Over the last few years, news that police, military, and intelligence organizations use portable cellular surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in portable cellular base stations.
Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off-the-shelf hardware.
[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.
Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.
Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building rainbow tables for the A5 ciphers used on a GSM network between the handset and the tower. GSM cracking tools are open source, and there are flaws in GPRS, the service GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.
Thanks [Justin] for the tip.
I wonder if this could be done if you had 2 HackRFs.
“It is probably possible to implement a GSM basestation with a pair of HackRF Ones, but this is unproven.”
http://ossmann.blogspot.ca/2014/01/hackrf-present-and-future.html
Aah, he seems more concerned with the radiated power than the other capabilities of the HackRF, so maybe it is possible.
Well, I just looked at a previous post from HaD that suggested there are a few features missing from the HackRF that would prevent this, so probably not.
If you read the article, it is a bladeRF, not a HackRF. The bladeRF is full duplex, so yes, this is totally possible.
So if I substitute the raspberry pi 3 with a MacBook Pro, would it make me less of a hipster?
Just put an apple sticker on each SDR and you’ll be fine.
Oops, I should have said an Apple sticker. Capitalization error strikes again!
And what about the cost of the 2TB hard disk to hold the rainbow tables … Oh, unencrypted, never mind, I was not here. “These are not the droids you are looking for.” Yes, totally, “GSM has encryption”, yep, that statement is 100% totally true. The encryption may be 30 years old, but GSM does have encryption. A5/1 is definitely a form of encryption with 54 bits of security. Weak enough to allow the British to keep on spying and just about strong enough to keep those pesky East Germans from listening in on the West Germans (30 years ago).
Yes, but as a station *you* get to select the key!
Only if you specified the SIM.
Not for 2G. You need to issue the SIM if you want to securely verify that the subscriber is real (you need to know the key and the hashing algorithm, usually COMPvX, in the card).
If you just want to establish the connection you can ignore the authentication reply and proceed anyway. 3G and 4G also require cryptographic certification of the network.
For enabling transport encryption, IIRC, you need to know the Ki in the card, but the plain-text ‘encryption method’ requires no key material, and thus can work with any SIM (or even no SIM, on some phones).
Obviously, a GSM base station has a transmitter which (presumably) requires a license from the FCC to be legal. Do the FBI, or local law enforcement, have such licenses for their stingrays? Or are they just winging it and hoping not to be caught?
You expect the FCC to step in against the FBI? One branch of the executive arm of the government investigating another?
Don’t be silly, the executive branch only investigates Congress and the judicial branch, just like Congress doesn’t police itself for all the affairs and bribes but focuses on the misdeeds of any part of the executive branch.
I’m not so sure about this. I may be wrong, and if I am please correct me, but does this not just intercept the call and then transmit to a real tower using a normal cell phone antenna?
This actually does sound handy. One idea I’ve had is recycling worthless “iCloud Locked” and otherwise trashed phones where they have been reported lost but the original owners have long since given up on them.
In some cases the insurance companies can’t even give them away, but once you’ve traced the original owner it’s feasible to give them back their lost data in exchange for keeping the phone and a nominal sum (usually £10), meaning the phone is available for use, and often an iPhone 4S or Samsung Galaxy S is more than enough for games/simple apps/etc.
Obviously the IMEI lock only depends on the network operator, so making your own SIM card and operating a private network (i.e. at festivals in Nevada etc.) is more than doable, and in fact permitted if you have the appropriate license and it is in an isolated area away from other networks.
Also 2TB isn’t that expensive. I’ve actually got scrap drives here which despite showing disk read errors are still fine if you low level format them a couple of times. Good use for junkers, and 4*500GB = 1*2TB with a hot spare in case one decides to break.
I’ve got it on good authority that it’s actually very rare for a >100GB drive to fail hard; often the failure is very specific and related to the small area where the MBR on Windows 7/8/10 is stored, suggesting that simple reformatting as GPT will work if the bad areas are simply ignored in software.
3 drives like that here, all 1TB seacrates, exact same fault on each one, and they were all used on slimline laptops such as the x520 and others, so this is a very common problem indeed.
What I would really like to see would be the work of those who are developing solutions (countermeasures) to address the increasing problem of overreach by so many of the “grub-ment” jackals. At the very least a method or device capable of detecting instruments such as the stingrays that are increasingly being used illegally.
Uber hacker Fabrice Bellard has been working on similar stuff (except for LTE):
http://bellard.org/lte/
I’ve been trying this with a NanoBTS and OpenBSC on a Raspberry Pi 2. A crop of NanoBTSes under $300ish seem to be on eBay lately, and there’s someone selling 1900MHz units for $200: http://www.ebay.com/itm/271956875931
You’ll be able to bring up 2G services fairly easily, though you’ll need to program and provision your own SIM cards for GPRS service.
You can use Yate!
For safe and responsible research, these are really nice: http://ramseytest.com/product.php?pid=10
Get the company/university to pay for it. ;)
Evidently none of the peanut gallery here is part of the commercial two-way or cellular industry. One can pick up used “BTS” test sets on that auction site for a fraction of what they went for when new. The units by their very nature are intended to simulate a cell site to allow the handset to set up a call (for testing the handset on a production line or service shop – albeit nowadays there are no ‘service centers’ that actually repair the handsets to the board/chip level). One only needs to connect the RF ports on said test set to an appropriate high-gain BDA (and specific sectorized antennae) to essentially establish a rogue site. At least “in theory” and on paper it might cause handsets to affiliate to it. Never tried it, though, so no “real world” feedback on the possibility. The test sets were made by industry heavyweights (i.e. HP, ‘back in the day’).
Just like DC said above.
Any news on availability of said units?
It would be awesome if someone could implement this on LimeSDR.
Are there any restrictions or legal issues if I were to build my own GSM base station on the European 3G range (e.g. 2100 MHz) in the USA?
As per FCC/ITU rules, regardless of where you are, you are not authorized to ‘transmit’ any kind of RF signal over the air unless you have ‘pre-authorized’ permission of some kind. Nowadays almost all parts of the world are covered under FCC/ITU rules, making it virtually impossible to transmit any usable RF signal without detection by the local authority. It becomes really nasty if you play with either the military or commercial range of radio frequency space, even if it might be idle at your transmit time. So don’t try it, for your own safety…
What is the cost of a Raspberry Pi 2/3?
How can I use it with a notebook?
Hmm, no one has an idea?
Can I use a different SDR and not bladeRF or hackRF?
i can get gsm data receiver from atm ? by this device
I have a telecom antenna. What hardware do I need to use it? Thanks.
What is the range of coverage on this thing?