Mutt
Professional
- Messages
- 1,056
- Reaction score
- 644
- Points
- 113
I think a lot of people have ever thought about how cellular networks work. After all, we use mobile phones almost every day. The number of subscribers is increasing every day, as is the area of network coverage. Old standards are replaced by new ones, and the "appetites" of mobile Internet users are also growing. If you are interested in how it all works, welcome under the cut! Since the infrastructure of cellular networks is quite large, and its description can take a whole book, in this article we will focus on the Um-interface through which our phones interact with the operator's equipment, as well as with other subscribers.
Beware,angry dog a lot of pictures!
Foreword
Cellular communication has appeared quite a long time ago. Back in the 40s of the twentieth century, research began with the aim of creating a mobile network. In 1956, the Mobile System A (MTA) car telephone network was launched in several cities in Sweden. In 1957, our compatriot L.I. Kupriyanovich publicly demonstrates a mobile phone he developed and a base station for it. Then the development of the civilian cellular communication system "Altai" will begin in the USSR, which in a few years will cover more than 30 and then even 114 Soviet cities. By the way, in some cities of the post-Soviet space "Altai" works to this day, for example, in Novosibirsk (numbering +7 (383) 349-8XXX)! In the 80s, Motorola launches its famous DynaTAC 8000X worth $ 3995. And only in 1992, following the NMT-450, AMPS, ETACS, D-AMPS and NMT-900, a cellular communication based on the GSM standard was launched in Germany.
Today, more than twenty years later, we use new generation networks like 3G and 4G, but GSM networks have not disappeared anywhere - they are still used by ATMs, terminals, alarms and even modern phones to save energy and maintain backward compatibility. In addition, new items like UMTS (or W-CDMA) and LTE have a lot in common with GSM. Unlike TCP / IP, for example, cellular networks are less accessible to study and research. There are many reasons: ranging from rather high prices for equipment, to the prohibition of the laws of most countries on the use of GSM frequencies without a license. In my opinion, understanding the principles of cellular networks is very important for specialists in the field of information security, and not only. That is why I decided to write this publication.
Content:
1. Introduction to cellular networks
1.1 Cellular service providers
By analogy with Internet providers, cellular services are provided by certain companies, most often referred to as “operators”. Each of them offers its own range of services, and also sets its own tariff plans. Most often, operators use their own equipment to build the main network infrastructure; some use the already existing one, for example, the operator Yota works on the basis of the equipment of the operator Megafon.
From the point of view of an ordinary subscriber of mobile networks, the operator's individuality lies in the quality of the communication services provided, a certain range of numbers, its own branded SIM-cards, as well as tariff plans. On the part of the operators themselves, as well as other telecommunications areas, the identification of each of them is carried out by the country code (MCC - Mobile Country Code) and a unique network code within the country (MNC - Mobile Network Code). In addition, subscribers are identified not by our usual phone number, but by the international subscriber identifier - IMSI (International Mobile Subscriber Identity), which is recorded in the subscriber's SIM card, as well as in the operator's database. Telephone numbers are simply "tied" to a specific IMSI, so that the subscriber can change the operator.
1.2 Principles for Providing Network Coverage
Coverage of a certain area with cellular communication is ensured by distributing transceiver devices over its area. I'm sure many have seen them on billboards, various buildings, and even on individual masts. Most often, they are several directional white antennas, as well as a small building where the wires stretch. So, in GSM terminology, such complexes are called base stations (BTS) and can consist of several transceiver devices - transceivers (TRX - Transmitter / Receiver).
A key feature of cellular communication is that the total coverage area is divided into cells (cells), which are determined by the coverage areas of individual base stations (BS). By the way, this is where the name "cellular communication" originated. Each base station covers one or more sectors and also has one or more transceivers in each sector, each of which emits a signal at a different frequency. Simply put, a cell is one of the coverage cells that has its own unique identifier called CI (Cell ID). Cells can be classified by the scale of the area covered: macro cell (up to 35 km, sometimes up to 70 km), ordinary cell (up to 5 km), micro cell (up to 1 km), pico cell (up to 300 meters) and femto cell (more often found indoors, cover tens of meters).
The base stations located nearby operate in different frequency bands, so that the cells of different operators can overlap partially or almost completely. The collection of base stations working together is called the LAC (Location Area Code). All base stations must broadcast their identification data, such as MCC, MNC, Cell ID, and LAC, due to which mobile phones are connected only to the BTS of their operator. In addition, mobile phones notify the network about their current location at a certain interval, i.e. LAC. This procedure is called Location Update, but more on that later.
1.3 Infrastructure of cellular networks
Base stations cannot exist on their own, therefore, being in a certain LAC, they connect to the base station controller - BSC (Base Station Controller). The controllers, in turn, perform load balancing, and also actively participate in the process of exchanging traffic between the network and their "slaves". The interaction between the BTS and the BSC is carried out via the A-bis interface . Within the network, most operators, most often, have several base station controllers, which via the A-interface and Gb-interface to the switching nodes of the network (MSC - Mobile Switching Center, SGSN - Serving GPRS Support Node).
MSC forms the core of the network infrastructure (Core Network), which includes the following main elements:
In addition, there is a billing system within the network infrastructure, where our "balance" is stored, charges for using services are debited, and various payment transactions are processed. The operator can attach other subsystems to the network core at his discretion.
1.4 Inter-operator communication
The networks of different operators interact with each other, so that, for example, Alice, being a subscriber of operator A, can call Bob, who is a subscriber of operator B. This network is called SS-7 or SS7, it works either on the basis of special wired / wireless communication networks, or over the internet (yes, yes, web over web). SS7 provides a set of protocols for communication between different operators. Roaming also works thanks to this network.
2. Um-interface (GSM Air Interface)
2.1 Frequency bands
Any equipment in cellular networks interacts through specific interfaces. As already mentioned, the exchange of data between the base station and the subscriber is carried out through the Um-interface, which is primarily a radio interface, therefore, data exchange occurs in the process of receiving / transmitting radio waves. Radio waves are electromagnetic radiation just like heat or light. Ultraviolet, X-ray and ionizing radiation are also types of electromagnetic radiation with specific frequency ranges and specific wavelengths. Remember this picture?
