OpenBTS - osmocom-bb & GSM attacks.

Hacker Fantastic hackerfantastic at googlemail.com
Fri Feb 7 10:08:18 UTC 2014


Hi all,
        Here is a copy of some slides I wrote for a presentation on
security weaknesses within GSM. I used an Ettus E100 to develop a malicious
BTS and GSM related attacks in a Faraday cage and presented on how these
attacks work to better understand them for defensive purposes. I was able
to use the E100 as a generic IP-router after I cross-compiled a new kernel
with netfilter enabled and also I had to recompile a number of the packages
such as Asterisk to enable ODBC and improved SQLite support, I also had to
make some changes to Python and its modules. I used GNURadio 3.6.4 and I
had to compile a specific version of the OpenBTS code as the recent
transceiver application did not function with the E100. I was able to get
the E100 to work as a GSM/GPRS router and do real-time call placement etc.
I got it to function with real-time support and wrote a small script to
provision new devices by watching the syslog and adding to the SQLite
database.

I also used osmocom-bb to do things like use gnuplot and graph the channel
usage although the code is extremely ugly! I took RSSI measurements over a
period of time into images and then tied them together for a movie, it
isn't quite realtime but it makes pretty graphs. I mentioned how you could
implement the MS side of the GSM stack using the osmocom project and as
such am sharing the slides here.

Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest. If you need it for some reason drop me
an e-mail.

Kind Regards,
Matthew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/baseband-devel/attachments/20140207/10b8b278/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mwri_labs-GSM-Hacking-Wireless-Mobile-Phone-Communication_2014-01-30.pdf
Type: application/pdf
Size: 1357681 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/baseband-devel/attachments/20140207/10b8b278/attachment.pdf>


More information about the baseband-devel mailing list