c atching and u nderstanding gsm
play

C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van - PowerPoint PPT Presentation

Mar 21, 2023 •276 likes •829 views

C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van den Broek Radboud University Nijmegen 30 March 2010 Some Numbers Some Numbers $ 600 Billion Some Numbers $ 600 Billion 90% of population has coverage Some Numbers

  1. C ATCHING AND U NDERSTANDING GSM SIGNALS Master Thesis Fabian van den Broek Radboud University Nijmegen 30 March 2010

  2. Some Numbers

  3. Some Numbers • $ 600 Billion

  4. Some Numbers • $ 600 Billion • 90% of population has coverage

  5. Some Numbers • $ 600 Billion • 90% of population has coverage • 4.1 billion mobile users

  6. Some Numbers • $ 600 Billion • 90% of population has coverage • 4.1 billion mobile users But has GSM been properly tested?

  7. Cellular technology

  8. GSM system overview

  9. The Um interface

  10. Software Defined Radio

  11. Software Defined Radio • USRP • Gnu Radio • Air Probe Have these new SDR products made GSM less secure?

  12. Software Defined Radio • USRP • Gnu Radio • Air Probe Have these new SDR products made GSM less secure?

  13. Software Defined Radio • USRP • Gnu Radio • Air Probe Have these new SDR products made GSM less secure?

  14. Software Defined Radio • USRP • Gnu Radio • Air Probe Have these new SDR products made GSM less secure?

  15. and then....

  16. The Um interface

  17. Frequency band (GSM900)

  18. Frequency band (II)

  19. Frequency band (III)

  20. Frequency band (III)

  21. Frequency division

  22. Combined up and down link frequency

  23. Combined up and down link frequency

  24. Numbered with ARFCNs

  25. Frequency division

  26. Frequency division

  27. GSM messages 49 06 1b 32 22 02 f4 80 − 11 7 f d8 04 28 15 65 04 − a9 00 00 1c 13 2b 2b 55 06 19 00 00 00 00 20 − 00 10 10 00 00 00 00 00 − 01 00 00 a9 00 00 2b

  28. KPN system information 1: 49 06 1b 32 22 02 f4 80 − 11 7 f d8 04 28 15 65 04 − a9 00 00 1c 13 2b 2b 0: 49 010010 −− Pseudo Length : 18 1: 06 0 −−−−−−− Direction : From o r i g i n a t i n g s i t e 1: 06 − 000 −−−− 0 TransactionID 1: 06 −−−− 0110 Radio Resouce Management 2: 1b 00011011 RRsystemInfo3C 3: 32 12834 [0 x3222 ] Cell i d e n t i t y 5: 02 204 Mobile Country Code ( Netherlands ) 6: f4 08 f Mobile Network Code (KPN Telecom B.V . ) 8: 11 4479 [0 x117f ] Local Area Code 10: d8 1 −−−−−−− Spare b i t ( should be 0) 10: d8 − 1 −−−−−− MSs in the c e l l s h a l l apply IMSI attach / detach procedure 10: d8 −− 011 −−− Number of blocks : 3 10: d8 −−−−− 000 1 basic physical channel f o r CCCH, not combined with SDCCHs 11: 04 00000 −−− spare b i t s ( should be 0) 11: 04 −−−−− 100 6 multi frames period f o r paging request 12: 28 00101000 T3212 TimeOut value : 40 13: 15 0 −−−−−−− spare b i t ( should be 0) 13: 15 − 0 −−−−−− Power c o n t r o l i n d i c a t o r i s not set 13: 15 −− 01 −−−− MSs s h a l l use uplink DTX 13: 15 −−−− 0101 Radio Link Timeout : 24 14: 65 011 −−−−− Cell Reselect Hyst . : 6 db RXLEV 14: 65 −−− xxxxx Max Tx power l e v e l : 5 15: 04 0 −−−−−−− No a d d i t i o n a l c e l l s in SysInfo 7 − 8 15: 04 − 0 −−−−−− New establishm cause : not supported 15: 04 −− xxxxxx RXLEV Access Min permitted = − 110 + 4dB 16: a9 10 −−−−−− Max. of retransmiss : 4 16: a9 −− 1010 −− s l o t s to spread TX : 14 16: a9 −−−−−− 0 − The c e l l i s barred : no 16: a9 −−−−−−− 1 Cell reestabl . i . c e l l : not allowed 17: 00 −−−−− 0 −− Emergency c a l l EC 10: allowed 17: 00 00000 −−− Acc c t r l c l 11 − 15: 0 = permitted , 1 = forbidden 17: 00 −−−−−− 00 Acc c t r l c l 8 − 9: 0 = permitted , 1 = forbidden 17: 00 −−−−−−− 0 Ordinary subscribers (8) 17: 00 0 Ordinary subscribers (9)

