summaryrefslogtreecommitdiff
path: root/2009/gsm_workshop-deepsec2009/gsm_workshop.tex
blob: 3b4de366f85181a0f7f6288490b7d0275b32d2bd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597

\newcommand{\degree}{\ensuremath{^\circ}}
%\documentclass[handout]{beamer}
\documentclass{beamer}

% This file is a solution template for:

% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.



% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice. 


\mode<presentation>
{
  \usetheme{Warsaw}
  % or ...

  \setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}

\mode<handout>{
	\usepackage{handoutWithNotes}
	\pgfpagesuselayout{1 on 1 with notes portrait}[a4paper,border shrink=5mm]
	\usecolortheme{seahorse}
}

% ensure the page number is printed in front of the author name in the footer 
\newcommand*\oldmacro{}
\let\oldmacro\insertshortauthor% save previous definition
\renewcommand*\insertshortauthor{%
  \leftskip=.3cm% before the author could be a plus1fill ...
  \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}

\usepackage[english]{babel}
% or whatever

\usepackage[latin1]{inputenc}
% or whatever

\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.

\usepackage{subfigure}
\usepackage{hyperref}

\title{GSM Air Interface Security}

%\subtitle{and other GSM related fun}

\author{David~Burgess\inst{1} \and Harald~Welte\inst{2}}

\institute[Kestrel and others]{
\inst{1}OpenBTS, Kestrel Signal Processing (USA)
\and
\inst{2}OpenBSC, hmw-consulting.de (Germany)
}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.

\date[DeepSec 2009] % (optional, should be abbreviation of conference name)
{DeepSec conference, November 2009, Vienna/Austria}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
%   yourself) who are reading the slides online

\subject{GSM Security}
% This is only inserted into the PDF information catalog. Can be left
% out. 



% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:

% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}



% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
%  \begin{frame}<beamer>{Outline}
%    \tableofcontents[currentsection,currentsubsection]
%  \end{frame}
%}


% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command: 

%\beamerdefaultoverlayspecification{<+->}


\begin{document}

\begin{frame}
  \titlepage
\end{frame}


% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution: 

% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
%   15 and 30 frames, all told.

% - A conference audience is likely to know very little of what you
%   are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
%   enough. Leave out details, even if it means being less precise than
%   you think necessary.
% - If you omit details that are vital to the proof/implementation,
%   just say so once. Everybody will be happy with that.

\part{Introduction}

\begin{frame}{Introduction}
  \tableofcontents
  % You might wish to add the option [pausesections]
\end{frame}


\begin{frame}{Our Goals in this Workshop}
\begin{itemize}
	\item{Familiarize you with the internals of GSM systems.}
	\item{Examine security weaknesses in GSM systems.}
	\begin{itemize}
		\item{Theoretical weaknesses.}
		\item{Demonstrations.}
		\item{Products and practices.}
	\end{itemize}
	\item{Describe countermeasures to avoid these weaknesses\\ ...where possible.}
\end{itemize}
\end{frame}

\section{About the Speakers}

\subsection{David A.~Burgess}

\begin{frame}{About David A.~Burgess}{dburgess@kestrelsp.com}
\begin{itemize}
	\item Degrees in Electrical Engineering (BEE) and Computer Science (MSc).
	\item Signal processing experience: audio synthesis and simulation, radar, sonar and electronic warfare.
	\item First introduced to GSM in 1998 in SIGINT project.
	\item Provide software for fielded intelligence systems in use today.
	\item Started the OpenBTS project in mid-2007.
\end{itemize}
\end{frame}

\subsection{Harald Welte}

\begin{frame}{About Harald Welte}{hwelte@hmw-consulting.de}
\begin{itemize}
	\item Using + playing with Linux since 1994
	\item Kernel, bootloader, driver, firmware development since 1999
	\item IT security specialist, focus on network protocol security
	\item Board-level Electrical Engineering
	\item Interested in various protocols (RFID, DECT, GSM)
	\item netfilter/iptables, OpenPCD, OpenMoko, librfid, OpenEZX
	\item Main developer of OpenBSC project
\end{itemize}
\end{frame}

\section{Legal Disclaimer}

\begin{frame}{Legal Disclaimer}
\begin{itemize}
\item We are demonstrating normal GSM operations and security flaws using a private network and informed participants.
\item By leaving your GSM handset turned on during this workshop, you consent to participate in these demonstrations.
\item Nothing we do will damage your handset, but you may suffer temporary disruptions in service, unsolicited text messages and other annoyances.
\item Not all of the software used to demonstrate security weaknesses is not part of the normal OpenBTS or OpenBSC distributions.
\end{itemize}
\end{frame}

\subsection{Applicable Law -- US}

\begin{frame}{Applicable Law -- US}
\begin{itemize}
\item 47 USC 302 and 18 USC 2512 ban distribution or advertisement of jammers or intercept devices to the general public, limits import and manufacture.
\item 47 USC 333 bans interference with licensed operations.
\item 18 USC 2511 bans unauthorized intercept of communications ``not available to the public''.
\item 47 USC 605 bans publication of intercepted content.
\end{itemize}
\end{frame}

\begin{frame}{Applicable Law -- US}
US laws control ``devices''.  That normally means complete HW/SW systems.  Whether or not these laws can be applied to pure software is probably an open question. We do not intend to become test cases.
Another key phrase in some of these laws is ``primary purpose''.  User interfaces, default configurations, documentation and statements of intention are important in establishing ``primary purpose''.
\end{frame}

\subsection{Applicable Law -- EU}

\begin{frame}{Applicable Law -- EU}
\begin{itemize}
% You guys got any laws against this stuff?
\item Laws on jammers vary across Europe. Legal to own in some places, generally illegal to use but several countries make exceptions for jails.
\item EMC Directive 2004/108/EC: Use of equipment. Not applicable for R\&TTED devices
\item R\&TTED Directive 1999/5/EC: Declaration of Conformity sufficient, no strict need to invove certification lab
\item 2000/299/EC: Classification of radio equipment -- GSM900/GSM1800 equipment is "Class 1", can be redistributed all over Europe
\end{itemize}
\end{frame}

\begin{frame}{Applicable Law -- DE}
\begin{itemize}
	\item \S 317 StGB: Stoerung von Telekommunikationsanlagen
	\begin{itemize}
		\item Causing interference with or deactivating public telecommunications networks
		\item Punishable up to 5 years imprisonment
		\item Even the attempt is punishable
	\end{itemize}
	\item \S 202a StGB: Ausspaehen von Daten
	\begin{itemize}
		\item Accessing data intended for other recipients and which are specially protected against unauthorized access
		\item Punishable up to 3 years imprisonment
	\end{itemize}
	\item \S 303a StGB: Datenveraenderung
	\begin{itemize}
		\item Unauthorized deletion, modification or suppression of data
		\item Punishable up to 2 years imprisonment
		\item Even the attempt is punishable
	\end{itemize}
	\item \S 149 (1) Satz 10 TKG: Bussgeldvorschriften
	\begin{itemize}
		\item Transmitting without an apropriate license
		\item penalty of up to EUR 1,500 plus EUR 600/900
	\end{itemize}
\end{itemize}
\end{frame}


\subsection{Information Sources} 

\begin{frame}{Information Sources}
\begin{itemize}
	\item All information presented here is available form public sources
	\item Most of the information presented here is readily derived from public specifications, \emph{if you actually take the time to read them}
	\item Nothing presented here is subject to trade secret restrictions
	\item Nothing presented here was received under a government security clearance agreement
\end{itemize}
\end{frame}

\section*{Outlines}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part I}
  \tableofcontents[hideallsubsections,part=2]
\end{frame}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part II}
  \tableofcontents[hideallsubsections,part=3]
\end{frame}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part III}
  \tableofcontents[hideallsubsections,part=4]
\end{frame}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part IV}
  \tableofcontents[hideallsubsections,part=5]
\end{frame}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part V}
  \tableofcontents[hideallsubsections,part=6]
\end{frame}

\begin{frame}<handout:0>
  \nameslide{outline}
  \frametitle{Outline of Part VI}
  \tableofcontents[hideallsubsections,part=7]
\end{frame}

\section{Researching GSM/3G security}

\subsection{An interesting observation}

\begin{frame}{GSM/3G protocol level security}
\begin{itemize}
	\item Observation
	\begin{itemize}
		\item Both GSM/3G and TCP/IP protocol specs are publicly available
		\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
		\item GSM networks are as widely deployed as the Internet
		\item Yet, GSM/3G protocols receive no such scrutiny!
	\end{itemize}
	\item There are reasons for that:
	\begin{itemize}
		\item GSM industry is extremely closed (and closed-minded)
		\item Only about 4 closed-source protocol stack implementations
		\item GSM chipset makers never release any hardware documentation
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{The closed GSM industry -- Handset side}

\begin{frame}{The closed GSM industry}{Handset manufacturing side}
\begin{itemize}
	\item Only very few companies build GSM/3.5G baseband chips today
	\begin{itemize}
		\item Those companies buy the operating system kernel and the protocol stack from third parties
	\end{itemize}
	\item Only very few handset makers are large enough to become a customer
	\begin{itemize}
		\item Even they only get limited access to hardware documentation
		\item Even they never really get access to the firmware source
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{The closed GSM industry -- Network side}

\begin{frame}{The closed GSM industry}{Network manufacturing side}
\begin{itemize}
	\item Only very few companies build GSM network equipment
	\begin{itemize}
		\item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
		\item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
	\end{itemize}
	\item Only operators buy equipment from them
	\item Since the quantities are low, the prices are extremely high
	\begin{itemize}
		\item e.g. for a BTS, easily 10-40k EUR
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{The closed GSM industry}{Operator side}
\begin{itemize}
	\item Operators are mainly banks today
	\item Typical operator outsources
	\begin{itemize}
		\item Billing
		\item Network planning / deployment / servicing
	\end{itemize}
	\item Operator just knows the closed equipment as shipped by manufacturer
	\item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
\end{itemize}
\end{frame}

\subsection{Security implications}

\begin{frame}{The closed GSM industry}{Security implications}
The security implications of the closed GSM industry are:
\begin{itemize}
	\item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
	\item No independent research on protocol-level security
	\begin{itemize}
		\item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
		\item Or on application level (e.g. mobile malware)
	\end{itemize}
	\item No open source protocol implementations
	\begin{itemize}
		\item which are key for making more people learn about the protocols
		\item which enable quick prototyping/testing by modifying existing code
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Security analysis of GSM}{How would you get started?}
If you were to start with GSM protocol level security analysis, where and
how would you start?
\begin{itemize}
	\item On the handset side?
	\begin{itemize}
		\item Difficult since GSM firmware and protocol stacks are closed and proprietary
		\item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
		\item Known attempts
		\begin{itemize}
			\item The TSM30 project as part of the THC GSM project
			\item mados, an alternative OS for Nokia DTC3 phones
		\end{itemize}
		\item none of those projects successful so far
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Security analysis of GSM}{How would you get started?}
If you were to start with GSM protocol level security analysis, where and
how would you start?
\begin{itemize}
	\item On the network side?
	\begin{itemize}
		\item Difficult since equipment is not easily available and normally extremely expensive
		\item However, network is very modular and has many standardized/documented interfaces
		\item Thus, if equipment is available, much easier/faster progress
		\item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Security analysis of GSM}{The bootstrapping process}
\begin{itemize}
	\item Read GSM specs day and night (> 1000 PDF documents)
	\item Gradually grow knowledge about the protocols
	\begin{itemize}
		\item OpenBSC: Obtain actual GSM network equipment (BTS)
		\item OpenBTS: Develop SDR based GSM Um Layer 1
	\end{itemize}
	\item Try to get actual protocol traces as examples
	\item Start a complete protocol stack implementation from scratch
	\item Finally, go and play with GSM protocol security
\end{itemize}
\end{frame}


