Title: Simpler recipe on how to make a simple $7 IMSI Catcher using Debian
Tags: english, debian, personvern, surveillance
Date: 2017-08-09 23:59

<p>On Friday, I came across an interesting article in the Norwegian
web-based ICT news magazine digi.no on
<a href="https://www.digi.no/artikler/sikkerhetsforsker-lagde-enkel-imsi-catcher-for-60-kroner-na-kan-mobiler-kartlegges-av-alle/398588">how
to collect the IMSI numbers of nearby cell phones</a> using the cheap
DVB-T software defined radios. The article referred to instructions
and <a href="https://www.youtube.com/watch?v=UjwgNd_as30">a recipe by
Keld Norman on YouTube on how to make a simple $7 IMSI Catcher</a>, and I decided to test them out.</p>

<p>The instructions said to use Ubuntu, install pip using apt (to
bypass apt), use pip to install pybombs (to bypass both apt and pip),
and then ask pybombs to fetch and build everything you need from
scratch. I wanted to see if I could do the same on the most recent
Debian packages, but this did not work because pybombs tried to build
stuff that no longer builds with the most recent openssl library, or
some other version skew problem. While trying to get this recipe
working, I learned that the apt->pip->pybombs route was a long detour,
and the only software dependency missing in Debian was the
gr-gsm package. I also found out that the lead upstream developer of
the gr-gsm (the name stands for GNU Radio GSM) project already had a set of
Debian packages provided in an Ubuntu PPA repository. All I needed to
do was to dget the Debian source package and build it.</p>

<p>The IMSI collector is a python script listening for packets on the
loopback network device and printing to the terminal some specific GSM
packets with IMSI numbers in them. The code is fairly short and easy
to understand. This works because gr-gsm includes a tool
to read GSM data from a software defined radio like a DVB-T USB stick
and other software defined radios, decode it and inject it into a
network device on your Linux machine (using the loopback device by
default). This proved to work just fine, and I've been testing the
collector for a few days now.</p>

<p>The updated and simpler recipe is thus to</p>

<ol>

<li>start with a Debian machine running Stretch or newer,</li>

<li>build and install the gr-gsm package available from
<a href="http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/">http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/</a>,</li>

<li>clone the git repository from <a href="https://github.com/Oros42/IMSI-catcher">https://github.com/Oros42/IMSI-catcher</a>,</li>

<li>run grgsm_livemon and adjust the frequency until the terminal
where it was started is filled with a stream of text (meaning you
found a GSM station),</li>

<li>go into the IMSI-catcher directory and run 'sudo python simple_IMSI-catcher.py' to extract the IMSI numbers.</li>

</ol>

<p>To make it even easier in the future to get this sniffer up and
running, I decided to package
<a href="https://github.com/ptrkrysik/gr-gsm/">the gr-gsm project</a>
for Debian (<a href="https://bugs.debian.org/871055">WNPP
#871055</a>), and the package was uploaded into the NEW queue today.
Luckily the gnuradio maintainer has promised to help me, as I do not
know much about gnuradio stuff yet.</p>

<p>I doubt this "IMSI catcher" is anywhere near as powerful as
commercial tools like
<a href="https://www.thespyphone.com/portable-imsi-imei-catcher/">The
Spy Phone Portable IMSI / IMEI Catcher</a> or the
<a href="https://en.wikipedia.org/wiki/Stingray_phone_tracker">Harris
Stingray</a>, but I hope the existence of cheap alternatives can make
more people realise how easily their whereabouts are tracked when they
carry a cell phone. Seeing the data flow on the screen, realizing that
I live close to a police station and knowing that the police also
carry cell phones, I wonder how hard it would be for criminals to
track the position of the police officers to discover when there are
police nearby, or for foreign military forces to track the location
of the Norwegian military forces, or for anyone to track the location
of government officials...</p>

<p>It is worth noting that the data reported by the IMSI-catcher
script mentioned above is only a fraction of the data broadcast on
the GSM network. It will only collect one frequency at a time,
while a typical phone will be using several frequencies, and not all
phones will be using the frequencies tracked by the grgsm_livemon
program. Also, there is a lot of radio chatter being ignored by the
simple_IMSI-catcher script, which would be collected by extending the
parser code. I wonder if gr-gsm can be set up to listen to more than
one frequency?</p>
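<p>To make the loopback injection described earlier concrete, and to let you check the "one frequency at a time" caveat above, here is a small added example (my own illustration, not code from gr-gsm or the IMSI-catcher script). It parses only the fixed GSMTAP v2 header that gr-gsm wraps decoded frames in (the osmocom gsmtap.h layout; the default UDP port 4729 on the loopback device is assumed from that documentation) and counts frames per ARFCN, without touching any identity fields. The sample packets are constructed in the block itself, so it runs offline.</p>

```python
import struct
from collections import Counter

# GSMTAP v2 fixed header (osmocom gsmtap.h), all fields big-endian:
# version, hdr_len (32-bit words), type, timeslot, arfcn, signal_dbm,
# snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_VERSION = 2
GSMTAP_UDP_PORT = 4729        # assumed default port gr-gsm sends to on 127.0.0.1
GSMTAP_TYPE_UM = 1            # Um (air interface) frames
ARFCN_F_PCS = 0x8000          # flag bits carried in the ARFCN field
ARFCN_F_UPLINK = 0x4000
ARFCN_MASK = 0x3FFF

def parse_gsmtap(payload):
    """Parse one GSMTAP UDP payload into header fields plus the raw L2 bytes."""
    if len(payload) < GSMTAP_HDR.size:
        raise ValueError("short GSMTAP packet")
    (version, hdr_len, typ, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, antenna_nr, sub_slot, _res) = GSMTAP_HDR.unpack_from(payload)
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    return {
        "type": typ, "timeslot": timeslot,
        "arfcn": arfcn_raw & ARFCN_MASK,
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & ARFCN_F_PCS),
        "signal_dbm": signal_dbm, "snr_db": snr_db,
        "frame_number": frame_number, "sub_type": sub_type,
        "l2": payload[hdr_len * 4:],   # header length is given in 32-bit words
    }

def build_gsmtap(arfcn, frame_number, l2, timeslot=0, uplink=False, signal_dbm=-60):
    """Construct a GSMTAP packet; used here only to make sample input."""
    arfcn_raw = arfcn | (ARFCN_F_UPLINK if uplink else 0)
    return GSMTAP_HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot, arfcn_raw,
                           signal_dbm, 10, frame_number, 0, 0, 0, 0) + l2

def arfcn_summary(packets):
    """Count decoded frames per ARFCN: shows how many carriers a capture really covers."""
    counts = Counter()
    for pkt in packets:
        try:
            counts[parse_gsmtap(pkt)["arfcn"]] += 1
        except ValueError:
            continue            # skip truncated or non-GSMTAP datagrams
    return dict(counts)

if __name__ == "__main__":
    # Constructed sample: two frames on ARFCN 975, one on ARFCN 20.
    sample = [build_gsmtap(975, 123456, b"\x01\x02\x03", uplink=True),
              build_gsmtap(975, 123457, b"\x04"), build_gsmtap(20, 7, b"\x05")]
    print(arfcn_summary(sample))
```

<p>Fed the datagrams read from UDP port 4729 on the loopback device while grgsm_livemon runs, the summary will show a single ARFCN, which is exactly the limitation described above.</p>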