SMS decryption has become a topic of increasing interest in recent years, as individuals and organizations seek to intercept and decode encrypted SMS messages transmitted over GSM networks.
Despite the apparent security of these messages, they are often vulnerable to interception and decryption using specialized software-defined radio techniques.
In this article, we’ll explore the basics of SMS decryption and provide an overview of some of the tools and techniques used to decode SMS messages on GSM networks.
Decrypt GSM SMS Messages – In my previous article, I wrote about how to sniff GSM networks and capture downstream packets. To better understand all parameters and technology terminology read my article GSM Networks for Pentesters.
Legal and Ethical Considerations
It is important to note that SMS message decryption should only be performed for legitimate and authorized purposes.
Intercepting and decrypting SMS messages without proper authorization is illegal and unethical.
It is important to respect individuals’ privacy and follow the laws and regulations governing telecommunications and data privacy.
SMS messages are sent over a dedicated control channel in the GSM network, known as the Short Message Service Center (SMSC) or Short Message Service-Point to Point (SMS-PP) protocol.
The SMSC acts as a store-and-forward messaging center, responsible for routing SMS messages between the sender and receiver. When a user sends an SMS message, the message is sent from the user’s device to the nearest base station.
The base station then sends the message to the SMSC, which stores the message and forwards it to the recipient’s device or to another SMSC for further forwarding. When the recipient’s device receives the message, it sends an acknowledgment to the SMSC to confirm receipt of the message.
The SMSC then sends a delivery report to the sender’s device to confirm that the message has been delivered to the recipient.
Here are the general steps to decrypt GSM SMS messages:
- Obtain the encrypted SMS message: The encrypted SMS message can be obtained by intercepting the GSM communication between the sender and the receiver using specialized equipment or software.
- Extract the encryption key: The encryption key is required to decrypt the SMS message. The key can be extracted by analyzing the GSM communication and identifying the key exchange process.
- Decrypt the SMS message: Once you have the encryption key, you can use specialized software or libraries to decrypt the SMS message. Some popular software and libraries for decrypting GSM SMS messages include OsmocomBB, Kraken, and Airprobe.
Intercepting GSM Traffic
Intercepting GSM traffic involves using a software-defined radio (SDR) or other equipment to capture the radio signals that are transmitted over the air between a GSM device (such as a mobile phone) and a GSM base station. GSM traffic is transmitted using bursts of radio signals that contain encoded data, including SMS messages.
To intercept GSM traffic, you will need an SDR device that is capable of receiving GSM frequencies, such as the popular RTL-SDR dongle. You will also need software that can process the captured radio signals and extract the data, such as the open-source gr-gsm software.
Extracting the Encryption Key
To decrypt an SMS message, you will need to extract the encryption key that was used to encrypt the message payload. The encryption key is used to decrypt the message payload and reveal the actual message text.
The process of extracting the encryption key depends on the specific encryption algorithm used for the SMS message. For example, A5/1 is a common encryption algorithm used for GSM networks.
Decryption of SMS Message
Once you have extracted the encryption key from the captured GSM traffic, you can use the key to decrypt the SMS message. The encryption key is used to decrypt the message payload, which contains the actual message text. Depending on the encryption algorithm used, there may be additional steps required to decrypt the message.
One common encryption algorithm used for SMS messages is the A5/1 algorithm. To decrypt an A5/1-encrypted SMS message, you can use a specialized tool or library such as Kraken or libosmo-dsp.
These tools implement the A5/1 algorithm and allow you to decrypt the encrypted message payload using the extracted encryption key.
kraken --decrypt <hex key> <hex message>
This command specifies the encryption key in hexadecimal format and the encrypted message payload in hexadecimal format.
Kraken then uses the A5/1 algorithm to decrypt the message payload and displays the decrypted message in plaintext.
Before starting the decryption process we need a few things ready.
- Our CFILE with all data captured
- KC Key – grabbed from our SIM Card
- Rainbow tables to Crack A1 encryption
- All tools working with the correct versions
- You CAN’T decode SMS LIVE – 😉
Understand our Tool
In order to decrypt SMS data is necessary to use gnuradio tool grgsm_decode, read my article about how to install GNU Radio.
grgsm_decode is a tool that is part of the gr-gsm software suite, which is a collection of open-source software tools for working with GSM signals.
The grgsm_decode tool is designed to decode GSM signals and extract information from them, including GSM messages such as SMS.
grgsm_decode -h Usage: grgsm_decode: [options]
The gsm_decode tools have a lot of options divided into 4 categories
N_MODE, --mode=CHAN_MODE Channel mode. Valid options are 'BCCH' (Non-combined C0), 'BCCH_SDCCH4'(Combined C0), 'SDCCH8' (Stand-alone control channel) 'TCHF' (Traffic Channel, Full rate), 'TCHH' (Traffic Channel, Half rate) -t TIMESLOT, --timeslot=TIMESLOT Timeslot to decode [default=0] -u SUBSLOT, --subslot=SUBSLOT Subslot to decode. Use in combination with channel type BCCH_SDCCH4 and SDCCH8 -b BURST_FILE, --burst-file=BURST_FILE Input file (bursts) -c CFILE, --cfile=CFILE Input file (cfile) -v, --verbose If set, the decoded messages (with frame number and count) are printed to stdout -p, --print-bursts If set, the raw bursts (with frame number and count) are printed to stdout
Cfile Options: Options for decoding cfile input. -f FC, --fc=FC Frequency of cfile capture -a ARFCN, --arfcn=ARFCN Set ARFCN instead of frequency (for PCS1900 add 0x8000 (2**15) to the ARFCN number). -s SAMP_RATE, --samp-rate=SAMP_RATE Sample rate of cfile capture [default=1.0M] --ppm=PPM Set frequency offset correction [default=0
Decryption Options: Options for setting the A5 decryption parameters. -e A5, --a5=A5 A5 version [default=1]. A5 versions 1 - 3 supported -k KC, --kc=KC A5 session key Kc. Valid formats are '0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' and '1234567890ABCDEF'
TCH Options: Options for setting Traffic channel decoding parameters. -d SPEECH_CODEC, --speech-codec=SPEECH_CODEC TCH-F speech codec [default=FR]. Valid options are FR, EFR, AMR12.2, AMR10.2, AMR7.95, AMR7.4, AMR6.7, AMR5.9, AMR5.15, AMR4.75 -o SPEECH_OUTPUT_FILE, --output-tch=SPEECH_OUTPUT_FILE tch/f speech output file [default=/tmp/speech.au.gsm]. --sub-channel=TCH_H_CHANNEL TCH/H sub-channel. [default=0] --multi-rate=MULTI_RATE The MultiRate configuration element from the Assignment Command message. Example: 28111a40. See 3GPP TS 44.018 - 10.5.2.21aa MultiRate configuration --voice-boundary Enable voice boundary detection for traffic channels. This can help reduce noice in the output.
How to remove encryption from text messages?
grgsm_decode --freq <center frequency in Hz> --gain <gain value> --samp-rate <sampling rate in Hz> --arfcn <ARFCN value> --burst-file <filename of the file containing GSM bursts> --debug-decoder sms