Penetration Testing of GSM Network using Man-In-The-Middle Attack

Bello, Nosa; Kanu, Ogechukwu

doi:10.21608/jesaun.2023.226718.1249

Penetration Testing of GSM Network using Man-In-The-Middle Attack

Document Type : Research Paper

Authors

Department of Electrical/Electronic Engineering, University of Benin, Benin City, Nigeria

10.21608/jesaun.2023.226718.1249

Abstract

Even though wireless communication technologies have advanced beyond the Global Systems for Mobile (GSM) Communications standard to mitigate its vulnerabilities, it is still a fallback technology when the coverage is limited and modern protocols aren’t available. There is a need for a comprehensive practical demonstration of the pools of vulnerabilities of the GSM architecture in the past decades using man-in-the-middle open-source tools and SDRs amidst the latest developments. It can be shown that an attacker can successfully carry out base station spoofing, IMSI catching, GSM packet sniffing, decoding, decryption and Denial of Service (DoS) attacks. Thus, this paper aims to comprehensively present practical demonstrations of the many vulnerabilities possible with available tools.
We exploited IMSI catching with a rogue BTS deployed using OpenBTS and USRP B210, GSM sniffing and decoding using GR-GSM and RTL-SDR, and A5/1 decryption using clever thinking and rainbow tables. It was observed that the one-way authentication of the GSM protocol allows most mobile devices to easily authenticate to the rogue BTS with spoofed MCC/MNC and that the strongest signal mostly wins. Also, it was observed that the possibilities of attacks on the target user like a DoS, or unencrypted communication, can be successfully carried out because the rogue BTS is in total control.
Though the vulnerabilities of GSM have been made known to the general public some network providers have not taken simple measures to mitigate them, thus this work can serve as a guideline for research purposes and an awareness to the general public

Keywords

Main Subjects

Electrical Engineering, Computer Engineering and Electrical power and machines engineering.

References

[1] K. Nohl, “Attacking phone privacy Attacking phone privacy,” 2010.

[2] G. Liu and D. Jiang, “5G: Vision and Requirements for Mobile Communication System towards Year 2020,” Chinese Journal of Engineering, vol. 2016, 2016, doi: 10.1155/2016/5974586.

[3] M. Toorani and A. A. B. Shirazi, “Solutions to the GSM security weaknesses,” in Proceedings - The 2nd International Conference on Next Generation Mobile Applications, Services, and Technologies, NGMAST 2008, 2008, pp. 576–581. doi: 10.1109/NGMAST.2008.88.

[4] G. Cattaneo, G. De Maio, P. Faruolo, and U. Ferraro Petrillo, “A Review of Security Attacks on the GSM Standard,” International Conference on Information and Communication Technology, 2013.

[5] G. Cattaneo, G. De Maio, and U. Ferraro Petrillo, “Security Issues and Attacks on the GSM Standard: A Review,” Journal of Universal Computer Science, vol. 19, pp. 2437–2452, 2013.

[6] M. Matsui, “New Block Encryption Algorithm MISTY,” Lecture Notes in Computer Science Springer Berlin, vol. 1267, 1997, doi: https://doi.org/10.1007/BFb0052334.

[7] T. Ulversoy, “Software Defined Radio: Challenges and Opportunities,” IEEE Communications Surveys & Tutorials, vol. 12, no. 4, pp. 531–550, 2010, doi: 10.1109/SURV.2010.032910.00019.

[8] J. Dj Golit, “Cryptanalysis of Alleged A5 Stream Cipher,” Advances in Cryptology, pp. 239–255, 1997.

[9] K. Nohl and S. Krißler, “Phone with end-to-end encryption-soon needed?,” 2009.

[10] F. Oh, “What Is CUDA NVIDIA Official Blog,” Jan. 2022. https://blogs.nvidia.com/blog/2012/09/10/what-is-cuda-2/

[11] G. W. Lee and J. Hong, “A Comparison of Perfect Table Cryptanalytic Trade-off Algorithms,” 2014.

[12] J. Hong and S. Moon, “Erratum: A comparison of cryptanalytic trade-off algorithms,” Journal of Cryptology, vol. 27, no. 1. p. 181, Jan. 2014. doi: 10.1007/s00145-012-9140-7.

[13] J. Hong and S. Moon, “A comparison of cryptanalytic trade-off algorithms,” Journal of Cryptology, vol. 26, no. 4, pp. 559–637, 2013, doi: 10.1007/s00145-012-9128-3.

