TelcomIQ

2G GSM

Global System for Mobile Communications: the digital cellular standard

Type: generation

Generations: 2G

Threat level: critical

Overview

GSM (Global System for Mobile Communications) was first deployed commercially in Finland in 1991 and became the first digital cellular standard to reach global scale. At its peak it served billions of subscribers in more than two hundred countries, replacing the mutually incompatible analogue first-generation systems and establishing the SIM card and seamless international roaming as defining properties of the mobile experience. Its technical choices shaped every subsequent generation of mobile architecture: TDMA radio, MAP signalling over SS7 in the core, and a SIM-resident shared secret (Ki) for authentication.

The advances over analogue 1G were substantive. Digital encoding using full-rate (13 kbps RPE-LTP) and later enhanced full-rate speech codecs reduced the capacity cost of each voice call while improving resilience to interference. The SIM card externalised subscriber identity from the handset, enabling card swapping and making subscriber management a function of the operator's core network rather than the device. The TDMA air interface allowed eight subscribers to share a single 200 kHz radio channel by time-multiplexing their transmissions, enabling efficient frequency re-use across a cellular grid. Roaming across operators and countries became possible through the SS7-connected Home Location Register: a subscriber's home HLR is reachable from any network via MAP, allowing any visited network to authenticate a roaming subscriber and bill the home operator accordingly.

The GSM security model was designed for an era of monopoly operators and assumed a physically secured backbone. Authentication relies on a shared secret Ki stored on the SIM and in the operator's Authentication Centre (AuC), but only the subscriber authenticates to the network, never the reverse. The MSC/VLR sends a random challenge (RAND) to the mobile station (GSM's own term for what later generations call the UE; this page uses UE throughout); the SIM computes a signed response (SRES) from Ki and RAND with the A3 algorithm, and the MSC compares it against the value the AuC pre-computed. The network can, however, send a RAND to any UE, or skip authentication altogether, and issue a Cipher Mode Command without the UE having any way to verify that it is talking to a legitimate base station. This one-way authentication is the root of the IMSI catcher attack and was not corrected until 3G UMTS introduced mutual authentication (UMTS AKA).

The A5/1 stream cipher that protects GSM radio traffic was reverse-engineered from handset implementations and published in 1999; in 2009 Karsten Nohl's A5/1 cracking project made the break practical by releasing precomputed tables of roughly two terabytes. A5/2, the export-weakened variant deployed in certain markets, was broken within a day of its 1999 publication and, by 2003, in real time from ciphertext alone. The standard also permits A5/0, no encryption at all. Despite being a 1990s design with known-broken cryptography and no network authentication, GSM cells still operate across much of the world as a fallback for rural coverage, disaster recovery and IoT devices, although a growing number of operators have switched 2G off. Wherever a 3G, 4G or 5G network keeps a 2G fallback path, every time a subscriber is forced or induced onto it the full set of 2G vulnerabilities is re-exposed, regardless of the security properties of the overlay network.


How it works

GSM radio access. The air interface (Um) uses Time Division Multiple Access (TDMA) on 200 kHz channels, dividing each channel into eight timeslots. Voice and data are carried in 26-frame multiframes for traffic channels and 51-frame multiframes for control channels. GSM operates in four principal frequency bands: 850, 900, 1800, and 1900 MHz. Full-rate speech encoding uses the RPE-LTP codec at 13 kbps; the enhanced full-rate (EFR) codec improved quality within the same rate. Each Base Transceiver Station (BTS) manages one or more cells; the Base Station Controller (BSC) aggregates multiple BTSs and handles radio resource management and intra-BSC handover decisions.

Authentication procedure (A3/A8). When a subscriber registers, or at call or SMS setup, the MSC/VLR may initiate authentication (the standard leaves the decision to the network). If it holds no unused triplets it requests a batch from the HLR/AuC with MAP Send Authentication Info over the D interface. Each triplet consists of a random challenge (RAND), the expected signed response (SRES), and a ciphering key (Kc), all computed by the AuC from the subscriber's Ki using the A3 and A8 algorithms. The MSC sends RAND to the UE in an Authentication Request. The SIM applies A3 to Ki and RAND to produce SRES, which it returns to the MSC. The MSC compares the received SRES against the expected value from the triplet; equality confirms the subscriber's identity. The SIM also applies A8 to Ki and RAND to derive Kc, the same Kc the AuC computed, but at no point does the UE receive any proof that the requesting MSC is legitimate.

Ciphering (A5). Following successful authentication, the MSC sends a Cipher Mode Command naming the algorithm to use: A5/1 (the original standard cipher), A5/3 (KASUMI-based, added later), A5/2 (export-weakened variant, now prohibited) or A5/0 (no ciphering). The network chooses from the algorithms the UE advertised in its classmark, which is sent unprotected. UE and BTS then run the A5 stream cipher independently, keyed with the 64-bit Kc and the 22-bit COUNT derived from the TDMA frame number, producing 114 bits of keystream per burst in each direction that is XORed with the burst payload. A5/1 is built from three linear feedback shift registers with majority-rule clocking; given a short stretch of keystream (ciphertext XORed with predictable plaintext), precomputed tables recover the internal state and hence Kc, after which the entire session, and any later session that reuses the same Kc, can be decrypted on commodity hardware.
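
The exchange described in the two paragraphs above, played out between a SIM-equipped handset, a legitimate MSC backed by an AuC, and a rogue base station, as an added example that is not from the original page or from any 3GPP or vendor code. A3/A8 are operator-chosen algorithms (COMP128 in practice); here an HMAC-SHA256 stand-in produces the same 32-bit SRES and 64-bit Kc shapes, and every class, function and parameter name is an assumption made for the illustration. The point it demonstrates is the one-way property: the handset answers any RAND and obeys any Cipher Mode Command, so the rogue needs no Ki at all.

```python
"""GSM A3/A8 challenge-response and Cipher Mode Command negotiation (simulation).

Added example, not from the page. STAND-IN: HMAC-SHA256 replaces the operator's
real A3/A8 (usually COMP128); only the protocol shape is faithful.
"""
import hashlib
import hmac
import os
from typing import Optional

CIPHER_PREFERENCE = ("A5/4", "A5/3", "A5/1")  # strongest first; "A5/0" means no ciphering


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """STAND-IN for A3 and A8: derive SRES (32 bits) and Kc (64 bits) from Ki and RAND.
    Real COMP128-1 additionally zeroes 10 bits of Kc, leaving 54 effective key bits."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Authentication Centre: holds Ki per IMSI and hands out (RAND, SRES, Kc) triplets."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = dict(subscribers)

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class MobileStation:
    """Handset plus SIM. Answers any RAND it is given; it cannot tell who asked."""

    CLASSMARK = frozenset({"A5/1", "A5/3"})  # ciphers advertised to the network, unprotected

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
        self.kc: Optional[bytes] = None
        self.cipher: Optional[str] = None

    def on_identity_request(self) -> str:
        return self.imsi  # plaintext IMSI; nothing lets the MS refuse a plausible request

    def on_authentication_request(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)  # SIM computes both; Kc never leaves the MS
        return sres

    def on_cipher_mode_command(self, algorithm: str) -> bool:
        if algorithm != "A5/0" and algorithm not in self.CLASSMARK:
            return False  # MS cannot run it: Cipher Mode Reject
        self.cipher = algorithm
        return True  # Cipher Mode Complete


def select_cipher(network_allowed: set[str], ms_classmark: frozenset[str]) -> Optional[str]:
    """Network side of the Cipher Mode Command: strongest permitted cipher the MS claims.
    Returns None when nothing acceptable is shared; the MSC should then release the call."""
    for alg in CIPHER_PREFERENCE:
        if alg in network_allowed and alg in ms_classmark:
            return alg
    return "A5/0" if "A5/0" in network_allowed else None


class LegitimateMSC:
    def __init__(self, auc: AuC, allowed_ciphers: set[str]):
        self.auc, self.allowed = auc, set(allowed_ciphers)

    def attach(self, ms: MobileStation) -> tuple[bool, Optional[str]]:
        rand, expected_sres, kc = self.auc.triplet(ms.imsi)
        if not hmac.compare_digest(ms.on_authentication_request(rand), expected_sres):
            return False, None  # subscriber failed; this is the only direction ever checked
        alg = select_cipher(self.allowed, ms.CLASSMARK)
        if alg is None or not ms.on_cipher_mode_command(alg):
            return False, None
        if ms.kc != kc:
            raise RuntimeError("Kc mismatch: both sides must derive it from the same Ki and RAND")
        return True, alg


class RogueBTS:
    """Knows no Ki. The MS still answers, and still obeys the Cipher Mode Command."""

    def __init__(self):
        self.harvested: list[tuple[str, bytes, bytes]] = []

    def attach(self, ms: MobileStation) -> tuple[bool, Optional[str]]:
        imsi = ms.on_identity_request()
        rand = os.urandom(16)
        sres = ms.on_authentication_request(rand)  # cannot be verified without Ki; not needed
        self.harvested.append((imsi, rand, sres))
        ok = ms.on_cipher_mode_command("A5/0")  # force no ciphering; A5/0 is always runnable
        return ok, ms.cipher
```

Running `LegitimateMSC(auc, {"A5/3", "A5/1", "A5/0"}).attach(ms)` yields `(True, "A5/3")`; the same handset against `RogueBTS().attach(ms)` yields `(True, "A5/0")` with the IMSI harvested. An MSC configured with `{"A5/3"}` only, facing a handset whose classmark lacks A5/3, returns `(False, None)` rather than falling back to A5/0, which is the configuration outcome the mitigations section asks for.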

GPRS (2.5G packet data). The General Packet Radio Service added a packet-switched overlay to the GSM circuit-switched infrastructure. The SGSN (Serving GPRS Support Node) attaches to the existing BSC via the Gb interface and handles packet scheduling, ciphering (the GEA family: GEA1 and GEA2 originally, GEA3 as the KASUMI-based successor), and mobility management for GPRS-capable devices. The GGSN (Gateway GPRS Support Node) connects the GPRS network to external packet data networks via the Gi interface and performs PDP (Packet Data Protocol) context management. A GPRS attach triggers a location update to the HLR via MAP on the Gr interface. The theoretical maximum throughput is usually quoted as 114 kbps (up to about 171 kbps with coding scheme CS-4 on all eight timeslots); in practice, effective throughput is substantially lower due to shared channel contention and radio conditions.

VLR caching. The Visitor Location Register is collocated with the MSC and holds a local copy of the subscriber profile for each registered subscriber in the MSC's coverage area. When a subscriber registers in a new MSC area, the MSC queries the HLR via the D interface (MAP Update Location); the HLR sends the subscriber's profile to the new VLR and cancels the registration at the previous VLR via Cancel Location. For the duration of registration, the MSC serves calls and authentication procedures using the VLR's local copy, without querying the HLR on each transaction. This caching model is efficient but also the mechanism through which a spoofed Cancel Location can knock a subscriber off-network instantly.


Architecture role

Base Station Subsystem (BSS). The BSS comprises the BTS and BSC. Each BTS manages the radio transceivers for one cell and handles the physical and data link layers of the Um interface. The BSC sits above one or more BTSs, manages radio resource allocation, controls handover decisions within its BTS pool, and multiplexes traffic to the MSC via the A interface. The Abis interface between BTS and BSC carries traffic using LAPD framing. In large deployments, a single BSC may manage hundreds of BTSs.

Network Switching Subsystem (NSS). The NSS is the GSM core. The MSC is the circuit-switched switching centre responsible for call routing, mobility management, and connection to the PSTN via ISUP. The VLR, collocated with the MSC, is the subscriber profile cache for visiting subscribers. The HLR is the master subscriber database, holding the subscriber's profile, current location (serving VLR address), and service entitlements. The AuC, logically associated with the HLR, stores the subscriber's K and generates authentication triplets. The EIR (Equipment Identity Register) maintains IMEI blacklists and is consulted by the MSC to reject stolen devices.

Interconnect to PSTN and other PLMNs. The MSC connects to the PSTN and to other operators' MSCs via ISUP, the circuit-switched call signalling protocol that runs over SS7. ISUP carries the call setup and teardown messages needed to complete voice calls between networks. All subscriber management functions (HLR queries, VLR updates, SMS routing via the SMSC) use MAP, also over SS7. The entire NSS is therefore an SS7 network: any node that can reach the SS7 network can interact with any HLR, VLR, or MSC on it.

Role in combined multi-generation networks. In networks that operate 2G alongside 3G, the same MSC, HLR, and SS7 core typically serve both GSM and UMTS subscribers. In 4G deployments, the MME connects to the MSC via the SGs interface for Circuit-Switched Fallback (CSFB): when a 4G subscriber makes or receives a voice call on a network without VoLTE, the MME signals the MSC over SGs and the eNodeB releases the UE with a redirect (or performs a handover) to 2G or 3G for the duration of the call. This path directly re-exposes the 2G attack surface to 4G subscribers for every CSFB voice call that lands on GSM.


Key interfaces

Interface | Between          | Protocol            | Purpose
----------|------------------|---------------------|------------------------------------------
Um        | UE ↔ BTS         | GSM RF/TDMA         | Air interface; voice and data bearer
Abis      | BTS ↔ BSC        | LAPD                | BTS control, traffic multiplexing
A         | BSC ↔ MSC        | BSSAP/SS7           | Radio resource and mobility management
B         | MSC ↔ VLR        | MAP                 | Subscriber data queries to local VLR
C         | GMSC ↔ HLR       | MAP                 | Routing info for incoming calls
D         | HLR ↔ VLR        | MAP                 | Location registration, authentication
E         | MSC ↔ MSC        | MAP/ISUP            | Inter-MSC handover and call routing
Gb        | BSC ↔ SGSN       | BSSGP/NS (FR or IP) | GPRS user traffic and signalling
Gr        | SGSN ↔ HLR       | MAP                 | GPRS location update and authentication
Gi        | GGSN ↔ Internet  | IP                  | GPRS packet data network connectivity

Security posture

GSM has three inherent security flaws that cannot be patched without architectural replacement. The first is one-way authentication. The network authenticates the subscriber by verifying SRES, but the subscriber has no mechanism to authenticate the network. Any device that transmits with sufficient signal strength and presents a plausible RAND challenge, or that simply skips authentication, which the standard permits the network to do, can impersonate a GSM base station to any UE within range. The UE will complete the authentication exchange and accept the Cipher Mode Command from the rogue station, because from the UE's perspective there is nothing to distinguish a legitimate MSC from an attacker. This is not a configuration weakness or an implementation flaw; it is the specified behaviour of the A3/A8 authentication procedure as defined in the standard.

The second flaw is the broken state of A5 encryption. A5/1, the primary cipher, was reverse-engineered and published in 1999 and made practically breakable in 2009 by Karsten Nohl's A5/1 cracking project. Precomputed tables of approximately two terabytes allow recovery of the session key Kc from a short stretch of known keystream within minutes. A5/2, the export-weakened variant, was broken earlier with less computation and is now prohibited by the standard, though legacy equipment may still negotiate it. A5/0, no ciphering, remains a valid negotiation outcome if the network selects it. Even where A5/3 (KASUMI) is deployed on 2G cells, an attacker controlling a rogue base station can simply omit A5/3 from the Cipher Mode Command and force A5/1 or A5/0, because the UE's classmark and the command itself are neither authenticated nor integrity-protected, so the UE cannot resist.

The third flaw is the SS7 out-of-band attack path. The GSM HLR is reachable via MAP over SS7 from any interconnected network, and MAP carries no message-level authentication. An attacker with SS7 access can interact with the HLR directly, bypassing all radio-layer security, without any involvement by the subscriber. The combination of all three flaws makes 2G the lowest-security generation in active deployment, yet the one most widely retained as fallback infrastructure across 3G, 4G, and 5G networks.


Attack surface

IMSI catcher via false base station

An attacker operates a device, commercially available as a dedicated platform or built from software-defined radio hardware, that presents itself as a GSM BTS broadcasting the target operator's PLMN identity with higher signal power than the legitimate cells nearby. UEs in range reselect to the strongest suitable cell, which is the rogue station; because the rogue cell advertises a Location Area Code the UE is not registered in, the UE starts a Location Update and hands the attacker the attach procedure. Before assigning a Temporary Mobile Subscriber Identity (TMSI), the attacker sends an Identity Request with Identity Type set to IMSI. The UE has no way to authenticate the requesting network, so it answers with its IMSI in plaintext. Many IMSI catchers then relay the attach to the real network and operate as a transparent man-in-the-middle, so the subscriber notices nothing. Many deployments additionally jam the 3G and LTE bands to push every nearby UE onto 2G, including devices that would otherwise have camped on a more secure generation.

Impact: Permanent subscriber identifier harvested; voice, SMS and data exchanged during the session are visible to the attacker; the subscriber is placed within the rogue cell's coverage in real time (timing advance resolves the distance from the antenna in roughly 550 m steps, and directional antennas or several units narrow it further).
Difficulty: Low. Commercial IMSI catcher hardware (marketed as "Stingray" and equivalent platforms) is available; open-source SDR implementations exist. No carrier access is required.

A5/1 over-the-air decryption

An attacker passively records GSM bursts with a GSM-capable software-defined radio. Because parts of the plaintext are predictable (padding, fixed fields in signalling messages such as System Information, and the filler sent in otherwise empty frames), XORing the recorded ciphertext with that known plaintext yields raw keystream, which is looked up in precomputed tables for A5/1 to recover the cipher's internal state and hence the session key Kc. With Kc the entire recorded session decrypts, and because Kc is kept on the SIM and reused until the network next authenticates, later calls under the same key fall as well. For sessions using A5/0 no decryption step is needed: all traffic is in the clear. For A5/2, recovery is faster and needs less storage than for A5/1. An attacker who also controls a rogue base station can force A5/0 or A5/2 via the Cipher Mode Command and dispense even with the degraded protection of A5/1.

Impact: Full decryption of over-the-air voice and data traffic, including SMS content transmitted over the radio interface.
Difficulty: Low for A5/0 and A5/2 (no meaningful computation required). Medium for A5/1, requiring approximately two terabytes of precomputed storage and minutes of processing per session on commodity hardware.
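
The cipher behind both the ciphering paragraph under "How it works" and the passive attack just described, as an added example rather than code from the page or from any 3GPP or Osmocom source: a from-scratch A5/1 in Python following the register, tap and majority-clocking definitions of the 1999 public description, checked against that description's published test vector (Kc 0x1223456789ABCDEF, COUNT 0x134). The last function is the step the passive attack starts from: XOR of ciphertext with the predictable plaintext of a known burst yields raw keystream, which is what the precomputed tables are indexed by (the tables themselves are not reproduced). Function and class names are assumptions.

```python
"""A5/1 keystream generator, plus the known-plaintext keystream recovery step.

Added example, not from the page. Register layout and test vector are those of the
1999 public description of A5/1 (three LFSRs, majority clocking)."""

R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19, 22 and 23 bit registers
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # output (high) bits


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the XOR (parity) of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, count: int):
        """kc: 64-bit session key; count: the 22-bit COUNT derived from the TDMA frame number."""
        if len(kc) != 8 or not 0 <= count < (1 << 22):
            raise ValueError("Kc must be 8 bytes and COUNT a 22-bit value")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):            # key loading, LSB first within each byte, no majority rule
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):            # frame-count loading, LSB first
            self._clock_all()
            self._xor_in((count >> i) & 1)
        for _ in range(100):           # 100 warm-up clocks with majority rule, output discarded
            self._clock()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Irregular clocking: a register advances only if its clock bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int = 114) -> bytes:
        """Next nbits of keystream packed MSB-first; one GSM burst carries 114 payload bits."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            bit = _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)


def burst_keystreams(kc: bytes, count: int) -> tuple[bytes, bytes]:
    """(downlink, uplink) keystream for one TDMA frame: 114 bits each, generated back to back."""
    gen = A51(kc, count)
    return gen.keystream(114), gen.keystream(114)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_burst(kc: bytes, count: int, payload: bytes, uplink: bool = False) -> bytes:
    """Encrypt (or decrypt; XOR is symmetric) one 114-bit burst payload packed into 15 bytes."""
    downlink, up = burst_keystreams(kc, count)
    return xor_bytes(payload, up if uplink else downlink)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Passive attacker's first step: keystream = ciphertext XOR predictable plaintext.
    About 64 bits of keystream is enough for the precomputed tables to return the state and Kc."""
    return xor_bytes(ciphertext, known_plaintext)
```

With the published test key and COUNT, `burst_keystreams` returns downlink keystream `534EAA582FE8151AB6E1855A728C00` and uplink `24FD35A35D5FB6526D32F906DF1AC0`; the same Kc with COUNT 0x135 gives an unrelated stream, which is why COUNT is an input at all. Note that the cipher offers no integrity: flipping a ciphertext bit flips the same plaintext bit.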

SS7/MAP attacks via HLR

The GSM HLR is reachable by any node with SS7 access via MAP. The attack surface is identical to that described in the SS7 attacks topic: Send Routing Info for SM (SRI-for-SM) returns the subscriber's IMSI and serving MSC address, and Provide Subscriber Info (PSI) to that MSC returns the cell, so repeated queries give continuous cell-level tracking; a spoofed Update Location that registers the subscriber on an attacker-controlled "VLR" makes the home HLR answer later SRI-for-SM queries with the attacker's address, so inbound SMS, including one-time passwords and 2FA codes, are delivered to the attacker; Cancel Location causes the VLR to deregister the subscriber, producing an immediate denial of service; and Any Time Interrogation (ATI) retrieves location, subscriber state and IMEI from the HLR without any authentication of the requesting node. None of these attacks require radio access or proximity to the subscriber; they are conducted entirely via the SS7 interconnect, from anywhere with access to the signalling network.

Impact: Subscriber location tracking to cell level; interception of SMS including 2FA codes; targeted denial of service; IMSI and IMEI disclosure.
Difficulty: Low. Requires SS7 interconnect access, which is obtainable commercially via certain operators in permissive regulatory jurisdictions.

Forced 3G/4G to 2G downgrade

A subscriber operating on a 3G or 4G network is protected by mutual authentication (UMTS AKA in 3G, EPS-AKA in 4G) and stronger cryptographic primitives. An attacker can eliminate these protections by forcing the subscriber's device onto 2G. This is accomplished by selectively jamming the 3G and LTE bands in the target area with RF interference equipment, or by operating a rogue 3G or LTE cell that rejects the UE (an attach or tracking-area-update reject with a cause that bars the cell or the radio access technology) or releases its connection with a redirect to a GSM carrier, so that the UE walks down its generation preference list until it camps on GSM. Once on 2G, all of the above attacks (IMSI catcher, over-the-air decryption, and SS7/MAP attacks) apply to subscribers who were operating under significantly stronger security guarantees moments before.

Impact: Full 2G attack surface re-exposed to the entire 3G/4G subscriber population in the affected area. Particularly effective for targeted surveillance of individuals presumed to be on secured LTE networks, or for mass interception of SMS 2FA codes during high-value events.
Difficulty: Medium. Requires RF equipment capable of jamming target bands; the equipment is available commercially and the technique is well-documented. Detection requires monitoring for anomalous 2G attach rate concentrations inconsistent with normal coverage patterns.


Mitigations

The primary defence at the core is a signalling firewall deployed at every SS7 interconnect boundary, specifically at the point where the operator's SS7 network connects to the IPX or GRX for roaming and international interconnect. The firewall must implement the full GSMA FS.11 category framework. Category 1 operations, which have no legitimate reason to arrive from another network (Any Time Interrogation, Send IMSI and Send Routing Info among them), must be dropped unconditionally. Category 2 operations, which are legitimate only about inbound roamers and only from their home network (Cancel Location, Insert Subscriber Data, Provide Subscriber Info), must be checked against the subscriber's actual registration. Category 3 operations, which partner networks legitimately send about the operator's own roaming subscribers (Update Location, Send Authentication Info, SRI-for-SM), need plausibility checks, for example a velocity check that rejects a location update from a network the subscriber could not have reached since the previous one. Calling Global Title validation against IR.21 data for the originating network is essential throughout: GT spoofing is a core enabler of most MAP-based attacks.
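
The filtering logic the paragraph above describes, as an added example (not the page's own, and not a GSMA or vendor implementation): a minimal interconnect-side MAP filter that validates the calling Global Title against an IR.21-style partner table, applies the Category 1/2/3 distinction, and runs a velocity check on Update Location. It exercises the spoofed Cancel Location from the VLR caching paragraph and the SS7/MAP attacks listed under attack surface. The operation codes are the real TS 29.002 values; the category assignment follows the FS.11 scheme but is abbreviated to a handful of operations, and the partner table, subscriber state, threshold and sample messages are constructed for the illustration.

```python
"""Interconnect MAP filter in the GSMA FS.11 style (simulation, added example).

Operation codes are the real TS 29.002 values. Category assignment is abbreviated
from FS.11; the partner table, subscriber state and traffic are constructed."""
from dataclasses import dataclass

UPDATE_LOCATION, CANCEL_LOCATION, PROVIDE_ROAMING_NUMBER, INSERT_SUBSCRIBER_DATA = 2, 3, 4, 7
SEND_ROUTING_INFO, SEND_ROUTING_INFO_FOR_SM, SEND_AUTH_INFO = 22, 45, 56
SEND_IMSI, PROVIDE_SUBSCRIBER_INFO, ANY_TIME_INTERROGATION = 58, 70, 71

CAT1 = {SEND_ROUTING_INFO, SEND_IMSI, ANY_TIME_INTERROGATION}      # never legitimate from interconnect
CAT2 = {CANCEL_LOCATION, INSERT_SUBSCRIBER_DATA,                   # only about inbound roamers,
        PROVIDE_SUBSCRIBER_INFO, PROVIDE_ROAMING_NUMBER}           # only from their home network
CAT3 = {UPDATE_LOCATION, SEND_AUTH_INFO, SEND_ROUTING_INFO_FOR_SM}  # legitimate, plausibility-checked

HOME_PLMN = "00101"                      # this operator's MCC+MNC (test range, constructed)
PARTNER_GT = {"33612": "20801", "4477": "23430", "1310": "310410"}  # IR.21-style: GT prefix -> PLMN
SUBSCRIBERS = {                          # IMSI -> (serving PLMN, hour of last Update Location)
    "001010000000001": ("00101", 0.0),   # home subscriber, at home
    "001010000000002": ("20801", 9.0),   # home subscriber, roaming in 20801 since 09:00
    "234300000000099": ("00101", 7.0),   # inbound roamer from 23430, registered in our VLR
}
MIN_HOURS_BETWEEN_PLMNS = 2.0            # velocity rule (assumption; tune per operator)


@dataclass
class MapMessage:
    opcode: int
    calling_gt: str   # SCCP calling-party Global Title
    imsi: str
    hour: float       # arrival time, hours since midnight (constructed clock)


def origin_plmn(gt: str):
    """Network that owns the calling GT according to the partner table, or None."""
    return next((plmn for prefix, plmn in PARTNER_GT.items() if gt.startswith(prefix)), None)


def filter_message(msg: MapMessage, state=SUBSCRIBERS) -> tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason) for one MAP operation arriving from interconnect."""
    origin = origin_plmn(msg.calling_gt)
    if origin is None:
        return "BLOCK", "calling GT not in IR.21 partner table"
    home_plmn = msg.imsi[:5]          # assumption: 3-digit MCC + 2-digit MNC
    serving, last_ul = state.get(msg.imsi, (None, None))
    if msg.opcode in CAT1:
        return "BLOCK", "category 1: intra-network operation received from interconnect"
    if msg.opcode in CAT2:
        if home_plmn == HOME_PLMN:
            return "BLOCK", "category 2: only our own HLR may send this about a home subscriber"
        if serving != HOME_PLMN or home_plmn != origin:
            return "BLOCK", "category 2: subscriber is not an inbound roamer from the originating network"
        return "ALLOW", "category 2: inbound roamer, originator is the home HLR"
    if msg.opcode in CAT3:
        if msg.opcode == UPDATE_LOCATION and home_plmn == HOME_PLMN and serving not in (None, origin):
            if msg.hour - last_ul < MIN_HOURS_BETWEEN_PLMNS:
                return "BLOCK", f"category 3: implausible velocity, was in {serving} {msg.hour - last_ul:.1f}h ago"
        if msg.opcode == SEND_ROUTING_INFO_FOR_SM and home_plmn == HOME_PLMN:
            return "ALLOW", "category 3: answered via SMS home routing, real IMSI and MSC not disclosed"
        return "ALLOW", "category 3: plausible"
    return "BLOCK", "operation not expected at interconnect"
```

Against the constructed state, an ATI or a Cancel Location for a home subscriber from any partner GT is blocked, a Cancel Location for the inbound roamer from its home network's GT is allowed, and an Update Location for the subscriber roaming in 20801 is blocked when it arrives from 310410 an hour later but allowed five hours later. A real deployment keys the velocity check on geography rather than PLMN identity and maintains the partner table from the IR.21 feed rather than a literal.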

SMS home routing is the specific countermeasure for SRI-for-SM based interception. The home network answers every SRI-for-SM from outside with the address of its own home-routing node and a correlation identifier in place of the real IMSI and serving MSC; the foreign SMSC then delivers to the home network, which forwards the message to the genuine serving node. An attacker who queries SRI-for-SM therefore learns nothing useful about the subscriber. Home routing on its own does not defeat an attacker who has already registered the subscriber on a fake VLR with a spoofed Update Location, since the home network would forward to that VLR; that case is caught by the Category 3 plausibility checks. SMS home routing should be the default delivery path for all subscribers, with no fallback to direct delivery to the visited network.

Cipher algorithm enforcement requires configuration at the MSC and BSC level. A5/3 (KASUMI) must be the minimum cipher negotiated on all 2G cells; A5/0 (no encryption) and A5/2 (export cipher, fully broken) must be disabled and not offered in the Cipher Mode Command. A5/3 provides significantly stronger over-the-air protection than A5/1, though it does not address the one-way authentication problem and remains vulnerable to a rogue base station that omits it from the cipher mode negotiation. A5/4 (the 128-bit KASUMI variant) should be preferred where UE support is confirmed.

2G fallback controls are the most architecturally significant mitigation. On spectrum configurations that permit it, operators should disable 2G fallback entirely for 3G and 4G subscribers, eliminating the downgrade attack surface. Where 2G fallback must be retained for coverage completeness, the CSFB path from 4G should be audited so that it cannot silently drop a subscriber into an A5/0 or A5/1 session without logging. On the operator side the footprint of a rogue cell is indirect but visible: handsets returning from it perform Location Updates citing a LAI the operator does not own and present TMSIs the VLR never allocated, which forces the real MSC to issue Identity Requests for IMSI. Clusters of such events at particular cells, sessions negotiated down to A5/0, and sudden concentrations of GERAN attaches inconsistent with normal coverage are the signals to alert on. On the device side, Android 12 and later let the user disable 2G per SIM, and recent iOS versions do the same in Lockdown Mode; advising high-risk subscribers to use these removes the downgrade surface for them regardless of network configuration.
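
Operator-side detection of the patterns described under the IMSI catcher and forced-downgrade attacks and in the monitoring paragraph above, as an added example that is not the page's own and not a vendor tool. It runs over constructed MSC-side event lines (the line format, field names, thresholds, baselines and the lines themselves are all assumptions) and raises one alert per signal per cell: Location Updates citing a previous LAC the operator does not own, an unusual share of Identity Requests for IMSI relative to Location Updates, sessions ciphered with A5/0, and a surge of GERAN attaches against the cell's baseline.

```python
"""Rogue-cell and downgrade indicators from MSC-side event logs (added example).

Log format, field names, thresholds, baselines and the sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed events: ev=LU (Location Update with the LAC the handset claims it came from),
# IDREQ (Identity Request the real MSC had to send), CIPHER (algorithm it selected).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z cell=4711 ev=LU rat=UTRAN prev_lac=0x0101
2024-05-01T10:00:02Z cell=4711 ev=LU rat=UTRAN prev_lac=0x0102
2024-05-01T10:00:03Z cell=4711 ev=LU rat=UTRAN prev_lac=0x0101
2024-05-01T10:00:04Z cell=4711 ev=LU rat=UTRAN prev_lac=0x0101
2024-05-01T10:00:05Z cell=4711 ev=LU rat=UTRAN prev_lac=0x0102
2024-05-01T10:00:06Z cell=4711 ev=IDREQ type=IMSI
2024-05-01T10:00:07Z cell=4711 ev=CIPHER alg=A5/3
2024-05-01T10:01:01Z cell=4712 ev=LU rat=GERAN prev_lac=0xFFFE
2024-05-01T10:01:02Z cell=4712 ev=IDREQ type=IMSI
2024-05-01T10:01:03Z cell=4712 ev=LU rat=GERAN prev_lac=0xFFFE
2024-05-01T10:01:04Z cell=4712 ev=IDREQ type=IMSI
2024-05-01T10:01:05Z cell=4712 ev=LU rat=GERAN prev_lac=0xFFFE
2024-05-01T10:01:06Z cell=4712 ev=IDREQ type=IMSI
2024-05-01T10:01:07Z cell=4712 ev=LU rat=GERAN prev_lac=0xFFFE
2024-05-01T10:01:08Z cell=4712 ev=CIPHER alg=A5/0
2024-05-01T10:02:01Z cell=4713 ev=LU rat=GERAN prev_lac=0x0101
2024-05-01T10:02:02Z cell=4713 ev=LU rat=GERAN prev_lac=0x0101
2024-05-01T10:02:03Z cell=4713 ev=LU rat=GERAN prev_lac=0x0102
2024-05-01T10:02:04Z cell=4713 ev=LU rat=GERAN prev_lac=0x0101
2024-05-01T10:02:05Z cell=4713 ev=LU rat=GERAN prev_lac=0x0101
2024-05-01T10:02:06Z cell=4713 ev=LU rat=GERAN prev_lac=0x0102
2024-05-01T10:02:07Z cell=4713 ev=LU rat=GERAN prev_lac=0x0101
"""

OWN_LACS = frozenset({"0x0101", "0x0102"})           # LACs this operator actually runs (constructed)
BASELINE_GERAN_LU = {"4711": 5, "4712": 3, "4713": 2}  # expected GERAN LUs per cell per window (constructed)
TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = dict(TOKEN.findall(rest))
    fields["ts"] = ts
    return fields


def analyse(lines, own_lacs, baseline_geran_lu, *, idreq_ratio_max=0.2, surge_factor=3.0):
    """Aggregate per cell and return (signal, cell, value) alerts, sorted by cell."""
    per_cell = defaultdict(Counter)
    for raw in lines:
        if not raw.strip():
            continue
        f = parse_line(raw)
        c = per_cell[f["cell"]]
        if f["ev"] == "LU":
            c["lu"] += 1
            if f.get("prev_lac") and f["prev_lac"] not in own_lacs:
                c["foreign_prev_lac"] += 1       # handset came back from a LAI we do not own
            if f.get("rat") == "GERAN":
                c["geran_lu"] += 1
        elif f["ev"] == "IDREQ" and f.get("type") == "IMSI":
            c["idreq_imsi"] += 1                 # VLR did not know the TMSI and had to ask
        elif f["ev"] == "CIPHER" and f.get("alg") == "A5/0":
            c["a5_0"] += 1
    alerts = []
    for cell, c in sorted(per_cell.items()):
        if c["foreign_prev_lac"]:
            alerts.append(("rogue_lai_origin", cell, c["foreign_prev_lac"]))
        if c["lu"] and c["idreq_imsi"] / c["lu"] > idreq_ratio_max:
            alerts.append(("imsi_identity_request_rate", cell, round(c["idreq_imsi"] / c["lu"], 2)))
        if c["a5_0"]:
            alerts.append(("unciphered_session", cell, c["a5_0"]))
        base = baseline_geran_lu.get(cell, 0)
        if base and c["geran_lu"] > surge_factor * base:
            alerts.append(("geran_attach_surge", cell, c["geran_lu"]))
    return alerts


def run_sample():
    return analyse(SAMPLE_LOG.splitlines(), OWN_LACS, BASELINE_GERAN_LU)
```

On the sample, cell 4711 is quiet (one IMSI request in five updates is at the threshold, not over it), cell 4712 trips the rogue-origin, identity-request and A5/0 signals together, which is the combination a catcher relaying into the real network produces, and cell 4713 shows only the GERAN surge that a jamming-driven downgrade leaves behind. Thresholds and baselines need to be derived per cell from historical data rather than fixed as here.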


Spec references

  • 3GPP TS 43.002: the normative architecture specification for the GSM/EDGE Radio Access Network (GERAN). Section 4 defines the overall network reference model, identifying each functional entity (BTS, BSC, MSC, HLR, VLR, AuC, EIR, SGSN, GGSN) and the reference points between them. Section 5 provides the interface descriptions. This is the primary reference for understanding how the BSS and NSS are structured and how their components relate.

  • 3GPP TS 43.020: the normative specification for security-related network functions in GSM. Section 3 defines the security architecture and the roles of the A3, A8, and A5 algorithms. Section 4 specifies the authentication and ciphering procedures, including the triplet generation model, the Cipher Mode Command negotiation, and the IMEI check procedure. This is the reference for understanding the one-way authentication design and the A5 algorithm selection mechanism.

  • GSMA FS.11: the GSMA's SS7 and SIGTRAN security guidelines. Section 3 defines the threat categories for MAP messages and the conditions under which each category is dangerous at interconnect boundaries. Annex A maps specific MAP operations, including SRI, SRI-for-SM, Cancel Location, and ATI, to their risk category and recommended handling. FS.11 is the operational reference for configuring the SS7 signalling firewall that is the primary defence for the 2G HLR.


GSM's direct successor is 3G UMTS, which introduced mutual authentication (UMTS AKA), integrity protection of signalling and 128-bit KASUMI-based ciphering, but kept circuit-switched voice, the SS7-based core and the HLR structure inherited from GSM. Understanding UMTS requires understanding the GSM NSS it evolved from.

The signalling backbone of the GSM core, SS7, is covered as a standalone topic. All MAP-based operations between MSC, HLR, VLR, SGSN, and SMSC run over SS7, and the attack surface of the GSM core is substantially the attack surface of the SS7 network it operates on.

For the attack taxonomy, SS7 attacks covers the MAP-based location tracking, SMS interception, Cancel Location, and ATI procedures in full detail. The primary operational defence, the SS7 signalling firewall, is covered in Signalling firewall, including configuration guidance for GSMA FS.11 category blocking.

For the roaming dimension, Roaming architecture covers the inter-PLMN connectivity model that makes GSM's HLR reachable from any connected network, and GRX covers the IP transit infrastructure over which SS7 and SIGTRAN roaming traffic flows.

GSMA FS.11 is the security standard most directly applicable to 2G core infrastructure: its category framework for MAP message filtering is the normative basis for signalling firewall deployment at GSM and UMTS interconnect boundaries.