So, the radio wave range is also divided into subsidiary frequency ranges, for example, the LF (30-300 kHz), MF (300-3000 kHz) and HF (3-30 MHz) ranges are most often used for radio communication and broadcasting; TV broadcasting is conducted in the VHF (30-300 MHz), UHF (300-3000 MHz) and SHF (3-30 GHz) bands; wireless networks such as WiFi, as well as satellite TV work in the same SHF. Most of all we are interested in the UHF band in which the GSM networks operate. According to the 3GPP TS 45.005 standard, as many as 14 subsidiary bands for UHF are allocated to them on the air, and different bands are used in different countries. Let's consider the most common ones:
P-GSM-900, E-GSM-900 and DCS-1800 are used primarily in Europe and Asia. The GSM-850 and PCS-1900 bands are used in the USA, Canada, selected countries of Latin America and Africa.
Any band allocated for a cellular network is divided into many segments (usually 200 KHz), some of which are called Downlink - here only base stations (BTS) transmit data on the air, part - Uplink, where only telephones (MS) broadcast. Pairs of such segments, where one belongs to Downlink and the other to Uplink, form radio frequency channels called ARFCN (Absolute radio-frequency channel number). In other words, the phone cannot receive and transmit data on the same frequency; instead, when transmitting, it switches to Uplink frequencies, and when receiving to Downlink, and the switching process occurs very quickly.
2.2 Physical channels, multiple access separation
With the ranges sorted out. Now imagine a small closed room with a lot of people. If at a certain point in time everyone starts talking, it will be difficult for the interlocutors to understand each other. Some will speak louder, which will only make things worse for others. So, in physics this phenomenon is called interference. In other words, interference can be called superposition of waves. For GSM cellular networks, this is a parasitic phenomenon, so multiple access separation technologies come to the rescue.
The need for sharing multiple access has arisen for a long time and is used in both wired communications (I2C, USB, Ethernet) and wireless. FDMA (Frequency Division Multiple Access) technologies are most often used in cellular networks, TDMA (Time Division Multiple Access) and CDMA (Code Division Multiple Access). The first two are used together in second generation networks - GSM. CDMA is the backbone of modern cellular networks that outperform GSM in both security and maximum data rates. What kind of magic is this?
There are two main resources for radio systems - frequency and time. Frequency division multiple access, where each receiver and transmitter is assigned a specific frequency, is called FDMA. Time division, when all or most of the spectrum is allocated to each receiver-transmitter pair for a given period of time, is called TDMA. In CDMA, there are no restrictions on frequency and time. Instead, each transmitter modulates the signal using a different numerical code currently assigned to each user, and the receiver calculates the desired portion of the signal using a similar code. In addition, there are several more technologies: PAMA (Pulse-Address Multiple Access), PDMA (Polarization Division Multiple Access), SDMA (Space Division Multiple Access) however, their description is beyond the scope of this article.
FDMA
The principle of this method is that the available frequency spectrum is divided between receivers and transmitters into equal or unequal frequency bands, part of which is allocated for Downlink (traffic from BTS to MS), part for Uplink (traffic from MS to BTS). We have already spoken about this.
TDMA
Together with frequency division (FDMA), GSM uses the time division method - TDMA. According to TDMA, the entire data stream is divided into frames, and the frames, in turn, are divided into several timeslots, which are distributed between the transceiver devices. Consequently, the phone can exchange information with the network only at certain intervals allotted to it.
Frames are combined into multiframes, which are of two types:
Control Multiframe (contains 51 frames)
Traffic Multiframe (contains 26 frames)
Multiframes form superframes, and already superframes form hyperframes. You can learn more about the structure of frames and their organization here (source of images) and here .
As a result, the physical channel between the receiver and the transmitter is determined by the frequency, allocated frames and the numbers of timeslots in them. Typically, base stations use one or more ARFCN channels, one of which is used to identify the presence of the BTS on the air. The first timeslot (index 0) of the frames of this channel is used as the base control channel (base-control channel or beacon-channel). The rest of the ARFCN is allocated by the operator for CCH and TCH channels at its discretion.
2.3 Logical channels
Logical channels are formed on the basis of physical channels. Um-interface implies the exchange of both user information and service information. According to the GSM specification, each type of information corresponds to a special type of logical channels implemented by means of physical:
Traffic channels are divided into two main types: TCH / F - Full rate channel with maximum speed up to 22.8 Kbps and TCH / H - Half rate channel with maximum speed up to 11.4 Kbps. These types of channels can be used for voice transmission (TCH / FS, TCH / HS) and user data (TCH / F9.6, TCH / F4.8, TCH / H4.8, TCH / F2.4, TCH / H2. 4), for example, SMS.
Service information channels are divided into:
2.4 What is burst?
On-air data is transmitted in the form of sequences of bits, most often called "burst", within timeslots. The term "burst", the most suitable analogue of which is the word "burst", should be familiar to many radio amateurs, and most likely appeared in the compilation of graphical models for the analysis of radio broadcast, where any activity is like waterfalls and splashes of water. You can read more about them in this great article (source of images), we will focus on the most important thing. A schematic representation of a burst might look like this:
Guard Period
In order to avoid interference (ie overlapping of two busrts), burst duration is always shorter than the timeslot duration by a certain value (0.577 - 0.546 = 0.031 ms), called "Guard Period". This period is a kind of margin of time to compensate for possible time delays in signal transmission.
Tail Bits
These markers define the start and end of the burst.
Info
Burst payload, such as subscriber data or service traffic. Consists of two parts.
Stealing Flags
These two bits are set when both pieces of TCH burst data are transmitted on the FACCH. One transmitted bit instead of two means that only one part of the burst is transmitted on the FACCH.
Training Sequence
This part of the burst is used by the receiver to determine the physical characteristics of the channel between the phone and the base station.
