
SNIFFERS FOR DETECTING LOST MOBILES

CHAPTER 1 INTRODUCTION

One of the most interesting things about a cell phone is that it is really a radio: an extremely sophisticated radio that uses a band of frequencies and whose basic working is similar to that of an ordinary cordless phone. Mobile cellular communication has been appreciated since its birth in the early 70s, and advances in the field of VLSI have helped in designing lower-power, smaller but efficient transceivers for the purpose of communication. However, the technology has not yet answered the loss or misplacement of mobile phones, which is significantly increasing. In this paper we discuss the problem and a probable solution. The IMEI number is a unique number embedded in the mobile phone; its main purpose is to block calls made by an unauthorized person once the mobile is reported as stolen, but here we use it for the purpose of detection.

1.1 WIRELESS SNIFFING:

Wireless sniffing is the practice of eavesdropping on communications within a wireless network by using special software or hardware tools. Sniffing is more intrusive than wireless stumbling, which is looking for the presence of wireless networks. The motives behind wireless sniffing can range from troubleshooting to a malicious attack against a network or individual.

Both wired and wireless networks can be monitored or sniffed. Wireless networks generally are easier to sniff because they use radio signals as a method of communication. An attacker could, for example, sit in a car outside a home or business and sniff a wireless network. Computer networks divide information into pieces called frames. Inside these frames are data packets. Wireless sniffing might target frames, packets or both.

S.V.COLLEGE OF ENGINEERING, DEPARTMENT OF ECE


Targeting frames can reveal the presence of a wireless base station that is set up to remain hidden, and it even can be used to crack older wireless encryption standards. Packet sniffing, which can also be called Internet Protocol (IP) sniffing, can be used to monitor e-mail or other data being sent over a wireless network by others. It also can help a network administrator watch for and diagnose network problems.

To sniff wireless networks, special software known as a sniffer is used to monitor network traffic. Networked computers and devices typically look only at frames and packets that are addressed to them. Sniffing software looks at all frames or packets, regardless of which computer the information is intended for. The wireless card or chipset and drivers that are used must be capable of this, and they must be compatible with the software used.

Wireless sniffing typically has two types of modes: monitor mode and promiscuous mode. In monitor mode, a wireless adapter is instructed to listen for the radio messages broadcast by other wireless devices without broadcasting any messages of its own. This type of sniffing is nearly impossible to detect because the attacker does not broadcast any messages. In promiscuous mode, a sniffer becomes associated with a particular wireless access point. This allows all data on the access point to be monitored, but it could expose the sniffer.

Sometimes a malicious intruder will use information gathered during a wireless sniffing session to imitate another machine. This is known as spoofing. Wireless sniffing can be used to enhance security as well: it can be used to perform intrusion detection, watching for attackers or intruders on a network.

1.2 NETWORK SNIFFING:

Network sniffing is a passive technique that monitors network communication, decodes protocols, and examines headers and payloads to flag information of interest. Besides being used as a review technique, network sniffing can also be used as a target identification and analysis technique.

1.2.1 Overview:

Reasons for using network sniffing include the following:

- Capturing and replaying network traffic
- Performing passive network discovery (e.g., identifying active devices on the network)
- Identifying operating systems, applications, services, and protocols, including unsecured (e.g., telnet) and unauthorized (e.g., peer-to-peer file sharing) protocols
- Identifying unauthorized and inappropriate activities, such as the unencrypted transmission of sensitive information
- Collecting information, such as unencrypted usernames and passwords.

Network sniffing has little impact on systems and networks, with the most noticeable impact being on bandwidth or computing power utilization. The sniffer (the tool used to conduct network sniffing) requires a means to connect to the network, such as a hub, tap, or switch with port spanning. One limitation to network sniffing is the use of encryption. Many attackers take advantage of encryption to hide their activities: while assessors can see that communication is taking place, they are unable to view the contents. Another limitation is that a network sniffer is only able to sniff the traffic of the local segment where it is installed.


CHAPTER 2 IMEI

The GSM mobile unit's IMEI (International Mobile Equipment Identity) numbering system is a 15-digit unique code that is used to identify the GSM/DCS/PCS phone. When a phone is switched on, this unique IMEI number is transmitted and checked against a database of blacklisted or grey-listed phones in the network's EIR (Equipment ID Register). This EIR determines whether the phone can log on to the network to make and receive calls. To find the IMEI number, press *#06#; the number will be displayed on the LCD screen. It is unique to a mobile phone. If the EIR and IMEI number match, the networks can do a number of things.

For example, grey list or blacklist a phone:

1. Grey listing will allow the phone to be used, but it can be tracked to see who has it (via the SIM information).
2. Black listing the phone from being used on any network where there is an EIR match.

Many countries have acknowledged the use of the IMEI in reducing the effect of mobile phone theft. For example, in the United Kingdom, under the Mobile Telephones (Reprogramming) Act, changing the IMEI of a phone, or possessing equipment that can change it, is considered an offence under some circumstances. Such an action can also be considered a criminal offence in Latvia.

IMEI blocking is not the only approach available for combating phone theft. For example, mobile operators in Singapore are not required by the regulator to implement phone blocking or tracing systems, IMEI-based or other. The regulator has expressed its doubts on the real effectiveness of this kind of system in the context of the mobile market in Singapore. Instead, mobile operators are encouraged to take measures such as the immediate suspension of service and the replacement of SIM cards in case of loss or theft.

There is a misunderstanding amongst some regulators that the existence of a formally-allocated IMEI number range for a GSM terminal implies that the terminal is approved or complies with regulatory requirements. This is not the case. The linkage between regulatory approval and IMEI allocation was removed in April 2000, with the introduction of the European R&TTE Directive. Since that date, IMEIs have been allocated by BABT (or one of several other regional administrators acting on behalf of the GSM Association) to legitimate GSM terminal manufacturers without the need to provide evidence of approval.

2.1 BLACKLIST FOR STOLEN MOBILES:

When mobile equipment is stolen or lost the owner can typically contact their local operator with a request that it should be blocked. If the local operator possesses an Equipment Identity Register (EIR), it then will put the device IMEI into it, and can optionally communicate this to the Central Equipment Identity Register (CEIR) which blacklists the device in all other operator switches that use the CEIR. With this blacklisting in place the device becomes unusable on any operator that uses the CEIR, making theft of mobile equipment a useless business proposition, unless for parts.

The IMEI number is not supposed to be easy to change, making the CEIR blacklisting effective. However this is not always the case: a phone's IMEI may be easy to change with special tools.

Australia was first to implement IMEI blocking across all digital GSM networks, in 2003.[7] In the UK, a voluntary charter operated by the mobile networks ensures that any operator's blacklisting of a handset is communicated to the Central Equipment Identity Register (CEIR) and subsequently to all other networks. This ensures the handset will be unusable for calls often quite quickly and, in any case, within 48 hours.


All UK Police forces including the Metropolitan Police Service actively check IMEI numbers of phones found involved in crime, against the National Mobile Property Register (NMPR). The NMPR draws its information from many property databases. One of the databases consulted is Immobilise which allows optional (and free) registration of devices by the public. Such registration ensures that a device coming into Police possession may be easily reunited with its registered keeper.

In some countries, such blacklisting is not customary. In 2012, major network companies in the United States, under government pressure, committed to introduce a blacklisting service, but it's not clear whether it will interoperate with the CEIR.[8][9] GSM carriers AT&T and T-Mobile began blocking newly reported IMEIs in November of 2012.[10]

2.2 RETRIEVING IMEI INFORMATION FROM A GSM DEVICE:

There is a mandatory requirement by the standardization bodies that mobile devices for public networks may be uniquely identified by the IMEI number for many addressing and retrieval purposes. On many, if not most devices, the IMEI number can be retrieved by keying *#06#, or using the AT command ATD*#06#. The IMEI number of a GSM device can be retrieved by sending the command AT+CGSN. For more information, refer to the 3GPP TS 27.007, Section 5.4 /2/ standards document. Retrieving IMEI Information from an older Sony or Sony Ericsson handset can be done by entering these keys: * Right * Left Left * Left *

IMEI information on BlackBerry and on new Sony Ericsson devices can also be found by going to options, then status. On Android the IMEI information can be found under the "About Phone" menu option in the settings menu. On iOS devices, the IMEI can be found under General: About in the Settings app. On Windows Phones, the IMEI can be found under Settings
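
The handset check described in this chapter, as an added example in C (not code from the report): it pulls the 15-digit IMEI out of an AT+CGSN reply, verifies it, and classifies it against grey and black lists the way an EIR lookup would. The Luhn check digit is standard IMEI structure that the report does not mention; the list contents, the function names and the sample modem replies are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of the lookup. EIR_CLEAR means "valid IMEI, on neither list". */
enum eir_status { EIR_INVALID = -1, EIR_CLEAR = 0, EIR_GREY = 1, EIR_BLACK = 2 };

/* Constructed list entries (dummy prefix 00100100, valid check digits). */
static const char *const BLACK_LIST[] = { "001001000000023" };
static const char *const GREY_LIST[]  = { "001001000000031" };

/* An IMEI is 15 decimal digits; the last one is a Luhn check digit. */
int imei_valid(const char *imei)
{
    if (strlen(imei) != 15)
        return 0;
    int sum = 0;
    for (int i = 0; i < 15; i++) {
        if (!isdigit((unsigned char)imei[i]))
            return 0;
        int d = imei[i] - '0';
        if (i % 2 == 1) {       /* every second digit, counting left from the check digit */
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
    }
    return sum % 10 == 0;
}

/* Copy the first run of exactly 15 digits out of a modem reply that ended in OK.
   Returns 1 on success, 0 if the reply carries no IMEI. */
int extract_imei(const char *resp, char out[16])
{
    if (strstr(resp, "OK") == NULL)
        return 0;
    for (const char *p = resp; *p; ) {
        if (!isdigit((unsigned char)*p)) { p++; continue; }
        size_t n = 0;
        while (isdigit((unsigned char)p[n]))
            n++;
        if (n == 15) {
            memcpy(out, p, 15);
            out[15] = '\0';
            return 1;
        }
        p += n;                 /* wrong length: skip the whole run */
    }
    return 0;
}

static int in_list(const char *imei, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(imei, list[i]) == 0)
            return 1;
    return 0;
}

/* Reject malformed IMEIs first, then apply the black list before the grey list. */
enum eir_status eir_check(const char *imei)
{
    if (!imei_valid(imei))
        return EIR_INVALID;
    if (in_list(imei, BLACK_LIST, sizeof BLACK_LIST / sizeof BLACK_LIST[0]))
        return EIR_BLACK;
    if (in_list(imei, GREY_LIST, sizeof GREY_LIST / sizeof GREY_LIST[0]))
        return EIR_GREY;
    return EIR_CLEAR;
}

enum eir_status check_modem_response(const char *resp)
{
    char imei[16];
    if (!extract_imei(resp, imei))
        return EIR_INVALID;
    return eir_check(imei);
}

int main(void)
{
    /* Constructed replies; real modems differ in echo and line framing. */
    const char *replies[] = {
        "AT+CGSN\r\r\n001001000000023\r\n\r\nOK\r\n",
        "\r\n001001000000031\r\n\r\nOK\r\n",
        "\r\n001001000000015\r\n\r\nOK\r\n",
        "\r\nERROR\r\n",
    };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("reply %zu -> status %d\n", i, (int)check_modem_response(replies[i]));
    return 0;
}
```
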


CHAPTER 3 DESIGNING FOR THE SNIFFER

As stated, this proposal is about the detection of lost mobile phones, and for this purpose we are designing a new device called the Sniffer. The sniffer device has to be designed precisely, and its size should be reduced for easy mobility during detection. It's a cruel irony in information security that many of the features that make using computers easier or more efficient and the tools used to protect and secure the network can also be used to exploit and compromise the same computers and networks. This is the case with packet sniffing.

A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the packet sniffer an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission.

In its simple form a packet sniffer simply captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing all packets traversing the network regardless of destination.

By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.

A packet sniffer can only capture packet information within a given subnet. So, it's not possible for a malicious attacker to place a packet sniffer on their home ISP network and capture network traffic from inside your corporate network (although there are ways that exist to more or less "hijack" services running on your internal network to effectively perform packet sniffing from a remote location). In order to do so, the packet sniffer needs to be running on a computer that is inside the corporate network as well. However, if one machine on the internal network becomes compromised through a Trojan or other security breach, the intruder could run a packet sniffer from that machine and use the captured username and password information to compromise other machines on the network.

Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode though and this might be used as a means for locating rogue packet sniffers.
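
One host-side check for the promiscuous-mode indicator mentioned above, as an added example in C (not from the report): on Linux it reads each interface's flags from /sys/class/net and reports those with IFF_PROMISC set. It is Linux-specific and only inspects the machine it runs on; the function names are illustrative.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define PROMISC_BIT 0x100UL     /* value of IFF_PROMISC in the Linux interface flags */

/* Interpret the hex text stored in a sysfs "flags" file.
   Returns 1 if the promiscuous bit is set, 0 if not, -1 if the text is not a hex number. */
int flags_promisc(const char *text)
{
    char *end;
    errno = 0;
    unsigned long flags = strtoul(text, &end, 16);
    if (end == text || errno != 0)
        return -1;
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;              /* trailing junk: do not trust the value */
    return (flags & PROMISC_BIT) ? 1 : 0;
}

/* Walk <root>/<iface>/flags for every interface under root.
   Returns the number of promiscuous interfaces, or -1 if root cannot be opened.
   When print is non-zero, each promiscuous interface name is written to stdout. */
int scan_promisc(const char *root, int print)
{
    DIR *dir = opendir(root);
    if (dir == NULL)
        return -1;

    int found = 0;
    struct dirent *entry;
    while ((entry = readdir(dir)) != NULL) {
        if (entry->d_name[0] == '.')
            continue;           /* skip ".", ".." and hidden entries */

        char path[4096];
        char line[64];
        snprintf(path, sizeof path, "%s/%s/flags", root, entry->d_name);

        FILE *f = fopen(path, "r");
        if (f == NULL)
            continue;           /* not an interface directory */
        if (fgets(line, sizeof line, f) != NULL && flags_promisc(line) == 1) {
            found++;
            if (print)
                printf("promiscuous: %s (flags %s", entry->d_name, line);
        }
        fclose(f);
    }
    closedir(dir);
    return found;
}

int main(void)
{
    int n = scan_promisc("/sys/class/net", 1);
    if (n < 0) {
        fprintf(stderr, "cannot read /sys/class/net\n");
        return 1;
    }
    if (n == 0)
        puts("no interface reports IFF_PROMISC");
    return 0;
}
```
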

If you are one of the good guys and you need to maintain and monitor a network, I recommend you become familiar with network monitors or packet sniffers such as Ethereal. Learn what types of information can be discerned from the captured data and how you can put it to use to keep your network running smoothly. But, also be aware that users on your network may be running rogue packet sniffers, either experimenting out of curiosity or with malicious intent, and that you should do what you can to make sure this does not happen.

The device can be called a mobile base station that includes the following important components:

1. Sniffer base station
2. Unidirectional antenna
3. Tracking software


3.1 SNIFFER BASE STATION:

The sniffer is a small base station that includes a transceiver section. It should operate at a frequency that is much different from the frequency of the current cell in which the operation of detection is being carried out.

Among the most important considerations is that the frequency to be generated by the transceiver section is in the 900 MHz range, which is a VHF range, so it is necessary to design the oscillator circuit for that frequency range. Another important consideration is the cooling that has to be provided to a circuit designed to operate in the 900 MHz range. Hence proper design of the base station is an important part of the design of the sniffer. Mobile phones as well as base stations have low-power transmitters. The transmitter of the sniffer also has to be a low-power transmitter. This helps reduce the interference of the device with devices in other cells.

3.2 DESIGN OF UNIDIRECTIONAL ANTENNA:

Though the transceiver in a sniffer plays an important role in the detection of the mobile phone, it is the directional antenna that has a major role in the design of the transmitter. The directional antenna acts as the eyes of the sniffer for the purpose of detecting lost mobile phones. Hence proper design of the directional antenna is required. An antenna is a device that works over a specified range of frequencies for transmitting or receiving the data signal. In general, antennas transmit power depending on the lobe pattern, which varies from one antenna to another. The lobe pattern is a two-dimensional diagram that is used to show the radiation pattern. The radiation pattern of a directional antenna is shown in fig 1.


Fig 3.1 The unidirectional antenna radiation pattern

In addition to this, it is necessary that the transmitter be a low-power transmitter. Gain and directivity are intimately related in antennas. The directivity of an antenna is a statement of how the RF energy is focused in one or two directions. Because the amount of RF energy remains the same, but is distributed over less area, the apparent signal strength is higher. This apparent increase in signal strength is the antenna gain. The gain is measured in decibels over either a dipole (dBd) or a theoretical construct called an isotropic radiator (dBi). The isotropic radiator is a spherical signal source that radiates equally well in all directions. One way to view the omnidirectional pattern is that it is a slice taken horizontally through the three-dimensional sphere.

The graphical representation of the radiation pattern of the unidirectional antenna is shown in the figure. The spherical coordinate system has three main components for the pattern representation, and they are (R, , ). The shape of the radiation pattern is independent of R, as long as R is chosen to be sufficiently large and much greater than the wavelength and the largest dimension of the antenna. The magnitude of the field strength in any direction varies inversely with R. A complete radiation pattern requires a three-dimensional representation. The other factors that are to be taken into account during the development of the antenna for the sniffer are the gain and the directivity, as these features have a greater effect when designing the antenna. The gain of the antenna is defined as the ability of the antenna to radiate power in a particular direction. The power radiated per unit area in any direction is given by the Poynting vector and is equivalent to

E2/2 W/m2

Total of the power that is being radiated by the antenna is given as

W=d

The average power that gets radiated is given as

(avg)=W/4 (watts per steradian)

The Directivity of the antenna is the direction in which there is maximum gain for the radiation that is being radiated, the gain of the antenna is given as a function of the angles. The directivity value is constant for a particular direction. In addition to the directivity and the gain of the antenna the other important thing that has to be taken into account is the power that is being radiated by the antenna. The total power is given as W and is the summation of the radiated power and the ohmic loss of the antenna. Here the Wl represents the ohmic losses of the antenna.

Wt=Wr+Wl

The power gain of the antenna is given as

gp=4/wt

The ratio of the power gain to the directivity is referred to as a measure of the efficiency of the antenna

gp/gd=Wr/(Wr+Wl)

The power radiated by the antenna should be properly designed, as this causes more penetration of the electromagnetic radiation and thus it might have some effect in the nearby cells. The effective area of the antenna is another important factor that is mainly required in the receiving antenna; it may be referred to as the effective aperture or capture area and is related to the directive gain of the antenna through the relation

A=gd2/4

Since the sniffer device that is constructed has both a transmitting and a receiving antenna, the effective gain has to be taken into account; it shows the ability of the antenna to capture the signal that the lost mobile is transmitting.

3.3 SOFTWARE FOR THE TRACKING:

The software part plays a major role in the tracking of the lost mobile phone: it is the basis for the antenna to track the lost mobile. The main feature of this software is that it helps in the creation of the database, and this is mainly done using a Random Access Memory. The mobile phone that is lost has a certain IMEI number that is embedded in the chip. The RAM of the sniffer device stores the IMEI number of the lost mobile phone. Thus it acts as a database or directory of lost mobile phone numbers. The software is to be designed in such a way that it takes as input the IMEI number of the lost mobile phone from the RAM, and this is done using an SQL query that fetches the IMEI number. After getting the IMEI number of the lost mobile phone as input, it checks the COM port to find out whether it receives any signaling information from the lost device that might respond to the signal sent by the sniffer.

The programming is done with C or Java. However, C is preferred as it is easily embedded in chips. The front end is designed with VB. Oracle SQL is the back end, as it helps in retrieving the input data from the RAM using the query. However, the sample program that we have designed does not use Oracle; it takes its input directly from the keyboard. It is an example, a dummy program created to help in understanding how the device would work.


CHAPTER 4 WORKING OF THE SNIFFER DEVICE

The sniffer is basically a transceiver that works at a frequency in the special unused range operated by the service provider, or it can be designed to operate at a frequency much different from the one being used by the nearby cells, as there may be a possibility of interference by the device with the devices in the nearby cells. The working of the device is as follows. Figs 2 and 3 show the working of the sniffer. Fig 2 gives the normal operation of the mobile with the base station: there is a BTS that acts as a middleman in the process of communication between the mobile and the MTSO, which is popularly known as the MSC or Mobile Switching Centre.

There is always two-way communication between the devices, and before the communication is established the SIM card, which holds the IMSI or International Mobile Subscriber Identifier, is authenticated. This IMSI number helps in the authorization of the user. The second authentication is the authentication of the handset, which is done in the EIR or Equipment Identifier Register. This register is located at the MSC and contains the IMEI number of the lost handset; if the signal is obtained from a normal one, then two-way communication is established.

Once the IMEI of the lost mobile phone has been reported to the service provider, the provider keeps track of the record of lost mobile phones. The MTSO or MSC, which keeps track of all mobile phones by IMEI number and IMSI number, has the information on the lost mobile phone's location, meaning the location of the cell where the lost device is: because of the two-way communication with the device, the BTS of the lost device is known to the MSC. Based on this information about the cell in which the device is located, the sniffer device is introduced.


Fig 4.1: The initial connection between the cellular network and lost mobile phone

The next figure, fig 2, shows the sniffer at work detecting the lost device. The IMEI number of the lost device is provided by the MTSO or MSC and is then fed into the sniffer's main memory, and the sniffer located in the particular cell goes into action to detect the lost device. The sniffer uses a frequency that is different from the one being used by the base station and the nearby cells. The base station disconnects the connection with the lost mobile phone, as there is a request regarding this action from the EIR part of the MSC.

This causes the lost device to search for a BTS to lock onto; since each base station does not have authorization capability, the lost device sends the appropriate connection request signal. Now that the sniffer device is deployed, and since this device has built-in authorization capability, the lost device finds the sniffer and locks itself to the frequency of the sniffer. While the connection between the sniffer and the mobile phone is being established, the IMEI of the lost mobile is validated against the stored IMEI, and after successful authorization the communication between the sniffer and the lost device is established.

If other devices in the same cell try to communicate with the sniffer, access is denied; this is done at the validation based on the IMEI. Once communication starts, the location can be tracked mainly with the antenna and the signal strength of the lost device. However, the search can also be aided by the GPS system for more accurate and faster detection.

The main requirement is that the sniffer is operated in a frequency that is different from the frequency adopted by the cell and nearby ones. Hence the interference from the nearby cell can be avoided. The directional antenna is used in finding the location of the mobile phone.


Fig 4.2: The connection of the sniffer device with the lost mobile phone.



Here the signal strength of the received signal is obtained, and the antenna pattern is plotted once the signal of the mobile is obtained. The number of antenna patterns for different positions of the same mobile phone is used to find the exact location.

However, in this method the directional antenna used must have a very small beam width; this helps make the process of detection more accurate.

Fig 4.3: The sniffer shown in fig tries to communicate with the lost mobile. After getting connected with the mobile it creates a virtual cell pattern and thus helps in the detection of lost mobile phones.


CHAPTER 5 CONCLUSION

Since the boom of the mobile phone for the purpose of communication there has been a large number of complaints regarding lost mobile phones, and no effective method has been developed for detecting the lost device. This paper dealt with the idea of developing a sniffer for the detection of lost mobile phones, which paves a way by which lost mobile phones can be recovered. But the process of detection is yet to be developed through the software; a demo has been developed and is with the authors. The demo has been written in VB and gives an overview of how the lost mobile is detected, and the software has been written in C. SQL has to be used for querying, and the internal architecture is of lesser complexity compared to the base station, as this mainly involves the control signal and there is no need for voice processing.

The design involved the following: design of the sniffer base station, design of the unidirectional antenna, and development of software for tracking. Though this method appears to be a little complex, involving the design of the sniffer, for large-scale detection the overall effective cost of the design and the detection scales down.

There are certain boundary conditions or criteria that have to be met for the identification of the lost mobile: the power of the mobile should be good enough, the mobile phone should not be in the shadow region, etc. However, this method can be improved by using modern technologies and devices.
