Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Airprobe: Monitoring GSM traffic with USRP

Information (and hopefully the slides soon) from the presentation can be found on the HAR2009 Wiki and the CCC Projects page. The project homepage is http://airprobe.org/ but appears to be down currently.

Airprobe is a project for creating an open-source GSM protocol decoder.

  • Using gnuradio Software Defined Radio (SDR)
  • GSM layer 1 demodulation / decode
  • GSM TDMA demultiplex
  • Recombining bursts into MAC blocks
  • Handing MAC blocks to the protocol analyzer

Why? Because wardrivers must be getting bored with just wireless LANs. There are other networks out there that are vulnerable (DECT, GSM, etc.). Raising public awareness is very important. It’s OK to look at the specs and say “there might be a problem here”, but testing and proof are needed to effect change.

The chips and parts required to build your own GSM sniffer are not available to the general public (at least at the low quantities required for normal usage). This is where the SDR comes in.

Airprobe decoders supported

  • gsmsp
  • gssm
    • Considered alpha
  • gsm-tvoid
  • gsm-receiver
    • Latest GSM decoder
    • Much better decoding
  • gsmdecode
    • GSM Layer 2+ decoder from hex bytes to human readable
  • gsmstack
    • GSM MAC Layer from demodulated bits to MAC blocks
    • Incomplete (will be integrated with gsm-receiver)

The project is currently looking for developers with DSP experience; get in touch through airprobe.org if you can help.

Demo: using the USRP and SDR to eavesdrop on GSM traffic. The demo fed pre-recorded data from the USRP into gsm-receiver and viewed the resulting MAC blocks.

MAC blocks are displayed as 23-byte blocks and use 0x2b as a filler when there isn’t enough data to fill a block.

By taking these MAC blocks and piping them into gsmdecode it’s possible to decode and view the system information and paging traffic (clear-text). This capture was taken on a non-frequency-hopping network. Frequency hopping, however, isn’t a security solution: the hopping pattern is sent in clear-text and is publicly known, and hopping exists to avoid interference, not to hide traffic. The current setup doesn’t support frequency hopping, but a number of solutions are being considered.

As gsm-receiver writes its capture in PCAP format, it can be opened in Wireshark to get a full graphical representation. The patches for Wireshark are currently available in SVN.
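As an added example (not Airprobe's code and not from the talk), the Python below does in a self-contained way what the two paragraphs above describe: it splits a capture into the 23-byte MAC blocks, reads the L2 pseudo-length octet of a format Bbis block (the layout used for system information on BCCH) to tell payload from 0x2b fill, and writes each block as a GSMTAP frame into a PCAP file that Wireshark can dissect. GSMTAP over UDP port 4729 and the LINKTYPE_IPV4 PCAP framing are assumptions of this example; the page only says that gsm-receiver outputs PCAP and that Wireshark patches exist in SVN. The sample capture is constructed, not real air data.

```python
"""Added example: split a capture into 23-byte GSM MAC blocks, strip 0x2b fill,
and write the blocks as GSMTAP-over-UDP frames into a PCAP file for Wireshark."""
import struct

BLOCK_LEN = 23            # one LAPDm MAC block on a control channel
FILL_BYTE = 0x2B          # fill octet used when a block is not completely used

# GSMTAP constants (assumed from the public GSMTAP header layout, not from the page)
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01     # GSM Um (air interface) frame
GSMTAP_CHANNEL_BCCH = 0x01
GSMTAP_UDP_PORT = 4729
LINKTYPE_IPV4 = 228       # PCAP link type: raw IPv4 packets, no Ethernet header


def split_blocks(raw: bytes) -> list:
    """Cut a byte stream into 23-byte MAC blocks; a trailing partial block is an error."""
    if len(raw) % BLOCK_LEN:
        raise ValueError("capture length %d is not a multiple of %d" % (len(raw), BLOCK_LEN))
    return [raw[i:i + BLOCK_LEN] for i in range(0, len(raw), BLOCK_LEN)]


def parse_bbis_block(block: bytes) -> dict:
    """Interpret a block in LAPDm format Bbis (BCCH/CCCH system information).
    Octet 1 holds the L2 pseudo-length in bits 8..3 (its low two bits are 0b01);
    the pseudo-length counts the L3 octets that follow; the remainder of the
    block is rest octets / fill, which is where the 0x2b filler shows up."""
    if len(block) != BLOCK_LEN:
        raise ValueError("expected a %d-byte block" % BLOCK_LEN)
    pseudo_len = block[0] >> 2
    payload = block[1:1 + pseudo_len]
    tail = block[1 + pseudo_len:]
    return {
        "format_ok": (block[0] & 0x03) == 0x01,
        "pseudo_length": pseudo_len,
        "payload": payload,
        "fill_bytes": sum(1 for b in tail if b == FILL_BYTE),
        "all_fill": all(b == FILL_BYTE for b in tail),
    }


def gsmtap_header(arfcn: int, timeslot: int, frame_number: int,
                  sub_type: int = GSMTAP_CHANNEL_BCCH) -> bytes:
    """16-byte GSMTAP v2 header; hdr_len is counted in 32-bit words (4 = 16 bytes)."""
    return struct.pack("!BBBBHbbIBBBB",
                       GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot,
                       arfcn & 0x3FFF,   # downlink: uplink flag (0x4000) clear
                       -60, 10,          # constructed signal level (dBm) and SNR (dB)
                       frame_number, sub_type, 0, 0, 0)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 20-byte IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_ipv4_packet(payload: bytes) -> bytes:
    """Wrap a GSMTAP frame in UDP/IPv4 (loopback, port 4729), the port on which
    Wireshark's GSMTAP dissector is registered. UDP checksum 0 = not computed."""
    udp = struct.pack("!HHHH", GSMTAP_UDP_PORT, GSMTAP_UDP_PORT, 8 + len(payload), 0) + payload
    src = dst = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def build_pcap(blocks: list, arfcn: int = 0, first_fn: int = 0) -> bytes:
    """Return a complete PCAP file (LINKTYPE_IPV4) with one GSMTAP packet per block.
    Frame numbers and timestamps are constructed: one block per frame, one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)
    for n, block in enumerate(blocks):
        pkt = udp_ipv4_packet(gsmtap_header(arfcn, 0, first_fn + n) + block)
        out += struct.pack("<IIII", n, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample capture of two 23-byte blocks (not real air data).
# Block 1 mimics the SI3 layout: pseudo-length 18 (0x49 = 18 << 2 | 0b01), 18 payload
# octets, then 4 trailing octets of 0x2b fill. The 0x2b inside the payload shows why
# fill is determined from the pseudo-length, not by scanning for the byte value.
# Block 2 carries nothing: pseudo-length 0 (0x01) followed by 22 fill octets.
SAMPLE_CAPTURE = bytes.fromhex(
    "49 06 1b 12 34 00 f1 10 00 01 c8 00 01 00 3f 02 2b 5c 04 2b 2b 2b 2b"
) + bytes([0x01]) + bytes([FILL_BYTE]) * 22

if __name__ == "__main__":
    blocks = split_blocks(SAMPLE_CAPTURE)
    for b in blocks:
        info = parse_bbis_block(b)
        print("pseudo-length %2d  payload %-36s  fill octets %d"
              % (info["pseudo_length"], info["payload"].hex(), info["fill_bytes"]))
    with open("airprobe_blocks.pcap", "wb") as fh:
        fh.write(build_pcap(blocks, arfcn=1))
```

Open the resulting airprobe_blocks.pcap in Wireshark: the UDP port selects the GSMTAP dissector, which in turn hands the 23-byte payload to the GSM A-I/F dissector, so the same system information a gsmdecode run prints as text shows up in the protocol tree.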

All the building blocks are in place to enable decoding of GSM encryption. The final step is a working proof of concept to break the encryption: there are a few known weaknesses, but no full PoC currently. The tools are here, but they need to be made more user-friendly.

There is currently no support for GPRS/EDGE, though this should be possible with some work. GPRS uses different encryption from GSM, so research will be needed in that area.