GSM interception
*GSM 900* Interception
The *GM* product is designed to receive and process GSM-900 and GSM-1800 signals,
both without and with cryptographic protection (A5/1 and A5/2 algorithms).
"GM" allows you to:
- monitor the forward control or voice channel (base station emissions)
- monitor the reverse control or voice channel (handset emissions)
- scan all channels and find the active ones at a given location
- scan channels selectively and set the rescan interval
- organize end-to-end (unselective) listening
- organize selective listening by known TMSI, IMSI, IMEI, caller ID number or Ki
- automatically record conversations to the hard drive
- monitor a conversation without recording it
- search for an active subscriber (on unencrypted channels)
- record the number dialed by the cellular subscriber
- record the calling party's number for calls to the cellular device (if the caller ID service is active)
- display all registrations in the channel
The product contains two receiving channels, forward and reverse.
Without cryptographic protection, *GM* can operate in two modes:
- search for an active mobile subscriber;
- monitoring of the base station control channel (forward and reverse).
With cryptographic protection, only the second mode (control channel monitoring) is available.
When monitoring the base station control channel, *GM* determines the following
parameters for each connection:
- IMSI or TMSI (depending on the operating mode of the monitored network; these are transmitted by the base station);
- IMEI (if it is requested by the base station and the mobile subscriber is within energetic reach, since in this case the handset's emission is detected);
- dialed number (for a connection initiated by the mobile subscriber who is within energetic reach, since in this case the handset's emission is captured);
- caller ID number (when transmitted by the base station).
In the active subscriber search mode, whichever connection comes next is monitored. In this mode *GM* continuously scans the entire band and, when an active subscriber is detected, switches to monitoring mode (naturally, only if the subscriber is talking at that moment, because the handset turns on its transmitter only for the duration of the call). If the conversation is of no interest, the operator can reset monitoring mode and *GM* returns to scanning until it finds another active subscriber. The active subscriber search mode is best used during surveillance of a target. In this operating mode *GM* does not determine subscriber identifiers!
When monitoring the base station control channel, two modes of operation are possible:
- end-to-end mode;
- selection mode based on identifiers.
In end-to-end mode, the first conversation in the monitored cell is taken under control and all registrations are displayed. If the conversation is not of interest, monitoring can be stopped by pressing the "Break" button.
In selection mode, only connections with a specified TMSI, IMSI, IMEI, caller ID number or dialed number are monitored. The selection list holds up to 200 identifiers. When monitoring an encrypted channel, selection is performed by the known Ki, which identifies the subscriber uniquely without specifying TMSI, IMSI or IMEI. In this case the selection list holds up to 40 subscribers.
*GM* is built as a single unit measuring 450x250x50 mm. *GM* is controlled from an external PC (a laptop can be connected) via the RS-232 serial port.
The delivery set includes a device with software for reading the Ki parameter from a SIM card; reading takes up to 10 hours.
*GM* is powered from 220 V AC mains or from 12 V DC, for example from a car's on-board electrical system.
On request, channels for the 1800 MHz and 450 MHz bands can be produced.

Abbreviations and designations
TMSI – temporary mobile subscriber identity (number)
IMSI – international mobile subscriber identity number
IMEI – international mobile station equipment identity number
Ki – individual subscriber authentication key
1. The complex is designed to receive signals of the TTT system.
2. The complex has two receiving and processing channels, one in the upper and one in the lower part of the band.
3. The complex can be tuned to any of the 124 possible control channels.
4. When the complex operates, two modes are possible:
- without selection;
- with selection.
The selection table can hold up to 40 identifiers.
An identifier consists of an IMSI and an IMEI (it is possible to specify only the IMSI or only the IMEI).
The complex performs selection by IMSI, IMEI and TMSI. After the complex is switched on, selection by TMSI is provided only after a command with the specified IMEI or IMSI has been received.
Attention! IMEI is the identification number of the handset (assigned by its manufacturer). IMSI is the international subscriber identification number (recorded in the SIM card). In general there is no direct correspondence to the subscriber's city telephone number; the correspondence table is set by the operator (the company issuing the handsets).
5. Identification of the outgoing (dialed) number is provided.
6. Handover mode is supported.
7. Processing in accordance with the A5 algorithms is not provided.
8. The complex is controlled by a Windows program via a serial port.
9. Recording can be made both on a tape recorder and on a Sound Blaster card.
10. When power is turned on, the complex enters active subscriber search mode. When a subscriber is found, the complex switches to receive mode. Subscriber reset is provided. In this mode no computer control is required, and subscriber identifiers are not determined.
After the control program is launched, the complex switches to monitoring the specified control channel (items 3 ... 5 are implemented).

BRIEF DESCRIPTION OF THE SYSTEM.
Widespread use of the system began in 1993 with the founding of the MTS company and the granting of permission to use the 890 - 915 MHz and 935 - 960 MHz bands, minus the 10 MHz reserved for radar operation.
According to open press data, there are currently 180 to 220 thousand users in Russia. In economic terms the system is quite expensive, and its users, as a rule, belong to the stratum of society known as the middle class (at least).
This fact created the prerequisites and the need to develop means of monitoring the information circulating in the network.
This standard is widely used in areas with high population density.
The system is currently deployed and in operation in the following cities:
- MOSCOW;
- SAINT PETERSBURG;
- SAMARA;
- TOLYATTI;
- ROSTOV-ON-DON;
- KALUGA;
- SEVERODVINSK;
- MURMANSK;
- SMOLENSK;
- TULA;
- PSKOV;
- RYAZAN;
- VLADIMIR;
- ARKHANGELSK;
- PETROZAVODSK;
- KYIV;
- DNEPROPETROVSK;
- DONETSK;
- ODESSA.
The introduction of the system is also being completed in some other cities, for example YAROSLAVL.
The standard provides automatic roaming with approximately 58 countries around the world.

The advantages of the system include the digital method of data transfer, the large number of simultaneously served subscribers, the difficulty of creating duplicates (cloning SIM cards), convenience of use for the subscriber, the ability to identify stolen devices when legitimate SIM cards are used in them, etc.
The above factors determined the feasibility of creating monitoring tools.
BASIC ALGORITHMS FOR THE COMPLEX OPERATION.
Radio traffic processing algorithms provide the most complete and high-quality access to the information circulating on the network, and also allow the capabilities of the complex to be expanded when new standards appear, without changing the core software, by adding additional modules. These include, for example, the planned appearance of a vocoder with improved speech quality, data transmission and fax transmission. During trial operation of the complex, modes can be modified for specific user tasks.
The complex is used in stationary and mobile versions.
OPERATING MODES.
(basic delivery set)
The scanning mode determines the visible base station frequencies at the location as well as the basic network parameters. During operation, the time allotted to analysing a particular frequency is chosen and the operating mode of the control channels is analysed. This mode allows the receiving path to be configured optimally. The selected configuration can be quickly loaded or saved.
Manual scanning mode No. 1 provides automatic detection of the loaded channels on the visible frequencies with an activity indication, and allows the operator to select active speech slots. If a subscriber is in the radio visibility zone, duplex reception is provided.
Manual scanning mode No. 2 provides automatic tuning over the visible frequencies, stopping on active frequency slots and forming up to four duplexes in automatic mode. When the active channel is released, autoscanning continues; it can also be continued on operator command. This mode allows conversations on the maximum possible number of channels to be recorded automatically, with or without an operator present. It is mainly used at low traffic activity, for example at night when there is no operator, or when there are few visible frequencies. Duplex reception is provided if a subscriber is in the radio visibility zone.
The temporary-number mode allows, on selected control channels (no more than six), automatic tuning to subscribers' temporary numbers with statistics; when a subscriber of interest is selected on the basis of received information, or when re-registration on the network occurs while working in the mobile version, the subscriber is entered into the database and continuously tracked with continuous monitoring. The probability of constant monitoring depends on the number of cross frequencies (with 10-12 the probability is 80%) and on the speed of movement (up to 80 km/h according to the standard of the signal used).
Additional delivery set.
Energy determination mode No. 1 provides determination of energetically available subscribers, determination of active frequencies and delivery of the result to the operator; on the operator's command, a channel is set up for reception with simultaneous duplex reception. Number of reception channels: up to four duplexes.
Energy determination mode No. 2 provides determination of energetically available subscribers within the operating range of portable devices. It allows automatic scanning of the band with determination of active frequencies and automatic tuning to active slots with recording of conversations. At the end of a session, automatic monitoring continues.
The extended version is supplied with a module that, when a handset is in the radio visibility zone, determines and identifies the number of the fixed or mobile subscriber being called in the direction of the base station, and also identifies the subscriber when the IMEI number is transmitted.
Regions in Russia where MTS subscribers can use communication services:
(data as of April 6)
1. MTS
Moscow, Moscow region, Tver, Tver region, Syktyvkar, Ukhta, Kostroma, Komi Republic.
2. Russian Telephone Company (RTK), connected to the MTS switch
Vladimir, Vladimir region, Kaluga, Kaluga region, Pskov, Ryazan, Ryazan region, Smolensk, Smolensk region, Tula, Tula region.
3. Recom
Orel, Lipetsk.
4. Tambov Telecommunications
Tambov, Michurinsk.
5. National roaming
| City | Operator (network code) | Service area |
|---|---|---|
| 1. St. Petersburg | North-West GSM (250 02) | Arkhangelsk, Vologda, Leningrad region, Murmansk, Veliky Novgorod, Petrozavodsk, Severodvinsk, Cherepovets |
| 2. Samara | SMARTS (250 07) | Astrakhan, Tolyatti, Ufa |
| 3. Rostov-on-Don | Dontelecom (250 10) | Azov, Taganrog |
| 4. Krasnodar | Kuban GSM (250 13) | Adler, Anapa, Gelendzhik, Goryachy Klyuch, Dagomys, Yeisk, Lazarevskaya, Matsesta, Krasnaya Polyana, Dinskaya, Novorossiysk, Tuapse, Sochi, Timashevsk, Temryuk, Krymsk, Khosta |
| 5. Ekaterinburg | Uraltel (250 39) | |
| 6. Nizhny Novgorod | NSS (250 03) (!!! international access is required for outgoing calls) | |
| 7. Stavropol | StavTeleSot (250 44) | Essentuki, Nevinnomyssk, Kislovodsk, Pyatigorsk, Mineralnye Vody |
| 8. Novosibirsk | SSS 900 (250 05) | |
| 9. Omsk | Mobile Communication Systems (250 05) | |
| 10. Surgut | Ermak RMS (250 17) | Langepas, Nizhnevartovsk, Megion, Khanty-Mansiysk, Nefteyugansk |
| 11. Khabarovsk | Far Eastern Cellular Systems-900 (250 12) | |
| 12. Kaliningrad | EXTEL (250 28) | |
International roaming
| Country | Operators |
|---|---|
| 1. Austria | 1. MobilKom; 2. max.mobil. Telecoms Service; 3. CONNECT |
| 2. Australia | 4. Telstra |
| 3. Azerbaijan (CIS) | 5. Azercell |
| 4. Andorra | 6. STA |
| 5. Bahrain | 7. Batelco |
| 6. Belgium | 8. Belgacom Mobile; 9. Mobistar S.A. |
| 7. Ivory Coast | 10. SIM |
| 8. Bulgaria | 11. MobilTel AD |
| 9. UK | 12. Vodafone Ltd.; 13. Cellnet; 14. Orange GSM-1800 |
| 10. Hungary | 15. Westel 900 GSM Mobile; 16. Pannon GSM |
| 11. Germany | 17. DeTeMobile (D-1); 18. Mannesmann Mobilfunk (D-2) |
| 12. Greece | 19. Panafon S.A.; 20. STET Hellas |
| 13. Georgia (CIS) | 21. Geocell; 22. Magticom Ltd |
| 14. Hong Kong | 23. Hong Kong Telecom CSL; 24. Hutchison Telephone Comp.; 25. SmarTone Mobile Communications |
| 15. Gibraltar | 26. Gibtel |
| 16. Denmark | 27. Sonofon; 28. TeleDanmark Mobil A/S |
| 17. Jersey | 29. Jersey Telecoms |
| 18. Italy | 30. TIM; 31. Omnitel Pronto Italia S.p.A. |
| 19. Iceland | 32. Landssiminn; 33. TAL |
| 20. Spain | 34. Airtel Movil, S.A.; 35. Telefonica Moviles |
| 21. Indonesia | 36. Satelindo; 37. PT Excelcomindo Pratama; 38. Telkomsel |
| 22. Ireland | 39. Eircell; 40. Esat Digifone |
| 23. Cyprus | 41. CYTA |
| 24. China | 42. China Telecom |
| 25. Latvia | 43. LMT; 44. Baltcom GSM |
| 26. Lithuania | 45. Bite GSM; 46. Omnitel |
| 27. Lebanon | 47. LibanCell; 48. FTML S.A.L. |
| 28. Luxembourg | 49. P&T Luxembourg; 50. Tango |
| 29. Isle of Man | 51. Manx Telecom Ltd. |
| 30. Macau | 52. CTM |
| 31. Macedonia | 53. GSM MobiMak |
| 32. Mauritius | 54. Cellplus |
| 33. Malaysia | 55. Celcom |
| 34. Malta | 56. Telecell Limited; 57. Vodafone Malta |
| 35. Moldova | 58. Voxtel |
| 36. Norway | 59. Telenor Mobil AS; 60. NetCom GSM as |
| 37. New Zealand | 61. BellSouth New Zealand |
| 38. Netherlands | 62. Libertel B.V.; 63. KPN Telecom; 64. Telfort |
| 39. UAE | 65. Etisalat |
| 40. Portugal | 66. Telecel; 67. TMN |
| 41. Poland | 68. Polska Telefonia Cyfrowa (ERA); 69. Polkomtel S.A.; 70. Centertel GSM-1800 |
| 42. Romania | 71. MobilFon SA; 72. MobilRom |
| 43. USA | 73. Omnipoint |
| 44. Singapore | 74. SingTel Mobile (GSM 900/1800); 75. MobileOne |
| 45. Slovakia | 76. Globtel; 77. EuroTel Bratislava |
| 46. Slovenia | 78. Mobitel |
| 47. Thailand | 79. Advanced Info Service (AIS) |
| 48. Taiwan | 80. Chunghwa Telecom LDM; 81. GSM PCC; 82. FarEasTone; 83. Mobitai Communications Corp. |
| 49. Türkiye | 84. Telsim; 85. Turkcell |
| 50. Uzbekistan | 86. Coscom |
| 51. Ukraine | 87. UMC; 88. Kyivstar; 89. URS |
| 52. Finland | 90. Oy Radiolinja Ab; 91. Sonera |
| 53. France | 92. SFR; 93. France Telecom |
| 54. Croatia | 94. HPT |
| 55. Czech Republic | 95. EuroTel Praha; 96. RadioMobil |
| 56. Sweden | 97. Europolitan AB; 98. Comviq GSM AB; 99. Telia Mobile AB |
| 57. Switzerland | 100. Swiss Telecom PTT |
| 58. Sri Lanka | 101. MTN |
| 59. Estonia | 102. EMT; 103. Radiolinja Estonia; 104. AS Ritabell |
| 60. Yugoslavia | 105. Mobtel *Srbija* BK-PTT; 106. ProMonte (Montenegro) |
| 61. South Africa | 107. MTN; 108. Vodacom (Pty) Ltd |

You can order it!
Draw conclusions.

Cloning SIM cards

One common problem is SIM card cloning. On the Internet one can often find advertisements for an easy way to clone a card, and there are many utilities for this, for example SIM Card Seizure. The usual goals of cloning are the ability to make free calls at someone else's expense and the ability to listen to the conversations of the cloned SIM card's owner. In the first case, the holder of the clone will have problems receiving incoming calls, but outgoing calls can be made freely. The main consumers are people who then offer passers-by at the metro a cheap call to any country in the world. As for listening in on the subscriber, the next section is devoted to that question.

The previous section described the SIM card authentication process (Fig. 120). The basic parameters in this process are IMSI and Ki. For a clone to authenticate to the AUC, it must know both. Finding out the IMSI is easy: it may be printed on the card itself or on its packaging, and it can be read from the SIM card with a smart card reader. With Ki, things are somewhat more complicated.

As you already know, Ki is stored in only two places: in the SIM card's memory and in the AUC's memory. Ki is never transmitted in the clear during authentication, so it cannot be intercepted there. Attackers have four options for obtaining Ki. The first is an insider at the operating company. This option is attractive because information about several cards can be obtained at once. Its disadvantages are that, because of the significance of Ki, access to the values is strictly limited, and if a massive leak is detected the insider will quickly be identified. In addition, the AUC often has no functionality for reading Ki, for the same security reasons. The second option is theft of Ki right after a batch of SIM cards is received from the manufacturer. The problems here are the same as in the previous case: the number of people with the necessary access can be counted on one hand.

The third option is to read Ki from the SIM card's memory. To begin with, physical access to the card is needed (removing it from the victim's phone under some pretext, knowing the PIN code). An important obstacle: the SIM card has no interface through which Ki can be read or changed directly.

And finally, the last option: compute Ki. The attacker must know the A3 algorithm used by the operator. In that case one can try to derive Ki by observing the results of the RAND to SRES transformation: RAND values are generated manually, the algorithm on the card is invoked and the RAND is passed to it. This process is automated by programs such as SimScan and WoronScan.

This is how the first SIM card clones were obtained. It became possible because the A3 algorithm, called COMP128, was leaked online. A vulnerability was discovered in the algorithm that made it possible to recover Ki in an acceptable number of attempts. After the vulnerability was discovered, most operators replaced it with something more robust. There are currently three versions of COMP128. The second and third versions are currently considered unbroken. And although there are programs on the net that claim to be able to crack these versions, in reality it always turns out that their purpose is to get the user to download a "Trojan".

If the attacker has no information about the implementation of A3, he can try to recover Ki by brute force. Another obstacle arises here: the number of attempts at recovering Ki is limited. SIM cards have a built-in A3 call counter, and if a certain threshold (65535) is exceeded, the card is blocked and stops responding to registration requests (although other functions, e.g. the phone book, still work). Under normal operating conditions, where A3 is called each time the SIM card registers on the network (when the phone is turned on), such a restriction does not bother the subscriber. But obtaining Ki may require more attempts.
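As an added illustration of the authentication exchange and the A3 call counter described above (this is not code from the page; the GSM algorithm is an HMAC-SHA256 stand-in rather than COMP128, and the IMSI and Ki values are constructed), the model below keeps Ki in exactly two places and shows why a Ki search through the card interface runs out of budget:

```python
"""Model of the SIM/AUC authentication exchange and the A3 call counter described above.
Added example, not code from the page: the algorithm is an HMAC-SHA256 stand-in, not COMP128."""
import hashlib
import hmac
import os

A3_CALL_LIMIT = 65535        # lockout threshold quoted in the text above
SRES_LEN, KC_LEN = 4, 8      # SRES is 32 bits, Kc is 64 bits


def gsm_algorithm(ki: bytes, rand: bytes) -> tuple:
    """A3/A8 stand-in deriving (SRES, Kc) from Ki and RAND. Real cards run COMP128 or a
    proprietary replacement; a keyed hash is used here only so the example runs offline."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are both 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class SimCard:
    """Card side. Ki never leaves the object: the only interface is RUN GSM ALGORITHM,
    which answers with SRES and Kc, and a counter blocks the card after A3_CALL_LIMIT calls."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.a3_calls = 0
        self.blocked = False

    def run_gsm_algorithm(self, rand: bytes):
        # At the threshold the card stops answering authentication requests
        # (the text notes other functions such as the phone book keep working).
        if self.blocked or self.a3_calls >= A3_CALL_LIMIT:
            self.blocked = True
            return None
        self.a3_calls += 1
        return gsm_algorithm(self._ki, rand)


class AuthenticationCentre:
    """Network side: the only other holder of Ki. It issues (RAND, XRES, Kc) triplets,
    so the MSC/VLR that runs the challenge never handles Ki itself."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def make_triplet(self, imsi: str) -> tuple:
        rand = os.urandom(16)
        xres, kc = gsm_algorithm(self._ki_by_imsi[imsi], rand)
        return rand, xres, kc


def authenticate(auc: AuthenticationCentre, sim: SimCard) -> bool:
    """One registration: RAND goes to the card, SRES comes back and is compared with XRES.
    Only RAND and SRES cross the air interface, which is why Ki cannot be sniffed."""
    rand, xres, _kc = auc.make_triplet(sim.imsi)
    answer = sim.run_gsm_algorithm(rand)
    if answer is None:
        return False                 # a blocked card cannot register
    sres, _kc_card = answer
    return hmac.compare_digest(sres, xres)


def calls_until_lockout(sim: SimCard) -> int:
    """Drive the counter to the limit and report how many invocations the card still answered:
    this is the whole budget a Ki search through the card interface would have to fit into."""
    answered = 0
    while sim.run_gsm_algorithm(bytes(16)) is not None:
        answered += 1
    return answered


def demo() -> dict:
    """Genuine card registers, a clone with the right IMSI but wrong Ki fails,
    and the genuine card stops registering once its counter is exhausted."""
    imsi, ki = "250011234567890", bytes(range(16))   # constructed sample values
    auc = AuthenticationCentre()
    auc.provision(imsi, ki)
    sim, clone = SimCard(imsi, ki), SimCard(imsi, bytes(16))
    genuine_ok = authenticate(auc, sim)              # uses A3 call 1
    clone_ok = authenticate(auc, clone)
    answered = 1 + calls_until_lockout(sim)          # 65534 more answers, then blocked
    return {"genuine_ok": genuine_ok, "clone_ok": clone_ok,
            "answered_before_lockout": answered, "genuine_after_lockout": authenticate(auc, sim)}
```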

If the attacker has managed to recover Ki, he gains the ability to make calls at someone else's expense. But there are several limiting factors. Firstly, because the money on the account will start disappearing faster than usual, it is very likely that the owner of the SIM card will notice. A detailed printout will immediately reveal the "extra" calls. This also applies to "unlimited" tariffs, because they too have restrictions, in particular on calls abroad. Therefore attackers try to talk away the entire available balance and get rid of the clone. Secondly, if both cards are registered on the network, incoming calls will go to the card that was last authenticated or that made the last outgoing call. Accordingly, the legitimate user may notice that he no longer receives expected calls. To avoid detection, attackers are generally advised not to answer the phone; otherwise the user's correspondents will immediately notice the fraud. Thirdly, the operator can detect SIM cards that register on the network in geographically dispersed locations within a short time. If card cloning is suspected, the operator blocks the card and issues the subscriber a new one.
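Operator-side detection of the third limiting factor above, as an added example (not from the page): it parses constructed location-update log lines (the log format, field names and the 900 km/h and 50 km thresholds are assumptions) and flags IMSIs whose consecutive registrations imply impossible travel.

```python
"""Operator-side impossible-travel check over location-update logs (added example;
log format, field names and thresholds are assumptions, sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

# Constructed sample: IMSI ...890 registers in Moscow and St Petersburg 40 minutes apart,
# IMSI ...210 travels Moscow -> Tula in 3 hours, IMSI ...555 only moves between Moscow cells.
SAMPLE_LOG = """\
2024-05-01T09:00:00 LU imsi=250011234567890 lac=7701 site=Moscow lat=55.75 lon=37.62
2024-05-01T09:05:00 LU imsi=250019876543210 lac=7701 site=Moscow lat=55.75 lon=37.62
2024-05-01T09:40:00 LU imsi=250011234567890 lac=8121 site=StPetersburg lat=59.94 lon=30.31
2024-05-01T12:05:00 LU imsi=250019876543210 lac=4871 site=Tula lat=54.19 lon=37.62
2024-05-01T12:30:00 LU imsi=250011234567890 lac=7702 site=Moscow lat=55.76 lon=37.60
2024-05-01T13:00:00 LU imsi=250015555555555 lac=7701 site=Moscow lat=55.75 lon=37.62
2024-05-01T13:20:00 LU imsi=250015555555555 lac=7702 site=Moscow lat=55.76 lon=37.60
some other log line that is not a location update
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LU imsi=(?P<imsi>\d+) lac=(?P<lac>\d+) site=(?P<site>\S+) "
    r"lat=(?P<lat>-?[\d.]+) lon=(?P<lon>-?[\d.]+)$")


class Registration(NamedTuple):
    imsi: str
    time: datetime
    lac: str
    site: str
    lat: float
    lon: float


class Alert(NamedTuple):
    imsi: str
    from_site: str
    to_site: str
    distance_km: float
    minutes: float
    speed_kmh: float


def parse_log(text: str) -> list:
    regs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a location update: ignore
        regs.append(Registration(m["imsi"], datetime.fromisoformat(m["ts"]), m["lac"],
                                 m["site"], float(m["lat"]), float(m["lon"])))
    return regs


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two cell sites (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_clone_candidates(regs, max_speed_kmh: float = 900.0, min_distance_km: float = 50.0) -> list:
    """Flag IMSIs whose consecutive registrations would need faster-than-airliner travel.
    min_distance_km keeps ordinary movement between nearby cells from raising alerts;
    a zero time gap between distant sites counts as infinite speed."""
    by_imsi = defaultdict(list)
    for r in regs:
        by_imsi[r.imsi].append(r)
    alerts = []
    for imsi, hist in by_imsi.items():
        hist.sort(key=lambda r: r.time)
        for prev, cur in zip(hist, hist[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            minutes = (cur.time - prev.time).total_seconds() / 60
            speed = dist / (minutes / 60) if minutes > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append(Alert(imsi, prev.site, cur.site, round(dist, 1), minutes, round(speed, 1)))
    return alerts
```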

To summarize, cloning SIM cards is possible, but quite difficult. If the operator has modernized its implementation of A3 in time, and its employees are loyal and incorruptible, subscribers need not fear the appearance of clones of their SIM cards. In addition, the relevance of such fraud is decreasing, because the demand for cheap calls abroad is met by the possibility of calling via Skype, as well as by offers from legitimate operators.

Interception of conversations in the GSM network

Let's move on to GSM hacking. Articles about vulnerabilities in A5/1 appeared about 15 years ago, but there has still been no public demonstration of breaking A5/1 in real-world conditions. Moreover, as can be seen from the description of the network's operation, besides breaking the encryption algorithm itself a number of purely engineering problems must be solved, which are usually omitted from consideration (including at public demonstrations).

Most articles on GSM hacking rely on a 2006 paper by Eli Barkan and the research of Karsten Nohl.

In their paper, Barkan et al. showed that because in GSM error-correction coding is applied before encryption (whereas it should be the other way round), a certain reduction of the search space for Kc is possible, and a known-ciphertext attack (with completely passive listening to the air) can be carried out in acceptable time using precomputed data.

The authors of the paper themselves say that, for reception without interference, breaking the key within 2 minutes requires 50 terabytes of precomputed data. The same paper (in the section on A5/2) notes that the signal from the air always comes with interference, which complicates key recovery. For A5/2 a modified algorithm is presented that can take interference into account, but it requires twice as much precomputed data and accordingly the breaking time doubles. For A5/1 the possibility of constructing a similar algorithm is indicated, but the algorithm itself is not given. It can be assumed that here too the amount of precomputed data must be doubled.

The process of recovering the A5/1 key is probabilistic and depends on time, i.e. the longer the listening goes on, the more likely it is that Kc will be recovered. Thus the 2 minutes stated in the paper is an approximate, not a guaranteed, time for recovering Kc.

Karsten Nohl is developing the best-known project for breaking GSM networks. His firm, which deals with computer security problems, intended to make publicly available by the end of 2009 rainbow tables of session keys for the A5/1 algorithm, which is used to encrypt speech in GSM networks.

Karsten Nohl explains his campaign against A5/1 by the desire to draw public attention to the existing problem and force telecom operators to switch to more advanced technologies. For example, UMTS technology involves the use of the 128-bit A5/3 algorithm, whose strength is such that it cannot be broken by any means available today.

According to Karsten's calculations, the complete A5/1 key table in packed form will occupy 128 petabytes and will be stored in a distributed way on many computers in the network. Computing it will take about 80 computers and 2-3 months of work. The use of modern CUDA graphics cards and Xilinx Virtex programmable arrays should significantly reduce the computation time. In particular, his talk at 26C3 (Chaos Communication Congress) in December 2009 caused a lot of noise. The essence of the talk can be summarized as follows: we can soon expect the appearance of budget systems for online decoding of A5/1.

Let's move on to the engineering problems. How to get data from the air? To intercept conversations, you need a full-fledged scanner that can work out which base stations are transmitting around it, on what frequencies, which operators they belong to, and which phones with which TMSIs are currently active. The scanner must be able to follow the conversation of the specified phone and correctly handle transitions to other frequencies and base stations.

There are offers on the Internet to buy such a scanner, without a decoder, for 40-50 thousand dollars. This cannot be called a budget device.

Thus, to create a device that after simple manipulations could begin listening to a telephone conversation, it is necessary to:

a) implement the part that works with the air. In particular, it allows one to determine which TMSI corresponds to the phone of interest or, using active attacks, to force phones to "reveal" their real IMSI and MSISDN;

b) implement a Kc recovery algorithm for A5/1 that works well on real data (with noise/errors, gaps, etc.);

d) combine all these points into a complete working solution.

Karsten and the other researchers mainly solve point "c". In particular, he and his colleagues suggest using OpenBTS, airdump and Wireshark to create an IMSI catcher. More about this device and the interception of calls with its help is written below in the section "Man-in-the-middle attack in GSM". For now, we can say that this device emulates a base station and is inserted between the MS and the real base station.

The presenters claim that a SIM card can easily prevent a phone from showing that it is operating in A5/0 mode (i.e. with no encryption at all), and that most SIM cards in circulation are like this. This is indeed possible. GSM 02.07 states (Normative Annex B.1.26) that the SIM card contains a special OFM bit in the Administrative field which, when set to one, disables the connection encryption indication (the padlock icon). In GSM 11.11 the access rights for this field are as follows: read is always allowed, and write is described as "ADM". The specific set of rights governing writes to this field is set by the operator when the SIM cards are created. Thus, the presenters hope that most cards are issued with the bit set and their phones really do not indicate the lack of encryption. This really makes the work of an IMSI catcher much easier, because the owner of the phone cannot detect the lack of encryption and become suspicious.

An interesting detail. The researchers found that phone firmware is tested for compliance with the GSM specifications but not for handling abnormal situations; therefore, when a base station misbehaves (for example the "dummy" OpenBTS used for interception), phones often freeze.

The greatest resonance was caused by the statement that for just $1,500 one can assemble a ready-made kit for listening to conversations using USRP, OpenBTS, Asterisk and airprobe. This information was widely circulated on the Internet; the authors of these news items and the articles derived from them merely forgot to mention that the speakers themselves gave no details and no demonstration took place.

In December 2010, Karsten and Munaut again gave a talk at the 27C3 conference on intercepting conversations in GSM networks. This time they presented a more complete scenario, but it contains many "greenhouse" conditions.

To determine the location, they use Internet services that make it possible to send "send routing info" requests into the SS7 network. SS7 is a network/protocol stack used by telephone operators (GSM and landline) to communicate with each other, and by GSM network components to communicate among themselves.

Next, the authors refer to the implementation of mobile communications in Germany. There, the RAND obtained as a result of the query correlates well with the region code (area code/postcode). Therefore, such requests there make it possible to determine, down to the city or even part of the city, where the subscriber is located in Germany. But the operator is not obliged to do this.

Now the researchers know the city. They then take a sniffer, go to the city found and begin visiting all its LACs. Having arrived in the territory belonging to some LAC, they send the victim an SMS and listen for whether the victim's phone is being paged (this happens over an unencrypted channel, on all base stations of the area at once). If there is paging, they obtain the TMSI that was issued to the subscriber. If not, they go on to check the next LAC.

It should be noted that since the IMSI is not transmitted during paging (and the researchers do not know it anyway), but only the TMSI is (which is what they want to learn), a "timing attack" is performed: they send several SMS with pauses between them and watch which TMSIs are being paged, repeating the procedure until only one (or none) remains in the list of "suspect" TMSIs.

To prevent the victim from noticing such probing, an SMS is sent that will not be shown to the subscriber: either a specially crafted flash SMS, or a malformed (broken) SMS which the phone processes and deletes without showing anything to the user.
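A receive-side classifier for the kinds of SMS described above, added here as an example (not from the page): it parses SMS-DELIVER PDUs per 3GPP TS 23.040 and flags Type 0 (TP-PID 0x40), class 0 and truncated messages, which is the check a phone-side monitoring app would run on every delivered message; the sample PDUs, addresses and timestamp are constructed.

```python
"""Receive-side SMS-DELIVER parser that flags messages a handset may handle without
showing them (added example; PDU layout per 3GPP TS 23.040, samples constructed)."""
from typing import NamedTuple

TYPE0_PID = 0x40   # TP-PID "Short Message Type 0": the ME acknowledges, then discards it


class SmsDeliver(NamedTuple):
    smsc: str
    originator: str
    pid: int
    dcs: int
    timestamp: str
    text: str
    message_class: int   # 0..3, or -1 when the DCS carries no class
    flags: tuple


def _swap_nibbles(data: bytes) -> str:
    """BCD digits are stored low nibble first: bytes 21 43 -> '1234'."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)


def _address(data: bytes, ndigits: int) -> str:
    """Type-of-address octet followed by swapped BCD digits; 0x91 = international."""
    toa = data[0]
    digits = _swap_nibbles(data[1:])[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def _unpack_7bit(data: bytes, septets: int) -> str:
    # Septet i occupies bits 7i..7i+6 of the little-endian packed user data.
    # Septets are mapped straight to ASCII, which is valid only for basic Latin text.
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def _message_class(dcs: int) -> int:
    if (dcs & 0xF0) == 0xF0:                      # "data coding/message class" group
        return dcs & 0x03
    if (dcs & 0xC0) == 0x00 and dcs & 0x10:       # general group with the class bit set
        return dcs & 0x03
    return -1


def _is_7bit(dcs: int) -> bool:
    if (dcs & 0xF0) == 0xF0:
        return not (dcs & 0x04)
    return (dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x00


def parse_sms_deliver(pdu_hex: str) -> SmsDeliver:
    pdu = bytes.fromhex(pdu_hex)
    smsc_len = pdu[0]
    smsc = _address(pdu[1:1 + smsc_len], (smsc_len - 1) * 2) if smsc_len else ""
    pos = 1 + smsc_len
    if pdu[pos] & 0x03 != 0x00:                   # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = pdu[pos + 1]
    oa_len = 1 + (oa_digits + 1) // 2
    originator = _address(pdu[pos + 2:pos + 2 + oa_len], oa_digits)
    pos += 2 + oa_len
    pid, dcs = pdu[pos], pdu[pos + 1]
    s = _swap_nibbles(pdu[pos + 2:pos + 9])       # TP-SCTS: yy mm dd hh mm ss tz
    timestamp = f"20{s[0:2]}-{s[2:4]}-{s[4:6]} {s[6:8]}:{s[8:10]}:{s[10:12]}"
    udl = pdu[pos + 9]
    ud = pdu[pos + 10:]
    if _is_7bit(dcs):
        expected = (udl * 7 + 7) // 8
        text = _unpack_7bit(ud, min(udl, len(ud) * 8 // 7))
    else:
        expected = udl
        text = ud.hex()
    cls = _message_class(dcs)
    flags = []
    if pid == TYPE0_PID:
        flags.append("type0")        # "silent" SMS: acknowledged but never displayed
    if cls == 0:
        flags.append("class0")       # flash SMS: handled immediately, not stored
    if len(ud) < expected:
        flags.append("truncated")    # declared length exceeds the bytes present
    return SmsDeliver(smsc, originator, pid, dcs, timestamp, text, cls, tuple(flags))


# Constructed samples: SMSC +1234567890, originator +0987654321, "hello" in GSM 7-bit.
_HEAD = "06912143658709" "04" "0A919078563412"
_SCTS = "42501090000040"                          # 2024-05-01 09:00:00 (+1 h)
SAMPLE_PDUS = {
    "normal":    _HEAD + "00" + "00" + _SCTS + "05" + "E8329BFD06",
    "type0":     _HEAD + "40" + "00" + _SCTS + "05" + "E8329BFD06",  # TP-PID 0x40
    "flash":     _HEAD + "00" + "10" + _SCTS + "05" + "E8329BFD06",  # DCS: 7-bit, class 0
    "truncated": _HEAD + "00" + "00" + _SCTS + "0A" + "E8329BFD06",  # UDL 10, only 5 bytes
}


def classify_all(pdus=None) -> dict:
    """Map each sample name to the flags a monitoring app would raise for it."""
    return {name: parse_sms_deliver(hex_).flags for name, hex_ in (pdus or SAMPLE_PDUS).items()}
```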

Having identified the LAC, they begin visiting all cells of that LAC, sending SMS and listening for paging responses. If there is a response, the victim is in this cell, and one can start recovering her session key (Kc) and listening to her conversations.

Before this, the air needs to be recorded. Here the researchers suggest the following:

1) there are custom-made FPGA boards capable of simultaneously recording either all uplink channels (from the subscriber's phone or modem to the operator's base station) or all downlink channels (from the base station to the subscriber) of the GSM band (890-915 and 935-960 MHz respectively). As already noted, such equipment costs $40-50 thousand, so its availability to an ordinary security researcher is questionable;

2) you can take less powerful and cheaper equipment and listen to part of the frequencies on each unit. This option costs approximately 3.5 thousand euros with a USRP2-based solution;

3) you can first break the session key and then decode the traffic "on the fly" and follow the frequency hopping using four phones that run the alternative OsmocomBB firmware instead of the stock firmware. Phone roles: the 1st phone is used for paging and monitoring the responses, the 2nd phone is allocated to the subscriber's conversation. Each phone must record both reception and transmission. This is a very important point. Until then OsmocomBB did not actually work, and within a year (from 26C3 to 27C3) OsmocomBB was brought to a usable state, i.e. until the end of 2010 there was no practical working solution.

Breaking the session key. Being in the same cell as the victim, they send her an SMS, record the victim's exchange with the base station, and crack the key, exploiting the fact that during session setup many half-empty packets, or packets with predictable content, are ex
changed. Rainbow tables are used to speed up the cracking. At the time of 26C3 these tables were not yet well filled, and cracking took not minutes or even tens of minutes (the authors mention an hour). That is, before 27C3 even Karsten (the main researcher in this area) did not have a solution that could crack Kc in acceptable time (during which the session key would most likely not be changed (rekeying)).

The researchers then take advantage of the fact that rekeying is rarely done after every call or SMS, so the session key they have learned will not change for some time. Now, knowing the key, they can decode encrypted traffic to/from the victim in real time and follow the frequency hopping along with the victim. To capture the air in this case, four re-flashed phones are in fact enough, since it is not necessary to record all frequencies and all timeslots. The researchers demonstrated this technology in action. True, the "victim" sat still and was served by a single cell.

Interim summary. The question of whether GSM conversations can be intercepted and decrypted on the fly can be answered in the affirmative. In doing so, you need to remember the following:

1) The technology described above does not exist in a form accessible to just anyone (including script kiddies). This is not even a construction kit, but a blank for construction-kit parts that still need to be brought to a usable state. The researchers repeatedly note that they have no firm plans to make the implementation specifics publicly available. This means that manufacturers in the Middle East are not mass-producing $100 devices based on these developments with which anyone can listen in.

2) OsmocomBB supports only one chip family (albeit the most common one).

3) The method of determining location by queries to HLR and enumerating LAC works more in theory than in practice. In practice, the attacker either knows where the victim is physically located, or cannot get into the same cell as the victim. If the attacker cannot listen to the same cell in which the victim is located, then the method does not work.

Unlike the demonstration, in reality there are thousands of paging messages in an LA under average load. Moreover, paging is not performed at the moment of sending, but in certain time windows and in batches (by paging groups with their own queues, whose number is the remainder of dividing the IMSI by the number of channels, which can differ from cell to cell), which again complicates the implementation.

4) Let's say the LA is found. Now you need to pick up the subscriber's response. The phone's transmitter has a power of 1–2 watts. Accordingly, picking it up from a distance of several tens of meters is also a task (not an easy one). It turns out to be a paradox: the LA covers, for example, an entire region (city). It has, say, 50 cells, some of which have a range of up to 30 km. We are trying to catch and decipher the emission using an omnidirectional antenna. To carry out this task in this form, a lot of equipment is required. If we proceed from the premise that the victim is within line of sight, i.e. at a distance at which interception looks more realistic, a directional microphone is much more effective and simpler. It should be noted that in the demonstration the researchers intercept their own phones at a distance of 2 meters.

5) Moving the victim between cells also causes problems, because you also need to move with it.

6) The phones used in the demonstration require a hardware modification: the filter has to be removed from the antenna path, otherwise the phones will not "see" the "foreign" uplink. The filter in a phone exists so that it "listens" not to all frequencies, but only to "its own".

7) If the network regularly changes the key (rekeying) or changes TMSI (none of the researchers took this into account), then this method does not work at all or works very poorly (the decryption time may be longer than the conversation time).

8) You won’t be able to listen to the entire network; you need to know the phone number.

Traffic interception protection

1) Instead of a constant byte, use random values to fill empty GSM messages.

2) Change KC after each call.

3) Change TMSI as often as possible.

Points 2 and 3 can be solved by simply reconfiguring the elements of the provider’s network and do not require updating firmware or equipment.

In addition, there are various modified phones on the market, for example, the Cancort crypto smart phone, which provides operation on GSM 900/1800 communication lines in two modes:

Open mode (normal GSM mode);

Encryption mode with hack-proof encryption of information.

Cancort performs the following functions:

Encryption/decryption of short messages (SMS service)

Data encryption/decryption (BS26 and GPRS service).

Email encryption/decryption.

Encryption/decryption of information in all telephone directories (SIM PB).

Encryption/decryption of MMS information.

You can also use scramblers for protection, which have proven themselves in protecting regular telephone networks. An example is GUARD GSM. This device (like its analogues) connects to a cell phone via a wired headset and is small in size. The GUARD GSM scrambler has thirty-two scrambling modes.

The operating principle of this scrambler is based on first breaking up the sound and rearranging it in time on the transmitting side, with its subsequent restoration on the receiving side. This process is two-way. The rearrangement of speech-signal segments in time and the restoration of their sequence at reception take a certain time interval. Therefore a mandatory property of such equipment is a small signal delay on the receiving side. The conversation usually starts in open mode and then, on mutual command, the devices switch to scrambling mode. During a conversation the device performs two functions simultaneously: scrambling and descrambling. That is, the speech spoken by one subscriber is scrambled on his side, and the second scrambler, located at the second subscriber, descrambles this speech. The same happens in the opposite direction when the second subscriber begins to speak.

Specifications:

1. Speech intelligibility is at least 95%.

2. Connection type: full duplex.

3. Signal delay on the line is no more than 100 ms.

4. Protection level of the line signal: temporary (time-limited).

5. Use in GSM 900/1800 standard networks.

6. Type of connection to a cell phone: wired headset.

7. Dimensions 80x45x16 mm.
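To make the operating principle and the specifications concrete, here is an added Python illustration (written for this page, not GUARD GSM code) of a time-segment scrambler with 32 modes; the sample rate, segment size, frame size and the mode-to-permutation mapping are assumptions.

```python
"""Toy time-segment scrambler illustrating the principle described above:
speech is cut into segments, the segments of each frame are re-ordered on the
transmit side, and the receiver restores the original order. Constructed for
this page; the constants below are assumptions, not GUARD GSM parameters."""

SAMPLE_RATE = 8000          # assumption: 8 kHz telephone-band speech
SEGMENT_LEN = 80            # assumption: 10 ms segments
SEGMENTS_PER_FRAME = 8      # assumption: 8 segments (80 ms) per frame
FRAME_LEN = SEGMENT_LEN * SEGMENTS_PER_FRAME
MODE_COUNT = 32             # the text's "thirty-two scrambling modes"

# Multipliers coprime to 8, so that (mult * i + shift) % 8 is a permutation.
_MULTIPLIERS = (1, 3, 5, 7)


def permutation_for_mode(mode: int) -> list[int]:
    """Map a mode number (0..31) to a distinct segment permutation.

    Assumption: mode = 8 * multiplier_index + shift. Mode 0 is the identity,
    i.e. the "open mode" in which the conversation starts before both sides
    switch. Both ends must agree on the mode; it is the shared secret here.
    """
    if not 0 <= mode < MODE_COUNT:
        raise ValueError("mode must be in 0..31")
    mult = _MULTIPLIERS[mode // 8]
    shift = mode % 8
    return [(mult * i + shift) % SEGMENTS_PER_FRAME
            for i in range(SEGMENTS_PER_FRAME)]


def _inverse(perm: list[int]) -> list[int]:
    inv = [0] * len(perm)
    for slot, src in enumerate(perm):
        inv[src] = slot
    return inv


def _reorder_frame(frame: list[int], perm: list[int]) -> list[int]:
    """Output slot i receives input segment perm[i]."""
    segs = [frame[i * SEGMENT_LEN:(i + 1) * SEGMENT_LEN]
            for i in range(SEGMENTS_PER_FRAME)]
    out: list[int] = []
    for src in perm:
        out.extend(segs[src])
    return out


def _frames(samples: list[int]) -> list[list[int]]:
    """Split into whole frames, zero-padding the tail: the receiver cannot
    restore a frame until all of its segments have arrived."""
    pad = (-len(samples)) % FRAME_LEN
    padded = samples + [0] * pad
    return [padded[i:i + FRAME_LEN] for i in range(0, len(padded), FRAME_LEN)]


def scramble(samples: list[int], mode: int) -> list[int]:
    perm = permutation_for_mode(mode)
    out: list[int] = []
    for frame in _frames(samples):
        out.extend(_reorder_frame(frame, perm))
    return out


def descramble(samples: list[int], mode: int) -> list[int]:
    """Apply the inverse permutation; with the wrong mode the speech stays garbled."""
    inv = _inverse(permutation_for_mode(mode))
    out: list[int] = []
    for frame in _frames(samples):
        out.extend(_reorder_frame(frame, inv))
    return out


def line_delay_ms() -> float:
    """Minimum added delay: one whole frame is buffered before restoration.
    80 ms here, within the 'no more than 100 ms' figure in the specifications."""
    return FRAME_LEN * 1000 / SAMPLE_RATE


def distinct_modes() -> int:
    """Size of the key space an eavesdropper with the same class of device would
    have to search; 32 permutations is why the protection is only 'temporary'."""
    return len({tuple(permutation_for_mode(m)) for m in range(MODE_COUNT)})


if __name__ == "__main__":
    # Constructed stand-in for speech samples (a ramp, so re-ordering is visible).
    speech = [(i * 37) % 256 - 128 for i in range(1000)]
    sent = scramble(speech, mode=21)
    heard_right = descramble(sent, mode=21)[:len(speech)]
    heard_wrong = descramble(sent, mode=5)[:len(speech)]
    print(heard_right == speech, heard_wrong == speech,
          line_delay_ms(), distinct_modes())
```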

Man-in-the-middle attack in GSM

The attack discussed earlier actively used a device called an IMSI-catcher. This section discusses how such a device works and what its limitations are.

On the Internet you can find many offers for the sale of special devices that can emulate base stations. Such advertisements declare that such emulators allow you to secretly listen to any conversations without informing the operator or even knowing the phone number of the person being listened to.

Devices with similar functionality do exist (for example, the RA 900 complex produced by Rohde & Schwarz), but they have far less impressive capabilities:

1) covertly, you can only determine whether a phone containing a SIM card with the specified IMSI is located in the coverage area, or obtain a list of IMSIs/IMEIs (but not phone numbers) in the "pseudo-base" coverage area. This implies that the attacker knows the IMSI.

2) You can listen to outgoing conversations from a specific phone, but the subscriber’s signal encryption will be disabled. In addition, the caller's number will be changed or hidden. In this case, the subscriber himself can detect this and establish the fact of listening (or suspect).

3) When listening directly, incoming calls cannot be delivered to the subscriber and, accordingly, cannot be listened to. For other network subscribers, the listened subscriber is “out of coverage area”.

As you can see, the functionality presupposes the presence of certain information about the victim.

Operating principles of IMSI-catcher

An IMSI-catcher is a device that, on the one hand, behaves like a GSM network base station and, on the other hand, contains a SIM card or some other technical means of connecting to communication networks. It is used as follows:

1. The device is placed near the victim's mobile phone. The range is determined based on the power level of the actual base station.

2. During operation, the device appears as a regular station. Naturally, it must impersonate the station of the operator to which the victim belongs. The GSM standard does not require the base station to confirm its authenticity to the phone (unlike UMTS networks, for example), so this is quite easy to do. The frequency and signal strength of the fake base are selected so that the real base stations of all neighboring networks do not interfere with its operation.

3. The victim's phone is forced to select the fake base as the best available base station due to its good and strong signal. The selection principle was described earlier. As a result, the attacker can determine the IMEI of the victim.

4. To listen to conversations, during registration the fake base station informs the phone that it must switch to the A5/0 encryption mode, that is, no encryption at all. A GSM phone cannot refuse.

5. After this, all outgoing calls of the victim pass through the fake station in the clear and can be recorded/listened to there. In this case, the device acts as a proxy, independently connecting to the dialed number and transparently transmitting the voice through itself in both directions.
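The steps above also describe what a phone-side detector can look for: a station that appears from nowhere with a strong signal, presents itself as the home operator, and asks for A5/0. As an added example (not code from the page or from any product it mentions), the following Python scores observed cells against a constructed baseline; the observation fields, baseline values, PLMN string and thresholds are assumptions.

```python
"""Heuristic scoring of observed cells for signs of a fake base station.
Constructed for this page: field names, baseline and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class CellObservation:
    plmn: str                 # "MCC-MNC" of the network the cell claims to belong to
    lac: int                  # location area code from the system information
    cell_id: int
    rx_level_dbm: int         # received signal level
    cipher: str               # algorithm the network selected: "A5/1", "A5/3", "A5/0"
    neighbours: list = field(default_factory=list)  # neighbour cells advertised


# Constructed baseline: (plmn, lac, cell_id) -> typical rx level seen at this
# place on earlier days. A real tool would build this from its own history.
KNOWN_CELLS = {
    ("262-01", 1234, 40001): -75,
    ("262-01", 1234, 40002): -82,
}
HOME_PLMN = "262-01"          # constructed value
LEVEL_JUMP_DBM = 20           # assumption: this much louder than usual is odd


def score_cell(obs, known=KNOWN_CELLS, home_plmn=HOME_PLMN):
    """Return (score, reasons); each reason is one independent indicator."""
    reasons = []
    key = (obs.plmn, obs.lac, obs.cell_id)

    # The text: the fake base tells the phone to use A5/0. A home-network cell
    # that negotiates no ciphering is the strongest single indicator.
    if obs.plmn == home_plmn and obs.cipher == "A5/0":
        reasons.append("A5/0: ciphering switched off by the network")

    # The text: the fake base impersonates the victim's operator and is chosen
    # because of its "good and strong signal".
    if key not in known:
        reasons.append("cell never seen at this location before")
        if known and obs.rx_level_dbm > max(known.values()):
            reasons.append("louder than every known cell here")
    elif obs.rx_level_dbm - known[key] >= LEVEL_JUMP_DBM:
        reasons.append("signal far stronger than usual for this cell")

    # A new LAC makes the phone perform a location update, which is when the
    # fake base learns its identity; real cells here all share known LACs.
    known_lacs = {k[1] for k in known if k[0] == obs.plmn}
    if known_lacs and obs.lac not in known_lacs:
        reasons.append("LAC unknown for this operator at this location")

    # Assumption: a cell advertising no neighbours gives the phone nowhere to
    # hand over to, which keeps it camped on the fake base.
    if not obs.neighbours:
        reasons.append("no neighbour cells advertised")

    return len(reasons), reasons


def flag_suspicious(observations, threshold=2):
    """Cell ids whose indicator count reaches the threshold (one indicator
    alone, e.g. a newly built real cell, is not enough to raise an alarm)."""
    return [obs.cell_id for obs in observations
            if score_cell(obs)[0] >= threshold]


if __name__ == "__main__":
    # Constructed observations: one familiar cell and one that matches the
    # IMSI-catcher pattern from the text.
    familiar = CellObservation("262-01", 1234, 40001, -74, "A5/1", [40002])
    suspect = CellObservation("262-01", 9999, 50000, -55, "A5/0", [])
    for obs in (familiar, suspect):
        print(obs.cell_id, score_cell(obs))
    print(flag_suspicious([familiar, suspect]))   # [50000]
```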

Limitations of IMSI-catcher

1. While connected to the fake station, the victim is unreachable for incoming calls. To support incoming calls, the device would have to be served by the operator's network in the same way as other base stations; for that it would need to connect to some base station controller (BSC) and be registered in its routing tables. But if an attacker has access to the operator's network at a level that allows connecting and configuring new base stations, it is more effective to use SORM. If, besides the victim, other cell phones located near the victim enter the device's coverage area, they will show coverage, but neither incoming nor outgoing calls will be served for them. This may raise suspicions.

2. Most modern phones have an encryption indicator (in the form of a padlock), and the victim may become wary on seeing that the connection is not encrypted.

3. To broadcast outgoing calls, the device needs an output telephone network. If you use your own GSM module with a SIM card for this, then outgoing calls from the fake station will be made with a number different from the victim’s number. To hide this, you can use the “calling line identification restriction” (CLIR) service, which can also alert the recipients of the call and they can inform the victim about it. Alternatively, when using WiFi+VoIP, you can replace the number of a fake station with the correct one, but this complicates the design.

For more accurate spoofing, it is necessary that the device uses a SIM card of the same operator used by the victim, in which case the attacker will have the opportunity to broadcast the victim’s calls to business and short numbers.

4. If the victim moves, he can easily move out of the device’s coverage area, which will result in the process having to be started all over again.

The listed disadvantages show that the use of such a device is limited to short-term interception of conversations and is practically unsuitable for long-term listening.

Thus, the main benefit of such a device may be to identify the IMSI of a victim about whom only the location is precisely known, and then use the IMSI to conduct routine eavesdropping using SORM means.

Conclusion

Interception of messages in GSM networks is possible. But, taking into account the conditions necessary to carry out interception, we can say that GSM is much better protected than shown in films and on the Internet.

Let's move on to GSM hacking. Articles about vulnerabilities in A5/1 appeared about 15 years ago, but there has still been no public demonstration of cracking A5/1 under real-world conditions. Moreover, as can be seen from the description of how the network operates, besides breaking the encryption algorithm itself a number of purely engineering problems must be solved, and these are almost always left out of consideration (including at public demonstrations). Most articles on GSM hacking rely on a 2006 paper by Elad Barkan and on the research of Karsten Nohl. In their article, Barkan et al. showed that since in GSM error correction is applied before encryption (whereas it should be the other way round), a certain reduction of the search space for KC and known-ciphertext attacks (with completely passive listening to the air) are possible in acceptable time using pre-computed data. The authors of the article themselves say that, for reception without interference, cracking within 2 minutes requires 50 terabytes of pre-computed data. The same article (in the section on A5/2) notes that the signal from the air always arrives with interference, which complicates key recovery. For A5/2 a modified algorithm is presented that can take interference into account, but it requires twice the amount of pre-computed data and, accordingly, the cracking time doubles. For A5/1 the possibility of constructing a similar algorithm is indicated, but the algorithm itself is not given. It can be assumed that in this case the amount of pre-computed data also has to be doubled. The process of recovering the A5/1 key is probabilistic and time-dependent: the longer the listening goes on, the more likely it is that KC will be recovered. Thus the 2 minutes stated in the article is an approximate, not a guaranteed, time for recovering KC.

Karsten Nohl is developing the best-known project for cracking GSM networks. By the end of 2009 his company, which deals with computer security, was going to make publicly available rainbow tables of session keys for the A5/1 algorithm, which is used to encrypt speech in GSM networks. Karsten Nohl explains his campaign against A5/1 by a desire to draw public attention to the existing problem and force telecom operators to move to more advanced technologies. For example, UMTS technology involves the use of the 128-bit A5/3 algorithm, whose strength is such that it cannot be broken by any means available today. According to Nohl's calculations, the complete A5/1 key table in packed form will occupy 128 petabytes and will be stored in a distributed way on many computers on the network. Computing it will take about 80 computers and 2–3 months of work. The use of modern CUDA graphics cards and Xilinx Virtex programmable arrays should significantly reduce the computation time. In particular, his talk at 26C3 (Chaos Communication Congress) in December 2009 caused a lot of noise. The essence of the talk can be summarized as follows: soon we can expect the appearance of budget systems for online decoding of A5/1.

Let's move on to the engineering problems. How do you get data from the air? To intercept conversations you need a full-fledged scanner, which must be able to figure out which base stations are broadcasting around, on what frequencies, which operators they belong to, and which phones with which TMSIs are currently active. The scanner must be able to follow the conversation from the specified phone and correctly handle transitions to other frequencies and base stations. There are offers on the Internet for purchasing such a scanner, without a decoder, for 40–50 thousand dollars. This cannot be called a budget device. Thus, to create a device that, after simple manipulations, could begin to listen to a telephone conversation, it is necessary to:

a) implement the part that works with the air interface. In particular, it must make it possible to specify which TMSI corresponds to the phone being sought or, using active attacks, to force phones to "reveal" their real IMSI and MSISDN;

b) implement a KC selection algorithm for A5/1 that works well on real data (with noise/errors, omissions, etc.);

d) combine all these points into a complete working solution.

Karsten and the other researchers mainly solve point "c". In particular, he and his colleagues suggest using OpenBTS, airdump and Wireshark to create an IMSI catcher. For now we can say that this device emulates a base station and is inserted between the MS and the real base station. The speakers claim that a SIM card can easily prevent a phone from showing that it is operating in the A5/0 encryption mode (i.e., with no encryption at all), and that most SIM cards in circulation are exactly like this. This really is possible. GSM 02.07 states (Normative Annex B.1.26) that the SIM card contains a special OFM bit in the Administrative field which, if set to one, prohibits the connection-encryption indication (the padlock). In GSM 11.11 the access rights for this field are as follows: reading is always allowed, and write rights are described as "ADM". The specific set of rights governing writes to this field is set by the operator when the SIM cards are produced. Thus the presenters hope that most cards are issued with the bit set, and that their phones really do not indicate the absence of encryption. This makes the work of the IMSI catcher much easier, because the owner of the phone cannot detect the lack of encryption and become suspicious.

An interesting detail: the researchers ran into the fact that phone firmware is tested for compliance with the GSM specifications and not for handling abnormal situations; therefore, when a base station behaves incorrectly (for example, the "dummy" OpenBTS used for interception), the phones often freeze.

The greatest resonance was caused by the statement that for just $1,500 you can assemble a ready-made kit for listening to conversations using USRP, OpenBTS, Asterisk and airprobe.
This information was widely spread on the Internet, only the authors of these news items and the articles derived from them forgot to mention that the speakers themselves did not provide details, and the demonstration did not take place.

In December 2010 Karsten and Munaut again gave a talk, at the 27C3 conference, on intercepting conversations in GSM networks. This time they presented a more complete scenario, but it contains many "greenhouse" conditions. To determine the location, they use Internet services that make it possible to send "send routing info" requests into the SS7 network. SS7 is a network/protocol stack used by telephone operators (GSM and landline) to communicate with each other and by GSM network components to communicate among themselves. Next, the authors refer to the implementation of mobile communications in Germany. There, the RAND obtained as a result of the query correlates well with the region code (area code/zip code). Therefore such requests there make it possible to determine, down to the city or even part of the city, where the subscriber is located in Germany. But the operator is not obliged to behave this way. Now the researchers know the city. After that they take a sniffer, go to the city they found and begin visiting all of its LACs. Having arrived on territory belonging to some LAC, they send the victim an SMS and listen for whether the victim's phone is being paged (this happens over an unencrypted channel, on all base stations at once). If there is a page, they obtain the TMSI that was issued to the subscriber. If not, they go and check the next LAC. It should be noted that since the IMSI is not transmitted during paging (and the researchers do not know it), but only the TMSI (which they want to learn), a "timing attack" is performed.
They send several SMS with pauses in between and see which TMSIs are being paged, repeating the procedure until only one (or none) remains in the list of "suspicious" TMSIs. So that the victim does not notice this "probing", an SMS is sent that will not be shown to the subscriber: either a specially crafted flash SMS, or a malformed (broken) SMS that the phone will process and delete without showing anything to the user. Having found the LAC, they begin to visit all cells of this LAC, send SMS and listen for paging responses. If there is a response, the victim is in this cell, and one can begin cracking the session key (KC) and listening to the conversations. Before that, the air needs to be recorded. Here the researchers suggest the following:

1) there are custom-made FPGA boards that are capable of simultaneously recording all channels of either the uplink (the channel from the subscriber (phone or modem) to the cellular operator's base station) or the downlink (the channel from the base station to the subscriber) of the GSM band (890–915 and 935–960 MHz respectively). As already noted, such equipment costs 40–50 thousand dollars, so its availability to an ordinary security researcher is questionable;


Probably even housewives know that public Wi-Fi hotspots are unsafe. That does not stop ordinary users from using them for all they are worth: after all, if you shouldn't, but you're bored and really want to, then you can! And without any VPN, although a VPN function is now being built even into comprehensive antivirus products. A regular mobile connection has always been considered a healthy alternative to Wi-Fi, especially since every year it becomes cheaper and faster. But is it as safe as we think? In this article we have collected the main questions and answers about the interception of mobile data, to decide whether an ordinary user with no secrets to hide should be wary of it.

What is an IMSI interceptor?

This is a device (the size of a suitcase, or even just of a phone) that exploits a design feature of mobile phones: they give preference to the cell tower whose signal is strongest (to maximize signal quality and minimize their own power consumption). In addition, in GSM (2G) networks only the mobile phone must undergo an authentication procedure (this is not required of the cell tower), so it is easy to mislead the phone, including in order to disable data encryption on it. On the other hand, the Universal Mobile Telecommunications System (UMTS, 3G) requires two-way authentication; however, this can be bypassed using the GSM compatibility mode found on most networks. 2G networks are still widespread: operators use GSM as a backup network in places where UMTS is unavailable. More in-depth technical details of IMSI interception are available in the SBA Research report. Another insightful description, which has become a reference document for modern cyber counterintelligence, is the article "Your Secret Stingray, No Longer Secret at All", published in the fall of 2014 in the Harvard Journal of Law & Technology.

When did the first IMSI interceptors appear?

The first IMSI interceptors appeared back in 1993 and were large, heavy and expensive. "Long live domestic microcircuits: with fourteen legs... and four handles." The manufacturers of such interceptors could be counted on one hand, and the high cost limited their users exclusively to government agencies. However, they are now becoming cheaper and less bulky. For example, Chris Paget built an IMSI interceptor for just $1,500 and presented it at the DEF CON conference back in 2010. His version consists of a programmable radio and free open-source software: GNU Radio, OpenBTS, Asterisk. All the information a developer needs is publicly available. And in mid-2016 the hacker Evilsocket offered his version of a portable IMSI interceptor for only $600.

How do IMSI interceptors monopolize access to a mobile phone?

  • They trick your cell phone into thinking that this is the only connection available.
  • They are configured in such a way that without the mediation of an IMSI interceptor you cannot make a call.
  • Read more about monopolization in the publication of the SBA Research Center: IMSI-Catch Me If You Can: IMSI-Catcher-Catchers.

The range of interceptors sold is respectable. What about artisanal crafts?

  • Today (in 2017), enterprising technicians are building IMSI interceptors from commercially available off-the-shelf high-tech components and a powerful radio antenna, spending no more than $600 (see the hacker Evilsocket's version of the IMSI interceptor). This applies to stable IMSI interceptors. But there are also experimental, cheaper ones that work unstably. For example, in 2013 a version of an unstable IMSI interceptor was presented at the Black Hat conference whose hardware components cost $250 in total. Today such an implementation would be even cheaper.
  • If, in addition, we take into account that modern Western high-tech military equipment has an open hardware architecture and open-source software (today this is a mandatory condition for ensuring compatibility of software and hardware systems developed for military needs), developers interested in producing IMSI interceptors hold all the trump cards. You can read about this modern trend in military high-tech in Leading Edge magazine (see the article "The benefits of SoS integration" in the February 2013 issue). Not to mention that the US Department of Defense recently expressed its willingness to pay $25 million to a contractor who would develop an effective radio identification system (see the April 2017 issue of Military Aerospace Monthly). One of the main requirements for this system is that its architecture and the components it will consist of must be open. Thus, open architecture is today a prerequisite for the compatibility of hardware and software systems developed for military needs.
  • Therefore, manufacturers of IMSI interceptors do not even need great technical qualifications; they just need to be able to select a combination of existing solutions and put them in one box.
  • In addition, modern microelectronics, which is getting cheaper at an exorbitant rate, allows a home-made device to fit not only into one box, but even (!) onto one chip (see the description of the SoC concept), and even to set up an on-chip wireless network (see the description of the NoC concept at the same link), which replaces traditional data buses. What can we say about IMSI interceptors, when today you can even find technical details of the hardware and software components of the ultra-modern American F-35 fighter in the public domain.

Can I become a victim of "accidental interception"?

Quite possible. By imitating a cell tower, IMSI interceptors listen to all local traffic, which, among other things, includes the conversations of innocent passers-by (read "revelations of Big Brother's big sister"). And this is a favorite argument of "privacy lawyers" who oppose the use of IMSI interceptors by law enforcement agencies, which use this high-tech equipment to track down criminals.

How can an IMSI interceptor track my movements?

  • Most often, IMSI interceptors used by local law enforcement agencies are used for tracking.
  • Knowing the IMSI of the target mobile phone, the operator can program the IMSI interceptor to communicate with the target phone when it is within range.
  • Once connected, the operator uses an RF mapping process to figure out the direction of the target.

Can they listen to my calls?

  • This depends on the IMSI interceptor used. Interceptors with basic functionality simply record that “such and such a mobile phone is in such and such a place.”
  • To listen to conversations, the IMSI interceptor requires an additional set of functions, which manufacturers build in at extra cost.
  • 2G calls can be monitored easily; IMSI interceptors for them have been available for more than ten years.
  • The cost of an IMSI interceptor depends on the number of channels, the operating range, the encryption type, the signal encoding/decoding speed and which air interfaces need to be covered.


Radio interception and cellular communication

To intercept a conversation on a radiotelephone, no special equipment is needed. It is enough to know the frequency range in which the device operates and tune an interceptor to that frequency.

Intercepting cellular conversations requires more sophisticated equipment. As already mentioned, mobile operators carefully encrypt their signals, so they are not so easy to intercept and decode. Complexes for intercepting and monitoring cellular communications of the AMPS and NMT-450i standards are manufactured in Western Europe and across the Russian Federation.

These complexes detect the incoming and outgoing signals generated when calls are set up, track the numbers of the subscribers participating in a given conversation, and monitor the movement of the controlled subscriber during a telephone conversation.

The number of subscribers that can be listened to simultaneously depends on the capacity of the device and the installed software.

On average, a cellular interception and tracking complex is capable of monitoring 14 subscribers, or seven phone calls, at once. Some devices are additionally equipped with tape recorders and voice recorders for simultaneous recording of conversations. The information is transferred to the hard disk of an attached computer or saved on the device's own memory card. The complex completely controls the “life” of the subscriber, constantly monitoring his calls and messages.

The price of such complexes depends on their capacity and the number of simultaneously controlled subscribers; it lies in the range of 10-50 thousand dollars. It is worth bearing in mind that intercepting and jamming GSM communications is much more difficult. Scientists in Britain and Germany are working on the creation of interception systems, and at the moment their cost is about 500 thousand dollars.

Transmission of acoustic information via power lines

These transmitters, or mains-line bugs, are built into electrical appliances powered from the stationary 220 V mains. Sometimes mains bugs are built into the sockets themselves. The device consists of a microphone, an amplifier and a low-frequency transmitter. Frequency range: 10-350 kHz.

There is no point in installing high-frequency transmitters, as they are easier to detect. Reception of the signals and their transmission take place on the same mains phase.

If the phases are different, a capacitor is used as the coupling component. The device for receiving the acoustic information is made to order; however, a household intercom unit will cope with the task perfectly well.

These are sold in any radio store. The transmitters are built into electrical appliances and draw their power from the mains. Mains bugs are difficult to detect, since any electrical appliance creates interference when the radio spectrum is scanned.

In the Russian Federation, a complex for intercepting and decoding pager messages has been developed and is in use; it can be found on sale in all CIS countries.

The complex consists of a miniature computer running the appropriate software, a receiver and a converter for the pager signals. An AR3000 radio scanner or a radio station is used as the receiving device.

The complex intercepts the following kinds of messages sent over radio paging:

  • text;
  • sound;
  • digital messages.

Decoded messages are stored on the hard drive in an archive file whose name indicates the time and date of the message. On the computer's hard drive you can filter messages from a single subscriber, filter all messages within a specified time interval, or perform other operations on the received files. The search and filtering settings can be changed.

Deputy Director for Development Kerimov Rostislav.