%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Airprobe
%size 5
Monitoring GSM traffic
with USRP
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Why?
Why would you monitor GSM traffic
For the same reason you might monitor other networks
To learn and experiment with technology
To boldly go where no [free] man has gone before ;)
Practical demonstration of known GSM security problems
Raise public awareness about GSM [in]security
thus increase the incentive for the market to improve
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Legal Disclaimer
Legal Disclaimer
Don't try this with public networks!
GSM operates on LICENSED spectrum
Most countries have telecommunications privacy laws!
Only capture/monitor/analyze traffic of your own networks
The software is strictly for research purpose only
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org
What is airprobe.org?
A platform for various GSM protocol decoding software
Including web site, wiki, mailing list, git repository
Formed by people who first met at the THC GSM list
Now hosted by the Chaos Computer Club
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org
What is our goal?
To produce a 100% open source GSM protocol decoder
using gnuradio Software Defined Radio (SDR)
GSM layer 1 demodulation / decode
GSM TDMA demultiplex
recombining bursts into mac blocks
handing off mac blocks to protocol analyzer like wireshark
implement missing dissectors in wireshark
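The "recombining bursts into mac blocks" step above, as an added example that is neither Airprobe code nor the author's: the GSM 05.03 rectangular interleaving used for control channels (BCCH, CCCH, SDCCH, SACCH), which a decoder has to undo after collecting the four bursts of one block. Function names and the sample bit pattern are ours; the 49/57 position rule and the hl/hu stealing-flag positions follow GSM 05.03.

```python
# Added example, not code from Airprobe or the deck: GSM 05.03 control-channel
# interleaving. One 456-bit coded block is spread over the 114 payload bits of
# four consecutive normal bursts; the receiver collects the four bursts and
# reverses the spreading before convolutional decoding can start.

BLOCK_BITS = 456      # coded bits per control-channel block
BURSTS_PER_BLOCK = 4
PAYLOAD_BITS = 114    # 2 x 57 data bits of one normal burst


def interleave_position(k):
    """Burst number and payload index that carry coded bit k (GSM 05.03 4.1.4)."""
    burst = k % 4
    j = 2 * ((49 * k) % 57) + ((k % 8) // 4)
    return burst, j


def interleave(coded):
    """Transmitter side: spread one coded block over four burst payloads."""
    bursts = [[0] * PAYLOAD_BITS for _ in range(BURSTS_PER_BLOCK)]
    for k, bit in enumerate(coded):
        b, j = interleave_position(k)
        bursts[b][j] = bit
    return bursts


def deinterleave(bursts):
    """Receiver side: rebuild the 456-bit coded block from four burst payloads."""
    return [bursts[b][j] for b, j in map(interleave_position, range(BLOCK_BITS))]


def burst_payload(e):
    """Split the 116 data bits of a normal burst into payload and stealing flags.
    e[57] is hl, e[58] is hu; both are set to 1 on control-channel bursts."""
    return e[:57] + e[59:], (e[57], e[58])


def bits_hit_by_lost_burst(lost):
    """Coded-bit indices that are wrong when burst `lost` cannot be decoded.
    Interleaving turns one lost burst into every 4th bit of the block, which
    the rate-1/2 convolutional code can correct; a contiguous 114-bit gap could
    not be."""
    return [k for k in range(BLOCK_BITS) if interleave_position(k)[0] == lost]


# Constructed sample block: a fixed pseudo-random bit pattern, not a real capture.
SAMPLE_BLOCK = [(k * 37 + k // 5) % 2 for k in range(BLOCK_BITS)]
```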
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's SDR?
Software defined radio
a modern technique where analog hardware is replaced by software
digital signal processing replaces analog electronics
Variants
directly capturing carrier frequency with ADC
expensive, only for low/medium carrier frequencies
very high computing power required
replaces all analog parts by digital parts
downconverting before ADC using analogue mixer
most commonly found SDR variant today
replaces only detection/demodulation/synchronization
demodulating in hardware and using ADC for baseband
not really SDR, more like traditional analogue receiver
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's gnuradio?
gnuradio is
a GPL licensed FOSS project for SDR
for general-purpose PC rather than special DSP
implements building blocks like filters, demodulators, fft
uses python scripts to glue building blocks together
portable, runs on Linux/BSD/MacOS/Windows
supports different SDR and data acquisition hardware
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
What's the USRP?
USRP is
Universal Software Radio Peripheral
An open hardware project for SDR hardware
provides the ideal companion for gnuradio
modular mainboard with FPGA and ADC/DAC
pluggable Rx and Tx frontends
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Using USRP for GSM
USRP mainboard with one of the following frontends
USRP RFX900 frontend for GSM 850/900
USRP RFX1800 frontend for GSM 1800/1900
DBSRX frontend for GSM 850/900/1800/1900
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Airprobe.org software
gsmsp
gssm
the two early implementations by Joshua Lackey
considered alpha-level, many receive errors even with good signal
gsm-tvoid
For a long time the best decoder by tvoid
very comfortable UI
gsm-receiver
Latest GSM decoder by Piotr Krysik
much better decoding
gsmdecode
GSM layer2+ decoder from hex bytes to human readable
gsmstack
GSM MAC layer from demodulated bits to MAC blocks
A5.1
A5/1 algorithm in C, MyHDL, CUDA and Verilog
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Thanks
Thanks to
zecke, alphaone, Stefan, Jan for their work on OpenBSC
W. for his extensive A-bis protocol traces and MA-10
Dieter Spaar for his most excellent input
Karsten Keil for mISDN
Andreas Eversberg for LCR interface and HFC-E1 driver
Stichting Hxx for getting the license
all the voluntary testers at HAR2009
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Monitoring GSM traffic
Live Demo
LIVE DEMO