This page describes a more efficient approach to guessing the known plaintext needed for known-plaintext attacks on GSM networks.
Parts of it are implemented in tkgenstat.pl, tkconvert and tknapalmex of gsmtk.
Stage 1: we have just started sniffing a new network and have no data so far.
Sniff ~100 communications.
Split them into SDCCH and SACCH (the two behave very differently).
Decode all plaintext frames and sort them by relative occurrence
Guess the most frequently used frames. You can have several guesses per burst; the output would look like
Plaintext: 0xABCDEF Confidence: 0.172
Plaintext: 0x123456 Confidence: 0.139
etc.
Stage 2: we have some cracked communications from a given BTS.
Decode all frames and sort them by relative occurrence.
Decode all communications and create tuples (communication length; position; plaintext). Sort them by relative occurrence.
On insecure networks you will get something like "if the communication was 4 frames long, the third frame is ALWAYS XYZ". With this you can guess plaintext very efficiently, with a success rate peaking at 100 %.
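The Stage 1 and Stage 2 statistics above, as an added Python example (not gsmtk's own code): it ranks plaintext frames per channel type, builds the (length; position) slot table, and lists the slots whose plaintext never varied, which is exactly the number an operator wants to see drop after enabling randomised fill bits. The channel names, frame hex strings and communications are constructed sample data, not real captures.

```python
from collections import Counter, defaultdict

# Constructed sample (not real captures): each entry is one cracked communication,
# given as (channel type, decoded plaintext frames in transmission order).
SAMPLE = [
    ("SDCCH", ["0x0103012b", "0x030311", "0x0103012b", "0x0b0f55"]),
    ("SDCCH", ["0x0103012b", "0x030322", "0x0103012b", "0x0b0f66"]),
    ("SDCCH", ["0x0103012b", "0x030333", "0x0103012b", "0x0b0f55"]),
    ("SDCCH", ["0x0103012b", "0x030344", "0x0103012b"]),
    ("SACCH", ["0x0d1e49", "0x0d1e49", "0x0d1e49"]),
    ("SACCH", ["0x0d1e4a", "0x0d1e49"]),
]

def ranked(counter):
    """Turn a Counter into [(frame, count, confidence)] sorted by occurrence."""
    total = sum(counter.values())
    return [(frame, n, n / total) for frame, n in counter.most_common()]

def frame_stats(comms):
    """Stage 1: relative occurrence of every plaintext frame, kept separate
    per channel type because SDCCH and SACCH traffic differs so much."""
    per_channel = defaultdict(Counter)
    for channel, frames in comms:
        per_channel[channel].update(frames)
    return {ch: ranked(c) for ch, c in per_channel.items()}

def tuple_stats(comms):
    """Stage 2: (channel, communication length, position) -> ranked plaintexts."""
    slots = defaultdict(Counter)
    for channel, frames in comms:
        for pos, frame in enumerate(frames):
            slots[(channel, len(frames), pos)][frame] += 1
    return {key: ranked(c) for key, c in slots.items()}

def guesses(stats, key, top=3):
    """Top candidate plaintexts for one slot, as (frame, confidence)."""
    return [(frame, conf) for frame, _n, conf in stats.get(key, [])[:top]]

def deterministic_slots(stats, min_samples=2):
    """Slots whose plaintext was identical in every observed communication:
    the 'if it is 4 frames long, the third frame is ALWAYS XYZ' cases.
    For an operator this set should be empty."""
    return {key for key, r in stats.items()
            if len(r) == 1 and r[0][1] >= min_samples}

if __name__ == "__main__":
    stats = tuple_stats(SAMPLE)
    for key in sorted(deterministic_slots(stats)):
        print(key, "->", guesses(stats, key, top=1))
```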
Stage 3: we have some cracked communication from this network, but we have moved to a different BTS.
Optimization: System information messages
Optimization: Timing advance and signal strength.
Notice that the SI5 message contains two bytes that depend on the physical location of the target phone. Usually this information leaks in the plaintext preamble or in other communications with the same TMSI. Use this leaked information to improve guessing. If that does not work, try incrementing and decrementing each of these two values by one (yielding four more candidate frames).
Optimization: targeting listening