


Latest news and information on 3G, 4G, 5G wireless and technologies in general.
More info on their website (http://www.ict-freedom.eu/). You can see their scenario document that shows different interference scenarios and also compares different approaches including those of Femto Forum, 3GPP and WiMAX.
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed on to the intended recipient so the attacker can listen in on and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it is possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren't my calls encrypted?
Generally speaking, yes. However, the IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but most cell phones do not show such a warning. Paget explained: "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."
What wireless provider networks are affected?
Good news for Sprint and Verizon customers: those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile, as well as most major carriers outside of the United States, rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier, equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
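As an added illustration (not part of the original article or of Paget's work), here is a small Python heuristic that applies the three tells described above to a constructed log of cell observations: ciphering dropping to A5/0 (GSM "no encryption"), an abrupt 3G-to-2G fallback from a healthy 3G signal, and an unknown cell that is suddenly the strongest thing around. The record layout, cell identifiers and signal thresholds are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One serving-cell report (constructed layout, not a real baseband log)."""
    rat: str        # "3G" or "2G"
    cell_id: str    # serving cell identifier
    rssi_dbm: int   # received signal strength
    cipher: str     # "A5/0" means GSM ciphering disabled; "A5/1", "UEA1" etc. otherwise

# Thresholds are assumptions for the example, not values from the article.
STRONG_3G_DBM = -80      # 3G this good should not normally be abandoned for 2G
SUSPICIOUS_RSSI_DBM = -60  # an unfamiliar cell this loud is worth a second look

def analyse(observations, known_cells):
    """Return (index, reason) alerts for the IMSI-catcher tells described above."""
    alerts = []
    prev = None
    for i, obs in enumerate(observations):
        # 1. Ciphering switched off. The GSM spec says the user should be warned;
        #    most handsets stay silent, so the check has to be done here instead.
        if obs.rat == "2G" and obs.cipher == "A5/0":
            alerts.append((i, "ciphering disabled (A5/0)"))
        # 2. Strong 3G one moment, 2G the next: consistent with 3G being jammed
        #    so the phone falls back to GSM, where the catcher can operate.
        if prev and prev.rat == "3G" and obs.rat == "2G" and prev.rssi_dbm > STRONG_3G_DBM:
            alerts.append((i, "fallback 3G->2G from strong 3G signal"))
        # 3. A cell we have never seen before that also dominates the signal picture.
        if obs.cell_id not in known_cells and obs.rssi_dbm > SUSPICIOUS_RSSI_DBM:
            alerts.append((i, f"unknown cell {obs.cell_id} with unusually strong signal"))
        prev = obs
    return alerts

# Constructed sample: two normal 3G reports, then the phone lands on an
# unfamiliar, very strong 2G cell that negotiates no ciphering at all.
SAMPLE = [
    Observation("3G", "umts-0101", -70, "UEA1"),
    Observation("3G", "umts-0101", -72, "UEA1"),
    Observation("2G", "gsm-9999", -45, "A5/0"),
    Observation("2G", "gsm-9999", -47, "A5/0"),
]
KNOWN_CELLS = {"umts-0101", "gsm-0202"}

def run_sample():
    return analyse(SAMPLE, KNOWN_CELLS)

if __name__ == "__main__":
    for idx, reason in run_sample():
        print(f"observation {idx}: {reason}")
```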
A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.
The public availability of the software, dubbed Airprobe, means that anyone with the right hardware can snoop on other people's calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.
Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.
"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a stranger's phone calls with very little effort."
An earlier incarnation of Airprobe was incomplete, so Nohl and others worked to make it usable, he said.
Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.
To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 cipher used in GSM, Nohl said.
More information about the tool and the privacy issues is on the Security Research Labs Web site.
Testing UMTS by Dan Fox, Anritsu
It's nearly three years since I wrote an FAQ on UMTS Testing. So when I got my hands on this book the other day, I so wanted to read it. It will be a while before I manage to go through the book in detail, but my initial impression is that this book looks quite good.
Since the book deals with Protocol Testing, the testing has been grouped into three categories:
There is a chapter explaining each of these. The Conformance testing chapter is of interest to me as I have been involved directly and indirectly with this for quite some years now. The book explains the process, the standards required and the submission of tests to GCF/PTCRB.
Those for whom testing does not hold much charm can gain a greater understanding of the concepts by reading Part II of the book. One thing I really liked in this book is that the diagrams explain the concepts very well. Rather than copying them straight from the 3GPP specifications, the author has improved and redrawn them. Basic things like 'Dynamic TFCI selection' and 'Layer 2 transport channel processing flow for the 12.2 kbps RMC' are explained clearly using the diagrams.
There is just the right amount of detail in the chapters for Physical Layer, Layer 2 (MAC, RLC, PDCP) and Layer 3 (RRC, NAS). Further chapters show message flow sequence charts explaining things like 'setting up of speech call' and 'location updating procedure'. I have some basic sequence diagrams for message flow in the Tutorial section but the ones in the book are comparatively more detailed.
The book mainly covers UMTS, with an introduction to HSPA. It would be worthwhile to have the next edition cover LTE in detail, the main reason being that there are lots of changes in the case of LTE. The Air Interface has changed and the channels are different. The NAS messages and entities are different. UMTS (and HSPA) use TTCN-2 for testing but LTE uses TTCN-3. UMTS does not use MIMO (MIMO is available for HSPA from Release 7 onwards) but LTE would generally always use MIMO.
Overall, this seems to be a useful book and I am looking forward to reading it in detail.