nightfox

IMSI Catcher - AKA GSM Sniffer

26 posts in this topic

Hello everyone,

I've been doing a little research in the field of GSM sniffing and cryptography related to cellular networks and have taken an interest in a device known as an IMSI catcher. This device is used to intercept/record/jam GSM cellular communications. There are several devices being sold commercially, however they are only offered to LE/Gov agencies (large corporations also use them for corporate espionage). The price of these units is upwards of $500,000 USD. Below is a sample of a commercial IMSI catcher:

http://www.cellularintercept.com/pc-14-1-c...ercept-gsm.aspx

I would like to research this technology and build a unit that has all the capabilities of the commercial products. Once the project is complete I plan on providing a step-by-step tutorial on how to build an IMSI catcher using components readily available to the public. My budget for a working prototype is 15-20K (R&D + Parts), but the goal is to design a unit that a hobbyist can build for under 5K (if possible).

I am looking for people that have experience in the field of cellular communications, cellular cryptography and general electronics. I have no problems communicating the entire project through this thread, as the end result is to make our findings available to the community. Anybody that wants to learn about this technology, please feel free to participate.

A brief explanation of how an IMSI catcher works can be found here:

http://www.cryptophone.de/qa/intercept/index.html

Basically it's a man-in-the-middle attack where the unit mimics the cellular network's base tower. Once you can get the phone to connect to your base station, you can sniff the information, but in order to keep the call alive you must re-transmit the signal to the network's real tower. To do this I read it is best to use a repeater, the kind commonly used to eliminate network dead zones. So basically the data comes in through a receiver that mimics the cellular tower, goes through a preselector/combiner, the data passing through is monitored by a laptop or PC, and the signal is then re-transmitted to the real cellular tower.

So, first of all we have to find a machine that can mimic a base tower. Something that is reasonably priced and available to the public. The links below show two units that are commonly used for testing GSM equipment. Typically SIM cards with no network codes are inserted in the phones and the phones are forced to connect to these virtual networks for analysis/debugging purposes. These machines are said to be programmable, where you can enter the network codes of a (real) GSM network and mimic a base station. The receiving range of these units is low, so we would need to add juiced-up antennas to increase our range.

CTS65

http://tinyurl.com/c7l4r

4100 Mobile Fault Finder

http://www.willtek.com/english/products/tt/4100

I am trying to piece together as much information as possible. My first goal is to figure out exactly how the base stations work and how to obtain network codes for GSM networks. Does anyone know of any solid resources on this topic? Also, has anyone worked with the test devices mentioned above?

All feedback is GREATLY appreciated.


I wonder how hard it would be to clone a sim with a repeater?

Just wondering.. :huh:


Sounds like an interesting project. I'd be willing to help with the project on my free time.

Digital/Analog electronics (design/fabrication) is my specialty but I also do some coding.


I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.

Does anyone have any info/plans/knowledge on what went down/how?

I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.

Does anyone have any info/plans/knowledge on what went down/how?

It would be great if we could get some information from the guys that did this at Defcon. Instead of having to completely re-invent the wheel, we can use their info and add to it. I searched the Defcon site and googled for anything relating to their project and found nothing. Anyone have contact info or a link for these guys?

Thanks

I have no skills/knowledge in the field, but I've been interested in GSM Interception since they built one at DefCon.

Does anyone have any info/plans/knowledge on what went down/how?

It would be great if we could get some information from the guys that did this at Defcon. Instead of having to completely re-invent the wheel, we can use their info and add to it. I searched the Defcon site and googled for anything relating to their project and found nothing. Anyone have contact info or a link for these guys?

Thanks

It was not an official presentation, it was a "party" in a room at the con. I remember reading an account of it somewhere, and how they screwed with a hooker on her phone.


I would be willing to help as I am pretty interested in this project.

Right now I work repairing computers and mobile phones, so I might have some schematics or diagrams or other useful stuff.

As for a virtual tower, I have a Wavetek Communication Test Set 4202 S here at work and it does the job great; I do not know though how much one costs.

\V/


I'll have some free time this summer and would be willing to help. ;)


So I think the first step would be to receive some GSM signals..

Anyone know of any easy-to-find RF receivers covering this band (and not blocked, of course)?

Or would it be best to design a custom system?

Of course there's OSRP, but the hardware is kinda pricey.. I'm curious what others think would be the best solution.

Also will there be some way for us to collectively discuss progress?

Should we just use this thread, or will there be a page dedicated to the project, when it takes off?


What about this device here? Seems like we can use it to capture the data. It's a little pricey, but if we could get some direction I don't mind grabbing it.

http://www.ers.fr/Sagem/OT460%20data%20sheet_0605312.pdf

We really need some cellular techs to help us out. If we're gonna really make this happen, we have to start assigning tasks. It's definitely not a small project.


In order to make the project cost effective and within the grasp of the everyday GSM hobbyist, we should probably try to figure out a low-cost method of receiving data..

I have a few questions, and please anyone feel free to chime in with answers/suggestions:

1 - Can we modify an off-the-shelf GSM phone to receive raw data?

2 - What is the cost comparison of a modified GSM cell phone (if possible) compared to a fully custom receiving system?

