WO2007027699A2 - Procedes d'identification, de suppression, de desactivation et de filtrage d'acces a distance de dispositifs sans fil d'interet a l'aide de recepteurs de temporisation et d'interception des signaux permettant de reduire la puissance, de minimiser la detection, et de minimiser les interferences collaterales - Google Patents

Procedes d'identification, de suppression, de desactivation et de filtrage d'acces a distance de dispositifs sans fil d'interet a l'aide de recepteurs de temporisation et d'interception des signaux permettant de reduire la puissance, de minimiser la detection, et de minimiser les interferences collaterales Download PDF

Info

Publication number
WO2007027699A2
WO2007027699A2 PCT/US2006/033738 US2006033738W WO2007027699A2 WO 2007027699 A2 WO2007027699 A2 WO 2007027699A2 US 2006033738 W US2006033738 W US 2006033738W WO 2007027699 A2 WO2007027699 A2 WO 2007027699A2
Authority
WO
WIPO (PCT)
Prior art keywords
wireless device
beacon
channel
wireless
attack
Prior art date
Application number
PCT/US2006/033738
Other languages
English (en)
Other versions
WO2007027699A3 (fr
Inventor
James D. Haverty
Original Assignee
Comhouse Wireless, Lp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from PCT/US2006/030159 external-priority patent/WO2007016641A2/fr
Application filed by Comhouse Wireless, Lp filed Critical Comhouse Wireless, Lp
Priority to US12/065,225 priority Critical patent/US20090311963A1/en
Priority to PCT/US2007/063493 priority patent/WO2007106694A2/fr
Publication of WO2007027699A2 publication Critical patent/WO2007027699A2/fr
Publication of WO2007027699A3 publication Critical patent/WO2007027699A3/fr
Priority to US13/424,153 priority patent/US8606171B2/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/02Access restriction performed under specific conditions
    • H04W48/04Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00Jamming of communication; Counter-measures
    • H04K3/40Jamming having variable characteristics
    • H04K3/45Jamming having variable characteristics characterized by including monitoring of the target or target signal, e.g. in reactive jammers or follower jammers for example by means of an alternation of jamming phases and monitoring phases, called "look-through mode"
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00Jamming of communication; Counter-measures
    • H04K3/60Jamming involving special techniques
    • H04K3/65Jamming involving special techniques using deceptive jamming or spoofing, e.g. transmission of false signals for premature triggering of RCIED, for forced connection or disconnection to/from a network or for generation of dummy target signal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K2203/00Jamming of communication; Countermeasures
    • H04K2203/10Jamming or countermeasure used for a particular application
    • H04K2203/16Jamming or countermeasure used for a particular application for telephony
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Definitions

