Passive GSM sniffing with Software defined radio

I have been working on Telecom Security and Software defined radio since a few months and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from security industry are into this and very less information has been shared online. I would be sharing here whatever I have gained in past few months in a series of blog posts.

Now, before getting into active security analysis of GSM networks, let’s first see what we can do by just passively sniffing the airwaves around us. To sniff RF waves around us, the best way is get your hands on a SDR.

What is a SDR?

According to Wikipedia, Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system.

In simple terms, It refers to a technique in which all the processing is done in software. The processing mentioned include mixing, filtering, demodulation etc.

We can use a SDR to capture airwaves when tuned to a particular frequency. The range of frequency it can capture and the bandwidth differs with different SDR devices. Here, we would be using RTL-SDR, the cheapest one available, to sniff over GSM.

GSM frequency bands

Before getting into details, let’s first have a look on different GSM frequency bands. GSM operates on a set of pre-defined frequencies designated by International Telecommunication union for the operation of GSM mobile phones.

GSM frequency bands

In India, we use two bands which are shaded in yellow in the above picture. A dual-band 900/1800 phone is required to be compatible with most networks around the world.

For sniffing, first we need to identify the GSM downlink channels. Here we would be sniffing GSM data for our own phone so we would need to know upon what frequency it is operating on. We can do this by getting the ARFCN no. from our phone.

In GSM cellular networks, an absolute radio-frequency channel number (ARFCN) is a code that specifies a pair of physical radio carriers used for transmission and reception in a land mobile radio system, one for the uplink signal and one for the downlink signal.

I am using Motorola G4 and in this phone we can get to the service mode by dialing *#*#4636#*#* on our phone keypad. I have switched the phone to 2G mode as analysis of 2G is much easier than 3G/4G. They are using different encoding and encryption schemes and we can cover them later.

 

Our ARFCN no. is 672. We can calculate exact frequency on which this phone is operating by using the ARFCN number. By using a simple ARFCN calculator we got to know the frequency our phone is operating in.

ARFCN Calculator

Now. Let’s tune our RTL-SDR to that particular frequency and find out what we can see.

Gqrx tool

We can clearly see the GSM Stream bits on that frequency. Let’s also scan for all the GSM channels around us. This will give us confirmation about our downlink channel. We can use kalibrate-rtl tool to scan GSM frequencies around us.

kalibrate-rtl

Here also we can see our downlink channel and it also gives us the offset value which will help us calibrate our SDR better.
Whatever data which the SDR is receiving is just raw data which makes no sense. We can use GR-GSM to decode this raw data and process this into meaningful information.

grgsm_livemon running

Now start wireshark simultaneously and we would start seeing the GSM data packets in the wireshark. We can also filter out Gsmtap packets.

This is a system Information type 3 packet. Information needed by the MS for cell selection and reselection is broadcasted with the help of this.

Location Update message

Can we listen to voice calls then?

All the data channels are almost always encrypted using a stream cipher (A5) used to provide over-the-air communication privacy in the GSM cellular telephone standard. We can only see some of the control channels above which were not encrypted.

All the calls and messages are encrypted using an encryption key (Kc) which is generated after an authentication mechanism by Authentication Center (AUC) which follows a challenge-response authentication model. The SIM card stores an encryption key called as Ki which is also stored by AUC/HLR. The Ki or Kc is never exchanged over network, therefore making it impossible to sniff encryption keys over the air. Moreover, the Kc changes before each call is setup. It means for every call, there would be a different encryption key.

However, older version of A5 can be cracked if we have enough computation power. Researches have cracked A5/1 encryption by setting up the entire process in cloud which has huge computation power. Kraken is the tool that can be used for this.

We cannot capture voice data with RTL-SDR because during a call, channel hopping takes place and the bandwidth of the RTL-SDR is not enough to capture the whole range at a time. We would need a better SDR with more bandwidth like a HackRF or any SDR device above that.

How does Intelligence Agencies intercept our calls then?

 

1. Downgrading the encryption algorithm used

Even if the operator is using new and strong encryption algorithm, sometimes It is possible to force the operator to switch to a weaker encryption algorithm. Operators have to enable support for older encryption algorithms because many older phones doesn’t have enough computation power to use new encryption algorithms.

2. some of the operators doesn’t use any encryption at all

During telecom security vulnerability assessments, it was found that, sometimes operators turn off encryption schemes completely when the load on the network increases so that they can reduce overhead traffic and can accommodate more users easily.

3. MITM attack

This is the most common attack vector that have been used since years by different hacker groups and Intelligence agencies. One can create fake cell towers and fool a mobile station in the vicinity to connect to that fake cell tower. All the mobile station data now would be going through that fake cell tower and the person in control could force the MS to use no encryption at all.

4. Getting the SIM card encryption keys

In 2015, It was in the news that some spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys (Ki) used to protect the privacy of cellphone communications across the globe. This key could be used to decrypt the GSM data.

What Next?

We will talk more about security analysis of GSM networks using Osmocom-BB, we will setup our own GSM Network using OpenBTS and discuss about the attacks possible over Um and Abis interfaces in the upcoming blogposts related to telecom security. Stay Tuned.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + 16 =