GSM

December 1, 2011, by | Start Discussion


Introduction
In this article we will describe the various tools, software, hardware and techniques, that can be employed to attack the GSM. All these are described in brief and corresponding references are given so that you will able to go and read more about the tool from the provided link.

GSM
GSM came into being during the late 1980s and was put into use in the western part of the world in the early 1990s. GSM has come a long way since then and has risen in both in terms of coverage as well as the number of subscribers. According to a survey of ITU there are about 4.1 billion people (apprx 60%) who had a mobile subscription and about 90% of the people lived in an area having access to GSM [1]. India itself has around 0.865 billion mobile subscribers that is about 72% of the total population [2]. Besides communication, more and more additional services – like payment , one time passwords, tokens, sms banking etc are being deployed on top of GSM.

The GSM Problem

GSM is an old technology and it can also be regarded as one of the most successful one, but it has been over 20 years since GSM was designed, during that time several security problems have been discovered in GSM. However till recently it was not practically viable to exploit these weaknesses; partly due to the closed nature of the GSM protocol, but mostly due all the complex signal processing involved and the high cost of the hardware needed for the same.

Here in this article we describe some currently available opensource hardware and software which can be used to play with GSM these include the Universal Software Radio Peripheral (USRP) together with the GnuRadio implementation for signal capturing and the AirProbe and OpenBTS project for handling GSM signals.

In the next section we describe the tools and tricks needed to get started playing with GSM.

Software Defined Radio (SDR)

Traditionally radios were a hardware matter, they were created to transmit and receive on specific frequencies and modulation scheme, (please note that the word radio here is used as a generic transceiver using electro-magnetic waves for transmissions) not specifically as the device known for the reception of programmed FM broadcasts made by radio stations.

Then comes the Software Defined Radio (SDR), the main idea here is to create very versatile transceivers by emulating a lot of signal processing hardware in to the software domain. Therefore t it has various advantages like costs and versatility. Imagine a universal radio with which you are able to tune in to wifi, Bluetooth, GSM, Satellite TV all with one piece of hardware and software, this is where the SDR’s comes into picture, In an SDR the signal processing is implemented in software, so all that needed is a generic receiver that can receive and transmit over a range of frequencies and corresponding signal processing software viz software for processing GSM, Bluetooth, wifi etc. Still a radio can never be 100% software, some hardware is needed to capture and create radio waves.

So in a SDR all signal processing activities like (de)modulation etc. are done in software, but the actual trans-receiving is done via the hardware subsystem. This makes for a much more adaptable system, giving it the ability to receive GSM signals as well as GPS and also television broadcasts by only changing something in the software.

Now comes the next problem this ideal scheme however is not practically viable, because in practice software are not fast enough to process a large portion of the spectrum and antennas are designed for specific frequency bands. Therefore we have more extended hardware subsystems for SDRs. Typically such a hardware subsystem consists of a wide band receiver that shifts a frequency band to a standard intermediate frequency, which can be sampled by ADCs (Analog to Digital converter) and the resulting digital signal can be sent to a computer. Often other common equipment like amplifiers and band-pass filters are also a part of the hardware subsystem. One of the most versatile and widely used SDR systems is GNU Radio, mostly combined with a USRP as the hardware subsystem.

USRP

The Universal Software Radio Peripheral (USRP) is designed as a general purpose hardware subsystem for software defined radio. It is an open-hardware device developed by Matt Ettus and which can be ordered through his company Ettus Research [3].

A USRP consist of a motherboard which contains a Field Programmable Gate Array (FPGA), Programmable Gain Amplifier (PGA), ADC(s), DAC(s) and a communication port to connect it to the computer. Special boards called ‘Daughterboards’ can be plugged into the USRP motherboard to tune in the specific frequency bands needed. These daughterboards can be hooked up to appropriate antenna’s for reception similarly we have daughterboards for transmission as well.
 

 

 

 

 Fig 1: An USRP 1

 

USRP Daughterboards

A variety of daughterboards are available for specific frequencies, this can  be plugged into the USRP motherboard  Currently there are about  13-15 daughterboards available, of which three are interesting in relation to GSM signals[4]:
 

  • DBSRX, a 800 MHz to 2.4 GHz Receiver.
  • RFX900, 800-1000MHz Transceiver, 200+mW output.
  • RFX1800, 1.5-2.1 GHz Transceiver, 100+mW output.

 Figure 2: A DBSRX2 800 MHz to 2.35 GHz Receiver Daughterboard

The most used GSM frequencies are GSM900 (890.2-959.8 MHz) and GSM1800 (1710.2-1879.8
MHz) in Europe, India also uses this [5], and GSM850 (824.0-894.0 MHz) and GSM1900 (1850.0-1990.0 MHz) in America and Canada. The DBSRX board covers all these frequencies, but is only a receiver board. In order to actively transmit a RFX board is needed. Keep in mind that most countries require a license to transmit on these frequencies.

Software tools that can be used for GSM analysis.

GNU Radio

GNU Radio started by Eric Blossom is a free toolkit under GPL license for implementing the software defined radios. Fundamentally GNU Radio is a library containing a variety of standard signal processing functions, these are known as blocks, typically there are hundreds of implemented blocks inside the GNU Radio implementation.  These blocks are programmed to work with several different types of RF hardware but it is mostly used in combination with an USRP.

GNU Radio, fresh out-of-the-box, does not offer much in terms of GSM sniffing capabilities, although
it can be used to locate the beacon frequencies of GSM masts [18]. However GNU Radio is quite useful when used in tandem with other software packages, like AirProbe, to perform the low level functions of GSM sniffing, like reception and demodulation etc.

