%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


Airprobe

%size 5
Monitoring GSM traffic with USRP

%center
%size 4
by Harald Welte

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Why?

Why would you monitor GSM traffic
	For the same reason you might monitor other networks
	To learn and experiment with technology
	To boldly go where no [free] man has gone before ;)
	Practical demonstration of known GSM security problems
	Raise public awareness about GSM [in]security
		thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Legal Disclaimer

Legal Disclaimer
	Don't try this with public networks!
	GSM operates on LICENSED spectrum
	Most countries have telecommunications privacy laws!
	Only capture/monitor/analyze traffic of your own networks
	The software is strictly for research purpose only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org

What is airprobe.org?
	A platform for various GSM protocol decoding software
	Including web site, wiki, mailing list, git repository
	Formed by people who first met at the THC GSM list
	Now hosted by the Chaos Computer Club

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org

What is our goal?
	To produce a 100% open source GSM protocol decoder
		using gnuradio Software Defined Radio (SDR)
		GSM layer 1 demodulation / decode
		GSM TDMA demultiplex
		recombining bursts into MAC blocks
		handing off MAC blocks to a protocol analyzer like wireshark
		implement missing dissectors in wireshark

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's SDR?

Software defined radio
	a modern technique where analog hardware is replaced by software
	digital signal processing replaces analog electronics
Variants
	directly capturing carrier frequency with ADC
		expensive, only for low/medium carrier frequencies
		very high computing power required
		replaces all analog parts by digital parts
	downconverting before ADC using analogue mixer
		most commonly found SDR variant today
		replaces only detection/demodulation/synchronization
	demodulating in hardware and using ADC for baseband
		not really SDR, more like traditional analogue receiver

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's gnuradio?

gnuradio is a GPL licensed FOSS project for SDR
	for general-purpose PC rather than special DSP
	implements building blocks like filters, demodulators, fft
	uses python scripts to glue building blocks together
	portable, runs on Linux/BSD/MacOS/Windows
	supports different SDR and data acquisition hardware

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's the USRP?

USRP is Universal Software Radio Peripheral
	An open hardware project for SDR hardware
	provides the ideal companion for gnuradio
	modular mainboard with FPGA and ADC/DAC
	pluggable Rx and Tx frontends

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Using USRP for GSM

USRP mainboard with one of the following frontends
	USRP RFX900 frontend for GSM 850/900
	USRP RFX1800 frontend for GSM 1800/1900
	DBSRX frontend for GSM 850/900/1800/1900

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org software

gsmsp, gssm
	the two early implementations by Joshua Lackey
	considered alpha-level, many receive errors even with good signal
gsm-tvoid
	For a long time the best decoder, by tvoid
	very comfortable UI
gsm-receiver
	Latest GSM decoder by Piotr Krysik
	much better decoding
gsmdecode
	GSM layer 2+ decoder, from hex bytes to human readable
gsmstack
	GSM MAC layer, from demodulated bits to MAC blocks
A5.1
	A5/1 algorithm in C, MyHDL, CUDA and Verilog

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Thanks

Thanks to
	zecke, alphaone, Stefan, Jan for their work on OpenBSC
	W. for his extensive A-bis protocol traces and MA-10
	Dieter Spaar for his most excellent input
	Karsten Keil for mISDN
	Andreas Eversberg for LCR interface and HFC-E1 driver
	Stichting Hxx for getting the license
	all the voluntary testers at HAR2009

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Live Demo

LIVE DEMO
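The "GSM TDMA demultiplex / recombining bursts into MAC blocks" step from the goals slide, as an added example that is not part of the original slides or of the Airprobe/gsmstack code: the 4-burst control-channel block interleaving defined in GSM 05.03 (3GPP TS 45.003 section 4.1.3) and its inverse, which a layer-1 receiver applies to four demodulated normal bursts before channel decoding and hand-off to the MAC layer. The constants and function names are this example's own.

```python
# Added example, not Airprobe code: the 4-burst block interleaving of GSM 05.03
# (3GPP TS 45.003 sec. 4.1.3). A layer-1 receiver undoes it to turn four
# demodulated normal bursts back into one 456-bit coded control-channel block
# (BCCH, CCCH, SDCCH, SACCH, FACCH) before channel decoding and MAC hand-off.
from typing import List, Tuple

CODED_BITS = 456        # coded block c(0..455) after rate-1/2 convolutional coding
BURSTS_PER_BLOCK = 4    # control channels spread one block over 4 consecutive bursts
BITS_PER_BURST = 114    # normal-burst payload: two 57-bit halves around the stealing flags


def burst_position(k: int) -> Tuple[int, int]:
    """Coded bit k -> (burst B within the block, bit j within that burst).

    TS 45.003: B = B0 + 4n + (k mod 4), j = 2*((49k) mod 57) + ((k mod 8) div 4);
    block-relative here, so B0 = 0 and n = 0.
    """
    if not 0 <= k < CODED_BITS:
        raise ValueError(f"coded bit index out of range: {k}")
    return k % BURSTS_PER_BLOCK, 2 * ((49 * k) % 57) + ((k % 8) // 4)


def interleave(coded: List[int]) -> List[List[int]]:
    """Transmitter side: spread a 456-bit coded block over 4 bursts of 114 bits."""
    if len(coded) != CODED_BITS:
        raise ValueError("coded block must be exactly 456 bits")
    bursts = [[0] * BITS_PER_BURST for _ in range(BURSTS_PER_BLOCK)]
    for k, bit in enumerate(coded):
        b, j = burst_position(k)
        bursts[b][j] = bit
    return bursts


def deinterleave(bursts: List[List[int]]) -> List[int]:
    """Receiver side: recombine 4 demodulated bursts into the 456-bit coded block."""
    if len(bursts) != BURSTS_PER_BLOCK or any(len(x) != BITS_PER_BURST for x in bursts):
        raise ValueError("expected 4 bursts of 114 bits each")
    return [bursts[b][j] for b, j in map(burst_position, range(CODED_BITS))]


def is_bijective() -> bool:
    """Sanity check: every (burst, bit) slot of the 4 x 114 grid is used exactly once."""
    return len({burst_position(k) for k in range(CODED_BITS)}) == CODED_BITS


if __name__ == "__main__":
    import random
    random.seed(1)
    block = [random.randint(0, 1) for _ in range(CODED_BITS)]  # constructed sample block
    print("round trip ok:", deinterleave(interleave(block)) == block, "bijective:", is_bijective())
```

Because the mapping is block-relative, a real receiver still has to know from the frame number which four consecutive bursts belong to one block (this is the TDMA demultiplex step) before calling `deinterleave`.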