<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
<channel>
<title>Petter Reinholdtsen - Entries from August 2017</title>
<description>Entries from August 2017</description>
<link>http://www.hungry.com/~pere/blog/</link>


<item>
<title>Simpler recipe on how to make a simple $7 IMSI Catcher using Debian</title>
<link>http://www.hungry.com/~pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html</link>
<guid isPermaLink="true">http://www.hungry.com/~pere/blog/Simpler_recipe_on_how_to_make_a_simple__7_IMSI_Catcher_using_Debian.html</guid>
<pubDate>Wed, 9 Aug 2017 23:59:00 +0200</pubDate>
<description>&lt;p&gt;On Friday, I came across an interesting article in the Norwegian
web-based ICT news magazine digi.no on
&lt;a href=&quot;https://www.digi.no/artikler/sikkerhetsforsker-lagde-enkel-imsi-catcher-for-60-kroner-na-kan-mobiler-kartlegges-av-alle/398588&quot;&gt;how
to collect the IMSI numbers of nearby cell phones&lt;/a&gt; using the cheap
DVB-T software defined radios. The article referred to instructions
and &lt;a href=&quot;https://www.youtube.com/watch?v=UjwgNd_as30&quot;&gt;a recipe by
Keld Norman on YouTube on how to make a simple $7 IMSI Catcher&lt;/a&gt;, and I decided to test them out.&lt;/p&gt;

&lt;p&gt;The instructions said to use Ubuntu, install pip using apt (to
bypass apt), use pip to install pybombs (to bypass both apt and pip),
and then ask pybombs to fetch and build everything you need from
scratch. I wanted to see if I could do the same on the most recent
Debian packages, but this did not work because pybombs tried to build
stuff that no longer builds with the most recent openssl library or
some other version skew problem. While trying to get this recipe
working, I learned that the apt-&gt;pip-&gt;pybombs route was a long detour,
and the only piece of software dependency missing in Debian was the
gr-gsm package. I also found out that the lead upstream developer of
the gr-gsm (the name stands for GNU Radio GSM) project already had a set of
Debian packages provided in an Ubuntu PPA repository. All I needed to
do was to dget the Debian source package and build it.&lt;/p&gt;

&lt;p&gt;The IMSI collector is a Python script listening for packets on the
loopback network device and printing to the terminal some specific GSM
packets with IMSI numbers in them. The code is fairly short and easy
to understand. The reason this works is that gr-gsm includes a tool
to read GSM data from a software defined radio like a DVB-T USB stick
and other software defined radios, decode them and inject them into a
network device on your Linux machine (using the loopback device by
default). This proved to work just fine, and I&#39;ve been testing the
collector for a few days now.&lt;/p&gt;

&lt;p&gt;The updated and simpler recipe is thus to&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt;start with a Debian machine running Stretch or newer,&lt;/li&gt;

&lt;li&gt;build and install the gr-gsm package available from
&lt;a href=&quot;http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/&quot;&gt;http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/&lt;/a&gt;,&lt;/li&gt;

&lt;li&gt;clone the git repository from &lt;a href=&quot;https://github.com/Oros42/IMSI-catcher&quot;&gt;https://github.com/Oros42/IMSI-catcher&lt;/a&gt;,&lt;/li&gt;

&lt;li&gt;run grgsm_livemon and adjust the frequency until the terminal
where it was started is filled with a stream of text (meaning you
found a GSM station),&lt;/li&gt;

&lt;li&gt;go into the IMSI-catcher directory and run &#39;sudo python simple_IMSI-catcher.py&#39; to extract the IMSI numbers.&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;To make it even easier in the future to get this sniffer up and
running, I decided to package
&lt;a href=&quot;https://github.com/ptrkrysik/gr-gsm/&quot;&gt;the gr-gsm project&lt;/a&gt;
for Debian (&lt;a href=&quot;https://bugs.debian.org/871055&quot;&gt;WNPP
#871055&lt;/a&gt;), and the package was uploaded into the NEW queue today.
Luckily the gnuradio maintainer has promised to help me, as I do not
know much about gnuradio stuff yet.&lt;/p&gt;

&lt;p&gt;I doubt this &quot;IMSI catcher&quot; is anywhere near as powerful as
commercial tools like
&lt;a href=&quot;https://www.thespyphone.com/portable-imsi-imei-catcher/&quot;&gt;The
Spy Phone Portable IMSI / IMEI Catcher&lt;/a&gt; or the
&lt;a href=&quot;https://en.wikipedia.org/wiki/Stingray_phone_tracker&quot;&gt;Harris
Stingray&lt;/a&gt;, but I hope the existence of cheap alternatives can make
more people realise how their whereabouts when carrying a cell phone
are easily tracked. Seeing the data flow on the screen, realizing that
I live close to a police station and knowing that the police are also
carrying cell phones, I wonder how hard it would be for criminals to
track the position of the police officers to discover when there are
police nearby, or for foreign military forces to track the location
of the Norwegian military forces, or for anyone to track the location
of government officials...&lt;/p&gt;

&lt;p&gt;It is worth noting that the data reported by the IMSI-catcher
script mentioned above is only a fraction of the data broadcast on
the GSM network. It will only collect one frequency at a time,
while a typical phone will be using several frequencies, and not all
phones will be using the frequencies tracked by the grgsm_livemon
program. Also, there is a lot of radio chatter being ignored by the
simple_IMSI-catcher script, which would be collected by extending the
parser code. I wonder if gr-gsm can be set up to listen to more than
one frequency?&lt;/p&gt;
</description>
</item>

</channel>
</rss>