  • PCT/US2006/30159 James D. Haverty, Methods of remotely identifying, suppressing, and/or disabling wireless devices of interest, filed 1 August 2006.
  • the U.S. National Phase of the present patent application will also be a continuation-in-part of the U.S. National Phase of PCT/US2006/30159.
  • PCT/US2006/30159 also claims priority from the above provisional patent applications and from the provisional patent application, 60/704,808, Haverty, Methods of remotely identifying, suppressing, and or disabling wireless devices of interest, filed 02/08/2000.
  • Each of the provisional patent applications and PCT/US2006/30159 is incorporated by reference into the present patent application in its entirety and for all purposes.
  • the present patent application refers to a filtering system which is implemented in the same fashion as the interrogation system of PCT/US2006/30159 but extends the uses to which the capabilities of the interrogation system may be put.
  • New material in the present patent application includes an improved description of the wireless network operations under a new heading General Description of Wireless Network Operations, of the CDMA and GSM signaling and protocols under the headings CDMA and CDMA 2000 and GSM, GPRS and EDGE respectively, and descriptions of additional ways in which the filtering system may be used in the sections titled CDMA Access Filtering Techniques for the CDMA standard and GSM Access Filtering Techniques for the GSM standard.
  • the invention relates to the methods of controlling a transceiver to remotely interrogate wireless devices on demand in some prescribed operational area so as to identify the presence of said device, whether it is friend or foe, and subsequently disabling the device based on its identity or enticing it to transmit to facilitate its location.
  • wireless devices in criminal and terrorist activities have made it desirable for law enforcement officials to be able to identify and subsequently suppress, ring, locate, or when necessary even disable clandestine wireless devices.
  • Such devices may be concealed in containers or on persons, may be connected to detonators or other activators, or may be being used for purposes of terrorism, unauthorized intelligence collection.
  • a legitimate wireless device may even have been inadvertently enabled in a secure environment.
  • Law enforcement officials further need to be able to identify and quarantine wireless devices in emergency situations or in situations where use of wireless devices is prohibited, such as prisons, hospitals or baggage screening areas and to determine the identifying information of a wireless device prior to locating and intercepting the wireless device and collecting either voice or data from the wireless device.
  • the wireless standards prescribe that a wireless device register (or re-register) with the system when the wireless device detects a beacon in its registration area that is "better” than the beacon the wireless device is currently monitoring.
  • the "better” beacon has either greater signal strength or better quality compared to the beacon which the wireless device is currently monitoring.
  • the wireless device obtains the thresholds for making such determinations from parameter settings in the beacon currently being monitored. For example, all beacons broadcast one or more messages that include parameters for determining when a wireless device monitoring the beacon is to register with the "better" beacon.
  • a baiting beacon is a counterfeit beacon, i.e., a beacon that appears to the wireless device to belong to the network with which the wireless device interacts but is in fact not one of the network's beacons.
  • a known method for making a wireless device register with a baiting beacon is to generate a baiting beacon that is like one in the current registration area but differs from it in two respects:
  • the wireless devices in the operational area will automatically re-register with the baiting beacon.
  • the technique of proffering a baiting beacon has been further refined in prior art to include a directional antenna so as to focus the baiting beacon's signal in a direction (where a wireless device of interest is presumed to be located).
  • Directional focusing the baiting beacon both reduces both the required power consumption and the amount of interference with wireless devices that are not of interest.
  • interference is termed in the following collateral interference.
  • the obvious limitations of this technique are that it presumes some knowledge of where a device of interest is located and that it limits but does not eliminate collateral interference: any wireless device that is located within the directional beam will be affected, even if the device is outside the operational area.
  • the baiting beacon whose signal in the operational area is stronger than that of any other beacon in the operational area has the intrinsic and fundamental limitation that collateral interference cannot be limited to the operational area. Because the baiting beacon's signal must be greater than that of the strongest beacon in the operational area, and that in turn means that the signal will reach far beyond the operational area. Merely offering a stronger baiting beacon further means that the minimum power level for the beacon must be a level which is just above the threshold of the strongest legitimate beacon in the operational area. The need for such high power levels makes it difficult to design portable baiting beacons that are both light in weight and have sufficient power to operate in close proximity to a legitimate beacon. Finally, the parameters received by the wireless devices from the legitimate beacon dictate how long the wireless device must detect the stronger signal before attempting to reregister, and that in turn determines how quickly a wireless device can be made to register with the baiting beacon.
  • the wireless device can be interrogated.
  • Many interrogation techniques can be derived directly from a reading of the cellular standards.
  • IMSI International Standard Mobile Identifier
  • TMSI Temporary Mobile Identifier
  • IMEI equipment electronic serial number
  • the actual dialed number of the wireless device known in the art as the Mobile Identification Number (MIN) is not stored in the wireless device but instead is stored in the network and hence cannot be queried using these standard interrogation techniques.
  • MIN Mobile Identification Number
  • this includes issuing an authentication rejection which tells the subscriber identity module (SIM) chip embedded in the wireless device to prohibit all incoming and outgoing calls or hijacking the wireless device and issuing an artificial IMSI detach.
  • SIM subscriber identity module
  • the IMSI detach tells the network that the wireless device is powering down. The network responds to the message by ceasing to route incoming calls to the wireless device.
  • the effect of the authentication rejection on the SIM is reversed when the wireless device is power cycled.
  • the effect of the IMSI detach is reversed when the wireless device is power cycled or it spontaneously reregisters with the network.
  • a critical requirement is that the any intervention be either prophylactic or immediately reactive such that it denies access to either unapproved or otherwise unfriendly wireless devices. More specifically, an intervention must be able to prevent incoming calls to devices being used as perhaps detonators and/or be able to disable outgoing calls such as might be placed by prisoners or other unapproved users, while at the same time allowing approved devices to make and receive calls unmolested. Another important requirement is- the ability to provide limited . access such as allowing a call to go through in order to obtain information about the call (e.g., identifying the dialed numbers of incoming or outgoing calls) and then subsequently shutting off access before the call is connected. Related is the ability to prolong communication for purposes such as locating a device by crippling rather than jamming communications and thus permitting a call to stay up while rendering the call's content mostly unintelligible.
  • Indiscriminate jamming of all communications over some prescribed operational area is known in the art.
  • the obvious problem with such jamming is that it prevents all calls (including emergency), whether incoming or outgoing, within the operational area.
  • Indiscriminate jamming also often consumes large amounts of power.
  • the potential for collateral interference outside of the operational area is high.
  • a disablement command such as an authentication rejection in GSM (SIM disable) or a maintenance lock order in CDMA, or
  • this methodology will fail as the device will have been allocated to a traffic channel before it can be interrogated and it is not until the end of the call, when it is too late to intervene, that an interrogator can gain the attention of the wireless device.
  • Interrogation followed by disablement are in many cases not reversible and may require a power cycling by the user to undo the disablement.
  • the fact that the user may be unaware of the situation exacerbates the problem as it may be hours to perhaps days before the user discovers that the wireless device is disabled.
  • a wireless device that is being interrogated cannot make or receive calls.
  • the interrogation process must be constantly repeated.
  • the constantly repeated interrogation may prevent any wireless device from gaining access to the system while in the operational area It also does not deal with the problem of an otherwise legitimate wireless device that enters an operational area where the device is not approved and is disabled but cannot be re-enabled until the device is power cycled. The same is the case with collateral wireless devices on persons that live or work near an operational area.
  • An operational area is likely to be a small subset of the entire area serviced by the wireless service provider, making spatial filtering extremely difficult. This makes the potential for collateral interference very high for persons that live and work in proximity to an operational area as they will routinely- be affected because there is no efficient mechanism for adding them to the approved list.
  • Problems not solved by known techniques of enticing wireless devices to reregister with a baiting beacon include: limiting or eliminating collateral interference and false alarms in some operational area; minimizing the power required for the baiting beacon; minimizing the time required for the baiting beacon to elicit a registration; and distinguishing wireless devices that are permitted in the operational area from those that are not permitted there.
  • Problems not solved by known techniques of querying enticed wireless devices include: guaranteeing that a subscriber is not alerted that a wireless device has been disabled, re-enabling a wireless device on demand; the determining the MIN of the wireless device; defeating the encryption without directly attacking the key; and querying wireless devices that operate on the UMTS standard.
  • Problems not solved by known techniques are further: selectively and efficiently give only approved wireless devices access to the network; reacting in a timely fashion to the dynamic conditions in an operational area; limiting collateral interference to an operational area; and surgically tailoring attacks on communications between wireless devices and beacons so as to achieve minimum power consumption while being maximally inconspicuous.
  • the object of the invention is attained by a method for interfering with a communication between a beacon and a wireless device that is made according to a wireless standard.
  • the method includes determining a characteristic of a signal produced during the communication.
  • the characteristic is one that is required for the communication by the wireless standard and then generating an interference signal.
  • the interference signal is specifically adapted to the characteristic and interferes with the characteristic such that the wireless device and the beacon cannot interact as provided for the communication by the wireless standard.
  • FIG. 1 - shows full duplex communications employed by wireless networks
  • FIG .2 - Shows the roaming and registration process used in wireless networks.
  • FIG. 3 - shows a summary of the registration signaling process with a particular beacon.
  • FIG. 4 - shows a summary of the call setup signaling process.
  • FIG .5 - shows the operation and scope of the filtering system.
  • FIG. 6 - shows the preferred embodiment of a filtering system transceiver.
  • FIG. 7 - shows a known method of creating a baiting beacon to entice a wireless device to register.
  • FIG 8 - shows a method of enticing a wireless device to register with a baiting beacon having minimum power consumption and minimal collateral interference
  • FIG. 9 - shows creating baiting beacons to cover multiple service providers operating in the same frequency band.
  • FIG 10 - shows a method of interrogating an wireless device and using measurement reports transmitted by the wireless device to estimate its location.
  • FIG. 11 - shows a simplified representation of a CDMA signal structure.
  • FIG. 12 - shows a simplified representation of a CDMA signal structure for the forward channel.
  • FIG. 13 - shows a simplified representation of a CDMA signal structure for the reverse channel.
  • FIG. 14 - shows a simplified representation of a CDMA signal structure for an access probe. . - . -
  • FIG. 15 - shows a generalized depiction of the multipathed CDMA pilot and an interfering pilot signal with multiple delays.
  • FIG. 16 - shows an example of attacking the a CDMA code channel by matching the delay spreads and allowing the decimated long code randomization to work on behalf of the filtering system to effect interference.
  • FIG. 17 - shows a pilot or symbol delay dithering technique to randomly delay a signal to match the multipath spread of a CDMA signal so as to corrupt sets of symbols that will be contiguous after the deinterleaving process.
  • FIG. 18 - shows the generalized CRC attack.
  • FIG. 19 - shows an example of using commercially available test signal generation equipment and the associated beacon settings that to implement a baiting beacon for a CDMA wireless device.
  • FIG. 20 shows various classes of interfering CDMA signals.
  • FIG. 21 - shows an example of the a surgical CDMA attack timed to the CDMA pilot.
  • FIG. 22 - show a method of herding a wireless device to an unused channel.
  • FIG. 23 - shows methods of hooking a wireless device on an unused channel which is used as a technique to effectively disable the wireless device.
  • FIG. 24 - shows a method of effecting a reverse channel denial-of-service attack by generating confusing access probes.
  • FIG. 25 - shows the process of allowing only a particular beacon for access and surgically attacking CDMA forward-channel signals that-gain access -thereby.
  • FIG 26 - shows a generalized representation of the signals generated by a GSM beacon.
  • FIG 27 - shows a generalized representation of GSM beacon/wireless device signaling interaction.
  • FIG. 28 - shows a signal flow diagram for a GSM Location Update Request (registration).
  • FIG. 29 - shows a signal flow diagram for a GSM call setup.
  • FIG 30 - shows examples of surgical attacks on the GSM training sequence.
  • FIG 31 - shows the signal structure for GSM traffic (voice) signaling.
  • FIG 32 - shows a block diagram for generating sets of interfering GSM signals for wideband signal attacks against frequency hoppers.
  • FIG. 33 - shows an example of using commercially available test signal generation equipment to implement a baiting beacon for a GSM wireless device.
  • FIG. 34 - shows GSM wireless device interrogation methods.
  • FIG. 35 - shows a method of hijacking a GSM wireless device so as to co-opt the network to provide the MIN of the wireless device.
  • FIG. 36 - shows GSM wireless device herding methods.
  • FIG 37 - shows a method whereby a GSM wireless device can be selectively disabled and re-enabled.
  • FIG 38 - shows a method for disabling any or all UMTS wireless devices.
  • Cellular - Wireless communication in any of the generally accepted bands allocated for individual commercial subscriber based voice or data communications.
  • Handset - A mobile device used by a subscriber for voice communication and is a particular type of wireless device. This term is often used interchangeably with wireless device.
  • Wireless Device any device be it a mobile wireless device, a portable data assistant or pager that operates on any cellular, PCS or similar system that nominally provides for voice and data communications.
  • CDMA 2000 Code Division Multiplexed Access as governed by the TIA IS-95 and IS-2000 standards.
  • GSM Global System for Mobile Communications
  • ETSI ETSI standard describing a second generation system for mobile wireless communications.
  • Collateral Wireless Devices Any wireless device operating outside of the operational area or approved wireless devices operating in the operational area.
  • Beacon A generic term used for the signal broadcast by a cell tower that continuously provides cell tower and system level information as well as timing so as to aid a wireless device in gaining access to a wireless network.
  • Operational Area A predefined area in which all wireless devices will be affected by the interrogator.
  • IMSI International Mobile Standard Identifier - A unique identifier that is either associated with a specific subscriber or a wireless device used thereby.
  • TMSI Temporary Mobile Standard Identifier - A temporary identification number used as local shorthand while the wireless device is operational in a system.
  • Registration Area A contiguous geographic region encompassing some number of cell towers.
  • a wireless device will reregister with the cellular network each time it enters a new registration zone so as to facilitate the routing of incoming calls.
  • the MIN is synonymous with the "dialed" phone number of a wireless device as opposed to the subscriber identity codes such as IMSI or TMSI.
  • the MIN and IMSI are de facto synonymous but the term MIN is used when it necessary to refer specifically to the dialed number without regard to standard.
  • CRC Cyclic Redundancy Check - A collection of bits that is appended to a packet of data which is used to detect if one or more bits in said packet was erroneously received.
  • SDCCH - GSM designator for a Stand- Alone Dedicated Control Channel SACCH - GSM designator for a Slow Associated Control Channel
  • FACCH - GSM designator for a Fast Associated Control Channel BCCH - GSM designator for the Broadcast Control Channel SCH - GSM designator for the Synchronization Channel
  • SIM - Subscriber Identity Module - A removable module (chip) that is inserted in a GSM or UMTS based wireless device such that wireless device assumes the identity of the information contained therein.
  • All communications between the wireless device and the network is full-duplex, i.e., the network transmits via a beacon to the wireless device on what is designated as a forward channel (also known in the art as a downlink channel) and the wireless device simultaneously transmits to the network beacon on the reverse channel (also known in the art as an uplink channel) as shown in FIG 1.
  • Each forward channel (101) is either a time or code channel operating within some frequency channel and sets of these frequency channels are collected in a contiguous forward spectral band (102). Paired with each forward channel is a matching reverse frequency, time and/or code channel (103) and sets of these channels are collected in a contiguous reverse spectral band (104). All timing between the wireless device and the network is established on the forward channel.
  • the timing on the reverse channel is synchronized to the timing on the paired forward channel.
  • a receiver thus need only synchronize to the forward channel to know the timing of both less any uncharacterized propagation delays.
  • Most towers also employ sectored antennas that concentrate transmitted energy in a particular direction (105) ⁇ sector) while at the same time making it only sensitive to received energy from this sector. This has several purposes including spectrum management such that it limits transmit energy propagation to a sector so as to improve frequency reuse while simultaneously increasing the receiver sensitivity of the tower to a wireless device operating in that same sector.
  • a tower's sectors have an influence on how best to attack a signal with respect to access filtering, as it can often be the case that a wireless device of interest may either receive or be received by a tower differently based on the location of the wireless device relative to the tower's sectors.
  • beacon All towers. broadcast a specifically crafted signal known -in the art as a beacon:
  • the beacon is continuously broadcast and contains identifying and access information that enables the wireless device to identify a tower as an access point on the network and to determine if it is suitably compatible with the wireless device.
  • Beacons also incorporate other signaling such as paging and access grant channels that enable a wireless device to negotiate with the network for access.
  • AU beacons operate on a fixed forward frequency channel. For purposes of this discussion a beacon is synonymous with a tower unless expressly noted.
  • All wireless devices must arbitrate for access to a network using a precisely synchronized and orchestrated protocol, whether making or receiving phone calls. While the signaling protocols are specific to a standard, the generalized process is shown in FIG 2.
  • the wireless device Upon power up, the wireless device scans prescribed forward bands looking for beacons broadcast by each tower (201). If one or more beacons are identified, the wireless device will chose the best beacon (be it for quality, signal strength or compatibility) and attempt a registration (202). The purpose of registration is to indicate to the wireless network that the wireless device is on and therefore able to accept incoming calls or connections. Once registered with the network, the wireless device monitors the network awaiting incoming calls. All standards provide for a registration area (203) (known variously in the standards as a registration zone or a location area).
  • Embedded in the signal of each beacon is a common registration area code that indicates that a given beacon is part of a set of beacons (204) - presumably grouped over a contiguous geographic region such as a part of a city.
  • the purpose of the registration area is to allow the wireless device to roam in the registration area without having to expressly register with each and every beacon it might sense. Instead the wireless device will unilaterally choose which beacon it shall monitor within some registration (205) area awaiting incoming pages from the network (typically indicative of an incoming call). Since a wireless device will roam as it may, the network does not have any sense as to which beacon the wireless device may be monitoring and hence sends any pages intended for the wireless device simultaneously to all of the beacons in the registration area to ensure reception (206).
  • the process of registration is generalized in FIG. 3. Having scanned the operational band, the wireless device synchronizes to the beacon (301) and then analyzes a set of system information messages that are continuously repeated by the beacon (302). Among other things, these messages identify a particular beacon (including the service provider operating said the beacon) and specify how to gain access to the network through this beacon. Included in the specification of how to gain access are parameters specifying any secondary beacon, the beacon's timing, the revision of the protocol used by the beacon, or the type and revision of wireless devices it will accommodate.
  • the wireless device Presuming the beacon is compatible with the wireless device, the wireless device will send a precisely timed and crafted signal burst (known in GSM/UMTS as Random Access Channel, RACH, burst or in CDMA as an access probe) (303) on a reverse frequency, time and/or code channel that is either implied or expressly dictated by parameters in the messages.
  • a precisely timed and crafted signal burst (known in GSM/UMTS as Random Access Channel, RACH, burst or in CDMA as an access probe) (303) on a reverse frequency, time and/or code channel that is either implied or expressly dictated by parameters in the messages.
  • RACH Random Access Channel
  • CDMA Code Division Multiple Access Channel
  • Any number of wireless devices may be attempting to access a beacon simultaneously. Until a wireless device is recognized by the network and allocated a unique forward/reverse channel pair (be it frequency, timing or coding) that uniquely separates it from all other wireless devices, collisions between the wireless devices and other wireless devices (305) attempting to access the beacon are possible (304).
  • Wireless protocols provide for this scenario by means of a "response/back-off ' scheme.
  • the wireless device After sending the attention burst, the wireless device awaits a response at a specific time (306) from the beacon (in either the paging or channel assignment time slot allocation of the beacon depending on standard) acknowledging that the beacon has received the burst and in some standards (e.g., GSM and UMTS) this same response redirects the device to move to a channel (307) that has been uniquely reserved for any subsequent communication between the wireless device and the beacon. If the response is not forthcoming then it is presumed by the wireless device that the beacon did not hear the request (either because of collision or poor reception) and the device waits a pseudo-random period of time ("backs off) (308) before attempting to burst again.
  • a pseudo-random period of time (“backs off)
  • the competing devices will each back off for a different period of time before reattempting to burst. Because each wireless device backs off for a different period of time, the probability of their continual collision becomes vanishingly small and therefore both (or all) devices eventually gain access to the network.
  • Wireless devices can also initiate registration.
  • An example is timed registration wherein a wireless device will automatically reregister with the system at some periodic interval as dictated by information in the beacon.
  • the registration interval is strictly at the discretion of the wireless network and can be both arbitrary and highly variable with periods of tens of minutes or more being typical. Therefore a detection system based on simply waiting for a wireless device to spontaneously register is not viable. Furthermore such detection system would be forced to monitor one or more reverse channels associated with each beacon in the operational area and without the use of highly specific and expensive directional antennas or sophisticated location technology, there is little hope of distinguishing reverse channel messages from clandestine wireless devices from reverse channel messages from collateral devices.
  • the wireless device is able to make or receive calls.
  • the general process for making and receiving calls is shown in FIG 4.
  • the wireless device receives a page on one of the logical channels provided by the beacon that the wireless device is currently monitoring (401).
  • the protocol provides for sending a page to a particular wireless device only at prescribed times. This enables the wireless device to conserve power by shutting down its receiver between these times by shutting down the receiver
  • the wireless device will attempt to gain access to the wireless network as described for the registration process above (402, 403). In either case, the wireless device and the network will then perform the additional step of signaling back and forth to set up the call (404), culminating with the device moving to what is known variously as the traffic or conversation state where the wireless device begins to communicate with the network over an expressly reserved pairing of forward and reverse channels (405).
  • the filtering system which carries out the baiting, interrogation, disablement and filtering operations on the wireless devices is called in the following a filtering system.
  • a preferred embodiment of the filtering system is shown FIG. 5.
  • the filtering system consists of a transceiver (501) that is capable of acting as a baiting beacon, a wireless device and an active interferer.
  • a functional transceiver block diagram is shown in FIG. 6.
  • the transceiver first scans the environment (502) in search of relevant beacons that can be detected in some operational area. It then transmits some number of interfering signals (503) that are tailored to these signals in both strength and bandwidth so as to blind all of the wireless devices present in some predefined operational area — which is typically but not necessarily defined to be some radius from the transceiver.
  • Placement or orientation of the transceiver may result in other geometries.
  • the transceiver proffers a baiting beacon (504) paired with a receiver that will entice all wireless devices within some smaller radius (up to and including the whole of the operational area) to register (505).
  • a baiting beacon 504
  • a receiver that will entice all wireless devices within some smaller radius (up to and including the whole of the operational area) to register
  • By controlling the signal level of this beacon it is possible to precisely control the proximity in which wireless devices will attempt to register.
  • a wireless device registers it can be subsequently interrogated (506) and checked against a friend or foe data base (507).
  • Wireless devices that are not on a approved list can subsequently be acted upon as selected by the operator of the data base. Actions which can be performed using the techniques described herein (508) can range from triggering an alarm to automatically disabling a wireless device. Further still, the wireless device can be interrogated to derive or otherwise facilitate the discovery of secondary information such as encryption keys and/or sequences or the dialed number (known in the art as the Mobile Identification Number - MIN).
  • secondary information such as encryption keys and/or sequences or the dialed number (known in the art as the Mobile Identification Number - MIN).
  • the filtering system can filter access to a network.
  • Access filtering can range from allowing specific beacons to operate in the operational area while monitoring the activity on the beacons and then filtering access to the beacons on a per-wireless device basis by attacking signaling specific to the wireless device (509) to extending the principals of beacon suppression described above to target all of the beacons (503) so as to effect a blanket DoS. or.
  • the transceiver consists of a receiver subsystem (601) and a generation subsystem (602).
  • the generation subsystem is synchronized to the receiver subsystem through the use of the baiting beacon feedback (603).
  • the baiting beacon is first turned on at some low power .
  • the baiting beacon has specially encoded parameters that distinguish it from other beacons but are superfluous to the wireless device and therefore ignored by it - one possibility is the addition of a message that is not prescribed in the standards.
