Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices
A rogue base station (also called a dirt box or rogue BTS) is a fake cell tower built from a software-defined radio (SDR) and a software implementation of a GSM/GPRS radio access network. The software typically used to run a rogue BTS is YateBTS, which supports the GSM850, EGSM900, DCS1800, and PCS1900 GSM bands.
The purpose of building a rogue base station for vulnerability research or penetration testing of cellular-capable IoT devices and embedded systems, such as the telematics control units (TCUs) inside connected cars, is to force the device's GSM modem to attach to the rogue BTS instead of a legitimate cell tower. This works because GSM authenticates the subscriber to the network but never the network to the subscriber: a modem will camp on whichever cell broadcasts its home MCC/MNC with the strongest signal. Once the device is attached, the tester can capture and analyze, and in some cases intercept and modify, the traffic between the device and its backend, with the goal of controlling the device or affecting the confidentiality, integrity, or availability of the data sent to it.
Very little research has been published over the years on how to build rogue BTSs, especially as it applies to penetration testing of connected cars. As a matter of fact, the last video on the subject was one I made in 2017. Now, three years later, much has changed, so much so that Nuand has even released a new BladeRF that supports 5G.
What's unique about this series is that I will not only walk you through setting up and configuring a rogue BTS using the BladeRF 2.0 Micro, but also show how to perform a connected car penetration test using law enforcement vehicles as targets. Earlier this year, state law enforcement agencies in several states asked me to perform a penetration test of their vehicles: the Ford Interceptor, the Dodge Charger, and the Ford Explorer. The Las Vegas Police Department (LVPD) was kind enough to let me film the engagement so long as no badges were recorded during filming.
This documentary-style film will be released alongside the final article in this series. This article focuses on the configuration and installation of the BladeRF tools, YateBTS, and how to sniff the GSM packets traversing the local loopback interface for devices that associate to your rogue BTS.
The instructions in this article are for the installation and setup of the BladeRF 2.0 Micro. My setup uses the 2.0 Micro (A9) model. The BladeRF x40, the predecessor to the BladeRF 2.0 Micro, covered 300 MHz to 3.8 GHz, while the 2.0 Micro covers 47 MHz to 6 GHz.
The final article in this series will put the BladeRF 2.0 Micro to use against the vehicles' telematics units. Beyond devices that carry SIM cards and talk GSM, the wider frequency range of the 2.0 Micro lets you receive broadcast radio, television, and other signals that were out of reach of the x40. Here are just some of the things now within range with the 2.0 Micro:
FM broadcast radio in the United States, which occupies 88.0 MHz to 108.0 MHz (below the x40's 300 MHz floor)
Aircraft ADS-B transponder broadcasts on 1090 MHz, which can be decoded to plot the flight paths of planes around local airports (this one was already within the x40's range)
Step 1: Update/upgrade your fresh installation of Ubuntu. In this tutorial, I’m using Ubuntu 20.04 LTS.
$ sudo apt update
$ sudo apt upgrade
Step 2: Add BladeRF PPA and install BladeRF tools and libbladeRF
$ sudo add-apt-repository ppa:nuand/bladerf
$ sudo apt update
$ sudo apt install bladerf libbladerf-dev
# The bladerf package provides bladeRF-cli, which Step 12 uses to load the FPGA
Step 3: Add user/group permissions for non-root user
$ sudo addgroup yate
$ sudo usermod -a -G yate alissaknight
# Replace alissaknight with your own non-root username; log out and back in for the new group to take effect
$ sudo apt install libusb-1.0-0-dev
Step 4: Download the custom Yate distro created by Nuand
$ wget https://www.nuand.com/downloads/yate-rc.tar
$ tar xvf yate-rc.tar
$ sudo mv yate /usr/src
$ sudo mv yatebts /usr/src
$ sudo mkdir -p /usr/share/nuand/bladeRF
$ sudo mv *.rbf /usr/share/nuand/bladeRF
$ sudo apt install autoconf gcc g++ make
Step 5: Compile Yate
$ cd /usr/src/yate
$ ./autogen.sh
$ ./configure --prefix=/usr/local
$ make
$ sudo make install-noapi
$ sudo ldconfig
Step 6: Compile YateBTS
$ cd /usr/src/yatebts
$ ./autogen.sh
$ ./configure --prefix=/usr/local
$ make
$ sudo make install
$ sudo ldconfig
Step 7: Set permissions
$ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
$ sudo chown root:yate /usr/local/etc/yate/*.conf
$ sudo chmod g+w /usr/local/etc/yate/*.conf
Step 8: Set transceiver scheduling
$ sudo vi /usr/local/etc/yate/ybts.conf
# Add the two values below under the [transceiver] section of ybts.conf
# (with --prefix=/usr/local the Yate configuration lives in /usr/local/etc/yate)
[transceiver]
radio_read_priority=highest
radio_send_priority=high
Step 9: Install Apache2 and PHP
$ sudo apt install apache2
$ sudo add-apt-repository ppa:ondrej/php
$ sudo apt update
$ sudo apt install php5.6 libapache2-mod-php5.6
# The NIPC web UI is why the older PHP 5.6 comes from the ondrej PPA rather than Ubuntu 20.04's own PHP
Step 10: Install Network-in-a-PC
$ cd /var/www/html
$ sudo ln -s /usr/local/etc/yate/nipc_web nipc
$ sudo chmod -R a+rw /usr/local/etc/yate
$ sudo systemctl start apache2
The recursive a+rw is what lets the PHP code running under Apache write ybts.conf, but it also makes every Yate configuration file world-writable. On anything other than a dedicated lab laptop, give the www-data group write access to that directory instead of everyone.
Step 11: Browse to http://localhost/nipc/ and configure the MCC, MNC, and band for your BTS. NOTE: To decide what values to use, pick the real network you want to impersonate as the decoy (e.g. AT&T Wireless). If your own phone is on that network, you can read its MCC, MNC, and current band from the phone's field test mode. On an iPhone dial *3001#12345#*; on Android dial *#*#4636#*#* and open Phone information. The iPhone steps are:
1. Open the Phone app
2. Dial *3001#12345#*
3. Press the Call button
4. Tap Serving Cell Info
freq_band_ind (Frequency Band Indicator), and the AT&T bands each value corresponds to:
4G LTE: 700 MHz Lower B/C, Band 12/17; 850 MHz Cellular, Band 5; 1700/2100 MHz AWS, Band 4; 1900 MHz PCS, Band 2; 2300 MHz WCS, Band 30.
5G: 850 MHz, 24 GHz, 39 GHz (Band n260).
In my case, freq_band_ind is 2, which on AT&T Wireless is LTE Band 2, 1900 MHz PCS. sel_plmn_mcc is 310 and sel_plmn_mnc is 410, which matches what mcc-mnc.com lists for my carrier. So my phone is currently camped on AT&T's 1900 MHz PCS band over 4G/LTE. Keep in mind that YateBTS is a GSM BTS, so the band you select in NIPC is the GSM band that occupies the same spectrum: PCS1900 for Band 2, GSM850 for Band 5. Bands such as 4, 12, 17, and 30 have no GSM equivalent.
Once you have the appropriate values to plug into YateBTS, you’ll want to enter them into the following screens before starting Yate. Below is the configuration for my side of the world.
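As an added example (mine, not code from the article or from YateBTS) of how the field test values turn into BTS settings, the Python helper below maps an LTE freq_band_ind to the GSM band YateBTS must use, converts ARFCNs to uplink/downlink frequencies for the four supported bands, checks the MCC/MNC, and renders the corresponding [gsm] keys of ybts.conf. The band tables follow 3GPP TS 45.005; the key names Radio.Band, Radio.C0, Identity.MCC, Identity.MNC and Identity.ShortName are the ones I take from the [gsm] section of ybts.conf, so verify them against your installed copy. The LTE-to-GSM table is my own and covers only LTE bands that share spectrum with a GSM band.

```python
"""ARFCN/frequency helper for the four GSM bands YateBTS supports.

Added example, not code from the original article or from YateBTS. Band
edges follow 3GPP TS 45.005; the key names Radio.Band, Radio.C0,
Identity.MCC, Identity.MNC and Identity.ShortName are assumed to be the
ones in the [gsm] section of ybts.conf (check your installed copy).
"""
from dataclasses import dataclass

STEP_MHZ = 0.2  # GSM channel spacing is 200 kHz in every band


@dataclass(frozen=True)
class Band:
    yate_band: int      # value of Radio.Band in ybts.conf
    ranges: tuple       # (first_arfcn, last_arfcn, uplink_mhz_at_first_arfcn)
    duplex_mhz: float   # downlink = uplink + duplex spacing


BANDS = {
    "GSM850": Band(850, ((128, 251, 824.2),), 45.0),
    # E-GSM adds ARFCN 975..1023 below the primary 900 block; ARFCN 0 is 890.0 MHz
    "EGSM900": Band(900, ((0, 124, 890.0), (975, 1023, 880.2)), 45.0),
    "DCS1800": Band(1800, ((512, 885, 1710.2),), 95.0),
    "PCS1900": Band(1900, ((512, 810, 1850.2),), 80.0),
}

# LTE band indicator from the phone's field test screen -> GSM band in the same
# spectrum. LTE bands with no GSM equivalent (4, 12, 17, 30, ...) map to None.
# This table is my own assumption for the example, not a YateBTS setting.
LTE_TO_GSM = {2: "PCS1900", 3: "DCS1800", 5: "GSM850", 8: "EGSM900"}


def gsm_band_for_lte_band(freq_band_ind: int):
    return LTE_TO_GSM.get(freq_band_ind)


def arfcn_to_freq(band_name: str, arfcn: int):
    """(uplink_mhz, downlink_mhz) for an ARFCN. DCS1800 and PCS1900 reuse the
    same ARFCN numbers, so the band is always required alongside the channel."""
    band = BANDS[band_name]
    for first, last, base in band.ranges:
        if first <= arfcn <= last:
            ul = round(base + STEP_MHZ * (arfcn - first), 1)
            return ul, round(ul + band.duplex_mhz, 1)
    raise ValueError("ARFCN %d is not in %s" % (arfcn, band_name))


def freq_to_arfcn(band_name: str, downlink_mhz: float) -> int:
    """Inverse of arfcn_to_freq for a downlink (BTS transmit) frequency."""
    band = BANDS[band_name]
    ul = downlink_mhz - band.duplex_mhz
    for first, last, base in band.ranges:
        n = first + round((ul - base) / STEP_MHZ)
        if first <= n <= last and arfcn_to_freq(band_name, n)[1] == round(downlink_mhz, 1):
            return n
    raise ValueError("%.1f MHz is not a %s downlink channel" % (downlink_mhz, band_name))


def validate_plmn(mcc: str, mnc: str):
    """MCC is always 3 digits; MNC is 2 or 3 digits (310/410 is AT&T in the article)."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    return mcc, mnc


def ybts_gsm_section(band_name, arfcn, mcc, mnc, short_name="Test"):
    """Render the [gsm] keys that NIPC writes, after checking band, ARFCN and PLMN."""
    validate_plmn(mcc, mnc)
    arfcn_to_freq(band_name, arfcn)   # raises if the ARFCN is outside the band
    return "\n".join([
        "[gsm]",
        "Radio.Band=%d" % BANDS[band_name].yate_band,
        "Radio.C0=%d" % arfcn,
        "Identity.MCC=%s" % mcc,
        "Identity.MNC=%s" % mnc,
        "Identity.ShortName=%s" % short_name,
    ])


if __name__ == "__main__":
    band = gsm_band_for_lte_band(2)          # the article's freq_band_ind of 2
    print(band, arfcn_to_freq(band, 512))    # PCS1900 (1850.2, 1930.2)
    print(ybts_gsm_section(band, 512, "310", "410", "AT&T"))
```

Run it with the freq_band_ind, MCC and MNC you read from the phone; the printed [gsm] block is what you should see NIPC write into ybts.conf once you save the form, and the downlink frequency is the one to look for on a spectrum display to confirm the BladeRF is transmitting where you expect.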
Step 12: Plug the BladeRF into a USB 3.0 port on the laptop and soft-load the FPGA image. A soft load lasts only until the board is power-cycled, so repeat this step after every unplug; bladeRF-cli's probe option (-p) will confirm the board is visible first.
$ bladeRF-cli -l /usr/share/nuand/bladeRF/hostedxA9.rbf
# Use the .rbf you copied in Step 4 that matches your board (hostedxA4.rbf for the A4 model)
Step 13: Start Yate
$ sudo yate -v
Once Yate has started, open Wireshark on the loopback interface (lo). YateBTS mirrors the over-the-air (Um) frames as GSMTAP packets sent over UDP port 4729 to 127.0.0.1, so the gsmtap display filter shows only the GSM traffic across your BTS, and Wireshark's built-in dissectors decode the RR, MM, and CC messages, including the IMSI or TMSI in a Location Updating Request. If nothing appears, check that tapping is enabled in the [tapping] section of ybts.conf.
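If you would rather decode the frames in a script than in Wireshark, the Python below is an added example (mine, not code from the article or from YateBTS) of a minimal GSMTAP parser: it unpacks the 16-byte GSMTAP v2 header, strips the LAPDm or L2 pseudo-length framing, names the RR/MM message, and extracts the IMSI or TMSI from a Location Updating Request, which is exactly the identity a rogue BTS harvests. The two sample packets are constructed by hand for the test PLMN 001/01 and a test IMSI, not captures; the sniff() function binds UDP 4729 on loopback and assumes tapping is enabled in ybts.conf.

```python
"""Minimal GSMTAP decoder for the Um frames YateBTS mirrors to localhost.

Added example, not code from the original article or from YateBTS. Assumes
YateBTS tapping is on, so frames arrive as GSMTAP (UDP 4729) on loopback.
The sample packets are constructed for a test PLMN (001/01) and a test IMSI.
"""
import socket
import struct

GSMTAP_PORT = 4729
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNELS = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH", 6: "SDCCH",
            7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H", 11: "PACCH"}
# Channels whose 23-byte blocks start with an L2 pseudo-length octet (no LAPDm header)
PSEUDO_LEN_CHANNELS = {"BCCH", "CCCH", "AGCH", "PCH"}
# Message types worth alerting on: identity harvesting and cipher state (TS 24.008 / 44.018)
MM_TYPES = {0x01: "IMSI DETACH INDICATION", 0x02: "LOCATION UPDATING ACCEPT",
            0x04: "LOCATION UPDATING REJECT", 0x08: "LOCATION UPDATING REQUEST",
            0x12: "AUTHENTICATION REQUEST", 0x14: "AUTHENTICATION RESPONSE",
            0x18: "IDENTITY REQUEST", 0x19: "IDENTITY RESPONSE", 0x24: "CM SERVICE REQUEST"}
RR_TYPES = {0x0d: "CHANNEL RELEASE", 0x19: "SYSTEM INFORMATION 1", 0x1a: "SYSTEM INFORMATION 2",
            0x1b: "SYSTEM INFORMATION 3", 0x1c: "SYSTEM INFORMATION 4",
            0x21: "PAGING REQUEST TYPE 1", 0x27: "PAGING RESPONSE",
            0x32: "CIPHERING MODE COMPLETE", 0x35: "CIPHERING MODE COMMAND",
            0x3f: "IMMEDIATE ASSIGNMENT"}
PD_NAMES = {3: "CC", 5: "MM", 6: "RR"}


def decode_mobile_identity(mi: bytes) -> str:
    """Mobile Identity IE value (TS 24.008 10.5.1.4): BCD IMSI/IMEI or 32-bit TMSI."""
    ident_type = mi[0] & 0x07
    if ident_type == 4:                       # TMSI/P-TMSI: 0xf4 then 4-byte value
        return "TMSI:%08x" % struct.unpack(">I", mi[1:5])[0]
    odd = (mi[0] >> 3) & 1
    digits = [mi[0] >> 4]                     # first digit rides in the high nibble
    for b in mi[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:
        digits.pop()                          # even digit count: last nibble is 0xF filler
    name = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}.get(ident_type, "ID%d" % ident_type)
    return "%s:%s" % (name, "".join(str(d) for d in digits))


def decode_l3(l3: bytes) -> dict:
    """Name the L3 message; pull the Mobile Identity out of a Location Updating Request."""
    pd = l3[0] & 0x0F
    mt = l3[1] & 0x3F if pd in (3, 5) else l3[1]   # MM/CC: top two bits are sequence/spare
    name = (MM_TYPES if pd == 5 else RR_TYPES if pd == 6 else {}).get(mt, "0x%02x" % mt)
    out = {"pd": PD_NAMES.get(pd, str(pd)), "msg": name}
    if pd == 5 and mt == 0x08:
        # LUR layout: octet 3 = LU type/CKSN, 4-8 = LAI, 9 = classmark 1, 10.. = MI (LV)
        mi_len = l3[9]
        out["identity"] = decode_mobile_identity(l3[10:10 + mi_len])
    return out


def parse_gsmtap(pkt: bytes) -> dict:
    """Parse a GSMTAP v2 header plus one Um block and return the decoded fields."""
    version, hdr_words, gtype, ts, arfcn, sig, snr, fn, sub, _ant, _subslot, _res = \
        struct.unpack(">BBBBHbbIBBBB", pkt[:16])
    if version != 2 or gtype != 1:            # only GSMTAP_TYPE_UM is handled here
        raise ValueError("not a GSMTAP v2 Um frame")
    chan = CHANNELS.get(sub, "chan%d" % sub)
    payload = pkt[hdr_words * 4:]
    info = {"uplink": bool(arfcn & ARFCN_F_UPLINK), "pcs": bool(arfcn & ARFCN_F_PCS),
            "arfcn": arfcn & ARFCN_MASK, "timeslot": ts, "channel": chan,
            "frame": fn, "signal_dbm": sig, "snr_db": snr}
    if chan in PSEUDO_LEN_CHANNELS:
        l3 = payload[1:1 + (payload[0] >> 2)]         # L2 pseudo-length octet, then L3
    else:
        # LAPDm B format: address, control, length (bits 3-8), then L3 and 0x2b padding
        l3 = payload[3:3 + (payload[2] >> 2)]
    if len(l3) >= 2:
        info.update(decode_l3(l3))
    return info


def sniff(port: int = GSMTAP_PORT):
    """Print decoded frames live; run this beside yate instead of Wireshark."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    while True:
        data, _ = sock.recvfrom(4096)
        print(parse_gsmtap(data))


# Constructed samples (not captures): an uplink SDCCH/4 LAPDm frame carrying a
# Location Updating Request for test IMSI 001010123456789, and a downlink SI3 block.
GSMTAP_HDR = bytes.fromhex("02 04 01 00")            # v2, 16-byte header, Um, timeslot 0
SAMPLE_LUR = (GSMTAP_HDR + bytes.fromhex("c200 c4 0a 00001234 07 00 00 00")
              + bytes.fromhex("01 00 49 05 08 70 00f110 0001 33 08 09 10 10 10 32 54 76 98 2b 2b"))
SAMPLE_SI3 = (GSMTAP_HDR + bytes.fromhex("8200 c4 0a 00001235 01 00 00 00")
              + bytes.fromhex("59 06 1b") + bytes(20))

if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE_LUR))
    print(parse_gsmtap(SAMPLE_SI3))
```

With Yate running, calling sniff() prints one dictionary per tapped frame; the first Location Updating Request from a target TCU is the moment it has been pulled onto the rogue BTS, and the identity field shows whether it identified itself with a TMSI or leaked its IMSI. Note that binding 4729 yourself means Wireshark will not also see the packets unless you capture on lo at the same time.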
If you have any trouble following the steps outlined in this article, please watch the accompanying video, in which I walk through each of the steps above: https://youtu.be/H7n9EyN5DKs