Pages

Saturday, May 25, 2013

SNIFFER FOR MOBILE PHONES

SNIFFER FOR MOBILE PHONES

ABSTRACT

The cell phone though the mobile communication system is proved to be an advantageous method of communication over wired communication, there is another problem that is the mobile phones get lost or get misplaced. The losses are increasing day by day and there has been very little effort that has been done to obtain the lost mobile phone.
        The main scope for this paper is “The proposal for the detection for the lost mobile phones.” Every day over thousand of mobile phones get misplaced and lost, though an effective way for the blocking of the lost mobile to prevent unwanted user has been done by the manufacturers of the mobile by usage of International Mobile Equipment Identifier (IMEI) has been done but however there has been no development or very little progress in this area to find the misplaced mobile phones.
     Our proposal has a look that appears little bit costlier while initial set up is done but however the cost is gradually reduced or cut down. Here the same IMEI number that has been used for blocking calls is utilized for the purpose of detection, which is stored in mobile phone. The scope of this may look limited by various factors like natural and artificial disturbances; we feel that this can be a big step that may help the users, service providers, manufacturers in an effective way .The directional antenna is an important device that is to be designed and used as it plays a major role in this project.

2. A Brief Introduction to GSM:

Global System for Mobile Communications (GSM) is the most popular mobile phone system in the world. According to a press release by the GSM Association recently, there are more than 747.5 million subscribers in over 184 countries today by the time of September 2002, accounting for 71.2% of the World's digital market and 69% of the World's wireless market. The number of subscribers worldwide is expected to surpass one billion by the end of 2003[7].
 The name GSM first comes from a group called Group Special Mobile (GSM), which was formed in 1982 by the European Conference of Post and Telecommunications Administrations (CEPT) to develop a pan-European cellular system that would replace the many existing incompatible cellular systems already in place in Europe. But when GSM service started in 1991,the abbreviation "GSM" was renamed to Global System for Mobile Communications from Group Special Mobile. The typical architecture of GSM network was shown in figure 1.



Fig.1. The architecture of GSM

The GSM network can be divided into three parts. The Mobile Station carries the subscriber; the Base Station Subsystem controls the radio link with the Mobile Station; the Network Subsystem, the main part of which is the Mobile services Switching Center, performs the switching of calls between the mobile and other fixed or mobile network users, as well as management of mobile services, such as authentication. Not shown is the Operations and Maintenance center, which oversees the proper operation and setup of the network. The Mobile Station and the Base Station Subsystem communicate across the air interface or radio link. The Base Station Subsystem and the Network Subsystem are also called the fixed network.

2.1 Mobile Station
The mobile station (MS) consists of mobile equipment and a Subscriber Identity Module (SIM) card. The most common mobile equipment is the mobile phone. By inserting the SIM card into a cellular phone, the user is able to receive calls at that phone, make calls from that phone, or receive other subscribed services. The mobile equipment uniquely identifies the International Mobile Equipment Identity (IMEI).
The SIM card stores the sensitive information such as the International Mobile Subscriber Identity (IMSI), Ki (a secret key for authentication), and other user information. All this information may be protected by personal identity number (PIN).
The SIM card itself is a smart card and is in accordance with the smart card standard (ISO 7816-1, -2). The GSM 11.11 has the detailed specification about the SIM card.

2.2 Base Station Subsystem
The Base Station Subsystem consists of the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The Base Transceiver Station houses the radio transceivers that define a cell and handles the Radio link protocols with the Mobile Station. In a large urban area, there will potentially be a large number of BTS deployed. The Base Station Controller manages the radio resources for one or more BTS. It handles Radio channel Setup, frequency hopping, and handovers. The BSC is the connection between the mobile and the Mobile service Switching Center (MSC). The BSC also translates the 13 kbps voice channel used over the radio link to the standard 64 kbps channel used by the Public Switched Telephone Network or ISDN.

