Jump to content

Interesting article: Cellphone tower spoof- Intercept GSM, 3g/4g traffic


SYMBIOTE
 Share

Recommended Posts

It's actually pretty easy, provided you have something like the HackRF: some sort of radio that you can tune and, crucially, transmit on.

All the software you need is OpenBSC from the OsmoCom project. To make it work, all you have to do is transmit a stronger-than-the-others signal that can be identified as the carrier you want to mimic. The phone will see no difference between your 'tower' and a remote one meaning it will pick you over the remote one because you provide a better signal. From that point on YOU are in control. You prevented inbound calls by virtue of the victim choosing your network over the real one meaning that as far as the telephone network is concerned, they are unreachable. You transfer any outbound calls using VOIP to any server that will accept the traffic and you play MITM. Because part of the GSM protocol is to decide the encryption used on the airwaves where the best form available on both ends is picked (much like with SSL in picking the cipher to use) all that remains to capture the traffic is to say your 'tower' can do, at best, no-encryption. The system defaults to that, the cell phone doesn't want to bother its users with a warning and nobody will be the wiser.

So really, all you need is a radio/transmitter.

Link to comment
Share on other sites

Guest spazi

I did some read about this couple of months ago, I believe the tactic is that you have a transmitter/receiver and force the nearby phone to downgrade to GSM instead of 3G/4G
That way you can sniff the data being transmitted/received.

Link to comment
Share on other sites

I could be mistaken here, but I don't think voice is carried by 3G or 4G. Those are data carriers. The voice bit still uses boring old GSM which is either 2G or less. The OsmoCom folks should have the definitive take on this though.

Link to comment
Share on other sites

GSM public band is something like 900 where the licensed band is 1800. Nothing on the Pineapple currently operates at either frequency, but using a USB dongle you could receive the signals and hopefully some day something like the HackRF can be used to actually transmit something on at least the public band.

It _can_ transmit on the non-public band of course. You're just not allowed to. So don't. Pretty please? Signed, the FCC.

Link to comment
Share on other sites

Thanks a lot Cooper for the opensbsc website , didn't knew it.

I will probably make a test in future , even if I have to say that I am a little worried about the eventual complexity of properly setting the software , and the effective interception capabilities.

If someone does this experiment before me , please post some info/photos here!

Link to comment
Share on other sites

Guest spazi

I actually found this book about GSM and 3G. Perhaps I should have read it :P
If I remember correctly, 3G does carry voice, like GSM, but it's got faster data rates and better encryption.
But I'm a totalt noob when it comes to telephone communication, so don't take anything I write here seriously.
Found this on the net:

"GSM differs from its predecessors in that both signaling and speech channels are digital, and thus is considered a second generation (2G) mobile phone system. This has also meant that data communication was easy to build into the system."

Edited by spazi
Link to comment
Share on other sites

I would reccommend this write up here: http://domonkos.tomcsanyi.net/?p=418 in which he uses the original HackRF Jawbreaker to intercept AND decrypt gsm traffic.

Importantly, this PDF which he links near the beginning which explains all about how GSM exactly works: https://skydrive.live.com/redir?resid=8F7DEEEC761F130B!603&authkey=!AN3UlLqs7FxmZmQ

Finally, this project is really cool. It involves hacking the femtocells to see all the traffic passing through it (femtocells are portable mini cell phone towers that anyone can buy for around $400 to improve their coverage - typically for businesses that have poor reception round the office...): https://wiki.thc.org/vodafone

Hope these help! I think thats all the projects I know of - the PDF detailing GSM is a highly recommended read!

Link to comment
Share on other sites

Thank you so much!

The article is detailed and I will read the part 2 of it, the pdf was very accurate and complete. And the link to the vodafone booster is interesting.

I saw this little baby right here: http://www.interceptors.com/intercept-solutions/detects-parameters-3G-networks.html

It will probably be expensive and probably they will not sell to non-gov users , but I wonder if these features can be emulated with an "home made" one:

  1. Automatically scans and detects parameters of all 3G networks
  2. Detects all 3G phones and collect all their identities (IMSI, IMEI and TMSI)
  3. Displays phone model, country of origin and name of network provider
  4. Measures distance to all 3G phones with accuracy of less than 30 m
  5. Selectively force only target’s phones to migrate to GSM mode. Rest of the phones stays in 3G-mode. Being pushed into GSM mode, 3G phones stay there until reboot. It makes possible interception of such phones by GSM passive interception systems. Active systems, after finishing interception, can send them back to 3G-mode.
  6. Selectively blocks communication of 3G target’s phones.

I found some triple band signal repeater that should do better than femtocells , it receive gsm-3g-4g : http://www.alibaba.com/product-detail/triple-system-signal-repeater-F20B-GDW-_495044108.html

This should definitely be the best quality/price for a coverage of about 2 square kilometers , I will check If will be possible to come out with a professional-like set up for interceptions.

Link to comment
Share on other sites

  • 1 month later...

Might be better to invest in a USRP b200 or B210. Using the signal reflector does to give you complete control, While using a USRP you can create your own basestation using OpenBTS which, with internet access, gives you complete control because you control the entire network, after all in this scenario you are the network.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...