How to Build an IMSI Catcher to Intercept GSM traffic

Mrudul Patel
By Mrudul Patel

February 4, 2020

Recently, there have been cases of using GSM hijacking + text message sniffing to steal bank cards. This article provides practical information on how to sniff the traffic of a GSM Network and will follow the structure below:

1. Background
2. Architecture of GSM
3. What is IMSI Catcher?
4. How IMSI Catcher works?
5. Hardware and Installation of tools
6. Capturing the GSM traffic
7. Detection of IMSI Catcher

Want to explore how to combat these cloud security challenges?

Download our eBook: Guide to Next-Generation Cloud SecOps

Get the eBook

 

1. Background

Before we delve deeper into the subject, some basic terminology and background information on GSM are provided below.

What is SDR?
Software Defined Radio is a radio broadcast communication technology, which is based on a software-defined wireless communication protocol instead of being implemented through hard-wires. SDR allows easy signal processing and experimentation with more complex radio frequency builds.

What is RTL-SDR?
RTL-SDR is a Realtek (RTL2832U) TV stick. TV sticks allow transmission of raw I/O samples, which can be used for DAB / DAB + / FM demodulation.

1What is GSM?

GSM stands for Global System for Mobile communication. More than 5 billion people use GSM technology to communicate all over the world. Operators in every country use a different frequency in the GSM possible spectrum. Refer to https://www.worldtimezone.com/gsm.html to learn more.

What is IMSI?

IMSI stands for “International Mobile Subscriber Identity” and is globally unique for each subscriber. The IMSI consists of 15 digits, which contain the Mobile Country Code (MCC), Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN). The IMSI is stored in the Subscriber Identity Module (SIM).

Mobile Phone Generations

1G - The first generation of mobile phones was implemented in the 1980s. The data sent from and to the phones were analogue and naturally had no security whatsoever. Additionally, it was only possible to make voice calls with 1G networks. Text messaging was not yet possible at that point.

2G - In the 1990s the second generation of mobile phone technology was rolling out. Features such as SMS, data, MMS, voice mail and call forwarding were implemented. Also, the radio signals became digital and were encrypted. Later 2.5G and 2.75G were introduced and both implemented improved techniques for data transfer such as GPRS and EDGE. The Global System for Mobile Communication (GSM) standard is the most widely used 2G standard and as of 2007, the most widely used mobile phone protocol in general.

3G - 3G was slowly rolled out in the 00s. The International Telecommunication Union (ITU) set up specifications that label certain mobile networks as 3G. 3G mobile networks support Global positioning system (GPS), mobile television and video conferencing. It also offers way more data transfer bandwidth and speed. Furthermore, the encryption standard is improved: using two-way authentication between the mobile phone and the base station and having improved encryption standards.

4G - 4G is also specified by the International Telecommunication Union (ITU). One of the requirements of 4G is a speed of 100 Mbit/s in a car or train and 1 Gbit/s for pedestrians. A 4G internal network is also completely IP based, so no more circuit-switched telephone. It must be noted that the current 4G standards are not actually fully compliant yet with the ITU specifications. However, they are still considered 4G since they are the closest to 4G speeds and are substantially better than 3G technologies.

5G - The next-generation of telecom networks (fifth generation or 5G) started hitting the market at the end of 2018 and will continue to expand worldwide. Beyond speed improvement, 5G is expected to unleash a massive IoT (Internet of Things) ecosystem where networks can serve communication needs for billions of connected devices, with the right trade-offs between speed, latency, and cost.

 

2.Architecture of GSM


The following Diagram presents the basic architecture of the GSM network.

2Mobile Station (MS)

The mobile station is a device that can access the GSM network via radio. The mobile station can be broken down into two separate parts, the mobile hardware and the SIM card.

Base Station (BS)

Base Station is the antenna and is also called the “cell tower” or “cell site”. One BS covers a cellular area in the cellular network. The size of this cell can vary from a few hundred meters to several kilometers. The size of the cell area depends on the landscape features and the population density of the area. In subway stations and large buildings, relay stations can be placed to act as repeaters. These relay stations then wire the signal to the nearest base station.

