Can a GSM network operator access device firmware version? - gsm

Can a GSM network operator access the device firmware version?
As far as I know they can read the IMSI and IMEI, or the extended IMEI, namely the IMEI-SV, which encodes some sort of version numbering (but is not used by all manufacturers).
Can a telecommunications provider derive the firmware version of the modem by any other means, or somehow query the devices?
Could AT commands be used? Can they be executed at scale to query a whole network with millions of devices (if this would give the firmware version number)?

Firstly, it's worth saying that most of the discussion below is related to mobile networks in general, rather than just a 'GSM' network.
Most operators have networks that share and mix technology from '2G', '3G', '4G' etc. networks, and even these terms are not strict definitions (see here for some more background on the different generation networks and common naming: https://stackoverflow.com/a/25592213/334402 )
3GPP, the standards body behind most mobile networks, has discussed device management and there exist at least some drafts which cover details like firmware and OS version etc - for example:
3GPP TR 32.802 - User Equipment Management (UEM) Feasibility Study https://www.3gpp.org/ftp/tsg_sa/TSG_SA/TSGS_14/Docs/PDF/SP-010652.pdf
The Open Mobile Alliance has also developed a specification for device management and this likely has more traction. You can see that the firmware version is included in the data covered in their specifications:
OMA Device Management Standardized Objects - https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_StdObj-V1_2-20070209-A.pdf
The term firmware is also a little ambiguous - if what you want is a feel for the OS version of the mobile phones, iPads etc. connecting to the network, you may be able to work at a higher level and look at the headers in HTTP requests from the devices, specifically at the User-Agent string. For example, a request from a browser on an iPhone might include:
Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
(see more examples here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent)
For modems in particular, it is also worth mentioning the TR-069 specification for managing CPE (Customer Premises Equipment). This spec comes from the broadband world and is driven by ISPs' and broadband operators' need to manage the wireless (and wired) modems in their customers' homes and premises. It is also built into some GSM modems, so it is worth being aware of too - the spec is here:
https://www.broadband-forum.org/download/TR-069_Amendment-6.pdf
Note, links above are correct at time of writing - if broken just search for the spec numbers.

I'm not aware of any protocol-level standard forcing a cellular device (not only a GSM one) to report its FW version. In fact it has no role in network registration, unlike, for example, the IMEI and IMSI (which are used to guarantee the subscriber's and device's identities).
Anyway, several operators control the FW (and SW) versions of devices through protocols defined by the Open Mobile Alliance (OMA):
The OMA-DM protocol, which allows the network operator to retrieve (and set!) several settings: not only FW versions (used in order to deploy FW updates) but also SMS mode settings, the APN and so on.
For example, the specification document OMA-TS-DM_StdObj-V1_2-20070209-A describes the DevDetail management object:
DevDetail
|__ DevType
|__ OEM
|__ FwV
|__ SwV
|__ HwV
|__ [...]
Each piece of information is read, set or executed by providing a command and its URI, such as
GET /DevDetail/FwV
The LwM2M protocol (Lightweight Machine to Machine), a more recent standard suitable for low-throughput networks (for example LTE Cat-M, specific to IoT devices).
In this lightweight protocol, data is exchanged through CoAP over UDP (or its secure counterpart CoAPs, based on DTLS). Each item is reachable at a URI made up of (up to) four UINT16 values:
<Obj ID>[/<Obj Instance>[/<Resource ID>[/<ResourceInstance>]]]
For example, the LwM2M 1.1 specification describes the Device Object (Obj ID 3):
/3/0/3 : FW version
/3/0/18 : HW version
/3/0/19 : SW version

Related

Integrate IP cameras to a standalone PC as a security system

I want to integrate quite a few IP surveillance cameras into a dedicated PC (one that is unused at our office). I have looked at purchasing an NVR, but I want to add about 16 overall and not many NVRs are capable of handling this number of cameras.
Has anyone tried to set up a monitoring unit on a PC with IP cameras? Did you use any specific software? How many HDDs did you use?
Thanks for any replies
To build an effective IP security system you will need the following:
1. Broadband Internet connection:
A stable Internet connection is essential.
2. One or more IP camera(s):
According to the specification of the camera you have mentioned, the IP camera you want to use is ONVIF-compliant.
(Quoting from onvif.org, ONVIF, that is Open Network Video Interface Forum, is an IP-based security standard: it is an open industry forum for the development of a global standard for the interface of IP-based physical security products. The ONVIF specification defines a common protocol for the exchange of information between network video devices including automatic device discovery, video streaming and intelligence metadata.)
The ONVIF standard ensures that there are interoperable products on the market, no matter what happens to individual companies. It increases flexibility and gives greater freedom of choice when extending an existing or creating a new surveillance system. Integrating new equipment into the system takes only a little time.
3. PC:
In order to use your IP cameras with your PC you need to connect both of them to the same network. The best way to get the most out of your cameras is to install a camera viewer application or an IP camera device manager on your PC. By using such a device manager (or a simple camera viewer application) you can display the image of your cameras on your dedicated PC - even the images of multiple cameras simultaneously. You can find many device managers on the market that can be used to connect a certain number of cameras into one security system (this capacity depends on the product).
After connecting the cameras to your system, due to the ONVIF specification, you can control your surveillance system with the help of such useful functionalities as automated device discovery, video analytics, web-broadcasting, motion detection, PTZ control, etc.
NVRs vs. video recorder software
If you cannot find any NVR on the market that is able to handle as many IP cameras as you want to use, a video recorder application can solve your problem. If you are not averse to C# development, you can take a look at this CodeProject article (How to Create a Video Recording Application (NVR/DVR software) for an ONVIF IP Camera using C#.NET), which demonstrates step by step how to implement a video recorder application that can be used on your PC and that is able to record and save camera video without using any dedicated device. This way you can avoid using any NVR or DVR.
I hope I helped you to get started!

fingerprinting traffic from smartphone mobile hotspot

Is it possible to detect whether certain TCP or UDP traffic is generated and processed directly by an Android mobile phone itself, or is being tethered to a different machine?
With HTTP, detection is relatively simple -- just look at the User-Agent string in the requests, and there is a certain likelihood to see some sort of a revealing pattern.
What about the discreet protocols, like https, ssh, IPsec, OpenVPN etc? Is it possible to detect the originator OS based on the TCP/UDP headers or content?
How would one masquerade the traffic to avoid detection through the passive fingerprinting of the encrypted protocols?
For example, if the mobile phone is running Android 2.2, and is tethered to OS X or OpenBSD, which TCP/UDP and https/ssh/IPsec/OpenVPN parameters would reveal the non-Android OS?
You can do analysis based on TTL, TCP ISN etc. http://www.cse.sc.edu/~wyxu/papers/wisec66-schulz.pdf contains a detailed analysis.
You appear to be looking for TCP/IP stack fingerprinting software.
p0f, which stands for "passive Operating System fingerprinting", observes packets at the TCP level and makes assumptions about the OS based on the network stack implementation. p0f does this passively, meaning that it does not need to interact with the client.
The p0f site has an example with which you can check your own fingerprint. Note that many mobile web providers run through proxies, which tends to mean that the proxy is what is fingerprinted rather than the client.
See also the EFF's Panopticlick project, which shows that pretty much every web browser is uniquely fingerprintable, even when blocking cookies. Please do not abuse fingerprinting to invade users' privacy.
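An added worked example of what the two answers above point at (it is not code from p0f, from the cited paper or from the thread): it parses a raw IPv4+TCP SYN into the fields p0f keys on (initial TTL estimate, DF bit, window, MSS, window scale and option layout) and applies the TTL hop check that carriers use to spot tethering, since a packet forwarded through the phone's NAT arrives one hop older than one the phone sent itself. The SYN packets, addresses, ports and sequence number are constructed for the example, not captured traffic.

```python
"""Passive TCP/IP fingerprint of an IPv4 SYN in the spirit of p0f, plus the TTL hop check used to
spot hosts tethered behind a phone. Added example; not code from p0f or from the thread."""
import struct

INITIAL_TTLS = (32, 64, 128, 255)            # initial TTLs that real stacks use
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def build_ipv4_tcp_syn(ttl, window, mss=1460, wscale=6, sack_ok=True, df=True):
    """Constructed sample packet (not a capture): IPv4 header + TCP SYN with common options."""
    opts = struct.pack("!BBH", 2, 4, mss)                        # MSS
    opts += b"\x01" + struct.pack("!BBB", 3, 3, wscale)           # NOP, window scale
    if sack_ok:
        opts += b"\x01\x01\x04\x02"                               # NOP, NOP, SACK permitted
    opts += b"\x00" * (-len(opts) % 4)                            # pad header to 32-bit words
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 0x12345678, 0,
                      (data_off << 12) | 0x02, window, 0, 0) + opts   # flags: SYN only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,                 # checksum left 0, unused here
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    return ip + tcp


def parse_tcp_options(raw):
    """Return the option layout in wire order and the values of MSS and window scale."""
    layout, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                          # end of option list
            layout.append("eol")
            break
        if kind == 1:                          # NOP padding is part of the fingerprint too
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        layout.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 2 and len(data) == 2:
            values["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            values["ws"] = data[0]
        i += length
    return layout, values


def fingerprint_syn(pkt):
    """Extract the header fields a passive fingerprinter keys on from a raw IPv4+TCP SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!H", pkt[6:8])[0], pkt[8], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x12 != 0x02:               # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    layout, values = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    # Stacks start at 32/64/128/255; the smallest of those >= the observed TTL is the likely
    # initial value, and the difference is how many routers forwarded the packet.
    ittl = next(t for t in INITIAL_TTLS if t >= ttl)
    df = bool(flags_frag & 0x4000)
    return {
        "ttl": ttl, "initial_ttl": ittl, "hops": ittl - ttl, "df": df, "window": window,
        "mss": values.get("mss"), "wscale": values.get("ws"),
        "signature": f"{ittl}:{'df' if df else '-'}:{values.get('mss', 0)}:"
                     f"{window},{values.get('ws', 0)}:{','.join(layout)}",
    }


def looks_tethered(fp, hops_from_phone=0):
    """At the carrier's first hop a packet the phone sent itself still carries its initial TTL;
    a packet from a host behind the phone's NAT was forwarded once, so it arrives one hop older."""
    return fp["hops"] > hops_from_phone


if __name__ == "__main__":
    for label, ttl in (("phone itself", 64), ("host behind tethering NAT", 63)):
        fp = fingerprint_syn(build_ipv4_tcp_syn(ttl=ttl, window=65535))
        print(f"{label}: {fp['signature']} hops={fp['hops']} tethered={looks_tethered(fp)}")
```

Two practical notes: the TTL check is why the usual way to disguise a tethered host is to raise its initial TTL by one (so it arrives at the carrier looking like the phone's own 64), and the option layout and window fields are the part p0f actually matches against its signature database, which this example deliberately does not reproduce; the hop count alone is weak evidence, as the p0f site's remark about carrier proxies shows.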

What is 'proprietary ZigBee'?

I recently purchased an assortment of sensors from a company and have been having little success in getting them to communicate with my software. I sent a note to the manufacturer asking about compatibility and was told that the devices use 'proprietary ZigBee'.
What does this mean? Do they use a different command set? Is the information encrypted somehow?
If they are "ZigBee certified" or have a ZigBee logo on the packaging, then they have to implement the standard ZigBee protocols, including ZCL (ZigBee Cluster Library) and ZDO/ZDP (ZigBee Device Object/Profile) on endpoint 0.
Their product could include Manufacturer-Specific clusters with undocumented commands.
If they're using ZCL, then standard ZDO discovery should still work and allow you to enumerate all endpoints and their clusters that don't have the manufacturer-specific bit set. If you know the 16-bit manufacturer ID they're using, you can discover those attributes as well, and display their values (you won't know what they are though).
You should consider reading the ZCL specification at zigbee.org, as it may help you to understand how ZigBee devices communicate with each other. It also explains the manufacturer-specific extensions to the standard.
If you are a developer or are just curious to see the ZigBee traffic among the devices and sensors you have, you might want to try sniffing the traffic.
We use the Perytons sniffer. They support many off-the-shelf dongles you can use as front-ends and provide a 30 days free evaluation of their application.
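The point in the answer above about the manufacturer-specific bit, as an added worked example (not code from the thread or from any ZigBee stack): it builds ZCL Read Attributes frames with and without the manufacturer-specific frame-control bit, parses the responses, and runs them against a pretend device whose attribute table only exposes its private attribute when the request carries the right manufacturer code. The manufacturer code 0x1234, the model string and the attribute values are made up for the example; 0x0000 (ZCLVersion) and 0x0005 (ModelIdentifier) are the standard Basic cluster attribute IDs.

```python
"""ZigBee Cluster Library framing: Read Attributes with and without the manufacturer-specific
bit, and parsing of the responses. Added example; not code from the thread or any ZigBee stack."""
import struct

FRAME_TYPE_GLOBAL, FRAME_TYPE_CLUSTER = 0x00, 0x01   # frame control bits 0-1
FC_MANUFACTURER_SPECIFIC = 0x04                      # bit 2: a 2-byte manufacturer code follows
FC_DIRECTION_SERVER_TO_CLIENT = 0x08                 # bit 3
FC_DISABLE_DEFAULT_RESPONSE = 0x10                   # bit 4
CMD_READ_ATTRIBUTES, CMD_READ_ATTRIBUTES_RSP = 0x00, 0x01
STATUS_SUCCESS, STATUS_UNSUPPORTED_ATTRIBUTE = 0x00, 0x86
MANUFACTURER_CLUSTER_MIN = 0xFC00                    # cluster IDs from here up are manufacturer-specific
CHAR_STRING = 0x42
_FIXED_TYPES = {0x10: "<B", 0x18: "<B", 0x20: "<B", 0x21: "<H", 0x23: "<I", 0x28: "<b", 0x29: "<h"}

SAMPLE_MFG_CODE = 0x1234   # hypothetical; not a real manufacturer code allocation
# Constructed attribute table of a pretend device's Basic cluster, keyed by (manufacturer code, attr id).
SAMPLE_ATTRS = {
    (None, 0x0000): (0x20, 3),                     # ZCLVersion, uint8
    (None, 0x0005): (CHAR_STRING, "SENSOR-X1"),    # ModelIdentifier, character string
    (SAMPLE_MFG_CODE, 0x0000): (0x21, 4210),       # vendor-private attribute, visible only with the code
}


def is_manufacturer_cluster(cluster_id):
    """Cluster IDs 0xFC00-0xFFFF are reserved for manufacturer-specific clusters."""
    return cluster_id >= MANUFACTURER_CLUSTER_MIN


def build_zcl_header(frame_type, seq, command, manufacturer_code=None, to_server=True, no_default_rsp=False):
    fc = frame_type & 0x03
    if manufacturer_code is not None:
        fc |= FC_MANUFACTURER_SPECIFIC
    if not to_server:
        fc |= FC_DIRECTION_SERVER_TO_CLIENT
    if no_default_rsp:
        fc |= FC_DISABLE_DEFAULT_RESPONSE
    hdr = bytes([fc])
    if manufacturer_code is not None:
        hdr += struct.pack("<H", manufacturer_code)   # ZCL is little-endian throughout
    return hdr + bytes([seq & 0xFF, command & 0xFF])


def parse_zcl_frame(frame):
    if len(frame) < 3:
        raise ValueError("frame too short for a ZCL header")
    fc, i, mfg = frame[0], 1, None
    if fc & FC_MANUFACTURER_SPECIFIC:
        if len(frame) < 5:
            raise ValueError("manufacturer-specific frame too short")
        mfg, i = struct.unpack("<H", frame[1:3])[0], 3
    return {"frame_type": fc & 0x03, "manufacturer_code": mfg,
            "to_server": not fc & FC_DIRECTION_SERVER_TO_CLIENT,
            "seq": frame[i], "command": frame[i + 1], "payload": frame[i + 2:]}


def build_read_attributes(seq, attribute_ids, manufacturer_code=None):
    hdr = build_zcl_header(FRAME_TYPE_GLOBAL, seq, CMD_READ_ATTRIBUTES, manufacturer_code)
    return hdr + b"".join(struct.pack("<H", a) for a in attribute_ids)


def _encode_value(dtype, value):
    if dtype == CHAR_STRING:
        raw = value.encode()
        return bytes([dtype, len(raw)]) + raw          # length-prefixed string
    return bytes([dtype]) + struct.pack(_FIXED_TYPES[dtype], value)


def parse_read_attributes_response(payload):
    """Return (attribute id, status, value) records; value is None unless status is SUCCESS."""
    records, i = [], 0
    while i < len(payload):
        attr_id, status = struct.unpack_from("<HB", payload, i)
        i += 3
        if status != STATUS_SUCCESS:
            records.append((attr_id, status, None))
            continue
        dtype = payload[i]
        i += 1
        if dtype == CHAR_STRING:
            n = payload[i]
            value, i = payload[i + 1:i + 1 + n].decode(), i + 1 + n
        elif dtype in _FIXED_TYPES:
            value = struct.unpack_from(_FIXED_TYPES[dtype], payload, i)[0]
            i += struct.calcsize(_FIXED_TYPES[dtype])
        else:
            raise ValueError(f"unsupported ZCL data type 0x{dtype:02x}")
        records.append((attr_id, status, value))
    return records


def simulated_device_respond(frame):
    """Pretend device: answer a Read Attributes, looking attributes up under the request's manufacturer code."""
    req = parse_zcl_frame(frame)
    if req["frame_type"] != FRAME_TYPE_GLOBAL or req["command"] != CMD_READ_ATTRIBUTES:
        raise ValueError("only Read Attributes is simulated")
    body = b""
    for (attr_id,) in struct.iter_unpack("<H", req["payload"]):
        entry = SAMPLE_ATTRS.get((req["manufacturer_code"], attr_id))
        if entry is None:
            body += struct.pack("<HB", attr_id, STATUS_UNSUPPORTED_ATTRIBUTE)
        else:
            body += struct.pack("<HB", attr_id, STATUS_SUCCESS) + _encode_value(*entry)
    hdr = build_zcl_header(FRAME_TYPE_GLOBAL, req["seq"], CMD_READ_ATTRIBUTES_RSP,
                           req["manufacturer_code"], to_server=False)
    return hdr + body


def read_attributes(attribute_ids, manufacturer_code=None, seq=1):
    """Client side of the exchange, run in-process against the pretend device."""
    rsp = parse_zcl_frame(simulated_device_respond(build_read_attributes(seq, attribute_ids, manufacturer_code)))
    if rsp["seq"] != seq or rsp["command"] != CMD_READ_ATTRIBUTES_RSP:
        raise ValueError("response does not match request")
    return parse_read_attributes_response(rsp["payload"])
```

Reading attribute 0x0000 twice, once plainly and once with the manufacturer code, returns two different attributes; that is the behaviour the answer describes, and it is why enumeration without the code shows you only the standard set.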
Proprietary ZigBee is usually called a Manufacturer Specific Profile (MSP) in ZigBee and is very commonly used by developers and companies. Also, ZigBee used to certify MSPs until some time last year, and used to issue a certificate for them too. But now the certification is limited to ZigBee compliance and does not include logo usage.
https://www.udemy.com/internet-of-things-and-everything-a-workshop-on-zigbee/

Implementing SNMP agent on embedded system

I am currently developing an embedded µP-based appliance which can be remotely controlled via Ethernet from a PC using its own SNMP manager software.
I have implemented all the private commands, i.e. using a private community password and under the enterprise tree OID (1.3.6.1.4.1.MY_PEN...etc). So from that point of view the unit is working OK.
What I am not too sure about is whether the appliance should also respond to other SNMP OID branch queries (e.g. 1.3.6.1.2.1... or others), not for the benefit of my PC software, but for the benefit of other PC managers who may or may not want to know whether my device "exists" on the system.
I am aware this is not an essential requirement (my device doesn't need to be known to others), but perhaps there is an established "polite" requirement for SNMP agents in a network to be visible as such, in which case there may be a minimum subset of OID queries that such agents should at least respond to for any PC manager out there.
I cannot find anything about this on the internet; does such a thing exist?
Any comments (or at least a pointer to the "right" RFC, as there are so many of them)!
Thanks in advance
For devices that I've worked on, the MIB-II system group (sysName, sysLocation, etc) is usually implemented. Other standards are only implemented where a definite need exists. See RFC 1213.
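What "implement the MIB-II system group" comes down to on the wire, as an added worked example (not the thread's code and not a production agent): a minimal SNMPv1 BER encoder and decoder, an agent that answers sysDescr, sysObjectID, sysName and sysLocation and returns noSuchName for anything else, and the manager side run in-process against it. The community string, the system-group values and the enterprise number MY_PEN are placeholders constructed for the example; the OIDs under 1.3.6.1.2.1.1 are the real RFC 1213 ones.

```python
"""Minimal SNMPv1 (RFC 1157) BER framing and an agent answering only the MIB-II system group
(RFC 1213). Added example; not the thread's code. Community, values and MY_PEN are constructed."""

INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # context-specific, constructed tags
NO_ERROR, NO_SUCH_NAME = 0, 2
SNMP_V1 = 0

MY_PEN = 99999                       # placeholder; substitute your own IANA Private Enterprise Number
READ_COMMUNITY = b"public-sample"    # constructed; SNMPv1 sends it in clear text in every packet
SYSTEM_GROUP = {                     # instance .0 of the system group; sample values, not a real device
    "1.3.6.1.2.1.1.1.0": (OCTET_STRING, b"Sample appliance, firmware 1.0"),   # sysDescr
    "1.3.6.1.2.1.1.2.0": (OBJECT_ID, f"1.3.6.1.4.1.{MY_PEN}.1"),              # sysObjectID
    "1.3.6.1.2.1.1.5.0": (OCTET_STRING, b"appliance-01"),                      # sysName
    "1.3.6.1.2.1.1.6.0": (OCTET_STRING, b"rack 3, room 101"),                  # sysLocation
}


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(v):
    n = 1                               # shortest two's-complement width, as BER requires
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    ids = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([40 * ids[0] + ids[1]])          # first two arcs share one byte
    for sub in ids[2:]:
        chunk = [sub & 0x7F]                          # base-128, high bit set on all but the last byte
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(OBJECT_ID, bytes(out))


def dec_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))


def ber_decode(buf, i=0):
    """Decode the TLV at buf[i] into (tag, value); constructed tags decode to a list of children."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    body, end = buf[i:i + n], i + n
    if tag & 0x20:
        items, j = [], 0
        while j < len(body):
            item, j = ber_decode(body, j)
            items.append(item)
        return (tag, items), end
    if tag == INTEGER:
        return (tag, int.from_bytes(body, "big", signed=True)), end
    if tag == OBJECT_ID:
        return (tag, dec_oid(body)), end
    if tag == NULL:
        return (tag, None), end
    return (tag, bytes(body)), end


def snmp_get_request(community, oids, request_id):
    varbinds = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(GET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, enc_int(SNMP_V1) + tlv(OCTET_STRING, community) + pdu)


def _enc_value(vtag, value):
    return enc_oid(value) if vtag == OBJECT_ID else tlv(vtag, value)


def agent_handle(datagram):
    """Agent side. Wrong community or version: drop silently per RFC 1157 (a real agent would also
    raise an authenticationFailure trap). Unknown OID: noSuchName naming the first bad variable."""
    (_, msg), _ = ber_decode(datagram)
    (_, version), (_, community), (pdu_tag, pdu) = msg
    if version != SNMP_V1 or community != READ_COMMUNITY or pdu_tag != GET_REQUEST:
        return None
    (_, req_id), _, _, (_, varbinds) = pdu
    oids = [oid for _, ((_, oid), _) in varbinds]
    missing = [n for n, o in enumerate(oids, 1) if o not in SYSTEM_GROUP]
    if missing:   # error responses echo the request's varbinds unchanged
        status, index = NO_SUCH_NAME, missing[0]
        out = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    else:
        status, index = NO_ERROR, 0
        out = b"".join(tlv(SEQUENCE, enc_oid(o) + _enc_value(*SYSTEM_GROUP[o])) for o in oids)
    pdu = tlv(GET_RESPONSE, enc_int(req_id) + enc_int(status) + enc_int(index) + tlv(SEQUENCE, out))
    return tlv(SEQUENCE, enc_int(SNMP_V1) + tlv(OCTET_STRING, community) + pdu)


def query(oids, community=READ_COMMUNITY, request_id=42):
    """Manager side, run in-process: (error-status, error-index, [(oid, value), ...]) or None."""
    resp = agent_handle(snmp_get_request(community, oids, request_id))
    if resp is None:
        return None
    (_, msg), _ = ber_decode(resp)
    _, _, (_, pdu) = msg
    (_, rid), (_, status), (_, index), (_, varbinds) = pdu
    if rid != request_id:
        raise ValueError("response does not match request id")
    return status, index, [(oid, value) for _, ((_, oid), (_, value)) in varbinds]
```

Answering the system group this way costs a few dozen bytes of table and makes the appliance show up correctly in any manager's discovery; the clear-text community string is the part to keep in mind, since SNMPv1 offers nothing better than a shared secret on the wire and a read-only community that only exposes the system group limits what a sniffer gains from it.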

network monitoring on windows mobile 6

I am currently trying to write network monitoring software for Windows Mobile 6. I googled a lot, and some people say that it is not possible to use an NDIS driver or WinPcap or the like for monitoring any network interface. Others say that it is possible. The fact is that I found no examples, nor any source code, on the net.
Therefore I ask this community: is it possible to write a packet capturing tool that works at the data-link layer for Windows Mobile in C or C#?
with best regards
Desktop and server Windows products have a very defined, generic and pluggable structure into which you can insert hooks into the network layer. (Look up LSP, or Layered Service Provider - this is how antivirus/firewall programs plug themselves into monitoring your network traffic.) As for WinPcap, it plugs in one level lower, at the NDIS driver level, but regardless, Windows Mobile just is not nearly as flexible when it comes to this. I don't necessarily think it's just Microsoft being short-sighted here, though - it takes much more power to provide a generic and pluggable LSP or NDIS layer than most mobile devices can afford.
The most important point here: NDIS packet capturing is not supported for Windows Mobile. The closest you can get to a mobile platform with packet capture is Windows Embedded CE.
So, in order to capture network traffic on Windows Mobile you would need to develop your own NDIS driver framework. Not a small task.
Windows Mobile uses Windows CE.
NDIS is very much present on Windows Mobile, so you can write an intermediate driver to capture traffic.
However, it already has netlog which should do the work for you: http://msdn.microsoft.com/en-us/library/ms883126.aspx
