GSM Sniffing on a Budget with Multi-RTL

If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.

[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.

Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation.

Thanks [dnet] for the tip!

25 thoughts on “GSM Sniffing on a Budget with Multi-RTL

          1. There used to be phone stickers that light up using the phone’s radiation. Subsequently, I made one using an SMD LED wired in series with a diode. Works like a charm.

  1. Not that this will be very useful given that most people use 3G or 4G rather than the old 2G system these days. (heck, quite a few carriers around the world are decommissioning old GSM systems)

    1. First of all, the whole purpose is security analysis, so if you find a bug in the base station, it doesn’t matter what generation the mobile station (phone, tablet, etc.) uses. Also, even 3G and 4G devices can fall back to 2G, and an active attacker can arrange just that by clever use of selective jamming. Finally, in an era of IoT and M2M shit, 2G is far from being decommissioned, actually some networks decommission 3G, since those devices can still fall back to 2G, but not the other way around. ;)

        1. That’s only in America. In Europe 2G is still very much alive.

          In the US T-Mobile also still uses it, so iPhone customers can still use that too :) The 2G iPhone was never simlocked as far as I remember, I had one here in Europe that was imported from the US and it worked fine.

          1. 2G has been decommissioned here in Australia to.

            I find [Jonathan Wilson]’s comment a little confusing.

            G 2G 3G 4G are not bands or frequency spectrums per-say.

            2G was however the 900MHz band and only band used for 2G and it didn’t matter which carrier you used.

            900MHz band is now being incorporated into 3G and 4G but it now depends which carrier it is with. Some do and some don’t.

            It looks like you will have to carry 3 phoned around (with different carriers) to get coverage everywhere possible. A complete win for stupidity which doesn’t surprise me from a Prime Minister that views Broadband as a *cost* rather than an *investment*.

            Here is what we now have in Australia except that the 2G is gone.

            https://www.whistleout.com.au/MobilePhones/Guides/Will-my-phone-work-in-Australia-carrier-network-frequencies

          2. RÖB said: “…
            G 2G 3G 4G are not bands or frequency spectrums per-say.
            2G was however the 900MHz band and only band used for 2G and it didn’t matter which carrier you used.
            900MHz band is now being incorporated into 3G and 4G but it now depends which carrier it is with. Some do and some don’t.”

            2G, including TDMA, GSM, CDMA 1xRTT, etc., has used both Cellular and PCS bands for 20+ years. I believe there was some AWS band use also, but don’t quote me on that.

  2. very cool.
    a little long and hard to understand but you did a great job.
    and you said up to 3 devices can be linked this way. very interesting.
    Just wandering what I would be able to do with that.
    I am just starting to play with these. I have my first device coning in any day now.
    Thank you for your time. And great job.

    1. It is better to not connect both pins of the crystal. Connect the ground of both boards together, then connect the xtal out from the board with the crystal to the xtal in of the board without. Otherwise both oscillators may fight each other, resulting in strange artefacts in the received signal.

    1. Here in Ireland I often drop down to 2G.. Now where I life in Ireland (the west) is pretty undeveloped for western Europe, but still, even here in the city it often drops.

      2G has very good range properties, not just because of the relatively low frequencies (which are also used for 4G these days) but because of dedicated timeslots for each phone so every call is interference free. The timeslots also cause the typical interference noise on speakers etc because it’s caused by the transmitter constantly switching on and off.

    2. GSM (2G) is on it’s way out, but 3 and 4G “GSM” are still a thing, sort of – it just isn’t typically called GSM, but HSP(D)A/UMTS and LTE correspondingly. An argument could be made that the actual transmission techniques have diverged/evolved so far as to not call it GSM anymore, and the standards are defined by 3GPP and not GSM, but LTE is still essentially descended from GSM, which is why they can coexist so easily and fall back to older systems.

      1. 3G and 4G are more descendents of CDMA, which was a competing standard to GSM at the time. CDMA was the American standard and GSM the European/Rest of world one. With 3G (also known as WCDMA) the American standard was chosen. Some of the benefits of GSM such as the dedicated timeslots (good long-range reception but exactly limited number of calls per cell) were lost with 3G, which has more dynamic allocation; the cells ‘breathe’, their coverage reduces at peak times. But CDMA’s more dynamic capacity was also an advantage in big cities especially when picocells became more common, and the extra capacity was needed for data.

        By the way LTE is a completely separate data-only network. Voice calls are basically Voice over IP instead of a separate circuit-switched service and many providers don’t offer it yet Here in Ireland with 2 networks (haven’t tried the third) whenever I fall back to 3G, my IP changes so any long-time connections I had are broken. Very annoying when tethering to my phone. So I don’t think this is great co-existence.

  3. From what i have heard its 3G that is going out, AT&T is shutting down its GSM network and giving away its IoT customers. I think this might be to free up frequencies for 4G/5G IoT standards, but there will be a gap between 2G and the new 4G/5G standards are up and running so i guess their competitors are happy. 3G and 4G (with exception for newer 4G IoT standards) have shorter range, is far more power hungry and are more expensive and the physical size of the modem is larger as well.

    2G good for low power, long range, small amount of data.
    3G higher speed, lower range, more power efficient for medium/large size data. (more complex and considered a ugly hax by some, depending on 3g standard).

    But this discussion of 2G/3G/4G is quite pointless as we are all talking about apples and bananas, we should discuss specific 3GPP standards and sub-standards.

    2G, 3G and 4G and even GSM and LTE is far to generic…

    1. 3G will still be here in my country for another 4 years or so and it’s more about supporting existing handsets than anything else. 3G has a specifically voice capability. Where the new LTE (Long Term Evolution) system (which I think is what your calling 4G) will have voice supported like a VoIP service.

      There is a movement now for IoT services to run on narrow bands in along with LTE or perhaps in a separate band altogether.

      So IoT (M2M) is on flux right now. Most IoT *was* G2 and that is being phases out so it leaves G3 and LTE for migration but not the Narrow Band LTE that manufactures are pushing for so IoT devices still have a heavy power budget to run the AMPs needed to transmit on the wide band 3G and normal LTE.

      The advantage of Narrow Band is that it requires far less power but for now things are stuck with wide band.

      Another factor is that it seems that only Serria is making LTE chips for IoT and these are ending up in mini PCIe cards which aren’t much good for your lower end micro-controllers.

      If this is confusing it’s because of another change. 2G represented a band or frequency spectrum (as well as a modulation schema) 3G represented a different modulation schema on multiple bands. LTE represents a networking structure that is loosely related to a modulation schema but can change over time and can be on any chosen band.

      So, at least in my country, right now 3G is the only current and practical solution for IoT (M2M) connectivity and it will be phased out in about 4 years time.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s