% Master.toc: table-of-contents data, one \contentsline per heading of the document.
% Entry shape: \contentsline {level}{title}{page}; numbered headings wrap their number in \numberline {..}.
% NOTE(review): a .toc file is normally rewritten by LaTeX on each run, so presumably
% any correction to a title belongs in the .tex source rather than in this file.
% Language switch for the entries that follow (presumably written by babel; confirm).
\select@language {english}
% Chapter 1: front matter of the thesis (motivation, structure, disclaimer, typesetting notes).
\contentsline {chapter}{\numberline {1}Introduction}{1}
\contentsline {section}{\numberline {1.1}Motivation}{1}
\contentsline {section}{\numberline {1.2}Structure}{2}
\contentsline {section}{\numberline {1.3}Disclaimer}{2}
\contentsline {section}{\numberline {1.4}On Typesetting}{3}
% Chapter 2: GSM background: network components (2.2), the U_m radio interface (2.3), IMSI catchers (2.4).
\contentsline {chapter}{\numberline {2}GSM}{5}
\contentsline {section}{\numberline {2.1}A Historical Perspective}{5}
\contentsline {section}{\numberline {2.2}The GSM Network}{7}
\contentsline {subsection}{\numberline {2.2.1}Mobile Station}{8}
\contentsline {subsection}{\numberline {2.2.2}Network Subsystem}{11}
% Subsubsection and paragraph entries carry no \numberline, i.e. they are listed without a number.
\contentsline {subsubsection}{Mobile Switching Center}{11}
\contentsline {subsubsection}{Home Location Register}{12}
\contentsline {subsubsection}{Visitor Location Register}{13}
\contentsline {subsubsection}{Authentication Center}{14}
\contentsline {subsection}{\numberline {2.2.3}Base Station Subsystem}{15}
\contentsline {subsubsection}{Frequencies and the Cellular Principle}{15}
\contentsline {subsubsection}{Base Transceiver Station}{17}
\contentsline {subsubsection}{Base Station Controller}{18}
% The title below contains inline math ($U_m$), which is typeset when the contents are read in.
\contentsline {section}{\numberline {2.3}The $U_m$ Interface}{20}
\contentsline {subsection}{\numberline {2.3.1}Radio Transmission}{20}
\contentsline {subsubsection}{Frame Numbering}{21}
\contentsline {subsubsection}{Burst Types}{23}
\contentsline {subsection}{\numberline {2.3.2}Logical Channels}{24}
\contentsline {subsubsection}{Dedicated Channels}{25}
\contentsline {subsubsection}{Common Channels}{25}
\contentsline {subsubsection}{Combinations}{26}
\contentsline {subsection}{\numberline {2.3.3}Layers}{26}
\contentsline {paragraph}{Physical Layer (Layer 1):}{26}
\contentsline {paragraph}{Data Link (Layer 2):}{26}
\contentsline {paragraph}{Network (Layer 3):}{27}
% Section 2.4: the IMSI catcher itself: mode of operation, the two attack cases by MS state,
% risks and irregularities, and the legal situation in Germany.
% NOTE(review): spelled "IMSI-Catcher" here but "IMSI Catcher" in later entries; confirm the intended spelling in the source.
\contentsline {section}{\numberline {2.4}IMSI-Catcher}{27}
\contentsline {subsection}{\numberline {2.4.1}Mode of Operation}{28}
\contentsline {subsubsection}{Attacks}{30}
\contentsline {paragraph}{MS is in normal cell selection mode:}{30}
\contentsline {paragraph}{MS is already connected to a network:}{30}
\contentsline {subsubsection}{Risks and Irregularities}{32}
\contentsline {subsection}{\numberline {2.4.2}Law Situation in Germany}{32}
% Chapter 3: the detection system (abbreviated ICDS in 3.1.3); 3.1 lists OsmocomBB and the Motorola C123
% under framework and hardware.
