\select@language {english} \addvspace {10\p@ } \addvspace {10\p@ } \contentsline {figure}{\numberline {2.1}{\ignorespaces Growth of mobile GSM subscriptions. Compiled from \cite {GSM2009,GSM_history2011,GSM_stats2011}}}{4} \contentsline {figure}{\numberline {2.2}{\ignorespaces The main components of a GSM network.}}{6} \contentsline {figure}{\numberline {2.3}{\ignorespaces Authentication procedure.}}{13} \contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900 Mhz band.}}{16} \contentsline {figure}{\numberline {2.5}{\ignorespaces Theoretical arrangement of radio cells compared to a realistic alignment. Cells with the same number share the same frequency \cite {GSM2009}.}}{18} \contentsline {figure}{\numberline {2.6}{\ignorespaces Common base station configurations. Compiled from \cite {protocols1999}.}}{19} \contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Stantard configuration.}}}{19} \contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Umbrella cell configuration.}}}{19} \contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Sectorised configuration.}}}{19} \contentsline {figure}{\numberline {2.7}{\ignorespaces Ciphering procedure for one frame of voice data. Adopted from \cite {kommsys2006}.}}{22} \contentsline {figure}{\numberline {2.8}{\ignorespaces The combination of FDMA and TDMA.}}{23} \contentsline {figure}{\numberline {2.9}{\ignorespaces Hierarchical Composition of the different frames.}}{25} \contentsline {figure}{\numberline {2.10}{\ignorespaces Structural Comparison of different Burst types. After \cite {GSM2009}.}}{26} \contentsline {figure}{\numberline {2.11}{\ignorespaces Mapping of virtual channels on time slots.}}{27} \contentsline {figure}{\numberline {2.12}{\ignorespaces Snippet of a Multiframe-configurations for a base station from \cite {kommsys2006}.}}{31} \contentsline {figure}{\numberline {2.13}{\ignorespaces A commercial catcher by Rhode \& Schwarz \cite {fox} and a self built catcher introduced at Defcon 2010 \cite {def_catcher}.}}{33} \contentsline {figure}{\numberline {2.14}{\ignorespaces IMSI catching procedure. Adopted and simplified from \cite {mueller}.}}{34} \addvspace {10\p@ } \contentsline {figure}{\numberline {3.1}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{40} \contentsline {figure}{\numberline {3.2}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{43} \contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message with annotations \cite {protocols1999}.}}{44} \contentsline {figure}{\numberline {3.4}{\ignorespaces T-Mobile and Vodafone stations at the Technische Fakult\"at.}}{48} \contentsline {figure}{\numberline {3.5}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{49} \contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Normal neighbourhood}}}{49} \contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{49} \contentsline {figure}{\numberline {3.6}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52} \contentsline {figure}{\numberline {3.7}{\ignorespaces The ICDS main window.}}{54} \addvspace {10\p@ } \addvspace {10\p@ } \addvspace {10\p@ } \addvspace {10\p@ } \addvspace {10\p@ } \addvspace {10\p@ }