Dissecting GSM encryption and Location update process
Have you ever wondered what happens when you turn on your mobile phone? How does it communicate with the network securely? Almost all of us have read about TCP/IP, and many of us are experts in it, but when it comes to telecom very few know how it actually works from the inside. What is the message structure in GSM? What kind of encryption does it use? So today we will talk in detail about the encryption standards of GSM and about how the mobile phone updates its location with the mobile network.

What happens when you turn on your cell phone?

When you turn on your cell phone, it first initialises its radio resource (RR) and mobility management (MM) layers. The phone obtains a list of frequencies used by the neighbouring cells either from the SIM or from the network. It camps on a cell depending on the received signal level and on which operator the cell belongs to. After that, it performs a location update with the network, and this is where authentication happens. After a successful location update the phone gets its TMSI, and it is then ready for other operations. Now let's verify the above statements by looking at the mobile application's debug logs. The screenshots below are from the osmocom mobile application, which simulates a mobile phone running on a PC.
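The location update and authentication exchange described above, as an added example that is not part of the original post: both sides of the GSM 04.08 mobility management dialogue in Python. The operator's A3/A8 algorithm (COMP128 in many networks) is not on this page, so a labelled HMAC-SHA256 stand-in produces SRES and Kc at the real GSM sizes; the IMSI and Ki values are constructed, and HLR/AuC and VLR are collapsed into one object.

```python
"""GSM location update with authentication and TMSI reallocation, simulated.
Added example (not from the original post). Message names follow GSM 04.08 MM.
A3/A8 are operator-specific (often COMP128); they are NOT implemented here.
Assumption: HMAC-SHA256 keyed with Ki stands in for A3/A8."""
from __future__ import annotations
import hashlib
import hmac
import secrets

# Real GSM sizes: Ki 128 bit, RAND 128 bit, SRES 32 bit, Kc 64 bit, TMSI 32 bit
KI_LEN, RAND_LEN, SRES_LEN, KC_LEN, TMSI_LEN = 16, 16, 4, 8, 4


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8 (assumption: HMAC-SHA256, not COMP128).
    Run by both the SIM and the AuC; returns (SRES, Kc) with GSM lengths."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:SRES_LEN], d[SRES_LEN:SRES_LEN + KC_LEN]


class MobileStation:
    """Phone plus SIM. Ki never leaves the object; Kc is kept for A5 ciphering."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
        self.tmsi = None
        self.kc = None

    def identity(self) -> tuple[str, object]:
        # Once a TMSI has been assigned the IMSI is no longer sent over the air
        return ("TMSI", self.tmsi) if self.tmsi is not None else ("IMSI", self.imsi)

    def authentication_response(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


class Network:
    """HLR/AuC and VLR collapsed into one object for the simulation."""

    def __init__(self):
        self._auc = {}   # IMSI -> Ki; only the AuC holds Ki
        self.vlr = {}    # TMSI -> {"imsi", "kc"}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._auc[imsi] = ki

    def location_update(self, ms: MobileStation) -> tuple[bool, list]:
        """Run one location update; returns (accepted, message transcript)."""
        log = []
        kind, ident = ms.identity()
        log.append(("MS->NET", "LOCATION UPDATING REQUEST", kind, ident))
        if kind == "TMSI" and ident in self.vlr:
            imsi = self.vlr.pop(ident)["imsi"]          # old TMSI is retired
        else:
            if kind == "TMSI":                          # unknown TMSI: ask for the IMSI
                log.append(("NET->MS", "IDENTITY REQUEST", "IMSI"))
                log.append(("MS->NET", "IDENTITY RESPONSE", ms.imsi))
            imsi = ms.imsi
        ki = self._auc.get(imsi)
        if ki is None:
            log.append(("NET->MS", "LOCATION UPDATING REJECT", "IMSI unknown in HLR"))
            return False, log
        rand = secrets.token_bytes(RAND_LEN)            # fresh RAND per challenge
        expected_sres, kc = a3_a8(ki, rand)             # AuC side of the triplet
        log.append(("NET->MS", "AUTHENTICATION REQUEST", rand.hex()))
        sres = ms.authentication_response(rand)
        log.append(("MS->NET", "AUTHENTICATION RESPONSE", sres.hex()))
        if not hmac.compare_digest(sres, expected_sres):
            log.append(("NET->MS", "AUTHENTICATION REJECT", ""))
            return False, log
        tmsi = secrets.token_bytes(TMSI_LEN)            # new temporary identity
        self.vlr[tmsi] = {"imsi": imsi, "kc": kc}       # Kc stays network-side for ciphering
        log.append(("NET->MS", "LOCATION UPDATING ACCEPT", tmsi.hex()))
        ms.tmsi = tmsi
        log.append(("MS->NET", "TMSI REALLOCATION COMPLETE", ""))
        return True, log


def demo() -> dict:
    """Constructed IMSI/Ki; genuine SIM twice, then a clone that lacks the Ki."""
    imsi, ki = "404450000000001", secrets.token_bytes(KI_LEN)
    net = Network()
    net.provision(imsi, ki)
    genuine = MobileStation(imsi, ki)
    clone = MobileStation(imsi, secrets.token_bytes(KI_LEN))
    ok1, log1 = net.location_update(genuine)    # identifies by IMSI, gets a TMSI
    ok2, log2 = net.location_update(genuine)    # identifies by TMSI, gets a new one
    ok3, log3 = net.location_update(clone)      # wrong SRES -> AUTHENTICATION REJECT
    return {"results": (ok1, ok2, ok3), "logs": (log1, log2, log3),
            "ms": genuine, "net": net}


if __name__ == "__main__":
    for entry in demo()["logs"][1]:
        print(*entry)
```

The transcript of the second run shows what the debug logs of the osmocom mobile application show: the phone identifies itself by TMSI rather than IMSI, the network challenges with RAND, and only a correct SRES earns a new TMSI. The cloned SIM with the right IMSI but the wrong Ki is rejected, and Kc is never transmitted; both sides derive it from RAND.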
Active analysis of a GSM call through osmocom-bb
In the last blog post, we learnt how to do passive sniffing of GSM data using an RTL-SDR. I don't want to go much further into what can be done with passive analysis of GSM, as it didn't interest me much. Almost all operators have now upgraded their encryption standards, so sniffing GSM data using a USRP and cracking it with Kraken is difficult now. There are other cost-effective approaches that researchers have used to recover the session key (Kc) from sniffed GSM data, such as running osmocom-bb on multiple phones and hopping channels to capture data, or just using an RTL-SDR. But today we will focus on active analysis of GSM, as that is more interesting and more useful for research. If you still want to know what can be done with passive analysis alone, you can read the tutorials released by SRLabs on how to decrypt GSM data; they have done an awesome job on this.

Objective: We will intercept a GSM call in Wireshark using Osmocom-BB and a Motorola C118 phone, and then analyse the GSM packets and learn what we can make out of them.

What is Osmocom-BB?
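Osmocom-BB hands each decoded frame to Wireshark as a GSMTAP datagram on UDP port 4729, so the packets analysed in this post can also be taken apart with a few lines of code. The parser below is an added example, not code from the original post or from the osmocom project: it decodes the 16-byte GSMTAP v2 header, converts the ARFCN to the carrier frequency (the same band plan you use to tune an SDR), strips the LAPDm or Bbis L2 framing, names the GSM 04.08 L3 message, and pulls the IMSI out of a LOCATION UPDATING REQUEST that was sent in clear. The two datagrams are constructed for the demo, and the message-type tables cover only a subset of the specification.

```python
"""Parse GSMTAP datagrams like those osmocom-bb sends to Wireshark on UDP/4729.
Added example; not code from the original post or from the osmocom project.
The two datagrams in constructed_datagrams() are hand-built test data."""
from __future__ import annotations
import struct

GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")     # GSMTAP v2 header, 16 bytes
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNEL = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH", 6: "SDCCH",
           7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}
BBIS_CHANNELS = {1, 2, 4, 5}                     # Bbis format: pseudo-length byte, no LAPDm header
PD_NAMES = {0x03: "CC", 0x05: "MM", 0x06: "RR"}
L3_NAMES = {                                     # GSM 04.08 message types per protocol discriminator (subset)
    0x03: {0x05: "SETUP", 0x07: "CONNECT", 0x25: "DISCONNECT", 0x2D: "RELEASE"},
    0x05: {0x02: "LOCATION UPDATING ACCEPT", 0x04: "LOCATION UPDATING REJECT",
           0x08: "LOCATION UPDATING REQUEST", 0x11: "AUTHENTICATION REJECT",
           0x12: "AUTHENTICATION REQUEST", 0x14: "AUTHENTICATION RESPONSE",
           0x18: "IDENTITY REQUEST", 0x19: "IDENTITY RESPONSE",
           0x1A: "TMSI REALLOCATION COMMAND", 0x1B: "TMSI REALLOCATION COMPLETE"},
    0x06: {0x0D: "CHANNEL RELEASE", 0x1B: "SYSTEM INFORMATION 3", 0x21: "PAGING REQUEST TYPE 1",
           0x32: "CIPHERING MODE COMPLETE", 0x35: "CIPHERING MODE COMMAND", 0x3F: "IMMEDIATE ASSIGNMENT"},
}


def arfcn_to_mhz(arfcn: int, pcs: bool = False) -> tuple[float, float]:
    """(uplink, downlink) carrier in MHz from the GSM 05.05 band plan."""
    if 0 <= arfcn <= 124:                 # P-GSM 900
        ul, dup = 890.0 + 0.2 * arfcn, 45
    elif 975 <= arfcn <= 1023:            # E-GSM 900
        ul, dup = 890.0 + 0.2 * (arfcn - 1024), 45
    elif 128 <= arfcn <= 251:             # GSM 850
        ul, dup = 824.2 + 0.2 * (arfcn - 128), 45
    elif 512 <= arfcn <= 810 and pcs:     # PCS 1900 shares numbers with DCS, hence the flag
        ul, dup = 1850.2 + 0.2 * (arfcn - 512), 80
    elif 512 <= arfcn <= 885:             # DCS 1800
        ul, dup = 1710.2 + 0.2 * (arfcn - 512), 95
    else:
        raise ValueError(f"ARFCN {arfcn} is not in a band handled here")
    return round(ul, 1), round(ul + dup, 1)


def decode_mobile_identity(mi: bytes) -> tuple[str, str]:
    """Mobile Identity IE value -> (kind, BCD digits or hex TMSI)."""
    kind = mi[0] & 0x07
    if kind == 4:
        return "TMSI", mi[1:5].hex()
    digits = [str(mi[0] >> 4)]            # first BCD digit, then low nibble before high
    for b in mi[1:]:
        digits += [str(b & 0x0F), str(b >> 4)]
    if not mi[0] & 0x08:                  # even digit count: last nibble is 0xF filler
        digits.pop()
    return {1: "IMSI", 2: "IMEI", 3: "IMEISV"}.get(kind, f"type{kind}"), "".join(digits)


def parse_gsmtap(datagram: bytes) -> dict:
    """Decode header, L2 framing and the L3 message type of one GSMTAP datagram."""
    (ver, hdr_len, typ, ts, arfcn_raw, sig, snr, fn,
     sub_type, _ant, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if ver != 2 or typ != 1:              # only GSMTAP v2 with type Um is handled here
        raise ValueError("not a GSMTAP v2 Um datagram")
    payload = datagram[hdr_len * 4:]      # hdr_len is counted in 32-bit words
    uplink, arfcn = bool(arfcn_raw & ARFCN_F_UPLINK), arfcn_raw & ARFCN_MASK
    ul, dl = arfcn_to_mhz(arfcn, bool(arfcn_raw & ARFCN_F_PCS))
    chan = sub_type & 0x7F                # bit 7 flags the associated SACCH
    info = {"dir": "UL" if uplink else "DL", "arfcn": arfcn, "mhz": ul if uplink else dl,
            "fn": fn, "ts": ts, "sub_slot": sub_slot, "signal_dbm": sig, "snr_db": snr,
            "channel": CHANNEL.get(chan, f"sub_type {chan}"), "sacch": bool(sub_type & 0x80),
            "l2": None, "l3": None}
    if chan in BBIS_CHANNELS:
        info["l2"], l3 = "Bbis", payload[1:1 + (payload[0] >> 2)]
    else:                                 # LAPDm B format: address, control, length, info
        ctrl = payload[1]
        if ctrl & 0x01 == 0:
            info["l2"] = "I"
        elif ctrl & 0x03 == 0x01:
            info["l2"] = "S"
        else:                             # U frame; mask the P/F bit before matching
            info["l2"] = {0x2F: "SABM", 0x63: "UA", 0x03: "UI", 0x43: "DISC"}.get(ctrl & 0xEF, "U")
        l3 = payload[3:3 + (payload[2] >> 2)]
    if len(l3) >= 2:
        pd, mt = l3[0] & 0x0F, l3[1] & 0x3F   # bits 7-8 carry N(SD) on MS->network MM/CC
        name = L3_NAMES.get(pd, {}).get(mt, f"type 0x{mt:02x}")
        info["l3"] = f"{PD_NAMES.get(pd, f'PD{pd}')} {name}"
        if pd == 0x05 and mt == 0x08:     # LU REQUEST: CKSN/LU type, LAI(5), classmark(1), MI(LV)
            info["identity"] = decode_mobile_identity(l3[10:10 + l3[9]])
    return info


def constructed_datagrams() -> tuple[bytes, bytes]:
    """Hand-built frames (constructed, not captured): ARFCN 62, timeslot 1, SDCCH/8 sub-slot 2."""
    l3 = bytes.fromhex("051200") + bytes(range(16))               # MM AUTHENTICATION REQUEST + RAND
    frame = bytes([0x03, 0x00, len(l3) << 2 | 0x01]) + l3        # SAPI 0, I-frame N(S)=N(R)=0
    down = GSMTAP_HDR.pack(2, 4, 1, 1, 62, -60, 10, 1234567, 8, 0, 2, 0) + frame.ljust(23, b"\x2b")
    l3 = bytes.fromhex("050870" "62f2100001" "33" "08" "2926100000000010")  # LU REQUEST, IMSI in clear
    frame = bytes([0x01, 0x3F, len(l3) << 2 | 0x01]) + l3        # SABM carrying the L3 message
    up = GSMTAP_HDR.pack(2, 4, 1, 1, 62 | ARFCN_F_UPLINK, -70, 8, 1234579, 8, 0, 2, 0) + frame.ljust(23, b"\x2b")
    return down, up


if __name__ == "__main__":
    for dgram in constructed_datagrams():
        print(parse_gsmtap(dgram))
```

To run it against live traffic instead of the constructed frames, bind a UDP socket on 127.0.0.1:4729 while osmocom-bb is running and feed each received datagram to parse_gsmtap(). Frames on a channel in ciphering mode will still parse at the GSMTAP and LAPDm level, but the L3 bytes after CIPHERING MODE COMMAND are A5 keystream output until you have Kc.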
Passive GSM sniffing with Software defined radio
I have been working on telecom security and software defined radio for a few months now, and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from the security industry are into this, and very little information has been shared online. I will be sharing whatever I have learnt in the past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let's first see what we can do by just passively sniffing the airwaves around us. To sniff the RF waves around us, the best way is to get your hands on an SDR.

What is an SDR? According to Wikipedia, software-defined radio (SDR) is a radio communication system where components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, it refers to a technique in which all the signal processing (mixing, filtering, demodulation and so on) is done in software. We can use an SDR to capture airwaves when it is tuned to a particular frequency; the frequency range it can cover and the bandwidth it can capture differ between SDR devices. Here we will be using the RTL-SDR, the cheapest one available, to sniff GSM.