Build your own GSM BTS for unencrypted traffic with a Raspberry Pi (but please don't try this at home)
© Simone Margaritelli
- Hacker shows how easy it is to build a rogue GSM BTS
- For just $500 and coding knowledge, you could intercept network traffic
- What are the risks for IoT services using low-cost 2G networks?
- And please, don’t try this at home
Remember when we were told that digital cellular provided unbreakable digital encryption and that a key selling point back in the early days of GSM was the security of call traffic? Then along came a whole wave of press intrusion scandals involving phone hacking and we realised GSM wasn’t as secure as it was cracked up to be. Add to that the high-level eavesdropping activities of government security services and most recently the (apparently successful) attempts by the FBI to hack a terrorist suspect’s iPhone and our mild anxiety turns into full-blown panic.
Of course there are various ways to tap communications channels, some legally sanctioned and others not. But as we prepare for a whole new radio architecture with the forthcoming 5G systems and IMT-2020, it’s worth remembering that GSM is now a 30-year-old technology.
Indeed, ten years ago (although it seams like only yesterday) TelecomTV filmed the feature-length Mobile Planet documentary to celebrate 20 years since the signing of the GSM MoU. Time, I think, for a follow up series of web documentaries, if anyone is interested, especially with 5G gearing up. 5G will also provide the industry with an opportunity to rethink and rebuild mobile networks from the ground up, rather than evolving and iterating on the 30-year-old GSM standard.
And this change can’t come quickly enough, especially as we learn of an increasing number of people being able to subvert the existing technology and expose its weaknesses. Which brings us to the latest revelation – you, too, can build your own fully operational base station for a few hundred dollars, a little know-how, and probably a good degree of patience. You don’t really have to have much know-how either, as there are plenty of instructions out there on the web.
Build your own rogue BTS
The latest comes from a hacker called Simone Margaritelli, whose rationale is that he “breaks stuff to make the world a safer place” – so by publically pointing out security risks, companies can go fix them. As our hacker makes clear from the outset: “My point is that GSM is broken by design and it's about time vendors do something about it considering how much we're paying for their services.”
If his instructions are to believed (and several others have apparently followed them and achieved successful outcomes), then a base station will cost you just over $500 to make. Here’s what you need:
- A bladeRF software defined radio module from Nuand that can tune from 300MHz to 3.8GHz. Current price, $420
- Two quad-band cellular duck antennas that operate between 850MHz and 1.9GHz. Current price, $16 for the pair
- A Raspberry Pi 3. Current price, $32
- An Anker Astro E7 external battery power bank. Current price, $50
- An 8GB MicroSD card. Current price, $5
- Total outlay = $523
Of course, you can go out and buy a commercial picocell for your home or office for that price, I have one myself. But there’s a big difference with the DIY option – you get to set the rules yourself. You are not extending the reach of a network through authorised and registered usage; you are launching a rogue base station that will attract nearby smartphones like a magnet. Once these devices connect with your rogue unit, you have access to the data traffic. And this traffic will be unencrypted.
But wait a minute, doesn’t GSM use the A5/x encryption? Yes it does, but this is between base stations and mobile devices. The point here is that encryption is set at the base station level, so you merely configure your rogue base station to not encrypt traffic.
Obviously, we do not condone the use of home-made base stations operating on licensed spectrum by anyone other than the authorised licence holder; it’s very naughty and downright illegal for you to create your own GSM network without a multi-million dollar operating licence from the regulator. But you just know that a lot of smart kids are going to relish the challenge, not to mention an equal number of people who have criminal intent in mind.
And this raises another question: if legitimate users can roam onto your rogue base station without their knowledge, then how can you know that at some point you haven’t connected to another party’s rogue base station and had your traffic intercepted in the clear? You can’t.
The world is not fully covered by LTE, and 3G is far from ubiquitous; network coverage remains disjointed. We’re also seeing GSM get a new lease of life with IoT support – and hacking IoT data can be just as damaging and destructive as human-originated voice and data. GSM encryption was only designed to be strong enough for the envisaged life-cycle of ten years, yet the technology is still in use twenty years beyond that.
3G improved matters and tried to solve the threat of rogue base stations, and LTE built on that work. There’s a lot of interest currently in network security, and how 5G architectures need to incorporate security into the design process, rather than as an after-thought. The chances are not one of our readers will be interested in building their own rogue base station, but a great many will be concerned about how easy it is for others to do so. And with cellular operates promoting 2G use for IoT services, interest in hacking this 30-year-old technology is only going to increase. Time to properly address the issue.