\part{The GSM network}

\begin{frame}{Part I -- The GSM network}
\tiny{\tableofcontents}
% You might wish to add the option [pausesections]
\end{frame}

\section{The GSM network -- Overview}

\begin{frame}{The GSM network}
  \begin{figure}[h]
  \centering
  \includegraphics[width=100mm]{gsm_network.png}
  \end{figure}
\end{frame}

\subsection{GSM network components}

\begin{frame}{GSM network components}
  \begin{itemize}
    \item The BSS (Base Station Subsystem)
    \begin{description}[BTS]
      \item[MS] (Mobile Station): Your phone
      \item[BTS] (Base Transceiver Station): The {\em cell tower}
      \item[BSC] (Base Station Controller): Controlling up to hundreds of BTS
    \end{description}
    \item The NSS (Network Sub System)
    \begin{description}[MSC]
      \item[MSC] (Mobile Switching Center): The central switch
      \item[HLR] (Home Location Register): Database of subscribers
      \item[AUC] (Authentication Center): Database of authentication keys
      \item[VLR] (Visitor Location Register): For roaming users
      \item[EIR] (Equipment Identity Register): To block stolen phones
    \end{description}
  \end{itemize}
\end{frame}

\subsection{GSM network structure}

\begin{frame}{GSM Network Structure}
\begin{description}[BTS]
\item[BTS] Generates the actual radio interface. Mostly an L1/L2. Serves a single cell sector.
	\begin{description}[TRX]
	\item[TRX] Transceiver inside a BTS, serves one physical channel (ARFCN)
	\end{description}
\item[BSC] Manages radio resources and some mobility functions. Serves up to a few dozen BTSs in a ``location area''.
\item[MSC] Actual call switching and top-level mobility functions.  May serve dozens of location areas.
\item[HLR] (and VLR) The subscriber databases, routing databasses and authentication centers.
\end{description}
\end{frame}

%\begin{frame}{GSM Network Structure}
%\includegraphics[width=100mm]{GSMNetwork.pdf}
%\end{frame}

\subsection{GSM network interfaces}

\begin{frame}{GSM network interfaces}
  \begin{description}[A-bis]
    \item[Um] Interface between MS and BTS
    \begin{itemize}
	\item the only interface that is specified over radio
    \end{itemize}
    \item[A-bis] Interface between BTS and BSC
    \item[A] Interface between BSC and MSC
    \item[B] Interface between MSC and other MSC
  \end{description}
  GSM networks are a prime example of an {\em asymmetric distributed} network,
  very different from the end-to-end transparent IP network.
\end{frame}

\begin{frame}{Think ISDN (E1/T1), not 802.11}
\begin{itemize}
	\item{Many computer networking people assume that cellular is similar to WiFi. \alert{It is NOT!}}
	\item{Cellular interfaces are modeled after TDM trunk lines, not Ethernet}
	\begin{itemize}
		\item{multiplexed L1 with dedicated channels}
		\item{HDLC-style L2}
		\item{ISDN-style L3}
	\end{itemize}
	\item Channel establishmend often takes \emph{seconds}
	\item Bandwidth is a scarce resource
	\item Message source and destination not part of every packet but implicitly known based on TDMA assignment.
\end{itemize}
\end{frame}

\subsection{GSM network identities}

\begin{frame}{GSM Identity \& Address Types}
\begin{description}[MSISDN]
	\item[IMSI] 15 digits, universally unique to the subscriber
	\item[TMSI] 32 bits, assigned temporarily within a network
	\item[IMEI] 15 digits, universally unique to the handset
	\item[MSISDN] a permanently-assigned E.164; the subscriber's phone number
	\item[MSRN] a temporary E.164 for routing to a mobile subscriber
\end{description}
\end{frame}

\section{GSM Um Interface}

\subsection{Overview}

\begin{frame}{Understanding Um}{Overview}
% Following GSM 04.03 Section 4
%\small{
\begin{itemize}
	\item Modeled after the U interface of ISDN
	\item Broadcast channels: SCH, BCCH, FCCH
	\item Common channels: CCCH (PCH \& AGCH), RACH
	\item Dedicated Channels: 
	\begin{description}[Dm]
		\item[Dm] SDCCH, FACCH, SACCH
		\item[Bm] TCH/H, TCH/F
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um}{Channels \& Layers}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{GSMLayers.pdf}
\end{figure}
\end{frame}

\subsection{Time Division Multiplex}

\begin{frame}{Understanding Um}{TDM Structure}
\begin{itemize}
	\item ARFCN (Absolute Radio Freq.~Chan.~Num.)-- A 270,833 Hz radio channel. ARFCNs within a BTS numbered C0, C1, etc.
	\item 8 timeslots per frame on each ARFCN, numbered T0..T7.
	\item ``physical channel'' -- one slot on one ARFCN, designated C0T0, C0T1, C1T5, etc.
	\item Physical channel TDM follows a 26- or 52-frame multiframe, carrying multiple logical channels.
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um --TDM Example}
\begin{figure}[h]
	\centering
	\includegraphics[width=90mm]{26Multiframe.pdf}
	\caption{Example of traffic channel TDM}
\end{figure}
\end{frame}

\subsection{Logical Channels}

\begin{frame}{Understanding Um}{The Beacon}
The beacon is always on C0T0 and always constant full power
\begin{description}[CCCH]
	\item[SCH] (Sync.) -- TDM timing and reduced BTS identity
	\item[FCCH] (Freq.~Corr.) -- Fine frequency synchronization
	\item[BCCH] (Broadcast Control) -- Cell configuration and neighbor list
	\item[CCCH] (Common Control) -- a set of unicast channels
	\begin{description}[AGCH]
		\item[PCH] paging channel for network-originated transactions
		\item[AGCH] access grant channel
		\item[RACH] uplink access request
	\end{description}
\end{description}
\end{frame}

\begin{frame}{Understanding Um}{SCH -- Synchronization CHannel}
\begin{itemize}
	\item First channel acquired by a handset
	\item T1, T2, T3' -- TDM clocks for GSM frame number
	\item BCC -- 3 bits, identifies BTS in the local group
	\item NCC -- 3 bits, identifies network within a region
	\item BSIC is NCC:BCC
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um}{BCCH -- Broadcast Control CHannel}
\begin{itemize}
	\item Second channel acquired by the handset.
	\item A repeating cycle of system information messages.
	\begin{description}[Type 4]
		\item[Type 1] ARFCN set
		\item[Type 2] Neighbor list
		\item[Type 3] Cell/Network identity, CCCH configuration
		\item[Type 4] Network identity, cell selection parameters
		\item[GPRS] adds a few more (7, 9, 13, 16, 17)
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um}{CCCH -- Common Control CHannel}
\begin{description}[AGCH]
	\item[PCH] Paging
	\begin{itemize}
		\item Unicast. Handsets addressed by IMSI or TMSI, never IMEI.
		\item Handset sees paging request and then requests service on RACH.
	\end{itemize}
	\item[RACH] Random Access
	\begin{itemize}
		\item Handset requests channel with RACH burst, 8-bit tag.
	\end{itemize}
	\item[AGCH] Access Grant
	\begin{itemize}
		\item BTS answers on AGCH, echoing tag and timestamp.
	\end{itemize}
\end{description}
\end{frame}

\begin{frame}{Understanding Um}{Dm Channels}
\begin{description}[SDCCH]
	\item[SDCCH] Most heavily used control channel: registration, SMS transfers, call setup in many networks.  Payload rate of 0.8 kb/s.
	\item[FACCH] Blank and burst channel steals bandwidth from traffic.  Used for in-call signaling, call setup in some networks.  Payload rate up to 9.2 kb/s on TCH/F.
	\item[SACCH] Low rate channel muxed onto every other logical channel type.  Used for timing/power control, measurement reports and in-call SMS transfers.
\end{description}
\end{frame}

\begin{frame}{Understanding Um}{Bm Channels}
\begin{itemize}
	\item Full rate TCH/F 22.7 kb/s raw rate, occupies a full slot
	\item Half rate TCH/H 11.4 kb/s raw rate, 2 per slot using every other frame
	\item Payloads:
	\begin{description}[Speech]
		\item[Speech] HR, FR, EFR, AMR
		\item[Fax]
		\item[CSD] Circuit Switched Data
	\end{description}
\end{itemize}
\end{frame}

\subsection{Miscellaneous}

\begin{frame}{Understanding Um -- Connectivity and ``Presence''}
\begin{itemize}
	\item A handset is connected to the network only when it is assigned to a dedicated channel, otherwise it is {\em IDLE} and listening passively to the beacon.
	\item Creation of a dedicated channel can take \emph{several seconds}.
	\item The network can only guess the status of an idle handset based on the last transaction or transaction attempt, which may be several minutes old even under \emph{the best} conditions.
	\item Even in a connected state, the signal between the handset and the network can disappear for several seconds at a time without resulting in loss of the channel.
\end{itemize}
\end{frame}

\begin{frame}{Frequency Hopping}
\begin{itemize}
	\item Intended to improve radio performance through diversity in fading and interference
	\item Two ways to implement hopping
	\begin{itemize}
		\item Baseband hopping: $N$ fixed-frequency transceivers are connected to $N$ baseband processors through a switch or commutator.  Allows CA of $N$ ARFCNs.  C0 can be in the CA.
		\item Synthesizer hopping: Each of $N$ baseband processors connects to a dedicated transceiver.  This requires transceivers that can be retuned and settled in less than 30~$\mu$s.  Allows CA to have $\gg N$ ARFNCs.  C0 is not in the CA.
	\end{itemize}
	\item Some networks implement synchronous hopping to prevent collisions of hopping bursts from neighboring cells.
\end{itemize}
\end{frame}

\begin{frame}{Frequency Hopping Parameters}
A {\em hopping sequence} is an ordered list of ARFCNs used by a given physical channel (PCH), synced to the GSM frame clock.
Each PCH can have an independent hopping sequence.
\begin{description}[MAIO]
	\item[CA] Cell Allocation, set of ARFCNs used for hopping in BTS
	\item[HSN] Hopping Sequence Number, parameter used in pseudorandom algorithm generating hopping sequence
	\item[MA] Mobile Allocation, subset of CA used by a particular PCH
	\item[MAIO] MA Index Offset, offset added to hopping sequence when indexing  MA.
\end{description}
\begin{itemize}
	\item CA is the same for every PCH in the BTS
	\item HSN, MA and MAIO can be different for every PCH, usually only MAIO is unique
\end{itemize}
\end{frame}


\begin{frame}{Understanding Um}{GPRS}
\begin{itemize}
	\item{More like a separate service running parallel to GSM.}
	\item{PCCCH and PBCCH used to make short-term assignments onto PDTCHs.}
	\item{Burst data rates up to 50 kb/s for half-duplex handset on GMSK network.}
	\item{Burst data rates up to 250 kb/s for full duplex handset on EDGE network.}
\end{itemize}
\end{frame}

\section{The Layers of the Um Interface}

\begin{frame}{Understanding Um}{The Layers}
The Layers are not exactly the ISO model, but a similar theme.
\begin{description}
	\item[L1] The radiomodem, TDM and FEC functions
	\item[L2] Frame segmentation and retransmission
	\item[L3] Connection \& mobility management
	\item[L4] Relay functions between BSC and other entities
\end{description}
\end{frame}


\begin{frame}{Understanding Um}{The Layers}
\begin{figure}[h]
	\centering
	\includegraphics[width=85mm]{L2Figure.pdf}
	\caption{Layers of a Dm channel}
\end{figure}
\end{frame}

