[Figure captions: Joseph Estrada; Panfilo Lacson; Vlatko Pavletić; Octopus FTMRS 60D; Octopus FTMRS 60D mini; GSM interception, mobile version; GSM interception, stationary version; C-Guard, power 5-500 mW, range 5-80 m; C-Guard, power 15-30 W, range 20-1000 m; C-Guard, power 15-120 W, range over 3 km; TopSec GSM; TopSec GSM module; TopSec GSM display; TopSec 703+]

The arrival of GSM mobile phones was a relief for most users, because they cannot be intercepted as easily as NMT (099) mobile phones, which could be listened to with an ordinary FM receiver costing no more than the phone being listened to. GSM, however, is not immune to eavesdropping either.


Information about today's technology, its capabilities and the extent of tapping of fixed or mobile telephone traffic reaches the public much as information about spy satellites does: mostly through media coverage of various espionage affairs, triggered by politicians or military officials who suspect they are the target of secret interception. Court proceedings and statements by those involved in public affairs reveal fragments about the techniques, methods and devices used for wiretapping, and in this article I have tried to bring this "scattered" information together, without going into the moral interpretation of eavesdropping (violation of human rights, freedom of communication, etc.), and instead, which is more interesting for an electronics enthusiast, to gather the available technical information about the devices themselves and the methods of tapping mobile telephony. I have therefore compared a number of factory-made devices for tapping telephones that are offered for sale, even though the data given for them is quite scant and often dubious. Every such device offered for intercepting GSM (even if it is only a somewhat better radio scanner with a spectrum analyser) is intended for sale only to government organisations and secret services. However, since the devices are advertised on the Internet, sometimes with a (high) price stated, this suggests that the dealers will serve every "serious" customer. More and more states are adopting legal regulations that oblige their telecommunications companies to give government services the means to tap telecommunications traffic, which means that governments no longer need to buy costly real-time decoding devices through legal purchase.
Finally, it should be mentioned that entirely frivolous devices and applications for private GSM interception are also "sold" on the Internet, usually at very low prices and with fantastic specifications; anyone with some knowledge of the GSM system can easily conclude that a device as presented cannot function.


In the late 1990s, when scandals over the tapping of opposition politicians, journalists and other public figures shook the media, a debate also arose about the technological possibilities of eavesdropping. Some claimed that mobile phones were being tapped, others that mobile phones are the easiest of all to tap and that those being tapped cannot tell that they are being monitored. It was reported that every mobile phone is in fact a radio transmitter and that the secret services, through the signal the phone emits regardless of whether the user is talking or not, can at any moment know where the person under surveillance is (this is how the Turkish security services arrested the Kurdish leader Abdullah Öcalan). It was also rumoured that only subscribers can be tapped and that those who use prepaid vouchers cannot be monitored. All of these claims can be debated, but what we can be sure of today is that any telephone subscriber can be tapped and monitored, not thanks to some special secret technology but simply thanks to the government regulations imposed on telecommunications companies. The same goes for Internet providers and their users: the secret services can monitor Internet correspondence through the provider when there is a statutory basis for it. But let us move on!

In early October 2000, at a press conference in the prestigious Club Filipino near the capital Manila, the Philippine governor Luis Singson publicly accused the Philippine president Joseph Estrada, already entangled in numerous scandals, of receiving fabulous sums in bribes. While the participants of the press conference were discussing the details of the governor's statement, Estrada's loyalists in the police apparatus parked an inconspicuous Toyota van equipped with the most advanced listening devices in front of the club and immediately put the mobile phones of hundreds of people, mostly senators, prosecutors and journalists, under surveillance. After Estrada's ouster, the parliamentary committee that investigated the corruption of the Philippine president and the people around him published documents, carefully concealed for many years, on cases of mass use of listening devices manufactured in Germany. At one of the hearings before the committee, General Panfilo Lacson, the chief of the Philippine police who had meanwhile been arrested, revealed the usual practice of occasional shopping trips to distant Germany, where Estrada's regime bought the latest state-of-the-art devices for tapping fixed and mobile telephones. The sums spent exceeded half a million dollars, and the main supplier was the Munich telecommunications company Rohde & Schwarz.

Our immediate neighbours the Slovenes are very likely also good customers of the Munich company Rohde & Schwarz. When, on 6 January 1998, two Slovenian intelligence officers were arrested in broad daylight on Croatian territory at Dubrava Križovljanska, a number of devices for electronic scanning and electronic countermeasures were found in their Volkswagen Transporter 2.4D. The defendants were tried for a misdemeanour and expelled; criminal proceedings were initiated against them later, and the vehicle was confiscated and returned to the Slovenian Ministry of Defence only after three years. There has never been a more detailed explanation of what the Slovenian spy vehicle was equipped with or what interested the Slovenes so much about Croatian telecommunications. The fact that the Croatian side returned everything that was confiscated suggests that there was nothing particularly interesting or brand new in the vehicle, but most probably only well-known devices that are also available to the state and civil services on this side of the Sutla, or even older ones. Of course, this is only an assumption, because the type and modernity of the listening devices that the Croatian state keeps for the security of its citizens is a secret, and no official data can be obtained.

Another Slovenian affair (Vič-Holmec) was written about in the media five years ago. Tomaž Ranc, a journalist of TV Slovenia, investigated the background of the Vič-Holmec police affair, after the claim emerged that during the June ten-day war for an independent Slovenia, at the Vič-Holmec crossing on the Slovenian-Austrian border, atrocities had been committed that could be qualified as war crimes. The police wanted to know where Ranc was getting his information and, without the required warrant, obtained the list of persons the reporter had spoken to during that period (the court order for monitoring telephone calls was obtained only later). Ranc found out, the aggrieved journalist filed a civil suit against Slovenia, the court awarded him 600,000 SIT in compensation (about 2,700 euros), and the internal control of the Ministry of the Interior suspended the two police officers... It then turned out that Slovenian courts issue hundreds of orders each year for surveillance or monitoring of telephone conversations.

In Germany there have been no spectacular cases of tapping journalists or politicians in the last few years, but eavesdropping is all the more popular with the German police and secret services. According to the Federal Data Protection Commissioner, the number of eavesdropping cases in Germany increased by more than 170 percent over five years. In 1995, 4,700 cases were registered, and in 1999, 12,700 persons were tapped (according to data in the magazine Connect). This figure is frighteningly large compared with the number of persons intercepted in the United States, where, among 240 million people, according to the official police Wiretap Report, the telephone conversations of only 1,190 persons were monitored. The German public is therefore being warned of the danger of "an avalanche of eavesdropping that grows every year". With exactly these words Jürgen Welp, a retired law professor from Münster, calls for verification of the success of eavesdropping, arguing that after eavesdropping is approved all too readily for criminal proceedings, it mostly ends without any concrete results. For last year and this year there are still no complete statistics. Mostly it concerns wiretapping on suspicion of a serious criminal offence, and the number will surely rise, since early this year the government extended the catalogue of criminal acts for which eavesdropping is legally permitted. After the terrorist attacks on the US, the powers of the secret services and police have increased, and telephone service providers, including mobile operators, are legally obliged to enable eavesdropping.

Most attention recently was attracted by the debate on the fate of the files that the former East German secret service Stasi compiled by eavesdropping on the former German Chancellor Helmut Kohl. Less attention is paid to the tapping of journalists, but there are such cases. The Bremen journalist Rolf Gössner found out that he was being listened to by the Office for the Protection of the Constitution because of his articles on the secret services. Experts estimate that journalists are also often listened to by the Federal Intelligence Service BND through its system for automatic eavesdropping. This system records conversations in which a particular word occurs, such as "drugs". Since journalists often investigate crime-related topics, they become victims of this eavesdropping system.

In neighbouring Bosnia and Herzegovina there have also been politicians claiming that they were tapped and monitored. Allegedly, one of the numerous intelligence agencies in BiH, the Muslim AID, can simultaneously tap 40,000 telephone calls (fixed and mobile), where mobile phone tapping is also used to locate the user, and it is not obliged to submit reports on its work to the federal authorities, i.e. it is not accountable to them. Nevertheless, the new Law on Security Intelligence Services envisages that in future only the Supreme Court of the Federation of BiH will be able to issue an order for eavesdropping and monitoring, and only under strictly specified conditions. The media report (from a "serious source") that in Sarajevo alone about 600 telephones are being tapped. This is technically feasible, but eavesdropping also requires manpower. AID has about five hundred staff, and for its own needs, and in accordance with the law, this service has a dedicated and equipped room at the Post Office where the MR is located. The MR is an intermediate distribution frame that in fact allows parallel switching of cables and their routing to the central switchboard at AID itself. The rules state that the MR room is unlocked with two keys, one kept by the director of the Post Office, the other by the director of AID. When members of the stabilisation forces in BiH (SFOR and IPTF) decided to peek into this room at Dolac Malta, they had to break down the door?! From this it is concluded that the Post Office is a very important factor in carrying out (legal or illegal) telephone tapping. That SFOR and IPTF were aware of this is illustrated by their later unannounced visits to PTT facilities in Vareš, Livno, Mostar, Sarajevo...

In Croatia, the media have followed several scandals over secret eavesdropping. In autumn 1998 the Zagreb politician Dr Krešimir Franjić caused a stir with his public claim that his mobile phone was being tapped. He even named the telephone number 385-167 from which the tapping was allegedly being carried out. Although Dr Franjić's suspicions carried special "weight", because he was vice-president of the City Committee of the Croatian People's Party, they were never clarified. The phone number he had read on his mobile phone display, which he claimed belonged to the eavesdropper, was of no help, and telecommunications experts claimed that it was a call over an old analogue exchange where the caller cannot be identified. According to their fairly logical interpretation, the first three digits (385) are the country code for Croatia and the fourth (1) the area code for Zagreb. The last two digits (67) most likely belong to the exchange from which the calls to Dr Franjić came, but that was too little to locate and identify the caller. After all, the real need for such a way of intercepting the doctor's mobile phone is unclear, because spying on it could be done much more simply, effectively and professionally. Another example is Vlatko Pavletić, who, at the time when he was President of the Croatian Parliament and acting President of the Republic (December 1999), publicly claimed that even the phones in his parliamentary office were tapped, but could not submit evidence for this. Earlier this year, when the scandal broke involving Krunoslav Canjuga, then county state attorney in Zagreb, the tapped telephone conversations he had with the lawyer Mirko Batarelo were often mentioned as the crowning evidence of the alleged bribe.
The media reported on the evidence that USKOK had obtained through tapping, and Večernji list reported that the police, in particular the Department for Special Criminal Work, has equipment that enables the interception of conversations from mobile phones. The sophisticated equipment was allegedly purchased in Israel, and the "services" of operators were also used, who submitted information about the owners of the mobile phone numbers that the tapped person called.


Police investigators are daily exposed to a kind of arms race, as criminals habitually change several phones within a short time. The Berlin police allegedly found 16 different mobile phones and prepaid cards on a Coca Cola mafia boss. To be literally on the criminals' heels at any time, criminal investigators most commonly scan the entire frequency range; the usual direction finders (goniometers) and other listening devices are built into police vehicles, which then operate unobtrusively with regular registration plates and with various fictitious commercial inscriptions. Mobile phone tapping that is useful from the criminal-investigation point of view cannot be done at a desk, but only in the field. No matter which mobile phone and card the suspect uses, the investigators obtain his subscriber number (IMSI) as soon as he passes by the police vehicle. The medal, of course, has its reverse side: a police base station simulator will unmistakably register not only the criminals' mobile phones but also all others, even those of random passers-by, enabling them to be tracked. The justice ministers of the German federal states already in 2000 demanded legal regulation of the use of the IMSI catcher. Christian Frank, spokesman of the Ministry of Justice of Schleswig-Holstein, repeatedly stressed that such a device is a novelty that differs qualitatively from the usual methods of tapping telephone conversations and therefore requires a completely new legal basis.

Legal regulation of the use of listening devices

The ambiguities in Croatian legislation that should regulate wiretapping (the area of so-called preventive policing, where there is a significant limitation of fundamental human and constitutional rights) were already pointed out in summer 1999 by Dr Davor Krapac in the Croatian Annual of Criminal Law and Practice, of which he is editor-in-chief. On 1 June 2003 the "Regulation on Obligations in the Field of National Security of the Republic of Croatia for Legal and Natural Persons in Telecommunications", adopted by the Government of the Republic of Croatia, came into force. The Regulation governs the area of secret surveillance of telecommunications in the Republic of Croatia in accordance with the resolution of the Council of the European Union on lawful secret surveillance of telecommunications and the corresponding standards and recommendations of the European Telecommunications Standards Institute (ETSI). According to this Regulation, telecommunications and network operators, as well as service and access providers, are obliged to incorporate secret surveillance devices into their networks at their own expense and to ensure their permanent maintenance and proper operation for the needs of the Operational-Technical Centre for Telecommunication Surveillance. In addition to the content of telephone calls, they are also required to provide all other requested call data (times and dates, establishment or attempts to establish calls, termination of calls, change of status, service, location, etc.), including identification and location data of the phones and their owners, which includes access to the database. All data must be kept secret, and any knowledge about the means, procedures and data relating to measures of secret surveillance must be kept as a state secret. In addition, they must ensure that the person under surveillance, or any other unauthorised person, does not notice any change that could be caused by the use of secret surveillance.
Thus, in addition to the various "hunters" used by civil servants at their own institution's expense, the Croatian telephone concessionaires themselves are now obliged to provide technical assistance to the court, the state attorney's office, the police and the army whenever an authorised person requests the monitoring of a user's communications.

Of course, other states have the same or similar provisions. According to the German Telecommunications Act (TKG), the local concessionaires are also obliged to organise and implement the means and measures of surveillance at their own expense, and it is similar with the Austrians. The exact number of telephone subscribers covered by this legal provision is, of course, not disclosed by the operators, although Georg Pölzl, director of the Austrian Max-mobil, complained that his company invested between 4.3 and 10 million in the network surveillance measures required by the Austrian Ministry of the Interior. Similarly, the government of South Africa has approved a proposal for a new law that will legalise the tapping of mobile phones. The authorities claim that this is necessary because mobile phones are increasingly used in robberies and other crimes. Telephone companies must install special listening devices at their own expense, and in future will be allowed to offer only those services that can be monitored. Recorded conversations will be delivered to the police, national security, the military and other authorised services, and may be used during a criminal investigation. The Ministry of the Interior of Estonia has asked the operators of the Estonian telecommunications company to allow government agents to monitor private phone calls and Internet connections. The idea stems from a new article on telecommunications, which states that telephone operators and Internet service providers must guarantee government security experts access to the network. Telephone companies have confirmed that they have no objection to contributing to the fight against crime, but complain about the costs this entails. Consumers are concerned by the story, fearing with justification that they will foot the largest bill, as subscriptions will most likely become more expensive.

Thanks to these laws, the term "eavesdropping" is slowly losing its meaning. All the conversations you have ever had and ever will have fit on one CD, which costs less than a penny. When "Big Brother" wants to, he will find out what you said and to whom, including where you were at that moment. How? Every mobile phone periodically transmits its IMEI, a 16-digit identification number, regardless of the card that is in it. Your geographical location is determined from the delay to the three nearest towers. The fact that you are not talking at that moment means nothing: a mobile phone can be "activated" from headquarters and will duly record the content of your private and business conversations without your knowledge. Pay attention to excessive and premature battery drain; it is the only indication that something is happening. The only sure protection is a switched-off device. Changing the mobile phone and the card? It does not matter; your voice characteristics give you away like a fingerprint.


Speech coding

The GSM development team studied several types of speech coding algorithm, looking for good speech quality together with limited complexity of the required electronic circuits (lower production cost, shorter processing delay and lower power consumption). The choice fell on the RPE-LPC encoder. The information contained in the previous samples, which does not change rapidly, is used to predict the next sample. The difference between the previous and the current sample then represents the signal.

Speech is divided into blocks 20 ms long, each of which is encoded into 260 bits, giving a bit rate of 13 kbps (full-rate speech coding). Because of natural and man-made electromagnetic interference, the encoded speech or data must be protected against transmission errors. During testing it was found that within a block of 260 bits (20 ms of speech) certain bits are more important for intelligibility than others. The block of 260 bits is therefore divided into three sensitivity classes:

  • Class Ia: 50 bits, most sensitive to errors
  • Class Ib: 132 bits, moderately sensitive to errors
  • Class II: 78 bits, least sensitive to errors

Class Ia has three CRC parity bits added for error detection. If an error is detected, the frame is declared invalid, discarded and replaced by the previous correctly received frame in attenuated form.

These 53 bits, together with the 132 bits of class Ib and the 4 bits of the tail sequence (189 bits in total), enter the convolutional encoder. Each input bit is encoded into two output bits based on its combination with the previous 4 input bits. At the output of the encoder there are 378 bits, to which the remaining 78 bits of class II are added. Thus every 20 ms of speech is encoded into 456 bits, giving a digital signal rate of 22.8 kbps.

For further protection against "burst" errors, the samples are interleaved. The 456 bits at the encoder output are divided into 8 sub-blocks of 57 bits. The blocks are sent in successive "burst" periods within a time slot (time-slot bursts), each of which can carry two 57-bit blocks, so that each "burst" period carries bits of two different speech samples (frames). The frames are interleaved: a few bits are taken from the first frame, then from the second, and so on, then again from the first, the second, etc. The depth of interleaving varies for each channel type. The idea and goal of interleaving is to reduce the effect of interference when transmitting data: an error is then spread over a larger number of frames, so if 500 bits are corrupted, spreading them over a larger number of blocks affects the transmission less.
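The three-class scheme above, as an added worked example in Python (this is not code from the article): the 3-bit parity over class Ia, the rate-1/2 convolutional encoder that turns 189 bits into 378, the 78 unprotected class II bits appended to make 456, and the split into 8 sub-blocks of 57 that are spread over the air. The CRC and convolutional polynomials are the TCH/FS ones from GSM 05.03; the bit reordering inside the 189-bit encoder input and the position of each bit inside a burst are simplified, and the 260-bit frame is constructed pseudo-random data, not real RPE-LPC output. The point it makes: if one whole 57-bit sub-block is destroyed on the air, the corrupted bits land isolated (no two adjacent) after de-interleaving, which is the kind of error pattern the convolutional decoder can repair.

```python
import random

# GSM 05.03 polynomials for the full-rate traffic channel (TCH/FS):
# class Ia parity generator D^3 + D + 1, convolutional code G0 = 1+D^3+D^4, G1 = 1+D+D^3+D^4.
# Bit reordering inside the encoder input and inside the burst is simplified here (assumption);
# the block sizes follow the text: 50/132/78 bits in, 456 bits out, 8 sub-blocks of 57.

def crc3(bits):
    """3 parity bits over the 50 class Ia bits (shift-register form of division by D^3 + D + 1)."""
    reg = 0
    for b in bits:
        feedback = ((reg >> 2) & 1) ^ b
        reg = (reg << 1) & 0b111
        if feedback:
            reg ^= 0b011            # low coefficients of D^3 + D + 1
    return [(reg >> 2) & 1, (reg >> 1) & 1, reg & 1]

def parity_ok(ia_with_parity):
    """Feeding the 50 data bits and then the 3 parity bits through the same register leaves it at zero."""
    return crc3(ia_with_parity) == [0, 0, 0]

def conv_encode(u):
    """Rate-1/2 convolutional encoder: each input bit yields 2 output bits from it and the previous 4 inputs."""
    d = [0, 0, 0, 0]                # d[0] is the most recent previous input bit
    out = []
    for bit in u:
        out.append(bit ^ d[2] ^ d[3])           # G0 = 1 + D^3 + D^4
        out.append(bit ^ d[0] ^ d[2] ^ d[3])    # G1 = 1 + D + D^3 + D^4
        d = [bit] + d[:3]
    return out

def channel_encode(frame):
    """260 speech bits (20 ms) -> 456 coded bits."""
    assert len(frame) == 260
    ia, ib, ii = frame[:50], frame[50:182], frame[182:]
    u = ia + crc3(ia) + ib + [0, 0, 0, 0]       # 50 + 3 + 132 + 4 tail bits = 189
    coded = conv_encode(u)                       # 378 bits
    return coded + ii                            # + 78 unprotected class II bits = 456

def interleave(coded):
    """Split the 456 bits into 8 sub-blocks of 57: coded bit k goes to sub-block k mod 8."""
    return [[coded[k] for k in range(b, 456, 8)] for b in range(8)]

def deinterleave(sub_blocks):
    coded = [0] * 456
    for b, block in enumerate(sub_blocks):
        for i, k in enumerate(range(b, 456, 8)):
            coded[k] = block[i]
    return coded

def longest_error_run(sent, received):
    """Longest run of consecutive corrupted bits, i.e. what the convolutional decoder has to cope with."""
    best = run = 0
    for a, b in zip(sent, received):
        run = run + 1 if a != b else 0
        best = max(best, run)
    return best

def burst_hit(frame, hit_block):
    """Destroy one whole 57-bit sub-block on the air; report (corrupted bits, longest run) after de-interleaving."""
    coded = channel_encode(frame)
    blocks = interleave(coded)
    blocks[hit_block] = [b ^ 1 for b in blocks[hit_block]]   # 57 consecutive on-air bits flipped
    received = deinterleave(blocks)
    flipped = sum(a != b for a, b in zip(coded, received))
    return flipped, longest_error_run(coded, received)

# Constructed sample frame: 260 pseudo-random "speech" bits (not real RPE-LPC output).
_rng = random.Random(1)
SAMPLE_FRAME = [_rng.randrange(2) for _ in range(260)]

if __name__ == "__main__":
    flipped, run = burst_hit(SAMPLE_FRAME, 3)
    print(f"57 consecutive bits lost on air -> {flipped} corrupted coded bits, longest run {run}")
    ia = SAMPLE_FRAME[:50]
    print("parity ok:", parity_ok(ia + crc3(ia)),
          "/ after one flipped class Ia bit:", parity_ok([ia[0] ^ 1] + ia[1:] + crc3(ia)))
```

Running it shows 57 corrupted bits with a longest run of 1 after de-interleaving, and the parity check detecting a single flipped class Ia bit, which is what triggers the "discard and repeat the previous frame" behaviour described above.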

Signal transmission

The GSM system uses combined FDMA and TDMA techniques, with the signals transmitted using GMSK modulation. FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) use division by frequency and by time to allow multiple access. With the FDMA technique a channel is assigned to only one user for a certain period of time, so that another user is allowed access to the same channel only after the previous conversation has ended or the previous user has moved into the coverage area of another cell. The drawback is the restriction on reusing the same frequency in adjacent cells, which means low capacity. In the TDMA technique the allocated frequency band is divided into channels, each of which is divided into a number of time slots. Each user is assigned one time slot, so that one channel serves 8 users.

The mobile-station-to-base-station band is 890-915 MHz and the base-station-to-mobile-station band 935-960 MHz, which means that the bandwidth of the GSM band is 2 x 25 MHz. Such separate receive/transmit frequencies make simultaneous bidirectional transmission easier. The 25 MHz bandwidth is further divided into 125 pairs of frequencies, so that each duplex channel has a width of 200 kHz. One or more carrier frequencies are assigned to each base station. A small leakage of energy into the neighbouring channels is allowed, and this leakage is minimised thanks to GMSK modulation.

Each of these carrier frequencies is time-divided using TDMA to separate the 200 kHz channel into traffic channels (TCH) used for speech and data transmission. Traffic channels use multiple frames, and reception and transmission are separated by 3 "burst" periods, so the mobile unit does not need to transmit and receive at the same time, which simplifies the mobile station electronics. GSM can use slow frequency hopping, where the mobile and base station send each TDMA frame on a different carrier frequency. The frequency hopping algorithm is broadcast on the BCCH channel. Frequency hopping is used to reduce interference to an acceptable level. In principle, frequency hopping has the advantage that interference can be reduced if the interfering signal occupies only a narrow part of the spectrum over which the desired signal hops.

26 TDMA frames for speech/data transfer (24 frames carry speech or data, one carries the SACCH channel and the last is unused), or 51 TDMA frames for control data, make up a multiframe (1 multiframe = 26 or 51 TDMA frames); the 26-frame multiframe lasts 120 ms. Further, 51 multiframes of 26 frames (or 26 multiframes of 51 frames) make a superframe of 6.12 s, and 2048 superframes make one hyperframe lasting 3 hours, 28 minutes, 53 seconds and 760 ms.

Each TDMA frame lasts 4.615 ms and is divided into 8 time slots (logical channels) of 0.577 ms each: one for transmitting, another for receiving, while the remaining six time slots serve for sending control signals. A logical channel is defined by its frequency and time-slot number, and each is further subdivided into 8 time slots in which digitised speech is broadcast in short "burst" periods. The digital signal rate is 271 kb/s (one bit lasts 3.79 µs). For time alignment, the "burst" period in which data is sent is shorter than the time slot and lasts 148 instead of the available 156.25 bit periods. These 8 time slots, taken over the 248 half-duplex carrier channels, give 1984 logical half-duplex channels. With 1984 / 7 = 283 logical half-duplex channels per cell, each cell can use 1/7 of the total number of frequencies. Such a frequency allocation is sufficient to cover a very large area.

Control channels are used to transmit the information needed for the control and management of the network. The control channels are divided into:

  • Broadcast Control Channel (BCCH): transmits to the mobile unit the information it needs about the cell, including the assigned frequencies and the frequencies used for frequency hopping.
  • Frequency Correction Channel (FCCH) and Synchronisation Channel (SCH): used to synchronise the mobile unit with the time-slot structure of the cell by defining the boundaries of the "burst" periods. Each cell in the network transmits one FCCH and one SCH channel.
  • Random Access Channel (RACH): used by the mobile unit when it requests access to the network.
  • Paging Channel (PCH): used to alert the mobile station to an incoming call.
  • Access Grant Channel (AGCH): used to allocate an SDCCH channel to the mobile unit.


Several features characterise a good modulation technique: good spectral efficiency, good power efficiency, good performance, low price, simple electronic circuits and a low level of radiation outside the permitted bandwidth. Digital modulation is the obvious choice for future wireless systems, especially for wireless video transmission, and can improve spectral efficiency because digital signals are "more robust" than analogue ones with respect to interference. Spectral efficiency is a major advantage because wireless systems have to work in an overcrowded frequency spectrum. To achieve a high degree of spectral efficiency, the modulation schemes for TDMA and FDMA systems must be chosen so that they make high use of the intended frequency range, and this efficiency is measured in bits per second per 1 Hz of bandwidth (bit/s/Hz).

Transmission capacity in many wireless systems is limited by co-channel interference, which is the main constraint on cellular capacity. Co-channel interference increases when the same carrier frequency is used in adjacent cells. One of the main goals of a modulation technique is therefore to tolerate high levels of co-channel interference.

In the GSM mobile system, GMSK modulation is used to modulate the signal onto the analogue carrier frequency. GMSK (Gaussian Minimum Shift Keying), unlike MSK modulation, has a Gaussian filter in front of the modulation process, which makes the output signal spectrum much more compact. The pre-modulation Gaussian filter has a narrow bandwidth and a sharp cut-off characteristic, which suppresses the high-frequency components of the signal. The overshoot of its impulse response is low, which protects against excessive instantaneous frequency deviation. GMSK modulation was chosen as a compromise between spectral efficiency, complexity of the electronics and unwanted emissions (radio frequency output outside the assigned band). The complexity of the electronics is proportional to the power consumption of the mobile station, which must be kept as small as possible. Unwanted emissions outside the permitted frequency range must be controlled so that interference to the neighbouring channels is minimal.

At the GSM working frequency (900 MHz), radio waves are generally reflected by buildings, mountains, hills, cars, aircraft, etc. Thus reflected signals with different phase shifts can be received by the mobile station antenna. Equalisation is used to extract the original signal from the unwanted reflections. It works on the principle that the effect of fading on a known transmitted signal is studied, and from it an inverse filter is constructed to isolate the rest of the desired signal. This known signal is the 26-bit "training" sequence that is transmitted in the middle of each "burst" period.
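The equalisation principle just described, as an added worked example in Python (not code from the article): a known training sequence is sent in the middle of a burst, the receiver correlates what it received against the known bits to estimate the echoes (the channel taps), and then an inverse filter subtracts those echoes from each received sample before deciding the bit. The 26-bit sequence is training sequence code 0 from GSM 05.02; its 16 central bits have zero periodic autocorrelation for shifts of up to 5 bit periods, which is what makes the correlation estimate exact for echoes up to 4 bit periods late. The burst layout (57 data bits, 26 training bits, 57 data bits), the multipath channel with taps [1.0, 0.5, -0.3] and the payload are constructed for the example; tail and stealing bits are omitted.

```python
import random

# Training sequence code 0 from GSM 05.02 (26 bits). Bits 5..20 are the 16 central bits;
# the outer 5 bits on each side repeat them cyclically, so correlating against the central 16
# for shifts of -5..+5 behaves like a periodic autocorrelation: 16 at shift 0, 0 elsewhere.
TSC0 = [0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1]
TRAIN_OFFSET = 57   # simplified burst: 57 data bits, 26 training bits, 57 data bits (assumption)
MAX_TAPS = 5        # longest echo delay, in bit periods, that the estimator resolves

def to_symbols(bits):
    return [1.0 - 2.0 * b for b in bits]          # bit 0 -> +1, bit 1 -> -1

def apply_channel(symbols, taps, noise_std=0.0, seed=0):
    """Multipath: each received sample is the sum of delayed, scaled copies of the sent symbols, plus noise."""
    rng = random.Random(seed)
    out = []
    for n in range(len(symbols)):
        y = sum(h * symbols[n - l] for l, h in enumerate(taps) if n - l >= 0)
        out.append(y + rng.gauss(0.0, noise_std))
    return out

def estimate_channel(received):
    """Correlate the received training field against the 16 central known symbols: R(l) / 16 = h[l]."""
    s = to_symbols(TSC0)
    taps = []
    for l in range(MAX_TAPS):
        acc = sum(received[TRAIN_OFFSET + n + l] * s[n] for n in range(5, 21))
        taps.append(acc / 16.0)
    return taps

def equalize(received, taps):
    """Inverse filter with hard decisions: remove the echoes of already decided symbols, then decide."""
    decided = []
    for n in range(len(received)):
        echo = sum(taps[l] * decided[n - l] for l in range(1, len(taps)) if n - l >= 0)
        x = (received[n] - echo) / taps[0]
        decided.append(1.0 if x >= 0 else -1.0)
    return [0 if d > 0 else 1 for d in decided]

def build_burst(data_bits):
    assert len(data_bits) == 114
    return data_bits[:57] + TSC0 + data_bits[57:]

def burst_data(bits):
    return bits[:57] + bits[57 + 26:]

def demo(taps, noise_std=0.0):
    """Send a constructed 114-bit payload through the channel; return (estimated taps, payload recovered?)."""
    rng = random.Random(3)
    data = [rng.randrange(2) for _ in range(114)]       # constructed payload
    rx = apply_channel(to_symbols(build_burst(data)), taps, noise_std)
    h_est = estimate_channel(rx)
    recovered = burst_data(equalize(rx, h_est))
    return h_est, recovered == data

if __name__ == "__main__":
    for noise in (0.0, 0.1):
        h_est, ok = demo([1.0, 0.5, -0.3], noise)
        print(f"noise {noise}: estimated taps {[round(h, 3) for h in h_est]}, payload recovered: {ok}")
```

Without noise the estimate returns the three taps exactly (and zeros for the two unused delays); with Gaussian noise of standard deviation 0.1 the estimate is off by a few hundredths and the payload is still recovered, because the decision margin is far larger than the residual error.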

The mobile station may change frequency between transmitting and receiving, and each TDMA frame may be sent on a different carrier frequency. The frequency hopping algorithm is broadcast on the BCCH channel. Frequency hopping helps to overcome the problem caused by fading. Minimising the interference that arises from various influences within the channel is the goal of cellular system designers, but so is getting better service out of individual cells. Using smaller cells increases the total system capacity. Discontinuous transmission (DTX) is a method that gains certain advantages from the fact that a person who is talking speaks for less than 40% of the total time of a normal conversation. The benefit lies in switching the transmitter off during periods of silence, which saves the battery power of the mobile station. The most important component of DTX is the voice activity detection (VAD) system, which must distinguish speech from ambient sounds. If the VAD misinterprets speech and "declares" it ambient noise, the transmitter is switched off, which manifests itself as clipping of the signal, and the effectiveness of DTX is significantly reduced. When the transmitter is switched off, the receiving party hears no noise, which is actually one of the advantages of digital GSM technology.

The second method of saving battery power in a mobile station is discontinuous reception (DRX). The paging channel, on which incoming calls are announced, is divided into sub-channels; each mobile station "listens" only to its own sub-channel and sleeps the rest of the time, so it consumes very little energy.

Mobile stations are divided into five classes according to the maximum output power of their transmitter. Mobile and base station then transmit with the lowest power that still gives an acceptable connection quality, which minimizes co-channel interference and saves the mobile station's battery. The transmit power is adjusted in 2 dB steps, from the maximum defined for the class down to a minimum of 13 dBm (20 mW). The mobile station measures signal strength and quality and reports them to the base station controller, which decides on changes of the power level.

Subscriber authentication, data confidentiality and protocols

Smart cards have been present in digital mobile telephony from the very beginning; at first they served only to identify the phone, as misuse (eavesdropping and calling at someone else's expense) had become increasingly common. The security of today's GSM system is described in the GSM recommendations (GSM 02.09 Security aspects, 02.17 Subscriber Identity Modules, 03.20 Security Related Network Functions and 03.21 Security Related Algorithms) and covers the protection and secrecy of the subscriber's identity as well as of subscriber data. The smart cards, issued by the network operators, are known as SIM modules and are found in every GSM phone. Phase 1 of the GSM specifications required a 4 Kb EEPROM; Phase 2, currently in use, requires 8 Kb of EEPROM for storing keys, subscriber data and telephone numbers. The next phase, already in preparation, envisages elliptic-curve methods for validating users and changing the session key.

The subscriber is identified in the system by the IMSI number. Together with the individual subscriber key (Ki) it forms the confidential information by which the system identifies the subscriber. The GSM encryption scheme and security design are laid out so that this sensitive information is never transmitted over the radio channel. Conversations are encrypted with a temporary, randomly generated encryption key (Kc). Over the air the mobile station is identified by a TMSI, a temporary number issued by the network, which can be changed periodically for additional security (for example on a change of location area). The GSM security mechanisms are split across three elements: the subscriber module (SIM), the GSM mobile station and the network. The SIM contains the IMSI, the subscriber key Ki, the key-generation algorithm A8, the authentication algorithm A3 and the PIN. The mobile equipment contains the encryption algorithm A5. The Authentication Centre (AuC) holds the subscriber database: IMSI, TMSI, LAI and the subscriber key Ki for each user. This arrangement of security elements and encryption algorithms is meant to provide a high degree of protection against eavesdropping and unauthorized use.

The diagram shows how the security information is distributed across the three GSM elements: SIM, mobile station and network. Within the network it is distributed further across the AuC and the VLR and HLR registers. The AuC generates the RAND, SRES and Kc values, which are stored in the HLR and VLR.
The subscriber key Ki is never sent over the radio channel. The IMSI is normally replaced over the air by the TMSI, but it must be sent in clear whenever the network, or anything posing as the network, requests it; this is what the IMSI catcher described later relies on.

The GSM network verifies the subscriber's identity with a challenge-response mechanism. A random 128-bit number (RAND) is sent to the mobile station, which computes a 32-bit signed response (SRES) from RAND with the A3 algorithm keyed by the subscriber key Ki. When the network receives the subscriber's SRES it compares it with the value it computed itself and so verifies the subscriber's identity. Note that Ki is never sent over the radio channel: it is stored only in the subscriber's SIM and in the AuC, while the HLR and VLR hold the (RAND, SRES, Kc) triplets derived from it. If the two SRES values match, the mobile station has successfully registered with the system.

The SIM also contains the A8 algorithm, which generates the 64-bit encryption key Kc. Kc is computed from the same RAND used in the authentication and from the subscriber key Ki, so the network, which knows both, can compute it as well. Kc is used to encrypt and decrypt the traffic between mobile station and base station. Because a fresh Kc can be derived from a fresh RAND, the encryption key can be changed at intervals, which further shields the system from eavesdropping. Voice and data are encrypted with the A5 algorithm: the network sends a cipher-mode command, and from then on the mobile station encrypts and decrypts with A5 under the key Kc.

To keep the subscriber's identity confidential the TMSI is used. The TMSI is assigned to the mobile station after authentication and the start of encryption, and the mobile station acknowledges its receipt. A TMSI is valid only within the location area in which it was assigned; outside that area the mobile station is identified by the TMSI together with the LAI (location area identity).

Key length and the possibility of fraud

Assume a code-breaking device that tries one million keys per second (technically feasible today). The time to exhaust a 128-bit key space is then astronomically large. If, however, the effective length of the A5 key is taken as 40 bits (nominally 64), as this article assumes, the time needed shrinks dramatically. The tables make it easy to see why GSM is nevertheless not easy to eavesdrop on or to abuse for calls at someone else's expense. (The figures are for searching the whole key space; on average the key is found after half that time. In deployed A8 implementations the last 10 bits of Kc are fixed to zero, so the key A5 actually uses has 54 effective bits.)

Key length      32 bits      40 bits      56 bits        64 bits          128 bits
Time needed     72 minutes   12.7 days    2,285 years    584,942 years    10.8 x 10^24 years

Time required to exhaust the key space with one device testing one million keys per second

Key length              40 bits    56 bits        64 bits        128 bits
Devices for 1 day       13         8.34 x 10^5    2.14 x 10^8    3.94 x 10^27
Devices for 1 week      2          1.19 x 10^5    3.05 x 10^7    5.63 x 10^26
Devices for 1 year      1          2,285          5.85 x 10^5    10.8 x 10^24

Number of devices (each testing one million keys per second) needed to exhaust the key space in a given time

GSM is, however, not a perfect network. Several omissions were made in the design of the system, and they are exploited for covert interception and other intrusions into GSM networks. The first omission is that when a subscriber accesses the system there is no check against a register of currently active subscribers. On the illegal market there are SIM emulators and programmers for "cloning", i.e. copying, SIM cards, and because of this missing check the system does not detect the fraud when a phone with a cloned card accesses it. Covert eavesdropping on GSM (albeit only within range of a base station) is made possible by another, smaller omission in the system plus a little politics. GSM is a global system, but telecommunications laws and the permitted crypto protection are not the same in all countries. In many countries of Eastern Europe and the Middle East the strong A5/1 algorithm was not permitted, at the request of the security services, but only the weaker A5/2, which demands far less equipment and time to break. In some countries (for example those under international sanctions) no cryptographic equipment at all is permitted, so communication is completely unprotected. A potential eavesdropper can combine this with a further technical omission: no authentication of the base station was foreseen. All that is needed is a base station of one's own which tells the phone that it is on a network, in Iraq for instance, where no encryption is allowed; the phone then switches off its crypto protection automatically and can be intercepted. The designers did not foresee this possibility, and retrofitting the systems around the world today would cost millions of dollars.
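The following Python is an added example (not from the article) of the authentication and key-agreement exchange described in the previous section, together with the two omissions just named: a cloned SIM, which carries the same Ki, authenticates exactly like the original, and a rogue base station, which the phone has no way to authenticate, can challenge the phone with its own RAND, learn its IMSI, and then order it to use A5/0, i.e. no encryption. A3 and A8 are stand-ins built on HMAC-SHA-256 (real SIMs use operator-chosen algorithms such as COMP128); the IMSI and Ki values are made up, using the 001 01 test network code. Sizes follow the text: 128-bit RAND, 32-bit SRES, 64-bit Kc.

```python
"""GSM challenge-response, SIM cloning and a rogue base station. Added example.

A3/A8 are constructed stand-ins (HMAC-SHA-256); IMSI and Ki are made up.
"""
import hashlib
import hmac
import os


def a3(ki, rand):
    """Stand-in for A3: 32-bit SRES from Ki and the 128-bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for A8: 64-bit Kc from Ki and the same RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SIM:
    """IMSI plus Ki. Ki stays inside: only RAND goes in, only SRES and Kc come out."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

    def clone(self):
        """What a cloning programmer produces once Ki has been read out of the card."""
        return SIM(self.imsi, self._ki)


class AuC:
    """Authentication Centre: the only network element that stores Ki."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        """(RAND, SRES, Kc) handed to the HLR/VLR; Ki itself never leaves the AuC."""
        ki = self._ki_by_imsi[imsi]
        rand = os.urandom(16)
        return rand, a3(ki, rand), a8(ki, rand)


class MobileStation:
    def __init__(self, sim):
        self.sim = sim
        self.kc = None
        self.cipher = None

    def answer_challenge(self, rand):
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres

    def cipher_mode_command(self, algorithm):
        # The MS obeys whatever the base station orders; GSM gives it no way to
        # check that the base station belongs to the operator.
        self.cipher = algorithm


def authenticate(auc, ms):
    """Network side of the exchange. Returns the agreed Kc, or None on failure."""
    rand, sres_expected, kc = auc.triplet(ms.sim.imsi)
    sres = ms.answer_challenge(rand)
    if not hmac.compare_digest(sres, sres_expected):
        return None
    return kc


class RogueBTS:
    """Fake base station: challenges the phone with its own RAND, records IMSI and
    SRES (useless without Ki), then switches ciphering off with A5/0."""

    def __init__(self):
        self.log = []

    def capture(self, ms):
        rand = os.urandom(16)
        sres = ms.answer_challenge(rand)
        self.log.append((ms.sim.imsi, rand, sres))
        ms.cipher_mode_command("A5/0")
        return ms.cipher


def demo():
    """Genuine, cloned and forged SIMs against the AuC, then a rogue BTS against the genuine phone."""
    imsi = "001010123456789"                                    # made-up IMSI, test network 001 01
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")      # made-up Ki
    auc = AuC()
    auc.provision(imsi, ki)
    genuine = MobileStation(SIM(imsi, ki))
    cloned = MobileStation(SIM(imsi, ki).clone())
    forged = MobileStation(SIM(imsi, bytes(16)))                # attacker guessing Ki
    results = {
        "genuine": authenticate(auc, genuine) is not None,
        "clone": authenticate(auc, cloned) is not None,
        "forged": authenticate(auc, forged) is not None,
    }
    rogue = RogueBTS()
    results["rogue_cipher"] = rogue.capture(genuine)
    results["rogue_learned_imsi"] = rogue.log[0][0]
    return results


if __name__ == "__main__":
    print(demo())
```

The network never learns that the "clone" is not the original, because the only thing it checks is knowledge of Ki; and the rogue BTS never needs Ki at all, because the phone's only defence against it would be authenticating the network, which the protocol does not provide.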

GSM listening devices

Reports have been published that individuals could break the codes and get into GSM networks, that the security algorithms have been published, that a GSM network was penetrated in less than a second, and so on. Based on verified information and sober descriptions of the interception devices sold in various "spy shops" in developed countries, however, it can be concluded that unrestricted interception of GSM traffic is possible only for security services, and only in cooperation with the telephone companies that provide the GSM service. These services tap directly at the mobile operator's switching centre, where the equipment is placed in parallel with the audio channels that carry the voice.

Capturing and decoding GSM traffic over the air, passively, is possible, but only with expensive professional equipment (from $400,000 upwards) and with two basic limitations: only signals within range of a single base station can be received (up to about 25 km for the downlink from base station to phone, and 300 to 1,000 m for the uplink from phone to base station, depending on the antenna, the terrain and so on), and the number of connections that can be followed simultaneously in both directions is very limited (from about 10 channels for portable units to 120 channels for vehicle-mounted ones). Likewise, only traffic encrypted with the weaker A5/2 algorithm can be decoded in real time; real-time decoding of A5/1 generally requires the cooperation of the phone company (some newer devices advertise real-time A5/1 decoding with an optional additional software and hardware module). Such devices have built-in SIM card readers, from which they can read all the data needed to impersonate a phone using that SIM for a limited period (15 min). Finally, to carry out the interception one needs a good knowledge of the operator's infrastructure.

The arsenal with which telephone connections can be tapped and monitored is quite large. The Israeli company Comverse Infosys, in cooperation with its sister company Syborg Informationssysteme of Buxbach in the German state of Saarland, supplies interception equipment set up as a control centre connected to the key points of the operator's network. The Siemens interception system LIOS enables simultaneous monitoring of up to 10,000 users from one location. Netline Technologies of Tel Aviv, founded by former Israeli intelligence staff, supplies GSMtooth, a device that can locate a mobile phone at short range.


The so-called IMSI catcher (models GA900 and GA901), which investigators and eavesdroppers all over the world buy at no small price (the Filipinos mentioned in the affairs above bought one along with other gadgets), is made by the Munich company Rohde & Schwarz. The acronym IMSI stands for International Mobile Subscriber Identity, the number assigned to every subscriber and stored on the SIM. By simulating a base station the IMSI catcher attracts the phones in its area, captures and listens to their traffic, and only after checking it passes it on to the real network. The actual capabilities and technical characteristics of the device were described to the Philippine committee by Edgar Ablan, sales manager of Rohde & Schwarz Manila. According to his testimony the IMSI catcher effectively "covers" an area of 5 km around the base station and is very effectively complemented by a device named Digital Direction Finder, with which a particular mobile phone can be located at any time.

According to some German press reports, after the terrorist attack on the World Trade Center in New York the IMSI catcher was used in Germany as well for extensive surveillance of mobile phone owners. The fact that the use of this device is not legally defined, and is tolerated only because of the imprecision of some legal provisions, is still the subject of heated debate. Besides the legality of interception devices and their use to monitor the phones of alleged offenders, the intruders also worry the mobile network operators. Christian Schwolow, spokesman for the German operator D2, criticized the use of the IMSI catcher and claimed that it harms the network because it uses frequencies the company pays for. His colleague Philipp Schindera of T-Mobil believes it is not impossible that a network could be disabled altogether by such a device. In his view the fight against terrorism, justified as it is, can also cause unintended damage: while police officers hunt for criminals' signals and load the network, ordinary citizens may be prevented from calling for urgent medical help.

Octopus FTMRS 60D

The Israeli company Teletron represents the state of the art in interception technology for security and intelligence services, and is one of the better-known suppliers of listening equipment to telecommunications companies and surveillance institutions in all parts of the world. With a single workstation its interception system Octopus FTMRS 60D can monitor up to 120 telephone terminals simultaneously. The versatile system monitors all kinds of telephone calls and even faxes, and records the conversations and exchanged messages; all recorded conversations can be listened to and analysed later. The system consists of a central workstation and several operator units. The smaller version of Octopus monitors 30 telephone terminals and holds about 1,000 hours of recordings.

GSM Interception

Let us mention another GSM listening device offered over the Internet under various vague names, e.g. GSM Interception or Cellular (Telephone) Interceptor - GSM (Multi) Digital, mostly on pages that also offer assorted other "spy shop" goods. Along with the obligatory warning that the devices are available only to government organizations, this one openly states its price: $420,000 for GSM and $280,000 for the TDMA system. It is offered in a mobile version (a "black suitcase" combined with a notebook) and a stationary version built into a standard PC case. Given the way the device is presented (neither manufacturer nor model name is mentioned), the rather idealized photographs and feature list, and the price, one can assume that the purpose of these web sites is something else entirely (perhaps just collecting the e-mail addresses and other data of people who try to pass themselves off as government officials, which they will have trouble with, or finding out how many people are interested in or willing to pay half a million dollars for eavesdropping on their neighbours), and that the described device probably does not exist. I refer to this "device" only for its alleged features, which probably represent roughly the limit reached at present by the strongest professional cell-phone interception equipment. On the web you will find a number of similar private pages with such offers, with convincing photos of notebooks next to a black box with an antenna and screenshots of non-existent software, where, of course, after registering you can request full details by e-mail, and receive one of the many computer viruses in reply.


Netline Technologies of Tel Aviv offers the C-Guard Cellular Firewall. The device is the size of a packet of cigarettes and its purpose is to disable all cell phones in a given area. In this way phones can be forced off in churches, concert halls, restaurants, or in hospitals where they could interfere with medical electronics such as incubators or cardiac monitors. Arab states in particular have shown great interest in such blockers of mobile communications: a few years ago Bahrain bought 5,000 of them, officially to ensure peace in mosques. Cell Block Technologies of Manchester also offers the technology needed to block mobile phones, even over the Internet, at $158 per device. In Taiwan pocket blockers can be bought with which anyone who wishes can disable the mobile phones around them, and Uptron from the Indian city of Lucknow boasts technology that blocks mobile phones within almost 2 km. The prices of such devices offered on the Internet range from a few hundred to several thousand dollars, depending on the output power of the jammer.

In the United States the use of devices that jam mobile telephony is prohibited by law, with a penalty of $11,000 and one year in prison. Asked about it, the responsible German Ministry of Post and Telecommunications tersely announced that "these devices are subject to the Telecommunications Act and therefore can obtain neither an operating frequency nor a licence for use." In Croatia the purchase, installation or use of radio equipment (which, by their basic structure, cell-phone blockers are) without a previously obtained licence carries a fine of up to 400 thousand for a legal person. In Israel devices for blocking mobile phones are not prohibited. With small technical tricks they can even be made to act on selected phones only. Most manufacturers in other countries use wording in the technical descriptions of their blocking products that gives the impression that disabling mobile phones is a normal part of preventing criminal activity, since they effectively block the phones of criminals, terrorists or kidnappers. According to Daniela Keely, IBM's adviser for security and data protection, modern blockers can be programmed to block only certain phones or, conversely, to allow only certain phones to be used.

Cell phones with additional protection against eavesdropping

A big surprise in professional circles was caused in 2001 by the announcement by Rohde & Schwarz that for 6,300 marks it could deliver a phone that cannot be eavesdropped on. It is a Siemens S35i additionally equipped with encryption technology that does not allow "breaking". Siemens spokesman Stefan Böttinger claims that "even a thousand Pentium computers could not recover the key with which the conversations are encrypted in ten million years." It is fair to ask whether it is sensible, and not a little self-serving, that a manufacturer of interception equipment suddenly promotes countermeasures with which its own IMSI catcher can be successfully evaded. Siemens rejects any such insinuation and argues that the eavesdropping-proof phones will be sold only to state institutions and organizations, not to private individuals, and that a very strict process of vetting potential customers will be applied.

TopSec GSM is in fact the Siemens S35i into which Rohde & Schwarz has built a special cryptographic module. The high degree of protection against eavesdropping comes from the combination of an asymmetric algorithm with a 1024-bit key, which is used to agree the session key, and a 128-bit symmetric algorithm, which encrypts the speech. Encryption of a call is switched on with the "Crypto" soft key; everything else happens automatically: the devices exchange keys for up to 15 seconds and the call then proceeds encrypted. Like any other call, an encrypted call can be ended at any time by pressing the end button. On completion of the call the session key is deleted immediately, which, together with its size, is an additional safety factor. Besides encryption, TopSec GSM offers authentication as an option: special software can form closed user groups, whose members can communicate only with the phones within their own group. TopSec GSM is suitable for encrypted voice communication in the 900 and 1800 MHz bands. Besides calls between two TopSec GSM phones, encrypted calls can also be made to the fixed network, provided the ISDN side is protected by another product from the TopSec range, TopSec 703+, which can encrypt all calls on Euro-ISDN. With TopSec GSM one can of course also make perfectly ordinary, unprotected calls with any other user.