Cracking GSM with RTL-SDR for Thirty Dollars


Theoretically, GSM has been broken since 2003, but the limitations of hardware at the time meant cell phone calls and texts were secure from the prying ears of digital eavesdroppers and all but the most secret government agencies. Since then, the cost of hardware has gone down, two terabytes of rainbow tables have been published, and all the techniques and knowledge required to listen in on cell phone calls have been available. The only thing missing was the hardware. Now, with a super low-cost USB TV tuner turned software defined radio, [domi] has put together a tutorial for cracking GSM with thirty dollars in hardware.

Previous endeavours to listen in and decrypt GSM signals used fairly expensive software defined radios – USRP systems that cost a few thousand dollars apiece. Since the advent of RTL-SDR, the price of software defined radios has come down to about $30 on eBay, giving anyone with a PayPal account the ability to listen in on GSM calls and sniff text messages.

The process of cracking GSM first involves getting the TMSI – Temporary Mobile Subscriber Identifier – a unique ID for each phone in a certain cell. This is done by sending a silent SMS: the victim's phone sends back an acknowledgement that an SMS has been received, but gives the victim no indication that a message arrived.

From there, the attacker listens to the GSM signals in the cell, receiving bursts attached to a TMSI, and cracking the encrypted stream using 1.6 TB of rainbow tables.

[domi] put up a four-part tutorial series (part 1 above; part 2, part 3, and part 4) that goes over the theory and the actual procedure of cracking text messages and voice calls with a simple USB TV tuner. There are a few limitations; the attacker must be in the same cell as the victim, and it looks like real-time voice decoding isn’t yet possible. Cracking GSM for $30, though, that’s good enough for us.

An RTL-SDR Spectrum Analyzer


With the combination of small, powerful, and pocketable computers and cheap, off-the-shelf software defined radio receivers, it was only a matter of time before someone built a homebrew spectrum analyzer with these ingredients. This great build is the project of [Stephen Ong], and he's even released all the software for you to build this on your own.

The two main components of this build are a BeagleBone Black and its 7″ Touchscreen cape. The BeagleBone is running Angstrom Linux, a blazingly fast Linux distro for small embedded devices. The radio hardware consists of only a USB TV tuner supported by RTL-SDR. In his demo video, [Stephen] shows off his project and by all accounts it is remarkable, with a UI better than most desktop-oriented SDR software suites.

You can grab the BeagleBone image [Stephen] is using over on his blog, but for more enterprising readers, he's also put up the source of his ViewRF software on GitHub.

A Comparison of Hacker Friendly SDRs


In the market for a software defined radio? [Taylor Killian] wrote a comprehensive comparison of several models that are within the price range of amateurs and hobbyists.

You can get started with SDR using a $20 TV tuner card, but there are a lot of limitations. These cards only work as receivers, are limited to a small chunk of the radio spectrum, and have limited bandwidth and sample rates. The new SDRs on the market, including the bladeRF, HackRF, and USRP offerings, are purpose built for SDR experimentation. You might want an SDR to set up a cellular base station at Burning Man, scan police and fire radio channels, or to track ships.

[Taylor] breaks down the various specifications of each radio, and discusses the components used in each SDR in depth. In the end, the choice depends on what you want to do and how much you’re willing to spend. This breakdown should help you choose a hacker friendly SDR.

HackRF, or playing from 30 MHz to 6 GHz


Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.

The HackRF was the subject of a lot of interest last time it was on Hackaday - the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.

Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.

Below you can check out [Michael]'s presentation at Toorcon where the HackRF was unleashed to the world.


[Travis Goodspeed] starts a space agency in Southern Appalachia


His space agency hardware might be in Southern Appalachia, but he can control it from anywhere in the world. That’s right, [Travis Goodspeed] started his own space agency — well kinda. The first piece of hardware operated by the organization is this dish for tracking moving targets in near space.

The main part of the build is a Felcom 82B dish which was designed to be a satellite link for naval vessels. The image showing the back side of it exposes all of the extras he built into the system. Don't worry though, a dome goes over the top to keep the weather out without encumbering its operation. He uses an SDR dongle to handle the radio communications. That connects to a BeagleBone which pipes the data to his handheld over the Internet.

It’s amazing to see this type of hobby project. It wasn’t that long ago that you needed an entire room of hardware to communicate with satellites.

Pager message sniffing with RPi and SDR


The 1990s called, they want you to use modern technology to listen in on your friends' pager messages. Seriously, how many people are still using pagers these days? We guess you can find out by building your own Software-Defined Radio pager message decoder.

[Sonny_Jim] bought an RTL2832 based USB dongle to listen in on ADS-B airplane communications only to find out the hardware wasn't capable of receiving in that frequency range. So he set out to find a project the hardware was suited for and ended up exploring the POCSAG protocol used by paging devices. It turns out it's not just used for person-to-person communications. There are still many automated systems that use the technology.

Setting things up is not all that hard. Reading the comments on the project log shows that some folks are having dependency issues, but these sound rather banal and will be a good chance for you to brush up on your Linux-fu. Once all the packages are installed you're simply working with text, which can be displayed in a myriad of ways. [Sonny] set up a text file on the Pi's webserver so that he can check out the latest captures from a smartphone.


Detecting galactic rotation with software defined radio


Last summer, in the heyday of software defined radio via USB TV tuners, we asked Hackaday readers a question: is anyone using everyone's favorite method of SDR for radio astronomy? It took nearly a year, but finally there's an awesome project to turn a USB TV tuner into a radio telescope. It's from the fruitful mind of [Marcus Leech] (PDF warning), and is good enough to detect the rotation of the galaxy with a three-foot satellite dish.

News of [Marcus]' work comes to us from [Carl] over at RTL-SDR.com who has been keeping tabs on the advances of building a radio telescope in a backyard. He's been collecting a lot of interesting tidbits including this gif showing an arm of the galaxy entering and leaving [Marcus]' telescope's field of view over the course of a few hours.

Not only can [Marcus]' telescope record continuum measurements – basically, a single-pixel camera sensitive to only one frequency – it can also produce spectral plots of the sky. Combine the ability to measure multiple frequencies at the same time with the Doppler effect, and [Marcus] can measure the rotation of the galaxy with a USB TV tuner. That's just awesome in our humble opinion.

If you already have an RTL-SDR TV tuner and a largish satellite dish, [Marcus]' project should be fairly inexpensive to replicate; the feed assembly is made out of a coffee can, the amplifiers are repurposed satellite television equipment, and all the software – [Marcus]' own simple_ra tool for GNU Radio – is open source. Of course with a 3 foot diameter dish, it will be impossible to replicate the data from huge radio telescopes. Still, it's an impressive piece of work that leaves us searching craigslist for an old C-band dish.
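To show how a spectral plot turns into a rotation measurement, here is an added example (not [Marcus]' simple_ra code): it locates a shifted line in a constructed spectrum and converts the shift to a radial velocity with the Doppler formula. It assumes the line being observed is the 21 cm neutral hydrogen line at 1420.405751 MHz, which the post does not state.

```python
import math
from statistics import median

C_KM_S = 299_792.458        # speed of light, km/s
F0_HZ = 1_420_405_751.0     # HI line rest frequency, Hz (assumption, not from the post)


def constructed_spectrum(shift_hz, bins=64, span_hz=2_000_000.0, width_hz=80_000.0):
    """Constructed test data: flat continuum plus a Gaussian line displaced by shift_hz.
    Returns (frequencies in Hz, relative power), as a spectral plot would."""
    step = span_hz / bins
    freqs = [F0_HZ - span_hz / 2 + i * step for i in range(bins)]
    power = []
    for f in freqs:
        x = (f - (F0_HZ + shift_hz)) / width_hz
        power.append(1.0 + 0.6 * math.exp(-0.5 * x * x))
    return freqs, power


def line_frequency(freqs, power):
    """Estimate the line centre: the median bin is the continuum level, the bins
    above half of the peak excess are the line, and their power-weighted mean is
    the centre. Returns None if nothing rises above the continuum."""
    continuum = median(power)
    excess = [p - continuum for p in power]
    peak = max(excess)
    if peak <= 0:
        return None
    sel = [(f, e) for f, e in zip(freqs, excess) if e >= 0.5 * peak]
    weight = sum(e for _, e in sel)
    return sum(f * e for f, e in sel) / weight


def radial_velocity_km_s(f_obs_hz, f_rest_hz=F0_HZ):
    """Non-relativistic Doppler: v = c * (f_rest - f_obs) / f_rest.
    Positive means the gas is receding (line shifted to lower frequency)."""
    return C_KM_S * (f_rest_hz - f_obs_hz) / f_rest_hz


def velocity_from_spectrum(shift_hz):
    """Full pipeline on constructed data: spectrum -> line centre -> velocity."""
    freqs, power = constructed_spectrum(shift_hz)
    f_line = line_frequency(freqs, power)
    return None if f_line is None else radial_velocity_km_s(f_line)


if __name__ == "__main__":
    # A line shifted 500 kHz below rest corresponds to gas receding at ~105.5 km/s;
    # the same shift upward gives an approaching arm with the opposite sign.
    for shift in (-500_000.0, +500_000.0):
        print(f"shift {shift:+.0f} Hz -> {velocity_from_spectrum(shift):+.1f} km/s")
```

Sweeping the dish across the galactic plane and repeating this for each spectrum gives the velocity curve that reveals the rotation.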