Abstract—This paper presents a new GSM/UMTS jamming system which is intended to be placed in a restricted area for security purposes. A pseudo base station was constructed to attempt connecting with mobile terminals. While the terminals are trying to access, the system will get the unique identity, such as IMSI and IMEI, and further check these identities in the repository. The system will selectively block the communication of these mobile terminals. We will analyze the GSM protocol which is relevant to the interception system and later present the performance of such a system by real tests and demonstrate its feasibility.

GSM/UMTS; jamming system; IMSI-catcher

I. INTRODUCTION

A Real-time GSM Jamming System is equipment located in a restricted area that can detect and record the IMSI numbers of passing mobile phones. By comparing these IMSI numbers with a local cache we can decide whether to block certain mobile stations (MS). Selective blocking of MS has obvious advantages, particularly in security areas where user access must be controlled, and it is what the system is designed for. The unique feature of this interception system is that it does not use any jamming unit to block individual calls or interfere with normal radio frequency; in fact it is a pseudo base station that can make mobile stations connect to it and then either accept or reject them. Our system supports both GSM and UMTS networks. In a word, this system is much simpler and more flexible than former ones [2].

This paper is organized as follows. In Section Ⅱ, we describe existing GSM jamming systems. Section Ⅲ presents how our interception system works. In Section Ⅳ, we analyze the GSM protocol according to how we can obtain MS IMSI numbers, and propose a blocking method. Section Ⅴ presents realistic tests to verify the performance and feasibility of such a system. Section Ⅵ concludes the paper.

II. BACKGROUND

The theory of a real-time jamming system for idle GSM mobile phones is described in [1]. It uses a jamming device such as [3] to block all the active downlink carriers in the detected area and provides a pseudo carrier. Since MS cannot communicate with any of the true carriers in that area, they will detect this pseudo one and perform self-identification for emergency calls. In other words, this detector uses indiscriminate frequency jamming to get mobile identities and blocks all MS in that area.

An advanced interception system which can selectively jam MS is presented in [2]. It is a combination of a detector as in [1] and a selective interceptor. The detector forces the MS to make self-identification, and then the selective interceptor captures the MS identity by monitoring the information exchange between the MS and the detector. By comparing the identity with a local repository, this interceptor decides whether to trigger a local jamming device to generate interference that disturbs active downlink carriers. Therefore, the MS's activity is controlled.

However, ideal blocking in [2] must be made before user traffic flow starts, which is a hard real-time constraint; besides, there is only an instance in which the remaining transaction information is ciphered so the interceptor cannot monitor further messages. This means the interception system must be very complex. In addition, both schemes described above need as many jamming modules as active carriers received; therefore the cost is relatively high.

III. THE GSM/UMTS JAMMING SYSTEM

A. Obtain the IMSI number

The whole interception system is presented in Fig. 1. The mobile phone with engineering mode in this system detects all true active carriers in the target area, and sorts them in descending order according to the "cell reselection criterion" parameter C2. The computer gets the carrier information list from the phone and chooses one carrier which is not strong enough, like the sixth or the last one, as the pseudo carrier of this interception system. The reason why we use an existing carrier is that this carrier is present in the BCCH allocation (BA) lists of other true carriers, which are broadcast in information messages. Therefore, if our pseudo carrier is the same as one of the carriers in such a list mentioned above, MS will connect to our pseudo base station automatically under certain circumstances. In that case, we do not need any jamming device, and since an MS needs a period of time to detect the failure of the affected carrier if jammed, it is faster to let MS connect to our pseudo BS automatically. It could be argued that the existing carrier may interfere with our pseudo carrier because they are the same. However, the carrier we choose is weak enough (it is one of the last several in the list), according to GSM specification [6], if the carrier
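A defender can turn the carrier choice described in Section III-A into a detection signal: a BCCH carrier that sat in the weak tail of the C2-sorted list and then ranks first is worth investigating. The sketch below is an added example, not code from the paper; the scan values, function names and thresholds are constructed assumptions, and the frequency helper covers only P-GSM 900.

```python
from statistics import median

# Constructed sample: periodic neighbour-cell scans as {ARFCN: C2 in dB},
# in the shape a handset in engineering mode could report. Not real data.
SCANS = [
    {12: 38, 45: 31, 77: 27, 23: 22, 90: 15, 60: 6},
    {12: 37, 45: 32, 77: 26, 23: 21, 90: 16, 60: 5},
    {12: 38, 45: 30, 77: 27, 23: 23, 90: 14, 60: 7},
    {12: 36, 45: 31, 77: 25, 23: 22, 90: 15, 60: 52},  # ARFCN 60 jumps to the top
    {12: 37, 45: 30, 77: 26, 23: 21, 90: 16, 60: 51},
]

def downlink_mhz(arfcn):
    """Downlink centre frequency for P-GSM 900 (ARFCN 1..124)."""
    if not 1 <= arfcn <= 124:
        raise ValueError("outside the P-GSM 900 range handled here")
    return round(935.0 + 0.2 * arfcn, 1)

def rank(c2_by_arfcn):
    """ARFCN -> position (0 = strongest) when sorted by descending C2."""
    ordered = sorted(c2_by_arfcn, key=c2_by_arfcn.get, reverse=True)
    return {arfcn: i for i, arfcn in enumerate(ordered)}

def suspicious_carriers(scans, baseline_len=3, tail=2, min_jump_db=20):
    """Flag carriers from the weak tail of the baseline list that later rank first."""
    baseline = scans[:baseline_len]
    # Median C2 per carrier over the baseline scans (hypothetical baseline rule).
    base_c2 = {a: median(s[a] for s in baseline if a in s)
               for a in set().union(*baseline)}
    base_rank = rank(base_c2)
    weak_tail = {a for a, r in base_rank.items() if r >= len(base_rank) - tail}
    alerts = []
    for i, scan in enumerate(scans[baseline_len:], start=baseline_len):
        top = max(scan, key=scan.get)
        jump = scan[top] - base_c2.get(top, float("-inf"))
        if top in weak_tail and jump >= min_jump_db:
            alerts.append((i, top, downlink_mhz(top), jump))
    return alerts

if __name__ == "__main__":
    for idx, arfcn, mhz, jump in suspicious_carriers(SCANS):
        print(f"scan {idx}: ARFCN {arfcn} ({mhz} MHz) rose {jump} dB "
              "from the weak tail to rank 1")
```

A jump like this can also follow a legitimate network change, so an alert is a prompt to inspect the cell's broadcast parameters rather than a verdict.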
We observe the spectrum of our pseudo-base station with a Rohde & Schwarz FSP spectrum analyzer. The frequency of the pseudo-base station is 947 MHz, which corresponds to the ARFCN (Absolute Radio Frequency Channel Number) of 60. When MS come into the target area, the interception system can get their IMSI through the location update procedure. The time elapsed between the start of the interception system and the first IMSI caught is 9 seconds.

Figure 2. The number of IMSI caught versus time

Figure 2 shows the number of IMSI caught in one test. The curve was drawn with Microsoft Excel 2003, and it shows the data of the first 42 s because there was almost no variation afterwards.

In [2], the enhanced selective interceptor needs more than 2500 seconds to reach a 90% hit, and it has only 150 ms to check the identity of the MS and trigger the jamming unit if needed. Obviously, our system is much more efficient and enjoys great flexibility.

Among all the MS, those which are privileged can connect to the true BS within 6~10 seconds and make phone calls successfully. However, for those unprivileged MS, if we make the pseudo-base station accept them, although they look normal, they cannot make calls.

B. Expand the Target Area

Since we cannot increase the transmit power of the GSM RF device without limit, the bound of the target area within which the C2 value of our pseudo-base station remains highest is limited. However, we can make inner pseudo-base stations use new carriers.

Obviously, peripheral pseudo-base stations in Figure 3 can always get a proper weak carrier from a true BS. Nevertheless, since there may not be enough weak true carriers for inner pseudo-base stations, we can assign new carriers to them and broadcast these new BCCH carriers in the BA (BCCH Allocation) list of all the peripheral pseudo-base stations. When a mobile station enters this target area, it must be captured by peripheral pseudo-base stations and gets the list which indicates the BCCH carriers of the surrounding cells (including those pseudo ones). As a result, when the mobile station goes through the center of the target area, it can still discover those pseudo-base stations and consider them as its first choice. This approach also needs more than one true carrier, but at most times, they are not hard to get for the

VI. CONCLUSIONS

In this paper, we have presented a real-time selective interception system for GSM terminals. Unlike other terminal detectors or interceptors which need as many jamming units as true carriers received, we do not need any jamming device. More importantly, this system is not subject to time constraints (in [2], the jamming unit must start within a certain instant). This obviously simplifies the design and reduces the whole cost. This interception system can get the IMSI of MS which enter the target area, and block non-privileged users by means of the method presented in Section Ⅳ-C. We have described the implementation of this interceptor in Section Ⅴ and tested its performance. The results demonstrate that our design is feasible and can meet real-time demands.

REFERENCES

[1] J. Vales-Alonso, F. I. de Vicente, F. J. González-Castaño, and J. M. Pousada-Carballo, “Real-time detector of GSM terminals,” IEEE Commun. Lett., vol. 5, pp. 275–276, 2001.
[2] F. J. González-Castaño, J. Vales-Alonso, J. M. Pousada-Carballo, F. I. de Vicente, and M. J. Fernández-Iglesias, “Real-Time Interception Systems for the GSM Protocol,” IEEE Transactions on Vehicular Technology, vol. 51, no. 5, September 2002.
[3] J. M. Pousada-Carballo, F. J. González-Castaño, F. I. de Vicente, and M. J. Fernández-Iglesias, “Jamming system for mobile communications,” Electron. Lett., vol. 34, pp. 2166–2167, 1998.
[4] ETSI, “Digital cellular telecommunications system (Phase 2+); Radio subsystem link control, (GSM 05.08 version 8.5.0 Release 1999),” Document ETSI TS 100 911 V8.5.0 (2000-10).
[5] ETSI, “Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification, (GSM 04.08 version 7.8.0 Release 1998),” Document ETSI TS 100 940 V7.8.0 (2000-10).
[6] ETSI, “Digital cellular telecommunications system (Phase 2+); Radio transmission and reception, (GSM 05.05 version 8.5.1 Release 1999),” Document ETSI EN 300 910 V8.5.1 (2000-11).