Good time of day, Habr!
We live in an amazing pre-singularity time. Technology is developing rapidly: what seemed like science fiction a few years ago is becoming reality today. Surprisingly, with nothing more than a computer and a simple TV tuner you can now receive the coordinates of aircraft and ships, satellite imagery, and data from weather balloons.
I am not an information security specialist; everything here was done solely for the purpose of learning. This text discusses how to decode (not decrypt) GSM traffic.
By tradition, instead of an epigraph:
Article 138 of the Criminal Code. Violation of the secrecy of correspondence, telephone conversations, postal, telegraph or other communications
1. Violation of the secrecy of correspondence, telephone conversations, postal, telegraph or other communications of citizens is punishable by a fine of up to eighty thousand rubles, or in the amount of the convicted person's salary or other income for a period of up to six months, or by compulsory work for up to three hundred and sixty hours, or by correctional labor for up to one year.
Milestones
- 1991 - the first GSM standard specifications are published.
- 2005 - the first mention in the annals of TV tuners based on the E4000 chip.
- 2008 - at the Black Hat conference, GSM hacking is demonstrated using a USRP SDR receiver priced at about $1,000.
- 2008 - the first commit in the Osmocom OpenBSC public repository, which implements the GSM base station controller software.
- 2008 - the first commits in the Airprobe project. Note: the linked site has certificate problems.
- 2009 - Karsten Nohl demonstrates a way to break the A5/1 encryption algorithm.
- 2010 - the first commit in the public repository of the OsmocomBB project, which implements the GSM protocol stack on ordinary phones.
- 2010 - Kraken is presented: software that allows decrypting GSM data encrypted with the A5/1 algorithm. The demonstration was done with a regular phone.
- 2013 - the RTL-SDR blog publishes a guide to decoding GSM traffic.
- 2013 - Domonkos Tomcsányi publishes a new GSM hacking method.
Interception
For interception, we need:
- The tuner itself, based on the E4000. The supply of these chips has been exhausted, so the price of tuners built on them rises over time. Tuners with other chips also work, but they do not support the GSM1800/1900 bands.
- A 75 Ohm antenna. The stock one that comes with the tuner will do. I placed the usual TV antenna on the windowsill in this extravagant way, running a USB extension cable to it.

- A machine with a Debian-family distribution installed. Ubuntu will do. I used an old laptop with Kali Linux, which I connected to via ssh over Wi-Fi. I did not manage to set up the software on Fedora at the first attempt, so I decided not to struggle with it and did as in the example. Pitfall number 0: if you make a Kali Linux installation flash drive, read this. Unetbootin will not create a working image.
- A fair amount of patience and this instruction.
Everything is described there in some detail; I will comment only on the pitfalls I stepped on myself.
Pitfall number 1: do not install the latest version of GNU Radio. Starting with version 3.7.0 the namespaces changed, and the software will not work. Use version 3.6.5. Also check the branches in the airprobe git repository: the tags and comments there indicate which version of GNU Radio each project must be built against.
Pitfall number 2: do not forget to install the -dev packages in addition to everything listed.
Pitfall number 3: it is often not easy to find the GSM operating frequency using SDRSharp. Domonkos Tomcsányi suggests the kalibrate-rtl program for this purpose. It outputs something like:
username@hostname:~$ kal -s GSM900
Found 1 device(s):
  0:  Terratec T Stick PLUS
Using device 0: Terratec T Stick PLUS
Found Elonics E4000 tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
GSM-900:
	chan:  10 (937.0MHz - 20.572kHz)	power: 1467419.20
	chan:  12 (937.4MHz - 20.602kHz)	power:  242714.33
	chan:  25 (940.0MHz - 20.308kHz)	power:  364373.98
	chan:  32 (941.4MHz - 20.340kHz)	power: 1562694.12
	chan:  52 (945.4MHz - 20.100kHz)	power:  206568.21
	chan:  54 (945.8MHz - 20.184kHz)	power:  628970.43
	chan:  71 (949.2MHz - 20.052kHz)	power:  396199.27
	chan:  86 (952.2MHz - 20.081kHz)	power: 1095374.22
	chan: 112 (957.4MHz - 20.047kHz)	power:  594273.38
Select a channel with the highest power and start the capture on it. GSM traffic will appear in the console:
168815 0: 49 06 1b 0a 35 52 f0 10 00 e8 c8 02 28 13 65 45 bd 00 00 83 1f 40 1b
168819 0: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
168825 0: 41 06 21 a0 05 f4 44 46 03 b7 17 05 f4 16 4e fc 29 2b 2b 2b 2b 2b 2b
168829 0: 41 06 21 a0 05 f4 41 4d ef 18 17 05 f4 1d 5c 2a 63 2b 2b 2b 2b 2b 2b
168835 0: 4d 06 24 a0 f6 ce c3 7a df d4 7e 21 fc 80 0a 40 cb 25 e2 3c d3 2b 2b
168839 0: 49 06 22 a0 d1 6c 9f 44 11 40 57 92 17 05 f4 ef 59 34 1d cb 2b 2b 2b
168845 0: 41 06 21 a0 05 f4 35 4a 5b 9d 17 05 f4 20 4a 56 e2 2b 2b 2b 2b 2b 2b
168849 0: 25 06 21 20 05 f4 e8 24 47 7f 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
168855 0: 49 06 22 a0 c8 9c 63 0a ee e8 45 0c 17 05 f4 d3 04 7f 49 cb 2b 2b 2b
168859 0: 41 06 21 a0 05 f4 d8 5f d2 1f 17 05 f4 51 42 81 53 2b 2b 2b 2b 2b 2b
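To make sense of what that console dump actually contains, here is an added example (my own, not code from the original post or from Airprobe) that parses lines in the "frame timeslot: 23 octets" format above according to GSM 04.08: the L2 pseudo-length octet, the protocol discriminator, the RR message type, and, for Paging Request Type 1, which kind of mobile identity is being paged. It assumes the line format is exactly as printed above; the sample lines are copied from the dump.

```python
import re

FILL = 0x2B                   # GSM L2 fill octet that pads unused space in a frame
PD_RR = 0x06                  # protocol discriminator: Radio Resource management
RR_MSG = {                    # subset of GSM 04.08 RR message types seen on BCCH/CCCH
    0x19: "System Information 1", 0x1A: "System Information 2",
    0x1B: "System Information 3", 0x1C: "System Information 4",
    0x21: "Paging Request Type 1", 0x22: "Paging Request Type 2",
    0x24: "Paging Request Type 3",
}
ID_TYPE = {0: "no identity", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
LINE_RE = re.compile(r"^(\d+)\s+(\d+):((?:\s+[0-9a-fA-F]{2}){23})$")  # frame, ts, 23 octets

def parse_frame(line):
    """Decode one dump line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    octets = bytes.fromhex(m.group(3).replace(" ", ""))
    pseudo_len = octets[0] >> 2          # bits 8..3 of octet 1 = L2 pseudo length
    pd = octets[1] & 0x0F                # low nibble of octet 2 = protocol discriminator
    msg = RR_MSG.get(octets[2], "unknown RR 0x%02x" % octets[2]) if pd == PD_RR else "non-RR"
    trailing_fill = len(octets) - len(octets.rstrip(bytes([FILL])))
    info = {"frame": int(m.group(1)), "timeslot": int(m.group(2)),
            "pseudo_len": pseudo_len, "msg": msg, "trailing_fill": trailing_fill}
    if msg == "Paging Request Type 1":
        # octet 4 = page mode/channels needed, octet 5 = identity length, low 3 bits of octet 6 = identity type
        info["identity"] = ID_TYPE.get(octets[5] & 0x07, "reserved")
    return info

def summarize(dump):
    """Count RR message types over a whole dump, skipping lines that do not parse."""
    counts = {}
    for line in dump.splitlines():
        frame = parse_frame(line)
        if frame:
            counts[frame["msg"]] = counts.get(frame["msg"], 0) + 1
    return counts

# Four lines copied from the console dump on this page (not newly constructed)
SAMPLE = """\
168815 0: 49 06 1b 0a 35 52 f0 10 00 e8 c8 02 28 13 65 45 bd 00 00 83 1f 40 1b
168819 0: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
168825 0: 41 06 21 a0 05 f4 44 46 03 b7 17 05 f4 16 4e fc 29 2b 2b 2b 2b 2b 2b
168835 0: 4d 06 24 a0 f6 ce c3 7a df d4 7e 21 fc 80 0a 40 cb 25 e2 3c d3 2b 2b
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Everything decoded here is downlink broadcast and paging (system information, paging requests carrying TMSIs, and 0x2B fill), i.e. the control-channel traffic that is sent unencrypted; the A5/1-protected user traffic is not among it.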
Findings
A couple of words about decryption. For that, apparently, in addition to the $30 for the tuner you will have to spend money on a two-terabyte hard drive for rainbow tables. The script for generating them was found in the Airprobe repository, and finding Kraken, it seems, will not be a problem either.
What exactly is interesting about this method? The fact that on its basis you can build cheap but fairly serious universal interception systems. After all, there is also DECT (no links, the Osmocom DECT site is temporarily down), which is widely used in offices. The encryption there is weaker, and the secrets are more serious.
Well, two-factor authentication is now in question.
"Is it really that bad?" you ask.
Not really. It is not possible to intercept 3G traffic this way: the signal bandwidth is too wide. But nothing stops an attacker from intercepting where there is no such coverage, or from using jamming. And progress does not stand still. When hardware like the HackRF Jawbreaker becomes cheaper and more widespread, 3G interception on it will not be long in coming.
Thank you for your attention.