Intercepting My Own 2G GSM Phone Call On A Real Cellular Network!
Recently, I had the opportunity to play around with a real 2G cellular network. So here is a quick video of how a GSM voice call is intercepted using DragonOS Linux, a software-defined radio and gr-gsm.
A good addition to any cellular security researcher's inventory is an older BlackBerry handset, in my case a Bold 9700. These phones have an 'engineering screen' which contains a number of useful features for evaluating the privacy features of a 2G network.
Firstly, you will see me navigate to the ‘Sim Browser’ menu and check if a ‘Kc’ session key has been assigned to my SIM card. After sending this phone a text message and calling it, the field was empty indicating that this network operator has not enabled encryption. Yikes.
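The empty Kc field is the handset's view of the same fact the network signals over the air: the CIPHERING MODE COMMAND (3GPP TS 44.018, section 9.1.9) tells the phone whether to start ciphering and with which A5 algorithm. The following is an added example, not code from the video or from gr-gsm; it assumes the input is the raw RR layer-3 message bytes as a protocol analyser would show them, and the sample frames are constructed, not captured traffic. It decodes the Cipher Mode Setting IE (10.5.2.9) so an operator or researcher can audit a capture for "no ciphering" orders like the one observed here.

```python
"""Classify the ciphering state ordered by a GSM CIPHERING MODE COMMAND.

Layout (3GPP TS 44.018):
  octet 1: skip indicator (high nibble) | protocol discriminator (low nibble, 0x6 = RR)
  octet 2: message type (0x35 = CIPHERING MODE COMMAND)
  octet 3: Cipher Response IE (high nibble) | Cipher Mode Setting IE (low nibble)
           Cipher Mode Setting: bit 1 = SC (start ciphering), bits 2-4 = algorithm id
           Cipher Response:     bit 1 = CR (1 = phone must return its IMEISV)
The frames in SAMPLE_FRAMES are constructed for this example, not real captures.
"""
from dataclasses import dataclass

RR_PROTOCOL_DISCRIMINATOR = 0x06
CIPHERING_MODE_COMMAND = 0x35

# Algorithm identifier values from TS 44.018 10.5.2.9 (valid only when SC = 1).
A5_ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
                 4: "A5/5", 5: "A5/6", 6: "A5/7"}
# A5/2 is the weakened export cipher that was later withdrawn from the spec;
# for risk reporting it is treated as "weak" rather than "ciphered".
WEAK_ALGORITHMS = {"A5/2"}


@dataclass(frozen=True)
class CipherModeSetting:
    start_ciphering: bool
    algorithm: str          # "A5/0" when the network orders no ciphering
    imeisv_requested: bool

    @property
    def confidentiality(self) -> str:
        """Coarse verdict: none / weak / ciphered."""
        if not self.start_ciphering:
            return "none"
        if self.algorithm in WEAK_ALGORITHMS:
            return "weak"
        return "ciphered"


def parse_ciphering_mode_command(msg: bytes) -> CipherModeSetting:
    """Decode one raw RR CIPHERING MODE COMMAND; raises ValueError on anything else."""
    if len(msg) < 3:
        raise ValueError("message too short for CIPHERING MODE COMMAND")
    pd = msg[0] & 0x0F                      # skip indicator lives in the high nibble
    if pd != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError(f"not an RR message (protocol discriminator 0x{pd:x})")
    if msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError(f"not a CIPHERING MODE COMMAND (type 0x{msg[1]:02x})")
    setting = msg[2] & 0x0F                 # Cipher Mode Setting IE
    response = (msg[2] >> 4) & 0x0F         # Cipher Response IE
    sc = bool(setting & 0x01)
    algo_id = (setting >> 1) & 0x07
    if sc:
        if algo_id not in A5_ALGORITHMS:
            raise ValueError(f"reserved algorithm identifier {algo_id}")
        algorithm = A5_ALGORITHMS[algo_id]
    else:
        algorithm = "A5/0"                  # SC = 0: algorithm bits are ignored
    return CipherModeSetting(sc, algorithm, bool(response & 0x01))


def audit_cipher_commands(frames) -> dict:
    """Count how many commands in an iterable of raw frames fall in each verdict."""
    counts = {"none": 0, "weak": 0, "ciphered": 0}
    for frame in frames:
        counts[parse_ciphering_mode_command(frame).confidentiality] += 1
    return counts


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = {
    "no ciphering (matches an empty Kc on the handset)": bytes([0x06, 0x35, 0x00]),
    "A5/1":                                                bytes([0x06, 0x35, 0x01]),
    "A5/2, IMEISV requested":                              bytes([0x06, 0x35, 0x13]),
    "A5/3":                                                bytes([0x06, 0x35, 0x05]),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        s = parse_ciphering_mode_command(frame)
        print(f"{frame.hex()}  {label:50s} -> {s.algorithm:5s} {s.confidentiality}")
    print(audit_cipher_commands(SAMPLE_FRAMES.values()))
```

A network that never sends SC = 1 leaves the traffic channel in the clear, which is exactly what the empty Kc field on the BlackBerry reflects; a network that orders A5/2 should be flagged as well, since that algorithm was withdrawn from the standard.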
Secondly, you will see me browse to the 'Neighbor Cells' menu to lock the phone to a particular ARFCN. This prevents it from jumping to another GSM cell while the phone call is in progress, allowing me to capture and record the downlink data.
Thirdly, you will see me navigate to the ‘Voice Channel’ menu and change the audio codec from AMR Full-Rate to just plain old GSM Full-Rate. This mobile network carrier uses AMR on full-rate traffic channels to encode phone calls, which gr-gsm is not capable of decoding. However, it can decode GSM full rate traffic channels perfectly fine.
Lastly, you will see a screen recording of the voice traffic decoding and audio replaying process. I was actually really lucky recording this GSM capture file: no private user data belonging to anybody else was being transmitted on this cell at the time I made the phone call. Unfortunately I missed the DTAP packets relating to the call setup and other traffic channel related data as well. Boo.
Typically, this mobile carrier sends GSM phone calls over frequency hopping channels. But I predict that about one in twenty phone calls are sent over non-hopping channels, and I was lucky enough to be dialing the phone number at the time this cell decided to assign voice calls to non-hopping traffic channels.
Decoding 2G voice traffic on frequency hopping channels with gr-gsm is generally known to be impossible, or very VERY hard to do. As such, mobile carriers enable frequency hopping on their networks as an extra layer of security to increase the difficulty of intercepting GSM communications.
While intercepting and listening to your own phone calls is fun and should keep you on the right side of the law, I strongly urge any viewers of this video to NEVER, EVER intercept anybody else’s private user data except that coming from your own telephone. Wiretapping laws are strict and penalties are harsh in most countries around the world.
Stay tuned for more GSM security research videos in the coming days. Thanks very much for reading and watching!
A (VERY STRONG) DISCLAIMER:
THIS VIDEO WAS MADE FOR THE PURPOSES OF EDUCATION AND EXPERIMENTATION ONLY. IMSI-CATCHING, SMS-SNIFFING AND VOICE CALL INTERCEPTION ON CELLULAR NETWORKS IS ILLEGAL AND PUNISHABLE BY HEFTY FINES AND IMPRISONMENT! YOU HAVE BEEN WARNED!