Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Airprobe: Monitoring GSM traffic with USRP

Information (and hopefully the slides soon) from the presentation can be found on the HAR2009 Wiki and the CCC Projects page. The project homepage is http://airprobe.org/ but appears to be down currently.

Airprobe is a project for creating an OpenSource GSM protocol decoder.

  • Using gnuradio Software Defined Radio (SDR)
  • GSM layer 1 demodulation / decode
  • GSM TDMA demultiplex
  • Recombining bursts into mac blocks
  • Handling of mac blacks to protocol analyzer

Why ? because wardrivers must be getting bored with just Wireless LANs. There are other networks out there that are vulnerable (DECT, GSM, etc…). Raising public awareness is very important. It’s ok to look at the specs and say “There might be  a problem here”, but testing and proof are needed to effect change.

The chips and parts required to build your own GSM sniffer are not available to the general public (at least at the low quantities required for normal usage). This is where the SDR comes in.

Airprobe decoders supported

  • gsmsp
  • gssm
    • Considered alpha
  • gsm-tvoid
  • gsm-receiver
    • Latest GSM decoder
    • Much better decoding
  • gsmdecode
    • GSM Layer 2+ decoder from hex bytes to human readable
  • gsmstack
    • GSM MAC Layer from demodulated bits to MAC blocks
    • Incomplete (will be integrated with gsm-receiver)

The Project are currently looking for developers with DSP experience –> get in touch through airprobe.org if you can help

Demo: Using the USRP and SDR to eavesdrop on GSM traffic. The demo used pre-recorded data from the USRP to input into gsm-receiver and view the MAC blocks.

MAC blocks are displayed in 23 Byte blocks and use [2b] as a filler if there isn’t enough data to fill a Block.

By taking these MAC blocks and piping them into gsm-decode it’s possible to decode and view the system information paging traffic (clear-text). This capture was taken on a non-frequency hoping network. Frequency hoping however isn’t a security solution as the frequency hoping pattern is sent in clear-text and is publicly known. Frequency hoping is used to avoid interference. the current setup, doesn’t support frequency hoping, but there are a number of solutions being considered.

As the capture from gsm-receiver outputs to PCAP format, it’s possible to open within Wireshark to get a full graphical representation. The patches for wireshark are available in SVN currently.

All the building blocks are in place to enable decoding of GSM encryption. The final step is a working proof of concept to break the encryption. There are a few weaknesses, however no full PoC currently. The tools are here, but they need to be made more user friendly.

Currently no support for GPRS/EDGE, however this should be possible with some work. However GPRS uses different encryption than GSM, so research will need to be made in this area.


8 responses to “Airprobe: Monitoring GSM traffic with USRP

  1. Matias October 27, 2009 at 19:56

    blks, stdgui and others blocks were replaced by blks2, stdgui2 and that kind of stuff. NETBEANS IDE (with python support) is very usefull to rewrite correctly the python scripts.

  2. John March 11, 2011 at 23:34

    Has anybody successfully decoded GSM signals from base stations? Do we need a license to do that?

  3. akhil June 4, 2012 at 15:34

    After downloading the sources from the Airprobe….. how do i go forward.. what has to be done exactly.. all the links given abpve are closed.. and they dont exist…. can someone please guide me here…

%d bloggers like this: