GSM sniffing for fun and profit
Oh, my! I’m amused. After getting to know projects like OpenBTS, which let you build and program your own GSM network, I’ve just stumbled upon OsmocomBB.
In a nutshell, despite the specification being widely open, implementations of the GSM protocol, as well as the hardware to interact with the bottom layer (from the phone’s perspective), are available to very few manufacturers.
OsmocomBB is an open source project that implements the first three layers of the GSM protocol stack, allowing the first to run on a cheap cell phone and the second and third to run on your desktop.
In practical terms that means you have full control over the packets sent to and read from the network, and full control over the SIM card (even emulating one on a physical phone); you can also tell the network which features your phone does or doesn’t have (even if you’re lying): you can disable encryption or claim you’re a little bit further from the cell.
The killer application I’ve seen running is a network sniffer. With OsmocomBB, you can sniff the network using an ordinary phone and, with some black magic, gather the “session key” from a device and sniff it. After sniffing enough data, you can break the A5/2 encryption and decode the sniffed data into raw audio from both the
GSM network was already possible with USRP hardware, but that isn’t as cheap as a common phone (like the US$30 Motorola C123). Also, OpenBTS acts as the base station, and there were no such projects that acted as the terminal.
Check it out in these two videos:
Sniffing the network and recording a call:
Author: Lucas Rosada