
Implementing an Affordable and Effective GSM IMSI Catcher with 3G Authentication

Conference paper, International Conference on Security and Privacy in Communication Networks (SecureComm 2014)

Abstract

Recently revealed information on secret agencies eavesdropping on politicians' phone calls all over the world has shown how common a practice it is. Although the insecurity of the GSM mobile telecommunication system has long been known in the scientific community, these events made it clear to the public. In particular, the extent and usage of such techniques demonstrates their relevance in current society. In this paper, we demonstrate techniques used to intercept mobile calls and analyze the feasibility of man-in-the-middle attacks in real-life scenarios. We show how to build an affordable and effective IMSI catcher which works even when mutual authentication between the phone and the network is enforced. Methods to detect it and other potential countermeasures are discussed as well.


Notes

  1. Alongside GSM, which is the common denominator of supported protocols.

  2. Older phones, which do not support UMTS authentication, will ignore it.

  3. The case of LTE is not considered in this paper and is left for future work.

  4. Up to 6 cells in GSM and up to 15 in UMTS.

  5. Not all the phones supported by XGoldmon provide such an option.

  6. Another explanation would be the pervasive use of IMSI catchers in Germany, of course.

  7. Both SII and SIII models.

  8. The results may vary depending on the dissectors available to the Wireshark tool.

  9. The corresponding bug #5353 dates back to 2009 with no indication of any progress or intention to fix it so far.

  10. See the recent bug #960007 for tracking developments.

  11. Bug #838.

  12. Bug #1276208.

  13. 64-bit build used in this case.

  14. FISH shell syntax used: http://fishshell.com/.

References

  1. 3GPP: Digital cellular telecommunications system (Phase 2+); Radio subsystem link control. Technical Specification TS 100.911 v8.23.0, 3G Partnership Project, October 2005

  2. 3GPP: Digital cellular telecommunications system (Phase 2+); Functions related to Mobile Station (MS) in idle mode and group receive mode. Technical Specification TS 143.022 v11.0.0, 3G Partnership Project, October 2012

  3. 3GPP: Smart Cards; UICC-Terminal interface; Physical and logical characteristics. Technical Specification TS 102.221 v11.0.0, 3G Partnership Project, June 2012

  4. 3GPP: Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture. Technical Specification TS 131.102 v11.5.1, 3G Partnership Project, July 2013

  5. 3GPP: Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3. Technical Specification TS 124.008 v11.8.0, 3G Partnership Project, October 2013

  6. 3GPP: Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture. Technical Specification TS 33.102 v11.5.1, 3G Partnership Project, July 2013

  7. 3GPP: Universal Mobile Telecommunications System (UMTS); LTE; Service aspects; Service principles. Technical Specification TS 122.101 v11.9.0, 3G Partnership Project, July 2013

  8. Ball, J.: NSA monitored calls of 35 world leaders after US official handed over contacts. The Guardian, October 2013. http://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls

  9. Fox, D.: Der IMSI-Catcher. Datenschutz und Datensicherheit 26, 212–215 (2002)

  10. Golde, N., Redon, K., Borgaonkar, R.: Weaponizing femtocells: the effect of rogue devices on mobile telecommunication. In: Network & Distributed System Security Symposium 2011, February 2012

  11. GSM Association: European Mobile Industry Observatory 2011 (2011)

  12. Hufelschulte, J.: GroGeheimdiensten abgehört. Focus, November 2013. http://www.focus.de/politik/deutschland/_id_3428205.html

  13. Kalenderi, M., Pnevmatikatos, D.N., Papaefstathiou, I., Manifavas, C.: Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs. In: FPL, pp. 747–753 (2012)

  14. Log messages convertor for phones with XGold baseband processor: XGoldmon. https://github.com/2b-as/xgoldmon

  15. Mayer, T.: IMSI Catcher Detection System. Master Thesis at the Chair of Communication Systems at Freiburg University, June 2012

  16. Meyer, U., Wetzel, S.: A man-in-the-middle attack on UMTS. In: Proceedings of the 3rd ACM workshop on Wireless security, WiSe 2004, pp. 90–97. ACM, New York (2004)

  17. Meyer, U., Wetzel, S.: On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. In: Proceedings of IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC 2004), September 2004. IEEE (2004)

  18. Mjølsnes, S.F., Tsay, J.K.: Computational Security Analysis of the UMTS and LTE Authentication and Key Agreement Protocols. CoRR abs/1203.3866 (2012)

  19. Ntantogian, C., Xenakis, C.: Questioning the feasibility of UMTS-GSM interworking attacks. Wirel. Pers. Commun. 65(1), 157–163 (2012)

  20. Open Source Hardware Transceiver for GSM: UmTRX. http://umtrx.org/

  21. Open Source MObile COMmunication: osmocom. http://osmocom.org/

  22. Range Networks and community: OpenBTS. http://wush.net/trac/rangepublic

  23. Song, Y., Zhou, K., Chen, X.: Fake BTS Attacks of GSM system on software radio platform. J. Netw. 7(2), 275–281 (2012)

  24. Tang, C., Naumann, D.A., Wetzel, S.: Analysis of authentication and key establishment in inter-generational mobile telephony. IACR Cryptology ePrint Archive 2013, 227 (2013)

  25. Wehrle, D.: Open Source IMSI-Catcher. Master Thesis at the Chair of Communication Systems at Freiburg University, October 2009

Acknowledgment

The author would like to thank Marta Piekarska for her help with field experiments and Kévin Redon for his help with German papers and draft review.

Author information

Corresponding author: Max Suraev

Appendix: Experimental setup details

In practice the attack consists of two phases: a site survey and the actual man-in-the-middle. The first phase is needed to gather information on the cells visible in the particular area; this step is required to properly pick the ARFCN on which the attacking BTS should listen. The actual attack is then performed once the target phone enters the area. Note that the first phase does not have to be performed right before the attack: it is possible to gather this data separately.

1.1 Software

There are numerous open source projects implementing both the network and the mobile side of the GSM and, to some extent, 3G protocol stacks. This allows researchers unaffiliated with the mobile industry to make independent inquiries into the operation and security of mobile network deployments.

Osmocom-BB [21] is an open source GSM stack implemented around the Calypso chip used in old Motorola phones. It consists of several utilities, including an actual GSM phone implemented in software.

The command to start the 2G phone is:

[Figure b: command listing, not reproduced in this preview]

Tools like RSSI, implemented on top of the Osmocom-BB stack, were used to assess the radio environment and monitor signal quality during the experiment. The following command chain-loads RSSI into an Osmocom-compatible phone (Motorola model C123 and alike):

[Figure c: command listing, not reproduced in this preview]

Xgoldmon [14] is a utility which obtains the debug stream from Intel/Infineon XGold baseband processors. It supports Samsung Galaxy S2/SIII, Note2 and Nexus phones. The read-only debug stream contains raw 3G messages, including authentication request and response data. By writing the IMSI of the target phone into a programmable SIM card, we can use an xgoldmon-compatible attacking phone to issue an authentication request and thus obtain the authentication challenge generated for the target phone, as shown in Fig. 2.

OpenBTS [22] implements a GSM base station with a SIP backend. This makes the experimental setup self-contained: no other components such as a BSC are required. During the experiment a patched version of OpenBTS was used, with additional functionality taken from the Fairwaves version.

Due to version incompatibilities, OpenBTS requires a specific version of the GNU Radio software stack (footnote 13) to work properly with the USRPv1. It can be supplied using the following commands (footnote 14):

[Figure d: command listing, not reproduced in this preview]

OpenBTS uses "open loop" power control, which means it does not actively control the transmission power of the cellphone. To successfully execute a man-in-the-middle attack, we have to carefully assess the radio environment and choose a proper transmission power and a channel to operate on, to make sure that radio interference from existing cells will not prevent our IMSI catcher from taking the role of preferred cell during cell selection.

To extract authentication information from xgoldmon, a utility daemon was written. It parses the GSMTAP traffic and updates the OpenBTS database with the most recent authentication data. This helps to automate the attack and further eases the timing requirements. The authentication challenge contains SQN, a sequence number which is increased with every challenge, so the current authentication challenge is invalidated as soon as the phone receives an authentication request carrying a more recent sequence number.
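The sequence-number rule referred to above is the freshness check the USIM performs in UMTS AKA (TS 33.102 [6]); it is what bounds the lifetime of any challenge obtained out of band. The following model, added here as an illustration and not code from the paper or from any of the projects it names, shows the USIM side of that check: a challenge is accepted only if its MAC verifies and its SQN is strictly newer than the SQN the USIM has stored, so a challenge issued earlier but presented after a fresher one is rejected with a synchronisation failure. The MAC is computed with HMAC-SHA256 over RAND || SQN as a stand-in for the Milenage f1 function, the key and the "strictly greater" acceptance rule are simplifications assumed for this script (the real USIM uses a windowed SQN array), and the class and function names are this example's own.

```python
"""Model of the USIM-side SQN freshness check in UMTS AKA (TS 33.102).

Added illustration only. Assumptions: HMAC-SHA256 stands in for Milenage f1,
SQN acceptance is simplified to "strictly greater than stored SQN", and the
key below is a constructed test value, not a real Ki.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    rand: bytes   # 128-bit random value chosen by the home network
    sqn: int      # 48-bit sequence number (kept as an int here)
    mac: bytes    # MAC-A over RAND || SQN, truncated to 8 bytes


def compute_mac(k: bytes, rand: bytes, sqn: int) -> bytes:
    # Stand-in for Milenage f1: HMAC-SHA256(K, RAND || SQN), first 8 bytes.
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class HomeNetwork:
    """Issues authentication vectors with a strictly increasing SQN, as the AuC does."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def new_challenge(self) -> Challenge:
        self.sqn += 1
        rand = os.urandom(16)
        return Challenge(rand, self.sqn, compute_mac(self.k, rand, self.sqn))


class Usim:
    """Accepts a challenge only if the MAC verifies and SQN is fresher than SQN_MS."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn_ms = 0   # highest SQN accepted so far

    def verify(self, ch: Challenge) -> str:
        expected = compute_mac(self.k, ch.rand, ch.sqn)
        if not hmac.compare_digest(ch.mac, expected):
            return "MAC_FAILURE"        # not from a party holding K
        if ch.sqn <= self.sqn_ms:
            return "SYNC_FAILURE"       # stale or replayed challenge
        self.sqn_ms = ch.sqn
        return "ACCEPTED"


def scenario() -> list:
    """Two challenges issued in order; the phone sees the newer one first.

    Returns the USIM's verdicts, in order, for: the newer challenge, the
    older (now superseded) challenge, and a forged challenge with a bad MAC.
    """
    k = bytes(range(16))                    # constructed test key
    network, usim = HomeNetwork(k), Usim(k)
    older = network.new_challenge()         # SQN 1, held back
    newer = network.new_challenge()         # SQN 2, delivered to the phone
    verdicts = [usim.verify(newer), usim.verify(older)]
    forged = Challenge(older.rand, 99, b"\x00" * 8)   # good-looking SQN, wrong MAC
    verdicts.append(usim.verify(forged))
    return verdicts


if __name__ == "__main__":
    print(scenario())   # ['ACCEPTED', 'SYNC_FAILURE', 'MAC_FAILURE']
```

The point for a defender is the second verdict: once the phone has processed a challenge with SQN 2, the earlier SQN 1 challenge is dead regardless of how it was obtained, which is why the paper's setup has to keep its authentication data current. The third verdict shows that without the shared key a fresh-looking SQN does not help, because the MAC check runs first.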

[Table 3: OpenBTS configuration options and cell (re)selection parameters; table body not reproduced in this preview]

1.2 Hardware

The open source implementations of GSM protocols rely either on SDR hardware, where all the signal processing details are handled in software, or on chips with known or reverse-engineered specifications, which allows fine-grained control over the data sent to the network.

UmTRX [20] is an open source hardware project implementing an SDR transceiver capable of GSM and LTE operation. It is a successor to the quite popular USRP hardware, with better clocking and multi-channel capabilities available out of the box. Both a USRPv1 with a ClockTamer clock source and a UmTRX were used during the experiments.

A Motorola C123 phone with Osmocom-BB firmware and a Nokia phone with the net-monitor feature enabled were used for the site survey during the attack.

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Suraev, M. (2015). Implementing an Affordable and Effective GSM IMSI Catcher with 3G Authentication. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_18

  • DOI: https://doi.org/10.1007/978-3-319-23829-6_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23828-9

  • Online ISBN: 978-3-319-23829-6