\subsection{Um Layer 1}

\begin{frame}{Understanding Um}{L1}
\begin{itemize}
	\item Analog radio path (transceiver, amplifiers, duplexer, antenna)
	\item{GMSK or GMSK/EDGE radiomodem (``L0'')}
	\item{TDM to define logical channels}
	\item{FEC (Forward Error Correction)}
	\begin{itemize}
		\item{Rate-1/2 convolutional code is typical.}
		\item{40-bit Fire code parity word on most control channels.}
		\item{4-burst or 8-burst interleaving is typical.}
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{L1 Overview (see handout)}
\begin{figure}[h]
	\centering
	\includegraphics[width=50mm]{UmL1Overview.pdf}
\end{figure}
\end{frame}

\begin{frame}{Example -- OpenBTS L1 Dm Receive Path}
\small{
\begin{enumerate}
	\item Tune, filter and decimate down to a 270.833~kHz baseband channel.
	\item Demodulate GMSK with Laurent approximation, one burst at a time, to get probability estimates channel bits.  (Soft-output demod.)
	\item Demux burst to the the logical channel based on current frame number.
	\item Deinterleave bursts according to T2 or T3.  Mark bits from missing bursts as unknown bits.
	\item Apply soft input Viterrbi decoder to L1 frame to recover L2 frame and parity word.
	\item Compute parity word for received L2 frame.
	\item If parity computed and received parity match, pass frame up to L2.
\end{enumerate}
}
\end{frame}


\begin{frame}{Um Radiomodem}
\begin{itemize}
	\item Gaussian Minimum Shift Keying -- constant modulus to simplify amplifier design
	\item Each timeslot carries a radio burst:
	\begin{itemize}
		\item guard period (between slots)
		\item tail bits (at start and end of modulated data)
		\item midamble (in center of burst)
		\item payload bits (on each side of midamble)
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Um ``Normal'' Burst}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{NormalBurst.pdf}
	(From Wikipedia.)
\end{figure}
\end{frame}

\begin{frame}{Um L1 Interleaving}
\begin{itemize}
	\item Every GSM data frame is spread over 4 or 8 radio bursts.
	\begin{itemize}
		\item 4-burst block interleave on most channels
		\item 8-burst diagonal interleave on TCHs
	\end{itemize}
	\item Loss of one burst means 1/4 or 1/8 missing channel bits, scattered throughout a frame.
	\item Allows a slow-hopping system to achieve many performance gains associated with fast-hopping.
\end{itemize}
\end{frame}

\begin{frame}{Um L1 Decoding}
\begin{itemize}
	\item Most channels use a rate-1/2 4th-order convolutional code.
	\item With a soft-input decoder, you can discard 1/2 of the input bits and still recover a frame.
	\item Dm channels use a 40-bit Fire parity code, designed to correct burst errors up to 12 bits long.
	\item Parity coding on Bm channels is media-specific. 
\end{itemize}
\end{frame}

\begin{frame}{Um Training Sequence}
\begin{itemize}
	\item used to train equalizer for multipath mitigation
	\item 26 symbols long, intended for use with 16-symbol correlator (12 dB processing gain)
	\item chosen for good autocorrelation, low cross-correlation
	\item with midamble \& tails, GSM TCH is 22\% known bits, 38 dB processing gain over 1 second
\end{itemize}
\end{frame}

\begin{frame}{Um Clock Control}
\begin{itemize}
	\item MS has VCTCXO with natural error of a few kHz.
	\item BTS has VCOCXO with natural error of a few Hz, calibrated regularly.
	\item MS makes an initial search over a wide frequency window, then uses FCCH to calibrate VCTCXO to the BTS.
	\item Once locked, the MS will not make another wide search unless it loses service completely.
	\item GSM Specification mandates an accuracy of the carrier clock 30 ppb, that's less than 50 Hz @ 900MHz
\end{itemize}
\end{frame}

\begin{frame}{Um Timing Advance}
\begin{itemize}
\small{
\item Guard period 30~$\mu$s, a round trip distance of 4.5~km.
\item If a burst arrives delayed by more than 30~$\mu$s it can collide with the next timeslot at the receiver.
\item Avoid collisions with with active timing advance (TA) control.
\begin{itemize}
	\item BTS measures timing error of arriving burst midamble.
	\item MS reports current TA value in physical header on SACCH
	\item BTS calculates new TA and sends it back on the SACCH physical header
\end{itemize}
\item Maximum TA of 63 symbols limits normal GSM range to 35 km.
}
\end{itemize}
\end{frame}

\begin{frame}{Um Uplink Power Control}
\begin{itemize}
	\item BTS controls uplink power to reduce dynamic range requirements in the receiver.
	\item Power is controlled in roughly 2 dB steps in a closed loop:
	\begin{itemize}
		\item BTS measures power of arriving burst.
		\item MS reports current tx power value in physical header on SACCH.
		\item BTS calculates new tx power and sends it back in physical header on the SACCH.
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Um Downlink Power Control}
\begin{itemize}
	\item BTS can use downlink power control on carriers other than C0 to minimize interference with other BTSs.
	\item Power is controlled in a closed loop:
	\begin{itemize}
		\item MS measures power of arriving bursts.
		\item MS reports current RSSI in measurement reports on SACCH.
		\item BTS adjusts its output power on that MS's timeslot to meet RSSI target.
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Um Discontinuous Transmission (DTX)}
\begin{itemize}
	\item On average, a participant in a call is silent half of the time.
	\item GSM allows an MS or BTS to suspend transmission during silent periods, just sending an occasional keep-alive frame.
	\item Vocoders generate ``comfort noise'' during silent periods.
	\item For the MS, this saves battery power.
	\item For the BTS, this minimizes interference with other cells.
\end{itemize}
\end{frame}

\subsection{Um Layer 2}

\begin{frame}{Understanding Um}{L2}
\begin{itemize}
	\item L1 drops frames, but L3 assumes a reliable link.
	\item L1 uses fixed-length frames, but L3 uses variable-length messages.
	\item L2 (Data Link Layer) bridges the gap with segmentation, sequencing and retransmission.
	\item ISDN uses LAPD for L2, derived from HDLC, derived from SDLC, dating back to IBM's SNA mainframe networks.
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um}{L2}
\begin{itemize}
	\item{LAPDm on Dm channels, a HDLC derivative, similar to ISDN's LAPD but simplified.}
	\item{LLC on GPRS channels, another HDLC derivative.}
	\item{GSM defines no L2 in Bm channels.}
	\begin{itemize}
		\item{Speech/fax are just media and have no L2.}
		\item{CSD typically used with PPP for L2.}
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Understanding Um}{L2 LAPDm}
\begin{itemize}
\small{
	\item Frame types UI, UA, SABM RR, REJ, I.
	\item Address, Control and Length fields in header. Some fields implied on some channel types.
	\item Asynchronous Balanced Mode (ABM, ``multiframe mode'')
	\begin{itemize}
		\item 3-bit sequence numbers, in RR-, REJ- and I-frame control headers. NS for sent, NR for acked
		\item T200 timeout for repeating unacked frames
		\item channel abandoned after too many timeouts
	\end{itemize}
	\item Idle frame filling.
}
\end{itemize}
\end{frame}

\subsection{Um Layer 3}

\begin{frame}{Understanding Um}{L3 Sublayers}
\begin{description}[SMSCP]
	\item[RR] Radio Resource -- assigns and releases logical channels. Terminates in BSC
	\item[MM] Mobility Management -- location, authentication. Terminates in BSC and MSC
	\item[GMM] (GPRS Mobility Management) -- location, authentication. Terminates in BSC and SGSN
	\item[CC] (Call Control) -- Q.931, like ISDN. Terminates in MSC
	\item[SMSCP] (SMS Connection Protocol) -- tunnel from handset to SMSC
\end{description}
\end{frame}

\begin{frame}{Example Transaction -- Location Update}
\begin{figure}[h]
	\centering
	\includegraphics[width=70mm]{LadderLU.pdf}
\end{figure}
% Demo with OpenBTS and OpenBSC.
\end{frame}

\begin{frame}{Example Transaction -- MO Call Setup}
\begin{figure}[h]
	\centering
	\includegraphics[width=50mm]{LadderMOC.pdf}
\end{figure}
% Demo with OpenBTS and OpenBSC
\end{frame}

\begin{frame}{Example Transaction -- MT Call Setup}
\begin{figure}[h]
	\centering
	\includegraphics[width=50mm]{LadderMTC.pdf}
\end{figure}
% Demo with OpenBTS and OpenBSC
\end{frame}

\subsection{Short Message Service}

\begin{frame}{SMS -- Layers}
GSM TS 04.11 and 03.40 define SMS in five layers:
\begin{description}[L1]
\item[L1] is taken from the Dm channel type used, either SDCCH or SACCH. This layer terminates in the BTS.
\item[L2] is normally LAPDm, but can be LLC in GPRS devices. In LAPDm SMS uses SAPI 3. This layer terminates in the BTS.
% Does SMS-CP really terminate in the MSC? Or in the BSC?
\item[L3] the connection layer, defined in GSM 04.11 5. This layer terminates in the MSC.
\item[L4] the relay layer, defined in GSM 04.11 6. This layer terminates in the MSC.
\item[L5] the transfer layer, defined in GSM 03.40. This layer terminates in the SMSC.
\end{description}
As a general rule, every PDU transferred in L(n) requires both a transfer and an acknowledgment on L(n-1).
\end{frame}

\begin{frame}{SMS Connection Layer (L3)}
\begin{itemize}
	\item Terminates in the MSC.
	\item No addressing.  Just peers on Dm link.
	\begin{description}[CP-ERROR]
		\item[CP-DATA] carries an RPDU.
		\item[CP-ACK] acks CP-DATA.
		\item[CP-ERROR] nacks CP-DATA with cause code.
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{SMS Relay Layer (L4)}
\begin{itemize}
	\item Terminates in MSC.
	\item Addresses are SMSC E.164s.
	\begin{description}[RP-ERROR]
		\item[RP-DATA] carries a TDPU to submit/deliver SMS between the MS and network.
		\item[RP-SMMA] polls network for SMS.
		\item[RP-ACK] acks RP-DATA. May carry TPDU.
		\item[RP-ERROR] nacks RP-DATA with cause code. May carry TPDU.
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{SMS Transfer Layer (L5)}
\begin{itemize}
	\item Terminates in the SMSC.
	\item Addresses are user E.164s.
	\begin{description}[SMS-DELIVER-REPORT]
		\item[SMS-DELIVER] carries user data to MS.
		\item[SMS-DELIVER-REPORT] acks/nacks SMS-DELIVER
		\item[SMS-SUMBIT] carrier user data from MS.
		\item[SMS-SUBMIT-REPORT] acks/nacks SMS-SUBMIT.
		\item[SMS-STATUS-REPORT] reports status of previously submitted SMS.
		\item[SMS-COMMAND] can delete or cancel status report for a previously submitted SMS.
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{SMS User Data Header (L6)}
\begin{itemize}
	\item Endpoints are user devices.
	\item The User Data part of the TPU has an optional header, the UDH, described in GSM 03.40 9.2.3.24.
	\begin{itemize}
		\item Segmentation for long messages.
		\item Message waiting indications.
		\item SIM Toolkit Security Header, wraps STK APDU.
		\item WCMP, for WAP transport
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{MT-SMS in L3 \& L4}
\begin{figure}[h]
	\centering
\includegraphics[width=90mm]{MTSMS.pdf}
\end{figure}
\end{frame}

\begin{frame}{MO-SMS in L3 \& L4}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{MOSMS.pdf}
\end{figure}
\end{frame}

