Category: Mobile

YouTube Tutorial: Building a Passive IMSI Catcher with an RTL-SDR

Thank you to M Khanfar for submitting his YouTube tutorial on how to build a passive IMSI catcher with an RTL-SDR. He writes:

In this video I go through the process of building a passive IMSI catcher, easily and step by step. The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised today! Easy step-by-step install and running under a virtual machine with Ubuntu 18.04 and a cheap SDR dongle!

Intro
An IMSI catcher is a device commonly used by law enforcement and intelligence agencies around the world to track mobile phones. They are designed to collect and log IMSI numbers, which are unique identifiers assigned to mobile phone subscriptions. Under certain circumstances, IMSI numbers can be linked back to personal identities, which inherently raises a number of privacy concerns.

The purpose of this video is to be educational - to highlight the ease with which these devices can be built, and to practically show how privacy is already being compromised. Nothing in this video is necessarily new, and those with less than honest intentions are most certainly already using these (or similar) devices.

This video walks through the processes of building a passive IMSI catcher, which is distinctly different from traditional IMSI catchers in that it does not transmit nor does it interfere with cellular networks in any way.

Traditional IMSI catchers are illegal in most jurisdictions due to the fact that they transmit on cellular frequencies (which requires a license), and that they essentially perform a man-in-the-middle attack between a phone and mobile base station (which breaks all sorts of anti-hacking laws). A passive IMSI catcher does neither of these.

How it works
The passive IMSI catcher works by capturing IMSI numbers when a phone initializes a connection to a base station. The IMSI is only disclosed during this initial connection. In an effort to protect privacy, all subsequent communication to that base station is done with a random Temporary Mobile Subscriber Identity (TMSI) number.

This means you will only collect IMSI numbers for devices as they move between base stations. Traditional IMSI catchers work differently, by spoofing a legitimate base station and forcing subscribers to connect to itself. They have the added ability to collect data about stationary devices, and can potentially have a more targeted range.

The only hardware required is a PC and SDR receiver that supports GSM frequencies. Generally this means 850/900/1,800/1,900 MHz. Most of the inexpensive RTL2832U based receivers have an upper-frequency range of about 1,700 MHz. You can get by with one of these, but of course, you won't be able to listen to stations at 1,800 or 1,900 MHz.

You can easily search for GSM towers around you and show their frequencies, then select a specific tower and access its HLR data. You can then locate the tower on Google Maps once you have specific data collected from the SDR in the terminal, such as MCC, MNC, LAC and CELLID: add this data on this website, https://cellidfinder.com/cells, then locate it on the map. You can also use the IMSI number that you sniff to collect detailed info from a database, with a subscription giving access to the full database, on this website: https://www.numberingplans.com

Building a Passive IMSI Catcher

 
 

Combining Android Tasker and an RTL-SDR for Mobile Automated Frequency Power Scans

Over on YouTube Ian Grody has uploaded two videos demonstrating an early alpha project that he is working on which combines Android Tasker with RTL-SDR frequency scanning. Tasker is an Android automation app which allows users to define a task based on a context. For example, you could set it to turn on WiFi and open an app (task) every time you arrive at a certain location (context).

Ian's idea is to create a Tasker application that performs an rtl_power scan with the RTL-SDR whenever a certain context is detected. The current version of his Tasker app can perform an rtl_power scan over a certain frequency range at the tap of a button, detect the strongest frequencies in that range, and plot a marker at the current location on a Google map which displays the strongest frequency detected at that location. He eventually hopes to turn the application into a wardriving application that will scan 27 MHz - 1.7 GHz for active signals while on the move.

His Tasker alpha application is available via the link on his Reddit post.

Tasker and a Software Defined Radio

Tasker and an RTL SDR - Part II

Preview: GNU Radio 3.8 Running on an Un-Rooted Android Smartphone

Over on Twitter and YouTube Bastian Bloessl (@bastibl) has been posting teaser shots and videos of GNU Radio 3.8 running on an un-rooted Android device. Unfortunately there doesn't seem to be any word yet on how he's been able to do this, but we guess that the details will all be released in due time, possibly on his blog.

GNU Radio is an open source digital signal processing (DSP) toolkit which is often used in cutting edge radio applications and research, and to implement decoders, demodulators and various other SDR algorithms.

GNU Radio 3.8 on un-rooted Android receiving FM w/ HackRF (take 2)

Dash Mounted ADS-B With an RTL-SDR Blog V3

Reddit user [Bobcalamarie] recently [posted] about how he uses his car dash mounted Android tablet along with an RTL-SDR Blog V3 and a magnetic mount antenna while sitting in traffic to track aircraft overhead.

We’ve seen something similar to this once before when [Signals Everywhere] uploaded a video showing off ADS-B reception (among other things) to a dash-mounted Windows tablet and an Android head unit.

The software used by Bobcalamarie is the Android [Avare ADS-B] software which can be found in the Google Play Store. However, other applications exist for Windows, Linux, and other operating systems as well. Some software such as [Virtual Radar Server] even allows you to set up alerts for specific types of aircraft. While we wouldn’t condone it, this might come in handy for someone in traffic.