2.3 Network Subsystem
The central component of the Network Subsystem is the Mobile services Switching Center
(MSC). It acts like a normal switching node of the PSTN or ISDN, and in addition provides all the functionality needed to handle a mobile subscriber, such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber. These services are provided in conjunction with several functional entities, which together form the Network Subsystem. The MSC provides the connection to the public fixed network (PSTN or ISDN), and signaling between functional entities uses the ITUT
Signaling System Number 7 (SS7). The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the Call routing and (possibly international) roaming capabilities of GSM. The HLR contains all the administrative information of each subscriber registered in the corresponding GSM network, along with the current location of the mobile. There is logically one HLR per GSM network, but it may be implemented as a distributed database. The Visitor Location Register contains selected administrative information from the HLR, necessary for call control and provision of the subscribed services, for each mobile currently located in the geographical area controlled by the VLR. Although each functional entity can be implemented as an independent unit, most manufacturers of switching equipment implement one VLR together with one MSC, so that the geographical area controlled by the MSC corresponds to that controlled by the VLR.
The other two registers are used for authentication and security purposes. The Equipment Identity Register (EIR) is a database that contains a list of all valid mobile equipment on the network, where each mobile station is identified by its International Mobile Equipment Identity (IMEI). An IMEI is marked as invalid if it has been reported stolen or is not type approved. The Authentication Center is a protected database that stores a copy of the secret key stored in each subscriber' s SIM card, which is used for authentication and ciphering of the radio channel.

3. Concept of channel in mobile communication:
     The channel in the mobile communication refers to the frequency that is being used for the purpose of communication. Generally there are two types of channel in mobile communication. One of the channel is the traffic channel (physical channel) and the control channel. The physical channel is used for transmission of the voice data and the signaling information. The physical channel carry different massages to be sent. These are called as the logical channel.

3.1Broadcast Control Channel

    Also known as: BCCH

Broadcast Control Channel (BCCH) is a downlink GSM Broadcast Channel .
The BCCH is transmitted by a Base Transceiver Station (BTS) to provide the signaling information required by the MS (Mobile Station) to access and identify the network. The BCCH will include information such as the LAC (Location Area Code).
            When the MS are switched on the MS searches for the BTS, it scans the entire channel. It scans the list of entire frequency that is allotted to the service provider .It finds a strongest carrier it checks if it is a control channel. It does so by searching a particular logical channel called as broadcast control channel (BCCH). The frequency carrying BCCH contains important information like LA identity, synchronization information and network identity. Without such information the MS cannot work in the network. The information is broadcast at regular interval leading to broadcast control channel (BCCH) When the MS finishes analyzing the information in BCCH; it then has the information to work with the network. However the MS roams to another cell, it must repeat the process of reading FCCH, BCCH in the new cell. If the mobile subscriber then wishes to make or receive a call, the common control channel (CCCH) must be used.

3.2 TRAFFIC CHANNEL (TCH):
Ones the call set up procedure has been done or completed on the control physical channel, the MS tunes to traffic physical channel. It uses the traffic channel (TCH) logical channel.
There are two types of traffic channel (TCH):
·         The full rate TCH: It transmits full rate speech (13 kbit/ sec). A full rate TCH occupies one physical channel.
·         Half rate TCH:It transmits half rate speech (6.5 kbits/sec). Two half rate TCH can share one physical channel, thus doubling the capacity of the channel.
4. Concept of IMEI.
4.1 Mobile security with IMEI
With mobile phones becoming the popular target of thieves, it becomes important for subscribers to get acquainted with some practical measures to keep their mobiles safe.
         One of the most important one happens to be the International Mobile Equipment Identity (IMEI). In case a mobile phone is stolen, all that a subscriber has to do is call the network service provider, explain about the theft and give the IMEI. The network will immediately deactivate the stolen phone's SIM card to prevent unauthorized calls being made.

