Category: Mobile

Eavesdropping on LTE Calls with a USRP Software Defined Radio

Ars Technica recently ran a story about how university researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio running the Airscope software. The technique exploits a flaw in how some LTE carriers implement their keystream. A keystream is a stream of pseudorandom data that is XORed with the actual voice data to produce the encrypted data.

It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can record an encrypted conversation and then immediately call the victim after that conversation ends. Because the attacker knows the plaintext of their own call, they can recover the keystream from it, and as that keystream is identical to the one used for the first conversation, the first conversation can now be decoded.

The Ars Technica article, the original paper and a website created about the ReVoLTE technique and software go into detail about how the attack works. On the website the team explains the attack in simple terms:

The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.

The ReVoLTE attack aims to eavesdrop on the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this the second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).

For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.

The ReVoLTE Attack
Demonstration of the ReVoLTE attack in a commercial LTE network.
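To make the keystream-reuse weakness concrete, here is an added example (not code from the paper, the ReVoLTE team or the Airscope software) that models a stream cipher as plain XOR over constructed byte strings: it reproduces the two steps quoted above, shows that only as many bytes as the known plaintext are recoverable, and shows that a fresh keystream for the second call defeats the recovery. No real LTE cipher is involved.

```python
"""Why keystream reuse breaks a stream cipher (two-time pad), as in ReVoLTE.
Constructed data only; no real LTE/EEA cipher is involved."""
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # A stream cipher covers only the bytes it actually sees, so the result
    # is truncated to the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(keystream, plaintext)


def recover_target_call(target_ct: bytes, keystream_ct: bytes, known_pt: bytes) -> bytes:
    # Step 1 from the write-up: known plaintext XOR its ciphertext gives the keystream.
    keystream = xor_bytes(known_pt, keystream_ct)
    # Step 2: that keystream decrypts the earlier (target) call, but only as far
    # as the known plaintext reaches (the "five minutes" point in the text).
    return xor_bytes(keystream, target_ct)


# Constructed stand-ins for the two calls' audio.
TARGET_PT = b"Alice to Bob: the contract signing is moved to Tuesday."
ATTACKER_PT = b"Hi Alice, this is a survey about your internet provider..."


def simulate(reuse_keystream: bool, known_len: int) -> bytes:
    """Encrypt both calls, then run the recovery with known_len bytes of known plaintext."""
    rng = random.Random(2020)  # fixed seed so the demo is reproducible
    ks_first = bytes(rng.getrandbits(8) for _ in range(64))
    # A correct base station would derive a fresh keystream for the second call.
    ks_second = ks_first if reuse_keystream else bytes(rng.getrandbits(8) for _ in range(64))
    target_ct = stream_encrypt(ks_first, TARGET_PT)
    keystream_ct = stream_encrypt(ks_second, ATTACKER_PT)
    return recover_target_call(target_ct, keystream_ct, ATTACKER_PT[:known_len])


if __name__ == "__main__":
    print(simulate(True, 64))   # whole target sentence comes back
    print(simulate(True, 20))   # only 20 bytes are recoverable
    print(simulate(False, 64))  # fresh keystream: unreadable bytes
```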

SignalID: Shazam Style Automatic Signal Identification for Android

SignalID is a new Android app available on the Google Play store which offers Shazam-like radio signal identification. Just like Shazam does for music, you simply tune to an unknown signal with your SDR, play the raw audio, and let the app listen to it for five seconds. It then computes an audio fingerprint and checks to see if it knows what the signal is. 

We tested the app but unfortunately we were unable to get it to detect any signals. Please write in the comments if you have success. As it uses audio fingerprinting, the app is probably highly dependent on choosing the correct demodulator (AM/FM/SSB etc.), as well as on the tuning and signal quality. We note that most of the signal sources seem to come from our sister site, the Signal ID Wiki. Searching through the wiki is a good alternative if automated solutions fail.

However, the app is new and we expect improvements and more signals to be added in the future. Currently the following signals can be recognized:

- RTTY (Commercial 85Hz, 170Hz, 450Hz, 850Hz, Amateur 170Hz)
- PactorI (Standard, FSP, FEC, SELCALL)
- ASCII (170Hz)
- ALIS
- Codan8580 (200Hz, 250Hz)
- CIS36_50
- CIS40_5
- CIS50_50
- STANAG 4285 (GEN, SYS3000 FEC, 8PSK, TFC, IDLE, SYS3000)
- FT4
- FT8
- WEFAX (120, 240)
- 2G ALE
- 3G ALE
- CHIP64
- APRS (Burst)
- ATIS
- Tetrapol
- POCSAG
- FLEX (2FSK)
- PSK (31, 63, 125, 250, 500)

We note that this app reminds us of a Python based signal identification app for the PC called "audio_recognition_system" which we posted about earlier this year.

SignalID: Shazam-like audio based signal identification for Android.
SignalID - Demonstration

Trump Tweets about Pushed Buffalo Protestor Scanning to Jam Police Radios with an RTL-SDR and Android Phone

In political news 75 year old Buffalo protestor Martin Gugino has been generating controversy due to a video of him being pushed to the ground by a police officer, then subsequently lying motionless while bleeding from the head and being ignored by other officers.

Recently US president Donald Trump tweeted about a video news report by "One America News" (OAN) indicating that Gugino may have been trying to scan police with a "capture scanner". Whilst talking about the capture scanner they show an image of an RTL-SDR dongle and Android phone running the SDR Touch software. OAN go on to say that these capture scanners are designed to "skim microphones" in order to capture police communications, and are a tool commonly used by Antifa. Credit to @hackerfantastic for initially tweeting about the RTL-SDR being featured in the video.

Trump's tweet reads "Buffalo protester shoved by Police could be an ANTIFA provocateur. 75 year old Martin Gugino was pushed away after appearing to scan police communications in order to black out the equipment @OANN
I watched, he fell harder than was pushed. Was aiming scanner. Could be a set up?".

We're not entirely sure where this theory from OAN came from as there is no need to get so close in order to listen to police radio communications, since if unencrypted, they can be listened to from anywhere in the city. It's also unclear as to what microphones police would be using, and how these could be "skimmed" with an RTL-SDR. As for blacking out the equipment, an RTL-SDR cannot transmit so it would be impossible to use to jam the radios. An illegal jammer could be used after scanning, but police frequencies are already well known anyway, and there would be no need to scan for them so close even if low power comm links were used.

The video also shows that he appears to be filming police badge numbers with his phone before he was pushed, so it is unlikely that he was using an RTL-SDR and running SDR Touch at the same time as the camera app. No cables, antenna or dongle can be seen in the video either.

In the past we have seen a Slovenian researcher almost jailed for performing University research with an RTL-SDR, and a UN expert arrested for possessing an RTL-SDR in Tunisia. So this is a timely reminder to be careful as police and media do not always understand what an SDR is.

EDIT: Please note that this is not a political post or blog. We only post it to highlight the severe lack of understanding that can surround SDR and our technical hobbies. Comments inciting violence against protestors or anyone are NOT OK, and will be removed. Please keep discussions technical and civil in nature.

OAN indicates that Martin Gugino may have used an RTL-SDR "capture scanner" on police

YouTube Tutorial: Building a Passive IMSI Catcher with an RTL-SDR

Thank you to M Khanfar for submitting his YouTube tutorial on how to build a passive IMSI catcher with an RTL-SDR. He writes:

In this video I'm going through the process of easy, step-by-step building of a passive IMSI catcher. The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised today! Easy step-by-step install and running under a virtual machine with Ubuntu 18.04 and a cheap SDR dongle!

Intro
An IMSI catcher is a device commonly used by law enforcement and intelligence agencies around the world to track mobile phones. They are designed to collect and log IMSI numbers, which are unique identifiers assigned to mobile phone subscriptions. Under certain circumstances, IMSI numbers can be linked back to personal identities, which inherently raises a number of privacy concerns.

The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised. Nothing in this video is necessarily new, and those with less than honest intentions are most certainly already using these (or similar) devices.

This video walks through the processes of building a passive IMSI catcher, which is distinctly different from traditional IMSI catchers in that it does not transmit nor does it interfere with cellular networks in any way.

Traditional IMSI catchers are illegal in most jurisdictions due to the fact that they transmit on cellular frequencies (which requires a license), and that they essentially perform a man-in-the-middle attack between a phone and mobile base station (which breaks all sorts of anti-hacking laws). A passive IMSI catcher does neither of these.

How it works
The passive IMSI catcher works by capturing IMSI numbers when a phone initializes a connection to a base station. The IMSI is only disclosed during this initial connection. In an effort to protect privacy, all subsequent communication to that base station is done with a random Temporary Mobile Subscriber Identity (TMSI) number.

This means you will only collect IMSI numbers for devices as they move between base stations. Traditional IMSI catchers work differently, by spoofing a legitimate base station and forcing subscribers to connect to itself. They have the added ability to collect data about stationary devices, and can potentially have a more targeted range.

The only hardware required is a PC and an SDR receiver that supports GSM frequencies. Generally this means 850/900/1,800/1,900 MHz. Most of the inexpensive RTL2832U based receivers have an upper-frequency range of about 1,700 MHz. You can get by with one of these, but of course, you won't be able to listen to stations at 1,800 or 1,900 MHz.

--- You can easily search for GSM towers around you and show their frequencies, then select a specific tower and access its HLR data. Then you can locate the tower's location on Google Maps when you have the specific data collected from the SDR in the terminal, like:
MCC, MNC, LAC, CELLID. Then you can easily add these data on this website: https://cellidfinder.com/cells and locate it on the map, and you can use the IMSI number that you sniffed to collect detailed info from a database that you have access to with a subscription to the full database from this website: https://www.numberingplans.com

Building a Passive IMSI Catcher


Combining Android Tasker and an RTL-SDR for Mobile Automated Frequency Power Scans

Over on YouTube Ian Grody has uploaded two videos demonstrating an early alpha project that he is working on which combines Android Tasker with RTL-SDR frequency scanning. Tasker is an Android automation app which allows users to define a task based on a context. For example, you could set it to turn on WiFi and open an app (task) every time you arrive at a certain location (context).

Ian's idea is to create a Tasker application that performs an rtl_power scan with the RTL-SDR whenever a certain context is detected. The current version of his Tasker app can perform an rtl_power scan over a certain frequency range at the tap of a button, detect the strongest frequencies in that range, and plot a marker at the current location on a Google map which displays the strongest frequency detected at that location. He eventually hopes to turn the application into a wardriving application that will scan 27 MHz - 1.7 GHz for active signals while on the move.

His Tasker alpha application is available via the link on his Reddit post.
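The "detect the strongest frequencies" step above can be done with a few lines over rtl_power's CSV output. The following is an added example, not Ian's Tasker code: the scan lines are constructed in the rtl_power layout (date, time, Hz low, Hz high, Hz step, sample count, then one dB value per bin), and the threshold and bin-frequency convention (low edge plus index times step) are assumptions.

```python
"""Pick the strongest bins out of an rtl_power CSV scan.
The sample scan below is constructed, not a real capture."""
import csv
from io import StringIO

# Constructed rtl_power-style rows: date, time, f_low, f_high, f_step, samples, dB per bin.
SAMPLE_CSV = """\
2020-08-20, 12:00:00, 88000000, 90000000, 500000.00, 20, -22.1, -21.8, -5.3, -21.9
2020-08-20, 12:00:00, 90000000, 92000000, 500000.00, 20, -21.5, -22.0, -21.7, -3.9
2020-08-20, 12:00:00, 92000000, 94000000, 500000.00, 20, -12.0, -22.3, -21.6, -22.0
"""


def parse_rtl_power(text):
    """Yield (freq_hz, power_db) for every bin in every row of the scan."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7:
            continue  # blank or malformed line
        f_low, f_step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            # Assumed convention: bin i starts at f_low + i * f_step.
            yield f_low + i * f_step, float(db)


def strongest(text, top=3, min_db=-15.0):
    """Return up to `top` bins at or above min_db, strongest first."""
    bins = [(f, db) for f, db in parse_rtl_power(text) if db >= min_db]
    bins.sort(key=lambda b: b[1], reverse=True)
    return bins[:top]


if __name__ == "__main__":
    for f, db in strongest(SAMPLE_CSV):
        print(f"{f / 1e6:.3f} MHz  {db:.1f} dB")
```

On the constructed scan this reports 91.500 MHz, 89.000 MHz and 92.000 MHz, the three bins that stand out from the roughly -22 dB noise floor.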

Tasker and a Software Defined Radio

Tasker and an RTL SDR - Part II

Preview: GNU Radio 3.8 Running on an Un-Rooted Android Smartphone

Over on Twitter and YouTube Bastian Bloessl (@bastibl) has been posting teaser shots and videos of GNU Radio 3.8 running on an un-rooted Android device. Unfortunately there doesn't yet seem to be any word on how he's been able to do this, but we guess that the details will all be released in due time, possibly on his blog.

GNU Radio is an open source digital signal processing (DSP) toolkit which is often used in cutting edge radio applications and research, and to implement decoders, demodulators and various other SDR algorithms.

GNU Radio 3.8 on un-rooted Android receiving FM w/ HackRF (take 2)

Dash Mounted ADS-B With an RTL-SDR Blog V3

Reddit user [Bobcalamarie] recently [posted] about how he uses his car dash mounted Android tablet along with an RTL-SDR Blog V3 and a magnetic mount antenna while sitting in traffic to track aircraft overhead.

We’ve seen something similar to this once before when [Signals Everywhere] uploaded a video showing off ADS-B reception (among other things) to a dash-mounted Windows tablet and an Android head unit.

The software used by Bobcalamarie is the Android [Avare ADS-B] software which can be found in the Google Play Store. However, other applications exist for Windows, Linux, and other operating systems as well. Some software such as [Virtual Radar Server] even allows you to set up alerts for specific types of aircraft. While we wouldn't condone it, this might come in handy for someone in traffic.

What would you do if you had an SDR installed in your vehicle? We would love to hear what you have to say in the comments below.

Dash Mounted ADS-B Reception

A Portable RTL-SDR Based ADS-B Receiver with Display and 3D Printed Enclosure

Over on Hackaday.io user nathan.matsuda has written about his RTL-SDR based hand held ADS-B aircraft receiver with display and 3D printed enclosure.

His initial idea was to create a flexible and open portable SDR device, however keeping the device open and built for general use meant increased complexity which quickly slowed his progress. Instead [Nathan] decided to focus on just ADS-B for his portable device as living near an airport he’d been interested in aircraft tracking since his first SDR arrived.

The device consists of a Raspberry Pi Zero, an RTL-SDR, a 3.5″ IPS LCD and a battery pack for portability. For software he uses dump1090 with some custom code for the map plotting. Together with a 3D printed case and some buttons, the result is a very professional looking portable aircraft tracking device.

Hopefully Nathan will continue updating his project page so that others may replicate it on their own.

Raspberry Pi Zero and RTL-SDR Portable ADS-B Receiver