2.5 Types of burst
Each logical channel corresponds to certain types of burst:
Normal Burst
This type of sequence implements traffic channels (TCH) between the network and subscribers, as well as all kinds of control channels (CCH): CCCH, BCCH and DCCH.
Frequency Correction Burst
The name speaks for itself. Implements a one-way downlink FCCH, allowing mobile phones to more accurately tune to the BTS frequency.
Synchronization Burst
Burst of this type, like Frequency Correction Burst, implements a downlink channel, only SCH, which is designed to identify the presence of base stations on the air. Similar to beacon packets in WiFi networks, each burst is transmitted at full power, and also contains information about the BTS necessary to synchronize with it: frame rate, identification data (BSIC), and others.
Dummy Burst
A dummy burst sent by the base station to fill unused timeslots. The fact is that if there is no activity on the channel, the signal strength of the current ARFCN will be significantly less. In this case, the mobile phone may feel that it is far from the base station. To avoid this, BTS floods unused timeslots with meaningless traffic.
Access Burst
When establishing a connection with the BTS, the mobile phone sends a dedicated SDCCH request on the RACH. The base station, having received such a burst, assigns the subscriber its FDMA system timings and responds on the AGCH channel, after which the mobile phone can receive and send Normal Bursts. It is worth noting the increased duration of Guard time, since initially neither the phone nor the base station knew information about time delays. If the RACH request does not hit the timeslot, the mobile phone sends it again after a pseudo-random time interval.
2.6 Frequency Hopping
Frequency Hopping (FHSS) is one of the spread spectrum techniques. In addition to GSM networks, a variation of this method is used in Bluetooth. What for?
2.7 Basic principles of interaction between MS and BTS
Let's start with what happens when you turn on your mobile phone. Most often, even if the phone is turned off with the battery inserted, it continues to work. At this time, a small program called a "bootloader" is running. The bootloader waits for the power key to be pressed, starts the charging process when the charger is connected, and sometimes an alarm. It all depends on the specific phone model. As soon as the power key is pressed, the process of loading the operating system begins, which first checks for the presence of a SIM card, and then starts scanning the air in search of the operator's network. Even if there is no SIM card, the phone still connects to the nearest base station, providing an emergency call option. If the SIM card is in place, a Location Update request is made, notifying the network about the current LAC of the subscriber. Then, the base station requests the IMEI of the phone and the IMSI of the SIM card to identify the subscriber (Identity Request). If the provided IMEI differs from the one with which the subscriber connected before, the operator can send the Internet settings. By the way, you can even find a stolen phone this way.
Then authorization is performed, after which the phone can be in one of two states:
Now let's take a closer look at the process of connecting to the network. Each base station necessarily has a CCCH broadcast channel, which is located on the zero timeslot of a specific ARFCN. In the process of scanning the air, the phone sequentially switches the tuner frequency, measuring the strength of the received signal. As soon as the BTS with the strongest signal is found, the phone switches to its sync channel (SCH). Then, upon receiving the first Synchronization Burst, the phone determines the time slot order as well as the BSIC identification, which consists of NCC (Network Color Code) and BCC (Base station Color Code). The list of allowed and prohibited identifiers for connection is stored on the SIM card.
As soon as the phone finds an allowed BCCH, a RACH request is sent, the base station allocates a specific physical channel, authenticates the subscriber, and also registers its arrival in the VLR and HLR. The phone is then in IDLE mode. When there is an incoming call or SMS message, all base stations of the current LAC start sending Paging Requests to notify the subscriber about any event. If the phone "heard" it, it answers, the network sends an Immediate Assignment packet describing the resources allocated to the subscriber (frequency, timeslot number, etc.). Much like Ping on the Internet. From this moment the phone is in DEDICATED mode until the connection is terminated.
If the subscriber himself acts as the initiator of the connection, he must first send a CM Service Request, and then wait for the Immediate Assignment from the network.
2.8 Handover
Handover (American version - handoff) - in cellular communications, the process of transferring a subscriber from one base station to another during a telephone conversation or data transfer session. This process occurs when a subscriber leaves the coverage area of one base station and enters the coverage area of another. Also, handover can be performed if the current base station is overloaded, or its physical channels are too noisy.
Handover is of two types:
2.9 Speech coding
As already mentioned, the speech of subscribers is transmitted on the TCH channel, which is of two types: Full Rate (FR) and Half Rate (HR). The following standards are used to encode the audio stream in GSM mobile networks (and not only):
3. Security and privacy
It's time to consider the basic algorithms for ensuring the privacy and security of subscriber data. Against the background of high-profile scandals and disclosures in the field of information security, this topic is quite relevant. GSM, like any other complex system, has its own protection mechanisms, as well as vulnerabilities, which we will consider in this chapter. I will not go into the jungle describing low-level bit conversion processes for encryption, etc., otherwise the article will turn into a huge pot-bellied book. Who cares, you can read these materials:
A bunch of presentations and articles on this topic in my GitHub repository
3.1 Basic attack vectors
Since the Um interface is a radio interface, all of its traffic is "visible" to anyone within range of the BTS. Moreover, you can analyze the data transmitted over the air without even leaving your home, using special equipment (for example, an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle) and thedirect hands of the most ordinary computer.
There are two types of attacks: passive and active. In the first case, the attacker does not interact with the network or the attacked subscriber in any way - only receiving and processing information. It is not difficult to guess that it is almost impossible to detect such an attack, but it does not have as many prospects as an active one. An active attack involves the interaction of the attacker with the attacked subscriber and / or the cellular network.
The most dangerous types of attacks to which subscribers of cellular networks are exposed can be identified:
3.2 Subscriber identification
As mentioned at the beginning of the article, subscribers are identified using IMSI, which is recorded in the subscriber's SIM card and the operator's HLR. Mobile phones are identified by their serial number - IMEI. However, after authentication, neither IMSI nor IMEI openly fly over the air. After the Location Update procedure, the subscriber is assigned a temporary identifier - TMSI (Temporary Mobile Subscriber Identity), and further interaction is carried out with its help.
