Title: Easier recipe to observe the cell phones around you
Tags: english, debian, personvern, surveillance
Date: 2017-09-24 08:30

<p>A little more than a month ago I wrote
<a href="http://people.skolelinux.org/pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html">how
to observe the SIM card ID (aka IMSI number) of mobile phones talking
to nearby mobile phone base stations using Debian GNU/Linux and a
cheap USB software defined radio</a>, and thus being able to pinpoint
the location of people and equipment (like cars and trains) with an
accuracy of a few kilometers. Since then we have worked to make the
procedure even simpler, and it is now possible to do this without any
manual frequency tuning and without building your own packages.</p>

<p>The <a href="https://tracker.debian.org/pkg/gr-gsm">gr-gsm</a>
package is now included in Debian testing and unstable, and the
IMSI-catcher code no longer requires root access to fetch and decode
the GSM data collected using gr-gsm.</p>

<p>Here is an updated recipe, using packages built by Debian and a git
clone of two Python scripts:</p>

<ol>

<li>Start with a Debian machine running the Buster version (aka
testing).</li>

<li>Run '<tt>apt install gr-gsm python-numpy python-scipy
python-scapy</tt>' as root to install the required packages.</li>

<li>Fetch the code decoding GSM packets using '<tt>git clone
https://github.com/Oros42/IMSI-catcher.git</tt>'.</li>

<li>Insert a USB software defined radio supported by GNU Radio.</li>

<li>Enter the IMSI-catcher directory and run '<tt>python
scan-and-livemon</tt>' to locate the frequency of nearby base
stations and start listening for GSM packets on one of them.</li>

<li>Enter the IMSI-catcher directory and run '<tt>python
simple_IMSI-catcher.py</tt>' to display the collected information.</li>

</ol>

<p>Note, due to a bug somewhere the scan-and-livemon program (actually
<a href="https://github.com/ptrkrysik/gr-gsm/issues/336">its underlying
program grgsm_scanner</a>) does not work with the HackRF radio. It does
work with RTL 2832 and other similar USB radio receivers you can get
very cheaply
(<a href="https://www.ebay.com/sch/items/?_nkw=rtl+2832">for example
from ebay</a>), so for now the solution is to scan using the RTL radio
and only use HackRF for fetching GSM data.</p>

<p>As far as I can tell, a cell phone only shows up on one of the
frequencies at a time, so if you are going to track and count every
cell phone around you, you need to listen to all the frequencies used.
To listen to several frequencies, use the --numrecv argument to
scan-and-livemon to use several receivers. Further, I am not sure if
phones using 3G or 4G will show as talking GSM to base stations, so
this approach might not see all phones around you. I typically see
0-400 IMSI numbers an hour when looking around where I live.</p>

<p>I've tried to run the scanner on a
<a href="https://wiki.debian.org/RaspberryPi">Raspberry Pi 2 and 3
running Debian Buster</a>, but the grgsm_livemon_headless process seems
to be too CPU intensive to keep up. When GNU Radio prints 'O' to
stdout, I am told it is caused by a buffer overflow between the
radio and GNU Radio, caused by the program being unable to read the
GSM data fast enough. If you see a stream of 'O's from the terminal
where you started scan-and-livemon, you need to give the process more
CPU power. Perhaps someone is able to optimize the code to a point
where it becomes possible to set up RPi3 based GSM sniffers? I tried
using Raspbian instead of Debian, but there seems to be something wrong
with GNU Radio on Raspbian, causing glibc to abort().</p>