Tagged: basestation

Defcon 2020 Online Talks: Satellite Eavesdropping & Detecting Fake 4G Base Stations

DEFCON 2020 was held online this year in and the talks were released a few days ago on their website and on YouTube. If you weren't already aware Defcon is a major yearly conference all about information security, and some of the talks deal with wireless and SDR topics. We found two very interesting SDR and wireless related talks that we have highlighted below. The first talk investigates using commercial satellite TV receivers to eavesdrop on satellite internet communications. The second discusses using a bladeRF or USRP to detect fake 4G cellphone basestations. Slides for these talks are available on the Defcon Media server under the presentations folder.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

Space is changing. The number of satellites in orbit will increase from around 2,000 today to more than 15,000 by 2030. This briefing provides a practical look at the considerations an attacker may take when targeting satellite broadband communications networks. Using $300 of widely available home television equipment I show that it is possible to intercept deeply sensitive data transmitted on satellite links by some of the world's largest organizations.

The talk follows a series of case studies looking at satellite communications affecting three domains: air, land, and sea. From home satellite broadband customers, to wind farms, to oil tankers and aircraft, I show how satellite eavesdroppers can threaten privacy and communications security. Beyond eavesdropping, I also discuss how, under certain conditions, this inexpensive hardware can be used to hijack active sessions over the satellite link.

The talk concludes by presenting new open source tools we have developed to help researchers seeking to improve satellite communications security and individual satellite customers looking to encrypt their traffic.

The talk assumes no background in satellite communications or cryptography but will be most interesting to researchers interested in tackling further unsolved security challenges in outer space.

DEF CON Safe Mode - James Pavur - Whispers Among the Stars

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

4G based IMSI catchers such as the Hailstorm are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now IMSI catcher detection has focused on 2G IMSI catchers such as the Stingray which are quickly falling out of favor.

In this talk we will tell you how 4G IMSI Catchers might work to the best of our knowledge, and what they can and can't do. We demonstrate a brand new software project to detect fake 4G base stations, with open source software and relatively cheap hardware. And finally we will present a comprehensive plan to dramatically limit the capabilities of IMSI catchers (with the long term goal of making them useless once and for all).

GitHub: https://github.com/EFForg/crocodilehunter

DEF CON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real Time

Setting up a GSM Basestation in minutes with a USRP and DragonOS

DragonOS is a ready to use Linux OS image that includes many SDR programs preinstalled and ready to use. The creator Aaron also runs a YouTube channel that has multiple tutorial videos demonstrating software built into DragonOS.

In a recent video Aaron shows how you can set up a GSM basestation within minutes by using the latest DragonOS version together with a USRP b205mini-i software defined radio. As the required software (osmo-BTS, osmo-bts, osmo-bts-trx) is all preinstalled, setting up the basestation is a simple matter of opening three terminal windows and running a few commands. We note that this latest DragonOS version is due to be released this Thursday.

In a previous video Aaron also shows a more detailed setup procedure showing how all the software was installed.

DragonOS Focal Running a GSM network in minutes (osmo-bts, osmo-bsc, osmo-bts-trx, USRP b205mini-i)

Building your own Rogue GSM Basestation with a BladeRF

Over on his blog author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting peoples calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and now it is about time that these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and 12-bit ADC. He also uses a battery pack which makes the whole thing portable. The software used is Yate and YateBTS which is open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up mobile phones will automatically connect to the basestation due to the design of GSM.

Once setup you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic on anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is a IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.
bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.