  • the receiver then scans the environment. The receiver automatically detects the baiting beacon along with all of the other relevant beacons in the operational area and the receiver notes the timing difference between any relevant beacon and the baiting beacon.
  • the receiver allows the receiver to express to the generator the timing difference (604) between each relevant beacon and the baiting beacon with sub-microsecond precision. Additionally, the receiver receives the parameters that will need to be cloned to implement the baiting beacon (605).
  • the critical feature of this technique is that it completely decouples the receiver timing from the generator timing. More specifically it eliminates any of the vagaries of timing delay between the receiver and generator that would otherwise require arduous calibration to deal with and instead simply specifies the difference in timing between the generator and any given relevant beacon as seen by the receiver.
  • the ability to achieve this degree of timing precision makes it possible to make micro-surgical attacks on critical sections of signaling waveforms.
  • the microsurgical attacks need only attack vulnerable parts of the waveform.
  • the vulnerable parts are generally only a very small fraction of the wave form, and consequently the micro-surgical attacks minimize the required average power to suppress a waveform.
  • This is particularly relevant with regard to standards such as CDMA that are intrinsically resistant to unsophisticated jamming attacks such as white noise.
  • having precise timing allows the generator to not only attack these sections of the waveforms but indeed turn this to its advantage as described under the topics for the individual standards while reducing the required transmit power by possibly several orders of magnitude.
  • the incorporation of the data base allows the system to allow pre-approved wireless devices or classes of wireless devices to operate unmolested in the operational area while unapproved devices are disabled.
  • An important advantage of the filtering techniques disclosed herein is that it is not necessary to precisely know the location of the wireless device.
  • An example is a prison situation where it is only necessary to disable a wireless device as opposed to actually locating it. This enables prison staff to use their wireless devices while suppressing all other wireless devices (510).
  • the filtering system can force the wireless device to transmit in a quiescent part of the spectrum so as to facilitate location of the wireless device.
  • the filtering system can also cause the wireless device to ring.
  • the wireless device can be interrogated to derive or otherwise facilitate the discovery of secondary information such as encryption keys and/or sequences or the dialed number (known in the art as the Mobile Identification Number - MIN)
  • a transceiver that may be used to implement baiting beacons and interference signals is the ComHouse Wireless Network Subscriber Test (NST), which may be purchased from ComHouse Wireless LP, 221 Chelmsford St., Chelmsford, MA 01824.
  • the unit is a software defined radio capable of testing both wireless devices and base stations using the GSM and CDMA standards.
  • NST can interrogate wireless devices by acting as a beacon and can scan cellular environments so as to identify and analyze beacons, and can generate multiple simultaneous signals which can be used as interference signals.
  • the interference signals may be customized to surgically attack or manipulate cellular signals with sub-microsecond precision.
  • the unit can also make and receive outgoing and incoming phone calls.
  • the filtering system scans the cellular environment (502) and identifies all of the viable beacons in some defined operational environment. It then clones one or more of the beacons with certain important deviations to create baiting beacons while simultaneously generating interfering signals that blind the wireless device to the legitimate beacons and thereby forces the wireless device to search for and register with the proffered baiting beacons (503, 504).
  • the baiting beacon is chosen such that it is not on a legitimate channel in the operational or surrounding areas. This makes it possible to distinguish wireless devices that are in the operational area from those legitimately operating outside of the operational area. This is ensured by controlling the power of the baiting beacon such that is not detectable outside of the operational area by collateral wireless devices. This further eliminates the need for directional antennas to control collateral interference and achieves a solution having the minimal transmitted power and thereby power consumption.
  • the standards prescribe that a wireless device will reregister when it senses that it has entered a new registration area. More specifically when a new beacon is detected from a different registration area that is sufficiently stronger than any beacon in the current registration area, the wireless device will attempt to re-register in the new area (207). A newly-appearing beacon which is sufficiently stronger than an existing beacon that the wireless device attempts to register with it is said to override the existing beacon.
  • the standards provide for a hysteresis parameter that the beacon broadcasts to the wireless device and indicates to the wireless device how much stronger the new signal must be than any signal which the wireless device is receiving from beacons in the wireless device's current registration area.
  • the hysteresis parameter generally requires that the new beacon signals be many times greater (typical is a factor of 4 to 10) than beacon signals from the current registration are before the newly-appearing beacon overrides the beacon with which the wireless device is currently registered.
  • FIG 7 is a spectral representation of a known method of forcing re-registration with a baiting beacon.
  • the baiting beacon is made by cloning a beacon in the registration area and modifying the baiting beacon's registration area identifier. Then the baiting beacon is provided with enough signal power to satisfy the hysteresis parameter with regard to the most powerful beacon in the operational area (701).
  • the high signal power required to satisfy the hysteresis parameter has two undesirable side effects: the power required to produce the signal and the amount of collateral interference caused by the signal outside the operational area (505)
  • FIG 8 shows the technique disclosed herein for surgically suppressing all relevant beacons (801) and then proffering a much lower powered beacon in some quiescent portion of the spectrum (802), preferably but not necessarily using a channel identified as a neighbor of a relevant beacon.
  • Use of a neighbor channel is likely to speed the registration process because it prevents the wireless device from having to rescan the entire spectrum in search of new beacons.
  • Suppressing all of the relevant beacons also prevents the wireless device from simply moving to monitor an unsuppressed beacon in the same registration area. It furthermore decreases the time it takes to force a wireless device to register because when a wireless device is cut off from its network, the wireless device immediately begins searching for new beacons.
  • the baiting beacon when a baiting beacon is used without suppression, the baiting beacon must be detected for some period of time (perhaps 10s of seconds) as determined by a parameter provided by the relevant beacon the wireless device is monitoring before the wireless device will accept the baiting beacon as viable and attempt to register with it.
  • the filtering system automatically adjusts the individual baiting beacon and interference signals to both limit interference with and false alarms from collateral wireless devices.
  • the power level and bandwidth of an interfering signal which is intended to suppress a relevant beacon may be limited to only that needed to suppress the relevant beacon (803) within the operational area.
  • the baiting beacon's power level is adjusted to the minimum required for a wireless device that is within the operational area to respond to the baiting beacon. (804). Power consumption, collateral interference, and false alarms from collateral devices can be further minimized by placing the operational area within a containment housing such as might be used for screening baggage for active wireless devices that may be used as detonators.
  • wireless devices are programmed to only respond to particular beacons as determined by the service provider. Furthermore the cellular spectrum is normally divided into sub-bands. An extension of this technique is thus to provide a baiting beacon corresponding to each relevant beacon belonging to the service provider as shown in FIG 9. However it is not necessary to do so simultaneously. Instead, a single baiting beacon can be move from one sub-band to another, dwelling in each sub-band for a period that will permit detection of wireless devices that are using the sub-band in the operational area. Detecting all the wireless devices in the operational area will of course take longer when done this way than when done with a baiting beacon corresponding to each relevant beacon.
  • the filtering system includes a receiver (501) that is paired with the baiting beacon that detects the wireless device as it attempts to register with the baiting beacon (504).
  • the interrogation process also makes use of a data base to store identifying information to create a friend or foe list (507). This makes it possible to filter legitimate wireless devices from as yet detected wireless devices that may be of interest and subsequently allow access to the legitimate network of friendly wireless devices (510). This further makes it possible for legitimate subscribers to keep wireless devices on their persons even while in the operational area without provoking false alarms.
  • Wireless devices that are enticed to register with the baiting beacon can be subsequently interrogated to determine whether they are friend or foe (506).
  • the interrogator uses the paired baiting beacon and receiver to interact with the wireless device as it attempts to register so as to elicit identifying information such as the mobile identification number (i.e., the wireless device number), the international mobile subscriber identity IMSI, the temporary mobile subscriber identity TMSI, or the serial number.
  • the concept can be extended further to entice the wireless device to transmit continuously and possibly be sequestered on a unique channel so as to facilitate its location.
  • a further extension of the concept is to use the neighbor beacon list obtained from the relevant beacons on the initial scan to find a quiescent channel.
  • the baiting beacon then forces the wireless device of interest to move to this channel and to transmit on demand. In some situations it may even be desirable to force the wireless device to ring.
  • the filtering system computes the approximate location of the wireless device, as shown in FIG. 10.
  • the standards specify that a wireless device continually scan all of its neighbors (1001) while it is actively communicating with the current serving tower and to insert regular measurement reports on the absolute signal strength of the beacons as received by the wireless device. This information is then passed on to the network for purposes of determining when a phone should be handed off to another tower. If the wireless device is indicating to the network that it can sense a tower with much better signal strength and/or quality, the network will direct the wireless device to move to that tower. This is known in the art as Mobile Assisted Hand-Off (or Hand-Over) - MAHO.
  • the wireless device of course offers these reports to the filtering system's baiting beacon (1002). If a user of the filtering system knows the location of the neighboring towers (presumably from a previous survey), it is possible to derive, or as a minimum narrow, the position of the wireless device based on these power measurements as shown in FIG. 10. During the period in which the wireless device is collecting data for a measurement report, the interference signals are turned off so that the wireless device can detect the relevant beacons and the baiting beacon is given a signal strength sufficient to prevent the wireless device from monitoring another beacon. Specifically the received power implies a distance to the tower (1003).
  • the location technique may be further refined by using sector orientation and aperture information from the surrounding legitimate beacons. For example, a tower survey is likely to include not just the frequency channel settings and the position of the tower but also the orientation and aperture (beam width) of the sectors mounted thereupon (e.g., pointing with respect to true north and aperture in degrees - typically 120 degrees out of 360 for a three sector tower).
  • the location of the wireless device is therefore refined by overlaying on a map the projections of the sectors that can be heard by the wireless device with the intersection of the sectors being the presumed area in which the device is transmitting (1005).
  • Wireless devices that are deemed to be foes can subsequently be quarantined or temporarily disabled. All standards provide for dealing with a malfunctioning wireless device by having the beacons in the registration area issue a command to the wireless device to which the wireless device responds by disabling itself until it is power cycled. The baiting beacon can use this command to disable wireless devices in the operational area.
  • wireless devices can be disabled by irradiating them with large signal levels in the frequency band in which such devices are known to operate and thereby tripping protection circuitry that can only be reset by power cycling.
  • the technique is further refined by either matching the bandwidth of the interferer to the operational bandwidth of the device so as to concentrate the energy and then sweeping this energy across the operational band over time or detecting the frequencies on which the cellular or paging systems are operating in the operational area and concentrating the energy in those channels.
  • This technique is particularly useful for disabling strictly passive wireless devices such as one-way pagers that cannot be interrogated.
  • collateral interference is controlled by controlling the tripping signal power so that only devices within the operational area will be affected.
  • One example is baggage screening where the apparatus operates in close proximity to the wireless device. Collateral interference may be further limited by the use of either radio- opaque containers or directional antennas.
  • the filtering system can hijack the device and make a phone call on the network and use the network's caller ID functionality to detect the calling number of the wireless device.
  • the transceiver first scans a forward band in search of beacons (204, 502) that can be detected in some operational area. Since wireless devices are generally programmed to only operate on networks (i.e., entertain a beacon) of the service provider that supplies the wireless device (or on networks with which the service provider may have reciprocity agreements - known in the art as a "roaming agreement"), the filtering system must make note of both the service provider to which a beacon belongs and the standard used by the beacon.
  • the transceiver then formulates an ordered selection factor list for a service provider and standard, using criteria such as the signal strength and quality to determine the most probable serving beacon for a wireless device using a particular standard and service provider in the operational area and proceeds to monitor the serving beacon (502, 508) awaiting incoming or outgoing calls.
  • the filtering system is capable of listening to either side of the signal interface between the wireless device and the serving beacon. It is therefore able to detect and react in real-time to important events such as a registration or a call set up and to obtain identifying information about the wireless device from these events.
  • the filtering system applies the identification information to a friend or foe data base to determine on either a per-wireless device or per-wireless device class basis which wireless devices in the operational area are to be allowed access (507).
  • filtering there is the potential to effect either broad or selective filtering.
  • Four categories of filtering can be specified for the filtering system. They include: Blanket Denial of Service (DoS), which precludes all access to the network in some prescribed operational area; Negative Filtering, which prevents proscribed wireless devices or classes thereof from gaining initial access to a wireless system; Positive Filtering, which allows only prescribed wireless devices or classes of wireless devices to gain access to a wireless system; and Surgical ' Suppression, which surgically interferes with specific wireless devices after the wireless devices have gained access to a wireless system. The surgical interference may either directly jam communication and possibly force the wireless device off the air or prolong communication for purposes of either locating the wireless device or keeping it otherwise engaged.
  • the kind of filtering done by the filtering system further depends on whether the forward or reverse link is being interfered with.
  • AU standards provide for a wireless device to issue a power down alert to the network to indicate that the wireless device will no longer be able to accept incoming calls.
  • prior art has described techniques for hijacking a phone and feigning a power down to prevent the routing of incoming calls to a wireless device and as described under the heading of Roaming and Network Access, all standards employ the notion of a registration area wherein all pages intended for wireless devices that are currently registered therein are sent to all simultaneously to all of the towers in said area (206). Consequently, the filtering system need only listen to any one of the towers in a registration area to hear all of the pages for that registration area. If a filtering system is placed at a location where a number of registration areas overlap, the filtering system can listen to the pages and channel assignments from beacons in each of the registration areas.
  • CDMA and CDMA 2000 are governed by the Telecommunications Industry Association interim standards TIA IS-9SB and TIA IS-2000 respectively. These standards are incorporated herein by reference. . . . . . - ⁇ ⁇
  • CDMA signals use direct sequence spread spectrum modulation technique to allow multiple beacons and multiple wireless devices to share RF spectrum simultaneously.
  • the signals are distinguished by modulating each with a mutually orthogonal time- coded sequence.
  • the sequences are synchronized directly to the Global Positioning System (GPS) to within sub-microsecond timing.
  • GPS Global Positioning System
  • the specific formatting, coding and modulation of the forward and reverse channel signaling can be found in sections 7 and 6 respectively of IS-95B.
  • a summary diagram for the forward channel is presented in Figure 7.1.3.1-1 of the IS-95B standard.
  • Summary diagrams for access probe and reverse channel signaling are presented in Figures 6.1.3.1-1 to 7 of the IS-95B standard.
  • the above references apply to CDMA 2000 signals.
  • the CDMA code sequences (1101) are composed of what is known in the art as the long and short code sequences in tandem.
  • the forward and the paired reverse channel have slightly different long and short code schemes necessitating some differences in attack strategies.
  • the former uses a decimated long code such that is only modulated on per Walsh code basis (every 64 chips - refer to block denoted "decimator" in Figure 7.1.3.1-1 of IS-95B) and the latter modulates the long code on every chip
  • the long code sequence is derived from the Electronic Serial Number (ESN) of the wireless device when it is in a "traffic" state (e.g., a phone call is in progress).
  • ESN Electronic Serial Number
  • the long code is only applied on a per Walsh code basis, it is not necessary to have knowledge of or otherwise utilize the ESN to achieve suppression in the traffic state.
  • the CDMA beacon operating on some forward link frequency channel is provides a pilot and sync channel and some number of paging and traffic channels. All of the channels operate on the same frequency channel but are distinguished by different code sequences as summarized in FIG 12.
  • the wireless device Upon powering up, the wireless device searches a set of programmed RP operational band(s) for the pilot channels of each beacon (1201). The wireless device Will then use the pi ⁇ ot channel to acquire the sync channel (1202) to synchronize to the timing of the beacon and then extract a set of messages, known in the art as "overhead" messages, that is repeatedly broadcast on the first paging channel (1203). These messages are used by the wireless device to identify the network on which the beacon is operating as well as to obtain parameters for the behavior of the wireless device when interacting with the network. Included in the parameters are the ones necessary for formulating access probes to gain access to the system.
  • Timing of all code channels is based on the timing of the pilot channel which is in turn locked to GPS.
  • the receiver In order to recover any given code channel, the receiver must synchronize to the pilot. Because all wireless devices monitoring the beacon must synchronize to the beacon's pilot, it is in general not possible to attack the pilot channel without running the risk of causing interference on unintended code channels. Under highly specific circumstances, however, the filtering system is able to attack the pilot channel..
  • the synchronization of all code channels to the pilot channel also means that the timing of all of the code channels is co-dependent.
  • the power levels of all of the code channels are all nominally equal.
  • the pilot channel however, except that the pilot has a signal strength which is 2-4 times greater than that of the code channels.
  • CDMA is also designed to maximize frequency reuse.
  • An important feature of the standard is that multiple beacons can operate simultaneously on the same frequency channel. This is made possible by having each beacon delay its pilot signal (known in the art as a pilot PN offset) be a different amount. The delay ensures that the scrambling codes used by each beacon remain orthogonal and hence separable.
  • the reverse channel signaling is expressed in FIG 13.
  • the most important differences between reverse channel signaling and forward channel signaling are: all code channels are independent (1301) of one another and their power levels are distinct (1302), as they actively controlled by the base station via the paired forward channel; furthermore (1303) the absolute timing of each will vary as a function of the propagation time from the transmitter to the receiver (notwithstanding that they are implicitly locked to GPS via the forward link pilot channel); and unlike the forward channel there is no common pilot channel (although CDMA 2000 provides for an individual pilot associated with individual code channels).
  • FIG 14 summarizes the structure and operation of the AP. A detailed diagram is shown in Figure 6.6.3.1.1.1-1. of IS-95B.
  • An access attempt is a collection of access sub-attempts (1402) that are pseudo-randomly spaced in time (1403) in order to mitigate collisions with access attempts by other wireless devices.
  • the sub-attempt itself is a series of Access Probes (1404) each containing repeated bursts (1405) with increasing power (1406).
  • the bursts have pseudorandom spacing (1403).
  • the wireless device monitors the beacon paging channel(s) waiting for the network to respond.
  • the AP bursts cease when either the Access Attempt reaches its limit of sub-attempts or when a response is detected.
  • Embedded in the AP is the identifying information specific to the wireless device. This can be the ESN, the IMSI, the MIN or the TMSI.
  • Parameters governing the formation of Access Attempts and Access Probes intended for the beacon to which the wireless device is attempting to gain access are provided by the access parameters message that is broadcast by the beacon.
  • the parameters include the span of the pseudo-random spacing between repeats; the number and size of power increments or the maximum number of sub-attempts. .
  • the filtering system uses a number of waveform vulnerabilities of the CDMA standard to achieve network access filtering and/or surgical suppression.
  • Waveform Overriding The orthogonal noise-like nature of the CDMA waveform offers possibilities for overriding the waveform.
  • the hallmark property of the CDMA waveform is its use of direct sequence spread spectrum modulation techniques. This allows a receiver to distinguish and coherently combine multiple echoes (known in the art as multi-path due to multiple path delays caused by various effects, such a reflections, refraction or diffraction) of the received signal and thereby enhance the receiver- performance.
  • CDMA receivers typically select a limited number " of ' trie strongest paths (echoes) which the receiver detects across a delay spread of typically several microseconds.
  • the filtering system overrides a CDMA waveform by offering one or more copies of another signal having different delays (typically across several microseconds) that are timed to the signal under attack.
  • the use of the different delays requires far less power to cause the receiver to abandon the legitimate signal in favor of the overriding signal than the power need to overwhelm the signal directly. Furthermore it offers the possibility of inserting information into the signal offered by the filtering system.
  • the filtering system does use a pilot attack for surgical suppression in limited circumstances as described further below.
  • the waveform overriding technique is illustrated in FIG 15.
  • Direct Waveform Attack - CDMA waveform attacks are predicated on whether they are operating in either blanket or surgical mode and whether they are operating on the forward or reverse link.
  • the attack contemplates using either of two strategies.
  • the first strategy, shown in FIG 16, is a direct attack on the waveform by timing to it directly to within a single chip.
  • the filtering system estimates timing of any code channel as seen at the receiver of the wireless device.
  • the estimation can be made if the filtering system is within a thousand feet or less of the wireless device and is attacking the forward channel (1601) ( ⁇ 1000 feet). In this case it simply a matter of generating an interfering signal that is directly matched to the forward channel's codes at a power level only slightly higher than that of the beacon.
  • the filtering system further refines the attack by recognizing that the typical multi-path is in the 2 to 3 uS range and offering multiple copies of the signals in that range (1602). The limitation of this refinement is that as more copies of the signals are added, the likelihood of interfering with a co-spectral code channel increases. This is so because the delayed copies are delayed relative to the pilot and are therefore necessarily no longer strictly orthogonal to the other code channels.
  • the filtering system further need not know the identification information for the wireless device to attack any given code channel. Even though the Walsh symbols unique to the code channel are pseudo-randomly (1603) inverted by the long code which is in turn derived from the ESN (electronic serial number of the wireless device, the filtering system need not match this pseudo-random inversion but instead allows the pseudo-random inversion performed by the forward channel receiver in the wireless device to act on behalf of the filtering system (1604). (i.e., the wireless device creates its own scrambled interference).
  • the second strategy, shown in FIG 17, is and extension of the first but does not require precise (chip level) knowledge of the waveform timing. Instead it dithers the timing of the waveform across some broad delay spread to force a CRC error as described below.
  • This attack recognizes that it is not necessary to attack the entire waveform but instead attack enough symbols in the right places to force a CRC error in the receiver. In principal it is only necessary to attack a particular symbol set whose members are related by the interleaving process (1701). However, because the timing of the waveform is not known precisely, there is little chance of success in picking a random delay for the symbol set that will line up with the delay as seen at the wireless receiver. Instead the filtering system attacks multiple symbol sets but randomly dithers their delay across some nominal delay spread (e.g., 0 to 5 uS) (1702) with the expectation of lining up on the actual delay and corrupting at least one symbol set within the frame.
  • nominal delay spread e.g., 0 to 5 uS
  • CRC Attack - CDMA transmissions are collected into packets consisting of a data payload and a Cyclic Redundancy Check (CRC) (or in some contexts as a Frame Quality Indicator) appended to the packet.
  • CRC Cyclic Redundancy Check
  • the CRC enables a receiver to detect whether an error occurred in the transmission of the packet. When the receiver detects a CRC error it will discard the packet. If enough packets are discarded, the link can be crippled such that it remains open but intelligible communication is minimized. Increasing the discard packet rate further will ultimately cause one side or the other to terminate the link.
  • CRCs are constructed such that all bits whether in the payload of the packet or the CRC itself are treated equally. This means that it is only necessary to corrupt one or more bits anywhere in the packet to cause a packet error.
  • the filtering system causes bit errors by using the previously described waveform or attacks and limiting transmission times to a small subset of symbols.
  • the transmission times are matched to the interleaving process employed by CDMA.
  • interleaving process employed by CDMA.
  • the interleaving process acts to spread out contiguous errors caused by bursty noise in the post deinterleaved symbol sequences following reception and thereby operates to improve the performance of the convolutional decoding processes (e.g., Viterbi or Turbo decoding algorithms) that follow.
  • FIG 18 illustrates the attack strategy.
  • the filtering system surgically attacks sets of Walsh symbols (1801) that will be contiguous after the de-interleaving process using the previously described attack techniques.
  • the convolutional decoder sees multiple contiguous errors (1802) and selects the wrong decode path causing most of the data to be decoded erroneously (1803) and thus any subsequent CRC fails (1804).
  • receiver subsystem (502) of the filtering system will perform a scan of the environment in the operational area and analyze the relevant beacons.
  • Receiver subsystem (601) sets up the generation subsystem (602) so that it generates a baiting beacon at some signal level on some frequency channel with some pilot PN offset.
  • the baiting beacon's parameters will normally be set to make it a clone of the most conspicuous existing beacon.
  • the baiting beacon will be slightly modified so that it appears to be in a different registration area from that of the beacon the baiting beacon was cloned from. There may also be other parameter settings in the baiting beacon that maximize the conspicuousness of any wireless devices that register on the baiting beacon.
