
GSM sniffing for fun and profit

Oh, my! I'm amused. After getting to know projects like OpenBTS, which lets you build and program your own GSM network, I've just stumbled upon OsmocomBB.

In a nutshell, although the GSM specification is openly available, implementations of the GSM protocol, as well as the hardware that interacts with its bottom layer (from the phone's perspective), are available to very few manufacturers. OsmocomBB is an open source project that implements the first three layers of the GSM protocol stack, allowing layer 1 to run on a cheap cell phone while layers 2 and 3 run on your desktop.

In practical terms, that means you have full control over the packets sent to and read from the network, and full control over the SIM card (you can even emulate one on a physical phone); you can also tell the network which features your phone has or doesn't have (even if you're lying): you can disable ciphering or claim that you're a little bit further from the cell than you really are.

The killer application I've seen running is a network sniffer. With OsmocomBB, you can sniff the network using an ordinary phone and, with some black magic, gather the “session key” from a device and sniff it. After sniffing enough data, you can break the A5/2 encryption and decode the sniffed data into raw audio from both the uplink and downlink.

Sniffing the GSM network was already possible with OpenBTS and USRP hardware, but those aren't as cheap as a common phone (such as the US$30 Motorola C123). Also, OpenBTS acts as the base station, and there were no such projects that acted as the terminal.

Check it out in these two videos:

  • Introducing OsmocomBB
  • Sniffing the network and recording a call

Author: Lucas Rosada