Attack Methods
Ideally, the subscriber's TMSI is known only to the mobile phone and cellular network. However, there are ways to bypass this protection. If you cyclically call a subscriber or send SMS messages (or better Silent SMS), watching the PCH channel and performing correlation, you can select the TMSI of the attacked subscriber with a certain accuracy.
In addition, having access to the SS7 inter-operator communication network, you can find out the IMSI and LAC of its owner by the phone number. The problem is that in the SS7 network, all operators "trust" each other, thereby reducing the level of confidentiality of their subscribers' data.
3.3 Authentication
To protect against spoofing, the network authenticates the subscriber before starting to serve it. Besides the IMSI, the SIM card stores a randomly generated sequence called Ki, which it only returns in a hashed form. Ki is also stored in the operator's HLR and is never transmitted in cleartext. In general, the authentication process is based on the four-way handshake principle:
Attack Methods
Busting Ki with RAND and SRAND values can take quite a long time. In addition, operators can use their own hashing algorithms. There is quite a bit of information on the net about brute force attempts. However, not all SIM cards are perfectly protected. Some researchers have been able to directly access the file system of the SIM card and then extract the Ki.
3.4 Traffic encryption
According to the specification, there are three algorithms for encrypting user traffic:
Methods of Attack
As already mentioned, having sniffing equipment and a computer with 2 TB of memory and the Kraken program, you can find A5 / 1 session encryption keys rather quickly (a few seconds), and then decrypt anyone's traffic. German cryptologist Karsten Nohl demonstrated in 2009 how to hack A5 / 1. A few years later, Karsten and Sylvian Muno demonstrated the interception and decryption of a telephone conversation using several old Motorola phones (OsmocomBB project).
Conclusion
My long story has come to an end. In more detail and from a practical point of view, it will be possible to get acquainted with the principles of cellular networks in the series of articles Acquaintance with OsmocomBB, as soon as I add the remaining parts. I hope I managed to tell you something new and interesting. I look forward to your feedback and comments!
List of used literature
habrastorage.org
Beware,
Foreword
Cellular communication has appeared quite a long time ago. Back in the 40s of the twentieth century, research began with the aim of creating a mobile network. In 1956, the Mobile System A (MTA) car telephone network was launched in several cities in Sweden. In 1957, our compatriot L.I. Kupriyanovich publicly demonstrates a mobile phone he developed and a base station for it. Then the development of the civilian cellular communication system "Altai" will begin in the USSR, which in a few years will cover more than 30 and then even 114 Soviet cities. By the way, in some cities of the post-Soviet space "Altai" works to this day, for example, in Novosibirsk (numbering +7 (383) 349-8XXX)! In the 80s, Motorola launches its famous DynaTAC 8000X worth $ 3995. And only in 1992, following the NMT-450, AMPS, ETACS, D-AMPS and NMT-900, a cellular communication based on the GSM standard was launched in Germany.
Today, more than twenty years later, we use new generation networks like 3G and 4G, but GSM networks have not disappeared anywhere - they are still used by ATMs, terminals, alarms and even modern phones to save energy and maintain backward compatibility. In addition, new items like UMTS (or W-CDMA) and LTE have a lot in common with GSM. Unlike TCP / IP, for example, cellular networks are less accessible to study and research. There are many reasons: ranging from rather high prices for equipment, to the prohibition of the laws of most countries on the use of GSM frequencies without a license. In my opinion, understanding the principles of cellular networks is very important for specialists in the field of information security, and not only. That is why I decided to write this publication.
Content:
- Introduction to Cellular Networks
1.1 Cellular Service Providers
1.2 Network Coverage Principles
1.3 Cellular Network Infrastructure
1.4 Interoperability - Um-interface (GSM Air Interface)
2.1 Frequency bands
2.2 Physical channels, multiple access separation
2.3 Logical channels
2.4 What is burst?
2.5 Types of burst
2.6 Frequency Hopping
2.7 Basic principles of interaction between MS and BTS
2.8 Handover
2.9 Speech coding - Security and confidentiality
3.1 Main attack vectors
3.2 Subscriber identification
3.3 Authentication
3.4 Traffic encryption
1. Introduction to cellular networks
1.1 Cellular service providers
By analogy with Internet providers, cellular services are provided by certain companies, most often referred to as “operators”. Each of them offers its own range of services, and also sets its own tariff plans. Most often, operators use their own equipment to build the main network infrastructure; some use the already existing one, for example, the operator Yota works on the basis of the equipment of the operator Megafon.
From the point of view of an ordinary subscriber of mobile networks, the operator's individuality lies in the quality of the communication services provided, a certain range of numbers, its own branded SIM-cards, as well as tariff plans. On the part of the operators themselves, as well as other telecommunications areas, the identification of each of them is carried out by the country code (MCC - Mobile Country Code) and a unique network code within the country (MNC - Mobile Network Code). In addition, subscribers are identified not by our usual phone number, but by the international subscriber identifier - IMSI (International Mobile Subscriber Identity), which is recorded in the subscriber's SIM card, as well as in the operator's database. Telephone numbers are simply "tied" to a specific IMSI, so that the subscriber can change the operator.
1.2 Principles for Providing Network Coverage
Coverage of a certain area with cellular communication is ensured by distributing transceiver devices over its area. I'm sure many have seen them on billboards, various buildings, and even on individual masts. Most often, they are several directional white antennas, as well as a small building where the wires stretch. So, in GSM terminology, such complexes are called base stations (BTS) and can consist of several transceiver devices - transceivers (TRX - Transmitter / Receiver).
A key feature of cellular communication is that the total coverage area is divided into cells (cells), which are determined by the coverage areas of individual base stations (BS). By the way, this is where the name "cellular communication" originated. Each base station covers one or more sectors and also has one or more transceivers in each sector, each of which emits a signal at a different frequency. Simply put, a cell is one of the coverage cells that has its own unique identifier called CI (Cell ID). Cells can be classified by the scale of the area covered: macro cell (up to 35 km, sometimes up to 70 km), ordinary cell (up to 5 km), micro cell (up to 1 km), pico cell (up to 300 meters) and femto cell (more often found indoors, cover tens of meters).
