Hacker News new | past | comments | ask | show | jobs | submit login
How to Build Your Own Rogue GSM BTS for Fun and Profit (evilsocket.net)
262 points by sweis on Apr 2, 2016 | hide | past | web | favorite | 61 comments

I wouldn't even think about doing this unless you are in a faraday cage environment or other locked down RF environment where you can be absolutely sure you have complete control over all RF emitted by the device and you know exactly which devices are able to connect.

Otherwise, in the US expect the FCC and network operators to become intimately familiar with who you are rather quickly.

Having random public phones roam onto your rouge cellular network is a public safety risk (potentially no 911 access) as well as any number of laws being directly broken (unlicensed spectrum use, denial of service to legitimate licensed networks etc).

This. It is also important to note that you may interrupt the service of other people's handsets even if your BTS doesn't allow them to connect, just by operating your SDR with an insufficient clock reference [1]. The handset will re-calibrate it's VCXO to match your SDR, and then won't be able to see the legitimate cell networks.

[1] http://openbts.org/w/index.php?title=Clocks

Excellent point. All cell phone sites have a GPS reference clock source for each provider. The clock source is critical for everything from RF tuning to handoff timing between sites.

You'll see this type of antenna mounted typically right on top of the equipment housing structure. Each one you see will tell you how many providers are there.


(Note that it is small, about 6 inches in height. And different variations abound, but they are typically painted white and mounted right on the structure for LOS view to the sky)

All very good reasons why we should be throwing more police officers as well as the executives and owners of Harris in jail for using these things. It's impossible to manufacture or operate a stingray without breaking the law.

I would counter that we need to make it more difficult for police to use Stingrays, but law enforcement should absolutely engage in all sorts of man-in-the-middle attacks when it is in the public interest. The problem is not that the have a particular capability, but that they have such an overabundance of them and that they deploy them far too readily.

never heard about faraday cages?

... now we just need to figure out how to lure the surveillance target into our EM-shielded cage.

my point is that it's quite easy to "play" with such things without actually breaking the law

I think you may have misunderstood the comment. In the US, Ireland, and probably elsewhere, police are using rogue cell sites ("Stingrays") for surveillance. The person you replied to is claiming that this is illegal, and the police forces that are doing it should be punished. They weren't talking about people experimenting with setting up Faraday-caged toy cell sites in their basement — there's absolutely nothing wrong with that and it should be encouraged!

the executives and owners of Harris in jail

They were also talking about the people that built the devices.

They aren't "playing".

Did you intend to reply to the grandparent comment?

Talk about over-reacting. Not only is there a legal power maximum for private use of regulated spectrum, but there are plenty of areas of the US where you won't interrupt anyone else's service. If you're really concerned, get a Ham license.

There are plenty of areas where you can play with this on low power without pissing off the feds or ILECs. The creators of OpenBTS did this to provide service where it doesn't exist - in the middle of a desert, providing service to 30,000 people over a 7 square kilometer area, for example.

It should go without saying that broadcasting a pirate signal in a populated area is a bad idea.

For those who want to mess around with BTS -- 900mhz (Eurospec GSM freq; US' complement is 850) is unlicensed ISM band even without a Ham license, and legally compatible with all the Siemens production gear you can get fairly cheap (everyones phasing out the BS20s and what not).

There's a 1 watt/4 watt limit, but I'm really curious how easy it'd be to get full voice 2G (Euro spec standard) coverage for Manhattan. This is all on consumer-compatible Euro/Asia and/or quad-band units out of the box too. Capacity for each BTS was around 12 concurrent voice channels (IIRC) and when I ran numbers you'd get ~1.2 radial KM coverage[edit: indoors, not LOS (which is drastically further)] at the setup I spec'd out (it was a while ago, apologies, but I think it was Yagi style capable of +70dbm).


Below 928MHz doesn't exactly jive with https://en.wikipedia.org/wiki/GSM_frequency_bands. It looks like you'd be restricted to "Trunking GSM" and only part of the rest? Can the protocol/gear actually be restricted to only part of the band?

Also, similar topic - why is there such a dearth of information on hacking / forcibly opening up mobile basebands? Is it that there isn't much tinkering to be done once inside (just a lot of opaque DSP code), or are they really locked down that well, or is it simply that the people who develop such knowhow earn a living through phone unlocking etc and thus don't publicize?

