Oh, my! I’m amused. After getting to know projects like OpenBTS
that allows you to build and program your own GSM network
, I’ve just stumbled upon OsmoconBB.
In a nutshell, despite having its specification widely open, the implementation of GSM protocol
, as well as hardware to interact with the bottom layer (from the phone perspective), are available to very few manufacturers. OsmoconBB
is an open source project that have implementation of the first three layers of GSM protocol
stack, allowing the first to run in a cheap cell phone and the second and third to run on your desktop.
In practical terms that means you have full control over the package sent and read from the network, full control over the SIM card
(even emulating one on a physical phone); you can also tell the network each of the features your phone have or doesn’t have (even if your’re lying): you can disable cryptography or tell you’re a little bit further from the cell.
The killer application I’ve seen running is a network sniffer. With OsmoconBB
, you can sniff the network using an ordinary phone and, with some black magic, gather the “session key” from a device and sniff it. After sniffing enough data, you can break the A5/2 encryption and decode the sniffed data into raw audio from both the uplink
and downlink
.
Sniffing the GSM network
was already possible with OpenBTS
and USRP
hardware, but they aren’t as cheap as a common phone (like, US$30 Motorolo C123). Also, OpenBTS
act as the base station, and there were no such projects that acted as the terminal.
Check it out in these two videos:
- Introducing
OsmoconBB
:
Sniffing
the network and recording a call:
Author: Lucas Rosada