\section{Um Testing Tools}

\subsection{Trace Phones}

\begin{frame}{Um Testing Tools -- Nokia DCT-3}
\begin{itemize}
	\item Nokia DCT-3 handsets (1998-2003) include testing features in their firmware.  These features can be enabled to covert these phones into useful test equipment.
	\item ``Field Test Mode'' can be enabled in many models through keypad sequences, serial port or IR ports.
	\item Some models (3310, for example) can provide full L2 traces through the serial port.  These traces can be decoded with gammu and wireshark.
\end{itemize}
\end{frame}

\begin{frame}{Um Testing Tools -- Other Trace Tools}
\begin{itemize}
	\item Many Motorola handsets have a ``Netmonitor'' feature, similar to Nokia's Field Test Mode.
	\item Other tools can give functionality similar to 3310 trace feature, but with more convenience and at $10\times$ to $50\times$ the cost.
	\begin{itemize}
		\item Sagem OT-series engineering handsets.
		\item Ericsson TEMS handsets.
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Um Testing Tools -- Example}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{TEMS.pdf}
\end{figure}
\small{(TEMS system, from Ericsson brochure.  Watch the road, buddy.)}
\end{frame}

\begin{frame}{Um Testing Tools -- Emulators/Testers}
\begin{itemize}
\small{
\item Handset emulators to exercise BTS units:
\begin{itemize}
	\item Verify beacon content and modulation, measure RACH response, run standard transactions. Some include Abis support for end-to-end testing.
	\item Rohde \& Schwarz CMD57, used for US\$4.5k-6k, for example.
\end{itemize}
\item Network emulators to exercise handsets:
\begin{itemize}
	\item Generate beacon, verify modulation, answer RACH, run standard transactions.
	\item Hewlett Packard 8922, used for US\$10k-20k, for example.
\end{itemize}
}
\end{itemize}
\end{frame}

\subsection{OpenBSC}

\begin{frame}{Open Source GSM Tools}{OpenBSC}
What is OpenBSC
\begin{itemize}
	\item A {\em GSM network in a box} software
	\item Implements minimal subset of BSC, MSC, HLR, SMSC
	\item Is Free and Open Source Software licensed under GNU GPLv2+
	\item Supports Siemens BS-11 BTS (E1) and ip.access nanoBTS (IP based)
	\item Has classic 2G signalling, voice and SMS support
	\item Implements various GSM protocols like
	\begin{itemize}
		\item A-bis RSL (TS 08.58) and OML (TS 12.21)
		\item TS 04.08 Radio Resource, Mobility Management, Call Control
		\item TS 04.11 Short Message Service
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{OpenBSC software architecture}
\begin{itemize}
	\item Implemented in pure C, similarities to Linux kernel
	\begin{itemize}
		\item Linked List handling, Timer API, coding style
	\end{itemize}
	\item Single-threaded event-loop / state machine design
	\item Telnet based command line interface {\em Cisco-style}
	\item Input driver abstraction (mISDN, Abis-over-IP)
\end{itemize}
\end{frame}

\begin{frame}{OpenBSC: GSM network protocols}{The A-bis interface}
  \begin{description}[Layer 4+]
    \item[Layer 1] Typically E1 line, TS 08.54
    \item[Layer 2] A variant of ISDN LAPD with fixed TEI's, TS 08.56
    \item[Layer 3] OML (Organization and Maintenance Layer, TS 12.21)
    \item[Layer 3] RSL (Radio Signalling Link, TS 08.58)
    \item[Layer 4+] transparent messages that are sent to the MS via Um
  \end{description}
\end{frame}

\begin{frame}{OpenBSC: How it all started}
\begin{itemize}
	\item In 2006, I bought a Siemens BS-11 microBTS on eBay
	\begin{itemize}
		\item This is GSM900 BTS with 2 TRX at 2W output power (each)
		\item A 48kg monster with attached antenna
		\item 200W power consumption, passive cooling
		\item E1 physical interface
	\end{itemize}
	\item I didn't have much time at the time (day job at Openmoko)
	\item Started to read up on GSM specs whenever I could
	\item Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support
	\item Found somebody in the GSM industry who provided protocol traces
\end{itemize}
\end{frame}

\begin{frame}{OpenBSC: Timeline}
\begin{itemize}
	\item In November 2008, I started the development of OpenBSC
	\item In December 2008, we did a first demo at 25C3
	\item In January 2009, we had full voice call support
	\item In June 2009, I started with actual security related stuff
	\item In August 2009, we had the first field test with 2BTS and > 860 phones
\end{itemize}
\end{frame}

\begin{frame}{OpenBSC: Field Test at HAR2009}
\begin{figure}[h]
\subfigure{\includegraphics[width=5cm]{bts_tree_full.jpg}}
\subfigure{\includegraphics[width=5cm]{openbsc_host.jpg}}
\end{figure}
\end{frame}


\subsection{OpenBTS}

\begin{frame}{Open Source GSM Tools: OpenBTS}
\begin{itemize}
	\item Open implementation of Um L1 \& L2, an all-software BTS.
	\item L1/L2 design based on an object-oriented dataflow approach.
	\item Includes L3 RR functions normally found in BSC.
	\item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network.  L3 is like an ISDN/SIP gateway.
	\item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments.
\end{itemize}
\end{frame}

\begin{frame}{Open Source GSM Tools: OpenBTS}
\begin{itemize}
	\item Started work in August 2007, first call in January 2008, first SMS in December 2008.
	\item First public release in September 2008, assigned to FSF in October 2008.
	\item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada.
	\item Latest release (2.5) is about 13k lines of C++.
	\item Now part of GNU Raido project, distributed under GPLv3
\end{itemize}
\end{frame}

\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
\begin{figure}[h]
	\centering
	\includegraphics[width=85mm]{NevadaTestSite.jpg}
\end{figure}
\end{frame}

\subsection{airprobe}

\begin{frame}{Open Source GSM Tools: Airprobe}
\begin{itemize}
	\item {\em airprobe} is a collection of Um protocol analyzer tools using the USRP software defined radio
	\item A number of different Um receiver implementations
	\begin{description}[gsm-receiver]
		\item[gssm] One of the two early Um receiver implementations (M\&M clock recovery)
		\item[gsmsp] The other early Um receiver implementation
		\item[gsm-tvoid] For a long time the Um receiver with best performance
		\item[gsm-receiver] The latest generation of Um receiver
	\end{description}
	\item Today, gsm-receiver seems to be the most popular choice
\end{itemize}
\end{frame}

\begin{frame}{Open Source GSM Tools: Airprobe}
\begin{itemize}
	\item Some other airprobe tools
	\begin{description}[viterbi\_gen]
		\item[gsmdecode] A standalone text-mode Um L2 frame parser
		\item[wireshark] Dissector code for feeding Um frames into wireshark
		\item[gsmstack] An unfinished more modular implementation of a Rx-only L1
		\item[viterbi\_gen] Generate C++ implementations of a viterbi decoder
	\end{description}
	\item Still under development, no user friendly solution
	\begin{itemize}
		\item gsmtap frame format needs to be added as clean wireshark interface
		\item receivers need automatic frequency scanning
		\item full solution needs proper UI
	\end{itemize}
\end{itemize}
\end{frame}




\part{Um Security Features  ...and their shortcomings}

\begin{frame}{Part II - Um Security Features}
\tiny{\tableofcontents}
% You might wish to add the option [pausesections]
\end{frame}

\subsection{Theory}

\begin{frame}{Known GSM security problems}{Scientific papers, etc}
\begin{itemize}
	\item No mutual authentication between phone and network
	\begin{itemize}
		\item leads to rogue network attacks
		\item leads to man-in-the-middle attacks
		\item is what enables IMSI-catchers
	\end{itemize}
	\item Weak encryption algorithms
	\item Encryption is optional, user never knows when it's active or not
	\item DoS of the RACH by means of channel request flooding
	\item RRLP (Radio Resource Location Protocol)
	\begin{itemize}
		\item the network can obtain GPS fix or even raw GPS data from the phone
		\item combine that with the network not needing to authenticate itself
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{The Baseband}

\begin{frame}{Known GSM security problems}{The Baseband side}
\begin{itemize}
	\item GSM protocol stack always runs in a so-called baseband processor (BP)
	\item What is the baseband processor
	\begin{itemize}
		\item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones)
		\begin{itemize}
			\item Runs some RTOS (often Nucleus, sometimes L4)
			\item No memory protection between tasks
		\end{itemize}
		\item Some kind of DSP, model depends on vendor
		\begin{itemize}
			\item Runs the digital signal processing for the RF Layer 1
			\item Has hardware peripherals for A5 encryption
		\end{itemize}
	\end{itemize}
	\item The software stack on the baseband processor
	\begin{itemize}
		\item is written in C and assembly
		\item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..)
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Observations}

\begin{frame}{Interesting observations}{Learned from implementing the stack}
While developing OpenBSC, we observed a number of interesting
\begin{itemize}
	\item Many phones use their TMSI from the old network when they roam to a new network
	\item Various phones crash when confronted with incorrect messages.  We didn't even start to intentionally send incorrect messages (!)
	\item There are tons of obscure options on the GSM spec which no real network uses.  Potential attack vector by using rarely tested code paths.
\end{itemize}
OpenBTS developers observed the same.
\end{frame}


\section{GSM Security Features}

\begin{frame}{GSM Security Overview}
% This slide is just to establish a context for the rest of the discussion.
\begin{itemize}
	\item Anonymization -- The TMSI is assigned on a temporary basis and is substituted for the IMSI whenever possible.
	\item Authentication -- Challenge-response dialog based on 128-bit secret key $K_i$ and A3 \& A8 algorithms.
	\item Ciphering -- Authentication produces a 64-bit ciphering key $K_C$ as a byproduct that is used to encrypt Dm and Bm channels with one of the A5 algorithms.
	\item Hopping -- Not intended as a security feature, but makes interception considerably more difficult.
\end{itemize}
\end{frame}

\subsection{TMSI -- Anonymization}

\begin{frame}{GSM Security: TMSI -- Anonymity}
\begin{itemize}
	\item For anonymity, transmitting the IMSI in cleartext is avoided
	\item However, we still need to identify the MS that has requested a channel activation
	\item TMSI is a 32bit number and used as substitute for IMSI
	\item MS identifies itself the first time by IMSI, then the network allocates a TMSI.
	\begin{itemize}
		\item MS stores allocated TMSI in SIM, even across reboots
		\item network stores TMSI in HLR
	\end{itemize}
	\item Network can reallocate TMSI at will
	\begin{itemize}	
		\item e.g. during location update
		\item e.g. every 4 transactions (call, sms, ...)
	\end{itemize}
	\item TMSI reallocation can happen after A5 encryption is started
\end{itemize}
\end{frame}

\subsection{A3/A8 -- Authentication}

\begin{frame}{GSM Security: A3/A8 -- Keys involved}
\begin{itemize}
	\item Much of GSM security is based on a 128-bit shared secret, $K_i$.
	\item There is one copy of $K_i$ inside in the SIM.
	\begin{itemize}
		\item regular SIM cards do not permit reading it back
		\item of course, SIM card maker or operator might have a special key for that
	\end{itemize}
	\item There is another copy of $K_i$ in the AUC (Auth Center)
	\item $K_i$ is never exposed directly anywhere.
\end{itemize}
\end{frame}

\begin{frame}{GSM Security: A3/A8 -- Authentication}
%Specified in TS 04.08 4.3.2, 03.20 03.20
\begin{enumerate}
	\item Network generates 128 bit random value (RAND)
	\item Network sends RAND to the MS in the MM Authentication Request message
	\item MS forms a 32-bit hash (SRES) by encrypting RAND with A3 algorithm, using $K_i$ as a key. Network performs identical SRES calculation
	\item MS sends back its SRES value in the RR Authentication Response message
	\item Network compares its calculated SRES value to the value provided by MS. If they match, the MS is authenticated.
	\item Both the MS and the network also compute a 64-bit ciphering key ($K_C$) from RAND and $K_i$ using the A8 algorithm. Both parties save this value for later use when ciphering is enabled.
\end{enumerate}
\end{frame}

\begin{frame}{GSM Security: A3/A8 -- Authentication}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{LadderAuth.pdf}
\end{figure}
% Demo with OpenBTS and OpenBSC
\end{frame}

