Sniffing GSM traffic on a private cellphone network

-

Legal Disclaimer: GSM Research and Passive Traffic Monitoring

‘The information provided in this blog is for educational and informational purposes only. The author and publisher of this blog are not responsible for any misuse, illegal activities, or damages that may arise from the use of the information provided herein.


The author conducted research using two Samsung phones and a BladeRF with YateBTS to create a small-scale GSM network for the purpose of analyzing and intercepting traffic. It is important to note that intercepting or tampering with wireless communication without proper authorization is illegal in many jurisdictions. The author undertook this research within a controlled and lawful environment, and any techniques or findings described in this blog should not be replicated or applied in unauthorized or illegal activities.


The author strongly advises against engaging in any illegal activities, including but not limited to intercepting or tampering with wireless communications, without the express permission and authorization of the relevant authorities and stakeholders. Unauthorized interception of wireless communications violates privacy laws, regulations, and individual rights. Engaging in such activities may lead to severe legal consequences, including criminal charges and civil liabilities. It is always recommended to consult with legal professionals or authorized experts before conducting any research or experiments in the field of wireless communication.


The author disclaims any liability or responsibility for any damages, losses, or legal implications arising directly or indirectly from the use, misuse, or interpretation of the information provided in this blog.


By reading and using the information in this blog, you agree to the terms of this legal disclaimer and accept the risks associated with unauthorized interception or tampering with wireless communications.’


In this blog post I will be taking a look at cellular traffic and analyzing the GSM packets in Wireshark. However, I will also show how I have created a personal and portable, private cell phone network that I will use for this exercise. I created a portable cell phone network to ensure that I am operating and testing on frequencies that are not interfering or overlapping with any licensed operators in my area. I do not recommend that you attempt to follow along unless you understand how to properly do everything to stay within the bounds of your local laws, rules and regulations. It is illegal to interfere with licensed operators or to sniff the private traffic of individuals. To avoid these issues everything here is done in a private cell phone network I have created for this exercise with my own devices and cellular base station.

Here are some SIM cards that I programmed

The interface for programming the IMSI on the SIM cards was interesting to work with. You also need to specify a KI value as well for authentication . This will come up again when we discuss the Kc value for decoding later on in another post. Here we are going to passively observe gsm network traffic on our own portable cellphone network. The SMS and voice decoding is beyond the scope of this post as for now we will be discussing how to set up a base station, have cellular devices join the private network. Then I will demonstrate how you can have the devices call and text one another on your private cellphone network. Additionally, on another machine I will show how the traffic can be observed and analyzed with a HackRF, grgsm_livemon and Wireshark. I programmed the two SIM cards with 15 digit IMSI numbers to be compatible with the Yate base station. 


Here is the interface for writing IMSI and KI values to the custom SIM cards


Writing to a SIM card

Here is what the SIM card reader/writer looks like in action. It's useful for setting up the devices with the YateBTS as I have read that although you can perhaps have your base station freely adopt new subscribers within certain IMSI ranges that at least with the BladeRF there seems to be better performance if the base station is programmed to add specific subscribers with IMSI numbers that are put directly into the backend interface. I did this to get ahead of any connectivity issues and found that the connectivity and service worked quite well and consistently.


Loading the custom SIM cards

So at this point, the devices have been loaded with custom programmed SIM cards. They have the appropriate IMSI values needed for the Yate base station. Next I will show how I setup the base station before we get everything connected. I was able to run the YateBTS of a USB running DragonOS focal that has precompiled versions of the base station software that really helps to get up and running quickly. I flashed a USB with an ISO of the DragonOS focal software. Since it comes pre loaded with all the necessary files compiled and ready to roll thanks to ‘@cemaxecuter’ that helped cut down on setup time tremendously. I will show the GUI interface in a moment. Here is where we start the backend Apache server and load the FPGA files to the BladeRF.

Loading FPGA bitstream to the BladeRF

Since I created custom SIM cards I knew what the IMSI number was that I needed to put for the subscribers I wanted to add to my base station.

Adding subscribers manually with IMSI numbers

After a little bit more configuration in regards to the frequencies being used the BTS will be ready to start. You need to be careful to not transmit at frequencies that can interfere with licensed operators in your area. I chose to create a 2G network on frequencies that definitely are not overlapping with other devices in my area. Additionally also at run time I use an RF enclosure to ensure that my transmissions are not unintentionally affecting anyone else in my area.