  29. KPN system information 2: 55 06 19 00 00 00 00 20 − 00 10 10 00 00 00 00 00 − 01 00 00 a9 00 00 2b 0: 55 010101 −− Pseudo Length : 21 1: 06 0 −−−−−−− Direction : From o r i g i n a t i n g s i t e 1: 06 − 000 −−−− 0 TransactionID 1: 06 −−−− 0110 Radio Resouce Management 2: 19 00011001 RRsystemInfo1 3: 00 00 −−−−−− Bitmap 0 format 7: 20 −− 1 −−−−− Cell A l l o c a t i o n : ARFCN 94 9: 10 −−− 1 −−−− Cell A l l o c a t i o n : ARFCN 77 10: 10 −−− 1 −−−− Cell A l l o c a t i o n : ARFCN 69 16: 01 −−−−−−− 1 Cell A l l o c a t i o n : ARFCN 17 19: a9 10 −−−−−− Max. of retransmiss : 4 19: a9 −− 1010 −− s l o t s to spread TX : 14 19: a9 −−−−−− 0 − The c e l l i s barred : no 19: a9 −−−−−−− 1 Cell reestabl . i . c e l l : not allowed 20: 00 −−−−− 0 −− Emergency c a l l EC 10: allowed 20: 00 00000 −−− Acc c t r l c l 11 − 15: 0 = permitted , 1 = forbidden 20: 00 −−−−−− 00 Acc c t r l c l 8 − 9: 0 = permitted , 1 = forbidden 20: 00 −−−−−−− 0 Ordinary subscribers (8) 20: 00 −−−−−− 0 − Ordinary subscribers (9) 20: 00 −−−−− 0 −− Emergency c a l l ( 1 0 ) : Everyone 20: 00 −−−− 0 −−− Operator Specific (11) 20: 00 −−− 0 −−−− Security service (12) 20: 00 −− 0 −−−−− Public service (13) 20: 00 − 0 −−−−−− Emergency service (14) 20: 00 0 −−−−−−− Network Operator (15) 21: 00 00000000 Acc c t r l c l 0 − 7: 0 = permitted , 1 = forbidden 21: 00 00000000 Ordinary subscribers (0 − 7)

  30. KPN system information [0 x3222 ] Cell i d e n t i t y Mobile Country Code ( Netherlands ) Mobile Network Code (KPN Telecom B.V . ) [0 x117f ] Local Area Code Cell A l l o c a t i o n : ARFCN 94 Cell A l l o c a t i o n : ARFCN 77 Cell A l l o c a t i o n : ARFCN 69 Cell A l l o c a t i o n : ARFCN 17

