According to researchers at the International Association for Cryptologic Research, it is possible to snoop on 3G to 5G mobile users using a fake base station built with an SDR. It has been well known for several years that 2G mobile phone security is broken, but 3G to 5G were believed to remain secure. However, the researchers have now determined that a lack of randomness, together with the XOR operations used to protect the sequence number (SQN) in the Authentication and Key Agreement (AKA) cryptographic protocol, allows them to defeat the encryption.
In their research they used a USRP B210 SDR, which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but they note that a cheap Raspberry Pi could replace it too.
"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."
Though the attack is limited to monitoring subscriber activity – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective while the user is within reach of a fake base station.
Over on YouTube, user Goat Industries has uploaded a video showing him successfully using his LimeSDR as a 4G repeater. More information about his project to build a cell phone signal repeater can be found on his hackaday.io page, where he describes the project as follows:
In more remote areas it is often not financially viable for the cell network operator to build extra base stations for a small number of people and their phones/modems etc. Fortunately, this is not the end of the road as we can, in theory, build our own base stations and even create our own cells.
There are currently two groups of devices available that already claim to do this, one of which is reassuringly expensive and the other is just plain illegal! This project aims to democratise the situation, enabling cost-effective, hackable devices to be built that not only work properly but also conform to the telecoms regulations.
In his video he shows the repeater running on his LimeSDR. For software he uses Pothos to create the receiver and LimeSuite to control the LimeSDR settings.
The LimeSDR is advertised as a full duplex RX/TX capable SDR with a 100 kHz – 3.8 GHz frequency range, 12-bit ADC and up to 80 MHz of bandwidth. Back in June 2016 the project surpassed its $500k goal, raising over $800k on the crowdfunding site Crowd Supply, and today it’s up to over $1.1 million. Most crowdfunding backers have now received their units in the mail, but some are still waiting. We paid $199 USD for an early bird unit, and currently a preorder unit costs $289 USD on Crowd Supply.