TMSIs and Identity theft?

Holger Freyther zecke at
Sat Jan 10 00:40:33 UTC 2009

Hey Guys,

I'm currently implementing the CM Service Request of GSM 04.08 and I wonder 
about the following:

	1.) Some phones send us the TMSI of their current network
	2.) One can ask the phone for the IMEISV/IMSI
	3.) One can accept the LOCATION UPDATING REQUEST (or wait)
	4.) A rogue MS could now request a channel with the BTS of the original 
	5.) Could send a CM Service Request with the TMSI of the original phone and 
claim to not support A5 and such...
	6.) Could initiate a call on the behalf of the other phone...?

	7.) What is IMSI detach? I have not yet seen it... but could it solve such 
things? So far I have only seen TMSI reallocation complete messages...

What am I missing? These messages are not encrypted, right? One would just need 
to know the right channel/paging group and such? Is this known? Plausible? 
Totally off?
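The identity a phone puts into a CM SERVICE REQUEST is carried in the Mobile Identity IE (GSM 04.08 / 3GPP TS 24.008 section 10.5.1.4), which is what decides whether the network sees a TMSI, an IMSI or an IMEISV. The decoder and the small acceptance policy below are an added example written for this post; they are not OpenBSC code and not part of the original mail. The wire format is the standard's; the IMSI, IMEISV and TMSI values, the `vlr` lookup table and the `authenticated` flag are constructed stand-ins for the MSC/VLR state a real implementation would keep. The policy makes the defensive point behind the question concrete: a TMSI is a lookup key the network handed out in the clear, so it is only ever treated as a claim, and service is granted only after the authentication procedure (AUTHENTICATION REQUEST with RAND, SRES checked against the SIM's Ki-derived answer) has succeeded on the current connection.

```python
"""Mobile Identity IE codec (TS 24.008 10.5.1.4) plus an MSC-side policy
for CM SERVICE REQUEST.  Added example, not OpenBSC code.

Octet 1 of the IE value: bits 8-5 = identity digit 1 (0xF for TMSI),
bit 4 = odd/even indicator (1 = odd number of digits),
bits 3-1 = type of identity.  Remaining digits are packed BCD, low
nibble first; an even digit count ends with 0xF as filler.  A TMSI is
4 binary octets after octet 1.
"""

TYPE_CODES = {"IMSI": 1, "IMEI": 2, "IMEISV": 3, "TMSI": 4}
TYPE_NAMES = {code: name for name, code in TYPE_CODES.items()}


def decode_mobile_identity(ie: bytes) -> dict:
    """Decode the value part of a Mobile Identity IE (length octet stripped)."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    first = ie[0]
    type_code = first & 0x07
    odd = (first >> 3) & 0x01
    if type_code == TYPE_CODES["TMSI"]:
        if len(ie) != 5:
            raise ValueError("TMSI identity must be exactly 5 octets")
        return {"type": "TMSI", "tmsi": int.from_bytes(ie[1:], "big")}
    if type_code not in TYPE_NAMES:
        raise ValueError(f"unsupported type of identity {type_code}")
    digits = [first >> 4]                      # digit 1 lives in octet 1
    for octet in ie[1:]:
        digits.append(octet & 0x0F)            # low nibble first
        digits.append(octet >> 4)
    if not odd:
        if digits[-1] != 0xF:
            raise ValueError("even digit count requires 0xF filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return {"type": TYPE_NAMES[type_code], "digits": "".join(map(str, digits))}


def encode_mobile_identity(kind: str, value) -> bytes:
    """Inverse of decode_mobile_identity; `value` is an int for TMSI, digits otherwise."""
    type_code = TYPE_CODES[kind]
    if kind == "TMSI":
        return bytes([0xF0 | type_code]) + int(value).to_bytes(4, "big")
    digits = [int(c) for c in value]
    odd = len(digits) % 2
    out = [(digits[0] << 4) | (odd << 3) | type_code]
    rest = digits[1:] + ([] if odd else [0xF])
    for i in range(0, len(rest), 2):
        out.append(rest[i] | (rest[i + 1] << 4))
    return bytes(out)


def cm_service_request_action(ie: bytes, vlr: dict, authenticated: bool) -> str:
    """Return the MSC's next message in response to a CM SERVICE REQUEST.

    `vlr` (hypothetical) maps TMSI -> IMSI for subscribers this VLR has
    allocated a TMSI to.  `authenticated` (hypothetical) says whether the
    AUTHENTICATION REQUEST/RESPONSE exchange succeeded on this RR
    connection.  The TMSI is never sufficient on its own.
    """
    identity = decode_mobile_identity(ie)
    if identity["type"] == "TMSI":
        if identity["tmsi"] not in vlr:
            return "IDENTITY REQUEST"          # unknown TMSI: learn the IMSI first
    elif identity["type"] != "IMSI":
        # Simplification: emergency calls using the IMEI are not modelled here.
        return "CM SERVICE REJECT"
    if not authenticated:
        return "AUTHENTICATION REQUEST"        # challenge before granting anything
    return "CM SERVICE ACCEPT"


if __name__ == "__main__":
    # Constructed sample values: test PLMN 001-01 IMSI and an arbitrary TMSI.
    tmsi_ie = encode_mobile_identity("TMSI", 0x12345678)
    vlr = {0x12345678: "001010123456789"}
    print(decode_mobile_identity(tmsi_ie))
    print(cm_service_request_action(tmsi_ie, vlr, authenticated=False))
    print(cm_service_request_action(tmsi_ie, vlr, authenticated=True))
```

The decoder accepts the IE value only (the length octet that precedes it in a message is not included), and the policy deliberately answers a known-TMSI request with AUTHENTICATION REQUEST rather than CM SERVICE ACCEPT, since anyone who overheard the TMSI can present it.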