The base stations located nearby operate in different frequency bands, so that the cells of different operators can overlap partially or almost completely. The collection of base stations working together is called the LAC (Location Area Code). All base stations must broadcast their identification data, such as MCC, MNC, Cell ID, and LAC, due to which mobile phones are connected only to the BTS of their operator. In addition, mobile phones notify the network about their current location at a certain interval, i.e. LAC. This procedure is called Location Update, but more on that later.
1.3 Infrastructure of cellular networks
Base stations cannot exist on their own, therefore, being in a certain LAC, they connect to the base station controller - BSC (Base Station Controller). The controllers, in turn, perform load balancing, and also actively participate in the process of exchanging traffic between the network and their "slaves". The interaction between the BTS and the BSC is carried out via the A-bis interface . Within the network, most operators, most often, have several base station controllers, which via the A-interface and Gb-interface to the switching nodes of the network (MSC - Mobile Switching Center, SGSN - Serving GPRS Support Node).
MSC forms the core of the network infrastructure (Core Network), which includes the following main elements:
- HLR (Home Location Register) is a database containing personal data of each subscriber, including phone number, tariff plan, list of connected services, as well as information about the SIM card used by the subscriber.
- VLR (Visitor Location Register) is a temporary database of subscribers who are in the coverage area of a certain mobile switching center. Each base station in the network is assigned to a specific VLR, so a subscriber cannot be present in several VLRs at the same time.
- AuC (Authentication Center) is a subscriber authentication center that authenticates each SIM card that connects to the network.
- SMSC (SMS Center) is a short text messaging center for storing and routing short text messages.
- GMSC (Gateway MSC) is a gateway that provides access to wired landline telephone networks. It is thanks to this element that calls are possible between subscribers of cellular and city telephone networks.
- SGSN (Serving GPRS Support Node) is a GPRS subscriber service node that acts as a connection point between the base station system (BSS) and the core network (Core Network). The SGSN can be called an analogue of the MSC switch of the GSM network. SGSN performs control of delivery of data packets, monitoring of online users, conversion of GSM frames into formats used by TCP / IP protocols of the global computer network Internet, registration or "attachment" of subscribers who have "reappeared" in the network coverage area, encryption data processing, processing of incoming billing information, and also provides interaction with the register of own subscribers of the HLR network. Unlike the above elements, the SGSN connects directly to the BSC.
In addition, there is a billing system within the network infrastructure, where our "balance" is stored, charges for using services are debited, and various payment transactions are processed. The operator can attach other subsystems to the network core at his discretion.
1.4 Inter-operator communication
The networks of different operators interact with each other, so that, for example, Alice, being a subscriber of operator A, can call Bob, who is a subscriber of operator B. This network is called SS-7 or SS7, it works either on the basis of special wired / wireless communication networks, or over the internet (yes, yes, web over web). SS7 provides a set of protocols for communication between different operators. Roaming also works thanks to this network.
2. Um-interface (GSM Air Interface)
2.1 Frequency bands
Any equipment in cellular networks interacts through specific interfaces. As already mentioned, the exchange of data between the base station and the subscriber is carried out through the Um-interface, which is primarily a radio interface, therefore, data exchange occurs in the process of receiving / transmitting radio waves. Radio waves are electromagnetic radiation just like heat or light. Ultraviolet, X-ray and ionizing radiation are also types of electromagnetic radiation with specific frequency ranges and specific wavelengths. Remember this picture?
So, the radio wave range is also divided into subsidiary frequency ranges, for example, the LF (30-300 kHz), MF (300-3000 kHz) and HF (3-30 MHz) ranges are most often used for radio communication and broadcasting; TV broadcasting is conducted in the VHF (30-300 MHz), UHF (300-3000 MHz) and SHF (3-30 GHz) bands; wireless networks such as WiFi, as well as satellite TV work in the same SHF. Most of all we are interested in the UHF band in which the GSM networks operate. According to the 3GPP TS 45.005 standard, as many as 14 subsidiary bands for UHF are allocated to them on the air, and different bands are used in different countries. Let's consider the most common ones:
| Characteristics | GSM-850 | P-GSM-900 | E-GSM-900 | DCS-1800 | PCS-1900 |
|---|---|---|---|---|---|
| Uplink, MHz | 824.2 - 849.2 | 890.0 - 915.0 | 880.0 - 915.0 | 1710.2 - 1784.8 | 1850.2 - 1909.8 |
| Downlink, MHz | 869.2 - 893.8 | 935.0 - 960.0 | 925.0 - 960.0 | 1805.2 - 1879.8 | 1930.2 - 1989.8 |
| ARFCN | 128 - 251 | 1 - 124 | 975 - 1023, 0 - 124 | 512 - 885 | 512 - 810 |
Any band allocated for a cellular network is divided into many segments (usually 200 KHz), some of which are called Downlink - here only base stations (BTS) transmit data on the air, part - Uplink, where only telephones (MS) broadcast. Pairs of such segments, where one belongs to Downlink and the other to Uplink, form radio frequency channels called ARFCN (Absolute radio-frequency channel number). In other words, the phone cannot receive and transmit data on the same frequency; instead, when transmitting, it switches to Uplink frequencies, and when receiving to Downlink, and the switching process occurs very quickly.
2.2 Physical channels, multiple access separation
With the ranges sorted out. Now imagine a small closed room with a lot of people. If at a certain point in time everyone starts talking, it will be difficult for the interlocutors to understand each other. Some will speak louder, which will only make things worse for others. So, in physics this phenomenon is called interference. In other words, interference can be called superposition of waves. For GSM cellular networks, this is a parasitic phenomenon, so multiple access separation technologies come to the rescue.
The need for sharing multiple access has arisen for a long time and is used in both wired communications (I2C, USB, Ethernet) and wireless. FDMA (Frequency Division Multiple Access) technologies are most often used in cellular networks, TDMA (Time Division Multiple Access) and CDMA (Code Division Multiple Access). The first two are used together in second generation networks - GSM. CDMA is the backbone of modern cellular networks that outperform GSM in both security and maximum data rates. What kind of magic is this?
