On Friday, I came across an interesting article in the Norwegian web based ICT news magazine digi.no on how to collect the IMSI numbers of nearby cell phones using the cheap DVB-T software defined radios. The article referred to instructions and a recipe by Keld Norman on YouTube on how to make a simple $7 IMSI Catcher, and I decided to test them out.

The instructions said to use Ubuntu, install pip using apt (to bypass apt), use pip to install pybombs (to bypass both apt and pip), and then ask pybombs to fetch and build everything you need from scratch. I wanted to see if I could do the same on the most recent Debian packages, but this did not work because pybombs tried to build stuff that no longer builds with the most recent openssl library, or some other version skew problem. While trying to get this recipe working, I learned that the apt->pip->pybombs route was a long detour, and the only software dependency missing in Debian was the gr-gsm package. I also found out that the lead upstream developer of the gr-gsm (the name stands for GNU Radio GSM) project already had a set of Debian packages provided in an Ubuntu PPA repository. All I needed to do was to dget the Debian source package and build it.

The IMSI collector is a Python script listening for packets on the loopback network device and printing to the terminal some specific GSM packets with IMSI numbers in them. The code is fairly short and easy to understand. The reason this works is that gr-gsm includes a tool to read GSM data from a software defined radio like a DVB-T USB stick and other software defined radios, decode it and inject it into a network device on your Linux machine (using the loopback device by default). This proved to work just fine, and I've been testing the collector for a few days now.

The updated and simpler recipe is thus to

- start with a Debian machine running Stretch or newer,

- build and install the gr-gsm package available from http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/,

- clone the git repository from https://github.com/Oros42/IMSI-catcher,

- run grgsm_livemon and adjust the frequency until the terminal where it was started is filled with a stream of text (meaning you found a GSM station),

- go into the IMSI-catcher directory and run 'sudo python simple_IMSI-catcher.py' to extract the IMSI numbers.

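What the last step of the recipe actually decodes, as an added example that is neither the Oros42 script nor gr-gsm code: grgsm_livemon hands the decoded bursts to the loopback device as GSMTAP datagrams (UDP, port 4729 by default), and a paging message on the CCCH carries the mobile identity in cleartext as packed BCD, which is why a few lines of Python are enough to read it. The parser below runs offline on a constructed datagram (standard library only; the IMSI uses the 001/01 test PLMN, the ARFCN and signal values are made up) and distinguishes an IMSI, the permanent subscriber identity, from a TMSI, the temporary identity the network is supposed to page with instead so the IMSI stays off the air.

```python
import struct

# GSMTAP header (libosmocore gsmtap.h), 16 bytes, network byte order: version, hdr_len
# (32-bit words), type, timeslot, arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_ARFCN_MASK = 0x3FFF  # the two top bits of the ARFCN field are PCS/uplink flags

def parse_gsmtap(datagram):
    """Return (header dict, GSM payload) for one GSMTAP datagram."""
    f = GSMTAP_HDR.unpack_from(datagram)
    if f[0] != 1:
        raise ValueError("unsupported GSMTAP version %d" % f[0])
    header = {"type": f[2], "timeslot": f[3], "arfcn": f[4] & GSMTAP_ARFCN_MASK,
              "signal_dbm": f[5], "frame_number": f[7], "sub_type": f[8]}
    return header, datagram[f[1] * 4:]

def decode_mobile_identity(ie):
    """Decode a TS 24.008 10.5.1.4 Mobile Identity value part into (kind, identity)."""
    kind = ie[0] & 0x07
    if kind == 4:  # TMSI/P-TMSI: opaque 32-bit temporary identity, no subscriber digits
        return "TMSI", "%08x" % struct.unpack("!I", ie[1:5])[0]
    digits = [ie[0] >> 4]  # digit 1 shares octet 3 with the odd/even flag and the type
    for octet in ie[1:]:  # the rest is packed BCD, low nibble first
        digits += [octet & 0x0F, octet >> 4]
    if not (ie[0] >> 3) & 1:
        digits.pop()  # even digit count: the final high nibble is 0xF filler
    return {1: "IMSI", 2: "IMEI", 3: "IMEISV"}.get(kind, "unknown"), "".join(map(str, digits))

def identities_from_paging(payload):
    """Identities in a Paging Request Type 1 (TS 44.018 9.1.22), [] for any other message."""
    # payload[0] is the L2 pseudo length; PD 0x06 = Radio Resource, type 0x21 = Paging Request 1
    if len(payload) < 5 or payload[1] & 0x0F != 0x06 or payload[2] != 0x21:
        return []
    pos = 4  # skip L2 pseudo length, PD, message type, page mode/channels needed
    ids = [decode_mobile_identity(payload[pos + 1:pos + 1 + payload[pos]])]  # Mobile Identity 1 (LV)
    pos += 1 + payload[pos]
    if pos + 1 < len(payload) and payload[pos] == 0x17:  # Mobile Identity 2 (TLV, IEI 0x17)
        ids.append(decode_mobile_identity(payload[pos + 2:pos + 2 + payload[pos + 1]]))
    return ids

def identities_from_datagram(datagram):
    header, payload = parse_gsmtap(datagram)
    return [(header["arfcn"], kind, ident) for kind, ident in identities_from_paging(payload)]

# Constructed datagram (not a capture): CCCH block on ARFCN 16 paging IMSI 001010123456789 and TMSI 0x12345678, 0x2b-padded to 23 octets
SAMPLE = GSMTAP_HDR.pack(1, 4, 1, 0, 16, -60, 10, 1234567, 2, 0, 0, 0) + bytes(
    [0x4D, 0x06, 0x21, 0x00,
     0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98,  # IMSI, 15 digits (odd)
     0x17, 0x05, 0xF4, 0x12, 0x34, 0x56, 0x78]) + b"\x2b" * 3  # 0xF4 = filler, even, type 4
```

Calling identities_from_datagram(SAMPLE) yields the IMSI and the TMSI with the ARFCN they were heard on; a network that pages only by TMSI leaves this kind of passive listener with nothing that identifies the subscriber.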
To make it even easier in the future to get this sniffer up and running, I decided to package the gr-gsm project for Debian (WNPP #871055), and the package was uploaded into the NEW queue today. Luckily the gnuradio maintainer has promised to help me, as I do not know much about gnuradio stuff yet.

I doubt this "IMSI catcher" is anywhere near as powerful as commercial tools like The Spy Phone Portable IMSI / IMEI Catcher or the Harris Stingray, but I hope the existence of cheap alternatives can make more people realise how easily their whereabouts can be tracked when carrying a cell phone. Seeing the data flow on the screen, realizing that I live close to a police station and knowing that police officers also carry cell phones, I wonder how hard it would be for criminals to track the position of the police officers to discover when there are police nearby, or for foreign military forces to track the location of the Norwegian military forces, or for anyone to track the location of government officials...

It is worth noting that the data reported by the IMSI-catcher script mentioned above is only a fraction of the data broadcast on the GSM network. It will only collect one frequency at a time, while a typical phone will be using several frequencies, and not all phones will be using the frequencies tracked by the grgsm_livemon program. Also, there is a lot of radio chatter being ignored by the simple_IMSI-catcher script, which could be collected by extending the parser code. I wonder if gr-gsm can be set up to listen to more than one frequency?