  • the baiting beacon also has some additional feature which enables the filtering system's receiver to recognize the baiting beacon as such.
  • additional feature which enables the filtering system's receiver to recognize the baiting beacon as such. Examples of such features are: • including a special code in a message which the standard requires the beacon to transmit. The special code may be either unexpected or impossible on the networks seen in the operational area; or
  • the receiver After the baiting beacon has been set up, the receiver repeats the scan. This time, it picks up the relevant beacons as well as the baiting beacon. The receiver then computes the timing differences between the baiting beacon and the relevant beacons using any available signal processing techniques for doing so - such as direct or indirect signal cross-correlation and subsequent demodulation.
  • FIG. 19 shows an example of using WideFire® Dragon series test equipment to create a baiting beacon.
  • a description of WideFire Dragon series test equipment could be found in July, 2006 at comh . com/products /products . asp .
  • the baiting beacon is created from a clone of an existing beacon (1901) with a few modifications such changing the registration area (1902) and then set to be on a desired channel (1903) at- a- signal level that is set such that it can only be detected in the operational area (1904).
  • Other parameters can be set to increase the conspicuousness of the registering wireless device. For example, the parameters that specify the duration and signal strength of an access probe from a wireless device to the beacon can be selected to maximize the duration and signal strength (1905).
  • FIG. 20 shows two possibilities for the placement and nature of interfering signals and baiting beacons.
  • the interfering signals can be produced by artificial beacons having a different pilot PN offset from the PN offset of the relevant beacons.
  • This arrangement baits the wireless devices on all of the frequency channels used by the relevant beacons simultaneously (2001).
  • this method is inferior to that proposed in the filtering system because the receiver must monitor all of the back channels associated with the beacons to detect registration attempts. Making a receiver that does this is much more complex and expensive than making a receiver that only modifies the forward channels.
  • the filtering system uses interference signals to force all the wireless devices in the operational area to register on a single baiting beacon operating on a single frequency channel (2002).
  • a preferred location for a beacon in the spectrum is on the lowest unused pilot PN offset on what is the generally the first channel in the particular network that is scanned by the wireless device in the particular network. If the first channel to be scanned is occupied by an existing legitimate beacon then the baiting beacon can transmit at a level such that it acts as both an interferer with regard to the legitimate beacon and a baiting beacon (2003). Operating on the first channel to be scanned minimizes the time the wireless device requires to register with the baiting beacon, but other channels could be used as well.
  • the filtering system will choose to bait on an unused channel so as to eliminate any co-channel interference intrinsic to CDMA and thereby simplify the process of subsequently locating a wireless device that is operating on the unused channel by using techniques such as direction finding, angle of arrival or time difference arrival (2004).
  • the CDMA standard provides for configuring a beacon such that a wireless device that attempts to register with a beacon in the wireless device's registration. . area - signal -is redirected to another beacon for registration.
  • the filtering system provides two baiting beacons - a first baiting beacon for baiting devices in the operational area and a second baiting beacon that operates in a quiescent portion of the spectrum. The first baiting beacon redirects the wireless device to the second baiting beacon.
  • how the baiting beacons are placed is up the user of the filtering system. If the user does not specify the placement, the filtering system provides a default placement for the baiting beacons.
  • PRL preferred roaming list
  • Some scenarios may call for a cloned baiting beacon corresponding to each wireless service provider whose beacons are is detected in the operational area and one or more additional baiting beacons that are designed to be as general as possible to snare wireless devices that are completely foreign to the operational area.
  • This problem is addressed by simply introducing one or more additional baiting beacons that operate on the same frequency channel but have different pilot PN offsets. This minimizes the multiple frequency channel monitoring problem by placing all the beacons on the same frequency channel (2005).
  • Another possibility previously described is to duplex the beacon across the provider sub-bands.
  • interference signals will work to cause a wireless device to reregister with a baiting beacon as long as the interference signals prevent the wireless device from detecting the signal of a relevant beacon.
  • interference signals that will work are simple white noise or a modified CDMA signal that uses illegal code sequences.
  • CDMA signals are, however, inherently resistant to jamming. Because this is so an indiscriminant jamming signal such as white noise centered upon the same frequency and having the same bandwidth as a relevant beacon that is to be suppressed must have a signal strength in the operational area that is on the order of 100 times the signal strength of the relevant beacon in the operational area. The signal strength necessary for indiscriminate jamming is a particular problem when legitimate beacons are operating at high power and in close proximity to the operational area.
  • the filtering system is able to generate interference signals that require no more power to suppress a relevant beacon in an operational area than the power of the relevant beacon's signal in the operational area.
  • the filtering system achieves this by limiting the bandwidth of the interfering signals to that of the relevant beacon and attacking only critical sections of the waveform within the bandwidth (FIG 16 and 17). By limiting the attack to only critical sections of the waveform (FIG 18), the filtering system minimizes the transmit on-time of the interfering signal and thus significantly reduces the average power required to suppress the relevant beacon.
  • Matching the bandwidth and power level of the interfering signals to the bandwidth and power levels of the relevant beacons also hides the interfering signals within the waveform produced by the relevant beacons, making the interfering signals hard to detect.
  • FIG. 21 shows several different examples of the types of interfering signals that may be used by the filtering system to suppress CDMA beacons. Because the filtering system is precisely synchronized to the relevant CDMA beacon it is possible to perform a direct attack on the relevant beacon's pilot signal by proffering an interfering pilot signal with false delays that are either slightly advanced or slightly retarded with respect to the relevant beacon's pilot signal but still close enough to the timing of the relevant beacon's pilot signal for the wireless device to lock onto the false pilot signal rather than onto the relevant beacon's pilot signal (2102, 2103, 2104).
  • the timing from the pilot signal is used by the wireless device to interpret the remaining portions of the signal from the relevant beacon, a wireless device that is locked onto the false pilot signal cannot interpret any of the signal from the relevant beacon.
  • the interfering pilot signal thus forces the wireless device to lose contact with its network, and that in turn forces the wireless device to reregister with the baiting beacon.
  • Another possible attack,- expressed is to " recognize that all CDMA channels (such as the sync channel) use CRCs and are therefore susceptible to the previously described CRC attacks. Symbols in the sync code channel can be directly attacked by generating interfering symbols that are coded to that channel. Another possibility is to indirectly attack symbols using the previously described pilot signal attack. As a result of the attack on the sync code channel, the synchronization required to correctly read the symbol is disturbed and the wireless device reads the symbol incorrectly. Either form of attack causes enough post deconvolution bit errors that the CRC for the checking span to which the packet belongs to indicate that the packet is bad and thereby cause the wireless device to drop or otherwise ignore the packet and any message to which the packet belongs. Again, only a relatively small number of post- interleaved symbols on a reduced subset of frames need be attacked, and the power requirements for the filtering system are correspondingly small.
  • a receiver is paired with each baiting beacon.
  • the receiver looks for registration bursts from wireless devices.
  • these registration bursts are termed access probes (303, 402).
  • Many properties of a wireless device's access probe are controlled by parameters which the wireless device receives from the beacon it is monitoring (205, 301). Every access probe contains information that identifies the wireless device making the access probe.
  • Proper parameter settings in the beacon can force the wireless device to provide identifying information that uniquely identifies the wireless device. Examples of information that uniquely identifies the wireless device are the device's IMSI or ESN.
  • the filtering system uses a two or perhaps three pass process in which the wireless device is forced to reregister itself with a number of baiting beacons, each one having parameters that require the wireless device to return a different part of the information in the access probe to that baiting beacon. More specifically, each baiting beacon broadcasts an access parameters message which indicates the identifiers for the wireless device which that baiting beacon desires to receive from the wireless device. In other embodiments, each wireless device, may be expressly -interrogated as- -it- is detected by the baiting beacon to gain the identification information.
  • the filtering system can use messages from the baiting beacon to a wireless device to cause the wireless device to operate on an otherwise unused channel.
  • the technique of causing the wireless device to operate on the unused channel is termed herding. Herding is shown in FIG. 22. If the herded wireless device is the only wireless device operating on the unused channel, location of the herded wireless device from the signal it broadcasts becomes dramatically easier.
  • a CDMA wireless device can baited as described previously (2201) and then subsequently herded to attempt access on yet another baiting beacon supplied by the filtering system. This is done by having the first baiting beacon provide channel assignment parameters in either the sync message or the neighbor list messages.
  • the interrogating system responds to the access probe with a message on the forward paging channel that indicates that the wireless device is to operate on the herding channel (2203).
  • the first baiting beacon lowers (2204) its power to prevent any additional wireless devices from being baited and redirected to the herding channel.
  • the wireless device is the only wireless device in the herding channel and can be interrogated at leisure by the baiting beacon on the herding channel.
  • the herding beacon can modify the parameters it provides to the herded wireless device so that the herded wireless device can be trapped in a continuous registration mode on the herding channel. In this mode, the wireless device will broadcast continuously without further interaction between the baiting beacon and the wireless device. Where continuous broadcasting by the wireless device is undesirable, the baiting beacon may send paging messages to the herded wireless device to elicit additional transmissions from it. The more transmissions the herded wireless device sends, the easier it is to locate it. Herding can also be used to disable the herded wireless device. To do this, the baiting beacon for the herding channel prevents the herded wireless device from either placing outgoing calls or receiving incoming calls.
  • the baiting beacon for the herding channel can also use a herded wireless device to measure the strengths of the pilot signals from the relevant beacons. This can be done by means of a message from the baiting beacon requesting a pilot strength measurement or by listening for an automatic pilot measurement report message which the CDMA standard requires the wireless device to send to the beacon that the wireless device is monitoring. As will be described in detail below, the pilot strength measurements can be used to locate the wireless device.
  • the filtering system may use data base (507) to determine whether a wireless device is to be disabled. Once it is determined that a wireless device is to be disabled, there are a number of disablement techniques available.
  • One such technique is using maintenance features provided in the CDMA standards can be used by a baiting beacon to disable a wireless device.
  • the CDMA standard provides that when the network detects a malfunctioning wireless device, the beacon being monitored by the wireless device may send a lock until power cycled command which locks the wireless device and thereby disables it until the wireless device is power cycled.
  • Another such technique is to herd the wireless device onto a channel whose baiting beacon does not respond to calls from the wireless device, calls to the wireless device, or both.
  • Another technique is to highjack the phone and feign to the network that the device is powering down using a power down order access probe with an order message indicating that the device is powering down.
  • the filtering system uses the aforementioned waveform attack techniques to provide several levels of filtering ranging from broad suppression to highly surgical targeting of individual wireless devices.
  • the methods are described for each of the filtering modes: blanket denial-of-service, positive filtering, negative filtering, and surgical suppression.
  • the description of each method includes separate descriptions for attacks on the forward and reverse channels, with additional description for interactive attacks such as interrogation and/or disablement.
  • Blanket denial of service takes advantage of the fact that a CDMA wireless device can sense multiple beacons in an operational area. It is strictly left to the discretion of the CDMA wireless device as to which beacon it will choose to monitor at any given moment. It is therefore in general, difficult for the filtering system to predict what beacon a given wireless device will monitor with any certainty - particularly in geometries where a wireless device is more or less equidistant from multiple towers. Because this is so, simply attacking the strongest tower may just cause the wireless device to move to monitor the next best choice. CDMA is further complicated by the fact that it incorporates load balancing features. Several beacons operating on different frequency channels may be co-located on a single tower.
  • the wireless device uses its electronic serial number and a mathematical randomizing algorithm to determine which frequency channel (or beacon thereon) it should work with. This makes it impossible to predict on which beacon any given wireless device will interact if the wireless device's electronic serial number (ESN) is not known in advance—and generally it is not.
  • ESN electronic serial number
  • Pilot Attack This is a direct attack on the pilot signal using a matched interferer (override attack). This prevents the wireless device from detecting or otherwise synchronizing to a beacon.
  • the filtering system using a set of pilot signals having different legitimate pilot PN offsets or operating on the same nominal pilot PN but having a delay spread different from that of the legitimate pilot.
  • the first technique makes it possible to either divert all wireless devices to the proffered pilot signals; the second makes it possible to prevent synchronization to the legitimate pilot, which in turn makes it impossible for the wireless devices to synchronize to the sync channel.
  • the benefit of this approach when considered against a nonspecific attack e.g., plain white noise
  • the filtering system randomizes the delay spread and on-time to make it difficult to detect and/or subsequently locate the source of the interference while further minimizing the required power.
  • This type of attack uses the waveform override strategy shown in FIG 21.
  • the filtering system synchronizes to the beacon sync channel and then randomly targets a sufficient number of symbols to cause a CRC error in the sync channel message (CRC attack).
  • CRC attack CRC error in the sync channel message
  • the interfering signal is expressly modulated synchronous to the sync message such that the interfering bits are only applied during the payload part of the message.
  • This attack is superior to the pilot channel attack with respect to the required power and covertness because the periodicity of the message is such that only a few dozen symbols per second per pilot channel need be corrupted randomly. Specifically it uses the attack methodologies shown in FIGs 15 through 18
  • the process is shown in FIG 23.
  • the filtering system On any given frequency channel on which a legitimate beacon (2301) is operating, the filtering system generates a redirect beacon (2302) that is a clone of the legitimate beacon except that it has a pilot PN offset that is on the neighbor list of the legitimate beacon, at slightly higher signal level.
  • the purpose is to bait a wireless device into monitoring this redirect beacon.
  • the CDMA sync message contains a field that tells the wireless device the channel it should redirect to for paging messages or otherwise use for access. Usually, this field is set to be the same frequency channel that sync channel is operating on (i.e., merely redirects back to itself).
  • the filtering system codes this field in the sync channel message of the redirect beacon (2303) such that it redirects (2304) the phone to yet another trapping beacon that is also generated by the filtering system (2305).
  • the trapping beacon is expressly crafted to trap the wireless device into monitoring it and/or perform an endless series of registration attempts.
  • One particularly effective method is to neglect to transmit one of the required overhead messages on the paging " channel of the trapping beacon - causing the device to wait indefinitely for the required messages before attempting registration.
  • Other methods include but are not limited to: proffering a trapping beacon that baits the devices into registering and then consummating the registration.
  • the trapping beacon is crafted such that it lists no neighbors, hence the wireless device will only monitor the trapping beacon after registration; or redirecting the device to yet another beacon (2306) which will in turn redirect the it back to the first, causing the device to constantly ping-pong between the two (2307).
  • a single redirect beacon can be rotated through each frequency channel.
  • the redirect beacon dwells long enough so to gain the attention of the wireless devices that happen to be monitoring the channel at that time and then moves to the next frequency channel.
  • the redirect beacon power can further be tailored to match the legitimate beacon power on each frequency and thereby further reduce the average power consumption.
  • the frequency channel of the trapping beacon is chosen such that it operates in either a quiescent portion of the spectrum or on a frequency channel whose beacon has the minimum received power in the operational area such that its power consumption is negligible when compared to the redirect beacon.
  • Another important benefit is the ability to carefully limit the operational area by controlling the power levels of both the redirect and trapping beacons. Specifically, adjusting the power of the redirect beacon will dictate the baiting radius. Similarly adjusting the power of the trapping beacon will affect the radius in which wireless devices are trapped.
  • Another novelty is that if the frequency channel and pilot PN offset are carefully chosen such that they are the first in the preset scan list built into the wireless device it often possible to circumvent the necessity of interfering with all of the legitimate beacons and instead introduce only a single trapping beacon and thereby further significantly reduce the required power.
  • Forward channel DoS attacks are generally preferred due to the ability to limit the size of the operational area by controlling the attack signal level and thereby minimize any attendant collateral interference outside of the operational area. They are also preferred because of their insensitivity to tower sectoring (i.e., directional antennas).
  • a wireless device may have a good view of the tower and the filtering system a poor view of the tower. When this is the case, the ability of the filtering system to affect the signal of the wireless device as seen at the tower is reduced or even eliminated.
  • a reverse channel attack may be the only recourse in situations where the geometry is such that operational area is significantly closer to the base station (tower) than to the interfering transmitter. When that is the case, the power required for a forward channel attack makes the attack impractical.
  • Blanket access denial is achieved by preventing any beacon from successfully receiving access probes from any wireless devices.
  • the CDMA standard is predicated on a random access mechanism for gaining the initial attention of the base station. It is expected that access probes from different wireless devices will regularly collide such that both mutually interfere and prevent the base station from recognizing either. To address this, the wireless devices use the previously described pseudo-random transmit timing (FIG 3) to effectively create a random back-off condition.
  • FOG 3 pseudo-random transmit timing
  • the occurrence (not to be confused with timing) of an access probe is impossible to predict (e.g., whenever a wireless device chooses to place a call). Furthermore the selection of which of perhaps several code (access) channels on which the attempt is made is also impossible to predict.' Notwithstanding the impossibility of predicting the occurrence of an access probe, the legal timing boundaries for when a wireless device can choose to transmit are well defined and are synchronized expressly to the network timing provided by the beacon which the wireless device is attempting to access.
  • each access probe is delayed by a pseudo-random amount (referred to in the standard as the PN randomization delay - refer to IS-95B Figure 6.6.3.1,1.1-1, Access Attempt (Part 2 of 2)) across some defined delay spread as chosen unilaterally by the wireless device.
  • the purpose is to minimize access collisions, as the PN codes having different delays are uncorrelated (orthogonal) and hence the beacon can separate and therefore recover multiple simultaneous attempts - presuming that the power of one is not so large that it overwhelms the others.
  • the purpose of power stepping an Access Probe is precisely to limit this overwhelming effect by starting at some small signal power and gradually increasing it until it can be detected by the tower.
  • the unpredictability of the access probe suggests that any attack must at a minimum interfere with the reverse link by generating a signal on all of the access- channel code channels at all prescribed transmission times to ensure that no access probes get through to the base station. Furthermore since the exact phase (i.e., pilot PN offset) of the code sequences used on the access channels is pseudo-random (i.e., unpredictable) across a large span of CDMA chips, it is impractical to apply the surgical techniques described for the forward link.
  • the filtering system addresses the foregoing limitations by exploiting the typical case where the interferer is nearer to the wireless device than the wireless device is to the beacon.
  • Access Probes are structured such that the wireless device generates multiple bursts, each with increasing power until the base station responds (FIG 14 (1406)).
  • the filtering receiver detects the access probe (2401) before the base station (2402), extract the wireless device identifying parameters such as ESN embedded in the burst (2403), clone the identifying parameters (2405), and generate some number of additional bursts (2405) either requesting service or indicating that the wireless device is powering down and thereby confuse the base station and preventing either registration or call setup.
  • Examples of confusing bursts include but are not limited to:
  • Registration bursts (such as when it is detected that a wireless device is attempting a call setup)
  • Order messages - as enumerated in Table 6.7.3-1 of IS-95B such as a release order - indicating that the wireless device is powering down; base station challenge - indicating the base station should identify itself;
  • the technique of FIG. 24 does not directly interfere with the legitimate access probe.
  • the technique also achieves significant power savings because the average duty cycle and therefore the attendant on-time of the interferer is equal to the expected birth rate of new registrations or call setups, which will be less than 10% and typically less than 1% of the time.
  • the technique of FIG. 24 does require that the filtering system monitor the access channels of all of the viable beacons in the operational area. This requirement may be expensive not only from the point of view of cost, but also from the point of view of the size, weight, and power requirements of the filtering systems needed to monitor the access channels.
  • the difficulties caused by the requirement that all access channels be monitored are reduced if the use of the attack is limited to situations where the filtering system is operating in close proximity to a powerful beacon and generates interfering beacon signals (using techniques described for the forward link attack) to suppress all but the beacons on the close tower.
  • the suppression of the other beacons of course forces all of the wireless devices to operate on the close tower.
  • This mode of operation prevents targeted wireless devices from successfully communicating with the network in any manner such as performing registration or receiving pages.
  • the filtering system can interrogate interrogating the wireless device as described in PCT/US2006/30159 and then issuing either a specifically crafted lock order on that device or hijacking the device after interrogation and issuing a release order (of type power down order as described previously for CDMA Reverse Link Denial-of- Service) to fool the network into believing that the wireless device is no longer active. These methods are preferred if it is desirable that not even paging messages get through to the device.
  • the lock order can be paired with an unlock order or similarly the release order can be paired with a registration to selectively enable and disable the wireless device at will.
  • the beacon When a beacon detects of an access probe performing either an origination (in the case of an outgoing call) or an answer to a page (in the case of an incoming call), the beacon will issue a channel assignment message via the paging channel which allocates a traffic channel to the wireless device. Consequently, an attack on , all of the paging channels on which this message could appear would achieve the desired suppression.
  • the filtering system can perform this type of attack but it is not the preferred method due to the potential for it to interfere with any collateral wireless devices that may be attempting network access at the same time - since the timing of the channel assignment of interest is the prerogative of the network and hence impossible to predict precisely.
  • the likelihood of collision is typically small and the attack requires significantly less power than a post call setup attack on the assigned traffic channel. Hence, this method is useful in cases where some risk of collateral interference is acceptable.
  • the reverse channel negative access filter attack is a logical extension of the blanket denial of service.
  • the identification information embedded in the access probe is used in conjunction with data base 507 (2406) to apply the confusion attack of FIG. 24 to wireless devices as indicated by database 507.
  • Positive filtering is likely to consume significantly higher power as it is presumed that unlike negative filtering where a small subset of wireless devices are denied access and thereby the on-time is relatively small, the reverse is true where the transmission is on most of the time so as to permit access to all but a few wireless devices.
  • the filtering system locks all wireless devices not on the positive list or performs a power down hijack of them as they attempt to gain access to the system.
  • Call Filtering Allow or disallow calls to/from specific wireless devices.
  • the filtering system detects either the origination message carried on a reverse channel access probe (in the case of an outgoing call) or on the alert with info message on the forward traffic channel after call setup.
  • the outgoing call is addressed by using the techniques described for negative and positive filtering.
  • the following methods are used after a wireless device has gained access to the network to either cripple communications so as to maintain the link while preventing useful communication across it or to outright sever the link while the call is in progress.
  • the methods prevent or otherwise limit collateral interference with any other calls that may be in progress.
  • CDMA wireless devices necessarily co-utilize the same spectrum.
  • the signals for the various wireless devices are kept separate by the specific modulated code sequences that the network dynamically assigns to the wireless devices when the call is established. While it is possible to end a call by attacking the either forward or reverse link with a broadband signal such as non-specific white noise, such an attack requires a power level that is perhaps 20 to 30 dB (100 to 1000 times) greater than the signal under attack as the spread spectrum techniques employed by CDMA are intrinsically resistant to this type of attack. Furthermore, such a white noise attack can be used only to attack any and all wireless devices that are currently active.
  • the attack which is preferably made by the filtering system is to generate a waveform that is expressly locked to the system timing and the wireless device of interest (i.e., is using the same codes at the same time) and thereby attack only the wireless device of interest without affecting collateral wireless devices.
  • This method of attack further reduces the required power levels by the aforementioned factor of from 100 to 1000 times. It is critical to the preferred attack that the timing, code sequences, and power of the generated waveform be closely controlled. For instance, if the power of the attack waveform is not commensurate with the signal under attack, it will fail to achieve suppression and conversely if it is above a certain level it begins to interfere with other wireless devices.