Personally, I think hacking an off-the-shelf unit would be interesting. GSM phones can be easily acquired (i.e. eBay) and at very low prices. If a GSM phone got toasted it would be less of a setback than if a $500+ custom PCB was ruined. I would like to do some further investigating into reverse engineering a GSM mobile for this purpose. If anyone can supply me with any info regarding schematics or pinouts, please PM me.

nightfox, if I am incorrect in proposing the above, please let me know. As for tasks, I have experience reverse engineering hardware, troubleshooting analog and digital circuits, working with ball grid array CPUs/SMD/through-hole, prototyping digital and analog circuits, and some design work. I am a licensed electronic technician, and have been in the field for many years.. but I love to design as well (as a hobby), however I am not professionally experienced in such work.

In order to make the project cost effective and within the grasp of the everyday GSM hobbyist, we should probably try to figure out a low-cost method of receiving data..

I have a few questions, and please anyone feel free to chime in with answers/suggestions:

1 - Can we modify an off-the-shelf GSM phone to receive raw data?

2 - What is the cost comparison of a modified GSM cell phone (if possible) compared to a fully custom receiving system?

Personally, I think hacking an off-the-shelf unit would be interesting. GSM phones can be easily acquired (i.e. eBay) and at very low prices. If a GSM phone got toasted it would be less of a setback than if a $500+ custom PCB was ruined. I would like to do some further investigating into reverse engineering a GSM mobile for this purpose. If anyone can supply me with any info regarding schematics or pinouts, please PM me.

nightfox, if I am incorrect in proposing the above, please let me know. As for tasks, I have experience reverse engineering hardware, troubleshooting analog and digital circuits, working with ball grid array CPUs/SMD/through-hole, prototyping digital and analog circuits, and some design work. I am a licensed electronic technician, and have been in the field for many years.. but I love to design as well (as a hobby), however I am not professionally experienced in such work.

You could probably make some progress with a logic analyzer/oscilloscope, whatever schematics/block diagrams you could get, and by cross-referencing the serial numbers on all the ICs in the device.

How good is the documentation that is available from equipment vendors (in general) anyway? I wouldn't think that they would give you any detailed information as handsets are all but disposable nowadays, so there would be less need of repair and hence documentation. Could be wrong.

Now I know what I'm going to spend the remainder of my rapepal account on.

Hey Strom, you couldn't recommend any specific brand of logic analyzer, could you?

EDIT:

I am not sure, but I remember something about a specific model of phone that has easily modifiable firmware mentioned in one of the links above. Something like this would be something to keep in mind. I don't know much about handsets, but if you could somehow mod the firmware to allow custom control of that RF unit....then you might have a little something.

However, I really don't know if the handsets have the same TX capabilities as the towers (other than the obvious one being power), even with a modded firmware or whatnot.

EDIT:

Here is what I was talking about, from http://scratchpad.wikia.com/wiki/Gsm

# Using a nokia phone or the MC351i from Siemens. For both devices is it possible to update the firmware on the baseband processor. This would mean we would have to disassemble the firmware and do binary patching. Probably limited to 1 channel (but we can use 128 phones at the same time:>). Not as flexible as the USRP.

Also, I wish I could afford one of these:

http://www.bitscope.com/product/

Edited by Linux

They seem to have missed one option for the hardware to hack: GSM data cards, the PCMCIA variety which are used for GPRS access. They are basically a GSM phone without display and keypad and in theory could be used to place an audio call.

Mungewell.

A brief explanation of how an IMSI catcher works can be found here:

http://www.cryptophone.de/qa/intercept/index.html

The guy who does the cryptophone project did a talk at Hope 6, see:

http://www.hopenumbersix.net/mp3/16/cryptophone.mp3

http://www.hopenumbersix.net/pls/16/cryptophone.pls

He also mentioned the benefits of bugging the microwave links from remote cell towers, as a way to get to a bigger stream (i.e. all the calls from the various cells around a town).

Munge.


Not to revive and beat a dead horse... but I thought I would add this... Believe it may be helpful.

http://wiki.thc.org/cracking_a5

I too find this interesting and would love to view IMEI lists in real time. Yes, there is a specific one I am looking for... my own. Yep, mine was stolen. It would also be interesting to know how many phones in the US are blacklisted in the UK.

Edited by knifefanatic

If one is to get really involved with this, I think USRP would be a good investment (together with studying GNU Radio). They use GNU Radio for A5 cracking in that Chaos Communication Congress video too (I think it's on thc.org somewhere).


I recall something around 1999 or 2000 reading GSM encryption already had been cracked...

I have some books that do a good job of explaining the GSM air interface. I need to dig those up, but I don't think a software radio would be adequate: it's not a simple analog transmission, there is more than one error-correcting algorithm, and to write a GSM radio from scratch would be a challenge... probably you'd gain the knowledge needed to do just about anything on GSM.

Anyways I wonder if these cards would be of any use: http://www.junghanns.net/en/duo_gsm_pci_produkt.html


Hey all!

I am so happy to find a thread like this!

Anyways, I am planning to develop my thesis in this area...

and possibly build an IMSI catcher within 3 months. Possible? We will see!

:-)

I am based in London, UK, and on our campus we have some good equipment we can use...

Possibly, if someone wants to come over and work here, I might be able to arrange for you to come down and work here.

Also, I can get a budget for this project from the university,

which can help!

So where do we start?

John
