2010 International Conference on Multimedia Information Networking and Security

A GSM/UMTS Selective Jamming System

Song Yubo Zhou Kan Yao Bingxin Chen Xi

School of Information
Science and Engineering
Southeast University
Nanjing, China
songyubo@seu.edu.cn
School of Information
Science and Engineering
Southeast University
Nanjing, China
zhoukan@seu.edu.cn
College of Electronics and
Information Engineering
Nanjing University of
Technology
Nanjing, China
yaobingxin@vip.sina.com
School of Management
Nanjing University
Nanjing, China
doctor_chan@163.com

Abstract—This paper presents a new GSM/UMTS jamming
system which is intended to be placed in a restricted area for
security purpose. A pseudo base station was constructed to
attempt connecting with mobile terminals. While the terminals
are trying to access, the system will get the unique identity,
such as IMSI and IMEI, and further check these identities in
the repository. The system will selectively block the
communication of these mobile terminals. We will analyze the
GSM protocol which is relevant to the interception system and
later present the performance of such a system by real tests
and demonstrate its feasibility.
GSM/UMTS; jamming system; IMSI-catcher
I. INTRODUCTION
A Real-time GSM Jamming System is equipment located
in a restricted area that can detect and record IMSI number
of passed mobile phones. Through comparing these IMSI
numbers with a local cache we can decide whether to block
certain mobile stations (MS). Selective blocking of MS has
obvious advantages particular in security areas where user
access must be controlled and it is what the system is
designed for. The unique feather of this interception system
is that it does not use any jamming unit to block individual
calls or interfere with normal radio frequency; in fact it is a
pseudo base station that can make mobile stations connect to
it and then either accept or reject them. Our system support
both GSM and UMTS networks. In a word, this system is
much simpler and more flexible than former ones [2].
This paper is described as follows. In Section Ⅱ, we
describe existing GSM jamming systems. Section Ⅲ
presents how our interception system works. In Section Ⅳ,
we analyze GSM protocol according to how we can obtain
MS IMSI numbers, and propose a blocking method. Section
Ⅴ presents realistic tests to verify the performance and
feasibility of such a system. Section Ⅵ concludes the paper.
II. BACKGROUND
The theory of real-time jamming system of idle GSM
mobile phones is described in [1]. It uses a jamming device
such as [3] to block all the downlink active carries in the
detected area and provides a pseudo carrier. Since MS can
not communicate with all the true carriers in that area, they
will detect this pseudo one and perform self-identification for
emergency calls. In other words, this detector uses
indiscriminate frequency jamming to get mobile identities
and blocks all MS in that area.
An advanced interception system which can selectively
jam MS is present in [2]. It is a combination of a detector in
[1] and a selective interceptor. The detector forces the MS to
make self-identification, and then the selective interceptor
captures the MS identity through monitoring information
exchange between MS and the detector. By comparing the
identity with a local repository, this interceptor decides
whether to trigger a local jamming device to generate
interferences that disturb active downlink carriers. Therefore,
the MS’s activity is controlled.
However, ideal blocking in [2] must be made before user
traffic flow starts which is a hard real-time constrain; besides
there is only an instance in which the remaining transaction
information is ciphered so the interceptor cannot monitor
further messages. This means the interception system must
be very complex. In addition, both schemes described above
need as many jamming modules as active carriers received;
therefore the cost is relatively high.
III. THE GMS/UMTS JAMMING SYSTEM
A. Obtain the IMSI number
The whole interception system is present in Fig. 1. The
mobile phone with engineering mode in this system detects
all true active carriers in the target area, and sorts them in
descending mode according to "cell reselection criterion"
parameter C2. The computer gets the carrier information list
from the phone and choose one carrier which is not strong
enough, like the sixth or the last one, as the pseudo carrier of
this interception system. The reason why we use an existed
carrier is that this carrier is present in the BCCH allocation
(BA) lists of other true carriers, which is broadcasted in
information messages. Therefore, if our pseudo carrier is the
same as one of the carriers in such a list mentioned above,
MS will connect to our pseudo base station automatically
under certain circumstance. In that case, we do not need any
jamming device and since MS must need a period of time to
detect failure of affect carrier if jammed, the speed would be
faster to let MS connect to our pseudo BS automatically. It
would be argued that the existed carrier may interfere with
our pseudo carrier because they are the same. However, the
carrier we choose is weak enough (it is one of the last several
in the list), according to GSM specification [6], if the carrier

