path: root/2009/gsm_workshop-deepsec2009/reference_materials/index.html
<html>

<head>
	<title>Public Sources</title>
</head>



<body>


<center>
<h1>Public Sources for the Um Security Workshop</h1>
<hr>
</center>

<p>
<h2>Introduction</h2>
This is a catalog of public sources used as supporting references in the DeepSec 2009 workshop on GSM Air Interface security.
Some people will assert that these materials form some kind of trade secret, but the presence of this material on the public internet shows us that they are clearly dead wrong.
Make your own downloads now, though, before these links go stale; some of them changed within the last six weeks.

<p>
<h2>IMSI-Catchers</h2>
<h3>Theory</h3>
<ul>
<li><a href="http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/seminare/itsss07/imsi_catcher.pdf">Daehyun Strobel paper</a>, a good academic presentation of the theory of IMSI-catcher operation.
<li><a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf">Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication</a>.  Describes attacks on A5/1 and A5/2 and IMSI-catcher attacks that can reproduce compromised or previously used Kc, and gives a good description of general IMSI-catcher operation.
</ul>
<h3>Products</h3>
<ul>
<li><a href="./DatongDX300.pdf">Datong DX 300</a>, probably based on an IP-Access nano-BTS.
<li><a href="http://www.viewsystems.com/pdf/CIA_11_20_06.pdf">C.I.A</a>.  This looks like the Datong DX 300, resold under another name.
<li><a href="http://www.secintel.com/pc-982-26-intelligent-jamming-system.aspx">IJS 6000</a>, an "intelligent jammer" for the prison market.
<li><a href="http://www.tecore.com/solutions/intellinac.cfm">Tecore iNAC</a>, another intelligent jammer.
<li><a href="./TEC_INTELLIJAM.pdf">Tecore Intellijam</a>, an earlier Tecore product.
<li><a href="http://www.martoneradiotech.com/btsgeo.htm">MRT BTS-Geo</a>.  This speaks for itself.
</ul>
<h3>Legal Documents</h3>
<h4>Intellectual Property Disputes</h4>
Lawsuits are interesting because they force the exposure of information.  The plaintiffs in such cases often argue for sealed records, but the courts and the defendants may be of a different mind.
<ul>
<li><a href="./mmivcellxion_judgment_11march2009.pdf">MMI v. Cellxion in the UK High Court</a>.  This gives a good summary of IMSI-catcher theory and exposes some of the connections among companies in this market.
</ul>
<h4>Other Legal Documents</h4>
<ul>
<li><a href="./EP1051053.pdf">EP 1051053</a>, the original Rohde-Schwarz IMSI-catcher patent.
<li><a href="./07010223.pdf">WO 2007/010223</a>, patent on an IMSI-catcher for multiple BTS and NodeB.
<li><a href="./09047477.pdf">WO 2009/047477</a>, patent on downgrading a 3G phone to 2G for IMSI-catcher purposes.
<li><a href="./07088344.pdf">WO 2007/088344</a>, patent on acquiring IMSI/IMEI in a 3G network.
<li><a href="./07010220.pdf">WO 2007/010220</a>, patent on the silent call for locating a MS.
<li><a href="./TecoreTestLicense.pdf">An FCC announcement of Tecore's test of a selective jammer</a>.
</ul>

<p>
<h2>Passive Interceptors</h2>
There is less public advertising of interceptors than of IMSI-catchers.
<ul>
<li><a href="http://www.smithmyers.com/documents/csm88xxg.pdf">Smith-Myers CSM88xxG series</a>.
<li><a href="http://www.global-security-solutions.com/PGFDigitalCellularIntercepter.htm">Some random passive interceptor</a>.  It's not clear who made this, but there are many like it in the market.  Note the comments on "Encyption Modes".
</ul>

<p>
<h2>DF/Geolocation</h2>
<ul>
<li><a href="http://www.eecs.berkeley.edu/~nikhils/seminar/formulation.pdf">Berkeley student seminar</a> on using MUSIC and antenna arrays for AOA estimation.
<li><a href="http://andyric.de/papers/BelloniRichterKoivunenEUSIPCO2006.pdf">A detailed performance analysis</a> of different array types and parameter selections for MUSIC-based AOA estimation.
<li><a href="http://www.martoneradiotech.com/artemis.htm">MRT Artemis</a>.  A particularly good unit for urban operations.
</ul>

<p>
<h2>STK/Applet Attacks</h2>
<ul>
<li><a href="http://eprint.iacr.org/2004/158.pdf">Mobile Terminal Security</a>.  Describes GSM Java security mechanisms and a trojan horse applet for obtaining SIM PINs.
<li><a href="http://www.riscure.com/contact/article-on-sim-attack-scenario.html">SIM Attack Scenario</a>, a less technical description of a Trojan horse for SIM PINs.
</ul>

<p>
<h2>Secure Handsets</h2>
<ul>
<li><a href="http://www.tripleton.com/products/secure-phones/secure-mobile-phone.htm">Tripleton "Enigma"</a>.
<li><a href="http://www.cryptophone.de/">GSMK Cryptophone</a>.
</ul>

<p>
<h2>Core Network Attacks</h2>
<ul>
<li><a href="http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005">Greek case of illegal telephone tapping by exploiting lawful interception features in the core network</a>
<li><a href="http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile-phones.pdf">Locating Mobile Phones using SS7</a>
</ul>


</body>

</html>
personal git repositories of Harald Welte. Your mileage may vary