GSM Cellular Network

Threats and Security Measures 5 References and Links This BSI brochure provides an insight into how GSMstandard mobile communication systems work. It describes some possible threats to security against interception in the use of GSM mobile communication services and identifies appropriate protective measures. (brochure in PDF-Format)

1 Principles of GSM Mobile Communication Technology

GSM (Global System for Mobile Communication) is a member of the class of cellular mobile communication networks that use operating frequencies of around 900 MHz and 1800 MHz. The GSM network is hierarchically structured, as shown in the diagram below.

1.1 Technical Components of Mobile Communication

1.1.1 Mobile phones

A GSM mobile phone consists of two components, the mobile radio telephone itself and the SIM (Subscriber Identity Module). This enables a distinction to be made in

the GSM network between user and mobile terminal. The mobile radio telephone is characterised by its internationally unique serial number or International Mobile Equipment Identity ( IMEI). The user is identified by his customer number (International Mobile Subscriber Identity or IMSI), which is stored on the SIM card. This is assigned to the subscriber when he registers with the network provider and must be distinguished from the telephone number assigned to him, which is the Mobile Station ISDN Number ( MSISDN). This distinction enables a subscriber to use different mobile radio telephones with the same SIM card. The subscriber-specific call number is also stored on the SIM card. The cryptographic algorithms for authentication and encryption of user data are also implemented on the SIM card. In addition, short text messages, call charge information and a personal telephone directory can be stored on the card too.

1.1.2 Base station

A GSM Base Transceiving Station ( BTS) houses the transmit and receive equipment for one or more cells. It constitutes the interface between the network provider and the mobile phone. The Base Station Controller ( BSC) administers the transmit and receive resources of the connected base stations. For example, the channels for signalling and for payload traffic are provided here and the data traffic between BTS and MSC is controlled here.

1.1.3 Switching nodes

The base station is controlled via the Mobile Switching Centre ( MSC). This switching node assumes all the technical functions of a landline network switching node, for example, path search, signal path switching and processing of supplementary services. If there is a requirement for a connection to a subscriber in the landline network, this is forwarded by the MSC to the landline network over a switching path. In order that the network provider is in a position to provide all the services for which demand exists, it must store various items of data. For example, it must know which subscribers are using its network and which services they wish to use. This data, such as the name of the subscriber, his customer number and the services he requires, is stored in the Home Location Register ( HLR). If a connection is to be established, for example from a landline network connection to a mobile phone, the network provider needs to know where the subscriber is and whether his mobile phone is switched on. This information is held in the Visitor Location Register ( VLR) and the HLR.

To check whether a subscriber is entitled to use the mobile telecommunication network (i.e. he has taken out a card contract), the network provider maintains an Authentication Centre ( AUC). This holds algorithms and subscriber-related keys which amongst other things are required during authentication. The network provider can also maintain the Equipment Identity Register ( EIR), which holds details of all the mobile transceivers permitted on the network, broken down into three groups known as the white, grey and black lists. The white list is a register of all the mobile phones which are functioning reliably, the grey list contains all the phones which may possibly be defective, while the black list holds details of all the phones which either have a fault or have been reported stolen. However, not all network providers maintain an equipment register.

1.1.4 Landline network

The public telephone network with its connecting paths is referred to as the landline network. As landline networks are also used in every mobile phone connection, the dangers entailed in the use of landline networks also apply to the use of mobile telecommunication networks

1.2 Connection set-Up

As soon as the owner switches on his mobile phone, it registers with the network provider via the nearest base station. At the network provider, data on the identity of the user, the serial number of the mobile phone and the identity of the base station over which registration has occurred is logged and stored. This is done even if no conversation takes place. Moreover, every time a number is dialled, this event is stored, irrespective of whether a connection is established or not.

1.3 Security Mechanisms

The SIM card can be protected against unauthorised access with a four- to eight-digit Personal Identification Number ( PIN). After switching on the mobile phone, the subscriber identifies himself to the card by entering this PIN. If an unauthorised person gains possession of a SIM card, he cannot use it without also knowing the PIN. To prevent improper use of the SIM card, the PIN should therefore be kept in safe place. The subscriber identifies himself to the network provider on registering by means of the SIM card and the cryptographic algorithms held on it. Authentication is effected with the aid of an authentication key which is known only to the network provider in

the AUC and the subscriber on the SIM card. Normally the data is only transmitted encrypted on the radio link between the mobile phone and the base station. Encryption is not used on any of the other transmission paths, either in the GSM network or in the landline domain. For operational reasons, even on the radio link it is possible for the encryption procedure not to be applied, in which case data will then be transmitted unencrypted. Depending on the statutory requirements, in some countries encryption of transmissions can be completely disabled or individual security parameters can be weaker.