978-0-7695-4258-4/10 $26.00 © 2010 IEEE 818

809
813
DOI 10.1109/MINES.2010.172
to interference power ratio >9dB, then MS will consider the
true carrier as noise and connect to our pseudo-base station
successfully under certain conditions.
In order to make our pseudo-base station seem real to MS,
the BCCH of our pseudo-base station must carry the same
mobile country code and mobile network code as the local
true BS. As a result, we have to prepare different interception
systems for different operators. Moreover, the location area
identity (LAI) of BCCH must be different from those existed
in nearby true carriers which can be obtain through our
detect phone, so that a location update procedure will be
triggered if any mobile phone tries to connect to our pseudo-
base station, and then we can get IMSI of these phones.
Figure 1. Jamming System. Local identity check and selective blocking
B. Local Identity Check and Blocking
In this paper, we propose a method to check if specific
MS are privileged or not. Briefly, its operation can be
described as follows.
1) The interceptor communicates with a remote server
to get the identity repository. In this case, real-time blocking
will not be affected by connecting speed.
2) Someone may ask how IMSI numbers can
correspond to phone numbers or people’s names. For one
thing, we can get them from mobile switch centre (MSC).
For the other, we can use a device demonstrated in section
V to get the IMSI number of a certain SIM card.
3) The interceptor checks obtained IMSI numbers in a
local identity database. If they are not listed or privileged,
the interceptor can either accept or reject these phones’ cell
reselection request with specific reasons. On the contrary,
the pseudo-base station should reject it with cause 13
(Roaming not allowed in this location area) [5] (Annex G),
so the MS will switch to another BS which is true.
In Section V, we will verify these estimations by means
of realistic tests.
814
810
819
IV. PROTOCOL ANAYLSIS
A. Cell Selection and Reselection
According to [4] (Section 6.6), MS will synchronize to
and read the BCCH information for the 6 strongest non-
serving carriers, and at least every 5s the MS shall calculate
the value of C1 (path loss criterion parameter) and C2 for the
serving cell and re-calculate C1 and C2 values for non
serving cells.
If we can make the value of C2 for the pseudo-base
station calculated by MS higher than the value of C2 for the
serving cell by at least CELL_RESELECT_HYSTERESIS
dB, then a cell reselection will happen. In addition, since the
LAI of the pseudo-carrier is different from all the true
carriers, a location update procedure will follow, from which
we can get the IMSI of MS.
B. Blocking Method
In this section, we propose an interceptor to selectively
block mobile phones. After mobiles phones perform location
update procedure on the pseudo-base station, we can choose
whether to block it according to their IMSI. If they are not
privileged, the interceptor accepts these phones’ cell
reselection requests. When these accepted phones want to
make phone calls or send SMS, the pseudo-base station just
reject them. As long as these phones do not disconnect from
our pseudo-base station, their behaviors are constrained.
However, for those mobile phones which are privileged, the
pseudo-base station should send a reject message with cause
13 (Roaming not allowed in this location area) [5] (Annex
G), so the MS will put the LAI in a black list for 12 hours
and switch to a true base station, therefore the MS can make
calls normally.
V. INTERCEPTION SYSTEM’S FEASIBILTY
This interception system is mainly comprised of three
modules: a detector, a GSM RF device and a main board
with Atom processor.
Instead of using a phone as mentioned before, we use a
Siemens GSM module as the detector. It gets the location of
the target area as well as all true GSM carriers’ information
nearby and transports them to the main board via a serial
interface. The main board then sets the pseudo carrier as the
carrier with the lowest C2 value and starts the GSM RF
device. The GSM RF device serves as a digital base band
and IF section of a radio communication system. The data
gets from this device is transmitted to the main board
through an Ethernet interface, and the remaining work such
as control logic, mobile management as well as radio
resource management is done in software on the main board.
A. Function Tests and Performance
All realistic tests were performed in the library, Southeast
University. We used the GSM network of China Mobile.
There are 83 students in the reading room (about 95%
