GSM to UMTS Network Handover Vulnerability Testing Using Software-Defined Radio. McAbee, C.; Tummala, M.; and McEachen, J. In 2015 48th Hawaii International Conference on System Sciences, pages 5422–5431, HI, USA, January, 2015. IEEE.
This paper examines a possible vulnerability with the potential for a malicious entity to prevent a mobile device from handing over from a global system for mobile communications (GSM) to universal mobile telecommunications system (UMTS) network because the GSM network maintains the stand-alone dedicated control channel (SDCCH) uplink time slots. The process of testing this vulnerability requires the development of a device that monitors a GSM base transceiver station, identifies when a handover to UMTS message is sent, tracks the time slots of the SDCCH uplink, and transmits a GSM handover-failure message. We present a scheme that utilizes parts of the OpenBTS to transmit a GSM handover-failure message using a software defined radio. The method is validated through the collection of the GSM transmitter messages by Airprobe’s GSM-receiver module.
@inproceedings{mcabee_gsm_2015,
address = {HI, USA},
title = {{GSM} to {UMTS} {Network} {Handover} {Vulnerability} {Testing} {Using} {Software}-{Defined} {Radio}},
isbn = {978-1-4799-7367-5},
url = {http://ieeexplore.ieee.org/document/7070467/},
doi = {10.1109/HICSS.2015.638},
abstract = {This paper examines a possible vulnerability with the potential for a malicious entity to prevent a mobile device from handing over from a global system for mobile communications (GSM) to universal mobile telecommunications system (UMTS) network because the GSM network maintains the stand-alone dedicated control channel (SDCCH) uplink time slots. The process of testing this vulnerability requires the development of a device that monitors a GSM base transceiver station, identifies when a handover to UMTS message is sent, tracks the time slots of the SDCCH uplink, and transmits a GSM handover-failure message. We present a scheme that utilizes parts of the OpenBTS to transmit a GSM handover-failure message using a software defined radio. The method is validated through the collection of the GSM transmitter messages by Airprobe’s GSM-receiver module.},
language = {en},
urldate = {2020-05-20},
booktitle = {2015 48th {Hawaii} {International} {Conference} on {System} {Sciences}},
publisher = {IEEE},
author = {McAbee, Carson and Tummala, Murali and McEachen, John},
month = jan,
year = {2015},
pages = {5422--5431}
}