How to Build an IMSI Catcher to Intercept GSM traffic
Recently, there have been cases of using GSM hijacking + text message sniffing to steal bank cards. This article provides practical information on how to sniff the traffic of a GSM Network and will follow the structure below:
1. Background
2. Architecture of GSM
3. What is IMSI Catcher?
4. How IMSI Catcher works?
5. Hardware and Installation of tools
6. Capturing the GSM traffic
7. Detection of IMSI Catcher
1. Background
Before we delve deeper into the subject, some basic terminology and background information on GSM are provided below.
What is SDR?
Software Defined Radio (SDR) is a radio communication technology in which signal processing that is traditionally done in dedicated hardware is implemented in software instead. SDR allows easy signal processing and experimentation with more complex radio frequency setups.
What is RTL-SDR?
RTL-SDR is a Realtek (RTL2832U) based USB TV stick. Its driver can be put into a mode that streams raw I/Q samples to the host, where they are demodulated in software (for example DAB / DAB+ / FM).
What is GSM?
GSM stands for Global System for Mobile communication. More than 5 billion people around the world use GSM technology to communicate. Operators in each country use different frequencies within the GSM spectrum; refer to https://www.worldtimezone.com/gsm.html to learn more.
What is IMSI?
IMSI stands for “International Mobile Subscriber Identity” and is globally unique for each subscriber. The IMSI consists of 15 digits, which contain the Mobile Country Code (MCC), Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN). The IMSI is stored in the Subscriber Identity Module (SIM).
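The split described above is easy to get wrong because the MNC is two digits in most countries but three in others, so the MSIN boundary depends on the MCC. The following is an added example (not code from the article or from any of the tools it lists) that parses an IMSI into its three fields and masks the subscriber part for logging. The MCC table is deliberately tiny and is an assumption for the example; the sample IMSI uses the reserved test network code 001/01 and a made-up MSIN.

```python
"""Parse an IMSI into MCC / MNC / MSIN and mask it for logs (added example)."""
import re

# MCCs whose networks use 3-digit MNCs. North American MCCs are the usual
# case; this table is deliberately small and is an assumption for the example.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}

# The article describes a 15-digit IMSI; the standard allows slightly shorter
# ones, so 14 or 15 decimal digits are accepted here.
IMSI_RE = re.compile(r"^\d{14,15}$")


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI string into mcc, mnc and msin.

    Raises ValueError for anything that is not 14-15 decimal digits.
    """
    if not IMSI_RE.match(imsi):
        raise ValueError("IMSI must be 14 or 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc = imsi[3:3 + mnc_len]
    msin = imsi[3 + mnc_len:]
    return {"mcc": mcc, "mnc": mnc, "msin": msin}


def mask_imsi(imsi: str) -> str:
    """Keep the network part (MCC+MNC) and replace every MSIN digit with '*'.

    The MSIN identifies a person, so detection logs should not store it.
    """
    parts = parse_imsi(imsi)
    return parts["mcc"] + parts["mnc"] + "*" * len(parts["msin"])


if __name__ == "__main__":
    # Constructed sample: test network 001/01 with a made-up MSIN.
    sample = "001010123456789"
    print(parse_imsi(sample))
    print(mask_imsi(sample))
```

Anything you log from a detection tool should go through `mask_imsi` (or an equivalent); the MCC and MNC are enough to tell which network a cell claims to belong to, which is all the checks in the detection section need.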
Mobile Phone Generations
1G - The first generation of mobile phones was implemented in the 1980s. The data sent from and to the phones were analogue and naturally had no security whatsoever. Additionally, it was only possible to make voice calls with 1G networks. Text messaging was not yet possible at that point.
2G - In the 1990s the second generation of mobile phone technology was rolled out. Features such as SMS, data, MMS, voice mail and call forwarding were implemented. The radio signals also became digital and were encrypted. Later, 2.5G and 2.75G were introduced, each bringing improved data transfer techniques such as GPRS and EDGE. The Global System for Mobile Communication (GSM) standard is the most widely used 2G standard and, as of 2007, the most widely used mobile phone protocol in general.
3G - 3G was slowly rolled out in the 2000s. The International Telecommunication Union (ITU) set up specifications that define which mobile networks count as 3G. 3G mobile networks support the Global Positioning System (GPS), mobile television and video conferencing, and offer considerably more data transfer bandwidth and speed. The security was also improved: authentication became mutual between the mobile phone and the base station, and stronger encryption was introduced.
4. How IMSI Catcher works?
IMSI Catchers are devices that act like fake cell towers: they trick a target's device into connecting to them and then relay the communication to a real cell tower of the network carrier. The target's communications (calls, text messages, internet traffic and so on) pass through the IMSI Catcher, which can read messages, listen to calls and so on. The victim has no knowledge that this is happening, because everything seemingly works as normal. In security terms this is a man-in-the-middle attack.
This is possible because of a weakness in the GSM protocol. Mobile phones always look for the tower with the strongest signal, usually the nearest one, to get the best communication. When a device connects to a cell tower, it authenticates to the tower with its IMSI; in GSM, however, the tower does not have to authenticate back. So whenever someone places a device that acts as a cell tower near your phone, the phone connects to it and gives away its IMSI.
How does an IMSI Catcher find out my identity?
IMSI is a number unique to your SIM card. Once your phone is tricked into connecting to an IMSI catcher, it reveals this unique number. Once the police have your IMSI, they can easily determine your identity.
How does an IMSI Catcher find out my location?
Once your phone has been tricked into revealing its IMSI, the IMSI catcher can determine your phone’s general location by measuring the strength of the signal from the phone. Measuring the strength of the signal from different locations permits an ever-more precise determination of the phone’s location.
Can an IMSI Catcher snoop on my calls and text messages?
Yes. Some IMSI Catchers can ‘intercept’ your text messages, calls and Internet traffic. This means others can read or listen to your personal communications. IMSI Catchers can even re-route or edit communications and data sent to and from your phone. IMSI Catchers can also block service so you can no longer use your phone to make or receive calls and text messages – even for emergency calls.
5. Hardware and Installation of tools
Hardware
- RTL-SDR
- HackRF
- USRP
- BladeRF
Software
- GR-GSM - A GNU Radio module, with accompanying Python tools, used for receiving and decoding GSM transmissions.
- Wireshark - Captures and decodes the traffic.
- IMSI-Catcher - This program shows the IMSI number, country, brand and operator of cellphones.
- GQRX – Software defined radio receiver.
- RTL-SDR Tools – Command-line utilities to query and test the RTL-SDR dongle.
- Kalibrate – Scans for GSM base stations and measures the dongle's frequency offset.
Installation of Wireshark, GQRX, GR-GSM, rtl-sdr
sudo apt-get update
sudo apt-get install gnuradio gnuradio-dev git cmake autoconf libtool pkg-config g++ gcc make libc6 libc6-dev libcppunit-1.14-0 libcppunit-dev swig doxygen liblog4cpp5v5 liblog4cpp5-dev python3-scipy gr-osmosdr libosmocore libosmocore-dev rtl-sdr osmo-sdr libosmosdr-dev libboost-all-dev libgmp-dev liborc-dev libboost-regex-dev python3-docutils build-essential automake librtlsdr-dev libfftw3-dev gqrx wireshark tshark
git clone -b maint-3.8 https://github.com/velichkov/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH
Installation of Kalibrate
sudo apt-get update
git clone https://github.com/steve-m/kalibrate-rtl
cd kalibrate-rtl
./bootstrap && CXXFLAGS='-W -Wall -O3' ./configure
make
sudo make install
Installation of IMSI Catcher
sudo apt install python3-numpy python3-scipy python3-scapy
git clone https://github.com/Oros42/IMSI-catcher.git
6. Capturing the GSM traffic
For this practical exercise, an RTL-SDR dongle was used. Once the tools are installed, plug the RTL-SDR USB dongle into your system.
Open a terminal and run the command below to check that the dongle has been detected.
In India, mobile GSM networks operate in the 900 MHz and 1800 MHz bands (uplink and downlink).
The help guide of the “grgsm scanner” tool.
Search for nearby GSM base stations using “Kalibrate” or “grgsm_scanner” tools.
Three base stations were found. The signals shown above were relatively strong, at 945.4 MHz and 945.6 MHz.
In this way we obtained some parameters of the base station, such as the centre frequency, channel, ARFCN, LAC, MCC and MNC.
With the above details, we want to sniff the base station frequency. For that the program called “grgsm_livemon” will be used.
The help guide of the “grgsm_livemon” tool.
Start “Wireshark” before running the “grgsm_livemon” tool so that it captures the packets. Select the “any” interface to capture on all interfaces.
Once the sniffing of the frequency starts, a popup window appears, as shown in the screenshot below.
The frequency slider needs to be adjusted to the frequency of the base station found earlier. Once data capture starts, it will look like the screenshot below.
Now we need to capture the IMSI details with the help of an “IMSI Catcher” tool.
To capture the IMSI and other details like TMSI, Country, Brand, Operator, MCC, MNC, LAC, Cell-ID etc., run the “IMSI Catcher” tool.
In Wireshark, the captured data of base station’s MNC, MCC, LAI and other information can be seen.
7. Detection of IMSI Catcher
There are different applications available which help to find IMSI Catchers near your location. Once installed on the phone, they detect IMSI Catchers automatically. These applications contain a database of the cell towers of mobile carriers in different countries and regularly update that list.
Every time the phone sees a cell tower, the application checks whether the tower is on the list. If it is, the tower is a legitimate one and there is no danger. If the tower is not on the list, something suspicious is going on – and there is a high probability that it is an IMSI Catcher.
In this case, the best you can do is to turn off your phone and turn it on again, once you reach a safe location.
Below are some of the IMSI Catcher detector applications:
- Osmocom – used to detect and fingerprint certain network characteristics
- Android IMSI-Catcher Detector
- SnoopSnitch
- Cell Spy Catcher
- GSM Spy Finder
Notes: This article is only for study purposes and should not be used for illegal activities. It only discusses the interception of GSM data and not cracking. Illegal wiretapping is a serious breach of the law in most countries.