glsnamefont{NSS}}{Network Subsystem}{\relax }|setentrycounter{page}\glsnumberformat}{11}
\glossaryentry{ISDN?\glossaryentryfield{isdn}{\glsnamefont{ISDN}}{Integrated Services Digital Network}{\relax }|setentrycounter{page}\glsnumberformat}{11}
-\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{11}
-\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{11}
+\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{12}
+\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{CC?\glossaryentryfield{cc}{\glsnamefont{CC}}{Call Control}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{MM?\glossaryentryfield{mm}{\glsnamefont{MM}}{Mobility Management}{\relax }|setentrycounter{page}\glsnumberformat}{12}
@@ -123,6 +125,7 @@
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{NSS?\glossaryentryfield{nss}{\glsnamefont{NSS}}{Network Subsystem}{\relax }|setentrycounter{page}\glsnumberformat}{12}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{HLR?\glossaryentryfield{hlr}{\glsnamefont{HLR}}{Home Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{12}
\glossaryentry{MSISDN?\glossaryentryfield{msisdn}{\glsnamefont{MSISDN}}{Mobile Subscriber Integrated Services Digital Network Number}{\relax }|setentrycounter{page}\glsnumberformat}{12}
@@ -168,8 +171,10 @@
\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{AC?\glossaryentryfield{ac}{\glsnamefont{AC}}{Authentication Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{UMTS?\glossaryentryfield{umts}{\glsnamefont{UMTS}}{Universal Mobile Telecomunications System}{\relax }|setentrycounter{page}\glsnumberformat}{14}
+\glossaryentry{UMTS?\glossaryentryfield{umts}{\glsnamefont{UMTS}}{Universal Mobile Telecomunications System}{\relax }|setentrycounter{page}\glsnumberformat}{15}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{15}
+\glossaryentry{UMTS?\glossaryentryfield{umts}{\glsnamefont{UMTS}}{Universal Mobile Telecomunications System}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{BSS?\glossaryentryfield{bss}{\glsnamefont{BSS}}{Basestation Subsystem}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{15}
@@ -183,16 +188,16 @@
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{TRAU?\glossaryentryfield{trau}{\glsnamefont{TRAU}}{Transcoding Rate and Adaption Unit}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{15}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{15}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{16}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{16}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{18}
@@ -214,6 +219,7 @@
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{AGCH?\glossaryentryfield{agch}{\glsnamefont{AGCH}}{Access Grand Channel}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{18}
@@ -225,11 +231,11 @@
\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{18}
-\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{18}
-\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{18}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{18}
-\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{18}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{18}
+\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{19}
+\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{19}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{19}
+\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{19}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{19}
\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{19}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{19}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{19}
@@ -243,9 +249,9 @@
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{19}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{19}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{19}
-\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{19}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{19}
-\glossaryentry{FACCH?\glossaryentryfield{facch}{\glsnamefont{FACCH}}{Fast Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{19}
+\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
+\glossaryentry{FACCH?\glossaryentryfield{facch}{\glsnamefont{FACCH}}{Fast Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{20}
@@ -287,55 +293,54 @@
\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{23}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{23}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{23}
-\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{23}
-\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{23}
+\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{24}
+\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{24}
\glossaryentry{TDMA?\glossaryentryfield{tdma}{\glsnamefont{TDMA}}{Time Division Multiple Access}{\relax }|setentrycounter{page}\glsnumberformat}{24}
-\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{24}
-\glossaryentry{FACCH?\glossaryentryfield{facch}{\glsnamefont{FACCH}}{Fast Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{24}
-\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{24}
+\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
+\glossaryentry{FACCH?\glossaryentryfield{facch}{\glsnamefont{FACCH}}{Fast Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
+\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{SACCH?\glossaryentryfield{sacch}{\glsnamefont{SACCH}}{Slow Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{FCCH?\glossaryentryfield{fcch}{\glsnamefont{FCCH}}{Frequency Correction Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{AGCH?\glossaryentryfield{agch}{\glsnamefont{AGCH}}{Access Grand Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{25}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{AGCH?\glossaryentryfield{agch}{\glsnamefont{AGCH}}{Access Grand Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
\glossaryentry{ITU?\glossaryentryfield{itu}{\glsnamefont{ITU}}{International Telecomunication Union}{\relax }|setentrycounter{page}\glsnumberformat}{26}
\glossaryentry{GMSK?\glossaryentryfield{gmsk}{\glsnamefont{GMSK}}{Gaussian Minimum Shift Keying}{\relax }|setentrycounter{page}\glsnumberformat}{26}
\glossaryentry{HDLC?\glossaryentryfield{hdlc}{\glsnamefont{HDLC}}{High Level Data Link Control}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{SS-7?\glossaryentryfield{ss7}{\glsnamefont{SS-7}}{Signaling System 7}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{LAPD?\glossaryentryfield{lapd}{\glsnamefont{LAPD}}{Link Access Procedure, D Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{HDLC?\glossaryentryfield{hdlc}{\glsnamefont{HDLC}}{High Level Data Link Control}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{ISDN?\glossaryentryfield{isdn}{\glsnamefont{ISDN}}{Integrated Services Digital Network}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{LAPD?\glossaryentryfield{lapd}{\glsnamefont{LAPD}}{Link Access Procedure, D Channel}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{MTP 2/SS7?\glossaryentryfield{mtp2}{\glsnamefont{MTP 2/SS7}}{Message Transfer Part 2/SS7}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{26}
-\glossaryentry{3GPP?\glossaryentryfield{3gpp}{\glsnamefont{3GPP}}{Third Generation Partnership Project}{\relax }|setentrycounter{page}\glsnumberformat}{26}
+\glossaryentry{SS-7?\glossaryentryfield{ss7}{\glsnamefont{SS-7}}{Signaling System 7}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{LAPD?\glossaryentryfield{lapd}{\glsnamefont{LAPD}}{Link Access Procedure, D Channel}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{HDLC?\glossaryentryfield{hdlc}{\glsnamefont{HDLC}}{High Level Data Link Control}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{ISDN?\glossaryentryfield{isdn}{\glsnamefont{ISDN}}{Integrated Services Digital Network}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{LAPD?\glossaryentryfield{lapd}{\glsnamefont{LAPD}}{Link Access Procedure, D Channel}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{MTP 2/SS7?\glossaryentryfield{mtp2}{\glsnamefont{MTP 2/SS7}}{Message Transfer Part 2/SS7}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{LAPD$_m$?\glossaryentryfield{lapdm}{\glsnamefont{LAPD$_m$}}{LAPD Mobile}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{3GPP?\glossaryentryfield{3gpp}{\glsnamefont{3GPP}}{Third Generation Partnership Project}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{27}
@@ -348,18 +353,16 @@
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{NSS?\glossaryentryfield{nss}{\glsnamefont{NSS}}{Network Subsystem}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{27}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{27}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{28}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{28}
@@ -367,290 +370,281 @@
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{30}
+\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{30}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{30}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{BMI?\glossaryentryfield{bmi}{\glsnamefont{BMI}}{Bundesminiterium des Inneren}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{BKA?\glossaryentryfield{bka}{\glsnamefont{BKA}}{Bundeskriminalamt}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{BGS?\glossaryentryfield{bgs}{\glsnamefont{BGS}}{Bundesgrenzschutz}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{31}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{32}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{Osmocom?\glossaryentryfield{osmo}{\glsnamefont{Osmocom}}{Open source mobile communications}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{Osmocom?\glossaryentryfield{osmo}{\glsnamefont{Osmocom}}{Open source mobile communications}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{33}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{34}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{34}
