D. Foo Kune, J. Koelndorfer, N. Hopper, Y. Kim


- News
  - Nov 2011: Carrier IQ
  - Oct 2011: HTC Android phone location leakage
  - April 2011: iPhone and Android location information
- Default options
- HLR (Home Location Register)
- Apps allowing location tracking

- We have the victim’s mobile phone number
- Can we detect if the victim is in/out of an area of interest?
  - Granularity? 100 km²? 1 km²? Next door?
- No collaboration from service provider
  - i.e. How much information leaks from the HLR over broadcast messages?
- Attacks by passively listening
  - Paging channel
  - Random access channel

Location leaks on the GSM air interface, D. F. Kune, J. Koelndorfer, N. Hopper, Y. Kim, NDSS 2012

Media: Ars Technica, Slashdot, MPR, Fox Twin Cities, Physorg, TG Daily, Network World, e! Science News, Scientific Computing, gizmag, Crazy Engineers, PC Advisor, Mobile Magazine, The CyberJungle, Inquisitr

[Figure: network diagram with PSTN, MSC, BSC, VLR, ATR, HLR, HSS, BTS and MS; the BTS-to-MS link is labelled GSM Air Interface]

- IMSI
  - A unique # associated with all GSM
- TMSI
  - Randomly assigned by the VLR
  - Updated in a new area
- PCCH
  - Broadcast paging channel
- RACH
  - Random Access Channel
- SDCCH
  - Standalone Dedicated Control Channel
- A LAC has multiple cell towers that use different ARFCN

Message sequence between BTS and MS (from the slide diagram), with the channel carrying each message:

- Paging Request (PCCH)
- Channel Request (RACH)
- Immediate Assignment (PCCH)
- Paging Response (SDCCH)
- Setup and Data

- Call the victim to ensure they have their phone on
- The network uses an ID unknown to us
- Watermark calls
  - 2 or 3 calls with known delays in between
  - Abort each call before completion, 5 seconds after dialing
  - Paging messages issued, but victim’s phone never rings
- Attempt to recover the watermark on the paging channel
  - Find paging messages with IDs and delays similar to the ones we used
- Result
  - Case 1: watermark on PCCH is heard
    - The victim is in the same LAC
  - Case 2: immediate assignment on AGCH is heard “regularly”
    - The victim is within the same cell tower
  - Case 3: the RACH traffic from the victim’s phone is heard
    - They are really close (20 m)

- Motorola C118 ($30)
- VirtualBox running Ubuntu and OsmocomBB software (free)
- Serial cable and reprogrammer cable ($30)
- HTC Dream with custom Android kernel ($100)

[Figure: PSTN and PCH events on a time axis, with the interval dt marked]

- Delay between the call initiation and the paging request: 3 sec
- Median delay between call initiation and ring: 6 sec
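The watermark calls described earlier leave a trace on the carrier side: repeated attempts from one caller to one callee, each held past the 3-second paging delay but released before the 6-second median ring delay. A check for that pattern over call-attempt records follows as an added example, not part of the original slides; the record schema, `WINDOW_S` and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

PAGING_DELAY_S = 3.0  # slides: call initiation -> paging request
RING_DELAY_S = 6.0    # slides: median call initiation -> ring
MIN_PROBES = 2        # slides: 2 or 3 watermark calls
WINDOW_S = 300.0      # assumed look-back window, not from the slides

def is_silent_probe(a):
    """Held long enough to trigger paging, released before the phone rings."""
    held = a["released"] - a["initiated"]
    return not a["rang"] and PAGING_DELAY_S <= held < RING_DELAY_S

def flag_silent_paging(attempts):
    """Map (caller, callee) -> initiation times of the largest burst of
    silent probes within WINDOW_S, for pairs with >= MIN_PROBES probes."""
    probes = defaultdict(list)
    for a in sorted(attempts, key=lambda r: r["initiated"]):
        if is_silent_probe(a):
            probes[(a["caller"], a["callee"])].append(a["initiated"])
    flagged = {}
    for pair, times in probes.items():
        best, start = [], 0
        for end in range(len(times)):
            # shrink the window until it spans at most WINDOW_S seconds
            while times[end] - times[start] > WINDOW_S:
                start += 1
            if end - start + 1 > len(best):
                best = times[start:end + 1]
        if len(best) >= MIN_PROBES:
            flagged[pair] = best
    return flagged

def rec(caller, callee, initiated, released, rang):
    return {"caller": caller, "callee": callee, "initiated": initiated,
            "released": released, "rang": rang}

# Constructed call-attempt records (hypothetical schema, times in seconds).
SAMPLE = [
    rec("A", "V", 0.0, 5.0, False),       # three aborted calls, known gaps
    rec("A", "V", 30.0, 35.0, False),
    rec("A", "V", 75.0, 80.0, False),
    rec("B", "V", 100.0, 160.0, True),    # ordinary answered call
    rec("C", "W", 200.0, 201.0, False),   # released before paging
    rec("D", "W", 10.0, 15.0, False),     # isolated aborted calls,
    rec("D", "W", 4000.0, 4005.0, False)  # too far apart to correlate
]

if __name__ == "__main__":
    for pair, times in flag_silent_paging(SAMPLE).items():
        print(pair, times)
```

Because the 6-second figure is a median, some legitimate short calls fall inside the band, so a flagged pair is a lead for review rather than proof.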

- Is the IA message sent to all towers in the same LAC?
- How do we identify the IA message?
  - No identifiable information
  - Check the correlation between IA and Paging request

Towers in this area are observable with a rooftop 12 dB gain antenna.

[Figure labels: Observer; Downtown Minneapolis; John’s newly shaved head; Yagi antenna]

[Figure: map with Observer, Start and End markers]

Approximate areas covered by the towers to which the victim’s phone was attached.