It Might Be Possible To Build A Stingray With A Raspberry Pi

If there’s one thing that’s making you insecure, it’s your smartphone. Your smartphone is constantly pinging the cell towers, giving out your location and potentially leaking your private information to anyone with a radio. This is the idea behind an IMSI catcher, or Stingray in common parlance, and now you too can build one with parts you can buy off of Amazon.

The key to this hack is a software defined radio dongle, or RTL-SDR, that has been repurposed to listen in on a GSM network. Literally the only hardware required is an RTL-SDR that can be bought online for less than fifteen dollars, and you can identify the IMSI, or unique ID linked to every SIM card, in smartphones around you. The only bit of software required is a small Python script from [Oros42], freely available on GitHub.

Of course, building an IMSI catcher with a desktop is of limited utility, and using a laptop is still a bit too bulky to surreptitiously conceal in a public location. No, to really get the bang for your buck out of this, you need to do this with a small single-board computer running off a battery pack. Luckily, [Joseph Cox] over at Motherboard reports, “It is likely possible” to run this on a Raspberry-Pi. We’re guessing it’s even more than “likely” possible.

31 thoughts on “It Might Be Possible To Build A Stingray With A Raspberry Pi

  1. But increasingly irrelevant for much of the world as GSM networks are replaced.
    Do it for LTE – a lot easier these days to implement the eNodeB with open source LTE implementations and SDR.

    But you’re still going to need a $2000 SDR/FPGA platform.

    And it’s still illegal since you’re transmitting on licensed spectrum that is licenced to the cellular operators, and emulating their mobile carrier code to kick their customers off their eNodeB and connect to yours to grab their IMSI from the attach request.

  2. >you can identify the IMSI, or unique ID linked to every SIM card

    only if you manage to catch someone turning his 100% powered off (not sleeping) 2G phone on, I dont even think jamming would work, phone will hold its last TMSI for a while after losing connection.

    >IMSI catcher

    nope

    1. Yeah,
      RTL-SDR wont make an IMSI Catcher even if you run a software named “IMSI-Catcher”.

      On the otherhand.
      Lime Micro ran a 1800MHz GSM network at EMF Camp based on LimeSDR Mini’s and Raspberry PI’s.

      1. Paging areas are lots of cells, so looking at IMSI paging doesn’t do much to locate a person. That is why Stingray is a fake cell towers to make a small area.

        But this doesn’t transmit. It isn’t stingray. It’s just a trick to fool bad journalists trying to make big stories about something they don’t even understand.

      1. If I understand correctly Stingrays are effectively like a pineapple router in that they Reroute traffic through them and advertise themselves as the strongest signal around. Phones are programmed to talk to the strongest base station so the stingray essentially exploits that and snags the phones into it. As the phones hop on you record who is around and carry on. The stingray then forwards the data on over to the local cell tower as the stingray knows not to connect to it or its buddies. Users may not even be aware that they are in the presence of a stingray other than their cell signal jumps up.

        This is more a wardriving / sniffing thing. Passive vs Active interception

      2. This is just a passive sniffer. It will only allow you to see traffic that is already there. Usually this will be TMSI ids in paging traffic, although depending on the network configuration you may get quite a few IMSI’s as well.

        That doesn’t mean it is completely useless, if you know the phone number of the target you could call him/her or send a text without payload (so the phone won’t ring). This will allow you to get the TMSI and validate the phone is in the area. It changes, but not very often. It will also teach you a lot about how GSM networks work.

        A stringray usually has a transmitter. If makes a fake cell site where the phones will connect and camp. Thus it can do active traffic interception. It will be able to request the IMSI and IMEI for permanent identification. It can also configure ‘wrong’ cell selection parameters so the phone won’t roam to another cell for as long as possible.

        Making a real ‘fake’ stingray shouldn’t be that difficult. You could look at OpenBTS. Make sure to use a faraday cage or experimental license and set the network ID to the test ID to avoid having phones loose their network to you.

  3. Amateurs re-inventing the wheel.
    Just go on that auction site and grab up some of the commerical test equipment designed & built for testing cellular networks and subscriber equipment. Advantage is the hardware is specifically purpose built to work with both the network and the handset. Hook them up to RF power amplifiers and you have your own cell site – they even have network connections to allow access to the data stream.

  4. This article is beyond ridiculous and so is the one written by motherboard.

    They’re using old outdated software that can’t do anything with the LTE bands and limits you to 800 band GSM which isn’t even used in the United States for the most part.

    Can I please stop hyping up things that aren’t really happening?

    1. “They’re using old outdated software that can’t do anything with the LTE bands and limits you to 800 band GSM which isn’t even used in the United States for the most part”
      How is that relevant?

      “Can I please stop hyping up things that aren’t really happening?”
      Well it’s up to you.

    2. Who cares if it’s not for the US? There are other countries you know. This was developed by a French person, why do you assume it was made for you? It’s pretty arrogant of you to call something that’s usable in most of Europe, Asia, South America and Africa “things that aren’t really happening.”

      Also looks like you can set the frequency using the kalibrate-hackrf tool.

  5. The RPI is a bit overrated here, its the RTL-SDR dongel. You can attach that dongel to any USB interface, wouldnt be supprised you can get it working on a phone (wow, IMSI inception…)

    1. Indeed a phone seems like it would be most ideal. Already has the hardware designed to work for the target band. And a battery, obviously, and it looks way less suspicious if you wanted to plant one and have it monitor an area. On the github page there’s a link to the supported hardware list for open source mobile:
      https://osmocom.org/projects/baseband/wiki/Phones

      All ancient phones, but I don’t see why it wouldn’t be feasible to get it to work with a jailbroken smartphone running some form of linux.

