Interception of data from Telecommunications Base Stations

In today's guide we will show you how to monitor the messages and also the calls of everyone who is on the same telecommunications base station as you. Specifically, we will talk about GSM and IMSI numbers, how they work but also the vulnerabilities we will exploit to obtain .


GSM networks and IMSI numbers

GSM is a standard developed by the European Telecommunications Standards Institute (ETSI) and was first developed in Finland in December 1991. It quickly became the European standard for mobile phone transmission and achieved 90% penetration of the global mobile network by the 21st century.

One of the security weaknesses of GSM networks is the lack of mutual authentication.

The handset does not authenticate the base station before it attaches to the network.

In this guide, we will use this weakness to sniff the base station packets and obtain the IMSI of the connected devices.


The IMSI number is a globally unique number that identifies the subscriber. It is up to 15 digits long and consists of:

MCC – Mobile Country Code. 3 decimal digits; identifies the country of the owner of the mobile device.

MNC – Mobile Network Code. 2 decimal digits; identifies the mobile network.

MSIN – Mobile Subscriber Identification Number. 10 decimal digits; identifies the subscriber.


The IMSI number is stored on the SIM card in the mobile phone and identifies the country, carrier and user. With this information, the person sniffing the network traffic can identify and locate the user of the phone and potentially intercept and spoof the user's information.
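The field layout above is all a parser needs. The following is an added example (not code from the article or from any of the tools it uses) that validates an IMSI string, splits it into MCC, MNC and MSIN, and masks the subscriber part for logging; the sample IMSI is constructed (202 is Greece's MCC, the rest is made up), and the optional 3-digit MNC handling is an assumption beyond the 2-digit layout the article gives.

```python
# Added example: parse an IMSI into the MCC / MNC / MSIN fields described above.
# Not part of the original article.
from dataclasses import dataclass

# Article layout: MCC (3) + MNC (2) + MSIN (10) = 15 digits maximum.
# Assumption added here: some networks (notably North American ones) use a
# 3-digit MNC, in which case the MSIN shrinks to 9 digits.
MAX_IMSI_LEN = 15
MCC_LEN = 3


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number, the remainder


def parse_imsi(raw: str, mnc_length: int = 2) -> Imsi:
    """Validate an IMSI string and split it into its three fields."""
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    digits = raw.strip()
    # isascii() guards against non-ASCII digits that str.isdigit() would accept.
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"IMSI must contain decimal digits only: {raw!r}")
    if not (MCC_LEN + mnc_length < len(digits) <= MAX_IMSI_LEN):
        raise ValueError(f"IMSI has an invalid length: {len(digits)} digits")
    mnc_end = MCC_LEN + mnc_length
    return Imsi(mcc=digits[:MCC_LEN], mnc=digits[MCC_LEN:mnc_end], msin=digits[mnc_end:])


def mask_imsi(imsi: Imsi) -> str:
    """Redact the subscriber part of an IMSI for logs or reports.

    MCC and MNC only say which country and carrier a capture belongs to;
    the MSIN identifies an individual and should not be written to logs.
    """
    return imsi.mcc + imsi.mnc + "*" * len(imsi.msin)


# Constructed sample IMSI (not a real subscriber): MCC 202 (Greece), MNC 01, MSIN 9876543210.
SAMPLE_IMSI = "202019876543210"

if __name__ == "__main__":
    parsed = parse_imsi(SAMPLE_IMSI)
    print(parsed)              # Imsi(mcc='202', mnc='01', msin='9876543210')
    print(mask_imsi(parsed))   # 20201**********
```

The masking helper is the piece worth keeping if you ever store capture results: country and carrier are enough to report what a rogue or misconfigured cell is serving, and there is rarely a reason to retain the full MSIN.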

Let's see how we can collect this information from 2G and 3G mobile networks with the RTL-SDR dongle and some programs.

Step #1: Install Kali Linux and Apps

For this guide, we will be using Kali along with some programs to help us achieve our goal. Let's start with gr-gsm. Gr-gsm is a toolkit for receiving GSM broadcasts, which works with any Software Defined Radio (SDR) hardware capable of receiving a GSM signal.

Although gr-gsm is available in the Kali repository, I've found that building it from source works better. To install gr-gsm, install the dependencies first.

sudo apt-get install -y cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev gnuradio-dev gr-osmosdr libosmocore-dev liborc-0.4-dev

Then download gr-gsm from its git repository.

sudo git clone https://git.osmocom.org/gr-gsm


Then follow the next steps to build and install the app properly.

cd gr-gsm
mkdir build
cd build
cmake ..
make -j 4
sudo make install
sudo ldconfig

Finally, we need to extend the PYTHONPATH environment variable with the command below (no sudo is needed, since the redirection writes to your own ~/.bashrc).

echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc


You are now ready to install kalibrate-rtl from the Kali repository.

sudo apt install kalibrate-rtl


Next, we download IMSI-catcher from github.


Step #2: Find the Frequencies that Base Stations in your area operate on

The next step is to find the base stations in your area and the frequency at which they operate. For this we can use kalibrate (the kal command).

Let's start by looking at kalibrate's help.

kal -h


As you can see above, kal just needs the -s option to scan one of the GSM bands: GSM850, GSM-R, GSM900, EGSM, DCS or PCS. Since GSM850 works in Greece, I will scan it with a gain of 45 dB.

sudo kal -s GSM850 -g 45


As you can see above, there were 2 base stations in range, at 889.0 MHz and 890.0 MHz. These are within the reception range of my RTL-SDR dongle (24-1766 MHz).
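kal reports each base station as a channel number (ARFCN) next to its frequency, and the band names it accepts are the ones below. This added example (not code from the article, kalibrate or gr-gsm) converts between ARFCN and downlink frequency using the standard GSM band layout (200 kHz channel spacing), and checks which bands a dongle with the 24-1766 MHz range quoted above can receive at all. The band table is reference data assumed here, not something the article lists.

```python
# Added example: GSM ARFCN <-> downlink frequency, plus an SDR coverage check.
# Not part of the original article; band edges are standard GSM values.

# band name -> (lowest ARFCN, highest ARFCN, downlink MHz of the lowest ARFCN)
# Downlink is what the base station transmits, i.e. what kal and grgsm_livemon tune to.
BANDS = {
    "GSM850": (128, 251, 869.2),
    "GSM900": (0, 124, 935.0),
    "EGSM":   (975, 1023, 925.2),   # extended GSM900, numbered 975..1023
    "DCS":    (512, 885, 1805.2),   # DCS1800
    "PCS":    (512, 810, 1930.2),   # PCS1900; shares ARFCN numbers with DCS
}
CHANNEL_SPACING_MHZ = 0.2
RTL_SDR_RANGE_MHZ = (24.0, 1766.0)  # tuning range of the dongle used in the article


def arfcn_to_downlink_mhz(band: str, arfcn: int) -> float:
    """Downlink frequency in MHz for an ARFCN in the given band."""
    lo, hi, base = BANDS[band]
    if not lo <= arfcn <= hi:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({lo}-{hi})")
    return round(base + CHANNEL_SPACING_MHZ * (arfcn - lo), 1)


def downlink_mhz_to_arfcn(band: str, freq_mhz: float) -> int:
    """ARFCN whose downlink frequency is closest to freq_mhz within the band.

    The band must be given explicitly because DCS and PCS reuse the same
    ARFCN numbers at different frequencies; that is why kal takes -s <band>.
    """
    lo, hi, base = BANDS[band]
    arfcn = lo + round((freq_mhz - base) / CHANNEL_SPACING_MHZ)
    if not lo <= arfcn <= hi:
        raise ValueError(f"{freq_mhz} MHz is not a {band} downlink frequency")
    return arfcn


def receivable(freq_mhz: float, sdr_range=RTL_SDR_RANGE_MHZ) -> bool:
    """True if the frequency lies inside the SDR's tuning range."""
    return sdr_range[0] <= freq_mhz <= sdr_range[1]


def band_coverage(sdr_range=RTL_SDR_RANGE_MHZ) -> dict:
    """Map each band to whether the SDR can tune its entire downlink range."""
    return {
        band: receivable(base, sdr_range) and receivable(arfcn_to_downlink_mhz(band, hi), sdr_range)
        for band, (lo, hi, base) in BANDS.items()
    }


if __name__ == "__main__":
    # The two cells found above, expressed as GSM850 channel numbers.
    for mhz in (889.0, 890.0):
        print(mhz, "MHz -> ARFCN", downlink_mhz_to_arfcn("GSM850", mhz))
    for band, ok in band_coverage().items():
        print(f"{band}: {'receivable' if ok else 'out of range'} for this dongle")
```

Running it shows why the DCS and PCS bands never appear in a scan with this hardware: their downlink starts above 1766 MHz, which is the limitation noted later in this guide.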

 

Step #3: Tune grgsm to base station frequency

Now we need to tune grgsm to the frequency of the nearby base station. Go to the gr-gsm directory and type

grgsm_livemon -f 889.0M -g 45


This should open the gr-gsm GUI. If you need to, you can adjust the frequency with the slide bar.

Here 889.0M is the frequency we want to "hear" (make sure you replace it with the frequency you found in your area with kalibrate) and -g 45 is our gain.


Step #4: Launch IMSI Catcher

Finally, let's start the IMSI catcher.

Change to the IMSI-catcher directory and then run the catcher with the -s (scan) option.

cd IMSI-catcher

sudo python simple_IMSI-catcher.py -s


As I live in a remote location in Serres, where few people still use 2G and 3G GSM phones, my IMSI-catcher does not pick up any IMSI.

Also, the hardware I used is a cheap RTL-SDR whose upper limit is 1766 MHz, and several GSM bands operate above that frequency.

On the other hand, another user in Europe, where his device works on a GSM network that still has many 2G and 3G phones, recorded numerous IMSIs along with the carrier ID and cell ID, as shown below.


Summary

Even with a cheap RTL-SDR, we can collect 2G and 3G mobile traffic with the IMSI. Since the IMSI is embedded in the SIM card, there is little chance of spoofing the IMSI without more expensive equipment.

On the other hand, IMSIs are collected by a number of mobile applications, and an IMSI can be used to link that application data to the user. Of course, the authorities can learn a user's IMSI and identify them with this data.

As we move forward in this series, we will be adding more sophisticated software and hardware as we develop an inexpensive Stingray to monitor mobile communications.

Written by Anastasis Vasileiadis
