Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off the shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table of the A5 cyphers that is used on a GSM network between the handset and tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.

29 thoughts on “Build Your Own GSM Base Station For Fun And Profit

  1. And what about the cost of the 2TB hard disk to hold the rainbow tables … Oh unencrypted, never mind, I was not here “these are not the droids you are looking for”. Yes totally “GSM has encryption”, yep that statement is 100% totally true. The encryption may be 30 years old, but GSM does have encryption. A5/1 is definitely a form for encryption with 54-bits of security. Weak enough to allow allow the British to keep on spying and just about strong enough to keep those pesky east Germans from listening in on the west Germans (30 years ago).

        1. Not for 2G. You need to issue the sim if you want to securely verify if the subscriber is real (you need to know the key and the hashing algorithm, usually COMPvX, in the card).

          If you just want to establish the connection you can ignore the authentication reply and proceed anyway. 3G and 4G also require cryptographic certification of the network.

          For enabling transport encryption IIRC you need to know the Ki in the card, but the plain text ‘encryption method’ requires no key material, and thus can work with any sim (or even no sim, on some phones)

  2. Obviously, a GSM base station has a transmitter which (presumably) requires a license from the FCC to be legal. Do the FBI, or local law enforcement, have such licenses for their stingrays? Or are they just winging it and hoping not to be caught?

    1. You expect the FCC to step in against the FBI? One branch of the executive arm of the government investigating another?

      Don’t be silly, the executive branch only investigates Congress and the judicial branch, just like Congress doesn’t police itself for all the affairs and bribes but focuses on the misdeeds of any part of the executive branch.

    2. I’m not so sure about this, I may be wrong and if I am please correct me but does this not just intercept the call then transmit to a real tower using a normal cell phone antenna?

  3. This actually does sound handy, one idea I’ve had is recycling worthless “Icloud Locked” and otherwise trashed phones where they have been reported lost but the original owners have long since given up on them.
    In some cases the insurance companies can’t even give them away but once you’ve traced the original owner its feasible to give them back their lost data in exchange for keeping the phone and a nominal sum (usually £10) meaning the phone is available for use and often an Iphone 4S or Samsung Galaxy S is more than enough for games/simple apps/etc.
    Obviously the IMEI lock only depends on the network operator so making your own SIM card and operating a private network (ie at festivals in Nevada etc) is more than doable and in fact permitted if you have the appropriate license and it is in an isolated area away from other networks.

  4. Also 2TB isn’t that expensive. I’ve actually got scrap drives here which despite showing disk read errors are still fine if you low level format them a couple of times. Good use for junkers, and 4*500GB = 1*2TB with a hot spare in case one decides to break.
    I’ve got it on good authority that its actually very rare for a >100GB drive to fail hard, often the fail is very specific and related to the small area where the MBR on Windows 7/8/10 is stored suggesting that simple reformatting as GPT will work if the bad areas are simply ignored in software.
    3 drives like that here all 1TB seacrates, exact same fault on each one and they were all used on slimline laptops such as the x520 and others so this is a very common problem indeed.

  5. What I would really like to see would be the work of those who are developing solutions (countermeasures) to the address the increasing problem of overreach by so many of the “grub-ment” jackals. At the very least a method or device capable of detecting Instruments such as the stingrays that are increasingly being used illegally

  6. Evidently none of the peanut gallery here is part of the commercial 2 way or cellular industry. One can pick up used “BTS” test sets on that auction site for a fraction of what they went for when new. The units by their very nature are intended to simulate a cell site to allow the handset to set up a call (for testing the handset on a production line or service shop – albeit nowadays there are no ‘service centers’ that actually repair the handsets to the board/chip level). One only needs to connect the RF ports on said test set to an appropriate high gain BDA (and specific sectorized antennae) to essentially establish a rogue site. At least “in-theory” and on-paper it might cause handsets to affiliate to it. Never tried it, though, so no “real world” feedback on the possibility. The test sets were made by industry heavy weights (ie. HP, ‘back-in-the-day’).

    1. As per FCC/ITU rules regardless of where you are, you are not authorized to ‘Transmit’ any kind of RF signal to air unless you have ‘pre-authorized’ permission of any kind. Now a day’s all most all part of world cover under FCC/ITU rules making it virtually impossible to transmit any usable RF signal without detection of local authority. It become real nasty if you play with either Military or Commercial range of radio frequency space even it might idle at your transmit time. So don’t try it for your own safty…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s