1.4 Types of Data

The data processed during telephone communication can be broken down into three groups (see [ BfD]): Inventory data (or master data) is data which is permanently held in a service or network and is kept available. This includes the call number and, if necessary, the name and address of the subscriber, information about the type of mobile data device, if appropriate any features and authorisations relevant to the connection as well as data about the assignment of subscriber groups. Content data is the real "payload data", i.e. the information and messages transmitted. Call data provides information about the detailed instances of communication. This includes data on communication partners (e.g. call numbers of the calling and called connection), time and duration of the connection, system services used, connections used, lines and other technical facilities, services and, in the case of mobile services, the location IDs of the mobile terminals.

1.5 Enhancements to GSM Mobile Communication Technology

1.5.1 HSCSD
HSCSD (High Speed Circuit Switched Data), an enhanced version of the GSM standard, is a circuit switching data service. Several GSM radio channels are used simultaneously for data transmission in order to achieve higher transmission rates (57 kbps).

1.5.2 GPRS
GPRS (General Packet Radio Service) is a packet-oriented data service for data transmission in the GSM network that has been enhanced by including additional infra-

structural components. Several radio channels can be bundled together, so that transmission rates of up to 171 kbps (in practice, approx. 50 kbps) are theoretically possible. Unlike HSCSD which uses curcuit switching, GPRS is based on the relaying of individual data packets. The Internet Protocol ( IP) is used for this purpose, and every mobile data device is given its own IP address. With GPRS, the user can be permanently online. The available RF channels are divided amongst all the subscribers. Billing is not on the basis of time spent online but instead is based on the amount of data transmitted. This data service is therefore especially suited to dialogue-oriented applications like WAP,i-mode(tm)and e-mail.

1.5.3 UMTS - Third Generation mobile communication

The Third Generation mobile communication system UMTS (Universal Mobile Telecommunications System) is the successor to GSM. Through more powerful radio technology (including more bandwidth and CDMA transmission methods), any content (e.g. multimedia applications, downloads from the internet, videoconferencing) can be transmitted at a high transmission rate. This opens the door to a variety of new services in the future. The data transmission rates specified in the UMTS system range from 144 kbps for the highly mobile user (maximum speed 500 km/h) through to 2 Mbps for quasi-stationary operation. UMTS data devices will from the outset be multi-mode capable, i.e. they will also be able to use the GSM network for voice and data connections.

1.6 Additional Services

1.6.1 SMS services
Text messages can be sent to mobile phone subscribers all over the world by SMS (Short Message Service). Messages can be up to 160 characters long. The message text is entered using the keypad and sent to the desired recipient. Alternatively, SMS messages can also be sent as e-mails. An EMS (Enhanced Messaging Service) message consists of a sequence of several SMS messages. The outcome of this is that even messages containing far more than 160 characters can be sent. It is also possible to send animated graphics, sounds (e.g. ring tones) and formatted text. MMS (Multimedia Message Service) is an enhanced version of SMS and EMS. With MMS, thanks to increased mobile radio bandwidth it is possible to transmit colour pictures (digital photographs) and short sequences of film to appropriately equipped

mobile phones. When one sends an SMS, EMS or MMS message, this is stored on a server belonging to the appropriate network operator, the SMS/EMS/MMS centre. The network operator automatically sends a notification to the recipient. In addition, some providers also send "message waiting" indicators to the mobile phone of the recipient (e.g. an email icon appears on the display). When the recipient retrieves the message, it is transmitted by the server to the mobile phone. The network operator then sends an instruction to delete the icon in the display of the mobile phone.