There are two main resources for radio systems - frequency and time. Frequency division multiple access, where each receiver and transmitter is assigned a specific frequency, is called FDMA. Time division, when all or most of the spectrum is allocated to each receiver-transmitter pair for a given period of time, is called TDMA. In CDMA, there are no restrictions on frequency and time. Instead, each transmitter modulates the signal using a different numerical code currently assigned to each user, and the receiver calculates the desired portion of the signal using a similar code. In addition, there are several more technologies: PAMA (Pulse-Address Multiple Access), PDMA (Polarization Division Multiple Access), SDMA (Space Division Multiple Access) however, their description is beyond the scope of this article.
FDMA
The principle of this method is that the available frequency spectrum is divided between receivers and transmitters into equal or unequal frequency bands, part of which is allocated for Downlink (traffic from BTS to MS), part for Uplink (traffic from MS to BTS). We have already spoken about this.
TDMA
Together with frequency division (FDMA), GSM uses the time division method - TDMA. According to TDMA, the entire data stream is divided into frames, and the frames, in turn, are divided into several timeslots, which are distributed between the transceiver devices. Consequently, the phone can exchange information with the network only at certain intervals allotted to it.
Frames are combined into multiframes, which are of two types:
Control Multiframe (contains 51 frames)
Traffic Multiframe (contains 26 frames)
Multiframes form superframes, and already superframes form hyperframes. You can learn more about the structure of frames and their organization here (source of images) and here .
As a result, the physical channel between the receiver and the transmitter is determined by the frequency, allocated frames and the numbers of timeslots in them. Typically, base stations use one or more ARFCN channels, one of which is used to identify the presence of the BTS on the air. The first timeslot (index 0) of the frames of this channel is used as the base control channel (base-control channel or beacon-channel). The rest of the ARFCN is allocated by the operator for CCH and TCH channels at its discretion.
2.3 Logical channels
Logical channels are formed on the basis of physical channels. Um-interface implies the exchange of both user information and service information. According to the GSM specification, each type of information corresponds to a special type of logical channels implemented by means of physical:
- traffic channels (TCH - Traffic Channel),
- service information channels (CCH - Control Channel).
Traffic channels are divided into two main types: TCH / F - Full rate channel with maximum speed up to 22.8 Kbps and TCH / H - Half rate channel with maximum speed up to 11.4 Kbps. These types of channels can be used for voice transmission (TCH / FS, TCH / HS) and user data (TCH / F9.6, TCH / F4.8, TCH / H4.8, TCH / F2.4, TCH / H2. 4), for example, SMS.
Service information channels are divided into:
- Broadcast (BCH - Broadcast Channels).
- FCCH - Frequency Correction Channel. Provides information required by the mobile phone for frequency correction.
- SCH - Synchronization Channel. Provides the mobile phone with the information needed for TDMA synchronization with a base station (BTS) as well as its BSIC identity.
- BCCH - Broadcast Control Channel. Transmits basic information about the base station, such as the way of organizing the service channels, the number of blocks reserved for the granting messages, and the number of multiframes (51 TDMA frames each) between Paging requests.
- Common Control Channels (CCCH)
- PCH - Paging Channel. Looking ahead, I will tell you that Paging is a kind of ping of a mobile phone, which allows you to determine its availability in a certain coverage area. This channel is designed to do just that.
- RACH - Random Access Channel. Used by mobile phones to request their own SDCCH overhead. Exclusively Uplink channel.
- AGCH - Access Grant Channel. On this channel, base stations respond to RACH requests of mobile phones, allocating SDCCH, or immediately TCH.
- Dedicated Control Channels (DCCH) Dedicated
channels, like TCH, are allocated to specific mobile phones. There are several subspecies:- SDCCH - Stand-alone Dedicated Control Channel. This channel is used for mobile phone authentication, encryption key exchange, location update procedure, as well as for making voice calls and exchanging SMS messages.
- SACCH - Slow Associated Control Channel. Used during a conversation, or when the SDCCH channel is already in use. With its help, the BTS sends periodic instructions to the phone to change the timings and signal strength. In the opposite direction, there are data on the received signal strength (RSSI), TCH quality, as well as the signal strength of the nearest base stations (BTS Measurements).
- FACCH - Fast Associated Control Channel. This channel is provided together with the TCH and allows the transmission of urgent messages, for example, during the transition from one base station to another (Handover).
2.4 What is burst?
On-air data is transmitted in the form of sequences of bits, most often called "burst", within timeslots. The term "burst", the most suitable analogue of which is the word "burst", should be familiar to many radio amateurs, and most likely appeared in the compilation of graphical models for the analysis of radio broadcast, where any activity is like waterfalls and splashes of water. You can read more about them in this great article (source of images), we will focus on the most important thing. A schematic representation of a burst might look like this:
Guard Period
In order to avoid interference (ie overlapping of two busrts), burst duration is always shorter than the timeslot duration by a certain value (0.577 - 0.546 = 0.031 ms), called "Guard Period". This period is a kind of margin of time to compensate for possible time delays in signal transmission.
Tail Bits
These markers define the start and end of the burst.
Info
Burst payload, such as subscriber data or service traffic. Consists of two parts.
Stealing Flags
These two bits are set when both pieces of TCH burst data are transmitted on the FACCH. One transmitted bit instead of two means that only one part of the burst is transmitted on the FACCH.
Training Sequence
This part of the burst is used by the receiver to determine the physical characteristics of the channel between the phone and the base station.
2.5 Types of burst
Each logical channel corresponds to certain types of burst:
Normal Burst
This type of sequence implements traffic channels (TCH) between the network and subscribers, as well as all kinds of control channels (CCH): CCCH, BCCH and DCCH.
Frequency Correction Burst
The name speaks for itself. Implements a one-way downlink FCCH, allowing mobile phones to more accurately tune to the BTS frequency.
Synchronization Burst
Burst of this type, like Frequency Correction Burst, implements a downlink channel, only SCH, which is designed to identify the presence of base stations on the air. Similar to beacon packets in WiFi networks, each burst is transmitted at full power, and also contains information about the BTS necessary to synchronize with it: frame rate, identification data (BSIC), and others.
