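% List-of-figures auxiliary file (.lof), reformatted to one entry per line.
%
% Each \contentsline has three arguments: the entry type (figure or
% subfigure), the \numberline number followed by the caption text, and the
% page number. The \cite keys in the captions are resolved by the main
% document's bibliography.
%
% NOTE(review): a file like this is normally rewritten by LaTeX on every run
% from the \caption commands in the document source. The two caption
% corrections in entry 2.11 ("Rohde & Schwarz", "self-built") should also be
% applied to the source, or they will be lost on the next run.
%
% The \addvspace {10\p@ } lines presumably mark chapter starts (the standard
% report/book classes write one per \chapter). Consecutive ones would then
% belong to chapters that contain no figures.
\select@language {english}
\addvspace {10\p@ }
\addvspace {10\p@ }
% Figures 2.x
\contentsline {figure}{\numberline {2.1}{\ignorespaces Growth of mobile GSM subscriptions. Compiled from \cite {GSM2009,GSM_history2011,GSM_stats2011}}}{6}
\contentsline {figure}{\numberline {2.2}{\ignorespaces The main components of a GSM network.}}{8}
\contentsline {figure}{\numberline {2.3}{\ignorespaces Authentication procedure.}}{13}
\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900\tmspace +\thinmuskip {.1667em}MHz\ band.}}{15}
\contentsline {figure}{\numberline {2.5}{\ignorespaces Theoretical arrangement of radio cells compared to a realistic alignment. Cells with the same number share the same frequency \cite {GSM2009}.}}{17}
\contentsline {figure}{\numberline {2.6}{\ignorespaces Ciphering procedure for one frame of voice data. Adopted from \cite {kommsys2006}.}}{19}
\contentsline {figure}{\numberline {2.7}{\ignorespaces The combination of FDMA and TDMA.}}{21}
\contentsline {figure}{\numberline {2.8}{\ignorespaces Hierarchical composition of the different frames.}}{22}
\contentsline {figure}{\numberline {2.9}{\ignorespaces Structural Comparison of different Burst types. After \cite {GSM2009}.}}{22}
\contentsline {figure}{\numberline {2.10}{\ignorespaces Mapping of virtual channels on time slots.}}{24}
\contentsline {figure}{\numberline {2.11}{\ignorespaces A commercial catcher by Rohde\tmspace +\thinmuskip {.1667em}\&\tmspace +\thinmuskip {.1667em}Schwarz \cite {fox} and a self-built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{28}
\contentsline {figure}{\numberline {2.12}{\ignorespaces IMSI catching procedure. Adopted and simplified from \cite {mueller}.}}{29}
\contentsline {figure}{\numberline {2.13}{\ignorespaces Takeover attack of an IMSI catcher on a base station.}}{31}
\addvspace {10\p@ }
% Figures 3.x
\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{38}
\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{39}
\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{41}
\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}text waiting for a passive subscriber.}}{43}
\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{47}
\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{48}
\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Normal neighbourhood}}}{48}
\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{48}
\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{53}
\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{55}
\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{56}
\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{59}
\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{59}
\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Rules window.}}}{59}
\contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Filters window.}}}{59}
\contentsline {subfigure}{\numberline {(d)}{\ignorespaces {PCH scan window.}}}{59}
\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{61}
\addvspace {10\p@ }
% Figures 4.x
\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets. From left to right the datasets are: \texttt {house\_area}, \texttt {ind\_park}, \texttt {cbd}, \texttt {airport}}}{66}
\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{70}
\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{71}
\addvspace {10\p@ }
% Figures 5.x
\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{78}
\addvspace {10\p@ }
\addvspace {10\p@ }
% Figures B.x
\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{93}
\addvspace {10\p@ }
\addvspace {10\p@ }
% Figures D.x
\contentsline {figure}{\numberline {D.1}{\ignorespaces System Information 1 Message}}{102}
\contentsline {figure}{\numberline {D.2}{\ignorespaces System Information 2 Message}}{103}
\contentsline {figure}{\numberline {D.3}{\ignorespaces System Information 3 Message}}{104}
\contentsline {figure}{\numberline {D.4}{\ignorespaces System Information 4 Message}}{105}
\addvspace {10\p@ }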