-\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{34}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{34}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{34}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{31}
+\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{32}
+\glossaryentry{BMI?\glossaryentryfield{bmi}{\glsnamefont{BMI}}{Bundesministerium des Inneren}{\relax }|setentrycounter{page}\glsnumberformat}{32}
+\glossaryentry{BKA?\glossaryentryfield{bka}{\glsnamefont{BKA}}{Bundeskriminalamt}{\relax }|setentrycounter{page}\glsnumberformat}{32}
+\glossaryentry{BGS?\glossaryentryfield{bgs}{\glsnamefont{BGS}}{Bundesgrenzschutz}{\relax }|setentrycounter{page}\glsnumberformat}{32}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{Osmocom?\glossaryentryfield{osmo}{\glsnamefont{Osmocom}}{Open source mobile communications}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{Osmocom?\glossaryentryfield{osmo}{\glsnamefont{Osmocom}}{Open source mobile communications}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{35}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{DIY?\glossaryentryfield{diy}{\glsnamefont{DIY}}{do-it-yourself}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{36}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{36}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{36}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{37}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{FCCH?\glossaryentryfield{fcch}{\glsnamefont{FCCH}}{Frequency Correction Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{FN?\glossaryentryfield{fn}{\glsnamefont{FN}}{Frame Number}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{38}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{36}
+\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{36}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{36}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{36}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{37}
+\glossaryentry{DIY?\glossaryentryfield{diy}{\glsnamefont{DIY}}{do-it-yourself}{\relax }|setentrycounter{page}\glsnumberformat}{37}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{37}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{38}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{38}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{38}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{BSIC?\glossaryentryfield{bsic}{\glsnamefont{BSIC}}{Base Station Identification Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{NCC?\glossaryentryfield{ncc}{\glsnamefont{NCC}}{Network Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{BCC?\glossaryentryfield{bcc}{\glsnamefont{BCC}}{Base Station Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{FCCH?\glossaryentryfield{fcch}{\glsnamefont{FCCH}}{Frequency Correction Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{FN?\glossaryentryfield{fn}{\glsnamefont{FN}}{Frame Number}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{41}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{42}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{42}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{BSIC?\glossaryentryfield{bsic}{\glsnamefont{BSIC}}{Base Station Identification Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{NCC?\glossaryentryfield{ncc}{\glsnamefont{NCC}}{Network Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{BCC?\glossaryentryfield{bcc}{\glsnamefont{BCC}}{Base Station Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{42}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{42}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{42}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{44}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{44}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{46}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{46}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{46}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{46}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{47}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{46}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{46}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{50}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{54}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{52}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{CSV?\glossaryentryfield{csv}{\glsnamefont{CSV}}{Comma Separated Value}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{54}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{55}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{54}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{CSV?\glossaryentryfield{csv}{\glsnamefont{CSV}}{Comma Separated Value}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{58}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{58}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{58}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{58}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{58}
-\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{62}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{62}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{62}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{62}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{63}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{63}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{65}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{VLR?\glossaryentryfield{vlr}{\glsnamefont{VLR}}{Visitor Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{TRAU?\glossaryentryfield{trau}{\glsnamefont{TRAU}}{Transcoding Rate and Adaption Unit}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{HLR?\glossaryentryfield{hlr}{\glsnamefont{HLR}}{Home Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{VoIP?\glossaryentryfield{voip}{\glsnamefont{VoIP}}{Voice over IP}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{65}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{67}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{67}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{VLR?\glossaryentryfield{vlr}{\glsnamefont{VLR}}{Visitor Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{TRAU?\glossaryentryfield{trau}{\glsnamefont{TRAU}}{Transcoding Rate and Adaption Unit}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{HLR?\glossaryentryfield{hlr}{\glsnamefont{HLR}}{Home Location Register}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{VoIP?\glossaryentryfield{voip}{\glsnamefont{VoIP}}{Voice over IP}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{70}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{70}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{71}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{71}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{70}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{73}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
diff --git a/Tex/Master/Master.aux b/Tex/Master/Master.aux
index 06a1a16..bb7f99f 100644
--- a/Tex/Master/Master.aux
+++ b/Tex/Master/Master.aux
@@ -89,10 +89,10 @@
\citation{GSM0207}
\citation{protocols1999}
\citation{ISO7810}
-\citation{protocols1999}
-\citation{protocols1999}
\FN@pp@footnote@aux{3}{9}
\FN@pp@footnote@aux{4}{9}
+\citation{protocols1999}
+\citation{protocols1999}
\citation{kommsys2006}
\citation{GSM23003}
\citation{ITU212}
@@ -108,12 +108,12 @@
\newlabel{fig:authentication}{{2.3}{13}}
\@writefile{toc}{\contentsline {subsubsection}{Visitor Location Register}{13}}
\citation{kommsys2006}
-\citation{kommsys2006}
\@writefile{toc}{\contentsline {subsubsection}{Authentication Center}{14}}
\newlabel{sec:authentication}{{2.2.2}{14}}
\FN@pp@footnote@aux{5}{14}
\citation{kommsys2006}
\citation{kommsys2006}
+\citation{kommsys2006}
\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900\tmspace +\thinmuskip {.1667em}MHz\ band.}}{15}}
\newlabel{fig:frequency}{{2.4}{15}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}Base Station Subsystem}{15}}
@@ -146,29 +146,30 @@
\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces The combination of FDMA and TDMA.}}{21}}
\newlabel{fig:fdma_tdma}{{2.7}{21}}
\@writefile{toc}{\contentsline {subsubsection}{Frame Numbering}{21}}
-\@writefile{toc}{\contentsline {subsubsection}{Burst Types}{21}}
\@writefile{lof}{\contentsline {figure}{\numberline {2.8}{\ignorespaces Hierarchical composition of the different frames.}}{22}}
\newlabel{fig:frame_hierarchy}{{2.8}{22}}
\@writefile{lof}{\contentsline {figure}{\numberline {2.9}{\ignorespaces Structural Comparison of different Burst types. After \cite {GSM2009}.}}{22}}
\newlabel{fig:burst_types}{{2.9}{22}}
+\@writefile{toc}{\contentsline {subsubsection}{Burst Types}{23}}
\citation{kommsys2006}
\@writefile{lof}{\contentsline {figure}{\numberline {2.10}{\ignorespaces Mapping of virtual channels on time slots.}}{24}}
\newlabel{fig:channels}{{2.10}{24}}
+\FN@pp@footnote@aux{6}{24}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.2}Logical Channels}{24}}
\newlabel{sec:channels}{{2.3.2}{24}}
