Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Software Defined Radio, Part 6: Building a Cellphone IMSI Catcher (Stingray)

Posted by otw, 4 years ago
  • Mobile networks use several different technologies, including GSM, CDMA, TDMA, 4G/LTE, 5G and others. Using special hardware and software, law enforcement can eavesdrop on and track people. The device that does this is called an IMSI catcher (International Mobile Subscriber Identity catcher).
  • IMSI catchers, often referred to by the brand name Stingray, currently cost roughly $50K to $200K. The goal of the post is to bring the price down to something a regular consumer could afford; the author hopes that showing how cheaply they can be built will push lawmakers to make them illegal.
  • The article focuses on GSM, the 2G system (3G handsets still attach to GSM cells when no 3G coverage is available, so they are exposed too). The major security issue with GSM is the lack of mutual authentication: the handset does not authenticate the base station before attaching to the network, so anything that looks like a base station is trusted. By abusing this, we can sniff the handset's IMSI.
  • The IMSI is stored on the SIM card. With it, whoever sniffs this traffic can at a minimum identify and locate the phone's user, and potentially intercept and spoof the user's traffic.
  • The author then goes step by step through sniffing GSM traffic. First, he walks through installing Kali Linux and gr-gsm, a set of GSM blocks for GNU Radio, the open source software radio project. After that, the kal (kalibrate) program is used to find the base stations and the frequencies in use in the area.
  • Scanning for frequencies with kal -s, the author finds 889 and 890 in use. Now we can try to sniff the base station traffic: the grgsm_livemon utility tunes the SDR to the base station's frequency and decodes its frames.
  • Now, simply running the IMSI-catcher utility on top of that, we can capture the IMSIs of 2G and 3G phones. The post includes a screenshot of the captured data, including the cell ID, the operator and other fields.
  • The craziest part of all this: the author uses an RTL-SDR! This limits which GSM frequencies can be tuned, and the RTL-SDR is receive-only, so this setup passively sniffs identities rather than impersonating a base station; but it brings the cost of entry down to about $25. Using more sophisticated (and expensive) equipment, the author promises to demonstrate intercepting mobile communications in a future post.
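To make concrete what the IMSI-catcher step is actually pulling out of the air, here is an added example (my own code, not the IMSI-catcher script's or the original post's) that decodes the Mobile Identity information element from GSM Mobility Management messages, the element a handset sends in the clear because GSM never makes it authenticate the base station first. It assumes the Layer 3 bytes have already been separated from the GSMTAP and LAPDm framing that gr-gsm produces; the three sample frames are constructed by hand for the example, not captured.

```python
"""Decode the Mobile Identity carried in GSM Mobility Management (MM) messages.

Added example, not code from the IMSI-catcher project or the original post.
It does what that tool does with the Layer 3 frames grgsm_livemon decodes:
pull the Mobile Identity information element (3GPP TS 24.008, section
10.5.1.4) out of a Location Updating Request or an Identity Response.
Assumes GSMTAP and LAPDm headers have already been stripped.
"""

MM_PROTOCOL_DISCRIMINATOR = 0x05
MM_LOCATION_UPDATING_REQUEST = 0x08
MM_IDENTITY_RESPONSE = 0x19
IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def parse_mobile_identity(ie: bytes) -> dict:
    """Parse the value part of a Mobile Identity IE (length octet already removed)."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    first = ie[0]
    id_type = first & 0x07          # bits 1-3: type of identity
    odd = bool(first & 0x08)        # bit 4: odd number of digits
    name = IDENTITY_TYPES.get(id_type, "reserved")
    if id_type == 0:
        return {"type": name}
    if id_type == 4:                # TMSI is a 4-octet binary value, not BCD
        if len(ie) != 5:
            raise ValueError("TMSI must be 4 octets")
        return {"type": name, "tmsi": ie[1:].hex()}
    # IMSI/IMEI/IMEISV are telephony BCD: first digit in the high nibble of
    # octet 3, then low nibble before high nibble in every following octet.
    nibbles = [first >> 4]
    for octet in ie[1:]:
        nibbles.append(octet & 0x0F)
        nibbles.append(octet >> 4)
    if not odd:                     # even digit count: last high nibble is 0b1111 filler
        if nibbles[-1] != 0x0F:
            raise ValueError("missing end mark on even-length identity")
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit in identity")
    return {"type": name, "digits": "".join(str(n) for n in nibbles)}


def parse_lai(lai: bytes) -> dict:
    """Parse a 5-octet Location Area Identification (TS 24.008, section 10.5.1.3)."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 octets")
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0x0F:       # a three-digit MNC keeps its third digit here
        mnc += str(lai[1] >> 4)
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


def parse_mm_message(msg: bytes) -> dict:
    """Extract the subscriber identity from a Location Updating Request or Identity Response."""
    if len(msg) < 3 or (msg[0] & 0x0F) != MM_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Mobility Management message")
    msg_type = msg[1] & 0x3F        # bits 7-8 may carry the N(SD) send sequence number
    if msg_type == MM_LOCATION_UPDATING_REQUEST:
        # octet 3: CKSN + updating type, octets 4-8: LAI, octet 9: classmark 1,
        # then the Mobile Identity as an LV (length, value) element
        if len(msg) < 10:
            raise ValueError("truncated Location Updating Request")
        length = msg[9]
        result = {"message": "Location Updating Request", **parse_lai(msg[3:8])}
        result.update(parse_mobile_identity(msg[10:10 + length]))
        return result
    if msg_type == MM_IDENTITY_RESPONSE:
        length = msg[2]
        return {"message": "Identity Response", **parse_mobile_identity(msg[3:3 + length])}
    raise ValueError(f"unsupported MM message type 0x{msg_type:02x}")


# Constructed sample frames (not captures): a handset attaching with its IMSI
# (MCC 262, MNC 01, LAC 0x1234), one that already holds a TMSI, and an IMEISV
# returned in answer to an Identity Request.
LU_REQUEST_IMSI = bytes.fromhex("05 08 70 62 f2 10 12 34 33 08 29 26 10 21 43 65 87 09")
LU_REQUEST_TMSI = bytes.fromhex("05 08 70 62 f2 10 12 34 33 05 f4 de ad be ef")
IDENTITY_RESPONSE_IMEISV = bytes.fromhex("05 19 09 33 15 32 54 76 98 10 32 f4")

if __name__ == "__main__":
    for frame in (LU_REQUEST_IMSI, LU_REQUEST_TMSI, IDENTITY_RESPONSE_IMEISV):
        print(parse_mm_message(frame))
```

The second sample frame is the practical caveat: once a handset has been assigned a temporary identity (TMSI), it sends that instead of the IMSI, so a receive-only RTL-SDR setup only sees IMSIs when a phone attaches fresh or the network explicitly asks for one. An active catcher that impersonates a base station gets around this by sending an Identity Request, which the handset answers with the third kind of frame above.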