  • the CDMA standard expressly addresses this problem on the reverse channels (refer to FIG 13 (1302)) by incorporating very strict power control signaling on the forward channel that commands the wireless device to constantly adjust its reverse channel power so as to create a situation where the power from all of the wireless devices as seen at the beacon's receiver is the same notwithstanding that the various wireless devices have widely different propagation losses due to factors such as the distance to the base station.
  • the filtering system may use a directional antenna to focus the power of the interfering signal directly at the wireless device of interest or equivalently limit the amount of power received by collateral wireless devices that are not in the beam.
  • the use of the directional antenna can significantly enhance the performance of the attack (commensurate with the selectivity of the antenna) by providing more grace in adjusting the transmitted power. For example it will be necessary for the user of the filtering system to estimate the propagation loss between the transmitter and the wireless device of interest so as to tailor the transmitted power to be in the proper range described above as seen at the wireless device. Incorporating the directional antenna can provide significantly more "wiggle room" for this estimate. The extra wiggle room is important, as it is often difficult in many environments to predict propagation loss.
  • Control of collateral interference The power can be controlled in the forward channel case so that only devices in the operational area are affected. In the reverse case the user must estimate the power of the signal from the wireless device that is received by the beacon and set the interference accordingly without regard to other devices that are operating off of the beacon and hence it is difficult to limit collateral interference to the operational area.
  • Handoff- Attacking the forward channel prevents the wireless device from receiving a handoff directive as would likely to occur if the attack was on the reverse channel.
  • the filtering system can proffer a pilot that is in phase with the overriding symbol in addition to the overriding symbol, and even in this case it is impossible to predict how the wireless device would react to this if done on a per symbol basis. Furthermore, such a procedure would certainly affect reception by collateral wireless devices that are synchronized to the legitimate pilot.
  • CDMA Code Division Multiple Access
  • CDMA is predicated on detecting and combining multiple paths which appear in the signal as echoes with varying delays. Therefore, in order to affect the receiver within the aforementioned power constraints it is necessary to attack some or all of those paths directly by overriding them at precisely the right time. Since these paths are derived directly from the pilot signal and since the pilot is used by all W
  • This method of attack might have limited utility if the transmitter is in very close proximity to the wireless device as compared to other collateral wireless devices and it therefore becomes possible to proffer the aforementioned associated pilot without creating unintended interference. However since the pilot must be on for the duration of the attack, it is unlikely that there would be any power savings over the direct attack on the traffic channel described previously.
  • the forward channel attack operates within these constraints by generating a signal that uses the same code channel modulation as the channel of interest.
  • FIG 25 shows the preferred method of surgical suppression.
  • the filtering system is provided a list of targets (2501).
  • the filtering system then suppresses all but the serving beacon using previously described methods (2502) ensuring that the wireless device will only gain access to the network via the serving beacon.
  • the filtering system then monitors the paging channels of the serving beacon looking for channel assignment messages (2503).
  • the channel assignment messages identify the wireless device and the code channel to be used by the wireless device in the conversation state.
  • the filtering system then attacks the assigned forward code channel (2504) using either the Direct Waveform or CRC attack described previously and shown in FIGs 15 through 18.
  • the filtering system In order to limit collateral interference, the filtering system must limit the power of the attack.
  • the appropriate power level can be determined by estimating the distance between the filtering system and the wireless device being attacked and using well established physical relationships between signal power level and distance. While this information can be provided by the user, the filtering system can also interrogate the wireless device for measurement reports as described in Patent Application PCT/US2006/30159 so as to determine the position of the wireless device and hence estimate its distance automatically.
  • a further enhancement is to interrogate the wireless device and estimate the distance based on the round trip delay. This can be done because the timing between the wireless device and the baiting beacon acting as a legitimate beacon is precise to within less than 1 uS (approximately 1000 feet - which is within the attack delay spread described for the Direct Waveform attack).
  • Collateral interference is further reduced by employing a directional antenna on the filtering system's transmitter. This not only limits the space in which interference can be expected but also permits less exact distance (and hence power) estimates.
  • GSM Global System for Mobile communications
  • GPRS General Packet Radio Service
  • EDGE EDGE
  • GSM Global System for Mobile communications
  • GPRS Global System for Mobile communications
  • EDGE EDGE
  • GSM Global System for Mobile communications
  • ETSI ETSI
  • the GSM, GPRS, and EDGE standards may be found at http://www.etsi.org. All of these standards are hereby incorporated by reference into the present patent application.
  • GPRS and EDGE are considered to be enhanced modes of the GSM standard and hence it is only necessary to consider GSM with the understanding that wireless devices capable of these modes must necessarily operate as a superset of GSM.
  • GSM signal structuring is shown in FIG 26.
  • GSM When operating in non-traffic mode (e.g., beacon signals) GSM uses the 51-multiframe (2601) described in ETSI 45.002 and incorporated herein by reference.. It consists of a set of 51 GSM frames each lasting 4.6 mS) (2602) and therefore each 51-multiframe repeats approximately 4 times per second. Each frame is subdivided into 8 time slots each lasting 1/8 of the frame (577 uS) (2603).
  • a "burst" consisting of a sequence of Gaussian Minimum Shift Keyed (GMSK) modulated symbols.
  • the structure of the burst is also shown in FIG 26.
  • the center of the burst consists of a few dozen fixed symbols that are denoted as the training sequence (2604) - referred to in the standard as the TSC.
  • the purpose of the TSC is to enable a receiver in the wireless device or beacon to recover the timing of an individual burst within the slot as well as to compute any necessary equalization parameters so as to improve receiver performance in the presence of multipath.
  • the standard provides for 5 types of bursts: Normal, Frequency Correction, Sync, Access and Dummy, Each are described in ETSI 45.002 Section 5.2.
  • a burst from the GSM beacon occupies slot zero of every frame.
  • the first frame is reserved for the FCCH (2605) logical channel, which is nothing more than a tone burst that is designed to be used by the wireless device to align (correct) its frequency tuning with that of the beacon.
  • the second frame (2606) contains the SCH logical channel. It is comprised of a special sync burst that contains several fields that tentatively (but not unambiguously) identify the beacon and a timing code called the frame number that identifies the frame within the 51-multiframe in which this burst is occurring.
  • the purpose of the sync burst (SCH channel) is that it (among other things) enables the wireless device to unambiguously identify the phase of the 51- multiframe.
  • the next four frames carry the broadcast control channel (BCCH) (2607).
  • BCCH broadcast control channel
  • the BCCH carries the system messages that identify the beacon, and its configuration and access parameters.
  • the next four frames following the BCCH is the first common control channel (CCCH) (2608) which also has 4 frames. This is followed by another FCCH/SCH pair in the following frame and this process then repeats with 2 CCCH sets (8 frames) and a FCCH/SCH pair for the remainder of the 51-multiframe (2609).
  • CCCH common control channel
  • Each collection of 4 frames in either the BCCH or CCCH sets is referred to as a "block". Therefore a beacon has 1 BCCH block and 9 CCCH blocks in a 51-multiframe.
  • the CCCH blocks themselves are subdivided into logical paging (PCH) or access grant (AGCH) channels (blocks) depending on what is specified in the system messages broadcast on the BCCH. For example, in some configurations, all 9 CCCHs are reserved for paging and in others, some are reserved for paging and others for access grant.
  • PCH logical paging
  • AGCH access grant
  • the purpose of a PCH is to page a wireless device and the purpose of the AGCH is to assign temporary channels. Their distinction is unimportant to the present context as access grant messages can be designated to be sent on PCHs if the beacon is so configured.
  • the remainder of the 51-multiframe slots will carry other types of signaling at the discretion of the beacon - these can be stand-alone dedicated control channels (SDCCHs) traffic channels (TCHs) or perhaps special GPRS signaling channels.
  • SDCCHs stand-alone dedicated control channels
  • TCHs traffic channels
  • special GPRS signaling channels Typically (but not necessarily) slot 1 (0 based) will carry an SDCCH.
  • SDCCHs also use the 51-multiframe structure (which necessarily coincides with the 51-multiframe phase used in slot 0).
  • the first 32 frames are subdivided into 8 4-frame blocks similar to that described for BCCH and CCCH channels.
  • the remaining frames carry slow- associated-control channels (SACCHs) that are associated with each SDCCH but are not important to the present context.
  • SDCCH running on slot 1 can support 8 subchannels.
  • the purpose of the SDCCH subchannels is to provide a temporary dedicated channel which the wireless device and the beacon can use to interact when performing registration or call setup.
  • SDCCH subchannels are used long enough to complete control signaling with the wireless device.
  • the beacon recycles the subchannel into a pool for use by the next wireless device.
  • Each block on the BCCH, CCCH, or SDCCH channels encapsulates a single message.
  • Each message uses a CRC and hence corrupting a message in any 1 of the 4 frames is sufficient .to cause a CRC failure for that message. It is thus not necessary to attack all of the frames in a block but simply to corrupt one, which may be randomly selected.
  • any forward channel has a paired reverse channel.
  • Slot 0 of the paired reverse channel always carries the Random Access Channel (RACH).
  • RACH Random Access Channel
  • the wireless device Once the wireless device has acquired timing on the forward channel it will generate an access burst on slot 0 of the paired reverse channel to gain the attention of the beacon.
  • a reverse SDCCH that is paired with the forward SDCCH, which in the context of the example above would be on slot 1 of the reverse channel.
  • the structuring of the reverse SDCCH is slightly different from that of the associated forward SDCCH but this distinction is not important in this context. It is only necessary to note that for every forward SDCCH subchannel, there is a paired reverse SDCCH subchannel. The arrangement thus that allows the wireless device and the beacon to signal back and forth in a full duplex manner.
  • FIG 27 summarizes the GSM signaling protocol.
  • a GSM wireless device When a GSM wireless device powers up, it scans a prescribed set of bands looking for beacons. First the wireless device detects the FCCH bursts and corrects its frequency to match that of the beacon (2701). It then detects the sync channel burst and extracts among other things a constantly updating frame number (2702), which unambiguously enables the wireless device to determine on which frame the 51-multiframe starts. It then locates the BCCH block (2703) and begins extracting the system information messages that specifically identify the beacon, what types of wireless devices it will support, what frequency channels other neighboring beacons are operating on, and how to formulate a RACH burst for gaining the attention of the beacon.
  • the wireless device formulates a RACH burst requesting a temporary channel (2704).
  • GSM has safeguards to thwart eavesdropping. Therefore the RACH only indicates the kind of contact the wireless device is attempting to make with the network such as attempting registration, placing an outgoing call or responding to -a page from- the beacon (which is typically indicative of an incoming call to the wireless device). It is important to note that there is also a field in this message indicating whether the wireless device is attempting to make an emergency call.
  • the RACH burst also has a random field called a "random reference" which is returned by the beacon in any subsequent response to the wireless device so that the wireless device knows that the beacon is responding to its request and not that of another wireless device.
  • the beacon will not respond to the RACH and each wireless device will back off a random amount of time and retry an RACH burst.
  • the wireless device After sending the RACH burst, the wireless device waits for a response from the beacon by listening to the PCH or AGCH channels on the beacon (2705). If the beacon responds it will return the aforementioned random reference in an immediate channel assignment message on a PCH or AGCH.
  • the immediate channel assignment message specifies an SDCCH subchannel (more specifically a frequency channel, a time slot and an SDCCH subchannel) on which the beacon will interact with the wireless device.
  • the wireless device upon receiving an immediate channel assignment response from the beacon, moves its transmitter and receiver to the specified SDCCH subchannel (2706) and the wireless device and the beacon begin communicating on this reserved channel for the duration of time it takes to consummate a transaction.
  • FIG 28 shows an abbreviated example of the registration (known in the standards as a location update) signaling that tasks place after the beacon and wireless device move to the SDCCH pair.
  • the wireless device will identify itself to the beacon by offering a message with its TMSI (2801).
  • the purpose of the TMSI is to identify the wireless device without using a permanent identifier such as an IMSI that would allow an eavesdropper to identify the subscriber to whom the wireless device belongs.
  • the beacon knows the identity of the wireless device, it will optionally authenticate the device. Authentication also updates the encryption key. Once that is done, communications between the wireless device and the network are encrypted (2802).
  • the network issues a new TMSI to the wireless device (2803), which completes the location update.
  • the beacon and the wireless device then end the connection (2804).
  • the network knows the location area in which the wireless device is located and can route pages to the wireless device to alert it to incoming calls.
  • the user has a way of identifying the wireless device by TMSI alone.
  • the filtering system can use interrogation techniques like those shown in Patent Application PCT/US2006/30159 to obtain a wireless device's TMSI.
  • the wireless device Once the wireless device is location updated, it will enter an idle mode and monitor the paging channels (PCHs) of the most viable beacon in the wireless device's location area. Other than timed registration dictated by the beacon parameters, the wireless device will not re-register until it roams outside of this location area. At some point, the wireless device will either place or receive a call.
  • the processes are very similar as shown in FIG 29. The most notable difference is that an incoming call is precipitated by a page (2901). However once a page is received or an outgoing call attempted, the signaling process is largely the same even though some of the specific messages will differ. As described for registration, the wireless device will generate a RACH (2902) and receive in response an SDCCH assignment (2903).
  • the wireless device and the beacon will move to the SDCCH subchannel and exchange a set of messages that will perform a call setup (2904) in which the beacon assigns a traffic channel (TCH) pair (forward and reverse) to the wireless device and then both leave the SDCCH subchannel and move to the TCH pair (2905) to start the conversation (thus freeing the SDCCH for signaling with new wireless devices).
  • TCH traffic channel
  • the above messaging will include the phone number of the incoming caller (2906) and in the case of an outgoing call, the messaging will indicate the phone number being called (2907).
  • the wireless device and the beacon will go encrypted immediately after the wireless device identifies itself to the beacon. (2908).
  • the fact that further communications between the wireless device and the beacon are encrypted has several consequences.
  • GSM employs frequency hopping.
  • the encrypted TCH channel assignment message includes not only a time slot number but a hopping channel list along with a hopping sequence number and a mobile allocation index offset number. Combined, this information tells the wireless device how to frequency hop in what is typically a pseudo-random fashion.
  • the filtering system needs to have the encrypted hopping information.
  • LAPDm Link Access Protocol in the D channel, modified
  • LAPD This is a numbered supervisory protocol that determines whether a message was properly received.
  • LAPD is specified in the following governing standards documents ITU-T Q.920 and ITU-T Q.921 incorporated herein by reference.
  • the LAPDm protocol used in GSM is LAPD slightly modified to enhance its performance over radio links where packet dropping is a frequent occurrence.
  • GSM uses LAPDm to ensure that the proper set of messages is has been received in the right order and more importantly, that none are missing. If a recipient is missing a message, it will not acknowledge its receipt to the sender and the sender will continue to send the message until it is acknowledged.
  • the LAPDm inserts its own messages such a supervisory numbering that tell the receiver that for example a message is a repeat.
  • LAPDm enables a certain degree of fluidity between either side of the link because in general not each and every message will be received (including repeats) and therefore expressly acknowledged.
  • the filtering system exploits this feature as described under the following heading GSM Attack Method
  • GSM Global System for Mobile communications
  • CDMA Code Division Multiple Access
  • TSC Attack The TSC is the single weakest point of the GSM waveform. If a sufficient number of symbols in the TSC are corrupted it will be difficult for the receiver to properly synchronize to and therefore recover the burst.
  • FIG 30 shows examples of TSC attacks. The TSC attack is limited to small sections of the waveform and therefore enjoys enormous power savings over conventional nonspecific attacks.
  • the GSM standard provides for up to 8 different "normal" burst TSCs each of which are orthogonal to one another. Having multiple TSCs provides what is known in the art as a "color code" which prevents the beacon from synchronizing to the wrong wireless device such as might happen in a pathological propagation environment (e.g., a wireless device on a mountain top propagating far beyond its expected range) or when the network is poorly planned (e.g., two base stations in close proximity operating on the same frequency channel).
  • a pathological propagation environment e.g., a wireless device on a mountain top propagating far beyond its expected range
  • the network is poorly planned
  • Random TSC Attack In a general attack, the symbols should be corrupted at random (i.e., interference would randomly target only a subset of the symbols so as to minimize that ability of countermeasures to locate the source of interference) (3001).
  • TSC flipping It may only be necessary to corrupt enough symbols at the proper points in the TSC to exceed the Hamming distance between one TSC and another ("flipping") and have the receiver dismiss this corrupted TSC as one that is from an unexpected device (3002). This is the preferred method of attack, as it limits the average transmission on-time and thereby the required power.
  • TSC Delay Attack Corrupting any given TSC in any given burst may prove to be insufficient when attacking a sophisticated receiver such as is might be found in a commercial beacon.
  • a -sophisticated-receiver may use short termed averaging of the timing such that it may "fly-wheel" and use an estimated average timing to recover and/or equalize the burst if the TSC cannot be expressly recovered in a particular burst.
  • the filtering system need only corrupt the TSC in a particular frame within some block carrying some critical message that may only repeat on the order of every second.
  • the duration of a TSC is on the order of 50 uS and presuming that only half the symbols need to be corrupted to ruin the frame, the foregoing suggests that the transmitter needs to be on for as little as 25 uS every second. This reduces the required power by a factor of 40,000 when compared to a non-tailored attack where the transmitter is always on.
  • LAPDm Override This attack capitalizes on the fact that supervisory frames used in the LAPDm protocol used in SDCCH must be sequentially numbered.
  • the filtering system uses a signal override technique to generate a supervisory message at a higher signal strength having a frame number that is completely out of phase.
  • the supervisory message can be generated on either the forward of reverse link.
  • the receiving side of the link will respond when it receives an out of phase supervisory message by immediately dropping the call.
  • This method is extremely economical from a power consumption perspective because it is only on for a single message.
  • the method forces the call to be dropped immediately instead of attacking the signaling at random and waiting for the poor quality indicators detected on either side of the link to cause the beacon or the wireless device to terminate the call. This makes the technique instantaneous and therefore maximally inconspicuous, as it minimizes exposure time.
  • a wireless device sends an early classmark message that is necessarily in the clear.
  • the classmark message essentially specifies the capabilities of the wireless device including the types and levels of encryption the wireless device will support.
  • GSM provides for three modes of the encryption based on the A5 algorithm denoted as A5/0 (no encryption), A5/1 (strong encryption) and A5/2 (weak encryption).
  • This message is precisely timed to occur on the SDCCH immediately after the channel assignment.
  • the filtering system crafts an override message in its entirety but changes the encryption fields to indicate that it only supports A5/0 (no) encryption and transmits this using a higher power signal at precisely the same time as would the wireless device.
  • the network will typically respond by providing the user with an unencrypted channel.
  • the classmark attack can be used prophylactically on all detected call setups in the operational area on encrypted networks. This makes it possible for the filtering system to subsequently detect the phone numbers associated with either incoming or outgoing calls and/or detect the frequency hopping sequence information so that a call can be filtered for access based on the phone number or surgically suppressed post- setup.
  • the foregoing techniques describe a prophylactic approach to the problem of access filtering before a wireless device gains access to the system.
  • wireless devices may be actively transmitting in the operational area before the filtering system is operating or in some cases it may be the policy of the network to not support unencrypted channels.
  • the filtering system deals with these wireless devices by forcing them into either a search or idle mode where they can subsequently be filtered for access.
  • the GSM standard employs a combination of encryption and frequency hopping once a call is in progress. Without knowledge of the frequency hopping list and the encryption key, it is impossible to obtain any information from the call. Further, the identifying information for the call ean only be obtained at call set up time, not when the call is in progress. For these reasons, the surgically targeted waveform attack strategies described above are ineffective.
  • the filtering system attacks the signal in a broad fashion with the understanding that there is likely to be unavoidable collateral interference and that the goal of any method is to limit this collateral interference to the degree possible while at the same time limiting the amount of power required to mount the attack.
  • the most effective strategy is to apply a wideband jamming signal across the entire span of the potential frequency hopping range long enough for the network to drop the call in progress (typically several seconds). While the attack does not know the hopping sequence
  • the method is best understood through a description of signaling on GSM traffic channel (TCH).
  • TCH GSM traffic channel
  • the GSM traffic channel in either direction uses what is known in the standard as the 26-multiframe shown in FIG 31.
  • the TCH operates on the same slot of each frame (meaning that as many as 8 separate wireless devices can be operating within this framing scheme).
  • the middle and last frame of the 26- multiframe are reserved for carrying SACCHs (3101).
  • the information carried on the SACCH depends on the direction.
  • the SACCH contains a list of neighboring beacons that the wireless device should monitor and report on for purposes of effecting smooth handovers.
  • the SACCH is primarily used to report on the signal strength of the neighboring beacons listed in the SACCH on the forward link.
  • the SACCH is also used by either side of the link to determine when a call should be dropped. If a SACCH frame is not detected within some prescribed period of time, it is presumed that the link has been lost and one side or the other will unilaterally terminate the call.
  • the standard also provides for half rate signaling wherein the 26-multiframe is shared by two wireless devices within some slot. However this is a detail not germane to the present context.
  • the fast associated control channel FACCH Operating within the TCH is the fast associated control channel FACCH.
  • the purpose of the FACCH is to exchange messages that need immediate real-time attention (e.g., perform handover or call waiting).
  • the FACCH in either direction works by stealing TCH frames and injecting its own messages. This known in the art as "blank-and-burst".
  • the messages are of sufficiently short duration that they are not noticed in the conversation by either subscriber.
  • the foregoing is complicated by the fact that on each frame the TCH (including SACCH and any FACCH) hops to a different frequency.
  • the frequency hopping is predicated on a list of channels known as the Mobile Allocation (MA) and two parameters known as Mobile Allocation Index Offset (MAIO) and the Hopping Sequence Number (HSN). This information is established during the call setup.
  • the MAIO is broadcast on one of the system messages (System Information 1) in the beacon and hence the call setup directs the wireless device to refer to this list.
  • System Information 1 System Information 1
  • the MA is given directly to wireless device (i.e., obviating System Information 1).
  • the MAIO is essentially where in this list (i.e., on which frequency channel) the hopping should start and therefore ranges from O to MA size - 1.
  • the HSN is a number between O and 63 that dictates which of 64 possible pseudo-random hopping sequences should be employed where any sequence is nominally designed such that the hopping is more or less uniformly distributed across all of the channels in the MA.
  • the standard is such that the maximum hopping span cannot exceed 25 MHz and is typically much smaller (e.g., 7 to 10 MHz), in part because the spectrum is often subdivided among multiple service providers.
  • the primary purpose of frequency hopping is to combat fading, rather than to make interception of a call difficult. Therefore, a service provider will often limit the HSN and MAIO ranges to a few possibilities. This makes it possible to predict within some finite range what the hopping sequence is likely to be. This information can be discovered by using the filtering system to place several live calls to the network to discover MA and the ranges of the. HSN and MAIO for used by a given beacon.
  • a simple method for placing the call is to hijack a existing phone and place an unencrypted call.
  • the filtering system attacks only the TSC with one or more wideband interfering signals that are limited to the portion of the frame occupied by the TSC.
  • the total number of interferers required to produce the interfering signals will be governed by the bandwidth of the individual interferers versus the total bandwidth of the hopping sequence.
  • the number of interferers can be reduced to the degree that something is known about the hopping sequence - ranging from a single interferer with a 200 kHz bandwidth hopping in synchrony with wireless device to as many as are required to blanket the entire 25 MHz maximum hopping span.
  • An interferer block can then itself be heterodyned across the maximum 25 MHz spectrum at will, as is demonstrable in existing embodiments implemented using a device such as the ComHouse Wireless NST.
  • the Wireless NST is capable of perhaps doubling the coverage of interference blocks by attacking the first half of a TSC on one set of hopping channels and then retuning to attack the second half of the TSC in another set of hopping channels (3206). In fact, the interference with the TSC can be subdivided in this fashion until the interference loses its effect.
  • a focused attack on SACCH frames is the preferred method, as this will require the minimum power and while be maximally inconspicuous.
  • either side of the link must receive viable SACCH messages in order to keep the link open. If either side goes for some defined period (possibly 10 seconds or more) without receiving a legitimate SACCH message, that side will end the call.
  • the forward channel SACCH attack is preferred, as this will limit collateral interference to the operational area.