-\@writefile{toc}{\contentsline {subsubsection}{Dedicated Channels}{24}}
-\citation{gsm0502}
+\@writefile{toc}{\contentsline {subsubsection}{Dedicated Channels}{25}}
\@writefile{toc}{\contentsline {subsubsection}{Common Channels}{25}}
\newlabel{sec:common_channels}{{2.3.2}{25}}
+\citation{gsm0502}
\citation{protocols1999}
\citation{GSM0405}
\citation{GSM0406}
-\citation{protocols1999}
\@writefile{toc}{\contentsline {subsubsection}{Combinations}{26}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3.3}Layers}{26}}
\newlabel{sec:layers}{{2.3.3}{26}}
\@writefile{toc}{\contentsline {paragraph}{Physical Layer (Layer 1):}{26}}
\@writefile{toc}{\contentsline {paragraph}{Data Link (Layer 2):}{26}}
+\citation{protocols1999}
\citation{fox}
\citation{imsi_wiki}
\citation{fox}
@@ -185,7 +186,7 @@
\citation{mueller}
\citation{mueller}
\citation{fox}
-\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces A commercial catcher by Rhode \& Schwarz \cite {fox} and a self built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{28}}
+\@writefile{lof}{\contentsline {figure}{\numberline {2.11}{\ignorespaces A commercial catcher by Rhode\tmspace +\thinmuskip {.1667em}\&\tmspace +\thinmuskip {.1667em}Schwarz \cite {fox} and a self built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{28}}
\newlabel{fig:catchers}{{2.11}{28}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.1}Mode of Operation}{28}}
\newlabel{sec:catcher_operation}{{2.4.1}{28}}
@@ -195,174 +196,177 @@
\citation{fox}
\citation{dennis}
\citation{imsi_wiki}
-\citation{fox}
\@writefile{toc}{\contentsline {subsubsection}{Attacks}{30}}
\newlabel{sec:attacks}{{2.4.1}{30}}
\@writefile{toc}{\contentsline {paragraph}{MS is in normal cell selection mode:}{30}}
\@writefile{toc}{\contentsline {paragraph}{MS is already connected to a network:}{30}}
\citation{fox}
+\@writefile{lof}{\contentsline {figure}{\numberline {2.13}{\ignorespaces Takeover attack of an IMSI catcher on a base station.}}{31}}
+\newlabel{fig:takeover_attack}{{2.13}{31}}
+\citation{fox}
\citation{imsi_wiki}
\citation{criminal_justice}
-\@writefile{toc}{\contentsline {subsubsection}{Risks and Irregularities}{31}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{31}}
-\newlabel{sec:catcher_law}{{2.4.2}{31}}
+\@writefile{toc}{\contentsline {subsubsection}{Risks and Irregularities}{32}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{32}}
+\newlabel{sec:catcher_law}{{2.4.2}{32}}
+\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\citation{dennis}
\citation{osmo_rationale}
-\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{33}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{35}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {3.1}Framework and Hardware}{33}}
-\FN@pp@footnote@aux{6}{33}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{33}}
+\@writefile{toc}{\contentsline {section}{\numberline {3.1}Framework and Hardware}{35}}
+\FN@pp@footnote@aux{7}{35}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{35}}
\citation{osmo_slides}
\citation{osmo_wiki_c123}
\citation{osmo_wiki_c123}
-\@writefile{toc}{\contentsline {subsubsection}{Project Status}{34}}
-\FN@pp@footnote@aux{7}{34}
-\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{35}}
-\newlabel{tab:c123_specs}{{3.1}{35}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{35}}
-\newlabel{sec:osmo_phones}{{3.1.2}{35}}
-\FN@pp@footnote@aux{8}{35}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{36}}
-\newlabel{fig:osmo_c123}{{3.1}{36}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{36}}
+\FN@pp@footnote@aux{8}{36}
+\@writefile{toc}{\contentsline {subsubsection}{Project Status}{36}}
\FN@pp@footnote@aux{9}{36}
+\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{37}}
+\newlabel{tab:c123_specs}{{3.1}{37}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}}
+\newlabel{sec:osmo_phones}{{3.1.2}{37}}
+\FN@pp@footnote@aux{10}{37}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{38}}
+\newlabel{fig:osmo_c123}{{3.1}{38}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}}
+\FN@pp@footnote@aux{11}{38}
\citation{GSM2009}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{37}}
-\newlabel{fig:osmo_setup}{{3.2}{37}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.2}Procedure}{37}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{39}}
+\newlabel{fig:osmo_setup}{{3.2}{39}}
+\@writefile{toc}{\contentsline {section}{\numberline {3.2}Procedure}{39}}
\citation{GSM2009}
\citation{GSM2009}
\citation{protocols1999}
\citation{protocols1999}
\citation{protocols1999}
-\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{38}}
-\newlabel{tab:tc_mapping}{{3.2}{38}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{38}}
-\newlabel{sec:info_gathering}{{3.2.1}{38}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{39}}
-\newlabel{fig:si1}{{3.3}{39}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{41}}
-\newlabel{fig:paging}{{3.4}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{41}}
-\newlabel{sec:info_evaluation}{{3.2.2}{41}}
-\@writefile{lot}{\contentsline {table}{\numberline {3.3}{\ignorespaces Configuration Rules implemented inside the ICDS.}}{42}}
-\newlabel{tab:config_rules}{{3.3}{42}}
-\@writefile{toc}{\contentsline {subsubsection}{Configuration Rules}{42}}
-\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{43}}
-\newlabel{tab:context_rules}{{3.4}{43}}
-\FN@pp@footnote@aux{10}{43}
-\@writefile{toc}{\contentsline {subsubsection}{Context Rules}{43}}
-\@writefile{toc}{\contentsline {paragraph}{Neighbourhood Structure}{44}}
-\FN@pp@footnote@aux{11}{44}
-\FN@pp@footnote@aux{12}{44}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{45}}
-\newlabel{fig:neighbourhood_example}{{3.5}{45}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{46}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Normal neighbourhood}}}{46}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Tainted neighbourhood}}}{46}}
-\newlabel{fig:structure_comparison}{{3.6}{46}}
-\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{46}}
-\newlabel{tab:database_rules}{{3.5}{46}}
-\@writefile{toc}{\contentsline {subsubsection}{Database Rules}{46}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{40}}
+\newlabel{tab:tc_mapping}{{3.2}{40}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{40}}
+\newlabel{sec:info_gathering}{{3.2.1}{40}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{41}}
+\newlabel{fig:si1}{{3.3}{41}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{43}}
+\newlabel{fig:paging}{{3.4}{43}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}}
+\newlabel{sec:info_evaluation}{{3.2.2}{43}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.3}{\ignorespaces Configuration Rules implemented inside the ICDS.}}{44}}
+\newlabel{tab:config_rules}{{3.3}{44}}
+\@writefile{toc}{\contentsline {subsubsection}{Configuration Rules}{44}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{45}}
+\newlabel{tab:context_rules}{{3.4}{45}}
+\FN@pp@footnote@aux{12}{45}
+\@writefile{toc}{\contentsline {subsubsection}{Context Rules}{45}}
+\@writefile{toc}{\contentsline {paragraph}{Neighbourhood Structure}{46}}
+\FN@pp@footnote@aux{13}{46}
+\FN@pp@footnote@aux{14}{46}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{47}}
+\newlabel{fig:neighbourhood_example}{{3.5}{47}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{48}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Normal neighbourhood}}}{48}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Tainted neighbourhood}}}{48}}
+\newlabel{fig:structure_comparison}{{3.6}{48}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{48}}
+\newlabel{tab:database_rules}{{3.5}{48}}
+\@writefile{toc}{\contentsline {subsubsection}{Database Rules}{48}}
\citation{wiki_cells}
-\FN@pp@footnote@aux{13}{47}
-\FN@pp@footnote@aux{14}{47}
-\FN@pp@footnote@aux{15}{47}
-\@writefile{toc}{\contentsline {subsubsection}{Scan Rules}{47}}
-\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{48}}
-\newlabel{tab:scan_rules}{{3.6}{48}}
-\@writefile{toc}{\contentsline {subsubsection}{Remaining Issues and Paging}{48}}
-\newlabel{sec:paging}{{3.2.2}{48}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{49}}
-\newlabel{sec:evaluators}{{3.2.3}{49}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.3}Implementation}{49}}
-\newlabel{sec:icds}{{3.3}{49}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{50}}
-\newlabel{fig:architecture}{{3.7}{50}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Architecture}{50}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{51}}
-\newlabel{fig:python_dict}{{3.8}{51}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{51}}
-\newlabel{sec:configuration}{{3.3.2}{51}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{52}}
-\newlabel{sec:icds_operation}{{3.3.3}{52}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{53}}
-\newlabel{fig:icds}{{3.9}{53}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Usage}{55}}
-\newlabel{sec:user_mode}{{3.3.4}{55}}
-\@writefile{toc}{\contentsline {paragraph}{Conducting sweep scans:}{55}}
-\@writefile{toc}{\contentsline {paragraph}{Using and obtaining Cell ID Information:}{55}}
-\newlabel{fig:databases_window}{{3.10(a)}{56}}
-\newlabel{sub@fig:databases_window}{{(a)}{56}}
-\newlabel{fig:rules_window}{{3.10(b)}{56}}
-\newlabel{sub@fig:rules_window}{{(b)}{56}}
-\newlabel{fig:filters_window}{{3.10(c)}{56}}
-\newlabel{sub@fig:filters_window}{{(c)}{56}}
-\newlabel{fig:pch_window}{{3.10(d)}{56}}
