Tagged: GSM

RTL-SDR and HackRF Used in Mr. Robot – A TV Drama About Hacking

A few readers have written in to let us know the role SDRs played in the last season of "Mr. Robot". The show which is available on Amazon Prime is about "Mr. Robot", a young cyber-security engineer by day and a vigilante hacker by night. The show has actual cyber security experts on the team, so whilst still embellished for drama, the hacks performed in the show are fairly accurate, at least when compared to other TV shows.

Spoilers of the technical SDR hacks performed in the show are described below, but no story is revealed.

In the recently aired season 4 episode 9, a character uses a smartphone running an SSH connection to connect to a HackRF running on a Raspberry Pi. The HackRF is then used to jam a garage door keyfob operating at 315 MHz, thus preventing people from leaving a parking lot. 

Shortly after she can be seen using the HackRF again with Simple IMSI Catcher. Presumably they were running a fake cellphone basestation as they use the IMSI information to try and determine someones phone number which leads to being able to hack their text messages. The SDR used in the fake basestation appears to have been a bladeRF.

HackRF Used on Mr Robot
HackRF Used on Mr Robot

In season 4 episode 4 GQRX and Audacity can be seen on screen being used to monitor a wiretap via rtl_tcp and an E4000 RTL-SDR dongle.

E4000 RTL-SDR Being used for Wiretap Monitoring
E4000 RTL-SDR Being used for Wiretap Monitoring

Did we miss any other instances of SDRs being used in the show? Or have you seen SDRs in use on other TV shows? Let us know in the comments.

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to the some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YatesBTS, wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which to access requires that you get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in WMWare or VirtualBox.

SIGINTOS IMSI Catcher
SigintOS IMSI Catcher

Motherboard Article: Creating an IMSI Catcher with an RTL-SDR

Motherboard, an online technology magazine has recently run an article titled "With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes". The article describes how an RTL-SDR together with the IMSI-Catcher Linux software can be used to collect IMSI numbers from cellphones connected to a nearby cell tower. The IMSI is a unique number assigned to each SIM card and collecting this data could be used to identify if someone is in the area covered by the cell tower.

The IMSI-Catcher software only works with the older 2G GSM signals which are now being phased out in some countries and are relatively unused in others. Also unlike more advanced IMSI-Catchers which create a fake cell tower signal, the RTL-SDR based IMSI-Catcher can only collect IMSI numbers when the cellphone first connects to the cell tower.

One of our older posts with a YouTube tutorial video explains the RTL-SDR IMSI Catcher in more detail. 

IMSI-Catcher Python Script
IMSI-Catcher Python Script

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

 

Building your Own Cell Phone Network with a Raspberry Pi and BladeRF

As part of their senior project Matthew May & Brendan Harlow of Champlain College worked on a project that involved creating their own software defined radio based portable cell phone network. If you're interested their setup is nicely documented on their project page. Basically it consists of a bladeRF software defined radio and Raspberry Pi running the YateBTS base station software. This is nothing new in terms of work done before, but the clear documentation makes it a good starting point for anyone looking at building their own SDR based cell basestation. 

A custom cell basestation may be useful for those in remote areas without commercial cell phone reception, during disasters or even just to create a type of secondary network in your home.

[Also seen on Hackaday and Motherboard]

A cell phone connected to their custom network
A cell phone connected to their custom network

Using an RTL-SDR as a Simple IMSI Catcher

Over on YouTube user Keld Norman has uploaded a video showing how he uses an RTL-SDR with gr-gsm and a Python script to create a simple IMSI catcher. IMSI stands for International mobile subscriber identity and is a unique number that identifies a cell phone SIM card in GSM (2G) mobile phone systems. For security IMSI numbers are usually only transmitted when a connection to a new cell tower is made. More advanced IMSI-catchers used by governmental agencies use a fake cell tower signal to force the IMSI to always be revealed. This way they can track the location of mobile phones as well as other data like who or when you are calling.

In the video Keld uses a Python script called IMSI-Catcher. This script displays the detected IMSI numbers, country, and mobile carrier on a text display. The video description shows how to install GR-GSM and the IMSI-Catcher script on Ubuntu.

IMSI-Catcher Python Script
IMSI-Catcher Python Script
How to make a simple $7 IMSI Catcher

Camp++ YouTube Talk: GSM Signal Sniffing for Everyone with GR-GSM and Multi-RTL

Over on YouTube the channel Budapest Hackerspace has recently uploaded a talk by Piotr Krysik which was given during the August 2016 Camp++ 0x7e0 information security conference. The talk is titled: “GSM signal sniffing for everyone with gr-gsm and Multi-RTL by Piotr Krysik” and talks about using the gr-gsm software and RTL-SDR dongles to sniff the GSM mobile phone network. Also, a tool developed by Piotr called multi-rtl which allows the proper synchronization of multiple RTL-SDR dongles in order to cover the large gap between the GSM uplink and downlink frequencies is discussed.

The talk explains a bit about how GSM works, and then goes on to talk about the gr-gsm and multi-rtl software. The talk blurb reads:

Gr-gsm is a set of tools for receiving GSM transmissions, which works with any software radio hardware capable of receiving GSM signal. Together with widely available RTL2832 based TV dongles, that are popularly used as low cost software radio receivers (known as RTL-SDR), it enables everyone to receive and study protocols used in GSM’s mobile radio interface.

Ability to receive signals spread over wide frequency range exceeding single RTL-SDR receiver’s bandwidth (~2.4MHz) was available exclusively for the owners of more capable and more expensive SDR devices. With introduction of Multi-RTL project by the author of the talk, this limit was overcome through synchronization of multiple RTL-SDR receivers in time domain, that doesn’t require complicated hardware modifications. With Muli-RTL it is possible to receive for example uplink and downlink of GSM900 transmissions, that are separated by 45MHz.

Speaker will present origins of both of the projects, together with description of their inner workings, examples of applications and plans for the future.

The talk slides can be downloaded here.

Camp++ 0x7e0 // GSM signal sniffing for everyone with gr-gsm and Multi-RTL by Piotr Krysik

CNxROOT Two Posts: How to Build an RTL-SDR Server with OpenWRT, Creating a GSM BaseStation with OpenBTS and a USRP

Recently security researcher cnxroot wrote in to let us know about two of his posts that may be of interest to readers. The posts are written in Chinese, so please use Google Translate to read them in English – it translates okay to some extent.

The first post shows us how to run the RTL-SDR on an OpenWRT capable router server. OpenWRT is a Linux firmware/OS that can be installed on several compatible router devices which extends the usefulness and features of the router. Since it is running Linux the RTL-SDR drivers can be installed onto it, and then rtl_tcp can be run, providing a remote RTL-SDR.

The second post is a bit more advanced. It is about creating a pseudo GSM base station with a USRP SDR and intercepting IoT devices which connect over GSM/GPRS. The post shows how to set up OpenBTS which can be used to create a base station.

RTL-SDR running on an internet router with OpenWRT.
RTL-SDR running on an internet router with OpenWRT.