Real-Time Passive Capturing of the GSM Radio

Islam Alyafawi, University of Bern, Bern, Switzerland, Email: alyafawi@iam.unibe.ch
Desislava C. Dimitrova, University of Bern, Bern, Switzerland, Email: dimitrova@iam.unibe.ch
Torsten Braun, University of Bern, Bern, Switzerland, Email: braun@iam.unibe.ch

Abstract—This paper addresses the problem of service development based on GSM handset signaling. The aim is to achieve this goal without the participation of the users, which requires the use of a passive GSM receiver on the uplink. Since no tool for GSM uplink capturing was available, we developed a new method that can synchronize to multiple mobile devices by simply overhearing traffic between them and the network. Our work includes the implementation of modules for signal recovery, message reconstruction and parsing. The method has been validated against a benchmark solution on GSM downlink and independently evaluated on uplink channels. Initial evaluations show up to 99% success rate in message decoding, which is a very promising result. Moreover, we conducted measurements that reveal insights on the impact of signal power on the capturing performance and investigate possible reactive measures.

I. INTRODUCTION

In recent years, wireless devices have become more powerful and pervasive. In addition, an increasing number of services, such as location-based services (LBSs), are being developed for these devices. Services run on top of supporting systems. A system is described as active when the service deployment is provisioned at the mobile terminal [8], [9] or at the network side [10], [11]. In both cases, cooperation is required either from the end user or the network operator. A passive system, on the contrary, does not require participation of the communicating parties but relies on overhearing radio signals and their subsequent processing.

Current wireless devices often support more than one radio technology, e.g., WiFi, Bluetooth and the Global System for Mobile Communications (GSM). The wide availability of GSM networks encourages research on the use of GSM as a common radio technology for service development. In addition, GSM signals appear more stable over time in comparison to WiFi or Bluetooth signals [12], which is a crucial factor in the quality of the service. In this paper we also opted for the use of GSM.

The design of a passive-based localization service has several challenges that are related to the nature of the wireless medium and the GSM standards. First, how can we capture GSM radio signals, convert them to messages and parse the message content? Second, can we identify the signal source in order to provide the correct service? Facing these challenges requires an uplink receiver that captures, processes and analyzes GSM radio signals generated by the mobile devices.

This paper offers a receiver of GSM uplink signals. The developed GSM receiver overcomes the challenges of (i) synchronization with the end users in time and frequency, (ii) signal power recovery and (iii) message parsing. Besides identifying mobile devices, the receiver facilitates feedback on the Received Signal Strength (RSS) as an important measure in many passive applications, such as localization. To our knowledge, until now, there is no passive tool that can offer comprehensive capturing and interpretation of GSM uplink signals. Although OpenBTS [5] implements the GSM radio interface for uplink, it relies on communication with the users. Our system presents the first effort of a GSM receiver development that can be used for the purpose of passive location services. A series of experiments were conducted in real GSM networks for performance evaluation of the uplink receiver. The receiver shows reliable signal recovery performance with a success rate of up to 99%.

Such a system remains invisible to the target devices and is hence attractive for third parties that wish to avoid dependency on network operators to provide their services. We are aware that privacy questions may arise and that detailed investigations on data anonymization will be interesting. In our current solution, as a first step, we work with objective identifiers, which we (as non-operator) cannot relate to an identity.

In the following, Section II summarizes the challenges of signal capturing for GSM-based services, while Section III introduces existing tools. Section IV presents the developed passive uplink receiver, which is evaluated in Section V. Section VI concludes the work.

II. PASSIVE RECEIVER REQUIREMENTS

A passive receiver relies on the concept of signal overhearing, in which the communication between two radio devices is overheard by a third device for the purpose of a specific application. The system operation is illustrated in Figure 1. A mobile station (MS) communicates with a base station (BS) and the traffic is overheard by a number of passive nodes, termed anchor nodes (ANs). ANs do not have any information about the MS location or transmission time and frequency. Ideally, BSs cover geographical areas with hexagonal shapes. MSs located within a BS's coverage area communicate only with that BS. A passive receiver system has to deal with several challenges before becoming a commonly adopted solution.