GSM Cross-Layer Attack Techniques

This document summarizes a research paper that proposes a cross-layer attack on GSM mobile networks using software-defined radios. The attack involves passively sniffing control messages between base stations and mobile devices to extract information like radio frequencies, hopping parameters, and connection times. This cross-layer information can then be used to selectively impair control channels and target specific cells, channels, and mobile stations with minimal resources. The document describes building an experimental testbed using software-defined radios, an open-source GSM sniffer, and Apache Spark to evaluate the proposed attack.



Cross layer attacks on GSM mobile networks using software defined radios

Conference Paper · January 2017


DOI: 10.1109/CCNC.2017.7983134

3 authors:

Kamrul Hasan, Tennessee State University
Sachin Shetty, Old Dominion University
Taiwo R. Oyedare, Virginia Tech (Virginia Polytechnic Institute and State University)

All content following this page was uploaded by Kamrul Hasan on 23 December 2017.



2017 14th IEEE Annual Consumer Communications & Networking Conference (CCNC)

Cross Layer Attacks on GSM Mobile Networks Using Software Defined Radios

Kamrul Hasan, Sachin Shetty
Virginia Modeling, Analysis and Simulation Center, Old Dominion University, Norfolk, VA, USA
Email: [khasa001, sshetty]@odu.edu

Taiwo Oyedare
Bradley Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, USA
Email: [email protected]

Abstract—The ubiquitous adoption of cellular technologies such as Long Term Evolution (LTE) and Wideband Code Division Multiple Access (WCDMA) has not diminished the impact of Global System for Mobile communication (GSM) technologies. Despite 20 years of deployment, GSM still poses significant security threats to its users because adversaries exploit protocol vulnerabilities. In this paper, we present an attack which leverages cross-layer information from the network or data link layers to craft an attack vector targeting the physical layer. The cross-layer attack gives the attacker sufficient knowledge to specifically target cells, control channels, and mobile stations (MS) with minimal investment of communication and energy resources. We have designed and implemented an experimental testbed comprising software defined radios (SDR) (USRP and GNU Radio), an open source GSM channel sniffer (gr-gsm), and a distributed processing engine (Apache Spark). The experimental testbed also facilitates cloning a base transceiver station (BTS), which benefits from the availability of cross-layer information to create customized attack vectors. The cross-layer attack capability of our experimental testbed provides a cost effective scheme to achieve the desired effect with optimal usage of communication and energy resources. Experimental results show that the testbed can be used to successfully attack multiple mobile stations with minimal usage of power resources.

I. INTRODUCTION

According to the International Telecommunication Union (ITU) [1], by the end of 2015 around 3.2 billion people in the world used the Internet. Over 7 billion people have a mobile subscription, while over 3.74 billion of the population lived in regions with access to GSM [2]. However, GSM is plagued by several vulnerabilities, such as the lack of mutual authentication and of point-to-point encryption.

Several researchers have proposed localized Denial of Service (DoS) attacks on mobile networks. However, the impact of these localized DoS attacks is limited and severely constrained by the power budget of the adversary: they can only limit service availability for the user equipment within the adversary's range. Attacks which leverage cross-layer information, on the other hand, are capable of attacking mobile networks effectively. Cross-layer attacks do not randomly saturate all possible communication channels. Instead, they adopt low power techniques, passively sniffing broadcast control channels to capture messages sent from the base station to the mobile devices. These clear text broadcast messages contain control information exchanged between the base station and mobile devices, for example the radio frequencies used in the operating environment, hopping parameters, the number of mobile devices operating in an area, connection times, etc. This information allows the adversary to selectively impair control channels with less power, extending the damage to multiple mobile devices over a wide area. In addition, the knowledge of network information contained in the control channel can also be used to deploy a man-in-the-middle rogue base station to launch additional attacks.

In this paper, we present an approach to conducting cross-layer attacks on GSM networks. The cross-layer attack focuses on eavesdropping on control messages sent from the base station to the mobile device and analyzing those messages to extract the information needed to launch attacks targeting multiple mobile devices. We designed and instrumented an experimental testbed comprising a software defined radio for passive scanning. SDRs have found wide application due to their reduced cost and the simplicity of launching an attack with them, compared to readily available, high budget passive monitoring systems like Tektronix's K-18 protocol analyzer [3].

The rest of this paper is organized as follows. In Section II we present a review of relevant related work; in Section III we present the cross-layer attack technique; in Section IV we show the implementation of the model using an experimental testbed. In Section V we evaluate the attack model, and in Section VI we conclude and discuss future work.

II. RELATED WORK

Song et al. [4] discuss two types of fake BTS attacks which use the mobile phone's IMSI or IMEI, and a selective jamming attack to block mobile phones. Aragon et al. [5] also made use of an SDR and OpenBTS to set up a fake BTS in order to impersonate the network and then eavesdrop on communications. However, neither effort to attack mobile stations was power conserving.

Yubo et al. [6] implemented a GSM/UMTS phone number interceptor on a pseudo base station with a mobile terminal capable of transmitting arbitrary frames. Their effort only shows how to intercept a phone number in a generic cellular network; it is not clear whether the technique works on a GSM network. Toorani et al. [7] presented an analytical model to describe GSM. However, the model was not empirically validated in an experimental setting.

978-1-5090-6196-9/17/$31.00 ©2017 IEEE



Our approach differs from the approaches explained above in that (1) we find the optimum time when the highest number of MSs are attached to our cloned BTS, and (2) we attack at that optimum time, which saves cost by conserving the power of the adversary. These processes are explained in the results section of this paper.

III. CROSS LAYER ATTACK ON GSM NETWORK

Fig. 1 shows the layered structure of the GSM air interface. Layer 3 is the network layer, which is the most important layer for this work, as the attacker gets all the valuable information from this layer. The main logical channel that is our focus is the broadcast control channel (BCCH), which gives the BTS information (such as Absolute Radio Frequency Channel Number (ARFCN), Location Area Code (LAC), Location Area Identity (LAI), Cell Reselection Hysteresis (CRH) and Received Level Minimum (RXLEVMin)), and the paging control channel (PCH), which gives the number of mobile stations in a serving cell.

Fig. 1: Cross Layer Architecture

The cross-layer attack on a GSM network involves a passive sniffer which can eavesdrop on communication between the base station and the mobile device to extract data link and network layer messages. Fig. 2 shows the series of steps needed to conduct the cross-layer attack on a GSM network.

Fig. 2: Cross-layer attack on GSM network

A. Passive Sniffing of GSM Network

The passive sniffing of downlink and uplink channels in a GSM network is carried out by recording data from the GSM air interface using an SDR. Universal Software Radio Peripheral (USRP) and GNU Radio based SDRs provide the capability to passively sniff a wide range of communication channels. Specifically, we have used a GSM air interface analysis tool to sniff only GSM channels.

B. Parsing GSM Control Messages

The SDR based GSM sniffing capability records data and control messages. In our efforts to launch cross-layer attacks, the control messages provide the relevant data link and network layer information needed to create attack vectors which can then be launched in the physical layer.

C. Extract Cross-Layer Information

The cross layer information extracted from GSM control messages includes the ARFCN, UTRA absolute radio frequency channel number (UARFCN), EUTRA absolute radio frequency channel number (EARFCN), power information, LAI, carrier name, international mobile subscriber identity (IMSI), temporary international mobile subscriber identity (TMSI), cell reselection hysteresis and so on. The ARFCN is a unique number given to each radio channel in GSM, from which the exact frequency of the radio channel is calculated [8]. In the GSM 1900 band, ARFCNs 512 to 885 are typically assigned.

The UARFCN and EARFCN represent neighbor cell information for 3G and 4G networks respectively. The power information indicates the maximum downlink power observed by the sniffer. The LAI reflects the global identity of a particular location of a carrier. The carrier name is mapped from the mobile country code (MCC) and mobile network code (MNC) in a particular country. The IMSI is a 15 digit number which represents the identity of the subscriber and is stored in the memory of the subscriber identity module (SIM). The TMSI is used in place of the IMSI, for security purposes, while data is sent over the air interface between the mobile station and the base transceiver station (BTS). Cell reselection hysteresis (CRH) is the additional amount of power that is needed to force a mobile station to decamp from its current BTS to a more powerful BTS. This cross-layer information can be used to launch an attack vector in the physical layer of the GSM network.

D. Create Attack Vectors

In our work, we discuss two types of cross-layer attack strategy, namely the physical layer jamming attack and the BTS cloning attack.

1) Physical Layer Jamming Attack: In the physical layer jamming attack, the attacker collects information from the control channel data and initiates a physical layer attack with a signal generator to disrupt communication between the mobile station and the BTS. The advantage of this attack is the ability to target the specific channels which are currently operating in the cell, which reduces the power budget.

2) BTS Cloning Attack: In the BTS cloning attack, a man-in-the-middle rogue BTS is deployed. The rogue BTS has access to the cross layer information and can present itself to the mobile station as a legitimate BTS. Once the mobile station connects to the rogue BTS, the rogue BTS can carry out its malicious intent.

IV. IMPLEMENTATION OF THE MODEL

In this section we discuss the implementation of the cross layer attack on an experimental testbed platform.
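Before the testbed details, an added example from the defender's side (not code from the paper or its testbed): it works with the same BCCH fields listed in Section III.C, mapping an ARFCN to its downlink carrier with the 3GPP TS 45.005 band formulas (the 1974.2 MHz T-Mobile carrier mentioned in Section IV corresponds to ARFCN 732 in the PCS 1900 band) and flagging cells that show the cloning pattern of Section III.D.2: the same MCC/MNC as a known cell but an unknown LAC, a downlink level at least CRH above the known cell, or a cipher proposal of A5/0. The CellObservation records, the test PLMN 001-01 and the LAC/power values are constructed; the band table covers more bands than the paper's GSM 1900 testbed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ARFCN ranges per band: (low, high, uplink base MHz, ARFCN origin), plus the
# duplex offset; downlink = uplink + offset. From 3GPP TS 45.05 / GSM 05.05 [8].
_BANDS = {
    "PCS1900": ([(512, 810, 1850.2, 512)], 80.0),   # the paper's GSM 1900 cells
    "DCS1800": ([(512, 885, 1710.2, 512)], 95.0),
    "GSM850":  ([(128, 251, 824.2, 128)], 45.0),
    "EGSM900": ([(0, 124, 890.0, 0), (975, 1023, 890.0, 1024)], 45.0),
}

def arfcn_to_downlink_mhz(arfcn: int, band: str = "PCS1900") -> float:
    """Downlink carrier centre for an ARFCN. The band must be given because
    PCS 1900 and DCS 1800 both use ARFCNs 512-810."""
    ranges, duplex = _BANDS[band]
    for lo, hi, base, origin in ranges:
        if lo <= arfcn <= hi:
            return round(base + 0.2 * (arfcn - origin) + duplex, 1)
    raise ValueError(f"ARFCN {arfcn} is not valid in {band}")

@dataclass
class CellObservation:
    """Fields a passive sniffer recovers from System Information on the BCCH."""
    arfcn: int
    mcc: str
    mnc: str
    lac: int
    rx_power_dbm: float  # strongest downlink level seen by the sniffer
    crh_db: int          # cell reselection hysteresis advertised by the cell
    cipher: str          # cipher mode proposed on attach, e.g. "A5/1" or "A5/0"

def flag_suspect_cells(baseline: List[CellObservation],
                       observed: List[CellObservation]) -> Dict[int, List[str]]:
    """Return {arfcn: [reasons]} for observed cells matching the cloning pattern.
    A genuine neighbour can also be strong or carry a new LAC, so these are
    indicators to investigate, not proof."""
    by_plmn: Dict[Tuple[str, str], List[CellObservation]] = {}
    for cell in baseline:
        by_plmn.setdefault((cell.mcc, cell.mnc), []).append(cell)
    findings: Dict[int, List[str]] = {}
    for cell in observed:
        peers = by_plmn.get((cell.mcc, cell.mnc))
        if not peers:
            continue  # operator not in the baseline: out of scope here
        reasons = []
        if cell.lac not in {p.lac for p in peers}:
            reasons.append(f"LAC {cell.lac} unknown for PLMN {cell.mcc}-{cell.mnc}")
        strongest = max(p.rx_power_dbm for p in peers)
        crh = max(p.crh_db for p in peers)
        # The paper's clone transmits at the original cell's power plus CRH to
        # force reselection, so that margin is the level to watch for.
        if cell.rx_power_dbm >= strongest + crh:
            reasons.append(f"{cell.rx_power_dbm} dBm exceeds strongest known cell "
                           f"({strongest} dBm) by at least CRH ({crh} dB)")
        if cell.cipher == "A5/0":
            reasons.append("A5/0 proposed: traffic would be unencrypted")
        if reasons:
            findings[cell.arfcn] = reasons
    return findings

# Constructed sample: the paper's LAC 1 figures (-132 dBm cell, CRH 10) on the
# test PLMN 001-01, plus a second carrier showing all three indicators.
BASELINE = [CellObservation(732, "001", "01", 1, -132.0, 10, "A5/1")]
OBSERVED = BASELINE + [CellObservation(734, "001", "01", 9, -121.0, 10, "A5/0")]

if __name__ == "__main__":
    print(arfcn_to_downlink_mhz(732))  # 1974.2, the T-Mobile carrier in Sec. IV
    print(flag_suspect_cells(BASELINE, OBSERVED))
```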


A. SDR Based Sniffing of GSM Control Messages

The Ettus SDR USRP2 with a CBX daughterboard (1.2 to 6 GHz) and a VERT 900 vertical antenna (range 1710-1990 MHz) [9], which supports the T-Mobile and AT&T GSM 1900 band in our location, was used as a testbed to record the data from the air. The GNU software toolkit is installed on a laptop running the Linux operating system. GNU Radio serves as the interface between the laptop and the SDR [10]. The gr-gsm module is used to scan GSM channels and decode control messages [11].

B. GSM Protocol Analyzer

We employed Wireshark [12], an open source protocol analyzer, to extract cross-layer information from the GSM control messages collected by gr-gsm for further analysis.

C. Data Analysis of GSM Control Messages

Although Wireshark saves the parsed data as a pcap file, it can also convert it to a text file, which is then sent to our data analysis platform, Spark [13], to find the optimum time when the maximum number of MS are camped on the desired BTS cell.

D. Cross-Layer Based Attack Vectors

We use OpenBTS to deploy a man-in-the-middle rogue base station, which appears to any MS as a trusted base station, and an SDR based GSM signal generator to launch the physical layer attack. The SDR is used as a signal generator to produce the desired power for a physical layer attack irrespective of the wireless technology (2G, 3G or 4G). OpenBTS, on the other hand, is an open source software-based GSM access point [14]. These attack vectors are used to launch an attack on unsuspecting mobile stations.

1) Implementation of Physical Layer Jamming Attack: In this attack strategy, the attack vector is generated if IMSI_Thresh is met and an EARFCN or UARFCN is available. IMSI_Thresh is the threshold at which the SDR can allocate a channel to camp as many MS as possible at a particular instant. If the threshold is met and an EARFCN or UARFCN is available, the attack vector comprises baseband jamming of the 4G and 3G channels using the information in the EARFCN and UARFCN respectively. Jamming the 3G and 4G bands forces the MS to search for a cell reselection option and camp on the only available 2G network. At this point the attacker can also jam the GSM control channel frequency, 1974.2 MHz (T-Mobile in our experiment), on the physical layer, the frequency being calculated from the ARFCN. This type of attack can disrupt the communication between all the MS and the BTS of that serving cell.

2) Implementation of the BTS Cloning Attack: Due to the one way authentication in GSM between the MS and the BTS, the MS has no way of verifying whether a serving BTS is genuine or cloned. The cloned BTS exploits this to mimic the original BTS by defining its LAI (MCC + MNC + LAC) identically to the original BTS except for a change in the LAC, in order to trigger a forced handover. To ensure this handover, the cloned BTS increases its power by adding the Cell Reselect Hysteresis (CRH) power to the original BTS power. On the other hand, if IMSI_Thresh is met and no EARFCN or UARFCN is present, the cloned BTS can be started directly. If IMSI_Thresh is not met, no action is taken. When the cloned BTS starts downlink transmission on any of the neighboring ARFCN frequencies with greater power, the MS under the original serving BTS tries to latch onto the cloned BTS.

To eliminate encryption over the air interface, the cloned BTS proposes the A5/0 algorithm to the MS. The MS tries to register with the cloned BTS as its power level is higher than that of the original BTS. The cloned BTS sets a timer for 41 seconds as soon as the transmission begins [4]. Once the timer expires, the cloned BTS authenticates all IMSIs that are trying to register. This approach allows the cloned BTS to launch attacks in the particular cell with a relatively low amount of power. This type of malicious attack would leave MS subscribers dissatisfied, because once they have registered under the cloned BTS they are unable to receive any incoming calls or short message service (SMS) messages. In fact, they cannot make any outgoing call unless permitted by the cloned BTS, which uses the opportunity to trick them into thinking that they are still connected to the original BTS.

V. EVALUATION OF ATTACK

The cross-layer attack's effectiveness is evaluated by its ability to maximize the number of IMSI subscriptions to the cloned BTS with minimal power expenditure. In our experimental testbed, we collected data continuously for one week and computed the average IMSI subscription on an hourly basis. We used linear regression to predict future IMSI subscriptions, given the dynamism of mobile stations connecting to and disconnecting from the GSM network. The linear regression model is able to predict the time when the maximum number of IMSIs would be connected to the cloned BTS. The ability to predict this ahead of time gives the cloned BTS the capability to launch the attack vector at a precise time to maximize IMSI subscriptions with minimal power expenditure. The evaluation of the attack vector was conducted at two different physical locations.

Table I shows the results for both the theoretical and the experimental scenarios for deploying a cloned BTS so as to execute the attack vectors. Theoretically, to launch the cloned BTS the power requirement is -122 dBm for LAC 1 and -130 dBm for LAC 2, while during our experimentation the actual power requirement was -121 dBm and -131 dBm, which validates the theoretical expectation. Furthermore, in theory the maximum time to register all MSs under a cell to a BTS is 41 seconds for any environment; in our experiment the registering time for LAC 1 was 12 seconds and for LAC 2 was 15 seconds. This is because our experiments ran on six test phones due to regulatory concerns. The difference in registering time can also be attributed to differing wireless propagation environments.


TABLE I: Comparison between expected and actual experimental results

Location (LAC) | Cell PWR (dBm) | CRH (dB) | Expected cloned BTS Tx PWR (dBm) | Actual cloned BTS Tx PWR (dBm) | Expected max registering time (s) | Actual registering time (s)
LAC 1 | -132 | 10 | -122 | -121 | 41 | 12
LAC 2 | -142 | 12 | -130 | -131 | 41 | 15

Fig. 3: Average IMSI attach statistics of two carriers

Fig. 4: Comparison of attacker PWR consumption between traditional attack and cross layer attack

Fig. 3 illustrates the number of IMSIs collected for both the AT&T and T-Mobile networks at two different locations. We note that the maximum number of IMSIs is observed during the 10:00 to 11:00 and 15:00 to 16:00 time slots. From the results shown in Fig. 4, it is clear that if the attacker attacks at the optimal time (between 10 a.m. and 11 a.m.) it would get the maximum number of MSs (AT&T: 250, T-Mobile: 150) to exploit, at 0.50 dBm and 0.81 dBm per MS. Conversely, if the attacker does not attack at the optimal time, it still uses the same amount of power (AT&T: -122 dBm, T-Mobile: -131 dBm) for a smaller number of MSs, such as 30 for T-Mobile and 27 for AT&T, which costs the attacker 4.07 dBm/MS for T-Mobile and 4.81 dBm/MS for AT&T. This is why our algorithm ensures that the adversary launches the attack with full power utilization.

VI. CONCLUSION

In this work we have shown how to use open source software and an SDR platform to collect cross layer information from the GSM control channel in order to create an attack that can disrupt communication from all mobile stations to the BTS, for all carriers in a particular cell, in a cost effective manner. Our results from the testbed experiment on two different cells in our chosen test location show that we can identify the instant when the cloned BTS would have the highest number of IMSIs forced to camp onto it and hence achieve the most successful attack at a relatively low power requirement.

ACKNOWLEDGMENT

This work was partially supported by DHS Award 2014-ST-062-000059, NSF CNS Award 1405681, ONR Award N00014-15-1-2444 and NEEC Contract N00174-16-C-0015.

REFERENCES

[1] International Telecommunication Union, "ITU releases 2015 ICT figures," https://www.itu.int/net/pressoffice/press_releases/2015/17.aspx, 2016. [Online; accessed 24-February-2016].
[2] GSM Association, "New GSMA Report Forecasts Half a Billion Mobile Subscribers in Sub-Saharan Africa by 2020."
[3] Tektronix, "K-18 Protocol Analyzer," http://www.tek.com/datasheet/k18-and-nsa, 2007. [Online; accessed 3-June-2016].
[4] Y. Song, K. Zhou, and X. Chen, "Fake BTS attacks of GSM system on Software Radio Platform," Journal of Networks, vol. 7, no. 2, pp. 275–281, 2012.
[5] S. Aragon, F. Kuhlmann, and T. Villa, "SDR-Based Network Impersonation Attack in GSM-Compatible Networks," in 2015 IEEE 81st Vehicular Technology Conference (VTC Spring). IEEE, 2015, pp. 1–5.
[6] S. Yubo, H. Xili, and L. Zhiling, "The GSM/UMTS Phone Number Catcher," in 2011 Third International Conference on Multimedia Information Networking and Security (MINES). IEEE, 2011, pp. 520–523.
[7] M. Toorani and A. Beheshti, "Solutions to the GSM Security Weaknesses," in 2008 Second International Conference on Next Generation Mobile Applications, Services and Technologies (NGMAST'08). IEEE, 2008, pp. 576–581.
[8] ETSI, TS 100 910 v8.20.0 (2005-11), "Digital cellular telecommunications system (Phase 2+); Radio Transmission and Reception (3GPP TS 05.05 version 8.20.0 Release 1999)," 2005.
[9] Ettus Research, "Universal Software Radio Peripheral," https://www.ettus.com/product/details/UN200-KIT, 2009. [Online; accessed 10-February-2016].
[10] GNU Radio, "The GNU Software Radio," https://gnuradio.org, 2007. [Online; accessed 10-February-2016].
[11] GitHub, "GNU Radio Blocks and Tools for Receiving GSM Transmissions," https://github.com/ptrkrysik/gr-gsm, 2016. [Online; accessed 03-February-2016].
[12] G. Combs et al., "Wireshark: Network Protocol Analyzer," Version 0.99, vol. 5, 2008.
[13] Apache Spark, "Lightning-fast Cluster Computing," https://spark.apache.org, 2013. [Online; accessed 10-February-2016].
[14] M. Iedema, Getting Started with OpenBTS. O'Reilly Media, Inc., 2014.



