IDENTITY ACQUISITION OF MOBILE STATIONS IN A MOBILE TELECOMMUNICATIONS NETWORK
Field of the Invention
The present invention relates to a method and apparatus for acquiring identity parameters of a mobile station, telephone, or user equipment, operating in a mobile telecommunications network.
Background Art
There is a need for acquiring identity parameters of a mobile station, phone or other user equipment, which is connected to a public network, in circumstances where the information and data held by the network provider is not available. The most important parameters are the IMSI (International Mobile Subscriber Identity) number and the IMEI (International Mobile Station Equipment Identity) number. The article "Protection in Mobile Communications", Hannes Federrath in: Günter Müller, Kai Rannenberg (Ed.): Multilateral Security in Communications, Addison-Wesley-Longman 1999, 349-364, discloses a so-called IMSI Catcher, which behaves like a base station to the target mobile phone, and behaves like a mobile phone in relation to the network base station. It makes a so-called man-in-the-middle attack, by transmitting with a greater power than the network base station on the Broadcast Control Channel frequency, so that the target mobile phone switches to the IMSI catcher, and discloses its identity parameters.
EP-A-1051053 discloses a method for identifying a mobile telephone (MS) in a public digital cellular mobile telephony network by operating, in proximity to the mobile telephone, a virtual base station (VBTS) with an associated test mobile telephone (TMS). The TMS obtains from the current network base station a list of all base stations adjacent to the current station, and selects from this list the adjacent base station having the highest power. The VBTS transmits on the BCCH of the selected base station with a greater power than that of the current base station, and with a location area code (LAC) different from that of the current base station. The mobile telephone MS thereby reselects VBTS, and transmits its identity parameters IMSI, IMEI. Whilst this method of identifying a mobile telephone has had successful commercial use, there are a number of issues which arise, such as the complex procedures which are required for upgrading the method from GSM to later standards such as UMTS. Further there are continuing requirements to reduce equipment costs and to reduce complexity.
EP-A-1908319 discloses a method of acquiring the identity of two or more mobile devices, by the use of an IMSI Catcher device. Issues arise, similar to those mentioned in regard to EP-A-1051053.
EP-A-1995985 discloses a system for emulating the functions of a mobile network, including measuring parameters of a serving cell, and then camping into neighbouring cells to store parameters of neighbouring cells, and a base station configured to form a virtual cell masquerading as a neighbouring cell, which becomes a tempting destination for a cell reselection. The system interferes with existing serving cells in order to cause user terminals to camp into the virtual cell, whereupon user terminals are identified.
Summary of the Invention
An object of the invention is to provide a method of acquiring identity parameters of a mobile station which may have advantages of simplicity and cost.
In a first aspect, the invention provides a method for acquiring identity parameters of a target mobile station operating in a mobile telecommunications network, the method comprising:
providing a predetermined area in which the target mobile station may be located and within which radio signals from base stations of the mobile network are disrupted or are not present, whereby to force the target mobile station to enter a no-service mode;
and presenting within said predetermined area a virtual telecommunications network, which is configured as a low level network, and which is such that the target mobile station attaches to the virtual network, and the virtual network requiring the target mobile station to disclose identity parameters.
In a second aspect, the invention provides apparatus for acquiring identity parameters of a target mobile station operating in a mobile telecommunications network, comprising:
means for presenting within a predetermined area in which the target mobile station may be located, a virtual telecommunications network, which is configured as a low level network, wherein within said predetermined area radio signals from base stations of said network are disrupted or are not present, whereby to force the target mobile station to enter a no-service mode; and wherein said virtual network is such that the target mobile station attaches to the virtual network, and the virtual network including means for requiring the target mobile station to disclose identity parameters.
Thus a localized region is provided, in which a target mobile station may be located, and wherein transmissions of a local base station of the telecommunications network are not present, or are present but disrupted, so as not to be recognizable by the mobile station. This can be done by transmitting disrupting or jamming signals across all control channel frequencies (jamming being the deliberate transmission of radio signals that disrupt communications by decreasing the signal to noise ratio), or by electrically isolating the region such as for example by use of a Faraday Cage. Alternatively transmissions may not be present in this localized region, for example by reason of lack of network coverage.
In this situation, as is described in more detail below, after the target station has searched for its home network and any Roaming Partner network, it will revert to a "no-service" mode, where it has the capability to connect to any compatible network (so that it may for example make calls to the emergency services), and continues periodically to search for a technically compatible network.
In accordance with the invention, within this localized region, a virtual network is presented, which is technically compatible with the mobile station. To avoid unnecessary complication, and to ensure fast and reliable operation, this virtual network is constructed at a low protocol level, for example layer 2 of the GSM protocol, the data link layer, which includes the LAPDm protocol. The virtual network will, in accordance with known location update procedures, request and receive the identity parameters of the target mobile station, as explained in more detail below. In an embodiment, a low level network is constructed according to the GSM system. Although current day handsets and User Equipment may operate on more modern systems, such as UMTS and WCDMA ("3G" and "4G"), nevertheless it is a feature of such systems that they are required to provide a basic functionality compatible with GSM.
For the purposes of the present invention, a "low-level" network is intended to mean a network which implements functions of level 1 only, or level 1 and level 2, of the OSI and/or GSM protocol architecture, that is the physical layer and data link layer, but which does not implement level 3 functions of the GSM protocol architecture, or higher level functions of the OSI protocol architecture. The excluded functions include message layer protocols such as Radio Resource, Mobility Management, and Connection Management, as explained more fully below.
Embodiments of the invention are particularly applicable for operation within buildings or restricted areas, and in particular to very small predetermined areas or localized regions, for example just one, two or a few meters in diameter, as may occur in buildings in conference rooms, meeting rooms, corridors, reception areas, where there may only be a handful, three or four, of mobile phones, but where it is important to discover any illegitimate device. The present invention, by reason of its simplicity and fast operation, can operate in such small environments, whereas the prior art referred to above is designed to operate on much larger scales, and is much too slow in its operation. Short range and directional antennae may be employed for identifying individual devices, by use of direction finding and triangulation techniques. Located devices may be checked against existing "black and white" lists.
In order to avoid any risk of interference with neighbouring GSM transmissions, the virtual network of the invention may be transmitted at frequencies which are not normally used, that is at multiples of the GSM clock frequency of 13 MHz. To enable this, a notch filter is provided, centred on the selected transmission frequency, and of a selected narrow width. As preferred, frequencies are selected, for ease of technical implementation, at or near the edge of the permitted frequency bands.
The present invention, in its preferred form, may be used on any of the currently available or proposed networks, including GSM/CDMA/GPRS/2G/3G/3.5G/4G/EDGE and all future formats, taking advantage of the multi-format / multi-mode nature of all modern GSM compatible devices. We disrupt the spectrum of all other formats and frequencies (currently GSM 850, 900, 1800, 1900 and 3G) and present our network on GSM 900. All current devices have the ability to use GSM 900 (even if it is not their preferred network/frequency) and once in no-service mode will look for any available network.
There are several advantages to the invention over existing methods as described above:
1. Simplicity - As the invention does not use any kind of network analysis, hardware and software complexity can be significantly reduced.
2. Costs - As the invention does not use any kind of network analysis, hardware and software costs can be significantly reduced.
3. Future redundancy - By taking advantage of the multi-mode nature of all mobile stations as future network formats become prevalent we will only need to disrupt such network formats and force the station into our preferred virtual network, as opposed to the existing methods which need to have complex network emulation and protocol decoding.
4. Directionality - By utilising signal power control, directional antennas and device signal-strength information we can target specific small areas or individuals (as opposed to grabbing all devices in a given large area, as in the prior art).
Brief Description of the Drawings
Preferred embodiments of the invention will now be described with reference to the accompanying drawings, wherein:
Figure 1 is a schematic of the GSM Protocol Architecture;
Figure 2 is a schematic of operation of a first preferred embodiment;
Figure 3 is a schematic of operation of a second preferred embodiment;
Figure 4 is a block schematic diagram of an embodiment of a device for implementing the method of the present invention;
Figure 5 shows schematically the sequence of operation of an embodiment of the invention;
Figure 6 shows an embodiment of the invention, within a building;
Figure 7 shows an embodiment of the invention, for identifying a device held by a person;
Figure 8 shows an embodiment of the invention, where two devices of the invention are each located within a respective restricted area;
Figure 9 shows an embodiment of the invention, within a building, where location of a hidden device is determined;
Figure 10 shows an embodiment of the invention, where instead of deploying a disruption signal, a Faraday cage is provided;
Figure 11 shows an embodiment of the invention wherein unknown devices being carried by a group of persons can be identified, and compared against a black/white list of devices;
Figure 12 shows an embodiment wherein both the identification and location of a hidden device on one person in a group of people sat around a table is obtained, by use of multiple apparatus signal triangulation; and
Figure 13 is a table of GSM 900 operating frequencies, with unused frequencies highlighted.
Description of the Embodiments
The embodiments described below provide a cost-effective, fast, simple-to-operate solution for IMSI/IMEI capture. All solutions in the prior art rely on the emulation of the home network of the target device(s). This method has many drawbacks including high price, slow speed, physically large size, high power requirement, complex operation, high cost per operation, and high RF environmental impact. The embodiments described address and significantly improve on all of the above drawbacks. The embodiments described make use of a low level GSM Network.
Referring to Figure 1, this is a well known schematic of the GSM Protocol Architecture (see for example "Overview of the GSM System and Protocol Architecture", IEEE Communications Magazine, April 1993, pp. 92-100, and Introduction to GSM, Artech House Publishers (1995), ISBN 089006-785-6, Siegmund Redl, Matthias Weber and Malcolm Oliphant). The GSM protocol is based on SSN7 of CCITT (used by ISDN) but additionally includes a Mobile Application Part. At the radio interface between the mobile station and base station three protocol layers are implemented. The physical layer (Layer 1) defines traffic and signalling channels, including modulation, power control, coding, timing, etc. The data link layer (Layer 2), a link access procedure termed the LAPDm protocol, provides reliable transport for messages, and includes organisation of data into frames, maintaining data links, and acknowledgement and unacknowledgement of frames. Message layer 3, also termed the network layer or signalling layer, contains all the functions and details necessary to establish, maintain, and then terminate mobile connections for services offered by GSM. Layer 3 implements higher level functions: Radio Resource (RR), Mobility Management (MM), and Call Management (CM).
The embodiments described take advantage of the Emergency Call Codes present in the Service Table of every SIM (Subscriber Identity Module), within the Elementary Files (EF) (see ETSI Standard GSM 11.11). When any phone is in "no-service" mode, that is unable to find a preferred network, the phone will nevertheless automatically look for any available network for the purpose of making an emergency call. Therefore the phone will configure to exchange its IMSI/IMEI numbers upon finding any GSM network, and presenting the virtual network of this invention will force this exchange. This operation or "handshake" is carried out employing layers 1 and 2 of a GSM Network, but not layer 3. This is to be distinguished from the other type of voice call in the GSM system, the "normal telephony call" (see Sec. 4.4 of standard GSM 02.03 v7.0.00), which requires layer 3 call control functions.
The embodiments therefore fundamentally differ from existing solutions, as we do not attempt to emulate any existing network but establish a 'test network' with which any technically compatible mobile device can perform a background 'handshake' in the absence of its preferred home network or any 'roaming partner' as defined in the SIM's Cooperative Network List (EFcnl).
By manipulating the RF environment we ensure the target device(s) can only see our network. Utilising the multi-band requirement of the GSM2.07 #1.14 standard means our process will operate globally regardless of the frequencies of the home networks present.
By utilising the multi-band nature of all current GSM devices we remove the need for the per-network channel analysis of the existing solutions. For example, in the UK full network analysis requires analysing 9 network channels, at 6 minutes (for a full search) per network channel. This can be done one channel after another with a single channel solution, taking 54 mins, or simultaneously using multiple channel equipment (with all the associated increases in size, cost, power usage and operational complexity), taking 6 mins. Our solution requires zero time for network analysis.
By reducing the hardware size and complexity we reduce standard costs by over 50% (and up to 90% for some implementations).
We reduce operator complexity massively from a training program that can take a week and requires a high level of technical knowledge to a solution that takes an hour to learn and requires almost no technical knowledge. For many operations it is as simple as 'start' and 'stop'. This significantly improves the accessibility and ease of use (e.g. law enforcement requirements).
By utilising short-range directional antennas we significantly reduce the RF collateral impact of operation (the number of non-target users who may be denied service). Existing solutions mainly create an emulation of an existing network. The problem with this approach is that all phones within range may try to connect, subsequently having their service disrupted. As our solution does not create a 'known' network the only phones that will be disrupted will be the ones in our controlled disruption range. This means we can target areas as small as 1-2 meters.
By only requiring a single virtual network we significantly reduce the physical size of the hardware and the power requirement. In many cases this significantly improves the usable application.
The embodiments are concerned with a method and associated apparatus for acquiring identity parameters for one or more mobile devices or stations. This information may be utilised for various functions including mobile device location, identification, tracking and control. In order to obtain the identity parameters of a suspect mobile station (MS), the present invention relies upon known parameter exchange procedures which occur during use of a mobile station.
A GSM or UMTS network, like all cellular networks, is a radio network of individual cells, known as base stations. Each base station covers a small geographical area which is part of a uniquely identified location area. By integrating the coverage of each of these base stations, a cellular network provides radio coverage over a very much wider area. A group of base stations is called a location area, or a routing area. A location update procedure allows a mobile device to inform the cellular network whenever it moves from one location area to the next. Mobile devices are responsible for detecting location area codes. When a mobile finds that the location area code is different from its last update, it performs another update by sending to the network a location update request, together with its previous location and its Temporary Mobile Subscriber Identity (TMSI). There are several reasons why a mobile may provide updated location information to the network. Whenever a mobile is switched on or off, the network may require it to perform an IMSI attach or IMSI detach location update procedure. Also, each mobile is required to regularly report its location at a set time interval using a periodic location update procedure. Whenever a mobile moves from one location area to the next while not on a call, a random location update is required. This is also required of a stationary mobile that reselects coverage from a cell in a different location area, because of signal fade. Thus a subscriber has reliable access to the network and may be reached with a call, while enjoying the freedom of mobility within the whole coverage area. When a subscriber is paged in an attempt to deliver a call or SMS and the subscriber does not reply to that page, then the subscriber is marked as absent in both the MSC/VLR and the HLR (Mobile not reachable flag MNRF is set). The next time the mobile performs a location update the HLR is updated and the mobile not reachable flag is cleared.
The present invention in preferred embodiments uses spectrum disruption across all potential frequencies for a given mobile station (MS) or device, presents a virtual network, and forces the mobile device(s) to abandon connecting to its preferred network. The virtual network is such that any device(s) in 'No service' mode will then connect. Once the device has switched to the virtual network it is then in a low level GSM 'Test-mode' which bypasses any SIM configured network settings and allows the apparatus to control the mobile device. These controls include (but are not limited to): retrieving IMSI and/or IMEI and/or TMSI and/or MSISDN, engaging in a call, requesting device signal strength, paging the device(s), sending and receiving SMS messages.
This invention does not emulate existing networks or perform any kind of detailed network analysis, nor does it perform any kind of covert 'man-in-the-middle' function or audio demodulation. It does not interrogate any existing MS/BS information. It may be considered an 'overt' network switch-over, as opposed to 'covert' network emulation. This invention, in a preferred embodiment, utilises a low-level GSM 'Test mode' protocol. By switching in this way it is fundamentally different from all the prior art referred to above.
Referring to Figure 2, this is a schematic of operation of a first preferred embodiment, showing power level of signal on a vertical axis and time on a horizontal axis, within a restricted geographical area, where a suspect mobile station (MS) may be located. The detection device shown in Figure 4 is employed to generate an RF disruption or jamming signal 2 across all relevant frequencies at which a network base station may transmit: for GSM 900 this is in the range 935 - 960 MHz. After a period of 10 - 120 seconds, when the target MS is switched to a "no-service" mode, a low level virtual network 4 is presented by the detection device. The target MS will detect the virtual network, attach itself to the network, and disclose its IMSI and IMEI numbers. Once this information has been obtained, the detection device will cease to transmit, permitting the target MS to reattach to its chosen network.
More specifically, when the target MS loses its preferred network it goes through the following steps:
a) MS continues to search for its 'home network' or the 'next BS' it may have in its register (if, for instance, it had previously been connected to another network). The time period that the MS searches for its 'home' or 'next' network is defined by the SIM parameter 'search for preferred network'. This is normally a time from 10 to 120 seconds.
b) At the point when neither the 'home network' nor the 'next BS' has been found and the 'search for preferred network' time has elapsed, the MS then searches for any compatible network on any frequency range/format that the MS can operate on (850/900/800/3G/3.5G etc.).
c) When the MS finds a technically compatible network it will look to see if it is included in its 'Roaming Partner list' (if it has network roaming capability) as defined by the SIM card. If a preferred network is found it will connect to this network.
If no preferred network is found the MS will revert to a "no-service" or idle mode, in which it will continue to scan for and connect to any technically compatible standard. This occurs due to the lower level GSM protocol that allows any handset to access any technically compatible network to enable an Emergency Call (112 / 91 / 999) (see GSM standards GSM 02.30 v7.0.0 and GSM 0203_340).
In this idle mode call control tests are carried out to ensure by checking defined call control states and transitions from one state to another. A distinction is made between the case of an incoming call, an outgoing call, and incall functions. In addition Emergency call setup is tested: a GSM phone has to be able to perform an emergency call, even when a valid SIM is not inserted.
When the target MS reverts to no-service mode, and the virtual network (VN) of the invention is presented, the following actions take place:
d) The target MS is scanning for a network and discovers the VN and initiates a handshake.
e) To ensure the shortest delay time, the VN is repeatedly cycling a 'Location Update' procedure, which is a defined procedure, for example by 3GPP TS 23.012 V5.2.0 (2003-09).
f) The specific GSM channel frequency of the VN will not affect the hand-over as long as the presented frequency is within the technical capability of the MS.
g) At the point when the MS responds to the 'Location Update' command, the MS receives a full set of parameter commands defining its initial protocols whilst connected to the VN.
h) Within the location update procedure, the usual handshake protocols take place.
The MS identity parameters of IMSI and IMEI are stored in the VN's internal 'Location register' but none of this is translated or communicated further (as would occur with an actual network where upon registration to the BS a call would be interrogated and communicated to the wider network utilising VLR and HLR protocols).
Referring now to Figure 3, this is a schematic of operation of a second preferred embodiment, showing level of signal on a vertical axis and frequency on a horizontal axis. Within a restricted geographical area, where a suspect mobile station (MS) may be located, the detection device shown in Figure 4 is employed to generate an RF disruption or jamming signal 2 across frequencies at which a network base station may transmit: for GSM 900 this is in the range 935 - 960 MHz. However a narrow gap or 'notch' 6 is left in the network spectrum. This notch will be the generally unused GSM channel frequencies that are multiples of the core GSM protocol clock frequency (13 MHz). As shown, the notch occurs at Channel 5, 936 MHz, and may be the width of a GSM channel, 200 kHz. Simultaneously within this notch a virtual network 4 is presented, to effect a network switch, and to carry out the procedure as described above with reference to Figure 1.
Referring to Figure 13, this shows in tabular form the GSM transmission frequencies, TX indicating MS to base station transmissions, and RX indicating base stations to MS transmissions. Unused frequencies at a multiple of the GSM clock frequency are highlighted. It is preferred to use, from the point of view of ease of technical implementation, unused frequencies at the edges of the spectrum, that is 936.0, 938.6, 956.8, and 959.4 MHz.
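Seen from the defender's side, the sequence described above (loss of service, attachment to an unfamiliar GSM 900 cell, requests for IMSI and IMEI) and the preferred carriers listed with reference to Figure 13 can be checked for in a handset's event log. The following is an added example, not part of the original specification: the log format, the baseline cell list and the three-indicator threshold are assumptions made for illustration, while the four carrier frequencies are those given above.

```python
import re
from dataclasses import dataclass, field

# Downlink carriers (MHz) the description lists as preferred for the virtual network.
PREFERRED_MHZ = (936.0, 938.6, 956.8, 959.4)


def arfcn_from_downlink(mhz):
    """P-GSM 900 channel number: downlink = 935 MHz + 0.2 MHz * ARFCN, ARFCN 1..124."""
    n = round((mhz - 935.0) / 0.2)
    if not 1 <= n <= 124 or abs(935.0 + 0.2 * n - mhz) > 1e-6:
        raise ValueError(f"{mhz} MHz is not a P-GSM 900 downlink carrier")
    return n


WATCH_ARFCNS = frozenset(arfcn_from_downlink(f) for f in PREFERRED_MHZ)

# Constructed event log, "<seconds> <EVENT> key=value ...". The format is hypothetical.
SAMPLE_LOG = """\
0 SERVING arfcn=62 lac=0x1a2b
300 SERVING arfcn=70 lac=0x1a2b
900 NO_SERVICE
930 SERVING arfcn=70 lac=0x1a2b
1500 NO_SERVICE
1560 SERVING arfcn=5 lac=0x0001
1561 IDENTITY_REQUEST type=IMSI
1562 IDENTITY_REQUEST type=IMEI
1600 NO_SERVICE
1620 SERVING arfcn=62 lac=0x1a2b
""".splitlines()

# Cells this handset normally camps on (constructed baseline).
BASELINE = {(62, 0x1A2B), (70, 0x1A2B)}

LINE_RE = re.compile(r"^(\d+)\s+([A-Z_]+)\s*(.*)$")


@dataclass
class Episode:
    """One period of camping on a single cell, with the indicators it raised."""
    start: int
    arfcn: int
    lac: int
    indicators: set = field(default_factory=set)
    identities: set = field(default_factory=set)


def parse(line):
    """Split one log line into (time, event name, key/value fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return int(m.group(1)), m.group(2), fields


def analyse(lines, baseline, threshold=3):
    """Return camping episodes that show at least `threshold` indicators."""
    episodes, current, in_no_service = [], None, False
    for line in lines:
        _t, kind, f = parse(line)
        if kind == "NO_SERVICE":
            current, in_no_service = None, True
        elif kind == "SERVING":
            current = Episode(_t, int(f["arfcn"]), int(f["lac"], 16))
            if in_no_service:
                # Attach came straight after a loss of service.
                current.indicators.add("attach_after_no_service")
            if current.arfcn in WATCH_ARFCNS:
                # Cell sits on one of the carriers named in the description.
                current.indicators.add("preferred_carrier")
            if (current.arfcn, current.lac) not in baseline:
                current.indicators.add("unknown_cell")
            episodes.append(current)
            in_no_service = False
        elif kind == "IDENTITY_REQUEST" and current is not None:
            current.identities.add(f["type"])
            if {"IMSI", "IMEI"} <= current.identities:
                current.indicators.add("imsi_and_imei_requested")
    return [e for e in episodes if len(e.indicators) >= threshold]


if __name__ == "__main__":
    for e in analyse(SAMPLE_LOG, BASELINE):
        print(f"t={e.start}s ARFCN {e.arfcn} LAC {e.lac:#06x}: {sorted(e.indicators)}")
```

An ordinary recovery from a coverage gap raises only one indicator here, so it stays below the threshold; a real deployment would tune the threshold and baseline to the handset's normal cells.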
In regard to signal disruption and presenting a network, this may be done sequentially or simultaneously, and advantages and disadvantages are as follows:
Disruption first:
Pros: Simplest solution from a technical viewpoint.
Cons: Takes a minimum of 120 seconds, only grabs one device at a time (as once the disruption is lifted some devices will find their home network before seeing the virtual one).
Simultaneous:
Pros: Will grab all/multiple devices within our RF range as there is no other network available while our device is running. Will grab some devices sooner than 120 seconds. This can be instant for 'no service' phones and as short as 10 seconds for some phones (this is dictated by the 'time-out' settings on the SIM which defines how long the phone will look for its home network before attempting to roam).
Cons: More complex to build, can be less energy efficient.
As regards the power levels of the disruption and virtual networks, the power should be kept as low as possible consistent with performing the features of the invention.
Referring now to Figure 4, this shows a device 10 for implementing the virtual network of the invention. The device is housed within a small box, and emits between 0.1 and 2 watts (however there may be situations where we may use up to 10 watts) RF power from a microwave antenna, at frequencies within the GSM range. The device includes a power unit 12, a Control Configuration System CCS 14, and an RF engine (RFE) 15 comprising GSM core engine (GCE) 16, RF amplifiers (RFA) 18, Antennas (directional and/or Omni) (ANT) 20, RF control systems (RF) 24, and a networking / communications module 28.
CCS 14 provides overall control and management of communications, and interfacing with external functions, such as networking module 28. RF engine 15 contains equipment necessary to generate and transmit a GSM virtual network.
The GCE 16 is a module that comprises: a serial or USB duplex interface (connected to the CCS); a dedicated CPU/DSP controller and required RAM/ROM that store/control/adjust/measure/report the GSM protocols; and an RF section that takes the protocol settings and creates the virtual network (at a low signal level). Parameters controlled by the controller include frequency range, channel selection, power levels, power measurement and all other GSM parameters.
RF control system 24 includes a mechanism for producing disruption or jamming signals across the frequency range. RFA part 18 includes a notch filtering arrangement for the embodiment of Figure 2, and signalling amplification.
The networking module 28 permits wider area networking to enable more than one device to share data about the target mobile phones (black/white list). This can utilise many protocols (and will be application defined) including IP/HTTP/WiFi/GPRS/Bluetooth/Optical.
It will be appreciated that the combination of control/configuration system CCS 14, and the RF engine comprising elements 16-26, enables a virtual wireless network to be broadcast, within the operating range of device 10. This network is presented on a single frequency and channel, manipulating the multi-band/multi-format nature of mobile devices.
In an alternative form of device 10, the CCS 14 is contained in an external unit, connected by a data link - for example various software/hardware combinations including PCs, Laptops, NetBooks, PDAs, Smartphones and dedicated solid-state serial controllers; in Figures 5 - 12, the CCS is shown as incorporated in a Laptop with display screen.
Figure 5 shows schematically the operation of an embodiment of the invention, with a mobile phone MS within the broadcast area of the virtual network generated by the RF engine RFE, and controlled and monitored by CCS, which is shown as contained within a desk top PC or lap top. The mobile phone MS is cycled over four stages. In stage 1, it is attached to its home network. In stage 2, disruption puts the phone into a no-service mode. In stage 3, the mobile phone attaches to the virtual network, and provides its IMSI and IMEI numbers, which are held in the CCS. In stage 4, the CCS switches off the RFE, and the phone MS reverts to its home network. The switch from Stage 1 to 3 may appear instantaneous in some circumstances. The switch to stage 4 is dictated by the CCS settings.
Figure 6 shows an embodiment of the invention, where the device CCS, RFE of Figure 4 is located within a building, so that a target or unknown device MS within the building can be identified, and its IMSI and IMEI numbers held by CCS.
Figure 7 shows an embodiment of the invention, where the device CCS, RFE of Figure 4 is located within a restricted area, so that a target or unknown device MS being carried by a person can be identified, and its IMSI and IMEI numbers held by CCS.
Figure 8 shows an embodiment of the invention, where two devices 10 of Figure 4 are each located within a respective restricted area, so that target or unknown devices MS being carried by a person or persons can be identified, and their IMSI and IMEI numbers held by the respective CCS, CCS1 or CCS2. In this embodiment CCS1 contains in memory a black/white list of phones which are known to be valid and phones which are suspect. This black/white list is shared with CCS2 by means of network link 30. In this way, the phones within the surveillance areas can be assessed for validity, where the acquired numbers are compared against this list.
Figure 9 shows an embodiment of the invention based on the embodiment of Figure 6, where the device of Figure 4 is located within a building, so that a target or unknown device MS within the building can be identified, and its IMSI and IMEI numbers held by CCS. In addition, a hand held GSM RF detector HHD can then be employed to locate the device, in the circumstance where it may be hidden. This is effected by making a call (using the low level virtual network) to the target device, and detecting its transmissions.
Figure 10 shows an embodiment of the invention, where instead of deploying a disruption signal by means of an RF engine, a Faraday cage F, for example located within the walls of a corridor, creates a passive disrupted 'No-Service' environment.
Any device outside the controlled environment will connect to the three Base Stations B shown. When a device enters the controlled area it will revert to a no-service mode, and will attach to the virtual network presented by the invention. This type of construction might be permanent (examples include security control areas, Passport control and customs areas) or temporary (such as an erectable portable tunnel).
Figure 11 is an embodiment, based on the embodiment of Figure 8, and a device 10 of Figure 4 is located within a restricted area, so that target or unknown devices MS being carried by a group of persons can be identified, and their IMSI and IMEI numbers held by the CCS. In this embodiment CCS contains in memory a black/white list of phones which are known to be valid and phones which are suspect, and the acquired numbers are compared against this list.
Figure 12 shows an embodiment wherein both the identification and location of a hidden device on one person in a group of people sat around a table is obtained, by use of multiple apparatus signal triangulation. By utilising two RFE units 15, coupled to a single CCS 14, and comparing the received strength of the mobile device by the two RFEs, very accurate triangulation can be achieved. In this example there is an overlaid overhead video image of the room allowing for instant visual identification of the mobile device. All the devices in the room can in addition be checked against a black/white list.
The present invention can be adapted for different environments; the location of the RFE units can be both overt and covert, including (but not limited to) body worn, vehicle mounted and street furniture.
The present invention may be used in reconnaissance situations, e.g. in a business reception, and used in conjunction with a camera. Differential signal strength of two transmitters is used, e.g. at two different reception desks, to triangulate, and to determine at which desk an illegal phone is, or, if there are multiple illegal phones, to sort targets.
Features of the invention are as follows:
1. A method for forcing a mobile device(s) (including GSM/CDMA/GPRS/2G/3G/3.5G/4G/EDGE and all future formats) to switch to a controlled virtual network from its preferred network by creating a "no-service" environment (active and/or passive and permanent or temporary) and presenting a virtual network as the only available network.
2. A method that creates a 'no-service' environment by the means of active spectrum disruption (or 'jamming') for a period of 10 to 120 seconds followed by presenting a virtual network configured to accept emergency calls, thus effecting a network switch from the device's preferred network.
3. A method that creates a 'no-service' environment by the means of active spectrum disruption whilst leaving a narrow gap or 'notch' in the jamming spectrum. This notch will be the generally unused GSM channel frequencies that are multiples of the core GSM protocol clock frequency (13 MHz). Simultaneously within this notch a virtual network is presented, thus effecting a network switch from the device's preferred network.
4. A method that creates a 'no-service' environment by the means of active spectrum disruption whilst simultaneously presenting a virtual network, thus effecting a network switch from the device's preferred network.
5. A method that creates a 'no-service' environment by the means of passive spectrum disruption. Methods include creating an area of RF isolation utilising temporary or permanent Faraday cage or shield. Simultaneously within this environment a virtual network is presented, thus effecting a network switch from the device's preferred network. In some environments there is no network coverage and no passive spectrum disruption will be required.
6. A method wherein the IMSI and/or IMEI and/or TMSI and/or MSISDN (or any other available parameter) of mobile device(s) can be obtained.
7. A method wherein a covert/hidden mobile device can be identified and located by the use of engaging the MS in a BS call and utilising a hand-held detector (HHD) to locate the device.
8. A method wherein a covert/hidden mobile device (both a single device and a device used as a component for a more complex device) can be identified and located by the use of multiple apparatus and/or MS signal strength and/or signal triangulation.
9. A method wherein a covert hidden mobile device (both a single device and a device used as a component for a more complex device) can be identified and located by the use of apparatus(s) and/or MS signal strength and/or signal triangulation and subsequently controlled by the apparatus operator.
10. A method wherein one or more mobile devices can be identified and checked against a black and white-list table.
11. A method wherein one or more mobile devices can be identified and checked against a black and white-list table across a local or wide area by utilising one or more apparatus(s) and wired and/or wireless networking between the units. This network may or may not be encrypted.
12. A method wherein one or more mobile devices can be identified and checked against a black and white-list table across a local or wide area by utilising one or more apparatus(s) and using this data to control secondary systems including: physical access control devices, alarms and alerting systems.
13. A method wherein one or more mobile devices can be identified and sent a SMS message as defined by the apparatus and/or circumstances.
14. A method wherein one or more mobile devices can be identified and information sent to a wide-area GSM tracking system.
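From the handset's side, the four-stage cycle described above (home network, no service, virtual network, back to home) and the 10 to 120 second disruption period of feature 2 leave a recognisable trace in a serving-cell log. The following Python detector is an added illustration, not part of the patent text; the log format, the baseline of known cells and all function names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

MIN_GAP_S, MAX_GAP_S = 10, 120  # disruption period stated in feature 2

@dataclass(frozen=True)
class Run:
    cell: Optional[tuple]  # (MCC, MNC, LAC, cell ID); None means no service
    start: int             # seconds since the log began

def runs_of(log):
    """Collapse (t, cell) samples into runs of one serving cell."""
    runs = []
    for t, cell in log:
        if not runs or runs[-1].cell != cell:
            runs.append(Run(cell, t))
    return runs

def find_cycles(log, baseline):
    """Flag known -> [no service] -> unknown cell -> [no service] -> known."""
    runs, alerts = runs_of(log), []
    for i, run in enumerate(runs):
        if run.cell is None or run.cell in baseline:
            continue  # only a cell outside the baseline can be stage 3
        before, gap = i - 1, 0
        if before >= 0 and runs[before].cell is None:  # stage 2 observed
            gap = run.start - runs[before].start
            before -= 1
            if not MIN_GAP_S <= gap <= MAX_GAP_S:
                continue  # outage too short or long for feature 2's window
        after = i + 1
        if after < len(runs) and runs[after].cell is None:
            after += 1  # brief loss of service while reverting (stage 4)
        if (before >= 0 and runs[before].cell in baseline
                and after < len(runs) and runs[after].cell in baseline):
            alerts.append({"cell": run.cell, "no_service_s": gap,
                           "attached_s": runs[i + 1].start - run.start})
    return alerts

# Constructed sample data: test PLMN 001/01, invented LAC and cell IDs.
HOME, HOME2, UNKNOWN = (1, 1, 1201, 4411), (1, 1, 1201, 4412), (1, 1, 9999, 1)
BASELINE = {HOME, HOME2}
SAMPLE_LOG = [(0, HOME), (30, HOME), (60, None), (75, None), (95, UNKNOWN),
              (110, UNKNOWN), (140, None), (150, HOME), (400, HOME2),
              (700, None), (1200, HOME)]

if __name__ == "__main__":
    for alert in find_cycles(SAMPLE_LOG, BASELINE):
        print(alert)
```

An alert is a candidate for review rather than proof, since a legitimate new cell also matches until it is added to the baseline. A `no_service_s` of 0 covers the case the description notes, where the switch from stage 1 to stage 3 appears instantaneous.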