GSM
GSM (from the name of the Groupe Spécial Mobile group; later renamed Global System for Mobile Communications; Russian designation SPS-900) is a global digital standard for mobile cellular communication with channel separation on the TDMA principle and a medium degree of security. It was developed under the auspices of the European Telecommunications Standards Institute (ETSI) in the late 1980s.
General information
GSM belongs to the second generation (2G) of networks, although as of 2010 it is conventionally placed at phase 2.75G thanks to numerous extensions (1G: analog cellular communication; 2G: digital cellular communication; 3G: broadband digital cellular communication switched through general-purpose computer networks, including the Internet).
Cell phones are produced for four frequency bands: 850 MHz, 900 MHz, 1800 MHz and 1900 MHz.
Depending on the number of bands supported, phones are divided into classes; the bands used vary with the region of use.
- Single-band: the phone operates on one frequency band. These are no longer produced, but some phone models, for example the Motorola C115, allow a particular band to be selected manually or via the phone's engineering menu.
- Dual-band: 900/1800 for Europe, Asia, Africa and Australia; 850/1900 for America and Canada.
- Tri-band: 900/1800/1900 for Europe, Asia, Africa and Australia; 850/1800/1900 for America and Canada.
- Quad-band: supports all bands, 850/900/1800/1900.
The GSM standard uses GMSK modulation with a normalized bandwidth BT = 0.3, where B is the filter bandwidth at the −3 dB level and T is the duration of one bit of the digital message.
GSM is the most widespread communication standard today. According to the GSM Association (GSMA) [2], this standard accounts for 82% of the world mobile communication market, and 29% of the world's population uses GSM technologies. The GSMA now includes operators from more than 210 countries and territories.
Development stages
GSM originally stood for Groupe Spécial Mobile, after the study group that created the standard. It is now known as Global System for Mobile Communications, although the word "Communications" is not part of the abbreviation. Development of GSM began in 1982 with a group of 26 European national telephone companies. The European Conference of Postal and Telecommunications Administrations (CEPT) aimed to build a single cellular system in the 900 MHz band for all European countries. A rare success for the European Union, the achievement of GSM became "one of the most convincing demonstrations of what cooperation in European industry can achieve in the global market".
In 1989 the European Telecommunications Standards Institute (ETSI) took charge of the further development of GSM. The first recommendations were published in 1990, and the specification was published in 1991.
Commercial GSM networks began operating in European countries in mid-1991. GSM was developed later than the first cellular systems and was in many respects better designed. Its North American counterpart, PCS, grew from several roots, including the TDMA and CDMA digital technologies, but the increased service capacity claimed for CDMA was never really confirmed.
GSM Phase 1
1982: Groupe Spécial Mobile; 1990: Global System for Mobile Communications. The first commercial network started in January 1992. A digital standard supporting data rates up to 9.6 kbps. It is now completely obsolete, and equipment for it is no longer manufactured.
In 1991 the services of the GSM "PHASE 1" standard were introduced.
They include:
- Call forwarding. Incoming calls can be transferred to another phone number when the number is busy or the subscriber does not answer, when the phone is switched off or out of network coverage, etc. Fax and data calls can also be forwarded.
- Call barring. Barring of all incoming or outgoing calls; barring of outgoing long-distance calls; barring of incoming calls except those from within the network.
- Call waiting. This service allows an incoming call to be accepted during a conversation already in progress. The first subscriber either remains connected or the conversation with that subscriber can be ended.
- Call holding. This service allows the user, without ending the connection with one subscriber, to call (or answer an incoming call from) another subscriber.
- Global roaming. When visiting any country with which your operator has signed the relevant agreement, you can use your GSM phone without changing your number.
GSM Phase 2
1993; the 1900 MHz band was added in 1995. A digital standard supporting data rates up to 9.6 kbps. Now obsolete. The second stage of GSM development, "PHASE 2", completed in 1997, provides the following services:
- Calling Line Identification Presentation. During an incoming call the caller's number is shown on the screen.
- Calling Line Identification Restriction. With this service the subscriber can prevent his own number from being identified when connecting to another subscriber.
- Group call (Multi party). The teleconference or conference mode allows up to five subscribers to be joined in a group, with all members of the group able to talk at the same time.
- Closed User Group of up to ten subscribers. Creates a user group whose members can communicate only among themselves. This service is most often used by companies that provide terminals to their employees for work.
- Call cost information. This includes a timer that counts line time and a call counter. The service also allows the remaining credit on the account to be checked. A related service, Advice of Charge, shows the cost and duration of a conversation on the user's request while the device is connected.
- Alternative Line Service. The user can buy two numbers assigned to one SIM module. Communication is then carried over two lines, with two accounts, two voice mailboxes, etc.
- Short Message Service. The ability to receive and send short text messages (up to 160 characters).
- Voice Mail. The service automatically transfers incoming calls to a personal answering machine (voice mailbox). It can be used only if the subscriber has the call forwarding service activated.
GSM Phase 2+
The next stage of development of GSM networks, "PHASE 2+", is not tied to a specific year of implementation. New services and functions are standardized and implemented after their technical descriptions are prepared and approved. All work on the "Phase 2+" stage was carried out by the European Telecommunications Standards Institute (ETSI). The number of services already implemented or in the approval stage exceeds 50. Among them are:
- improved SIM card software;
- improved full-rate speech coding, EFR (Enhanced Full Rate);
- interworking between the GSM and DECT systems;
- higher data transfer rates through packet data transmission, GPRS (General Packet Radio Service), or through circuit-switched data transmission, HSCSD (High Speed Circuit Switched Data).
Services provided
GSM supports the following services:
- Data services (synchronous and asynchronous data exchange, including packet data transmission, GPRS). These services do not guarantee compatibility of terminal devices and provide only the transfer of information to and from them.
- Voice transmission.
- Short message transmission (SMS).
- Fax messaging.
Additional (optional) services:
- Calling number identification and restriction of such identification.
- Unconditional and conditional forwarding of a call to another number.
- Call waiting and call holding.
- Conference calling (simultaneous speech communication between three or more mobile stations).
- Barring of user-defined services (long-distance calls, roaming calls, etc.)
- Voice mail.
and many other services.
Advantages and shortcomings
Advantages of the GSM standard:
- Smaller size and weight of handsets compared with the analog standards (NMT-450, AMPS-800), with longer operating time between battery charges. This is achieved mainly through the base station equipment, which constantly analyses the signal level received from the subscriber station; when it is higher than required, the phone is automatically commanded to reduce its transmit power.
- High quality of communication given a sufficient density of base stations.
- High network capacity and the possibility of a large number of simultaneous connections.
- A low level of industrial radio interference in these frequency bands.
- Improved (compared with the analog systems) protection against interception and illegal use, achieved by applying encryption algorithms with a shared key.
- Efficient speech coding (compression). The EFR technology was developed by Nokia Corporation and later became the industry standard codec for GSM.
- Wide distribution, especially in Europe, and a wide choice of equipment. Today the GSM standard is supported by 228 operators from 110 countries officially registered in the Association of GSM operators.
- Roaming. A subscriber of one GSM network can use the phone number not only "at home" but also while travelling worldwide, moving from one network to another without giving up the number. The transition from network to network is automatic, and the GSM user does not need to notify the operator in advance (some operators may restrict roaming for their subscribers; more detailed information can be obtained directly from the GSM operator).
Shortcomings of the GSM standard:
- Distortion of speech during digital processing and transmission.
- Communication range of no more than 120 km[1] from the nearest base station, even when amplifiers and directional antennas are used. Covering a given area therefore requires more transmitters than in NMT-450 and AMPS.
Standards and radio interface
The GSM standard defines four operating bands (a fifth also exists):
900/1800 MHz (used in Europe and Asia)
Characteristic | GSM-900 | GSM-1800
MS transmit / BTS receive frequencies, MHz | 890 - 915 | 1710 - 1785
MS receive / BTS transmit frequencies, MHz | 935 - 960 | 1805 - 1880
Duplex spacing between receive and transmit, MHz | 45 | 95
Number of frequency channels (channel width 200 kHz) | 124 | 374
Channel bandwidth, kHz | 200 | 200
GSM-900
A digital mobile communication standard in the frequency range 890 to 915 MHz (from the phone to the base station) and 935 to 960 MHz (from the base station to the phone). The number of actual traffic channels is much larger than shown in the table above, because TDMA time division is also used: several subscribers can work on the same frequency in different time slots.
In some countries the GSM-900 frequency range was extended to 880 - 915 MHz (MS -> BTS) and 925 - 960 MHz (MS <- BTS), which increased the maximum number of communication channels by 50. This modification is called E-GSM (extended GSM).
GSM-1800
A modification of the GSM-900 standard: a digital mobile communication standard in the frequency range 1710 to 1880 MHz.
Specific features:
- The maximum transmit power of GSM-1800 mobile phones is 1 W, compared with 2 W for GSM-900. This gives longer continuous operation without recharging the battery and a lower level of radio emission.
- High network capacity, which is important for large cities.
- The possibility of using handsets that work in both the GSM-900 and GSM-1800 standards. Such a device operates in the GSM-900 network but, on entering a GSM-1800 zone, switches over manually or automatically. This lets the operator use the frequency resource more rationally and lets customers save money through lower rates. The subscriber uses one number in both networks. However, use of the device in two networks is possible only when both networks belong to one company, or when a roaming agreement has been signed between the companies operating in the different bands.
The problem is that the coverage area of each base station is much smaller than in the GSM-900, AMPS/DAMPS-800 and NMT-450 standards, so more base stations are needed. The higher the radiated frequency, the greater the penetrating power of the radio waves (characterized by the so-called skin depth) and the lower their ability to be reflected and to bend around obstacles.
850/1900 MHz (used in the USA, Canada and certain countries of Latin America and Africa)
Characteristic | GSM-850 | GSM-1900
MS transmit / BTS receive frequencies, MHz | 824 - 849 | 1850 - 1910
MS receive / BTS transmit frequencies, MHz | 869 - 894 | 1930 - 1990
Duplex spacing between receive and transmit, MHz | 45 | 80
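As an added example, not part of the original article, the following Python code encodes the four bands from the two tables above (plus the E-GSM extension described under GSM-900) as ARFCN ranges and derives from them the uplink/downlink frequencies, the channel counts (124 and 374, and the 50 extra E-GSM channels) and the duplex spacings. The ARFCN numbering and frequency offsets follow the 3GPP radio specifications (TS 45.005); the band keys used in the dictionary and the eight-slot capacity figure (each 200 kHz carrier carries eight TDMA time slots) are this example's own additions.

```python
# Added example (not from the original article): GSM band plan as ARFCN
# ranges. ARFCN-to-frequency rules follow 3GPP TS 45.005; the band keys
# ("GSM900", "EGSM", ...) are this example's own names. All arithmetic is
# done in integer kHz so the results are exact.
from typing import Tuple

CHANNEL_SPACING_KHZ = 200
TDMA_SLOTS_PER_CARRIER = 8   # each carrier is shared by 8 time slots

# band -> (list of (first_arfcn, last_arfcn, uplink kHz at first_arfcn),
#          duplex spacing downlink minus uplink in kHz)
BANDS = {
    "GSM900":  ([(1, 124, 890_200)], 45_000),
    # E-GSM adds ARFCN 0 and 975..1023 below the P-GSM block (880-915 MHz)
    "EGSM":    ([(0, 124, 890_000), (975, 1023, 880_200)], 45_000),
    "DCS1800": ([(512, 885, 1_710_200)], 95_000),
    "GSM850":  ([(128, 251, 824_200)], 45_000),
    "PCS1900": ([(512, 810, 1_850_200)], 80_000),
}


def arfcn_to_freq(band: str, arfcn: int) -> Tuple[int, int]:
    """Return (uplink_kHz, downlink_kHz) for an ARFCN in the given band.

    Uplink is MS transmit / BTS receive; downlink is BTS transmit / MS receive.
    Raises ValueError if the ARFCN is not allocated in that band, because the
    same ARFCN value means different frequencies in DCS-1800 and PCS-1900.
    """
    ranges, duplex = BANDS[band]
    for first, last, uplink_at_first in ranges:
        if first <= arfcn <= last:
            uplink = uplink_at_first + CHANNEL_SPACING_KHZ * (arfcn - first)
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not allocated in {band}")


def freq_to_arfcn(band: str, uplink_khz: int) -> int:
    """Inverse of arfcn_to_freq for an uplink (MS transmit) channel centre."""
    ranges, _ = BANDS[band]
    for first, last, uplink_at_first in ranges:
        offset = uplink_khz - uplink_at_first
        if offset % CHANNEL_SPACING_KHZ == 0 and 0 <= offset // CHANNEL_SPACING_KHZ <= last - first:
            return first + offset // CHANNEL_SPACING_KHZ
    raise ValueError(f"{uplink_khz} kHz is not a channel centre in {band}")


def channel_count(band: str) -> int:
    """Number of 200 kHz frequency channels in the band (124 for GSM-900, 374 for GSM-1800)."""
    ranges, _ = BANDS[band]
    return sum(last - first + 1 for first, last, _ in ranges)


def full_rate_slots(band: str) -> int:
    """Simultaneous full-rate time slots: frequency channels times TDMA slots per carrier."""
    return channel_count(band) * TDMA_SLOTS_PER_CARRIER


def band_edges_mhz(band: str) -> Tuple[float, float, float, float]:
    """(uplink low, uplink high, downlink low, downlink high) channel centres in MHz."""
    ranges, _ = BANDS[band]
    ups = [arfcn_to_freq(band, a)[0] for first, last, _ in ranges for a in (first, last)]
    downs = [arfcn_to_freq(band, a)[1] for first, last, _ in ranges for a in (first, last)]
    return min(ups) / 1000, max(ups) / 1000, min(downs) / 1000, max(downs) / 1000


if __name__ == "__main__":
    for name in BANDS:
        print(f"{name:8s} channels={channel_count(name):4d} slots={full_rate_slots(name):5d}"
              f" duplex={BANDS[name][1] // 1000} MHz edges={band_edges_mhz(name)}")
```

Because DCS-1800 and PCS-1900 share the ARFCN values 512 to 810, a bare channel number is ambiguous; the band must always be carried alongside it, which is why the functions take the band as an explicit argument and refuse ARFCNs outside the band's allocation.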
Structure of GSM
The GSM system consists of three main subsystems:
- the base station subsystem (BSS, Base Station Subsystem),
- the network switching subsystem (NSS, Network Switching Subsystem),
- the operation and maintenance centre (OMC, Operation and Maintenance Centre).
GSM terminal devices, the mobile stations (MS, Mobile Station), also known as mobile (cellular) phones, form a separate equipment class.
Subsystem of base stations
The BSS consists of the base stations proper (BTS, Base Transceiver Station) and the base station controllers (BSC, Base Station Controller). The area covered by a GSM network is divided into hexagonal cells. The diameter of a cell can vary from 400 m to 50 km. The maximum theoretical cell radius is 120 km[1], limited by the system's ability to compensate for signal delay during synchronization. Each cell is served by one BTS, and neighbouring cells partially overlap so that an MS moving from one cell to another can be handed over without the connection being broken (the transfer of a mobile phone (MS) from one base station (BTS) to another when the phone leaves the reach of the current base station during a conversation or GPRS session is called a handover). In reality the signal from each station propagates over a roughly circular area, but where the circles intersect the regular hexagons emerge. Each base station has six neighbours because station placement is planned to minimize the overlap zones between stations; more than six neighbours gives no particular benefit. Taking the coverage boundary of each station within the overlap area, the result is hexagons.
The base transceiver station (BTS) provides signal reception and transmission between the MS and the base station controller. A BTS is autonomous and modular. Base station directional antennas can be mounted on towers, building roofs, etc.
The base station controller (BSC) manages the connections between the BTSs and the switching subsystem. Its responsibilities also include managing connection priorities and data rates, allocating radio channels, collecting statistics, supervising various radio measurements, and assigning and controlling the handover procedure.
Switching subsystem
The NSS is built from the following components:
Mobile Switching Centre (MSC)
The MSC controls a certain geographical zone and the BTSs and BSCs located in it. It sets up connections to and from the subscriber in the GSM network and provides the interface between GSM and the PSTN, other radio networks and data networks. It also performs call routing, call management and handover when an MS moves from one cell to another. After a call ends, the MSC processes the call data and passes it to the billing centre to produce the invoice for the services provided, and collects statistics. The MSC also continuously monitors the position of the MS using data from the HLR and VLR, which is needed to find the MS quickly and set up a connection when it is called.
Home Location Register (HLR)
Contains the database of the subscribers assigned to it: information on the services provided to each subscriber, status information needed when the subscriber is called, and the International Mobile Subscriber Identity (IMSI), which is used to authenticate the subscriber (through the AUC). Each subscriber is assigned to one HLR. All MSCs and VLRs in the GSM network have access to this HLR, and in the case of inter-network roaming so do the MSCs of other networks.
Visitor Location Register (VLR)
The VLR tracks the movement of MSs from one zone to another and holds a database of the mobile subscribers currently in its zone, including subscribers of other GSM systems (roamers). Subscriber data is removed from the VLR when the subscriber moves to another zone. This scheme reduces the number of queries to the subscriber's HLR and therefore the call set-up time.
Equipment Identity Register (EIR)
Contains the database needed to verify the authenticity of an MS by its IMEI (International Mobile Equipment Identity). It maintains three lists: white (permitted for use), gray (some problem with identifying the MS) and black (MS prohibited from use). Russian operators (and most operators in the CIS countries) use only white lists, which does not solve the problem of mobile phone theft once and for all. If the owner enters his stolen phone in the black list, the phone stops working and is therefore of no commercial interest to thieves.
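As an added example, not from the original article, the following Python code shows an EIR-style check: the IMEI is first validated for form (15 digits, the last of which is a Luhn check digit, as specified in 3GPP TS 23.003) and then classified against white, gray and black lists with black taking precedence. The list contents and IMEI values are constructed samples, not real handsets, and the admission policy (including the "white-list-only" mode described for Russian operators above) is this example's own.

```python
# Added example (not from the original article): an EIR-style IMEI check.
# The 15-digit IMEI format with a Luhn check digit is per 3GPP TS 23.003;
# the list contents below are constructed sample values, not real handsets.
from typing import Iterable


def _normalize(imei: str) -> str:
    """Strip the separators commonly printed on labels (49-015420-323751-8)."""
    return imei.replace(" ", "").replace("-", "")


def luhn_check_digit(body14: str) -> int:
    """Compute the 15th (Luhn) digit for a 14-digit IMEI body."""
    total = 0
    # Walk the body from the right; the digit nearest the check digit is doubled.
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if the IMEI is 15 digits and its check digit matches the body."""
    digits = _normalize(imei)
    if len(digits) != 15 or not digits.isdigit():
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def tac(imei: str) -> str:
    """Type Allocation Code: the first 8 digits, identifying the device model."""
    return _normalize(imei)[:8]


class EIR:
    """Equipment Identity Register with white/gray/black lists."""

    def __init__(self, white: Iterable[str] = (), gray: Iterable[str] = (),
                 black: Iterable[str] = (), whitelist_only: bool = False) -> None:
        self.white = {_normalize(i) for i in white}
        self.gray = {_normalize(i) for i in gray}
        self.black = {_normalize(i) for i in black}
        self.whitelist_only = whitelist_only

    def classify(self, imei: str) -> str:
        """Return 'invalid', 'black', 'gray', 'white' or 'unknown'.

        A malformed IMEI is rejected before any lookup; black overrides gray,
        gray overrides white, so a stolen handset cannot be rescued by also
        appearing on the white list.
        """
        if not is_valid_imei(imei):
            return "invalid"
        digits = _normalize(imei)
        if digits in self.black:
            return "black"
        if digits in self.gray:
            return "gray"
        if digits in self.white:
            return "white"
        return "unknown"

    def admit(self, imei: str) -> bool:
        """Admission decision: invalid/black rejected, gray admitted (for tracking),
        unknown admitted only when the operator does not run a white-list-only policy."""
        verdict = self.classify(imei)
        if verdict in ("invalid", "black"):
            return False
        if verdict == "unknown":
            return not self.whitelist_only
        return True


# Constructed sample lists (valid check digits, no relation to real devices).
SAMPLE_EIR = EIR(white=["490154203237518"],
                 gray=["350000000000014"],
                 black=["350000000000006"])

if __name__ == "__main__":
    for candidate in ("49-015420-323751-8", "350000000000006", "350000000000022", "490154203237519"):
        print(candidate, tac(candidate), SAMPLE_EIR.classify(candidate), SAMPLE_EIR.admit(candidate))
```

The check digit only catches mistyped or truncated IMEIs; it does not prove that the device really carries that IMEI, which is why the gray list exists for handsets whose identity is doubtful but not yet confirmed stolen.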
Authentication Centre (AUC)
Here the subscriber, or more precisely the SIM (Subscriber Identity Module), is authenticated. Network access is granted only after the SIM passes the authentication procedure: the AUC sends a random number RAND to the MS; then, in parallel, the AUC and the MS encrypt RAND with the Ki key of this SIM using a special algorithm. The MS and the AUC return the "signed responses", SRES (Signed Response), which are the result of this encryption, to the MSC. The MSC compares the responses, and if they match, authentication is considered successful.
Operations and Maintenance Centre (OMC)
The OMC is connected to the other network components and provides quality monitoring and management of the whole network. It processes alarms that require operator intervention, checks the network state and the possibility of call admission, performs software updates on all network elements, and carries out some other functions.
Sources of threats in the GSM system
All descriptive information here is highly simplified and is intended only as an introduction to the procedures. More detailed information and technical specifications are publicly available [2][3].
Main sources of threats:
1. SORM, the system of technical means for supporting operational search (investigative) activities.
2. The service provider (mobile operator).
3. Manufacturers of mobile devices and of their control software (operating systems).
4. Interception of traffic on the radio channel (active, semi-active and passive interception complexes and other interception means).
Protection methods:
- Dynamic identifiers (IMSI+Ki, IMEI)
- Forced use of the A5/1 encryption algorithm in the GSM network.
- Security policy at the SIM level.
- Voice distortion
- Substitution of the calling number.
- No location data
- No billing data
- Impossibility of establishing that a call actually took place between two subscribers.
Principles of counteraction:
To place a mobile phone or SIM card under technical surveillance, its identifiers must be known. All communication networks in the world are controlled by state regulators and are technically connected to SORM (all information about this system is available on the Internet).
For the mobile device the main identifier is the IMEI (International Mobile Equipment Identity). This parameter is transmitted to the network.
For the subscriber the identifier is the IMSI (International Mobile Subscriber Identity), the individual subscriber number. This parameter is transmitted to the network.
The public parameter MSISDN (Mobile Subscriber Integrated Services Digital Number) is the mobile subscriber's number in an integrated-services digital network, used for communication in the GSM, UMTS and similar standards. This parameter is not transmitted to the network but is mapped to the IMSI.
These parameters are sufficient to obtain the necessary operational information and to use it for analytical conclusions. With these identifiers, SORM, interception complexes and other means can yield the following information about a subscriber:
- from an IMEI, all IMSIs of the SIM cards used in that device and consequently all billing data for those SIM cards (location, circle of contacts, SMS, MMS, voice, URLs, logins and passwords, etc.);
- from an IMSI, all IMEIs of the devices in which it was used and the IMSIs of the other SIM cards used in those devices, and consequently the same billing data as in the previous case.
SECURE SIM has no billing at any operator because it is not their property. SECURE SIM has no publicly accessible MSISDN.
Operation of SECURE SIM and a normal SIM in a GSM network
Registration of the phone in the network and cell selection
Each time the phone is switched on, network selection and registration of the subscriber in that network take place.
- After a phone with a normal SIM is switched on, the frequencies are scanned and the cell with the highest signal level is selected. SECURE SIM works only with the cell whose signal level is the second highest. This algorithm provides protection against interception complexes.
- After synchronization, equipment identification and subscriber authentication in the network take place. A normal SIM card authenticates in the operator's network according to algorithm A3. This protocol computes the SRES value, which completes the authentication procedure. The computation of SRES in algorithm A3 uses the IMSI and Ki parameters. In a normal SIM card the IMSI is burned into the card and does not change. SECURE SIM holds several profiles with IMSI+Ki pairs.
Encryption in the GSM network
Session encryption is provided by the A5 algorithm, which uses the session key Ks in its computations. Ks in turn is computed by algorithm A8 from the Ki and RAND parameters. In a normal SIM card Ki is fixed, as is the IMSI. SECURE SIM uses several profiles with IMSI+Ki pairs.
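As an added example, not part of the original article, the following Python code walks through the challenge-response described in the AUC section and in the two paragraphs above as a data flow: the AuC issues RAND, both sides compute SRES with A3 and the session key (Ks in the text above, Kc in the GSM specifications) with A8, and the MSC compares the two SRES values and releases Kc for A5 ciphering only on a match. The parameter sizes (128-bit RAND and Ki, 32-bit SRES, 64-bit Kc) are those of the GSM specifications; the A3/A8 function itself is operator-specific and is replaced here by an HMAC-SHA256 stand-in, which is an assumption of this example and not the real algorithm. The IMSI and Ki values are constructed test data.

```python
# Added example (not from the original article): the GSM challenge-response
# between AuC/MSC and SIM as a data flow. Sizes (RAND 128 bit, Ki 128 bit,
# SRES 32 bit, Kc 64 bit) follow the GSM specifications; the A3/A8 function
# is operator-specific and is replaced here by HMAC-SHA256 (an assumption of
# this example, not the real algorithm).
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

RAND_LEN, KI_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in A3/A8: derive SRES (A3) and the session key Kc (A8) from Ki and RAND."""
    if len(ki) != KI_LEN or len(rand) != RAND_LEN:
        raise ValueError("Ki and RAND must be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class SIM:
    """Subscriber side: holds IMSI and Ki. Ki never leaves the card; only SRES does."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class AuC:
    """Network side: the only other holder of Ki, indexed by IMSI."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._keys = dict(subscribers)

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        """Authentication triplet (RAND, expected SRES, Kc) handed to the MSC/VLR.

        A fresh RAND is drawn for every challenge unless one is supplied
        (supplying one is only for deterministic testing).
        """
        ki = self._keys[imsi]          # KeyError for an unknown subscriber
        rand = rand if rand is not None else secrets.token_bytes(RAND_LEN)
        sres, kc = a3_a8(ki, rand)
        return rand, sres, kc


def authenticate(auc: AuC, sim: SIM, rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
    """MSC role: challenge the SIM with RAND and compare its SRES with the AuC's.

    Returns (accepted, Kc); Kc is released for A5 ciphering only on success.
    """
    try:
        rand, expected_sres, kc = auc.triplet(sim.imsi, rand)
    except KeyError:
        return False, None
    sres_from_ms, _ = sim.run_gsm_algorithm(rand)   # only SRES crosses the air interface
    if hmac.compare_digest(sres_from_ms, expected_sres):
        return True, kc
    return False, None


# Constructed sample subscriber: IMSI in the 001-01 test PLMN, arbitrary Ki.
TEST_IMSI = "001010123456789"
TEST_KI = bytes.fromhex("0123456789abcdef0123456789abcdef")
NETWORK = AuC({TEST_IMSI: TEST_KI})

if __name__ == "__main__":
    ok, kc = authenticate(NETWORK, SIM(TEST_IMSI, TEST_KI))
    print("genuine SIM accepted:", ok, "Kc:", kc.hex() if kc else None)
    clone = SIM(TEST_IMSI, bytes(KI_LEN))   # right IMSI, wrong Ki
    print("clone with wrong Ki accepted:", authenticate(NETWORK, clone)[0])
    print("unknown IMSI accepted:", authenticate(NETWORK, SIM("001019999999999", TEST_KI))[0])
```

Two points the flow makes visible: a SIM that carries a valid IMSI but not the matching Ki produces a different SRES and is refused, and because the network never sends Kc over the air, the session key depends entirely on Ki and the per-session RAND, which is why the page's note that Ki is fixed for the lifetime of a normal SIM matters.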
To lower the encryption level from A5/1 to A5/2 or A5/0, the operator, or alternatively an interception complex, sends a service command to the mobile subscriber's number, the MSISDN. With a normal SIM card the mobile number MSISDN is tied to a specific IMSI+Ki pair and is stored at the issuing operator. SECURE SIM does not belong to any operator and has no fixed MSISDN, since it has several profiles. Even if SECURE SIM enters the zone of a base station subsystem (BSS) and the command to remove encryption is issued via a broadcast PagingRequest message, it cannot execute this command because the corresponding handler is absent from the SECURE SIM algorithm.
Call
After dialing the number, a normal SIM subscriber presses the call key. At this moment the phone sends an ALERT signal over the FACCH fast associated control channel to the BSS (base station subsystem) and from there to the MSC (switching centre). The switch then sends an AddressComplete message to the calling party. The calling subscriber hears the ringing tone and the called subscriber hears the ringing signal.
Knowing the mobile number (MSISDN) of subscriber A or B, all details of the call and the session can be obtained from the operator's billing. The session can also be intercepted over the air with an interception complex.
The Tottoli GSM subscriber dials the number and presses Call. The SIM card applet intercepts the call and redirects it to our service number. We use several service numbers tied to different servers in different countries. Service numbers are delivered to the SIM card over the air (OTA) without the subscriber's involvement. Thus each call from the subscriber is placed to a unique service number. The call is then forwarded to the Tottoli GSM PBX. This method of communication is robust and safe for the subscriber because several network entry points are used. Unfortunately this mechanism is not supported in all countries or by all operators; in that case CallBack must be used, whose security properties do not differ from a direct call (CallThru).
With this call logic, no information can be obtained from the operator's billing, because it is not known at which operator the Tottoli GSM SIM card is currently registered, and there is no public MSISDN identifier from which the IMSI, Ki and IMEI could be obtained. Even if subscriber B is under surveillance, it is impossible to tell who the conversation was with, because the session consists of two legs with the server PBX between them. Thus your circle of contacts cannot be determined.
Receiving a call
A call to a normal SIM card follows the standard procedures. After the call set-up procedure and the assignment of a TMSI (the temporary mobile station identifier) within the coverage area of the VLR, the traffic channel is established and the session is considered set up. At the same time the operator's billing records which device initiated the call, the location of the receiving device at the time of the session, the call duration, etc.
A call to Tottoli GSM proceeds as follows. The Tottoli GSM SIM card is assigned a virtual number (DID) which, on receiving a call from the network, converts it to the SIP protocol and routes it to the PBX. The PBX in turn identifies the subscriber to whom this DID is assigned and starts the call procedure described above. Thus neither the location of Tottoli GSM nor the relationship between the two subscribers can be determined; the PBX is always in the gap.
Phonetic control
Given that operators are actively deploying in their networks mechanisms for finding a subscriber by phonetic features (voice print), SECURE SIM offers the ability to distort the acoustic characteristics of incoming and outgoing calls. This mechanism is especially useful when a call is made from AYSIM to a normal SIM.
Result
SECURE SIM, having no billing at any operator, makes it impossible to obtain the information needed for analytical work (circle of contacts (call detail records), locations, real identifiers, voice).
PS
Always remember that a phone is a proprietary device, a black box: nobody but the manufacturer knows what implants it contains, and often even the manufacturer is unaware of some of the bugs. It must also be understood that operator tools are constantly improved. The analytical tools that detect disposable phones from patterns in billing are constantly upgraded: they record the date of the first and last call from a phone, the total number of calls and the proportion of unique subscribers contacted from a given SIM card or device. With access to the billing systems of all national operators it is possible to determine when one phone was discarded and calls began from the next one, and by linking these geolocations to identify the area where the suspicious subscriber lives.
Notes
- In standard mode the theoretical range limit is 35 kilometres, but in Extended Cell (ECell) mode calls at distances up to 120 kilometres are permitted.
- This list is not complete, but it reflects the main channels of information leakage. A more complete threat model is described in the document "Mobile Security Reference Architecture" prepared by the US Federal CIO Council and the U.S. Department of Homeland Security (May 2013).
- Tottoli GSM: Sources of threats in the GSM system
Links
- The GSM Association
- 3GPP: current state of GSM standardization, free standards
- 3GPP specification numbering scheme
- European Telecommunications Standards Institute (ETSI)
- WHO booklet "Establishing a dialogue on risks from electromagnetic fields" (pdf, 2.68 MB)
- "WHO proposals on the project to study the effects of electromagnetic fields; effects of mobile telecommunications radio fields on health; recommendations to public authorities"
- In detail about the main thing: Cellular mobile communication networks in the GSM standard. Samuylov K. E., Nikitina M. V.