\subsection{A5 -- Ciphering}

\begin{frame}{GSM Security: A5 -- Ciphering}
\begin{itemize}
	\item A5 is a family of symmetric ciphers inside the GSM Um Layer 1
	\begin{description}[A5/4..8]
		\item[A5/0] means no encryption
		\item[A5/1] is the {\em secure} cipher variant
		\item[A5/2] is the {\em weak} cipher variant
		\item[A5/3] is the UMTS replacement; can be used on GSM, too
		\item[A5/4..8] mentioned in protocol spec but never defined
	\end{description}
	\item MS indicates A5 capabilities in classmark procedure
	\begin{itemize}
		\item Compromised MS software could indicate no A5/1 capability to the network
		\item Network can decide to use A5/0 even if the phone supports A5/1,2,3
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{GSM Security: A5 -- Ciphering}
\begin{itemize}
	\item Encryption Key $K_C$ is produced as result to A3/A8 authentication
	\item Re-keying can be initiated by the network at any given time by means of the authentication procedure
	\item $K_C$ as a result of authentication is stored on SIM
	\item $K_C$ can be read and written by the phone itself
	\begin{itemize}
		\item OS on Baseband Processor typically has some kind of API to access SIM
		\item However, quite often direct access to $K_C$ is not permitted
		\item Still, baseband processor software exploits do exist!
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{GPRS Security}
\begin{itemize}
	\item GPRS uses same A3/A8 Authentication as GSM
	\item GPRS uses its own GEA family of ciphers
	\begin{itemize}
		\item Algorithm spec as secret as A5
		\item However, no leaked / reverse engineered implementation yet
		\item No academic or practical attacks known (yet?)
	\end{itemize}
	\item GEA is used on Layer 2 (LLC), not Layer 1 as in GSM
	\begin{itemize}
		\item Encryption between MS and SGSN, does not terminate at BTS
		\item Not possible to capture unencrypted data on backhaul anymore
	\end{itemize}
\end{itemize}
\end{frame}


\subsection{Frequency Hopping}

\begin{frame}{GSM Security: Frequency Hopping}
\begin{itemize}
	\item Requires that an interceptor support hopping or have sufficient bandwidth to capture the entire carrier allocation.
	\item Complicates decryption for a hopping interceptor, since you may have to decrypt a channel assignment before you even know where to tune next.  (Wideband interceptors do not have this problem.)
	\item Hopping parameters can be reverse engineered from the spectrum if call activity is low.
	\item But you may not need to reverse engineer much:
	\begin{itemize}
		\item The CA is global and usually divided into a small number (1 or 2) of non-overlapping MAs.
		\item The HSN is usually the same for every assignment in the cell
		\item In networks with synchronized cells, the HSN is the same even accross cells
	\end{itemize}
\end{itemize}
\end{frame}


\section{GSM Security -- Design Flaws}

\begin{frame}{GSM Security -- Bad Assumption}
\begin{block}{Bad Assumption}
No rogue actors in L3
\end{block}
\begin{itemize}
	\item Any entity that can implement L1 and L2 correctly is assumed to be legitimate until a challenge fails
	\item This was a common telco security assumption in the 1980's, back when equipment was big and expensive and all of the networks were run by governments and quasi-governmental monopolies
	\item It is an assumption inherited from wireline telcos, and is even weaker in the wireless world
\end{itemize}
\end{frame}

\subsection{Oversights}

\begin{frame}{GSM Security -- Oversights}
\begin{block}{Oversight}
No authentication of the network
\end{block}
\begin{itemize}
\item GSM allows the network to authenticate a handset, but provides no means for the handset to authenticate the network
\item Authentication is based on challenge-response, but the only comparison happens in the network end
\item Any entity that can present a network-side Um interface is assumed to the legitimate, making it easy to create the GSM equivalent of a rogue access point.
\end{itemize}
\end{frame}


\begin{frame}{GSM Security -- Oversights}
\begin{block}{Oversight}
Handset cannot release in L3 RR
\end{block}
\begin{itemize}
\item The channel release operation must always be initiated by the network
\item As long as the handset sees a valid idle pattern in L2, it can be made to hold an active channel indefinitely
\end{itemize}
\end{frame}

\begin{frame}{GSM Security -- Oversights}
\begin{block}{Oversight}
The network controls privacy
\end{block}
\begin{itemize}
	\item GSM privacy controls are in the network, not in the handset
	\item Ciphering indications controlled by carrier.
	\item Any entity that assumes the role of the network takes control of the privacy features as well.
	\item Once camped, the MS is essentially a slave of the BTS.
\end{itemize}
\end{frame}


\begin{frame}{GSM Security -- Oversights}
\begin{block}{Oversight}
Ciphering was an afterthought
\end{block}
\begin{itemize}
	\item Ciphering was added to the system low in L1, below FEC
	\item L2 idle frames generate a lot of known plaintext
	\item FEC lowers the entropy of the plaintext stream
	\item The A5 ciphering algorithms were not subject to adequate review by cryptographic experts prior to standardization
	\item Encryption at L1 cannot be end-to-end since L1 terminates in the BTS, \emph{so microwave backhaul can still be fully exposed}
\end{itemize}
\end{frame}

\begin{frame}{GPRS Security -- Oversights}
\begin{block}{Oversight}
GPRS uses same $K_C$ key generation (A3/A8) as GSM
\end{block}
\begin{itemize}
\item Even if GPRS has stronger crypto algorithm, $K_C$ is generated the same way as in GSM
\item $K_C$ key recovery attack using A5/2 can be performed using same random challenge
\item GPRS traffic can thus be recorded and later reviewed if MS with same SIM enters IMSI-Catcher and is presented with challenge from the recording
\end{itemize}
\end{frame}

\begin{frame}{GSM Security -- Oversights}
\begin{block}{Oversight}
UMTS handsets also support GSM
\end{block}
\begin{itemize}
	\item Many GSM security problems are fixed in UMTS, but all UMTS handsets fall back to 2.5G GSM operation when UMTS is not available.
	\item UMTS handsets can be ordered to fall back to GSM by a rogue 3G Node B before mutual authentication even happens.
	\item UMTS handsets can be forced into the GSM mode by jamming the UMTS service.
\end{itemize}
\end{frame}

\begin{frame}{GSM Security -- Anachronism}
\begin{block}{Anachronism}
Predates public key encryption
\end{block}
\begin{itemize}
	\item Network cannot authenticate the initial access attempt
	\item Any transaction must begin with the revelation of some subscriber ID over an unencrypted channel
	\item All security depends on the protection of $K_i$
	\item Once $K_i$ is broken, the SIM is permanently compromised
\end{itemize}
\end{frame}

\subsection{Intentional Weaknesses}

\begin{frame}{GSM Security -- Intentional Weaknesses}
\begin{block}{Intentional Weakness}
A5/1 \& A5/2
\end{block}
\begin{itemize}
	\item Western governments were reluctant to export ``strong'' encryption to other parts of the world, so they defined two ciphering algorithms, A5/1 for the US and Europe and A5/2 for everywhere else
	\item The specification requires that any handset support both of these algorithms, so the cryptosystem is exported anyway and determined party can reverse-engineer either A5 from a standard handset.
\end{itemize}
\end{frame}

\begin{frame}{GSM Security -- Intentional Weaknesses}
% This is old information.
% Still need a good reference to verify this in recent systems.
\begin{block}{Intentional Weakness}
Carriers do not use the full range of $K_i$, $K_C$.
\end{block}
\begin{itemize}
	\item The spec allows 128 bits for $K_i$, but most carriers use only 64.
	\item The spec allow 64 bits for $K_C$, but most carriers use only 54.
\end{itemize}
\end{frame}

\begin{frame}{GSM Security -- Intentional Weaknesses}
\begin{block}{Intentional Weakness}
Security features are optional
\end{block}
\begin{itemize}
	\item Authentication is optional
	\item A5/0 means no ciphering at all and all handsets support it
	\item TMSIs are optional
	\item A3/A8 is selected by the operator, used to be COMP128
\end{itemize}
\end{frame}


\subsection{Handset Bugs}

\begin{frame}{GSM Security -- Handset Bugs}
\begin{itemize}
% Other good ones?  OTA-related?
	\item TMSI exposure bugs compromise anonymization
	\item Many handsets crash or hang when presented with erroneous message formats or sequences
	\item Many features of the protocol are not widely used and therefore probably not well tested
	\item Many handsets vendor specific OTA and SIM support features not subject to outside review
\end{itemize}
\end{frame}

\section{GSM Best Practises}

\subsection{General}

\begin{frame}{GSM Best Practices -- General}
\begin{itemize}
% We will linger on each of these points for a few minutes.
	\item{Perform authentication and start ciphering as early as possible in a transaction, on the Dm channel.}
	\item{Never send subscriber E.164 over Um.  E.164's are the easiest kind of subscriber ID to find in public records and there's no need to tell a handset its own phone number.}
\end{itemize}
\end{frame}

\subsection{TMSI's}

\begin{frame}{GSM Best Practices -- TMSIs}
\begin{itemize}
% We will linger on each of these points for a few minutes.
	\item{Never expose IMSI and TMSI in cleartext during the same transaction.  Once the IMSI/TMSI pairing is exposed, the TMSI is useless.}
	\item{Reassign TMSIs frequently.  If the user has the same TMSI for more than a few days, it is just as traceable as the IMSI.  TMSI reassignment policies are operator-dependent and vary widely.}
\end{itemize}
\end{frame}

\subsection{Frequency Hopping}

\begin{frame}{GSM Best Practices -- Hopping}
\begin{itemize}
% We will linger on each of these points for a few minutes.
	\item Use hopping for Dm channels whenever possible.  The start of a Dm transaction is never encrypted, so you use hopping to obscure it.
	\item Choose cell allocation ARFCNs with wide frequency separation, if possible given your licensed frequencies.  This makes whole-cell interception much more expensive.
	\item Use uplink and downlink DTX and power control.  This makes it more difficult to reverse-engineer hopping parameters through statistical analysis.
\end{itemize}
\end{frame}

\begin{frame}{Typical GSM Security Configurations}
\begin{itemize}
	\item Developed world -- best practices, for the most part.  These networks are about as secure as possible given the limitations of the spec.
	\item Police state -- no ciphering, often no hopping.  Many countries outlaw ciphering to make life easier for their domestic intelligence services.  Some have two networks, one for officials and one for everyone else.
	\item In Between -- ciphering traffic, but not control.
\end{itemize}
\end{frame}

\begin{frame}{``Best Practice'' Example -- Aaaaa in the US}
Aaaaa follows security procedures typical of large GSM carriers in the US \& EU.
\begin{itemize}
	\item Immediate assignment is to a hopping SDCCH
	\item Immediate authentication, then ciphering
	\item Second assignment is to encrypted, hopping TCH
	\item TMSIs are typically reassigned several times each day.
\end{itemize}
\end{frame}

\begin{frame}{``Worst Practices'' Example -- Bbbbb Mobile in the US}
Bbbbb is a US iDEN network, not GSM but with very similar L2 \& L3
protocols. These same procedures are used by GSM carriers an many parts of the
world.
\begin{itemize}
	\item Immediate assignment is to a non-hopping SDCCH.
	\item No authentication or encryption.
	\item Second assignment is to a non-hopping TCH, often on C0.
	\item TMSIs are stable for days or even weeks at a time.
\end{itemize}
\end{frame}

