
IMSI Catcher - AKA GSM Sniffer


25 replies to this topic

#1 nightfox

nightfox

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 15 March 2007 - 12:48 AM

Hello everyone,

I've been doing a little research in the field of GSM sniffing and cryptography related to cellular networks and have taken an interest in a device known as an IMSI catcher. This device is used to intercept/record/jam GSM cellular communications. There are several devices being sold commercially; however, they are only offered to LE/Gov agencies (large corporations also use them for corporate espionage). The price of these units is upwards of $500,000 USD. Below is a sample of a commercial IMSI catcher:

http://www.cellulari...ercept-gsm.aspx

I would like to research this technology and build a unit that has all the capabilities of the commercial products. Once the project is complete I plan on providing a step-by-step tutorial on how to build an IMSI catcher using components readily available to the public. My budget for a working prototype is 15-20K (R&D + parts), but the goal is to design a unit that a hobbyist can build for under 5K (if possible).

I am looking for people that have experience in the field of cellular communications, cellular cryptography and general electronics. I have no problems communicating the entire project through this thread, as the end result is to make our findings available to the community. Anybody that wants to learn about this technology, please feel free to participate.

A brief explanation of how an imsi catcher works can be found here:

http://www.cryptopho...cept/index.html

Basically it's a man-in-the-middle attack where the unit mimics the cellular network's base tower. Once you can get the phone to connect to your base station, you can sniff the information, but in order to keep the call alive you must re-transmit the signal to the network's real tower. To do this I read it is best to use a repeater, the kind commonly used to eliminate network dead zones. So basically the data comes in through a receiver that mimics the cellular tower, goes through a preselector/combiner, the data passing through is monitored by a laptop or PC, and the signal is then re-transmitted to the real cellular tower.

So, first of all we have to find a machine that can mimic a base tower. Something that is reasonably priced and available to the public. The links below show two units that are commonly used for testing GSM equipment. Typically SIM cards with no network codes are inserted in the phones and the phones are forced to connect to these virtual networks for analysis/debugging purposes. These machines are said to be programmable, where you can enter the network codes of a (real) GSM network and mimic its base station. The receiving range of these units is low, so we would need to add juiced-up antennas to increase our range.

CTS65
http://tinyurl.com/c7l4r

4100 Mobile Fault Finder
http://www.willtek.c...roducts/tt/4100

I am trying to piece together as much information as possible. My first goal is to figure out exactly how the base stations work and how to obtain network codes for GSM networks. Does anyone know of any solid resources on this topic? Also, has anyone worked with the test devices mentioned above?

All feedback is GREATLY appreciated.
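As an added illustration of the man-in-the-middle step described in the post above (this is example code written for this page, not code from the thread or from any commercial product), the Python model below shows why a transmitter that copies a network's MCC/MNC ("network codes") and is louder than the real tower gets the phone, and what it can then ask for. The cell records, IMSI, IMEI, TMSI, LACs and signal levels are constructed; the message handling is a simplification of the GSM 04.08 location-updating, identity-request and cipher-mode procedures; and the `rogue` flag exists only so the model knows which side to run, since a real GSM phone has no way to tell.

```python
"""Model of the cell selection, identity request and cipher-mode steps an
IMSI catcher depends on.  Added illustration for this page; all identities,
LACs and signal levels below are constructed, and the message handling is a
simplification of the GSM 04.08 procedures."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cell:
    mcc: str             # mobile country code broadcast on the BCCH
    mnc: str             # mobile network code; MCC+MNC is the "network code"
    lac: int             # location area code
    arfcn: int           # carrier the cell transmits on
    rxlev_dbm: int       # signal level as the phone measures it
    rogue: bool = False  # modelling aid only: a GSM phone cannot tell


@dataclass
class Phone:
    imsi: str
    imei: str
    tmsi: str
    lac: int                                   # LAC of the last registration
    transcript: list = field(default_factory=list)


def select_cell(cells, home_mcc, home_mnc):
    """Simplified cell selection: among cells of the home PLMN (same
    MCC/MNC), camp on the strongest.  Nothing at this layer authenticates
    the cell, so a transmitter that copies the network code and is louder
    than the genuine tower is the one chosen."""
    same_plmn = [c for c in cells if (c.mcc, c.mnc) == (home_mcc, home_mnc)]
    return max(same_plmn, key=lambda c: c.rxlev_dbm, default=None)


def rogue_bts(uplink, captured):
    """Downlink reply of the catcher's base station to each uplink message."""
    kind = uplink["type"]
    if kind == "LOCATION UPDATING REQUEST":
        # The phone identifies with a TMSI the catcher cannot resolve, so it
        # simply asks for the permanent identity.
        return {"type": "IDENTITY REQUEST", "id_type": "IMSI"}
    if kind == "IDENTITY RESPONSE":
        captured[uplink["id_type"].lower()] = uplink["value"]
        if uplink["id_type"] == "IMSI":
            return {"type": "IDENTITY REQUEST", "id_type": "IMEI"}
        # Classic GSM lets the network choose the cipher; A5/0 means none.
        return {"type": "CIPHER MODE COMMAND", "algorithm": "A5/0"}
    if kind == "CIPHER MODE COMPLETE":
        return {"type": "LOCATION UPDATING ACCEPT"}
    return None


def phone_handle(phone, downlink):
    """Phone side: GSM 04.08 requires an answer to IDENTITY REQUEST and
    gives the phone no way to reject the network's cipher choice."""
    kind = downlink["type"]
    if kind == "IDENTITY REQUEST":
        value = phone.imsi if downlink["id_type"] == "IMSI" else phone.imei
        return {"type": "IDENTITY RESPONSE",
                "id_type": downlink["id_type"], "value": value}
    if kind == "CIPHER MODE COMMAND":
        phone.transcript.append(f"ciphering set to {downlink['algorithm']}")
        return {"type": "CIPHER MODE COMPLETE"}
    return None  # LOCATION UPDATING ACCEPT ends the exchange


def run_model(phone, cells, home_mcc, home_mnc):
    """Camp on the strongest home-PLMN cell.  A LAC different from the one
    the phone last registered in triggers a location update, which is the
    opening the catcher needs.  The genuine network's side is not modelled."""
    cell = select_cell(cells, home_mcc, home_mnc)
    captured = {}
    if cell is None or not cell.rogue or cell.lac == phone.lac:
        return cell, captured
    uplink = {"type": "LOCATION UPDATING REQUEST", "tmsi": phone.tmsi}
    while uplink is not None:
        phone.transcript.append("MS -> BTS " + uplink["type"])
        downlink = rogue_bts(uplink, captured)
        if downlink is None:
            break
        phone.transcript.append("BTS -> MS " + downlink["type"])
        uplink = phone_handle(phone, downlink)
    phone.lac = cell.lac
    return cell, captured


if __name__ == "__main__":
    victim = Phone(imsi="262011234567890", imei="490154203237518",
                   tmsi="1a2b3c4d", lac=1001)
    cells = [
        Cell("262", "01", lac=1001, arfcn=42, rxlev_dbm=-85),               # genuine tower
        Cell("262", "02", lac=7, arfcn=60, rxlev_dbm=-60),                  # other operator
        Cell("262", "01", lac=65000, arfcn=44, rxlev_dbm=-55, rogue=True),  # catcher
    ]
    chosen, got = run_model(victim, cells, "262", "01")
    print("camped on ARFCN", chosen.arfcn, "LAC", chosen.lac)
    print("captured:", got)
    print("\n".join(victim.transcript))
```

Two things the model makes visible that the prose only implies: the catcher has to broadcast a LAC the phone has not registered in, otherwise the phone just camps silently and never sends the location update that lets the catcher ask for the IMSI; and once it has the identities it can turn ciphering off with A5/0, which is what makes forwarding the call on to the real network (the repeater idea above) practical.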

#2 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 15 March 2007 - 02:27 AM

I wonder how hard it would be to clone a SIM with a repeater?
Just wondering.. :huh:

#3 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 15 March 2007 - 12:32 PM

Sounds like an interesting project. I'd be willing to help with the project on my free time.
Digital/Analog electronics (design/fabrication) is my specialty but I also do some coding.

#4 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 15 March 2007 - 12:36 PM

I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.
Does anyone have any info/plans/knowledge on what went down/how?

#5 nightfox

nightfox

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 15 March 2007 - 02:28 PM

> I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.
> Does anyone have any info/plans/knowledge on what went down/how?


It would be great if we could get some information from the guys that did this at Defcon. Instead of having to completely re-invent the wheel, we can use their info and add to it. I searched the Defcon site and googled for anything relating to their project and found nothing. Anyone have contact info or a link for these guys?

Thanks

#6 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 15 March 2007 - 07:32 PM

> > I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.
> > Does anyone have any info/plans/knowledge on what went down/how?
>
> It would be great if we could get some information from the guys that did this at Defcon. Instead of having to completely re-invent the wheel, we can use their info and add to it. I searched the Defcon site and googled for anything relating to their project and found nothing. Anyone have contact info or a link for these guys?
>
> Thanks


It was not an official presentation, it was a "party" in a room at the con. I remember reading an account of it somewhere, and how they screwed with a hooker on her phone.

#7 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 16 March 2007 - 10:27 AM

Just some info/ideas:

http://jya.com/crack-a5.htm
http://cryptome.org/gsm-spy.htm
http://www.analog.co...ualfoneVer2.pdf
http://www.nxp.com/a...97/75010049.pdf
http://www.analog.co...,AD6548,00.html
http://www.sirific.c...wnload.php?ID=2
http://www.sirific.c...wnload.php?ID=5
http://www.silabs.co...lutions_Web.pdf
http://www.broadcom....2122-PB02-R.pdf

#8 nightfox

nightfox

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 16 March 2007 - 11:25 AM

Thanks for the links kenetik, those devices seem interesting. I'll contact the manufacturers to get more information on them to see if we can put them to use.

Here are some more links:

general GSM info
http://www.iec.org/o.../tutorials/gsm/

GSM interception
http://www.dia.unisa...sec/netsec.html


If anyone has any information, PLEASE share!

#9 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 20 March 2007 - 02:23 PM

This turned up on eBay. Maybe it has some monitoring functionality used for debugging?

http://cgi.ebay.com/...1QQcmdZViewItem


GSM frequencies via Wikipedia

http://en.wikipedia....requency_ranges

Edited by kenetik, 20 March 2007 - 02:25 PM.


#10 Virtual

Virtual

    HACK THE PLANET!

  • Members
  • 61 posts

Posted 31 March 2007 - 05:28 AM

I would be willing to help as I am pretty interested in this project.
Right now I work repairing computers and mobile phones, so I might have some schematics or diagrams or other useful stuff.
As for a virtual tower I have a Wavetek Communication Test Set 4202 S here at work and it does the job great, I do not know though how much is one.

\V/

#11 Mr. X

Mr. X

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 11 posts

Posted 02 April 2007 - 03:14 PM

Another project:
http://scratchpad.wikia.com/wiki/Gsm

#12 nightfox

nightfox

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 03 April 2007 - 01:03 AM

> Another project:
> http://scratchpad.wikia.com/wiki/Gsm


Joined their mailing list. Let's see what they have!

#13 t3st.s3t

t3st.s3t

    rekcah-rebÜ

  • Members
  • 719 posts
  • Location:NPA 330

Posted 03 April 2007 - 08:01 AM

I'll have some free time this summer and would be willing to help. ;)

#14 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 05 April 2007 - 04:38 PM

So I think the first step would be to receive some GSM signals.
Anyone know of any easy-to-find RF receivers covering this band (and not blocked, of course)?
Or would it be best to design a custom system?
Of course there's OSRP, but the hardware is kinda pricey. I'm curious what others think would be the best solution.
Also will there be some way for us to collectively discuss progress?
Should we just use this thread, or will there be a page dedicated to the project, when it takes off?
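Whatever receiver ends up being used, the first practical question is which frequencies to tune to. The Wikipedia page linked a few posts up gives the bands; as an added example for this page (not code from the thread), the Python below turns a GSM channel number (ARFCN) into its uplink and downlink carrier frequencies and back, using the formulas from GSM 05.05, and produces the list of base-station transmit frequencies a receiver would have to sweep to find beacon (BCCH) carriers. The band table covers GSM 900, E-GSM 900, DCS 1800 and PCS 1900; the sample ARFCNs are constructed.

```python
"""ARFCN <-> carrier frequency for the common GSM bands.  Added example for
this page, not code from the thread; the formulas follow GSM 05.05 and the
sample ARFCNs used in __main__ are constructed."""

# band: (valid ARFCN ranges, uplink base in kHz, uplink-to-downlink spacing in kHz)
BANDS = {
    "GSM900":   ([(0, 124)],              890_000,   45_000),
    "E-GSM900": ([(0, 124), (975, 1023)], 890_000,   45_000),
    "DCS1800":  ([(512, 885)],            1_710_200, 95_000),
    "PCS1900":  ([(512, 810)],            1_850_200, 80_000),
}
CHANNEL_KHZ = 200  # GSM carrier spacing


def arfcn_to_khz(arfcn, band):
    """Return (uplink_kHz, downlink_kHz) for an ARFCN in the given band.
    The band must be given explicitly: ARFCNs 512-810 exist in both
    DCS1800 and PCS1900 and mean different frequencies."""
    ranges, base, spacing = BANDS[band]
    if not any(lo <= arfcn <= hi for lo, hi in ranges):
        raise ValueError(f"ARFCN {arfcn} is not defined in {band}")
    if band in ("GSM900", "E-GSM900"):
        # E-GSM channels 975..1023 sit below 890 MHz and count as n - 1024
        n = arfcn if arfcn <= 124 else arfcn - 1024
    else:
        n = arfcn - 512
    uplink = base + CHANNEL_KHZ * n
    return uplink, uplink + spacing


def khz_to_arfcn(downlink_khz, band):
    """Inverse mapping: a downlink (BTS transmit) frequency back to its ARFCN."""
    ranges, base, spacing = BANDS[band]
    uplink = downlink_khz - spacing
    if (uplink - base) % CHANNEL_KHZ:
        raise ValueError("frequency is not on the 200 kHz channel raster")
    n = (uplink - base) // CHANNEL_KHZ
    if band in ("GSM900", "E-GSM900"):
        arfcn = n if n >= 0 else n + 1024
    else:
        arfcn = n + 512
    if not any(lo <= arfcn <= hi for lo, hi in ranges):
        raise ValueError(f"{downlink_khz} kHz is outside {band}")
    return arfcn


def downlink_scan_list(band):
    """All BTS transmit frequencies (kHz) of a band: what a receiver looking
    for beacon carriers has to sweep."""
    ranges, _, _ = BANDS[band]
    return [arfcn_to_khz(a, band)[1]
            for lo, hi in ranges for a in range(lo, hi + 1)]


if __name__ == "__main__":
    for arfcn, band in [(1, "GSM900"), (975, "E-GSM900"),
                        (512, "DCS1800"), (512, "PCS1900")]:
        ul, dl = arfcn_to_khz(arfcn, band)
        print(f"{band:9} ARFCN {arfcn:4}: uplink {ul / 1000:.1f} MHz, "
              f"downlink {dl / 1000:.1f} MHz")
    print("E-GSM900 downlink carriers to sweep:",
          len(downlink_scan_list("E-GSM900")))
```

Frequencies are kept in integer kHz so the 200 kHz raster check is exact. Note that a receiver only needs the downlink list to find towers; the uplink side is what a phone transmits, and it is 45, 95 or 80 MHz lower depending on the band.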

#15 nightfox

nightfox

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 10 April 2007 - 03:02 AM

What about this device here? Seems like we can use it to capture the data. It's a little pricey, but if we could get some direction I don't mind grabbing it.

http://www.ers.fr/Sa...eet_0605312.pdf

We really need some cellular techs to help us out. If we're gonna really make this happen, we have to start assigning tasks. It's definitely not a small project.

#16 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 10 April 2007 - 10:38 AM

In order to make the project cost effective and in the grasp of the everyday gsm hobbyist we should probably try to figure out a low cost method of receiving data..

I have a few questions, and please anyone feel free to chime in with answers/suggestions:
1 - Can we modify an off-the-shelf GSM phone to receive raw data?
2 - What is the cost comparison of a modified GSM cell phone (if possible) compared to a fully custom receiving system?

Personally, I think hacking an off-the-shelf unit would be interesting. GSM phones can be easily acquired (i.e. eBay) and at very low prices. If a GSM phone got toasted it would be less of a setback than if a $500+ custom PCB was ruined. I would like to do some further investigating into reverse engineering a GSM mobile for this purpose. If anyone can supply me with any info regarding schematics or pinouts please PM me.

nightfox, if I am incorrect in proposing the above please let me know. As for tasks, I have experience reverse engineering hardware, troubleshooting analog and digital circuits, working with ball grid array CPUs/SMD/through-hole, prototyping digital and analog circuits, and some design work. I am a licensed electronic technician, and have been in the field for many years, but I love to design as well (as a hobby); however, I am not professionally experienced in such work.

#17 Linux

Linux

    SUP3R 31337 P1MP

  • Banned
  • 278 posts

Posted 10 April 2007 - 10:46 AM

> In order to make the project cost effective and in the grasp of the everyday GSM hobbyist we should probably try to figure out a low cost method of receiving data..
>
> I have a few questions, and please anyone feel free to chime in with answers/suggestions:
> 1 - Can we modify an off-the-shelf GSM phone to receive raw data?
> 2 - What is the cost comparison of a modified GSM cell phone (if possible) compared to a fully custom receiving system?
>
> Personally, I think hacking an off-the-shelf unit would be interesting. GSM phones can be easily acquired (i.e. eBay) and at very low prices. If a GSM phone got toasted it would be less of a setback than if a $500+ custom PCB was ruined. I would like to do some further investigating into reverse engineering a GSM mobile for this purpose. If anyone can supply me with any info regarding schematics or pinouts please PM me.
>
> nightfox, if I am incorrect in proposing the above please let me know. As for tasks, I have experience reverse engineering hardware, troubleshooting analog and digital circuits, working with ball grid array CPUs/SMD/through-hole, prototyping digital and analog circuits, and some design work. I am a licensed electronic technician, and have been in the field for many years, but I love to design as well (as a hobby); however, I am not professionally experienced in such work.

You could probably make some progress with a logic analyzer/o-scope, whatever schematics/block diagrams you could get, and by cross-referencing the part numbers on all the ICs in the device.

How good is the documentation that is available from equipment vendors (in general) anyway? I wouldn't think that they would give you any detailed information as handsets are all but disposable nowadays, so there would be less need of repair and hence documentation. Could be wrong.

Now I know what I'm going to spend the remainder of my rapepal account on.

Hey Strom, you couldn't recommend any specific brand of logic analyzer, could you?


EDIT:
I am not sure, but I remember something about a specific model of phone that has easily modifiable firmware mentioned in one of the links above. Something like this would be something to keep in mind. I don't know much about handsets, but if you could somehow mod the firmware to allow custom control of that RF unit... then you might have a little something.

However, I really don't know if the handsets have the same TX capabilities as the towers (other than the obvious one being power), even with modded firmware or whatnot.


EDIT:
here is what I was talking about, from http://scratchpad.wikia.com/wiki/Gsm

> # Using a Nokia phone or the MC351i from Siemens. For both devices it is possible to update the firmware on the baseband processor. This would mean we would have to disassemble the firmware and do binary patching. Probably limited to 1 channel (but we can use 128 phones at the same time :>). Not as flexible as the USRP.


Also, I wish I could afford one of these:
http://www.bitscope.com/product/

Edited by Linux, 10 April 2007 - 02:21 PM.


#18 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 10 April 2007 - 06:16 PM

> Another project:
> http://scratchpad.wikia.com/wiki/Gsm



They seem to have missed one option for the hardware to hack: GSM data cards, the PCMCIA variety which are used for GPRS access. They are basically a GSM phone without display and keypad, and in theory could be used to place an audio call.

Mungewell.

#19 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 10 April 2007 - 06:21 PM

> A brief explanation of how an imsi catcher works can be found here:
>
> http://www.cryptopho...cept/index.html


The guy who does the cryptophone project did a talk at Hope 6, see:

http://www.hopenumbe...cryptophone.pls

He also mentioned the benefits of bugging the microwave links from remote cell towers, as a way to get to a bigger stream (ie. all the calls from the various cells around a town).
Munge.

#20 knifefanatic

knifefanatic

    the 0ne

  • Members
  • 1 posts

Posted 17 October 2007 - 01:10 AM

Not to revive and beat a dead horse... but I thought I would add this. I believe it may be helpful.

http://wiki.thc.org/cracking_a5

I too find this interesting and would love to view IMEI lists in real time. Yes, there is a specific one I am looking for... my own. Yep, mine was stolen. It would also be interesting to know how many phones in the US are blacklisted in the UK.

Edited by knifefanatic, 17 October 2007 - 01:14 AM.
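Matching a captured IMEI list against a blacklist has one wrinkle worth showing: the 15th digit of an IMEI is a Luhn check digit, identities come off the air in more than one form (14-digit body, 15-digit IMEI, or 16-digit IMEISV with a software-version suffix and no check digit), and a hand-copied entry with a wrong check digit should not silently fail to match. The Python below is an added example for this page, not code from the thread; the IMEIs and the one-entry blacklist are constructed (the 490154203237518 value is a commonly used test IMEI, not anyone's handset).

```python
"""IMEI sanity-checking and blacklist matching for a list of identities
captured off the air.  Added example for this page, not code from the
thread; the IMEIs and the blacklist below are constructed."""


def imei_check_digit(body14):
    """Luhn check digit over the 14-digit TAC+serial body; this is the 15th
    digit of a full IMEI."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:        # rightmost body digit (and every second one) is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def normalise_imei(raw):
    """Reduce whatever was captured to the 14-digit body, or None if it is
    unusable.  14 digits: body alone.  15 digits: IMEI, check digit verified.
    16 digits: IMEISV (body + 2-digit software version, no check digit).
    Separators such as '-' and spaces are ignored."""
    s = "".join(ch for ch in raw if ch.isdigit())
    if len(s) == 14:
        return s
    if len(s) == 15:
        return s[:14] if imei_check_digit(s[:14]) == s[14] else None
    if len(s) == 16:
        return s[:14]
    return None


def match_blacklist(observed, blacklist):
    """Return {captured string: blacklisted body} for every hit.  Comparison
    is on the 14-digit body so IMEI and IMEISV forms of one handset match."""
    wanted = {b for b in (normalise_imei(x) for x in blacklist) if b}
    hits = {}
    for raw in observed:
        body = normalise_imei(raw)
        if body in wanted:
            hits[raw] = body
    return hits


if __name__ == "__main__":
    stolen = ["49-015420-323751-8"]                  # constructed blacklist entry
    seen = ["490154203237518", "4901542032375101",   # IMEI and IMEISV, same handset
            "490154203237519",                       # bad check digit: copy error
            "356938035643809"]                       # some other phone
    print(match_blacklist(seen, stolen))
```

The entry with the wrong check digit is dropped by `normalise_imei` rather than compared, so a transcription error in either the captured list or the blacklist shows up as a non-match instead of a false hit.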




