fbpx
Skip to content

GSM Hacking: What you need to know

GSM Hacking guide for professional pentesters and hobbyists. As we know, GSM is an ancient technology and nowadays is totally insecure, many countries are removing GSM infrastructure and reusing the frequencies for 5G and other transmissions technologies.

Here I will explain the different network devices and public attacks against each device.

Hacking GSM
Hacking GSM

First I will describe the hardware with a few technical details, then is necessary to understand how the spectrum works and what frequencies our country use for GSM.

After we know what ARFCN we want monitor we will capture live data on specific channel and save into a cfile.

To calculate the downstream frequency based on your ARFCN you can use this calculator: https://www.cellmapper.net/arfcn

This cfile will allow us to decode other layers of traffic data dedicated to other protocols and at the end I will explain how to crack A5/1 encryption using rainbow tables.

Hardware

On this tutorial we only use a RTL-SDR device and is enough to do a passive recon around you and understand the basic concepts about the technology and how the PLMN (Public Land Mobile Network)

DevicePriceStore
RPI3 1 GB RAM
SD-CARD 64 GB
USB RTL SDR
Power Bank

RTL-SDR Limitations

Here I will explain the most common public attacks against GSM networks using cheap hardware like an rtl-sdr. Keep in mind these type of hardware can only receive (RX) data.

  • We only receive traffic (RX) Downstream
  • To capture both Upstream and Downstream we need two dongles

Attention the limitations are related to the hardware used on this tutorial, if we use more expensive hardware and apply other techniques other attacks can be possible. I will write about then on other articles.

SIM Card Attacks

Attack
Sim SwappingENISA
SimjackerWebsite/
SIM Cloning

Mobile Station

Rogue BTS

If you want to learn how to install a Rogue BTS read my other article from the GSM Hacking Series.

GSM IMSI Catchers

Capture BTS Broadcast Unencrypted Data

Decrypt SMS Data

Decrypt Voice Channel

GSM A5/1 Decryption

git clone git://git.srlabs.de/kraken

https://opensource.srlabs.de/projects/a51-decrypt