[14] K. Nohl and S. Munaut, “GSM Sniffing,” 2010.

[15] B. Hackerspace, “Camp++ 0x7e0 // GSM signal sniffing for everyone with gr-gsm and Multi-RTL by Piotr Krysik,” Jan. 2017. https://www.youtube.com/watch?v=xnXMKRIqkZ4

[16] F. Casanovas, “Airprobe – setup,” Jan. 2014. https://ferrancasanovas.wordpress.com/2014/01/27/airprobe-setup/

[17] Crazy Danish Hacker, “GSM Cracking: Kraken Install & Test - Software Defined Radio Series #15,” Aug. 2016. https://www.youtube.com/watch?v=UKmpw4gcMSE

[18] E. Barkan, E. Biham, and N. Keller, “Instant ciphertext-only cryptanalysis of GSM encrypted communication,” Journal of Cryptology, vol. 21, no. 3, pp. 392–429, Jul. 2008, doi: 10.1007/s00145-007-9001-y.

[19] Chaos Communication Camp, “26C3: GSM: SRSLY?,” 2009. https://fahrplan.events.ccc.de/congress/2009/Fahrplan/track/Hacking/3654.en.html

[20] DEFCON Conference, “DEF CON 18 - Chris Paget - Practical Cell phone Spying.” Nov. 2013. [Online]. Available: https://www.youtube.com/watch?v=fQSu9cBaojc

[21] F. Y. Hansen, The Hacker’s Hardware Toolkit: best gadgets for Read Team hackers, 2nd ed. 2019.

[22] Ettus Research, “USRP B210 USB Software Defined Radio (SDR) - Ettus Research,” 2023. https://www.ettus.com/all-products/ub210-kit/

[23] Range Networks, “GitHub - Range Networks/openbts: GSM+GPRS Radio Access Network Node,” 2014. https://github.com/RangeNetworks/openbts (accessed Sep. 23, 2023).

[24] GNU Radio, “GNU Radio Wiki,” 2022. https://wiki.gnuradio.org (accessed Aug. 02, 2023).

[25] K. Nohl, “Wiki - A5/1 Decryption - SRLabs Open-Source Projects,” 2011. https://opensource.srlabs.de/projects/a51-decrypt

[26] A. Knight, Hacking Connected Cars: Tactics, Techniques and Procedures, 1st ed. Wiley, 2020. doi: 10.1016/S1353-4858(20)30090-8.

[27] Kali Team, “kalibrate-rtl Kali Linux Tools,” 2023. https://www.kali.org/tools/kalibrate-rtl/

[28] U. Lamping and G. Bloice, “Wireshark Developers Guide,” 2023. https://www.wireshark.org/docs/wsdghtmlchunked/

[29] H. Sand, “A look at GSM,” Feb. 2021. https://harrisonsand.com/posts/gsm-security/

[30] H. Sand, “Decrypting GSM SMS traffic,” Feb. 2021. https://harrisonsand.com/posts/decrypting-gsm/

[31] P.-P. Braun, “Deal with hopping,” 2019. https://pub.nethence.com/radio/hopping

[32] R. McMillan, “New ‘Kraken’ GSM-cracking software is released,” 2010. https://www.computerworld.com/article/2753942/new--kraken--gsm-cracking-software-is-released.html (accessed Sep. 24, 2023).

[33] Christiaan008, “27c3: Wideband GSM Sniffing (en),” Jan. 2011. https://www.youtube.com/watch?v=fHfXSr-FhU

[34] M. Kupka, “Odposlouchávání GSM komunikace - Hacking Lab,” 2021. https://hackinglab.cz/cs/blog/odposlouchavani-gsm-komunikace/

[35] H. L., “Radiohacking - Part 1 ‘GSM,’” Jul. 2022. https://vk.com/@haccking1-radiohaking-chast-1-gsm

[36] M. Parker, “GitHub - prkrmx/decipher: GSM decipher,” 2019. https://github.com/prkrmx/decipher

Volume 52, Issue 1
January and February 2024
Pages 12-26

View on SCiNiTO

Article View: 1,016
PDF Download: 2,468

Penetration Testing of GSM Network using Man-In-The-Middle Attack

References

Volume 52, Issue 1
January and February 2024
Pages 12-26

Files

Share

How to cite

Statistics

Penetration Testing of GSM Network using Man-In-The-Middle Attack

References

Volume 52, Issue 1January and February 2024Pages 12-26

Files

Share

How to cite

Statistics

Volume 52, Issue 1
January and February 2024
Pages 12-26