i Security in GSM Network – All things in moderation

Security in GSM Network

1. The concepts:

  • International Mobile Station Equipment Identity (IMEI): distinctively identifies a mobile station internationally. It uniquely characterizes a mobile station and gives clues about the manufacturer and the date of manufacturing.

    • TAC: issued by the BABT (code 35) with the allocation number 2099.
    • FAC: indicating the phone was made during the transition period when FACs were being removed.
    • SNR: uniquely identifying a unit of this model.
    • CD: 1 so it is a GSM Phase 2 or higher.
  • International Mobile Subscriber Identity (IMSI):  is a number that uniquely identifies every user of a cellular network and stored in their Subscriber Identity Module (SIM).

    • MCC: It is short for mobile country code and is composed of three digits.
    • MNC: It is short for mobile network code and is composed of two digits.
    • MSIN: It is short for mobile subscriber identification number and is a unique identification for an MS in a PLMN..
  • Mobile Subscriber ISDN Number (MSISDN) – Phone Number: The authentic telephone number of a mobile station.

    • CC: Country Code.
    • NDC: National Destination Code, identifies one or part of a PLMN.
    • SN: Subscriber Number.
  • Location Area Identity (LAI): Each location area of a public land mobile network (PLMN) has its own unique identifier which is known as its location area identity.
  • Cell Identifier (CI): Using a Cell Identifier (CI) (maximum 2 × 8) bits, the individual cells that are within an LA can be recognized.
  • Temporary Mobile Subscriber Identity (TMSI): is the identity that is most commonly sent between the mobile and the network. TMSI is randomly assigned by the VLR to every mobile in the area, the moment it is switched on. The network can also change the TMSI of the mobile at any time. And it normally does so, in order to avoid the subscriber from being identified, and tracked by eavesdroppers on the radio interface.

2. GSM Security and Encrption Process:

2.1. Mobile Station Authentication:

  • The GSM network authenticates the identity of the subscriber through the use of a challenge-response mechanism. A 128-bit Random Number (RAND) is sent to the MS.

  • The MS computes the 32-bit Signed Response (SRES) based on the encryption of the RAND with the authentication algorithm (A3) using the individual subscriber authentication key (Ki).

  • Upon receiving the SRES from the subscriber, the GSM network repeats the calculation to verify the identity of the subscriber.

  • The individual subscriber authentication key (Ki) is never transmitted over the radio channel, as it is present in the subscriber’s SIM, as well as the AUC, HLR, and VLR databases. If the received SRES agrees with the calculated value, the MS has been successfully authenticated and may continue. If the values do not match, the connection is terminated and an authentication failure is indicated to the MS.

The calculation of the signed response is processed within the SIM. It provides enhanced security, as confidential subscriber information such as the IMSI or the individual subscriber authentication key (Ki) is never released from the SIM during the authentication process.

2.2. Signalling and Data Confidentiality:

  • The SIM contains the ciphering key generating algorithm (A8) that is used to produce the 64-bit ciphering key (Kc). This key is computed by applying the same random number (RAND) used in the authentication process to ciphering key generating algorithm (A8) with the individual subscriber authentication key (Ki).

  • GSM provides an additional level of security by having a way to change the ciphering key, making the system more resistant to eavesdropping. The ciphering key may be changed at regular intervals as required. As in case of the authentication process, the computation of the ciphering key (Kc) takes place internally within the SIM. Therefore, sensitive information such as the individual subscriber authentication key (Ki) is never revealed by the SIM.

  • Encrypted voice and data communications between the MS and the network is accomplished by using the ciphering algorithm A5. Encrypted communication is initiated by a ciphering mode request command from the GSM network. Upon receipt of this command, the mobile station begins encryption and decryption of data using the ciphering algorithm (A5) and the ciphering key (Kc).

2.3. Subscriber Identity Confidentiality:

To ensure subscriber identity confidentiality, the Temporary Mobile Subscriber Identity (TMSI) is used. Once the authentication and encryption procedures are done, the TMSI is sent to the mobile station. After the receipt, the mobile station responds. The TMSI is valid in the location area in which it was issued. For communications outside the location area, the Location Area Identification (LAI) is necessary in addition to the TMSI.

3. GSM sniffing script with Airprobe:

3.1. Prepare:

  • Install Airprobe:
$ git clone git://git.gnumonks.org/airprobe.git
$ cd airprobe/gsmdecode
$ ./bootstrap
$ ./configure
$ make
  • Fix ” No package ‘gnuradio-core’ found” error when installing Airprobe:
$ git clone https://github.com/scateu/airprobe-3.7-hackrf-patch
$ cd ../airprobe
$ path -p1 < ~/airprobe-3.7-hackrf-patch/zmiana.patch
$ cd /gsmdecode
$ ./bootstrap
  • Fix ” TypeError: in method ‘source_sptr_set_gain_mode’, argument 2 of type ‘bool‘ “: The workaround is to manually set the Gain Mode to True and False.
  • RTL-SDR (hardware) and driver.

3.2. Capture data with RTL-SDR, decode it with airprobe:

In termial:

$ cd ./airprobe/gsm-receiver/src/python
$ python ./gsm_receive_rtl.py -s 1e6 -f 944000000

Start Wireshark, open listen to loopback interface.


Leave a Reply