Base Station Controller (BSC)

The base station controller controls several base stations. It handles the session handoffs between the different base stations when a user is moving through different cells. If the base stations are not connected to the same BSC, then the Mobile Switching Center (MSC) handles the handover.

Mobile Switching Center (MSC)

The mobile switching center is responsible for managing the authentication, handover to the other BSCs and routing calls to the landline.

Visitor Location Register (VLR)

Each MSC has its own Visitor Location Register (VLR). The VLR holds subscriber information of subscribers that are under the care of the MSC (which are copied from the Home Location Register (HLR)). The VLR, for example, holds the Temporary Mobile Subscriber Identity (TMSI), which is a temporary alias for the IMSI. This is to reduce the frequent broadcasting of the IMSI.

Home Location Register (HLR)

The HLR stores personal subscriber information like the IMSI and the phone number. There is only one HLR for every GSM network provider.

Authentication Center (AUC)

The Authentication Center (AUC) handles the authentication process of a subscriber to the network. More specifically, the AUC holds the shared secret key and generates the random challenge that is used to authenticate.

 

3.What is an IMSI Catcher?


An IMSI Catcher is an intrusive piece of technology that can be used to locate and track all mobile phones that are switched on in a certain area.

The IMSI Catcher does this by ‘pretending’ to be a mobile phone tower - tricking your phone into connecting to it and then revealing your personal details without your knowledge.

IMSI Catchers are indiscriminate surveillance tools that could be used to track who attends a political demonstration or a public event like a football match. They can even be used to monitor your calls and edit your messages – and you wouldn’t even know it was happening.

4.How IMSI Catcher works?


IMSI Catchers are devices that act like fake cell towers, which trick a target’s device to connect to them and then relay the communication to an actual cell tower of the network carrier. The target’s communications in the form of calls, text messages, internet traffic etc. go through the IMSI Catcher, which can read messages, listen to the calls and so on. At the same time victim will have no knowledge that this is happening as everything will seemingly work as normal. This is referred to as Man-In-Middle attacks in security fields.

This is possible because of a loophole in GSM protocol. Mobile phones are always looking for the mobile tower with the strongest signal to provide the best commutation. This is usually the nearest one. At the same time, when a device connects to a cell tower, it authenticates to it via an IMSI number. However, the tower doesn’t have to authenticate back. This is why every time someone places a device that acts as a cell tower near your phone, it would connect to it and give away its IMSI.

3How does an IMSI Catcher find out my identity?

IMSI is a number unique to your SIM card. Once your phone is tricked into connecting to an IMSI catcher, it reveals this unique number. Once the police have your IMSI, they can easily determine your identity.

How does an IMSI Catcher find out my location?

Once your phone has been tricked into revealing its IMSI, the IMSI catcher can determine your phone’s general location by measuring the strength of the signal from the phone. Measuring the strength of the signal from different locations permits an ever-more precise determination of the phone’s location.

Can an IMSI Catcher snoop on my calls and text messages?

Yes. Some IMSI Catchers can ‘intercept’ your text messages, calls and Internet traffic. This means others can read or listen to your personal communications. IMSI Catchers can even re-route or edit communications and data sent to and from your phone. IMSI Catchers can also block service so you can no longer use your phone to make or receive calls and text messages – even for emergency calls.

5.Hardware and Installation of tools

Hardware

Any of the hardware below can be used for practical purposes.
  •       RTL-SDR
  •       Hackrf
  •       USRP
  •       Blade-RF

Software

The following software tools are required for practical purposes.
  • GR-GSM - A python module, which is used for receiving information transmitted by GSM.
  • Wireshark - Capturing the wireless traffic.
  • IMSI-Catcher - This program shows the IMSI number, country, brand and operator of cellphones.
  • GQRX – Software defined radio receiver.
  • RTL-SDR Tools – Get the information of the RTL SDR dongle.
  • Kailbrate – Determine the signal strength.

