IMSI-catcher with SDR
We are used to carrying our phones everywhere. Cellular technology has become a part of our lifestyle. GSM has long been the most widely deployed and the most successful mobile network across the world. By the end of 2003, mobile subscribers worldwide had totaled 1.3 billion, outnumbering the 1.2 billion fixed telephone subscribers [1]. I am interested in the privacy and security of GSM technology. Has anyone found vulnerabilities in this technology? How safe am I from eavesdropping, “Man In The Middle” attacks, or just regular tracking of my location?
I started to learn about radio hacking, mainly on GSM. I found a tool called IMSI-catcher, with which you can get the unique ID [2] of a network subscriber, as well as information related to network providers. It was not easy to learn, and I still don’t know much about this domain.
I had a strong belief it would be like the security of Wi-Fi. Let’s look at what
My results can be replicated with any Software Defined Radio (SDR), starting at $20. In this write-up I used a HackRF One and the Skywave Linux distro.
Prerequisites
You need to download the Skywave distro ISO file [3], make a bootable USB flash drive with Rufus [4], and install it on a bare-metal laptop. I am assuming you have already done that. Before installing the GSM software, update the system to the latest packages. In my write-up, I used this post [5] as the primary source of information.
sudo apt update && sudo apt upgrade -qy
Skywave has most of the tools and drivers built in, but we need a few more.
sudo apt-get install -y \
cmake \
autoconf \
libtool \
pkg-config \
build-essential \
python-docutils \
libcppunit-dev \
swig \
doxygen \
liblog4cpp5-dev \
python-scipy \
python-gtk2 \
gnuradio-dev \
gr-osmosdr \
libosmocore-dev \
tcpdump
After installation, you need a Python package manager (pip). It can be installed from apt. Another method is shown below:
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py
python3 -m pip install --upgrade pip
pip3 install scapy --user
Also, you need to know which GSM frequency band is used in your region. It should be around 900 MHz and 1 GHz. There is a tool that shows which frequencies are in use around you. In my case, it was 947 MHz.
Installation
IMSI catcher uses the GR-GSM module, which can convert particular radio waves into GSM packets.
Using a tool called tcpdump, you can find GSM packets coming through the localhost interface.
The data is encrypted, but some packets called “paging requests” are visible in plain text. I downloaded the source code from the Github.com repository and compiled it on my machine.
git clone https://git.osmocom.org/gr-gsm
cd gr-gsm
mkdir build
cd build
cmake ..
mkdir -p $HOME/.grc_gnuradio/ $HOME/.gnuradio/
make
sudo make install
sudo ldconfig
Instead of using tcpdump or Wireshark to filter GSM traffic, there is another tool called IMSI-catcher, which shows you the cell tower ID, the network provider, and the IMSI number.
git clone https://github.com/Oros42/IMSI-catcher.git
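To make concrete what a plain-text paging request exposes, here is an added example (not part of the original write-up or of the IMSI-catcher project) that decodes the Mobile Identity field defined in 3GPP TS 24.008 and counts how often a set of identities carries the permanent IMSI rather than a temporary TMSI. The sample bytes are constructed (test network MCC 001), and the function names and the 2-digit MNC default are assumptions.

```python
from collections import Counter

# Type-of-identity codes from 3GPP TS 24.008, section 10.5.1.4
ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

def decode_mobile_identity(value: bytes):
    """Decode the value part of a Mobile Identity IE into (type, identity)."""
    if not value:
        raise ValueError("empty Mobile Identity")
    id_type = ID_TYPES.get(value[0] & 0x07, "reserved")
    if id_type in ("none", "reserved"):
        return id_type, ""
    if id_type == "TMSI":                      # 0xF4 followed by 4 opaque octets
        if len(value) != 5:
            raise ValueError("TMSI needs exactly 4 octets")
        return id_type, value[1:].hex()
    digits = [value[0] >> 4]                   # digit 1 is the high nibble of octet 1
    for octet in value[1:]:
        digits += [octet & 0x0F, octet >> 4]   # swapped BCD: low nibble first
    if not value[0] & 0x08:                    # even digit count: last nibble is 0xF filler
        if digits.pop() != 0xF:
            raise ValueError("missing filler nibble")
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit")
    return id_type, "".join(map(str, digits))

def split_imsi(imsi: str, mnc_len: int = 2):
    """Split an IMSI into (MCC, MNC, MSIN); MNC length is 2 or 3 per operator."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

def redact_imsi(imsi: str, mnc_len: int = 2) -> str:
    """Keep the operator prefix and mask the subscriber part for logging."""
    mcc, mnc, msin = split_imsi(imsi, mnc_len)
    return mcc + mnc + "*" * len(msin)

def exposure_summary(identities):
    """Count identity types seen, e.g. permanent IMSI versus temporary TMSI."""
    return Counter(decode_mobile_identity(v)[0] for v in identities)

# Constructed sample values (test network MCC 001 / MNC 01), not captured traffic
SAMPLES = [bytes.fromhex(h) for h in
           ("0910101032547698", "f4a1b2c3d4", "f40badc0de")]

if __name__ == "__main__":
    for raw in SAMPLES:
        kind, ident = decode_mobile_identity(raw)
        print(kind, redact_imsi(ident) if kind == "IMSI" else ident)
    print(dict(exposure_summary(SAMPLES)))
```

A high share of IMSI entries relative to TMSI entries means the network is paging subscribers by their permanent identifier, which is what makes passive location tracking possible.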
Running
Let’s check whether your “HackRF One” device is visible to the operating system. It should work out of the box.
hackrf_info
You should see some information about the device and driver versions.
We need two terminal windows open. In the first one, go to the IMSI-catcher directory and run the following command.
cd IMSI-catcher
sudo python3 simple_IMSI-catcher.py --sniff
In the other terminal, go to the gr-gsm directory and open the prepared script.
cd gr-gsm/apps
gnuradio-companion grgsm_livemon.grc
Check the configuration of the GNU Radio blocks. The frequency variable needs to be set to your GSM tower frequency. Then press the play button on the ribbon.
Soon you should see packets popping up, and the other terminal will show the IMSI numbers.

Troubleshooting
Wrong frequency, or not enough RF signal to catch the GSM traffic.
- You need to adjust the settings in the graphical interface window that opens and increase the power from the default.
Missing some dependency or can’t compile.
- Install all the dependencies mentioned in this post.
If you’re doing it over SSH in some hypervisor, it may be a problem for the gr-gsm application.
- I recommend doing it on bare metal and in a GUI desktop environment.
Reference
[1] https://www.zte.com.cn/global/about/magazine/zte-communications/2005/1/en_48/162312.html
[2] https://www.techopedia.com/definition/5067/international-mobile-subscriber-identity-imsi
[3] https://skywavelinux.com
[4] https://rufus.ie
[5] https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/