\section{Lawful Intercept}

\begin{frame}{Lawful Intercept}
\small{
\begin{itemize}
	\item Security flaw deliberately designed into all carrier-grade telecom systems.
	\item Required by law in most markets (US CELEA, UK RIPA, EU 17 Jan 1995 resolution).
	\item Allows intercepting party to access call traffic at the switching center.
	\item In principle, a law enforcement agency petitions a court for an order to get access to specific traffic.
	\item Lawful intercept features have been exploited by attackers to eavesdrop on high-profile individuals (Athens 2004-2005).
\end{itemize}
}
\end{frame}

\begin{frame}{With lawful intercept, why bother with Um?}
\begin{block}{Why not just get a warrant and tap the core network?}
\begin{itemize}
	\item Maybe you are operating in \emph{someone else's} country
	\item Maybe you cannot trust the telco or its employees
	\item Maybe you need tactical flexibility
	\item Maybe you just forgot all about the rule of law
% Mexico story.
\end{itemize}
\end{block}
\end{frame}



\part{Passive Interception and Handset Geolocation}

\begin{frame}{Part III -- Passive Interception and Geolocation}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}

\section{Passive Interception}

\begin{frame}{Example -- Smith-Myers}
\begin{figure}[h]
	\centering
	\includegraphics[width=85mm]{CSM88xxg.pdf}
	\caption{A typical passive intercept radio}
\end{figure}
\end{frame}

\subsection{The A5 Obsession}

\begin{frame}{The A5 Obsession}
\begin{itemize}
	\item Many discussions of passive intercept quickly devolve to A5 tutorials and not much else.
	\item In the many applications, A5 is a non-issue.
	\begin{itemize}
		\item Maybe telco doesn't use ciphering.
		\item Maybe the attacker knows $K_i$
		\item Maybe the attacker can obtain $K_C$ from the SIM
		\item Recording the encrypted data and later providing the same challenge to the phone by means of an IMSI-Catcher can also recover the $K_C$
	\end{itemize}
	\item Just decoding speech is of little practical value without the control messages.
\end{itemize}
\end{frame}

\begin{frame}{Publicized A5 Attacks}
\begin{itemize}
	\item Academic cryptoanalysis of A5/1 cipher: EC1997, FSE2000, Crypto 2003, SAC 2005, ...
	\item Commercial A5/1 crackers exist in intelligence agencies
	\item Attacks based on a code book attack, mapping from known output to secret state
	\item First community project to compute rainbow tables in 2007/2008 but never released
	\item New distributed project now working with CUDA graphics cards and FPGA's
\end{itemize}
\end{frame}

\subsection{Uplink Intercept}

\begin{frame}{Uplink Intercept is Hard}
\begin{itemize}
	\item MS uplink transmission is 10-30 dB below downlink.
	\item MS is in the ground clutter, not on a tower.
	\item Big antennas improve performance but draw attention.
	\item Uplink intercept range is usually $<$1 km, even with good equipment, unless you have a high vantage point.
	\item Uplink strongest at the edges of the BTS coverage, but then reselection and handover are problems.
\end{itemize}
\end{frame}

\begin{frame}{Good Demod Gives Flexibility}
\begin{itemize}
	\item Multi-antenna, vector-channel.
	\begin{itemize}
		\item Doubling number of antennas gives 3-6 dB improvement, expanding range 30\%-70\%.
		\item Greatly improves performance against multipath.
		\item Improves performance against CCI.
	\end{itemize}
	\item Soft demodulation.  GSM's rate-1/2 FEC means that you can lose 1/2 of the radio bursts and still recover data, \emph{as long as you know which half is lost}.
\end{itemize}
\end{frame}

\section{Geolocation}

\begin{frame}{Timing, Power and Location}
\begin{block}{Geoobservables}
\begin{itemize}
	\item A geoobservable is any physical measurement that places a constraint on the geographic location of an object.
	\item The GSM TA value is a geoobservable.  So is the TDOA of the MS and BTS signals at the interceptor. So is an AOA estimate from a DF antenna.
	\item Measurement reports of power levels from neighboring BTS units are also geoobservables, if you know their coverage areas.
	\item Given enough independent geoobservables, you can estimate the location of the MS.
\end{itemize}
\end{block}
\end{frame}

\begin{frame}{Direct Measurement of Geoobservables}
\begin{itemize}
	\item GSM midamble can be used as a marker for parameter estimation on Um. (\emph{That's why it's there.})
	\item Cross correlation with a reference training sequence can yield a TOA estimate.
	\item Cross correlation between antennas in an array can yield an AOA estimate.
	\item Frequency estimation can yield Doppler offset estimate, a useful geooservable for a moving receiver.
\end{itemize}
\end{frame}

%\begin{frame}{TOA Measurement Example}
%Need a figure.
%\end{frame}

\subsection{Power-Scanning Direction Finding (DF)}

\begin{frame}{Power-Scanning DF}
\begin{columns}
\begin{column}{5cm}
	\begin{figure}[h]
		\includegraphics[width=40mm]{rohde_schwarz-gsm_df.png}
	\end{figure}
\end{column}
\begin{column}{5cm}
	\begin{itemize}
		\item The operator waves it around watching a power meter, like something out of a wildlife program.
		\item It is a crude device, but useful at very close ranges.
	\end{itemize}
\end{column}
\end{columns}
\end{frame}

\subsection{AOA -- Angle of Arrival}

\begin{frame}{Doppler AOA Estimation}
\begin{figure}[h]
	\centering
	\includegraphics[width=70mm]{DopplerDF.jpg}
	\caption{Imagine a spinning antenna}
\end{figure}
\end{frame}

\begin{frame}{Doppler AOA Estimation}
\begin{itemize}
	\item For the spinning antenna, Doppler effect produces a frequency offset that varies with the angle relative to the target.  Estimate Doppler offsets and you can estimate the AOA.
	\item The spinning antenna can be simulated by switching rapidly among antennas in a circular array, usually 4.
	\item Accuracy is on the order of $\pm 10 \degree$, so many estimates are require to average out the errors.
\end{itemize}
\end{frame}

\begin{frame}{Doppler AOA Estimation}
\begin{figure}[h]
	\centering
	\includegraphics[width=75mm]{DatongDoppler.jpg}
	\caption{Classic Datong DF1, from datongarchive.googlepages.com}
\end{figure}
\end{frame}

\begin{frame}{MUSIC AOA Estimation}
\small{
\begin{itemize}
	\item Signal is received by a compact array of many precisely-placed elements.
	Array response is measured at many angles in a calibration procedure.
	\item AOA estimated by comparing array response to calibration data with MUSIC algorithm.
	\item Calibration is sensitive to vehicle shape and antenna array mounting location.  May require calibration specific to vehicle type.
	\item High gain from multiple antenna elements allows estimation on very weak signals.  Total processing gain of a 16-element array on a single GSM midamble is 20-23 dB.
	\item Accuracy at the Cram\'er-Rao bound, generally sub-degree, even for negative SNR.
\end{itemize}
}
\end{frame}

\begin{frame}{MUSIC AOA Estimation}
\begin{figure}[h]
	\centering
	\includegraphics[width=90mm]{DFArrays.pdf}
	\caption{\tiny{(From ``PERFORMANCE OF ROOT-MUSIC ALGORITHM USING REAL-WORLD ARRAYS'', Fabio Belloni, Andreas Richter, and Visa Koivunen.)}}
\end{figure}
\end{frame}


\begin{frame}{Typical AOA Geolocation Tool}
\begin{figure}[h]
	\centering
	\includegraphics[width=80mm]{AOAExample.pdf}
	\caption{Display from UI-DF application}
\end{figure}
\end{frame}

\subsection{SACCH Data as Geoobservables}

\begin{frame}{SACCH Data as Geoobservables}
\begin{itemize}
	\item MS reports its current TA and tx power level on every SACCH message and BTS sends commanded values on downlink.
	\item The MS-BTS distance is $c$ times $1/2$ the TA, or 553 m/sym.
	\item Knowing the true locations of interceptor and BTS you can also estimate interceptor-MS distance from MS-BTS TOA.
	\item Watch TAs from multiple BTSs during handover for more geooservables.
\end{itemize}
\end{frame}


\begin{frame}{SACCH Data as Geoobservables}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{MSGeoExample.pdf}
\end{figure}
\end{frame}

\subsection{Pitfall -- Multipath}

\begin{frame}{Geolocation Pitfall -- Multipath}
\begin{itemize}
	\item Creates false images for MUSIC systems
	\item Breaks Doppler systems entirely
	\item Adds unknown offsets to TOA estimates
	\item A serious challenge to tracking in urban areas
	\item Errors often have one-sided distributions that break classical linear estimators
	\item Can be mitigated with non-linear statistical techniques
\end{itemize}
\end{frame}

\begin{frame}{Downlink-Only Intecept}
\begin{itemize}
	\item LAPDm always echos back the first message in a transaction, which always contains an unencrypted IMSI or TMSI.
	\item Calling party E.164s and MT SMS.
	\item DTMF echoed back in downlink acks.
	\item SACCH timing and power data gives some MS location information, even in downlink.
	\item BCCH/CCCH useful for network mapping.
\end{itemize}
\end{frame}

\section{The Identity Problem}

\begin{frame}{The Identity Problem}
\begin{itemize}
	\item Intercept is useless if you cannot identify the parties.
	\item 3 IDs that matter:
	\begin{description}[E.164]
		\item[IMSI] most stable on Um
		\item[TMSI] most likely to see on Um
		\item[E.164] in public records, but rarely on Um
	\end{description}
	\item Knowing a target's \emph{friend's} E.164 is actually more useful, since \emph{that} might appear in the downlink.
\end{itemize}
\end{frame}

\begin{frame}{Getting IMSI/TMSI from E.164}
\begin{itemize}
	\item ``Silent paging''
	\begin{enumerate}
		\item Call E.164 and hang up before alerting starts.
		\item Watch PCH for paging activity.
		\item Repeat 1, 2 and watch for correlated IMSI or TMSI.
	\end{enumerate}
	\item ``Silent SMS'' -- Send type 0 SMS TPDU and watch downlink activity.
	\item Wait for an MT call from a known associate's E.164 and unwind the transaction from a log.
\end{itemize}
\end{frame}

\section{Passive Intercept Systems}

\subsection{Small Scale}

\begin{frame}{Small Scale Systems}
\begin{itemize}
	\item For intercepting a single target.
	\item Ideally, at least two receivers:
	\begin{enumerate}
		\item One to always watch the beacon.
		\item One to follow the target, hopping if needed.
	\end{enumerate}
	\item Portable, usually in a vehicle.
	\item Interactive GUI, usually on a laptop.
\end{itemize}
\end{frame}

\begin{frame}{Forcing Traffic}
\begin{itemize}
	\item Q: How do you intercept a multi-ARFCN BTS on a single-ARFCN interceptor?
	\item A: If there's a non-hopping C0, DOS the other ARFCNs.
	\begin{itemize}
		\item Get a pile of cheap phones and place calls until you occupy all of the channels you can't intercept.  (Be sure to use prepaid SIMs!)
		\item Use narrowband jamming to block ARFCNs you can't intercept.
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Large Scale}

\begin{frame}{Large Scale Systems}
\begin{itemize}
	\item Intercepting many cells at once.
	\item Single wide-band radio intercepts whole carrier spectrum.
	\item Many software receivers running in parallel.
	\item Spews data.  Output bandwidth is the sum of the backhauls.
	\item Fixed installation or dedicated vehicle.
	\item GUI is mostly through database tools.
\end{itemize}
\end{frame}

