TMSIs and Identity theft?
zecke at selfish.org
Sat Jan 10 01:40:33 CET 2009
I'm currently implementing the CM Service Request of GSM 04.08 and I wonder
about the following:

1.) Some phones send us the TMSI of their current network.
2.) One can ask the phone for the IMEISV/IMSI.
3.) One can accept the LOCATION UPDATING REQUEST (or wait).
4.) A rogue MS could now request a channel with the BTS of the original.
5.) It could send a CM Service Request with the TMSI of the original phone and
claim to not support A5 and such...
6.) It could initiate a call on behalf of the other phone...?
7.) What is IMSI detached? I have not yet seen it... but it could solve such
things? So far I have only seen TMSI reallocation complete messages...

What am I missing? These messages are not encrypted, right? One would just need
to know the right channel/paging group and such? Is this known? Plausible?
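The identity the network gets in a CM SERVICE REQUEST is the Mobile Identity IE of GSM 04.08 (10.5.1.4), which carries either a TMSI or an IMSI/IMEI/IMEISV in BCD. The decoder below, plus a network-side check that refuses to act on a TMSI match alone, is an added example and not code from the post or from OpenBSC; the sample IEs and the VLR dictionary are constructed, and `must_authenticate` is an illustrative policy, not OpenBSC's.

```python
from dataclasses import dataclass

# GSM 04.08 10.5.1.4 "type of identity" values (low three bits of octet 1).
ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

# Constructed sample IEs (value part only, not captured traffic).
SAMPLE_IMSI_IE = bytes.fromhex("0910101032547698")  # IMSI 001010123456789
SAMPLE_TMSI_IE = bytes.fromhex("f412345678")        # TMSI 0x12345678

@dataclass
class MobileIdentity:
    kind: str
    value: str  # decimal digits for IMSI/IMEI/IMEISV, 8 hex digits for TMSI

def decode_mobile_identity(ie: bytes) -> MobileIdentity:
    """Decode the value part of a Mobile Identity IE (length octet stripped)."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    first = ie[0]
    kind = ID_TYPES.get(first & 0x07)
    if kind is None:
        raise ValueError("reserved type of identity %d" % (first & 0x07))
    if kind == "none":
        return MobileIdentity(kind, "")
    if kind == "TMSI":
        # Upper nibble of octet 1 is 1111 filler; the TMSI follows as four
        # octets, most significant first.
        if len(ie) != 5 or first >> 4 != 0xF:
            raise ValueError("malformed TMSI identity")
        return MobileIdentity(kind, "%08x" % int.from_bytes(ie[1:5], "big"))
    # IMSI/IMEI/IMEISV: first digit in the upper nibble of octet 1, then the
    # low nibble before the high nibble of each following octet.
    nibbles = [first >> 4]
    for octet in ie[1:]:
        nibbles += [octet & 0x0F, octet >> 4]
    if not first & 0x08:  # even digit count: last nibble is 1111 filler
        if nibbles.pop() != 0xF:
            raise ValueError("even-length identity lacks filler nibble")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit in identity")
    return MobileIdentity(kind, "".join(str(n) for n in nibbles))

def must_authenticate(ident: MobileIdentity, vlr: dict, ms_supports_a5: bool) -> bool:
    """Illustrative network-side decision before honouring a CM SERVICE REQUEST.
    A TMSI is only an alias the network handed out earlier, so the request is
    not trusted on the TMSI alone: run authentication (RAND/SRES) if the TMSI
    is unknown, the MS shows up with a bare IMSI, or it claims no A5 support.
    """
    return ident.kind != "TMSI" or ident.value not in vlr or not ms_supports_a5
```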