GSM Penetration Testing
Posted in: GSM Hacking

GSM Penetration Testing Fundamentals: Part 1

This article (GSM Penetration Testing Fundamentals) gives an overview of the technology, the terminology and the security mechanisms built into GSM. I hope it lets you get started with GSM hacking without getting bogged down in too much technical detail.

Before starting any hacking tutorials, you need to understand the technology.

As we know, GSM is a 1990s-era technology and by today's standards it is insecure: its A5/1 cipher has been broken in practice and the network never authenticates itself to the phone. Many operators are now shutting down their GSM infrastructure and refarming those frequencies for 5G and other transmission technologies.

Here I will explain the different network devices on a GSM network and public attacks against each device.

Hacking GSM

First I will describe the hardware with a few technical details; then it is necessary to understand how the spectrum works and which frequencies your country uses for GSM.

GSM Network

A GSM network is made up of many devices. Some are on the subscriber side, others are outdoors at the cell sites or inside the operator's data centres, and they all have one thing in common: each carries an identifier (for example the IMSI of the subscriber, the IMEI of the handset and the Cell ID of the base station).


On the client side we have Mobile Stations (cellphones), SIM cards and USB modems. Each of them has its own vulnerabilities and entry points to explore; here I will try to cover all of them.

SIM Card Attacks

SIM cards were developed around three decades ago. Each generation has added functionality, but some weaknesses remain because they are not technology related: SIM swapping, for example, targets the operator's number-porting or card-replacement process rather than the card itself.

Attack Type       Source
SIM Swapping      ENISA
SIM Cloning

Mobile Station


In this tutorial we only use an RTL-SDR dongle, which is enough for passive reconnaissance of the cells around you and for learning the basic concepts of the technology and of the PLMN (Public Land Mobile Network).

Passively sniffing GSM is illegal in most countries; check your local law, or make sure you have written authorisation, before capturing anything.

NEVER actively sniff (transmit) on a live network.

Power Bank

RTL-SDR Limitations

Here I will explain the most common public attacks against GSM networks using cheap hardware like an RTL-SDR. Keep in mind that this kind of hardware can only receive (RX) data:

  • We only receive downlink traffic (BTS to phone).
  • Uplink and downlink are separated by the band's duplex spacing (45 MHz in GSM 900, 95 MHz in DCS 1800), far more than the roughly 2.4 MHz an RTL-SDR can sample, so capturing both directions needs two dongles, one tuned to each.

Note that these limitations apply to the hardware used in this tutorial; with more expensive hardware and other techniques, further attacks become possible. I will write about them in other articles.

Rogue BTS

If you want to learn how to install a Rogue BTS read my other article from the GSM Hacking Series.

Passive Sniff GSM

Once we know which ARFCN we want to monitor, we will capture live data on that channel and save it to a cfile for further analysis.

To calculate the downlink frequency from an ARFCN, start from the band's base frequency, add 200 kHz per channel number, and then add the band's duplex spacing (45 MHz for GSM 900, 95 MHz for DCS 1800).
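As an added example (not code from the original article), the following Python helpers do the ARFCN-to-frequency arithmetic just described, and also quantify the RTL-SDR limitation from the previous section (uplink/downlink duplex spacing versus dongle bandwidth). Band parameters follow the 3GPP channel numbering; the 2.4 MHz dongle bandwidth, the omission of the GSM 450/480 and R-GSM bands, and all function names are assumptions of this example.

```python
"""ARFCN <-> carrier frequency helpers for the common GSM bands.

Added example for this article, not code from the original page. Band
parameters (200 kHz carrier spacing, per-band base frequency and duplex
spacing) follow 3GPP TS 45.005; frequencies are kept as integer kHz so
that comparisons are exact. The ~2.4 MHz RTL-SDR bandwidth figure is a
typical value assumed here, not one given by the article.
"""

CHANNEL_SPACING_KHZ = 200
RTL_SDR_BW_KHZ = 2_400  # assumed usable bandwidth of a typical RTL-SDR dongle

# band name -> (duplex spacing kHz, [(first ARFCN, last ARFCN, uplink kHz of first ARFCN), ...])
# E-GSM 900 has two ARFCN runs: 0-124 from 890 MHz upwards and 975-1023 just below it.
# GSM 450/480 and R-GSM are left out for brevity.
BANDS = {
    "GSM850":  (45_000, [(128, 251, 824_200)]),
    "PGSM900": (45_000, [(1, 124, 890_200)]),
    "EGSM900": (45_000, [(0, 124, 890_000), (975, 1023, 880_200)]),
    "DCS1800": (95_000, [(512, 885, 1_710_200)]),
    "PCS1900": (80_000, [(512, 810, 1_850_200)]),
}


def arfcn_to_khz(arfcn: int, band: str) -> tuple[int, int]:
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    duplex, ranges = BANDS[band]
    for first, last, base_uplink in ranges:
        if first <= arfcn <= last:
            uplink = base_uplink + CHANNEL_SPACING_KHZ * (arfcn - first)
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not valid in {band}")


def khz_to_arfcn(downlink_khz: int, band: str) -> int:
    """Inverse of arfcn_to_khz for a downlink frequency (what a scanner reports)."""
    duplex, ranges = BANDS[band]
    uplink = downlink_khz - duplex
    for first, last, base_uplink in ranges:
        offset = uplink - base_uplink
        if offset % CHANNEL_SPACING_KHZ == 0:
            arfcn = first + offset // CHANNEL_SPACING_KHZ
            if first <= arfcn <= last:
                return arfcn
    raise ValueError(f"{downlink_khz} kHz is not a {band} downlink carrier")


def bands_for_arfcn(arfcn: int) -> list[str]:
    """ARFCN numbers are reused across bands (512 is both DCS 1800 and PCS 1900),
    so the band must be known before a number can be turned into a frequency."""
    return [name for name, (_, ranges) in BANDS.items()
            if any(first <= arfcn <= last for first, last, _ in ranges)]


def rtl_sdr_plan(arfcn: int, band: str, dongle_bw_khz: int = RTL_SDR_BW_KHZ) -> dict:
    """Where to tune to see one ARFCN, and how many dongles that takes.

    Both directions fit in one capture only if the duplex spacing plus one
    carrier width fits inside the dongle's bandwidth; for every GSM band this
    is far larger than an RTL-SDR can sample, hence two dongles.
    """
    uplink, downlink = arfcn_to_khz(arfcn, band)
    span = (downlink - uplink) + CHANNEL_SPACING_KHZ
    return {
        "uplink_khz": uplink,
        "downlink_khz": downlink,
        "dongles_needed": 1 if span <= dongle_bw_khz else 2,
    }


if __name__ == "__main__":
    for arfcn, band in [(1, "PGSM900"), (975, "EGSM900"), (512, "DCS1800"), (512, "PCS1900")]:
        plan = rtl_sdr_plan(arfcn, band)
        print(f"ARFCN {arfcn:4d} {band:8s} uplink {plan['uplink_khz'] / 1000:9.1f} MHz "
              f"downlink {plan['downlink_khz'] / 1000:9.1f} MHz  dongles {plan['dongles_needed']}")
```

Tune the single RTL-SDR to the downlink frequency returned by rtl_sdr_plan; the uplink figure is what a second dongle would need. Always resolve the band first (bands_for_arfcn shows why), because the same ARFCN number means different frequencies in DCS 1800 and PCS 1900.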

This cfile will let us decode the higher-layer protocols carried on the channel, and at the end I will explain how to crack A5/1 encryption using rainbow tables (… and how to download them! 😀).

Capture BTS Broadcast Unencrypted Data

GSM IMSI Catchers

Decrypt SMS Data

Decrypt Voice Channel

GSM A5/1 Decryption

git clone git://