1.6.2 WAP, i-mode?

WAP (Wireless Application Protocol) and i-mode(tm)are standards for the data transmission of internet content and services (e.g. banking, brokerage, information, shopping) to mobile phones, handheld devices or PDAs equipped with the appropriate special browser. The WAP protocol specifies an architecture based on existing internet technologies and a family of protocols for the transmission of information to mobile data devices. Amongst other things it defines guidelines for microbrowsers, which can be used to display content on mobile phone displays. As images and complex graphics cannot be presented in WAP, appropriate content has to be processed in WML (Wireless Markup Language) format. This is a description language which is used for the device-independent presentation of information. Dynamic information can be presented using WMLScript similar to the use of JavaScript on the web. Like the architecture of existing data networks, the WAP architecture is client-server based. It depends on a layered system structure similar to other families of network protocols, e.g. TCP/IP, and the OSI reference model. i-mode(tm) is a data service that has been developed in Japan and, like WAP, enables mobile internet access. In Germany it is based on the packet-oriented GPRS. With this technology, the user does not occupy an entire radio channel (or time slot) but the data is split into packets and transmitted when capacity is free. This saves resources, and billing is based on the volume of data transmitted in contrast to the length of time that the subscriber is connected. A special data device that incorporates a browser which can interpret iHTML is needed to use i-mode(tm) pages. It supports HTML formatted texts, colour graphics and polyphonic MIDI sounds.

2 Potential Threats Associated with the Use of GSM Mobile Communication Equipment
The signals transmitted on the "radio link" during mobile communication cannot be physically protected against unauthorised monitoring and recording, hence an attack can be carried out without the access problems that are customary in the case of landline communications. A second problem arises from the fact that for technical reasons mobile communication partners have to communicate information about their location at regular time intervals as well as whenever they move into a different location area, in order to be reachable at all times. Again, location information is transmitted whenever they themselves establish a connection. This location information could be used by the network or service provider - and also by third parties - to build up movement profiles. Since every GSM mobile communication connection also entails the use of landlines, security in the mobile telecommunication network cannot be greater than on landlines.

2.1 Interception of Phone Calls

If an adversary can gain access to the network provider's technical facilities (lines, switching exchanges, base stations), he will then be able to listen in to any telephone calls conducted over this equipment. This applies to connections both in the mobile communication network and in the landline network. Micro-wave links, on which transmission is normally effected unencrypted, can be intercepted with a moderate amount of technical effort. If the calls are connected over line-connected paths from the base station to the MSC, a physical attack on the cable paths is necessary. If a base station is connected to the switching node over an unencrypted micro-wave link, as is normally the case, it is possible to intercept and tap these radio signals unnoticed using antennae and special receivers. The threat is all the greater if all phone calls for the connected base station are transmitted over these micro-wave links. In Germany, the transmission of radio signals between mobile phone and base station is encrypted in all mobile communication networks. However, there are special technical systems around which exploit the weakness of one-sided authentication in the GSM network (the only authentication which occurs is the authentication of the mo-

bile phone to the base station), by pretending to mobile phones to be a base station, disabling the encryption and instituting plaintext operation. As far as the network is concerned, these devices behave like normal GSM mobile data devices. Other possible ways of disabling this encryption are tampering with the mobile phone or with the technical facilities of the network provider. Some mobile phones indicate the absence of encryption by an appropriate icon on the display. In the specialist literature on cryptography there are already descriptions of possible attacks on the GSM A5 encryption algorithm ([A5_1]).

2.2 Bugging of Indoor Conversations

2.2.1 Bugging using industry standard mobile phones
Mobile phones can be used to record or listen to indoor conversations unnoticed. In the simplest case, this can be achieved with a mobile phone which, for example, during a meeting, is placed unnoticed in the room and from which a connection is established to an interested eavesdropper. However, as the phone has only a limited battery life and the microphone is not designed for room surveillance, such an attempt at bugging is of only limited effect. Through skilful selection of features and combining these with hands-free operation, it is possible to have an external call put a mobile phone into talk mode without this being indicated by a ringing tone.

2.2.2 Bugging using a manipulated mobile phone

Specially manipulated mobile phones and phonecards, whose use is banned in Germany, can be used to listen in on indoor conversations. Here the mobile phone is used as a bugging device which can be activated from anywhere in the world over the telephone network, without this being detectable from the phone itself. Possible hardware manipulations include, for example, the installation of bugging transmitters, including in the batteries, and of additional control hardware. Another way of using mobile phones for bugging purposes is to tamper with the control software (firmware) installed on the device. Thus, for example, one type of device is known in which the display of the mobile phone is switched off in this way although a call is actually connected to the device.

though a call is actually connected to the device. Mobile phones are becoming even more flexible as a result of extension of the mobile phone menu functions using SIM Toolkit and a new generation of SIM Toolkit capable SIM cards. Such a mobile phone can be programmed with new functions by the network provider over the cellular network. Thus, for example, the card provider can tailor the menu structure to meet the requirements of a particular customer. This has the effect of increasing the danger of tampering. In order for the adversary to carry out a manipulation, he needs physical possession of the device to be manipulated for a certain time.

