17

An answer to a recent question has given me an idea for a school project (security CS program).

Also, an active attacker (with a fake base station) can potentially force a mobile phone to use another variant [of encryption]...

This sounds very cool, and I want to implement this on an at-home basis.

This article talks about a 2010 presentation of just such an experiment. I've done some limited research, but I have two main questions:

What equipment would I need to buy and how much would it cost (this project is self-funded)? The article said $1,500, including the laptop (which I already have), but did not give any specific information on the antenna.

What sort of APIs/libraries/etc., if any, exist for the communications protocols? If none, I can probably try to implement the protocol myself, but this could take a lot of time.

Update:

Conclusion so far: While cell phones can operate in a HAM radio band in the United States, I'm concerned about potential legal implications of spoofing a cell phone tower. Specifically, I think I would need to identify myself as another carrier in order to perform a MITM attack, which may be a crime.

Some helpful links:

John Deters
jtpereyda
  • Keep your cell phone at home and relay calls through it... Do not use call forwarding, because the carrier will see it as an incoming call, but perhaps use Bluetooth to control that phone from a remote location; all the carrier will see is incoming and outgoing calls from your home, although you are in Hawaii at the beach sippin' on Coronas eating polky ;) Please, if you figure it out, post up the results. I'm not an electronic wizard or even a techy; I got the idea from the Bluetooth in my car, which is voice activated... To make my idea stupid easy to understand, imagine this.... I leave my cell in my car at home wit –  Sep 23 '13 at 20:04
  • Is this how the police use Stingray? See https://en.m.wikipedia.org/wiki/Stingray_Phone_Tracker. – Stone True Nov 25 '15 at 18:25
  • @user31155, Bluetooth is a short-range technology, ~100 meters max. Probably the easiest solution would be remote control software to control your phone remotely: http://www.makeuseof.com/tag/remote-control-iphone-computer/ Not sure how well it works, though. – iCodeSometime Jan 12 '17 at 15:57
  • The concept was demonstrated by white-hat hackers at DEFCON, as shown here: https://security.stackexchange.com/questions/157316/gsm-encryption-suppression/160390#160390 – SDsolar Jun 25 '17 at 00:54

3 Answers

11

Defcon has had a few presentations on this subject. An active attacker can turn off encryption altogether, never mind just changing it.

Also, there is an open-source program available just for this. I will edit this with the link when I find it.

John Deters
WalterJ89
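An added, defender-side example that is not part of this thread: it decodes the GSM RR Cipher Mode Command (the message a base station uses to select the cipher, 3GPP TS 44.018 9.1.9) and raises the warnings an IMSI-catcher detector would show when ciphering is switched off or downgraded, which is the behaviour the answer above describes. The byte strings are constructed for the example; the field names and thresholds are the example's own.

```python
# Added example (not from the Stack Exchange thread): flag a Cipher Mode Command
# that turns ciphering off (A5/0) or selects a weak algorithm, the two things a
# rogue BTS does to a phone it has captured. Layout per 3GPP TS 44.018 9.1.9,
# 10.5.2.9 (Cipher Mode Setting) and 10.5.2.10 (Cipher Response).
from dataclasses import dataclass
from typing import List, Optional

RR_PROTOCOL_DISCRIMINATOR = 0x06
CIPHER_MODE_COMMAND = 0x35

# Algorithm identifier = bits 4..2 of the Cipher Mode Setting half-octet
ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}
WEAK_ALGORITHMS = {"A5/1", "A5/2"}   # A5/3 is treated as the expected baseline here

@dataclass
class CipherModeCommand:
    start_ciphering: bool            # SC bit; False means no ciphering at all
    algorithm: Optional[str]         # None when ciphering is not started
    imeisv_requested: bool           # CR bit of the Cipher Response half-octet

def parse_cipher_mode_command(msg: bytes) -> CipherModeCommand:
    """Decode the three-octet message: PD/skip, message type, settings octet."""
    if len(msg) < 3:
        raise ValueError("message too short")
    pd, mtype, settings = msg[0] & 0x0F, msg[1], msg[2]
    if pd != RR_PROTOCOL_DISCRIMINATOR or mtype != CIPHER_MODE_COMMAND:
        raise ValueError("not an RR Cipher Mode Command")
    setting = settings & 0x0F            # low nibble: Cipher Mode Setting
    response = (settings >> 4) & 0x0F    # high nibble: Cipher Response
    sc = bool(setting & 0x01)
    algo = ALGORITHMS.get((setting >> 1) & 0x07) if sc else None
    return CipherModeCommand(sc, algo, bool(response & 0x01))

def assess(cmd: CipherModeCommand) -> List[str]:
    """Return the warnings a catcher-detector would raise for this command."""
    warnings = []
    if not cmd.start_ciphering:
        warnings.append("ciphering disabled (A5/0): traffic will be sent in clear")
    elif cmd.algorithm in WEAK_ALGORITHMS:
        warnings.append(f"weak cipher {cmd.algorithm} selected: downgrade suspected")
    if cmd.imeisv_requested:
        warnings.append("IMEISV requested: device identity is being collected")
    return warnings

# Constructed samples: a normal A5/3 command and a "no ciphering" one
GENUINE = bytes([0x06, 0x35, 0x05])   # SC=1, algorithm 010 -> A5/3, CR=0
SUSPECT = bytes([0x06, 0x35, 0x10])   # SC=0 (no ciphering), CR=1 (IMEISV wanted)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, assess(parse_cipher_mode_command(raw)) or ["ok"])
```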
3

A recent Black Hat Europe talk entitled "LTE and IMSI catcher myth" [Paper], [presentation] was carried out using a YateBTS SatSite. The provided materials hint at how to build such a fake base station.

kingmakerking
  • Are there other cheap options? –  Nov 28 '16 at 04:52
  • There is a pretty good writeup for a cheap build based on a Raspberry Pi here: https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/ – knipp Feb 22 '19 at 09:26
3

A potentially cheaper option would be to get a femtocell device from an existing mobile provider (providers often lend them out, or sell them for less than any SDR you'd need for OpenBTS) and root it.

Once you've got root, you can look at what software drives the mobile network interface and modify it, or make your own software that would spoof a provider's real BTS and log the IMSIs.

André Borie