AU2008200801B2 - Process and device to identify a mobile user in a digital cellular mobile radio network - Google Patents
- Publication number
- AU2008200801B2
- Authority
- AU
- Australia
- Prior art keywords
- end device
- user end
- simulator
- protocol
- identification
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn - After Issue
Landscapes
- Mobile Radio Communication Systems (AREA)
Description
AUSTRALIA
Patents Act 1990
COMPLETE SPECIFICATION
Standard Patent

Applicant(s): THALES Defence Deutschland GmbH

Invention Title: PROCESS AND DEVICE TO IDENTIFY A MOBILE USER IN A DIGITAL CELLULAR MOBILE RADIO NETWORK

The following statement is a full description of this invention, including the best method for performing it known to me/us:

Process and device to identify a mobile user end device in a digital cellular mobile radio network

Embodiments of the present invention describe a process for the identification of a mobile user end device in a digital cellular mobile radio network through which data are transmitted according to a CDMA (Code Division Multiple Access) process. In addition, embodiments of the invention describe a simulator for the identification of a mobile end device in a digital cellular mobile radio network through which data are transmitted in a CDMA (Code Division Multiple Access) process.

Security forces have, among other matters, the assignment to solve crimes that have already been committed and/or to prevent crimes from occurring. An important factor in the fulfillment of these assignments is the ability in specific situations to identify a suspect on the basis of mobile telephone use and to listen in on, record, and evaluate conversations that the person holds over the mobile telephone. The security forces are empowered to do this through relevant legal ordinances and regulations. The goal is to gather the communication traces of a suspect in order to identify the person and/or the mobile telephone that was used and to record and evaluate the conversations that were held.

In the state of the art various mobile radio networks for the transmittal of data are known. Very widespread in use, both in terms of network coverage and in terms of the number of mobile user end devices, are GSM (Global System for Mobile Communications) mobile radio networks.
For the past few years UMTS (Universal Mobile Telecommunications System) mobile radio networks have been available and are becoming increasingly widespread. These two standards differ from each other for example in authentication, protection of integrity, and encryption. While in GSM only the mobile user end device is required to authenticate itself to a base station, UMTS also requires that the base station authenticates itself to the mobile user end device. In the context of the protection of integrity in UMTS, the control data that need to be transmitted over the mobile radio network are for example protected by signatures against tampering. In order to encrypt the data that are to be carried over the mobile radio network, special encryption processes are implemented for UMTS, such as for example the KASUMI process. The UMTS encryption relates both to the user data and to the control data. While a GSM mobile radio network implements a combination of frequency multiplex processes (FDMA - Frequency Division Multiple Access) and time multiplex processes (TDMA - Time Division Multiple Access) for the transmittal of data, a UMTS mobile radio network utilizes a code multiplex process (CDMA - Code Division Multiple Access) in which the data (signals) are transmitted to several sources or senders at the same time. In this case the data are assigned specific code patterns (so-called scrambling codes).

In addition there is for example a process, known from DE 199 20 222 A1, for identification of and listening in on a mobile user end device in a digital cellular GSM mobile radio network.
On the basis of the above-noted examples, which are not a complete listing, of differences between a GSM mobile radio network and a mobile radio network in which the data are transmitted according to the code multiplex process, as for example in a UMTS mobile radio network, the processes known for GSM networks cannot be easily transferred to UMTS networks.

The technical specification ETSI TS 133 108 V6.8.2 (3GPP TS 33.108 version 6.8.2 Release 6) from January 2005 describes very broadly the general technical requirements for UMTS handover interfaces, which allow "lawful interception", a feature defined for UMTS networks. This feature must be realized in all technical equipment of public communication networks. It gives public institutions the possibility to dial up on existing UMTS connections and to listen in on conversations held over these connections. If the provisions described in this document were not fulfilled in UMTS networks, the identification of and the listening in on user end devices would not be possible right from the start due to missing technical requirements.

WO 2005/011 318 A1 describes how a simulator, introduced into a GSM radio cell for listening in on conversations held over a mobile telephone and operated as a virtual base station, only accepts registration of the user end device to be listened in on and rejects the registration of other user end devices. The objective is to reduce the load on the virtual base station caused by other user end devices during the listening in on the user end device to be listened in on. For achieving this objective the virtual base station can transmit rejection signals to user end devices which try to register with the virtual base station.
It would be advantageous if the present invention would develop a way to identify a mobile telephone in a mobile radio network in which data are transmitted according to a code division multiple access (CDMA) process, in particular a UMTS mobile radio network, and, where needed, to also listen in on conversations held over the mobile telephone.

The present invention provides in a first aspect a process for the identification of a mobile user end device in a digital cellular mobile radio network through which data are transmitted according to a first protocol, comprising the following steps all carried out in the realm of the first protocol:
- in proximity to a user end device to be identified a simulator is arranged;
- a measurement system determines in proximity to the simulator parameters of the base stations relevant for the transmission of data and transfers the relevant parameters to the simulator;
- the simulator is operated as a new base station taking into consideration the obtained parameters;
- the to-be-identified user end device recognizes the simulator as a new base station, the simulator being arranged so that a registration of the to-be-identified user end device is enabled; at which point
- an authentication procedure is commenced, the to-be-identified user end device rejects the authentication procedure as erroneous, the simulator begins an identification procedure in the course of which the simulator asks the to-be-identified user end device for its identification parameters, the simulator receives the identification parameters of the to-be-identified user end device; and
- the user end device is identified in the realm of the first protocol on the basis of the transmitted identification parameters.
As per embodiments of the invention, processes are proposed through which relevant parameters of mobile radio network base stations in close proximity to a simulator can be located for the data transfer and can be drawn on. In this case the simulator is in close proximity to the to-be-identified user end devices; that is, it is arranged within the radio cell in which the user end device is registered. The located parameters may include in particular the scrambling codes and/or the transmission strengths of the base stations that are used by the base stations that are arranged in proximity to the simulator. The scrambling code is a code pattern with which the various transmitters are coded within the frame of a code multiplex process for the transmission of data. At that point the simulator may be operated as a new base station, selectively with a different Location Area Code than the original base station in which the identified user end device was originally registered. For this purpose, the simulator may have access to necessary means, for example a base station which enables the operation of a simulator as a base station in a mobile radio network.

In addition the simulator may send system information within the same frequency band as the original base station, though at a higher transmission power than the original base station. The emission of another Location Area Code (LAC) may simulate to the to-be-identified user end device a movement of the user end device into a new spatial area to which the other LAC is assigned. However, the same objective may also be achieved if the simulator sends data with the same LAC as the original base station but with a higher power than the original base station, or at least with a power which makes the to-be-identified user end device receive the data from the simulator with a higher power than the data received from the original base station.
In this way the user end device may be compelled to make an automatic registration with the simulator. For this purpose the user end device performs a so-called Location Update.

On the basis of the identification parameters, the identification of the user end device may take place. The identification parameters include for example an IMSI (International Mobile Subscriber Identity), a TMSI (Temporary Mobile Subscriber Identity), a P-TMSI (Packet TMSI) and/or an IMEI (International Mobile Equipment Identity). These identification parameters are sufficient to adequately develop a connection between the simulator and the to-be-identified user end device for the purpose of listening to the conversation being held over the user end device. For this purpose the simulator may have available sufficient means, for example a user end device which permits the operation of the simulator as a user end device for the development of a connection to the to-be-identified user end device and for monitoring the connection and/or the conversation.

According to a preferred method of the invention, the measurement system is designed as a monitor user end device which can be a part of the simulator. Because user end devices transmit regardless of the relevant parameters of base stations in the mobile radio network in close proximity to the user end device needed for data transmissions, measurement systems based on the ideas of the invention can be employed.

The actual name and the personal data of the user of the user end device may be registered with the operator (known as a provider) of the mobile radio network and can be requested from it in the context of an official inquiry. Usually only the provider has access to cross-reference lists that enable the attribution of the IMSI to a user and/or of the IMSI to a call number.
The TMSI is, as the name itself points out, only of a temporary nature and does not permit a clear attribution to a particular user or to a particular call number. For this reason, it is important for embodiments of the invention that not only the TMSI but also the IMSI is available.

If the to-be-identified user end device transmits, at identification to the simulator, only the TMSI (Temporary Mobile Subscriber Identity) as the identification parameter, then the authentication procedure can begin. If the to-be-identified user end device however expects an authentication procedure, then it is proposed according to the further advantageous embodiment of the invention that after the registration of the user end device with the simulator
- an authentication procedure is commenced;
- the to-be-identified user end device rejects the authentication procedure as erroneous;
- the simulator again begins an identification procedure in the course of which the simulator asks the to-be-identified user end device for its IMSI (International Mobile Subscriber Identity) or IMEI (International Mobile Equipment Identity); and
- the simulator receives the IMSI or the IMEI of the to-be-identified user end device.

According to this further embodiment initially an authentication procedure is started. However because the simulator, and/or the new base station, cannot identify themselves as being part of the simulator (which is required however in UMTS networks), the to-be-identified user end device rejects the authentication procedure as erroneous, for example on the basis of a MAC error. Thus the simulator begins the identification procedure, through which the impression is simulated to the to-be-identified user end device that the new base station (which is in fact a part of the simulator itself) requires, for identification purposes, the identification parameters (e.g. IMSI or IMEI) of the to-be-identified user end device.
Thereafter the user end device transmits its IMSI or IMEI to the simulator, on the basis of which a clear identification of the user end device is possible.

According to a preferred embodiment of the invention, it is proposed that
- the attempt to register with the simulator by the user end device to be identified, after the user end device has recognized the simulator as a new base station, be rejected or the connection between the user end device and the new base station be interrupted and/or disrupted by some other means; and
- on the basis of a protocol to be used in the mobile radio network for the transmission of data the user end device be compelled to automatically register at another base station of another radio cell of another mobile radio network for the transmission of data according to another protocol.

As an advantage the to-be-identified user end device is forced upon rejection of the registration attempt into the mobile radio network to automatically register with a base station of a GSM (Global System for Mobile Communication) radio cell. Primarily the telephone conversations held over the identified user end device and the GSM radio cell are listened to with the aid of common listening methods for GSM mobile radio networks.

Upon successful identification of the user end device, the user end device may thus be pointed to a conventional GSM mobile radio network. This can take place for example through defined information elements (IE), through interference (so-called jamming) of the UMTS connection, or through other suitable means. Upon a disruption or interference of the UMTS connection, the user end device is directed to create a connection over an alternative mobile radio network, particularly over the GSM network, on the basis of the protocol used for the data transmission in the mobile radio network. This takes place for example in the context of a so-called "Cell Reselection" procedure.
Following the development of the connection to the GSM network, the entire conversation process in the user end device may proceed in the usual manner according to the GSM standard. In order to listen to the conversations, usual processes may be applied such as for example those that are known from DE 199 20 222 A1. Reference is specifically made to this document in regard to the known methods for listening in on a user end device in a GSM network. In this respect the content of this document is incorporated herein by reference.

According to another advantageous embodiment of the present invention it is proposed that following the identification of the user end device
- by means of a monitor user end device the determined identification parameters and the security capabilities of the identified user end device be transmitted to a real base station of the mobile radio network;
- the real base station sends back RAND (random number) and AUTN (authentication token) to the monitor user end device;
- the simulator interrupts the connection to the real base station of the mobile radio network;
- the simulator is operated as another base station of another radio cell of a GSM mobile radio network and builds a connection to the identified device;
- an authentication procedure is initiated between the identified user end device and the simulator; and
- where the authentication procedure is successfully terminated, the simulator causes the identified user end device not to use encryption in the subsequent data transmission.

The simulator may establish, upon interruption of the connection to the real base station of the mobile radio network, another connection to the identified user end device over a base station of a GSM (Global System for Mobile Communication) radio cell.

The monitor user end device is a preferred part of the simulator.
The RAND and AUTN number sets that the simulator may obtain from a real base station of the mobile radio network may involve parameters that are required in UMTS for the authentication of a base station in relation to a user end device. The monitor user end device typically simulates a real base station, in other words a desired connection, and causes the real base station to thus transmit RAND and AUTN to the simulator. From the point of view of the real base station, the simulator is a real user end device. In this embodiment it is only possible with the assistance of the RAND and AUTN parameters to establish a conversation connection between a base station and an identified user end device that is to be listened to.

The establishment of a connection to the user end device that is to be listened to may proceed on the basis of a simulated GSM base station of a GSM radio cell of a GSM mobile radio network. The simulated GSM base station is preferably part of the simulator. Following successful authentication, the simulated GSM base station sends security parameters to the user end device that is to be listened to. The security parameters may encompass, among other things, a command to the user end device to operate without encryption (the so-called "No Encryption" parameter); that is, to transmit non-encrypted data.

The proposed concept according to this embodiment works with two different mobile radio networks, namely the UMTS and the GSM networks. For this reason, the user end device to be listened to must be a Multi-Radio-Mode user end device which supports several differing mobile radio networks, namely UMTS and GSM networks. The concept encompasses a simulated UMTS base station and a monitor user end device.
The delay periods between the access to the authentication parameters and the suppression of the encryption should be as short as possible in order to prevent the real UMTS network from sending new RAND and AUTN prior to the encryption suppression. The delay periods should be in the realm of a few seconds, maximally within a minute.

The present invention provides in a second aspect a simulator characterized by
- a measurement system for obtaining, from base stations located in the spatial proximity, parameters relevant for the transfer of data to the simulator;
- means of operating the simulator as a new base station while taking into consideration the obtained parameters, however with a different Location Area Code (LAC); and
- means for identifying the user end device on the basis of transmitted identification parameters.

As a preferred method the measurement system is designed as a monitor user end device.

According to a preferred embodiment of the present invention it is proposed that the simulator feature means for the execution of the processes according to the invention.
The present invention provides in a third aspect a simulator, arranged in spatial proximity to a to-be-identified mobile user end device, for the identification of the mobile user end device in a digital cellular mobile radio network, through which data are transmitted according to a first protocol, comprising:
- a measurement system for the determination of the relevant parameters for the data transmission of base stations of the mobile radio network in spatial proximity to the simulator;
- means for operating the simulator as a new base station in the mobile radio network subject to the determined parameters;
- means for receiving identification parameters of the to-be-identified user end device during the registration of the user end device with the simulator, whereby
- an authentication procedure is started, the to-be-identified user end device rejects the authentication procedure as erroneous, the simulator starts an identification procedure during which the simulator calls the to-be-identified user end device for its identification parameters and the simulator receives the identification parameters of the to-be-identified user end device; and
- means for the identification of the user end device within the field (realm) of the first protocol on the basis of the transmitted identification parameters.
The present invention provides in a fourth aspect a process to execute a perceptual or manipulative access to a mobile user end device in a digital cellular mobile radio network through which data are transmitted according to a first protocol, comprising the following steps:
- providing a simulator within the digital cellular mobile radio network, the simulator being operated as a new base station and arranged so that a registration of the to-be-identified user end device is enabled;
- the user end device is identified by determination of the IMSI (International Mobile Subscriber Identity) contained on a SIM (Subscriber Identity Module) card or of an IMEI (International Mobile Equipment Identity) assigned to the user end device,
- whereby the entire identification occurs within the range of the digital cellular network in which the data are transmitted according to the first protocol, and
- the mobile user end device, upon the identification of the mobile user end device, is directed toward processing the perceptual or manipulative access in a different mobile radio network by transmission of the data according to a second protocol.

The present invention provides in a fifth aspect a process for the execution of perceptual or manipulative access to a mobile user end device in a digital cellular mobile radio network through which data are transferred according to a primary protocol. The perceptual or manipulative access to the user end device comprises an interception, a determination of bearings and a locating of the user end device. What is proposed is that the end device is initially identified by some process in which it is located using an IMSI (International Mobile Subscriber Identity) contained on a SIM (Subscriber Identity Module) card or by an IMEI (International Mobile Equipment Identity) assigned to the user end device.
The entire identification of the user end device occurs within the environment of the digital cellular mobile radio network through which the data are transferred according to the first protocol (for example UMTS protocol). The identification begins with the operation of the UTRAN simulator within the mobile radio network as a virtual base station so that the to-be-identified user end device registers there, and it ends with the determination of IMEI and/or IMSI. Thereafter the identified user end device is redirected, for the execution of the perceptual or manipulative accesses, to another mobile radio network through which data are transferred according to a second protocol (for example, GSM protocol). In this manner generally known processes can be relied on for the interception, determination of bearings or locating of the identified user end device. Without limitation to functionality, the perceptual or manipulative access to the user end device can rely on existing mechanisms and tools.

Preferably the perceptual or manipulative access to the mobile user end device comprises a determination of bearings or a locating of the user end device. This takes place for example when information relating to the user end device, and especially information by which the position of the user end device can be determined, is transmitted to the UTRAN simulator. This information is preferably values for the field strengths with which the user end device receives signals from visible base stations of the mobile radio network. By recognizing the network topology, especially the position of the base stations, the bearings of the user end device can be determined and/or it can be located. While the determination of bearings solely comprises the determination of the user end device's direction, the locating shall also consist of a determination of the distance to the end device.
Alternatively or additionally, information that is obtained via a satellite-based positioning system (for example, Global Positioning System, GPS) relating to the position of the user end device can be transmitted from the user end device to the UTRAN simulator. This GPS information can be utilized on its own to locate the user end device or it can be used to correct the position of the user end device established via the field strengths and the strengths of the received signals.

The present invention provides in a fifth aspect a process to execute the perceptual or manipulative access to a mobile user end device in a digital cellular mobile radio network through which data are transmitted according to a first protocol, comprising the following steps:
- the user end device is identified by determination of the IMSI (International Mobile Subscriber Identity) contained on a SIM (Subscriber Identity Module) card or of an IMEI (International Mobile Equipment Identity) assigned to the user end device,
- whereby the entire identification occurs within the range of the digital cellular network in which the data are transmitted according to the first protocol, and
- the mobile user end device, upon the identification of the mobile user end device, is directed toward processing the gathering or manipulating of access in a different mobile radio network by transmission of the data according to a second protocol.

A preferred design example for the invention is more closely shown in the following discussion with reference to the figures.
They show:

Figure 1: a simulator according to an embodiment of the invention for the identification of a mobile user end device in a digital cellular mobile radio network according to a preferred design form;

Figure 2: a depiction of a UMTS radio cell with differing Location Area Codes;

Figure 3: a flow chart of a process according to an embodiment of the invention for the identification of a user end device according to a primary design form;

Figure 4: a flow chart of a process according to an embodiment of the invention for the identification of a user end device according to a second design form; and

Figure 5: a flow chart of a process according to an embodiment of the invention for listening to a user end device according to the preferred design form.

Security forces have, among other matters, the assignment to solve crimes that have already taken place and/or to prevent crimes from occurring. An important aspect in fulfilling these assignments is the ability in specific well-grounded situations to identify a suspect on the basis of mobile telephone use and to listen in on, record, and evaluate conversations that the person holds over the mobile telephone.

There are various mobile radio networks for the transmission of data. Very widely used in terms of network coverage as well as in terms of the number of mobile user end devices in use are GSM (Global System for Mobile Communications) mobile radio networks. For the past several years UMTS (Universal Mobile Telecommunications System) mobile radio networks have become more available and increasingly used. Both standards differ for example in authentication, integrity protection, and encryption. A further difference is that in UMTS a so-called Code Division Multiple Access (CDMA) process is employed while in GSM a combination of Frequency Division Multiple Access and Time Division Multiple Access (FDMA/TDMA) processes is relied upon.
On the basis of these significant differences, the processes and devices used for the identification of and listening to a mobile user end device cannot be carried over to the UMTS networks.

Embodiments of the present invention propose for the first time a process through which the on-site identification of, and listening to, user end devices belonging to suspects is possible even in UMTS mobile radio networks.

A device for executing the process according to the invention is shown in Figure 1. The device appropriate to the invention is a so-called UTRAN (UMTS Terrestrial Radio Access Network) simulator. The simulator 1 includes a simulated UMTS base station 2, which is designated as NodeB, and a simulated monitor user end device 3, which works according to the UMTS standard and is designated as Monitor UE (User Equipment). In addition the simulator 1 includes an RNC (Radio Network Controller) functionality 4. Between the simulated NodeB 2 and the RNC functionality 4, a so-called Iub interface 5 is provided. In addition, a directing and service calculator 10 is provided which directs the steps of the process according to embodiments of the invention.

In addition, the simulator 1 includes a simulated GSM base station 12, which is designated as a base station (BS), and a simulated GSM end station 13, which works according to the GSM standard. The simulated UMTS user end device 3 and the simulated GSM user end device 13 can be incorporated into a single unit. This is easily possible because UMTS user end devices normally include a GSM functionality in order to ensure a secure and reliable connection in areas with insufficient UMTS coverage. In any case the simulator 1 includes a BSC (Base Station Controller) functionality 14. Between the simulated BS 12 and the BSC functionality, an interface 15 is provided.
In addition an external measurement system 11 is provided which measures the parameters relevant for UMTS of the base stations in the vicinity of simulator 1. Naturally the measurement system 11 can also be integrated into the simulator 1. A UMTS monitor user end device 3 is preferably used as the measurement system 11 so that no additional measurement systems are required. The measurement system 3 and/or 11 establishes an overview of the cellular UMTS environment which is then transmitted to the UTRAN simulator 1.

The simulator 1 is engaged for the implementation of the process in a real UMTS environment which includes a real base station (NodeB) 6 and a real user end device (UE) 7. Naturally there can be more base stations in the UMTS environment than the illustrated base station 6 and more user end devices than the illustrated user end device 7. The user end device 7 is the user end device to be identified and possibly to be listened to, and is designated as the Target-UE. An optional UMTS user end device becomes, according to the terminology used herein, a Target-UE 7 when it is registered (also partially) or has been booked in the UTRAN simulator 1. Between the real user end device 7 and the simulated NodeB 2, a Uu air interface 8 is provided. Between the simulated end device 3 and the real NodeB 6 a further air interface 9 is provided.

In Figure 2 a cellular UMTS mobile radio network is represented that comprises many radio cells 120-128, 130-133. Some of the radio cells 120-128 belong to a first so-called Location Area whereby all radio cells are attributed to the same Location Area Code (LAC) (for example LAC=1000). Other radio cells 130-133 belong to a second Location Area whereby all radio cells 130-133 are attributed to the same Location Area Code (for example LAC'=2000) which differs from the first Location Area Code.
Base stations (NodeBs) cover one or more of the radio cells (120-128), 130-133. The base stations are however not shown in order to preserve the clear arrangement of 35 Figure 2. Figure 3 shows a flow chart of the process according to an 22176301 (GHMatters) 30/03/10 - 19 embodiment of the invention for the identification of the end device 7. The process begins in a function block 20. ThE simulator 1 is attributed to the spatially near to the to be identified UMTS user end device 7 in a UMTS network 5 (function block 21). The UTRAN simulator is operated in one of the geographic radio cells 120-128, 130-133 in which the base station is booked on the to be identified user end device 7. It is possible that the user end device 7 is booked together with other user end devices on the 10 base station. With the measurement system 3, 11; the base stations surrounding the simulator 1 with parameters relevant to UMTS are measured in a function block 22 and /or captured by some other method and transmitted to the simulator 1. These parameters include for example so 15 called Scrambling Codes of the radio cells 120-128, 130 133, the transmission power of the base stations, the identification parameters of NodeBs, and systems information. 20 In a function block 23, the UTRAN simulator 1 sends on its part system information in the same frequency band as the neighboring base stations but with higher transmission power so that the user end devices located spatially near to the simulator 1 (and thereby also the to be identified 25 user end device 7) are recognized by the simulator 1 as new (simulated) base stations. Furthermore the simulator 1 transmits with a different Location Area Code (for example LAC=3000) so that the spatially near to the simulator 1 located user end devices (and thereby also the to be 30 identified user end device 7) obtain the impression that they have moved spatially into a new area with a new LAC. 
The LAC of the simulated base station 2 is selected in such a manner that it is not used by the regular base stations 6 in the vicinity of the simulator 1. 35 A so called location update procedure is initiated thereby in these user end devices (and thus also in the to be 22176301 (GHMatters) 30103/10 - 20 identified user end device 7) within the scope of which the user end devices register with their identification parameters at the simulated base station 2 (function block 24). The identification parameters include for example a 5 IMSI (International Mobile Subscriber Identity), a TMSI (Temporary Mobile Subscriber Identity) and / or an IMEI (International Mobile Subscriber Identity). On the basis of these identification parameters the identification of the user end device 7 thus takes place in function block 10 25, The process for the identification of the user end device 7 ends in a function block 26. The simulated spatial region with a new LAC is shown in a figure 2 via reference indicator 140. is The actual name and the personal data of the user end device 7 user are registered with the operator (so called provider) of the mobile radio network and can be accessed there possibly in the scope of an official investigation or through other methods. Only the provider has at its 20 disposal the so called Cross-Reference lists which enable the attribution of the IMSI to a user and / or of the IMSI to a call number. The TMSI is - as the name already indicates - only temporary in nature and permits thus no clear attribution of a specific user or a specific call 25 number. For this reason it is important that the ISI of the IMEI and not the TMSI be present. 
In the event the to be identified user end device 7 is transmitted upon registration with simulator 1 in function 30 block 24 only with the TMSI (Temporary Mobile Subscriber Identity) as an identification parameter and waits for an authentication procedure, the invention can be supplemented according to the process flow chart in Figure 4 such that subsequent to the registration of the user end 35 device 7 with the simulator 1 in a function block 27 the authentication procedure is started. However because the simulator 1 and/or the simulated base station 2 cannot 22176301 (GHMatters) 30/03/10 - 21 identify itself as part of the simulator 1 in relation to user end device 7 (which is actually not required in UMTS networks), the to be identified user end device 7 rejects in a function block 28 the authentication procedure for 5 example on the basis of a MAC error. Thus the simulator 1 starts on its part in a function block 29 an identification procedure whereby the to be identified user end device received a simulated impression 7 that simulated base station 2 requires the IMSI of the to be 10 identified user end device 7 for reasons of identification. Thereupon the user end device 7 transmits in a function block 30 its IMSI to the simulator 1 on the basis of which the clear identification of the user end device 7 is possible within the function block 25. The 15 process ends in function block 26. Subsequent to the identification of the target user end device 7 according to the processes in figure 3 and figure 4, conversations received on or sent from the user end 20 device 7 can be listened to by various methods. According to a first embodiment the flow chart of which is illustrated in Figure 5, the process to listen in on the user end device 7 begins in a function block 40. In a function block 41 the identification of the user end 25 device 7 takes place. The block 41 thus includes all process steps 20 to 26 of Figure 3 and/or 20 to 30 of Figure 4. 
Thereupon the Location Update procedures of the user end device 7 are rejected by the simulator 1 and/or the simulated base station 2 in a function block 42. 30 At this point the user end device 7 registers in a function block 43 according to a so called Cell Reselection procedure over the simulated GSM base station 12 in a GSM radio cell of a GSM network. UMTS user end 35 devices must also be able according to their standard to be used in a GSM network. The rejection of a target user end device 7 by the UMTS network in the GSM network can 22176301 (GHMatters) 30/03/10 - 22 take place by various methods. Thus the rejection can occur for example through a command (a predetermined information) which is transmitted over a so called BCCH (Broadcast Control Channel). Alternatively the rejection s can also take place through optional information which is transmitted over the so called FACH (Forward Access Channel) or the so called DCCH (Dedicated Control Channel). The UTRAN simulator that is located in the UMTS user end devices contain this command (this information) 10 and book themselves into an existing GSM network. One can imagine that the connection to the UMTS network can be restricted by other means for example through disruption (so called jamming) and can in the end be terminated. 15 Al. conversations that are received or sent over the target user end device 7 are now no longer carried over the UMTS network but over the GSM network. More specifically the conversations are carried over the simulated GSM base station 12, the simulated GSM user end 20 device 13, and further to a real GSM base station 16. In a function block 44 the conversations can be listened to over a target user end device 7 in the GSM environment as it has been disclosed for example in DE 199 20 222 Al. The process then ends in a function block 45. 
25 Naturally it is also possible to listen in to the conversations held over the target user end device 7 but also to perform already the identification of the user end device 7 in the GSM environment with conventional means. 30 Thus even before the Location Update procedure is ended, it is diverted from the UMTS network to the GSM network and its IMSI and IMEI identity parameters are captured there in the GSM environment by means of known processes. Furthermore at that point a further manipulation of the 35 target user end device 7 is possible. It is also possible according to embodiments of the 22176301 (GHMatters) 30103/10 - 23 present invention to listen to conversations held over the target user end device 7 through a so called Quasi Transparent process. For this it is required that the simulator 1 initially obtain security information from the 5 real UMTS base station 6 and then build with this information a connection between a simulated GSM base station 12 and the user end device 7. In addition, with the aid of the identification parameters of the end user device 7 obtained prior thereto in the context of the 10 identification, a connection needs to be built from the GSM user end device 13 to the real GSM base station 16. Conversations from or to the target user end device 7 are now no longer held directly to the real base station 6 and / or 16, but only indirectly over the UTRAN simulator 1. 15 The listened to conversations can be recorded in full or in part in simulator 1 for example for later evaluation or evidentiary requirements. Furthermore the conversations are mandatorily directed over the GSM network and not over the UMTS network even if sufficient UMTS coverage exists. 20 In the claims which follow and in the preceding description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as 25 "comprises" or "comprising" is used in an inclusive sense, i.e. 
to specify the presence of the stated features but no: to preclude the presence or addition of further features in various embodiments of the invention. 30 It is to be understood that, if any prior art publication is referred to herein, such reference does not constitute an admission that the publication forms a part of the common general knowledge in the art, in Australia or any otier country. 35 22176301 (GHMatters) 30/03/10
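The steps described for Figures 3 to 5 leave a recognisable pattern on the handset side: a cell with a previously unseen Location Area Code at markedly higher power, a request for a permanent identity directly after a rejected authentication, and a rejected location update followed by reselection to GSM, where claim 12 adds that encryption is then not used. The following detection sketch is an added example and not part of the patent; the event field names, rule names, thresholds and both sample traces are constructed assumptions for a hypothetical UE-side diagnostic feed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample trace (not capture data); field names are hypothetical.
SAMPLE_TRACE = [
    {"t": 0, "type": "cell_info", "rat": "UMTS", "lac": 1000, "rscp_dbm": -92},
    {"t": 5, "type": "cell_info", "rat": "UMTS", "lac": 1000, "rscp_dbm": -95},
    {"t": 9, "type": "cell_info", "rat": "UMTS", "lac": 3000, "rscp_dbm": -61},
    {"t": 10, "type": "location_update_request", "lac": 3000, "identity": "TMSI"},
    {"t": 11, "type": "auth_request"},
    {"t": 12, "type": "auth_failure", "cause": "MAC failure"},
    {"t": 13, "type": "identity_request", "identity": "IMSI"},
    {"t": 14, "type": "identity_response", "identity": "IMSI"},
    {"t": 15, "type": "location_update_reject"},
    {"t": 17, "type": "cell_reselection", "rat": "GSM"},
    {"t": 20, "type": "cipher_mode", "rat": "GSM", "algorithm": "A5/0"},
]

# Constructed benign trace: an ordinary move into a neighbouring Location Area.
BENIGN_TRACE = [
    {"t": 0, "type": "cell_info", "rat": "UMTS", "lac": 1000, "rscp_dbm": -90},
    {"t": 30, "type": "cell_info", "rat": "UMTS", "lac": 2000, "rscp_dbm": -88},
    {"t": 31, "type": "location_update_request", "lac": 2000, "identity": "TMSI"},
    {"t": 32, "type": "auth_request"},
    {"t": 33, "type": "auth_response"},
    {"t": 34, "type": "location_update_accept"},
]


@dataclass
class Detector:
    power_margin_db: float = 15.0  # assumed threshold, tune per deployment
    window_s: float = 10.0         # assumed max gap between linked events
    known_lacs: set = field(default_factory=set)
    strongest_known: float = float("-inf")
    mac_failure_at: Optional[float] = None
    reject_at: Optional[float] = None
    forced_gsm: bool = False
    findings: list = field(default_factory=list)

    def _recent(self, since, now):
        return since is not None and now - since <= self.window_s

    def feed(self, ev):
        t, kind = ev["t"], ev["type"]
        if kind == "cell_info" and ev["rat"] == "UMTS":
            # Function block 23: unused LAC combined with higher power.
            new_lac = bool(self.known_lacs) and ev["lac"] not in self.known_lacs
            louder = ev["rscp_dbm"] >= self.strongest_known + self.power_margin_db
            if new_lac and louder:
                self.findings.append((t, "NEW_LAC_HIGH_POWER"))
            else:  # only learn from cells that were not flagged
                self.known_lacs.add(ev["lac"])
                self.strongest_known = max(self.strongest_known, ev["rscp_dbm"])
        elif kind == "auth_failure" and ev.get("cause") == "MAC failure":
            self.mac_failure_at = t  # function block 28
        elif kind == "identity_request" and ev.get("identity") in ("IMSI", "IMEI"):
            # Function blocks 29-30: permanent identity asked after the failure.
            if self._recent(self.mac_failure_at, t):
                self.findings.append((t, "PERMANENT_ID_REQUEST_AFTER_MAC_FAILURE"))
        elif kind == "location_update_reject":
            self.reject_at = t  # function block 42
        elif kind == "cell_reselection" and ev.get("rat") == "GSM":
            # Function block 43: reselection to GSM right after the reject.
            if self._recent(self.reject_at, t):
                self.forced_gsm = True
                self.findings.append((t, "REJECT_THEN_GSM_RESELECTION"))
        elif kind == "cipher_mode" and ev.get("algorithm") == "A5/0":
            # A5/0 is the GSM "no ciphering" mode (claim 12, last step).
            if self.forced_gsm:
                self.findings.append((t, "UNCIPHERED_GSM_AFTER_FORCED_FALLBACK"))


def analyze(trace):
    """Return the names of the rules that fired, in time order."""
    det = Detector()
    for ev in sorted(trace, key=lambda e: e["t"]):
        det.feed(ev)
    return [rule for _, rule in det.findings]


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze(trace))
```

Each rule alone can fire on a legitimate network event, so the rules are meant to be weighed together rather than treated as individual alarms.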
Claims (23)
1. Process for the identification of a mobile user end device in a digital cellular mobile radio network, through which data are transmitted according to a first protocol, comprising the following steps executed within the range (realm) of the first protocol:
- a simulator is arranged in proximity to the to be identified user end device;
- from a measurement system relevant parameters for data transmissions by mobile radio network base stations in proximity to the simulator are determined and transferred to the simulator;
- subject to the determined parameters, the simulator is operated as a new base station;
- the to be identified user end device recognizes the simulator as a new base station, the simulator being arranged so that a registration of the to be identified user end device is enabled, at which point
- an authentication procedure is started, the to be identified user end device rejects the authentication procedure as erroneous, the simulator starts an identification procedure during which the simulator requests the to be identified user end device for its identification parameters and the simulator receives the identification parameters of the to be identified user end device; and
- the user end device is identified within the range (realm) of the first protocol on the basis of the transmitted identification parameters.

2. Process according to claim 1, wherein the registration of the to be identified user end device is rejected at the simulator after the identification procedure or the connection between the user end device and the new base station is interrupted or disrupted by other means, the user end device is forced to automatically register with another base station of another radio cell of an alternative mobile radio network through which the data are transmitted according to a second protocol that differs from the first protocol, the to be identified user end device transmits its identification parameters within the range (realm) of the second protocol in the context of a registration with the alternative mobile radio network, and the simulator receives the identification parameters of the user end device.

3. Process according to claim 2, wherein after identification of the user end device it is denied to the alternative mobile radio network, through which the data are transmitted according to a second protocol that differs from the first protocol, for the purpose of an interception, a determination of bearings, and/or a locating.

4. Process according to claim 1, wherein a UMTS protocol is used as the first protocol in the mobile radio network.

5. Process according to claim 1, wherein a GSM protocol is used as the second protocol in the alternative mobile radio network.

6. Process according to claim 1, wherein the measurement system determines Scrambling Codes, operating frequencies, or transmission strengths used by surrounding base stations to be the relevant parameters for data transmission.

7. Process according to claim 1, wherein the to be identified user end device transmits upon registration with the simulator or in the context of the identification procedure at least one of the following identification parameters to the simulator: IMSI, TMSI, P-TMSI and IMEI.

8. Process according to claim 7, comprising the following steps, if the to be identified user end device transmits upon registration with the simulator solely the TMSI as the identification parameter:
- an identification procedure is started and upon rejection by the to be identified user end device;
- an authentication procedure is started;
- the to be identified user end device rejects the authentication procedure as erroneous;
- the simulator starts again an identification procedure during the course of which the simulator calls for the to be identified user end device's IMSI or IMEI; and
- the simulator receives the IMSI or the IMEI of the to be identified user end device.

9. Process according to claim 1, characterised in that the simulator transmits in the same frequency band yet at a higher performance than the base stations in the proximity of the simulator.

10. Process according to claim 1, characterised in that the simulator is operated in the same or in a spatially proximately located geographical radio cell, in the base station of which the to be identified user end device was originally registered (booked in).

11. Process according to claim 1, wherein the to be identified user end device is fooled by the presence of the simulator operating as the new base station, simulating a movement of the user end device into a new spatial field that is assigned another Location Area Code and, on the basis of the first protocol that is used in the mobile radio network for the transmission of data, and as a result of the first protocol that is used in the mobile radio network for the transmission of data, the user end device is forced to automatically register with the simulator.

12. Process according to claim 1, comprising the following steps:
- a monitor user end device transmits the determined identification parameters of the identified user end device and its security capability to a real base station of the mobile radio network;
- the real base station sends back to the monitor user end device a random number and an authentication token;
- the simulator interrupts the connection to the real base station of the mobile radio network;
- the simulator is operated as a different base station of another radio cell of a GSM mobile radio network and builds a different connection to the identified user end device;
- an authentication procedure is started between the identified user end device and the simulator; and
- provided the authentication procedure ends successfully, the simulator causes the identified user end device not to use any encryption during the subsequent data transmission.

13. A simulator, arranged in spatial proximity to a to be identified mobile user end device, for the identification of the mobile user end device in a digital cellular mobile radio network, through which data are transmitted according to a first protocol, comprising:
- a measurement system for the determination of the relevant parameters for the data transmission of base stations of the mobile radio network in spatial proximity to the simulator;
- means for operating the simulator as a new base station in the mobile radio network subject to the determined parameters;
- means for receiving identification parameters of the to be identified user end device during registration of the user end device with the simulator, whereby
- an authentication procedure is started, the to be identified user end device rejects the authentication procedure as erroneous, the simulator starts an identification procedure during which the simulator calls the to be identified user end device for its identification parameters and the simulator receives the identification parameters of the to be identified user end device; and
- means for the identification of the user end device within the field (realm) of the first protocol on the basis of the transmitted identification parameters.

14. Simulator according to claim 13, wherein the simulator comprises means to reject the registration attempt of the to be identified user end device with the simulator after the identification procedure or to interrupt or to disrupt the connection between the user end device and the new base station in a different manner, whereby the user end device is accordingly forced to transmit for an automatic registration at another base station of another radio cell of an alternative mobile radio network through which data are transmitted according to a second protocol that differs from the first protocol, the to be identified user end device transmits its identification parameters within the field (realm) of the second protocol in the course of the registration with the alternative mobile radio network, and the simulator comprises means for receiving the identification parameters of the to be identified user end device.

15. Process to execute a perceptual or manipulative access to a mobile user end device in a digital cellular mobile radio network through which data are transmitted according to a first protocol, comprising the following steps:
- providing a simulator within the digital cellular mobile radio network, the simulator being operated as a new base station and arranged so that a registration of the to be identified user end device is enabled;
- the user end device is identified by determination of the IMSI (International Mobile Subscriber Identity) contained on a SIM (Subscriber Identity Module) card or of an IMEI (International Mobile Equipment Identity) assigned to the user end device,
- whereby the entire identification occurs within the range of the digital cellular network in which the data are transmitted according to the first protocol, and
- the mobile user end device, upon the identification of the mobile user end device, is directed toward processing the perceptual or manipulative access in a different mobile radio network by transmission of the data according to a second protocol.

16. Process according to claim 15, wherein the first protocol is a Universal Mobile Telecommunications System (UMTS) protocol.

17. Process according to claim 15, wherein the first protocol is a Global System for Mobile Communications (GSM) protocol.

18. Process according to claim 15, wherein the perceptual and manipulative access to the mobile user end device comprises a determination of the bearings or a locating of the user end device.

19. Process according to claim 15, wherein the perceptual and manipulative access to the user end device comprises a transmission of information relating to the user end device.

20. Process according to claim 19, wherein information relating to the actual position of the user end device is transmitted within the realm of the information transmission.

21. Process according to claim 20, wherein values for the field strengths are transmitted by which the user end device receives signals from visible base stations belonging to the mobile radio network.

22. Process according to claim 20, wherein information relating to the position of the user end device is transmitted by means of a satellite based positioning system.

23. A process or simulator substantially as herein described with reference to the drawings.

22176301 (GHMatters) 18/10/10
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2012209008A AU2012209008B2 (en) | 2005-08-23 | 2012-07-31 | Process and device to identify a mobile user in a digital cellular mobile radio |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102005040002.7 | 2005-08-23 | ||
PCT/EP2006/004747 WO2007022811A1 (en) | 2005-08-23 | 2006-05-19 | Method and device for identifying a mobile terminal in a digital cellular mobile radio network |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2006/004747 Division WO2007022811A1 (en) | 2005-08-23 | 2006-05-19 | Method and device for identifying a mobile terminal in a digital cellular mobile radio network |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
AU2012209008A Division AU2012209008B2 (en) | 2005-08-23 | 2012-07-31 | Process and device to identify a mobile user in a digital cellular mobile radio |
Publications (2)
Publication Number | Publication Date |
---|---|
AU2008200801A1 AU2008200801A1 (en) | 2008-03-13 |
AU2008200801B2 AU2008200801B2 (en) | 2010-11-25 |
Family
ID=39244044
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
AU2008200801A Withdrawn - After Issue AU2008200801B2 (en) | 2005-08-23 | 2008-02-20 | Process and device to identify a mobile user in a digital cellular mobile radio network |
Country Status (1)
Country | Link |
---|---|
AU (1) | AU2008200801B2 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2012209008B2 (en) * | 2005-08-23 | 2015-11-26 | Thales Defence Deutschland Gmbh | Process and device to identify a mobile user in a digital cellular mobile radio |
US8737965B2 (en) | 2007-05-07 | 2014-05-27 | Battelle Energy Alliance, Llc | Wireless device monitoring systems and monitoring devices, and associated methods |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19920222A1 (en) * | 1999-05-03 | 2000-11-09 | Rohde & Schwarz | Method for identifying the user of a mobile phone or for listening to outgoing calls |
WO2005011318A1 (en) * | 2003-07-24 | 2005-02-03 | Siemens Aktiengesellschaft | Method for controlling the check-in of a mobile station of a radio communication system in a radio cell of a virtual base station and said virtual base station |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19920222A1 (en) * | 1999-05-03 | 2000-11-09 | Rohde & Schwarz | Method for identifying the user of a mobile phone or for listening to outgoing calls |
WO2005011318A1 (en) * | 2003-07-24 | 2005-02-03 | Siemens Aktiengesellschaft | Method for controlling the check-in of a mobile station of a radio communication system in a radio cell of a virtual base station and said virtual base station |
Non-Patent Citations (1)
Title |
---|
3GPP TS 33.108 version 6.8.2 Release 6, 24 January 2005 * |
Also Published As
Publication number | Publication date |
---|---|
AU2008200801A1 (en) | 2008-03-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2619998C (en) | Method and device for identifying a mobile terminal in a digital cellular mobile radio network | |
Jover | LTE security, protocol exploits and location tracking experimentation with low-cost software radio | |
EP1908319B1 (en) | Acquiring identity parameters by emulating base stations | |
US9788196B2 (en) | Systems and methods for identifying rogue base stations | |
Golde et al. | Let me answer that for you: Exploiting broadcast information in cellular networks | |
US20070115886A1 (en) | Method of verifying integrity of an access point on a wireless network | |
US20080020749A1 (en) | Method Of Controlling And Analysing Communications In A Telephone Network | |
EP1995985A1 (en) | Method, measuring system, base station, network element and measuring device | |
Song et al. | Fake bts attacks of gsm system on software radio platform | |
US20100113025A1 (en) | Method and apparatus for forcing inter-rat handover | |
KR101822575B1 (en) | System and method for locating a cellular communication device | |
Hadžialić et al. | An approach to analyze security of GSM network | |
CN104270762A (en) | Method for detecting false station in GSM and LTE network | |
AU2008200801B2 (en) | Process and device to identify a mobile user in a digital cellular mobile radio network | |
AU2012209008B2 (en) | Process and device to identify a mobile user in a digital cellular mobile radio | |
US20090023424A1 (en) | Acquiring identity parameter | |
Li et al. | The dark side of scale: Insecurity of direct-to-cell satellite mega-constellations | |
Ziayi et al. | YAICD: Yet another IMSI catcher detector in GSM | |
CA2645313A1 (en) | Method and device for identifying a mobile terminal in a digital cellular mobile radio network | |
Park | Why we cannot win: on fake base stations and their detection methods | |
Lee et al. | Securing the wireless emergency alerts system | |
Aggrawal et al. | Analysis of GSM air interface using DVB-T receiver and GNU radio | |
Ziayi et al. | Research Article YAICD: Yet Another IMSI Catcher Detector in GSM | |
Oh et al. | Enabling Uncooperative Physical Localization in Cellular Networks | |
Abdelrazek et al. | User privacy in legacy mobile network protocols |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | CB | Opposition filed | Opponent name: ROHDE & SCHWARZ GMBH & CO. KG |
 | CFC | Opposition proceedings - application withdrawn | Opponent name: ROHDE & SCHWARZ GMBH & CO. KG |
 | MK12 | Application lapsed section 141(1)/reg 8.3(2) - applicant filed a written notice of withdrawal | |