2.3 Improper Data Transfer Using GSM Mobile Data Devices

2.3.1 Unauthorised data transfer (by insider)
GSM mobile data devices, for example, in the form of a PC plug-in card (card phone) make it is possible to transmit data from the PC over the mobile telecommunication network and, if necessary, over the internet to anywhere in the world. In this way, by circumventing the internal telephone system and any onsite security staff, an insider could transmit large volumes of confidential data to the outside world unnoticed, using HSCSD or GPRS with correspondingly high transmission rates. It is not always possible to check afterwards whether such data transmission has occurred, as the network provider's record of the call data may already have been deleted.

2.3.2 Inadvertent data transfer (due to external party)

Like ordinary mobile phones, card phones too can be tampered with. Moreover, in this case there is the additional danger that the PC software can easily be tampered with through viruses or Trojan horses which can find their way onto a computer unnoticed. This danger is especially critical, as in such an attack not only the information that the user is currently working on but all the data files on the PC can flow out or be destroyed unnoticed.

2.4 Creation of Movement Profiles

Every time a mobile phone is registered, for technical reasons information on the base station used, the identity of the user and serial number of the mobile data device is transmitted to the network provider. This means that a network provider is able to

determine when, where and by whom a particular mobile call was activated or used. However, the creation of communication profiles and personal movement profiles is forbidden under German data protection legislation ([BfD]). Through analysis of the transmission protocols the network provider is also in a position to determine the distance of the subscriber from the base station and in this way to pinpoint the present location of a GSM subscriber. This position fixing can be used to the benefit of the customer to implement a "home zone" or offer him additional services (Location Based Services). With special interception technology it is possible to identify both the SIM cards and also the device identities of all the mobile phones within the catchment area without any need for access to the connection data stored by the network provider. This information can once again be used to create movement profiles for particular persons or mobile data devices.

2.5 Call Number Identification

If an adversary knows certain information (IMSI, IMEI, MSISDN) about the subscriber or a mobile phone, he can then identify individual phone calls, although this does require extensive technical effort. With the aid of IMEI it is possible to selectively filter calls out from the datastream on the mobile network radio relay links. Calls can also be identified in the public telephone landline network, for which knowledge of the subscriber call number is necessary. With the appropriate interception equipment, the IMSI and IMEI can be ascertained directly on the radio link between mobile phone and base station. An insider, either at the network provider's or, for example, in a company that extracts work or private telephone numbers from telephone lists, could identify the call number MSISDN by working out the relationship between IMSI, IMEI and MSISDN in the relevant database.

2.6 Threats Associated with the Use of Additional Services

2.6.1 SMS services
The statements made in Section 2.1 apply equally to the interception of SMS messages. It should also be mentioned that storage and processing of SMSs in the message centres is carried out unencrypted.

Cases have come to light in which hackers exploited software errors in certain mobile phones so as to make them crash by inducing a buffer overflow ("freezing" of the mobile phone in its present operating state) through the transmission of SMSs. Cases are also known in which, following receipt of an SMS from a hacker, nondeletable icons appeared on the display. Such attempts to jam a mobile phone via SMS are generally harmless, and usually any malfunctions that occur can be rectified simply and quickly. In addition to the threats associated with SMS messages already described, there is also the nuisance of unwanted SMS messages, sometimes associated with the request to call back a particular number (e.g. a number with a prefix which incurs a charge when called).

2.6.2 m-commerce and m-payment

In m-commerce applications that entail the use of i-mode(tm) or WAP, not only are the threats described in Section 2.3 applicable, but additional threats described elsewhere in connection with e-commerce and the use of the internet also apply ([BSIecomm]). Where services used are paid for by mobile phone (m-payments), the security considerations that relate to home banking apply on top of all the threats already mentioned (see [BSIhomeb]).

2.6.3 Virus problems

Due to the expanding possibilities of software-based applications on mobile data devices, the danger of viruses and Trojan horses is also increasing.

