SNIFFERS FOR DETECTING LOST MOBILES
CHAPTER 1
INTRODUCTION
One of the most interesting things about a cell phone is that it is really a radio, an
extremely sophisticated radio that operates in an allocated band of frequencies and whose
basic principle of working is similar to that of an ordinary cordless phone. Mobile cellular
communication has been widely adopted since its birth in the early 1970s, and advances in
VLSI have made it possible to design smaller, lower-power and yet efficient transceivers for
the purpose of communication.
However, the technology has not yet answered the problem of lost or misplaced mobile
phones, which is increasing significantly. In this paper we discuss the problem and a
probable solution. The IMEI number is a unique number embedded in the mobile phone; its
main purpose is to let the network block calls made by an unauthorized person once the
mobile is reported as stolen, but here we use it for the purpose of detection.
1.1 WIRELESS SNIFFING:
Wireless sniffing is the practice of eavesdropping on communications within a wireless
network by using special software or hardware tools. Sniffing is more intrusive than
wireless stumbling, which only looks for the presence of wireless networks. The motives
behind wireless sniffing range from troubleshooting to a malicious attack against a network
or an individual.
Both wired and wireless networks can be monitored or sniffed. Wireless networks are
generally easier to sniff because they use radio signals as the method of communication:
an attacker could, for example, sit in a car outside a home or business and sniff the
wireless network from there.
Computer networks divide information into pieces called frames. Inside these frames are
data packets. Wireless sniffing might target frames, packets or both.
S.V.COLLEGE OF ENGINEERING, DEPARTMENT OF ECE Page 1
Targeting frames can reveal the presence of a wireless base station that is set up to
remain hidden, and it can even be used to crack older wireless encryption standards such
as WEP. Packet sniffing, also called Internet Protocol (IP) sniffing, can be used to monitor
e-mail or other data being sent over a wireless network by others. It can also help a
network administrator watch for and diagnose network problems.
To sniff wireless networks, special software known as a sniffer is used to monitor network
traffic. Networked computers and devices normally look only at frames and packets that are
addressed to them; sniffing software looks at all frames or packets, regardless of which
computer the information is intended for. The wireless card or chipset and its drivers must
be capable of this, and they must be compatible with the software used.
Wireless sniffing typically uses one of two modes: monitor mode and promiscuous mode. In
monitor mode, the wireless adapter is instructed to listen for the radio frames transmitted
by other wireless devices without being associated to any network and without transmitting
anything of its own. This type of sniffing is very hard to detect because the sniffer never
transmits. In promiscuous mode, the sniffer is associated with a particular wireless access
point and is handed every frame on that access point rather than only the frames addressed
to it. This allows all data passing through the access point to be monitored, but the
association itself could expose the sniffer.
Sometimes a malicious intruder will use information gathered during a wireless sniffing
session to imitate another machine; this is known as spoofing. Wireless sniffing can also be
used to enhance security: it is the basis of wireless intrusion detection, which watches for
attackers or intruders on a network.
1.2 NETWORK SNIFFING:
Network sniffing is a passive technique that monitors network
communication, decodes protocols, and examines headers and payloads to flag information of
interest. Besides being used as a review technique, network sniffing can also be used as a
target identification and analysis technique.
1.2.1 Overview:
Reasons for using network sniffing include the following:
1. Capturing and replaying network traffic.
2. Performing passive network discovery (e.g., identifying active devices on the network).
3. Identifying operating systems, applications, services, and protocols, including
unsecured (e.g., telnet) and unauthorized (e.g., peer-to-peer file sharing) protocols.
4. Identifying unauthorized and inappropriate activities, such as the unencrypted
transmission of sensitive information.
5. Collecting information, such as unencrypted usernames and passwords.
Network sniffing has little impact on systems and networks, with the most noticeable impact
being on bandwidth or computing power utilization. The sniffer — the tool used to conduct
network sniffing — requires a means to connect to the network, such as a hub, tap, or switch
with port spanning.
One limitation to network sniffing is the use of encryption. Many attackers
take advantage of encryption to hide their activities — while assessors can see that
communication is taking place, they are unable to view the contents. Another limitation is that
a network sniffer is only able to sniff the traffic of the local segment where it is installed.
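The points above (an adapter that normally hands up only its own frames, promiscuous mode passing everything, and the sniffer flagging unsecured protocols and cleartext credentials) can be shown end to end in a small program. The following is an added example written for this page, not the report's own software or any tool it names: it parses Ethernet/IPv4/TCP frames, emulates the adapter's address filter, and applies the two checks from the list in 1.2.1. The frames, MAC addresses, IP addresses and the credentials in them are constructed so the script runs offline; on a live interface the same parser would be fed from a raw socket or a pcap reader, and the promiscuous-mode discussion in Chapter 3 applies in the same way.

```python
"""Added example (not the report's own software): a minimal Ethernet/IPv4/TCP
frame parser with the cleartext-protocol and credential checks described above.
The frames are constructed in-line so it runs offline; on a live interface the
same parser would be fed by a raw socket or a pcap reader."""
import base64
import struct
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
BROADCAST_MAC = b"\xff" * 6
# Services that carry logins in the clear (the "unsecured protocols" above).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tcp_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a test frame; IP/TCP checksums are left at zero because the
    parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Decode Ethernet -> IPv4 -> TCP headers; return None for anything else."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"dst_mac": dst_mac, "src_mac": src_mac,
            "src_ip": bytes_to_ip(src), "dst_ip": bytes_to_ip(dst),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def inspect(pkt: Dict) -> List[str]:
    """Flag cleartext services and recover HTTP Basic credentials from a packet."""
    findings = []
    service = CLEARTEXT_PORTS.get(pkt["dport"])
    if service:
        findings.append(f"{service} in the clear: {pkt['src_ip']}:{pkt['sport']} -> "
                        f"{pkt['dst_ip']}:{pkt['dport']}")
    for line in pkt["payload"].split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            try:
                creds = base64.b64decode(line.split(b" ", 2)[2], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue
            findings.append(f"http basic credentials {creds!r} sent to {pkt['dst_ip']}")
    return findings


def sniff(frames: List[bytes], own_mac: bytes, promiscuous: bool) -> List[str]:
    """Emulate the adapter filter: without promiscuous mode only frames addressed
    to our own MAC (or broadcast) are handed up; with it, every frame is."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if not promiscuous and pkt["dst_mac"] not in (own_mac, BROADCAST_MAC):
            continue
        findings.extend(inspect(pkt))
    return findings


# Constructed sample traffic on a hub segment: two hosts talking to a gateway,
# observed by a third host (the sniffer) whose MAC none of the frames carry.
GW_MAC, HOST_A_MAC, HOST_B_MAC = (bytes.fromhex(h) for h in
                                  ("020000000001", "020000000002", "020000000003"))
SNIFFER_MAC = bytes.fromhex("02000000000c")
SAMPLE_FRAMES = [
    build_tcp_frame(GW_MAC, HOST_A_MAC, "10.0.0.2", "10.0.0.1", 40001, 23, b"alice\r\n"),
    build_tcp_frame(GW_MAC, HOST_B_MAC, "10.0.0.3", "10.0.0.1", 40002, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_tcp_frame(GW_MAC, HOST_B_MAC, "10.0.0.3", "10.0.0.1", 40003, 443, b"\x16\x03\x01\x00\x05"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}:", sniff(SAMPLE_FRAMES, SNIFFER_MAC, mode))
```

Run without promiscuous mode the sniffer host sees nothing, because none of the frames carry its MAC; with it, the telnet login and the HTTP Basic credentials are both recovered, while the TLS segment on port 443 yields only an opaque handshake. The same address filter is what a switch adds on top of the adapter: on a switched segment the sniffer needs the hub, tap or SPAN port mentioned above before promiscuous mode sees anything but its own and broadcast traffic.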
CHAPTER 2
IMEI
The GSM mobile unit's IMEI (International Mobile Equipment Identity) is a 15-digit code
that uniquely identifies a GSM/DCS/PCS handset. When the network requests it (an operator
can do this when a phone switches on and registers), the phone transmits its IMEI, and the
network checks it against the database of blacklisted or greylisted handsets in its EIR
(Equipment Identity Register). The EIR determines whether the phone is allowed to log on to
the network to make and receive calls. To see the IMEI, key *#06# and the number is
displayed on the screen; it is unique to each handset. If the IMEI matches an entry in the
EIR, the network can do a number of things, for example greylist or blacklist the phone:
1. Greylisting allows the phone to be used, but it can be tracked to see who has it (via the
SIM information).
2. Blacklisting prevents the phone from being used on any network whose EIR holds the match.
Many countries have acknowledged the use of the IMEI in reducing the effect of
mobile phone theft. For example, in the United Kingdom, under the Mobile Telephones (Re-
programming) Act, changing the IMEI of a phone, or possessing equipment that can change it,
is an offence under some circumstances. Such an action can also be a criminal offence in
Latvia.
IMEI blocking is not the only approach available for combating phone theft. For
example, mobile operators in Singapore are not required by the regulator to implement phone
blocking or tracing systems, IMEI-based or other. The regulator has expressed its doubts on
the real effectiveness of this kind of system in the context of the mobile market in Singapore.
Instead, mobile operators are encouraged to take measures such as the immediate suspension
of service and the replacement of SIM cards in case of loss or theft.
There is a misunderstanding amongst some regulators that the existence of a
formally-allocated IMEI number range for a GSM terminal implies that the terminal is
approved or complies with regulatory requirements. This is not the case. The linkage between
regulatory approval and IMEI allocation was removed in April 2000, with the introduction of
the European R&TTE Directive. Since that date, IMEIs have been allocated by BABT (or one
of several other regional administrators acting on behalf of the GSM Association) to legitimate
GSM terminal manufacturers without the need to provide evidence of approval.
2.1 BLACKLIST FOR STOLEN MOBILES:
When mobile equipment is stolen or lost, the owner can typically contact their local
operator with a request that it be blocked. If the local operator has an Equipment Identity
Register (EIR), it will put the device's IMEI into it, and can optionally communicate this to
the Central Equipment Identity Register (CEIR), which blacklists the device in the switches
of all other operators that use the CEIR. With this blacklisting in place the device becomes
unusable on any operator that uses the CEIR, making theft of mobile equipment a useless
business proposition, except for parts.
The IMEI is not supposed to be easy to change, which is what makes CEIR blacklisting
effective. This is not always the case, however: on some handsets the IMEI can be rewritten
with special tools, which is why the legislation above targets reprogramming equipment.
Australia was the first to implement IMEI blocking across all digital GSM networks, in 2003.
In the UK, a voluntary charter operated by the mobile networks ensures that any operator's
blacklisting of a handset is communicated to the Central Equipment Identity Register (CEIR)
and subsequently to all other networks. This ensures the handset will be unusable for calls,
often quite quickly and in any case within 48 hours.
All UK Police forces including the Metropolitan Police Service actively check IMEI numbers
of phones found involved in crime, against the National Mobile Property Register (NMPR).
The NMPR draws its information from many property databases. One of the databases
consulted is Immobilise which allows optional (and free) registration of devices by the public.
Such registration ensures that a device coming into Police possession may be easily reunited
with its registered keeper.
In some countries such blacklisting is not customary. In 2012, the major network companies
in the United States, under government pressure, committed to introducing a blacklisting
service, but it is not clear whether it will interoperate with the CEIR. The GSM carriers
AT&T and T-Mobile began blocking newly reported IMEIs in November 2012.
2.2 RETRIEVING IMEI INFORMATION FROM A GSM DEVICE:
The standardization bodies mandate that mobile devices for public networks be uniquely
identifiable by the IMEI for many addressing and retrieval purposes. On many, if not most,
devices the IMEI can be retrieved by keying *#06#, or by sending the modem the dial command
ATD*#06#.
The IMEI of a GSM device can also be retrieved with the AT command AT+CGSN. For more
information, refer to 3GPP TS 27.007, Section 5.4.
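An IMEI read back by any of these methods should be validated before it is stored or compared, because a mistyped digit or a truncated modem reply would otherwise go unnoticed. The program below is an added example for this page, not code from the report: it splits an IMEI into its TAC, serial and check digit, verifies the Luhn check digit, parses the reply to AT+CGSN (both the bare form of 3GPP TS 27.007 and the "+CGSN:" form some modems use), and performs the comparison against a stored list of reported IMEIs that the tracking software of section 3.3 describes. The modem replies are constructed; the IMEI 490154203237518 is a published illustrative value, not a real handset.

```python
"""Added example (not code from the report): IMEI structure, Luhn check-digit
validation and parsing of an AT+CGSN reply. Standard library only. The IMEI
490154203237518 is a published illustrative value, not a real handset."""
import re
from typing import Dict, List, Optional

# Layout of a 15-digit IMEI: TAC (8) + serial number (6) + Luhn check digit (1).
# An IMEISV is 16 digits: TAC (8) + serial (6) + software version (2), no check digit.


def normalize_imei(text: str) -> str:
    """Strip the separators people type (49-015420-323751-8, spaces) and keep digits."""
    return re.sub(r"\D", "", text)


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string. Walking from the right, every other
    digit (starting with the rightmost) is doubled and reduced by 9 if above 9;
    the check digit makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if imei is exactly 15 digits whose last digit is the Luhn check."""
    return bool(re.fullmatch(r"\d{15}", imei)) and luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> Dict[str, str]:
    imei = normalize_imei(imei)
    if not is_valid_imei(imei):
        raise ValueError(f"not a valid IMEI: {imei!r}")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def parse_cgsn_response(raw: str) -> Optional[str]:
    """Extract the IMEI from a modem's reply to AT+CGSN (3GPP TS 27.007 5.4).
    Accepts the bare form ("\\r\\n490154203237518\\r\\n\\r\\nOK\\r\\n") and the
    "+CGSN: ..." form some modems use; an echoed command line is ignored because
    it is not a valid IMEI. Returns None on ERROR, a truncated read, or anything
    that is not exactly one valid IMEI."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or lines[-1] != "OK":
        return None
    found: List[str] = []
    for ln in lines[:-1]:
        if ln.startswith("+CGSN:"):
            ln = ln[len("+CGSN:"):].strip().strip('"')
        if is_valid_imei(ln):
            found.append(ln)
    return found[0] if len(found) == 1 else None


def is_on_watchlist(imei: str, watchlist: List[str]) -> bool:
    """The check the sniffer's tracking software performs against its stored
    list of reported IMEIs; both sides are normalized and validated first."""
    imei = normalize_imei(imei)
    wanted = {normalize_imei(w) for w in watchlist}
    return is_valid_imei(imei) and imei in wanted


if __name__ == "__main__":
    reply = "\r\n490154203237518\r\n\r\nOK\r\n"   # constructed modem reply
    imei = parse_cgsn_response(reply)
    print(imei, split_imei(imei), is_on_watchlist(imei, ["49-015420-323751-8"]))
```

The check digit only catches single-digit errors and most transpositions; it says nothing about whether the TAC was ever allocated, so a device whose IMEI has been reprogrammed (section 2.1) can still carry a self-consistent number.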
On an older Sony or Sony Ericsson handset the IMEI can be displayed by entering these keys:
* Right * Left Left * Left *. On BlackBerry and newer Sony Ericsson devices the IMEI can
also be found under Options, then Status. On Android the IMEI is found under the "About
Phone" option in the Settings menu. On iOS devices the IMEI can be found under General >
About in the Settings app. On Windows Phones, the IMEI can be found under Settings
CHAPTER 3
DESIGNING FOR THE SNIFFER
As stated, this proposal is about the detection of lost mobile phones, and for this purpose
we are designing a new device called the Sniffer. The sniffer device has to be designed
precisely, and its size should be kept small so that it can easily be carried around for the
purpose of detection.
It is a cruel irony in information security that many of the features that make using
computers easier or more efficient, and the tools used to protect and secure the network, can
also be used to exploit and compromise the same computers and networks. This is the case
with packet sniffing.
A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used
legitimately by a network or system administrator to monitor and troubleshoot network traffic.
Using the information captured by the packet sniffer, an administrator can identify erroneous
packets and use the data to pinpoint bottlenecks and help maintain efficient network data
transmission.
In its simplest form a packet sniffer captures all of the packets that pass through a given
network interface. Normally the interface hands up only the packets intended for the machine
in question; placed into promiscuous mode, however, the packet sniffer can capture every
packet that reaches the interface regardless of its destination.
By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can
capture and analyze all of the network traffic that reaches that host. Within a given
network, username and password information is still often transmitted in clear text by
legacy protocols, which means that the information is readable by anyone analyzing the
packets being transmitted.
A packet sniffer can only capture packets within its own network segment, so it is not
possible for an attacker to place a packet sniffer on their home ISP network and capture
traffic from inside your corporate network (although there are ways to more or less "hijack"
services running on your internal network to perform packet sniffing from a remote location).
To capture that traffic, the packet sniffer needs to be running on a computer that is inside
the corporate network. However, if one machine on the internal network is compromised through
a Trojan or other security breach, the intruder can run a packet sniffer from that machine
and use the captured username and password information to compromise other machines on the
network. Note also that on a switched network a promiscuous interface sees only the traffic
addressed to it plus broadcast and flooded frames unless a hub, a network tap or a switch
with port spanning is used, as mentioned in section 1.2.1.
Detecting rogue packet sniffers on your network is not an easy task. By its very nature
the packet sniffer is passive. It simply captures the packets that are traveling to the network
interface it is monitoring. That means there is generally no signature or erroneous traffic to
look for that would identify a machine running a packet sniffer. There are ways to identify
network interfaces on your network that are running in promiscuous mode though and this
might be used as a means for locating rogue packet sniffers.
If you are one of the good guys and you need to maintain and monitor a network, I
recommend you become familiar with network monitors or packet sniffers such as Ethereal.
Learn what types of information can be discerned from the captured data and how you can put
it to use to keep your network running smoothly. But, also be aware that users on your
network may be running rogue packet sniffers, either experimenting out of curiosity or with
malicious intent, and that you should do what you can to make sure this does not happen.
The device can be called as a mobile base station that includes the following
important components:
1. Sniffer base station
2. Unidirectional antenna
3. Tracking software
3.1 SNIFFER BASE STATION:
The sniffer is a small base station that includes a transceiver section. It should operate
at a frequency that is well separated from the frequency of the current cell in which the
detection is being carried out.
The main design points are the following. The frequency generated by the transceiver
section is in the 900 MHz range, which lies in the UHF band, and the oscillator circuit must
be designed for that frequency range. Another important point is the cooling that has to be
provided to a circuit operating at 900 MHz. Hence the proper design of the base station is
central to the design of the sniffer. Mobile phones, and the base stations they talk to,
transmit at low power, and the transmitter of the sniffer must likewise be a low-power
transmitter. This helps reduce the interference of the device with the devices in the other
cells.
3.2 DESIGN OF UNIDIRECTIONAL ANTENNA:
Though the transceiver in the sniffer plays an important role in the detection of the
mobile phone, it is the directional antenna that has the major role in the design of the
transmitter. The directional antenna acts as the eyes of the sniffer for the purpose of
detecting the lost mobile phone, so its proper design is required. An antenna is a device
that transmits or receives the data signal over a specified range of frequencies. In
general, an antenna radiates power according to its lobe pattern, which varies from one
antenna to another. The lobe pattern is a two-dimensional diagram used to show the radiation
pattern. The radiation pattern of a directional antenna is shown in Fig 3.1.
Fig 3.1 The unidirectional antenna radiation pattern
In addition to this it is necessary that the transmitter be a low-power transmitter. Gain
and directivity are intimately related in antennas. The directivity of an antenna is a
statement of how the RF energy is focused in one or two directions. Because the total
amount of RF energy remains the same but is distributed over less area, the apparent signal
strength in those directions is higher; this apparent increase in signal strength is the
antenna gain. Gain is measured in decibels relative to either a dipole (dBd) or a
theoretical construct called an isotropic radiator (dBi). The isotropic radiator is a
spherical signal source that radiates equally well in all directions. One way to view the
omnidirectional pattern is as a slice taken horizontally through that three-dimensional
sphere.
The graphical representation of the radiation pattern of the unidirectional antenna is
shown in the figure. The spherical coordinate system has three components for the pattern
representation, (R, θ, Φ). The shape of the radiation pattern is independent of R as long as
R is chosen sufficiently large, that is, much greater than both the wavelength and the
largest dimension of the antenna. The magnitude of the field strength in any direction
varies inversely with R. A complete radiation pattern requires a three-dimensional
representation.
The other factors to be taken into account during the development of the antenna for the
sniffer are the gain and the directivity, as these have the greatest effect on the antenna
design. The gain of an antenna is its ability to radiate power in a particular direction.
The power radiated per unit area in any direction is the magnitude of the Poynting vector,
$$|\mathbf{S}| = \frac{E^2}{\eta} \ \text{W/m}^2,$$
where $E$ is the field strength and $\eta$ is the intrinsic impedance of the medium (about
377 Ω in free space). The radiation intensity $\Phi$ (watts per steradian) is $R^2 |\mathbf{S}|$,
and the total power radiated by the antenna is
$$W = \int \Phi \, d\Omega .$$
The average radiation intensity is
$$\Phi_{avg} = \frac{W}{4\pi} \ \text{(watts per steradian)}.$$
The directive gain of the antenna in a given direction is the ratio of the radiation
intensity in that direction to the average intensity,
$$g_d(\theta,\phi) = \frac{\Phi(\theta,\phi)}{\Phi_{avg}} = \frac{4\pi\Phi(\theta,\phi)}{W_r},$$
and the directivity is the maximum value of $g_d$, reached in the direction of strongest
radiation; for a given direction the directive gain is a constant of the antenna. In
addition to directivity and gain, the other quantity to be taken into account is the power
actually supplied to the antenna. The total power $W_t$ is the sum of the radiated power
$W_r$ and the ohmic loss $W_l$ of the antenna:
$$W_t = W_r + W_l .$$
The power gain of the antenna is referred to the total power rather than the radiated power,
$$g_p = \frac{4\pi\Phi}{W_t},$$
and the ratio of power gain to directive gain is a measure of the efficiency of the antenna:
$$\frac{g_p}{g_d} = \frac{W_r}{W_r + W_l}.$$
The power radiated by the antenna must be chosen carefully, because a higher radiated power
means deeper penetration of the electromagnetic radiation and hence a possible effect on the
nearby cells.
The effective area of the antenna is another important factor, mainly for the receiving
antenna; it may also be referred to as the effective aperture or capture area, and it is
related to the directive gain of the antenna through
$$A = \frac{g_d \lambda^2}{4\pi}.$$
Since the sniffer is a device that has both a transmitting and a receiving antenna, the
effective aperture has to be taken into account, because it expresses the ability of the
antenna to capture the signal that the lost mobile is transmitting.
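A worked instance of these relations with numbers for the sniffer's band, added here as an illustration and not taken from the report. The antenna parameters are assumptions (a half-wave dipole, $g_d = 1.64$, with a radiation efficiency of 0.90), since the report does not specify an antenna; the field strength used for the received-power step is likewise an assumed value.

$$\lambda = \frac{c}{f} = \frac{3\times10^{8}\ \text{m/s}}{900\times10^{6}\ \text{Hz}} = 0.333\ \text{m}, \qquad g_d = 1.64 \ (10\log_{10}1.64 = 2.15\ \text{dBi})$$

$$\frac{g_p}{g_d} = \frac{W_r}{W_r + W_l} = 0.90 \;\Rightarrow\; g_p = 0.90 \times 1.64 = 1.48 \ (1.7\ \text{dBi})$$

$$A = \frac{g_d \lambda^2}{4\pi} = \frac{1.64 \times (0.333)^2}{4\pi} = 1.45\times10^{-2}\ \text{m}^2$$

$$E = 1\ \text{mV/m}:\quad |\mathbf{S}| = \frac{E^2}{\eta} = \frac{(10^{-3})^2}{377} = 2.65\times10^{-9}\ \text{W/m}^2, \qquad P_r = |\mathbf{S}|\,A = 3.85\times10^{-11}\ \text{W} \approx -74\ \text{dBm}$$

The last line is the quantity the sniffer's receiver actually works with: for a fixed field strength at the sniffer, the captured power scales directly with $g_d$, so replacing the dipole by a directional antenna with $g_d = 10$ raises $P_r$ by about 8 dB and, by the same relation, narrows the lobe that is used for direction finding in Chapter 4.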
3.3 SOFTWARE FOR THE TRACKING:
The software plays a major role in the tracking of the lost mobile phone: it is the base on
which the antenna is used to track the lost mobile. The main feature of this software is that
it creates and maintains the database of lost phones, which is held in the sniffer's Random
Access Memory. The lost mobile phone has a certain IMEI number embedded in its chip, and the
RAM of the sniffer device stores the IMEI numbers of the lost mobile phones; it thus acts as
the database or directory of lost mobile phone numbers. The software is designed so that its
input is the IMEI number of the lost mobile phone, fetched from the RAM with an SQL query.
After getting the IMEI number of the lost mobile phone as input, it checks the COM port for
any signalling information from the lost device responding to the signal sent by the
sniffer.
The programming is done in C or Java, C being preferred because it is easily embedded on
the chips. The front end is designed with VB. Oracle SQL is the back end, as it helps in
retrieving the input data from the RAM using a query. However, the sample program that we
have designed does not use Oracle; it takes the input directly from the keyboard. It is a
dummy program created as an example to help in understanding how the device would work.
CHAPTER 4
WORKING OF THE SNIFFER DEVICE
The sniffer is basically a transceiver that works in a special unused range of frequencies
operated by the service provider, or it can be designed to operate at a frequency well away
from the ones used by the nearby cells, since otherwise the device may interfere with the
devices in those cells. The working of the device is as follows. Fig 4.1 and Fig 4.2 show
the working of the sniffer. Fig 4.1 gives the normal operation of the mobile with the base
station: the BTS acts as a middle man in the communication between the mobile and the MTSO,
popularly known as the MSC or Mobile Switching Centre.
Communication between the devices is always two-way, and before it is established there is
an authentication of the SIM card, which holds the IMSI or International Mobile Subscriber
Identity; the IMSI identifies the subscriber to be authorized. The second check is on the
handset itself, which is done against the EIR or Equipment Identity Register. This register
is located at the MSC and contains the IMEI numbers of lost handsets; if the handset
identifies itself as a normal one, the two-way communication is established.
Once the IMEI of the lost mobile phone has been reported to the service provider, the
provider keeps it in its record of lost mobile phones. The MTSO or MSC, which keeps track of
all the mobile phones by IMEI and IMSI number, has the information on the location of the
lost mobile phone, that is, the cell in which the lost device currently is: because of the
two-way communication with the device, the BTS serving the lost device is known to the MSC.
Using this information about the cell in which the device is located, the sniffer device is
introduced.
Fig: 4.1 .The initial connection between the cellular network and lost mobile phone
Fig 4.2 shows the sniffer at work for the purpose of detecting the lost device. After the
IMEI number of the lost device is provided by the MTSO or MSC, it is fed into the sniffer's
main memory, and the sniffer located in that particular cell gets into action to detect the
lost device. The sniffer uses a frequency that is different from the ones used by the base
station and the nearby cells. The base station then disconnects the connection with the lost
mobile phone, on a request for this action from the EIR part of the MSC.
This causes the lost device to search for a BTS to lock on to; since no other base station
will accept it, the lost device keeps sending connection request signals. Now, when the
sniffer device is deployed, it has a built-in authorization capability, so the lost device
finds the sniffer and locks itself to the sniffer's frequency. While the connection between
the sniffer and the mobile phone is being established, the IMEI of the lost mobile is
validated against the stored IMEI, and after successful authorization the communication
between the sniffer and the lost device is established.
If other devices in the same cell try to communicate with the sniffer, access is denied;
this is done at the validation step, based on the IMEI. Once the communication starts, the
location can be tracked using the directional antenna and the signal strength of the lost
device. The search can also be aided with a GPS system for more accurate and faster
detection.
The main requirement is that the sniffer operate on a frequency different from the
frequency adopted by the cell and the nearby ones, so that interference with the nearby
cells is avoided. The directional antenna is used in finding the location of the mobile
phone.
One caveat should be kept in mind here: a GSM handset authenticates itself to the network
but does not authenticate the network, which is what allows a stand-alone station such as
the sniffer to attract the handset at all. The same property is what rogue base stations
exploit, so the sniffer's IMEI validation must reject every handset other than the reported
one, and its transmitter must stay within the operator's licensed spectrum and power limits.
Fig 4.2: The connection of the sniffer device with the lost mobile phone.
Here the signal strength of the received signal is obtained, and the antenna pattern is
plotted once the signal of the mobile is obtained. Antenna patterns taken from several
different positions around the same mobile phone are used to find its exact location.
In this method, however, the directional antenna used must have a very small beamwidth;
this makes the process of detection more accurate.
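The step from "patterns taken at several positions" to a location is a bearing intersection: at each sniffer position the antenna is swept and the direction of strongest signal is recorded, and the lines along those bearings are intersected. The program below is an added example written for this page, not software from the report: it solves the least-squares intersection of any number of bearing lines, reports how far each measured bearing deviates from the estimate, and uses the antenna beamwidth as the acceptance threshold, which is the quantitative form of the remark above that a narrow beam gives a more accurate fix. The coordinate convention (metres on a local flat grid, bearings in degrees counter-clockwise from the +x axis) and the three fixes are assumptions constructed for the example.

```python
"""Added example (not from the report): estimating a handset's position from
the bearings at which the directional antenna sees the strongest signal from
several sniffer positions. Coordinates are in metres on a local flat grid and
bearings are degrees counter-clockwise from the +x axis (an assumed convention;
a compass bearing would need converting). The observations are constructed."""
import math
from typing import List, Optional, Tuple

Observation = Tuple[float, float, float]  # (x, y, bearing_deg) of one sniffer fix


def locate_by_bearings(obs: List[Observation], min_det: float = 1e-6) -> Optional[Tuple[float, float]]:
    """Least-squares intersection of the bearing lines.

    Each fix defines the line n . p = n . o, where o is the sniffer position and
    n = (-sin b, cos b) is the unit normal to the bearing b.  Minimising the sum
    of squared perpendicular distances gives the 2x2 normal equations solved
    below.  Returns None when there are fewer than two fixes or the bearings are
    (nearly) parallel, which makes the intersection ill-conditioned."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x0, y0, deg in obs:
        th = math.radians(deg)
        nx, ny = -math.sin(th), math.cos(th)
        c = nx * x0 + ny * y0
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
    det = a11 * a22 - a12 * a12
    if len(obs) < 2 or det < min_det:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def bearing_residuals(obs: List[Observation], p: Tuple[float, float]) -> List[float]:
    """Signed angle (degrees) between each measured bearing and the direction from
    that sniffer position to the estimate p; large residuals flag a bad fix."""
    px, py = p
    out = []
    for x0, y0, deg in obs:
        actual = math.degrees(math.atan2(py - y0, px - x0)) % 360.0
        out.append((actual - deg + 180.0) % 360.0 - 180.0)
    return out


def fix_is_consistent(obs: List[Observation], p: Tuple[float, float], beamwidth_deg: float) -> bool:
    """All residuals must fall inside half the antenna's beamwidth: a narrower
    beam tightens this test, which is why a small beamwidth gives a better fix."""
    return all(abs(r) <= beamwidth_deg / 2.0 for r in bearing_residuals(obs, p))


# Constructed fixes: three sniffer positions around a handset at (5, 5).
SAMPLE_FIXES: List[Observation] = [(0.0, 0.0, 45.0), (10.0, 0.0, 135.0), (5.0, 10.0, 270.0)]

if __name__ == "__main__":
    est = locate_by_bearings(SAMPLE_FIXES)
    print(est, bearing_residuals(SAMPLE_FIXES, est), fix_is_consistent(SAMPLE_FIXES, est, 10.0))
```

Two fixes taken from nearly the same direction give an ill-conditioned intersection and are rejected rather than reported; in practice the sniffer should be moved so that successive bearings cross at a wide angle, and a fix whose residual exceeds half the beamwidth should be re-measured before it is trusted.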
Fig 4.3: The sniffer shown in the figure tries to communicate with the lost mobile.
After getting connected with the mobile it creates a virtual cell pattern and thus helps in
the detection of lost mobile phones.
CHAPTER 5
CONCLUSION
Since the boom of the mobile phone as a means of communication there have been a large
number of complaints regarding lost mobile phones, and no effective method has been
developed for detecting the lost device. This paper has dealt with the idea of developing a
"Sniffer for the detection of lost mobile phones", which paves a way by which lost mobile
phones can be recovered. The detection process itself is yet to be developed; a software
demo has been developed and is with the authors. The demo, written in VB, gives an overview
of how the lost mobile is detected, and the device software has been written in C. SQL is to
be used for querying. The internal architecture is of lesser complexity than a base station,
as it mainly involves the control signalling and there is no need for voice processing.
The design involved the following: design of the sniffer base station, design of the
unidirectional antenna, and development of software for tracking. Though this method
appears somewhat complex, involving the design of the sniffer, for large-scale detection the
overall cost of the design and of the detection scales down.
There are certain boundary conditions or criteria that have to be met for the
identification of the lost mobile: the battery of the mobile should be charged enough, the
mobile phone should not be in a shadow region, and so on. This method can, however, be
improved by using modern technologies and devices.
CHAPTER 6
REFERENCES
1. Jochen Schiller, "Mobile Communications", Pearson Education, 1st edition, 7th reprint, 2003.
2. John D. Kraus, "Electromagnetics", Tata McGraw-Hill.
3. E. C. Jordan and K. G. Balmain, "Electromagnetic Waves and Radiating Systems", Prentice Hall.
4. www.gsmworld.com
5. http://ericsson.com
6. http://iec.org