GSM Hack (mobile phone signal hijacking)

Write something that many people are interested in. about the GSM communication network monitoring problem, when the Guangzhou black market appeared related devices that year, it was very popular. the masses were at risk. some so-called senior experts jumped out and said "It is impossible, and the GSM network is secure ". this may be the biggest crisis for mobile companies. we can laugh at what the experts have said. however, it is not easy to implement.
I remember a few years ago I was talking about a CASE execution solution and talking about listening to SSL communication data. there is a new programmer who is very white-eyed and loudly reminds me that SSL is encrypted, which cannot be implemented ...... I am afraid to deal with these technical staff who take books, because the teacher told them that 1 is 1 and 2 is 2. why can't they think about why 3? "
An information security worker should be "guilty" when looking at everything ". this is not the idea of preemptible. it is the essence of things. the same is true for GSM communication networks. for the time being, I have left the senior experts and general theories aside. to analyze how to implement it in detail, we will first learn some basic knowledge.

This is a simple architecture diagram of the GSM communication network system. We will divide it into five parts: MS, BSC, NSS, OSS, and PSTN. The following sections will introduce the relevant parts of this article.
MS: Mobile Terminal (mobile phone)
BSS:Base Station Subsystem Module
BTS: receiving and transmitting station of the Base Station
BSC: Base Station Controller
NSS:Network subsystem Module
OMC: Operation and Maintenance Center
MSC: mobile exchange center
VLR: roaming user location storage (details will be provided later)
HLR: local user location storage (will be detailed later)
AUC: authentication center (details will be provided later)
EIR: Device flag storage (details will be provided later)
OSS:Operation Support System (also called Operation Support System)
It has little to do with this article, so I will not discuss it in detail. It mainly involves network management and maintenance, billing, and user card data management. Of course, if you want to perform field penetration, the relationship will be big.
PSTN:Public switching telephone network, the server we use belongs to this network, which is basically the largest network today and also the basis of some other networks.
We have a basic understanding of the GSM network. to hijack the air line side, we need to know another important part. this is the mobile user identification card, which we call SIM card and mobile phone card. SIM cards store four types of data. The first type is fixed data: International Mobile User Identification Number (IMSI), authentication key (KI), authentication and encryption algorithm. the second type is temporary network data: Location region identification code (LAI), mobile user temporary identification code (TMSI), and public telephone network code prohibited from access. the third type is Business Code: personal identification code (PIN), unlock code (PUK), and billing rate. the focus of the analysis is the first and second types of data.
After completing the previous introduction, we now start to analyze the implementation of GSM Air Line Side hijacking. First, let's take a look at the GSM communication process and detailed call process and signaling process.

This is a (MS) Phone Call (MS) phone request to establish the communication signaling basic process. the entire process starts when MS requests a channel from BTS. first, MS will send a channel request message to BSS through the random access channel (RACH) to apply for a dedicated channel (SDCCH). After the BSC successfully assigns the corresponding channel to the BSS, in the access permitted channel (AGCH), the dedicated channel assigned to the notification MS by immediately allocating messages, then MS sends a layer-3 message-CM service request message on the allocated SDCCH. In the message, the CM service type is mobile, this message is transparently transmitted to MSC by BSS. After MSC receives the CM service request message, it processes the access request message and notifies VLR to process the MS Access Service request. (At the same time, since the SCCP Connection Service is used between the BSC and MSC, to establish a SCCP Connection, the MSC will also send a connection confirmation message to the BSC), after receiving the service access request, VLR will first check whether the MS has three authentication groups in the database. If yes, it will directly issue an authentication command to MSC. Otherwise, it will request the authentication parameter from H LR/AUC gets three groups, and then sends the authentication command to MSC. After receiving the authorization Command sent by VLR, MSC sends an authentication request to MS through BSS. The command contains the authentication parameters. After MS receives the authentication request, it uses the IMSI and authentication algorithm in the SIM card, the authentication result is obtained and delivered to MSC through the authentication response message. MSC sends the authentication result back to VLR. VLR checks the authentication result reported by MS and the results in the authentication parameter obtained from HLR, if the two are inconsistent, the access request is rejected and the call fails. If the two are consistent, the authentication is passed. After the authentication is passed, VLR will first issue an encryption command to MSC, then, notify MSC that the MS Access request has been passed. MSC notifies MS that the MS service request has been passed through BSS, and then MSC sends an encryption command to MS, which contains the encryption mode, after MS receives the command and completes the encryption, it sends back the encrypted message, which completes the entire access phase.
We can see that if we want to hijack the air line side, the hijacking is between MS and BTS. A smart friend can definitely think of the SSL listener I mentioned earlier. yes, we use (MIM) Man-in-the-middle attack in SSL listening. likewise, it can be used here. one-way authentication is the biggest problem in the GSM protocol. that is, the base station requires mobile phone identification, while the mobile phone does not. in layman's terms, a mobile phone is a child with milk. As long as the phone is fed, it will stretch out its mouth and call the mother. for mobile phones, attackers impersonate base stations. for base stations, attackers impersonate mobile phones. in the process of conversion, we can do anything we want. here, some of my friends say I understand it. actually, it is not that simple. we have not considered some problems.
Let's look back at the speech communication after the access phase is completed. When the caller calls the phone, the call is required.
MSISDN
Number, that is, the called mobile phone number, or the called mobile phone number. in the communication between the mobile phone and the base station, apart from the called MSISDN number during the calling process. the caller's mobile phone does not send the MSISDN number of the local machine. during the call process, the base station will not send the msisdn number of the called mobile phone to the called mobile phone. all of this will be replaced by IMSI (International Mobile User Identification Code) in the SIM card we introduced earlier. that is to say, it is impossible for the hacker to hijack the mobile phone of a specified number. you have no idea which mobile phone you want to listen? No one knows anyone. the ing between MSISDN and IMSI is stored in HLR and only known to it. attackers can solve this problem in two ways. One is to intrude MSC and query its number correspondence from HLR. the other is to get the SIM card of the monitor in advance and extract the IMSI. However, because of the security algorithm protection of the SIM card chip, the average cracking time is 2 to 7 hours. of course, if you have super computing resources, you can hurry up later.
The following is a detailed authentication process diagram.
.
A headache. there must be some difficulties in practical application. but there is also a good side for the attackers in practical applications. we know that the encryption system is set up in the GSM protocol communication. however, mobile companies do not have encryption modules in most regions. if gsm does not adopt the frequency hopping technology and communication is not always maintained at a frequency, we can use a spectrum analysis analyzer to listen. although this is not the most ideal situation, it also saves a lot of trouble for the hijacking of the air line side in man-in-the-middle mode.
Finally, let's talk about the bad situation. in some cases, communication between the mobile phone and the base station, such as call, call, and location update. IMSI cannot even send messages. it is replaced by a temporary ID (TMSI. this TMSI is allocated by VRL. The corresponding relationship between TMSI and IMSI is only known to it.
The final conclusion: GSM Air Line Side hijacking is completely feasible. there is a certain degree of Radio basics, knowledge of GSM protocol, and some less expensive equipment can be achieved. however, it is still difficult to apply it in actual situations. in addition to monitoring, the GSM Air Line Side hijacking can also be used for large-scale IMSI theft, or even for phone call or tracking of the victim.