
Imsi cell phone interceptor buy. Listening to GSM with HackRF. How IMSI interceptors monopolize access to a mobile phone

GSM interception
*GSM 900* interception
The *GM* product is designed to receive and process GSM-900 and GSM-1800 signals, both without and with encryption (A5/1 and A5/2 algorithms).
"GM" allows the operator to:
- monitor the forward control or voice channel (base station transmissions)
- monitor the reverse control or voice channel (handset transmissions)
- scan all channels in search of active ones at a given location
- scan channels selectively and set their rescan interval
- organize pass-through (end-to-end) listening
- organize selective listening by known TMSI, IMSI, IMEI, caller ID (ANI) number or Ki
- record the conversation automatically to the hard drive
- monitor the conversation without recording
- search for an active subscriber (on unencrypted channels)
- capture the number dialed by the cellular subscriber
- capture the phone number of the party calling the cellular device (if the caller ID system is enabled)
- display all registrations in the channel
The product contains two receiving channels, forward and reverse.
Without encryption, *GM* can operate in two modes:
- search for an active mobile subscriber;
- monitoring of the station's control channel (forward and reverse).
With encryption, only the control channel monitoring mode is available.
When monitoring a station's control channel, *GM* determines the following parameters for each connection:
- IMSI or TMSI (depending on the operating mode of the monitored network; these are transmitted by the base station);
- IMEI (when requested by the base station and when the mobile subscriber is within energy reach, since handset transmissions are captured);
- dialed number (when the connection is initiated by the mobile subscriber and he is within energy reach, since in this case handset transmissions are captured);
- ANI number (when it is transmitted by the base station).
In active subscriber search mode, the next connection to occur is monitored. In this mode *GM* continuously scans the entire band and, when an active subscriber is detected, switches to monitoring mode (naturally, only if the subscriber is talking at that moment, because the handset turns on its transmitter only for the duration of the call). If the conversation is of no interest, the operator can reset monitoring mode and "GM" will return to scanning until it finds another active party. The active subscriber search mode is advisable when accompanying a subscriber. *GM* does not determine subscriber identifiers in this mode of operation!
When monitoring the base station control channel, two modes of operation are possible:
- pass-through (end-to-end) mode
- selection by identifier mode
In pass-through mode, the first available conversation in the monitored cell is monitored and all registrations are displayed. If the conversation is not of interest, monitoring can be stopped by pressing the Break button.
In selection mode, only connections with a given TMSI, IMSI, IMEI, ANI number or dialed number are monitored. The selection list holds up to 200 identifiers. When monitoring an encrypted channel, selection is carried out by the known Ki, which uniquely identifies the subscriber without specifying TMSI, IMSI or IMEI. That selection list holds up to 40 subscribers.
*GM* is built as a single unit measuring 450x250x50 mm. *GM* is controlled from an external PC (a laptop can be connected) via an RS-232 serial port.
The package includes a device with software for reading the Ki parameter from a SIM card; reading takes up to 10 hours.
*GM* is powered from 220 V AC or from 12 V DC, for example from a car's on-board supply.
Channels for the 1800 MHz and 450 MHz bands can be manufactured to order.

Abbreviations and designations
TMSI - temporary mobile subscriber identifier (number)
IMSI - International Mobile Subscriber Identity
IMEI - International Mobile Equipment Identity (handset identification number)
Ki - subscriber's individual authentication key
1. The complex is designed to receive signals of the TTT system.
2. The complex has two receiving and processing channels, one in the upper and one in the lower part of the band.
3. The complex provides tuning to any of the 124 possible control channels.

4. Two modes are possible during operation of the complex:
- without selection;
- with selection.
The selection table can hold up to 40 identifiers. An identifier consists of an IMSI and an IMEI (it is possible to specify only the IMSI or only the IMEI). The complex performs selection by IMSI, IMEI and TMSI. After the complex is switched on, selection by TMSI is provided only after a command with a given IMEI or IMSI has been received.
Attention! The IMEI is the handset identification number (assigned by its manufacturer). The IMSI is the international subscriber identification number (stored in the SIM card). In general there is no direct correspondence between these and the subscriber's public (city) phone number; the correspondence table is kept by the operator (the company issuing the handsets).
5. Outgoing number identification is provided.
6. Handover mode is under development.
7. Processing according to the A5 algorithms (decryption) is not provided.
8. The complex is controlled by a Windows program via a serial port.
9. Recording can be made either on a tape recorder or via a Sound Blaster card.
10. When power is switched on, the complex enters active subscriber search mode. When a subscriber is found, the complex switches to receive mode. A subscriber reset is provided. In this mode no control computer is required, and subscriber IDs are not determined.
After the control program is started, the complex switches to monitoring the specified control channel (points 3 to 5 are then available).

BRIEF DESCRIPTION OF THE SYSTEM.
Widespread use of the system began in 1993 with the establishment of MTS and the granting of permission to use the 890-915 MHz and 935-960 MHz bands, less a 10 MHz segment reserved for radar operation.
According to the open press, there are currently between 180,000 and 220,000 users. In economic terms the system is quite expensive, and its users, as a rule, belong to the stratum of society known as the middle class (at least).
This fact created the preconditions and the need to develop means of monitoring the information circulating in the network.
The standard has become widespread in areas with high population density.
The system is currently deployed and in operation in the following cities:
- MOSCOW;
- ST. PETERSBURG;
- SAMARA;
- TOLYATTI;
- ROSTOV-ON-DON;
- KALUGA;
- SEVERODVINSK;
- MURMANSK;
- SMOLENSK;
- TULA;
- PSKOV;
- RYAZAN;
- VLADIMIR;
- ARKHANGELSK;
- PETROZAVODSK;
- KYIV;
- DNEPROPETROVSK;
- DONETSK;
- ODESSA.
The introduction of the system in some other cities, such as Yaroslavl, is also nearing completion.
The standard provides automatic roaming with approximately 58 countries of the world.

The advantages of the system include a digital transmission method, a large number of simultaneously served subscribers, the difficulty of creating clones (cloning a SIM card), convenience of use for the subscriber, the ability to identify stolen handsets when they are used with legal SIM cards, etc.
The above factors determined the feasibility of creating monitoring tools.
BASIC ALGORITHMS OF THE COMPLEX'S OPERATION.
The radio traffic processing algorithms provide the fullest and highest-quality access to the information circulating in the network, and also allow the capabilities of the complex to be extended to new standards without changing the basic software, by adding extra modules. These include, for example, the planned introduction of an enhanced speech vocoder, and of data and facsimile transmissions. During trial operation of the complex, the modes can be refined for the user's specific tasks.
The complex is used in stationary and mobile versions.
MODES OF OPERATION.
(basic delivery set)
Scan mode determines the base station frequencies visible at the standing point, as well as the basic network settings. During operation, the time spent analyzing a specific frequency can be chosen, and the operating mode of the control channels is analyzed. This mode provides the optimal receive path configuration. The selected configuration can be loaded or saved on the fly.
Manual Scan Mode #1 provides automatic detection of the loaded channels on visible frequencies with an indication of activity. It allows the operator to select active speech slots. If a subscriber is in the radio visibility zone, duplex reception is provided.
Manual Scan Mode #2 provides automatic tuning to visible frequencies, stopping on active frequency slots and forming up to four duplexes in automatic end-to-end mode. When the active channel closes, autoscan continues. Scanning can also be continued by operator command. This mode allows conversations on the maximum possible number of channels to be recorded automatically, with or without an operator present. It is mainly used when traffic activity is low, for example at night when there is no operator, or when there are few visible frequencies. Duplex reception is provided when the subscriber is in the radio visibility zone.
The temporary number mode allows, on selected control channels (no more than six), automatic tuning to subscribers' temporary numbers with statistics; when a subscriber of interest is chosen from the received information, or upon re-registration in the network when working in the mobile version, the subscriber is entered into the database and kept under continuous monitoring. The probability of continuous monitoring depends on the number of crossover frequencies (with 10-12 frequencies the probability is 80%) and on the speed of movement (up to 80 km/h according to the standard of the signal used).
Additional delivery set.
Energy Determination Mode #1 determines energetically available subscribers, identifies active frequencies and presents the result to the operator; at the operator's command the channel is set for reception with simultaneous duplex reception. Number of receive channels: up to four duplexes.
Energy Determination Mode #2 determines energetically available subscribers within range of portable devices. It provides automatic scanning of the band with determination of active frequencies and automatic tuning to active slots with recording of conversations. When a session ends, automatic monitoring continues.
The extended version includes a module that, when a portable device is present in the radio visibility zone, determines and identifies the number of a fixed or mobile subscriber during a call towards the base station, and also identifies the subscriber when the IMEI number is transmitted.
Regions in Russia where MTS subscribers can use communication services:
(data as of April 6)
1. MTS
Moscow, Moscow region, Tver, Tver region, Syktyvkar, Ukhta, Kostroma, Komi Republic.
2. Russian Telephone Company (RTK) - connected to the MTS switch
Vladimir, Vladimir region, Kaluga, Kaluga region, Pskov, Ryazan, Ryazan region, Smolensk, Smolensk region, Tula, Tula region.
3. Recomm
Oryol, Lipetsk.
4. Tambov Telecommunications
Tambov, Michurinsk.
5. National roaming

| # | City | Operator (network code) | Service area |
|---|------|-------------------------|--------------|
| 1 | St. Petersburg | North-West GSM (250 02) | Arkhangelsk, Vologda, Leningrad region, Murmansk, Veliky Novgorod, Petrozavodsk, Severodvinsk, Cherepovets |
| 2 | Samara | SMARTS (250 07) | Astrakhan, Tolyatti, Ufa |
| 3 | Rostov-on-Don | Dontelecom (250 10) | Azov, Taganrog |
| 4 | Krasnodar | Kuban GSM (250 13) | Adler, Anapa, Gelendzhik, Goryachy Klyuch, Dagomys, Yeysk, Lazarevskaya, Matsesta, Krasnaya Polyana, Dinskaya, Novorossiysk, Tuapse, Sochi, Timashevsk, Temryuk, Krymsk, Khosta |
| 5 | Yekaterinburg | Uraltel (250 39) | |
| 6 | Nizhny Novgorod | NSS (250 03) (!!! international access is required for outgoing calls) | |
| 7 | Stavropol | StavTeleSot (250 44) | Essentuki, Nevinnomyssk, Kislovodsk, Pyatigorsk, Mineralnye Vody |
| 8 | Novosibirsk | CCC 900 (250 05) | |
| 9 | Omsk | Mobile Communication Systems (250 05) | |
| 10 | Surgut | Ermak RMS (250 17) | Langepas, Nizhnevartovsk, Megion, Khanty-Mansiysk, Nefteyugansk |
| 11 | Khabarovsk | Far Eastern Cellular Systems-900 (250 12) | |
| 12 | Kaliningrad | EXTEL (250 28) | |
International roaming

| # | Country | Operators |
|---|---------|-----------|
| 1 | Austria | MobilKom; max mobile. Telecom Service; CONNECT |
| 2 | Australia | Telstra |
| 3 | Azerbaijan (CIS) | Azercell |
| 4 | Andorra | STA |
| 5 | Bahrain | Batelco |
| 6 | Belgium | Belgacom Mobile; Mobistar S.A. |
| 7 | Ivory Coast | SIM |
| 8 | Bulgaria | MobilTel AD |
| 9 | UK | Vodafone Ltd.; Cellnet; Orange GSM-1800 |
| 10 | Hungary | Westel 900 GSM Mobile; Pannon GSM |
| 11 | Germany | DeTeMobile (D-1); Mannesmann Mobilfunk (D-2) |
| 12 | Greece | Panafon S.A.; STET Hellas |
| 13 | Georgia (CIS) | Geocell; Magticom Ltd |
| 14 | Hong Kong | Hong Kong Telecom CSL; Hutchison Telephone Comp.; SmarTone Mobile Communications |
| 15 | Gibraltar | Gibtel |
| 16 | Denmark | Sonofon; TeleDanmark Mobil A/S |
| 17 | Jersey | Jersey Telecoms |
| 18 | Italy | TIM; Omnitel Pronto Italia S.p.A. |
| 19 | Iceland | Lands siminn; TAL |
| 20 | Spain | Airtel Movil, S.A.; Telefonica Moviles |
| 21 | Indonesia | Satelindo; PT Excelcomindo Pratama; Telkomsel |
| 22 | Ireland | Aircell; Esat Digifone |
| 23 | Cyprus | CYTA |
| 24 | China | China Telecom |
| 25 | Latvia | LMT; Baltcom GSM |
| 26 | Lithuania | Bite GSM; Omnitel |
| 27 | Lebanon | LibanCell; FTML S.A.L. |
| 28 | Luxembourg | P&T Luxembourg; Tango |
| 29 | Isle of Man | Manx Telecom Ltd. |
| 30 | Macau | CTM |
| 31 | Macedonia | GSM MobiMak |
| 32 | Mauritius | Cellplus |
| 33 | Malaysia | Celcom |
| 34 | Malta | Telecell Limited; Vodafone Malta |
| 35 | Moldova | Voxtel |
| 36 | Norway | Telenor Mobil AS; NetCom GSM as |
| 37 | New Zealand | BellSouth New Zealand |
| 38 | Netherlands | Libertel B.V.; KPN Telecom; Telfort |
| 39 | UAE | Etisalat |
| 40 | Portugal | Telecel; TMN |
| 41 | Poland | Polska Telefonia Cyfrowa (ERA); Polkomtel S.A.; Centertel GSM-1800 |
| 42 | Romania | MobilFon SA; Mobil Rom |
| 43 | USA | Omnipoint |
| 44 | Singapore | SingTel Mobile (GSM 900/1800); Mobile One |
| 45 | Slovakia | Globtel; EuroTel Bratislava |
| 46 | Slovenia | Mobitel |
| 47 | Thailand | Advanced Info Service (AIS) |
| 48 | Taiwan | Chunghwa Telecom LDM; GSM PCC; FarEasTone; Mobitai Communications Corp. |
| 49 | Turkey | Telsim; Turkcell |
| 50 | Uzbekistan | Coscom |
| 51 | Ukraine | UMC; Kyivstar; URS |
| 52 | Finland | Oy Radiolinja Ab; Sonera |
| 53 | France | SFR; France Telecom |
| 54 | Croatia | HPT |
| 55 | Czech Republic | EuroTel Praha; RadioMobil |
| 56 | Sweden | Europolitan AB; Comviq GSM AB; Telia Mobile AB |
| 57 | Switzerland | Swiss Telecom PTT |
| 58 | Sri Lanka | MTN |
| 59 | Estonia | EMT; Radiolinja Eesti; AS Ritabell |
| 60 | Yugoslavia | Mobtel *Srbija* BK-PTT; ProMonte (Montenegro) |
| 61 | South Africa | MTN; Vodacom (Pty) Ltd |

It can be ordered!
Draw your own conclusions.

Not so long ago I studied what HackRF can do for analysing GSM network traffic. The device's clock drifts somewhat, but in any case the result is access to various system messages. Below I assume that you have Linux with GNU Radio installed and that you are the proud owner of a HackRF. If not, you can use the live CD described in the "Software" section of the forum; it is a great option, since HackRF works on it right out of the box.

First we need to determine the frequency of the local GSM base station. For this I used gprx, which is included on the live CD. After analysing the frequencies around 900 MHz, you will see something like this:

You can see fixed channels at 952 MHz and 944.2 MHz. These frequencies will be our starting points.

Now install Airprobe with the following commands:

git clone git://git.gnumonks.org/airprobe.git

cd airprobe/gsmdecode
./bootstrap
./configure
make

cd ../gsm-receiver
./bootstrap
./configure
make

Installation is complete, and we can now receive the GSM signal. Start Wireshark.

Select "lo" as the capture interface and enter gsmtap as the display filter, as shown in the following figure:

Now go back to the terminal and type

cd airprobe/gsm-receiver/src/python
./gsm_receive_rtl.py -s 2e6

A window will open; turn off autoscale and set the slider to maximum. Then enter one of the GSM frequencies found earlier as the center frequency.

In the trace options section, also select the peak and average values, as shown below:

You will see that in places only the live signal (blue trace) rises above the peak value (green trace), which indicates a permanent channel. Now we need to start decoding: click in the middle of that frequency spike in the window. You may see errors, but this is normal. This is how I started receiving data:

Now you can see GSM data arriving in Wireshark. As I mentioned at the beginning of the article, the clock drifts, so you have to keep clicking on the spike to hold the set frequency. Still, the program works pretty well. Funny as it sounds, wrapping your HackRF in a towel (or similar) improves the thermal stability of the clock and reduces the drift. On its own you probably won't find this method very useful, but I think it at least shows the huge potential of HackRF.
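To show what the gsmtap frames arriving on `lo` actually contain, here is an added Python example (not part of the original article or of the airprobe project) that parses a GSMTAP v2 header, converts the ARFCN to the GSM-900 downlink frequency, and decodes the Location Area Identity and Cell Identity from a System Information Type 3 message carried on the BCCH. The datagram is constructed inline for the example: the LAC and Cell ID values are made up, the network code 250 02 is taken from the roaming list above, and ARFCN 46 corresponds to the 944.2 MHz channel found earlier.

```python
import struct

# GSMTAP v2 header (16 bytes), as emitted over UDP/4729 by airprobe and dissected
# by Wireshark's "gsmtap" filter. Field order follows gsmtap.h from the osmocom project.
GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01            # GSM Um (air interface) L2 frame
GSMTAP_ARFCN_F_PCS = 0x8000      # flag bits packed into the 16-bit ARFCN field
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3FFF
UM_SUBTYPES = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
               6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}


def arfcn_to_mhz(arfcn, uplink=False):
    """Primary GSM-900 band only: downlink = 935 + 0.2*n MHz, uplink 45 MHz lower."""
    if not 0 <= arfcn <= 124:
        raise ValueError(f"ARFCN {arfcn} is outside the primary GSM-900 band")
    return round((890.0 if uplink else 935.0) + 0.2 * arfcn, 1)


def downlink_mhz_to_arfcn(mhz):
    """Inverse of arfcn_to_mhz for a downlink frequency, e.g. 944.2 MHz -> ARFCN 46."""
    arfcn = round((mhz - 935.0) / 0.2)
    if not 0 <= arfcn <= 124:
        raise ValueError(f"{mhz} MHz is not a primary GSM-900 downlink channel")
    return arfcn


def parse_gsmtap(datagram):
    """Split a GSMTAP datagram into its header fields and the L2 payload."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len_words, msg_type, timeslot, arfcn_field, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, _sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    if msg_type != GSMTAP_TYPE_UM:
        raise ValueError(f"not a GSM Um frame (type {msg_type})")
    hdr_len = hdr_len_words * 4                  # header length is given in 32-bit words
    arfcn = arfcn_field & GSMTAP_ARFCN_MASK
    uplink = bool(arfcn_field & GSMTAP_ARFCN_F_UPLINK)
    return {
        "arfcn": arfcn,
        "uplink": uplink,
        "pcs": bool(arfcn_field & GSMTAP_ARFCN_F_PCS),
        # other bands (DCS-1800, PCS) are not converted by this example
        "freq_mhz": arfcn_to_mhz(arfcn, uplink) if arfcn <= 124 else None,
        "timeslot": timeslot,
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": UM_SUBTYPES.get(sub_type, f"subtype {sub_type}"),
        "payload": datagram[hdr_len:],
    }


def decode_si3(l2_frame):
    """Decode Cell Identity and LAI from an RR System Information Type 3 message.
    After the 1-byte L2 pseudo-length come: protocol discriminator, message type (0x1B),
    Cell Identity (2 bytes) and the LAI (MCC/MNC as BCD nibbles, then a 2-byte LAC)."""
    if len(l2_frame) < 10:
        raise ValueError("SI3 too short")
    pseudo_len, pd, msg_type = l2_frame[0], l2_frame[1] & 0x0F, l2_frame[2]
    if pseudo_len & 0x03 != 0x01 or pd != 0x06 or msg_type != 0x1B:
        raise ValueError("not an RR System Information Type 3 message")
    cell_id = int.from_bytes(l2_frame[3:5], "big")
    b0, b1, b2 = l2_frame[5], l2_frame[6], l2_frame[7]
    mcc = f"{b0 & 0xF}{b0 >> 4}{b1 & 0xF}"
    mnc = f"{b2 & 0xF}{b2 >> 4}" + ("" if (b1 >> 4) == 0xF else f"{b1 >> 4}")
    lac = int.from_bytes(l2_frame[8:10], "big")
    return {"cell_id": cell_id, "mcc": mcc, "mnc": mnc, "lac": lac}


# Constructed sample (not a real capture): one BCCH frame on ARFCN 46 (944.2 MHz downlink)
# carrying SI3 for PLMN 250 02 with a made-up LAC 0x1234 and Cell ID 0x0ABC, padded to 23 bytes.
SAMPLE_SI3 = bytes([0x49, 0x06, 0x1B, 0x0A, 0xBC, 0x52, 0xF0, 0x20, 0x12, 0x34]) + b"\x2B" * 13
SAMPLE_DATAGRAM = GSMTAP_HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0, 46, -60, 10,
                                  123456, 1, 0, 0, 0) + SAMPLE_SI3

if __name__ == "__main__":
    hdr = parse_gsmtap(SAMPLE_DATAGRAM)
    print({k: v for k, v in hdr.items() if k != "payload"})
    print(decode_si3(hdr["payload"]))
```

Pointing this parser at the UDP datagrams on `lo` gives the same LAI and Cell ID that Wireshark shows in its SI3 dissection; comparing those against the cells you expect to see at a location is the basis of the rogue-cell checks discussed later on this page.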

Let us turn to the question of breaking GSM. Articles about vulnerabilities in A5/1 appeared about 15 years ago, but there has still been no public demonstration of an A5/1 break in the real world. Moreover, as can be seen from the description of the network, besides cracking the encryption algorithm itself a number of purely engineering problems must be solved, and these are usually left out of consideration (including at public demonstrations). Most articles on GSM hacking are based on the 2006 paper by Elad Barkan et al. and on Karsten Nohl's research. In their paper, Barkan et al. showed that because in GSM error correction is applied before encryption (it should be the other way round), the search space for recovering Kc can be reduced somewhat, making a ciphertext-only attack (with completely passive listening to the air) feasible in acceptable time using precomputed data. The authors themselves state that for a break within 2 minutes on interference-free reception, 50 terabytes of precomputed data are required. The same paper (in the section on A5/2) notes that the signal from the air always arrives with interference, which complicates key recovery. For A5/2 a modified algorithm is presented that can account for interference, but it requires twice as much precomputed data and accordingly doubles the cracking time. For A5/1 the possibility of constructing a similar algorithm is indicated, but the algorithm itself is not given; it can be assumed that here too the amount of precomputed data must be doubled. The A5/1 key recovery process is probabilistic and time dependent: the longer the listening, the more likely Kc is to be recovered. Thus the 2 minutes stated in the paper is an approximate, not a guaranteed, time for recovering Kc. Karsten Nohl is developing the best-known GSM hacking project.
By the end of 2009 his computer security firm intended to release rainbow tables of session keys for the A5/1 algorithm, which is used to encrypt speech in GSM networks. Karsten Nohl explains his move against A5/1 as a wish to draw public attention to the existing problem and force telecom operators to switch to more advanced technologies. For example, UMTS technology uses the 128-bit A5/3 algorithm, whose strength is such that it cannot be broken by any means available today. Karsten calculates that a complete A5/1 key table would be 128 petabytes in size when packed and distributed across multiple computers on a network; computing it would take about 80 computers and 2-3 months of work. The use of modern CUDA graphics cards and Xilinx Virtex programmable arrays should significantly reduce the computation time. His talk at 26C3 (Chaos Communication Congress) in December 2009 in particular made a lot of noise. The essence of the presentation can be summarized as follows: we can soon expect the appearance of low-cost systems for online decoding of A5/1. Let us move on to the engineering problems. How do you get data from the air? To intercept conversations you need a full-fledged scanner that can work out which base stations are broadcasting around, on which frequencies, which operators they belong to, and which phones with which TMSIs are currently active. The scanner must be able to follow the conversation from the specified phone and correctly handle transitions to other frequencies and base stations. There are offers on the Internet to buy such a scanner without a decoder for 40-50 thousand dollars; it cannot be called a budget device. Thus, to create a device that, after simple manipulations, could start listening to a phone conversation, it is necessary to:


a) implement the part that works with the air interface; in particular, it lets you specify which TMSI corresponds to the phone you are looking for or, using active attacks, forces phones to "reveal" their real IMSI and MSISDN;

b) implement a Kc recovery algorithm for A5/1 that works well on real data (with noise/errors, gaps, etc.);

d) combine all these points into a complete working solution.

Karsten and the other researchers essentially solve point "c". In particular, he and his colleagues suggest using OpenBTS, airdump and Wireshark to create an IMSI catcher. For now we can say that this device emulates a base station and sits between the MS and a real base station. The speakers argue that a SIM card can easily prevent a phone from showing that it is running in A5/0 mode (i.e. with no encryption at all), and that most SIM cards in circulation are like that. This is indeed possible. GSM 02.07 (Normative Annex B.1.26) states that the SIM card contains a special OFM bit in the Administrative Data field which, if set to one, disables the indication of connection encryption (the padlock icon). GSM 11.11 specifies the following access rights for this field: read is always allowed, and write permission is described as "ADM". The specific set of rights governing writes to this field is set by the operator when the SIM cards are made. Thus the speakers hope that most cards are issued with the bit set and that phones therefore really do not indicate the absence of encryption. This makes the IMSI catcher's job much easier: the owner of the phone cannot detect the lack of encryption and suspect anything. An interesting detail: the researchers found that phone firmware is tested for compliance with the GSM specifications but not for handling abnormal situations, so when a base station misbehaves (for example the "dummy" OpenBTS used for interception), phones often freeze. The greatest resonance was caused by the statement that for only $1,500 a ready-made kit for listening to conversations can be assembled from USRP, OpenBTS, Asterisk and airprobe.
This information was widely circulated on the Internet; only the authors of these news items and the articles derived from them forgot to mention that the speakers themselves provided no details and that no demonstration took place. In December 2010 Karsten and Sylvain Munaut again spoke at the 27C3 conference with a report on intercepting conversations in GSM networks. This time they presented a more complete scenario, but it relies on many "ideal laboratory" conditions. For locating the subscriber they use Internet services that make it possible to send "send routing info" requests into the SS7 network. SS7 is the network/protocol stack used for communication between telephone operators (GSM and landline) and between GSM network components. The authors then refer to the implementation of mobile communications in Germany, where the result of such a request correlates well with the area code (zip code). Such requests there therefore make it possible to locate the subscriber to within a city or even part of a city. But an operator is not obliged to behave that way. Now the researchers know the city. They then take a sniffer, go to that city and start visiting all its LACs. Arriving in the territory of some LAC, they send an SMS to the victim and listen for whether the victim's phone is being paged (this happens over an unencrypted channel, on all base stations at once). If there is a page, they obtain the TMSI that was issued to the subscriber; if not, they go on to check the next LAC. Note that since the IMSI is not transmitted during paging (and the researchers do not know it), but only the TMSI (which is what they want to find out), a "timing attack" is performed.
They send several SMS messages with pauses between them and watch which TMSIs are paged, repeating the procedure until only one (or none) remains on the list of "suspicious" TMSIs. So that the victim does not notice this "probing", an SMS is sent that will not be shown to the subscriber: either a specially crafted flash SMS or a malformed (broken) SMS, which the phone processes and deletes without showing anything to the user. Having found the LAC, they begin to visit all the cells of that LAC, sending an SMS and listening for the paging response. If there is a response, the victim is in that cell, and the cracking of her session key (Kc) and listening to her conversations can begin. Before that, the air traffic must be recorded. Here the researchers suggest the following:

1) there are custom FPGA boards capable of simultaneously recording all channels of either the uplink (the channel from the subscriber's phone or modem to the operator's base station) or the downlink (the channel from the base station to the subscriber) across the GSM band (890-915 and 935-960 MHz respectively). As already noted, such equipment costs 40-50 thousand dollars, so its availability to an ordinary security researcher is doubtful;

2) you can take less powerful and cheaper equipment and listen to a subset of the frequencies on each unit. This option costs about 3.5 thousand euros for a USRP2-based solution;

3) you can first break the session key and then decode the traffic on the fly, following the frequency hopping, using four phones running the alternative OsmocomBB firmware instead of the native one. Phone roles: the first phone is used for paging and answer control, the second is assigned to the subscriber for the conversation. Each phone must record both reception and transmission, which is a very important point. Until then OsmocomBB did not actually work, and it took a year (from 26C3 to 27C3) to bring it to a usable state, i.e. until the end of 2010 there was no practical working solution. Session key cracking: being in the same cell as the victim, they send an SMS to it, record the victim's exchange with the base station, and crack the key, exploiting the fact that during session setup many half-empty packets, or packets with predictable content, are exchanged. Rainbow tables are used to speed up the cracking. At the time of 26C3 these tables were not yet well filled, and cracking took not minutes or even tens of minutes (the authors mention an hour). That is, before 27C3 even Karsten (the main researcher in this area) had no solution that allowed Kc to be cracked in acceptable time (during which, most likely, no session key change (rekeying) would occur). The researchers then take advantage of the fact that rekeying is rarely done after every call or SMS, so the session key they learn will not change for a while. Now, knowing the key, they can decode encrypted traffic to/from the victim in real time, following the frequency hopping together with the victim. In this case four reflashed phones are indeed enough to capture the air, since it is not necessary to record all frequencies and all timeslots. The researchers demonstrated this technique in action; admittedly, the "victim" sat still and was served by a single cell.
Summing up this intermediate result, we can answer affirmatively the question of whether GSM conversations can be intercepted and decrypted on the fly. In doing so, the following must be kept in mind:

1) The technology described above does not exist in a form available to anyone (including script kiddies). This is not even a constructor, but a blank for constructor parts that need to be completed to a usable state. Researchers repeatedly notice that they do not have clear plans for laying out the specifics of the implementation in the public domain. This means that based on these developments, manufacturers in the Middle East are not mass-producing $100 devices that everyone can listen to.

2) OsmocomBB supports only one family of chips (albeit the most common one).

3) The method of determining the location by requests to the HLR and enumeration of the LAC works in theory rather than in practice. In practice, the attacker either knows where the victim is physically, or cannot get into the same cell as the victim. If the attacker cannot listen to the same cell where the victim is located, then the method does not work. Unlike the demo, in reality there are thousands of paging messages in a load average LA. Moreover, paging does not work at the time of sending, but at certain time windows and in batches (according to paging groups with their own queues, the number of which is the remainder of dividing IMSI by the number of channels, which can be different in each cell), which again complicates the implementation .

4) Let's say LA is found. Now we need to “feel” the subscriber's answer. The phone transmitter has a power of 1-2 watts. Accordingly, scanning it from a distance of several tens of meters is also a task (not an easy one). It turns out a paradox: LA covers, for example, an entire region (city). In it, for example, 50 cells, some of which have a range of up to 30 km. We are trying to catch and decipher radiation on an omnidirectional antenna. To accomplish this task in this embodiment, a lot of equipment is required. If we proceed from the premise under which the victim is in direct line of sight, i.e. the distance at which the interception looks more realistic, a much more effective and simpler directional microphone. It should be noted that in the demonstration, the researchers intercept their phones at a distance of 2 meters.

5) The movement of the prey between cells also causes problems, because you also need to move with it.

6) The phones used in the demonstration require hardware modification, they need to remove the filter from the antenna, otherwise the “alien” uplink phones will not “see”. The filter in the phone is needed in order to "listen" not to all frequencies, but only to "one's own".

7) If the network regularly changes the key (rekeying) or changes the TMSI (none of the researchers took this into account), then this method does not work at all or works very poorly (the decryption time may be longer than the conversation time).

8) Listening to the entire network will not work; you need to know the phone number.

Probably even housewives know that public Wi-Fi hotspots are unsafe. That does not stop ordinary users from using them for all they are worth: after all, if you shouldn't, but you're bored and really want to, then you can! And without any VPN, even though a VPN function is now built into complex antivirus products. An ordinary mobile connection has always been considered a healthy alternative to Wi-Fi, especially since every year it gets cheaper and faster. But is it as safe as we think? In this article we have collected the main questions and answers about the interception of mobile data, to decide whether an ordinary user, far removed from state secrets, should be afraid.

What is an IMSI interceptor?

This is a device (the size of a suitcase or even just a phone) that exploits a design feature of mobile phones: they prefer the cell tower whose signal is strongest (to maximize signal quality and minimize their own power consumption). In addition, in GSM (2G) networks only the mobile phone must undergo an authentication procedure (nothing is required of the cell tower), so it is easy to mislead, including into disabling data encryption. The universal mobile telecommunications system UMTS (3G), on the other hand, requires two-way authentication; however, this can be bypassed using the GSM compatibility mode found on most networks. 2G networks are still widespread: operators use GSM as a backup network where UMTS is not available. More in-depth technical details of IMSI interception are available in a report from SBA Research. Another pithy description, which has become a desk reference of modern cyber counterintelligence, is the article "Your Secret StingRay's No Secret Anymore", published in the fall of 2014 in the Harvard Journal of Law & Technology.

When did the first IMSI interceptors appear?

The first IMSI interceptors appeared back in 1993 and were large, heavy and expensive. "Long live domestic microcircuits: with fourteen legs ... and four handles." The manufacturers of such interceptors could be counted on the fingers of one hand, and the high cost limited the circle of users exclusively to government agencies. However, they are now becoming cheaper and less bulky. For example, Chris Paget built an IMSI interceptor for just $1,500 and presented it at the DEF CON conference back in 2010. His version consists of a programmable radio and free, open-source software: GNU Radio, OpenBTS, Asterisk. All the information a developer needs is in the public domain. And in mid-2016 the hacker Evilsocket offered his version of a portable IMSI interceptor for just $600.

How do IMSI interceptors monopolize access to a mobile phone?

  • They trick your cell phone into thinking theirs is the only available connection.
  • They are configured so that you cannot make a call without the IMSI interceptor acting as intermediary.
  • Read more about monopolization in the SBA Research paper "IMSI-Catch Me If You Can: IMSI-Catcher-Catchers".

The range of commercially sold interceptors is impressive. What about home-made ones?

  • Today (in 2017), enterprising technicians are building IMSI interceptors from commercially available high-tech off-the-shelf components and a powerful radio antenna for under $600 (see Evilsocket's version of the IMSI interceptor). That concerns stable IMSI interceptors. There are also experimental, cheaper ones that work unstably: for example, in 2013 an unstable IMSI interceptor built from $250 worth of hardware components was presented at the Black Hat conference. Today such an implementation would be even cheaper.
  • If we also take into account that modern Western high-tech military equipment has an open hardware architecture and open-source software (today a prerequisite for ensuring compatibility of software and hardware systems developed for military needs), developers interested in manufacturing IMSI interceptors hold all the trump cards. You can read about this current military high-tech trend in Leading Edge magazine (see the article "The Benefits of SoS Integration" in the February 2013 issue). Not to mention that the US Department of Defense recently expressed its willingness to pay $25 million to a contractor who would develop an effective RFID system (see the April 2017 issue of the monthly Military Aerospace). One of the main requirements for this system is that its architecture and components be open. Thus, openness of the architecture is today an indispensable condition for the compatibility of software and hardware systems developed for military needs.
  • Therefore, manufacturers of IMSI interceptors do not even need great technical qualifications: they just need to be able to choose a combination of existing solutions and put them in one box.
  • In addition, modern microelectronics, which is getting cheaper at a breakneck pace, lets you fit a home-made device not just in one box but even (!) on one chip (see the description of the SoC concept) and, beyond that, set up an on-chip wireless network (see the description of the NoC concept at the same link), which is replacing traditional data buses. What can we say about IMSI interceptors, when even technical details of the hardware and software components of the ultra-modern American F-35 fighter can be found in the public domain today.

Can I be the victim of an "accidental interception"?

Quite possibly. By simulating a cell tower, IMSI interceptors listen to all local traffic, which among other things includes the conversations of innocent passers-by (read "the revelations of Big Brother's older sister"). That is the favorite argument of "privacy lawyers" who oppose the use of IMSI interceptors by the law enforcement agencies that use this high-tech equipment to hunt down criminals.

How can an IMSI interceptor track my movements?

  • Most often, the IMSI interceptors used by local law enforcement agencies are used for tracking.
  • Knowing the IMSI of the target mobile, the operator can program the IMSI interceptor to communicate with the target mobile when it is in range.
  • Once connected, the operator uses an RF mapping process to determine the direction of the target.

Can they listen to my calls?

  • It depends on the IMSI interceptor used. Interceptors with basic functionality simply record: "such and such a mobile phone is in such and such a place."
  • To listen to conversations, an IMSI interceptor requires an additional set of features that manufacturers build in for an additional fee.
  • 2G calls are easily tapped; IMSI interceptors for them have been available for more than a decade.
  • The cost of an IMSI interceptor depends on the number of channels, operating range, encryption type, signal encoding/decoding rate, and which radio interfaces have to be covered.

Listening to a mobile phone is one of the methods of unauthorized access to personal data. It includes the interception and decryption of GSM packets (the digital communication standard used in mobile phones), SMS and MMS messages.

The risk of intrusion into the privacy of owners of phones, smartphones and tablets, or rather into their conversations and correspondence, grows day by day. Devices that scan and analyze the flow of radio signals, special software for decrypting GSM, and other technical and software tricks are more accessible today than ever before. If you wish, you can buy them, or even get them for free (utilities). Listening to a mobile is no longer the prerogative of the special services alone.

Who is tapping phones

The contingent of those eager to know the content of private conversations and SMS messages is large enough; it includes both amateur spies and sophisticated professionals. These people have correspondingly different goals and intentions.

Phone tapping is carried out by:

  • Law enforcement: to prevent terrorist attacks and provocations, to collect evidence during operational-investigative work, to search for offenders. With the written permission of a prosecutor or court, they can intercept and record telephone conversations on all wireless (including GSM) and wired switching lines.
  • Business competitors: they turn to professionals to conduct industrial espionage, collecting compromising evidence on the management of a rival company, finding out commercial plans, production secrets and information about partners. They spare no money or effort to achieve their goal, using the latest equipment and high-class specialists.
  • Close circle (family members, friends, acquaintances): depending on financial means, telephone communication is monitored either independently (after a brief acquaintance with the technology) or by turning to "craftsmen" who provide the service at affordable prices. The motives for espionage are predominantly domestic: jealousy, division of an inheritance, intrigue, excessive displays of care, banal curiosity.
  • Swindlers and blackmailers: operate exclusively on their own and choose victims (mobile subscribers) deliberately. By intercepting conversations they find out all the information of interest (business activities, meetings, immediate plans, circle of acquaintances) and then use it together with social engineering methods to influence the phone's owner and extract money.
  • Hackers: intercept conversations mainly with software tools, i.e. viruses, but sometimes also use devices that scan GSM. Victims are chosen randomly, on the principle of "whoever gets caught". Their interest is the extraction of information "trophies": funny remarks recorded from private calls, comical misunderstandings and showdowns are posted by digital hooligans in various online publications for the amusement of visitors.
  • Jokers: usually the victims are known to them. They organize "one-time" espionage for "fun", a prank, or to arrange some kind of surprise, although sometimes they succumb to the vile temptation, having heard from the lips of the overheard interlocutors some secret of their personal or business life.

Mobile Listening Methods

1. Installation of the "bug"

The traditional method of surveillance, but nevertheless effective and affordable in financial terms. A tiny device the size of a pinhead (or even smaller) is installed in the victim's phone in no more than 10 minutes, and its presence is carefully masked, both visually and at the hardware level.

The "bug" is powered by a battery, so it functions even when there are no telephone conversations, i.e. it constantly "listens" to the surrounding space within the sensitivity radius of the microphone. Sound is transmitted over a GSM connection or over a given radio channel, depending on the technical modification of the device.

2. GSM signal interception

From a technical point of view, one of the most difficult methods, but also one of the most productive and powerful. Its principle of operation is based on gaining unauthorized access to a private GSM channel and subsequently decrypting its packets. The interceptor installs scanning equipment with integrated software designed to "read" the signals between the repeater tower and the subscriber and then, after waiting for a connection to be established (if hunting a specific number), starts wiretapping.

Mobile encryption algorithms

All mobile operators use secret data encryption algorithms to encode signals. Each of them serves a specific purpose:

  • A3 prevents phone cloning (protects the authorization procedure);
  • A5 encodes the digitized speech of subscribers (ensures the confidentiality of conversations);
  • A8 is a service cryptographic key generator that uses the data obtained by the A3 and A5 algorithms.

Interceptors focus their attention on the A5 algorithm (which masks speech), which they intercept and decrypt. Because of export peculiarities of the A5 cryptosystem, two versions of it were developed:

  • A5/1 for Western European countries;
  • A5/2 (a stripped-down, weak version) for other countries (including the CIS states).
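The division of labour between A3, A8 and A5, and the remark in item 7 above that a network which does not rekey leaves the same session key in use, can be shown with a small model of the GSM authentication exchange. This is an added example, not code from the page or from any operator: the real A3/A8 are operator-specific (COMP128 variants in practice) and A5/1 is a hardware stream cipher, so all three are replaced here by labelled HMAC-SHA256 stand-ins; the key lengths and the message flow are the GSM ones.

```python
"""Model of the GSM authentication and key-agreement flow (roles of A3, A5, A8).

Added illustration, not code from the page. A3 and A8 are operator-specific
and A5/1 is a hardware stream cipher; here all three are replaced by labelled
HMAC-SHA256 stand-ins so the exchange runs offline. What the model keeps is the
structure: SIM and authentication centre (AuC) share a secret Ki, the network
sends a RAND challenge, A3 yields the SRES the SIM must return, A8 yields the
session key Kc, and A5 encrypts speech with Kc plus the TDMA frame number.
The phone never authenticates the network, and Kc depends only on (Ki, RAND).
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KI_LEN = 16    # Ki: 128-bit subscriber secret, stored in the SIM and in the AuC
RAND_LEN = 16  # RAND: 128-bit challenge chosen by the network
SRES_LEN = 4   # SRES: 32-bit response checked by the network
KC_LEN = 8     # Kc: 64-bit session key handed to A5


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: derive the 32-bit SRES from Ki and RAND."""
    return hmac.new(ki, b"A3|" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: derive the 64-bit session key Kc from Ki and RAND."""
    return hmac.new(ki, b"A8|" + rand, hashlib.sha256).digest()[:KC_LEN]


def a5_stand_in(kc: bytes, frame_number: int, data: bytes) -> bytes:
    """Stand-in for A5: keystream from Kc and the frame number, XORed with data.
    Symmetric, so the same call decrypts. Real A5/1 is an LFSR cipher, not HMAC."""
    keystream = hmac.new(kc, frame_number.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def auc_triplet(ki: bytes, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Authentication centre side: produce the (RAND, SRES, Kc) triplet."""
    rand = rand if rand is not None else os.urandom(RAND_LEN)
    return rand, a3_stand_in(ki, rand), a8_stand_in(ki, rand)


def sim_respond(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """SIM side: answer a challenge. Nothing here checks who sent RAND;
    any base station that speaks the protocol gets an answer."""
    return a3_stand_in(ki, rand), a8_stand_in(ki, rand)


def run_authentication(ki_sim: bytes, ki_auc: bytes,
                       rand: Optional[bytes] = None) -> Tuple[bool, bytes, bytes]:
    """One authentication round. Returns (accepted_by_network, kc_network, kc_sim)."""
    rand, expected_sres, kc_net = auc_triplet(ki_auc, rand)
    sres, kc_sim = sim_respond(ki_sim, rand)
    return hmac.compare_digest(sres, expected_sres), kc_net, kc_sim


if __name__ == "__main__":
    ki = bytes(range(KI_LEN))  # constructed sample secret
    ok, kc_net, kc_sim = run_authentication(ki, ki)
    print("network accepted SIM:", ok, "| shared Kc:", kc_net == kc_sim)
    ct = a5_stand_in(kc_net, 42, b"speech frame")
    print("decrypts:", a5_stand_in(kc_net, 42, ct))
```

Two properties of the model are worth checking by hand: a replayed RAND reproduces exactly the same Kc (which is why rekeying matters), and the SIM answers whatever RAND it is given, because the protocol has no step in which the network proves its identity to the phone.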

For some time the essence of the A5 algorithm was a mystery behind seven seals, a technological secret at the level of a state secret. However, by the beginning of 1994 the situation had changed radically: sources appeared that revealed its basic principles of encryption in detail.

Today almost everything about A5 is known to the interested public. In short: A5 creates a 64-bit key by irregularly shifting three linear registers, whose lengths are 23, 22 and 19 bits respectively. Despite the key's high resistance to brute force, hackers have learned to "open" it on medium-power equipment, both in the strong (/1) and the weak (/2) version, using special software (developed by them) that unravels the A5 "tangle" with a variety of cryptanalysis methods.

Interception and monitoring equipment

The first mobile listening devices appeared immediately after the adoption of the GSM standard. There are about 20 top solutions actively used for wiretapping by private individuals and legal entities. Their cost ranges between $2,000 and $12,000. (See: Budyonny design engineers equipped the departments of the Ministry of Internal Affairs with listening devices.)

Any model of GSM interceptor (sniffer), regardless of its technical characteristics (design, speed, cost), performs the following functions:

  • channel scanning and detection of active channels;
  • monitoring of the control and voice channels of the repeater/mobile phone;
  • recording of the signal to external media (hard drive, USB flash drive);
  • identification of subscribers' telephone numbers (called and calling).

The following devices are actively used to monitor mobile channels:

  • GSM Interceptor Pro: coverage area of 0.8-25 km, supports A5/1 and A5/2;
  • PostWin: a complex based on a P-III class PC. In addition to GSM-900, it intercepts the AMPS/DAMPS and NMT-450 standards;
  • SCL-5020: an Indian-made device. It determines the distance to the repeater and can listen to up to 16 GSM channels simultaneously.

3. Changing the "firmware" of the phone

After a technical modification, the victim's phone copies all conversations and sends them to the hacker via GSM, Wi-Fi, 3G or other relevant communication standards (as an option).

4. Introduction of viruses

After infecting the smartphone OS, a special spy virus begins to covertly perform "recorder functions": it captures all conversations and redirects them to the intruders. As a rule, it is distributed in infected MMS, SMS and email messages.

Measures to protect your mobile phone from eavesdropping

  1. Installing a security application in the phone OS that prevents connection to false repeaters, checks the identifiers and signatures of the mobile operator's base stations, detects suspicious channels and spyware, and blocks other programs from accessing the microphone and video camera. Top solutions: Android IMSI-Catcher Detector, EAGLE Security, Darshak, CatcherCatcher.
  2. Carrying out technical diagnostics of the battery: when the phone is being listened to, the battery discharges quickly and heats up while the phone is not in use.
  3. Responding immediately to suspicious phone activity (the backlight lights up at random, unknown applications are installed, interference, echo and pulsing noise appear during conversations). Contact a repair shop so that specialists can examine the phone for "bugs" and viruses.
  4. Turning off the phone by removing the battery at night; ideally, insert the battery only to make an outgoing call.
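The first measure in the list, an application that checks base-station identifiers for signs of a false repeater, boils down to comparing what the baseband reports against what the phone has seen before. The block below is an added example of such checks, not code from the page or from the detector apps it names (Android IMSI-Catcher Detector, EAGLE Security, Darshak, CatcherCatcher); the record fields, thresholds and the sample cells on the 001/01 test network are constructed assumptions. The indicators are the usual ones: ciphering switched off, a location area the operator never used before, a never-seen cell that is suddenly the strongest, an empty neighbour list, and an aggressive periodic location-update timer.

```python
"""Rogue base-station heuristics run over the phone's own view of the network.

Added example, not code from the page or from any detector app. The record
fields, thresholds and sample cells are constructed assumptions. No single
weak indicator raises an alert on its own; disabled ciphering does.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CellObservation:
    mcc: int          # mobile country code
    mnc: int          # mobile network code
    lac: int          # location area code broadcast by the cell
    cid: int          # cell identity
    arfcn: int        # radio channel number
    rssi_dbm: int     # received signal strength
    cipher: str       # ciphering mode reported by the baseband: "A5/0" means none
    neighbours: int   # neighbour cells advertised in system information
    t3212_min: int    # periodic location-update timer in minutes (0 = disabled)


@dataclass
class Baseline:
    known_cells: Set[Tuple[int, int, int, int]] = field(default_factory=set)
    known_lacs: Set[Tuple[int, int, int]] = field(default_factory=set)
    ciphers: Set[str] = field(default_factory=set)


def learn_baseline(history: List[CellObservation]) -> Baseline:
    """Build the 'normal' picture from cells the phone has camped on before."""
    base = Baseline()
    for o in history:
        base.known_cells.add((o.mcc, o.mnc, o.lac, o.cid))
        base.known_lacs.add((o.mcc, o.mnc, o.lac))
        base.ciphers.add(o.cipher)
    return base


def check_cell(o: CellObservation, base: Baseline,
               strong_dbm: int = -50, min_t3212: int = 10) -> List[str]:
    """Return the list of indicators that fire for one observation."""
    reasons = []
    if o.cipher == "A5/0" and "A5/0" not in base.ciphers:
        reasons.append("ciphering disabled although this network normally encrypts")
    if (o.mcc, o.mnc, o.lac) not in base.known_lacs:
        reasons.append("location area never seen for this operator")
    if (o.mcc, o.mnc, o.lac, o.cid) not in base.known_cells and o.rssi_dbm >= strong_dbm:
        reasons.append("never-seen cell with unusually strong signal")
    if o.neighbours == 0:
        reasons.append("empty neighbour list, so no handover away from this cell")
    if 0 < o.t3212_min < min_t3212:
        reasons.append("very short periodic location-update timer")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """Alert on disabled ciphering alone, or on any two indicators together."""
    return any(r.startswith("ciphering disabled") for r in reasons) or len(reasons) >= 2


def scan(history: List[CellObservation],
         observations: List[CellObservation]) -> Dict[int, List[str]]:
    """Map the index of each suspicious observation to the indicators that fired."""
    base = learn_baseline(history)
    alerts: Dict[int, List[str]] = {}
    for i, o in enumerate(observations):
        reasons = check_cell(o, base)
        if is_suspicious(reasons):
            alerts[i] = reasons
    return alerts


# Constructed sample data on the test PLMN 001/01 (not a real operator).
HISTORY = [
    CellObservation(1, 1, 1234, 1, 51, -80, "A5/1", 6, 60),
    CellObservation(1, 1, 1234, 2, 53, -78, "A5/1", 6, 60),
    CellObservation(1, 1, 1234, 3, 55, -82, "A5/1", 6, 60),
]
OBSERVATIONS = [
    CellObservation(1, 1, 1234, 2, 53, -75, "A5/1", 6, 60),   # known cell
    CellObservation(1, 1, 1234, 4, 57, -85, "A5/1", 5, 60),   # new but unremarkable cell
    CellObservation(1, 1, 9999, 777, 59, -40, "A5/0", 0, 2),  # everything wrong at once
    CellObservation(1, 1, 1234, 5, 61, -45, "A5/1", 4, 60),   # strong new cell only
]

if __name__ == "__main__":
    for idx, reasons in scan(HISTORY, OBSERVATIONS).items():
        print(f"observation {idx}: {OBSERVATIONS[idx]}")
        for r in reasons:
            print("   -", r)
```

The fourth sample observation is deliberately ambiguous: a strong, previously unseen cell on its own is what a newly commissioned legitimate site looks like, so it is reported by `check_cell` but not promoted to an alert by `is_suspicious`. A baseband that exposes the ciphering indicator is needed for the first check; on handsets that hide it, the remaining indicators still work from the system-information broadcasts.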

Be that as it may, if someone wants to listen to your phone, sooner or later they will be able to, on their own or with someone else's help. Never lose vigilance, and at the slightest sign of signal interception take appropriate measures.