Interception of data from Telecommunications Base Stations

In today's guide we will show you how to monitor the messages and also the calls of everyone who is on the same telecommunications base station as you. In particular, we will talk about GSM networks and IMSI numbers, how they work and the vulnerabilities that we will exploit to gain access.

5558818

GSM networks and IMSI numbers

GSM is a standard developed by the European Telecommunications Standards Institute (ETSI) and was first developed in Finland in December 1991. It quickly became the European standard for mobile phone transmission and achieved 90% penetration of the global mobile network by 21st century.

One of security points of GSM networks are the lack of mutual authentication.

GSM does not authenticate the base station before it accesses the network.

In this guide, we will use this security vulnerability to sniff the packets of the base station and obtain the IMSI of the connected devices.

2022 08 08 16 23 35

The IMSI number is a globally unique number that identifies the user. It is up to 15 digits and includes:

MCC - Κωδικός χώρας κινητής τηλεφωνίας. 3 δεκαδικά ψηφία και προσδιορίζει τη χώρα του κατόχου της κινητής συσκευής

MNC - Κωδικός δικτύου κινητής τηλεφωνίας. 2 δεκαδικά ψηφία και προσδιορίζει το δίκτυο κινητής τηλεφωνίας

MSIN - Αριθμός συνδρομητή κινητής τηλεφωνίας 10 δεκαδικά ψηφία και προσδιορίζει τον συνδρομητή

 
2022 08 08 16 22 44
 

 

The IMSI number is stored in the SIM in the mobile phone and identifies the country, provider and user. With this information, the person sniffing the network traffic can identify and locate the user of the phone and potentially intercept and spoof the user's information.

Let's see how we can collect this information from 2G and 3G mobile networks with the RTL-SDR dongle and some programs.

Step #1: Install Kali Linux and Apps

For this guide, we will be using Kali along with some programs to help us achieve our goal. Let's start with gr-gsm. Gr-gsm is a toolkit for receiving GSM broadcasts, which works with any Software Radio (SDR) hardware capable of receiving a GSM signal.

Although gr-gsm is available in the Kali repository, I found that building it from source works . To install gr-gsm, install the dependencies first.

sudo apt-get install -y cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev gnuradio-dev gr-osmosdr libosmocore-dev liborc-0.4-dev

Then download gr-gsm from the github repository.

sudo git clone https://git.osmocom.org/gr-gsm

2022 08 08 16 21 57

Then follow the next steps to install the app properly.

cd gr-gsm mkdir build cd build cmake .. make -j 4 sudo make install sudo ldconfig

Finally, we need to change the PYTHONPATH environment variable with the command below

sudo echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc

 
2022 08 08 16 21 15

You are now ready to install calibrate-rtl from the Kali repository.

sudo apt install calibrate-rtl

2022 08 08 16 20 27
 

 

Next, we download IMSI-catcher from github.

2022 08 08 16 19 34

 

Step #2: Find the Frequencies that Base Stations in your area operate on

The next step is to find the base stations in your area and the frequency at which they operate. For this action, we can use calibrate.

Let's start by looking at the calibrate help screen.

kal-h

2022 08 08 16 18 27
 

As you can see above, Kal just needs the -s option to scan the technology networks like GSM850, GSM-R, GSM900, EGSM, DCS or PCS.. Since GSM850 works in Greece, I will scan it with gain rate 45db.

 sudo kal -s GSM850 -g 45

screenshot 2022 08 08 at 11 20 48 software

 

As you can see above there were 2 base stations in range at 889,0 Mhz and 890,0 Mhz. These are within the reception range of my RTL-SDR dongle (24-1766Mhz).

 

Step #3: Tune grgsm to base station frequency

Now we need to tune grgsm to the frequency of the nearby base station. Go to the gr-gsm directory and type

grgsm_livemon -f 889.0M -g 45

screenshot 2022 08 08 at 11 21 36 software defined radio part 6 building a cellphone imsi catcher (stingray)

 

This should open the gr-gsm GUI. If you need, you can adjust the frequency with sliding.

Όπου 889.0M είναι η συχνότητα που θέλουμε να "ακούμε" (βεβαιωθείτε ότι αντικαθιστάτε τη συχνότητα που βρίσκεται στις τοπικές ρυθμίσεις σας με το kalibrate) και -g 45 είναι το gain rate μας.

screenshot 2022 08 08 at 11 22 25 software

 

 

Step #4: Launch IMSI Catcher

Finally, let's start the IMSI catcher.

Change to the IMSI-catcher directory and then run the catcher with the -s (scan) option.

cd IMSI-catcher

sudo python simple_IMSI-catcher.py -s

screenshot 2022 08 08 at 11 21 36 software

As I live in a remote location in Serres, where few people still use 2G and 3G GSM phones, my IMSI-catcher does not pick up any IMSI.

Also, the hardware I used is a cheap rtl-sdr where it is limited to 1766 Mhz in the upper range and several GSM phones operate outside this band at higher frequencies.

On the other hand, another user in Europe where his device works on GSM network and still has many 2G and 3G phones, recorded numerous IMSIs along with carrier ID and shell as shown below.

 
screenshot 2022 08 08 at 11 24 19 software
 

 

Summary

Even with a cheap RTL-SDR, we can collect and collect 2G and 3G mobile traffic with IMSI. Since the IMSI is embedded on the SD card, there is little chance of spoofing the IMSI without more expensive equipment.

On the other hand, IMSIs are collected by a number of mobile applications and these IMSIs can be used to correlate with this data to identify the user. Of course, authorities can learn about a user's IMSI and identify them with that data.

As we move forward in this series, we will be adding more sophisticated software and hardware as we develop an inexpensive Stingray to monitor mobile communications.

 
 

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.087 registrants.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).