 

Installation of Wireshark, GQRX, GR-GSM, rtl-sdr

sudo apt-get update

 sudo apt-get install gnuradio gnuradio-dev git cmake autoconf libtool pkg-config g++ gcc make libc6 libc6-dev libcppunit-1.14-0 libcppunit-dev swig doxygen liblog4cpp5v5 liblog4cpp5-dev python3-scipy gr-osmosdr libosmocore libosmocore-dev rtl-sdr osmo-sdr libosmosdr-dev libboost-all-dev libgmp-dev liborc-dev libboost-regex-dev python3-docutils build-essential automake librtlsdr-dev libfftw3-dev gqrx wireshark tshark

 git clone -b maint-3.8 https://github.com/velichkov/gr-gsm.git

cd gr-gsm

mkdir build

cd build

cmake ..

make

sudo make install

sudo ldconfig

export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH

4

Installation of Kalibrate

sudo apt-get update

git clone https://github.com/steve-m/kalibrate-rtl

cd kalibrate-rtl

./bootstrap && CXXFLAGS='-W -Wall -O3'

./configure

make

sudo make install

Installation of IMSI Catcher

sudo apt install python-numpy python-scipy python-scapy

git clone https://github.com/Oros42/IMSI-catcher.git

5

6.Capturing the GSM traffic

For this practical, the RTL-SDR dongle was used. Once the tools installation process is complete, plugin the RTL-SDR USB dongle to your system.

Open the terminal and run the below command to check the dongle has been plugged in successfully.

6In India Mobile GSM networks work on 900MHz and 1800MHz frequency bands (Uplink and Downlink). 

The help guide of the “grgsm scanner” tool.

  7

Search for nearby GSM base stations using “Kalibrate” or “grgsm_scanner” tools.

8Three base stations were found. The signal mentioned above was relatively strong with a frequency of 945.4MHz and 945.6MHz.

In the above manner, we obtained some parameter information of the base station, such as: center frequency, channel, ARFCN value, LAC, MCC, MNC value, etc. 

With the above details, we want to sniff the base station frequency. For that the program called “grgsm_livemon” will be used.

The help guide of the “grgsm_livemon” tool.

9Run the “Wireshark” before running the “grgsm_livemon” tool to capture the packets. Select any interface to capture all the data.

10Once the sniffing of the frequency starts, a popup window appears, as shown in the screenshot below.

11The frequency button needs to be moved in order to capture the frequency. Once data capture starts it will look like the screenshot below.

12Now we need to capture the IMSI details with the help of an “IMSI Catcher” tool.

13To capture the IMSI and other details like TMSI, Country, Brand, Operator, MCC, MNC, LAC, Cell-ID etc., run the “IMSI Catcher” tool.

14In Wireshark, the captured data of base station’s MNC, MCC, LAI and other information can be seen.

15

7.Detection of IMSI Catcher


There are different applications available, which help to find the IMSI Catcher in your location. Once it is installed in mobile, it will automatically detect the IMSI Catcher. Applications contain a database of all the cell towers of mobile carriers in different countries and regularly update this list.

Every time it detects a cell tower, it checks the list to see if it exists. If it exists, then it is a legitimate one, and there is no danger. However, if the tower is not on the list, there is something suspicious going on – and there is a high probability that this is an IMSI Catcher.

In this case, the best you can do is to turn off your phone and turn it on again, once you reach a safe location.

Below are some of the IMSI Catcher detector applications:
  • Osmocom – used to detect and fingerprint certain network characteristics
  • Android IMSI-Catcher Detector
  • SnoopSnitch
  • Cell Spy Catcher
  • GSM Spy Finder

Notes: This article is only for study purposes and should not be used for illegal activities. It only discusses the interception of GSM data and not cracking. Illegal wiretapping is a serious breach of the law in most countries.

For more information on how Next-Gen MDR combats cloud security threats, download our eBook: Guide to Next-Generation Cloud SecOps

Get the eBook


About

Mrudul Patel

SUBSCRIBE TO OUR BLOG

Buyers-Guide-Collateral

WHITEPAPER

Buyer’s Guide to Managed Detection and Response

Download
MDR

Get AI Powered

Managed Detection and Response

MDR-learmore-btn

 

MDR-Guide-Collateral

REPORT

AI-Driven Managed Detection and Response

Download Report
Episode

EPISODE-25

Red-LineAsset-6

Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst
  • FacebookAsset
  • LinkedinAsset
  • TwitterAsset