GSM Pentesting

From Embedded Lab Vienna for IoT & Security


This article describes two possible attack vectors on the GSM protocol: a fake base station (IMSI catcher) and attacks on the A5 encryption of the air interface. Both can be carried out with open-source solutions. The obstacle is the legal and technical situation: transmitting on the licensed GSM bands is not permitted without a licence, and the output power must be kept so low (or the setup shielded, for example in a Faraday box) that only the tester's own devices connect to the base station. If other people's phones or signals are involved, legal consequences follow.


Fake Base Station & IMSI Catcher

The fundamental problem of GSM is the lack of mutual authentication: the network authenticates the mobile equipment (ME), but the ME never authenticates the base transceiver station (BTS). This makes a man-in-the-middle attack with a "rogue base station", an IMSI catcher, possible. The device is placed near the person to be monitored and transmits with higher power than the surrounding cells, so that the MEs in the vicinity select the attacker's station.

If the IMSI of the person to be intercepted is not yet known, it must first be picked out of the many phones active in the area. Professional devices such as the GA 901 from Rohde & Schwarz can therefore record several channels at the same time, which means that uninvolved people are intercepted as well.

With a plain IMSI catcher, only outgoing calls can be eavesdropped: the outgoing call is forwarded to a "real" BTS, while incoming calls never reach the victim, because the real network no longer sees the phone. The so-called "MITM impersonation" uses the "dynamic SIM cloning" method to position the attacker in both the uplink and the downlink channel between the communication partners.

An identity request (IDENTITY REQUEST for the IMSI) prompts the mobile equipment to disclose this unique number, which rarely happens in normal operation, because the network normally addresses the phone by its temporary identity, the TMSI. This allows movement profiles to be created, which is exactly what the TMSI is meant to prevent.

IMSI catchers are mainly used by law enforcement agencies and intelligence services to determine the locations and to create a movement profile of certain people.
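The identity exchange described above, as an added example that is not part of the original article or the lab's tooling: a decoder for the Mobility Management messages involved (IDENTITY REQUEST, IDENTITY RESPONSE, TMSI REALLOCATION COMMAND, following 3GPP TS 24.008), and a simple per-cell heuristic of the kind IMSI-catcher detectors use: a cell that repeatedly asks for the IMSI and never hands out a TMSI behaves like a catcher. The captured frames, cell labels and the alert threshold are constructed for the example.

```python
"""Added example, not code from the article or the lab: decode GSM Mobility
Management identity messages and score cells for IMSI-catcher-like behaviour.
Layouts follow 3GPP TS 24.008: 9.2.10 IDENTITY REQUEST, 9.2.11 IDENTITY
RESPONSE, 9.2.17 TMSI REALLOCATION COMMAND, 10.5.1.4 Mobile Identity IE.
All captured frames, cell names and the alert threshold are constructed."""
from collections import defaultdict

PD_MM = 0x05                    # protocol discriminator: Mobility Management
MT_IDENTITY_REQUEST = 0x18
MT_IDENTITY_RESPONSE = 0x19
MT_TMSI_REALLOC_CMD = 0x1A
ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie: bytes) -> dict:
    """Value part of a Mobile Identity IE (length octet already stripped).
    Octet 1: bits 1-3 identity type, bit 4 odd/even, bits 5-8 first BCD digit;
    the following octets carry two digits each, low nibble first."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    id_type = ID_TYPES.get(ie[0] & 0x07, "reserved")
    if id_type == "TMSI":               # octet 1 is 0xF4, then 4 octets of TMSI
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return {"type": "TMSI", "value": int.from_bytes(ie[1:], "big")}
    odd = (ie[0] >> 3) & 1
    digits = [ie[0] >> 4]
    for b in ie[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:                         # even digit count ends in a 0xF filler
        if digits.pop() != 0xF:
            raise ValueError("missing filler nibble")
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return {"type": id_type, "value": "".join(map(str, digits))}


def encode_mobile_identity(id_type: str, value) -> bytes:
    """Inverse of decode_mobile_identity; used here to build the sample frames."""
    code = {v: k for k, v in ID_TYPES.items()}[id_type]
    if id_type == "TMSI":
        return bytes([0xF0 | code]) + int(value).to_bytes(4, "big")
    digits = [int(c) for c in value]
    odd = len(digits) & 1
    out = bytearray([(digits[0] << 4) | (odd << 3) | code])
    rest = digits[1:] + ([] if odd else [0xF])
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def parse_mm(msg: bytes) -> dict:
    """Classify an MM message. Bit 7 of the type octet may carry N(SD)."""
    if len(msg) < 3 or msg[0] & 0x0F != PD_MM:
        return {"msg": "other"}
    mt = msg[1] & 0x3F
    if mt == MT_IDENTITY_REQUEST:
        return {"msg": "IDENTITY REQUEST", "requested": ID_TYPES.get(msg[2] & 0x07, "reserved")}
    if mt == MT_IDENTITY_RESPONSE:
        return {"msg": "IDENTITY RESPONSE", "identity": decode_mobile_identity(msg[3:3 + msg[2]])}
    if mt == MT_TMSI_REALLOC_CMD and len(msg) >= 8:   # LAI (5 octets), then Mobile Identity LV
        return {"msg": "TMSI REALLOCATION COMMAND", "identity": decode_mobile_identity(msg[8:8 + msg[7]])}
    return {"msg": "other"}


def score_cells(captures) -> dict:
    """captures: iterable of (cell_label, mm_message_bytes) seen on the air.
    A real network addresses phones by TMSI and rarely asks for the IMSI; a
    cell that asks repeatedly and never assigns a TMSI looks like a catcher.
    The threshold of three requests is an assumption for this example."""
    stats = defaultdict(lambda: {"imsi_requests": 0, "imsi_disclosed": 0, "tmsi_reallocs": 0})
    for cell, msg in captures:
        p = parse_mm(msg)
        if p["msg"] == "IDENTITY REQUEST" and p["requested"] == "IMSI":
            stats[cell]["imsi_requests"] += 1
        elif p["msg"] == "IDENTITY RESPONSE" and p["identity"]["type"] == "IMSI":
            stats[cell]["imsi_disclosed"] += 1
        elif p["msg"] == "TMSI REALLOCATION COMMAND":
            stats[cell]["tmsi_reallocs"] += 1
    return {c: dict(s, suspicious=s["imsi_requests"] >= 3 and s["tmsi_reallocs"] == 0)
            for c, s in stats.items()}


# Constructed sample capture: one legitimate cell and one rogue cell.
LAI = bytes.fromhex("62f2100001")          # MCC 262, MNC 01, LAC 1 (constructed)
IMSI_REQ = bytes([PD_MM, MT_IDENTITY_REQUEST, 0x01])
IMSI_RESP = bytes([PD_MM, MT_IDENTITY_RESPONSE, 0x08]) + encode_mobile_identity("IMSI", "262011234567890")
TMSI_CMD = bytes([PD_MM, MT_TMSI_REALLOC_CMD]) + LAI + bytes([0x05]) + encode_mobile_identity("TMSI", 0xDEADBEEF)
CAPTURE = [("262-01-4711", IMSI_REQ), ("262-01-4711", IMSI_RESP), ("262-01-4711", TMSI_CMD)] + \
          [("rogue-cell", m) for m in (IMSI_REQ, IMSI_RESP) * 3]


def example_scores() -> dict:
    return score_cells(CAPTURE)
```

The BCD layout is the one that matters in practice: an IMSI with an odd number of digits sets the odd/even bit and has no filler, while a 16-digit IMEISV is even and ends in a 0xF nibble; a decoder that gets this wrong silently truncates or corrupts identities. The scoring function is deliberately simple; real detectors also look at cipher-mode downgrades and cell parameters, which the article does not cover.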


The A5 family of algorithms encrypts the air interface between the ME and the BTS. When A5/1 and A5/2 were designed in the late 1980s, the designers relied on "security by obscurity": the security of the scheme was supposed to depend on the algorithm being kept secret. In 1999 both stream ciphers were reverse engineered by Marc Briceno, Ian Goldberg and David Wagner and published.

An attack on A5/1 was published by A. Biryukov, A. Shamir and D. Wagner in 2000; it reduced the complexity from the nominal 2^64 of the key space to 2^38 and 2^48 respectively for its two variants. Today precomputed rainbow tables (publicly available since the A5/1 Cracking Project of 2009) are used to break A5/1: a few known keystream bits, obtained by XORing a predictable plaintext such as a padded signalling frame with the captured ciphertext, are enough to look up the internal state and recover the session key Kc, after which the phone call can be decrypted passively and close to real time. A modified cell phone of an older design running open-source baseband software is entirely sufficient for the capture. A5/1 is used in Europe and the USA. The much weaker A5/2 was developed for countries in which strong encryption is not permitted; GSMA and 3GPP have prohibited its use since 2007.
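The cipher discussed above, as an added example that is not code from the article or the lab: a minimal A5/1 keystream generator (register sizes, taps, clocking bits, the 64 + 22 bit loading and the 100 warm-up clocks follow the published description of the cipher; key and frame-number bits are loaded least-significant bit first as in the Briceno/Goldberg/Wagner reference code), together with the known-plaintext step that every A5/1 attack starts from. The session key Kc, the frame number and the burst payload are constructed values.

```python
"""Added example, not code from the article or the lab: a straightforward A5/1
keystream generator plus the known-plaintext step that the table-based attacks
start from. Register sizes, taps, clocking bits, the 64+22 bit loading and the
100 warm-up clocks follow the published description of the cipher; key and
frame-number bits are loaded least-significant bit first, as in the
Briceno/Goldberg/Wagner reference code. Kc, frame number and burst payload
below are constructed values."""

# (register size, feedback taps, clocking-control bit) of the three LFSRs
_REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


def _shift(reg: int, size: int, taps) -> int:
    """Clock one LFSR once: bit 0 becomes the XOR of the tap bits."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << size) - 1)


class A51:
    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8:
            raise ValueError("Kc must be 64 bits")
        if not 0 <= frame < (1 << 22):
            raise ValueError("frame number must fit in 22 bits")
        self.r = [0, 0, 0]
        for i in range(64):                       # load Kc, regular clocking
            self._clock_regular((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                       # load the frame number
            self._clock_regular((frame >> i) & 1)
        for _ in range(100):                      # warm-up, output discarded
            self._clock_majority()

    def _clock_regular(self, bit: int) -> None:
        for n, (size, taps, _) in enumerate(_REGS):
            self.r[n] = _shift(self.r[n], size, taps) ^ bit

    def _clock_majority(self) -> None:
        """Irregular clocking: a register moves only if its control bit
        agrees with the majority of the three control bits."""
        ctl = [(self.r[n] >> _REGS[n][2]) & 1 for n in range(3)]
        maj = (ctl[0] & ctl[1]) | (ctl[0] & ctl[2]) | (ctl[1] & ctl[2])
        for n, (size, taps, _) in enumerate(_REGS):
            if ctl[n] == maj:
                self.r[n] = _shift(self.r[n], size, taps)

    def keystream(self, nbits: int = 228) -> list:
        """Output bit = XOR of the three most significant register bits."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(((self.r[0] >> 18) ^ (self.r[1] >> 21) ^ (self.r[2] >> 22)) & 1)
        return out


def frame_keystreams(kc: bytes, frame: int):
    """228 bits per frame: first 114 for downlink (BTS->ME), next 114 uplink."""
    ks = A51(kc, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(a, b) -> list:
    return [x ^ y for x, y in zip(a, b)]


KC = bytes.fromhex("1223456789abcdef")   # constructed 64-bit session key
FRAME = 0x134                            # constructed 22-bit frame number


def known_plaintext_demo() -> bool:
    """Why known plaintext hurts a stream cipher: ciphertext XOR plaintext is
    exactly the keystream of that frame, and 64 such bits are the input to
    the table lookups that recover the 64-bit internal state and hence Kc."""
    downlink, _ = frame_keystreams(KC, FRAME)
    burst = [(0x5A >> (7 - i)) & 1 for i in range(8)] * 14 + [1, 0]   # 114 bits
    ciphertext = xor_bits(burst, downlink)
    recovered = xor_bits(burst, ciphertext)
    return recovered == downlink and xor_bits(ciphertext, downlink) == burst
```

The point of the frame number in the initialisation is that the same Kc yields a different keystream for every frame, so two bursts are never XORed with the same bits; the weakness lies in the small 64-bit state that the irregular clocking does not protect well enough. Throughput of this pure-Python version is far below what a real attack needs; it exists to make the cipher's structure visible.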

A5/3 is built on the KASUMI block cipher, which was designed for UMTS (where it is used in the UEA1/UIA1 algorithms); the GSM variant A5/3 was published in 2002. The additional security comes only from the greater complexity of the block cipher, not from any change to the protocol: the missing authentication of the BTS remains, and a fake base station can still request the IMSI. In the network sections between BTS, BSC and MSC (the Abis and A interfaces), the data is not encrypted and is, where required, transmitted over microwave links, which means that passive eavesdropping or interception of the session key is possible at these points. An up-to-date overview of the security level of the cellular networks in use:


The website shows Osmocom-compatible mobile phones and laptops, which are visualized on a map.