I'd really like to see some device hacked open enough such that all the surveillance identifiers (IMEI etc) could be freely scrubbed. After that, psuedonymously obtain network access via a remote SIM card proxied over IP - bootstrap with an existing wifi, and then I'd hope any renegotiation could take place over the device's own connection.

Check out OsmocomBB - https://bb.osmocom.org/

While it doesn't even intend to be "consumer friendly" firmware replacement, the project provides a lot of interesting info on hacking TI Calypso basebands used for instance in some old Motorola devices and Openmoko phones.

Proxied SIM probably won't work due to timing constraints and I don't think it could be possible on device's own connection, but I'm not really an expert in this area, so don't believe me and my educated guesses too much.

However, counter-intuitively, playing with stuff like IMEI number will probably make you even easier target. Some hardware characteristics of your device could be used to "fingerprint" it, and having a lot of IMEIs being advertised by some old Calypso device in similar area could easily bring some attention to it.

Ah crap the timing could indeed be a fundamental problem. Proxying a SIM card is just a recent idea I've been kicking around. Alternatively a privacy-friendly VMVNO could just send a new SIM every (week,month,etc). Once the concept was proven (with non-fixed IMEI etc), I'm imagining a commercial demand would spring up in short order. There's no reason a SIM card must be treacherous hardware.

Obviously a small or singular mix group can be worse than no psuedonymity at all, but the idea would be to go for wider adoption. If I actually wanted to privately engage in illegal activity, I'd just buy burner phones and use the appropriate opsec. Really I just want to enable privacy for all of us who don't have something to hide.

I remember being in Ireland last summer and seeing right off the plane a vending machine of burnable sim cards.

The market doesn't exist in the US yet, but Europe seems to be somewhat accustomed to it.

Even though it sounds like its not feasible could you explain the concept of "sim proxying"? I am curious. Thanks!

So, when you refer to 'restricted to nothing >928', I presume you mean side-band harmonic tone spill. To answer your question: I have no idea, but here's my educated guess based on the '08 auction[1] -- absolutely. I'm presuming that Verizon wouldn't pay billions of dollars for 2 6 mhz bands if they couldn't use it without violating FCC's "don't jump into my band, bro" stuff. Block A has 698–704 and 728–734 MHz. So, they're presumably using 6mhz here, another 6 mhz there (channel trunking) but they're definitely keeping within a 6mhz range. Granted you get a bit more of spectral content within a 700mhz band compared to the 900 to 928 range[edit: uh, per hertz obviously haha], that's still a massive band [edit: again, referring to the content you can fit per hertz; without actually running numbers, I'd gut-feeling-estimate that you're losing maybe ehh 30% capacity, so 900 to 928 is more than enough to operate a full 2G antenna].

RE: The dearth of information: Forcibly opening up? As in like, violating FCC rules? I mean, the knowledge is out there and readily available on the public internet if you know where to look. You can still find o-chem forums with PhD students talking about the manufacturing of research chemicals, but its masked in their own lexicon (an idiot can't just Google "how do i make {insert designer drug of choice}", but you'll find a lot re: "wacker oxidation of foo in bar" or "reductive amination in a Vigreux column").

Just like we've got specs and RFCs for all of our protocols, the mobile industry meets up and agrees on everything from MIPI standards (ever wondered how there are so many Chinese Android devices with so many different seemingly interchangable components like video cameras, GPS modules, etc? There's a spec everything). You could easily take over some of the 850mhz spectra for a day or two but a) what would you have to gain? I guess you could sell baseband equipment to private investigators for a huge premium, thats about it, b) even if you could monetize it, the FCC would storm in on you within a couple days, a week at most.

RE: devices hacked open - Shenzhen has everything.

[1] https://en.wikipedia.org/wiki/United_States_2008_wireless_sp...

I had forgotten how much the bands would be sliced up commercially, so yeah it makes sense that equipment can narrowly segregate. The two separate Verizon ranges are probably UL/DL, no? If you're messing with your own base station, then it seems like the phone would be the violator on the uplink frequencies, heh heh.

For opening up, fundamentally any device should be open to inspection and modification by its owner. But my specific desire would be to eliminate the fixed identifiers from the protocol, to restore some privacy of these tracking devices we expect to carry everywhere.