AirProbe

Airprobe [6] is an open-source project trying to built an air-interface analysis tool for the GSM (and
possible later 3G) mobile phone standard.  This project came forth out of the GSM-sniffer project [20]
The most interesting part of AirProbe is the gsm-receiver project. It is, at this moment, the best
working capture tool for GSM.

Airprobe comes with two simple shell scripts that call all the necessary functions for saving the signals on a frequency to a file and for interpreting the signals in this file.

Calling
capture.sh <freq> [duration==10] [decim==112] [gain==52] with a frequency will capture the signals on that frequency to a file. The duration, decimation and gain are optional arguments with default values. A file will be created called capture_<freq>_<decim>.cfile, containing the captured IQ samples. These can then be interpreted by calling:

go.sh <file.cfile> [decim==112]
The file name has to be provided, but the decimation is again optional, though you should use the
same decimation value that was used during capturing.

The go.sh script runs a python file that defines a software radio, which does all the processing needed  to get the information bits out of the samples. This results in a series of hex values that represent the information as sent by the GSM network. The go.sh script uses a UNIX pipe method to have these hex-codes interpreted by gsmdecode – one of the other projects in the AirProbe repository. You could also try to convert these hex codes to a .pcap file, which can be read by the wireshark program [21].

Currently the gsm-receiver project will only decode the downlink (GSMnetwork to mobile phone).

At this moment it can handle several of the control channels in GSM (control channels will be discussed in section 4.2), and speech channels. However due to encryption (chapter 7) and frequency hopping (section 3.1.2) this will not yet work in most real world situations.

Gammu

Another good tool for capturing the GSM traces is by the uses of Gammu, which is a opensource
project which can manage various functions on cellular phones. In order to work with Gammu we will need a Nokia DCT3 enabled phone one such phone can be 3210.  We can use Nokia phones here because, Nokia used a simple remote logging facility for debugging their DCT3 firmwares remotely but apparently forgot to remove this when going into production.

So this debugging functionality can be enabled it back using Gammu. A cable cable to connect the specific DCT3 phone to a computer is also needed.  Once Gammu is installed on this computer [7] and the mobile phone is connected to the computer, you can run Gammu using the following commands:

gammu –nokiadebug nhm5_587.txt v20-25,v18-19

The software will then interface with the phone and create a .xml debug log of lots of packages sent
to and from the mobile phone. 

The .xml file that can be interpreted either by wireshark or Air- Probe’s gsmdecode [6].

The Gammu + Nokia phone method has a much better receive quality than the USRP + AirProbe,
after all the mobile phone is specifically made to receive these signals.

OpenBTS / OpenBSC

Base Transceiver Station (BTS) is a GSM cell tower, and a Base Station Controller (BSC) is a control center for several BTSs. Both of these systems have an open-source implementation:  OpenBTS[8]  and OpenBSC [9] respectively.

Both the software use different approaches to the same problem. OpenBTS, founded by David Burgess, offers a BTS implementation using the USRP and turning it into a BTS. Some of the logic normally present in a BSC is placed inside OpenBTS.

Whereas OpenBSC, developed by Harald Welte, on the other hand implements most of the BSC functions and currently includes support for two BTS types (nanoBTS and the Siemens BS-11 microBTS). It does not support an OpenBTS driven USRP.

With the help of these systems you can setup you personal GSM network, although this requires a licence in most conutires, you will have to spend crores of rupees to bid for that spectrum 😉

A5/1 Cracking project

GSM communications in the countries across the world including India is encrypted using an algorithm know as A5/1. In August of 2009 a project was started to use a generic time-memory-trade-off to break A5/1, by pre-computing a large rainbow table. The pre-computation is done distributed on the Internet. Volunteers can download the table from the project’s website [10], and run it on their own computers. The probability of success with this table of decrypting the GSM communications is around fifty percent to find the encryption key for an encrypted conversation.

Sample GSM communications capture

Below figure shows a trace capture, the trace doesn’t present information in a human friendly way. Therefore we use either wireshark or gsmdecode to examine the traces.

Figure below shows what a trace examined with wireshark looks like.
 

 

Wireshark is good tool for analyzing and decoding GSM traces, as it organizes all the information
and conveniently shows extra information like the current frame number and frequency. The results of the interpreting with Wireshark (from version 1.2.6 on) are also better than those of Gsmdecode.

We end the article with a promise to come up with hands on tutorials on how to actually get our hands dirty trying to attack the GSM. If anyone is interested in knowing more about the current state of research on the same please feel free to email me at utsav [at] Xiarch [dot] com, questions, comments and any feedback is appreciated and will be rewarded.

 

References

  1. Chris Tryhorn. Nice talking to you … mobile phone use passes milestone. The Guardian, 2009. Tuesday 3 March http://www.guardian.co.uk/technology/2009/mar/03/mobile-phones1
  2. December 2011. http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use
  3. December 2011. http://www.ettus.com/company
  4. December 2011. http://www.ettus.com/order
  5. December 2011. http://support.chinavasion.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=227#gsm-in
  6. December 2011. https://svn.berlin.ccc.de/projects/airprobe/wiki
  7. December 2011. https://svn.berlin.ccc.de/projects/airprobe/wiki/tracelog and http://www.gammu.org/
  8. December 2011. http://openbts.sourceforge.net/
  9. December 2011. http://bs11-abis.gnumonks.org/trac/wiki/OpenBSC
  10. December 2011. http://www.reflextor.com/trac/a51


Utsav, founder and Principal Consultant at Xiarch, (www.xiarch.com), earned his Masters in information security from CERIAS, Purdue University, USA. He also has a CISSP. Some of things that drive him in life are spirituality, info security and passion. He is a firm believer in God, who believes in living life to the fullest.

Leave a Reply