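% Table-of-contents data: one \contentsline{<level>}{<title>}{<page>} entry per
% heading, in document order. The entries have the shape LaTeX writes to a .toc
% file, so this looks like generated output. If it is, fix titles in the
% document's sectioning commands, because the file is rewritten on each run.
% Entries are laid out one per line and indented by heading level; TeX ignores
% the leading spaces and the line breaks between entries.
\select@language {english}

% Chapter 1: Introduction
\contentsline {chapter}{\numberline {1}Introduction}{1}
  \contentsline {section}{\numberline {1.1}Motivation}{1}
  \contentsline {section}{\numberline {1.2}Structure}{2}
  \contentsline {section}{\numberline {1.3}Disclaimer}{2}
  \contentsline {section}{\numberline {1.4}On Typesetting}{3}

% Chapter 2: GSM background (network parts, radio interface, IMSI catchers)
\contentsline {chapter}{\numberline {2}GSM}{5}
  \contentsline {section}{\numberline {2.1}A Historical Perspective}{5}
  \contentsline {section}{\numberline {2.2}The GSM Network}{7}
    \contentsline {subsection}{\numberline {2.2.1}Mobile Station}{8}
    \contentsline {subsection}{\numberline {2.2.2}Network Subsystem}{11}
      \contentsline {subsubsection}{Mobile Switching Center}{11}
      \contentsline {subsubsection}{Home Location Register}{12}
      \contentsline {subsubsection}{Visitor Location Register}{13}
      \contentsline {subsubsection}{Authentication Center}{14}
    \contentsline {subsection}{\numberline {2.2.3}Base Station Subsystem}{15}
      \contentsline {subsubsection}{Frequencies and the Cellular Principle}{15}
      \contentsline {subsubsection}{Base Transceiver Station}{17}
      \contentsline {subsubsection}{Base Station Controller}{18}
  \contentsline {section}{\numberline {2.3}The $U_m$ Interface}{20}
    \contentsline {subsection}{\numberline {2.3.1}Radio Transmission}{20}
      \contentsline {subsubsection}{Frame Numbering}{21}
      \contentsline {subsubsection}{Burst Types}{23}
    \contentsline {subsection}{\numberline {2.3.2}Logical Channels}{24}
      \contentsline {subsubsection}{Dedicated Channels}{25}
      \contentsline {subsubsection}{Common Channels}{25}
      \contentsline {subsubsection}{Combinations}{26}
    \contentsline {subsection}{\numberline {2.3.3}Layers}{26}
        \contentsline {paragraph}{Physical Layer (Layer 1):}{26}
        \contentsline {paragraph}{Data Link (Layer 2):}{26}
        \contentsline {paragraph}{Network (Layer 3):}{27}
  \contentsline {section}{\numberline {2.4}IMSI-Catcher}{27}
    \contentsline {subsection}{\numberline {2.4.1}Mode of Operation}{28}
      \contentsline {subsubsection}{Attacks}{30}
        \contentsline {paragraph}{MS is in normal cell selection mode:}{30}
        \contentsline {paragraph}{MS is already connected to a network:}{30}
      \contentsline {subsubsection}{Risks and Irregularities}{32}
    \contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{32}

% Chapter 3: the detection system (framework, rule-based procedure, implementation)
\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{35}
  \contentsline {section}{\numberline {3.1}Framework and Hardware}{35}
    \contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{35}
      \contentsline {subsubsection}{Project Status}{36}
    \contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}
    \contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}
  \contentsline {section}{\numberline {3.2}Procedure}{39}
    \contentsline {subsection}{\numberline {3.2.1}Information Gathering}{39}
    \contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}
      \contentsline {subsubsection}{Configuration Rules}{44}
      \contentsline {subsubsection}{Context Rules}{45}
        \contentsline {paragraph}{Neighbourhood Structure}{46}
      \contentsline {subsubsection}{Database Rules}{49}
      \contentsline {subsubsection}{Scan Rules}{50}
      \contentsline {subsubsection}{Remaining Issues and Paging}{51}
    \contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{52}
  \contentsline {section}{\numberline {3.3}Implementation}{52}
    \contentsline {subsection}{\numberline {3.3.1}Architecture}{52}
    \contentsline {subsection}{\numberline {3.3.2}Configuration}{54}
    \contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{55}
    \contentsline {subsection}{\numberline {3.3.4}Usage}{58}
        \contentsline {paragraph}{Conducting sweep scans:}{58}
        \contentsline {paragraph}{Using and obtaining Cell ID Information:}{58}
        \contentsline {paragraph}{Building or using a Local Area Database:}{60}
        \contentsline {paragraph}{Conducting a PCH Scan:}{60}
        \contentsline {paragraph}{Utilising User Mode:}{61}
  \contentsline {section}{\numberline {3.4}Related Projects}{62}

% Chapter 4: evaluation of scan performance and of each detection rule group
\contentsline {chapter}{\numberline {4}Evaluation}{63}
  \contentsline {section}{\numberline {4.1}Performance Evaluation}{63}
    \contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}
    \contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}
    \contentsline {subsection}{\numberline {4.1.3}PCH Scans}{66}
  \contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{67}
    \contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{67}
      \contentsline {subsubsection}{Modifications to the ICDS Configuration}{69}
    \contentsline {subsection}{\numberline {4.2.2}Configuration and Context Rules Evaluation}{69}
    \contentsline {subsection}{\numberline {4.2.3}Scan Rules Evaluation}{71}
    \contentsline {subsection}{\numberline {4.2.4}Database Rules Evaluation}{71}
    \contentsline {subsection}{\numberline {4.2.5}Realistic Scenarios}{72}
      \contentsline {subsubsection}{IMSI Catcher as a new Cell}{74}
      \contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{74}

% Chapter 5: Conclusion
\contentsline {chapter}{\numberline {5}Conclusion}{75}
  \contentsline {section}{\numberline {5.1}Summary}{75}
  \contentsline {section}{\numberline {5.2}Future Work}{77}

% Unnumbered back matter: no \numberline in the title argument
\contentsline {chapter}{Bibliography}{79}

% Appendices A--E
\contentsline {chapter}{\numberline {A}GSM}{87}
  \contentsline {section}{\numberline {A.1}Interfaces}{87}
  \contentsline {section}{\numberline {A.2}Channel Combinations}{88}
\contentsline {chapter}{\numberline {B}OsmocomBB}{89}
  \contentsline {section}{\numberline {B.1}Installation}{89}
  \contentsline {section}{\numberline {B.2}Usage}{90}
  \contentsline {section}{\numberline {B.3}Serial Cable Schematics}{91}
\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{93}
  % Title spelling corrected from "Extextions"; the matching \section title in
  % the document source needs the same correction.
  \contentsline {section}{\numberline {C.1}Extensions}{93}
  \contentsline {section}{\numberline {C.2}Example Configuration}{95}
\contentsline {chapter}{\numberline {D}System Information}{99}
\contentsline {chapter}{\numberline {E}Evaluation Data}{105}
  \contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{105}
  \contentsline {section}{\numberline {E.2}Database Rules Test}{105}
\contentsline {chapter}{Acronyms}{107}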