     IMEI is a unique 15-digit code used to identify an individual GSM mobile telephone to a mobile network. It can be displayed on most phones by dialing *#06#. The code is also printed on the compliance plate under the battery. The number consists of four groups that look like this: 
nnnnnn--nn-nnnnnn-n

   The first set of numbers is the Type Approval Code (TAC). The first two digits represent the country code. The rest make up the final assembly code. And the second group of numbers identifies the manufacturer. The third set is the serial number and the last single digit is an additional number (usually 0).
   IMEI numbers of cellular phones connected to a GSM network are stored in a database (EIR - Equipment Identity Register) containing all valid mobile
phone equipment. Whenever a phone logs onto a particular network to make or receive calls, its IMEI number is emitted and gets registered.
   In case of stolen phones, the service provider can pass on the information to the police. They will further trace the user through the SIM card. “However, this technology is not available in Code Division Multiple Access (CDMA) mobiles”.

4.2 WHAT IS AN IMEI NUMBER?
The GSM MoU's IMEI (International Mobile Equipment Identity) numbering system is a 15-digit unique code that is used to identify the GSM/DCS/PCS phone to a GSM/DCS/PCS network.

When a phone is switched on, this unique IMEI number is transmitted and checked against a database of blacklisted or greylisted phones in the network's EIR (Equipment ID Register).

This EIR determines whether the phone can log onto the network to make and receive calls.

4.3 How to display a phone's IMEI number:
  • Type *#06# on the keypad. This code works on most phones.
4.4 What effect does a listing of an IEMI number with an EIR have?
If the EIR and IMEI numbers match, the networks can do a number of things. They can for example greylist or blacklist a phone:
  • Greylisting will allow the phone to be used, but it can be tracked to see who has it (via the SIM info).
  • Blacklisting bars the phone from being used on any network where there is an EIR match.
4.5 IEMI Example:

 490154100837810

490154 
Type Approval Code (TAC)
The first two digits is the code for the country approval.

10 - Final Assembly Code (FAC)
01,02
AEG
07 , 40
Motorola
10, 20
Nokia
30
Ericsson
40, 41, 44
Siemens
47
Option International
50
Bosch
51
Sony
51
Siemens
51
Ericsson
60
Alcatel
70
Sagem
75
Dancall
80
Philips
85
Panasonic

    083781 - Phone Serial Number
    0 - Additional Number
5.Blacklisted or Barred Handsets
5.1 what is it all about???
A phone may be blacklisted (or barred) for many different reasons, but the most common reason is that it has been reported either lost or stolen! It is only the networks (Orange, T-Mobile, O2, Vodafone etc) that have the facility to blacklist a handset. 

If you are unfortunate enough to either lose or even worse have your phone stolen you should report it to your service provider (your network) immediately! Your service provider can then blacklist the handset so that it can no longer be used to make or receive any calls. The networks do this by adding your phones serial number onto a national blacklist database (Central Equipment Identity Register). Effectively the handset becomes absolutely useless and the thief is in possession of a pretty paperweight! :-))

 5.2 So How Does Blacklisting Work?
Every mobile phone has a unique serial number. This serial number is called the IMEI number (International Mobile Equipment Identity). It can normally be found underneath the phones battery and it is 15 digits long. 
Now each time you switch your phone on or attempt to make a call the network systems check the IMEI number of the handset you are using. At this point the IMEI number of your handset is cross-referenced with the Central Equipment Identity Register. If the IMEI number of your handset is on the CEIR then the network will either:
1) Refuse to send a signal to your phone (No signal strength at all)
2) OR WILL supply a signal but will not allow any outgoing or
 incoming calls.

If your IMEI number is on the CEIR your handset is blacklisted and therefore useless. By spreading the word that "stolen handsets will not work" it is hoped that street crime can be reduced!



5.3 How to Check If Your Phone is blacklisted!!
Different networks blacklist handsets in different ways:

·Orange & O2: 
If you place an active orange or O2 sim into a blacklisted handset your phone will not show any signal strength at all! If the handset is a Nokia then a "SIM card registration failed" message will also be displayed. If your handset is an 
Ericsson then an "Invalid Mobile" message will be displayed. For most other manufacturers the handset will simply show no signal!

Vodafone & T-Mobile
If you place an active Vodafone or T-Mobile sim into a blacklisted handset, the phone will appear to function perfectly UNTIL you try to make an outgoing call. When you try to call out from the handset you will hear a sequence of beeps and then the call will be dropped!!