  31. The KPN cell

  32. The KPN cell

  33. No Frequency hopping

  34. Frequency hopping (I)

  35. Frequency hopping (II)

  36. Immediate Assignment 31 06 3 f 00 52 f0 ab 85 − ad e0 01 01 0 f 2b 2b 2b − 2b 2b 2b 2b 2b 2b 2b 0: 31 001100 −− Pseudo Length : 12 1: 06 0 −−−−−−− Direction : From o r i g i n a t i n g s i t e 1: 06 − 000 −−−− 0 TransactionID 1: 06 −−−− 0110 Radio Resouce Management 2: 3 f 0 − 111111 RRimmediateAssignment 2: 3 f − x −−−−−− Send sequence number : 0 3: 00 −−−−−− 00 Page Mode: Normal paging 3: 00 − 0 −−−−−− No meaning 3: 00 −− 0 −−−−− Downlink assign to MS: No meaning 3: 00 −−− 0 −−−− This messages assigns a dedicated mode resource 4: 52 −−−−− 010 Timeslot number : 2 4: 52 01010 −−− Chan . Descript . : SDCCH/8 + SACCH/C8 or CBCH (SDCCH/ 8 ) 5: f0 111 −−−−− Training seq . code : 7 5: f0 −−− 1 −−−− HoppingChannel 6: ab . . . . . . . . Mobile A l l o c a t i o n Index Offset (MAIO) 2 6: ab −− 101011 Hopping Seq . Number : 43 7: 85 100 −−−−− Establishing Cause : Answer to paging 7: 85 −−− xxxxx Random Reference : 5 8: ad xxxxxxxx T1 / T2 / T3 9: e0 xxxxxxxx T1 / T2 / T3 10: 01 −− xxxxxx Timing advance value : 1 11: 01 00000001 Length of Mobile A l l o c a t i o n : 1 12: 0 f −−−− 1 −−− Mobile A l l o c a t i o n ARFCN #4 12: 0 f −−−−− 1 −− Mobile A l l o c a t i o n ARFCN #3 12: 0 f −−−−−− 1 − Mobile A l l o c a t i o n ARFCN #2 12: 0 f −−−−−−− 1 Mobile A l l o c a t i o n ARFCN #1

  37. Immediate Assignment HoppingChannel Mobile A l l o c a t i o n Index Offset (MAIO) 2 Hopping Seq . Number : 43 Mobile A l l o c a t i o n ARFCN #4 Mobile A l l o c a t i o n ARFCN #3 Mobile A l l o c a t i o n ARFCN #2 Mobile A l l o c a t i o n ARFCN #1

  38. Message Sequence

  39. Message Sequence

  40. Message Sequence

  41. Message Sequence

  42. Message Sequence

  43. Message Sequence

  44. Message Sequence

  45. Hopping Problem

  46. Conclusion • Still hard to eavesdrop in general • Other attacks have become feasible • The GSM system can still use a lot of testing

  47. Questions

  48. A single sub-frequency

  49. A single sub-frequency

  50. Time division

  51. Time division

  52. Bursts

  53. Logical channels

  54. Offset

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U NDERSTANDING L ATCHING S OLENOID T ECHNOLOGY W HAT IS A LATCHING SOLENOID ? A latching

U NDERSTANDING L ATCHING S OLENOID T ECHNOLOGY W HAT IS A LATCHING SOLENOID ? A latching

U NDERSTANDING L ATCHING S OLENOID T ECHNOLOGY W HAT IS A LATCHING SOLENOID ? A latching solenoid utilizes the electrical current pulse or internal permanent magnet material to maintain a set position without the constant application of

447 views • 6 slides
M ATCHING NLO C ALCULATIONS WITH P ARTON S HOWER : THE PO SITIVE -W EIGHT H ARDEST E MISSION G

M ATCHING NLO C ALCULATIONS WITH P ARTON S HOWER : THE PO SITIVE -W EIGHT H ARDEST E MISSION G

M ATCHING NLO C ALCULATIONS WITH P ARTON S HOWER : THE PO SITIVE -W EIGHT H ARDEST E MISSION G ENERATOR Carlo Oleari Universit` a di Milano-Bicocca, Milan LAPTh, Annecy 29 November 1 December 2011 Theory introduction Basics of

775 views • 73 slides
of Op f Optical ical Flo low w an and St Ster ereo eo Matc atching hing Pengpeng Liu,

of Op f Optical ical Flo low w an and St Ster ereo eo Matc atching hing Pengpeng Liu,

Flo low2Stereo: w2Stereo: Eff ffective ective Se Self lf-Sup Supervised ervised Lea earning rning of Op f Optical ical Flo low w an and St Ster ereo eo Matc atching hing Pengpeng Liu, Irwin King, Michael Lyu, Jia Xu The

113 views • 10 slides
2. . 3. . 4. .. .. 11. Reasoning with respect to Time 2 U NDERSTANDING T IME IN T EXT

2. . 3. . 4. .. .. 11. Reasoning with respect to Time 2 U NDERSTANDING T IME IN T EXT

A S TRUCTURED L EARNING A PPROACH TO T EMPORAL R ELATION E XTRACTION Qiang Ning , Zhili Feng, Dan Roth Computer Science University of Illinois, Urbana-Champaign & University of Pennsylvania 1 T OWARDS N ATURAL L ANGUAGE U NDERSTANDING 1. .

