Comments on Taddong: Selective attack with a rogue GSM/GPRS base station

Feed author: Raul Siles (http://www.blogger.com/profile/06709503832135757060)
Feed updated: 2023-12-27T22:41:33.117+01:00

Comment by Jose Pico (https://www.blogger.com/profile/07792388506501969140), 2011-05-09T16:34:36.169+02:00:

Hi,

assuming that the mobile station is currently registered in the legitimate base station (normal case), it will initiate a Location Update Procedure after the "Cell Reselection Procedure", run in the mobile station, decides to change to the rogue cell. First message will be a "Location Update Request" of type "Normal Location Updating" (not IMSI attach) where it will, as you mentioned, include its previous TMSI for identification.

After that message, several intermediate steps can occur before the completion of the "Location Update Procedure". Whether these steps should be performed or not is always decided by the network. One of these steps is the "Identification Procedure". In our case, our rogue base station initiates this "Identification Procedure" asking for the IMSI. That is the way we obtain the IMSI.

After that, the network finishes the "Location Update Procedure" by sending "Location Update Procedure REJECT" message or "Location Update Procedure ACCEPT" message, depending on the case.

We cover this and many other details in our 2G/3G security course (http://www.taddong.com/en/TR_GSMSecurity.html).

Comment by Anonymous, 2011-05-09T14:38:37.570+02:00:

Jose,

How do you force the mobile to run what you call "registration attempt" (IMSI attach, I assume)?

Without that, if the phone is only running location update, it identifies by TMSI, which probably means that you can't discriminate the victim from "the rest".