15

This question would be in the category of SmartPhone Sniffers.

So we have sniffers that can show the packets that are being sent across a wired or wireless (802.11) network. I am just performing basic research on GSM sniffers and I would like to know if there are tools available for monitoring the space for specific frequency ranges and capturing data.

What would be the complexity of designing such a tool?

MToecker
Legolas

3 Answers

10

The hardware tool that is suited to this is the Universal Software Radio Peripheral (vendor site). You can get a leg up on decoding the transmissions by looking at the work done for the OpenBTS system. So, hardware-wise it's commodity equipment, though a few thousand dollars because it's not very common. Software-wise, the groundwork is already there to pull from.

Cellular data is typically encrypted between handset and tower, and so far most attacks against that have been active. Thus, the complexity of sniffing usable data may be relatively high / a research project.

Jeff Ferland
    I believe it was 2008's DEFCON that had some discussions about this. Also, something to note is that handsets will jump to the strongest signal, which may be an unencrypted network. The standard dictates that there should be a pop-up letting the user know that they are no longer encrypted, but many retailers will disable that to avoid support calls. (This is just my understanding from the DEFCON talk, please correct me if I'm wrong.) – Ormis Aug 08 '11 at 18:58
    I was in the room for that talk... I believe it was DEFCON 18 (last year). That required an active MITM attack rather than eavesdropping. Much like breaking SSL vs. stripping SSL away, the easier one is the active attack in this case. – Jeff Ferland Aug 08 '11 at 19:15
4

The most commonly deployed 2G (GPRS/EDGE) ciphers have now been publicly broken, and the evidence indicates that they were once again intentionally left weak by the mobile industry designers. See this news coverage:

Here are a few details. At Chaos Communication Camp 2011, Karsten Nohl, Luca Melette et al. disclosed flaws in the GEA/1 and GEA/2 ciphers and released the open source gprsdecode software for sniffing GPRS/EDGE networks. It works in conjunction with the open source Osmocom GSM baseband software implementation running on supported cell phone hardware, like OpenMoko or some Motorola phones based on the TI Calypso digital baseband chip.

They also noted that some carriers don't even encrypt the data (i.e. using GEA/0) in order to detect the use of traffic or protocols they don't like, e.g. Skype.

GEA/3 seems to remain relatively hard to break and is said to be in use on some more modern networks. If used with USIM to prevent connections to fake base stations and downgrade attacks, users will be protected in the medium term, though migration to 128-bit GEA/4 is still recommended.

But GEA/0, GEA/1 and GEA/2 are widely deployed. So applications should use SSL/TLS for sensitive data, as they would on wifi networks.

nealmcb
1

These days basic Software Defined Radio (SDR) kit has become very affordable, so you can now obtain the RTL-SDR USB stick for about $15 and perform some GSM sniffing on a standard laptop running Wireshark. The GSM capture is done using the RTL-SDR and the airprobe tool (which builds on GNU Radio), which relays the packets to Wireshark via the GSMTAP port (UDP 4729); Wireshark now has GSM protocol decode functionality built in.

This will generally get you the traffic from the base station, though it is mostly encrypted, albeit with a broken algorithm. Capturing a mobile station's traffic is trickier as it can use frequency hopping. Furthermore, the legality of such sniffing varies between countries and is generally a tricky area.

user30473
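The GSMTAP relay step in the answer above (airprobe writing decoded frames to UDP 4729 so Wireshark can dissect them) is easy to study without any radio hardware. The following is an added example, not code from airprobe, Wireshark or the answer's author: it packs and parses the 16-byte GSMTAP version 2 header (network byte order, as defined in Osmocom's gsmtap.h), wraps a packet in UDP/IPv4/Ethernet and writes a pcap that Wireshark will decode as GSMTAP, and can also push a packet to a live capture on the loopback interface. The BCCH frame, the ARFCN and the loopback addresses are constructed sample values, not captured data.

```python
"""GSMTAP encapsulation, as used to hand GSM frames from airprobe to Wireshark.

Added example (not airprobe's, Wireshark's, or the answer's own code). The
header layout follows GSMTAP version 2 (16 bytes, network byte order); the
sample BCCH frame and the loopback addresses below are constructed.
"""
import socket
import struct

GSMTAP_VERSION = 0x02
GSMTAP_UDP_PORT = 4729            # Wireshark dissects UDP on this port as GSMTAP
GSMTAP_TYPE_UM = 0x01             # payload is an Um (air interface) L2 frame
GSMTAP_CHANNEL_BCCH = 0x01
GSMTAP_CHANNEL_SDCCH = 0x06
GSMTAP_ARFCN_F_UPLINK = 0x4000    # flag bit in the ARFCN field: uplink frame
GSMTAP_ARFCN_MASK = 0x3FFF

# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm,
# snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_HDR_LEN = _HDR.size        # 16

# Constructed sample: 23-byte BCCH L2 frame, pseudo-length/RR/SI3 header
# followed by 0x2B fill. Not a capture from a real network.
SAMPLE_BCCH_FRAME = bytes([0x49, 0x06, 0x1B]) + b"\x2b" * 20


def gsmtap_pack(payload, arfcn, timeslot, frame_number, sub_type,
                uplink=False, signal_dbm=-60, snr_db=20, sub_slot=0):
    """Prefix an L2 frame with a GSMTAP v2 header."""
    if not 0 <= timeslot <= 7:
        raise ValueError("GSM timeslot must be 0..7")
    if arfcn & ~GSMTAP_ARFCN_MASK:
        raise ValueError("ARFCN must fit in 14 bits")
    arfcn_field = arfcn | (GSMTAP_ARFCN_F_UPLINK if uplink else 0)
    hdr = _HDR.pack(GSMTAP_VERSION, GSMTAP_HDR_LEN // 4, GSMTAP_TYPE_UM,
                    timeslot, arfcn_field, signal_dbm, snr_db,
                    frame_number, sub_type, 0, sub_slot, 0)
    return hdr + bytes(payload)


def gsmtap_parse(packet):
    """Split a GSMTAP packet into header fields and the L2 payload."""
    if len(packet) < GSMTAP_HDR_LEN:
        raise ValueError("packet shorter than a GSMTAP header")
    (ver, hdr_len, typ, ts, arfcn, sig, snr, fn,
     sub_type, ant, sub_slot, _res) = _HDR.unpack_from(packet)
    if ver != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % ver)
    return {"type": typ, "timeslot": ts,
            "arfcn": arfcn & GSMTAP_ARFCN_MASK,
            "uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
            "signal_dbm": sig, "snr_db": snr, "frame_number": fn,
            "sub_type": sub_type, "antenna_nr": ant, "sub_slot": sub_slot,
            "payload": packet[hdr_len * 4:]}


def ip_checksum(hdr):
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def udp_frame(gsmtap_packet, src="127.0.0.1", dst="127.0.0.1", sport=4729):
    """Wrap a GSMTAP packet in UDP/IPv4/Ethernet, as it appears on the wire."""
    udp = struct.pack("!HHHH", sport, GSMTAP_UDP_PORT,
                      8 + len(gsmtap_packet), 0) + gsmtap_packet  # UDP csum 0 = none
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0,
                               64, 17, 0, socket.inet_aton(src),
                               socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", ip_checksum(ip))
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    return eth + bytes(ip) + udp


def write_pcap(path, frames):
    """Write Ethernet frames to a classic pcap file (LINKTYPE_ETHERNET = 1)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for ts, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)


def send_gsmtap(packet, host="127.0.0.1"):
    """Deliver one GSMTAP packet to a Wireshark instance capturing on lo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (host, GSMTAP_UDP_PORT))


if __name__ == "__main__":
    pkt = gsmtap_pack(SAMPLE_BCCH_FRAME, arfcn=62, timeslot=0,
                      frame_number=1234567, sub_type=GSMTAP_CHANNEL_BCCH)
    print(gsmtap_parse(pkt))
    write_pcap("gsmtap_demo.pcap", [udp_frame(pkt)])  # open in Wireshark
```

Open the resulting gsmtap_demo.pcap in Wireshark (or start a capture on the loopback interface and call send_gsmtap) and the packet shows up under the GSMTAP dissector with the ARFCN, timeslot and frame number from the header; the uplink flag in the ARFCN field is how a tool marks mobile-station traffic as distinct from the downlink frames the answer says are easier to capture.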