GSM hacking guide for professional pentesters and hobbyists. As is well known, GSM is an old technology that is by now thoroughly insecure; many countries are decommissioning their GSM infrastructure and reusing the frequencies for 5G and other transmission technologies.
Here I will explain the most common publicly known attacks against GSM networks using cheap hardware such as an RTL-SDR. Keep in mind that this type of hardware can only receive (RX) data.
SS7 Attacks on GSM
SS7 attacks and attacks using rogue GSM base stations are out of scope and will stay that way, apart from a few pointers on entry points. Remember that I am not responsible for your actions: work in your own lab and study with your own devices.
First I will describe the hardware with a few technical details; then it is necessary to understand how the spectrum works and which frequencies our country uses for GSM.
Once we know which ARFCN we want to monitor, we will capture live data on that specific channel and save it into a cfile.
This cfile will allow us to decode the further layers of the captured traffic that belong to other protocols, and at the end I will explain how to crack A5/1 encryption using rainbow tables.
What hardware is necessary to capture GSM downstream packets?
As I said before, here I only use an RTL-SDR device, which is enough to do passive reconnaissance around you, understand the basic concepts of the technology, and decode some SMS messages or voice calls addressed to us.
Limitations on GSM Hacking
Note that these limitations come from the hardware used in this tutorial; with more expensive hardware and other techniques, further attacks become possible.
- We only receive traffic (RX)
- We can only decrypt our own session
- We can only extract the Kc key from our own session
GSM SIM Cards
SIM cards come in two main categories, CDMA and GSM; here I focus on GSM SIM cards. These cards have two types of billing: PREPAID and POSTPAID.
PREPAID
Prepaid cards already have a tariff plan assigned to them.
POSTPAID
SIM Card Structure
SIM cards hold a profile defined by the network operator; these cards have storage capacities of 8k, 16k, 32k, 128k, etc.
MF – Master Files
DF – Dedicated Files
EF – Elementary Files
Standards: GSM 11.11 – 3GPP 51.011
SIM Card Profile
Network Requirements
- MCC / MNC
- IMSI
- ICC-ID
- SMS Parameters
Marketing Requirements
- Phonebook
- Number of Short Messages
- Service Dialing Numbers (customer care numbers)
- Mailbox Number
Business Requirements
- Roaming Partner List
- PIN Handling
ICC-ID
ICC
- SIM – Single IMSI or Dual IMSI
- RUIM – Single CDMA or combo CDMA+GSM
The ICC-ID is defined by ITU-T E.118.
The ICC-ID has 19 digits, and its check digit is calculated using the Luhn algorithm.
89-91-15-100-000000011-8
89 – Telecom industry identifier
91 – CC (country code)
15 – MNC
100 – Vendor
000000011 – Serial Number
8 – Check digit (Luhn)
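The ICC-ID layout and Luhn check described above, as an added example that is not part of the original guide: it splits a dashed ICC-ID into the listed fields, validates the Luhn check digit, and reports the digit the algorithm would expect. The field widths are an assumption taken from the sample layout above (real issuers vary the country-code and issuer widths), while the Luhn arithmetic is exact. Applied to the sample ICC-ID from the text, the check fails (the expected check digit for that payload is 6), which is precisely the sanity check worth running before treating any captured ICC-ID as real.

```python
# Added example (not from the original guide): split an E.118 ICC-ID into
# the fields shown above and validate its Luhn check digit.
# Assumption: field widths follow the sample layout in the text
# (2 industry / 2 CC / 2 MNC / 3 vendor / 9 serial / 1 check); real
# issuers vary the country-code and issuer widths, so the split is
# illustrative while the Luhn check is exact.

def luhn_sum(digits: str) -> int:
    """Luhn weighted sum over the full number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """True when the number (with its check digit) passes Luhn."""
    return number.isdigit() and luhn_sum(number) % 10 == 0

def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid."""
    return (10 - luhn_sum(payload + "0") % 10) % 10

def parse_iccid(iccid: str) -> dict:
    """Split a 19-digit ICC-ID (dashes/spaces allowed) and Luhn-check it."""
    digits = iccid.replace("-", "").replace(" ", "")
    if len(digits) != 19 or not digits.isdigit():
        raise ValueError("ICC-ID must be exactly 19 decimal digits")
    return {
        "industry": digits[0:2],        # 89 = telecommunications
        "cc": digits[2:4],              # country code
        "mnc": digits[4:6],             # operator
        "vendor": digits[6:9],
        "serial": digits[9:18],
        "check": digits[18],
        "luhn_ok": luhn_valid(digits),
        "expected_check": luhn_check_digit(digits[:18]),
    }

if __name__ == "__main__":
    # Constructed input: the sample ICC-ID from the text above.
    for k, v in parse_iccid("89-91-15-100-000000011-8").items():
        print(f"{k:>15}: {v}")
```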
IMSI
International Mobile Subscriber Identity
The IMSI has 15 digits, is globally unique, and identifies the subscriber's home network.
MCC + MNC + MSIN = IMSI
SIM Keys
GSM Hacking
GSM Mobile Station
Capture BTS Broadcast Unencrypted Data
Decrypt SMS Data
Decrypt Voice Channel
GSM A5/1 Decryption
git clone git://git.srlabs.de/kraken
https://opensource.srlabs.de/projects/a51-decrypt
GSM IMSI Catchers