  • the SACCH messages include at least 4 frames and therefore it is only necessary to attack one of 4 at random (i.e., one SACCH frame every 4 26-multiframes). Ending a Call (time critical) - If ending a call is time critical, then it is necessary to attack as many frames as possible. In general all frames across the entire known hopping set should be attacked. However, voice and all other messages that may be interspersed on the FACCH use CRC coding. Therefore it is not necessary in general to attack all frames (i.e., cover the entire spectrum simultaneously) but merely enough of them to cause enough CRC failures to force either side to drop the call. In this case it may be possible to dither a smaller number of interferer blocks across the known span of the frequency hopping set. This conserves both power and resource cost.
  • Crippling is a logical extension of the performing a time critical call end.
  • the frame attack rate is set so that the call remains viable but the information that it carries has become mostly unintelligible. Indeed this attack avoids the SACCH so as to give the link the appearance of viability.
  • the likely response to a poor channel is an attempt by the network to try another channel. However, this response will not succeed because the network will only allocate another channel set and/or slot, and the filtering system simply detects the allocation and moves to cover the new slot.
  • Handover The first reaction of a beacon to the poor signal- quality resulting from the attack is to move the wireless device to another channel before dropping the call because of the poor signal quality. Therefore any strategy for performing suppression (surgical or otherwise) must deal with any attempt by the beacon to move the wireless device.
  • the filtering system addresses this by ensuring that enough frames are corrupted to keep the handover messages carried in the interspersed FACCH signaling from getting through.
  • the methods described for CDMA are applicable to the GSM. With respect to baiting, all of the relevant beacons are suppressed and a lower level baiting beacon is proffered.
  • the technique has all of the same benefits as it has CDMA (i.e., minimization of power through surgical attack and minimization of collateral interference).
  • the most important differences between the methods used with GSM and those used with CDMA are the parameters that must be set in the baiting beacon and the specific techniques used in beacon suppression.
  • the filtering system will generate baiting beacons for an operational area by automatically cloning the relevant beacons in the operational area, but will also permit the user to edit the parameters which the baiting beacons provide to the wireless devices.
  • the user may also specify the form of the interfering signal. For example, the user may specify the number of times the interfering signal will be transmitting per frame as well as the periodicity of the transmission.
  • An example is shown in FIG 33 using WideFire Technology. Like the example presented in FIG. 19 for CDMA, this example shows parameter settings for a GSM baiting beacon (3301 and 3302) which maximize the conspicuousness of any subsequent registration attempt by a wireless device.
  • FIG. 34 shows the interrogation process for GSM wireless devices.
  • a receiver is paired with the baiting beacon.
  • the receiver looks for channel request bursts.
  • the GSM standard terms the request bursts random access channel bursts (RACH) (3401).
  • RACH random access channel bursts
  • the wireless device transmits the RACH burst to request a temporary dedicated control channel from the beacon. Parameters passed on the control channel will determine the subsequent interaction between the wireless device and the beacon.
  • the form of the RACH to which a particular beacon responds is controlled by parameter settings in the beacon.
  • the RACH further contains a transaction type field that indicates the kind of transaction which the wireless device wishes to perform with the beacon.
  • the transaction types include location update; answer to a page; call origination; and emergency call.
  • the receiver paired with the baiting beacon must detect the RACH burst. Then the baiting beacon must respond to the RACH by assigning the wireless device a temporary dedicated control channel (3402). The wireless device will then use the control channel to provide identification information to the receiver. If the wireless device is performing a registration, otherwise known in the standard as a location update, it will generate a RACH burst in which the transaction type field indicates that the wireless device wishes to register with the beacon. After the subsequent allocation of a temporary channel by the baiting beacon, the wireless device will then burst a location update request (3403) in which is embedded either the wireless device's TMSI or its IMSI.
  • the wireless device will attempt a location update using its TMSI.
  • the standard provides for the case where the TMSI currently assigned to a wireless device is not in the system data base of the service provider with which it is attempting to gain access. In this case, the TMSI is unrecognized by the system and hence the location update is ignored. The wireless device will subsequently retry access using its IMSI (3404). In the filtering system, the baiting beacon ignores all TMSI based attempts at location update, forcing the wireless to retry using its IMSI. This in turn makes it possible to pair the device's TMSI with its IMSI.
  • the standard also provides for expressly interrogating the wireless device using an identity request message. In the identity request message, the wireless device is queried for its IMSI, TMSI, IMEI or IMEISV (3405).
  • Forcing the wireless device to produce its IMSI in addition to its TMSI also makes it possible to uniquely identify the device to friend or foe data base (507).
  • the TMSI is ephemeral and is consequently not used to identify the wireless device in data base (507).
  • a baiting beacon can retrieve the MIN for a wireless device whose TMSI or IMSI is known by "hijacking" the wireless device. This is shown in FIG. 35.
  • the baiting beacon uses the wireless device's TMSI or IMSI to place an outgoing call to a telephone number prescribed by the filtering system (3501).
  • the filtering system uses the wireless network's caller ID function to determine the MIN of the wireless device (3502).
  • the hijacking works because of two characteristics of a GSM network: • the GSM network typically only authenticates a wireless device during location update.
  • the GSM network permits a device in the network to request an unencrypted channel.
  • the baiting beacon can use an unencrypted channel (3501) to make the call to the telephone number belonging to the filtering system.
  • the telephone number may be that of another phone that is available to the filtering system or the filtering system may be outfitted with a GSM subscriber identity module (SIM) that is behaving like a legitimate phone and is registered with the network to receive incoming calls.
  • SIM GSM subscriber identity module
  • the SIM allows the filtering system to behave as a legitimate wireless device in the GSM network.
  • the filtering system can accept the call that it made for the wireless device. Having accepted the call, the filtering system can extract the caller ID information for the wireless device from the call.
  • the filtering system may also herd a wireless device to an unused channel.
  • the use of temporary dedicated control channels makes it possible to force wireless devices to operate on any specified channel and time slot therein.
  • FIG. 36 demonstrates the process.
  • the baiting beacon pages the wireless device that is to be herded, using either the TMSI or IMSI.
  • the filtering system responds to the RACH by providing a channel assignment response that specifies the herding channel (3601).
  • the herded wireless device will remain on the herding channel as long as it receives SACCH frames indicating that the herded wireless device is still connected to the network (3602).
  • the filtering system can herd as many wireless devices simultaneously as it has baiting beacons and separate frequency channels.
  • a filtering system with 8 baiting beacons capable of operating on 8 separate frequency channels can herd up to 63 phones simultaneously if each beacon uses all 8 slots within all 8 channels (64 less 1 to account for beacon generation).
  • FIG. 37 demonstrates a different methodology.
  • a GSM beacon responds to a location update from a wireless device, it provides the wireless device with a new TMSI and a new cipher key.
  • the baiting beacon foregoes the TMSI reallocatidn that is normally part of the location update process.
  • the TMSI for the wireless device and the wireless device's cipher key are now effectively out of phase (3701).
  • the network will generally not re-authenticate the wireless device. Instead, the network will presume that because the wireless device's TMSI has not changed, the wireless device is still using the cipher key that it received with the TMSI. Because the cipher key the wireless device is using does not match its TMSI, the wireless device will not be able to complete the cipher mode sequence in the call setup (FIG 29 (2908)). The network responds to the failure to get past the cipher mode sequence by dropping the call. The same thing happens when an attempt is made to call the wireless device. The wireless device is consequently effectively cut off from the network.
  • the wireless device will remain cut off from the network until such time as the network chooses to re-authenticate the wireless device.
  • the TMSI and the cipher key will again be in phase.
  • the period of time during which the TMSI and the cipher key are out of phase depends on the interval between re-authentications which is specified in the network configuration. Typical intervals range from 10 minutes to an hour. If sustained denial of service is desired, the filtering system can again put the TMSI and the cipher key out of phase each time the network re-authenticates.
  • the wireless device can be restored to the network at any time by putting the TMSI and the cipher key back in phase. This can be done by re-interrogating the wireless device with the random challenge that was used for the legitimate authentication, as this will restore the original key state and therefore put the cipher key back in phase with the currently established TMSI (3702).
  • Another important feature of this technique is that the user does not know that the wireless device is cut off from the network.
  • the UMTS standard is the next generation successor to the GSM standard.
  • the UMTS standard has introduced safeguards that are expressly designed to thwart baiting beacons that exploit shortcomings in the earlier GSM design. Among the safeguards is that the UMTS beacon must correctly authenticate itself to the wireless device. If the beacon fails to authenticate correctly, the wireless device will mark the beacon as suspect and thereafter refrain from interacting with it. In order to distinguish between situations in which authentication fails because the beacon cannot respond, for example, because the call is dropped and situations in which the beacon does respond but does not do so correctly, the wireless device marks the beacon as suspect only if it has received a response from the beacon that is correct as to form but not as to content. The response is correct if beacon has presented fully formed valid messages having valid CRCs.
  • the interaction between a wireless device to which the UMTS beacon must authenticate itself and the beacon begins when the UMTS beacon receives either the TMSI or the IMSI of the wireless device. Consequently, the requirement that a UMTS beacon authenticate itself to the wireless device does not prevent discovery of both the TMSI and the IMSI of the wireless device.
  • One way of doing this is the "ignore TMSI" method described above for GSM.
  • Another way of doing this is to suppress all UMTS beacons using the techniques described for CDMA and then provided a GSM baiting beacon. This forces the wireless device to fall back to GSM and the "ignore TMSI" or conventional interrogation methods are again available..
  • the filtering system further takes advantage of UMTS' requirement that the beacon authenticate itself to the wireless device to disable individual or entire classes of wireless devices.
  • the method is shown in FIG. 38.
  • the interrogator suppresses all but one of the legitimate beacons using any of the previously described techniques for CDMA (3801) and overrides the remaining beacon (3802). This ensures that the wireless device will be listening on that beacon (3803).
  • the wireless device is then paged (3804) using either the TMSI or IMSI that was presumably derived using the interrogation methodology previously described. This is possible because paging messages in UMTS are not subject to integrity checking.
  • the wireless device responds with a RACH for a channel and interrogator obliges (3805, 3806).
  • the wireless device offers either its TMSI or IMSI (3807) and the baiting beacon attempts authentication in a fashion which is guaranteed to fail (3808). In response to the failure of the authentication, the wireless device marks that beacon as no longer viable (3809) and ignores the beacon from that point on. This process is repeated for all of the UMTS beacons that are detected in the operational area (3810). The wireless device is now ignoring all of the UMTS beacons in the operational area and has thereby disabled itself.
  • the filtering system can use waveform attack techniques just described to provide levels of filtering ranging from broad suppression to highly surgical targeting of individual wireless devices.
  • the methods are described for each of the filtering modes: blanket denial-of-service; positive/negative filtering; or surgical suppression.
  • blanket denial-of-service positive/negative filtering
  • surgical suppression surgical suppression.
  • Within each is a separate description for attacks on the forward and then reverse channels (where applicable) with additional description for interactive attacks such as interrogation and/or disablement.
  • GSM Blanket Denial of Service A GSM wireless device will sense multiple beacons in some operational area. Which beacon a GSM wireless will monitor at any given moment is left strictly to the discretion of the GSM wireless device. It is therefore in general, difficult for the filtering system to predict which beacon the wireless device will monitor with any certainty - particularly in geometries where a wireless device is more or less equidistant to multiple towers. Simply attacking the strongest beacon may thus just cause the wireless device to move to monitor the next best choice.
  • Neighbor beacon The simplest method to deny access is to clone an existing beacon that is a neighbor of the strongest beacon in the operational area but is not detectable in the operational area and then having the cloned beacon generate a signal that is stronger than the signal generated by the strongest beacon in the operational area. All wireless devices in the operational area should then begin monitoring the cloned beacon. However this is not a preferred method because of the required power consumption and because there is no guarantee that all of the wireless devices will necessarily move to monitor the cloned beacon. While this technique permits filtering of incoming calls, when a wireless device attempts to make an outgoing call and receives no response from the cloned beacon, the wireless device may attempt to use another beacon.
  • BCCH Attack This attack randomly corrupts one of the frames within a message block belonging to any of the compulsory system messages broadcast on the broadcast control channel (BCCH) - refer to FIG 27 (2707) using previously described TSC attacks (FIG 30).
  • the GSM standard requires that System Information messages type 2, 3 and 4 be present in all beacons (ETSI 44.018). Failure to detect any of these messages will preclude the use of the beacon for access by the wireless device.
  • ETSI 44.018 System Information messages type 2, 3 and 4 be present in all beacons
  • the wireless device will be insensitive to this type of attack. Therefore the filtering system refines this attack by preceding it with a blinding signal lasting several seconds that will force the wireless device to lose synchronization.
  • the filtering system will then resume the surgical BCCH attack with the effect that all wireless devices in the operational area will not be able to resynchronize to the legitimate beacon(s).
  • the filtering system must provide the blinding simultaneously for every beacon that is detectable in the operational area to completely cut off the wireless device. Blinding one beacon will simply cause the wireless device to move to monitoring another beacon from which it will be able to receive incoming pages.
  • Paging/ Access Grant Channels Attack This method randomly corrupts one of the frames within the message block of all the paging and access channels operating within the 51 multi-frame (FIG 27 (2707)) using previously described TSC attacks (FIG 30). This prevents the wireless device from receiving either immediate channel assignments or pages from the network.
  • This method is inferior to the BCCH attack from an average power consumption perspective, as the transmit duty cycle is significantly increased (by a factor of 9) but the method can be used in cases where the BCCH attack is not viable.
  • all beacons in the operational area must be attacked simultaneously for the reasons cited in the BCCH attack. However this attack is useful in cases where there is a single dominant beacon, as the wireless devices will necessarily stay camped on this beacon even though the paging messages from the beacon are being attacked. This is because the remainder of the beacon remains unmolested by the attack and the wireless device therefore has no reason to consider alternative beacons.
  • SDCCH Attack This attack is directed to any SDCCH channel when the channel is allocated for access.
  • this technique has a relatively high power consumption, first because the interfering transmitter will constantly be active on any reasonably loaded system and second because the receiver associated with the interfering transmitter must constantly monitor the reverse channels looking for access attempts.
  • This technique may, however, be viable on beacons that have a relative low density of wireless devices.
  • one of four frames in each block of the SDCCH subchannel (FIG 27 (2707)) on which the wireless device is active is suppressed using previously described TSC attacks (FIG 30)
  • Herding - The wireless devices can be herded to a false beacon and thereby in effect disabled using the interrogation techniques described previously. However this is not the preferred method from a power consumption perspective, due to the requirements of generating multiple interferers while sustaining a baiting beacon.
  • Post Call Set Up Attack - GSM poses a special problem when wireless devices may already be actively operating using frequency hopping in the operational area. This is a particularly acute problem in situations where the operational area is mobile and consequently passes by wireless devices that are active.
  • the filtering system refines the wideband attack described previously under Ending a Call (time critical) by marrying it to receivers that scan the reverse hopping channels specified in either the Cell or Mobile allocation lists extracted from either the System Info messages or those that have been obtained using the previously described techniques for calling the tower and retrieving the list.
  • Forward channel attacks are generally preferred because the operational area and any attendant collateral interference may be limited.
  • reverse channel attacks have a significant disadvantage with respect to power consumption as the attack work on wireless devices that are far closer to the tower than the interfering transmitter. Because this is so, the interfering transmitter must always transmit using the worst case power levels. The high power levels of course make the transmitters highly conspicuous and also result in extensive collateral interference.
  • Reverse channel attacks may, however, be the only recourse in situations where the geometry is such that wireless device(s) of interest is(are) significantly closer to the base station than to the interfering transmitter. This is, however, likely to be the case for only a very small fraction of the wireless devices of interest.
  • the preferred method is to use the SDCCH attack as described for the forward channels but instead operating on the reverse link,
  • a random access channel (RACH) attack may also be used to prevent any devices in the operational area from gaining the attention of the beacon and being allocated an SDCCH channel in the first place.
  • RACH random access channel
  • the GSM standard has a key vulnerability that can be exploited to both positively and negatively filter access by particular wireless devices.
  • Embedded in any request for service with be the wireless device identifying information (nominally TMSI but often IMSI). It is also important to note that the request for service can never be encrypted because the identifying information upon which encryption is based has not yet been made known to the beacon (i.e., the network). Therefore it is a simple matter for the filtering system's receiver to detect the identifying information embedded in the service request and to determine from the friend-foe database whether the associated wireless device should be allowed access. Methods for discovering the TMSI and IMSI of a wireless device have been described previously under interrogation techniques.
  • the filtering system attacks the dedicated control channel (SDCCH) assigned to the wireless device, using the previously described TSC attacks, subsequent to detection of the identifying information and hence prevents the control signaling from consummating either an incoming or outgoing call.
  • SDCCH dedicated control channel
  • TSC attacks subsequent to detection of the identifying information and hence prevents the control signaling from consummating either an incoming or outgoing call.
  • wireless devices not on the approved list are attacked as just described. Since a unique control channel is allocated to a single wireless device (FIG 27) the effect of surgical access on a subscriber or even a wireless device basis is thereby achieved.
  • the issues of how quick the response time must be and how long it must be sustained In the former case the minimum worst case response time will be on the order of less than a second.
  • the filtering system sustains the attack long enough to ensure that one or the other side of the link gives up .
  • the wireless device or beacon may make repeated attempts to gain access or respond, so the attack must be sustained longer than the minimum timeout of either side of the link as established by the standard (ETSI 44.006). Conversely the attack cannot be sustained longer than chamiel reuse period. If it is, the channel under attack may be reallocated by the beacon to yet another wireless device and continued interference with the channel would result in collateral interference
  • the filtering system uses the minimum timeout periods to determine the duration of the attack. This is supported by the fact that there are at least 4 and typically 8 control channels in the control channel pool and these are typically, if not necessarily, allocated in sequence. Therefore the attack must end before the beacon loops around and attempts to reuse the control channel.
  • the filtering system can thus use the beacon/system configurations to determine the duration of the attack.
  • the first refinement takes advantage of the fast response time described above and overrides the beacon signal with a higher powered signal that transmits the channel release message directing the wireless device to release the channel.
  • the above described methods can also be refined by making use of the LAPDm protocol employed on the SDCCH signaling.
  • the network can be forced to drop the call by replying using a supervisory frame on the reverse channel with frame numbering that is out of phase. This will force the network to drop the control link via a channel release (in essence hijacking the network to act on behalf of the filtering system). This is a particularly effective technique when the geometry is such that the filtering system is located closer to the beacon than is the wireless device.
  • the filtering system also surgically filters emergency calls by detecting the emergency settings in the initial RACH channel request and allowing the associated control signaling to proceed regardless of the wireless device. Specifically, the filtering system recovers the random reference information in all RACH channel request and matches it to the subsequent the immediate channel assignment that echoes the random reference and thereafter refrains from interfering with the associated SDCCH signaling that follows.
  • beacon timing used in the GSM system is highly stable. Therefore it is not necessary in many cases to leave the receiver on constantly. Instead in cases where the receiver does not need to actively intercept signaling it makes use of a timing receiver (e.g., GPS) having significantly lower power consumption to flywheel the timing so that filtering system need only be resynchronized to a beacon infrequently (e.g., perhaps every hour or possibly even once a day).
  • a timing receiver e.g., GPS
  • Call Filtering -GSM encrypts the sensitive information in a call, including the identification of incoming or outgoing calls.
  • the following discussion presumes that the encryption key is available or encryption can be defeated as described previously and therefore contemplates detecting the post-encrypted information that identifies either the incoming or outgoing phone number (e.g., included in the setup or other messages) and ending the control signaling (e.g., attack the SDCCH) before the traffic channel assignment can be completed - refer to "Call Setup" in FIG 29. Selection of whether the attack is on the forward or reverse link is expected to be a function of the positions of the wireless device and the transmitter relative to each other and the beacon the wireless device is monitoring. Since the post encrypted information also contains the frequency hopping sequence information, the filtering system attacks the traffic channel as described below under the heading of Surgical Traffic Suppression, post call setup
  • Surgical Traffic Suppression - Surgical traffic suppression cripples communications between the wireless device and the beacon or severs the link between the wireless device and the beacon after the wireless device has already gained access to the network.
  • the filtering system does this by using a signal generator that is precisely timed to the network and possibly supplemented by directional antennas to surgically either hamper communication using the TSC attack methodologies previously described and thereby prolong it or to outright sever communications after either a prescribed amount of time or upon an event determined by the operator.
  • the filtering system has access to the encryption key or the key can otherwise be derived as for example described in Patent Application PCT/US2006/30159 or defeated as described herein. In this case it is simply a matter of hopping synchronously to the wireless device under consideration and performing " the aforementioned GSM surgical waveform attacks. More specifically it requires one interferer block with a total number of channels (N) therein equal to 1 as shown in FIG 32 (3206).
  • Whether a link is crippled or severed is controlled by the frame rate corruption.
  • a modest frame rate corruption e.g., 10%
  • the preferred method of corruption is to employ the previously described TSC attacks.
  • the CRC attack may be used to attack the data in the burst payload instead of the TSC. In this fashion it gives the appearance that link is open, as evidenced by the good TSC quality, even though the payload data bits have been corrupted. This forces forcing the receiver to discard enough vocoded voice packets to render the link unintelligible.
  • the attack employs direct interference (random data bits using GMSK modulation) on non-TSC bits.
  • a further refinement is to attack non-protected bits used in the voice encoding process. This is made possible by the fact that these bits are placed at regular locations in the transmitted data. Therefore attacking non-protected bits further fosters the illusion that the link is viable while still corrupting intelligibility.
  • the interference signals can be used to suppress the beacons in an operational area or to interfere with communications between a beacon and a wireless device on either the forward or reverse channels.
  • the interference may include inducing errors in individual symbols of a communication or even changing the values of individual symbols.
  • the baiting beacons can be used to obtain identification information from wireless devices, to disable wireless devices, to perform operations in the wireless communication system for the wireless devices, to locate wireless devices, and to herd wireless devices to specified channels in any present or future digital wireless communication system.
  • the filtering system itself may be implemented using any hardware or software technology which is able to generate interference signals which obey the timing constraints required for the techniques and have the power required to override a beacon or a portion of a communication between a beacon and a wireless device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne des techniques permettant de brouiller des communications sans fil standard entre une balise et un dispositif sans fil. Ces techniques permettent de déterminer une caractéristique requise par les normes pour un signal produit au cours de la communication. Un signal d'interférence est alors généré, spécifiquement adapté à la caractéristique et brouillant la caractéristique de manière que le dispositif sans fil et la balise ne puissent pas interagir conformément aux normes de communication sans fil. Lesdites techniques peuvent être utilisées pour supprimer les balises sans fil légitimes dans une zone opérationnelle, pour établir une balise leurre dans la zone opérationnelle, ou pour brouiller les communications entre un disposiitf sans fil et une balise leurre ou une autre balise. Le signal d'interférence est spécifiquement adapté à la caractéristique de manière à réduire significativement la quantité de puissance requise pour le signal d'interférence et la présence du signal d'interférence.
PCT/US2006/033738 2005-08-02 2006-08-29 Procedes d'identification, de suppression, de desactivation et de filtrage d'acces a distance de dispositifs sans fil d'interet a l'aide de recepteurs de temporisation et d'interception des signaux permettant de reduire la puissance, de minimiser la detection, et de minimiser les interferences collaterales WO2007027699A2 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US12/065,225 US20090311963A1 (en) 2005-08-02 2006-08-29 Methods of Remotely Identifying, Suppressing, Disabling and Access Filtering Wireless Devices of Interest Using Signal Timing and Intercept Receivers to Effect Power Reduction, Minimization of Detection, and Minimization of Collateral Interfernce.
PCT/US2007/063493 WO2007106694A2 (fr) 2006-03-07 2007-03-07 Procédés pour supprimer des menaces de dispositifs sans fil gsm dans des environnements dynamiques ou statiques étendus avec une puissance consommée et des interférences collatérales minimales
US13/424,153 US8606171B2 (en) 2005-08-02 2012-03-19 Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power consumption and collateral interference