There are quite a few steps to get up and running but we have basically everything we need at this point. We created custom SIM cards to put on our devices, we have configured our local base station and loaded the appropriate FPGA bitstream to the BladeRF. Since I want to also see what is going on I will also at this point setup the observing machine with the HackRF. For this purpose I setup another laptop with DragonOS software. I initially scanned the area to see my base station and then since I created the base station I already had the exact transmission frequency that would normally need to be found at this step. Using a tool called grgsm_livemon I am able to monitor a single channel at a time. I additionally started up Wireshark to start monitoring for the GSMTAP packets to be able to later analyze them and learn about the test portable cell phone network I have setup.

Now that the cellular base station is up and running as well and we have another machine observing the traffic and pulling it into Wireshark we are ready to have our devices join the network and see what they're doing in granular detail. Here my network has a generic name of 00101.

Selecting our custom network

Upon joining the network a test message is sent to the device alerting it that it has joined our special network and letting the user know what their new number is on our little private, portable network. For this device below it has now been allocated the phone number of '56789'. If another user needs to contact this user they would text or call '56789' on their device as you would normally dial or text anyone.

Joining the custom network

I decided to do a quick QA test on my network and tested to see if texts and calls were working properly. 

Texting devices on the network works
 
Also calls between devices across the network worked well. This is really cool because you can use cellphones on your own private network as you normally would use a much larger company such as AT&T, T-Mobile or Verizon. And best of all, it's free. The software is completely open source and there are no paid per use limits or any fees whatsoever. Once you are up and running you can use your private cell phone network on a private island or very large ranch to communicate privately with your friends on your own portable cell phone network. I found this to be a really neat project to work on and this is a lot of fun once I got it all setup and working properly. It also helps for security research as I can now investigate things on my own network, with my own devices on my own frequencies so that I am definitely not interfering with any systems, channels or frequencies I am not supposed to be. 

Our first call on our private, portable cellphone network 

And at this point we can definitely see the traffic flowing on our observation machine. As you can see below gr-gsm livemon is working well and is seeing everything from our base station and what is going on between our devices. 

gr-gsm livemon traffic 

gr-gsm livemon and Wireshark

Here is a packet from our private network 
Here we see the IMSI for one of our test devices

As you can see there is GSM packet with some system information above and below there is one with specific user IMSI information. The first packet shows our 'Unknown' network and a unique location area code that clearly does not really exist anywhere. In the packet below that we have been able to find an IMSI associated with one of our test devices. Additionally, below we see that with a tool called GSMEvil we are even able to intercept SMS messages in addition to being able to observe IMSIs. 

Viewing SMS messages on our own network with GSMEvil

I hope you have found this little deep dive into cellular traffic to be interesting and informative. It has been fun to learn how to create a private, portable cellphone network. Also, if you decide to try anything I have discussed above please be mindful of any local rules, laws or regulations. It is best to double check anything you are unsure about before you actually begin any testing, observing, monitoring or transmitting.

Comments

Post a Comment

Popular posts from this blog

Automated Exploitation of a Bluetooth vulnerability that leads to 0-click code execution

-
Image
This blog post covers an interesting vulnerability that was just discovered earlier this year and an open source free tool that was created to automate testing for this vulnerability in Bluetooth devices.  I will preface this with the warning that this is of course done in my personal testing lab environment with my own devices for learning and demonstration purposes. I am in no way encouraging that these tools, snippets of code or techniques be used maliciously as there can be very serious legal consequences for those that use these hacking tricks nefariously. However, in a personal testing lab environment I think this is great for learning and allows someone to quickly be able to confirm or deny if their personal devices are truly standing up to the Bluetooth CVE of CVE-2023-45866 . CVE-2023-45866 is described as an issue where the " Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept
Read more

Raspberry Pi WiFi Honeypot 🍯

-
Image
This was a fun project to work on and build out. I learned a few new interesting tricks along the way. I started with this tutorial from 2013 by Andy Smith . However, a few things have changed with hostapd that I had to figure out through debugging. Also, the configuration of the nginx server as well as dnsmasq were slightly different for me using the new Raspbian Buster for Raspberry Pi 4.  This should save you some time if you follow my trick tips later on in the article that I found by searching through various message boards and googling error messages as I did debugging to get this working properly. I have gone over setting up nginx servers in previous articles so if you need help with getting started these may be helpful. So first things first. I started with a canakit and assembled the raspberry pi with the appropriate heat sinks and a little fan set to a standard speed. The speed is adjusted by how you install the wiring. If you haven't done this before you can follow the
Read more