Bello, N., Kanu, O. (2024). Penetration Testing of GSM Network using Man-In-The-Middle Attack. JES. Journal of Engineering Sciences, 52(1), 12-26. doi: 10.21608/jesaun.2023.226718.1249
Penetration Testing of GSM Network using Man-In-The-Middle Attack
Department of Electrical/Electronic Engineering, University of Benin, Benin City, Nigeria
Abstract
Even though wireless communication technologies have advanced beyond the Global System for Mobile Communications (GSM) standard to mitigate its vulnerabilities, GSM remains a fallback technology where coverage is limited and modern protocols are not available. There is a need for a comprehensive practical demonstration of the many vulnerabilities of the GSM architecture documented over the past decades using open-source man-in-the-middle tools and SDRs, in the light of the latest developments. It can be shown that an attacker can successfully carry out base station spoofing, IMSI catching, GSM packet sniffing, decoding, decryption and Denial of Service (DoS) attacks. Thus, this paper aims to comprehensively present practical demonstrations of the many vulnerabilities that can be exploited with available tools. We demonstrated IMSI catching with a rogue BTS deployed using OpenBTS and a USRP B210, GSM sniffing and decoding using GR-GSM and an RTL-SDR, and A5/1 decryption using careful analysis and rainbow tables. It was observed that the one-way authentication of the GSM protocol allows most mobile devices to authenticate readily to a rogue BTS with a spoofed MCC/MNC, and that the strongest signal mostly wins. It was also observed that attacks on the target user, such as a DoS or forcing unencrypted communication, can be carried out successfully because the rogue BTS is in total control. Although the vulnerabilities of GSM have been made known to the general public, some network providers have not taken simple measures to mitigate them; this work can therefore serve as a guideline for research purposes and as an awareness resource for the general public.