Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to let us know about his recently released project called Topguw. Bastien's Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, you will need to have Airprobe and Kraken installed, and you'll also need a 2TB rainbow table, which keeps the barrier to this hack still quite high. Bastien writes about his software:

So like I said my software can “crack” SMS and call over GSM network.

How ?

I put quotation marks around crack because my software is not enough to decipher GSM by itself. My software can carry out some steps of the known-plaintext attack introduced by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I'll not explain all the steps here because they are long and tedious, but there is a lot of work done behind the GUI.

Actually my software can extract keystreams (or try to find some of them) from a GSM capture file, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher the SMS or call.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2TB), everyone can try to hack GSM. It's very low cost compared to other hack vectors. Moreover the success rate is really great if you guess the keystream correctly. So when I started doing this by hand I thought: why not try to make something that does this automatically?
This is how Topguw was born.

Topguw, I hope, will sensitize people to the risk they take by calling or sending SMS over GSM.

My software is currently in beta, but I did run it several times and I got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are made to help GSM reverse-engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, keep an eye on Bastien's YouTube channel, as he plans to upload another video soon in which he hacks his own GSM SMS/call signals.

GSM Hacking – easier than ever with Topguw

Of course remember that hacking into GSM signals is very illegal and if you do this then you must check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

15 comments

  1. Movsar

    Error,help please 🙂

    [email protected]:~/topguw-master/dist$ java -jar topguw_git.jar
    Exception in thread "main" java.lang.UnsupportedClassVersionError: gsm/gui/Principal : Unsupported major.minor version 52.0
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)
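    The UnsupportedClassVersionError above means the jar was built for a newer Java than the one running it (class-file major version 52 corresponds to Java 8). The check below is an added example, not part of this thread or of Topguw: it reads the class-file headers inside a jar and reports the Java release needed to load it. The jar it builds for the demo is constructed, not the real topguw_git.jar.

```python
import io
import struct
import zipfile

# Class-file header: magic (u4) = 0xCAFEBABE, minor_version (u2), major_version (u2).
CLASS_HEADER = struct.Struct(">IHH")


def java_release(major: int) -> str:
    """Map a class-file major version to the Java release that produced it."""
    if major < 45:
        raise ValueError(f"not a known class-file major version: {major}")
    if major <= 48:
        return f"Java 1.{major - 44}"   # 45 -> 1.1 ... 48 -> 1.4
    return f"Java {major - 44}"         # 49 -> 5, 52 -> 8, 61 -> 17


def required_java(jar_bytes: bytes):
    """Scan every .class entry in a jar; return (highest major version, release needed)."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            header = jar.read(name)[:CLASS_HEADER.size]
            if len(header) < CLASS_HEADER.size:
                raise ValueError(f"{name}: truncated class file")
            magic, _minor, major = CLASS_HEADER.unpack(header)
            if magic != 0xCAFEBABE:
                raise ValueError(f"{name}: bad class-file magic {magic:#x}")
            highest = max(highest, major)
    if highest == 0:
        raise ValueError("jar contains no .class entries")
    return highest, java_release(highest)


def build_sample_jar(major: int) -> bytes:
    """Constructed sample: a minimal jar with one class entry whose header carries
    the given major version (the body is stub bytes, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("gsm/gui/Principal.class",
                     CLASS_HEADER.pack(0xCAFEBABE, 0, major) + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(52)
    major, release = required_java(data)
    print(f"class-file major version {major}: needs {release} or newer")
```

    Run it with a path to a real jar to see which JRE it needs; with no argument it checks the constructed sample.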

  2. kk

    Would anyone be so kind as to clone the tables for me? Especially from Germany? I will send the 2 TB hard disk and of course pay for the shipment, and will give some extras for two cases of beer 🙂 Here is my email:
    [email protected]*g.pl where *=10 this antispam protection 🙂

  3. bas

    Hi,

    You can ask someone to clone his rainbow table.
    Or download them with an external server (it took me 1 day to download them and install them on an OVH server). As Anonymous said, computing the rainbow table by yourself is just unimaginable.

    But the best way is still to ask someone who has them to clone their rainbow table and send the new hard drive. External 2TB hard drives are not expensive now.

    • Truth

      I can think of three options, but there are probably more.
      Bring a blank 2TB+ hard disk and an external HDD twin docking clone station and pick them up at most (not all) security conferences.
      Or spend four months to a year downloading them (depending on your ISP's maximum acceptable usage policy cap) using BitTorrent.
      Get access to a large number of powerful computers and create your own rainbow tables; they will not be bitwise the same as the Berlin rainbow tables, but the results from using them will be the same.

    • Anonymous

      In June 2010 the "Berlin A5/1 rainbow table set" was created using 8 GPUs: 2×5850 (2×2.09 TFLOPs) + 2×5870 (2×2.72 TFLOPs) + 2×5970 (2×4.64 TFLOPs), allowing them to compute almost 2 TB of tables in around 4 weeks.

      So if you have access to 18.9 TFLOPs (single precision compute power) you could make your own tables in about 4 weeks. Double that and it would take only 2 weeks.

      But the cost in electricity to power these cards running flat out for 4 weeks is probably quite a bit.
      (I'm using https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison for a guesstimate of the power used by each card)
      5850 is 151 watts each
      5870 is 188 watts each
      5970 is 294 watts each
      So 1266 watts in total for all 8 GPUs running at once. Unit rate per kWh, let's say 15 cents (depends where you are on earth). So that would be 127.6128 Euros/dollars/whatever for powering these GPUs for 4 weeks.