2.7 Hoax Messages

A hoax is a message that contains a warning about a new IT problem, but which is not based on actual technical facts. The only damage caused by a hoax is disquiet and irritation on the part of the recipients, and possibly the time and money spent on forwarding the hoax. A whole range of such hoax messages have afflicted mobile phone users. For example, users have been warned that inputting certain key combinations or dialling certain call numbers on mobile phones could result in conversations being tapped or calls being charged to other persons. Because such messages contain references to

calls being charged to other persons. Because such messages contain references to mobile phone brands manufactured by well-known companies and a few technical terms, they give the impression of being serious messages. ([BSIgshb])

3 Protective Measures
As a rule, the nature and scope of protective measures will depend on the threat situation. It is up to the individual to decide what safeguards to implement in a particular case. Because people often do not take seriously the danger of communications being intercepted, security officers should check that existing measures aimed at creating staff awareness of the threats in the telecommunications area are adequate. It may be appropriate to remind staff at regular intervals about the dangers of having their calls intercepted so as to ensure that they are fully aware.

3.1 Protection against Bugging of Phone Calls

One possible effective protection against bugging of phone calls is to employ interoperable, network-wide, end-to-end encryption. As long as such encryption is not implemented, every connection can potentially be intercepted, whether over the landline network or the mobile communication network. The following measures are recommended as a means of reducing the threat: As a matter of principle, confidential information should not be communicated on the telephone without taking special protective measures. Only devices which indicate the absence of encryption on the display should be used. If required, it is recommended using specially encrypting mobile phones for closed user groups. For user groups within government agencies, crypto mobile telephones cleared for classified use should be mentioned at this point. Itemised call breakdowns should be examined for unknown call numbers. In addition, a check should be carried out as to whether all the telephone charges are billed to the subscriber; the absence of charges for certain connections could be an indication of eavesdropping.

3.2 Protection against Bugging of Indoor Conversations

3.2.1 Protection against the bugging of indoor conversations using industry standard mobile phones

The only way to be sure that indoor conversations are not being bugged using mobile phones is to prevent mobile phones from being taken into the rooms to be protected. Passive warning devices (GSM mobile phone detectors) are available on the market which report any mobile phone that is in transmit mode or starts transmitting. The range of the devices can be adjusted so that it is confined to the area to be monitored. It is recommended that such warning devices are installed and are activated during conversations about sensitive or confidential subjects. There are active mobile phone detectors which order all mobile phones within range to go into transmit mode. However, these cannot be recommended as they are not allowed under German law. The use of noise generators which cause radio interference in a physically defined area and thus prevent the reception of mobile radio signals is also prohibited in Germany.

3.2.2 Protection against the bugging of indoor conversations using specially modified mobile phones
The protective measures mentioned in Section 3.2.1 also apply in the case of specially modified mobile phones. The following additional points should be noted as well: Switching off the mobile phone does not ensure sufficient protection since in the case of specially modified mobile phones there is no way of eliminating with certainty the possibility of the phone being switched into transmit mode over the radio link unnoticed. The only way to prevent this would be to remove the battery. The risk of manipulation can be avoided if the following points are observed: To avoid the possibility of a device being tampered with in advance of acquisition, mobile phones should only be purchased from trusted sources. When purchasing relatively large numbers, the order should be split between several suppliers. If a mobile phone is suspected of having been tampered with, it should be withdrawn from circulation. Tampering with the hardware can be reliably detected by comparing the x-ray image of a normal mobile phone with that of a device suspected of having been manipulated. Hardware manipulation, in which special eavesdropping features are added via additional circuit elements can also be identified visually after taking the device apart.

At present there is no test tool around with which the firmware of mobile phones can be checked for manipulation.

3.3 Protection against Improper Data Transfer over GSM Mobile Data Devices
3.3.1 Protection against unauthorised data transfer
It is impossible to achieve 100% protection against insiders. It is therefore advisable to ban the taking of mobile phones into sensitive areas and to check that this ban is being adhered to.

3.3.2 Protection against inadvertent data transfer

As cases of manipulated card phones cannot be excluded, mobile phonecards should not be allowed in PCs on which sensitive data is handled or which are connected to a computer network. For further information on manipulation using Trojan horses, the reader is referred to [ BSIvirFB].

