
The most complete and powerful stealth phones are the XCell Pro and XStealth.


Due to hardware and software limitations, no single XCell Stealth Phone has ALL of the special features shown below. Our programmers have squeezed every feasible special feature out of each handset we build on. For example, the XCell Pro has no calibration function in the GUI; automatic calibration is embedded in the operating system instead.
Other XCell Stealth Phones have fewer special features (and lower prices), as they are tailored to the needs of users in the field.
There is no such thing as "the best XCell Stealth Phone". The best XCell Stealth Phone is the one that fits all of your security needs. That said, the XCell Pro and XStealth are the most complete stealth phones, as they come with the widest range of special features.

Call Interception Alert*

Real-time detection of and warning about intercepted calls. The phone user is warned when a call is being intercepted. Based on checking the A5 cipher mode negotiated for the call and on a TA checking algorithm (for SS7 interception). Triggered by any type of interception: IMSI catcher, GSM interceptor, SS7.

*Refers to phone calls made over the mobile network. Does not refer to IM voice chat, Skype, etc.

SMS Interception Alert*

Real-time detection of and warning about intercepted SMS. The phone user is warned when SMS are being intercepted. Based on checking the A5 cipher mode and on a TA checking algorithm (for SS7 interception). Triggered by any type of interception: IMSI catcher, GSM interceptor, SS7.

Note: false positives occur in networks that do not encrypt SMS traffic by default.

*Refers to regular SMS sent / received via mobile network. Does not refer to IM chat, WhatsApp, etc.

Location Tracking Alert*

Real-time detection of and alerting on location tracking pings. On some XCell Stealth Phones, received pings are stored in a text file for further analysis. When Location Spoofing is enabled (where available), a spoofed GSM location is produced by camping on the most distant cell tower the phone can "see".

*Relates to location tracking procedures that use the subscriber's cellular network (by government agencies, law enforcement, etc.). Not effective for IP-based location tracking.

SS7 Interception Alert

SS7 call interception is carried out either with the network operator's assistance or, with the latest systems such as ULIN, without the operator's involvement, by acting directly at the HLR/VLR level.

Real-time interception detection and alerting.

SS7 Location Tracking Alert

SS7 location tracking is carried out either with the network operator's assistance or, with the latest systems such as ULIN, without the operator's involvement, by querying directly at the HLR/VLR level.

Real-time location tracking detection and alerting.

Location Update (LUR) Alert

A LUR (Location Updating Request) is sent by the phone to the network whenever it enters a new location area (LAC change) or a periodic timer expires; it is a standard procedure in all mobile networks. A GSM interceptor with location-tracking capability provokes repeated location updates from the target phone (for example by advertising a new LAC) in order to pin down its exact position. XCell Stealth Phones detect abnormal LUR activity and trigger location tracking alerts, which are stored in a text file for further analysis.

Note: mobile phones are not designed to operate at very high travelling speeds, such as aboard commercial airliners, and mobile networks are not designed to support such speeds either. Above 400 km/h during low-altitude flight, false positive LUR alerts may occur because of the rapid succession of LACs.

Real Location Spoofing

Real Location Spoofing refers to a fake location being presented to triangulation techniques based on cell tower position: the phone deliberately camps on the most distant cell tower it can "see". It does not depend on the GPS position and requires neither an internet connection nor third-party servers. GPS spoofing, by contrast, is easily defeated by cell-based triangulation, which reveals the actual location from the position of the serving tower.

Dynamic IMEI Change

The IMEI is the phone's hardware identity. The Dynamic IMEI function changes the IMEI automatically after every call and SMS, without user intervention: a new phone ID after each call and SMS. With this feature enabled, an interceptor cannot target or track the handset by its IMEI, and the target correlation methods of modern GSM interceptors, which match the phone's IMEI with the IMSI (the SIM card used in the phone), fail. Combined with the Dynamic IMSI feature (XCell Basic v3 Advanced, XCell Pro and XStealth), the phone leaves the interceptor with no stable identifier to work with.

Manual Change IMEI

The IMEI is the phone's hardware identity. Some basic XCell Stealth Phones, such as the XCell Dual SIM Stealth Phone, only offer manual IMEI change. Dynamic IMEI stealth phones can also change the IMEI manually: the user can enter a specific IMEI, i.e. a new phone ID after each call and SMS, set by hand. With the IMEI changed, call and SMS interception and location tracking that rely on the IMEI fail, as do the target correlation methods of modern GSM interceptors, which match the phone's IMEI with the IMSI (the SIM card used in the phone).

Phone Cloning

You can clone any other mobile phone and impersonate it to fool a GSM interceptor. Due to the sensitive nature of this particular feature, more information is provided after purchase.

IMSI Change

The IMSI is the SIM card's identity. Why change the IMSI? The answer is in the name "IMSI catcher", the common term for mobile phone interception systems, so little explanation is needed. IMSI Change is a special feature originally requested by law enforcement and intelligence agencies and now available to the public. The phone user can generate a new IMEI/IMSI pair for each call, leaving tracking and interception systems without a stable identifier to follow. The IMEI is the phone ID, the IMSI is the SIM ID; if both change, the user is protected against any targeting based on those identifiers. How does it work?

Channel Lock

Each mobile phone is connected to a cell tower via a pair of radio channels, uplink and downlink, identified by an ARFCN (or EARFCN on LTE). A GSM interceptor forces the phone to leave the real cell tower and connect to the interceptor, which uses a different ARFCN and LAC (Location Area Code). By locking the phone to known ARFCNs, XCell Stealth Phones will not connect to a GSM interceptor, nor to any cell other than the locked ones while on the move, and so avoid call and SMS interception.

Low signal or even signal loss may occur.

A5 Tracer

All traffic in GSM networks is encrypted over the air by default, using a stream cipher from the A5 family. To intercept calls, GSM interceptors disable encryption (A5/0) or, in the latest systems, downgrade it from A5/1 to the weaker A5/2, which can be broken in under a second. Note that A5/1 itself has well-documented practical attacks, so an unchanged A5/1 indication is not proof that a call is private; the value of the check lies in spotting downgrades.

The phone continuously monitors the A5 cipher mode provided by the GSM network and raises warnings if encryption is missing or the algorithm changes. In this way the user is warned about call interception before placing or answering a call.
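To make the check concrete, here is an added example, not XCell's code, of how a handset-side monitor can decode the cipher the network selects. GSM signals the algorithm in the Cipher Mode Setting of the CIPHERING MODE COMMAND (3GPP TS 44.018, 9.1.9 and 10.5.2.9): bit 1 says whether ciphering starts at all (A5/0 otherwise) and bits 2-4 name the A5 variant. The message bytes and the "baseline" cipher assumed to have been learned during calibration are illustrative assumptions.

```python
# Added example (not XCell code): decode the Cipher Mode Setting carried in a GSM
# CIPHERING MODE COMMAND (3GPP TS 44.018, 9.1.9 and 10.5.2.9) and compare the
# negotiated algorithm against the baseline learned on the home network.
# The message bytes used below are constructed for illustration.

RR_PROTOCOL_DISCRIMINATOR = 0x06   # radio resource management
CIPHERING_MODE_COMMAND = 0x35      # message type

# Algorithm identifier (bits 2-4 of the Cipher Mode Setting), TS 44.018 10.5.2.9
ALGORITHM_IDS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
                 4: "A5/5", 5: "A5/6", 6: "A5/7"}

# Rough ordering for downgrade detection (larger is stronger); an assumption.
STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3, "A5/4": 4}


def parse_ciphering_mode_command(msg: bytes) -> dict:
    """Return the cipher the network is asking the phone to start using."""
    if len(msg) < 3:
        raise ValueError("message too short")
    pd, mtype, setting = msg[0], msg[1], msg[2]
    if (pd & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or mtype != CIPHERING_MODE_COMMAND:
        raise ValueError("not a CIPHERING MODE COMMAND")
    sc = setting & 0x01             # bit 1: 0 = no ciphering, 1 = start ciphering
    alg_id = (setting >> 1) & 0x07  # bits 2-4: algorithm identifier
    cr = (setting >> 4) & 0x01      # bit 5 (Cipher Response): 1 = IMEISV requested
    cipher = "A5/0" if sc == 0 else ALGORITHM_IDS.get(alg_id, f"reserved({alg_id})")
    return {"cipher": cipher, "imeisv_requested": bool(cr)}


def assess_cipher(cipher: str, baseline: str) -> str:
    """Classify the negotiated cipher relative to the calibrated baseline."""
    if cipher == "A5/0":
        return "ALERT: no encryption (A5/0)"
    if cipher == "A5/2":
        return "ALERT: export-grade A5/2 negotiated"
    if STRENGTH.get(cipher, -1) < STRENGTH.get(baseline, 0):
        return f"WARN: downgrade from {baseline} to {cipher}"
    return "OK"


def check_message(msg: bytes, baseline: str = "A5/1") -> str:
    """Parse one CIPHERING MODE COMMAND and return the verdict."""
    return assess_cipher(parse_ciphering_mode_command(msg)["cipher"], baseline)


if __name__ == "__main__":
    # Constructed samples: PD 0x06, type 0x35, then the cipher mode / cipher response octet.
    for octet in (0x01, 0x00, 0x13, 0x05):
        msg = bytes([0x06, 0x35, octet])
        print(f"{octet:#04x}: {parse_ciphering_mode_command(msg)} -> {check_message(msg)}")
```

The Cipher Response bit tells the phone whether to include its IMEISV in the CIPHERING MODE COMPLETE; logging it alongside the algorithm gives the user one more identifier-exposure event to review.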

UnPing

To locate a phone, law enforcement agencies send so-called location tracking pings (LTP) to it. These are "silent" SMS, invisible on ordinary mobile phones regardless of brand, price or technology, usually sent over the GSM network. A normal phone acknowledges such a message without displaying it; the network thereby learns which cell delivered it, and that Cell ID, together with the tower's known coordinates, gives the phone's GSM location (not to be confused with GPS tracking).

When the UnPing function is enabled, the XCell Stealth Phone:

1. triggers an alarm when a location tracking ping is received.

2. blocks the acknowledgement of received LTPs and in this way hides the phone's location. Certain special settings are required.

Location tracking alerts are displayed on the phone home screen and saved in a text file.

TMSI monitoring

The TMSI (temporary IMSI) is a value assigned by the network so that the phone can identify itself without sending its IMSI over the air. The TMSI should change with every LAC change or every time the phone is restarted (depending on the network's settings). A GSM interceptor, by contrast, typically assigns a single TMSI and never reallocates it for as long as the phone is camped on it. TMSI monitoring lets the user view the current TMSI and every change to it. More details after purchase.

Untraceable

XCell Stealth Phones are built to defeat tracking and give privacy back to the user. An ordinary encrypted phone protects only the content of a call, encoding it so that it is unintelligible to an outside listener. XCell Stealth Phones protect the call itself, at the signalling level, so that the phone can no longer be found or located.

No call log history

No calls are saved in the call log, which is always clean and has no entries.

Discrete call recording

The user can activate automatic call recording. Every call is recorded without a warning tone. Call recordings are a valuable resource when confronted with tampered or forged recordings, especially in court.

Hunting Mode

With hunting mode active, the phone warns the user when a call and/or SMS is being intercepted (before the call is answered or placed) and when location tracking is detected. No calls or messages are blocked. Hunting mode tells you whether your phone is being monitored.

Anti interception mode

Activating anti-interception mode prevents calls and SMS from being sent or received while the phone is being monitored and interception is active. Use it with care and only when necessary: you do not want your adversaries to turn to other collection methods (HUMINT or bugging) to get at your secrets.

Ki Extraction Alert

Ki is the secret authentication key stored on every SIM card; the network authenticates the SIM with it and derives from it the session key (Kc) that encrypts voice calls. Ki itself never leaves the SIM. To recover it, a GSM interceptor runs a large number of RAND/SRES authentication rounds against the SIM and attacks the responses cryptanalytically (a known weakness of older COMP128 SIMs). XCell Stealth Phones detect abnormal RAND/SRES activity and raise a Ki extraction alert.
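The LUR, TMSI and Ki checks described above are all rate or state checks over signalling the phone can observe. As an added example, not XCell's code, here is a small monitor that replays constructed layer-3 events (LOCATION UPDATING REQUEST, LOCATION UPDATING ACCEPT with or without a new TMSI, AUTHENTICATION REQUEST) and raises the three corresponding alerts; the thresholds and the event trace are assumptions, not XCell's tuning.

```python
# Added example (not XCell code): sliding-window checks over layer-3 signalling events
# observed by the handset. Thresholds are illustrative assumptions; a deployment would
# tune them against the home network learned during calibration. Events are constructed.
from collections import deque


class SignallingMonitor:
    def __init__(self, lur_limit=3, lur_window=300.0, auth_limit=3, auth_window=60.0):
        self.lur_limit, self.lur_window = lur_limit, lur_window
        self.auth_limit, self.auth_window = auth_limit, auth_window
        self.lur_times = deque()
        self.auth_times = deque()
        self.lac = None
        self.tmsi = None
        self.lac_changed = False   # set by a LUR into a new LAC, cleared by the ACCEPT

    @staticmethod
    def _push(times, t, window):
        """Append t and drop timestamps that fell out of the window."""
        times.append(t)
        while times and t - times[0] > window:
            times.popleft()

    def feed(self, t, kind, value=None):
        """Process one event and return the alerts it raises (possibly none)."""
        alerts = []
        if kind == "LUR":            # MS -> network: LOCATION UPDATING REQUEST, value = LAC
            self._push(self.lur_times, t, self.lur_window)
            if len(self.lur_times) > self.lur_limit:
                alerts.append(f"{len(self.lur_times)} location updates within {self.lur_window:.0f}s")
            if self.lac is not None and value != self.lac:
                self.lac_changed = True
            self.lac = value
        elif kind == "LU_ACCEPT":    # network -> MS: LOCATION UPDATING ACCEPT, value = new TMSI or None
            if self.lac_changed and (value is None or value == self.tmsi):
                alerts.append("TMSI not reallocated after LAC change")
            self.lac_changed = False
            if value is not None:
                self.tmsi = value
        elif kind == "AUTH_REQ":     # network -> MS: AUTHENTICATION REQUEST (RAND challenge)
            self._push(self.auth_times, t, self.auth_window)
            if len(self.auth_times) > self.auth_limit:
                alerts.append(f"{len(self.auth_times)} authentication challenges within {self.auth_window:.0f}s")
        return alerts


def run(events):
    """Replay (t, kind, value) events and collect (t, alert) pairs."""
    mon = SignallingMonitor()
    return [(t, a) for t, kind, value in events for a in mon.feed(t, kind, value)]


# Constructed trace: a normal attach, then an interceptor that pulls the phone into a
# new LAC, hammers it with RAND challenges, keeps the old TMSI and forces repeated updates.
SAMPLE_EVENTS = [
    (0, "LUR", 0x1234), (1, "LU_ACCEPT", 0xAAAA0001),
    (600, "LUR", 0x9999),
    (601, "AUTH_REQ", None), (602, "AUTH_REQ", None), (603, "AUTH_REQ", None), (604, "AUTH_REQ", None),
    (605, "LU_ACCEPT", 0xAAAA0001),
    (620, "LUR", 0x9999), (640, "LUR", 0x9999), (660, "LUR", 0x9999),
]

if __name__ == "__main__":
    for t, alert in run(SAMPLE_EVENTS):
        print(f"t={t:4d}  {alert}")
```

A periodic location update on a real network happens every few minutes to hours and a LAC change normally comes with a fresh TMSI, so the normal-traffic half of the trace produces nothing; the three alerts all come from the interceptor half.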

Secure SMS

A secure SMS is a normal SMS sent to another, non-XCell device through secure gateways. A secure SMS can only be intercepted if the recipient's phone is intercepted. A secure SMS is not the same as an encrypted SMS.

Encrypted SMS

Some XCell Stealth Phones use government-grade SMS encryption. You need at least two compatible XCell Stealth Phones. No additional fees, no monthly payments, no internet connection required.

Embedded in the operating system, with obfuscated code, it resists reverse engineering and tampering with the encryption algorithm. Obfuscation raises the cost of analysis; the confidentiality of the messages nonetheless rests on the secrecy of the keys, not on the secrecy of the algorithm.

Encrypted IM

Only available for XStealth Lite and XStealth.

Encrypted instant messaging ensures privacy by making sure that only the intended recipient can read your messages: the encryption built into the messaging apps means that third parties who intercept the messages cannot read them.

There is a wide variety of encrypted IMs that the user can have installed before delivery. Some encrypted IMs are installed by default.

XCrypt MLSPⓇ

Our proprietary SMS encryption solution, available for the XCell Basic v3 Advanced Stealth Phone and XStealth. It can also be installed on XStealth Lite upon request. It requires at least two XStealth devices to function. More about it here.

Immune to Silent SMS

Many police and intelligence agencies use covert "silent" SMS to locate suspects or missing persons. A silent SMS (Short Message Type 0) is delivered to the target's phone without being displayed or stored; the phone simply acknowledges it and no visible trace is left. Because the network has to page the phone and deliver the message, the cell serving the phone is recorded at that moment, and the sender obtains the phone's geographic location from it.
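A location ping or silent SMS is an ordinary SMS-DELIVER whose TP-Protocol-Identifier is 0x40 (Short Message Type 0, 3GPP TS 23.040), which the phone must acknowledge but never display or store. As an added example, not XCell's code, the parser below decodes the TPDU header far enough to classify Type 0 pings, flash (class 0) messages and the (U)SIM data-download messages that SIM toolkit attacks ride on; the TPDUs are constructed for the illustration, not captured, and the sender number is a fictitious one.

```python
# Added example (not XCell code): decode the header of an SMS-DELIVER TPDU (3GPP TS 23.040)
# far enough to tell a "silent" Type 0 ping, a (U)SIM data-download message or a flash
# message from an ordinary text. The TPDUs below are constructed, not captured.

def _bcd_digits(data: bytes, ndigits: int) -> str:
    """Decode swapped-nibble BCD as used for TP-OA and TP-SCTS."""
    digits = []
    for b in data:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:ndigits])


def _message_class(dcs: int):
    """Message class from TP-DCS (TS 23.038), or None if no class is given."""
    if dcs & 0xC0 == 0x00:          # general data coding group
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:          # data coding / message class group
        return dcs & 0x03
    return None


def classify(pid: int, msg_class) -> str:
    """Label the message by TP-PID and class (TS 23.040, 9.2.3.9)."""
    if pid == 0x40:
        return "silent (Type 0)"
    if 0x41 <= pid <= 0x47:
        return f"replace short message type {pid - 0x40}"
    if pid == 0x7F and msg_class == 2:
        return "(U)SIM data download"
    if msg_class == 0:
        return "flash (class 0)"
    return "normal"


def parse_sms_deliver(tpdu: bytes) -> dict:
    first = tpdu[0]
    if first & 0x03 != 0x00:               # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len = tpdu[1]                       # originating address length in digits
    toa = tpdu[2]                          # type-of-address
    oa_bytes = (oa_len + 1) // 2
    sender = _bcd_digits(tpdu[3:3 + oa_bytes], oa_len)
    if (toa >> 4) & 0x07 == 0x01:          # type of number: international
        sender = "+" + sender
    pos = 3 + oa_bytes
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    scts = tpdu[pos + 2:pos + 9]           # service centre time stamp, 7 octets
    yy, mm, dd, hh, mi, ss = (int(_bcd_digits(bytes([b]), 2)) for b in scts[:6])
    udl = tpdu[pos + 9]
    msg_class = _message_class(dcs)
    return {
        "sender": sender,
        "pid": pid,
        "dcs": dcs,
        "msg_class": msg_class,
        "timestamp": f"20{yy:02d}-{mm:02d}-{dd:02d}T{hh:02d}:{mi:02d}:{ss:02d}",
        "udl": udl,
        "has_udh": bool(first & 0x40),
        "kind": classify(pid, msg_class),
    }


# Constructed TPDUs: SMS-DELIVER from the fictitious number +447700900123, 2025-01-12 14:35:00.
_HDR = bytes([0x04, 0x0C, 0x91, 0x44, 0x77, 0x00, 0x09, 0x10, 0x32])
_SCTS = bytes([0x52, 0x10, 0x21, 0x41, 0x53, 0x00, 0x00])
SILENT_TYPE0_TPDU = _HDR + bytes([0x40, 0x00]) + _SCTS + bytes([0x00])            # PID 0x40, empty body
SIM_DATA_DOWNLOAD_TPDU = _HDR + bytes([0x7F, 0xF6]) + _SCTS + bytes([0x02, 0xAA, 0xBB])  # PID 0x7F, class 2
FLASH_TPDU = _HDR + bytes([0x00, 0x10]) + _SCTS + bytes([0x02, 0xC8, 0x34])        # class 0, 7-bit "Hi"

if __name__ == "__main__":
    for name, tpdu in (("silent", SILENT_TYPE0_TPDU), ("sim-ota", SIM_DATA_DOWNLOAD_TPDU), ("flash", FLASH_TPDU)):
        print(name, parse_sms_deliver(tpdu))
```

Detecting the ping is the easy half of UnPing. The acknowledgement that gives the location away is produced by the baseband when it confirms delivery, so suppressing it requires control below the application layer; on a stock smartphone an app can at best observe such messages, not block them.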

Immune to Spy Call

A spy call is a call placed by a GSM interceptor to a mobile phone in order to eavesdrop on the phone's surroundings. The phone user cannot recognise it: the phone neither rings nor vibrates, the screen stays off (no indication of an active call) and the call does not appear in the call list.

XCell stealth phones block spy calls or allow the user to answer the call depending on the phone model.

Immune to Silent Call

A silent call is a call originated by the GSM interceptor to a specific IMEI/IMSI in order to correlate the IMEI/IMSI with the MSISDN (Mobile Subscriber ISDN Number, i.e. the telephone number belonging to the SIM card). Using the silent call, a GSM interceptor can determine which phone number is associated with a given IMEI/IMSI. Silent calls result from a process called a ping, very similar to an Internet Protocol (IP) ping. A normal telephone cannot recognise a silent call. Not to be confused with a Spy Call, which is used to listen in on the phone's surroundings.

A silent call is also used by a GSM interceptor to locate a phone: the interceptor initiates a silent (blind) call, the ordinary phone neither rings nor vibrates but has to transmit on a frequency controlled by the interceptor, and a DF (direction finder) device is then used to locate the signal source, i.e. the target phone, with an accuracy of up to 1 m. The GSM interceptor lets regular incoming and outgoing calls and SMS through during this process.

A silent call is also used to capture the current TMSI number.

XCell Stealth Phones are designed to detect, reject and block silent calls.

Security suite

The Security Suite is installed on certain XCell Stealth Phones and contains up to 7 special functions:

  • IMSI change

  • Instant interception check

  • C2 monitoring

  • Sandbox

  • cryptoTRACERⓇ

  • Anti-interception

  • Location spoofing

Call encryption

Call encryption for XStealth Lite and XStealth is only available upon request. It consists of call encryption apps that rely on data connections and third-party servers. Not recommended.

Instant interception check

The user can immediately check whether the phone is connected to a GSM interceptor or affected by SS7 surveillance by running the "Instant interception check" app.

Once started, the function checks for active and passive monitoring step by step. Against active/semi-active GSM interceptors, the phone checks:

  • BTS parameters

  • RSSI

  • Cell ID

  • LAC

  • ARFCN

  • Ki retrieval attempts (Ki is the authentication key stored on the SIM card).

  • Baseband Attack Attempts.

Against passive GSM interceptors, the phone checks:

  • Uplink

  • Downlink

  • Signalling round-trips towards the HLR/VLR core network, from which network redundancy and abnormal delays are derived.

  • Finally, a network security assessment is produced.

C1 / C2 monitoring

By forcing cell reselection (through the C2 parameter), active and semi-active GSM interceptors make every mobile phone leave its home network cell and connect to the fake cell tower. This is also called BCCH manipulation and is used by all modern GSM interceptors. When this feature starts, the phone will:

  • Extract the C1 value of the serving cell.

  • Calculate the C2 value using the standard reselection algorithm defined for every GSM network.

  • Search for at least 6 neighbouring cell towers, sorted by RSSI.

  • Compare C1 with C2.

  • Raise an alarm if no neighbouring cells are found (a clear indication that a GSM interceptor is active in the area).

  • Look for CPICH, RSCP and BCCH.

  • Show forced handover attempts (if any).

  • Display channel blocking errors (if any).
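For the C1/C2 step, the added example below (not XCell's code) implements the cell selection criterion C1 and the reselection criterion C2 from 3GPP TS 45.008, section 6.4, and runs them over a constructed neighbour list. It shows why a fake cell advertising a large CELL_RESELECT_OFFSET wins reselection even at a weaker signal, and flags the cell whose C2 exceeds its C1 by far more than its neighbours' do. The handset power class, the cell parameters and the alert thresholds are assumptions.

```python
# Added example (not XCell code): the GSM idle-mode cell selection (C1) and reselection (C2)
# criteria from 3GPP TS 45.008, 6.4, applied to a constructed neighbour list. It shows how a
# rogue cell with an oversized CELL_RESELECT_OFFSET wins reselection, and a simple check that
# flags it. MS_MAX_POWER_DBM, the cells and the alert thresholds are assumptions.
from dataclasses import dataclass
from statistics import median

MS_MAX_POWER_DBM = 33       # P in the spec: class 4 GSM900 handset (assumed)


@dataclass
class Cell:
    arfcn: int
    lac: int
    rxlev_dbm: int           # averaged received level measured by the phone
    rxlev_access_min: int    # RXLEV_ACCESS_MIN from SI3/SI4 (dBm)
    ms_txpwr_max_cch: int    # MS_TXPWR_MAX_CCH from SI3/SI4 (dBm)
    cell_reselect_offset: int = 0   # CRO in dB (0..126)
    temporary_offset: int = 0       # TO in dB
    penalty_time: int = 20          # PT in seconds
    penalty_reserved: bool = False  # PENALTY_TIME = 11111: C2 = C1 - CRO


def c1(cell: Cell, p: int = MS_MAX_POWER_DBM) -> int:
    a = cell.rxlev_dbm - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - p
    return a - max(b, 0)


def c2(cell: Cell, t_on_list: float, serving: bool = False, p: int = MS_MAX_POWER_DBM) -> int:
    base = c1(cell, p)
    if cell.penalty_reserved:
        return base - cell.cell_reselect_offset
    # H(PENALTY_TIME - T) is 1 while the cell has been on the strongest-carriers list for at
    # most PENALTY_TIME seconds and 0 afterwards; it is never applied to the serving cell.
    h = 0 if serving or t_on_list > cell.penalty_time else 1
    return base + cell.cell_reselect_offset - cell.temporary_offset * h


def evaluate(serving: Cell, neighbours: list, t_on_list: float = 30.0,
             hysteresis_db: int = 4, offset_alert_db: int = 30) -> dict:
    """Score every cell, pick the reselection target and flag suspicious cells."""
    scores = {serving.arfcn: (c1(serving), c2(serving, t_on_list, serving=True))}
    for n in neighbours:
        scores[n.arfcn] = (c1(n), c2(n, t_on_list))
    serving_c2 = scores[serving.arfcn][1]

    # Reselection (TS 45.008, 6.6.2): the best neighbour must beat the serving C2, and by
    # CELL_RESELECT_HYSTERESIS if it belongs to another location area.
    target, best = None, serving_c2
    for n in neighbours:
        needed = serving_c2 + (hysteresis_db if n.lac != serving.lac else 0)
        if scores[n.arfcn][1] > needed and scores[n.arfcn][1] > best:
            target, best = n.arfcn, scores[n.arfcn][1]

    cells = [serving] + neighbours
    suspicious = {}
    if not neighbours:
        suspicious[serving.arfcn] = ["no neighbouring cells advertised"]
    for cell in cells:
        reasons = []
        my_offset = scores[cell.arfcn][1] - scores[cell.arfcn][0]      # C2 - C1 = effective offset
        others = [scores[o.arfcn][1] - scores[o.arfcn][0] for o in cells if o is not cell]
        if others and my_offset - median(others) >= offset_alert_db:
            reasons.append(f"reselection offset {my_offset} dB far above neighbours")
            if sum(1 for o in cells if o.lac == cell.lac) == 1:
                reasons.append(f"LAC {cell.lac:#06x} shared with no other cell")
        if reasons:
            suspicious.setdefault(cell.arfcn, []).extend(reasons)
    return {"scores": scores, "reselect_to": target, "suspicious": suspicious}


# Constructed environment: five genuine cells in LAC 0x1234 and one rogue cell with a
# 60 dB CELL_RESELECT_OFFSET in a LAC nobody else advertises.
SERVING = Cell(62, 0x1234, -70, -104, 33)
NEIGHBOURS = [
    Cell(65, 0x1234, -75, -104, 33),
    Cell(70, 0x1234, -80, -104, 33),
    Cell(77, 0x1234, -85, -104, 33),
    Cell(81, 0x1234, -88, -104, 33),
    Cell(124, 0x7777, -78, -104, 33, cell_reselect_offset=60),
]

if __name__ == "__main__":
    result = evaluate(SERVING, NEIGHBOURS)
    for arfcn, (v1, v2) in result["scores"].items():
        print(f"ARFCN {arfcn:3d}: C1={v1:3d} C2={v2:3d}")
    print("reselect to:", result["reselect_to"])
    print("suspicious:", result["suspicious"])
```

C2 minus C1 is exactly the reselection offset the cell advertises, so comparing that difference across the neighbour list, rather than C1 and C2 of a single cell in isolation, is what makes the check meaningful. A neighbour list that is empty is flagged separately, as described in the list above.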

cryptoTRACERⓇ

In addition to IMSI catchers and GSM interceptors, which are small, mobile (sometimes vehicle-mounted) eavesdropping systems, law enforcement authorities use so-called lawful interception (SS7 interception, or interception with the operator's help): dedicated hardware connected directly to the GSM core network, at the level of the network switch.

cryptoTRACERⓇ is a unique function based on XCell's own algorithms that immediately recognises lawful-interception-style eavesdropping attempts and alerts the user when calls and SMS are intercepted by SS7 means (strategic eavesdropping solutions).

Network Scan

Available on XStealth only.

A live network monitoring tool that looks for IMSI catchers/GSM interceptors, SS7-based eavesdropping and other network anomalies. Real-time interception detection is also available. Its intelligent scan mode suppresses false positives. Similar to the Instant Interception Check available on the XCell Dynamic IMEI range of products.

Real time interception detection

The user can check the security of the stealth phone's network connection in real time. Detects interception of calls/SMS by either means: IMSI catcher/GSM interceptor, or SS7 (also known as network-switch-based interception).

LAC Change Alert

This is the proximity alert function. The phone detects abnormal LAC (Location Area Code) changes while it is stationary; such changes are characteristic of IMSI catchers/GSM interceptors forcing a connection for eavesdropping purposes.

Available on XStealth.

Microphone lock

The user can lock the microphone at any time to prevent remote activation so that the environment cannot be monitored via Silent Call or Spy Call.

Available on XStealth.

Camera lock

The user can lock the camera at any time and thus prevent remote activation for spy images / films.

Available on XStealth.

Calibrate

Android Ultra Secure Stealth Phones are supplied with a calibration app, which is required for 2G and 3G networks. Make sure to run Calibrate while the phone is connected to its home network (not roaming and not connected to a GSM interceptor), ideally outdoors. Only use MNO SIM cards within the country that issued the SIM card: the GSM country code and the SIM country code should be identical.

When you activate the phone for the first time, run the calibration function: the phone calibrates itself, tests the GSM network and stores the home network's data as part of its self-learning process. It is important to use a new SIM card (subscription or prepaid) and to be in a safe place (connected to a real GSM network).

Other XCell Stealth Phones use automatic calibration when a new SIM card is inserted.

On screen functions

To make operation easier, the most important monitoring and warning functions are also shown on the home screen. The main home screen looks like that of any other smartphone; simply swiping it brings up all of the monitoring functions.

Sandbox

The IMEI engine, IMSI engine and other software components run in a separate partition (sandbox) for faster and smoother operation. System restarts triggered by abnormal network conditions (such as those generated by an IMSI catcher/GSM interceptor) have been suppressed.

Continuous network scanning

Continuous network scanning is a background process that never stops: the phone keeps searching for GSM/SS7 threats. It also works in airplane mode. As a result, the battery drains faster than on a normal phone and lasts up to 3 days.

Testing tool: XPing

No other secure phone ships with a testing tool, free or otherwise.

Android Ultra Secure Stealth Phones, XStealth Lite and XStealth, come with a free test tool, XPing. This is an Android application developed to test the location tracking alert and the reception of location pings.

XPing can be installed on any other Android device (4.2 and higher), which can then send location tracking pings to any other mobile phone. To keep its use legal, we have removed the location data that the target phone would otherwise return to the sender along with the delivery report: the sending phone only receives a standard delivery report stating that the ping was sent and received by the target phone, and no location data.

Not compatible with other XCell stealth phones.

Virus Free: Secure by Default

All XCell Stealth Phones are immune to viruses, malware and spyware by default. Apps cannot be installed, not even by the user: app installation is deactivated. Remote code execution is not possible, not even through SIM toolkit attacks. No antivirus app is needed to slow the phone down.

Removed GPS Module

At the customer's request, the GPS module can be deactivated on both the software and hardware level.

Removed Camera Module

At the customer's request, the camera module can be deactivated on both the software and hardware level.

Removed all Google software

All Google software components are removed at the customer's request. This can lead to system stability problems.

Only available for XStealth Lite and XStealth.

All other XCell stealth phones do not have a Google software component by default.

Self-Destruct Motherboard

If the phone is connected to any external device other than its paired charger, the self-nuke mechanism is triggered and the motherboard self-destructs. There is no unlocking procedure; the only repair is a motherboard replacement.

When the self-nuke mechanism is triggered, the phone enters protected mode (a permanent boot loop): the bootloaders are erased and, on the first USB connection, the motherboard applies a 200 VDC discharge across the USB data lines. In laboratory tests this discharge has repeatedly set the phone's battery on fire. Our company is not responsible for any damage or loss if a charger other than the one supplied is used or if an attempt is made to connect the phone to any other external device, and such damage is not covered.

Encrypted bootloader

A regular, unlocked bootloader lets anyone replace all of the software on the phone. By locking it, we prevent others from doing so, where "others" means not only forensic examiners but also the phone's owner. The aim is to present as little attack surface as possible to hackers and forensic tools that try to interfere with the phone, and to keep out customer-installed software that could degrade or destroy its security. The phone holds a read-only copy of the manufacturer's public key internally and refuses any firmware image not signed by the matching private key, which blocks firmware "updates" pushed by hackers or even intelligence agencies to gain access to the phone. The phone thus gets the best of both worlds: users cannot upload unsigned, malicious changes, while we can still fix software problems when we have the phone in our hands.

Encrypted & Signed firmware

With signed firmware, our programmers can verify on request that the firmware has not been tampered with. Thanks to encryption, obfuscation and signing of the firmware, it cannot be extracted for cloning or for in-depth analysis of the device.

Bluetooth firewall

Highly secure Bluetooth connection. Remote activation is not possible; the user has 100% control.

No false positives

False positives are alerts triggered by normal, harmless events on the phone. For example, some mobile operators do not encrypt SMS traffic as the standard intends. Without false positive suppression, an SMS interception alarm would be raised whenever an SMS is sent or received, even though nothing is being intercepted. The same goes for location tracking pings.

Forensic proof

XCell Stealth Phones are protected against forensic examination by volatile USB filters. No forensic device can extract data or files from the phone: as soon as the phone is connected to such a device, to a PC or to a service box, the volatile USB filters trigger the self-destruction of the motherboard and the phone enters protected mode (a permanent boot loop). Connecting the phone to a PC for charging, even accidentally, also triggers the self-nuke mechanism. Only the supplied wall chargers paired with the phone should be used for charging.

Paired Wall Charger

All XCell Stealth Phones that charge via a micro USB port come with a paired charger. Other chargers and power banks are not permitted. The paired charger is part of the protection against forensic examination and data extraction: if anything else is plugged into the USB port, the motherboard self-destructs.

User control

Phone users have 100% control over their XCell Stealth Phone. No OTA updates, no hidden strings attached, no servers involved.

Security audit

Most XCell Stealth Phones have undergone independent security reviews by three different companies, all of which they passed.

Highly Customizable

XCell Stealth Phones are highly customisable to customer requirements: software, graphical interface and company logo. They are available as branded, unbranded and custom stealth phones. XStealth Lite and XStealth are the most versatile products: the customer can choose up to 4 apps to be installed after we have reviewed their source code and (where necessary) applied security patches. We reserve the right not to install apps that could compromise the user's privacy or the phone's security.

Tamper Resistant Stealth Phone

Effective anti-tampering mechanisms are installed at both the software and the hardware level. Hardware tamper protection is resistance to tampering (deliberate malfunction or sabotage), whether by the normal users of a product, package or system or by others with physical access to it. Software anti-tampering techniques let the firmware inspect itself and detect whether its code has been altered. These self-checking techniques read the binary code of the protected software using dedicated functions called checkers.

Tamper Resistant Battery

A mobile phone battery contains up to 4 cells. When an intelligence agency intercepts the parcel containing your new phone, it can replace one of these cells with a tracking device powered by the remaining cells before delivery. Since the user always charges the battery before it runs flat, the tracking device is kept alive indefinitely.

Tamper Resistant OS

Mobile devices are easy targets for hackers and abusive state actors alike. We therefore designed the most secure Android, XROM, to protect against a wide variety of attack vectors, regardless of who has access to your data. XROM is based on the latest stable version of the Android Open Source Project and inherits its baseline privacy and security features, which are already well ahead of any conventional desktop or mobile Linux distribution.

Unlike other flavours of Android, including aftermarket operating systems and the forks that manufacturers create for their devices, XROM does not disable or weaken basic security features such as verified boot and the SELinux policy.

The Android runtime was taught not to look for executable code (oat and odex files) in /data/dalvik-cache, and the execute and symlink-read permissions on the dalvik-cache label were removed for system_server and the domains used only by the base system, so that the policy grants them only to untrusted_app, isolated_app and the shell domain used by adb shell.

XROM cannot be downgraded to re-expose old, exploitable versions. System files are protected from being copied or extracted.

The boot process is fully verified and covers all firmware and operating system partitions. The unverified user data partition is encrypted and is wiped by a factory reset. Rollback protection is implemented via the Replay Protected Memory Block (RPMB).
The kernel attack surface is reduced using seccomp-bpf, and the linker randomises the library load order on top of the Linux kernel's default hardening.

No OTA updates

Most "secure" phones and apps these days request software updates from time to time, which is not a bad thing in itself. The problem is that fake software updates can be deployed by skilled hackers or abusive law enforcement agencies to trick the phone user into installing spyware without knowing or consenting: malicious code is easily disguised as a software update and installed on the phone remotely. This is in fact one of the ways law enforcement agencies gain remote access to phone data.

This is an example: https://www.youtube.com/watch?v=h98KtUgUOsg

No App Install / Uninstall

Apps cannot be installed, and existing apps cannot be removed, on XStealth Lite and XStealth. We blocked the uninstall process so that security apps cannot be removed, which would expose the phone to exploits, attacks and data extraction.

If you need additional apps, let us know: our programmers install them for you.

In this way we prevent remote spyware installation via a rogue app upgrade or via the "Time-of-Check to Time-of-Use" vulnerability described below.

Almost half of all Android systems, 49.5 percent to be precise, contain a vulnerability that could allow an attacker, whether a hacker or another abusive actor, to abuse the app installation process and install spyware on affected devices.

The Android OS vulnerability in question is a Time-of-Check to Time-of-Use (TOCTOU) flaw, reported to affect approximately 89.4 percent of the Android population. Attackers can exploit it in two ways: either a harmless-looking app with harmless-looking permissions downloads a separate malicious app later, or the user is lured into downloading an outright malicious app that displays a seemingly innocuous set of permissions.

APKs are the file format used to install software on Android. Whoever can tamper with the APK file between the check and the installation can therefore install arbitrary or malicious code on vulnerable devices without the user seeing it.

Android hands the installation to PackageInstaller. Once the installation begins, the package to be installed is presented in a screen called PackageInstallerActivity, where the user confirms the installation and reviews the requested permissions; this is the "time of check". The vulnerability lies in the fact that the information shown on the PackageInstallerActivity screen is read from an APK stored in a location the attacker can write to, so the attacker can swap the file after it has been checked and before it is installed (the "time of use"). In other words, the attacker can make it appear that the user is installing one app when in fact a completely different one is installed.
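The installer flaw described above is a time-of-check/time-of-use race: the permissions are parsed from a file in a location other apps can write to, and the installation re-reads that file later. The added example below, which is neither XCell's code nor Android's, reproduces the race with a JSON stand-in for an APK manifest and shows the standard mitigation of copying the package into a private directory before it is shown to the user and installing that copy; the package format, the paths and the attacker hook are constructed for the illustration.

```python
# Added example (not XCell code, not Android code): the check-then-use gap in an installer
# that parses a package once to show its permissions and later re-reads the file from a
# shared, writable location to install it, next to the hardened pattern (snapshot the
# package into a private directory first and install the snapshot). The "package" is a
# constructed JSON stand-in for an APK manifest; the attacker hook models a process that
# can write to the shared directory while the confirmation dialog is open.
import json
import os
import shutil
import tempfile


def parse_permissions(data: bytes) -> list:
    """Stand-in for reading the manifest out of a package."""
    return json.loads(data.decode())["permissions"]


def vulnerable_install(path, user_confirms, during_confirmation=None):
    with open(path, "rb") as f:
        shown = parse_permissions(f.read())       # time of check: what the dialog displays
    if during_confirmation:
        during_confirmation()                     # attacker swaps the file while the dialog is up
    if not user_confirms(shown):
        return None
    with open(path, "rb") as f:                   # time of use: re-read from the shared path
        return {"shown": shown, "installed": parse_permissions(f.read())}


def hardened_install(path, user_confirms, during_confirmation=None):
    private_dir = tempfile.mkdtemp()              # mode 0700: not writable by other processes
    staged = os.path.join(private_dir, "staged.pkg")
    shutil.copyfile(path, staged)                 # snapshot the package before anything is shown
    try:
        with open(staged, "rb") as f:
            data = f.read()
        shown = parse_permissions(data)
        if during_confirmation:
            during_confirmation()                 # the swap hits the shared file, not the snapshot
        if not user_confirms(shown):
            return None
        return {"shown": shown, "installed": parse_permissions(data)}   # install what was checked
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def demo():
    """Run both installers against a swap during confirmation; returns their results."""
    shared = tempfile.mkdtemp()
    pkg = os.path.join(shared, "notes.apk")
    benign = json.dumps({"name": "notes", "permissions": ["INTERNET"]}).encode()
    malicious = json.dumps({"name": "notes", "permissions": ["READ_SMS", "RECORD_AUDIO"]}).encode()

    def reset():
        with open(pkg, "wb") as f:
            f.write(benign)

    def swap():
        with open(pkg, "wb") as f:
            f.write(malicious)

    def approve(perms):
        return perms == ["INTERNET"]              # the user only accepts the benign permission set

    try:
        reset()
        vulnerable = vulnerable_install(pkg, approve, swap)
        reset()
        hardened = hardened_install(pkg, approve, swap)
    finally:
        shutil.rmtree(shared, ignore_errors=True)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable installer: shown", v["shown"], "installed", v["installed"])
    print("hardened installer:   shown", h["shown"], "installed", h["installed"])
```

The user approves the same permission list in both runs; only the hardened installer ends up installing the bytes that were actually checked.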

App installation is also blocked by anti-forensic filters to protect the phone: a forensic client cannot be installed to extract data and/or files. If an app installation is forced, the self-nuke mechanism is triggered and the phone enters protected mode (a permanent boot loop), with the consequences and liability terms described under Self-Destruct Motherboard above.

Glossary 

For a better understanding of the special functions, please read the glossary.

If you have any further questions, please do not hesitate to contact us.

A5/0, A5/1, A5/2, A5/3 (KASUMI)

The GSM encryption algorithm is called A5. There are four variants of A5 in GSM, only the first three of which are widely used:

  • A5/0: no encryption at all

  • A5/1: stronger encryption, intended for use in North America and Europe

  • A5/2: weak encryption, intended for use in other parts of the world, since rejected by the GSMA

  • A5/3: even stronger encryption with an open design, also known as KASUMI. Used by some 3G and 4G cellular networks.

A5/1

A5/1 is a stream cipher used to protect over-the-air communication in the GSM cellular standard. It was initially kept secret but became public knowledge through leaks and reverse engineering. A number of serious vulnerabilities have been identified in the cipher. A5/1 is used in Europe and the USA.

A5/2

A5/2 is a stream cipher used to provide voice privacy in the GSM mobile phone protocol. It was an intentional weakening of the algorithm for certain export regions. The cipher is built from four linear feedback shift registers with irregular clocking and a non-linear combiner.

A5/3

A5/3 is based on the KASUMI block cipher and is used in the UMTS, GSM and GPRS mobile communication systems. In UMTS, KASUMI is used in the confidentiality and integrity algorithms UEA1 and UIA1. In GSM, KASUMI is used in the A5/3 keystream generator and in GPRS in the GEA3 keystream generator.

ARFCN / EARFCN

In GSM cellular networks, an absolute radio-frequency channel number (ARFCN) is a code that identifies a pair of physical radio carriers used for transmitting and receiving in a land mobile radio system, one for the uplink signal and one for the downlink signal. This network parameter is used to force mobile phones to send registration requests to a wrong BTS (IMEI/IMSI catcher).

In LTE, EARFCN stands for E-UTRA Absolute Radio Frequency Channel Number. EARFCN values range from 0 to 65535.

Authentication key (Ki)

The authentication key, or Ki, is a 128-bit key that is used in authentication and the generation of the encryption key. In short, the key is used to authenticate the SIM in the GSM network. Each SIM card contains this key, which is assigned to it by the operator during the personalization process. The SIM card is specially designed so that the Ki cannot be compromised via a smart card interface.

Encryption key (Kc)

The SIM contains the key generation algorithm (A8) with which the 64-bit encryption key (Kc) is generated. The encryption key is calculated by feeding the same random number (RAND) used in the authentication process, together with the individual subscriber authentication key (Ki), into the key generation algorithm (A8). The encryption key (Kc) is used to encrypt and decrypt the data between the MS and the BS. However, a passive GSM interceptor can remotely recover the encryption key, calculate it and use it for real-time decryption.

BCCH

A broadcast control channel (BCCH) is a point-to-multipoint, unidirectional (downlink) channel used on the Um interface of the GSM mobile radio standard. The BCCH transmits a repeating pattern of system information messages describing the identity, configuration and available features of the base transceiver station (BTS).

BCCH manipulation

A special technique. GSM interceptors (IMEI/IMSI catchers) use BCCH manipulation to create a "virtual power effect" of up to several hundred watts. A GSM interceptor exploits the fact that handsets will always select the "BTS" with the strongest signal. In addition, by changing the Cell ID (all other network parameters remain the same: MCC, MNC, LAC) and the ARFCN, the interceptor forces the mobile phones in the area to send registration requests and in this way collects the phone IDs: IMSI, IMEI, Classmark, etc.

BTS

Aka cell tower. The base transceiver station contains the equipment for sending and receiving radio signals (transceivers), antennas and equipment for encrypting and decrypting communication with the base station controller (BSC).

Carrier

A company that provides GSM telecommunications services.

Cell

In personal communication systems (cellular telephone systems), a cell is the geographic area served by a single base station. Cells are arranged so that base station frequencies can be reused between cells. The term also refers to the surroundings of a cell site, the area in which calls from a particular cell location are handled.

Cell identifier

A GSM Cell ID (CID) is a generally unique number used to identify each Base Transceiver Station (BTS), or a sector of a BTS, within a Location Area Code (LAC) in a GSM network. In some cases the last digit of the CID represents the sector ID of the cell. This network parameter is used in the so-called BCCH manipulation by GSM interceptors. By changing the Cell ID (all other network parameters remain the same: MCC, MNC, LAC) and the ARFCN, the system forces the cell phones within range to send registration requests and in this way collects phone IDs: IMSI, IMEI, Classmark, etc.

Cell location

The transmitting and receiving equipment, including the base station antenna, that connects a mobile phone to the network.

Channel coding

Channel coding is the technique of protecting communications signals from signal degradation by adding redundancy to the communications signal.

Fading

A fade is a slow change in signal strength.

GSM 1800

The GSM 1800 band provides for a GSM uplink in the 1710-1785 MHz range and a GSM downlink in the 1805-1880 MHz range.

GSM 1900

The GSM 1900 band provides for a GSM uplink in the 1850-1910 MHz range and a GSM downlink in the 1930-1990 MHz range.

GSM 900

The GSM 900 band provides for a GSM uplink in the 890-915 MHz range and a GSM downlink in the 935-960 MHz range. GSM 900 is now switched off in the USA, Canada and Australia.

3G

3G (short for Third Generation) is the third generation of wireless mobile telecommunications technology. It is the upgrade from 2.5G GPRS and 2.75G EDGE networks for faster data transfer.

3G telecommunications networks support services that provide an information transfer rate of at least 144 kbit/s. Later 3G versions, often referred to as 3.5G and 3.75G, also offer mobile broadband access of several Mbit/s for smartphones and mobile modems in laptops.

Older mobile eavesdropping systems could not eavesdrop on 3G cellular communications directly, so they used high-power jammers (frequency interferers) on the 3G frequencies, forcing cell phones to downgrade to 2G frequencies where they could easily be eavesdropped. Nowadays, 3G and 4G systems can be intercepted without any problems.

4G

4G is the fourth generation of broadband cellular technology, the successor to 3G and the forerunner of 5G. Potential and current applications include mobile web access, IP telephony, gaming services, high-definition mobile television, video conferencing and 3D television. Older mobile eavesdropping systems could not intercept 3G and 4G cellular communications directly, so they used high-power jammers (frequency interferers) on the 3G frequencies, forcing cell phones to downgrade to 2G frequencies where they could easily be eavesdropped. Nowadays, 3G and 4G systems can be intercepted without any problems.

5G

5G is the fifth generation technology standard for broadband cellular networks, which cell phone companies have been deploying worldwide since 2019. It is the planned successor to the 4G networks that connect most current cell phones.

GSM air interface

The GSM air interface works in the UHF frequency band.

GSM architecture

A GSM network consists of the mobile station, the base station system, the switching system and the operating and support system.

GSM base station system (BSS): the BSS provides the interface between the GSM mobile phone and the other parts of the GSM network.

GSM channels

GSM offers two types of channels: traffic channels and signaling channels.

GSM handover

Handover is the process by which the connection of a GSM mobile phone is transferred from one base station to another.

GSM interceptor

See IMEI / IMSI catcher.

GSM security

GSM offers a range of security services including authentication, key generation, encryption and limited privacy.

IMEI

The International Mobile Station Equipment Identity, or IMEI, is a usually unique number used to identify 3GPP (i.e. GSM, UMTS and LTE) and iDEN cell phones, as well as some satellite phones. The GSM network uses the IMEI to identify valid devices; it identifies only the device and has no permanent or semi-permanent relationship with the subscriber. It is also used by IMEI/IMSI catchers and GSM eavesdropping devices to identify your phone and intercept calls.

IMSI

The International Mobile Subscriber Identity is a unique identifier for every user of a cellular network. It is stored as a 64-bit field and sent from the phone to the network. It is also used to look up other details of the cell phone in the home location register (HLR) or in the local copy in the visitor location register (VLR). In order to prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly generated TMSI is sent instead.

IMSI catcher

An IMSI catcher is essentially a fake cell tower operating between the target cell phones and the real towers of the service provider. As such, it is viewed as a Man In the Middle (MITM) attack. It is used as a bugging device to intercept and track cell phones and is usually undetectable to cell phone users. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and for intercepting its calls.

The IMSI catcher masks itself as a base station and logs the IMSI numbers of all mobile stations in the region while they try to establish a connection to the IMSI catcher. This can force the mobile phone connected to it not to use call encryption (i.e. put it into A5 / 0 mode), which makes it easy for the call data to be intercepted and converted to audio.
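The BCCH manipulation, Cell identifier and IMSI catcher entries describe a pattern a phone can watch for: a cell that copies the MCC/MNC/LAC of the real network but appears with an unknown CID, an implausibly strong signal, and then drops ciphering to A5/0. The detector below is an added example, not XCell's code; the observation log, thresholds and PLMN values are constructed for illustration.

```python
"""Heuristic detector for the BCCH-manipulation pattern described above.

Added example (not the page's or XCell's code). It replays a constructed log
of cell observations (MCC, MNC, LAC, CID, ARFCN, RSSI, cipher) as a phone
might record them from its baseband, and flags the signs named in the
glossary. KNOWN_CELLS and STRONG_SIGNAL_DBM are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObs:
    mcc: str
    mnc: str
    lac: int
    cid: int
    arfcn: int
    rssi_dbm: int   # received signal strength; more negative is weaker
    cipher: str     # "A5/1", "A5/3" or "A5/0" (no encryption)


# Known-good cells for this location area, e.g. learned over prior days
# (constructed values; MCC 001 / MNC 01 is the test PLMN, not a real operator).
KNOWN_CELLS = {
    ("001", "01", 1234, 5001),
    ("001", "01", 1234, 5002),
    ("001", "01", 1234, 5003),
}
STRONG_SIGNAL_DBM = -55   # assumption: genuine macro cells rarely exceed this


def analyse(observations, known=KNOWN_CELLS):
    """Return a list of (index, reason) alerts for suspicious observations."""
    alerts = []
    known_lacs = {(m, n, l) for (m, n, l, _c) in known}
    seen = set(known)
    for i, o in enumerate(observations):
        key = (o.mcc, o.mnc, o.lac, o.cid)
        if key not in seen:
            seen.add(key)
            if (o.mcc, o.mnc, o.lac) in known_lacs:
                # Same PLMN and LAC as the genuine network, but a CID never
                # seen here before: the BCCH-manipulation signature.
                alerts.append((i, "unknown CID within known MCC/MNC/LAC"))
            if o.rssi_dbm > STRONG_SIGNAL_DBM:
                # The "virtual power effect": a brand-new cell that is
                # louder than anything the real network ever produced.
                alerts.append((i, "new cell with implausibly strong signal"))
        if o.cipher == "A5/0":
            # Ciphering switched off: the catcher wants plaintext traffic.
            alerts.append((i, "ciphering disabled (A5/0)"))
    return alerts


# Constructed observation log: two genuine cells, then a rogue cell that
# copies MCC/MNC/LAC, uses a new CID and ARFCN with a very strong signal,
# then a call on that cell with encryption switched off.
SAMPLE_LOG = [
    CellObs("001", "01", 1234, 5001, 62, -78, "A5/1"),
    CellObs("001", "01", 1234, 5002, 70, -85, "A5/1"),
    CellObs("001", "01", 1234, 9999, 90, -41, "A5/1"),
    CellObs("001", "01", 1234, 9999, 90, -40, "A5/0"),
]

if __name__ == "__main__":
    for idx, reason in analyse(SAMPLE_LOG):
        print(f"observation {idx}: {reason}")
```

A real baseband also reports neighbour-cell lists and the network's configured cipher, which would sharpen the heuristic; the point here is only which parameters to compare.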

LAC

Location Area Code: a unique number sent by a Base Transceiver Station in GSM. A "location area" is a group of base stations grouped together to optimize signaling. Usually dozens or even hundreds of base stations share a single Base Station Controller (BSC) in GSM, or a Radio Network Controller (RNC) in UMTS, which is the intelligence behind the base stations. The BSC takes care of the allocation of radio channels, receives measurements from the mobile phones and controls handovers from base station to base station.

MCC

Mobile country code used when addressing cellular networks.

MNC

A mobile radio network code (MNC) is used in combination with a mobile radio country code (MCC) (also referred to as "MCC / MNC tuple") to uniquely identify a mobile network operator who operates the public mobile networks GSM / LTE, CDMA, iDEN, TETRA and UMTS as well as some satellite mobile radio networks.

MSISDN

The MSISDN is a number that uniquely identifies a subscription in a GSM or UMTS cellular network. In simple terms, it is the phone number of the SIM card in a mobile phone. The abbreviation has several expansions, the most common being "Mobile Subscriber Integrated Services Digital Network Number". See also silent call.

SIM card

Chip card that gives GSM phones their user identity.

Silent call

In terms of GSM interception, a silent call is a call made by the GSM interceptor to a specific IMEI/IMSI in order to establish the correlation between IMEI/IMSI and MSISDN (Mobile Subscriber Integrated Services Digital Network Number, which is the telephone number of the SIM card in a cell phone). With the help of the silent call, a GSM interceptor can find out which telephone number is assigned to a specific IMEI/IMSI. Silent calls are the result of a process known as "pinging", which is very similar to pinging in the Internet Protocol (IP). A silent call cannot be recognised by the phone user. Not to be confused with the spy call, which means eavesdropping on the phone's surroundings.

Silent SMS

Many foreign police and intelligence services use secret "silent" SMS to locate suspects or missing persons. In this method, an SMS is sent to a suspect's cell phone, which silently sends a signal back to the sender of the message. The silent SMS, also known as flash SMS, uses an invisible return signal, the so-called "ping". The silent SMS enables the user to send a message to another cell phone without the owner of the recipient cell phone knowing about it. The message is rejected by the recipient's mobile phone and leaves no trace. In return, the sender receives a message from a mobile operator confirming that the silent SMS has been received. Silent SMS was originally intended to allow operators to determine if a cell phone was turned on and "test" the network without alerting users. But now intelligence and police have found other uses for the system.

Technical bit: in order to manipulate and mute the SMS, the security services go through a network for sending and receiving SMS known as an SMS gateway, e.g. the Jataayu SMS gateway. This lets them link their processing systems and the GSM network together. This method of bulk sending appears to be widely used by these security services. Silent SMS allow a cell phone to be located precisely using the GSM network. Law enforcement agencies can locate a user by identifying the three antennas closest to the cell phone and then triangulating the distance from the time a signal takes to get back. A mobile phone updates its presence on the network regularly, but when the person moves, the information is not updated immediately. By sending a silent SMS, the location of the cell phone is updated immediately. This is very useful as it allows law enforcement to locate a person at a specific point in time from the radio signals.

This technique is much more effective than simple cell phone location (Cell ID). It is the only instant, convenient way to keep a cell phone tracked when it is not in use. We then speak of geopositioning rather than geolocation. Either the police obtain the information via the operator, or private companies process the data and give the investigator, for example, a map on which the movements of the monitored telephone appear in real time.

Spy call

A spy call is a call placed by a GSM interceptor to a cell phone to eavesdrop on what's around the phone. This call cannot be recognized by the phone user.

TMSI

The Temporary Mobile Subscriber Identity (TMSI) is the identity that is most often sent between the mobile phone and the network. TMSI is randomly assigned by the VLR to every mobile phone in the area as soon as it is switched on. The number is local to a location area and must therefore be updated every time the mobile phone moves into a new geographic area.

The network can also change the TMSI of the cell phone at any time. This is usually done to prevent the subscriber from being identified and tracked by eavesdroppers on the radio interface. This makes it difficult to keep track of which cell phone is which, except briefly when the cell phone is turned on or when the data in the cell phone becomes invalid for one reason or another. At this point the global "International Mobile Subscriber Identity" (IMSI) must be sent to the network. The IMSI is sent as infrequently as possible to avoid being identified and tracked.

Triangulation

How does the location of cell phone users work and how accurate is it? There are two methods of locating cell phone users. Cell phones equipped with the Global Positioning System (GPS) use signals from satellites to pinpoint your location. The second, less accurate method, often called "Cell Tower Triangulation," refers to how the cell towers that receive the signal from a phone can be used to calculate geophysical location.

Some industry researchers estimate that only about 11% of phones manufactured this year will have GPS functionality, leaving the remaining 89% of phones without GPS to rely on Cell Tower Triangulation to reveal geolocation data for applications.

What exactly is cell tower triangulation?

In the best case, the signal from a cell phone is received by three or more cell towers, so that "triangulation" works. Geometrically, if one knows the distance of an object from three different points, one can calculate the approximate position of that object relative to the three reference points. This calculation applies to cell phones because we know the locations of the cell towers receiving the phone's signal, and we can estimate the phone's distance from each of these towers from the round-trip delay between the tower sending a ping to the phone and receiving the response ping back.

In many cases, there can even be more than three cell towers receiving a phone's signal, which allows for even greater accuracy (although the term "triangulation" is not really accurate if you are using more than three reference points). In densely built-up, urban areas, the accuracy of cell phone location is considered very high because there are typically more cell towers with overlapping signal coverage areas. In cases where a cellular user is within large structures or underground, triangulating cell towers may be the only method of determining their location, as a GPS signal may not be available.

In many cellular networks, the accuracy of the location can be even higher, because directional antennas are used on the tower and the direction of the cell phone signal can be identified. With the signal direction plus the phone's distance from the cell tower, accuracy can be pretty good, even with only two towers.

However, there are many places where fewer cell towers are available, e.g. on the outskirts of cities and in the countryside. If fewer than three cell towers are available, the location of a mobile device becomes much less accurate. In cities, where many more vertical structures obstruct cell phone transmission and reception, many more cell towers need to be spread out in order to provide good service. The countryside has relatively few cell towers, and a phone's signal may be picked up by only a single one at a much greater distance.

In areas where a phone is only picked up by a single tower, and if it is only equipped with omnidirectional antennas, the accuracy will be even lower. In rural areas, the range of the cell tower can vary from about a quarter of a mile to several miles, depending on how many obstacles could block the tower's signal.
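The round-trip-delay ranging and three-tower "triangulation" described above, worked through in code. This is an added example, not from the original page; the tower coordinates and phone position are constructed on a flat local grid in metres, and the timing-advance helper uses the GSM bit period to show why single-tower ranges are coarse.

```python
"""Cell-tower 'triangulation' (strictly, trilateration) from ping delays.

Added example, not from the original page. Each tower measures the
round-trip delay of its ping to the phone; half of that delay times the
speed of light is the tower-to-phone range. With three or more towers at
known positions the phone position is the least-squares solution of the
linearised range equations. Assumption: a flat local grid in metres.
"""
import math

C = 299_792_458.0                 # speed of light in m/s
GSM_BIT_PERIOD = 48 / 13 * 1e-6   # one GSM bit period in seconds (~3.69 us)


def distance_from_rtt(rtt_seconds):
    """Range from ping round-trip time: the signal goes out and comes back,
    so the one-way distance is half the round trip times c."""
    return C * rtt_seconds / 2.0


def distance_from_timing_advance(ta):
    """GSM reports the round trip as a timing advance in whole bit periods,
    so ranges are quantised in steps of roughly 553 m; this is why a fix
    from a single tower is so coarse."""
    return distance_from_rtt(ta * GSM_BIT_PERIOD)


def trilaterate(towers, ranges):
    """Least-squares position from >= 3 (x, y) towers and matching ranges.

    Subtracting the first range equation from the others cancels the
    quadratic terms and leaves a linear system A p = b, solved here via
    the 2x2 normal equations. Returns (x, y), or None if the towers are
    collinear (the geometry then cannot resolve the position).
    """
    if len(towers) < 3 or len(towers) != len(ranges):
        raise ValueError("need at least three towers, one range each")
    (x0, y0), r0 = towers[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(towers[1:], ranges[1:]):
        a1 = 2 * (xi - x0)
        a2 = 2 * (yi - y0)
        b = r0**2 - ri**2 + xi**2 - x0**2 + yi**2 - y0**2
        rows.append((a1, a2, b))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        return None
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def locate(towers, rtts):
    """Position from tower coordinates and per-tower ping round-trip times."""
    return trilaterate(towers, [distance_from_rtt(t) for t in rtts])


# Constructed scenario: three towers on a local metre grid and a phone at
# (1000, 1500); RTTS are the round-trip times each tower would measure.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]
TRUE_POSITION = (1000.0, 1500.0)
RTTS = [2 * math.dist(t, TRUE_POSITION) / C for t in TOWERS]

if __name__ == "__main__":
    print("estimate:", locate(TOWERS, RTTS))
    print("metres per timing-advance step:",
          round(distance_from_timing_advance(1), 1))
```

With real measurements the ranges carry timing-advance quantisation and multipath error, so the least-squares residual, not just the solution, tells you how much to trust the fix.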

How extensive is the state surveillance?

No civilian is allowed to know. Some governments in the EU, like the UK government, have laws and practices that allow the government to collect and use information in legal cases without disclosing their sources or methods. Chapter 8 of the Crown Prosecution Service Disclosure Manual states: "The ability of law enforcement agencies to combat crime through the use of covert human intelligence sources, covert operations, covert surveillance, etc." and "The protection of secret methods of detecting and combating crime".

According to estimates by whistleblower William Binney, former director of the US World Geopolitical and Military Analysis Reporting Group, the US NSA alone has compiled 20 trillion "transactions" (phone calls, e-mails and other types of data) from Americans alone (April 2012). Government agencies are not the only organizations interested in personal information stored on or transmitted through your mobile phone. Self-proclaimed cyber criminals are now jumping on the bandwagon to take advantage of capabilities previously enjoyed only by government and intelligence agencies.

The target phone is located by a GSM interceptor with target location functions.

The working method is based on two vehicles. The first vehicle carries the interception system and forces the target phone to keep transmitting. The second vehicle carries the interceptor together with the location components. The direction to the target is shown as a compass pointer and the relative signal strength is shown as a bar graph and numerically. The signal tone rises in frequency as the interceptor approaches the target and thus clearly warns of a close encounter.

A3

The authentication algorithm used in the GSM system. Currently the COMP128 algorithm is used in most GSM networks as an A3 / A8 implementation.

A5

The encryption algorithm used in the GSM system. There are different implementations named A5/1, A5/2, and so on. A5/1 is known as a strong algorithm for data protection over the air. A5/x (A5/2, ...) are weaker implementations aimed at foreign markets outside Europe. There is also an A5/0 algorithm that contains no encryption at all.

A8

The key generation algorithm used in the GSM system. Currently the COMP128 algorithm is used in most GSM networks as an A3 / A8 implementation.

AuC

Authentication centre. The AuC register exists for security reasons. It contains the parameters required for the authentication and encryption functions (RAND, SRES and Kc). RAND is a randomly generated challenge. The other two parameters are derived from RAND and the subscriber's Ki using the A3 and A8 algorithms. They serve to verify the identity of the user (SRES) and to provide the session key (Kc).

BSC

Base station controller. The BSC acts as a common node between several BTSs, which together form a BSS and the backbone network.

BSS

Base station subsystem. The BSS connects the mobile station and the NSS. It is responsible for sending and receiving. The BSS can be divided into two parts:

  • The base transceiver station (BTS) or base station

  • The base station controller (BSC)

COMP128

A one-way function currently used in most GSM networks for A3 and A8. Unfortunately, the COMP128 algorithm is flawed: when queried it leaks information about its inputs. This is an undesirable and unacceptable side effect for a one-way function.

GPRS

General Packet Radio Service. GPRS is used to realize high speed data transmission between the MS and another subscriber. GPRS uses multiple BTSs in the same BSS. The MS sends different packets to different BTSs, which are reconstructed in the SGSN. This allows the MS to use a higher transmission speed than a transmission channel can handle.

HLR

Home Location Register. The HLR is part of the AuC. The HLR provides triples to the MSC consisting of a random challenge, an SRES, and a Kc derived from a particular subscriber's Ki and that random challenge. The HLR is also responsible for ensuring that the MS's location is known at all times.

ISAAC

Internet security, applications, authentication and cryptography. A small research group in the Computer Science Division at the University of California, Berkeley. http://www.isaac.cs.berkeley.edu/

Kc

The session secret key used to encrypt over-the-air traffic between the BTS and the MS. The Kc is generated after each authentication initiated by the MSC. The Kc is calculated from the Ki and from the random challenge sent by the MSC using the A8 algorithm. Both the MS and the HLR calculate the Kc independently of one another. The Kc is never transmitted through the air.

Ki

Ki is the secret key that is shared between the SIM and the HLR of the subscriber's home network.

LSB

Least Significant Bit.

LFSR

Linear Feedback Shift Register. A register that generates an output bit based on its previous state and a feedback polynomial.

MS

Mobile Station, the cell phone.

MSC

Mobile Services Switching Center, the central component of the NSS. The MSC performs the network switching functions. It also connects to other networks.

NSS

Network and switching subsystem, whose main role is to manage communication between mobile users and other users, such as other mobile users, ISDN users, landline users, etc. It also contains the databases needed to store information about the subscribers and users in order to manage their mobility.

SDA

The Smartcard Developers Association is a non-profit organisation that tries to provide developers with non-proprietary information about smart cards. http://www.scard.org/

SGSN

Serving GPRS Support Node. An SGSN delivers packets to MSs in its service area via several BTSs. An SGSN also communicates with an HLR to authenticate MSs to enable encrypted communication. In GPRS, the SGSN authenticates the MS instead of the MSC.

SRES

Signed RESponse. This is the response that the MS sends back to a request from the MSC during the MS authentication and thus authenticates itself to the MSC (or SGSN in the case of GPRS).

SS7

The signalling system 7 is used as a signalling protocol in most intelligent networks. SS7 is defined by ITU-T.

Symmetric cryptography

In symmetric cryptography, the same key is used for both encryption and decryption.

VLR

Visitor Location Register. The VLR stores triples generated by the HLR when the subscriber is not in their home network. The VLR then makes these triples available to the MSCs as required.
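The A3, A8, AuC, Kc, Ki, SRES, HLR and VLR entries above together describe one procedure: the AuC issues a (RAND, SRES, Kc) triple, the VLR/MSC sends only RAND over the air, the SIM answers with SRES, and both ends derive Kc without it ever being transmitted. The exchange below is an added example, not the page's or any operator's code: COMP128 is not reproduced, so A3 and A8 are stood in for by HMAC-SHA256 truncated to GSM field sizes (an assumption chosen to keep the flow exact while the primitive is not), and the Ki value is constructed.

```python
"""GSM challenge-response authentication and Kc derivation, as an exchange
between AuC/HLR, VLR/MSC and the MS with its SIM.

Added example, not the page's or any operator's code. A3 and A8 are
stand-ins (HMAC-SHA256 truncated to 32-bit SRES and 64-bit Kc), not COMP128.
"""
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3: 32-bit signed response (SRES) from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8: 64-bit session key (Kc) from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Authentication centre: holds every subscriber's Ki, issues triples."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki   # personalisation: Ki assigned to the SIM

    def triple(self, imsi: str, rand: bytes = None):
        rand = rand or secrets.token_bytes(16)   # 128-bit random challenge
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)  # (RAND, SRES, Kc)


class Sim:
    """SIM: Ki never leaves it; it only answers RAND with SRES and Kc."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


class Vlr:
    """VLR/MSC in the visited network: fetches triples, checks SRES."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self._triples = {}

    def authenticate(self, sim: Sim):
        rand, sres_expected, kc = self._auc.triple(sim.imsi)  # from HLR/AuC
        self._triples[sim.imsi] = (rand, sres_expected, kc)
        # Over the air only RAND goes down and only SRES comes back.
        sres, kc_ms = sim.run_gsm_algorithm(rand)
        if not hmac.compare_digest(sres, sres_expected):
            return None                      # authentication failed
        if kc_ms != kc:                      # cannot happen with the same Ki
            raise RuntimeError("Kc mismatch")
        return kc                            # both ends now hold Kc


# Constructed subscriber: test IMSI under the test PLMN 001/01.
IMSI = "001010123456789"
KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed Ki

if __name__ == "__main__":
    auc = AuC()
    auc.provision(IMSI, KI)
    print("Kc:", Vlr(auc).authenticate(Sim(IMSI, KI)).hex())
```

The exchange shows why the page's "passive interceptor can recover Kc" claim matters: everything on air except Ki is observable, so the strength of A8 and of the cipher keyed by Kc is all that protects the call.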