\contentsline {chapter}{\numberline {3}IMSI Catcher Detection System}{35}
\contentsline {section}{\numberline {3.1}Framework and Hardware}{35}
\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{35}
\contentsline {subsubsection}{Project Status}{36}
\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}
\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}
% Section 3.2: detection procedure: gather information, evaluate it, then evaluate the base station.
\contentsline {section}{\numberline {3.2}Procedure}{39}
\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{39}
\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}
% 3.2.2 groups the evaluation rules into configuration, context, database and scan rules.
\contentsline {subsubsection}{Configuration Rules}{44}
\contentsline {subsubsection}{Context Rules}{45}
\contentsline {paragraph}{Neighbourhood Structure}{46}
\contentsline {subsubsection}{Database Rules}{49}
\contentsline {subsubsection}{Scan Rules}{50}
\contentsline {subsubsection}{Remaining Issues and Paging}{51}
\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{52}
% Section 3.3: implementation of the tool: architecture, configuration, GUI and usage walkthroughs.
\contentsline {section}{\numberline {3.3}Implementation}{52}
\contentsline {subsection}{\numberline {3.3.1}Architecture}{52}
\contentsline {subsection}{\numberline {3.3.2}Configuration}{54}
\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{55}
\contentsline {subsection}{\numberline {3.3.4}Usage}{58}
\contentsline {paragraph}{Conducting sweep scans:}{58}
\contentsline {paragraph}{Using and obtaining Cell ID Information:}{58}
\contentsline {paragraph}{Building or using a Local Area Database:}{60}
\contentsline {paragraph}{Conducting a PCH Scan:}{60}
\contentsline {paragraph}{Utilising User Mode:}{61}
\contentsline {section}{\numberline {3.4}Related Projects}{62}
% Chapter 4: evaluation: performance figures (4.1), then detection results (4.2) with one
% subsection per rule group and a closing set of realistic scenarios.
\contentsline {chapter}{\numberline {4}Evaluation}{63}
\contentsline {section}{\numberline {4.1}Performance Evaluation}{63}
\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}
\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}
\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{66}
\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{67}
\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{67}
\contentsline {subsubsection}{Modifications to the ICDS Configuration}{69}
\contentsline {subsection}{\numberline {4.2.2}Configuration and Context Rules Evaluation}{69}
\contentsline {subsection}{\numberline {4.2.3}Scan Rules Evaluation}{71}
\contentsline {subsection}{\numberline {4.2.4}Database Rules Evaluation}{71}
\contentsline {subsection}{\numberline {4.2.5}Realistic Scenarios}{72}
\contentsline {subsubsection}{IMSI Catcher as a new Cell}{74}
\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{74}
% Chapter 5: conclusion.
\contentsline {chapter}{\numberline {5}Conclusion}{75}
\contentsline {section}{\numberline {5.1}Summary}{75}
\contentsline {section}{\numberline {5.2}Future Work}{77}
% Chapter-level entry without \numberline (unnumbered).
\contentsline {chapter}{Bibliography}{79}
% Appendices: chapter entries numbered with letters A to E. Appendices A and C reuse the titles of chapters 2 and 3.
\contentsline {chapter}{\numberline {A}GSM}{87}
\contentsline {section}{\numberline {A.1}Interfaces}{87}
\contentsline {section}{\numberline {A.2}Channel Combinations}{88}
\contentsline {chapter}{\numberline {B}OsmocomBB}{89}
\contentsline {section}{\numberline {B.1}Installation}{89}
\contentsline {section}{\numberline {B.2}Usage}{90}
\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{91}
\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{93}
% NOTE(review): "Extextions" looks like a typo for "Extensions"; confirm and fix in the source heading.
\contentsline {section}{\numberline {C.1}Extextions}{93}
\contentsline {section}{\numberline {C.2}Example Configuration}{95}
\contentsline {chapter}{\numberline {D}System Information}{99}
\contentsline {chapter}{\numberline {E}Evaluation Data}{105}
\contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{105}
\contentsline {section}{\numberline {E.2}Database Rules Test}{105}
% Chapter-level entry without \numberline (unnumbered).
\contentsline {chapter}{Acronyms}{107}