-\newlabel{sub@fig:pch_window}{{(d)}{56}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{56}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Databases window.}}}{56}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Rules window.}}}{56}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(c)}{\ignorespaces {Filters window.}}}{56}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(d)}{\ignorespaces {PCH scan window.}}}{56}}
-\newlabel{fig:dialogs}{{3.10}{56}}
-\@writefile{toc}{\contentsline {paragraph}{Building or using a Local Area Database:}{57}}
-\@writefile{toc}{\contentsline {paragraph}{Conducting a PCH Scan:}{57}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{58}}
-\newlabel{fig:user_mode}{{3.11}{58}}
-\@writefile{toc}{\contentsline {paragraph}{Utilising User Mode:}{58}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.4}Related Projects}{58}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{49}}
+\newlabel{tab:scan_rules}{{3.6}{49}}
+\FN@pp@footnote@aux{15}{49}
+\FN@pp@footnote@aux{16}{49}
+\FN@pp@footnote@aux{17}{49}
+\@writefile{toc}{\contentsline {subsubsection}{Scan Rules}{49}}
+\@writefile{toc}{\contentsline {subsubsection}{Remaining Issues and Paging}{50}}
+\newlabel{sec:paging}{{3.2.2}{50}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{51}}
+\newlabel{sec:evaluators}{{3.2.3}{51}}
+\@writefile{toc}{\contentsline {section}{\numberline {3.3}Implementation}{51}}
+\newlabel{sec:icds}{{3.3}{51}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}}
+\newlabel{fig:architecture}{{3.7}{52}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Architecture}{52}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{53}}
+\newlabel{fig:python_dict}{{3.8}{53}}
+\FN@pp@footnote@aux{18}{53}
+\FN@pp@footnote@aux{19}{53}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}}
+\newlabel{sec:configuration}{{3.3.2}{53}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{54}}
+\newlabel{sec:icds_operation}{{3.3.3}{54}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{55}}
+\newlabel{fig:icds}{{3.9}{55}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Usage}{57}}
+\newlabel{sec:user_mode}{{3.3.4}{57}}
+\@writefile{toc}{\contentsline {paragraph}{Conducting sweep scans:}{57}}
+\newlabel{fig:databases_window}{{3.10(a)}{58}}
+\newlabel{sub@fig:databases_window}{{(a)}{58}}
+\newlabel{fig:rules_window}{{3.10(b)}{58}}
+\newlabel{sub@fig:rules_window}{{(b)}{58}}
+\newlabel{fig:filters_window}{{3.10(c)}{58}}
+\newlabel{sub@fig:filters_window}{{(c)}{58}}
+\newlabel{fig:pch_window}{{3.10(d)}{58}}
+\newlabel{sub@fig:pch_window}{{(d)}{58}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{58}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Databases window.}}}{58}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Rules window.}}}{58}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(c)}{\ignorespaces {Filters window.}}}{58}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(d)}{\ignorespaces {PCH scan window.}}}{58}}
+\newlabel{fig:dialogs}{{3.10}{58}}
+\@writefile{toc}{\contentsline {paragraph}{Using and obtaining Cell ID Information:}{59}}
+\@writefile{toc}{\contentsline {paragraph}{Building or using a Local Area Database:}{59}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{60}}
+\newlabel{fig:user_mode}{{3.11}{60}}
+\@writefile{toc}{\contentsline {paragraph}{Conducting a PCH Scan:}{60}}
+\@writefile{toc}{\contentsline {paragraph}{Utilising User Mode:}{60}}
\citation{catcher_catcher}
-\FN@pp@footnote@aux{16}{59}
+\@writefile{toc}{\contentsline {section}{\numberline {3.4}Related Projects}{61}}
+\FN@pp@footnote@aux{20}{61}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{61}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{63}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {4.1}Performance Evaluation}{61}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Key values of the data sets used for performance tests.}}{61}}
-\newlabel{tab:key_data}{{4.1}{61}}
-\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{62}}
-\newlabel{fig:durations}{{4.1}{62}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{62}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{63}}
-\newlabel{tab:coverage}{{4.2}{63}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{63}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{63}}
+\@writefile{toc}{\contentsline {section}{\numberline {4.1}Performance Evaluation}{63}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Key values of the data sets used for performance tests.}}{63}}
+\newlabel{tab:key_data}{{4.1}{63}}
+\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{64}}
+\newlabel{fig:durations}{{4.1}{64}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{65}}
+\newlabel{tab:coverage}{{4.2}{65}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{65}}
\citation{dennis}
-\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{64}}
-\newlabel{tab:pagings}{{4.3}{64}}
-\@writefile{toc}{\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{64}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{64}}
-\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{65}}
-\newlabel{fig:setup}{{4.2}{65}}
-\FN@pp@footnote@aux{17}{65}
-\FN@pp@footnote@aux{18}{65}
-\FN@pp@footnote@aux{19}{65}
-\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{66}}
-\newlabel{fig:openbts_parameters}{{4.3}{66}}
-\@writefile{toc}{\contentsline {subsubsection}{Modifications to the ICDS Configuration}{66}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{66}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{67}}
-\newlabel{tab:err_configs}{{4.4}{67}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{68}}
-\newlabel{tab:par_change}{{4.5}{68}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{68}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{68}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{69}}
-\newlabel{tab:longterm_test}{{4.6}{69}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{69}}
-\newlabel{tab:consistent_parameters}{{4.7}{69}}
-\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Takeover attack of an IMSI catcher on a base station.}}{70}}
-\newlabel{fig:takeover_attack}{{4.4}{70}}
-\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher as a new Cell}{70}}
-\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{70}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{66}}
+\newlabel{tab:pagings}{{4.3}{66}}
+\@writefile{toc}{\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{66}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{66}}
+\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{67}}
+\newlabel{fig:setup}{{4.2}{67}}
+\FN@pp@footnote@aux{21}{67}
+\FN@pp@footnote@aux{22}{67}
+\FN@pp@footnote@aux{23}{67}
+\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{68}}
+\newlabel{fig:openbts_parameters}{{4.3}{68}}
+\@writefile{toc}{\contentsline {subsubsection}{Modifications to the ICDS Configuration}{68}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{68}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{69}}
+\newlabel{tab:err_configs}{{4.4}{69}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{70}}
+\newlabel{tab:par_change}{{4.5}{70}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{70}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{70}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{71}}
+\newlabel{tab:longterm_test}{{4.6}{71}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{71}}
+\newlabel{tab:consistent_parameters}{{4.7}{71}}
+\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher as a new Cell}{72}}
+\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{72}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion}{73}}
@@ -401,19 +405,20 @@
\bibcite{protocols1999}{17}
\bibcite{hsdpa}{18}
\bibcite{hsupa}{19}
-\bibcite{osmo_c123}{20}
-\bibcite{osmo_wiki_c123}{21}
-\bibcite{osmo_rationale}{22}
-\bibcite{criminal_justice}{23}
-\bibcite{kommsys2006}{24}
-\bibcite{overview1996}{25}
-\bibcite{def_catcher}{26}
-\bibcite{ITU1200}{27}
-\bibcite{ITU212}{28}
-\bibcite{dennis}{29}
-\bibcite{wiki_cells}{30}
-\bibcite{imsi_wiki}{31}
-\bibcite{blacklisting}{32}
+\bibcite{catcher_catcher}{20}
+\bibcite{osmo_c123}{21}
+\bibcite{osmo_wiki_c123}{22}
+\bibcite{osmo_rationale}{23}
+\bibcite{criminal_justice}{24}
+\bibcite{kommsys2006}{25}
+\bibcite{overview1996}{26}
+\bibcite{def_catcher}{27}
+\bibcite{ITU1200}{28}
+\bibcite{ITU212}{29}
+\bibcite{dennis}{30}
+\bibcite{wiki_cells}{31}
+\bibcite{imsi_wiki}{32}
+\bibcite{blacklisting}{33}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{\numberline {A}GSM}{81}}
@@ -438,7 +443,7 @@
\newlabel{sec:osmo_usage}{{B.2}{84}}
\@writefile{toc}{\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{85}}
\newlabel{sec:osmo_serial_schematics}{{B.3}{85}}
-\FN@pp@footnote@aux{20}{85}
+\FN@pp@footnote@aux{24}{85}
\@writefile{lof}{\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{85}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
diff --git a/Tex/Master/Master.bbl b/Tex/Master/Master.bbl
index b3d29f3..ffc8f74 100644
--- a/Tex/Master/Master.bbl
+++ b/Tex/Master/Master.bbl
@@ -107,6 +107,11 @@ Medium access control (mac) protocol specification.
\newblock 3GPP TS 25.321,
\url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}, 2011.
+\bibitem{catcher_catcher}
+{\sc OsmocomBB}.
+\newblock Catcher catcher.
+\newblock \url{http://opensource.srlabs.de/projects/catcher/wiki}, 2011.
+
\bibitem{osmo_c123}
{\sc OsmocomBB}.
