For a mission in a South American country we fear being tracked, especially through the mobile network operators' writing of GSM initial attach parameters. For this we want to log (enough space in an iPhone 5S) the writing process from the carrier (MNO or MVNO) to the USIM, tapped out onto a de-packaged microSD card flash memory.
Has anybody done this before and can give advice, as it's a unique moment in time when the carrier does the initial attach process defined by 3GPP R12?
We kindly ask the community for help, as it's a case around drug-dealing crime.
Hi Rolf
I did respond to another of your posts on malware (http//www.forensicfocus.com/Forums/viewtopic/t=13836/) but you didn't respond. I am not sure if this is a language barrier issue between us or whether we are both thinking of different subjects.
I will have a go at your questions below.
GSM initial attach parameters.
Do you mean at the stage of "Explicit IMSI Attach"?
For this we want to log out (enough space in iPhone 5S) the writing process from the carrier (MNO or MVNO) to the USIM tapped out on a de-packaged microSD card flash memory.
Has your University not looked at man-in-the-middle interception equipment?
initial attach process defined by 3GPP R12.
Please confirm which particular standard/s you are referring to?
Thanks
First, I apologize for not answering your reply. We here (law enforcement) are under high pressure and a huge workload, working 18 hours and more, so I was not able to respond, and the next case is in a hurry.
Yes, we fear the explicit initial attach referred to in TS 23.012 of 3GPP. As we cannot 'read' out the encrypted parameters stored on the USIM, we try to catch them 'in the moment' they are written into the USIM. Just think about it: we fear they track/tap or manipulate our communication. Crypto communication is for nothing; they are heavily equipped with high-end decryption DPI engines in real time. But I have to know what they write on our USIMs! I know this is a unique problem nobody has, just we.
The moment the MNO writes on the USIM we tap this by wires attached out to a flash memory on a microSD card. We connect at the female nanoSIM tray pins for writing to the flash memory.
I cannot expose more of our setup as crime always listens and reads over your shoulder, but I try to find others facing the same difficult tech issues.
Sorry for not being able to describe the issue in technically correct terms.
Hi Rolf, thank you for coming back.
I read how difficult and unique your situation is, and no doubt you are having internal liaison chats with Interpol or Europol or both; they should be able to assist you with your more sensitive enquiries.
Have you looked at producing a module for the iPhone 5s (you didn't confirm phone model number or iOS version) for monitoring, e.g. _CTServerConnectionCellMonitorGetCellInfo(), taken from specific parts of openBTS ( http//
You mentioned USIM and referred to 3GPP. The assumption you make here is that the mobile networks your iPhone 5s comes into contact with are all pure GSM networks in the target zone - do you know that for certain?
Have you selected which specific iPhone 5s model - A1533, A1530, A1528, A1518, A1457, A1453? Also which iOS version?
Have you selected a particular USIM or are you using one that is off-the-shelf?
Hi Greg, thank you!
The _CTServerConnectionCellMonitorGetCellInfo issue I will double-check, good hint.
Will use an iPhone 5S (A1457) and iOS 9.3 beta 3 (13E5200d) with a Movistar SIM card, as it belongs to Telefonica; Claro is Mexican and we do not trust it.
Our sensor says in this specific area 4G LTE is not up, but we are not fully sure, as network upgrade expansion can change this, or radio propagation can change too due to atmospheric humidity in this area (daytime related).
At the same time, using the iPhone on Movistar, we attach a SatSleeve via Thuraya over the Cairo ground station for our live log.
3G normally has the A5/3 (64-bit) cipher implemented, but we have to measure domestically in COL, wondering if 'AnytimeInterrogation' is activated there and what the SS7 routing paths are internationally, because we test the roaming option of a home SIM (requesting the encryption key from the home MSC).
Questions and additional issues to consider are always welcome!
P.S. We get support, but I want to learn as much as I can by myself (it goes deeper into my brain).
Hi Rolf
Defining the elementary files in your Movistar SIM card (I note you are not using the acronym USIM) might assist you regarding network-related elements. The relevance is to identify which baseband information is shared with the phone and which information is shared with the SIM (USIM). Perhaps you may wish to look at the following standards:
Location Management
3GPP TS 23.012 V12.0.0 (2014-09)
Non-Access-Stratum (NAS) functions related to Mobile Station (MS) in idle mode
3GPP TS 23.122 V12.8.0 (2015-09)
Non-Access Stratum (NAS) configuration Management Object (MO)
3GPP TS 24.368 V12.4.0 (2015-09)
Characteristics of the Universal Subscriber Identity Module (USIM) application
3GPP TS 31.102 V12.10.0 (2016-01)
Security related network functions (covers A5/3 64-bit key ciphering (Kc))
3GPP TS 43.020 V13.0.0 (2016-01)
You mentioned you wanted to conduct tests on the SIM card; a useful guiding standard that can help you:
Subscriber Identity Module (SIM) conformance test specification
3GPP TS 11.17 V8.2.0 (2005-06)
You confirmed you would be using an iPhone 5S (A1457) and iOS 9.3 beta 3 (13E5200d). OK, so this is iPhone 5s (Global) – Models A1457, A15181, A15281, A1530 - which suggests to me two options for you regarding accessing higher and lower baseband information, which is usually available via a third-party API, e.g. available to a phone under a developer licence or jail-broken. I am assuming you have run the test *3001#12345#*
You mentioned "because we test the roaming option of a home SIM (requesting encryption key from home MSC)". But e.g. triplets can still be forwarded to the visited network for use for up to e.g. 5 calls, and the MS monitored/located via the visited-network VLR. Will you also be considering the following:
Numbering, addressing and identification
Mobile Station Roaming Number (MSRN) for PSTN/ISDN routeing
3GPP TS 23.003 V12.8.0 (2015-09)
Lastly, regarding this arrangement "Movistar SIM-card as belonging to Telefonica as Claro is Mexican we do not trust", you may wish (moreover, need) to ask your internal liaison about the IRA between the operators regarding communications in the clear (non-ciphered). To learn a little bit about mobile roaming, the GSMA produced these documents:
http//
http//
http//
http//
Hope these observations help.
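As an added example (not code from the thread or any of its posters), the following decodes two of the network-related USIM elementary files that TS 31.102, cited above, defines: EF_IMSI (file ID 6F07) and EF_LOCI (6F7E, the TMSI and LAI the network last wrote). The file layouts are as given in TS 31.102; the sample bytes are constructed (the 3GPP test IMSI on test PLMN 001/01), so a reader can diff decoded fields from a card image taken before and after an attach instead of reading raw hex.

```python
# Added example, not from the thread: decode EF_IMSI (6F07) and EF_LOCI
# (6F7E) from raw bytes using the layouts in 3GPP TS 31.102. Sample bytes
# below are constructed, not captured from any real card.

LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = length; byte 1 low nibble = identity/parity flags
    (b4 set means an odd digit count), high nibble = digit 1; the remaining
    bytes hold digit pairs, low nibble first (swapped BCD)."""
    length = raw[0]
    if length < 1 or len(raw) < 1 + length:
        raise ValueError("EF_IMSI length byte inconsistent with data")
    body = raw[1:1 + length]
    odd = bool(body[0] & 0x08)
    digits = [body[0] >> 4]
    for b in body[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:
        digits.pop()            # even digit count: last nibble is 0xF filler
    return "".join(str(d) for d in digits)


def decode_loci(raw: bytes) -> dict:
    """EF_LOCI (11 bytes): TMSI(4) | LAI(5) | TMSI TIME(1) | LU status(1).
    LAI = MCC/MNC in swapped BCD (3 bytes) followed by the LAC (2 bytes)."""
    if len(raw) < 11:
        raise ValueError("EF_LOCI must be at least 11 bytes")
    lai = raw[4:9]
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0xF:    # 3-digit MNC: third digit in byte 1 high nibble
        mnc += str(lai[1] >> 4)
    return {
        "tmsi": raw[0:4].hex(),
        "mcc": mcc,
        "mnc": mnc,
        "lac": int.from_bytes(lai[3:5], "big"),
        "status": LOCI_STATUS.get(raw[10] & 0x07, "reserved"),
    }


# Constructed sample records: test IMSI 001010123456789 on test PLMN 001/01.
SAMPLE_IMSI = bytes.fromhex("080910101032547698")
SAMPLE_LOCI = bytes.fromhex("12345678" "00F110" "1A2B" "00" "00")

if __name__ == "__main__":
    print(decode_imsi(SAMPLE_IMSI))
    print(decode_loci(SAMPLE_LOCI))
```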
Thank you Greg for your profound working material and the links, I very much appreciate this.
One question here remains: if the mobile operator has changed to 4G LTE we have to think about the Diameter protocol and DRA. Encryption will be different too, but I guess nobody amongst carriers has implemented A5/4.
Will dig through with fun and am happy to learn -) Thanks a lot!!
We here searched for the Trillium poster online, but it was somehow removed from Radisys. Is there a source to find the poster online again? On netmanias.com we found some good technical overviews too.
Advanced untraceable, anti-tapping / anti gsm-interceptor mobile phones
http//
And it is Forensic Bullet-Proof -
The XCell Basic phone cannot be accessed and investigated by forensic software and hardware. Firmware cannot be read/written or cloned by unlocking boxes.
The phone cannot be accessed, read or analysed by any mobile forensic equipment. Physical extraction and file system extraction are blocked by a security filter.
I see you as a trusted source, but my boss will tell me "Do not trust - check yourself." As they are in Geneva, I will jump over and have a look and speak with them.
Thank you for the recommendation!