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US71270405P 2005-08-29 2005-08-29
US60/712,704 2005-08-29
US71713105P 2005-09-14 2005-09-14
US60/717,131 2005-09-14
USPCT/US2006/30159 2006-08-01
PCT/US2006/030159 WO2007016641A2 (fr) 2005-08-02 2006-08-01 Procedes d'identification, de suppression et/ou d'inactivation a distance de dispositifs sans fil particuliers

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
PCT/US2006/030159 Continuation-In-Part WO2007016641A2 (fr) 2005-08-02 2006-08-01 Procedes d'identification, de suppression et/ou d'inactivation a distance de dispositifs sans fil particuliers
PCT/US2007/063493 Continuation-In-Part WO2007106694A2 (fr) 2005-08-02 2007-03-07 Procédés pour supprimer des menaces de dispositifs sans fil gsm dans des environnements dynamiques ou statiques étendus avec une puissance consommée et des interférences collatérales minimales

Related Child Applications (4)

Application Number Title Priority Date Filing Date
PCT/US2006/030159 Continuation-In-Part WO2007016641A2 (fr) 2005-08-02 2006-08-01 Procedes d'identification, de suppression et/ou d'inactivation a distance de dispositifs sans fil particuliers
US12/280,716 Continuation-In-Part US8140001B2 (en) 2006-03-07 2007-03-07 Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power and collateral interference
PCT/US2007/063493 Continuation-In-Part WO2007106694A2 (fr) 2005-08-02 2007-03-07 Procédés pour supprimer des menaces de dispositifs sans fil gsm dans des environnements dynamiques ou statiques étendus avec une puissance consommée et des interférences collatérales minimales
US28071609A Continuation-In-Part 2005-08-02 2009-01-08