\subsection{Intercept Data Organization}

\begin{frame}{Organizing Intercept Data}
\begin{itemize}
	\item Intercept system vs.\ test tool.  Different applications and goals.  Legal distinction of ``primary purpose''.
	\item Wireshark vs.\ databases.  Wireshark is a great diagnostic tool, but serious interceptors uses SQL.
	\item Live audio vs.\ traffic ``corpus''.  Log \emph{every} vocoder frame with the time, frame number and BTS identity.
	\item Good interceptors never discard data.  Field work is dangerous and expensive.  Squeeze every bit and never throw anything away.
\end{itemize}
\end{frame}

\begin{frame}{Intercept Data Mining}
\begin{itemize}
	\item Save every message, even if you can't decode it.
	\item Merge databases from multiple collectors and missions.
	\item Map social networks from control channel data.
	\item Identify talkers by tracing call establishment.
	\item Reconstruct user movements by merging databases and searching location updating operations.
\end{itemize}
\end{frame}


\part{IMSI-Catchers}

\begin{frame}{Part IV -- IMSI-Catchers}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}

\section {The False BTS}

\subsection{Basics}

\begin{frame}{False BTS Basis \#1}
\begin{block}{Problem}
The handset does not authenticate the network.
\end{block}
\begin{itemize}
	\item Any device that can generate the network-side Um interface can be used to spoof a cellular carrier.
	\item All you need to do is terminate L3 locally and run a partial simulation of the carrier's core network.
	\item Once you overcome the technical hurdle of generating Um, the rest is depressingly easy.
\end{itemize}
\end{frame}

\begin{frame}{False BTS Basis \#2}
\begin{block}{Problem}
Ciphering is optional.
\end{block}
\begin{itemize}
	\item If ciphering were mandatory, it would allow the handset a means of authenticating the network Oh well...
\end{itemize}
\end{frame}

\subsection{History}

\begin{frame}{False BTS IP History}
\begin{itemize}
	\item Patents are public records:
	\begin{itemize}
		\item Early Nokia work
		\item R\&S EP 1051053 -- the first real IMSI-catcher patent
	\end{itemize}
	\item Litigation produces public records:
	\begin{itemize}
		\item MMI v CellXion -- lots of discussion of IMSI-catcher history, identified several IMSI-catcher developers
		\item Martone v Burgess -- public identification of IMSI-catcher developers working for the US gov't
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Virtual Basestation}

\begin{frame}{R\&S ``Virtual Basestation''}
\begin{figure}[h]
	\centering
	\includegraphics[width=75mm]{VBTSFigure.pdf}
	\caption{From EP 1051053}
\end{figure}
\end{frame}

\begin{frame}{False BTS Design Approaches}
\begin{itemize}
	\item Early R\&S designs (GA 090) based on BTS emulators.
	\item Standard approach: mini-BTS and laptop with T1/E1 card.  Hardware similar to OpenBSC w/BS11.
	\item Abis-over-IP quickly replacing T1/E1 systems (CellXion/Datong DX series).  Hardware same as OpenBSC w/NanoBTS.
	\item All-software BTS units with tighter L3 integration starting to appear (MRT-BTS).  Software approach more similar to OpenBTS.
\end{itemize}
\end{frame}

\subsection{Examples}

\begin{frame}{False BTS Example -- Datong}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{DatongDX300.pdf}
	\caption{From Datong brochure}
\end{figure}
\end{frame}

\begin{frame}{False BTS Example -- MRT}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{MRTBTS.pdf}
	\caption{From MRT, Inc. public web pages}
\end{figure}
\end{frame}

\begin{frame}{False BTS Example -- Tecore}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{Intellijam.pdf}
	\caption{From Tecore public web pages}
\end{figure}
\end{frame}


\section{Behavior}

\subsection{Cell Selection}

\begin{frame}{Cell Selection Behavior}
\begin{itemize}
	\item ``Capture'' technique based on handset's BTS selection rules, GSM 03.22 4 and GSM 04.08 4.2.
	\item Use the same MCC/MNC/NCC as the local GSM carrier.
	\item Choose an ARFCN from the serving cell's neighbor list.
	\item Ramp up power gradually to avoid congestion.
	\item Can also use CRO to increase effective power advantage.
\end{itemize}
\end{frame}

\begin{frame}{Mobility Behavior}
\begin{itemize}
	\item Based on rules of GSM 04.08 4.
	\item When the handset enters a new ``location area'' it will attempt to register.
	\item So the IMSI-catcher advertises LAC different from any of the other cells in the area.
	\item Set timer T3212 for registrations on 6-minute intervals or change LAC to induce registration, like a broadcast ping to all camped handsets.
\end{itemize}
\end{frame}

\subsection{Location Update}

\begin{frame}{Key Transaction -- Location Update}
\begin{figure}[h]
	\centering
	\includegraphics[width=70mm]{LadderLU.pdf}
\end{figure}
\end{frame}


\begin{frame}{Location Update Options}
\begin{itemize}
	\item Location update request includes IMSI or TMSI of MS, plus MCC/MNC/LAC of previous serving cell.
	\item Authentication and ciphering are optional, so don't use them.
	\item Can request IMSI, TMSI or IMEI during update operation.
	\item Can assign a new TMSI.
	\item Can accept or refuse location update attempt \emph{based on inspection of ID}.
\end{itemize}
\end{frame}

\subsection{Location Update Accept/Reject Tricks}

\begin{frame}{Accept/Reject Tricks}
\begin{itemize}
	\item If IMSI-catcher accepts registration, the handset remains camped to IMSI-catcher and ignores real network. DOS.
	\item Reject cause codes matter:
	\begin{description}[not roaming in LA]
		\item[illegal MS] locks handset until SIM is removed.
		\item[no roaming in LA] denies service \emph{in any cell with the same LAC} until next time phone power-cycles.
		\item[IMSI not in VLR] kicks the phone back to the carrier with little or no disruption.
	\end{description}
\end{itemize}
\end{frame}

\begin{frame}{More Accept/Reject Tricks}
\begin{itemize}
	\item Send an ``MM Information'' message.
	\begin{itemize}
		\item Set network name on the display.
		\item Set the handset clock. (May allow smartphones to accept expired security certs, BTW.)
	\end{itemize}
	\item Query the handset GPS receiver.  (More on that later.)
\end{itemize}
\end{frame}

\section{Demonstrations}

\begin{frame}{Location Updating Demos}
\begin{itemize}
	\item Query and reject.
	\item Accept and DOS.
	\item Reject and lock.
\end{itemize}
\end{frame}

\subsection{Man-in-the-Middle}

\begin{frame}{Boy-In-the-Middle}
\begin{itemize}
	\item Accept target handset registrations.
	\item Allow MO call attempts, using A5/0.
	\item Connect call with wireline phone or another GSM handset, as in EP1051053 figure.
	\item Suppress CLID in the PSTN.
	\item Collect both sides of the conversation.
\end{itemize}
% Demo
\end{frame}

\begin{frame}{Man-In-the-Middle}
\begin{itemize}
	\item Accept target handset registrations.
	\item Allow MO call attempts, using A5/0.
	\item Connect call with VoIP carrier or ISDN.
	\item \emph{Spoof} CLID in the PSTN.
	\item Collect both sides of the conversation.
\end{itemize}
% Demo
\end{frame}

\subsection{Covert Call}

\begin{frame}{Covert Call -- Technique}
\begin{itemize}
	\item Starts like a normal MT call setup, but user is never alerted.
	\item Connection in RR and MM, but no CC/Q.931 steps.
	\item Phone goes to an active TCH and transmits an idle pattern.
	\item Phone is assigned a known training sequence, unique on its ARFCN, to make tracking easier.
	\item BTS controls power and channel release, tracks timing advance for distance estimate.
\end{itemize}
\end{frame}

\begin{frame}{Covert Call -- Applications}
\begin{itemize}
	\item Battery drain, by pushing tx power to maximum.
	\item Handset tracking via geoobservables.
	\begin{itemize}
		\item Timing advance and measurement reports.
		\item Midamble and idle pattern as markers for TOA \& AOA estimation.
	\end{itemize}
\end{itemize}
\end{frame}


\begin{frame}{IMSI-Catcher with Integrated Geolocation}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{BTSGEO.pdf}
	\caption{From MRT, Inc. public web pages}
\end{figure}
\end{frame}

\section{Beyond Voice Intercept}

\subsection{MT-SMS Attacks}

\begin{frame}{MT-SMS}
\begin{figure}[h]
	\centering
	\includegraphics[width=100mm]{MTSMS.pdf}
\end{figure}
\end{frame}

\begin{frame}{MT-SMS Attacks}
Source spoofing
\begin{itemize}
	\item A false BTS can control any header field, L3-L5, including the originating addresses (user \& SMSC) and timestamps
	\item Source address spoofing eliminates another security mechanism that a carrier or SIM application might use
	\item Plenty of other SMS attacks, especially for smartphones, do not require a false basesation. See ``Attcking SMS'' talk later this week
\end{itemize}
\end{frame}

\begin{frame}{MT-SMS Attacks -- TL-PID Types}
As described in GSM 03.40 Section 9.2.3.9
\begin{description}[Types 1-7]
	\item[Type 0] like a ping for SMS. Acked, then discarded silently.
	\item[Types 1-7] \emph{replace} previously stored SMS from this OA.
	\item[Type 31] Page.  Informs user to return call to OA.
	\item[Type 61] ME Data download.  Vendor-specific data, including OTA.
	\item[Type 62] ``Depersonalization'', GSM 02.22 9, requires SIM keys.
	\item[Type 63] SIM Data download.  Carries an ENVELOPE for a SIM Toolkit application.  Security is application-specific.
\end{description}
\end{frame}

\begin{frame}{MT-SMS Demos}
\end{frame}

\begin{frame}{MO-SMS}
\begin{figure}[h]
	\centering
	\includegraphics[width=80mm]{MOSMS.pdf}
\end{figure}
\end{frame}

\begin{frame}{MO-SMS Intercept}
\begin{itemize}
	\item Accept CP-DATA from MS with RP-DATA / TP-DATA payload.
	\item Respond with CP-ACK success.
	\item Send CP-DATA with RP-ACK payload reporting a success or a network failure.
	\item Get CP-ACK success from handset.
	\item Release channel.
\end{itemize}
\end{frame}

\subsection{Unstructured Supplementary Service Data (USSD)}

\begin{frame}{USSD}
\begin{itemize}
	\item Unstructured Supplementary Service Data, GSM 02.90.
	\item Similar to SMS, but session-oriented and faster.
	\item Used for interacting with core network applications \& ``value-added services'':
	\begin{itemize}
		\item Calling feature access and configuration.
		\item Payment systems and banking.
	\end{itemize}
	\item Can also be used as WAP transport.
\end{itemize}
\end{frame}

\begin{frame}{USSD}
\begin{figure}[h]
	\centering
	\includegraphics[width=80mm]{USSDGateway.pdf}
\end{figure}
\end{frame}

