Telecom security from ss7 to all ip all-open-v3-zeronights | P1Security
Telecom security is way more than SIP-breaking some peripheral PBXs and raking in a few thousand dollars of free calls. From the formerly closed garden of SS7 to new all-IP telecom protocols such as Diameter and LTE protocols, the telecom domain now faces both the challenges of availability (one minute of downtime costs literally millions) and signaling vulnerabilities cutting down entire countries, causing massive frauds and the all new networking protocols. These new telecom protocols are rolled out in IP-centric fashion, with their myriad of standard IP security pitfalls and vulnerabilities, as well as very specific telecom vulnerabilities. The HLR is not only using TCP/IP for OAM and business workflow, but also, now being named an HSS, it uses IP-only protocols such as Diameter for its Core Network signaling operations. That means that telecoms are now facing new security risks both in terms of exposure and threats, with their Core Network being exposed to unsophisticated IP-centered attackers, and the continuous waves of telecom-centered defrauders. In this presentation, we'll demo the new technologies of 3G and LTE networks and how to attack and defend them. We'll also show what kind of exposure telecom companies, Mobile Network Operators and SS7 providers show to external attackers.
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic | 44CON
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS, which can be used to compromise a target's phone calls, messaging and web surfing habits. Mobile Phones will be harmed during this presentation.
GRX is the global private network where telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system.
GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time where IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
In this presentation, we’ll see how this infrastructure is protected and how it can be attacked. We’ll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see the implications of this with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several vulnerabilities that we will be showing in this speech.
We will demo some of the attacks on a simulated “PS Domain” network, that is, the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
The document discusses routing protocol attacks against routers. It provides an overview of common routing protocols like RIP, OSPF, BGP and CDP. It then describes different attacks against these protocols like spoofing, injection of malformed packets, autonomous system scanning and denial of service attacks. The document emphasizes the need for safeguards like disabling unnecessary protocols, implementing authentication and filtering to protect against routing protocol attacks.
This document discusses different types of multiplexing used in communications. It describes Frequency-Division Multiple Access (FDMA), Time-Division Multiple Access (TDMA), and Code-Division Multiple Access (CDMA). For CDMA, it explains that all users can transmit simultaneously using the same frequency by multiplying each user's narrowband signal by a unique wideband spreading code. The receiver detects the desired user's signal using the same code while other signals appear as noise. Processing gain and system capacity equations for CDMA are also provided. Future work is planned to evaluate CDMA interference and capacity using simulation software.
This document provides an overview and analysis of nation-state malware targeting telecommunications networks, specifically focusing on the Regin malware. It discusses the technical capabilities and architecture of Regin, analyzing how it infiltrates networks and implants modules. The document also explores other attack vectors such as SS7 and potential vulnerabilities in GPRS/IPX networks that malware could exploit. Dynamic demonstrations are provided of instrumenting Regin and simulating its attacks on networks and systems.
The document discusses router and routing protocol attacks. It provides an overview of common routing protocols like RIP, OSPF, BGP and discusses their vulnerabilities. Specific attacks against these protocols are described like route injection attacks, spoofing, denial of service attacks. The document emphasizes the need for routing protocol security best practices like authentication, access control and monitoring to prevent such attacks.
Layer 2 protocols like CDP, VTP, DTP, and HSRP are vulnerable to attacks if not properly secured. An attacker can use tools like Yersinia to perform reconnaissance on layer 2 protocols to gain information about devices, protocols, and network topology. Common attacks include denial of service attacks, traffic hijacking, and bypassing network restrictions. To prevent attacks, companies should secure switches, use secure trunking configurations, disable unused ports and protocols, and deploy security features like DHCP snooping.
The Diameter protocol has been introduced to replace SS7/SIGTRAN in many respects in LTE and VoLTE networks, and, like these 2G/3G networks, Diameter also has its dedicated global roaming network named IPX (IP eXchange) that allows international roaming for LTE users.
Back in the day, Diameter was already used by the PCRF in 2G/3G networks for charging purposes, but its usage has been extended to completely replace the signaling role of SS7/SIGTRAN in LTE networks. SS7/SIGTRAN security flaws are now public after several publications, but what about Diameter security? By replacing old and insecure protocols, does Diameter come with built-in security?
During the presentation, we will study how the IPX infrastructure operates and how security is taken into account nowadays regarding the newest 4G telecom technologies. Taking different points of view allowed us to find major Diameter vulnerabilities via the IPX, which affect almost all the network elements (HSS, MME, GMLC, PCRF, PDN GW), including DNS serving telecom TLDs. Understanding the mistakes through which a former generation of telecom networks came out with insecure protocols will maybe help us to push security by design in the future.
Nevertheless, as a telecom provider we will provide recommendations to secure LTE infrastructures and share technical countermeasures we have implemented against different Diameter attacks and fraud scenarios to protect our network and customers. Along with recommendations, we will present some ways to self-audit and self-monitor your network, as we consider that telecom providers need to take back the control of their networks!
Troopers website link: https://www.troopers.de/events/troopers16/653_assaulting_ipx_diameter_roaming_network/
Worldwide attacks on SS7/SIGTRAN network | P1Security
Publication performed by Alexandre De Oliveira and Pierre-Olivier Vauboin during Hackito Ergo Sum 2014
Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in terms of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows, from making a mobile phone call to sending an SMS. Then we describe the protocol layers involved and how to abuse them, and which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real-life example of a scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.
MGCP is a protocol used to control media gateways that convert between audio signals and data packets. It uses a master-slave architecture with a media gateway controlled by a call agent. MGCP commands include CRCX to create connections, MDCX to modify them, and DLCX to delete them. Basic call flows include the media gateway registering with the call agent, creating a call by requesting digits and notifying of events, and terminating a call by deleting connections on hook events.
This document discusses exploiting vulnerabilities at layer 2, including VLAN hopping, CAM table attacks, and spanning tree attacks. It describes how VLAN hopping works by spoofing frames with 802.1Q tags to access other VLANs. CAM table attacks overflow the content addressable memory table to cause flooding. Spanning tree attacks can manipulate the root bridge election process. The document provides details on these attacks and potential mitigations like port security and private VLANs.
44Con 2014: GreedyBTS - Hacking Adventures in GSM | iphonepentest
This presentation examines insecurities in the 2.5G GSM protocol and demonstrates GreedyBTS; a platform for fingerprinting and exploiting cellular devices, including interception of SMS and voice data.
Implementing QoS Solutions for H.323 Video Conferencing over IP | Videoguy
This document discusses implementing Quality of Service (QoS) solutions for H.323 video conferencing over IP networks. It begins by outlining the prerequisites for understanding H.323 protocols and components. It then provides background on H.323 and characterizes video conference traffic. The document describes how to plan network capacity and determine per-call bandwidth needs. It recommends classifying and prioritizing traffic using DiffServ codes and queues like Low Latency Queueing (LLQ). Sample configurations are provided to shape traffic and interwork H.323 terminals with QoS.
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection | Luca Bongiorni
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection is proposed as a ready-to-deploy solution in the event of a natural disaster, in areas where GSM networks are temporarily down.
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
This document is a list of graduation projects for the Faculty of Engineering at Cairo University's Department of Electronics and Electrical Communications Engineering for 2008/2009. It lists 61 projects with titles related to communications engineering. The projects are organized with the main advisor and project title.
Wireless transmission options for security & surveillance: point-to-point, point-to-multipoint, mesh - pros and cons of each; mistakes to avoid; steps to successful wireless deployment; case studies; questions to ask your wireless technology provider.
The document contains information about several individuals and an outline for a presentation on H.323. The outline discusses what H.323 is, its scope and importance, its historical development stages, the elements that make up an H.323 system, the core protocols that define H.323 communication, how H.323 calls are signaled, and the future prospects of H.323.
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois | P1Security
Telecommunications Infrastructure Security
Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden. This document discusses vulnerabilities in SS7 that allow unauthorized access to telecommunications infrastructure. It describes how SS7 was designed for reliability over security. It also outlines various entry points like STP connectivity, SIGTRAN protocols, and vulnerabilities in 3G femtocells that can be exploited to conduct attacks. The document warns that the traditional walled garden of telecom networks is opening up due to these issues and becoming harder to secure.
This white paper gives an overview of new solutions provided by telecom operators to support the “Internet of Things” (IoT) vision. This scan describes the developments and planning and compares three technologies: AntTail’s mesh networks, LORA and NB-IoT.
Speaker: Michael Iedema
"OpenBTS implements a complete GSM stack for voice and SMS. It also supports GPRS and UMTS 3G data standards. With an off-the-shelf server and SDR (software defined radio), it is now possible to build real mobile networks. These networks can be used to support true fixed-mobile convergence, bring coverage to remote areas or just experiment and innovate within the cellular network itself. Because OpenBTS converts all cellular signalling and media directly to SIP and RTP, the development environment should be familiar!"
ElastixWorld
Santiago de Chile
October 2014
This document from a vendor seeks potential partners and summarizes their business portfolio, which includes wireless communication solutions such as a 250km point-to-point link, encrypted VoIP systems for security and government customers, wireless backhaul products, outdoor and indoor WiFi options, SCADA narrowband radios for electricity utilities, and a managed services billing platform for mobile virtual network operators. It provides high-level descriptions and applications for each solution.
This document outlines a framework for conducting a security penetration test of the Diameter protocol. It describes the basic equipment needed, including virtual machines running Open Source Diameter software and penetration testing tools. It also discusses setting up simulated 4G network elements like the PCRF, HSS and MME to test Diameter in a more complete network environment. The goal is to identify vulnerabilities in Diameter by developing a taxonomy similar to one created for the SS7 protocol. This will provide much needed security analysis of the widely used Diameter protocol.
H.323 is a standard for multimedia communications over packet-based networks. It defines protocols for real-time audio, video and data communications between endpoints such as terminals, gateways and multipoint control units. As an umbrella standard, H.323 references other protocols for functions like call signaling, bandwidth negotiation and transmission of audio and video data. H.323 provides scalable and flexible multimedia communication capabilities and has been widely adopted for voice and video conferencing over both internet and private networks.
This document analyzes the security of the Z-Wave wireless protocol. The authors developed a tool called Z-Force to capture and inject Z-Wave radio packets. Through analyzing Z-Wave communication and door lock firmware, they discovered details of the encryption and authentication algorithms. They found a vulnerability in how door locks handle the key exchange process that could allow resetting the encryption key, allowing unauthorized access.
Bluetooth is an open wireless technology standard for exchanging data over short distances. It was developed in 1994 initially to replace cables connecting devices like mobile phones and laptops. Bluetooth specifications define a protocol stack and use a radio technology called frequency-hopping spread spectrum in the 2.4GHz band. It allows for ad-hoc network topologies like piconets and scatternets. Profiles define how Bluetooth can be used in different applications. Bluetooth is now used in many consumer electronics products and future uses may include applications like home automation and location-based services.
The document discusses several wireless communication standards including WiFi, Bluetooth, and IEEE 802.11/802.15. It provides details on the protocol layers, frequency bands, modulation techniques, encryption methods, and medium access control protocols used. It compares the infrastructure and ad hoc modes, packet formats, and security approaches of WiFi and Bluetooth wireless networks.
Diameter protocol has been introduced to replace in many aspects SS7/SIGTRAN in the LTE and VoLTE networks, and such as these 2G/3G networks, Diameter also has its dedicated global roaming network named IPX (IP eXchange) that allows international roaming for LTE users..
Back in the days Diameter was already used by the PCRF in 2G/3G networks for charging purposes, but its usage has been extended to completely replace the signalization role of SS7/SIGTRAN in LTE networks. SS7/SIGTRAN security flows are now public after several publications, but what about Diameter security ? By replacing old and insecure protocols, does Diameter come with built-in security?
During the presentation, we will study how the IPX infrastructure operates and how security is taken into account nowadays regarding the newest 4G telecom technologies. Getting into different point of view allowed us to find major Diameter vulnerabilities via the IPX, which affect almost all the network elements HSS, MME, GMLC, PCRF, PDN GW, including DNS serving telecom TLDs. Understanding the mistakes that led to a former generation of telecom networks we came out with insecure protocols will maybe help us to push security by design in the future.
Nevertheless, as a telecom provider we will provide recommendations to secure LTE infrastructures and share technical countermeasures we have implemented against different Diameter attacks and fraud scenarios to protect our network and customers. Along with recommendations, we will present some ways on how to self audit and do self monitoring of your network, as we consider that telecom providers need to take back the control of their networks!
Troopers website link: https://www.troopers.de/events/troopers16/653_assaulting_ipx_diameter_roaming_network/
Worldwide attacks on SS7/SIGTRAN networkP1Security
Publication performed by Alexandre De Oliveira and Pierre-Olivier Vauboin during Hackito Ergo Sum 2014
Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their network, events confirm that for most of them maturity in term of security is yet to come, as recently shown with the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom callflows from making a mobile phone call to sending a SMS. Then we describe the protocol layers involved and how to abuse them, which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real life example of scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.
MGCP is a protocol used to control media gateways that convert between audio signals and data packets. It uses a master-slave architecture with a media gateway controlled by a call agent. MGCP commands include CRCX to create connections, MDCX to modify them, and DLCX to delete them. Basic call flows include the media gateway registering with the call agent, creating a call by requesting digits and notifying of events, and terminating a call by deleting connections on hook events.
This document discusses exploiting vulnerabilities at layer 2, including VLAN hopping, CAM table attacks, and spanning tree attacks. It describes how VLAN hopping works by spoofing frames with 802.1Q tags to access other VLANs. CAM table attacks overflow the content addressable memory table to cause flooding. Spanning tree attacks can manipulate the root bridge election process. The document provides details on these attacks and potential mitigations like port security and private VLANs.
44Con 2014: GreedyBTS - Hacking Adventures in GSMiphonepentest
This presentation examines insecurities in the 2.5G GSM protocol and demonstrates GreedyBTS; a platform for fingerprinting and exploiting cellular devices, including interception of SMS and voice data.
Implementing QoS Solutions for H.323 Video Conferencing over IPVideoguy
This document discusses implementing Quality of Service (QoS) solutions for H.323 video conferencing over IP networks. It begins by outlining the prerequisites for understanding H.323 protocols and components. It then provides background on H.323 and characterizes video conference traffic. The document describes how to plan network capacity and determine per-call bandwidth needs. It recommends classifying and prioritizing traffic using DiffServ codes and queues like Low Latency Queueing (LLQ). Sample configurations are provided to shape traffic and interwork H.323 terminals with QoS.
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionLuca Bongiorni
Open BTS: Emergency GSM Messaging & Monitoring System for Civil Protection is proposed as a solution ready-to-deploy in the event of natural disaster, in that areas where GSM networks are temporarily down.
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
This document is a list of graduation projects for the Faculty of Engineering at Cairo University's Department of Electronics and Electrical Communications Engineering for 2008/2009. It lists 61 projects with titles related to communications engineering. The projects are organized with the main advisor and project title.
Wireless transmission options for security & surveillance: point-to-point, point-to-multipoint, mesh - pros and cons of each; mistakes to avoid; steps to successful wireless deployment; case studies; questions to ask your wireless technology provider.
The document contains information about several individuals and an outline for a presentation on H.323. The outline discusses what H.323 is, its scope and importance, its historical development stages, the elements that make up an H.323 system, the core protocols that define H.323 communication, how H.323 calls are signaled, and the future prospects of H.323.
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
Telecommunications Infrastructure Security
Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden. This document discusses vulnerabilities in SS7 that allow unauthorized access to telecommunications infrastructure. It describes how SS7 was designed for reliability over security. It also outlines various entry points like STP connectivity, SIGTRAN protocols, and vulnerabilities in 3G femtocells that can be exploited to conduct attacks. The document warns that the traditional walled garden of telecom networks is opening up due to these issues and becoming harder to secure.
This white paper gives an overview of new solutions provided by telecom operators to support the “Internet of Things” (IoT) vision. This scan describes the developments and planning and compares three technologies: AntTail’s mesh networks, LORA and NB-IoT.
Speaker: Michael Iedema
"OpenBTS implements a complete GSM stack for voice and SMS. It also supports GPRS and UMTS 3G data standards. With an off-the-shelf server and SDR (software defined radio), it is now possible to build real mobile networks. These networks can be used to support true fixed-mobile convergence, bring coverage to remote areas or just experiment and innovate within the cellular network itself. Because OpenBTS converts all cellular signalling and media directly to SIP and RTP, the development environment should be familiar!"
ElastixWorld
Santiago de Chile
October 2014
This document from a vendor seeks potential partners and summarizes their business portfolio, which includes wireless communication solutions such as a 250km point-to-point link, encrypted VoIP systems for security and government customers, wireless backhaul products, outdoor and indoor WiFi options, SCADA narrowband radios for electricity utilities, and a managed services billing platform for mobile virtual network operators. It provides high-level descriptions and applications for each solution.
This document outlines a framework for conducting a security penetration test of the Diameter protocol. It describes the basic equipment needed, including virtual machines running Open Source Diameter software and penetration testing tools. It also discusses setting up simulated 4G network elements like the PCRF, HSS and MME to test Diameter in a more complete network environment. The goal is to identify vulnerabilities in Diameter by developing a taxonomy similar to one created for the SS7 protocol. This will provide much needed security analysis of the widely used Diameter protocol.
H.323 is a standard for multimedia communications over packet-based networks. It defines protocols for real-time audio, video and data communications between endpoints such as terminals, gateways and multipoint control units. As an umbrella standard, H.323 references other protocols for functions like call signaling, bandwidth negotiation and transmission of audio and video data. H.323 provides scalable and flexible multimedia communication capabilities and has been widely adopted for voice and video conferencing over both internet and private networks.
This document analyzes the security of the Z-Wave wireless protocol. The authors developed a tool called Z-Force to capture and inject Z-Wave radio packets. Through analyzing Z-Wave communication and door lock firmware, they discovered details of the encryption and authentication algorithms. They found a vulnerability in how door locks handle the key exchange process that could allow resetting the encryption key, allowing unauthorized access.
Bluetooth is an open wireless technology standard for exchanging data over short distances. It was developed in 1994 initially to replace cables connecting devices like mobile phones and laptops. Bluetooth specifications define a protocol stack and use a radio technology called frequency-hopping spread spectrum in the 2.4GHz band. It allows for ad-hoc network topologies like piconets and scatternets. Profiles define how Bluetooth can be used in different applications. Bluetooth is now used in many consumer electronics products and future uses may include applications like home automation and location-based services.
The document discusses several wireless communication standards including WiFi, Bluetooth, and IEEE 802.11/802.15. It provides details on the protocol layers, frequency bands, modulation techniques, encryption methods, and medium access control protocols used. It compares the infrastructure and ad hoc modes, packet formats, and security approaches of WiFi and Bluetooth wireless networks.
The document provides a detailed overview of wireless networking standards and technologies, including:
- 802.11 wireless LAN standards such as 802.11a/b/g which specify PHY layers for wireless transmission
- Security standards such as 802.1X, EAP, RADIUS, WPA, and WPA2 which define authentication and encryption for wireless networks
- Related standards like 802.1D, 802.1Q, 802.2, and 802.3 that interact with 802.11 networks
- Networking protocols like IP, IPX, and AppleTalk that can be used over 802.11 networks
- Regulatory bodies that govern wireless communications
The document discusses the Frequency-Hopping (FH) PHY used in 802.11 wireless networks. It describes key aspects of FH transmission including frequency slots, time slots, and hopping patterns. It also covers Gaussian Frequency Shift Keying (GFSK) modulation, the FH PHY Convergence Procedure (PLCP) for framing data, and the Frequency-Hopping PMD Sublayer for the 1Mbps and 2Mbps FH PHYs. Regulatory domains for hopping sequences are also discussed.
The physical layer overview document discusses:
1. The physical layer architecture and clear channel assessment function.
2. The standardized physical layers for 802.11 including frequency hopping, direct sequence, and infrared.
3. Licensed and unlicensed frequency bands where 802.11 operates, requiring spread spectrum technology in unlicensed bands.
The document provides an introduction to fundamentals of computer design. It discusses the evolution of computers from large room-sized machines to handheld devices. It outlines three main classes of computing - desktops, servers, and embedded systems - and highlights their key design considerations and performance metrics. The quantitative principles of computer design involve measuring execution time and its components, such as instruction count and clock cycles per instruction, to evaluate and compare performance.
This document discusses frequency hopping in wireless communication systems. It begins by explaining that in frequency hopping systems, each call hops between a defined set of frequencies to reduce the impact of poor signal quality on any single frequency. This provides frequency diversity and averages out interference. The document then discusses various types of frequency hopping including baseband and synthesizer hopping. It also covers topics like why frequency hopping is used, factors like multipath fading and interference, and specifications of frequency hopping systems including hopping sequences, mobile allocation lists, and fractional loading.
Frequency hopping is the repeated switching of frequencies during radio transmission, often to minimize the effectiveness of "electronic warfare" - that is, the unauthorized interception or jamming of telecommunications.
The Differences Between Bluetooth, ZigBee and WiFi (Mostafa Ali)
Understanding Differences Between Bluetooth, ZigBee and WiFi.
It's not about which is the best; it's just a description. You have to choose what is most suitable for your project.
This document provides an overview of Wi-Fi and Bluetooth technologies. It discusses how Wi-Fi allows wireless internet access and is widely available in public places. It also describes Bluetooth's technical features like encryption, authentication, and its goals of being a cable replacement and providing short-range wireless connectivity for both data and voice. The document concludes by comparing Wi-Fi and Bluetooth.
Frequency hopping spread spectrum (FHSS) works by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver. The transmitter hops from one frequency to another, transmitting short bursts of information on each channel in turn. The receiver hops in synch to receive the signals. This makes the signal resistant to interference and jamming as an eavesdropper would need to know the hop sequence to intercept the entire message coherently.
Frequency hopping spread spectrum (FH-SS) is a type of spread spectrum technique where the available channel bandwidth is divided into a large number of frequency slots arranged continuously. A transmitted signal occupies one or more of the available frequency slots, with the frequencies selected pseudo-randomly based on the output of a pseudo-noise generator. There are two types of FH-SS: slow FH-SS where one or more data bits are transmitted within one hop, and fast FH-SS where one data bit is divided over multiple hops. FH-SS provides advantages like improved interference rejection, code division multiplexing for CDMA, secure communication, and increased capacity and spectral efficiency. It is used in military communication systems, satellite communication,
Bluetooth is a wireless technology standard for exchanging data over short distances. It was developed as a replacement for cables in connecting devices like mobile phones, headphones, laptops, and other electronics. The document discusses Bluetooth definitions, protocols, topology, security features, applications, and comparisons to other wireless technologies like infrared and WiFi. It also covers Bluetooth's advantages in mobility and connectivity as well as some limitations and security risks.
Modern devices with spread spectrum application opportunities for wireless co... (Олександр Мазуренко)
Can be downloaded here: https://drive.google.com/open?id=0B5J_auuoZpgbZTFzLWJhM3FiUW8
Topic: ”Modern devices with spread spectrum application opportunities for wireless communications services performing”
Theses:
- Technologies and devices of “Covert Wireless Communications”.
- Test results of new devices of the company.
- Features of new devices of the company.
- Opportunities and prospects of wireless communication services based on products of the company.
This document proposes enhancing the security of wireless networks using physical layer protection. It discusses weaknesses in conventional encryption systems and proposes encrypting data at the physical layer instead of the MAC layer. This is done by using physical layer transforms like XOR, scrambling, or phase shifting based on a cipher stream. Encrypting at the physical layer makes the decrypted data difficult for hackers to record. Simulation results show the proposed techniques do not degrade communication performance for modulation schemes up to QAM-16 over AWGN channels. Future work includes analyzing different error coding schemes' effects on hacking complexity and exploring joint encryption and error coding.
This document provides an overview of hole punching techniques for establishing direct peer-to-peer connections between devices located behind firewalls or network address translation (NAT). It describes ICMP, TCP, and UDP hole punching protocols. Hole punching allows two devices to connect by establishing outbound connections through a third-party server that exchanges the devices' private address and port information. This allows the devices to try connecting to each other directly. The document also discusses NAT and its advantages and disadvantages.
5. Firetide Next Generation Wireless Infrastructure for City Surveillance.pdf (PawachMetharattanara)
Firetide is a market leader in wireless mesh infrastructure technology. It has over 20,000 installations worldwide for applications requiring real-time video surveillance. Firetide's wireless mesh networking equipment has the best performance in the market due to its core routing protocol. It is currently replacing underperforming wireless networks for over 30% of its business in video and voice applications. Firetide leads the market in wireless video surveillance with over 1,000 municipal installations in the US and is also widely used internationally.
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
Ultra-wideband (UWB) is a short-range, high-bandwidth wireless technology that can provide data transmission rates up to 480 Mbps. It operates by transmitting short pulses across a wide spectrum of frequency bands between 3.1-10.6 GHz. UWB offers advantages over other wireless technologies like Bluetooth and WiFi by providing faster data transfer speeds, better multipath performance, and precise localization capabilities. Potential applications of UWB include wireless USB, high quality video transmission, and radar/imaging systems.
This document discusses General Packet Radio Service (GPRS) and provides details about its network architecture, features, advantages, applications and mobility management model. GPRS is an overlay network over GSM that provides packet-switched data services, enabling multiple users to share network resources. It utilizes TCP/IP protocols and supports various data and internet applications.
The document provides an overview of ZigBee/IEEE 802.15.4 wireless technology. It discusses the need for low-power, low-cost wireless connectivity for applications like home automation, medical devices, and industrial sensors. It describes the ZigBee Alliance's role in developing networking and application standards on top of the IEEE 802.15.4 physical radio specification. Key features of ZigBee networks include low power consumption, large network capacity, low data rates, and flexibility for many applications.
This document provides an overview of different hole punching techniques used to establish direct connections between devices located behind firewalls or network address translation (NAT) devices. It discusses ICMP, TCP, and UDP hole punching. ICMP hole punching exploits a NAT's acceptance of inbound ICMP packets to transfer data between NATs without an external server. TCP hole punching uses a rendezvous server to exchange connection details between devices and establish an outbound connection. UDP hole punching similarly relies on an external server to initially set up UDP port mappings between devices that can then be used for direct communication.
This document summarizes a research paper on a CDMA-based MAC protocol for wireless ad hoc networks. The protocol, called CA-CDMA, addresses the near-far problem in CDMA systems by incorporating distributed power control and interference feedback between nodes. Simulation results show that CA-CDMA can increase throughput by up to 280% compared to 802.11 by allowing simultaneous transmissions through power control. Future work may involve combining CA-CDMA with other capacity enhancement techniques like directional antennas or multi-rate support.
This document provides an overview of wireless personal area networks (WPANs), including Bluetooth, ZigBee, and Ultra-Wideband. It describes the key features and applications of each technology, how their protocols are structured, and how they compare to each other. Bluetooth supports data rates up to 2 Mbps over short ranges and is used in devices like phones, laptops, and printers. ZigBee focuses on low power consumption and supports thousands of nodes in a mesh network for uses like smart homes and buildings. Ultra-Wideband provides high data rates over short ranges and is used in applications like TVs, DVD players, and mobile devices.
Webinar: BlueNRG-LP - Long-range Bluetooth 5.2 for industrial applications (Embarcados)
The BlueNRG-LP is a programmable, ultra-low-power Bluetooth® Low Energy wireless SoC solution. It incorporates STMicroelectronics' latest-generation 2.4 GHz RF radio IPs, combining unparalleled performance with extremely long battery life. It is compliant with the Bluetooth® Low Energy SIG core specification version 5.2, addressing point-to-point connectivity and Bluetooth Mesh networking, and allows large-scale device networks to be established reliably. The BlueNRG-LP is also suitable for proprietary 2.4 GHz radio wireless communication to address ultra-low-latency applications.
Watch the recording at: https://www.embarcados.com.br/webinars/webinar-bluenrg-lp-bluetooth-5-2-de-longo-alcance-para-aplicacoes-industriais/
Wireless intelligent networking allows service providers to introduce new services quickly through an evolving network architecture. It uses standards like CAMEL and WIN to enable features controlled outside the switch like pre-paid calling. The architecture includes elements like the SCP and IP that contain service logic and resources, interacting with other networks through signaling protocols like SS7.
LINKSTAR TECHNOLOGIES LIMITED - COMPANY PROFILE AND CAPABILITY (BALA CHANDER)
Linkstar Technologies is an electronics design and manufacturing company headquartered in Hong Kong with facilities in Bangalore, India. It provides value solutions for communications products, including design, development, and manufacturing of electronics and communication products from concept. It has expertise in design and development services, electronics manufacturing services, and vocoder modules for secure communications.
Track 3 session 8 - st dev con 2016 - music and voice over ble (ST_World)
This document provides an overview of Roberto Sannino's presentation on BlueVoice, STMicroelectronics' solution for playing high-quality audio over Bluetooth Low Energy. BlueVoice uses advanced audio processing and compression techniques like ADPCM to stream compressed audio data over BLE at rates up to 64 kbps, enabling applications like voice-controlled devices, wireless audio, and the internet of audio things. The document describes BlueVoice's architecture, software libraries, development kits, and example applications to demonstrate voice streaming to mobile and cloud services using STM32 and BlueNRG hardware.
Global System for Mobile Communication Based Smart Home Security System (IJERA Editor)
A home security system is needed for occupants' convenience and safety. In this paper, we present the design and implementation of an affordable, low power consumption, and GSM (Global System for Mobile Communication) based wireless home security system. In the existing system, the home network is engaged with non-wireless technology, where the installation and maintenance is difficult. So the system cost is very high. In our proposed system, these difficulties are overcome by introducing a wireless home network which contains a GPRS Gateway and three kinds of security nodes, namely a door security node, an anti-intrusion node and an SMS node to inform the user. The nodes are easy to install. All three nodes are connected to the microcontroller.
- Study of the functionality of 2MB mother board, providing E1 data interfaces
- CMS lab, test equipment, quality control; about BEL, rotational program; FPGA, ADSP, DSO, VHDL
- E1 European data format, link, specification
- Encoding techniques: HDB3, AMI
This document provides an outline on voice over internet protocol (VoIP) covering topics such as how VoIP works, advantages of VoIP, types of codecs used for converting analog signals to digital data, signaling protocols like H.323 and SIP used for setting up and managing calls, and security considerations in VoIP like the use of SRTP for encryption. The document compares VoIP to traditional PSTN telephone networks and PBX systems, and explains that VoIP uses packet switching over the internet to make phone calls instead of dedicated circuits, allowing for upgrades with only increased bandwidth.
Recom Systems Limited: consulting services for mobile service providers. We have a unique system where mobile operators or an IT company generate 50 million US$ per month.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative projects and software. In reality, a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to dive into a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: An advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in various events, migrations and training related to LibreOffice. She previously worked on LibreOffice migrations and training courses for several public administrations and private organizations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and Geeko she cultivates her curiosity for astronomy (hence her nickname deneb_alpha).
2. ROAD MAP
- Introduction
- Basic Definitions
- Topology
- Protocols
- Link Management & Security
- Applications and Future
3. Introduction
- Aim: To replace cables between mobiles, PC cards, headsets, desktops and other devices.
- Developed by Special Interest Group (SIG)
- Association of I.T majors like Intel, IBM, Nokia and Toshiba
4. Bluetooth Versus Infrared
Bluetooth:
- Slower than IR as time taken to discover the intended recipient
- Penetration of solid objects
- Omni directional
Infrared:
- Advantage of proximity so less time requirement
- No such feature
- Unidirectional with 30 degrees range
5. BT Versus IR
Bluetooth:
- Data transfer rate 721 Kbps
- 30 feet range
- Mobility during data transfer
- Internet compatible (emulating EIA TIA 232)
Infrared:
- Rate is 4 Mbps
- Range very less
- Relatively stationary
6. 6
Bluetooth DefinitionsBluetooth Definitions
Piconet : Collection ofPiconet : Collection of
devices connected viadevices connected via
Bluetooth in ad hocBluetooth in ad hoc
fashion. Limited to 8fashion. Limited to 8
units in a Piconetunits in a Piconet
Scatternet : Two orScatternet : Two or
more independentmore independent
unsynchronized Piconet.unsynchronized Piconet.
7.
Definitions
Master: A device in Piconet whose clock and hopping sequence are used to synchronize all the devices. It also numbers the communication channels
8.
Definitions
Slave: All other devices in the Piconet except master
MAC: 3-bit media access control address used to differentiate between participating units
9.
Bluetooth technology
Implemented using short range transceivers
Specification comprises a system solution consisting of hardware, software & interoperability requirements
Uses globally available unlicensed ISM radio band of 2.4 GHz.
Frequency range 2.4 – 2.484 GHz
10.
BT technology
Advantage of using an unlicensed frequency band is that it is globally acceptable
11.
Types of Links
Asynchronous Connection Links (ACL)
Supports symmetrical, asymmetrical, packet-switched & point to multipoint links
Data Transfer Rate: 433.9 Kbps (sym.)
732.2 Kbps in one, 57.6 Kbps in reverse (asymmetric)
12.
Types of Links
Synchronous Connection Oriented Links (SCO)
Provide symmetrical, circuit-switched & point to point connections
13.
Audio and Video
For voice coding 64 Kbps channels are required
Channels are derived through use of PCM or CVSDM
Video encoding decoding using MPEG-4 format
Radio links use freq. hopping spread spectrum techniques
14.
Spread Spectrum
Method of wireless communication that takes a narrow band signal and spreads it over a broader portion of the available frequency band.
CDMA applies the same concept
15.
Advantages of Spread Spectrum Technique
Prevents Interference: where transmission is disrupted by an external source such as noise from electromagnetic devices.
Prevents Jamming: where a stronger signal overwhelms the weaker one.
No reflection off solids.
No interception: where unauthorized users capture the signal to determine the content.
16.
Performance Characteristics
Features/Functions: Performance
1. Connection Type: Spread spectrum
2. Spectrum: 2.4 GHz ISM band
3. Transmission Power: 1 milliwatt
4. Aggregate Data Rate: 1 Mbps using frequency hopping
5. Range: Up to 30 feet
6. Supported stations: Up to 8 devices per piconet
17.
Features/Functions: Performance
Voice Channels: Up to 3
Data Security: For authentication a 128 bit key; for encryption key size configurable (8-128 bits)
Addressing: Each device has a 48 bit MAC address
18.
Bluetooth Topology
Ad-hoc connection where each Piconet is identified by a different hopping sequence
Synchronization in unlicensed ISM band not permitted but BT devices do it using TDM
Service discovery protocol allows wider applications, ex: create LAN
Clustering avoided using technical safeguards.
20.
LMP and SDP
LMP: responsible for link setup & control between Bluetooth devices, including the control and negotiations of baseband packet sizes
SDP: device information, services and characteristics of services can be queried.
22.
Link Management
Peer to Peer communication using LMP
Link Manager
Messages Exchanged (PDUs)
Within 30 seconds
PDU
55 different types of PDUs
7 bit op code
23.
AUTHENTICATION
General Response Messages
LMP_accepted
LMP_not_accepted
Challenge-Response Scheme
Verifier sends (LMP_au_rand)
Response is a function of challenge, Claimant's (BD_ADDR) & Secret Key
Common Secret key is required for proper calculation
24.
PAIRING
When no Common Link Key:
128 bit Initialization Key based on PIN and random no.
Calculation of Response on key
Verifier Approves the Link Key
Response not correct then Error Code authentication failure (LMP_detach)
25.
Link Key is Created after authentication
Link Key Created may be either combination of Keys or one of the unit's unit key (LMP_unit_key & LMP_comb_key)
Waiting Interval:
Increased exponentially
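Added example, not part of the original slides: a Python sketch of the verifier side of the challenge-response exchange from slides 23 to 25, with a 128-bit challenge, a 32-bit response and a waiting interval that doubles after each failed attempt. HMAC-SHA256 stands in for the real Bluetooth E1 function, and the Verifier class, the 1-second base interval and the sample address are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def sres(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """32-bit response to a 128-bit challenge.

    Stand-in PRF (assumption): HMAC-SHA256 truncated to 4 bytes. Real
    Bluetooth BR/EDR uses the E1 function instead.
    """
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]

class Verifier:
    """Verifier side of the exchange (hypothetical class, not a real stack API)."""

    def __init__(self, link_key: bytes, base_wait: float = 1.0):
        self.link_key = link_key
        self.base_wait = base_wait   # assumed first waiting interval, seconds
        self.failures = {}           # claimant BD_ADDR -> consecutive failures
        self.pending = {}            # claimant BD_ADDR -> outstanding challenge

    def challenge(self, bd_addr: bytes) -> bytes:
        """Issue a fresh 128-bit random challenge (the LMP_au_rand payload)."""
        au_rand = os.urandom(16)
        self.pending[bd_addr] = au_rand
        return au_rand

    def verify(self, bd_addr: bytes, response: bytes) -> bool:
        """Check the claimant's response; False means detach with auth failure."""
        au_rand = self.pending.pop(bd_addr, None)  # single use: no replay
        if au_rand is None:
            return False
        expected = sres(self.link_key, au_rand, bd_addr)
        if hmac.compare_digest(expected, response):
            self.failures.pop(bd_addr, None)       # success resets the backoff
            return True
        self.failures[bd_addr] = self.failures.get(bd_addr, 0) + 1
        return False

    def wait_interval(self, bd_addr: bytes) -> float:
        """Seconds to wait before the next attempt; doubles per failure."""
        n = self.failures.get(bd_addr, 0)
        return 0.0 if n == 0 else self.base_wait * 2 ** (n - 1)

if __name__ == "__main__":
    key = os.urandom(16)                       # constructed shared link key
    addr = bytes.fromhex("001122334455")       # constructed claimant BD_ADDR
    v = Verifier(key)
    print(v.verify(addr, sres(key, v.challenge(addr), addr)))   # matching key
    print(v.verify(addr, sres(os.urandom(16), v.challenge(addr), addr)))
    print(v.wait_interval(addr))
```

The doubling interval is what keeps a 32-bit response from being guessed by repetition: each wrong answer makes the next attempt against the same verifier slower.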
26.
ENCRYPTION
Is an Option.
Master's Will in piconet
Master & Slave must Agree
Point to Point or also broadcast packets
27.
ENCRYPTION
Start:
Master is configured to transmit unencrypted packets and receive encrypted.
Slave is configured to transmit and receive encrypted packets
Master is configured to transmit and receive encrypted packets
Stop:
Master is configured to transmit encrypted and receive unencrypted.
Slave is configured to transmit and receive unencrypted.
Master is configured to transmit and receive unencrypted.
28.
Clock Offset Request
Every Device has an Internal System Clock
Timing and frequency determined by the master in Piconet.
Difference between slave's and master's.
Clock offset is updated each time a packet is received.
29.
BLUETOOTH SECURITY
Built in Security
Frequency Hopping
Pseudorandom code sequence
Lasts 0.4 seconds
75 channels in 2.4 GHz
Authentication preventing spoofing and unwanted access
Encryption makes data unintelligible.
Inhibiting user-friendly hence 3 levels of security.
30.
Security Modes
Mode 1:
Absence of security (Bypassing Link-Level security functions)
Exchange of vCards and vCalendars
Mode 2:
Service Level Security for parallel applications
Mode 3:
Link Level Security
LM enforces security at connection set up.
Link Keys
31.
Key Length (8 and 128 bits)
128 bit challenge and 32 bit response.
Depends on Level of Security
Maximum length limited by Hardware
32.
LAYOUT
FIELDS OF APPLICATION.
BLUETOOTH ADVANTAGE
SHORTCOMINGS OF THE TECHNOLOGY.
COMPARISON WITH IR & WLAN.
MISNOMERS.
RESEARCHES ON THE TECHNOLOGY.
FUTURE ASPECTS.
33.
APPLICATIONS
WAP enabled smart phones.
Electronic trading via handheld devices.
Ad hoc Home/personal area network.
3G Telephony.
34.
BLUETOOTH ADVANTAGE
Increased mobility in office by connecting various peripherals with BT.
Voice and data transmission possible
721 kbps suffices most of the common uses.
Built in sufficient encryption and authentication.
Cheaper installation & maintenance.
35.
ERROR CORRECTION
1/3 rate FEC (Forward Error Correction)
2/3 rate FEC
ARQ unnumbered scheme (Automatic Repeat Request).
This reduces the available bandwidth.
36.
RADIATION THREATS
Penetration depth of RF is about 1.5 cm at 2450 MHz and about 2.5 cm at 900 MHz
It cannot generate enough heat to produce fire hazards.
Radiation not beamed but dispersed in all direction.
But in long run EM radiation can cause ill effects in some persons.
37.
LOOPHOLES IN SECURITY
Key initialization is not reliable.
Unit key can leak the information in traffic.
BT device address can be used to generate logs of transaction.
Battery draining denial of service scheme.
38.
BLUETOOTH v/s INFRARED
Range: BT 10 to 100 m; IrDA 20 cm to 2 m
Direction: BT omnidirectional comm.; IrDA bidirectional comm.
Peak data rate: BT 1 mbps; IrDA 16 mbps
Devices: BT can support 8 devices in piconet; IrDA 2 devices can interact at time
39.
BLUETOOTH vs WLAN
Vendors: WLAN Proxim, 3COM, Symbol, Cisco; BT most chip vendors
Speed: WLAN 11-54 Mbps; BT 1-2 Mbps
No. of access pts required: WLAN every 200 feet; BT every 30 feet
Distance coverage: WLAN up to 300 feet; BT up to 30 feet
Interference: WLAN 2.4 GHz band is significant here; BT polluted interference
Cost: WLAN expensive; BT cheaper (Rs1200-300)
40.
IrDa Response
Infra com launches RED BEAMER technology.
Indirect and diffused IR will increase mobility of IR devices.
Transmission at only 56kbps.
41.
BLUETOOTH FACTS
It's not WLAN. Data throughput is much less in BT.
BT can jam WLAN as both use 2.4 GHz RF.
Not designed to carry heavy traffic loads.
Not suitable in server-based applications.
42.
PIONEERS IN RESEARCH
IBM - Watch pad and cyber phones.
MS - Intelligent apps for Windows.
INTEL - wireless PC Cards, access points.
MOTOROLA & TOSHIBA - PC mobile interface via Bluetooth.
GENERAL MOTORS - Better communication in cars.
NEC - launched BT enabled notebook.
44.
BLUETOOTH FUTURE
100 million devices in use and around 2005 650 million devices will be deployed.
19% vehicles will be Bluetooth enabled by 2007.
45.
SOME PRODUCTS IN MARKET
Ericsson R520 Bluetooth/WAP/GPRS/Triband
Ericsson T36 Bluetooth/WAP/HSCSD/Triband
Alcatel OneTouch 700 GPRS, WAP, Bluetooth
TDK Bluetooth Product Range
Bluetooth-enabled Nokia 9110 linked to a FujiFilm digital camera
Ericsson Bluetooth GSM Headset
Ericsson Communicator