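% Table-of-contents auxiliary file (.toc): one \contentsline entry per heading,
% in document order. LaTeX regenerates this file on every run, so the heading
% typos corrected below (Introduction, Base Station Controller, Adaptation,
% Implementation, Extensions) must also be fixed in the sectioning commands of
% the source .tex files, or they will reappear.
% Each entry reads: \contentsline {level}{[\numberline {number}]title}{page}.
% Entries without \numberline are unnumbered headings.
% Indentation mirrors heading nesting for readability only.
\select@language {english}

% --- Chapter 1 ---
\contentsline {chapter}{\numberline {1}Introduction}{1}
  \contentsline {section}{\numberline {1.1}Structure}{1}

% --- Chapter 2: GSM background and the IMSI catcher ---
\contentsline {chapter}{\numberline {2}GSM}{3}
  \contentsline {section}{\numberline {2.1}A Historical Perspective}{3}
  \contentsline {section}{\numberline {2.2}The GSM Network}{5}
    \contentsline {subsection}{\numberline {2.2.1}Mobile Station}{6}
    \contentsline {subsection}{\numberline {2.2.2}Network Subsystem}{9}
      \contentsline {subsubsection}{Mobile Switching Center}{9}
      \contentsline {subsubsection}{Home Location Register}{10}
      \contentsline {subsubsection}{Visitor Location Register}{12}
      \contentsline {subsubsection}{Equipment Identification Register}{12}
      \contentsline {subsubsection}{Authentication Center}{12}
    \contentsline {subsection}{\numberline {2.2.3}Intelligent Network}{14}
    \contentsline {subsection}{\numberline {2.2.4}Base Station Subsystem}{15}
      \contentsline {subsubsection}{Frequencies and the Cellular Principle}{15}
      \contentsline {subsubsection}{Base Transceiver Station}{18}
      \contentsline {subsubsection}{Base Station Controller}{20}
      \contentsline {subsubsection}{Transcoding Rate and Adaptation Unit}{21}
  \contentsline {section}{\numberline {2.3}The $U_m$ Interface}{22}
    \contentsline {subsection}{\numberline {2.3.1}Radio Transmission}{23}
      \contentsline {subsubsection}{Frame Numbering}{24}
      \contentsline {subsubsection}{Burst Types}{26}
    \contentsline {subsection}{\numberline {2.3.2}Logical Channels}{27}
      \contentsline {subsubsection}{Dedicated Channels}{28}
      \contentsline {subsubsection}{Common Channels}{28}
      \contentsline {subsubsection}{Combinations}{29}
    \contentsline {subsection}{\numberline {2.3.3}Layers}{30}
      \contentsline {paragraph}{Physical Layer (Layer 1):}{30}
      \contentsline {paragraph}{Data Link (Layer 2):}{30}
      \contentsline {paragraph}{Network (Layer 3):}{30}
  \contentsline {section}{\numberline {2.4}IMSI-Catcher}{32}
    \contentsline {subsection}{\numberline {2.4.1}Mode of Operation}{33}
      \contentsline {subsubsection}{Attacks}{35}
        \contentsline {paragraph}{MS is in normal cell selection mode:}{35}
        \contentsline {paragraph}{MS is already connected to a network:}{35}
      \contentsline {subsubsection}{Risks and Irregularities}{36}
    \contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{36}

% --- Chapter 3: detection procedure and the detection system (ICDS) ---
\contentsline {chapter}{\numberline {3}IMSI Catcher Detection}{39}
  \contentsline {section}{\numberline {3.1}Framework and Hardware}{39}
    \contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{39}
      \contentsline {subsubsection}{Project Status}{40}
      \contentsline {subsubsection}{OsmocomBB and ICDS}{41}
    \contentsline {subsection}{\numberline {3.1.2}Motorola C123}{41}
  \contentsline {section}{\numberline {3.2}Procedure}{42}
    \contentsline {subsection}{\numberline {3.2.1}Information Gathering}{43}
    \contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{45}
      \contentsline {subsubsection}{Neighbourhood Structure}{47}
      \contentsline {subsubsection}{Base Station Evaluation}{49}
    \contentsline {subsection}{\numberline {3.2.3}Forged Parameters}{50}
      \contentsline {subsubsection}{Database Rules}{50}
  \contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{51}
    \contentsline {subsection}{\numberline {3.3.1}Implementation}{51}
    \contentsline {subsection}{\numberline {3.3.2}Configuration}{53}
    \contentsline {subsection}{\numberline {3.3.3}Operation}{53}
      \contentsline {paragraph}{Sweep scans:}{56}
      \contentsline {paragraph}{Location Area Database:}{57}
      \contentsline {paragraph}{Quick check:}{57}

% --- Chapters 4 and 5 ---
\contentsline {chapter}{\numberline {4}Evaluation}{59}
\contentsline {chapter}{\numberline {5}Conclusion}{61}
  \contentsline {section}{\numberline {5.1}Related Projects}{61}
  \contentsline {section}{\numberline {5.2}Future Work}{61}

% --- Back matter (roman page numbers) ---
\contentsline {chapter}{Bibliography}{I}
\contentsline {chapter}{\numberline {A}OsmocomBB}{VII}
  \contentsline {section}{\numberline {A.1}Installation}{VII}
  \contentsline {section}{\numberline {A.2}Usage}{VIII}
  \contentsline {section}{\numberline {A.3}Serial Cable Schematics}{VIII}
\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{XI}
  \contentsline {section}{\numberline {B.1}Extensions}{XI}
  \contentsline {section}{\numberline {B.2}Example Configuration}{XI}
\contentsline {chapter}{\numberline {C}System Information}{XIII}
\contentsline {chapter}{\numberline {D}Evaluation Data}{XIX}
  \contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XIX}
  \contentsline {section}{\numberline {D.2}ICDS Scans}{XIX}
\contentsline {chapter}{Acronyms}{XXI}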