GPRS sniffing using ten pound mobile phone and linux laptop
On day one of the recent 2011 Chaos Communication Camp – an annual summer computer security conference this year held in Germany – Karsten Nohl & Luca Melette demonstrated how to sniff unencrypted GPRS from the air using a £10 Motorola C123 mobile phone & a laptop running Linux.
Actually you need four £10 phones and serial-to-USB leads; the phones can be Motorola C115, C118, C123, C139, C140 or V171 models, or the Sony Ericsson J100i. Two of the phones need their internal filters replaced before you can sniff the uplink from more than about 20 metres away; with the filters replaced you can sniff the uplink from up to 200 metres, probably with external antennas. You need FTDI versions of the cables to be able to grab four timeslots from each of the four phones simultaneously. As you can tell, this is nowhere near the script kiddie level just yet. But just twelve months ago, sniffing any GSM traffic without a £1000 USRP device wasn’t really possible.
The PDF slides from the talk are here.
The technique builds on work from the Osmocom-bb project – which uses the same £10 mobile phone to implement a free software GSM stack, when the phone is attached to a laptop, using a cheap USB to RS232 cable.
Some countries’ networks use encryption on their GPRS links, but some countries’ networks choose not to, so they can monitor traffic like Skype. Even if you use a 3G iPhone, BlackBerry or Android phone, it will always step down to GPRS when the 3G signal isn’t available (it might be someone running a UMTS 3G signal jammer).
More information can be found at srlabs.de.