5.4 Unlocking & blacklisting, is there any Connection?
The answer is that there used to be a connection before O2 and Vodafone started blacklisting handsets! Orange and T-Mobile have been blacklisting handsets for a long time (It is only recently that O2 and Vodafone also started blacklisting handsets). 
NB Orange & T-Mobile always lock their handsets!(e.g. an Orange handset will only accept an Orange sim and will not accept an O2, Voda or T-Mobile sim)

So if you reported your Orange or T-Mobile handset missing to your network it became barred/blacklisted! BUT it was only barred on your home network. Therefore unlocking the barred handset would enable it to work on every network except the one it was originally locked too! Therefore the phone still had some commercial value, as it would function on at least 3 out of the 4 networks.

It wasn't long before Orange and T-Mobile began to combine their individual blacklist databases. Therefore a phone barred on Orange was also barred on T-Mobile and vice versa. Even at this point the barred handset could be unlocked and used but only on 2 out of a possible 4 networks (O2 & Vodafone).

The government eventually stepped in and forced O2 and Vodafone to update their systems and introduced the CEIR. Now that all the networks share a central blacklist database, even if a barred handset is unlocked it still remains useless on ALL UK networks!


5.5 How Do Criminals Get Around The Blacklisting    Scheme/CEIR?
So now that handsets are blacklisted on all networks what do the criminals do to get around this? They find ways to change handset IMEI numbers! Amazingly it is only recently that the altering/changing of IMEI numbers has become illegal! Home Secretary David Blunkett introduced a new law making re-programming IMEI numbers punishable by up to five years in jail. This new law became active on the 4th October 2002. (This new law does not effect handset unlocking). 

Never the less it is possible to change IMEI numbers on certain handsets. So if an individual obtains a blacklisted handset, they can change the IMEI number and the handset will then work again!! 

In my opinion the responsibility now lies with the handset manufactures. They need to make it as difficult as possible to change IMEI numbers. To be fair some manufactures are doing their bit (but some are not!). For example Nokia's older DCT 3 range of handsets has been well and truly cracked. Anyone that searches the Internet for a short period of time would be able to find an IMEI change solution. BUT Nokia's new DCT4 range of handsets remains UN beaten with regards to changing the IMEI. This is largely down to the type of memory used to store the IMEI number. Nokia have chosen to use OTP (one time programmable) memory, which by its very name indicates that data can’t be over written. (Unless you change the UEM/memory chip - technically this is out of the realms of most criminals!)

The criminals do have an alternative to changing IMEI's, and this is to send the barred handsets overseas! The blacklist database (or CEIR) is only used by the UK networks. Therefore a handset that is barred in the UK will work fine in a different country! Apparently a large number of UK barred handsets find themselves in Italy, Spain and France etc. The Barred handset works fine in any country outside the UK!! 

The solution to this exporting problem is simple. Rather than a national database the mobile industry is now looking to build an international database. If/when this is introduced blacklisted handsets will not work anywhere in the world!




Check out the immobilize campaign link below for further information on blacklisting:


6. Design for the sniffer

The sniffer for the mobile includes the mobile includes the following important concepts.
·         Design of a sniffer base station.
·         Design of unidirectional antenna.
·         Software that is used for tracking the lost mobile phone’s IMEI number.


6.1.the design for sniffer base station
·         The sniffer is a small base station; it includes transmitter and receiver circuit.
·         It should operate at a frequency that is much different from the frequency that is being operated by the operator in the current cell and the near by one’s.
·         In addition to this the main other requirement is the design for highly powerful unidirectional antenna with very low beam width.
·         The design for base station is an important requirement. Mobile phones as well as the base station has low power transmitter is also transmitting at low power.
·         The transmitter of the “sniffer” can be low power transmitter.
·         This helps in the process of reducing the interference of the device with the devices that are in the other cells.

6.2.design of a unidirectional antenna.

