This article (GSM Penetration Testing Fundamentals) attempts to give an overview of the technology, terms, and security that are built into GSM Technology. I hope this will allow you to get started in hacking mobile networks without getting bogged down by too much technical detail.
Before starting any hacking tutorials, you need to understand the technology.
Table of Contents
As we know, GSM is an ancient technology and nowadays is totally insecure, many countries are removing it from the infrastructure and reusing the frequencies for 5G and other transmission technologies.
Here I will explain the different network devices on a GSM network and public attacks against each device.
First I will describe the hardware with a few technical details, then is necessary to understand how the spectrum works and what frequencies our country uses for GSM.
GSM Network
A GSM network has many devices connected some of them are on the client side others are outdoors and inside the data centers, they all have one thing in common! They all have IDs that identify them.
Do you want to understand GSM in deep? Check free Courses HERE
On the client side, we have Mobile Stations (Cellphones), SIM cards, and USB modems. Each one of them has security vulnerabilities and different entry points to be explored, here I will try to talk about all of them.
SIM Card Attacks
SIM cards have been developed around three decades ago, there were a lot of functionality improvements on each version but some vulnerabilities were kept because they aren’t technology related.
Mobile Stations
A GSM mobile station is a device used by a subscriber to access cellular services provided by a GSM network.
The internals of a GSM mobile station consist of several components that work together to enable voice and data communication over the cellular network. The mobile station contains a SIM card slot where a user can insert their SIM card to identify themselves to the network.
The device also has an antenna that receives and transmits radio signals to and from the network.
The mobile station’s transceiver processes these signals and converts them into voice or data that can be received by the user. The device also contains a microprocessor that manages the mobile station’s operations, such as handling incoming and outgoing calls, managing the user’s contacts, and storing messages.
Additionally, the mobile station may have additional features such as a camera, GPS, or other sensors. Overall, the internals of a GSM mobile station are designed to enable fast and reliable voice and data communication over the cellular network.
USB Modems
A GSM USB modem is a device that enables users to connect to the internet using a cellular network. The internals of a GSM USB modem consist of several components that work together to establish and maintain the connection.
The modem contains a SIM card slot where a user can insert a SIM card to identify themselves to the cellular network. It also has an antenna that receives and transmits radio signals to and from the cellular network.
The modem’s chipset processes these signals and converts them into data that can be transmitted over the USB connection to a user’s computer. The device also contains firmware that manages the modem’s operations, such as connecting to the network, establishing a data session, and managing the connection.
Overall, the internals of a GSM USB modem are designed to enable fast and reliable data connectivity using a cellular network.
GSM Penetration Testing
Hardware
In this tutorial, we only use an RTL-SDR device, which is enough to do a passive recon around you and understand the basic concepts about the technology and how the PLMN (Public Land Mobile Network).
Passive sniffing GSM is ilegal in most countries, check your law or your credentials.
!NEVER actively sniff.
Device | Price | Store |
RPI3 1 GB RAM | ||
SD-CARD 64 GB | ||
USB RTL SDR | ||
Power Bank |
RTL-SDR Limitations
Here I will explain the most common public attacks against GSM networks using cheap hardware like an rtl-sdr. Keep in mind these types of hardware can only receive (RX) data.
- We only receive traffic (RX) Downstream
- To capture both Upstream and Downstream we need two dongles
Attention the limitations are related to the hardware used in this tutorial, if we use more expensive hardware and apply other techniques other attacks can be possible. I will write about them in other articles.
Rogue BTS
A rogue BTS, also known as a fake base station, is a device that mimics a legitimate base station in a cellular network. The rogue BTS works by transmitting radio signals that appear to be coming from a legitimate cell tower.
Once a user’s mobile device connects to the rogue BTS, the attacker can intercept the user’s calls, text messages, and data traffic. In some cases, the rogue BTS may also be used to launch attacks on the user’s device, such as installing malware or stealing sensitive information. Rogue BTS attacks can be carried out using off-the-shelf hardware and software, making them relatively easy and inexpensive to execute. These attacks pose a significant threat to mobile network security and can be difficult to detect and prevent.
To protect against rogue BTS attacks, network operators can implement security measures such as radio frequency monitoring, signal authentication, and encryption. Additionally, users can protect themselves by avoiding connecting to unknown or suspicious cell towers and using secure communication channels, such as VPNs.
If you want to learn how to install a Rogue BTS read my other article from the GSM Hacking Series.
Passive Sniff GSM
After we know what ARFCN we want to monitor we will capture live data on a specific channel and save it into a cfile to further analysis.
To calculate the downstream frequency based on your ARFCN you can use this calculator:
https://www.cellmapper.net/arfcn
This cfile will allow us to decode other layers of traffic data dedicated to other protocols and at the end, I will explain how to crack A5/1 encryption using rainbow tables. ( … and how to download them! 😀 )
Capture BTS Broadcast Unencrypted Data
GSM IMSI Catchers
Decrypt SMS Data
Decrypt Voice Channel
GSM A5/1 Decryption
git clone git://git.srlabs.de/kraken