\newblock Motorola c123.
diff --git a/Tex/Master/Master.blg b/Tex/Master/Master.blg
index c95e783..b72852f 100644
--- a/Tex/Master/Master.blg
+++ b/Tex/Master/Master.blg
@@ -2,7 +2,6 @@ This is BibTeX, Version 0.99c (TeX Live 2009/Debian)
The top-level auxiliary file: Master.aux
The style file: acm.bst
Database file #1: ../Content/Bibliography.bib
-Warning--I didn't find a database entry for "catcher_catcher"
Warning--to sort, need author or key in GSM0207
Warning--to sort, need author or key in ISO7810
Warning--to sort, need author or key in GSM23003
@@ -14,45 +13,45 @@ Warning--to sort, need author or key in GSM23078
Warning--can't use both author and editor fields in GSM2009
Warning--empty journal in mueller
Warning--empty journal in dennis
-You've used 32 entries,
+You've used 33 entries,
2253 wiz_defined-function locations,
- 690 strings with 7814 characters,
-and the built_in function-call counts, 6640 in all, are:
-= -- 635
-> -- 177
+ 692 strings with 7884 characters,
+and the built_in function-call counts, 6854 in all, are:
+= -- 655
+> -- 184
< -- 0
-+ -- 83
-- -- 50
-* -- 336
-:= -- 1008
-add.period$ -- 83
-call.type$ -- 32
-change.case$ -- 122
++ -- 86
+- -- 52
+* -- 344
+:= -- 1043
+add.period$ -- 86
+call.type$ -- 33
+change.case$ -- 126
chr.to.int$ -- 0
-cite$ -- 43
-duplicate$ -- 265
-empty$ -- 722
-format.name$ -- 50
-if$ -- 1471
+cite$ -- 44
+duplicate$ -- 273
+empty$ -- 745
+format.name$ -- 52
+if$ -- 1518
int.to.chr$ -- 0
-int.to.str$ -- 32
+int.to.str$ -- 33
missing$ -- 14
-newline$ -- 150
-num.names$ -- 40
-pop$ -- 215
+newline$ -- 155
+num.names$ -- 42
+pop$ -- 223
preamble$ -- 1
-purify$ -- 93
+purify$ -- 96
quote$ -- 0
-skip$ -- 208
+skip$ -- 215
stack$ -- 0
-substring$ -- 252
-swap$ -- 51
+substring$ -- 257
+swap$ -- 53
text.length$ -- 0
text.prefix$ -- 0
top$ -- 0
-type$ -- 122
+type$ -- 126
warning$ -- 11
-while$ -- 48
-width$ -- 34
-write$ -- 292
-(There were 12 warnings)
+while$ -- 50
+width$ -- 35
+write$ -- 302
+(There were 11 warnings)
diff --git a/Tex/Master/Master.ist b/Tex/Master/Master.ist
index 74b626a..7ffd9fa 100644
--- a/Tex/Master/Master.ist
+++ b/Tex/Master/Master.ist
@@ -1,5 +1,5 @@
% makeindex style file created by the glossaries package
-% for document 'Master' on 2012-6-1
+% for document 'Master' on 2012-6-5
actual '?'
encap '|'
level '!'
diff --git a/Tex/Master/Master.lof b/Tex/Master/Master.lof
index 2b0b39f..4febf20 100644
--- a/Tex/Master/Master.lof
+++ b/Tex/Master/Master.lof
@@ -11,31 +11,31 @@
\contentsline {figure}{\numberline {2.8}{\ignorespaces Hierarchical composition of the different frames.}}{22}
\contentsline {figure}{\numberline {2.9}{\ignorespaces Structural Comparison of different Burst types. After \cite {GSM2009}.}}{22}
\contentsline {figure}{\numberline {2.10}{\ignorespaces Mapping of virtual channels on time slots.}}{24}
-\contentsline {figure}{\numberline {2.11}{\ignorespaces A commercial catcher by Rhode \& Schwarz \cite {fox} and a self built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{28}
+\contentsline {figure}{\numberline {2.11}{\ignorespaces A commercial catcher by Rhode\tmspace +\thinmuskip {.1667em}\&\tmspace +\thinmuskip {.1667em}Schwarz \cite {fox} and a self built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{28}
\contentsline {figure}{\numberline {2.12}{\ignorespaces IMSI catching procedure. Adopted and simplified from \cite {mueller}.}}{29}
-\addvspace {10\p@ }
-\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{36}
-\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{37}
-\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{39}
-\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{41}
-\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{45}
-\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{46}
-\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Normal neighbourhood}}}{46}
-\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{46}
-\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{50}
-\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{51}
-\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{53}
-\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{56}
-\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{56}
-\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Rules window.}}}{56}
-\contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Filters window.}}}{56}
-\contentsline {subfigure}{\numberline {(d)}{\ignorespaces {PCH scan window.}}}{56}
-\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{58}
-\addvspace {10\p@ }
-\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{62}
-\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{65}
-\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{66}
-\contentsline {figure}{\numberline {4.4}{\ignorespaces Takeover attack of an IMSI catcher on a base station.}}{70}
+\contentsline {figure}{\numberline {2.13}{\ignorespaces Takeover attack of an IMSI catcher on a base station.}}{31}
+\addvspace {10\p@ }
+\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{38}
+\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{39}
+\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{41}
+\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{43}
+\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{47}
+\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{48}
+\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Normal neighbourhood}}}{48}
+\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{48}
+\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}
+\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{53}
+\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{55}
+\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{58}
+\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{58}
+\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Rules window.}}}{58}
+\contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Filters window.}}}{58}
+\contentsline {subfigure}{\numberline {(d)}{\ignorespaces {PCH scan window.}}}{58}
+\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{60}
+\addvspace {10\p@ }
+\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{64}
+\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{67}
+\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{68}
\addvspace {10\p@ }
\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{74}
\addvspace {10\p@ }
diff --git a/Tex/Master/Master.log b/Tex/Master/Master.log
index a1cd983..5f36c20 100644
--- a/Tex/Master/Master.log
+++ b/Tex/Master/Master.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 1 JUN 2012 17:55
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 5 JUN 2012 20:34
entering extended mode
%&-line parsing enabled.
**Master.tex
@@ -999,18 +999,18 @@ File: ../Images/unisiegel.pdf Graphic file (type pdf)
<use ../Images/unisiegel.pdf>
LaTeX Font Info: Font shape `T1/ptm/bx/sc' in size <20.74> not available
-(Font) Font shape `T1/ptm/b/sc' tried instead on input line 17.
-LaTeX Font Info: Try loading font information for U+msa on input line 26.
+(Font) Font shape `T1/ptm/b/sc' tried instead on input line 18.
+LaTeX Font Info: Try loading font information for U+msa on input line 27.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2009/06/22 v3.00 AMS symbols A
)
-LaTeX Font Info: Try loading font information for U+msb on input line 26.
+LaTeX Font Info: Try loading font information for U+msb on input line 27.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2009/06/22 v3.00 AMS symbols B
)
-LaTeX Font Info: Try loading font information for U+esvect on input line 26.
+LaTeX Font Info: Try loading font information for U+esvect on input line 27.
(/usr/share/texmf-texlive/tex/latex/esvect/uesvect.fd
@@ -1028,12 +1028,12 @@ Non-PDF special ignored!
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <20.74> not available
(Font) Font shape `T1/ptm/b/n' tried instead on input line 1.
-Underfull \hbox (badness 10000) in paragraph at lines 1--4
+Underfull \hbox (badness 10000) in paragraph at lines 1--5
[]
-Underfull \hbox (badness 10000) in paragraph at lines 1--4
+Underfull \hbox (badness 10000) in paragraph at lines 1--5
[]
@@ -1058,7 +1058,7 @@ File: t1phv.fd 2001/06/04 scalable font definitions for T1/phv.
LaTeX Font Info: Font shape `T1/phv/bx/n' in size <10.95> not available
(Font) Font shape `T1/phv/b/n' tried instead on input line 149.
(./Master.lof
-LaTeX Font Info: Try loading font information for T1+pcr on input line 37.
+LaTeX Font Info: Try loading font information for T1+pcr on input line 38.
(/usr/share/texmf-texlive/tex/latex/psnfss/t1pcr.fd
File: t1pcr.fd 2001/06/04 font definitions for T1/pcr.
@@ -1143,12 +1143,19 @@ LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <14.4> not available
LaTeX Font Info: Font shape `T1/pcr/bx/n' in size <10.95> not available
(Font) Font shape `T1/pcr/b/n' tried instead on input line 60.
+Overfull \hbox (4.57838pt too wide) in paragraph at lines 53--65
+\T1/ptm/m/n/10.95 ment. Im-por-tant words or com-po-nents of the []ICDS are pri
+nted \T1/ptm/m/it/10.95 em-pha-sised\T1/ptm/m/n/10.95 . \T1/pcr/m/n/10.95 Typew
+riter
+ []
+
+
Underfull \hbox (badness 10000) in paragraph at lines 53--65
[]
-Underfull \vbox (badness 2302) has occurred while \output is active []
+Underfull \vbox (badness 1005) has occurred while \output is active []
[2])
(../Content/GSM_short.tex [3] [4
@@ -1171,7 +1178,7 @@ File: ../Images/Architecture.png Graphic file (type png)
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <12> not available
(Font) Font shape `T1/ptm/b/n' tried instead on input line 121.
