Sniffing GSM signals with RTL-SDR

1. Experimental environment

Ubuntu 20.04
GNU Radio 3.8

2. Principle explanation

1. Introduction to GSM

1.1 Overview

GSM (Global System for Mobile Communications), commonly known as “Global Communications”, is a digital mobile phone network standard formulated by the European Telecommunications Standards Institute (ETSI).

1.2 Main advantages of GSM

  • Sound quality is better than that of traditional analog phones, and GSM adds security features such as encryption and authentication.
  • The GSM system uses a globally synchronized time reference, which makes activation and operation very convenient, and it uses a SIM card for user identity authentication. This lets users quickly switch operators on any GSM-enabled handset while keeping the same phone number.

1.3 Technologies used by GSM

The main technologies used by GSM include time division multiple access (TDMA) technology, frequency allocation and scheduling technology, digital signal processing technology, GSM network architecture and GSM codes.

1.3.1 TDMA technology

TDMA is the core technology of GSM: it lets multiple users communicate on the same frequency in different time slots, making efficient use of the spectrum.

1.3.2 Digital Signal Processing Technology

GSM uses digital signal processing technology to enable voice and data to be transmitted and processed digitally, which is more stable, accurate and clear than analog transmission.

GSM’s frequency allocation and scheduling technology allows operators to divide limited spectrum resources into several frequency channels and dynamically allocate them to users who need to use them. This technology can effectively reduce frequency conflicts and improve communication quality and efficiency.

1.3.3 GSM network architecture adopts layered structure

GSM network architecture includes base station subsystem, network and supporting systems. This structure enables GSM to flexibly expand and upgrade its network capabilities and service functions.

1.3.4 GSM code

GSM codes are another core technology of GSM. They are used to encrypt and decrypt calls, protecting the privacy and security of the user's communication, and also to identify and distinguish different users and devices so that communications can be routed to the correct target device quickly and accurately.

2. GSM working frequency band

The working frequency band used by the GSM network varies according to different regions and countries.

  • In North America and South America, the two bands 850 MHz and 1900 MHz are mainly used.
  • The GSM bands used in China are GSM900 and GSM1800. GSM900 covers 907.2 MHz to 960 MHz and is used for voice and SMS services; GSM1800 covers 1710 MHz to 1785 MHz and 1805 MHz to 1880 MHz and is used mainly for voice, SMS and data services.

PS
1. GSM networks in different countries and regions may differ in frequency band allocation and use, so when roaming internationally users need to check whether their phone supports the band and standard of the target country or region.
2. Different operators may allocate and use different frequency bands in different regions. When choosing a phone, users need to confirm that the bands and standards it supports match the target operator.
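As an added example (not from the original post or from gr-gsm), the following Python converts between the ARFCN channel numbers that GSM tools report and the carrier frequencies listed above, for GSM850, GSM900 (primary and extended), DCS1800 and PCS1900. Band edges are taken from 3GPP TS 45.005; the 907.2 MHz lower edge quoted above is not used here.

```python
# Added example (not part of the original post or of gr-gsm): convert between GSM
# ARFCN channel numbers and carrier frequencies for the bands discussed above.
# Band edges follow 3GPP TS 45.005; "duplex" is the fixed spacing between a
# channel's uplink (phone -> BTS) and downlink (BTS -> phone) carriers.

CHANNEL_MHZ = 0.2  # GSM carrier spacing is 200 kHz

# band -> (first ARFCN, last ARFCN, uplink MHz at the first ARFCN, duplex MHz)
BANDS = {
    "GSM850":   (128, 251, 824.2, 45.0),
    "P-GSM900": (1, 124, 890.2, 45.0),
    "E-GSM900": (975, 1023, 880.2, 45.0),  # plus ARFCN 0, handled below
    "DCS1800":  (512, 885, 1710.2, 95.0),
    "PCS1900":  (512, 810, 1850.2, 80.0),  # same ARFCNs as DCS1800: the band must be known
}


def arfcn_to_freq(arfcn, band):
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the named band."""
    first, last, ul_first, duplex = BANDS[band]
    if band == "E-GSM900" and arfcn == 0:
        uplink = 890.0  # ARFCN 0 is the E-GSM channel just below P-GSM ARFCN 1
    elif first <= arfcn <= last:
        uplink = ul_first + CHANNEL_MHZ * (arfcn - first)
    else:
        raise ValueError(f"ARFCN {arfcn} is outside {band}")
    return round(uplink, 1), round(uplink + duplex, 1)


def freq_to_arfcn(downlink_mhz, band):
    """Inverse mapping for a downlink carrier, the direction a scanner reports
    (e.g. 945.8 MHz in P-GSM900 is ARFCN 54). Raises ValueError when the
    frequency is not on the band's 200 kHz grid."""
    first, _last, ul_first, duplex = BANDS[band]
    candidate = first + round((downlink_mhz - (ul_first + duplex)) / CHANNEL_MHZ)
    if band == "E-GSM900" and abs(downlink_mhz - 935.0) < 0.05:
        candidate = 0
    if arfcn_to_freq(candidate, band)[1] != round(downlink_mhz, 1):
        raise ValueError(f"{downlink_mhz} MHz is not a {band} downlink carrier")
    return candidate


def is_downlink_carrier(downlink_mhz, band):
    """True if the frequency is a valid downlink carrier of the band."""
    try:
        freq_to_arfcn(downlink_mhz, band)
        return True
    except (ValueError, KeyError):
        return False
```

Because DCS1800 and PCS1900 share ARFCN numbers 512 to 810, an ARFCN alone is ambiguous; the band (or the PCS flag a capture tool attaches) is always needed to recover the frequency.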

3. Composition and structure of GSM system

The GSM system consists of a mobile station (Mobile Station, MS), a base station subsystem (Base Station Subsystem, BSS) and a network and switching subsystem (Network and Switching Subsystem, NSS).
The contents and functions of each part are shown in the figure below; a text description is not clear, so a diagram is used instead.
If a picture can explain it, don't use words!

4. GSM network security

4.1 GSM network attack classification

4.1.1 Eavesdropping (eavesdropping) attack

An attacker listens to the signals broadcast between base stations and mobile stations and decrypts them in order to intercept the traffic. By eavesdropping on the wireless signal the attacker can obtain the content of phone calls or text messages, so this attack may lead to the disclosure of personal privacy.

4.1.2 Forgery (spoofing) attack

The attacker pretends to be a base station and sends an inducement signal that lures the victim into connecting to a rogue base station. Because GSM authentication is one-way, the base station can authenticate the mobile station (phone), but the mobile station cannot authenticate the base station, so users are easily lured into communicating with a fake base station.

4.1.3 Man-in-the-middle attack

An attacker can intercept communication data and pass it on to the intended recipient while forging their own identity, so that neither the sender nor the recipient notices. Such an attack can result in data being tampered with or stolen.

4.1.4 Denial-of-service attack

An attacker can prevent legitimate users from accessing or receiving services by overloading network resources with a large number of invalid requests. For example, attacking base station transmitters can leave a large number of users unable to connect to the network normally.

4.1.5 Cracking attack

An attacker can try to crack the system's password protection mechanism to obtain sensitive user information, gain remote access control, or plant malware for further attacks.

5. Three GSM encryption algorithms

GSM has three main encryption algorithms, namely A5/1, A5/2 and A5/3.

A5/1 and A5/2 are the earliest GSM encryption algorithms, and both have been cracked. GSM networks now widely use the A5/3 algorithm, which is more secure: it uses a longer key and a more complex cipher, which is difficult for attackers to crack.

The A5/3 encryption steps are as follows:

1. Initialization: generate a 128-bit key and divide it into three 64-bit parts (called the key stream generator, KSG); each part is connected to a 19-bit pseudo-random number generator (a linear feedback shift register, LFSR), and initial values are loaded into the LFSRs.
2. Shift: the A5/3 algorithm has three LFSRs, named R1, R2 and R3. In each shift step, each of the three LFSRs performs 8 shift operations; if the lowest bit is 1, the corresponding linear feedback bit is XORed into the highest bit of the LFSR. Each LFSR thus generates 8 new bits. After the shift is complete, bits 18, 17 and 21 of R1, R2 and R3 are XORed together to produce a 1-bit output.
3. Key stream synthesis: XOR the three 1-bit outputs generated above to obtain 1 bit of key stream.
4. Encryption and decryption: in GSM communication, the resulting key stream is used to encrypt and decrypt the communication content.

In summary, the A5/3 algorithm consists of three steps: initialization, shifting, and key stream synthesis. The output of the shift operations is combined into a key stream, which is used to encrypt and decrypt the communication content.

3. Practice

1. gr-gsm installation

1.1 Update software sources and install dependent libraries

sudo apt-get update
sudo apt-get install cmake g++ libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python3-pip --fix-missing

1.2 Download and compile gr-gsm

Execute the following command to download the gr-gsm code locally and compile it:

# Clone the gr-gsm repository
git clone https://github.com/ptrkrysik/gr-gsm.git
# Create and enter the build directory
cd gr-gsm
mkdir build
cd build
# Run CMake (note the space before "..", the path to the source tree)
cmake ..
# Compile and install
make
sudo make install
sudo ldconfig
# Verify the installation:
gnuradio-companion

PS
If the following appears when running cmake …

CMake Error: The following variables are used in this project, but they are set to NOTFOUND

Please refer to the blog for the solution.

If make reports

make[1]: *** [CMakeFiles/Makefile2:953: lib/CMakeFiles/grgsm.dir/all] Error 2
make: *** [Makefile:141: all] Error 2

Please refer to the technical blog for the solution.

If sudo make install fails with

c++ : fatal error: Killed signal terminated program cc1plus
compilation terminated.
make[2]: *** [swig/CMakeFiles/grgsm_swig.dir/build.make:63:swig/CMakeFiles/grgsm_swig.dir/CMakeFiles/grgsm_swig.dir/grgsm_swigPYTHON_wrap.cxx.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:1116: swig/CMakeFiles/grgsm_swig.dir/all] Error 2
make: *** [Makefile:141: all] Error 2

Please refer to the blog for the solution.

1.3 Test whether gr-gsm is installed successfully

Run the following command to test whether gr-gsm works normally. If version information is printed, the installation was successful:

# Remember that the SDR (hackrf_one) must be connected at this point
grgsm_scanner

You can also run grgsm_livemon to test whether the installation succeeded:

grgsm_livemon

If the following error occurs, please refer to the solution:

Traceback (most recent call last):
  File "/usr/local/bin/grgsm_livemon", line 37, in <module>
    from grgsm import arfcn
ModuleNotFoundError: No module named 'grgsm'

2. Install wireshark

sudo apt install wireshark

3. Start searching for base stations

1. Press ctrl + alt + t to open a terminal window and enter:

grgsm_scanner -v -b GSM900

2. In another terminal, enter:

# 945.8M is the value of the Freq field found in step 1
grgsm_livemon -f 945.8M

3. Open another terminal.
If the following data appears in the terminal running the command from step 2, the frequency selection is good and data can already be sniffed; otherwise the frequency needs to be changed (the candidates are the Freq values from step 1).

Wireshark needs to run with administrator privileges:

sudo wireshark -k -f udp -y gsmtap -i lo
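What the Wireshark "gsmtap" dissector above actually reads is a stream of GSMTAP datagrams that grgsm_livemon sends to UDP port 4729 on the loopback interface. The following Python, added here as an example and not part of the original post, gr-gsm or Wireshark, decodes that 16-byte header (layout from osmocom's gsmtap.h) and applies the same "frequency selection is good" check as step 3, namely that downlink BCCH frames are arriving; the packets it builds are constructed test data, not a capture.

```python
# Added example (not part of the original post or of gr-gsm/Wireshark): decode the
# GSMTAP datagrams that grgsm_livemon sends to UDP port 4729 on lo, i.e. what the
# "gsmtap" dissector in the Wireshark command above reads. The 16-byte header
# layout follows osmocom's gsmtap.h; packets built below are constructed test data.
import struct

HDR = struct.Struct(">BBBBHbbIBBBB")  # network byte order, 16 bytes
ARFCN_MASK, FLAG_UPLINK, FLAG_PCS = 0x3FFF, 0x4000, 0x8000
TYPE_UM = 0x01  # GSM Um (air interface) frames
CHANNELS = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH", 6: "SDCCH",
            7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}


def parse_gsmtap(datagram):
    """Return the header fields of one GSMTAP datagram and its raw L2 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, frame_type, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _res) = HDR.unpack_from(datagram)
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    return {
        "type": frame_type,
        "timeslot": timeslot,
        "sub_slot": sub_slot,
        "arfcn": arfcn_raw & ARFCN_MASK,        # top two bits are flags, not channel
        "uplink": bool(arfcn_raw & FLAG_UPLINK),
        "pcs": bool(arfcn_raw & FLAG_PCS),      # distinguishes PCS1900 from DCS1800
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": CHANNELS.get(sub_type & 0x7F, f"sub_type {sub_type & 0x7F}"),
        "acch": bool(sub_type & 0x80),          # associated control channel flag
        "payload": datagram[hdr_len * 4:],      # hdr_len is counted in 32-bit words
    }


def build_gsmtap(arfcn, sub_type, frame_number, payload, uplink=False, signal_dbm=-60):
    """Constructed datagram in the same layout, for offline testing only."""
    arfcn_raw = arfcn | (FLAG_UPLINK if uplink else 0)
    return HDR.pack(2, 4, TYPE_UM, 0, arfcn_raw, signal_dbm, 0, frame_number,
                    sub_type, 0, 0, 0) + payload


def is_downlink_bcch(hdr):
    """The 'frequency selection is good' sign from step 3: BCCH frames from the BTS."""
    return hdr["type"] == TYPE_UM and hdr["channel"] == "BCCH" and not hdr["uplink"]


# Constructed sample: a downlink BCCH frame on ARFCN 54 with a placeholder payload.
SAMPLE = build_gsmtap(54, 1, 1234567, bytes(23))
```

Reading the real stream only needs a UDP socket bound to 127.0.0.1:4729 in place of SAMPLE; the Wireshark filter `-f udp -y gsmtap` is doing exactly this decoding before it shows the L3 messages.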

4. Final result

View the IMSI value in Wireshark.

If you want to learn computer and network security systematically, please follow the public account MiaoA Knowledge, a public account dedicated to systematically summarizing knowledge!