Diffstat (limited to 'Tex/Content')
-rw-r--r--  Tex/Content/Appendix.tex    | 65
-rw-r--r--  Tex/Content/Conclusion.tex  | 46
-rw-r--r--  Tex/Content/Detection.tex   |  6
-rw-r--r--  Tex/Content/Evaluation.tex  |  2
-rw-r--r--  Tex/Content/GSM_short.tex   | 78
5 files changed, 131 insertions, 66 deletions
diff --git a/Tex/Content/Appendix.tex b/Tex/Content/Appendix.tex
index 11613d3..4dbd036 100644
--- a/Tex/Content/Appendix.tex
+++ b/Tex/Content/Appendix.tex
@@ -1,3 +1,68 @@
+\chapter{GSM}
+\section{Interfaces}
+\label{sec:interfaces}
+The following table contains a brief description of the interfaces used inside a GSM network.
+On the upper part the interfaces for the Network Subsystem are listed and on the lower part the interfaces for the Base Station Subsystem can be found.
+
+\begin{table}[h!]
+\centering
+\begin{tabular}{lll}
+\toprule
+Name &Between &Function\\
+\midrule
+$A$ &MSC $\leftrightarrow$ BSS &BSS management data for Mobility Management\\
+ & &and Call Control\\
+$B$ &MSC $\leftrightarrow$ VLR &MSC receives data about MSs in the current area\\
+ & & and sends data from Location Updates\\
+$C$ &MSC $\leftrightarrow$ HLR &MSC can request routing data during call setup\\
+ & &and send \eg charging information\\
+$D$ &HLR $\leftrightarrow$ VLR &Exchange of location-dependent subscriber data\\
+ & &and updating the HLR (MSRN \etc)\\
+$E$ &MSC $\leftrightarrow$ MSC &Executing a Handover when subscriber changes\\
+ & &to a new MSC\\
+$F$ &MSC $\leftrightarrow$ EIR &Checking white-/grey- and blacklists before\\
+ & &giving access to the network\\
+$G$ &VLR $\leftrightarrow$ VLR &Connects VLR of different MSCs to exchange\\
+ & &subscriber data during a handover\\
+\midrule
+$A_\text{bis}$ &BSC $\leftrightarrow$ BTS &BSC receives data from MS via the BTS\\
+$U_m$ &BTS $\leftrightarrow$ MS &Registration procedure, call data \etc as well\\
+ & &as broadcast information about the network\\
+ & &and the base station\\
+\bottomrule
+\end{tabular}
+\caption{Interface found in the GSM network.}
+\end{table}
+
+\newpage
+\section{Channel Combinations}
+\label{sec:combinations}
+The following table contains the possible combinations of channels inside the different Multiframes.
+The respective frame type is also indicated in the lower part of the table.
+\begin{table}[h!]
+\centering
+\begin{tabular}{lccccccccc}
+\toprule
+ &M1&M2&M3&M4&M5&M6&M7&M8&M9\\
+\midrule
+TCH/F &\cellcolor[gray]{0.7}&&&&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}\\
+TCH/H &&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&&&\\
+TCH/H &&&\cellcolor[gray]{0.7}&&&&&&\\
+BCCH &&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&\\
+FCCH &&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&\\
+SCH &&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&\\
+CCCH &&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&\\
+SDCCH &&&&&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&&\\
+SACCH &\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}\\
+FACCH &\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&&\cellcolor[gray]{0.7}&\\
+\midrule
+Multiframe Type &26&26&26&51&51&51&51&26&26\\
+\bottomrule
+\end{tabular}
+\caption{Possible mappings of channels onto Multiframes}
+\end{table}
+
+
\chapter{OsmocomBB}
This section contains general information about how to operate and setup the OsmocomBB framework and the Motorola C123.
\section{Installation}
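Review bot: the caption of the new interface table, `\caption{Interface found in the GSM network.}`, should read `Interfaces found in the GSM network.`. Neither of the two added tables carries a `\label`, so they can only be cited through `\ref{sec:interfaces}` and `\ref{sec:combinations}`; add `\label{tab:interfaces}` and `\label{tab:combinations}` if the tables themselves are to be referenced. The `\cellcolor[gray]{0.7}` cells in the combinations table need the `colortbl` package (or `xcolor` with the `table` option) in the preamble, otherwise the appendix will not compile. The `TCH/H` row appears twice; if the second row is meant to be the second half-rate channel of combination M3, label it (for example `TCH/H (2)`) so it does not read as a duplicate.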
diff --git a/Tex/Content/Conclusion.tex b/Tex/Content/Conclusion.tex
index 6f85c41..2fc47c6 100644
--- a/Tex/Content/Conclusion.tex
+++ b/Tex/Content/Conclusion.tex
@@ -1,16 +1,56 @@
\chapter{Conclusion}
-
This chapter will give a short summary of the whole project and its findings.
The second section will then bring up some aspects where the \gls{icds} could be improved to yield results either faster or more accurate.
\section{Summary}
-
The aim of this project was to find ways of unveiling whether an IMSI catcher is being operated in the close perimeter or not; in other words to find out whether it is safe to initiate a phone call or not.
-The main premise that distinguishes this project from other similar projects like the Osmocom 'catcher catcher' is that the system developed is operating in a completely passive manner.
+The main premise that distinguishes this project from other similar projects like the also OsmocomBB based 'catcher catcher' is that the system developed is operating in a completely passive manner.
Therefore it can only operate on a limited amount of information, namely on information that is broadcasted on publicly available channels.
The benefit this yields over other projects is that the IMSI Catcher Detection System itself is completely invisible to the IMSI catcher.
+Chapter 2 laid out basic concepts of \gls{gsm} communication to create a basis for understanding why and how an IMSI catcher works.
+Some more detailed concepts on the $U_m$ interface were discussed to enable the reader to grasp the concept of logical channels and how they can later be used to harvest information in a passive manner.
+The chapter concluded with an account of how an IMSI catcher operates by outlining the two main ways of attacking a subscriber --- one by creating a new cell for the subscriber to connect to and the other by overtaking an already existent cell.
+Chapter 3 started by explaining how the OsmocomBB framework was used to build the \gls{icds} as well as how to configure and use the system.
+The two main sources of information, the \gls{bcch} and the \gls{pch} were introduced along with the different parameters that the \gls{icds} bases its findings on.
+An outline of how this finding is reached is illustrated in Figure \ref{fig:decision_process}.
+At first a sweep scan is conducted or an old project is loaded to supply the \gls{icds} with base information of the surrounding base stations.
+During the scan or after the data has been loaded the \gls{icds} evaluates different rules on the data either with or without consulting databases with local information depending on configuration and whether it is available or not.
+\begin{figure}
+\centering
+\includegraphics{../Images/flowchart}
+\caption{ICDS decision finding process outlined.}
+\label{fig:decision_process}
+\end{figure}
+The results show that some IMSI catcher configurations can be uncovered by these rules which check basic configuration data obtained from System Information messages.
+In addition to this data broadcasted on the \gls{bcch} reception levels and \glspl{lac} are also monitored over time to unveil attacks in which existing base stations are replaced by IMSI catchers.
+This leaves IMSI catchers that have a consistent configuration and blend well in their surroundings concerning the reception levels as well as do not actively try to make mobile phones contact them by broadcasting a new \gls{lac}.
+To handle this case the \gls{icds} can monitor the \gls{pch} of the base station in question to gather Paging Messages and Immediate Assignments.
+Since an IMSI catcher is not part of the providers network no paging messages will be forwarded to the connected subscribers.
+These findings have been confirmed with the experiments in Chapter 4 where different attack scenarios have been tested.
+In cases where the \gls{icds} was not able to uncover the IMSI catcher by rule evaluation the \gls{pch} scan yielded the desired result.
\section{Future Work}
+There are several ways in which the \gls{icds} could be improved.
+The experiments showed that one of the main issues is the duration of the sweep scans.
+If a \gls{bts} is replaced right after it has been scanned it can take up to six minutes until it is scanned again and the IMSI catcher is uncovered.
+That is the time that is needed to do a complete sweep scan.
+The \gls{icds} could be refined so that only base stations of a particular provider are monitored so the duration of sweep scans is cut down, this could also be done upon entering User Mode.
+
+In case of the Open Source IMSI Catcher no Paging Messages were sent.
+However it would be possible for a catcher that is aware of this evaluation criterion to send fake Paging Messages to arbitrary \glspl{tmsi} to deceive the \gls{icds}.
+To face this the \gls{icds} could be extended.
+Since Paging Messages would be unreliable in such a case one would have to use Immediate Assignments.
+The experiments have shown that this might increase scanning time on the \gls{pch} since these messages are much more rare than pagings.
+An Immediate Assignment sent to a subscriber contains the dedicated channel on which the conversation between the base station and the mobile phone is to continue.
+At this point the \gls{icds} already uses the information about dedicated channel to see whether frequency hopping is used or not.
+If an Immediate Assignment is caught by the \gls{icds} one could follow on the assigned channel and catch the Cipher Mode Message.
+Since an IMSI catcher will disable encryption to tap into calls, the Cipher Mode Message would contain A5/0 as its encryption algorithm.
+This feature could be used to handle cases of fake Paging Messages or Immediate Assignments, however it would take longer to conduct the \gls{pch} scan.
+Another problem would be that it requires another subscriber that is connected to the IMSI catcher initiating a call.
+On the other hand a regular base station using encryption can also be verified this way.
+
+These approaches are not strictly passive since they require another participant to become active.
+Although not strictly passive the \gls{icds} would still be invisible thus fulfilling the premise of not being uncovered itself.
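Review bot: the chapter references in the new summary are hard-coded (`Chapter 2`, `Chapter 3`, `Chapter 4`) and will silently go stale if a chapter is added or reordered; use `\ref` with chapter labels instead. The `\begin{figure}` block is dropped into the middle of a paragraph with no blank line around it, which splits the paragraph; move it after the paragraph or separate it with blank lines. Smaller wording points: `like the also OsmocomBB based 'catcher catcher'` reads awkwardly (`like the 'catcher catcher', which is also based on OsmocomBB`), `the providers network` should be `the provider's network`, and `cut down, this could also be done upon entering User Mode` is a comma splice.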
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index 9591776..cc84981 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -614,10 +614,10 @@ Zooming can also be done with the mouse wheel and it is possible to drag the gra
\end{enumerate}
\begin{figure}
\centering
-\subfigure[Filters window.]{\includegraphics[width=.4\textwidth]{../Images/filter_window}\label{fig:filters_window}}
+\subfigure[Databases window.]{\includegraphics[width=.4\textwidth]{../Images/databases_window}\label{fig:databases_window}}
\subfigure[Rules window.]{\includegraphics[width=.4\textwidth]{../Images/rules_window}\label{fig:rules_window}}\\
-\subfigure[Databases window.]{\includegraphics[width=.4\textwidth]{../Images/databases}\label{fig:databases}}
-\subfigure[Encryption window (not yet implemented).]{\includegraphics[width=.4\textwidth]{../Images/databases}\label{fig:encryption_window}}
+\subfigure[Filters window.]{\includegraphics[width=.4\textwidth]{../Images/filter_window}\label{fig:filters_window}}
+\subfigure[PCH scan window.]{\includegraphics[width=.4\textwidth]{../Images/pch_window}\label{fig:pch_window}}
\caption{Dialogs for different settings.}
\end{figure}
The procedure of operation differs depending on the purpose.
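Review bot: `\label{fig:databases}` and `\label{fig:encryption_window}` are removed here and `fig:databases_window` and `fig:pch_window` take their place; any remaining `\ref{fig:databases}` or `\ref{fig:encryption_window}` elsewhere in Detection.tex will now be an undefined reference, so grep for both before merging. If the `enumerate` closed just above the figure walks through the dialogs in order, check that it still matches the new subfigure order (Databases, Rules, Filters, PCH scan).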
diff --git a/Tex/Content/Evaluation.tex b/Tex/Content/Evaluation.tex
index 5254d31..dd8464b 100644
--- a/Tex/Content/Evaluation.tex
+++ b/Tex/Content/Evaluation.tex
@@ -124,7 +124,7 @@ That was to be expected as formerly discussed in Section \ref{sec:paging} becaus
\toprule
& \multicolumn{2}{c}{\texttt{house\_area}} &\phantom{a}& \multicolumn{2}{c}{\texttt{cbd}} &\phantom{a} & \multicolumn{2}{c}{\texttt{airport}}\\
\cmidrule{2-3} \cmidrule{5-6} \cmidrule{8-9}
-&Pagings&Imm. Ass.& &Pagings &Imm. Ass.& &Pagings&Imm. Ass.\\
+&Pagings&IAs& &Pagings &IAs.& &Pagings&IAs.\\
\midrule
T-Mobile& 89&3& &75&3& &109&4\\
E-Plus& 119&1& &67&2& &70&1\\
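Review bot: the new header line is inconsistent within itself: `IAs` in the first column group but `IAs.` (trailing full stop) in the other two; use `IAs` in all three. If `IAs` is not introduced as an abbreviation for Immediate Assignments anywhere before this table, keep `Imm. Ass.` or add a footnote so the table stays self-explanatory.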
diff --git a/Tex/Content/GSM_short.tex b/Tex/Content/GSM_short.tex
index 41e93ba..6330dd2 100644
--- a/Tex/Content/GSM_short.tex
+++ b/Tex/Content/GSM_short.tex
@@ -270,38 +270,7 @@ A procedure called Handover achieves just that.
For this central role to work it is necessary to be connected to all the other components of the \gls{nss}.
This is done via different connections called Interfaces.
-A brief description of what the different interfaces in a GSM network are and what their respective function is can be seen in Table \ref{tab:interfaces}.
-
-\begin{table}
-\centering
-\begin{tabular}{lll}
-\toprule
-Name &Between &Function\\
-\midrule
-$A$ &MSC $\leftrightarrow$ BSS &BSS management data for Mobility Management\\
- & &and Call Control\\
-$B$ &MSC $\leftrightarrow$ VLR &MSC receives data about MSs in the current area\\
- & & and sends data from Location Updates\\
-$C$ &MSC $\leftrightarrow$ HLR &MSC can request routing data during call setup\\
- & &and send \eg charging information\\
-$D$ &HLR $\leftrightarrow$ VLR &Exchange of location-dependent subscriber data\\
- & &and updating the HLR (MSRN \etc)\\
-$E$ &MSC $\leftrightarrow$ MSC &Executing a Handover when subscriber changes\\
- & &to a new MSC\\
-$F$ &MSC $\leftrightarrow$ EIR &Checking white-/grey- and blacklists before\\
- & &giving access to the network\\
-$G$ &VLR $\leftrightarrow$ VLR &Connects VLR of different MSCs to exchange\\
- & &subscriber data during a handover\\
-\midrule
-$A_\text{bis}$ &BSC $\leftrightarrow$ BTS &BSC receives data from MS via the BTS\\
-$U_m$ &BTS $\leftrightarrow$ MS &Registration procedure, call data \etc as well\\
- & &as broadcast information about the network\\
- & &and the base station\\
-\bottomrule
-\end{tabular}
-\caption{Interfaces inside the core network (upper part) and the radio network (lower part)}
-\label{tab:interfaces}
-\end{table}
+A brief description of what the different interfaces in a GSM network are and what their respective function is can be seen in Appendix \ref{sec:interfaces}.
\subsubsection{Home Location Register}
The \gls{hlr} is the central database in which all personal subscriber related data is stored.
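Review bot: removing the table also removes `\label{tab:interfaces}`; the sentence here is updated to `Appendix \ref{sec:interfaces}`, but any other `\ref{tab:interfaces}` in the thesis will now be undefined, so check for remaining uses. The dropped caption, `Interfaces inside the core network (upper part) and the radio network (lower part)`, was more informative than the one used for the appendix copy and could be carried over.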
@@ -375,7 +344,7 @@ The \gls{bss} is the part of the network that provides the hard- and software fo
Its main components are the \gls{bsc}, the \gls{bts} and the \gls{trau}.
Connecting a mobile subscriber works via radio which is why this subsystem is sometimes also called the radio network \cite{kommsys2006}.
Inside the radio network of a certain area there is one \gls{bsc} that connects to multiple \glspl{bts} and one more \glspl{trau} depending on whether the \gls{trau} is attached to the \gls{bsc} or to all the \glspl{bts}.
-While the Transceiver station act as receiver for radio signals the controller coordinates the different receivers and relays the incoming signals to the core network.
+While the Transceiver station acts as receiver for radio signals the controller coordinates the different receivers and relays the incoming signals to the core network.
Since signals inside the core network are transmitted at other rates than in the radio network, rates need to be adapted which is done by the \gls{trau}.
Before discussing the individual components of this subsystem it is important to understand how the frequencies of the radio network are used and what architectural impacts this sparse resource has on the network and the components itself.
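Review bot: the `act` to `acts` fix is correct; the unchanged context line two lines above, `one more \glspl{trau}`, looks like it should read `one or more \glspl{trau}` and could be fixed in the same commit.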
@@ -571,44 +540,27 @@ An illustration of how these multiplexing methods work together can be seen in F
\subsubsection{Frame Numbering}
Another important aspect is the frame hierarchy and the resulting frame numbering since it is used for ciphering as well as channel mapping and synchronisation.
-The frame number is broadcasted frequently on the \gls{sch} to keep mobile subscribers in sync and inform subscribers that are about to connect or request a channel for communication.
-Figure \ref{fig:frame_hierarchy} shows a complete diagram of the numbering scheme and frame hierarchy for reference.
+The frame number is one of the inputs required to generate the ciphering key and is broadcasted frequently on the \gls{sch} to keep mobile subscribers in sync.
-The timeslots on the lowest level of the hierarchy have a length of $4.615\text{\,ms} \div 8 = 577~\mu\text{s}$ and are also known as Bursts numbered from 0 to 7.
+The timeslots on the lowest level of the hierarchy have a length of $4.615\text{\,ms} \div 8 = 577~\mu\text{s}$ and are also known as Bursts numbered from 0 to 7.
Every new \gls{tdma} frame the sequence number is increased by one.
Since this number cannot be increased endlessly is repeated every 3\,h 28\,m 53\,s and 760\,ms.
This is the largest chunk in the frame hierarchy and it is called Hyperframe.
-Superframes and Multiframes are layers in between the Hyperframe and the \gls{tdma} frame.
-As can be seen in the diagram the two variants of Multiframes, the 26-Multiframe containing 26 \gls{tdma} frames transports traffic channels as well as the respective control channels and the 51-Multiframe with its 51 \gls{tdma} frames with signalling data only.
-Superframes wrap these different kinds of Multiframes into packages of the same size.
-So either 51 26-Multiframes can be carried by a Superframe or 51 26-Multiframes yielding a duration of 6\,s and 120\,ms each.
-Finally 2048 Superframes make up one Hyperframe.
+Superframes and Multiframes are layers between the Hyperframe and the \gls{tdma} frame which can occur in different configurations.
+The 51-Multiframe consists of 51 TDMA frames and carries only signalling data whereas the 26-Multiframe contains 26 TDMA frames and carries traffic and control channels.
+Superframes can be seen as packages to wrap these different Multiframes in one package of the same length.
\begin{figure}
\centering
\includegraphics{../Images/Frames}
- \caption{Hierarchical Composition of the different frames.}
+ \caption{Hierarchical composition of the different frames.}
\label{fig:frame_hierarchy}
\end{figure}
-The frequency number thus is repeated every 3 hours this way which makes cracking the ciphering algorithm that has the sequence number as one of its inputs and thus intercepting a call considerably more difficult.
When a \gls{ms} and \gls{bts} start to communicate the frame number has to be obtained by the \gls{ms} through the \gls{sch} before it can ask for a channel.
This is important since the frame number is a vital information indicating the chronological order of control channels.
If the \gls{ms} asks for a channel assignment in frame $n$ and a channel is assigned to the \gls{ms}, the assigned channels refers back to the frame $n$ and thus the \gls{ms} can find its channel amongst the others.
-The last task mentioned above was synchronisation.
-Since the mobile station and the transceiver station cannot send at exactly the same time, uplink and downlink of a channel are shifted by three timeslots.
-The time in between uplink and downlink however cannot be fixed for all situations like that.
-During a call a participant may move around and since radio waves travel at the speed of light slight variations in timing need to be dealt with.
-If not data from two participants might overlap and be rendered unusable.
-To avoid this problem each Burst has a Guard Time at the beginning and at the end, where no data is transmitted.
-The complete structure of such a Normal Burst is outlined in Figure \ref{fig:burst_types}.
-However this does not suffice if a subscriber moves away or to a \gls{bts} at considerable speed.
-Therefore a mechanism called Timing Advance is used.
-Basically the farther a subscriber is away from a base station the earlier a burst has to be sent, to compensate for the distance.
-The value for the Timing Advance is determined by the \gls{bsc} after receiving a channel request message from the mobile station and afterwards constantly updated by the respective \gls{bts}.
-The channel request message itself has only little data and large Guard Times since Timing Advance can only be used after this first measurement.
-
\begin{figure}
\centering
\includegraphics{../Images/Bursts}
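Review bot: the new sentence `The frame number is one of the inputs required to generate the ciphering key` is not accurate for GSM: the ciphering key Kc is derived by A8 from Ki and RAND, while the frame number (COUNT) is an input, together with Kc, to the A5 stream cipher that produces the keystream for each burst; rephrase to `one of the inputs to the ciphering algorithm`. Further points in this hunk: the figure `fig:frame_hierarchy` stays but is no longer referenced from the text once `Figure \ref{fig:frame_hierarchy} shows ...` is deleted; deleting `Finally 2048 Superframes make up one Hyperframe` together with the 6 s 120 ms Superframe duration removes the numbers that justify the 3 h 28 m 53 s 760 ms period stated on the context line above; the `-`/`+` pair for the timeslot sentence is a whitespace-only change; and the subsection's opening context line still promises `synchronisation`, which after this change is only covered under Burst Types. The context line `Since this number cannot be increased endlessly is repeated` is also missing `it`.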
@@ -617,13 +569,20 @@ The channel request message itself has only little data and large Guard Times si
\end{figure}
\subsubsection{Burst Types}
-%TODO make explanation more consistent with image
As suggested by the paragraph above there are different kinds of Bursts which are shown in \ref{fig:burst_types} \cite{GSM2009}.
-All Bursts contain the before mentioned Guard Times which separate them from the next Burst.
+
In addition to data bits and known fixed bit sequences every frame has tail bits, which mark the beginning and the end of a frame.
-The training sequence is a fixed bit sequence that appears in conjunction with data bit sequences.
+The fixed bit sequence is called training sequence and appears in conjunction with the data bit sequences.
During a radio transmission procedure the signal can be distorted by shadowing, reflection, or other factors which would result in a loss of data.
But since the training sequence is known it is possible to reconstruct the original signal by comparing the incoming training sequence with the expected one and thus conserving the data bits.
+
+All Bursts contain Guard Times which separate them from the next Burst.
+This is necessary subscribers can move around and thus slight variations in timing may occur.
+These variations could result in the collision of data from several different sources rendering it unusable.
+For subscribers that move at considerable speeds \eg in a car this is not sufficient and an extra mechanism called Timing Advance is used.
+Basically the farther a subscriber is away from a base station the earlier a burst has to be sent, to compensate for the distance.
+The value for the Timing Advance is determined by the \gls{bsc} after receiving a channel request message from the mobile station and afterwards constantly updated by the respective \gls{bts}.
+
\begin{itemize}
\item Normal Burst: The basic information transmitting Burst.
All information on traffic and control channels is transmitted by this Burst except for the \gls{rach}.
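Review bot: `This is necessary subscribers can move around` in the new paragraph is missing a conjunction (`This is necessary since subscribers can move around`). The moved Timing Advance paragraph also drops the point made in the old text that the channel request is sent before any Timing Advance measurement exists and therefore carries little data and large Guard Times; that is the reason for its special burst layout and is worth keeping. Minor, in the context lines: `every frame has tail bits` should be `every Burst`, and `shown in \ref{fig:burst_types}` needs `Figure` in front.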
@@ -699,6 +658,7 @@ These are point to multi-point channels.
\subsubsection{Combinations}
These channels cannot arbitrarily be mapped onto Multiframes.
There is a complex multiplexing scheme defined in GSM 05.02 \cite{gsm0502} that explains which channel combinations can occur inside a Multiframe.
+A table containing the possible combinations can be found in Appendix \ref{sec:combinations}.
The mapping of these specific Multiframe-configurations onto timeslots is not arbitrary either.
Normally TS-0 and TS-1, the first two time slots, are used handle channels with signalling information.
The \gls{bcch} for example, which we will use to harvest information uses TS-0 of the carrier frequency.
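Review bot: the added cross-reference is fine; the context line just below it, `are used handle channels with signalling information`, is missing `to` (`are used to handle`) and could be fixed here.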