[8 <../Images/Architecture.png (PNG copy)>] [9] [10] [11]
-Underfull \vbox (badness 6808) has occurred while \output is active []
+Underfull \vbox (badness 2285) has occurred while \output is active []
[12]
<../Images/Authentication.png, id=97, 359.1819pt x 323.0469pt>
@@ -1184,10 +1191,7 @@ Underfull \vbox (badness 6808) has occurred while \output is active []
<../Images/Mapping.png, id=105, 337.28409pt x 115.19838pt>
File: ../Images/Mapping.png Graphic file (type png)
-<use ../Images/Mapping.png>
-Underfull \vbox (badness 1960) has occurred while \output is active []
-
- [15 <../Images/Mapping.png (PNG copy)>] [16]
+<use ../Images/Mapping.png> [15 <../Images/Mapping.png (PNG copy)>] [16]
<../Images/Cells.png, id=112, 98.72083pt x 88.8921pt>
File: ../Images/Cells.png Graphic file (type png)
@@ -1203,11 +1207,11 @@ File: ../Images/Cipher.png Graphic file (type png)
<use ../Images/Cipher.png>
Underfull \vbox (badness 2495) has occurred while \output is active []
- [19 <../Images/Cipher.png (PNG copy)>]
-<../Images/TDMAFDMA.png, id=128, 254.53494pt x 133.33815pt>
+ [19 <../Images/Cipher.png (PNG copy)>] [20]
+<../Images/TDMAFDMA.png, id=132, 254.53494pt x 133.33815pt>
File: ../Images/TDMAFDMA.png Graphic file (type png)
-<use ../Images/TDMAFDMA.png> [20]
+<use ../Images/TDMAFDMA.png>
<../Images/Frames.png, id=133, 331.28568pt x 291.39264pt>
File: ../Images/Frames.png Graphic file (type png)
@@ -1216,12 +1220,12 @@ File: ../Images/Frames.png Graphic file (type png)
File: ../Images/Bursts.png Graphic file (type png)
<use ../Images/Bursts.png> [21 <../Images/TDMAFDMA.png (PNG copy)>] [22 <../Ima
-ges/Frames.png (PNG copy)> <../Images/Bursts.png (PNG copy)>]
-<../Images/Channels.png, id=141, 272.60245pt x 169.47314pt>
+ges/Frames.png (PNG copy)> <../Images/Bursts.png (PNG copy)>] [23]
+<../Images/Channels.png, id=144, 272.60245pt x 169.47314pt>
File: ../Images/Channels.png Graphic file (type png)
-<use ../Images/Channels.png> [23] [24 <../Images/Channels.png (PNG copy)>]
-[25] [26] <../Images/imsi_catcher.jpg, id=155, 280.15778pt x 225.73222pt>
+<use ../Images/Channels.png> [24 <../Images/Channels.png (PNG copy)>] [25]
+[26] <../Images/imsi_catcher.jpg, id=155, 280.15778pt x 225.73222pt>
File: ../Images/imsi_catcher.jpg Graphic file (type jpg)
<use ../Images/imsi_catcher.jpg>
@@ -1232,89 +1236,90 @@ File: ../Images/usrp.jpg Graphic file (type jpg)
File: ../Images/catcher_attack.png Graphic file (type png)
<use ../Images/catcher_attack.png> [28 <../Images/imsi_catcher.jpg> <../Images/
-usrp.jpg>] [29 <../Images/catcher_attack.png (PNG copy)>] [30]
+usrp.jpg>] [29 <../Images/catcher_attack.png (PNG copy)>]
+<../Images/replace_attack.png, id=168, 356.94153pt x 162.67976pt>
+File: ../Images/replace_attack.png Graphic file (type png)
+
+<use ../Images/replace_attack.png> [30]
+Underfull \vbox (badness 10000) has occurred while \output is active []
+
+ [31 <../Images/replace_attack.png (PNG copy)>]
(/usr/share/texmf-texlive/tex/latex/ucs/data/uni-0.def
File: uni-0.def 2004/10/17 UCS: Unicode data U+0000..U+00FF
-) [31])
-(../Content/Detection.tex [32]
-Chapter 3.
-[33
+) [32])
+(../Content/Detection.tex [33] [34
-] <../Images/c123_pcb.png, id=181, 1284.8pt x 790.955pt>
+]
+Chapter 3.
+[35] <../Images/c123_pcb.png, id=188, 1284.8pt x 790.955pt>
File: ../Images/c123_pcb.png Graphic file (type png)
-<use ../Images/c123_pcb.png> [34] [35]
-<../Images/OsmoStructure.png, id=188, 387.00584pt x 79.13565pt>
+<use ../Images/c123_pcb.png> [36] [37]
+<../Images/OsmoStructure.png, id=196, 387.00584pt x 79.13565pt>
File: ../Images/OsmoStructure.png Graphic file (type png)
-<use ../Images/OsmoStructure.png> [36 <../Images/c123_pcb.png (PNG copy)>]
+<use ../Images/OsmoStructure.png> [38 <../Images/c123_pcb.png (PNG copy)>]
Underfull \vbox (badness 1694) has occurred while \output is active []
- [37 <../Images/OsmoStructure.png (PNG copy)>]
-<../Images/sysinfo2.png, id=196, 261.32832pt x 440.55792pt>
+ [39 <../Images/OsmoStructure.png (PNG copy)>]
+<../Images/sysinfo2.png, id=203, 261.32832pt x 440.55792pt>
File: ../Images/sysinfo2.png Graphic file (type png)
<use ../Images/sysinfo2.png>
LaTeX Warning: Float too large for page by 61.98238pt on input line 180.
-[38] [39 <../Images/sysinfo2.png (PNG copy)>]
-
-LaTeX Warning: Reference `sec:fake_parameters' on page 40 undefined on input li
-ne 191.
-
-<../Images/Paging.png, id=203, 167.95547pt x 144.61227pt>
+[40] [41 <../Images/sysinfo2.png (PNG copy)>]
+<../Images/Paging.png, id=210, 167.95547pt x 144.61227pt>
File: ../Images/Paging.png Graphic file (type png)
-<use ../Images/Paging.png> [40] [41 <../Images/Paging.png (PNG copy)>] [42]
-[43] <../Images/neighbourhoods_fak.png, id=217, 1829.83624pt x 2708.1175pt>
+<use ../Images/Paging.png> [42] [43 <../Images/Paging.png (PNG copy)>] [44]
+[45] <../Images/neighbourhoods_fak.png, id=224, 1829.83624pt x 2708.1175pt>
File: ../Images/neighbourhoods_fak.png Graphic file (type png)
<use ../Images/neighbourhoods_fak.png>
-LaTeX Warning: Float too large for page by 3.59608pt on input line 330.
+LaTeX Warning: Float too large for page by 3.59608pt on input line 329.
LaTeX Font Info: Font shape `T1/phv/bx/n' in size <14.4> not available
(Font) Font shape `T1/phv/b/n' tried instead on input line 365.
-[44] [45 <../Images/neighbourhoods_fak.png (PNG copy)>] [46] [47] [48] [49]
-<../Images/Architecture_software.png, id=238, 341.76483pt x 182.91537pt>
+[46] [47 <../Images/neighbourhoods_fak.png (PNG copy)>] [48] [49] [50] [51]
+<../Images/Architecture_software.png, id=245, 341.76483pt x 182.91537pt>
File: ../Images/Architecture_software.png Graphic file (type png)
-<use ../Images/Architecture_software.png> [50 <../Images/Architecture_software.
+<use ../Images/Architecture_software.png> [52 <../Images/Architecture_software.
png (PNG copy)>]
LaTeX Font Info: Font shape `T1/pcr/m/it' in size <10.95> not available
-(Font) Font shape `T1/pcr/m/sl' tried instead on input line 578.
- [51] <../Images/ICDS.png, id=246, 1325.95375pt x 864.22874pt>
+(Font) Font shape `T1/pcr/m/sl' tried instead on input line 580.