518 views • 18 slides
NAME YOUR T.U.N.E. T uning ones U nderstanding about the N uances of the E ducational Value of

NAME YOUR T.U.N.E. T uning ones U nderstanding about the N uances of the E ducational Value of

NAME YOUR T.U.N.E. T uning ones U nderstanding about the N uances of the E ducational Value of Diversity Recognize, Affirm, & Celebrate the Educational Value of Diversity Dr. Martha Sales, Executive Director, ISEC & TRiO Programs &

195 views • 3 slides
D RIVEN TO S UCCEED : U NDERSTANDING STUDENT MOTIVATION , & ITS RELATIONSHIP TO STUDENT

D RIVEN TO S UCCEED : U NDERSTANDING STUDENT MOTIVATION , & ITS RELATIONSHIP TO STUDENT

D RIVEN TO S UCCEED : U NDERSTANDING STUDENT MOTIVATION , & ITS RELATIONSHIP TO STUDENT SUCCESS J ARED B URTON A CADEMIC A DVISOR C OLLEGE OF S OCIAL & B EHAVIORAL S CIENCES U NIVERSITY OF A RIZONA A GENDA We will discuss ways to

309 views • 30 slides
M ULTICORE H ARDWARE S HARED R ESOURCES : U NDERSTANDING OF THE S TATE OF THE A RT Gabriel

M ULTICORE H ARDWARE S HARED R ESOURCES : U NDERSTANDING OF THE S TATE OF THE A RT Gabriel

C ONTENTION IN M ULTICORE H ARDWARE S HARED R ESOURCES : U NDERSTANDING OF THE S TATE OF THE A RT Gabriel Fernandez 1 , Jaume Abella 2 , Eduardo Quiones 2 , Christine Rochange 3 , Tullio Vardanega 4 and Francisco J. Cazorla 2,4 1 2 3 5 4 14

648 views • 23 slides
Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance and Security Division U.S. Agricultural Export Development Council Monday, November 18, 2019 Overview ew Welcome Global Programs: Curt Alt

386 views • 34 slides
Penn MEASURE M esothelioma and the E nvironment in A mbler S tudy: U nderstanding R isk from E

Penn MEASURE M esothelioma and the E nvironment in A mbler S tudy: U nderstanding R isk from E

Penn MEASURE M esothelioma and the E nvironment in A mbler S tudy: U nderstanding R isk from E xposures Frances K. Barg, PhD Douglas Wiebe, PhD Edward Emmett, MD, MPH Anil Vachani, MD, MSCE Charles Branas, PhD BoRit Asbestos Superfund Site

364 views • 9 slides
U NDERSTANDING GPA GPA GPA stands for Grade Point Average GPA is first calculated at the

U NDERSTANDING GPA GPA GPA stands for Grade Point Average GPA is first calculated at the

A DVANCED A CADEMICS A LVIN H IGH S CHOOL U NDERSTANDING GPA GPA GPA stands for Grade Point Average GPA is first calculated at the end of the 10 th grade year Alvin ISD AHS FLewis GPA is re-calculated at the end of each semester

303 views • 7 slides
Reading Reading P atience and Practice U nderstanding & Meaning R esilience- Risk taking P

Reading Reading P atience and Practice U nderstanding & Meaning R esilience- Risk taking P

The Orchard School Inspiring Success Reading Reading P atience and Practice U nderstanding & Meaning R esilience- Risk taking P rediction O racy S uccess E njoyment, Engagement Reading what children need Attitudes : - Confidence

330 views • 12 slides
10/11/2017 Challenging Behavior in Young Children: U nderstanding, Preventing, and Responding

10/11/2017 Challenging Behavior in Young Children: U nderstanding, Preventing, and Responding

10/11/2017 Challenging Behavior in Young Children: U nderstanding, Preventing, and Responding Effectively Working with Families and Other Experts & Barbara Kaiser www.challengingbehavior.com What does a partnership with families mean