Dummy Burst
A dummy burst sent by the base station to fill unused timeslots. The fact is that if there is no activity on the channel, the signal strength of the current ARFCN will be significantly less. In this case, the mobile phone may feel that it is far from the base station. To avoid this, BTS floods unused timeslots with meaningless traffic.
Access Burst
When establishing a connection with the BTS, the mobile phone sends a dedicated SDCCH request on the RACH. The base station, having received such a burst, assigns the subscriber its FDMA system timings and responds on the AGCH channel, after which the mobile phone can receive and send Normal Bursts. It is worth noting the increased duration of Guard time, since initially neither the phone nor the base station knew information about time delays. If the RACH request does not hit the timeslot, the mobile phone sends it again after a pseudo-random time interval.
2.6 Frequency Hopping
Frequency Hopping (FHSS) is one of the spread spectrum techniques. In addition to GSM networks, a variation of this method is used in Bluetooth. What for?
- Reducing the influence of interference. Due to frequent frequency changes, interference can only affect the signal for a short period of time.
- Data protection from unauthorized access. Without knowing the algorithm by which the signal frequency changes, it is impossible to extract the required data from the noise-like stream.
- Complicating signal jamming. Frequency Hopping makes it difficult to “target” (ie, jamming a specific device, or a set of devices) jamming a signal. In this case, it is necessary to jam the entire occupied frequency range, which requires the use of more expensive and powerful equipment.
2.7 Basic principles of interaction between MS and BTS
Let's start with what happens when you turn on your mobile phone. Most often, even if the phone is turned off with the battery inserted, it continues to work. At this time, a small program called a "bootloader" is running. The bootloader waits for the power key to be pressed, starts the charging process when the charger is connected, and sometimes an alarm. It all depends on the specific phone model. As soon as the power key is pressed, the process of loading the operating system begins, which first checks for the presence of a SIM card, and then starts scanning the air in search of the operator's network. Even if there is no SIM card, the phone still connects to the nearest base station, providing an emergency call option. If the SIM card is in place, a Location Update request is made, notifying the network about the current LAC of the subscriber. Then, the base station requests the IMEI of the phone and the IMSI of the SIM card to identify the subscriber (Identity Request). If the provided IMEI differs from the one with which the subscriber connected before, the operator can send the Internet settings. By the way, you can even find a stolen phone this way.
Then authorization is performed, after which the phone can be in one of two states:
- IDLE - "idle mode". The phone is not transmitting any network data while listening to the CCCH.
- DEDICATED - an active connection is established between the network and the phone, during which the phone periodically transmits information about the signal quality to the network, as well as exchanges user data.
Now let's take a closer look at the process of connecting to the network. Each base station necessarily has a CCCH broadcast channel, which is located on the zero timeslot of a specific ARFCN. In the process of scanning the air, the phone sequentially switches the tuner frequency, measuring the strength of the received signal. As soon as the BTS with the strongest signal is found, the phone switches to its sync channel (SCH). Then, upon receiving the first Synchronization Burst, the phone determines the time slot order as well as the BSIC identification, which consists of NCC (Network Color Code) and BCC (Base station Color Code). The list of allowed and prohibited identifiers for connection is stored on the SIM card.
As soon as the phone finds an allowed BCCH, a RACH request is sent, the base station allocates a specific physical channel, authenticates the subscriber, and also registers its arrival in the VLR and HLR. The phone is then in IDLE mode. When there is an incoming call or SMS message, all base stations of the current LAC start sending Paging Requests to notify the subscriber about any event. If the phone "heard" it, it answers, the network sends an Immediate Assignment packet describing the resources allocated to the subscriber (frequency, timeslot number, etc.). Much like Ping on the Internet. From this moment the phone is in DEDICATED mode until the connection is terminated.
If the subscriber himself acts as the initiator of the connection, he must first send a CM Service Request, and then wait for the Immediate Assignment from the network.
2.8 Handover
Handover (American version - handoff) - in cellular communications, the process of transferring a subscriber from one base station to another during a telephone conversation or data transfer session. This process occurs when a subscriber leaves the coverage area of one base station and enters the coverage area of another. Also, handover can be performed if the current base station is overloaded, or its physical channels are too noisy.
Handover is of two types:
- Hard handover ("break-before-make"). In this case, the connection with the current BTS is interrupted, after which a connection with the new one is created. Among the shortcomings, one can single out the likelihood of a short-term break in the data session, or an unexpected termination of the call. In today's outdated analog communication systems, with a hard handover, a short click or beep could be heard.
- Soft handover ("make-before-break"). In this case, the phone, without breaking the connection with the current BTS, establishes a connection with one or more others, after which it transmits the session to the new BTS and disconnects from the previous one. The disadvantage of this method is the higher price of the phone components, which make it possible to maintain a connection with several base stations at once.
2.9 Speech coding
As already mentioned, the speech of subscribers is transmitted on the TCH channel, which is of two types: Full Rate (FR) and Half Rate (HR). The following standards are used to encode the audio stream in GSM mobile networks (and not only):
- GSM-FR (Full Rate, 13 Kbps) is the first digital speech coding standard that provides a rather low sound quality compared to modern standards. Despite the existence of more modern codecs, GSM-FR is still very widely used.
- GSM-HR (Half Rate, 5.6 Kbps) is a codec used by phones in power saving mode. Occupies half of the Full Rate channel bandwidth. The battery can be saved up to 30%.
- GSM-EFR (Enhanced Full Rate, 12.2 Kbps) is a compression algorithm developed by Nokia and Sherbrooke University, which is a continuation of the development of the GSM-FR algorithm. Provides good quality of communication, however, power consumption when using it increases by about 5% compared to GSM-FR.
- AMR (Adaptive multi rate) is an adaptive variable rate coding algorithm. It is widely used in GSM and UMTS networks, providing high network capacity at the same time with high sound quality. The encoding / decoding speed is selected depending on the environment and network load.
