Threat patterns in GSM system

Usage of mobile devices in business simplifies, speeds up and optimizes business processes. However, it is necessary to understand that the more complicated the device is, the more threats it is subjected to.

Please note that the list of threats mentioned here is not full, but it contains the description of the main ways of information leakage. The full description of threat patterns can be found in the «Mobile Security Reference Architecture» document, prepared by the Federal CIO Council of USA and the US Department of Homeland Security (May, 2013).

The descriptive information is simplified and intended only for introduction of the procedures. More detailed information or technical specifications are available on the Internet.

Basic threat patterns:

1. LESS - Law Enforcement Support System (SORM - rus.), a system of technical means for conducting Operational-Investigative works.
Pic. 1. LESS

2. Service Provider (Mobile Connection Operator).
Pic. 2. Service Provider

www.lux-telecom.com Tel: +74996490928 [email protected] + 442033188305

3. Mobile devices and software producers/developers (Operating System (OS)).
Pic. 3. Operating System (OS)

4. Traffic interception in a radio channel (Intercept complexes: active, semiactive, passive and other interceptors).
Pic. 4. Traffic interception in a radio channel

Pic. 5. Implementation scheme

Methods of protection:

1. Dynamic identifiers (IMSI+Ki, IMEI).
2. Forced encryption in GSM network. Algorithm A5/1.
3. Security policy on a SIM level.
4. Voice changing.
5. Calling party number substitution.
6. Absence of location data.
7. Absence of billing data.
8. Inability to establish a fact of a call between subscribers.

Principles of countermeasures:

To get a mobile device or a SIM under technical control, it is necessary to know its identifiers.
All communication networks around the world are controlled by the state regulatory institutions and technically connected to LESS (Law Enforcement Support System - all information about this system is available on the Internet).

The main identifier of a mobile device is IMEI (International Mobile Equipment Identity). This parameter is passed in the network.

The main identifier of a subscriber is IMSI (International Mobile Subscriber Identity - subscriber's individual number). This parameter is passed in the network.

Public parameter MSISDN (Mobile Subscriber Integrated Services Digital Number) is a number of a mobile subscriber of a digital network with integrated services for providing connection in GSM, UMTS standards, etc. This parameter is not passed in the network, but can be compared to IMSI.

These parameters are enough to get all necessary information and to use it for analytical conclusions. Gaining these identifiers by means of LESS, intercept complexes and other mechanisms, it is possible to get the following information about a subscriber:

LUX TELECOM and usual SIM operation algorithms in GSM network

The process of network logon and cell selection

1. When a mobile device with a usual SIM is switched on, the process of frequency scanning and cell selection starts. A cell with the highest level of signal is selected. Lux Telecom works only with a cell whose signal is the second strongest. This provides the protection against intercept complexes.

2. After the synchronization procedure, equipment identification and subscriber's authentication in a network start. A usual SIM performs subscriber's authentication according to the A3 algorithm. This protocol performs the SRES key computation that allows the authentication procedure to be completed. To compute the SRES key, the A3 algorithm uses IMSI and Ki parameters. In a usual SIM the IMSI parameter is 'sewed' into the SIM, and it does not change.
Lux Telecom has several profiles with different IMSI+Ki parameters.

Pic. 6. Lux Telecom

Pic. 7. Lux Telecom

Encryption in GSM network

Encryption of a session is performed by means of the A5 algorithm that uses Kc (session key) for computations. Kc, in its turn, is computed by the A8 algorithm that uses Ki and RAND parameters. In a usual SIM the Ki parameter doesn't change, and neither does the IMSI parameter. Lux Telecom implements several profiles. Each profile has its own pair of IMSI+Ki.

To lower the encryption level from A5/1 to A5/2 or A5/0, the mobile operator or intercept complex sends a service command to the MSISDN number of a mobile subscriber. A usual SIM-card has its MSISDN bound to a particular pair IMSI+Ki, and the issuing operator stores it. Lux Telecom does not belong to any mobile operator and does not have a strictly bound MSISDN because it uses several profiles. Even if Lux Telecom gets into the area of a BSS (Base Station Subsystem), and the command of encryption cancellation is sent by means of the broadband message Paging Request, this command will not be executed, as the Lux Telecom algorithm does not include such a mechanism.

Calls

A subscriber with a usual SIM-card, after dialing the number, presses the Call button. At this stage, a mobile device sends an ALERT signal via FACCH (Fast Associated Control Channel) to the BSS (Base Station Subsystem). Then this signal goes to the MSC (Mobile Switching Center). The MSC sends an Address Complete message to the calling subscriber (the party that originates the call). The subscriber who made a call hears the dial tone, and the destination party hears the ringing sound. If the number (MSISDN) of one of the subscribers is known, it is possible to get all the call details from the operator's billing and the session itself. Also it is possible to intercept the session over the air by intercept complexes.

A Lux Telecom user, after dialing the number, presses the Call button.
At this stage, the call is aborted. At the same time the encrypted command is sent through the signal channel to the Lux Telecom security server ATS (Automatic Telephone Station). Lux's ATS requests, through SS7, the VLR (Visitor Location Register) for a temporary number MSRN (Mobile Station Roaming Number) for this particular SIM and this particular call. As soon as the operator has allocated an MSRN to a SIM, Lux ATS starts calling this number. At this stage the call to Lux Telecom starts. When the Lux subscriber answers this call, the first leg opens. Then Lux ATS starts calling the second/destination party. When the second party answers the call, the second leg opens (Call Back technology).

Using this mechanism for call making, it is not possible to get the information from the operator's billing, as it is unknown what operator Lux Telecom is registered to, and as a result there is no public identifier - MSISDN - by means of which IMSI, Ki and IMEI parameters are obtained. Even if the second subscriber is under control, it is impossible to understand who he has had a conversation with, as the session consists of two legs, and both legs are separated by Lux server ATS, and as a result it is not possible to define the circle of your contacts.

Acceptance of calls

A call to a usual SIM-card is performed according to the standard procedures. After the performance of the call procedure and TMSI (Temporary Mobile Subscriber Identity) assignment in the VLR coverage area, traffic is terminated and the session is considered as set up. The operator's billing records the information about the device that originates the call, the location of the call accepting device during the session, call duration, etc.

A call to Lux Telecom is performed in the following way: a virtual number - DID - is assigned to Lux Telecom. The DID number accepts a call from a network, changes it into SIP protocol and routes it to Lux ATS.
Lux ATS, in its turn, defines the subscriber who this DID belongs to, and starts the call procedure described above. Thus, it is not possible to locate Lux Telecom and to detect a connection between both subscribers, as Lux ATS stands in between.

Phonetic control

Considering the fact that mobile operators actively introduce into their networks mechanisms of subscriber searching by phonetic characteristics (voice print), Lux Telecom allows the acoustic characteristics of your voice to be changed for inbound and outbound calls. This mechanism is especially useful if the call from Lux Telecom is made to a usual SIM.

CONCLUSION

With no billing on the operator's side, Lux Telecom makes it impossible to obtain the information necessary for analysis: circle of contacts (CDRs), location, real identifiers (voice).

P.S. It is necessary to understand that a mobile phone is a proprietary device, a black box, and no one but the manufacturer knows what is set in the phone's settings. Sometimes even the manufacturer doesn't know about bugs in the phone's system.

Also, it is very important to understand that operators' tools are constantly developing. Analytical tools that detect single-use phones by their patterns in the billing system are constantly being upgraded. Billing records information about the first and last call made from a phone, the total amount of calls and the share of unique users that have been connected with the help of this SIM card / device. With access to the billing systems of all national operators, the moment when a subscriber gets rid of an old phone and starts using a new one can be easily established. Using geolocation data, one can identify the area where the suspicious subscriber lives.
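The challenge-response logon and Kc derivation described in the network logon and encryption sections above, as an added example that is not Lux Telecom's code: HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms, and the IMSI, Ki, class and function names are constructed for illustration. On the network side the IMSI only selects which Ki is used; SRES and Kc are computed from Ki and the challenge RAND.

```python
import hashlib
import hmac
import os

# Constructed sample subscriber (test-range IMSI, made-up Ki); not real data.
SAMPLE_IMSI = "001010123456789"
SAMPLE_KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def a3_a8(ki, rand):
    """Stand-in for A3/A8 (assumption: real SIMs use an operator-chosen algorithm).

    Returns (SRES, Kc): a 32-bit response and a 64-bit session key,
    both derived only from the secret Ki and the 128-bit challenge RAND.
    """
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128-bit values")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuthCentre:
    """Network side: looks Ki up by IMSI and issues (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers):
        self._ki_by_imsi = dict(subscribers)

    def triplet(self, imsi):
        ki = self._ki_by_imsi[imsi]      # the IMSI only selects the record
        rand = os.urandom(16)            # fresh challenge for every logon
        sres, kc = a3_a8(ki, rand)
        return rand, sres, kc

class Sim:
    """Card side: holds IMSI and Ki; Ki is never sent over the air."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3_a8(self._ki, rand)

def authenticate(auc, sim):
    """One logon: network challenges, SIM answers, SRES values are compared."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_sim = sim.run_gsm_algorithm(rand)
    ok = hmac.compare_digest(sres, expected_sres)
    # On success both ends hold the same Kc for A5; it was never transmitted.
    return ok, (kc_sim if ok and kc_sim == kc_network else b"")

if __name__ == "__main__":
    auc = AuthCentre({SAMPLE_IMSI: SAMPLE_KI})
    print(authenticate(auc, Sim(SAMPLE_IMSI, SAMPLE_KI)))  # genuine card
    print(authenticate(auc, Sim(SAMPLE_IMSI, bytes(16))))  # same IMSI, wrong Ki
```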