+ [53] <../Images/ICDS.png, id=253, 1325.95375pt x 864.22874pt>
File: ../Images/ICDS.png Graphic file (type png)
-<use ../Images/ICDS.png> [52] [53 <../Images/ICDS.png (PNG copy)>] [54]
-<../Images/databases_window.png, id=256, 366.36874pt x 459.7175pt>
+<use ../Images/ICDS.png> [54] [55 <../Images/ICDS.png (PNG copy)>] [56]
+<../Images/databases_window.png, id=264, 366.36874pt x 459.7175pt>
File: ../Images/databases_window.png Graphic file (type png)
<use ../Images/databases_window.png>
-<../Images/rules_window.png, id=257, 284.06125pt x 568.1225pt>
+<../Images/rules_window.png, id=265, 284.06125pt x 568.1225pt>
File: ../Images/rules_window.png Graphic file (type png)
<use ../Images/rules_window.png>
-<../Images/filter_window.png, id=258, 332.24126pt x 293.095pt>
+<../Images/filter_window.png, id=266, 332.24126pt x 293.095pt>
File: ../Images/filter_window.png Graphic file (type png)
<use ../Images/filter_window.png>
-<../Images/pch_window.png, id=259, 270.00874pt x 273.02pt>
+<../Images/pch_window.png, id=267, 270.00874pt x 273.02pt>
File: ../Images/pch_window.png Graphic file (type png)
-<use ../Images/pch_window.png> [55] [56 <../Images/databases_window.png> <../Im
+<use ../Images/pch_window.png> [57] [58 <../Images/databases_window.png> <../Im
ages/rules_window.png> <../Images/filter_window.png (PNG copy)> <../Images/pch_
-window.png>] [57] <../Images/user_window.png, id=273, 368.37625pt x 469.755pt>
+window.png>] [59] <../Images/user_window.png, id=280, 368.37625pt x 469.755pt>
File: ../Images/user_window.png Graphic file (type png)
-<use ../Images/user_window.png> [58 <../Images/user_window.png>]
+<use ../Images/user_window.png>
+Underfull \vbox (badness 7344) has occurred while \output is active []
-LaTeX Warning: Citation `catcher_catcher' on page 59 undefined on input line 76
-7.
-
-) (../Content/Evaluation.tex [59] [60
+ [60 <../Images/user_window.png>]) (../Content/Evaluation.tex [61] [62
]
@@ -1324,30 +1329,25 @@ Overfull \hbox (3.33815pt too wide) in paragraph at lines 16--30
[][]
[]
-[61] [62] [63] [64]
-<../Images/catcherICDS.jpg, id=297, 3474.9825pt x 1906.12125pt>
+[63] [64] [65] [66]
+<../Images/catcherICDS.jpg, id=304, 3474.9825pt x 1906.12125pt>
File: ../Images/catcherICDS.jpg Graphic file (type jpg)
-<use ../Images/catcherICDS.jpg> [65 <../Images/catcherICDS.jpg>]
+<use ../Images/catcherICDS.jpg> [67 <../Images/catcherICDS.jpg>]
Overfull \hbox (20.58582pt too wide) in paragraph at lines 236--242
\T1/ptm/m/n/10.95 Rules trig-gered: LAC/Provider Map-ping, Neigh-bour-hood Stru
c-ture, AR-FCN/Provider
[]
-[66] [67] [68] [69]
-<../Images/replace_attack.png, id=314, 356.94153pt x 162.67976pt>
-File: ../Images/replace_attack.png Graphic file (type png)
-
-<use ../Images/replace_attack.png> [70 <../Images/replace_attack.png (PNG copy)
->]) (../Content/Conclusion.tex [71] [72
-
-
-]
+[68] [69] [70] [71]) (../Content/Conclusion.tex [72]
Chapter 5.
<../Images/flowchart.png, id=324, 340.31943pt x 407.31372pt>
File: ../Images/flowchart.png Graphic file (type png)
-<use ../Images/flowchart.png> [73] [74 <../Images/flowchart.png (PNG copy)>])
+<use ../Images/flowchart.png> [73
+
+
+] [74 <../Images/flowchart.png (PNG copy)>])
[75] [76
@@ -1416,25 +1416,31 @@ Underfull \hbox (badness 1454) in paragraph at lines 83--88
[]
-Underfull \hbox (badness 10000) in paragraph at lines 143--148
+Underfull \hbox (badness 2035) in paragraph at lines 111--114
+[]\T1/ptm/m/sc/10.95 OsmocomBB\T1/ptm/m/n/10.95 . Catcher catcher. $\T1/pcr/m
+/n/10.95 http : / / opensource . srlabs . de /
+ []
+
+
+Underfull \hbox (badness 10000) in paragraph at lines 148--153
[]\T1/ptm/m/sc/10.95 Security, H. \T1/ptm/m/n/10.95 Imsi-catcher für 1500 euro
im eigen-
[]
-Underfull \hbox (badness 10000) in paragraph at lines 143--148
+Underfull \hbox (badness 10000) in paragraph at lines 148--153
\T1/ptm/m/n/10.95 bau. $\T1/pcr/m/n/10.95 http : / / www . heise . de / securi
ty / meldung /
[]
-Underfull \hbox (badness 10000) in paragraph at lines 143--148
+Underfull \hbox (badness 10000) in paragraph at lines 148--153
\T1/pcr/m/n/10.95 IMSI-[]Catcher-[]fuer-[]1500-[]Euro-[]im-[]Eigenbau-[]1048919
. html$\T1/ptm/m/n/10.95 ,
[]
[78]
-Underfull \hbox (badness 10000) in paragraph at lines 163--166
+Underfull \hbox (badness 10000) in paragraph at lines 168--171
[]\T1/ptm/m/sc/10.95 Wikipedia\T1/ptm/m/n/10.95 . Cell id. $\T1/pcr/m/n/10.95
http : / / bb . osmocom . org / trac / wiki /
[]
@@ -1580,36 +1586,32 @@ Underfull \hbox (badness 10000) in paragraph at lines 89--90
[101
-] [102] [103]) [104] (./Master.aux)
-
-LaTeX Warning: There were undefined references.
-
- )
+] [102] [103]) [104] (./Master.aux) )
Here is how much of TeX's memory you used:
- 25028 strings out of 493848
- 468895 string characters out of 1152824
- 738794 words of memory out of 3000000
- 27631 multiletter control sequences out of 15000+50000
+ 25033 strings out of 493848
+ 468950 string characters out of 1152824
+ 738815 words of memory out of 3000000
+ 27636 multiletter control sequences out of 15000+50000
83343 words of font info for 111 fonts, out of 3000000 for 9000
714 hyphenation exceptions out of 8191
61i,13n,72p,1076b,1344s stack positions out of 5000i,500n,10000p,200000b,50000s
-{/usr/share/texmf-texlive/fonts/enc/dvips/base/8r.enc}</usr/share/texmf-texli
-ve/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/texmf-texlive/fonts/ty
-pe1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-texlive/fonts/type1/public/
-amsfonts/cm/cmmi12.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm
-/cmmi8.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmr10.pfb><
-/usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmr8.pfb></usr/share/te
-xmf-texlive/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texmf-texlive
-/fonts/type1/public/amsfonts/cm/cmsy8.pfb></usr/share/texmf-texlive/fonts/type1
-/public/eurosym/feymr10.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfon
-ts/latxfont/lcircle1.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrb
-8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrr8a.pfb></usr/share
-/texmf-texlive/fonts/type1/urw/courier/ucrro8a.pfb></usr/share/texmf-texlive/fo
-nts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/tim
-es/utmb8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmr8a.pfb></usr/
-share/texmf-texlive/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/
-fonts/type1/urw/times/utmri8a.pfb>
-Output written on Master.pdf (116 pages, 18950381 bytes).
+{/usr/share/texmf-texlive/fonts/enc/dvips/
+base/8r.enc}</usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmex10.pfb
+></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/shar
+e/texmf-texlive/fonts/type1/public/amsfonts/cm/cmmi12.pfb></usr/share/texmf-tex
+live/fonts/type1/public/amsfonts/cm/cmmi8.pfb></usr/share/texmf-texlive/fonts/t
+ype1/public/amsfonts/cm/cmr10.pfb></usr/share/texmf-texlive/fonts/type1/public/
+amsfonts/cm/cmr8.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/c
+msy10.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmsy8.pfb></
+usr/share/texmf-texlive/fonts/type1/public/eurosym/feymr10.pfb></usr/share/texm
+f-texlive/fonts/type1/public/amsfonts/latxfont/lcircle1.pfb></usr/share/texmf-t
+exlive/fonts/type1/urw/courier/ucrb8a.pfb></usr/share/texmf-texlive/fonts/type1
+/urw/courier/ucrr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrro
+8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/shar
+e/texmf-texlive/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-texlive/font
+s/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/ut
+mr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmri8a.pfb>
+Output written on Master.pdf (116 pages, 18951256 bytes).
