Cellular Hacking for Researchers

DECEMBER 5, 2019

W00t3k/Awesome-Cellular-Hacking
repo link https://github.com/W00t3k/Awesome-Cellular-Hacking
size (curr.) 24581 kB
stars (curr.) 1244
created 2019-05-20

Awesome-Cellular-Hacking
Please note that multiple researchers published and compiled the work collected here; this is a list of their research in the 3G/4G/5G cellular security space, and the intent is to consolidate the community's knowledge in one place. Thank you to all of them. I plan to update this "Awesome Cellular Hacking" curated list frequently with the most up-to-date exploits, blogs, research and papers.
The idea is to collect material like the BMW article below, which slowly gets cleared and wiped from the Internet, making it less accessible and harder to find. Feel free to email me any document or link to add.

Rogue BTS & CDMA/GSM Traffic Impersonation and Interception

How to create an Evil LTE Twin/LTE Rogue BTS: How to set up a 4G/LTE Evil Twin Base Station using srsLTE and a USRP SDR device.
How To Build Your Own Rogue GSM BTS For Fun and Profit: "In this blog post I'm going to explain how to create a portable GSM BTS which can be used either to create a private (and vendor free!) GSM network or for GSM active tapping/interception/hijacking … yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what the governments have been using for years to perform GSM interception."
Practical attacks against GSM networks: Impersonation: "Impersonating a cellular base station with SDR: With the flexibility and relatively low cost of Software Defined Radio (SDR) and the abundance of open source projects that emulate a cell tower, successfully impersonating a GSM Base Station (BTS) is not a difficult task these days."
Building a Portable GSM BTS Using BladeRF/PI: "I was always amazed when I read articles published by some hackers related to GSM technology. However, playing with GSM technologies was not cheap until the arrival of Software Defined Radios (SDRs), besides not being something easy to implement."
rtl-sdr.com Tutorial: Analyzing GSM with Airprobe and Wireshark: "The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools GR-GSM (or Airprobe) and Wireshark. This tutorial shows how to set up these tools for use with the RTL-SDR."
Traffic Interception for Penetration Testing Engagements: "Within the penetration testing domain quite often we have to deal with different technologies and devices. It's important to cover all aspects of connectivity of a device being tested, which is why we have built a GSM/GPRS interception capability. There are a number of different devices and systems that make use of GSM/GPRS; non-exhaustively, we commonly see:"

Rogue Base Stations or Evil BTSs, 2G/3G/4G

OpenBTS is a Linux application that uses a software-defined radio to present a standard 3GPP air interface to user devices, while simultaneously presenting those devices as SIP endpoints to the Internet.

YateBTS is a software implementation of a GSM/GPRS radio access network based on Yate. It is compatible with both the 2.5G and 4G core networks included in the YateUCN unified core network server; resiliency, customization and technology independence are its main attributes.

bladeRF and YateBTS Configuration

srsLTE is a free and open-source LTE software suite developed by SRS (www.softwareradiosystems.com).

Installing a USRP Device on Linux

sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update
sudo apt-get install libuhd-dev libuhd003 uhd-host
uhd_find_devices
cd /usr/lib/uhd/utils/
./uhd_images_downloader.py
sudo uhd_usrp_probe
sudo uhd_usrp_probe
[INFO] [UHD] linux; GNU C++ version 7.4.0; Boost_106501; UHD_3.14.1.1-release
[INFO] [B200] Detected Device: B*****
[INFO] [B200] Operating over USB 3.
[INFO] [B200] Initialize CODEC control...
[INFO] [B200] Initialize Radio control...
[INFO] [B200] Performing register loopback test...
[INFO] [B200] Register loopback test passed
[INFO] [B200] Setting master clock rate selection to 'automatic'.
[INFO] [B200] Asking for clock rate 16.000000 MHz...
[INFO] [B200] Actually got clock rate 16.000000 MHz.
_____________________________________________________
/
| Device: B-Series Device

Troubleshooting SDRs that are running BTS software

Common issues:

Improper FW
Lack of proper antennas
Wrong cellular phone type
Wrong SIM
Not configured correctly - Mobile Country Codes (MCC) and Mobile Network Codes (MNC)
Incorrect software BTS settings
Virtualized platform is not fast enough
Wrong SDR firmware

CERT/Media Alerts
Voice over LTE implementations contain multiple vulnerabilities - CERT ALERT

Recent Conferences and Talks

Protecting the 4G and 5G Cellular Paging Protocols against Security and Privacy Attacks
Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil
5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol
Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE
LTE Security Disabled: Misconfiguration in Commercial Network
Side Channel Analysis in 4G and 5G Cellular Networks
Shupeng: All the 4G Modules Could Be Hacked
New Vulnerabilities in 5G Networks

Cellular Attacks
Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information
QCSniper - A tool for capturing 2G-4G air traffic using Qualcomm phones
This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (link removed, PDF to be uploaded)
Hacking Public Warning System in LTE Mobile Networks
RF Exploitation: IoT/OT Hacking with SDR
Forcing a Targeted LTE Cellphone Into an Eavesdropping Network
Hacking Cellular Networks
Bye-Bye-IMSI-Catchers
New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
White-Stingray: Evaluating IMSI Catchers Detection Applications
Breaking LTE on Layer Two
LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation
Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover
LTE Protocol Exploits: IMSI Catchers, Blocking Devices and Location Leaks
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
Using OpenBTS - "Experimental Security Assessment of BMW Cars by KeenLab"
5G NR Jamming, Spoofing, and Sniffing
LTE Security – How Good Is It?
NIST SP 800-187 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf
#root via SMS: 4G access level security assessment
Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
LTE security and protocol exploits
LTE Recon - (Defcon 23)
LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements
Synacktiv
WiFi IMSI Catcher
Analysis of the LTE Control Plane
WiFi IMSI Catcher
Demystifying the Mobile Network by Chuck McAuley
NSA Playset: GSM (DEF CON 22, Pierce/Loki) - https://www.defcon.org/images/defcon-22/dc-22-presentations/Pierce-Loki/DEFCON-22-Pierce-Loki-NSA-PLAYSET-GSM.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov
VoLTE Phreaking - Ralph Moonen
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks - https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf

SIM Specific Attacks
Rooting SIM-cards
The Most Expensive Lesson Of My Life: Details of SIM port hack

Stingrays
https://www.wired.com/story/dcs-stingray-dhs-surveillance/
https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs
https://www.nyclu.org/en/stingrays

SS7/Telecom Specific
http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf
Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden

GitHub/Code Repos
https://github.com/Synacktiv-contrib/Modmobjam
https://github.com/Synacktiv-contrib/Modmobmap

Misc IMSI/Cellular Tools
https://github.com/Evrytania/LTE-Cell-Scanner
https://harrisonsand.com/imsi-catcher/
https://github.com/Oros42/IMSI-catcher
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
https://github.com/ptrkrysik/gr-gsm/wiki/Passive-IMSI-Catcher

Resources
RTL-SDR
MCC-MNC Codes for Base Stations
RFSec-ToolKit
FakeBTS
https://rmusser.net/docs/Wireless.html#cn

Misc
Touching the Untouchables: Dynamic Security
https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
http://leetupload.com/blagosphere/2014/03/28/analyze-and-crack-gsm-downlink-with-a-usrp/
AT&T Microcell FAIL - fail0verflow (Older blog article, but still a good read)
