
Problems with GSM security

- 2G systems provide only a one-way authentication mechanism: the network authenticates the identity of the mobile user, but the user has no way to authenticate the network.
- Only access security is provided; communications and signalling traffic in the fixed network are not protected.
- Active attacks (such as false base stations) are not addressed.
- A GSM network is only as secure as the fixed networks to which it connects.
- Lawful interception was considered only as an afterthought.
- The terminal identity (IMEI) cannot be trusted.
- The cryptographic mechanisms are difficult to upgrade.
- Lack of user visibility: the user cannot tell whether protection is in use.

Attacks on GSM networks


Eavesdropping. The intruder eavesdrops on signalling and data connections associated with other users. The required equipment is a modified MS.

Impersonation of a user. The intruder sends signalling and/or user data to the network, in an attempt to make the network believe they originate from the target user. The required equipment is again a modified MS.

Impersonation of the network. The intruder sends signalling and/or user data to the target user, in an attempt to make the target user believe they originate from a genuine network. The required equipment is a modified BTS.

Man-in-the-middle. The intruder places itself between the target user and a genuine network and is able to eavesdrop, modify, delete, re-order, replay and spoof the signalling and user data messages exchanged between the two parties. The required equipment is a modified BTS in conjunction with a modified MS.

Compromising authentication vectors in the network. The intruder possesses a compromised authentication vector, which may include challenge/response pairs, cipher keys and integrity keys. This data may have been obtained by compromising network nodes or by intercepting signalling messages on network links.

Camping on a false BTS


An attack that requires a modified BTS and exploits the weakness that a user can be enticed to camp on a false base station. Once the target MS camps on the radio channels of the false base station, it is out of reach of the paging signals of the serving network in which it is registered, so the genuine network can no longer reach it while the attacker controls everything it sees.

3G vs. GSM
A change was made to defeat the false base station attack: the network authentication token (AUTN) carries a sequence number and a message authentication code, so the mobile can verify that a challenge comes from a genuine network and is fresh. Key lengths were increased to allow for stronger algorithms for encryption and integrity. Mechanisms were included to support security within and between networks. Security is terminated within the switch (the RNC) rather than in the base station as in GSM, so the links between the base station and the switch are protected. Integrity mechanisms for the terminal identity (IMEI) were designed in from the start, rather than being introduced late as in GSM.

GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc. Nothing in the triplet authenticates the network to the user.

UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN, which carries the sequence number and a message authentication code that the USIM verifies before it answers.
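The difference between the triplet and the quintet is easiest to see as a protocol exchange. The following is an added example, not code from the original notes: a toy model in which HMAC-SHA256 stands in for the operator algorithms (A3/A8 in GSM, Milenage f1..f5 in UMTS), the subscriber key and AMF value are constructed, and the `USIM` class, `gsm_sim_respond` and `umts_quintet` names are this example's own. The real functions differ, but the protocol shape, which is what matters here, does not.

```python
"""GSM AKA (one-way) versus UMTS AKA (mutual, via AUTN), as a toy protocol model.

Added example; not code from the original notes. HMAC-SHA256 stands in for the
operator algorithms (A3/A8 in GSM, Milenage f1..f5 in UMTS).
"""
import hashlib
import hmac
import os

AMF = b"\x80\x00"   # authentication management field, constructed value


def _f(key, label, *parts, n):
    """Keyed PRF; the label keeps the A3/A8 and f1..f5 roles domain-separated."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


# --- GSM: triplet (RAND, SRES, Kc). Only the user is authenticated. ---
def gsm_triplet(ki, rand=None):
    rand = rand if rand is not None else os.urandom(16)
    return rand, _f(ki, b"A3", rand, n=4), _f(ki, b"A8", rand, n=8)


def gsm_sim_respond(ki, rand):
    """A SIM answers any RAND: nothing in the message tells it who sent it."""
    return _f(ki, b"A3", rand, n=4), _f(ki, b"A8", rand, n=8)


# --- UMTS: quintet (RAND, XRES, CK, IK, AUTN). The USIM checks AUTN. ---
def umts_quintet(k, sqn, rand=None):
    rand = rand if rand is not None else os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"f1", sqn_b, rand, AMF, n=8)          # proves knowledge of K
    ak = _f(k, b"f5", rand, n=6)                       # anonymity key hides SQN
    autn = bytes(s ^ a for s, a in zip(sqn_b, ak)) + AMF + mac
    return (rand, _f(k, b"f2", rand, n=8), _f(k, b"f3", rand, n=16),
            _f(k, b"f4", rand, n=16), autn)


class USIM:
    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand, autn):
        """Return ("ok", RES, CK, IK) or ("mac_failure"|"sync_failure", None, None, None)."""
        ak = _f(self.k, b"f5", rand, n=6)
        sqn_b = bytes(x ^ a for x, a in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:16]
        xmac = _f(self.k, b"f1", sqn_b, rand, amf, n=8)
        if not hmac.compare_digest(mac, xmac):
            return "mac_failure", None, None, None     # sender does not know K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return "sync_failure", None, None, None    # stale or replayed vector
        self.sqn_ms = sqn                              # accept and advance
        return ("ok", _f(self.k, b"f2", rand, n=8),
                _f(self.k, b"f3", rand, n=16), _f(self.k, b"f4", rand, n=16))


def demo():
    ki = bytes(range(16))                  # constructed subscriber key (toy value)
    attacker_rand = b"\x00" * 16           # a false BTS chooses any RAND it likes

    # GSM: the SIM returns SRES/Kc to the attacker's challenge without complaint.
    sres, kc = gsm_sim_respond(ki, attacker_rand)

    # UMTS: the same attacker cannot forge AUTN without K ...
    usim = USIM(ki)
    forged = usim.authenticate(attacker_rand, os.urandom(16))[0]

    # ... and a genuine vector is accepted once but rejected when replayed.
    rand, xres, ck, ik, autn = umts_quintet(ki, sqn=1)
    first = usim.authenticate(rand, autn)
    replay = usim.authenticate(rand, autn)[0]

    return {
        "gsm_answered": len(sres) == 4 and len(kc) == 8,
        "umts_forged": forged,
        "umts_first": first[0],
        "umts_keys_match": first[1:] == (xres, ck, ik),
        "umts_replay": replay,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The GSM branch is the whole false-BTS story in three lines: the SIM computes SRES and Kc for whatever RAND arrives, so an attacker with a modified BTS never needs to know Ki to get the mobile talking. In the UMTS branch the same attacker fails the MAC check, and even a genuine quintet captured on a network link (the "compromising authentication vectors" attack above) fails the sequence-number check once it has been used.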

Procedure for the MT to search for BTS around its vicinity

Mode of operation for fake BTS


The attacker's BTS transmits on a beacon frequency of the victim's provider, and broadcasts the MCC and MNC of that same provider.

Search for the BTS. There are several situations in which the MS starts to look for a new BTS to connect to. We may divide them into scenarios in which no network signal is available and those in which the MS is already connected.

In the first case the MS does not receive any network signal. It starts by checking all frequencies used by the BTS stations that were near the BTS to which it was last successfully connected. If none is found, it switches to search mode, in which it scans through the standard frequencies to find active BTS stations. Here the attacker's fake BTS must provide the following parameters of the real network: the mobile country code (MCC), the mobile network code (MNC) and the network short name. This behaviour can be triggered in several ways, but usually it is done by jamming the real BTS signal.

In the second case the MS is already connected to the network. There are then only two events that may lead to selection of a new BTS; the one of interest here is that the MS finds a BTS with a better signal than the one it is connected to. In this case the fake BTS sends its signal on the frequency channel used by one of the BTS stations near the victim's MS. This scenario is called a forced BTS reselection.

Once a fake BTS is switched on and transmitting, it is still not recognised by the victim's MS. To force selection of his BTS, the attacker can exploit the fact that the MS regularly measures the signal strength of the nearest BTS stations. Knowing the frequencies of those stations, he can set up the fake BTS to send a signal stronger than any other BTS in the immediate neighbourhood. This signal should be sent on the frequency of the neighbour with the weakest signal. When the received signal becomes better than that of the existing connection, the MS changes BTS automatically. This scenario only works while the MS is in stand-by mode with no active communication: during an active call, moving the connection would be a handover within the network, which cannot be done without access to the MNO's BSC. Figure 2.12 illustrates an example scenario. At the beginning the MS is connected to BTS one and knows about the nearest BTS stations, namely BTS two, BTS three and BTS four. The attacker checks the frequency channel of each BTS station. Later, when he switches on his fake BTS, it starts to send a signal on the same channel as BTS four, which had

Signal Jamming
Using this technique, the attacker first sends a distortion signal on the frequency of the existing connection between the victim's MS and BTS. If the distortion is strong enough, the connection is broken. The MS then automatically starts the BTS search procedure to find a substitute for the jammed one. In this way it may select the attacker's BTS, but it may also happen that the signal from another BTS has better quality and the MS selects that one instead. To be sure that the result of the selection is the fake BTS, the attacker may briefly jam the signals of the other closest BTS stations as well, based on the neighbour list. The biggest advantage of jamming all the nearest BTS stations is that it forces the MS into BTS signal search mode, where it scans all frequency channels rather than only those on the neighbour list. As a result, the attacker can lure the MS onto the fake BTS on any ARFCN supported by the phone, which gives him much better connection quality.

Cell Selection and Re-selection


According to [4] (Section 6.6), the MS synchronizes to and reads the BCCH information of the 6 strongest non-serving carriers, and at least every 5 s it calculates C1 (the path loss criterion parameter) and C2 for the serving cell and re-calculates C1 and C2 for the non-serving cells. A cell reselection may take place if one of the following conditions is met:
1) The calculated value of C2 for a non-serving suitable cell exceeds the value of C2 for the serving cell for a period of 5 seconds (both cells are in the same location area).
2) The calculated value of C2 for a non-serving suitable cell exceeds the value of C2 for the serving cell by at least CELL_RESELECT_HYSTERESIS dB, as defined by the BCCH data of the current serving cell, for a period of 5 seconds (the two cells are in different location areas).
3) The path loss criterion C1 for the current serving cell falls below zero for a period of 5 seconds, indicating that the path loss to the cell has become too high.
4) The current serving cell is barred.
5) The MS downlink signalling failure counter (DSC) expires, which takes a time TF

If we can make the value of C2 that the MS calculates for the fake base station exceed the value of C2 for the serving cell by at least CELL_RESELECT_HYSTERESIS dB, then a cell reselection will happen. The same feature works in the attacker's favour afterwards: because the hysteresis the MS applies is the one broadcast by its current serving cell, giving the fake base station's CELL_RESELECT_HYSTERESIS a large value prevents the MS from switching back to another BS easily.

The path loss criterion parameter C1 used for cell selection and reselection is defined by:

C1 = A - Max(B, 0)

where
A = RLA_C - RXLEV_ACCESS_MIN
B = MS_TXPWR_MAX_CCH - P
except for the class 3 DCS 1800 MS, where B = MS_TXPWR_MAX_CCH + POWER_OFFSET - P.
RLA_C is the received level average (in dBm) of the cell's BCCH carrier, RXLEV_ACCESS_MIN is the minimum received level at the MS required for access to the cell, MS_TXPWR_MAX_CCH is the maximum transmit power an MS may use when accessing the cell (all broadcast on the BCCH), and P is the maximum RF output power of the MS.

The value of C2 is defined as follows:

C2 = C1 + CELL_RESELECT_OFFSET - TEMPORARY_OFFSET * H(PENALTY_TIME - T)   for PENALTY_TIME <> 11111

C2 = C1 - CELL_RESELECT_OFFSET   for PENALTY_TIME = 11111

where H(x) = 0 for x < 0 and H(x) = 1 for x >= 0, T is a timer implemented for each cell in the list of strongest carriers, and CELL_RESELECT_OFFSET is used to give different priorities to different bands when multiband operation is used.

TEMPORARY_OFFSET applies a negative offset to C2 for the duration of PENALTY_TIME after the timer T has started for that cell, and PENALTY_TIME is the duration for which TEMPORARY_OFFSET applies. CELL_RESELECT_OFFSET, TEMPORARY_OFFSET, PENALTY_TIME and CELL_BAR_QUALIFY are optionally broadcast on the BCCH of the cell. If not broadcast, the default values are CELL_BAR_QUALIFY = 0, and C2 = C1. [1]
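The forced reselection described earlier and the C1/C2 criteria above can be worked through numerically. The following is an added example, not code from the original notes: it implements C1, C2 and reselection conditions 1-3 as quoted, with constructed cell parameters (the `Cell` dataclass, its field names and the two scenarios are this example's own). It shows a false BTS that is 5 dB weaker on air than the serving cell but wins on C2 through CELL_RESELECT_OFFSET, and then, once the MS is camped on it, holds the MS through a large CELL_RESELECT_HYSTERESIS even when the genuine cell is ahead on C2.

```python
"""C1/C2 cell selection criteria and the idle-mode reselection rule, simulated.

Added example; not code from the original notes. Cell parameters are constructed.
"""
from dataclasses import dataclass

PENALTY_TIME_INFINITE = 0b11111       # coded value: CELL_RESELECT_OFFSET is subtracted


def H(x):
    """Step function in the C2 formula: H(x) = 0 for x < 0, 1 for x >= 0."""
    return 1 if x >= 0 else 0


@dataclass
class Cell:
    name: str
    lac: int                            # location area code
    rxlev_access_min: int               # dBm, from BCCH
    ms_txpwr_max_cch: int               # dBm, from BCCH
    cell_reselect_offset: int = 0       # dB
    temporary_offset: int = 0           # dB
    penalty_time: int = 0               # s, or PENALTY_TIME_INFINITE
    cell_reselect_hysteresis: int = 0   # dB, applies when leaving this cell's LA
    timer_t: float = 0.0                # s since the cell entered the strongest-6 list


def c1(cell, rla_c, p_ms):
    """C1 = A - max(B, 0), A = RLA_C - RXLEV_ACCESS_MIN, B = MS_TXPWR_MAX_CCH - P."""
    a = rla_c - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - p_ms
    return a - max(b, 0)


def c2(cell, rla_c, p_ms):
    base = c1(cell, rla_c, p_ms)
    if cell.penalty_time == PENALTY_TIME_INFINITE:
        return base - cell.cell_reselect_offset
    return (base + cell.cell_reselect_offset
            - cell.temporary_offset * H(cell.penalty_time - cell.timer_t))


def should_reselect(serving, serving_rla, cand, cand_rla, p_ms, better_for_s):
    """Conditions 1-3 of the rule above. better_for_s: seconds the candidate has led."""
    if better_for_s < 5:
        return False, "candidate better for less than 5 s"
    if c1(serving, serving_rla, p_ms) < 0:
        return True, "serving C1 below zero (path loss too high)"
    margin = c2(cand, cand_rla, p_ms) - c2(serving, serving_rla, p_ms)
    if cand.lac == serving.lac:
        return margin > 0, f"same LA, C2 margin {margin} dB"
    hyst = serving.cell_reselect_hysteresis   # hysteresis comes from the serving cell's BCCH
    return margin >= hyst, f"different LA, C2 margin {margin} dB vs hysteresis {hyst} dB"


def demo():
    p_ms = 33      # class 4 GSM 900 MS, maximum output power 33 dBm
    genuine = Cell("BTS1", lac=100, rxlev_access_min=-110, ms_txpwr_max_cch=33,
                   cell_reselect_hysteresis=4)
    fake = Cell("FAKE", lac=999, rxlev_access_min=-110, ms_txpwr_max_cch=33,
                cell_reselect_offset=40, cell_reselect_hysteresis=14)
    # 1) MS camped on BTS1 at -80 dBm; FAKE is 5 dB weaker on air but wins on C2.
    pulled, why_pulled = should_reselect(genuine, -80, fake, -85, p_ms, 5)
    # 2) MS camped on FAKE; BTS1 recovers to -40 dBm and leads C2 by 5 dB,
    #    but FAKE's 14 dB hysteresis keeps the MS where it is.
    escaped, why_stuck = should_reselect(fake, -85, genuine, -40, p_ms, 5)
    return {"c2_genuine": c2(genuine, -80, p_ms), "c2_fake": c2(fake, -85, p_ms),
            "pulled_to_fake": pulled, "why_pulled": why_pulled,
            "escaped": escaped, "why_stuck": why_stuck}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things fall out of the numbers. First, raw signal strength is not what the MS compares: CELL_RESELECT_OFFSET is added before the comparison, so a false BTS does not need to out-transmit the genuine cell. Second, the hysteresis in condition 2 is taken from the serving cell, which is why the attacker sets it on the fake cell rather than worrying about the genuine cell's value. A monitoring tool that sees a cell advertising the operator's MCC/MNC with an unusual LAC, a large CELL_RESELECT_OFFSET and the maximum hysteresis is looking at exactly this configuration.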

Mobile Initialization
There are three main goals of the mobile initialization procedure:

Frequency Synchronization. As the terminal is switched on, it scans the available GSM RF channels and takes several readings of their RF levels to obtain an accurate estimate of the signal strengths. Starting with the channel with the highest level, the terminal searches for the frequency correction burst on the BCCH carrier. If no frequency correction burst is detected, it moves to the next highest level signal and repeats the process until it succeeds; it then synchronizes its local oscillator with the frequency reference of the base station transceiver.

Timing Synchronization. After frequency synchronization has been achieved, the terminal searches for the synchronization burst on the SCH to obtain timing information. If it is not successful, it moves to the next highest level signal and repeats the process, starting again from frequency synchronization, until it succeeds; it then moves to the BCCH to acquire overhead system information.

Overhead Information Acquisition. After timing synchronization has been achieved, the terminal searches for overhead information on the BCCH. If the BCCH information does not include the current BCCH number, it will restart the

When an MS enters the network, it first looks for the beacon frequencies of the nearby base transceivers by scanning all possible channels. All base stations transmit their beacon frequencies at a fixed frequency and power level. The MS finds a beacon frequency by searching the frequency with the highest signal level for a timeslot carrying a sequence of "00000...", which after GMSK modulation is a pure sine wave; this is transmitted on the Frequency Correction Channel (FCCH). FCCH is one logical channel in the physical channel called the Broadcast Control Channel (BCCH), and it is used for bit synchronization. The BCCH is always on timeslot 0 of the beacon frequency. After the MS achieves bit synchronization, it finds the Synchronization Channel (SCH) in the BCCH physical channel, and from the SCH it derives frame synchronization. Then the MS can find the logical channel BCCH, also located in the physical channel BCCH. The logical channel BCCH transmits important BTS information such as the frequency hopping sequences, the other frequencies in use, and the neighbouring cells. When the MS is turned on, the network knows the location area (LA) where the MS is located. A location area may consist of several cells, so the MS is paged in all of them.

Cell Selection

GSM MS List of States for the cell selection process

The GSM mobile station (MS) enters various states when switched on but in idle mode. Three such processes, PLMN selection, cell selection and location registration, are described by the GSM standards as a "set of states"; the overall state of the mobile is thus a "composite of the states of the three processes". As TS 100 930 puts it: "In some cases, an event which causes a change of state in one process may trigger a change of state in another process, e.g., camping on a cell in a new registration area triggers an LR request." Below are the states relevant for MS cell selection; for a more detailed description of their behaviour see GSM 05.08. (The state labels C1, C2, C3 are unrelated to the C1 and C2 criteria above.)

C1 Normal Cell Selection - the process of initial cell selection, searching all RF channels.

C2 Stored List Cell Selection - the process of initial cell selection where BCCH carrier information (e.g. a BA list) for the selected PLMN is stored in the MS.

C3 Camped Normally - the MS is camped on a cell of the selected PLMN and may be able to make and receive calls. (Whether or not the MS can make and receive calls depends on the state within the location registration

PLMN Selection
1. Home PLMN. The Multi-RAT MS shall search for the Home PLMN using all access technologies it is capable of, and start its search using the "access technologies priority list" stored in the Subscriber Identity Module (SIM).
2. Each PLMN in the "user controlled PLMN list" stored in the SIM, in priority order. The Multi-RAT MS shall try to find each PLMN using the "access technologies priority list" stored for each PLMN in the SIM.
3. Each PLMN in the "operator controlled PLMN list" stored in the SIM, in priority order. The Multi-RAT MS shall try to find each PLMN using the "access technologies priority list" stored for each PLMN in the SIM.
4. Other PLMN/access technology combinations with a received high quality signal, in random order. For GSM: SS > -85 dBm; for WCDMA: CPICH RSCP > -95 dBm.
5. All other PLMN/access technology combinations in order of decreasing signal strength.

Conformance requirement

At switch on, or following recovery from lack of coverage, the MS selects the registered PLMN or an equivalent PLMN (if it is available) using all access technologies that the MS is capable of and, if necessary (in the case of recovery from lack of coverage, see TS 23.122, clause 4.5.2), attempts to perform a Location Registration. If successful registration is achieved, the MS indicates the selected PLMN.

If there is no registered PLMN, or if registration is not possible due to the PLMN being unavailable or registration failure, the MS follows either Automatic or Manual Network Selection Mode Procedure depending on its operating mode.

Cell Reselection to UMTS based on cell ranking

Camping Strategy for a Combined WCDMA/GSM Network

The choice of system for idle mode camping is important. The Multi-RAT MS should camp on the system where it is expected to set up its services and where it will be paged. In order to access UTRAN-specific services it needs to camp on UTRAN. The recommended strategy is therefore:

camp on UTRAN whenever there is UTRAN coverage.


Outside UTRAN coverage the Multi-RAT MS will camp on GSM, to get access to standard GSM services. Once a UTRAN cell is selected/reselected, the parameter setting in UTRAN should try to keep the UE in UTRAN as long as the quality and received signal strength of the UTRAN cell are good enough. The GSM parameter settings recommended in this engineering guideline enable the camping strategy described above.

Cell Reselection to UMTS

It is important to coordinate the parameters in GSM and UTRAN to achieve the wanted inter-RAT cell reselection behaviour and thus a smooth coexistence. For extensive information on the cell reselection algorithm from UTRAN to GSM and the corresponding parameters, parameter ranges and default values, see Reference [15]. The recommended cell reselection parameter settings in the following subchapters are coordinated with the corresponding parameter recommendations for UTRAN to GSM cell reselection found in Reference [15].

Measurements for mobiles on dedicated channels and for cell reselection to UMTS based on cell ranking

Besides measurements on surrounding GSM/GPRS/EGPRS cells, a Multi-RAT MS also performs measurements on UTRAN neighbouring cells. These measurements are performed in a different way than for GSM cells and may be less frequent than measurements on GSM. In general, UTRAN measurements are done during spare time, that is, GSM measurements have priority and UTRAN measurements are done if there is time left. In order to reduce unnecessary measurements and to optimize Multi-RAT MS battery consumption, the GSM network controls when the measurements on UTRAN cells shall be performed with the parameters QSI and QSC. The parameters QSI and QSC define thresholds and also indicate whether these measurements shall be performed when the signal strength (SS) of the serving cell is below or above the threshold. They can be used to avoid unnecessary measurements on UTRAN cells and do not control the behaviour of Multi-RAT MSs in terms of making decisions for cell reselection and handover. QSI is used for idle and packet switched modes and is broadcast on BCCH and PBCCH (if enabled), while QSC is used for active mode and is sent on SACCH. [3]

Cell Reselection Process


In order to always camp on the best cell the UE performs the cell reselection procedure in the following cases:

- When the cell on which it is camping is no longer suitable.
- When the UE, in camped normally state, has found a better neighbouring cell than the cell on which it is camping.
- When the UE is in limited service state on an acceptable cell.


When the UE triggers a cell reselection evaluation process, it performs ranking of cells that fulfill the following criteria.

Cells are ranked according to the R criteria:

Qmeas is the quality value of the received signal. Qmeas may be derived from the averaged CPICH Ec/No or CPICH RSCP for WCDMA cells. Qmeas uses the averaged received signal level for GSM cells. CPICH RSCP is always used as a measurement quantity when WCDMA cells are compared with GSM cells.

Cell reselection criteria are used for intra-frequency, inter-frequency and inter-RAT cells. The decision on when measurements on intra-frequencies should be performed is made using the parameter sIntraSearch in relation to Squal.

The decision on when measurements on GSM frequencies should be performed is made using the parameter sRATSearch.

The UE is also supposed to be able to measure on interfrequency cells. The decision on when measurements on interfrequencies should be performed is made using the parameter sInterSearch in relation to Squal.

At switch on or recovery from lack of coverage

At switch on, or following recovery from lack of coverage, the MS selects the registered PLMN or equivalent PLMN (if it is available) using all access technologies that the MS is capable of and if necessary attempts to perform a Location Registration. As an alternative option to this, if the MS is in automatic network selection mode and it finds coverage of the HPLMN, the MS may register on the HPLMN and not return to the registered PLMN. The operator is able to control by SIM configuration (parameter Last RPLMN Selection Indication) whether an MS that supports this option shall perform this alternative behaviour. If successful registration is achieved, the MS indicates the selected PLMN. If there is no registered PLMN, or if registration is not possible due to the PLMN being unavailable or registration failure, the MS follows one of the following two procedures depending on its PLMN selection operating mode. At switch on, if the MS provides the optional feature of user

At switch on, if the MS is in manual mode and neither registered PLMN nor PLMN that is equivalent to it is available but EHPLMN is available, then instead of performing the manual network selection mode procedure the MS may select and attempt registration on the highest priority EHPLMN. If the EHPLMN list is not available or is empty and the HPLMN is available, then the MS may select and attempt registration on the HPLMN. The MS remains in manual mode. If successful registration is achieved, then the current serving PLMN becomes the registered PLMN and the MS does not store the previous registered PLMN for later use. As an exception, if registration is not possible on recovery from lack of coverage due to the registered PLMN being unavailable, an MS attached to GPRS services may, optionally, continue looking for the registered PLMN for an implementation dependent time. An MS attached to GPRS services should use the above exception only if one or more PDP contexts are currently active.

Automatic Network Selection Mode


The MS selects and attempts registration on other PLMN/access technology combinations, if available and allowable, in the following order: 1) either the HPLMN (if the EHPLMN list is not present or is empty) or the highest priority EHPLMN that is available (if the EHPLMN list is present); 2) each PLMN/access technology combination in the User Controlled PLMN Selector with Access Technology data file in the SIM (in priority order); 3) each PLMN/access technology combination in the

In 2 and 3, the MS shall search for all access technologies it is capable of before deciding which PLMN to select. In 1, the MS shall search for all access technologies it is capable of. No priority is defined for the preferred access technology and the priority is an implementation issue, but the "HPLMN Selector with Access Technology" data file on the SIM may be used to optimise the procedure.

In 1, an MS using a SIM without access technology information storage (i.e. the "HPLMN Selector with Access Technology" data file is not present) shall search for all access technologies it is capable of and shall assume GSM access technology as the highest priority radio access technology. In 5) , the MS shall order the PLMN/access technology combinations in order of decreasing signal quality within each access technology. The order between PLMN/access technology combinations with different access technologies is an MS implementation issue.

If successful registration is achieved, the MS indicates the selected PLMN. If registration cannot be achieved because no PLMNs are available and allowable, the MS indicates no service to the user, waits until a new PLMN is available and allowable and then repeats the procedure. If there were one or more PLMNs which were available and allowable, but an LR failure made registration on those PLMNs unsuccessful or an entry in any of the lists forbidden LAs for roaming, or forbidden LAs for regional provision of service prevented a registration attempt, the MS selects the first such PLMN again and enters a limited service state. [4]

MS and BTS transmission at the same time

GSM Physical and logical channel concept

Uplink frequency = 890.2 + 0.2 (N - 1) MHz
Downlink frequency = 935.2 + 0.2 (N - 1) MHz
where N, from 1 to 124, is the ARFCN (absolute radio frequency channel number); the uplink/downlink duplex spacing is 45 MHz.

As the same antenna is used for transmit and receive, a delay of 3 time slots is introduced between TS0 of the uplink and TS0 of d
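Anyone monitoring for a false BTS with an SDR has to turn an ARFCN from a neighbour list into a downlink frequency to tune to, and a beacon seen on a spectrum plot back into an ARFCN. The following is an added example, not code from the original notes; it generalises the P-GSM 900 formula above to the E-GSM 900 extension and DCS 1800 using the standard GSM 05.05 band edges (45 MHz duplex spacing in the 900 MHz bands, 95 MHz in DCS 1800), and the `BANDS` table and function names are this example's own.

```python
"""ARFCN <-> carrier frequency for GSM 900 / E-GSM 900 / DCS 1800.

Added example; not code from the original notes. Arithmetic is done in kHz so
that the round-trip between ARFCN and frequency is exact.
"""

# (band, lowest ARFCN, highest ARFCN, uplink of lowest ARFCN in kHz, duplex spacing in kHz)
BANDS = [
    ("P-GSM 900", 1, 124, 890_200, 45_000),      # the formula quoted above
    ("E-GSM 900", 975, 1023, 880_200, 45_000),   # 975 -> 880.2 MHz ... 1023 -> 889.8 MHz
    ("E-GSM 900", 0, 0, 890_000, 45_000),        # ARFCN 0 sits just below ARFCN 1
    ("DCS 1800", 512, 885, 1_710_200, 95_000),   # 1710.2-1784.8 MHz up, +95 MHz down
]


def arfcn_to_freq(n):
    """Return (band, uplink_MHz, downlink_MHz); ValueError for an unassigned ARFCN."""
    for band, lo, hi, ul_lo_khz, duplex_khz in BANDS:
        if lo <= n <= hi:
            ul = ul_lo_khz + 200 * (n - lo)          # 200 kHz channel raster
            return band, ul / 1000, (ul + duplex_khz) / 1000
    raise ValueError(f"ARFCN {n} is not assigned in GSM 900 / DCS 1800")


def downlink_to_arfcn(downlink_mhz):
    """Inverse lookup for a downlink (BCCH beacon) frequency read off an SDR."""
    dl_khz = round(downlink_mhz * 1000)
    for band, lo, hi, ul_lo_khz, duplex_khz in BANDS:
        dl_lo = ul_lo_khz + duplex_khz
        on_raster = (dl_khz - dl_lo) % 200 == 0
        if dl_lo <= dl_khz <= dl_lo + 200 * (hi - lo) and on_raster:
            return lo + (dl_khz - dl_lo) // 200
    raise ValueError(f"{downlink_mhz} MHz is not a GSM 900 / DCS 1800 downlink carrier")


if __name__ == "__main__":
    for n in (1, 62, 124, 975, 0, 512):
        band, ul, dl = arfcn_to_freq(n)
        print(f"ARFCN {n:4d}: {band:10s} uplink {ul:.1f} MHz, downlink {dl:.1f} MHz")
    print("947.4 MHz downlink is ARFCN", downlink_to_arfcn(947.4))
```

The mobile listens on the downlink, so a fake BTS that wants to sit "on the same channel as BTS four" transmits on the downlink frequency of that ARFCN; the uplink value is what the attacker's receiver must tune to hear the victim's MS.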

Traffic Channel

A traffic channel (TCH) is used to carry speech and data traffic. Traffic channels are defined using a 26-frame multiframe, or group of 26 TDMA frames. The length of a 26-frame multiframe is 120 ms, which is how the length of a burst period is defined (120 ms divided by 26 frames divided by 8 burst periods per frame). Out of the 26 frames, 24 are used for traffic, 1 is used for the Slow Associated Control Channel (SACCH) and 1 is currently unused (see Figure 2). TCHs for the uplink and downlink are separated in time by 3 burst periods, so that the mobile station does not have to transmit and receive simultaneously, thus simplifying the electronics. [6]

Traffic channels are bi-directional. Their frequency separation (uplink to downlink) amounts to 45 MHz in the 900 MHz band and 95 MHz in the 1.8 GHz (DCS 1800) band. In addition there is a time shift of 3 burst periods (BP) between transmitting and receiving, which allows the same timeslot number to be used for uplink and downlink transmission. [7]

About GSM channels

References

[1] Song, Y., Zhou, K., Chen, X. Fake BTS Attacks of GSM System on Software Radio Platform. Journal of Networks, North America, 7, Feb. 2012. Available at: <http://ojs.academypublisher.com/index.php/jnw/article/view/jnw0702275281>. Date accessed: 01 May 2013.
[2] Ika Sthlberg, Radio jamming attacks against two popular mobile networks, Helsinki University of Technology Seminar on Network Security, 2000.
[3] User Description, GSM-UMTS-LTE Cell Reselection and Handover, Ericsson.com
[4] GSM UMTS PLMN Selection, Leliwa Technical Bulletin
[5] GSM Tutorial, available at: http://www.rfwireless-world.com/Tutorials/gsmtutorial.html
[6] John Scourias, Overview of the Global System for Mobile Communications, available at: http://ccnga.uwaterloo.ca/~jscouria/GSM/gsmreport.html
[7] About the GSM-Dm-Channels, available at:
