Tuesday, January 29, 2013

Exploring GSM Vulnerabilities to Assess Mobile Users' Location

The privacy of about 5 billion GSM users worldwide is exposed. Their location is available to eavesdroppers, while society keeps its attention on vulnerabilities in software layers that may compromise the privacy of a very select group of users. GSM networks depend on the mobile phone's location to provide a good service. That dependency is intrinsic to the GSM protocol, where the phone must be near an antenna in order to ensure good radio signal quality between the mobile phone and the Base Transceiver Station (BTS). Unlike social networks or other Internet services, where users need to explicitly authorize the sharing of information about their location, the GSM protocol does it ubiquitously.

Using my master's degree as an excuse, in the past years I've been fully entertained studying and researching some GSM vulnerabilities that may expose the geolocation of users. During the work I've studied known vulnerabilities and I also made some patches to known GSM security tools which may be very handy to reproduce the experiments I've made to prove my point.

My work was divided into three different ways to assess the user's geolocation; they are unrelated, but information gathered in one may be useful to the other attacks. These three attacks intend to collect the victim's geolocation at the following accuracy levels: country, portion of the city and neighborhood. This may vary depending on the provider's configuration, so do not expect this to work in all cases.

To illustrate the attacks we use two different entities: the attacker and the victim. For the second and third attacks, besides knowing the mobile number of the victim, the attacker also needs to have two OsmocomBB-compatible mobile phones and some specific OsmocomBB patches that are explained in this post. For the first attack, the attacker just needs to have an account with an HLR query provider and, of course, the mobile number of the victim.

First attack, Country

By knowing the telephone number of the victim it is possible to track down its country of origin by the phone prefix. It is also possible to know whether the number is still valid and working and whether the user is roaming or not, and if so, in which country the user is.

All this information can be gathered using an HLR query provider. Note, however, that only some providers leak such information. In some countries (like Brazil) the providers are not able to leak this information, due to law enforcement. In the map below it is possible to identify in which countries the information is available (in green) or not (in orange).

Depending on your HLR provider, the information about the country comes already parsed, as illustrated in the example below.

As further work, the MSC gateways could be used to map the geolocation of users; however, a mapping of the region would need to be done prior to the attack.

Second attack, Portion of the city

This attack relies on the fact that a mobile phone is always connected to a BTS, listening to a broadcast channel which belongs to a virtual group called a LAC (Location Area Code). Knowing that, the attacker can address some demand (SMS or call) to the victim's phone number and wait to see the victim's identification (IMSI or TMSI) being redirected by the network to a specific channel/time slot to receive the demanded content. Broadcast channels are always delivering messages to users, more than one per second, which makes it impossible for the attacker to identify the victim's TMSI or IMSI on the first try, so subsequent attempts need to be made, reducing a `possible-victim list` and narrowing it to one entry if the victim is part of the LAC or zero if the victim is not part of it.

Below there is a graphic of my hometown, Recife, with the LACs in different colors. It gives us an idea of how big the LACs are and consequently of the accuracy of the attack.

Third attack, Neighborhood

This last attack is the one with the best accuracy. The idea is based on the fact that an SMS or a call will be delivered faster between two members of the same BTS/tower. Across different towers the message will be delivered from one tower to another and so on, until it reaches the final destination. With the two phones on the same BTS, the message will be delivered directly to the destination as soon as it hits the tower.

As in the second attack, the ID of the victim on the network should be revealed before anything else. After that, the attack jumps from tower to tower, measuring the amount of time the network takes to send the victim to a proper time slot/channel to receive the message.

The coverage area of a BTS varies: it tends to be bigger in rural areas, where phone density is lower, and smaller downtown. Below, the coverage areas of BTSs in my hometown are illustrated, where F and E are the biggest and the smallest coverage areas. Their sizes can be found in the table below.
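The second and third attacks share one observable trait on the network side: a burst of SMS or calls from a single origin to a single destination within a short time, and in the third attack the origin moves from tower to tower between probes. The script below is an added example written for this edit, not code from the original post or from the OsmocomBB project, and it takes the operator's point of view: it scans a log of mobile-terminated delivery attempts and flags origin/destination pairs that show this pattern. The log format, the field names, the phone numbers, the cell and LAC labels and the default window and threshold are all constructed assumptions; a real operator would adapt the parser to its own CDR layout and tune the parameters to its traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (assumption: not from any real network or CDR format).
# One line per mobile-terminated SMS/call attempt handled by the core network.
# Fields: unix_time service origin_msisdn origin_cell dest_msisdn dest_lac
SAMPLE_LOG = """\
1359450000 sms  +5581900000001 cell-A +5581911111111 LAC-7
1359450012 sms  +5581900000002 cell-B +5581922222222 LAC-3
1359450035 sms  +5581900000001 cell-A +5581911111111 LAC-7
1359450071 call +5581900000001 cell-C +5581911111111 LAC-7
1359450098 sms  +5581900000001 cell-C +5581911111111 LAC-7
1359450130 sms  +5581900000001 cell-D +5581911111111 LAC-7
1359450166 sms  +5581900000001 cell-D +5581911111111 LAC-7
1359450201 sms  +5581933333333 cell-B +5581944444444 LAC-3
1359450240 sms  +5581900000001 cell-E +5581911111111 LAC-7
1359450277 sms  +5581900000001 cell-E +5581911111111 LAC-7
1359450301 sms  +5581900000002 cell-B +5581922222222 LAC-3
"""


@dataclass(frozen=True)
class Delivery:
    time: int          # unix timestamp of the delivery attempt
    service: str       # "sms" or "call"
    origin: str        # originating MSISDN
    origin_cell: str   # cell serving the originator at that moment
    dest: str          # destination MSISDN
    dest_lac: str      # LAC in which the destination was paged


@dataclass(frozen=True)
class Alert:
    origin: str
    dest: str
    count: int             # attempts inside the flagged window
    window_start: int
    window_end: int
    origin_cells: tuple    # distinct cells the originator used (tower hopping)


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    deliveries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, service, origin, ocell, dest, lac = line.split()
        deliveries.append(Delivery(int(t), service, origin, ocell, dest, lac))
    return deliveries


def find_probing(deliveries, window_s=600, threshold=5):
    """Flag (origin, dest) pairs with >= threshold attempts inside window_s seconds.

    A sliding window runs over each pair's attempts in time order; the densest
    window that reaches the threshold yields one alert per pair.
    """
    by_pair = defaultdict(list)
    for d in sorted(deliveries, key=lambda d: d.time):
        by_pair[(d.origin, d.dest)].append(d)

    alerts = []
    for (origin, dest), items in by_pair.items():
        best = None
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it fits within window_s.
            while items[end].time - items[start].time > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best is not None:
            n, s, e = best
            cells = tuple(sorted({i.origin_cell for i in items[s:e + 1]}))
            alerts.append(Alert(origin, dest, n, items[s].time, items[e].time, cells))
    return alerts


if __name__ == "__main__":
    for a in find_probing(parse_log(SAMPLE_LOG)):
        print(f"{a.origin} -> {a.dest}: {a.count} attempts in "
              f"{a.window_end - a.window_start}s from cells {a.origin_cells}")
```

On the constructed sample, the single flagged pair shows eight attempts in under five minutes from four different originating cells, which is the signature of a mobile probe rather than ordinary messaging; the two-message pair stays below the threshold. The distinct `origin_cells` count is what separates the third attack's tower-hopping from a user simply sending many messages from one place.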


Those problems are not new; they have been discussed for a while. The idea of this post was to give a short intro to the subject by exposing the vulnerabilities.

All these hypotheses were proved in my dissertation. For further reading, including tests, have a look at my dissertation, available here.

For information about the ways to circumvent or minimize those problems, fire me an e-mail.