3.4 Protection against SIM Card Misuse

The mobile phone and SIM card must always be kept safe. The secret personal PIN should remain activated and under no circumstances should it be kept in the same place as the SIM card for the mobile phone. Should the SIM card go missing, arrangements should be made immediately for the network provider to block the card in order to exclude the possibility of the card being misused and also of any personal loss. It is recommended checking itemised call breakdowns at regular intervals for unexplained charges and called party numbers.

plained charges and called party numbers.

3.5 Protection against the Creation of Movement Profiles

If the creation of movement profiles is viewed as a threat, then if possible both mobile phones and SIM cards should be swapped around among staff more frequently. In this way it is at least more difficult to associate specific phones and cards with particular users. If it is desirable that the whereabouts of the user should be concealed at certain times, the only way to ensure this is by switching off the mobile phone. To be quite certain, the battery should be removed.

3.6 Protection against Call Number Identification

If mobile phones and SIM cards are swapped around between users, as suggested in Section 3.5, this can provide a certain protection against the association of call numbers with particular persons, as it prevents a permanent association between user and call number or between mobile phone and user from being deduced. However, the association with a company, for example, will remain. Other possibilities for protecting against call number identification include: not publishing call numbers in the public phonebook not publishing call numbers in the internal phone directory

3.7 Protective Measures for the Use of Additional Services

3.7.1 SMS services
As there is no way of preventing SMSs from being received, at this point the only recommendation that can be made is to only divulge one's own call number to trusted persons.

3.7.2 m-commerce and m-payment

See [BSIecomm].

3.7.3 Virus problems

See [BSIvirFB].

3.8 Hoax Messages

A collection of hoax messages can be found on the BSI internet (no longer available).

4 List of Abbreviations
Abbreviations Explanation AUC Authentication Centre BSC Base Station Controller BSS Base Station Subsystem BTS Base Transceiver Station CDMA Code Division Multiple Access EIR Equipment Identity Register EMS Enhanced Messaging Service GPRS General Packet Radio Service GSM Global System for Mobile Communication GMSC Gateway MSC, bergang zum Festnetz HLR Home Location Register HSCSD High Speed Circuit Switched Data HTML Hyper-Text Markup Language iHTML HTML-Variante fr i-mode? IMEI International Mobile Equipment Identity IMSI International Mobile Subscriber Identity IP Internet Protocol ISDN Integrated Services Digital Network MIDI Musical Instruments Digital Interface MMS Multimedia Messaging Service MSC Mobile Switching Center MSISDN Mobile Station ISDN Number OSI Open Systems Interconnection PIN Personal Identify Number SIM Subscriber Identity Module SMS Short Message Service TCP Transmission Control Protocol UMTS Universal Mobile Telecommunications System VLR Visitor Location Register WAP Wireless Application Protocol WML Wireless Markup Language

5 References and Links

Eberspcher J., Vgel H.-J., Bettstetter C.:GSM Global System fr Mobile Communication Vermittlung. Dienste und Protokolle in digitalen Mobilfunknetzen. Stuttgart: Teubner 2000 (3. Auflage) [WALmobil] Walke B.: Mobilfunknetzte und Ihre Protokolle. Stuttgart: Teubner 1998 Bundesamt fr Sicherheit in der Informationstechnik: IT-Baseline Protection [BSIgshb] Manual. Cologne: Bundesanzeiger 2002. [BSIecomm] Bundesamt fr Sicherheit in der Informationstechnik: Electronic Commerce (leaflet), Bonn 2001. [EBEgsm]

[BSIecomm]

(leaflet), Bonn 2001. [BSIhomeb] Bundesamt fr Sicherheit in der Informationstechnik: Homebanking. Bonn 2001 [BSIvirFB] Bundesamt fr Sicherheit in der Informationstechnik: Trojanische Pferde. Also: Kurzinformationen zu Computer-Viren, Bonn 2001 Real Time Cryptanalysis of A5/1 on a PC. In: Schneier B. (ed.): Fast Software [A5_1] Encryption. Heidelberg: Springer 2000 (see also http://cryptome.org/a51bsw.htm) [3gpp] 3rd Generation Partnership Project: www.3ggp.org [BfD] The Federal Data Protection Commissioner: www.bfd.bund.de [BSI] Bundesamt fr Sicherheit in der Informationstechnik: www.bsi.bund.de [ETSI] European Telecommunications Standard Institute: www.etsi.org [heise] Heise Online news: www.heise.de