      1. You would need to run your own firmware on the baseband processor, not just rooting the application processor domain. There are some that will run any binary you feed it, so theoretically it is possible. Of course it is a massive reverse engineering effort to get it to do more than print Hello World over the serial port.

  6. Joseph Cox is really showing what he doesn’t know here. It’s a shame, since he reports on this stuff a lot, but clearly doesn’t understand the technology. Such a shame tech journalism is so poor.

    This this isn’t a stingray, just a passive sniffer. So it is very limited in what it can do as it can only watch what the real mobile network is doing – most of which is encrypted or uses temporary identifiers which are meaningless to an observer.

    Stingrays are fake cell towers. Cell towers transmit. Then they can take control of your phone. This is not that.

    1. He doesn’t even understand Linux or he would realize that Python is installed by default on the RPi Raspian build, so there’s no need to install Ubuntu. There may be a need to install some Python modules, but that’s it.

  7. Hi,
    even tough there might be still Networks out there without ciphering also GSM networks are normally cyphered with typically A5/1 stream cypher. This is a not too strong cipher which can be broken in case enough computing power available. Nowadays this fits in a relatively small FPGA based box. Here a passive listening is possible in case some known messages during Attach and Security negotiation are fetched from air and the key can be broken by the (FPGA) device in time.
    This device is called “passive IMSI capturer”.
    Another approach is to fake a local network by broadcasting the network ID of a targeted operator (requires knowledge of the mobile handset which should be intercepted and which operator is used). It is then necessary to select careful the right cell ID. Preferably a cell ID of a basestation which is in the neighbor cell list of the most nearest basestation is used. By using the right power settings (being a bit stronger than the most nearest cell) the mobile will decide to handover to the IMSI capturer. When the mobile comes to the fake cell all security is denied and the mobile is forced to send clear text. The fake cell is also not triggering any other security mechanism – so the mobile has no issues to join. Because in GSM the ciphering is only between Mobile and Basestation the “man/woman in the middle” can now forward the call to the normal network and intercept the call. This is called “active IMSI capturer” – however even though this saves computing time (no active breaking of the cypher) there are some points to recognize that a mobile is actively intercepted:
    – Without additional effort it is clear that the terminating side will see the wrong MSISDN (phone number) (most simple trick is to suppress it, however e.g. with access to the SS7 network this can be faked as well)
    – All security is lost – interesting wise some phones show it even in the display in case all security/ciphering is disabled.
    – Actively ongoing calls are terminated when a handover to the fake cell is done (because of the lost security) (I don’t know if there is any trick against)
    Last but not least is one of the first things an active IMSI capturer is doing (and one benefit of it) to ask the mobile immediately for it’s IMSI which is one of the identifier to find back a mobile in the network(s) for future use.
    As some people before mentioned – after a power on of a mobile which was long time not seen or is new to the network the IMSI is asked from the mobile by the network. This is happening VERY rare. After this so called “IMSI attach” a temporary identifier is used (the TMSI) for further attaches – this is also called the “TMSI attach”.
    So – another conspicuous thing is if the network asks a mobile suddenly for its IMSI – this is a clear point to be alerted.

    In 3G this looks quite similar even though it is much harder to break the cipher for the user plane. It is much easier to intercept the signaling as the user plane – long time there was no solution for that (not sure how it is now). Another point is that it is much harder to lure a 3G handset into a fake cell because of the more sophisticated power constellation and the mechanism the next neighbor cell is selected.

    For LTE it gets even more harder because the security is integral part of the complete Radio Access Network (RAN) and is established between the mobile and the MME (Mobile Management Entity(ies)) for signaling and between the mobile and the SGW (Serving Gateway(s)) of the LTE network. Also the cyphers are more complex (see Snow 3G cipher for LTE data)
    Even there are solutions out on the “special agents” market I doubt that there are the same “straight” attack scenarios possible by “just listening” or simple “man/woman in the middle” attacks as it is possible in 2G. Either massive more computing power needed or – an access to the backend (SS7) networks are required to e.g. reroute the call over “someone in the middle”.
    BTW.: VoLTE (Voice over LTE) has a additional cipher/security for its signaling (AKA). It is for sure quiet challenging to break this ciphers with normal (amount of) hardware. It is as well possible to cipher the RTP voice stream in VoLTE additionally to the LTE cipher so another challenge here…

    Obviously an active IMSI capturer needs also capability to send and receive (even in two directions, to the mobile and to the network) while a passive IMSI capturer needs only to listen.

    Have a great time and you might want to use LimeSDR with openairinterface5g eNB and UE implementation (see [1,2]). The project offers as well a core network implementation – so it is possible to have a own LTE network running.

    Greetings
    Thomas

    [1] – http://www.openairinterface.org
    [2] – https://gitlab.eurecom.fr/oai/openairinterface5g

    1. BTW^2: the new upcoming LPWA 5G/LTE technologies such as Cat-M1 and NB-IoT allow to sleep the LPWA Mobile up to eventually 413 days – and coming back to the network without new security negotiation…. }:-)

  8. Re protection from this, there’s a few apps on Play Store that give you some details of the cell you’re connected to, including physical location. But you can’t keep your eye on it all the time. What would be a nice feature is if it could alert you if you connect to a new, previously-unknown site, which might be a Stingray.

    Even if user-level stuff doesn’t have control over whether to connect to it or not, if you’re warned you at least have the option of switching off.

    1. Hi,
      To get warned – the parameters you get from some playstore apps or as well from iPhone field test mode are for sure interesting – however to have really a view what’s ongoing you need to get informed about the ongoing signaling which is normally hidden. Some devices however offer logging and debugging access to the signaling stack. Some 2/3/4G IoT modules are even more useful…
      BTW.: this tools are great to prepare the IMSI capturer with the right information about surrounding network(s) :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.