PDF statistics:
492 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 500000)
diff --git a/Tex/Master/Master.lot b/Tex/Master/Master.lot
index 3613df8..2c68aa1 100644
--- a/Tex/Master/Master.lot
+++ b/Tex/Master/Master.lot
@@ -5,20 +5,20 @@
\contentsline {table}{\numberline {2.2}{\ignorespaces Mobile Country and Network Codes. (R) denotes that the MCC is reserved but not operational as of yet, whereas (T) denotes a operational test network.}}{11}
\contentsline {table}{\numberline {2.3}{\ignorespaces Frequencies in the different bands \cite {kommsys2006}.}}{16}
\addvspace {10\p@ }
-\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{35}
-\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{38}
-\contentsline {table}{\numberline {3.3}{\ignorespaces Configuration Rules implemented inside the ICDS.}}{42}
-\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{43}
-\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{46}
-\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{48}
-\addvspace {10\p@ }
-\contentsline {table}{\numberline {4.1}{\ignorespaces Key values of the data sets used for performance tests.}}{61}
-\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{63}
-\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{64}
-\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{67}
-\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{68}
-\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{69}
-\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{69}
+\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{37}
+\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{40}
+\contentsline {table}{\numberline {3.3}{\ignorespaces Configuration Rules implemented inside the ICDS.}}{44}
+\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{45}
+\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{48}
+\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{49}
+\addvspace {10\p@ }
+\contentsline {table}{\numberline {4.1}{\ignorespaces Key values of the data sets used for performance tests.}}{63}
+\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{65}
+\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{66}
+\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{69}
+\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{70}
+\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{71}
+\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{71}
\addvspace {10\p@ }
\addvspace {10\p@ }
\contentsline {table}{\numberline {A.1}{\ignorespaces Interface found in the GSM network.}}{81}
diff --git a/Tex/Master/Master.pdf b/Tex/Master/Master.pdf
index 37d64f1..39e2cd3 100644
--- a/Tex/Master/Master.pdf
+++ b/Tex/Master/Master.pdf
Binary files differ
diff --git a/Tex/Master/Master.synctex.gz b/Tex/Master/Master.synctex.gz
index 5562cbe..9a90eb0 100644
--- a/Tex/Master/Master.synctex.gz
+++ b/Tex/Master/Master.synctex.gz
Binary files differ
diff --git a/Tex/Master/Master.toc b/Tex/Master/Master.toc
index 7370e46..ad7d0af 100644
--- a/Tex/Master/Master.toc
+++ b/Tex/Master/Master.toc
@@ -20,9 +20,9 @@
\contentsline {section}{\numberline {2.3}The $U_m$ Interface}{20}
\contentsline {subsection}{\numberline {2.3.1}Radio Transmission}{20}
\contentsline {subsubsection}{Frame Numbering}{21}
-\contentsline {subsubsection}{Burst Types}{21}
+\contentsline {subsubsection}{Burst Types}{23}
\contentsline {subsection}{\numberline {2.3.2}Logical Channels}{24}
-\contentsline {subsubsection}{Dedicated Channels}{24}
+\contentsline {subsubsection}{Dedicated Channels}{25}
\contentsline {subsubsection}{Common Channels}{25}
\contentsline {subsubsection}{Combinations}{26}
\contentsline {subsection}{\numberline {2.3.3}Layers}{26}
@@ -34,48 +34,48 @@
\contentsline {subsubsection}{Attacks}{30}
\contentsline {paragraph}{MS is in normal cell selection mode:}{30}
\contentsline {paragraph}{MS is already connected to a network:}{30}
-\contentsline {subsubsection}{Risks and Irregularities}{31}
-\contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{31}
-\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{33}
-\contentsline {section}{\numberline {3.1}Framework and Hardware}{33}
-\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{33}
-\contentsline {subsubsection}{Project Status}{34}
-\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{35}
-\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{36}
-\contentsline {section}{\numberline {3.2}Procedure}{37}
-\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{38}
-\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{41}
-\contentsline {subsubsection}{Configuration Rules}{42}
-\contentsline {subsubsection}{Context Rules}{43}
-\contentsline {paragraph}{Neighbourhood Structure}{44}
-\contentsline {subsubsection}{Database Rules}{46}
-\contentsline {subsubsection}{Scan Rules}{47}
-\contentsline {subsubsection}{Remaining Issues and Paging}{48}
-\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{49}
-\contentsline {section}{\numberline {3.3}Implementation}{49}
-\contentsline {subsection}{\numberline {3.3.1}Architecture}{50}
-\contentsline {subsection}{\numberline {3.3.2}Configuration}{51}
-\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{52}
-\contentsline {subsection}{\numberline {3.3.4}Usage}{55}
-\contentsline {paragraph}{Conducting sweep scans:}{55}
-\contentsline {paragraph}{Using and obtaining Cell ID Information:}{55}
-\contentsline {paragraph}{Building or using a Local Area Database:}{57}
-\contentsline {paragraph}{Conducting a PCH Scan:}{57}
-\contentsline {paragraph}{Utilising User Mode:}{58}
-\contentsline {section}{\numberline {3.4}Related Projects}{58}
-\contentsline {chapter}{\numberline {4}Evaluation}{61}
-\contentsline {section}{\numberline {4.1}Performance Evaluation}{61}
-\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{62}
-\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{63}
-\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{63}
-\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{64}
-\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{64}
-\contentsline {subsubsection}{Modifications to the ICDS Configuration}{66}
-\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{66}
-\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{68}
-\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{68}
-\contentsline {subsubsection}{IMSI Catcher as a new Cell}{70}
-\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{70}
+\contentsline {subsubsection}{Risks and Irregularities}{32}
+\contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{32}
+\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{35}
+\contentsline {section}{\numberline {3.1}Framework and Hardware}{35}
+\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{35}
+\contentsline {subsubsection}{Project Status}{36}
+\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}
+\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}
+\contentsline {section}{\numberline {3.2}Procedure}{39}
+\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{40}
+\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}
+\contentsline {subsubsection}{Configuration Rules}{44}
+\contentsline {subsubsection}{Context Rules}{45}
+\contentsline {paragraph}{Neighbourhood Structure}{46}
+\contentsline {subsubsection}{Database Rules}{48}
+\contentsline {subsubsection}{Scan Rules}{49}
+\contentsline {subsubsection}{Remaining Issues and Paging}{50}
+\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{51}
+\contentsline {section}{\numberline {3.3}Implementation}{51}
+\contentsline {subsection}{\numberline {3.3.1}Architecture}{52}
+\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}
+\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{54}
+\contentsline {subsection}{\numberline {3.3.4}Usage}{57}
+\contentsline {paragraph}{Conducting sweep scans:}{57}
+\contentsline {paragraph}{Using and obtaining Cell ID Information:}{59}
+\contentsline {paragraph}{Building or using a Local Area Database:}{59}
+\contentsline {paragraph}{Conducting a PCH Scan:}{60}
+\contentsline {paragraph}{Utilising User Mode:}{60}
+\contentsline {section}{\numberline {3.4}Related Projects}{61}
+\contentsline {chapter}{\numberline {4}Evaluation}{63}
+\contentsline {section}{\numberline {4.1}Performance Evaluation}{63}
+\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}
+\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}
+\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{65}
+\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{66}
+\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{66}
+\contentsline {subsubsection}{Modifications to the ICDS Configuration}{68}
+\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{68}
+\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{70}
+\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{70}
+\contentsline {subsubsection}{IMSI Catcher as a new Cell}{72}
+\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{72}
\contentsline {chapter}{\numberline {5}Conclusion}{73}
\contentsline {section}{\numberline {5.1}Summary}{73}
\contentsline {section}{\numberline {5.2}Future Work}{75}
diff --git a/Tex/Master/Titlepage.tex b/Tex/Master/Titlepage.tex
index e0329e8..a6a57a0 100644
--- a/Tex/Master/Titlepage.tex
+++ b/Tex/Master/Titlepage.tex
@@ -5,6 +5,7 @@
\begin{fullsizetitle}
\thispagestyle{empty}
\begin{center}
+ \vspace{1.5cm}
% Logo
\includegraphics[width=0.5\textwidth]{../Images/unisiegel}\\[1cm]
@@ -14,7 +15,7 @@
% Title
\rule{0.7\linewidth}{0.5mm} \\[0.7cm]
- \textsc{\huge \bfseries Imsi-Catcher Detection}\\[0.4cm]
+ \textsc{\huge \bfseries Imsi Catcher Detection}\\[0.4cm]
\rule{0.7\linewidth}{0.5mm} \\[1.5cm]
% Author and supervisor