What would you do if you had an SDR installed in your vehicle? We would love to hear what you have to say in the comments below.

Dash Mounted ADS-B Reception

A Portable RTL-SDR Based ADS-B Receiver with Display and 3D Printed Enclosure

Over on Hackaday.io user nathan.matsuda has written about his RTL-SDR based hand held ADS-B aircraft receiver with display and 3D printed enclosure.

His initial idea was to create a flexible and open portable SDR device, however keeping the device open and built for general use meant increased complexity which quickly slowed his progress. Instead [Nathan] decided to focus on just ADS-B for his portable device as living near an airport he’d been interested in aircraft tracking since his first SDR arrived.

The device consists of a Raspberry Pi Zero, RTL-SDR, 3.5″ IPS LCD and a battery pack for portability. For software he uses dump1090 with some custom code for the map plotting. Together with a 3D printed case and some buttons, the result is a very professional looking portable aircraft tracking device.

Hopefully Nathan will continue updating his project page so that others may replicate it on their own.

Raspberry Pi Zero and RTL-SDR Portable ADS-B Receiver

Radwave Beta: Android RTL-SDR RF Analyzer App with Spectrum Pause and Rewind Features

Radwave Screenshot

Radwave is a recently released Android app for RTL-SDR dongles. It provides a real-time waterfall of the RF spectrum, and its defining feature is that you can easily zoom, pause and rewind the spectrum at any time. The software is currently in beta and doesn't demodulate any signals, but the work and ideas behind the spectrum display features are really interesting.

Radwave utilizes RTL-SDR dongles and the RTL2832U driver app to allow people to interactively explore the RF spectrum. You can dynamically zoom in and out in time and frequency, pause, and go back in time - all without losing any samples. If you find something cool, tag it and share with friends.

Radwave's core technology is its interactive real-time spectrogram. It shows all the spectrum - utilizing every sample [1] - for the entire collection [2]. Frequencies are aligned over time as you change the RF center frequency [3], helping you make sense of what you see.

[1] Adjacent non-overlapping DFT windows

[2] Up to device limitations

[3] Alignment limited by buffer uncertainty

Radwave Intro - We're in Beta!

YouTube Tutorial: Using RTL-SDR on an Android Smartphone

Over on YouTube, channel Null Byte has uploaded a video showing us how to use an RTL-SDR V3 on an Android smartphone. In the video he discusses the hardware and software required to get started on Android and demonstrates the free SDRoid Android app (based on RFAnalyzer) by tuning to several signals including a voice signal. Later in the video he also shows an ADS-B app for receiving aircraft positions. The video is intended for people new to RTL-SDR so it is a little basic, but it's a great introduction.

He notes that the next video (which will probably be released in a week) will show RPiTX being used with the RTL-SDR.

Use an RTL-SDR Software-Defined Radio Receiver with an Android Smartphone [Tutorial]

RTL_TCP SDR: iOS Software Defined Radio App with Spectrum Display

In the post a few days ago about the newly released "SDR Receiver" app for iOS, we briefly mentioned that another iOS app called "RTL_TCP SDR" has just been released out of beta and put onto the Apple store as well.

"RTL_TCP SDR" is a little different to "SDR Receiver" because it contains a full spectrum analyzer and waterfall display, whereas "SDR Receiver" only allows you to listen via presets or manual tuning. Neither app can access the RTL-SDR directly on the iOS device due to Apple limitations. An external server on a Raspberry Pi or PC running rtl_tcp is required. Programmer HotPaw writes about his app:

An RTL-SDR Software Defined Radio receiver for iOS devices (requires an external rtl_tcp server). Listen to VHF AM and FM radio signals. View a waterfall of the RF spectrum. Connect, via the rtl_tcp network protocol, to a networked RTL-SDR USB peripheral. 

iOS devices do not currently support the direct connection of USB devices such as an RTL-SDR. Thus, the use of this app requires network access to a server, such as a Raspberry Pi (or Mac), with an RTL-SDR unit plugged into its USB port, and running the rtl_tcp protocol at a TCP/IP network address accessible from your iOS device. The Raspberry Pi acts, essentially, as a USB port adapter for your iOS device.

No support is provided for installing any of the software needed to use this app with a Raspberry Pi. Please do not download this app unless you are already familiar with Software Defined Radio, have an RTL-SDR USB device, and have already installed and tested rtl_tcp on your Raspberry Pi, Mac, or other server.

Over on his Reddit discussion thread he also mentions:

Since Apple's iOS doesn't allow an RTL-SDR to be plugged directly into a Lightning port (even with a USB adapter), an rtl_tcp adapter, such as a Raspberry Pi (or Pi Zero) server is required.

This app is an experiment in real-time DSP and SDR coding using Apple's Swift and Metal GPU-shader programming languages. It includes a spectrum waterfall, and supports demodulating FM, AM, and SSB. Also, includes beta test support for the AirSpy HF+.

HotPaw's "RTL_TCP SDR" running on an iPad.