Demonstration of vulnerabilities in GSM security with USRP B200 and open-source penetration tools

This paper demonstrates weaknesses in the GSM security architecture by implementing an active attack at the Um (radio) interface. The attack exploits GSM's lack of mutual authentication: the network authenticates the mobile station, but the mobile station has no means of authenticating the network and therefore cannot distinguish a legitimate base station from a rogue one. A rogue GSM base transceiver station (BTS) was built from a Universal Software Radio Peripheral (USRP) B200 board running OpenBTS. Unlike the widely used USRP1 and N-series boards, the B200 does not require an external 10 MHz reference clock. Once the rogue BTS was established, an IMSI-catching attack and the impersonation of a mobile subscriber to send malicious SMS messages were executed. Alongside OpenBTS, the standalone applications Asterisk and smqueue were used for correct routing of calls and messages. The attacks were run on the rogue BTS's own test network rather than by spoofing a live operator's network, so the security and privacy of existing GSM subscribers were not infringed.
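The IMSI-catching step rests on the one-way authentication described above: a mobile station answers a Mobility Management Identity Request from whichever cell it is camped on, and GSM gives it no way to check who is asking. The following is an added illustration, not code from the paper or from OpenBTS: it models only the Layer 3 MM payload of the Identity Request / Identity Response exchange (3GPP TS 24.008), encoding the IMSI in the Mobile Identity information element exactly as it appears on the air, and omits the RR and LAPDm layers entirely. The IMSI value, and the `MobileStation` and `RogueBts` class names, are constructed for the example.

```python
"""Simulated GSM Identity Request / Identity Response exchange (3GPP TS 24.008).

Added illustration of the gap an IMSI catcher exploits: the MS answers any
Identity Request because GSM never authenticates the network to the MS.
Only the Layer 3 MM payload is modelled; RR/LAPDm framing is omitted.
"""
from typing import List, Optional

PD_MM = 0x05                # protocol discriminator: mobility management
MT_IDENTITY_REQUEST = 0x18  # message types, TS 24.008 table 10.4
MT_IDENTITY_RESPONSE = 0x19
IDTYPE_IMSI = 0x1           # identity type / type-of-identity value for IMSI


def encode_mobile_identity(imsi: str) -> bytes:
    """Value part of the Mobile Identity IE (TS 24.008 10.5.1.4) for an IMSI.

    Octet 1: first digit in the high nibble, odd/even flag in bit 4,
    type of identity (001 = IMSI) in bits 1-3. Remaining digits are BCD,
    low nibble first; an unused trailing nibble is filled with 0xF.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 decimal digits")
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | IDTYPE_IMSI])
    rest = digits[1:] + ([] if odd else [0xF])
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_mobile_identity(value: bytes) -> str:
    """Inverse of encode_mobile_identity; rejects non-IMSI and malformed IEs."""
    if not value or value[0] & 0x7 != IDTYPE_IMSI:
        raise ValueError("not an IMSI Mobile Identity")
    odd = (value[0] >> 3) & 1
    digits = [value[0] >> 4]
    for b in value[1:]:
        digits.extend((b & 0xF, b >> 4))
    if not odd:
        if digits.pop() != 0xF:
            raise ValueError("even-length IMSI without 0xF filler")
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in IMSI")
    return "".join(str(d) for d in digits)


def build_identity_request(id_type: int = IDTYPE_IMSI) -> bytes:
    # PD octet, message type, Identity type IE (half octet, low nibble)
    return bytes([PD_MM, MT_IDENTITY_REQUEST, id_type & 0x7])


def build_identity_response(imsi: str) -> bytes:
    mi = encode_mobile_identity(imsi)  # Mobile Identity IE is LV: length + value
    return bytes([PD_MM, MT_IDENTITY_RESPONSE, len(mi)]) + mi


def parse_identity_response(msg: bytes) -> str:
    if len(msg) < 4 or msg[0] & 0x0F != PD_MM or msg[1] != MT_IDENTITY_RESPONSE:
        raise ValueError("not an MM Identity Response")
    length = msg[2]
    value = msg[3:3 + length]
    if len(value) != length:
        raise ValueError("truncated Mobile Identity IE")
    return decode_mobile_identity(value)


class MobileStation:
    """Minimal MS (hypothetical): answers an Identity Request for IMSI from
    any cell. There is no network-authentication step to gate this reply."""

    def __init__(self, imsi: str) -> None:
        self.imsi = imsi

    def handle(self, msg: bytes) -> Optional[bytes]:
        if len(msg) < 3 or msg[0] & 0x0F != PD_MM:
            return None
        if msg[1] == MT_IDENTITY_REQUEST and (msg[2] & 0x7) == IDTYPE_IMSI:
            return build_identity_response(self.imsi)
        return None


class RogueBts:
    """Rogue BTS (hypothetical): sends Identity Request, harvests the IMSI."""

    def __init__(self) -> None:
        self.caught: List[str] = []

    def catch(self, ms: MobileStation) -> str:
        reply = ms.handle(build_identity_request())
        if reply is None:
            raise RuntimeError("MS did not answer the Identity Request")
        imsi = parse_identity_response(reply)
        self.caught.append(imsi)
        return imsi


if __name__ == "__main__":
    victim = MobileStation("001010123456789")  # constructed test-PLMN IMSI
    print("caught IMSI:", RogueBts().catch(victim))
```

The 15-digit IMSI `001010123456789` encodes to `09 10 10 10 32 54 76 98`, the byte sequence a Wireshark GSM A-I/F dissector shows for the same value, so the encoder can be checked against a real capture. The point the exchange makes is that nothing in `MobileStation.handle` can be tightened without a protocol change: the MS has no network credential to verify, so the fix the paper's title points at lies in the architecture (mutual authentication as introduced in UMTS), not in the handset.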
