Search the Community
Showing results for tags 'gsm'.
Found 7 results
Import data from new SIM to old SIM
Kev posted a topic in Mobile securitySalut, vreau sa plec la vanatoare/pescuit/picnic, nu stiu ce peripetii mai fac pe acolo... Vreau sa "salvez" nr. de telefon (SIM-ul), de pe un iOS (dual SIM) pe SIM vechi (anulat), pentru un a salva nr personal. telefon e.g. Nokia 3310, 5100 etc... Ideea este ca nu vreau sa functioneze simultan, vreau doar cand plec la drumetii sa am un nr. de contact, in caz de urgente, moare porcul, pisica, cainele, iar cel de acasa (personal) sa fie offline. Exista App care sa faca treaba asta? (in caz de ceva ajung acasa si ii dau on pe numarul personal, acelasi numar pe care l-a luat valul. Cu alte cuvinte, ma duc la vanatoare/pescuit/picnic ma impinge un prost in apa si cad cu tot cu tel, sa nu stric iOS-ul, sa am o rabla cu mine cu acelasi nr pe care il am in casa, nu sunt waterproof nici generatiile vechi nici cele noi, primele care sunt afectate sunt SIM-urile (patit). Sper ca ati inteles Thanks
placa baza iphone 5s
andrei201994 posted a topic in Mobile securitysalut cine stie ce rost are particica aia incercuita cu rostu : wifi, bluetooth, gsm ? multumesc mult mentionez ca telefonul se aprinde dar cred ca nu are semnal . http://s4.postimg.org/j85owzjbh/iphone_5c_logic_board_weibo_800x533.jpg
Introduction to GSM Security
Aerosol posted a topic in Mobile securityIntroduction The Global System for Mobile Communication or GSM is a wireless communication that uses digital technology and is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, mostly known as Time Division Multiple Access (TDMA). In this article, I will be discussing the method that could be used to see the traffic on a GSM network and how an attacker could abuse the GSM network. Mobile communication technology was already developed and widely used in the early 1980s. For the first time, the C-NET system was developed in Germany and Portugal by Siemens, the RC-2000 system was developed in France, and the NMT system was developed in the Netherlands and Scandinavia by Ericsson, as well as the TACS system which operates in the UK. GSM appeared in mid-1991 and eventually turned into mobile telecommunications standard for the whole of Europe, maintained by the ETSI (European Telecommunications Standards Institute) technical committee. GSM started its commercial operation at the beginning of the last quarter of 1992 because GSM is a complex technology and needed more assessment to be used as standard protocol. In September 1992, type approval standards for mobile agreed to consider and incorporate dozens of test items for GSM production. In Europe, GSM was originally designed to operate at the frequency of 900 MHz. In this frequency, the uplinks use frequencies between 890 MHz to 915 MHz, and frequency between 935 MHz to 960 MHz is used for downlinks. The bandwidth used is 25 MHz ((915 – 890) = (960 – 935) = 25 MHz), with a channel width of 200 kHz. GSM Network Architecture Typical GSM network architecture is divided into 3 parts: Mobile Station (MS) Base Station Sub-system (BSS) Network Sub-system (NSS) And all elements of the network at the top form a PLMN (Public Land Mobile Network). Picture 1. GSM network architecture. Mobile Station or MS is a device used by the customer for making phone calls. This device consists of: Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user’s or customer’s end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices. Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI). Mobile Subscriber ISDN (MSISDN). Encryption mechanism. Base Station System or BSS consists of: Base Transceiver Station (BTS) is a GSM device that is directly related to MS and serves as the sender and receiver. Base Station Controller (BSC) is a controller device for base stations located between the BTS and MSC. Network Sub System or NSS consists of: Mobile Switching Center (MSC) is a central network element in a GSM network. MSC works as the core of a cellular network, where MSC main role is for interconnection, both among the cellular or wired network PSTN or with the data network. Home Location Register (HLR) is a database that saves the data and customer information permanently. Visitor Location Register (VLR) is a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer. Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. GSM Layer There are 3 layers in the GSM network: Layer 1 or the physical layer, for setting the channels. Layer 2 or the data-link layer, whose main role is to identify the data that is sent from UM to BTS. Layer 3 consist of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serves as a regulator for radio, mobile management and call control. Illustration of How GSM Works [mg]http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031815_2231_Introductio2.png icture 2. Illustration of how GSM works. Mobile phone is input with the destination number and connects to the nearest BTS. BSC and BTS send to MSC to continue and proceed to the AuC for checking the user identification. MSC proceeds to the HLR / VLR to check the existence of mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile located. Problem The background of this issues lies in the GSM network. Due to leaking of the design of encryption in 1994, it could be attacked, such as sniffing the voice in an established communication. Attacking 1. Packet Analysis At this stage, the attacker will do packet analysis on