Homebrew hardware and a Free stack would be a massive undertaking and capital-intensive to distribute. So a better starting point would be some already-distributed piece of consumer hardware. I'd think there would be at least one device that got reverse engineered enough to create some community flash-it-yourself distribution. Perhaps I'm just not doing the right searches, but I just run across vague allusions from either people who are in the know and NDA, independents who dug in a bit but only published summaries of results, or commercial-oriented unlockers only interested in achieving their narrow result.

I guess I'm left wondering whether Qualcomm's hardware security really is that good to destroy the enthusiasm for such tinkering, or whether it's just their legal goons have so far successfully contained the knowledge to the secretive unlocking market.

Can you explain to my why baseband hacking would be important in this regard? Does all the protocol/handshake negotiation happen at the baseband layer before its modulated up? Is that correct?

In the context of mobile, "baseband" colloquially refers to everything "below" the application processor (I guess technically stopping at the RF mixer). The physical layer protocol is carried out in the digital domain by the "baseband processor", which is also running code that takes care of the higher level session protocols.

So yes, this generally includes all bits of protocol below the simplistic IP and AT-command based session interface that's exported.

(My idea for "SIM proxying": The link between a SIM and the baseband processor is a simple serial link. So as long as latency requirements could be met, this serial link could be tunneled over IP, allowing one to rent a SIM card that wasn't actually in their possession).

This is not an over-reaction in even the slightest way.

The barrier to entry for this implementation is a little over $600 USD. If someone brought this solution online in their apartment in midtown Manhattan NYC, they would potentially affect hundreds, if not thousands of devices.

Someone who is deploying an OpenBTS in the middle of the desert probably already has a good understanding of their existing RF environment.

I'm willing to bet that just about everyone participating here lives in an RF rich environment where if they brought solution online, it would impact someone.

People who buy football equipment are aware that you can injure people playing football and generally don't play football in a midtown Manhattan office, for example.

People who buy BTS equipment are aware that they are creating a cell tower and it will affect people around them and the police and cell network providers will not be happy with them if that happens.

> they would potentially affect hundreds

Unlikely since the range of this device is about a single small / medium apartment building.

Exactly; without an RF amp you're not going to do any serious damage.

You'd think people would have gathered that from the fact that the entire RF device is USB bus powered.

"hacker" news

> Having random public phones roam onto your rouge cellular network is a public safety risk

So don't let other people on it.

Fun story: I worked for a company in the UK making GSM picocells with IP backhaul. One day, due to a misconfiguration, we had a lot of confused people from other offices in the building wondering why their phones were roaming onto a Canadian cell network thousands of miles across the Atlantic. Oops.

I suspect the chances of getting caught if you run it intermittently a few times are almost nil. After all, the Stingray devices are illegal and seem to have been used for years.

Perhaps, but he was addressing the legality, not the practicality of getting caught. And the points about your project potentially stopping people from calling 911 are also salient. This is just something that isn't worth the risk to most tinkerers like myself to even try.

What are the odds of someone calling 911 around you the moment you try it? I'd say negligible if you're not in the center of a city.

Probably nil if they're connecting to your rogue device.

absolutely agree, while writing the post I gave for granted that ppl realized how illegal this is and take appropriate measures.

Sitting in a Faraday cage will not do you much good...

Totally agree with the sentiment though. Apply for an experimental FCC license!

Do those licenses really exist? Sounds interesting.

That's how Harald Welte and Osmocomm team was always providing on-site GSM networks on events like Chaos Communication Congress/Camp.

However, recently Germany sold out part of spectrum that was used for those licenses, so it became much harder now there. The network on last CCC almost didn't happen, but the provider who bought it (T-Mobile IIRC?) allowed to use it this time anyway. The future is a one big question mark though :(

It's a great post but I think it's one of those experiences best enjoyed vicariously

Oh! And also, if this sort of thing interests you, get your ham radio technician's license. There is no morse code requirement and the test questions and answers come from a publically-available pool. It is straightforward to study for (but do read the theory, don't just memorize test answers).

Once you have that, you can start operating digital modes on local bands at low power. You'll be amazed how far you can stretch 5W of transmitter.

I'm pretty sure a technician license grants you the same amount of power and access to the same bands as a general and extra license above 6m.

Yeah, I think you're right.

Just for reference, here's all the allocations. They've got fairly verbose rules http://www.arrl.org/frequency-allocations

FWIW MURS is open without a license for digital, although with pretty lower power ceilings.