Publications (2)

Publication Number Publication Date
WO2007027699A2 true WO2007027699A2 (fr) 2007-03-08
WO2007027699A3 WO2007027699A3 (fr) 2007-07-05

Family

ID=37809438

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/033738 WO2007027699A2 (fr) 2005-08-02 2006-08-29 Procedes d'identification, de suppression, de desactivation et de filtrage d'acces a distance de dispositifs sans fil d'interet a l'aide de recepteurs de temporisation et d'interception des signaux permettant de reduire la puissance, de minimiser la detection, et de minimiser les interferences collaterales

Country Status (1)

Country Link
WO (1) WO2007027699A2 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8140001B2 (en) 2006-03-07 2012-03-20 L-3 Communications Corporation Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power and collateral interference
US8477727B2 (en) 2009-07-29 2013-07-02 L-3 Communications Corporation Methods for surreptitious manipulation of CDMA 2000 wireless devices
US8526395B2 (en) 2009-09-04 2013-09-03 L-3 Communications Corporation Using code channel overrides to suppress CDMA wireless devices
US8588853B2 (en) 2010-10-25 2013-11-19 Raytheon Applied Signal Technology, Inc. Femtocell configuration
US8606322B2 (en) 2010-10-25 2013-12-10 Raytheon Applied Signal Technology, Inc. Portable cellular base station configuration
WO2014041225A1 (fr) * 2012-09-13 2014-03-20 Universidad Carlos Iii De Madrid Procédé et dispositif pour bloquer les signaux de téléphonie mobile
US8755770B2 (en) 2006-08-01 2014-06-17 L-3 Communications Corporation Methods for identifying wireless devices connected to potentially threatening devices
US8767595B2 (en) 2005-08-02 2014-07-01 L-3 Communications Corporation Enhanced methods of cellular environment detection when interoperating with timed interfers
US9398602B2 (en) 2010-09-22 2016-07-19 Qualcomm Incorporated Multi-radio coexistence
WO2018046958A1 (fr) * 2016-09-09 2018-03-15 Cellxion Limited Système et procédé de restriction d'accès à un réseau de communication mobile

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050058117A1 (en) * 2003-07-29 2005-03-17 Sony Corporation Wireless communication system, wireless communication apparatus, wireless communication method and computer program

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050058117A1 (en) * 2003-07-29 2005-03-17 Sony Corporation Wireless communication system, wireless communication apparatus, wireless communication method and computer program

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8767595B2 (en) 2005-08-02 2014-07-01 L-3 Communications Corporation Enhanced methods of cellular environment detection when interoperating with timed interfers
US8606171B2 (en) 2005-08-02 2013-12-10 L-3 Communications Corporation Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power consumption and collateral interference
US8140001B2 (en) 2006-03-07 2012-03-20 L-3 Communications Corporation Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power and collateral interference
US8755770B2 (en) 2006-08-01 2014-06-17 L-3 Communications Corporation Methods for identifying wireless devices connected to potentially threatening devices
US8477727B2 (en) 2009-07-29 2013-07-02 L-3 Communications Corporation Methods for surreptitious manipulation of CDMA 2000 wireless devices
US8526395B2 (en) 2009-09-04 2013-09-03 L-3 Communications Corporation Using code channel overrides to suppress CDMA wireless devices
US9832785B2 (en) 2010-09-22 2017-11-28 Qualcomm Incorporated Multi-radio coexistence
US9398602B2 (en) 2010-09-22 2016-07-19 Qualcomm Incorporated Multi-radio coexistence
US8588853B2 (en) 2010-10-25 2013-11-19 Raytheon Applied Signal Technology, Inc. Femtocell configuration
US8606322B2 (en) 2010-10-25 2013-12-10 Raytheon Applied Signal Technology, Inc. Portable cellular base station configuration
WO2014041225A1 (fr) * 2012-09-13 2014-03-20 Universidad Carlos Iii De Madrid Procédé et dispositif pour bloquer les signaux de téléphonie mobile
WO2018046958A1 (fr) * 2016-09-09 2018-03-15 Cellxion Limited Système et procédé de restriction d'accès à un réseau de communication mobile
GB2569068A (en) * 2016-09-09 2019-06-05 CellXion Ltd System and method for restricting access to a mobile communications network
US10904822B2 (en) 2016-09-09 2021-01-26 Cellxion Limited System and method for restricting access to a mobile communications network
US11523327B2 (en) 2016-09-09 2022-12-06 Cellxion Limited System and method for restricting access to a mobile communications network

Also Published As

Publication number Publication date
WO2007027699A3 (fr) 2007-07-05

Similar Documents

Publication Publication Date Title
US20090311963A1 (en) Methods of Remotely Identifying, Suppressing, Disabling and Access Filtering Wireless Devices of Interest Using Signal Timing and Intercept Receivers to Effect Power Reduction, Minimization of Detection, and Minimization of Collateral Interfernce.
US8526395B2 (en) Using code channel overrides to suppress CDMA wireless devices
US8140001B2 (en) Methods of suppressing GSM wireless device threats in dynamic or wide area static environments using minimal power and collateral interference
US8755770B2 (en) Methods for identifying wireless devices connected to potentially threatening devices
WO2007027699A2 (fr) Procedes d'identification, de suppression, de desactivation et de filtrage d'acces a distance de dispositifs sans fil d'interet a l'aide de recepteurs de temporisation et d'interception des signaux permettant de reduire la puissance, de minimiser la detection, et de minimiser les interferences collaterales
US8477727B2 (en) Methods for surreptitious manipulation of CDMA 2000 wireless devices
US8767595B2 (en) Enhanced methods of cellular environment detection when interoperating with timed interfers
US10368239B2 (en) Method and apparatus for providing broadcast channel encryption to enhance cellular network security
Jover et al. Enhancing the security of LTE networks against jamming attacks
Mpitziopoulos et al. A survey on jamming attacks and countermeasures in WSNs
EP1747631B1 (fr) Procede et equipement utilisateur permettant la signalisation et la detection du brouillage dans un reseau de telecommunication mobile
Stхhlberg Radio jamming attacks against two popular mobile networks
Song et al. Fake bts attacks of gsm system on software radio platform
EP2684385B1 (fr) Transmission d'un signal d'alarme dans un système de communication sans fil
EP3912383A1 (fr) Protection d'informations pour détecter de fausses stations de base
Jeung et al. Adaptive rapid channel-hopping scheme mitigating smart jammer attacks in secure WLAN
WO2007106694A9 (fr) Procédés pour supprimer des menaces de dispositifs sans fil gsm dans des environnements dynamiques ou statiques étendus avec une puissance consommée et des interférences collatérales minimales
US11463875B2 (en) Detection of system information modification using access stratum security mode command
EP4256832A1 (fr) Procédés et appareils pour diffusions de cellules à confiance nulle
AT&T 1645140466114231_article.pdf
Rupasinghe et al. Physical layer security for UAV communications
EP4186260A2 (fr) Codage de commande d'avance temporelle de réponse d'accès aléatoire 3gpp, 5g et lte pour une atteinte liée à la sûreté et la sécurité
Hangargi Denial of Service Attacks in Wireless Networks
RU2818276C1 (ru) Способ противодействия атакам злоумышленников, направленным на прослушивание пейджинговых сообщений, передаваемых абонентским устройствам беспроводной сети связи
Ludant et al. Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 12065225

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06802570

Country of ref document: EP

Kind code of ref document: A2