one of GSM providers (for this example, the attacker will attack one of the service providers in Indonesia). The attacker is using multiple devices for packet analysis (Openmoko and Nokia 3310) and using Wireshark to dissect information used in GSM networks such as: Encryption used by the provider. ARFCN number. Location of the mobile phone, etc. The first step is that the attacker will analyze encryption used by the provider: Picture 3. A5/1 encryption used by the provider. In the picture above, the encryption used by the provider is A5/1. In the second packet, we could see the location in ARFCN, because ARFCN is determinant of the uplink and downlink signal to a GSM network. Picture 4. ARFCN (downlink) in use. From the above picture, we could see that the provider uses ARFCN 881. For more details, the frequency for ARFCN 881 is as follows: ARFCN: 881 Downlink frequency: 1879000000 Hz Uplink frequency: 1784000000 Hz Distance: 95000000 Hz Offset: 512 Band: GSM1800 (DCS 1800) It could be assumed that the provider uses encryption A5/1 and 1879000000 Hz frequency for downlink and 1784000000 Hz for uplink. However, ARFCN is not static in a communication. Picture 5. ARFCN calculation (GSM 1800) Picture 6. GSM900 frequency allocation in Indonesia. Picture 7. GSM1800 frequency allocation in Indonesia. 2. Authentication of a Communication When MS communicates to a BTS, MS identifies himself using IMSI and IMEI, and BSC to MSC communication to respond to IMSI. The authentication function is to assure that MS is a legitimate user. An illustration can be seen in the image below: Picture 8. MS Authentication flow. An explanation for the above picture is as follows: MS sends IMSI and IMEI to BSC. BSC requests IMSI and IMEI to MSC. MSC responds and sends RAND, SRES and Ki. BSC sends RAND to MS. MS responds with SRES’. BSC checks SRES’. 3. Kc Generation On A5/1 Picture 9. Kc generation on A5/1. The picture above shows the process of Kc generation before being used to send and receive a communication. RAND is a random number generated by the AuC when a customer makes a request authentication to the network. RAND isused to generate SRES and Kc. Ki is key authentication paired with IMSI when a SIM card is made. Ki only exists on the SIM card and the Authentication Center (AuC). Ki never get transmitted over the GSM network. A8 is an algorithm that’s being used to calculate Kc. Ki and RAND are inserted into the A8 algorithm and the result is Kc. The A8 algorithm exists on the SIM card and the AuC. Kc is the key used in the A5 encryption algorithm to write and decipher data that is being sent when communication occurred. 2. Sniffing GSM In Realtime In order to be able to sniff a GSM packet, you must have a hardware that works as a receiver. For example, the RTL-SDR with rtl2832 chip. However, this hardware has a limitation. The maximum packet capture is 16 kHz wide. In other words, not all GSM packets can be captured using this hardware. Picture 10. Sample packet captured with rtl2832 DVB (max 16 kHz). GSM uses 200 kHz for communication and it is divided into 8 slots (200 kHz / 8 = 25 kHz / slot). Picture 11. Downlink and uplink frame illustration. Before we could start capturing GSM packets, first we must know the ARFCN in use. One method that could be used to find out the ARFCN is by using Blackberry Engineering Mode. In order to use that feature, you can simply search for “blackberry engineering mode calculator“. After entering the engineering mode, you can see the ARFCN currently in use as you may see in this picture: Picture 12. Blackberry engineering mode (ARFCN 114). After knowing the ARFCN, we could proceed to capture the downlink packets. The capturing process could be seen in this picture (the result is not optimal due to a standard antenna being used): Picture 13. Sample captured with DVB (only to see the downlink frequency). From the above picture, we could see that the signal is not strong enough and it could increase the packets lost during capture period. Here’s an example of captured GSM packets using RTL-SDR and analyzed using Wireshark: Picture 14. Sample GSM packet captured using RTL-SDR and analyzed using Wireshark. Conclusion From the above explanation, we could conclude that communication through GSM exposes some security concerns. An attacker who understands how the GSM protocol works and has complete GSM standard documentation could find a way to attack the GSM networks, especially if security is poorly implemented. Source
Mobile Phone Tracking
Aerosol posted a topic in Mobile securityGSM or Global System for Mobile Communication is a technology that’s widely used in mobile communications, especially mobile phones. This technology utilizes microwave and signal transmission divided by time, so that the signal information sent will arrive at the destination. The GSM standard for mobile communications as well as mobile technology is deployed more than its counterparts around the world, like CDMA. At this time we will discuss how to track a cell phone by using the Doppler effect, in other words we will make it easier to know the whereabouts of a person just by having information such as cell phone numbers. GSM Network Architecture Typical GSM network architecture is divided into 3 parts: Mobile Station (MS) Base Station Sub-system (BSS) Network Sub-system (NSS) All elements of the network at the top form a PLMN (Public Land Mobile Network). Picture 1. GSM network architecture Mobile Station or MS is a device used by the customer for making phone calls. This device consists of: Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user or customer end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices. Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without a SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI) Mobile Subscriber ISDN (MSISDN) Encryption mechanism Base Station System or BSS consists of: Base Transceiver Station (BTS), a GSM device that is directly related to MS and serves as the sender and receiver. Base Station Controller (BSC), a controller device for base stations which is located between the BTS and MSC. Network Sub System or NSS consists of: Mobile Switching Center (MSC), a central network element in a GSM network. The MSC works as the core of a cellular network, where its main role is for interconnection, both among the cellular or wired network PSTN or with the data network. Home Location Register (HLR), a database that saves the data and customer information permanently. Visitor Location Register (VLR), a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer. Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. GSM Layers There are 3 layers in the GSM network: Layer 1 or the physical layer, for setting the channels. Layer 2 or the data-link layer’s main role is to identify the data that is sent from UM to BTS. Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serve as regulators for radio, mobile management and call control. Picture 2. Illustration of how GSM works Mobile phone is input with the destination number and connects to the nearest BTS. BSC and BTS sends to MSC and proceeds to AuC for checking the user identification. MSC proceeds to the HLR / VLR to check for the existence of the mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile located. How Doppler Works Doppler is a change in the frequency or wavelength of a wave source that is received by the observer. This is the Doppler effect formula which is not affected by wind: Doppler effect formula which is influenced by the wind: This is the illustration of Doppler effect: Picture 3. Doppler effect illust From the above picture, there are 3 persons: A, B and C. A is the person in the middle who could detect the source of the wave/sound from B or C. Because the wave/sound that came from B or C travels in a certain frequency and distance, the A person could distinct the source of the wave/sound. Concept In this article, we are proposing a GSM radar using the Doppler effect, where the Doppler effect itself will be used to listen for the mobile phone uplink. There are some literature and references that mention about the Doppler effect being used to identify a signal if the Doppler effect is combined with the right filter processing according to the signal characteristic being transmitted. Research 1. OpenBTS Installation This article won’t go further step by step on this OpenBTS installation until it could be used, because there are already a lot of tutorials which cover the installation process. For this research, we are using USRP N200 from Ettus Research. But as we proceed using OpenBTS with USRP N200, we realize that there is an anomaly in the signal transmitted by USRP N200. So, we are using a spectrum analyzer to figure out and find a solution for the signal anomaly. This is the setup we are using: Picture 4. Using spectrum analyzer to figure out USRP N200 signal anomaly Picture 5. Signal anomaly as seen on spectrum analyzer As you can see from the picture above, the signal generated by USRP N200 looks like a horn and the noise is quite high. The possible cause for that anomaly is USRP N200 clock is not accurate, and the solution for that is by adding a filter, so the final result will be a correct GSM modulation like this picture: Picture 6. Correct GSM modulation after adding a filter 2. Doppler Design After doing some research on Doppler design, we found out that some design is not capable for a frequency of 900 MHz, but we have a workaround and modified existing Doppler design so it capable of reaching 900 MHz and even higher. This is the block diagram for modified Doppler design (courtesy of Ramsey): Picture 7. Modified Doppler design Picture 8. Tracking mobile phone illustration Conclusion From the above explanation, we could conclude that the Doppler effect could be used to lookup the position of a device transmitting a signal in a certain frequency. We could take this research further to detect any kind of living creature (e.g. endangered species) that in some way is transmitting a signal in a certain frequency, as long as we have the sound sample of that creature. Source
SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks. A German cryptographer Karsten Nohl, the founder of Security Research Labs claims to have found encryption and software flaws that could affect millions of SIM cards, and allows hackers to remotely gain control of and also clone certain mobile SIM cards. This is the first hack of its kind in a decade. Nohl will be presenting his findings at the Black Hat security conference this year. He and his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS. According to him, Hackers could use compromised SIMs to commit financial crimes or engage in espionage. Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone. The exploit only works on SIMs that use an old encryption technology known as DES. DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack. GSMA, which represents nearly 800 mobile operators, will notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts. Nohl believes that cyber criminals have already found the bug. Now the theoretical details of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes. Sim Card Cloning Hack affect 750 millions users around the world - The Hacker News
Hacked Feature Phone Can Block Other People’s Calls
sicilianul posted a topic in Stiri securitateSwapping software can give one GSM phone the power to prevent incoming calls and text messages from reaching other phones nearby. By making simple modifications to common Motorola phones, researchers in Berlin have shown they can block calls and text messages intended for nearby people connected to the same cellular network. The method works on the second-generation (2G) GSM networks that are the most common type of cell network worldwide. In the U.S., both AT&T and T-Mobile carry calls and text messages using GSM networks. The attack involves modifying a phone’s embedded software so that it can trick the network out of delivering incoming calls or SMS messages to the intended recipients. In theory, one phone could block service to all subscribers served by base stations within a network coverage area known as a location area, says Jean-Pierre Seifert, who heads a telecommunications security research group at the Technical University of Berlin. Seifert and colleagues presented a paper on the technique at the Usenix Security Symposium in Washington, D.C., last week. An online video demonstrates the attack in action. Seifert’s group modified the embedded software, or “firmware,” on a chip called the baseband processor, the component of a mobile phone that controls how it communicates with a network’s transmission towers. In normal situations, when a call or SMS is sent over the network, a cellular tower “pages” nearby devices to find the one that should receive it. Normally, only the proper phone will answer—by, in effect, saying “It’s me,” as Seifert puts it. Then the actual call or SMS goes through. The rewritten firmware can block calls because it can respond to paging faster than a victim’s phone can. When the network sends out a page, the modified phone says “It’s me” first, and the victim’s phone never receives it. “If you respond faster to the network, the network tries to establish a service with you as an attacker,” says Nico Golde, a researcher in Seifert’s group. That’s enough to stall communications in a location area, which in Berlin average 200 square kilometers in size. The group didn’t design the hack to actually listen to the call or SMS but just hijacked the paging process. Traditionally, the details of how baseband processors work internally has been proprietary to makers of chips and handsets. But a few years ago, baseband code for a certain phone, the Vitelcom TSM30, leaked out. That enabled researchers to understand how baseband code works and spawned several open-source projects to study and tweak it. The Berlin group used that open-source baseband code to write replacement software for Motorola’s popular C1 series of phones (such as the C118, C119, and C123). Those devices all use Texas Instruments’ Calypso baseband processor. The researchers tested their attack by blocking calls and messages just to their own phones. However, they calculate that just 11 modified phones would be enough to shut down service of Germany’s third-largest cellular network operator, E-Plus, in a location area. “All those phones are listening to all the paging requests in that area, and they are answering ‘It’s me,’ and nobody in that cell will get an SMS or a phone call,” Seifert explains. Jung-Min Park, a wireless-security researcher at Virginia Tech, says that although devising the attack requires detailed technical knowledge, once it is created, “if someone had access to the same code and hardware, repeating the attack should be possible for an engineer.” Although carriers today mostly tout their 3G and 4G services, most networks around the world still use GSM networks. Around four billion people worldwide use GSM networks for calls, and carriers also use them for some machine-to-machine applications. The problem could be fixed, but that would require changing GSM protocols to require phones to prove their identity through an additional exchange of encrypted codes. “The defense is expensive to deploy,” says Victor Bahl, principal researcher and manager of the mobility and networking research group at Microsoft. “I can only speculate that the cell network providers are reluctant to invest in mitigation strategies in the absence of an immediate threat.” Seifert says the research of his group and others shows that basic aspects of mobile communications can no longer be assumed to be safe from hacking. “The answer of the carriers is: ‘It’s illegal—you are not allowed to do it,’” he says, “However, the implication is that the good old times, where you can assume that all the phones are honest and following the protocol, are over.” Demo: Sursa: Software Update to $20 Phones Could Topple 2G Cell Networks | MIT Technology Review Oare e chiar "noua" stirea?
USRP si GNU Radio Open BTS - decodare GSM
Acidripp posted a topic in Mobile securityA lucrat cineva de pe aici cu modulele USRP si Open BTS? Cat de simplu este sa asculti telefoanele mobile in Romania? pentru cei care nu stiu despre ce vorbesc, aveti aici cateva linkuri: USRP module and daughterboards GNU Radio OpenBTS