Phones automatically connect to any unencrypted BTS? This is really insane. I thought service providers provision the sim card with white listed and authenticated providers or only tunnel their traffic securely through foreign networks. This is way to easy. Are there apps to detect such things?

EDIT: found 2 apps claiming to be able to detect this.



Newer systems using 3GPP-type authentication (LTE, and I think UMTS) require mutual authentication between the SIM and the network (details in [1] section 6.3). If the network doesn't provide a satisfactory AUTN, the mobile can't proceed with connecting to the network because later steps in the connection procedure need some keys derived from the authentication procedure.

I think in older GSM-derived systems, the SIM just computed an authenticator based on a nonce provided by the network.

I know for sure that CDMA (IS-95 and 2000) and later AMPS systems supported one-way authentication or not, as selected by the network.

I've heard rumors that attackers have to force a protocol downgrade to something without mutual authentication by jamming the legitimate signal. The other options for the attack would seem to include

- obtaining the secret key value (or a set of authentication vectors) from the legitimate network. Either of these seems more difficult to obtain than the actual locations that the attackers claim to want.

- obtaining K from SIM manufacturers, which has happened [2].

- exploiting implementation defects in SIMs or mobiles.

[1] 3GPP/ETSI TS 133 102 "3G security: security architecture", http://www.etsi.org/deliver/etsi_ts/133100_133199/133102/13....

[2] https://hn.algolia.com/?query=gemalto&sort=byPopularity&pref...

Thanks, that made it much more clear to me :)

I now also read about "femtocells" used among else by Verizon (which dievices have been hacked) that are used to extend the signal coverage by costumers. It is an interesting topic overall. I think i will dive more into it...

> costumers

interesting, never saw this kind of typo before, since those two letters are quite far off..


Sorry, i do all kind of weird typos, sometimes i do not spot them.

First one looks a little sketch, second one is more well known I think. Here's an open-source one: Android IMSI-Catcher Detector (https://cellularprivacy.github.io/Android-IMSI-Catcher-Detec...)

Here's a list of apps to get cell data: http://wiki.opencellid.org/wiki/Data_sources

If you're using a CDMA phone and are still concerned, you can try modifying your own PRL and blocking carrier updates.

CDMA is largely immune to this, largely owing to the lack of implementations of a CDMA BSM

It's moderately interesting how these work, they basically check if you're connecting to a "new" tower.

Another app is called aimsicd, I use it personally. Not paranoid, but there's no reason not to use it really. No noticeable drain on battery, and it would be interesting to know if it ever did throw anything.

This is exactly the method how criminals in my home country send scam texts to victims[1], it's hard to trace since they are mobile. Before LTE towers were widely deployed, two major GSM operators can't prevent people from connecting to a malicious station, since 2G sim cards do not have capabilities to authenticate operator's network.

It's a relief that major operators today are actively rolling out 4G SIM cards, and law enforcements are taking malicious stations seriously. So today if you set up rogue GSM BTS, you might be prosecuted.

[1] http://www.theregister.co.uk/2014/03/26/spam_text_china_clam...

Is that an issue with more modern systems like UMTS and LTE? For some reason I remember reading somewhere that when UMTS was introduced, the SIM card standard was updated to include some data allowing devices to challenge UMTS (and I assume LTE too) BTSes to provide proof in the form of an answer to a challenge code presented by the device using data from the SIM card. Have I got this right?

Yes, you are correct. Some parts of LTE and WCDMA use a pre shared secret and rolling keys to allow UEs to identify themselves to the mobile network. There are however many non-data carrying parts of LTE that are not encrypted or authenticated, sort of how 802.11 has AES but management frames are still fully unecrypted.

I posted this yesterday already: https://news.ycombinator.com/item?id=11403135

I thought you can't post duplicate content.?

I've heard the moderator, dang, say that the duplicate system is imperfect. Sometimes it's just luck. It looks like this has been posted several times over the past few days.


Duplicates are allowed if a post hasn't gotten much attention in a while. Sometimes HN will auto-repost your post. It's not a bug, it's a feature!


> Are reposts ok?

> If a story has had significant attention in the last year or so, we kill reposts as duplicates. If not, a small number of reposts is ok.

> Please don't delete and repost the same story, though. Accounts that do that eventually lose submission privileges.

Is there a list of all the HN topics that include the keyword: "How to build your own _____ for fun and profit"

Please don't mention the search bar.

Make and submit it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact