CellularPrivacy / Android-IMSI-Catcher-Detector

AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
GNU General Public License v3.0

Detection: Check value from registration timer T3212 #73

Open Gitschubser opened 10 years ago

Gitschubser commented 10 years ago

In the project https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/CatcherCatcher they check the timer T3212:

L5 Y The registration timer is set to a value < 10 minutes wip

We should check this timer too.

http://www.kmshetty.com/2011/06/t3212-periodic-location-update-timer.html
http://rfnetworkoptimization.blogspot.de/2011/05/explain-timer-t3212.html
http://de.wikipedia.org/wiki/IMSI-Catcher#Schutzma.C3.9Fnahmen

However, this recognisable pattern can be countered by the IMSI catcher in the simplest way: a script generates pseudo-random activity towards the individual registered subscribers, e.g. via silent SMS or RRLP queries. This causes the T3212 timers of the individual subscribers to stop running quasi-synchronously, the activity patterns appear more random, and this simple means of detection is prevented.

Since the IMSI catcher can simulate a GSM network towards the mobile phone, but not a mobile phone towards the network, a scanning operation with an IMSI catcher can also be exposed quite easily by a phone call: one calls the mobile phone in question. If it does not ring, the signalling coming from the "real" network has been swallowed. A successfully terminated call can rule out the use of a "simple" IMSI catcher (e.g. R&S GA 090). Meanwhile, however, there are smarter IMSI catchers that operate only semi-actively, so incoming calls can also be eavesdropped. A few mobile phones (e.g. earlier SonyEricsson devices) do indicate disabled encryption ("Ciphering Indication Feature"), which may point to the use of an IMSI catcher, provided the network operator does not suppress this via the OFM bit in EF_AD (Operational Feature Monitor LSB in byte 3 of the Elementary File: Administrative Data "6FAD") on the SIM. Monitoring functions controlled directly by the real network, entirely without an IMSI catcher, are unaffected by this.


E3V3A commented 10 years ago

@Gitschubser and @He3556 Could you translate that into English please? (Our developer @xLaMbChOpSx does not speak German.) Also, without AT command access we do not have access to any other timers than those found in the ServiceMode menu. I have listed and mapped these out in my thread:

RF/Radio properties of Samsung ServiceMode

They are:

T3210
T3211
T3212
T3213
T3220
T3230
T3240

Which include the one you mention above.

E3V3A commented 9 years ago

Another easy explanation:

Periodic LA and RA updating is used to notify the network of the UE's availability, and to avoid unnecessary paging attempts for a UE that has lost coverage and is not able to inform the CN that it is inactive.

The periodic LA update procedure is controlled by a timer, called t3212, which gives the time interval between two consecutive periodic location updates. The value is sent by the WCDMA RAN to UEs on the BCCH.

E3V3A commented 9 years ago

Would be good to know:

  1. How to find this value? Where to look and how to extract?
  2. What are typical values (found in the wild)?

Let's try to be specific here, so that we can implement this ASAP.

Gitschubser commented 9 years ago

  1. How to find this value? Where to look and how to extract?

Samsung Galaxy S3 #197328640# [1] DEBUG SCREEN -> [2] MM INFORMATION -> T1312=xx

  2. What are typical values (found in the wild)?

Each provider can have a different value in GSM and UMTS. It is necessary to collect the data from all provider/networks (manually or automatically).

Germany (MCC=262)

MNC GSM UMTS
1   30  30
2   10  10
3   120 120
7   40  39

E3V3A commented 9 years ago

@Gitschubser

  1. Yes, I know very well about the Samsung Service Menu, but we don't have it scraped yet. Also, those values shown there are probably not the value, but booleans showing if the timer is running or not. We need a different method. Can you post a screenshot?
  2. And what about other phones?

Gitschubser commented 9 years ago

The value is shown in decihours. You find this value in Layer 3 Message/System Information Type 3 (see here: http://2.bp.blogspot.com/-d2tLDGqDYoo/U0_Um5ak34I/AAAAAAAAAMA/ELMm_33ZD2E/s1600/si3.PNG -> T3212 timeout value)

T3212 This is the time-out value for MS periodic location updating. T3212 has values from 0 to 255. (Time for periodic LU = 6min * T3212 value)

Links:
http://telecomstudy18.blogspot.de/2014/04/layer-3-message-in-gsm.html
http://2g3g.blogspot.de/2009/10/4_123.html
http://www2.informatik.hu-berlin.de/~goeller/isdn/GSMDmChannels.pdf (3c 00111100 T3212 TimeOut value : 60 deci hours)
http://www.diva-portal.org/smash/get/diva2:355716/FULLTEXT01.pdf

MCC=262

MNC=1 GSM 30 = 3 hours = 180 minutes; UMTS 30 = 3 hours = 180 minutes
MNC=2 GSM 10 = 1 hour = 60 minutes; UMTS 10 = 1 hour = 60 minutes
MNC=3 GSM 120 = 12 hours = 720 minutes; UMTS 120 = 12 hours = 720 minutes
MNC=7 GSM 40 = 4 hours = 240 minutes; UMTS 39 = 234 minutes

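As an added example (not AIMSICD code, nor CatcherCatcher's), the Python below takes the T3212 octet out of the SI Type 3 Control Channel Description, converts it with the 6-minutes-per-decihour rule quoted above, applies the CatcherCatcher "registration timer < 10 minutes" heuristic and compares the value with a per-operator baseline built from the Germany figures in this thread. Assumptions: the IE layout (three value octets, T3212 last) is taken from 3GPP TS 44.018 10.5.2.11 as read here, the baseline dictionary and the sample bytes are constructed, and the 0x3c sample value is the one cited from the GSMDmChannels PDF.

```python
"""Decode a GSM T3212 periodic location-update timer and apply two checks
discussed in this thread: the CatcherCatcher heuristic (interval < 10 min)
and a comparison against an operator baseline.

Added example for this issue; not AIMSICD or CatcherCatcher code.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# T3212 is coded in decihours; one decihour is 6 minutes ("6min * T3212 value").
DECIHOUR_MINUTES = 6

# Constructed baseline from the GSM column of the Germany table in the thread,
# keyed by (MCC, MNC) strings. A real implementation would fill this from
# crowd-sourced measurements rather than a hard-coded dict.
BASELINE_T3212_GSM: Dict[Tuple[str, str], int] = {
    ("262", "01"): 30,
    ("262", "02"): 10,
    ("262", "03"): 120,
    ("262", "07"): 40,
}


@dataclass
class T3212Check:
    raw: int                                # 0..255 as broadcast in SI3
    minutes: Optional[int]                  # None when 0 = no periodic LU
    suspicious_short: bool                  # CatcherCatcher "L5" heuristic
    deviates_from_baseline: Optional[bool]  # None when operator is unknown


def t3212_to_minutes(raw: int) -> Optional[int]:
    """Convert the broadcast T3212 value to minutes; 0 disables periodic LU."""
    if not 0 <= raw <= 255:
        raise ValueError("T3212 is an 8-bit field (0..255)")
    return None if raw == 0 else raw * DECIHOUR_MINUTES


def t3212_from_control_channel_description(value_part: bytes) -> int:
    """Pull T3212 out of the SI3 Control Channel Description IE.

    Assumed layout (3GPP TS 44.018, 10.5.2.11): in SI Type 3 the IE is sent
    without an IEI as three value octets, and T3212 is the last one.
    """
    if len(value_part) != 3:
        raise ValueError("Control Channel Description value part is 3 octets")
    return value_part[2]


def check_t3212(value_part: bytes, mcc: str, mnc: str,
                short_threshold_minutes: int = 10) -> T3212Check:
    """Decode T3212 and flag it if implausibly short or off the baseline."""
    raw = t3212_from_control_channel_description(value_part)
    minutes = t3212_to_minutes(raw)
    # With 6-minute granularity only raw == 1 falls under the 10-minute bar.
    short = minutes is not None and minutes < short_threshold_minutes
    expected = BASELINE_T3212_GSM.get((mcc, mnc))
    deviates = None if expected is None else raw != expected
    return T3212Check(raw, minutes, short, deviates)


if __name__ == "__main__":
    # Constructed IE: the first two octets are arbitrary here; the last octet
    # is the 0x3c (= 60 decihours) value cited from the GSMDmChannels PDF.
    sample_ie = bytes([0x01, 0x06, 0x3C])
    print(check_t3212(sample_ie, "262", "01"))                  # 360 min, off baseline
    print(check_t3212(bytes([0x01, 0x06, 0x01]), "262", "02"))  # 6 min, flagged short
```

The baseline comparison only makes sense once enough measurements per MCC/MNC have been collected, which is exactly the data-gathering this thread asks for; a lone deviation is a hint to look at the cell more closely, not proof of a catcher.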

E3V3A commented 9 years ago

@Gitschubser Thanks for info!

However, now you're talking about T3212 and not what you wrote about T1312:

Samsung Galaxy S3 #197328640# [1] DEBUG SCREEN -> [2] MM INFORMATION -> T1312=xx

I've asked about "T1312" HERE, and it seems not to exist... since I never found any info on that timer, it's probably another typo, out of ~100s of other ones, in the BP firmware. :D

Most likely it is the: (a) timer values (as you say) and the (b) count of how many timeouts of the T3212, for the current cell (?).

Gitschubser commented 9 years ago

Please ask Samsung why they named it T1312. :-) Please decode the Layer 3 Message/SI Type 3 from your network and compare this value T3212 with the value T1312 in the Service Menu. You will see it is always the same value (T1312=T3212). Could other persons test this and agree with me?

E3V3A commented 9 years ago

@Gitschubser I don't have this value in my SM for the GT-I9195 unless it's been renamed to something else? Please have a look in the XDA link above, if you see something that may sound like it.

Germany T3212 MNO Timeout Table in: <value> (minutes):

MCC MNC GSM UMTS Operator
262 01 30 (180) 30 (180)
262 02 10 (60) 10 (180)
262 03 120 (720) 120 (720)
262 07 40 (240) 39 (234)

If you have the values for other countries, please post here.

He3556 commented 9 years ago

I am not sure if you know that the value for "Periodic Location Update" is saved on the SIM Card.

Once the MS reads T3212 from system info, it will store it on the SIM card. When the timer exceeds the T3212 value, the location update process will be triggered.

and

Large T3212 (16 - 20 hours) is recommended for the area with much traffic, and small T3212 (2-3 hours) for areas with little traffic. For the area where the traffic exceeds the system capacity, it is recommended to set T3212 as 0 (no periodic location update).

More details here

[ Edited by E:V:A for readability. ]

Gitschubser commented 9 years ago

France

MCC MNC GSM UMTS Operator
208 01 30 (180) 10 (60)
208 10 0 (180) 30 (180)
208 15 10 (60) 30 (180)
208 20 30 (180) 30 (180)

E3V3A commented 9 years ago

@Gitschubser, please also provide the operator names.

SecUpwN commented 9 years ago

Please also provide the operator names.

@Gitschubser, please answer the above question. Thank you.