Fig.1 The Unidirectional Antenna Pattern
·         Though the trans receiver in a sniffer plays an important role in the direction of mobile phone but however it is the directional antenna that has a major role in the design of a transmitter. Hence the proper design of a directional antenna is required.
·         Antenna is a device which works on a specified frequencies range for transmitting or receiving the data signals.
·         In general, an antenna transmits more power in some directions then in others.
·         Two-dimensional diagram is used to show radiation pattern of directional antenna is shown in fig.1.
·         In addition to this it is necessary that the transmitter should be a low power transmitter.
·         Gain and directivity are intimately related in antenna.
·         The directivity of antenna is a statement of how the RF energy is focused in one or two directions, because the amount of RF energy remains the same, but it is distributed over a less area, the apparent signal strength is higher.
·         This apparent increase in signal strength is the antenna gain.
·         The gain is measured in decibels over either a dipole (dBd) or theoretical construct called an isotropic radiator (dBi).
·         The isotropic radiator is a spherical signal source that radiates equally well in all directions.
·         One-way to view the omni directional pattern is that it is it is a slice taken horizontally through the three dimensional sphere.   
6.3.software for the tracking
·         The software part also plays a major role in the tracking of the lost mobile phone.
·         The mobile phone that is lost has certain IMEI number that is embedded into the chip.
·         The software that is to be designed in such a way that the software has the input as the IMEI number of the lost mobile phone.
·         After getting the input of the lost mobile phone’s IMEI numbers it checks the common port for getting the information weather the information is available in regard to the lost IMEI number.
·         In this way the software gets the information from the antenna, to detect the lost mobile phone.
·         The programming can be done with C or JAVA with VB and Oracle at the back end providing the data base information.
7.Working of sniffer device
·         The sniffer is a transreceiver that works on the frequency that is in special unused range that is operated by the service provider.
·         The fig 2 and 3 shows the working of the sniffer, the first one gives the normal connection of the lost mobile phone with the cellular network.
·         First the IMEI of the lost mobile phone has to be reported to the service provider, who keeps in track of the record of the lost mobile phones.
·         Then the MTSO which keeps it to track of all mobile phones, their IMEI numbers, their location under which cell, under which BTS

The next fig shows the sniffer that gets in to work. After the information is provided by the MTSO; the sniffer located in the particular cell gets into action by detecting if the mobile phone is available. The base station disconnects the connection with the lost mobile phone while the connection between the sniffer and mobile phone is established; the sniffer is operated in the frequency that is different from the frequency from the frequency adopted by the cell and the near by ones. Hence the interface from the nearby cell can be avoided. The directional antenna is used for the purpose of finding the location of the mobile phone.


     Here the antenna pattern is plotted ones the signal of the mobile phone is obtained. The number of antenna pattern for different position of the same mobile phone is used to find the exact location, but however in this method the directional antenna used must be of very small beam width.

8.MERITS AND DEMERITS:

Each and every technology has it’s own merits and demerits, at times the merits overcome the demerits and at other it is vice versa. Though the sniffer device for the mobile phones has it’s own merits in terms for the of using the IMEI number for the detection of lost mobile, the frequency that it uses is high frequency in the range of 850-950 MHZ where there is a slight effect of the reflection of the signal from the ground, but however the effect is less pronounced and the other demerit here is that even though the directivity of the antenna is less the distance of the propagation should be restricted and the device is handheld and  automated one. But however this new technique that provides a light for the detection of the lost mobile phones.

9.CONCLUSION:
The given paper gives an idea about development of “sniffer for the detection of lost mobile phones”. The design involved the following steps:
  • Design of a sniffer base station.
  • Design of unidirectional antenna.
  • Development of software for tracking a lost mobile phone.
Though this method appears little bit complex involving the design of the sniffer but however the large-scale detection the overall effective cost of the design and detection scales down. Though there are certain boundary conditions or criteria that have to be qualified for the identification of lost mobile like the power of the mobile should be good enough. The mobile phone should not be in the shadow region etc., but however this method can be improved by using modern technologies and devices.

 10.BIBLIOGRAPHY:

  1. PROCEEDING OF NATIONAL SEMINAR ON EMERIGING WIRELESS TECHNOLOGIES 2005.
  2. William Stallings “wireless communication”.

No comments:

Post a Comment