\subsection{Radio Resource Location Protocol (RRLP)}

\begin{frame}{RRLP}{Radio Resource Location Protocol}
\begin{itemize}
	\item Radio Resource Location Protocol, GSM 04.31
	\item Protocol for accessing GPS receiver in a handset.
	\item Required for emergency call support in some markets.
	\item Can be queried whenever there is an active Dm channel.  Handset can be paged just to do RRLP. No notification to the user.
	\item All privacy controls are on the network side, so if someone spoofs the network the subscriber has no privacy.
\end{itemize}
\end{frame}

\begin{frame}{Some GPS Background}
\begin{itemize}
	\item GPS signal has 1.024 MHz bandwidth, transmitted synchronously from a fleet of MEO SVs.
	\item Positioning based on TOA measurements, but you need exact SV positions, clock deviations and atmospheric data to do the calculation.
	\item That information is modulated onto the GPS signal in the \emph{ephemeris} and \emph{almanac} messages.
	\item However, it is possible to measure TOA even if a signal is 20~dB too weak to allow demodulation.
\end{itemize}
\end{frame}


\begin{frame}{RRLP}
\begin{itemize}
	\item Most RRLP attempts require GPS assistance information (almanac and ephemeris) because MS GPS antennas are tiny and the MS is usually poorly placed.
	\item Some experiments with non-assisted RRLP:
	\begin{itemize}
		\item OpenBSC @ HAR 2009, Netherlands, 1\% success
		\item OpenBTS @ Burning Man 2009, US, 0.1\% success
	\end{itemize}
	\item \emph{BUT} in both tests $>90$\% of handsets \emph{did} support the protocol and most failures were due to lack of assistance data.  (Obviously, we need to try this again...)
\end{itemize}
\end{frame}

\begin{frame}{RRLP results at HAR 2009}
\begin{figure}[h]
	\centering
	\includegraphics[width=80mm]{HARRRLP.jpg}
\end{figure}
\end{frame}



\part{Part V -- Jammers}

\begin{frame}{Part V -- Jammers}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}

\section{Jammers}

\begin{frame}{Jammers}
\begin{itemize}
	\item Radio interface DoS attack.
	\item Useful to disrupt local communication or to disable remote-contol weapons.
	\item Useful for forcing traffic though vulnerable points.
	\begin{itemize}
		\item Jam UMTS to force handsets to GSM.
		\item Jam specific BTS units to control handovers or force traffic to compromised sites.
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Downlink Jammers}

\begin{frame}{Downlink Jammers}
\begin{itemize}
	\item Downlink jamming overpowers the BTS signal at the handset.
	GMSK is a robust modulation, so you must really overpower, not just interfere.
	\item Downlink power levels are typically -70 to -100~dBm for normal service so you need at least -70 dBm to jam reliably.
	\item A 20 W vehicle-mounted wideband jammer has a reliable range of 100-200~m in an urban area.
	\item Most jammers are wideband, but single-ARFCN jamming of C0 affords much greater range at the same power levels.
\end{itemize}
\end{frame}

\begin{frame}{Example Jammer}
\begin{figure}[h]
	\centering
	\includegraphics[width=50mm]{Jammer.pdf}
	\caption{\tiny{Typical generic quadband downlink jammer, probably about 10~W/band, probably made in China, probably jams a lot more than GSM.}}
\end{figure}
\end{frame}

\subsection{Uplink Jammers}

\begin{frame}{Uplink Jammers}
\begin{itemize}
	\item Uplink jamming overpowers the handset signal at the BTS.
	\item Narrowband jamming does not require much more power than a standard handset, just 2~W to jam from the edge of a cell.
	\item Jamming the C0 makes the RACH/AGCH unusable. Also disrupts Dm channels on many BTS configurations.
	\item Jams the entire serving cell.  Most in-progress calls are unaffected, but no new calls can be established.
\end{itemize}
\end{frame}

\subsection{RACH Flood DoS}

\begin{frame}{RACH Flood DoS}
\begin{itemize}
	\item A more sophisticated uplink jamming attack.
	\item Mimics RACH bursts from a normal handset, but more rapidly, inducing resource exhaustion in the network.
	\item Requires very little power.  Peak power up to 1 W but low duty cycle.
	\item See Dieter Spaar ``A Practical DOS Attack to the GSM Network'' later this week.
\end{itemize}
\end{frame}


\part{Countermeasures}

\begin{frame}{Part VI -- Countermeasures}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}


\section{Countermeasures}

\subsection{Against IMSI Catchers -- On the network side}

\begin{frame}{Operating Signature of an IMSI-Catcher}
The network operator will see:
\begin{itemize}
	\item Non-existent or distant LACs and invalid TMSIs in the location updates of handsets returning to the real network.
	\item Waves of heavy registration activity, especially if the IMSI-catcher is mobile or the operator is sloppy with power control.
\end{itemize}
With proper software in the BSC, a carrier might detect these symptoms automatically.
\end{frame}

\begin{frame}{IMSI-Catcher Counter-counter-measures}
\small{
To minimize the signature, the IMSI-catcher operator can:
\begin{itemize}
	\item Ramp power up and down slowly at the start and end of a operating session.  
	\begin{itemize}
		\item Slow ramp-up prevents congestion in the IMSI-catcher.
		\item Slow ramp-down prevents congestion in the carrier network.
	\end{itemize}
	\item Accept all handsets and save reported TMSIs as the phones are captured.
	\item Set LAC to match local network prior to shutdown; reassign original TMSIs in last wave of location updates.
\end{itemize}
Moving handsets still produce a signature, but a much more subtle one and none of these techniques can hide a mobile IMSI-catcher.
}
\end{frame}

\subsection{Against IMSI Catchers -- On the handset side}

\begin{frame}{Operating Signature of an IMSI-Catcher}
On most handsets, the user might notice:
\begin{itemize}
	\item Short battery life
	\item Encryption disabled on MO calls
	\item Failed MO attempts (if there's no man-in-the-middle support)
	\item Lack of MT calls
	\item Frequent visits to the AGCH
\end{itemize}
...and by the time you notice any of these it is probably too late.
\end{frame}

\begin{frame}{Operating Signature of an IMSI-Catcher}
On a field test handset, the user will see:
\begin{itemize}
	\item Frequent LAC change, even if you are stationary.
	\item Active traffic channel with no active call.
\end{itemize}
It may not be hard to write a smartphone application to detect these conditions.
\end{frame}

\begin{frame}{IMSI-Catcher Counter-measures}
\begin{itemize}
	\item Turn off your handset if you are not using it.
	\item Have people call you back, with their caller ID blocked.
	\item Use a field test handset and pay attention.
	\item Change SIMs frequently.
	\item Avoid handsets known to have TMSI retention bugs.
\end{itemize}
\end{frame}

\subsection{Countermeasures against A5/1 cracking}

\begin{frame}{Countermeasures against A5/1 cracking}
\begin{itemize}
	\item Rolling change-over to A5/3 even in GSM networks
	\begin{itemize}
		\item All modern 3G phones indicate A5/3 availability even on GSM
		\item So far, no networks known that use it
	\end{itemize}
	\item Re-keying intervals as short as possible
	\begin{itemize}
		\item Ensures one cracked session key will not last for long
	\end{itemize}
\end{itemize}
\end{frame}

\section{End-to-End Security}

\begin{frame}{\emph{True} Secure GSM}
\begin{itemize}
	\item Application-layer encryption over CSD.
	\begin{itemize}
		\item Uses normal Q.931-style call control for a point-to-point raw link, then runs encrypted vocoder frames over the link.
		\item Can call other like phones or a gateway service.
	\end{itemize}
	\item Application layer encryption with VoIP over GPRS.  Lie to the VoIP network about the media type and avoid transcoding.
\end{itemize}
\end{frame}

\begin{frame}{Example Secure GSM Handset}
\begin{figure}[h]
	\centering
	\includegraphics[width=90mm]{CryptoPhone.pdf}
	\caption{From GMSK website}
\end{figure}
\end{frame}

\section{The ultimate countermeasure}

\begin{frame}{An Open Source MS-side GSM stack}{And how this would help us with many of our problems}
\begin{itemize}
	\item Enables user to deactivate unwanted features
	\begin{itemize}
		\item No support for RRLP, SIM Toolkit, Network-initiated MO call or other abominations
		\item Do not answer arbitrary IMEI or IMSI inquiries without user approval
	\end{itemize}
	\item Enables us to implement important features
	\begin{itemize}
		\item Make silent SMS non-silent
		\item Reliable indication when phone is transmitting or not (silent call)
		\item Reliable indication if and which GSM and GPRS encryption is used
		\item IMSI-Catcher detection based on statistical analysis
		\item Defend against TOA/TDOA based geolocation by artificial TA increase/decrease
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{An Open Source MS-side GSM stack}
\begin{itemize}
	\item Unfortunately, the stack alone is not sufficient
	\begin{itemize}
		\item The stack needs to run on a baseband processor
		\item The baseband processor needs to run in an actual phone
		\item Cooperation from the industry unlikely, thus problem of deploying this stack much harder than it should be
	\end{itemize}
	\item Even the stack itself is a fair amount of work
	\begin{itemize}
		\item However, who would have thought of OpenBTS and OpenBSC coming along so quickly?
		\item It clearly can be done, even with very few dedicated people
	\end{itemize}
	\item Don't you too want a phone that you {\em own}, not the manufacturer or operator?
\end{itemize}
\end{frame}

\section{Summary}

\subsection{What we've learned}

\begin{frame}{Summary}{What we've learned}
\begin{itemize}
	\item The GSM industry is making security analysis very difficult
	\item It is well-known that the security level of the GSM stacks is very low
	\item We now have multiple solutions for sending arbitrary protocol data
	\begin{itemize}
		\item From a rogue network to phones (OpenBSC, OpenBTS)
		\item From an A-bis proxy to the network or the phones
	\end{itemize}
	\item There is ongoing work for an accessible phone-side GSM L1/L2/L3 implementation
\end{itemize}
\end{frame}

\subsection{Where we go from here}

\begin{frame}{TODO}{Where we go from here}
\begin{itemize}
	\item The basic protocol-level tools for security analysis of the GSM protocols exist
	\item It is up to the security community to make use of those tools (!)
	\item Don't you agree that TCP/IP security is boring?
	\item Join the GSM protocol security research projects today
	\item Boldly go where no man has gone before
\end{itemize}
\end{frame}

\subsection{Where we go from here}

\begin{frame}{Future plans}
\begin{itemize}
	\item Packet data (GPRS/EDGE) support in OpenBSC
	\begin{itemize}
		\item GPRS is used extensively on modern smartphones
		\item Enables us to play with those phones without a heavily filtered operator network
	\end{itemize}
	\item UMTS(3G) support in OpenBSC
	\item CSD support in OpenBTS
	\item Access to MS side layer 1
	\item Higher-level attacks based on existing lowe layers
	\begin{itemize}
		\item Playing with SIM Toolkit from the operator side
		\item Playing with MMS
		\item More exploration of RRLP
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Further Reading}

\begin{frame}{Further Reading}
\tiny{
\begin{itemize}
	\item Open source Software on a GSM protocol level
	\begin{description}[OpenBSC]
		\item[OpenBSC] \url{http://openbsc.gnumonks.org/}
		\item[OpenBTS] \url{htto://openbts.sourceforge.net/}
		\item[airprobe] \url{http://airprobe.org/}
	\end{description}
	\item References to GSM protocol documentation
	\begin{description}[Joachim G"oller]
		\item[Joachim G"oller] \url{http://www.informatik.hu-berlin.de/~goeller/}
		\item[nobbi] \url{http://www.nobbi.com/}
		\item[THC wiki] \url{http://wiki.thc.org/gsm}
	\end{description}
	\item A5 security related publications
	\begin{description}[]
		\item[A5 public] \url{http://groups.google.com/group/uk.telecom/msg/ba76615fef32ba32}
		\item[Biham2003] \url{http://cryptome.org/gsm-crack-bbk.pdf}
		\item[Biham2006] \url{http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf}
		\item[HAR2009] \url{https://har2009.org/program/attachments/119_GSM.A51.Cracking.Nohl.pdf}
		\item[rainbow tables] \url{http://reflextor.com/trac/a51/wiki}
	\end{description}
\end{itemize}
}
\end{frame}

\end{document}
personal git repositories of Harald Welte. Your mileage may vary