3. Security and privacy
It's time to consider the basic algorithms for ensuring the privacy and security of subscriber data. Against the background of high-profile scandals and disclosures in the field of information security, this topic is quite relevant. GSM, like any other complex system, has its own protection mechanisms, as well as vulnerabilities, which we will consider in this chapter. I will not go into the jungle describing low-level bit conversion processes for encryption, etc., otherwise the article will turn into a huge pot-bellied book. Who cares, you can read these materials:
A bunch of presentations and articles on this topic in my GitHub repository
3.1 Basic attack vectors
Since the Um interface is a radio interface, all of its traffic is "visible" to anyone within range of the BTS. Moreover, you can analyze the data transmitted over the air without even leaving your home, using special equipment (for example, an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle) and the
There are two types of attacks: passive and active. In the first case, the attacker does not interact with the network or the attacked subscriber in any way - only receiving and processing information. It is not difficult to guess that it is almost impossible to detect such an attack, but it does not have as many prospects as an active one. An active attack involves the interaction of the attacker with the attacked subscriber and / or the cellular network.
The most dangerous types of attacks to which subscribers of cellular networks are exposed can be identified:
- Sniffing
- Leak of personal data, SMS and voice calls
- Location data leak
- Spoofing (FakeBTS or IMSI Catcher)
- Remote SIM capture, arbitrary code execution (RCE)
- Denial of Service (DoS)
3.2 Subscriber identification
As mentioned at the beginning of the article, subscribers are identified using IMSI, which is recorded in the subscriber's SIM card and the operator's HLR. Mobile phones are identified by their serial number - IMEI. However, after authentication, neither IMSI nor IMEI openly fly over the air. After the Location Update procedure, the subscriber is assigned a temporary identifier - TMSI (Temporary Mobile Subscriber Identity), and further interaction is carried out with its help.
Attack Methods
Ideally, the subscriber's TMSI is known only to the mobile phone and cellular network. However, there are ways to bypass this protection. If you cyclically call a subscriber or send SMS messages (or better Silent SMS), watching the PCH channel and performing correlation, you can select the TMSI of the attacked subscriber with a certain accuracy.
In addition, having access to the SS7 inter-operator communication network, you can find out the IMSI and LAC of its owner by the phone number. The problem is that in the SS7 network, all operators "trust" each other, thereby reducing the level of confidentiality of their subscribers' data.
3.3 Authentication
To protect against spoofing, the network authenticates the subscriber before starting to serve it. Besides the IMSI, the SIM card stores a randomly generated sequence called Ki, which it only returns in a hashed form. Ki is also stored in the operator's HLR and is never transmitted in cleartext. In general, the authentication process is based on the four-way handshake principle:
- The subscriber makes a Location Update Request, then provides the IMSI.
- The network sends a pseudo-random RAND value.
- The phone's SIM card hashes Ki and RAND using the A3 algorithm. A3 (RAND, Ki) = SRAND.
- The network also hashes Ki and RAND using the A3 algorithm.
- If the SRAND value from the subscriber's side coincides with the one calculated on the network side, then the subscriber has been authenticated.
Attack Methods
Busting Ki with RAND and SRAND values can take quite a long time. In addition, operators can use their own hashing algorithms. There is quite a bit of information on the net about brute force attempts. However, not all SIM cards are perfectly protected. Some researchers have been able to directly access the file system of the SIM card and then extract the Ki.
3.4 Traffic encryption
According to the specification, there are three algorithms for encrypting user traffic:
- A5 / 0 is a formal designation for the lack of encryption, just like OPEN in WiFi networks. I myself have never seen a network without encryption, however, according to gsmmap.org, A5 / 0 is used in Syria and South Korea.
- A5 / 1 is the most widely used encryption algorithm. Despite the fact that his hacking has already been repeatedly demonstrated at various conferences, it is used everywhere and everywhere. To decrypt traffic, it is enough to have 2 TB of free disk space, a regular personal computer with Linux and the Kraken program on board.
- A5 / 2 is an encryption algorithm with deliberately weakened protection. If it is used where, it is only for beauty.
- A5 / 3 is currently the strongest encryption algorithm, developed back in 2002. On the Internet, you can find information about some theoretically possible vulnerabilities, but in practice, no one has yet demonstrated how to crack it. I don’t know why our operators do not want to use it in their 2G networks. Indeed, for SORM, this is far from being a hindrance, since the encryption keys are known to the operator and the traffic can be decrypted quite easily on his side. And all modern phones support it perfectly. Fortunately, modern 3GPP networks use it.
Methods of Attack
As already mentioned, having sniffing equipment and a computer with 2 TB of memory and the Kraken program, you can find A5 / 1 session encryption keys rather quickly (a few seconds), and then decrypt anyone's traffic. German cryptologist Karsten Nohl demonstrated in 2009 how to hack A5 / 1. A few years later, Karsten and Sylvian Muno demonstrated the interception and decryption of a telephone conversation using several old Motorola phones (OsmocomBB project).
Conclusion
My long story has come to an end. In more detail and from a practical point of view, it will be possible to get acquainted with the principles of cellular networks in the series of articles Acquaintance with OsmocomBB, as soon as I add the remaining parts. I hope I managed to tell you something new and interesting. I look forward to your feedback and comments!
List of used literature
- Principles of radio data transmission
en.wikipedia.org/wiki/Um_interface
en.wikipedia.org/wiki/GSM_frequency_bands
www.teletopix.org/gsm/what-is-burst-in-gsm-and-burst-types-in-gsm
en.wikipedia.org/wiki/Control_channel
www.etsi.org/deliver/etsi_gts/05/0502/03.08.00_60/gsmts_0502sv030800p.pdf
www.sharetechnote.com/html/FrameStructure_GSM.html
www.teletopix.org/gsm/how -26-and-51-multiframes-in-gsm
www.teletopix.org/gsm/bch-cbch-and-ccch-works-in-gsm
www.teletopix.org/gsm/dedicated-control-channel-dcch-in -gsm
en.wikipedia.org/wiki/Handover
www.teletopix.org/gsm/slow-and-fast-frequency-hopping-in-gsm
habrastorage.org
