Hacking GSM Signals with an RTL-SDR and Topguw

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to us to let us know about his recently released project called Topguw. Bastien's Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, have installed Airprobe and Kraken, and you'll also need the roughly 2TB set of A5/1 rainbow tables, which keeps the barrier to this hack still quite high. Note that this is an attack on the A5/1 cipher: the keystream extraction and Kraken lookup described below do nothing against a network that has moved its traffic to A5/3. Bastien writes about his software:

So like I said my software can "crack" SMS and call over GSM network.

How ?

I put quotation marks around "crack" because my software is not enough to decipher GSM by itself. My software can perform some steps of the known-plaintext attack introduced by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I'll not explain all the steps here because they are long and tedious, but there is a lot of work done behind the GUI.

Actually my software can extract keystreams (or try to find some of them) from a GSM capture file, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher SMS or calls.

Why ?

This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2TB), everyone can try to hack GSM. It's very low cost compared to other hack vectors. Moreover the success rate is really great if you guess the keystream correctly. So when I started doing this by hand I thought: why not try to make something to do this automatically?
This is how Topguw was born.

Topguw, I hope, will make people aware of the risk they take by calling or sending SMS over GSM.

My software is currently in beta, but I did run it several times and I got good results. Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are produced to help with GSM reverse-engineering.
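To make concrete what "extracting the keystream" means in the pipeline Bastien describes, here is an added example written for this page (editor's code, not part of Topguw, Airprobe or Kraken): a plain Python reimplementation of the A5/1 generator following the public Briceno/Goldberg/Wagner description, the 22-bit COUNT derivation from the TDMA frame number, and the XOR that turns a burst with predictable content into the keystream that Kraken looks up in the rainbow tables. Kc, the frame number and the 114-bit "known" burst are constructed values chosen for illustration; in a real capture the known plaintext is the channel-coded (convolutionally coded and interleaved) form of a predictable LAPDm frame, not raw 0x2B fill bytes, and the bit ordering of Kc and COUNT follows the Briceno reference implementation.

```python
"""A5/1 keystream generation and the known-plaintext step of the attack.
Educational reimplementation for this article; not Topguw/Airprobe/Kraken code."""
from typing import List, Tuple

Bits = List[int]

# The three LFSRs of A5/1: (length, feedback taps, clock-control bit),
# as in the publicly documented design (Briceno/Goldberg/Wagner, 1999).
_REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


def frame_count(fn: int) -> int:
    """22-bit COUNT fed to A5/1, built from the TDMA frame number (GSM 03.20):
    T1 = FN div 1326 (11 bits), T3 = FN mod 51 (6 bits), T2 = FN mod 26 (5 bits),
    packed as T1 | T3 | T2 from the most significant end."""
    if fn < 0:
        raise ValueError("frame number must be non-negative")
    t1 = (fn // 1326) & 0x7FF
    t2 = fn % 26
    t3 = fn % 51
    return (t1 << 11) | (t3 << 5) | t2


class A51:
    """One A5/1 instance keyed with a 64-bit Kc and a 22-bit COUNT."""

    def __init__(self, kc: bytes, count: int) -> None:
        if len(kc) != 8:
            raise ValueError("Kc must be 8 bytes")
        if not 0 <= count < (1 << 22):
            raise ValueError("COUNT must fit in 22 bits")
        self.r = [0, 0, 0]
        # Key load: 64 key bits, LSB of kc[0] first; every register is clocked
        # and the bit is XORed into position 0 (majority rule suspended).
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i % 8)) & 1)
        # Frame-number load: the 22 COUNT bits, LSB first, same rule.
        for i in range(22):
            self._clock_all()
            self._xor_in((count >> i) & 1)
        # 100 mixing clocks under the majority rule, output discarded.
        for _ in range(100):
            self._clock()

    def _xor_in(self, bit: int) -> None:
        for k in range(3):
            self.r[k] ^= bit

    @staticmethod
    def _step(reg: int, length: int, taps: Tuple[int, ...]) -> int:
        fb = 0
        for t in taps:
            fb ^= (reg >> t) & 1
        return ((reg << 1) | fb) & ((1 << length) - 1)

    def _clock_all(self) -> None:
        for k, (length, taps, _) in enumerate(_REGS):
            self.r[k] = self._step(self.r[k], length, taps)

    def _clock(self) -> None:
        """Majority clocking: a register advances only when its clock bit agrees
        with the majority of the three clock bits, so two or three advance each step."""
        cb = [(self.r[k] >> _REGS[k][2]) & 1 for k in range(3)]
        maj = 1 if sum(cb) >= 2 else 0
        for k, (length, taps, _) in enumerate(_REGS):
            if cb[k] == maj:
                self.r[k] = self._step(self.r[k], length, taps)

    def _output(self) -> int:
        # Output bit is the XOR of the most significant bit of each register.
        return ((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)) & 1

    def keystream(self, n: int = 114) -> Bits:
        out = []
        for _ in range(n):
            self._clock()
            out.append(self._output())
        return out


def burst_keystreams(kc: bytes, count: int) -> Tuple[Bits, Bits]:
    """Per frame A5/1 emits 228 bits: 114 for the downlink burst, then 114 for uplink."""
    gen = A51(kc, count)
    return gen.keystream(114), gen.keystream(114)


def xor_bits(a: Bits, b: Bits) -> Bits:
    if len(a) != len(b):
        raise ValueError("bit-string length mismatch")
    return [x ^ y for x, y in zip(a, b)]


def encrypt_downlink_burst(kc: bytes, fn: int, plain: Bits) -> Bits:
    """What the network does to a 114-bit downlink burst in frame fn."""
    down, _ = burst_keystreams(kc, frame_count(fn))
    return xor_bits(plain, down)


def recover_keystream(cipher: Bits, known_plain: Bits) -> Bits:
    """The step Topguw/Airprobe automate: a burst whose plaintext is predictable
    yields keystream = ciphertext XOR plaintext; Kraken maps (keystream, COUNT) to Kc."""
    return xor_bits(cipher, known_plain)


if __name__ == "__main__":
    # Constructed values for illustration only (not a real Kc or capture).
    kc = bytes.fromhex("0123456789abcdef")
    fn = 1234567
    known_plain = [int(b) for b in format(0x2B, "08b")] * 14 + [0, 0]  # 114 bits
    cipher = encrypt_downlink_burst(kc, fn, known_plain)
    ks = recover_keystream(cipher, known_plain)
    print("COUNT = 0x%06x" % frame_count(fn))
    print("recovered keystream matches generator:", ks == burst_keystreams(kc, frame_count(fn))[0])
```

The Briceno reference implementation ships a known-answer test vector; comparing this generator's output against it is the quickest way to confirm the bit ordering before trusting any keystream you hand to Kraken. Once Kraken returns Kc, every other burst of the same call or SMS decrypts with `xor_bits(cipher, burst_keystreams(kc, frame_count(fn))[0])`, which is why a single correctly guessed burst is enough.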

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, follow Bastien's YouTube channel, as he plans to upload another video soon in which he shows himself hacking his own GSM SMS/call signals.

Topguw Proof of concept - GSM Hacking educational purpose

Of course remember that intercepting GSM signals that are not your own is illegal in most jurisdictions. If you do this you must check the legality of doing so in your country and only decode your own messages or messages that are intended for you.

Update 27 Feb 2023: Note that this content is constantly being censored by video upload sites. If the above video is down, Bastien has uploaded links to alternative video upload sites on pastebin.

Anonymous

Hello;
I need help looking for good training regarding cellular communications and security and some well known certifications; can you please help me.

Movsar

Error, help please 🙂

movsark sdr:~/topguw-master/dist$ java -jar topguw_git.jar
Exception in thread "main" java.lang.UnsupportedClassVersionError: gsm/gui/Principal : Unsupported major.minor version 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

Celestin

Try to use JRE 8

0per

This is an old thread, I know, but is there anything new re: GSM via SDR?

Anonymous

On my blog is a virtual machine intended to work with two Motorola C115/118/123 phones and two USB 2.5mm jack PL2303 serial cables. My blog: https://bastienbaranoff.wordpress.com/2016/02/08/gsm-base-station-with-two-osmocom-bb-compatible-phones-on-kali-rolling/

bastien baranoff

Check my blog to install topguw

kk

Would anyone be so kind as to clone the tables for me? Especially from Germany? I will send the 2 TB hard disk and pay for the shipment of course, and will give some extras for two cases of beer 🙂 Here is my email:
a51tables@*g.pl where *=10 (this is anti-spam protection 🙂)

Anonymous

If I was in Germany, I’d probably try and pick up the “Berlin A5/1 rainbow table set” in person at a CCC event ( https://events.ccc.de/ ) that happen in Germany.

Anonymous

These would be the exact places where you could pick them up in person:
https://en.wikipedia.org/wiki/Computer_security_conference#Hacker_conferences

Bas

Hi kk,

I can, send me an email.

kk

Hi Bas, I cannot see your email on this site.

This is my email: [email protected]. Please send me your email there and I will ask you about the details. mfg

Lior

Hi Mate 🙂
Whats up?

any chance to get the rainbow tables from you? Of course I’ll pay for the HD + shipping + extra 😉

Thanks in advance 🙂

bas

Hi,

You can ask someone to clone their rainbow tables.
Or download them with an external server (it took me 1 day to download them and install them on an OVH server). As Anonymous said, computing the rainbow tables yourself is just unimaginable.

But the best way is still to ask someone who has them to clone their rainbow tables and send the new hard drive. 2TB external hard drives are not expensive now.

kk

where can I get the rainbow tables?

Truth

I can think of three options, but there are probably more.
Bring a blank 2TB+ hard disk and an external HDD twin docking clone station and pick them up at most (not all) security conferences.
Or spend four months to a year downloading them (depending on your ISP's maximum acceptable usage policy cap) using BitTorrent.
Get access to a large number of powerful computers and create your own rainbow tables; they will not be bitwise the same as the Berlin rainbow tables, but the results from using them will be the same.

Anonymous

In June 2010 the "Berlin A5/1 rainbow table set" was created using 8 GPUs: 2×5850 (2×2.09 TFLOPs) + 2×5870 (2×2.72 TFLOPs) + 2×5970 (2×4.64 TFLOPs), allowing them to compute almost 2 TB of tables in around 4 weeks.

So if you have access to 18.9 TFLOPs (single precision compute power) you could make your own tables in about 4 weeks. Double that and it would take only 2 weeks.

But the cost in electricity to power these cards running flat out for 4 weeks is probably quite a bit.
(I’m using https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison for a guesstimate of the power used by each card)
5850 is 151 watt each
5870 is 188 watt each
5970 is 294 watt each
So 1266 watts in total for all 8 GPUs running at once. Take the unit rate per kWh as, let's say, 15 cents (depends where you are on earth). That would be 127.6128 euros/dollars/whatever to power these GPUs for 4 weeks.

peter

The best way is still to ask someone to clone and send his rainbow tables; it only costs the price of the HDD!