Showing posts with label GSM. Show all posts

Tuesday 31 August 2010

EDGE evolution to REDHOT


EDGE is more than three times as efficient as GSM/GPRS in handling packet-switched data. Using EDGE, operators can support 3x more subscribers than GPRS, either by increasing the data rate per subscriber to 300 kbps, according to network & device capabilities, or adding voice capacity. EDGE uses the same TDMA frame structure, logic channel and 200 kHz carrier as GSM; existing cell plans remain intact. No change is needed in the core network. Neither new spectrum nor a new operating licence is needed. EDGE is a mature, mainstream global technology which allows operators to compete, to protect investments/assets, and stimulate growth of mobile multimedia services. Upgrading to EDGE is a natural step for operators to offer high performance mobile data services over GSM.

The performance of EDGE has improved steadily since its introduction in the market in 2003, and today offers users the possibility of data speeds up to 250 kbps, with a latency of less than 150 ms. This is sufficient for any current data service to be attractive to customers. According to GSA’s latest EDGE Fact Sheet (August 19, 2010 and available as a free download from www.gsacom.com) over 80% of GSM/GPRS operators globally have committed to deploying EDGE in their networks. 531 GSM/EDGE networks are in commercial service in 196 countries, and thousands of EDGE-capable user devices are launched.

A key part of the evolution is the opportunity to deploy more than a single RF carrier. Downlink Dual Carrier (DLDC) is the first step in evolving EDGE, doubling data rates to 592 kbps on existing EDGE-capable networks.

Downlink speed quadrupled: up to 1.2 Mbps per user initially (the standard enables up to 1.9 Mbps per user)
• Dual Carrier first phase implementation 10 timeslots per user; standard enables up to 16 timeslots per user
• EGPRS-2 DL (REDHOT) level B maximum 118.4 kbps per timeslot

Uplink speed up to 474 kbps per user (the standard enables up to 947 kbps per user)
• EGPRS-2 UL (HUGE) level B with maximum 118.4 kbps per timeslot
• Peak implementation today 4 timeslots per user (standard enables up to 8 timeslots per user)

The EGPRS-2 feature is expected in the market in 2012.

More information is available in the GSA Report 'EDGE Evolution' released on Aug 23 2010. Available to download from GSACOM here.

Tuesday 3 August 2010

Double whammy for GSM Security

Via PC World:

A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.

How does the GSM snooping work?

Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.

What happens to the calls?

Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.

But, aren't my calls encrypted?

Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."

What wireless provider networks are affected?

Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.

Does 3G protect me from this hack?

This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.

Another one from CNET:

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software -- dubbed Airprobe -- means that anyone with the right hardware can snoop on other people's calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.

Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.

"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a stranger's phone calls with very little effort."

An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.

Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.

To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.

More information about the tool and the privacy issues is on the Security Research Labs Web site.


Monday 1 March 2010

GSM-UMTS Network migration towards LTE


Another interesting white-paper from 3G Americas. The following from their press release:

A 3rd Generation Partnership Project (3GPP) specification, LTE will serve to unify the fixed and mobile broadband worlds and will open the door to new converged multimedia services. As an all-IP-based technology, LTE will drive a major network transformation as the traditional circuit-based applications and services migrate to an all-IP environment, though introducing LTE will require support and coordination between a complex ecosystem of application servers, devices/terminals and interaction with existing technologies. The report discusses functionality and steps GSM-UMTS network operators may use to effectively evolve their networks to LTE and identifies potential challenges and solutions for enabling the interaction of LTE with GSM, GPRS and UMTS networks.

“This white paper reveals solutions that facilitate a smooth migration for network operators as they deploy LTE,” stated Chris Pearson, president of 3G Americas. “3GPP has clearly defined the technology standards in Release 9 and Release 10, and this paper explores the implementation of these standards on 3GPP networks.”



A reported 130 operators around the world have written LTE into their technology roadmaps. In December 2009, TeliaSonera launched the world’s first LTE networks in Norway and Sweden and an estimated 17 operators are expected to follow in its footsteps in 2010.

“LTE is receiving widespread support and powerful endorsements from industry leaders around the world, but it is important to keep in mind that the evolution to LTE will require a multi-year effort,” Pearson said. “LTE must efficiently and seamlessly coexist with existing wireless technologies during its rise to becoming the leading next-generation wireless technology.”

Operators planning LTE deployments must consider the implications of utilizing LTE in an ecosystem comprising 2G, 3G and future “4G” wireless technologies. Therefore, operators planning an LTE deployment will need to offer multi-technology devices with networks that allow mobility and service continuity between GSM, EDGE, HSPA and LTE.


Thursday 11 February 2010

UICC and USIM in 3GPP Release 8 and Release 9


In the good old days of GSM, the SIM was a physical card carrying the GSM "application" (GSM 11.11).

In the brave new world of 3G+, the UICC is the physical card with basic logical functionality (based on 3GPP TS 31.101) and the USIM is the 3G application on a UICC (3GPP TS 31.102). The UICC can contain multiple applications, such as the SIM (for GSM), USIM and ISIM (for IMS). There is an interesting Telenor presentation on the current and future state of the UICC which may be worth the read. See references below.

UICC was originally known as "UMTS IC card". The incorporation of the ETSI UMTS activities into the more global perspective of 3GPP required a change of this name. As a result this was changed to "Universal Integrated Circuit Card". Similarly USIM (UMTS Subscriber Identity Module) changed to Universal Subscriber Identity Module.

The following is from the 3G Americas Whitepaper on Mobile Broadband:

UICC (3GPP TS 31.101) remains the trusted operator anchor in the user domain for LTE/SAE, leading to evolved applications and security on the UICC. With the completion of Rel-8 features, the UICC now plays significant roles within the network.

Some of the Rel-8 achievements from standards (ETSI, 3GPP) are in the following areas:

USIM (TS 31.102)
With Rel-8, all USIM features have been updated to support LTE and new features to better support non-3GPP access systems, mobility management, and emergency situations have been adopted.

The USIM is mandatory for the authentication and secure access to EPC even for non-3GPP access systems. 3GPP has approved some important features in the USIM to enable efficient network selection mechanisms. With the addition of CDMA2000 and HRPD access technologies into the PLMN, the USIM PLMN lists now enable roaming selection among CDMA, UMTS, and LTE access systems.

Taking advantage of its high security, USIM now stores mobility management parameters for SAE/LTE. Critical information like location information or EPS security context is to be stored in USIM rather than the device.

USIM in LTE networks is not just a matter of digital security but also physical safety. The USIM now stores the ICE (In Case of Emergency) user information, which is now standardized. This feature allows first responders (police, firefighters, and emergency medical staff) to retrieve medical information such as blood type, allergies, and emergency contacts, even if the subscriber lies unconscious.

3GPP has also approved the storage of the eCall parameters in USIM. When activated, the eCall system establishes a voice connection with the emergency services and sends critical data including time, location, and vehicle identification, to speed up response times by emergency services. ECalls can be generated manually by vehicle occupants or automatically by in-vehicle sensors.

TOOLKIT FEATURES IMPROVEMENT (TS 31.111)
New toolkit features have been added in Rel-8 for the support of NFC, M2M, OMA-DS, DM and to enhance coverage information.

The contactless interface has now been completely integrated with the UICC to enable NFC use cases where UICC applications proactively trigger contactless interfaces.

Toolkit features have been updated for terminals with limited capabilities (e.g. datacard or M2M wireless modules). These features will be notably beneficial in the M2M market where terminals often lack a screen or a keyboard.

UICC applications will now be able to trigger OMA-DM and DS sessions to enable easier device support and data synchronization operations, as well as interact in DVB networks.

Toolkit features have been enriched to help operators in their network deployments, particularly with LTE. A toolkit event has been added to inform a UICC application of a network rejection, such as a registration attempt failure. This feature will provide important information to operators about network coverage. Additionally, a UICC proactive command now allows the reporting of the signal strength measurement from an LTE base station.

CONTACT MANAGER
Rel-8 defined a multimedia phone book (3GPP TS 31.220) for the USIM based on OMA-DS and its corresponding JavaCard API (3GPP TS 31.221).

REMOTE MANAGEMENT EVOLUTION (TS 31.115 AND TS 31.116)
With IP sessions becoming prominent, an additional capability to multiplex the remote application and file management over a single CAT_TP link in a BIP session has been completed. Remote sessions to update the UICC now benefit from additional flexibility and security with the latest addition of the AES algorithm rather than a simple DES algorithm.

CONFIDENTIAL APPLICATION MANAGEMENT IN UICC FOR THIRD PARTIES
The security model in the UICC has been improved to allow the hosting of confidential (e.g. third party) applications. This enhancement was necessary to support new business models arising in the marketplace, with third party MVNOs, M-Payment and Mobile TV applications. These new features notably enable UICC memory rental, remote secure management of this memory and its content by the third party vendor, and support new business models supported by the Trusted Service Manager concept.

SECURE CHANNEL BETWEEN THE UICC AND TERMINAL
A secure channel solution has been specified that enables a trusted and secure communication between the UICC and the terminal. The secure channel is also available between two applications residing respectively on the UICC and on the terminal. The secure channel is applicable to both ISO and USB interfaces.

RELEASE 9 ENHANCEMENTS: UICC: ENABLING M2M AND FEMTOCELLS
The role of femtocell USIM is increasing in provisioning information for Home eNodeB, the 3GPP name for femtocell. USIMs inside handsets provide a simple and automatic access to femtocells based on operator and user-controlled Closed Subscriber Group list.

Work is ongoing in 3GPP for the discovery of surrounding femtocells using toolkit commands. Contrary to macro base stations deployed by network operators, a femtocell location is out of the control of the operator since a subscriber can purchase a Home eNodeB and plug it anywhere at any time. A solution based on USIM toolkit feature will allow the operator to identify the femtocells serving a given subscriber. Operators will be able to adapt their services based on the femtocells available.

The upcoming releases will develop and capitalize on the IP layer for UICC remote application management (RAM) over HTTP or HTTPS. The network can also send a push message to UICC to initiate a communication using TCP protocol.

Additional guidance is also expected from the future releases with regards to the M2M dedicated form factor for the UICC that is currently under discussion to accommodate environments with temperature or mechanical constraints surpassing those currently specified by the 3GPP standard.

Some work is also expected to complete the picture of a full IP UICC integrated in IP-enabled terminal with the migration of services over EEM/USB and the capability for the UICC to register on multicast based services (such as mobile TV).

Further Reading:

Thursday 17 September 2009

Wireless Subscribers Forecast 2014



Source: Informa Telecoms & Media, WCIS+, June 2009

Via: 3G Americas Whitepaper, HSPA to LTE-Advanced: 3GPP Broadband Evolution to IMT-Advanced (4G)

Thursday 27 August 2009

Security of Mobiles and Networks to be tested soon


Security researcher Karsten Nohl has issued a hacking challenge that could expose T-Mobile and AT&T cell phone users -- including Gphone and iPhone patrons -- to eavesdropping hacks within six months.

Nohl, a computer science Ph.D. candidate from the University of Virginia, is calling for the global community of hackers to crack the encryption used on GSM phones. He plans to compile this work into a code book that can be used to decipher encrypted conversations and data that gets transmitted to and from GSM phones.

Nohl’s motive: he wants to compel the telecoms to address a security weakness that has been known for years. He estimates it will take 80 volunteer programmers six months to crunch the data to break the GSM encryption; 160 volunteers could cut that time to six weeks.

“It looks like in a matter of months criminals world-wide will be able to intercept mobile phone conversations,” says Simon Bransfield-Garth, CEO of mobile security firm Cellcrypt. “The immediate impact is not just businesses and corporations, but potentially all of us who use mobile phones.”

The Chaos Computer Club has told the FT that in the next couple of months it will be releasing code capable of cracking GSM with just a laptop and an antenna.

In comments made to the German edition of the Financial Times, the hacking group claims that governments, and criminals, are already using the technique which can break the encryption used to protect 2G GSM calls in near-real time using existing systems. The group says a public exposure of the technique will take place in the next month or two and allow anyone equipped with a laptop and an antenna to listen in to GSM phone calls.

GSM uses a range of algorithms for key generation, authentication, and encrypting connections. This latest crack is focused on the last element which relies on a range of algorithms known as A5 and numbered from zero to three. A5/0 indicates that no encryption is used, such as in countries still under ITAR* restrictions, A5/1 is the European standard that seems to be the target of this latest breach, A5/2 is used in the USA and generally considered weaker than A5/1, while A5/3 is the strongest of the lot and mandated by the 3G GSM standard.

GSM has been cracked before, the early algorithms used were weak and kept secret (and thus not exposed to public scrutiny), a situation made worse by network operators padding the keys with zeros to reduce the cost of SIM cards. This made a weak algorithm that relied on obscurity even weaker. But since then, the standard has proved surprisingly secure, and even today specialist equipment will take half an hour to break a call, so real-time listening to GSM calls has been restricted to James-Bond types with unlimited budgets.

But the Chaos Computer Club reckons they've found a way to share those super-spy eavesdropping capabilities with anyone, which should have implications for celebrities using mobile phones, but will probably have a more immediate impact on low-level drug dealers who've long relied on the security of GSM for their business.

All encryption breaks eventually, as computing power rises, and systems like GSM are designed with a specific lifetime during which the encryption is expected to remain secure. Changing the encryption is possible, but A5 is managed by the handset rather than the SIM and network operators have to support legacy handsets for long periods even if the latest models could be equipped with better encryption.

But the rest of us will probably just hold tight until everyone is using 3G networks, at least in developed countries, where A5/3 is used and should remain secure for another decade or two.
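The A5/0 to A5/3 numbering in this post, and the missing "encryption disabled" warning Paget describes in the 3 August 2010 post, both come down to one message: the RR Ciphering Mode Command (3GPP TS 44.018), in which the network tells the phone whether to cipher and with which A5 variant. The following is an added example, not code from the quoted articles or from any tool they mention, that decodes that message and flags sessions left unencrypted or on a weak cipher. It assumes the input is the hex of the layer-3 message with the LAPDm header already stripped; the sample capture and cell labels are constructed.

```python
"""Audit GSM RR Ciphering Mode Command messages for missing or weak encryption."""
from dataclasses import dataclass
from typing import Optional

RR_PROTOCOL_DISCRIMINATOR = 0x06    # radio resource management, skip indicator 0
MSG_CIPHERING_MODE_COMMAND = 0x35   # RR message type

# 3-bit algorithm identifier -> name; only meaningful when ciphering is started.
ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}

# Ratings follow the posts above: A5/0 means no encryption, A5/1 and A5/2
# are the weak or broken ciphers, A5/3 is the strong one.
RATING = {"A5/0": "unencrypted", "A5/1": "weak", "A5/2": "weak", "A5/3": "ok"}


@dataclass(frozen=True)
class CipherMode:
    algorithm: str          # "A5/0" when the network starts no ciphering
    imeisv_requested: bool  # network asked the phone to return its IMEISV
    rating: str             # "unencrypted", "weak", "ok" or "unrated"


def parse_ciphering_mode_command(l3_hex: str) -> Optional[CipherMode]:
    """Decode one layer-3 message; return None if it is a different message."""
    raw = bytes.fromhex(l3_hex)
    if len(raw) < 2:
        raise ValueError("too short for a layer-3 header")
    if raw[0] != RR_PROTOCOL_DISCRIMINATOR or raw[1] != MSG_CIPHERING_MODE_COMMAND:
        return None
    if len(raw) < 3:
        raise ValueError("truncated Ciphering Mode Command")
    octet = raw[2]
    # Low nibble: Cipher Mode Setting (bit 1 = SC, bits 2-4 = algorithm id).
    start_ciphering = bool(octet & 0x01)
    algorithm_id = (octet >> 1) & 0x07
    # High nibble: Cipher Response (bit 5 = CR, IMEISV requested).
    imeisv_requested = bool(octet & 0x10)
    if start_ciphering:
        algorithm = ALGORITHMS.get(algorithm_id, "reserved")
    else:
        algorithm = "A5/0"   # SC = 0: the algorithm bits carry no meaning
    return CipherMode(algorithm, imeisv_requested,
                      RATING.get(algorithm, "unrated"))


def audit(capture):
    """Return (label, CipherMode) for every command that is not rated ok."""
    findings = []
    for label, l3_hex in capture:
        mode = parse_ciphering_mode_command(l3_hex)
        if mode is not None and mode.rating != "ok":
            findings.append((label, mode))
    return findings


# Constructed sample: (cell label, layer-3 message hex). Not real traffic.
SAMPLE_CAPTURE = [
    ("cell-A", "063505"),  # start ciphering with A5/3
    ("cell-B", "063511"),  # start ciphering with A5/1, IMEISV requested
    ("cell-C", "063500"),  # no ciphering at all
    ("cell-C", "060d00"),  # not a Ciphering Mode Command, ignored
]

if __name__ == "__main__":
    for label, mode in audit(SAMPLE_CAPTURE):
        print(f"{label}: {mode.algorithm} ({mode.rating})")
```

A session rated "unencrypted" is the condition for which, according to Paget, the GSM specification requires a user warning.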

Wednesday 8 July 2009

Wireless Cellular Security

Arvind, an old colleague, recently spoke at ACM, Bangalore, on the topic of security. Here is his presentation:







There are lots of interesting Questions and Answers. One interesting one is:

Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.

You can read all Q&A's here.

I wrote a tutorial on UMTS security many years back. It's available here.

Thursday 5 February 2009

GSM: Architecture, Protocols and Services




There is a new book on GSM in the market. Now it makes me wonder that since we are all focussing on 3.6G, 3.75G, 3.9G, 4G, etc., etc. what would be the point of a GSM book?

The following is from the preface of the book:

The GSM family (GSM, GPRS, EDGE) has become one of the most successful technical innovations in history. As of June 2008, more than 2.9 billion subscribers were using GSM, corresponding to a market share of more than 81%, and its story continues, even now, despite the introduction and development of next-generation systems such as IMT-2000 or UMTS (3G) and even systems beyond 3G, dubbed IMT-Advanced.

At the same time, wireless local area networks have substantially expanded the wireless market, sometimes drawing market share from GPRS and 3G (e.g. in public WiFi hotspots), sometimes coexisting (e.g. in UMTS home routers used as a replacement for fixed wire connections). However, these are used typically for low mobility applications. Mobile communication with all of its features and stability has become increasingly important: cellular and GSM technology, plus, of course, lately 3G, GSM's sister technology, so-to-say.

Another impressive trend has emerged since our last edition: the permanent evolution in the handheld market, producing fancy mobile phones with cameras, large memory, MP3 players, Email clients and even satellite navigation. These features enable numerous nonvoice or multimedia applications, from which, of course, only a subset is or will be successful on the market.

In this third edition, we concentrate again on the architecture, protocols and operation of the GSM network and outline and explain the innovations introduced in recent years. The main novelties in this book are the presentation of capacity enhancement methods such as sectorization, the application of adaptive antennas for Spatial Filtering for Interference Reduction (SFIR) and Space Division Multiple Access (SDMA), a detailed introduction to HSCSD and EDGE for higher data rates, and an update of the available GSM services, specifically introducing the Multimedia Messaging Service (MMS).

I think that GSM is going to be the fallback option for most of the new technologies due to its worldwide deployment, so now is the time for us to brush up our GSM concepts.


Friday 22 June 2007

2.5 Billion GSM Subscribers Worldwide


Bellevue, WA, June 05, 2007 - Today, 3G Americas reports that the number of GSM mobile wireless subscribers worldwide has reached 2.5 billion, a stunning 400% increase in GSM subscribers from only six years ago, according to the estimates of Informa's World Cellular Information Service. Every day, there are more than one million new additions to the GSM family of technology users receiving service from one of 700 commercial GSM networks across 218 countries and territories around the world.


“It’s unprecedented for almost any global industry to achieve the growth and success demonstrated by the GSM family of technologies, with an estimated 2.5 billion global customers today,” stated Chris Pearson, President of 3G Americas. “This level of wireless technology growth exceeds that of almost all other lifestyle-changing innovations.”

Looking back, it was almost one hundred years ago when the first so-called "mobile" phone call was made by Lars Ericsson in 1910 -- although not wireless, as Ericsson attached wires to a telephone pole terminal to make his call while on the road. 2007 marks the 60th anniversary of AT&T and Bell Laboratories' 1947 invention of the cellular phone. Today, it is estimated that more than 37% of the world's 6.6 billion people (US Census Bureau) use GSM technology.


GSM subscribers, including nearly 130 million UMTS/HSDPA subscriptions, currently comprise nearly 85% of the global mobile wireless market. GSM became the dominant Latin American mobile wireless technology in less than a decade since its launch in the region in 1998, acquiring 2 million subscribers by the year 2000, and 200 million by end of year 2006. The GSM family now serves 331 million customers in all the Americas as of 1Q 2007, and is available in every single country. This market leadership is due to the numerous technical and economic benefits of the GSM family of technologies for both operators and their customers.


GSM technologies, including GPRS, EDGE and UMTS/HSPA, offer overwhelming advantages in terms of global scope, scale, international roaming and service that are still unmatched by other mobile wireless technologies. As of May 2007, there are 169 UMTS operators in service across 71 countries, and 117 of those operators in 59 countries have deployed an enhanced version of UMTS called HSDPA. Additionally, nearly all UMTS/HSDPA devices manufactured today include the EDGE technology as the compatible fallback technology, allowing for global roaming and delivery of high-speed wireless data services.

HSPA (HSDPA/HSUPA) technology is poised to be the leading mobile broadband technology for the rest of the decade, outpacing alternative mobile broadband technologies by leveraging on the current installed base of the GSM family of technologies and providing the most efficient solution. It is expected that almost all GSM/EDGE operators will someday migrate to HSPA technology.


Pearson continued, “While other technologies are grabbing attention, HSPA is being rolled out around the world, separating future promise from that which is available today. Building upon the enormous foundation of customers and commercial deployment of GSM, and the broad research and development by vendors, HSPA will continue in its mobile broadband leadership position for years to come.”


For white papers, statistics and more information on the GSM family of technologies, visit http://www.3gamericas.org/.

About 3G Americas: Unifying the Americas through Wireless Technology
The mission of 3G Americas is to promote and facilitate the seamless deployment throughout the Americas of GSM and its evolution to 3G and beyond. The organization fully supports the Third Generation (3G) technology migration strategy to EDGE and UMTS/HSPA adopted by many operators in the Americas. The GSM family of technologies accounts for 85% of wireless mobile customers worldwide. 3G Americas is headquartered in Bellevue, WA with an office for Latin America and the Caribbean in Dallas, TX. For more information, visit our website at http://www.3gamericas.org/.


About Informa Telecoms & Media
Informa Telecoms & Media provides business intelligence and strategic services to the global telecoms and media markets. All of our products and services - from news, trend analysis and forecasting to industry data, face-to-face events and training - are driven by our deep understanding of the markets we serve and by our goal to help our clients make better business decisions. http://www.informatm.com/