students in our city use China Mobile) and some students on
the second floor may be affected by our interception system.
 We observe the spectrum of our pseudo-base station with
a ROHED SCHWARZ FSP SPECTRUM ANALYZER. The
frequency of the pseudo-base station turns at 947MHz,
which corresponding to the ARFCN (Absolute Radio
Frequency Channel Number) of 60. When MS come into the
target area, the interception system can get their IMSI
through location update procedure. The time elapsed
between the start of the interception system and the first
IMSI caught is 9 seconds.
Figure 2. The number of IMSI caught versus time
Figure 2 shows the number of IMSI caught in one test.
The curve was drawn by Microsoft Excel 2003, and it shows
the data of the first 42s because there was almost no
variation afterwards.
In [2], the enhanced selective interceptor needs more than
2500 seconds to reach a 90% hit, and it has only 150ms to
check the identity of MS and trigger the jamming unit if
needed. Obviously, our system is much more efficient and
enjoys great flexibility.
Among all the MS, those which are privileged can
connect to the true BS within 6~10 seconds and make phone
calls successfully. However, for those unprivileged MS, if
we make the pseudo-base station accept them, although they
look normal, they can not make calls.
B. Expand the Target Area
Since we cannot increase the transmit power of the GSM
RF device unlimitedly, the bound of the target area within
which the C2 value of our pseudo-base station remains
highest is limited. However, we can make inner pseudo-base
stations use new carriers.
Obviously, peripheral pseudo-base stations in Figure 3
can always get proper weak carrier from true BS.
Nevertheless, since there may not be enough weak true
carriers for inner pseudo-base stations, we can assign new
carriers to them and broadcast these new BCCH carriers in
the BA (BCCH Allocation) list of all the peripheral pseudo-
base stations. When a mobile station enters this target area, it
must be captured by peripheral pseudo-base stations and gets
the list which indicates the BCCH carriers of the surrounding
cells (including those pseudo ones), as a result, when the
mobile station go through the center of the target area, it can
815
811
820
still discover those pseudo-base stations and consider them
as its first choice. This approach also needs more than one
true carrier, but at most times, they are not hard to get for the
peripheral pseudo-base stations, and the number of new
carriers for those inner ones can be expanded unlimitedly.
Figure 3. pseudo-base stations in a large target area
VI. CONCLUSIONS
In this paper, we have presented a real-time selective
interception system of the GSM Terminals. Unlike other
Terminal detectors or interceptors which need as many
jamming units as true carriers received, we do not need any
jamming device. What’s more important, this system is not
subject to time constrains (in [2], the jamming unit must start
within a certain instant). This obviously simplifies the design
and reduces the whole cost. This interception system can get
the IMSI of MS which enter the target area, and block non-
privileged users by means of the method presented in Section
Ⅳ -C. We have described the implementation of this
interceptor in Section Ⅴ and tested its performance.
The results demonstrate that our design is feasible and
can meet real-time demands.
REFERENCES
[1] J. Vales-Alonso, F. I. de Vicente, F. J. González-Castaño, and J.M.
Pou-sada-Carballo, “Real-time detector of GSM terminals,” IEEE
Commun.Lett., vol. 5, pp. 275–276, 2001.
[2] Francisco J. González-Castaño, Javier Vales-Alonso, José M.
Pousada-Carballo, Fernando Isasi de Vicente, and Manuel J.
Fernández-Iglesias, “Real-Time Interception Systems for the GSM
Protocol,” IEEE TRANSACTIONS ON VEHICULAR
TECHNOLOGY, VOL. 51, NO. 5, SEPTEMBER 2002.
[3] J.M. Pousada-Carballo, F. J. González-Castaño, F. I. de Vicente,
andM.J. Fernández-Iglesias, “Jamming system for mobile
communications,”Electron. Lett., vol. 34, pp. 2166–2167, 1998.
[4] ETSI “Digital cellular telecommunications system (Phase 2+); Radio
subsystem link control, (GSM 05.08 version 8.5.0 Release 1999),”
Document ETSI TS 100 911 V8.5.0 (2000-10)
[5] ETSI “Digital cellular telecommunications system (Phase 2+);
Mobile radio interface layer 3 specification, (GSM 04.08 version
7.8.0 Release 1998),” Document ETSI TS 100 940 V7.8.0 (2000-10)
[6] ETSI “Digital cellular telecommunications system (Phase 2+); Radio
transmission and reception, (GSM 05.05 version 8.5.1 Release
1999),” Document ETSI EN 300 910 V8.5.1 (2000-11)