549 views • 20 slides
U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN I NRIA / LIG / U NIV . G RENOBLE , F RANCE alexis.martin@inria.fr We do Need Benchmarking ! Benchmark : a standard or point of reference

764 views • 43 slides
1 Emergency Management at U niversity C ollege C ork - U nderstanding, C o-operation & C

1 Emergency Management at U niversity C ollege C ork - U nderstanding, C o-operation & C

1 Emergency Management at U niversity C ollege C ork - U nderstanding, C o-operation & C ommunication Nora Geary Corporate Secretary, UCC Chair of the UCC Emergency Management Team (EMT) Emergency Responses in U niversity C ollege C ork 2 -

609 views • 34 slides
U NDERSTANDING GLOBAL SEASONAL SYNCHRONIZATION OF INFECTIOUS DISEASES USING REMOTE SENSING Elena

U NDERSTANDING GLOBAL SEASONAL SYNCHRONIZATION OF INFECTIOUS DISEASES USING REMOTE SENSING Elena

InForMID : Tufts Initiative for the Forecasting and Modeling of Infectious Diseases U NDERSTANDING GLOBAL SEASONAL SYNCHRONIZATION OF INFECTIOUS DISEASES USING REMOTE SENSING Elena N. Naumova Tufts University School of Engineering, Medford MA USA

984 views • 70 slides
Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U

Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U

Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U NDERSTANDING E XPERIENCE I NNOVATION L EADERSHIP F RIENDSHIP F ELLOWSHIP N ETWORKING N etworking U nderstanding F riendship F ellowship I

614 views • 36 slides
Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network

Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Open-Source Cyber-Physical Network Infrastructure Tobias Betz 2017-12-13 Chair of Network Architectures and Services Department of

565 views • 22 slides
GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Dieter Spaar,

GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Dieter Spaar,

GSM Debugging Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Dieter Spaar, spaar@mirider.augusta.de Dieter Spaar, spaar@mirider.augusta.de Industry responds to GSM cracking attempts by creating new challenges the GSM call has

1.07k views • 19 slides
Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and

Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and

Understanding Spectrum Speaker: Predrag Spasojevic Students: Haris Kremo, Goran Ivkovic and Shridatt Sugrim Co-Advisors: Ivan Seskar, Larry Greenstein, and Melike Gursoy WINLAB Industrial Advisory Board Meeting Spring 2013 Topics ORBIT

611 views • 30 slides
17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2

3G Evolution Chapter 17 Outline 17 Chapter: The Uplink physical resource Uplink reference signals Uplink L1/L2 control signaling Uplink transmission scheme Uplink transport-channel processing PUSCH frequency hopping

676 views • 12 slides
Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara,

Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara,

Recorp: Receiver-Oriented Policies for Industrial Wireless Networks Ryan Brummet*, Octav Chipara, Ted Herman University of Iowa | Mobile Systems Laboratory Industrial Wireless Networks Applications process control systems Workload

459 views • 14 slides
UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry

UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry

UNIVERSITY OF MANCHESTER School of Computer Science CS3282: Digital communications Barry Cheetham Section 10 (shortened) Multiple access for wireless communications 4/05/06 CS3282 1 Multiple user access for wireless communications Allow

371 views • 6 slides
Run Your Own 6LoWPAN Based IoT Network 2016-10-11, Berlin Stefan Schmidt stefan@osg.samsung.com

Run Your Own 6LoWPAN Based IoT Network 2016-10-11, Berlin Stefan Schmidt stefan@osg.samsung.com

Run Your Own 6LoWPAN Based IoT Network 2016-10-11, Berlin Stefan Schmidt stefan@osg.samsung.com Samsung Open Source Group Agenda Motivation Linux-wpan Project Wpan-tools Hardware and Basic Setup Communication with RIOT and

731 views • 45 slides
Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread

CMPE 477 Wireless and Mobile Networks Lecture 6: Spread Spectrum Concept Frequency Hopping Spread Spectrum Direct Sequence Spread Spectrum CMPE 477 Spread Spectrum Problem of radio transmission: frequency dependent fading can

656 views • 17 slides

More recommend