The GSM/UMTS Phone Number Catcher

For the individual privacy protection, the GSM system transmits the IMSI or TMSI number over the air instead of the phone number which will leak the identity of the users. The MSC, HLR/VLR will translate the IMSI/TMSI to the phone number in the core network. This paper proposed an idea about catching the GSM/UMTS Phone Number over the air by man-in-the-middle attack. The GSM/UMTS phone number catcher proposed in this paper was implemented on a pseudo base station with a mobile terminal which can transmit any frames we wanted. While the legal terminals are trying to access, the phone number catcher will relay all its frame to the operator's network and try to break the shared authentication key Ki. Then the system will get the phone number by pretending the legal terminal to call a designated phone. We will analyze the GSM protocol which is relevant to the phone number catcher and later present the performance of such a system by real tests and demonstrate its feasibility.