How does the radio interface work in GSM networks



    I think many have wondered at some point how cellular networks work. After all, we use mobile phones almost every day. The number of subscribers grows every day, as does the area of network coverage... Old standards are being replaced by new ones, and the "appetites" of mobile Internet users keep growing. If you are interested in how it all works, read on! Since the infrastructure of cellular networks is quite large, and describing it could take a whole book, in this article we will focus on the Um interface, through which our phones interact with the operator's equipment and, through it, with other subscribers.

    Caution: lots of pictures!

    Foreword


    Cellular communication appeared a long time ago. Back in the 1940s, research began with the aim of creating a mobile communications network. In 1956, Mobile System A (MTA) was launched in several cities in Sweden. In 1957, our compatriot L.I. Kupriyanovich publicly demonstrated the mobile phone he had developed, together with a base station for it. Then, in the USSR, development of the Altai civilian cellular communication system began, which within a few years covered more than 30, and later as many as 114, Soviet cities. Incidentally, in some cities of the post-Soviet space Altai works to this day, for example in Novosibirsk (numbering is +7 (383) 349-8XXX)! In the 80s Motorola launched its famous DynaTAC 8000X, costing $3995. And only in 1992, after NMT-450, AMPS, ETACS, D-AMPS and NMT-900, was cellular communication based on the GSM standard launched in Germany.

    Today, more than twenty years later, we use new-generation networks such as 3G and 4G, but GSM networks have not gone anywhere: they are still used by ATMs, payment terminals, alarm systems and even modern phones, to save energy and maintain backward compatibility. In addition, newer technologies such as UMTS (W-CDMA) and LTE have much in common with GSM. Unlike, say, TCP/IP, cellular networks are less accessible for study and research. There are many reasons, from the fairly high price of equipment to the laws of most countries prohibiting the use of GSM band frequencies without a licence. In my opinion, an understanding of how cellular networks work is very important for information security specialists, and not only for them. That is why I decided to write this article.

    Content:
    1. Introduction to Cellular Networks
      1.1 Cellular Service Providers
      1.2 Principles of Network Coverage
      1.3 Cellular Network Infrastructure
      1.4 Inter-Operator Interaction
    2. Um interface (GSM Air Interface)
      2.1 Frequency bands
      2.2 Physical channels, multiple access sharing
      2.3 Logical channels
      2.4 What is burst?
      2.5 Types of burst
      2.6 Frequency Hopping
      2.7 Basic principles of interaction between MS and BTS
      2.8 Handover
      2.9 Speech coding
    3. Security and privacy
      3.1 Main attack vectors
      3.2 Subscriber identification
      3.3 Authentication
      3.4 Traffic encryption

    1. Introduction to cellular networks


    1.1 Cellular Service Providers


    By analogy with Internet providers, cellular services are provided by companies most often called "operators". Each of them offers its own range of services and sets its own tariff plans. Most operators use their own equipment to build the core network infrastructure; some use an existing one: in Russia, for example, the operator Yota runs on the equipment of the operator Megafon.

    From the point of view of an ordinary mobile subscriber, an operator is distinguished by the quality of its communication services, a certain range of numbers, its own branded SIM cards and its tariff plans. On the side of the operators themselves, as in other areas of telecommunications, each of them is identified by a country code (MCC - Mobile Country Code) and a network code unique within the country (MNC - Mobile Network Code). In addition, subscribers are identified not by the familiar telephone number but by an international subscriber identifier, the IMSI (International Mobile Subscriber Identity), which is stored in the subscriber's SIM card as well as in the operator's database. Phone numbers are simply "attached" to a specific IMSI, so that the subscriber can change the operator,

    1.2 Principles of network coverage


    Coverage of a particular area with cellular communications is provided by distributing transceiver equipment over it. I am sure many have seen it on billboards, on various buildings and even on individual masts. Most often it consists of several white directional antennas and a small cabinet or building to which the cables run. In GSM terminology such installations are called base stations (BTS - Base Transceiver Station) and can consist of several transceivers (TRX - Transmitter/Receiver).



    A key feature of cellular communication is that the total coverage area is divided into cells, defined by the coverage areas of individual base stations (BS). Incidentally, this is where the name "cellular communication" comes from. Each base station covers one or more sectors and has one or more transceivers in each sector, each of which emits a signal at its own frequency. Simply put, a cell is one of these coverage cells, and it has its own unique identifier called the CI (Cell ID). Cells can be classified by the scale of the territory covered: macrocell (up to 35 km, sometimes up to 70 km), regular cell (up to 5 km), microcell (up to 1 km), picocell (up to 300 metres) and femtocell (more common indoors, covering tens of metres).



    Neighbouring base stations operate on different frequencies, which is why the cells of different operators can overlap partially or almost completely. A group of base stations working together forms a location area, identified by a Location Area Code (LAC). All base stations must broadcast their identification data, such as MCC, MNC, Cell ID and LAC, so that mobile phones connect only to their own operator's BTS. In addition, mobile phones notify the network of their current location, i.e. their LAC, at a certain interval. This procedure is called Location Update, but more on that later.

    1.3 Cellular Infrastructure




    Base stations cannot exist on their own, so, being in a specific LAC, they are connected to a base station controller (BSC - Base Station Controller). The controllers, in turn, perform load balancing and actively participate in the exchange of traffic between the network and their "subordinates". BTS and BSC interact via the A-bis interface. Most operators have several base station controllers within the network, which use the A interface and the Gb interface to reach the switching nodes of the network (MSC - Mobile Switching Center, SGSN - Serving GPRS Support Node).

    MSC forms the core of the network infrastructure (Core Network), which includes the following main elements:

    • HLR (Home Location Register) - a database containing the personal data of each subscriber, including the phone number, tariff plan, list of enabled services, and information about the SIM card the subscriber uses.
    • VLR (Visitor Location Register) - a temporary database of subscribers who are in the coverage area of a particular mobile switching centre. Each base station in the network is assigned to a specific VLR, so a subscriber cannot be present in several VLRs at the same time.
    • AuC (Authentication Center) - the subscriber authentication centre, which verifies the authenticity of each SIM card that connects to the network.
    • SMSC (SMS Center) - the short message service centre, which stores and routes text messages.
    • GMSC (Gateway MSC) - a gateway providing access to landline telephone networks. Thanks to this element, calls between cellular and fixed-line subscribers are possible.
    • SGSN (Serving GPRS Support Node) - the GPRS subscriber serving node, which acts as the connection point between the base station subsystem (BSS) and the core network. The SGSN can be called the GPRS analogue of the MSC switch. It monitors the delivery of data packets, keeps track of online users, converts GSM frames to the formats used by the TCP/IP protocols of the Internet, registers ("attaches") subscribers newly appearing in the network coverage area, handles data encryption, processes incoming billing information, and interacts with the HLR, the register of the network's own subscribers. Unlike the elements above, the SGSN connects directly to the BSC.

    In addition, inside the network infrastructure there is a billing system, where our "balance" is stored, fees for using services are debited and various payment transactions are processed. The operator can attach other subsystems to the core network at its discretion.

    1.4 Interoperator interaction


    The networks of different operators interact with each other, so that, for example, Alice, a subscriber of operator A, can call Bob, a subscriber of operator B. The network that makes this possible is called OKS-7, or SS7; it runs either over dedicated wired/wireless communication networks or over the Internet (yes, a network over a network). SS7 provides a set of protocols for the interaction of different operators. Roaming also works thanks to this network.

    2. Um interface (GSM Air Interface)


    2.1 Frequency bands


    Any equipment in cellular networks interacts through certain interfaces. As already mentioned, data exchange between the base station and the subscriber is carried out over the Um interface, which is first of all a radio interface, so data is exchanged by receiving and transmitting radio waves. Radio waves are the same electromagnetic radiation as heat or light. Ultraviolet, X-rays and ionising radiation are also types of electromagnetic radiation, with their own frequency ranges and wavelengths. Remember this picture?



    So, the radio spectrum is itself divided into sub-bands; for example, the LF (30-300 kHz), MF (300-3000 kHz) and HF (3-30 MHz) bands are most often used for radio communications and broadcasting; broadcasting is also carried out in the VHF (30-300 MHz), UHF (300-3000 MHz) and SHF (3-30 GHz) bands; wireless networks such as WiFi, as well as satellite television, also work in SHF. Of most interest to us is the UHF band, in which GSM networks operate. According to the 3GPP TS 45.005 standard, as many as 14 sub-bands have been allocated for them within UHF, and different bands are used in different countries. Let us consider the most common ones:
    Specification    GSM-850          P-GSM-900        E-GSM-900                DCS-1800           PCS-1900
    Uplink, MHz      824.2 - 849.2    890.0 - 915.0    880.0 - 915.0            1710.2 - 1784.8    1850.2 - 1909.8
    Downlink, MHz    869.2 - 893.8    935.0 - 960.0    925.0 - 960.0            1805.2 - 1879.8    1930.2 - 1989.8
    ARFCN            128 - 251        1 - 124          975 - 1023, 0 - 124      512 - 885          512 - 810
    P-GSM-900, E-GSM-900 and DCS-1800 are used mainly in Europe and Asia. The GSM-850 and PCS-1900 bands are used in the USA, Canada, and certain countries of Latin America and Africa.

    Any band allocated to a cellular network is divided into many segments (usually 200 kHz each), some of which are designated Downlink - here only base stations (BTS) transmit - and some Uplink, where only mobile phones (MS) transmit. Pairs of such segments, one from the Downlink and one from the Uplink, form radio frequency channels identified by an ARFCN (Absolute Radio-Frequency Channel Number). In other words, the phone cannot receive and transmit at the same frequency; instead it switches to the Uplink frequency when transmitting and to the Downlink frequency when receiving, and this switching happens very quickly.
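    The ARFCN-to-frequency mapping for the bands in the table above, as an added example (not code from the original article). The per-band formulas (200 kHz channel spacing, the uplink frequency of the first channel, and the fixed uplink/downlink duplex spacing) are those of 3GPP TS 45.005; the table lists band edges, whereas the code returns channel centre frequencies. It also shows why a bare ARFCN is not enough to identify a carrier: the numbers 512-810 are defined in both DCS-1800 and PCS-1900.

```python
"""ARFCN <-> carrier frequency for the GSM bands listed in the table above.

Added example, not code from the original article. The per-band formulas
(200 kHz channel spacing, first-channel frequency, duplex spacing) are those
of 3GPP TS 45.005. The table gives band edges, while this code returns
channel centre frequencies (e.g. P-GSM ARFCN 1 is 890.2 MHz).
"""
from typing import List, NamedTuple, Tuple

CHANNEL_SPACING_MHZ = 0.2  # one ARFCN = 200 kHz


class Band(NamedTuple):
    name: str
    # contiguous ARFCN blocks: (first_arfcn, last_arfcn, uplink_mhz_of_first)
    blocks: Tuple[Tuple[int, int, float], ...]
    duplex_mhz: float  # downlink = uplink + duplex spacing


BANDS = (
    Band("GSM-850", ((128, 251, 824.2),), 45.0),
    Band("P-GSM-900", ((1, 124, 890.2),), 45.0),
    # E-GSM adds ARFCN 0 (890.0 MHz) and 975..1023 below the P-GSM block
    Band("E-GSM-900", ((0, 124, 890.0), (975, 1023, 880.2)), 45.0),
    Band("DCS-1800", ((512, 885, 1710.2),), 95.0),
    Band("PCS-1900", ((512, 810, 1850.2),), 80.0),
)


def arfcn_to_freq(arfcn: int, band_name: str) -> Tuple[float, float]:
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the named band.

    The band has to be given explicitly: ARFCN 512..810 exists in both
    DCS-1800 and PCS-1900, so the number alone does not identify a carrier.
    """
    band = next((b for b in BANDS if b.name == band_name), None)
    if band is None:
        raise ValueError(f"unknown band {band_name!r}")
    for first, last, f0 in band.blocks:
        if first <= arfcn <= last:
            uplink = round(f0 + CHANNEL_SPACING_MHZ * (arfcn - first), 1)
            return uplink, round(uplink + band.duplex_mhz, 1)
    raise ValueError(f"ARFCN {arfcn} is not defined in {band_name}")


def bands_for_arfcn(arfcn: int) -> List[str]:
    """All bands in which this ARFCN is defined; more than one means ambiguous."""
    return [
        b.name
        for b in BANDS
        if any(first <= arfcn <= last for first, last, _ in b.blocks)
    ]


if __name__ == "__main__":
    for arfcn, band in ((1, "P-GSM-900"), (975, "E-GSM-900"), (700, "DCS-1800")):
        ul, dl = arfcn_to_freq(arfcn, band)
        print(f"{band} ARFCN {arfcn}: uplink {ul} MHz, downlink {dl} MHz")
    print("ARFCN 700 is valid in:", bands_for_arfcn(700))
```

    In practice a receiver must be told (or configure) the band before it can interpret an ARFCN; scanning tools expose this as a band option for exactly this reason.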

    2.2 Physical channels, multiple access sharing


    So much for the frequency bands. Now imagine a small enclosed room with a lot of people in it. If at some moment everyone starts talking at once, it will be hard for the interlocutors to understand each other. Some will start to speak louder, which will only make things worse for the others. In physics this phenomenon is called interference; in other words, interference is the superposition of waves. For GSM cellular networks it is an unwanted phenomenon, so multiple access techniques come to the rescue.

    The need for multiple access arose long ago, and it is used both in wired communications (I2C, USB, Ethernet) and in wireless ones. In cellular networks the most commonly used techniques are FDMA (Frequency Division Multiple Access), TDMA (Time Division Multiple Access) and CDMA (Code Division Multiple Access). The first two are used together in second-generation networks, i.e. GSM. CDMA is the foundation of modern cellular networks, which surpass GSM both in security and in maximum data rate. What kind of magic is this?

    A radio system has two main resources: frequency and time. Dividing the frequency, so that each receiver and transmitter is allocated a specific frequency, is called FDMA. Dividing time, so that each transmitter-receiver pair is allocated the whole spectrum, or most of it, for a selected period of time, is called TDMA. In CDMA there are no restrictions on frequency or time. Instead, each transmitter modulates the signal with an individual numeric code currently assigned to that user, and the receiver extracts the desired part of the signal using the same code. There are several more techniques as well: PAMA (Pulse-Address Multiple Access), PDMA (Polarization Division Multiple Access) and SDMA (Space Division Multiple Access), but their description is beyond the scope of this article.

    FDMA
    The principle of this method is that the available frequency spectrum is divided between receivers and transmitters into equal or unequal frequency bands, some of which are allocated to the Downlink (traffic from BTS to MS) and some to the Uplink (traffic from MS to BTS). We have already talked about this.

    TDMA
    Together with frequency division (FDMA), GSM uses time division - TDMA. Under TDMA the entire data stream is divided into frames, and the frames in turn are divided into several time slots, which are distributed among the transceiver devices. Consequently, the phone can exchange information with the network only in the particular intervals allocated to it.



    Frames are combined into multiframes, which are of two types:

    Control Multiframe (contains 51 frames)


    Traffic Multiframe (contains 26 frames)


    Multiframes form superframes, and superframes in turn form hyperframes. The structure of frames and the way they are organised are described in more detail in the GSM specifications.

    As a result, the physical channel between a receiver and a transmitter is defined by the frequency, the allocated frames and the time slot numbers within them. Typically, a base station uses one or more ARFCN channels, one of which is used to announce the presence of the BTS on the air. The first time slot (index 0) of the frames of this channel is used as the base service channel (base control channel, or beacon channel). The rest of the ARFCN is allocated by the operator to CCH and TCH channels at its discretion.

    2.3 Logical channels


    Logical channels are formed on the basis of the physical channels. The Um interface carries both user information and signalling. According to the GSM specification, each type of information corresponds to a particular type of logical channel implemented over the physical ones:



    • traffic channels (TCH - Traffic Channel),
    • control channels (CCH - Control Channel).

    Traffic channels are divided into two main types: TCH/F, the full-rate channel with a maximum rate of 22.8 kbit/s, and TCH/H, the half-rate channel with a maximum rate of 11.4 kbit/s. These channels can be used for voice (TCH/FS, TCH/HS) and for user data (TCH/F9.6, TCH/F4.8, TCH/H4.8, TCH/F2.4, TCH/H2.4), for example SMS.

    Control channels are divided into:

    • Broadcast channels (BCH - Broadcast Channels).
      • FCCH - Frequency Correction Channel. Provides the information a mobile phone needs for frequency correction.
      • SCH - Synchronization Channel. Provides the mobile phone with the information needed for TDMA synchronisation with the base station (BTS), as well as its BSIC identity.
      • BCCH - Broadcast Control Channel. Transmits basic information about the base station, such as how the control channels are organised, the number of blocks reserved for access grant messages, and the number of multiframes (51 TDMA frames each) between Paging requests.
    • Common control channels (CCCH - Common Control Channels)
      • PCH - Paging Channel. Looking ahead, Paging is a kind of ping of the mobile phone that determines whether it is reachable in a certain coverage area. This channel exists specifically for that.
      • RACH - Random Access Channel. Used by mobile phones to request a dedicated SDCCH signalling channel of their own. Uplink only.
      • AGCH - Access Grant Channel. On this channel base stations respond to RACH requests from mobile phones, allocating an SDCCH or, directly, a TCH.
    • Dedicated channels (DCCH - Dedicated Control Channels)
      Dedicated channels, like TCH, are allocated to particular mobile phones. There are several subtypes:
      • SDCCH - Stand-alone Dedicated Control Channel. Used for authentication of the mobile phone, exchange of encryption keys, the location update procedure, as well as for setting up voice calls and exchanging SMS messages.
      • SACCH - Slow Associated Control Channel. Used during a call, or while an SDCCH is in use. Through it the BTS sends the phone periodic instructions to adjust timing and transmit power. In the opposite direction go the received signal level (RSSI), TCH quality, and the signal levels of neighbouring base stations (BTS Measurements).
      • FACCH - Fast Associated Control Channel. Provided along with the TCH, it allows urgent messages to be sent, for example during the transition from one base station to another (Handover).


    2.4 What is burst?


    Data is transmitted over the air inside time slots, as sequences of bits most often called "bursts". The term "burst", whose closest everyday equivalent is "splash", should be familiar to many radio enthusiasts; it most likely appeared with the graphical models used to analyse the radio spectrum, where any activity looks like a waterfall or splashes of water. You can read more about them elsewhere; here we focus on the essentials. A schematic representation of a burst might look like this:



    Guard Period
    To avoid interference (that is, two bursts overlapping), the burst duration is always shorter than the time slot duration by a certain value (0.577 - 0.546 = 0.031 ms), called the Guard Period. This period is a kind of time margin that compensates for possible delays in signal propagation.

    Tail Bits
    These markers mark the beginning and end of the burst.

    Info
    The burst payload, for example subscriber data or signalling traffic. It consists of two parts.

    Stealing Flags
    These two bits are set when both parts of the data of a TCH burst have been "stolen" to carry FACCH. If only one of the two bits is set, only one part of the burst's data carries FACCH.

    Training Sequence
    This part of the burst is used by the receiver to determine the physical characteristics of the channel between the phone and the base station.
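    The field layout just described, as an added example (not code from the original article): a builder and parser for the 148 demodulated bits of a normal burst, with the two stealing flags interpreted the way the Stealing Flags paragraph explains. The field sizes (3 + 57 + 1 + 26 + 1 + 57 + 3 bits, followed by 8.25 guard bits) and the value of training sequence code 0 are taken from 3GPP TS 45.002, not from the text; the sample payloads are constructed.

```python
"""Field layout of a GSM normal burst (section 2.4).

Added example, not code from the original article. The field sizes
(3 + 57 + 1 + 26 + 1 + 57 + 3 = 148 bits, followed by 8.25 guard bits)
and training sequence code 0 are taken from 3GPP TS 45.002, not from the
text. Input is the 148 demodulated bits as a '0'/'1' string.
"""
from typing import Dict, Tuple

TAIL_BITS = 3
DATA_BITS = 57
STEALING_BITS = 1
TRAINING_BITS = 26
GUARD_BITS = 8.25  # never demodulated; completes the 156.25-bit time slot
BURST_BITS = 2 * (TAIL_BITS + DATA_BITS + STEALING_BITS) + TRAINING_BITS  # 148

# Training sequence code 0 (3GPP TS 45.002); the BCC part of the BSIC
# selects which of the eight codes a cell uses.
TSC0 = "00100101110000100010010111"


def build_normal_burst(data1: str, data2: str, tsc: str = TSC0,
                       hl: bool = False, hu: bool = False) -> str:
    """Assemble a burst; hl/hu are the two stealing flags."""
    if len(data1) != DATA_BITS or len(data2) != DATA_BITS or len(tsc) != TRAINING_BITS:
        raise ValueError("bad field length")
    return ("0" * TAIL_BITS + data1 + ("1" if hl else "0") + tsc
            + ("1" if hu else "0") + data2 + "0" * TAIL_BITS)


def parse_normal_burst(bits: str) -> Dict[str, object]:
    """Split a 148-bit normal burst into its fields and read the flags."""
    if len(bits) != BURST_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {BURST_BITS} binary digits")
    pos = 0

    def take(n: int) -> str:
        nonlocal pos
        chunk = bits[pos:pos + n]
        pos += n
        return chunk

    head = take(TAIL_BITS)
    data1 = take(DATA_BITS)
    hl = take(STEALING_BITS) == "1"
    tsc = take(TRAINING_BITS)
    hu = take(STEALING_BITS) == "1"
    data2 = take(DATA_BITS)
    tail = take(TAIL_BITS)
    return {
        "tail_bits_ok": head == "000" and tail == "000",
        "training_sequence": tsc,
        "tsc_index": 0 if tsc == TSC0 else None,  # only TSC 0 is embedded here
        "data": (data1, data2),
        "hl_stolen": hl,
        "hu_stolen": hu,
    }


def classify(parsed: Dict[str, object]) -> str:
    """Who owns the payload: the TCH, the FACCH, or a mix."""
    hl, hu = parsed["hl_stolen"], parsed["hu_stolen"]
    if hl and hu:
        return "FACCH"
    if hl or hu:
        return "FACCH (one part stolen from TCH)"
    return "TCH"


# Constructed sample payloads, not captured traffic.
SAMPLE_DATA1 = ("10" * 28) + "1"
SAMPLE_DATA2 = ("01" * 28) + "0"

if __name__ == "__main__":
    burst = build_normal_burst(SAMPLE_DATA1, SAMPLE_DATA2, hl=True, hu=True)
    info = parse_normal_burst(burst)
    print(len(burst), "bits;", classify(info), "; TSC", info["tsc_index"])
```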

    2.5 Types of burst


    Each logical channel corresponds to certain types of burst:



    Normal Burst
    Sequences of this type implement traffic channels (TCH) between the network and subscribers, as well as all kinds of control channels (CCH): CCCH, BCCH and DCCH.

    Frequency Correction Burst
    The name speaks for itself. It implements the one-way FCCH downlink channel, which lets mobile phones tune more accurately to the BTS frequency.

    Synchronization Burst
    A burst of this type, like the Frequency Correction Burst, implements a downlink channel, in this case the SCH, which is meant to announce the presence of base stations on the air. By analogy with beacon frames in WiFi networks, each such burst is transmitted at full power and contains the information about the BTS needed to synchronise with it: the frame number, identification data (BSIC) and more.
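    An added example (not code from the original article) tying together the frame hierarchy from section 2.2 and the contents of the Synchronization Burst: GSM frame numbering, the reduced frame number (T1, T2, T3') that the SCH carries, and the 6-bit BSIC made of NCC and BCC. The constants (26- and 51-frame multiframes, a 2048-superframe hyperframe, the 60/13 ms frame period, the T1/T2/T3' split) come from 3GPP TS 45.002 and are not on the page; the bit order used to pack the 25-bit SCH word is this example's own choice.

```python
"""GSM frame numbering and the reduced frame number announced on the SCH.

Added example, not code from the original article. The constants
(26- and 51-frame multiframes, 2048-superframe hyperframe, 60/13 ms frame
period, the 6-bit BSIC and the T1/T2/T3' split) come from 3GPP TS 45.002;
the SCH is sent only in frames with FN mod 51 in {1, 11, 21, 31, 41}. The
bit packing order inside the 25-bit word below is this example's choice.
"""
from typing import Tuple

TRAFFIC_MULTIFRAME = 26
CONTROL_MULTIFRAME = 51
SUPERFRAME = TRAFFIC_MULTIFRAME * CONTROL_MULTIFRAME  # 1326 frames
HYPERFRAME = 2048 * SUPERFRAME                         # 2 715 648 frames
FRAME_PERIOD_MS = 60 / 13                              # 4.615 ms = 8 x 577 us


def hyperframe_seconds() -> float:
    """How long before the frame counter (an input to the A5 keystream) wraps."""
    return HYPERFRAME * FRAME_PERIOD_MS / 1000  # 12533.76 s, about 3 h 28 min


def split_frame_number(fn: int) -> Tuple[int, int, int]:
    """FN -> (T1, T2, T3') as sent on the SCH (11, 5 and 3 bits)."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe")
    t3 = fn % CONTROL_MULTIFRAME
    if (t3 - 1) % 10:
        raise ValueError("SCH is only sent in frames with FN mod 51 in {1,11,21,31,41}")
    return fn // SUPERFRAME, fn % TRAFFIC_MULTIFRAME, (t3 - 1) // 10


def join_frame_number(t1: int, t2: int, t3p: int) -> int:
    """Inverse of split_frame_number: how a phone rebuilds FN from the SCH.

    Within a superframe FN = 51*k + T3 with k in 0..25; since 51 = -1 mod 26,
    T2 = FN mod 26 = (T3 - k) mod 26, hence k = (T3 - T2) mod 26.
    """
    t3 = 10 * t3p + 1
    k = (t3 - t2) % TRAFFIC_MULTIFRAME
    return SUPERFRAME * t1 + CONTROL_MULTIFRAME * k + t3


def pack_sch(ncc: int, bcc: int, fn: int) -> int:
    """25-bit SCH information field: BSIC (NCC:3, BCC:3), T1, T2, T3'."""
    if not (0 <= ncc < 8 and 0 <= bcc < 8):
        raise ValueError("NCC and BCC are 3-bit values")
    t1, t2, t3p = split_frame_number(fn)
    bsic = (ncc << 3) | bcc
    return (bsic << 19) | (t1 << 8) | (t2 << 3) | t3p


def unpack_sch(word: int) -> Tuple[int, int, int]:
    """Inverse of pack_sch: returns (NCC, BCC, FN)."""
    t3p = word & 0x7
    t2 = (word >> 3) & 0x1F
    t1 = (word >> 8) & 0x7FF
    bsic = (word >> 19) & 0x3F
    return bsic >> 3, bsic & 0x7, join_frame_number(t1, t2, t3p)


if __name__ == "__main__":
    fn = 5 * SUPERFRAME + 3 * CONTROL_MULTIFRAME + 11  # constructed SCH frame
    word = pack_sch(ncc=5, bcc=3, fn=fn)
    print(f"FN {fn} -> T1,T2,T3' = {split_frame_number(fn)} -> SCH word {word:025b}")
    print("decoded (NCC, BCC, FN):", unpack_sch(word))
```

    Once the phone has the frame number and BSIC from a single Synchronization Burst it knows where in the 26- and 51-frame multiframes it is, which is what lets it find the BCCH, PCH and its own time slot afterwards.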

    Dummy Burst
    A dummy burst is transmitted by the base station to fill unused time slots. The point is that if there is no activity on the channel, the signal strength of the current ARFCN will be significantly lower, and the mobile phone may then think it is far from the base station. To avoid this, the BTS fills unused time slots with meaningless traffic.

    Access burst
    When establishing a connection with the BTS, the mobile phone sends a request for a dedicated SDCCH on the RACH. The base station, having received such a burst, assigns the subscriber its TDMA timing and answers on the AGCH, after which the mobile phone can receive and send Normal Bursts. Note the longer guard period: initially neither the phone nor the base station knows the propagation delay. If the RACH request misses the time slot, the mobile phone sends it again after a pseudo-random delay.

    2.6 Frequency Hopping


    Quote from Wikipedia:

    Pseudo-random frequency-hopping spread spectrum (FHSS) is a method of transmitting information on the radio, the feature of which is the frequent change of the carrier frequency. The frequency changes in accordance with a pseudo-random sequence of numbers known to both the sender and the receiver. The method increases the noise immunity of the communication channel.



    Frequency Hopping (FHSS) is one of the spread spectrum methods. Besides GSM networks, a variant of this method is used in Bluetooth. What is it for?

    • Reducing the effect of interference. Because the frequency changes often, interference can affect the signal only for a short period of time.
    • Protecting data from unauthorised access. Without knowing the algorithm by which the signal frequency changes, it is impossible to extract the wanted data from the noise-like stream.
    • Making jamming harder. Frequency Hopping makes it difficult to "target" jamming (i.e. jam a specific device or set of devices). Instead, the entire occupied frequency range has to be jammed, which requires more expensive and powerful equipment.

    2.7 Basic principles of interaction between MS and BTS


    Let us start with what happens when you turn on your mobile phone. Most often, even when the phone is switched off with the battery inserted, it keeps working: a small program called the bootloader is running. The bootloader waits for the power key to be pressed, starts charging when a charger is connected, and sometimes handles the alarm clock; it all depends on the specific phone model. As soon as the power key is pressed, the operating system starts loading; it first checks for the presence of a SIM card and then starts scanning the air in search of the operator's network. Even without a SIM card the phone still connects to the nearest base station, making it possible to place an emergency call. If the SIM card is in place, a Location Update request is made, notifying the network of the subscriber's current LAC. Then the base station requests the phone's IMEI and the SIM card's IMSI to identify the subscriber (Identity Request). If the IMEI provided differs from the one with which the subscriber connected before, the operator can send Internet settings; incidentally, this also makes it possible to find a stolen phone. Then authentication is performed, after which the phone can be in one of two states:

    • IDLE - "idle mode". The phone does not transmit any data to the network and listens to the CCCH.
    • DEDICATED - an active connection is established between the network and the phone, during which the phone periodically transmits signal quality information to the network and also exchanges user data.

    Now let us dwell on the process of connecting to the network. Each base station necessarily has a broadcast CCCH channel, which is located in time slot zero of a specific ARFCN. While scanning the air, the phone switches its tuner frequency in turn, measuring the power of the received signal. As soon as the BTS with the strongest signal is found, the phone switches to its synchronisation channel (SCH). Then, having received the first Synchronization Burst, the phone determines the time slot order as well as the BSIC identification data, which consists of the NCC (Network Colour Code) and the BCC (Base station Colour Code). The list of identifiers allowed and forbidden for connection is stored on the SIM card.

    As soon as the phone finds an allowed BCCH, a RACH request is sent; the base station allocates a specific physical channel, authenticates the subscriber and registers his arrival in the VLR and HLR. After that the phone is in IDLE mode. When there is an incoming call or SMS message, all base stations of the current LAC start sending Paging Requests to notify the subscriber of the event. If the phone "hears" it, it responds, and the network sends an Immediate Assignment packet describing the resources allocated to the subscriber (frequency, time slot number, etc.). This is very similar to a ping on the Internet. From this moment the phone is in DEDICATED mode until the connection is released.

    If the subscriber himself initiates the connection, he must first send a CM Service Request and then wait for an Immediate Assignment from the network.

    2.8 Handover


    Handover (in American usage, handoff) is the process in cellular communication of transferring a subscriber from one base station to another during a phone call or data session. It occurs when the subscriber leaves the coverage area of one base station and enters that of another. A handover can also be performed if the current base station is overloaded or its physical channels are too noisy.

    Handover is of two types:

    • Hard handover ("break-before-make"). In this case the connection with the current BTS is broken, after which a connection with the new one is set up. Its drawbacks include the possibility of a brief interruption of a data session or an unexpected call drop. In the now obsolete analogue communication systems a short click or tone could be heard during a hard handover. :)
    • Soft handover ("make-before-break"). In this case the phone, without breaking the connection with the current BTS, establishes a connection with one or more others, then hands the session over to the new BTS and drops the connection with the previous one. The drawback of this method is the higher cost of the phone components needed to maintain connections with several base stations at once.


    2.9 Speech coding


    As already mentioned, subscribers' speech is transmitted on the TCH channel, which comes in two types: Full Rate (FR) and Half Rate (HR). The following standards are used for encoding the audio stream in GSM mobile networks (and not only there):

    • GSM-FR (Full Rate, 13 kbit/s) is the first digital speech coding standard; it provides fairly low sound quality compared to modern standards. Despite the existence of more modern codecs, GSM-FR is still very widely used.
    • GSM-HR (Half Rate, 5.6 kbit/s) is a codec used by phones in power-saving mode. It takes half the bandwidth of the Full Rate channel. Battery savings can reach 30%.
    • GSM-EFR (Enhanced Full Rate, 12.2 kbit/s) is a compression algorithm developed by Nokia and the University of Sherbrooke as a further development of GSM-FR. It provides good call quality, but power consumption when using it rises by about 5% relative to GSM-FR.
    • AMR (Adaptive Multi Rate) is an adaptive variable-rate coding algorithm. It is widely used in GSM and UMTS networks, providing high network capacity together with high sound quality. The encoding/decoding rate is chosen depending on the ambient conditions and the network load.


    3. Security and privacy


    It is time to consider the basic algorithms that ensure the confidentiality and security of subscribers' data. Amid high-profile scandals and revelations in the field of information security, this topic is quite relevant. GSM, like any other complex system, has its own protection mechanisms as well as vulnerabilities, which we will consider in this chapter. I will not go into the weeds describing the low-level bit transformations performed during encryption and so on, otherwise the article would turn into a huge, pot-bellied book. Anyone interested can read these materials:

    Wikipedia, GSM Security
    Habrahabr, GSM Network Security: data encryption
    A bunch of presentations and articles on this topic in my GitHub repository

    3.1 Main attack vectors


    Since the Um interface is a radio interface, all its traffic is "visible" to anyone within range of the BTS. Moreover, the data transmitted over the air can be analysed without leaving home, using special equipment (for example, an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle), some skill, and the most ordinary computer.

    There are two types of attack: passive and active. In the first case the attacker interacts neither with the network nor with the attacked subscriber, only receiving and processing information. It is not hard to guess that such an attack is almost impossible to detect, but it offers fewer possibilities than an active one. An active attack involves the attacker interacting with the attacked subscriber and/or the cellular network.

    The most dangerous types of attack to which cellular subscribers are exposed are:

    • Sniffing
    • Leak of personal data, SMS and voice calls
    • Location Leak
    • Spoofing (FakeBTS or IMSI Catcher)
    • Remote SIM capture, arbitrary code execution (RCE)
    • Denial of Service (DoS)

    3.2 Subscriber identification


    As already mentioned at the beginning of the article, subscriber identification is performed by IMSI, which is stored in the subscriber's SIM card and in the operator's HLR. Mobile phones are identified by their serial number, the IMEI. However, after authentication neither the IMSI nor the IMEI is sent over the air in the clear. After the Location Update procedure the subscriber is assigned a temporary identifier, the TMSI (Temporary Mobile Subscriber Identity), and further interaction uses it.

    Attack Methods
    Ideally, a subscriber's TMSI is known only to the mobile phone and the cellular network. However, there are ways to circumvent this protection. By repeatedly calling a subscriber or sending SMS messages (preferably Silent SMS) while observing the PCH and correlating the results, the TMSI of the attacked subscriber can be picked out with a certain accuracy.

    In addition, with access to the SS7 inter-operator network, the IMSI and LAC of a number's owner can be looked up by phone number. The problem is that in the SS7 network all operators "trust" each other, which lowers the privacy level of their subscribers' data.

    3.3 Authentication


    To protect against spoofing, the network authenticates the subscriber before starting to serve it. Besides the IMSI, the SIM card stores a randomly generated value called Ki, which it only ever returns in hashed form. Ki is also stored in the operator's HLR and is never transmitted in clear text. In general, the authentication process is based on the principle of a four-way handshake:



    1. The subscriber performs a Location Update Request, then provides its IMSI.
    2. The network sends a pseudo-random value RAND.
    3. The phone's SIM card hashes Ki and RAND using the A3 algorithm: A3(RAND, Ki) = SRAND.
    4. The network also hashes Ki and RAND with the A3 algorithm.
    5. If the SRAND value from the subscriber side matches the value calculated on the network side, the subscriber has passed authentication.
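    The handshake above as a runnable model, added here as an example and not taken from the original article. The real A3 is operator-specific (COMP128 variants, MILENAGE) and is not on the page, so HMAC-SHA256 truncated to 32 bits stands in for it; the sizes follow GSM (128-bit Ki and RAND, 32-bit response, called SRAND in the text and SRES in the specifications). The IMSI and Ki values are constructed. The point the code makes is the one the section makes: Ki stays inside the SIM and the AuC, only RAND and the response cross the air interface, and a card that claims the same IMSI without the right Ki fails step 5.

```python
"""Challenge-response authentication from section 3.3, as a runnable model.

Added example, not code from the original article. The real A3 is
operator-specific (COMP128 variants, MILENAGE) and is not on the page, so
HMAC-SHA256 truncated to 32 bits stands in for it here. Sizes follow GSM:
Ki 128 bits, RAND 128 bits, a 32-bit response (SRAND in the text, SRES in
the specifications). All identifiers and keys below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

RAND_BYTES = 16
SRES_BYTES = 4


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: keyed hash of RAND under Ki, truncated to 32 bits."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:SRES_BYTES]


class Sim:
    """Holds Ki and only ever exposes A3(RAND, Ki), never Ki itself."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        if len(rand) != RAND_BYTES:
            raise ValueError("RAND must be 128 bits")
        return a3(self._ki, rand)


class AuC:
    """The operator's copy of each Ki, indexed by IMSI (the HLR/AuC side)."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Return (RAND, expected response); a fresh RAND is drawn unless injected."""
        ki = self._ki_by_imsi[imsi]  # KeyError for an unknown IMSI
        rand = secrets.token_bytes(RAND_BYTES) if rand is None else rand
        return rand, a3(ki, rand)


def authenticate(auc: AuC, sim: Sim, rand: Optional[bytes] = None) -> bool:
    """Steps 2-5 of the handshake; Ki never crosses the air interface."""
    rand, expected = auc.challenge(sim.imsi, rand)   # step 2 and step 4
    response = sim.run_gsm_algorithm(rand)           # step 3, on the SIM
    return hmac.compare_digest(response, expected)   # step 5, on the network


# Constructed test fixtures (test MCC/MNC 001/01, not real subscriber data).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
AUC = AuC()
AUC.provision(IMSI, KI)
GENUINE_SIM = Sim(IMSI, KI)
IMPOSTOR_SIM = Sim(IMSI, bytes(16))  # claims the same IMSI, does not know Ki

if __name__ == "__main__":
    print("genuine SIM:", authenticate(AUC, GENUINE_SIM))
    print("same IMSI without Ki:", authenticate(AUC, IMPOSTOR_SIM))
```

    Note that the network never asks the card for Ki, only for the result of A3 over a value it chose itself; that is what makes step 5 meaningful and why a fresh RAND is drawn for every run.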



    Attack Methods
    Brute-forcing Ki from known RAND and SRAND values can take quite a while. In addition, operators can use their own hash algorithms. There is rather little information on the Internet about brute force attempts. However, not all SIM cards are perfectly protected: some researchers have been able to access the SIM card's file system directly and then extract Ki.

    3.4 Traffic encryption


    According to the specification, there are three algorithms for encrypting user traffic:

    • A5/0 is the formal designation for the absence of encryption, just like OPEN in WiFi networks. I myself have never come across networks without encryption; however, according to gsmmap.org, A5/0 is used in Syria and South Korea.
    • A5/1 is the most widespread encryption algorithm. Despite the fact that breaking it has been demonstrated repeatedly at various conferences, it is used everywhere. To decrypt traffic it is enough to have 2 TB of free disk space and an ordinary personal computer with Linux and the Kraken program on board.
    • A5/2 is an encryption algorithm with deliberately weakened protection. If it is used anywhere, it is only for show.
    • A5/3 is currently the strongest encryption algorithm, developed back in 2002. On the Internet one can find information about some theoretically possible vulnerabilities, but in practice nobody has yet demonstrated breaking it. I do not know why our operators do not want to use it in their 2G networks. After all, it is no obstacle to SORM, since the encryption keys are known to the operator and traffic can be decrypted quite easily on its side. And all modern phones support it perfectly well. Fortunately, modern 3GPP networks do use it.

    Attack methods
    As already mentioned, with sniffing equipment and a computer with 2 TB of storage and Kraken, A5/1 session encryption keys can be found quickly (in a few seconds), after which any traffic can be decrypted. In 2009 the German cryptologist Karsten Nohl demonstrated a way to break A5/1. A few years later, Karsten and Sylvain Munaut demonstrated the interception and decryption of a phone conversation using several old Motorola phones (the OsmocomBB project).

    Conclusion


    My long story has come to an end. The principles of cellular networks are covered in more detail, and from the practical side, in the series of articles Getting to Know OsmocomBB, as soon as I add the remaining parts. I hope I managed to tell you something new and interesting. I look forward to your feedback and comments!

