
A No-jamming Selective Interception System of the GSM Terminals

Kan Zhou, Aiqun Hu, Yubo Song
Department of Information Science and Engineering
Southeast University, Nanjing, China

Abstract: This paper presents a new interception system which is intended to be placed in a restricted area for security purposes. It obtains the unique identity, such as the IMSI, of mobile phones that pass through the area, and then checks these identities against a local cache to selectively block the communication of these phones. We analyze the parts of the GSM protocol that are relevant to the interception system, and later present the performance of such a system through real tests and demonstrate its feasibility.

Keywords: IMSI; Interception; Electronic surveillance

I. INTRODUCTION

A real-time GSM interceptor is equipment located in a restricted area that can detect and record the IMSI numbers of mobile phones that pass through it. By comparing these IMSI numbers with a local cache we can decide whether to block certain mobile stations (MS). Selective blocking of MS has obvious advantages, particularly in security areas where user access must be controlled, and that is what the system is designed for. The unique feature of this interception system is that it does not use any jamming unit to block individual calls or interfere with normal radio frequencies; in fact it is a pseudo-base station that makes mobile stations connect to it and then either accepts or rejects them. In a word, this system is much simpler and more flexible than former ones [2].

This paper is organized as follows. In Section II, we describe existing GSM interception systems. Section III presents how our interception system works. In Section IV, we analyze the GSM protocol with respect to how we can obtain MS IMSI numbers, and propose a blocking method. Section V presents realistic tests to verify the performance and feasibility of such a system. Section VI concludes the paper.

II. BACKGROUND

The theory of a real-time detector of idle GSM mobile phones is described in [1]. It uses a jamming device such as [3] to block all the active downlink carriers in the detected area and provides a pseudo carrier. Since the MS cannot communicate with any of the true carriers in that area, they detect this pseudo one and perform self-identification for emergency calls. In other words, this detector uses indiscriminate frequency jamming to obtain mobile identities and blocks all MS in that area. An advanced interception system which can selectively jam MS is presented in [2]. It is a combination of the detector of [1] and a selective interceptor. The detector forces the MS to perform self-identification, and the selective interceptor then captures the MS identity by monitoring the information exchanged between the MS and the detector. By comparing the identity with a local repository, this interceptor decides whether to trigger a local jamming device that generates interference on the active downlink carriers. Therefore, the activity of the MS is controlled. However, ideal blocking in [2] must take place before the user traffic flow starts, which is a hard real-time constraint; besides, there is only one instant at which this can be done, since the remaining transaction information is ciphered and the interceptor cannot monitor further messages. This means the interception system must be very complex. In addition, both schemes described above need as many jamming modules as there are active carriers received; therefore the cost is relatively high.

978-1-4244-3709-2/10/$25.00 2010 IEEE

III. INTERCEPTION SYSTEMS

A. Obtaining the IMSI number

The whole interception system is shown in Fig. 1. The mobile phone with engineering mode in this system detects all true active carriers in the target area and sorts them in descending order according to the "cell reselection criterion" parameter C2. The computer obtains the carrier information list from the phone and chooses one carrier which is not strong, such as the sixth or the last one, as the pseudo carrier of this interception system. The reason we reuse an existing carrier is that this carrier is present in the BCCH allocation (BA) lists of the other true carriers, which are broadcast in the system information messages. Therefore, if our pseudo carrier is the same as one of the carriers in such a list, the MS will connect to our pseudo-base station automatically under certain circumstances. In that case we do not need any jamming device, and since an MS needs a period of time to detect the failure of a jammed carrier, letting the MS connect to our pseudo BS automatically is faster.

It could be argued that the existing carrier may interfere with our pseudo carrier because they are on the same frequency. However, the carrier we choose is weak (it is one of the last several in the list), and according to the GSM specification [6], if the carrier-to-interference power ratio exceeds 9 dB, the MS treats the true carrier as noise and connects to our pseudo-base station successfully under certain conditions. In order to make our pseudo-base station seem real to the MS, its BCCH must carry the same mobile country code and mobile network code as the local true BS. As a result, we have to prepare different interception systems for different operators. Moreover, the location area identity (LAI) broadcast on our BCCH must be different from those of the existing nearby true carriers, which can be obtained through our detector phone, so that a location update procedure is triggered whenever a mobile phone connects to our pseudo-base station; from that procedure we obtain the IMSI of the phone.

B. Local Identity Check and Blocking

In this paper, we propose a method to check whether a specific MS is privileged or not. Briefly, its operation can be described as follows.
1) The interceptor communicates with a remote server to fetch the identity repository in advance, so that real-time blocking is not affected by the connection speed.
2) Someone may ask how IMSI numbers can be matched to phone numbers or people's names. For one thing, they can be obtained from the mobile switching centre (MSC). For another, we can use the device demonstrated in Section V to read the IMSI of a given SIM card.
3) The interceptor checks the obtained IMSI numbers against the local identity database. If an IMSI is not listed as privileged, the interceptor may either accept the phone's cell reselection (location update) request or reject it with a specific cause. If the IMSI is privileged, the pseudo-base station should reject the request with cause #13 (Roaming not allowed in this location area) [5] (Annex G), so that the MS switches to another, true, BS. In Section V we verify these estimates by means of realistic tests.

Figure 1. Interception system: local identity check and selective blocking.
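The C1/C2 arithmetic behind the carrier choice in III-A and the reselection condition it relies on, as an added example (not code from the paper): the functions below implement the C1 and C2 formulas and the idle-mode reselection test of GSM 05.08 [4], rank a constructed set of true carriers by C2 to pick the weakest one as the pseudo carrier, and check the 9 dB co-channel margin of [6]. The received levels, offsets, ARFCNs, the 33 dBm handset power and the 4 dB hysteresis are assumptions.

```python
"""C1, C2 and the idle-mode reselection test of GSM 05.08 (sections 6.4 and
6.6.2), applied to the pseudo-base station of Section III-A.

Added example, not code from the paper.  Cells, levels and offsets are
constructed; the 33 dBm MS power (class-4 GSM 900 handset) and the 4 dB
CELL_RESELECT_HYSTERESIS are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

MS_MAX_POWER_DBM = 33.0   # assumption: P, the maximum RF output power of the MS
CI_MIN_DB = 9.0           # co-channel C/I margin cited from GSM 05.05 in III-A


@dataclass
class Cell:
    """BCCH parameters of one carrier as measured and decoded by the MS."""
    name: str
    arfcn: int
    lai: tuple                          # (MCC, MNC, LAC) broadcast on the BCCH
    rxlev_dbm: float                    # received level average, dBm
    rxlev_access_min: float = -104.0    # RXLEV_ACCESS_MIN, dBm
    ms_txpwr_max_cch: float = 33.0      # MS_TXPWR_MAX_CCH, dBm
    cell_reselect_offset: int = 0       # dB
    temporary_offset: int = 0           # dB
    penalty_time: Optional[int] = None  # seconds; None stands for the value 11111


def c1(cell: Cell) -> float:
    """Path loss criterion C1 = A - max(B, 0),
    A = RXLEV - RXLEV_ACCESS_MIN, B = MS_TXPWR_MAX_CCH - P."""
    a = cell.rxlev_dbm - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - MS_MAX_POWER_DBM
    return a - max(b, 0.0)


def c2(cell: Cell, t_seconds: float) -> float:
    """Reselection criterion C2; T is how long the carrier has been on the MS's
    list of strongest carriers.  H(x) = 1 for x >= 0, else 0."""
    if cell.penalty_time is None:                       # PENALTY_TIME = 11111
        return c1(cell) - cell.cell_reselect_offset
    h = 1 if cell.penalty_time - t_seconds >= 0 else 0
    return c1(cell) + cell.cell_reselect_offset - cell.temporary_offset * h


def reselects(serving: Cell, candidate: Cell, t_seconds: float,
              hysteresis_db: int = 4) -> bool:
    """Idle-mode reselection test.  A candidate in another location area must
    beat the serving cell's C2 by CELL_RESELECT_HYSTERESIS (our pseudo-BS case,
    since it broadcasts a foreign LAI); in the same LA any excess suffices.
    05.08 also requires the condition to hold for 5 s, which is not modelled."""
    if c1(candidate) <= 0:                              # not a usable cell at all
        return False
    margin = hysteresis_db if candidate.lai != serving.lai else 0
    return c2(candidate, t_seconds) > c2(serving, t_seconds) + margin


def pick_pseudo_carrier(true_cells: List[Cell], t_seconds: float = 0.0) -> Cell:
    """III-A / V: rank the true carriers by C2 (descending) and reuse the
    weakest as the pseudo-BS carrier, so that it is already in the BA lists."""
    return sorted(true_cells, key=lambda c: c2(c, t_seconds), reverse=True)[-1]


def co_channel_ok(pseudo_rxlev_dbm: float, reused_rxlev_dbm: float) -> bool:
    """The reused true carrier must sit more than CI_MIN_DB below our signal
    at the MS, otherwise the MS cannot decode our BCCH."""
    return pseudo_rxlev_dbm - reused_rxlev_dbm > CI_MIN_DB


def pseudo_bs_for(reused: Cell, rxlev_at_ms_dbm: float) -> Cell:
    """Our BCCH on the reused ARFCN: same MCC/MNC, a different LAC."""
    return Cell("pseudo", reused.arfcn,
                (reused.lai[0], reused.lai[1], 0x9999), rxlev_at_ms_dbm)


# Constructed scenario: an MS camped on a strong true cell plus five weaker
# true carriers in the same LA, one of them carrying a penalty timer.
TRUE_LAI = ("460", "00", 0x1234)
TRUE_CELLS = [
    Cell("serving", 10, TRUE_LAI, -70.0),
    Cell("true_2", 20, TRUE_LAI, -75.0, cell_reselect_offset=10,
         temporary_offset=20, penalty_time=20),
    Cell("true_3", 30, TRUE_LAI, -80.0),
    Cell("true_4", 40, TRUE_LAI, -85.0),
    Cell("true_5", 50, TRUE_LAI, -90.0),
    Cell("true_6", 60, TRUE_LAI, -95.0),
]

if __name__ == "__main__":
    serving, reused = TRUE_CELLS[0], pick_pseudo_carrier(TRUE_CELLS)
    pseudo = pseudo_bs_for(reused, -60.0)
    print(reused.name, co_channel_ok(pseudo.rxlev_dbm, reused.rxlev_dbm),
          reselects(serving, pseudo, 0.0))
```

Two things the example makes visible that the text leaves implicit. Because the pseudo-BS broadcasts a foreign LAI, the hysteresis applies, so its C2 must clear the serving cell by CELL_RESELECT_HYSTERESIS and not merely exceed it (with the constructed values, -60 dBm at the MS is enough and -68 dBm is not). And a TEMPORARY_OFFSET on a true neighbour depresses its C2 only for the first PENALTY_TIME seconds after the carrier enters the strongest-six list, so a ranking taken immediately after power-up can misjudge which true carrier is really the weakest.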

IV. PROTOCOL ANALYSIS

A. Cell selection and reselection

According to [4] (Section 6.6), the MS synchronizes to and reads the BCCH information of the 6 strongest non-serving carriers, and at least every 5 s it recalculates the value of C1 (the path loss criterion parameter) and C2 for the serving cell and the C1 and C2 values for the non-serving cells. If we can make the value of C2 that the MS calculates for the pseudo-base station exceed the value of C2 for the serving cell by at least CELL_RESELECT_HYSTERESIS dB, a cell reselection will take place. In addition, since the LAI of the pseudo carrier differs from those of all the true carriers, a location update procedure follows, from which we obtain the IMSI of the MS.

B. Blocking Method

In this section, we propose an interceptor that selectively blocks mobile phones. After a mobile phone performs the location update procedure on the pseudo-base station, we can choose whether to block it according to its IMSI. If it is not privileged, the interceptor accepts its cell reselection request. When such an accepted phone later wants to make a phone call or send an SMS, the pseudo-base station simply rejects the request. As long as the phone does not disconnect from our pseudo-base station, its behavior is constrained. For a privileged mobile phone, on the other hand, the pseudo-base station sends a reject message with cause #13 (Roaming not allowed in this location area) [5] (Annex G); the MS then puts our LAI on its list of forbidden location areas for 12 hours and switches to a true base station, so it can make calls normally.

V. INTERCEPTION SYSTEMS FEASIBILITY

This interception system is mainly comprised of three modules: a detector, a GSM RF device and a main board with an Atom processor. Instead of using a phone as mentioned before, we use a Siemens GSM module as the detector. It obtains the location of the target area as well as the information on all true GSM carriers nearby and transports them to the main board via a serial interface. The main board then sets the pseudo carrier to the carrier with the lowest C2 value and starts the GSM RF device. The GSM RF device serves as the digital baseband and IF section of a radio communication system. The data obtained from this device is transmitted to the main board through an Ethernet interface, and the remaining work, such as the control logic, mobility management and radio resource management, is done in software on the main board.

A. Function tests and Performance

All realistic tests were performed in the library of Southeast University, using the GSM network of China Mobile. There were 83 students in the reading room (about 95% of students in our city use China Mobile), and some students on the second floor may also have been affected by our interception system. We observed the spectrum of our pseudo-base station with a Rohde & Schwarz FSP spectrum analyzer. The pseudo-base station transmits at 947 MHz, which corresponds to ARFCN (Absolute Radio Frequency Channel Number) 60. When an MS comes into the target area, the interception system obtains its IMSI through the location update procedure. The time elapsed between the start of the interception system and the first IMSI caught was 9 seconds.

Figure 2. The number of IMSIs caught versus time.

Figure 2 shows the number of IMSIs caught in one test. The curve was drawn with Microsoft Excel 2003, and it shows the data of the first 42 s because there was almost no variation afterwards. In [2], the enhanced selective interceptor needs more than 2500 seconds to reach a 90% hit rate, and it has only 150 ms to check the identity of an MS and trigger the jamming unit if needed. Obviously, our system is much more efficient and enjoys great flexibility. Among all the MS, those which are privileged connect to the true BS within 6 to 10 seconds and make phone calls successfully. The unprivileged MS, however, if we let the pseudo-base station accept them, look normal but cannot make calls.
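The location-updating exchange through which the pseudo-base station obtains the IMSI and applies the accept/reject decision of Sections III-B and IV-B, whose effect is reported above, as an added example (not the paper's code). It encodes and decodes the MM messages of GSM 04.08 [5] (LOCATION UPDATING REQUEST/ACCEPT/REJECT, IDENTITY REQUEST/RESPONSE, CM SERVICE REQUEST/REJECT) and includes a step the text glosses over: an MS arriving from a true cell normally identifies itself with a TMSI, which means nothing to the pseudo-BS, so it must send an IDENTITY REQUEST for the IMSI before it can consult the repository. The IMSIs, TMSI, LAIs, privileged list, classmark bytes and the cause (#17) used to refuse calls are constructed assumptions.

```python
"""Location-updating exchange between an MS and the pseudo-base station, with
the IMSI lookup and the accept/reject policy of Sections III-B and IV-B.

Added example, not the paper's code.  Layouts follow GSM 04.08: MM protocol
discriminator 0x05, message types of table 10.2, Mobile Identity IE (10.5.1.4),
LAI IE (10.5.1.3).  IMSIs, TMSI, LAIs, privileged list, classmark bytes and the
cause used to refuse calls (#17) are constructed assumptions.
"""
from typing import Dict, List, Optional

MM = 0x05                                   # protocol discriminator
LOC_UPD_REQUEST, LOC_UPD_ACCEPT, LOC_UPD_REJECT = 0x08, 0x02, 0x04
IDENTITY_REQUEST, IDENTITY_RESPONSE = 0x18, 0x19
CM_SERVICE_REQUEST, CM_SERVICE_REJECT = 0x24, 0x22
ID_IMSI, ID_TMSI = 0b001, 0b100             # type-of-identity bits
CAUSE_ROAMING_NOT_ALLOWED_IN_LA = 13        # Annex G cause #13, as used by the paper
CAUSE_NETWORK_FAILURE = 17                  # assumption: cause sent to refuse calls/SMS


def encode_lai(mcc: str, mnc: str, lac: int) -> bytes:
    """LAI value: BCD MCC/MNC (MNC digit 3 = 1111 for 2-digit MNCs) + 16-bit LAC."""
    d = [int(c) for c in mcc + mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([d[1] << 4 | d[0], d[5] << 4 | d[2], d[4] << 4 | d[3]]) + lac.to_bytes(2, "big")


def mobile_identity_imsi(imsi: str) -> bytes:
    """LV-encoded Mobile Identity carrying an IMSI (odd/even flag in bit 4)."""
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2
    rest = digits[1:] + ([] if odd else [0xF])      # 1111 filler for even lengths
    body = [digits[0] << 4 | odd << 3 | ID_IMSI]
    body += [rest[i + 1] << 4 | rest[i] for i in range(0, len(rest), 2)]
    return bytes([len(body)] + body)


def mobile_identity_tmsi(tmsi: bytes) -> bytes:
    """LV-encoded Mobile Identity carrying a 4-octet TMSI."""
    body = bytes([0xF0 | ID_TMSI]) + tmsi
    return bytes([len(body)]) + body


def decode_mobile_identity(lv: bytes) -> tuple:
    """Return (type, identity) from an LV-encoded Mobile Identity."""
    body = lv[1:1 + lv[0]]
    id_type, odd = body[0] & 0x07, (body[0] >> 3) & 1
    if id_type == ID_TMSI:
        return id_type, body[1:5].hex()
    digits = [body[0] >> 4]
    for octet in body[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd:
        digits.pop()                                # drop the filler nibble
    return id_type, "".join(map(str, digits))


# MS side.  Octet 3 of the request: CKSN 111 (no key) | LU type 00 (normal);
# classmark 1 and the classmark 2 LV are constructed values.
def ms_location_updating_request(old_lai: bytes, identity: bytes) -> bytes:
    return bytes([MM, LOC_UPD_REQUEST, 0x70]) + old_lai + bytes([0x33]) + identity


def ms_identity_response(imsi: str) -> bytes:
    return bytes([MM, IDENTITY_RESPONSE]) + mobile_identity_imsi(imsi)


def ms_cm_service_request(identity: bytes, service_type: int = 0x1) -> bytes:
    # service type 0001 = mobile originating call establishment
    return bytes([MM, CM_SERVICE_REQUEST, 0x70 | service_type, 3, 0x33, 0x19, 0xA2]) + identity


class PseudoBaseStation:
    """Drives the MM exchange of one MS and applies the selective blocking."""

    def __init__(self, own_lai: bytes, privileged: set):
        self.own_lai, self.privileged = own_lai, privileged
        self.caught: Dict[str, str] = {}           # IMSI -> decision taken

    def handle(self, msg: bytes) -> Optional[bytes]:
        if msg[0] & 0x0F != MM:
            return None
        mtype = msg[1] & 0x3F                      # bit 7 carries N(SD) on the uplink
        if mtype == LOC_UPD_REQUEST:               # PD, type, CKSN/LU, LAI(5), classmark1, identity
            id_type, ident = decode_mobile_identity(msg[9:])
            if id_type != ID_IMSI:                 # a TMSI tells us nothing: ask for the IMSI
                return bytes([MM, IDENTITY_REQUEST, ID_IMSI])
            return self._decide(ident)
        if mtype == IDENTITY_RESPONSE:
            id_type, ident = decode_mobile_identity(msg[2:])
            return self._decide(ident) if id_type == ID_IMSI else None
        if mtype == CM_SERVICE_REQUEST:            # an accepted (unprivileged) MS tries a call/SMS
            return bytes([MM, CM_SERVICE_REJECT, CAUSE_NETWORK_FAILURE])
        return None

    def _decide(self, imsi: str) -> bytes:
        if imsi in self.privileged:                # cause #13: MS forbids our LAI and leaves
            self.caught[imsi] = "rejected_cause_13"
            return bytes([MM, LOC_UPD_REJECT, CAUSE_ROAMING_NOT_ALLOWED_IN_LA])
        self.caught[imsi] = "accepted"             # MS camps on us and is kept from calling
        return bytes([MM, LOC_UPD_ACCEPT]) + self.own_lai


def run_exchange(bs: PseudoBaseStation, imsi: str, tmsi: Optional[bytes] = None) -> List[bytes]:
    """Play one MS (presenting a TMSI or its IMSI) through the pseudo-BS and
    return every downlink message it received."""
    old_lai = encode_lai("460", "00", 0x1234)      # constructed true-cell LAI
    identity = mobile_identity_tmsi(tmsi) if tmsi else mobile_identity_imsi(imsi)
    replies = [bs.handle(ms_location_updating_request(old_lai, identity))]
    if replies[-1][1] == IDENTITY_REQUEST:
        replies.append(bs.handle(ms_identity_response(imsi)))
    if replies[-1][1] == LOC_UPD_ACCEPT:           # the MS now tries to place a call
        replies.append(bs.handle(ms_cm_service_request(identity)))
    return replies
```

Everything in this exchange up to the decision is unauthenticated and sent in clear, which is what makes the pseudo-base station possible in the first place; the unciphered IDENTITY REQUEST for the IMSI, which a real network rarely needs once it has issued a TMSI, is also the most visible trace the system leaves on the air interface.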

B. Expanding the target area

Since we cannot increase the transmit power of the GSM RF device without limit, the extent of the target area within which the C2 value of our pseudo-base station remains the highest is bounded. However, we can make the inner pseudo-base stations use new carriers, as shown in Figure 3.

Figure 3. Pseudo-base stations in a large target area.

Obviously, the peripheral pseudo-base stations in Figure 3 can always obtain a suitable weak carrier from a true BS. Nevertheless, since there may not be enough weak true carriers for the inner pseudo-base stations, we can assign new carriers to them and broadcast these new BCCH carriers in the BA (BCCH Allocation) lists of all the peripheral pseudo-base stations. When a mobile station enters this target area, it is first captured by a peripheral pseudo-base station and receives the list of the BCCH carriers of the surrounding cells (including the pseudo ones); as a result, when the mobile station moves through the center of the target area, it can still discover those inner pseudo-base stations and consider them as its first choice. This approach also needs more than one true carrier, but most of the time these are not hard to obtain for the peripheral pseudo-base stations, and the number of new carriers for the inner ones can be expanded without limit.

VI. CONCLUSIONS

In this paper, we have presented a real-time selective interception system for GSM terminals. Unlike other terminal detectors or interceptors, which need as many jamming units as there are true carriers received, we do not need any jamming device. What is more important, this system is not subject to timing constraints (in [2], the jamming unit must start within a certain instant). This obviously simplifies the design and reduces the overall cost. This interception system can obtain the IMSI of any MS that enters the target area, and block non-privileged users by means of the method presented in Section IV-B. We have described the implementation of this interceptor in Section V and tested its performance. The results demonstrate that our design is feasible and can meet real-time demands.

REFERENCES

[1] J. Vales-Alonso, F. I. de Vicente, F. J. González-Castaño, and J. M. Pousada-Carballo, "Real-time detector of GSM terminals," IEEE Commun. Lett., vol. 5, pp. 275-276, 2001.
[2] F. J. González-Castaño, F. Isasi de Vicente, J. Vales-Alonso, J. M. Pousada-Carballo, and M. J. Fernández-Iglesias, "Real-Time Interception Systems for the GSM Protocol," IEEE Transactions on Vehicular Technology, vol. 51, no. 5, September 2002.
[3] J. M. Pousada-Carballo, F. J. González-Castaño, F. I. de Vicente, and M. J. Fernández-Iglesias, "Jamming system for mobile communications," Electron. Lett., vol. 34, pp. 2166-2167, 1998.
[4] ETSI, "Digital cellular telecommunications system (Phase 2+); Radio subsystem link control," GSM 05.08 version 8.5.0 Release 1999, ETSI TS 100 911 V8.5.0 (2000-10).
[5] ETSI, "Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification," GSM 04.08 version 7.8.0 Release 1998, ETSI TS 100 940 V7.8.0 (2000-10).
[6] ETSI, "Digital cellular telecommunications system (Phase 2+); Radio transmission and reception," GSM 05.05 version 8.5.1 Release 1999, ETSI EN 300 910 V8.5.1 (2000-11).