
Conference Paper · August 2016. DOI: 10.13140/RG.2.2.10901.12002


The 22nd Asia-Pacific Conference on Communications (APCC2016)

Demonstration of Vulnerabilities in GSM Security with USRP B200 and Open-Source Penetration Tools

Arusha Dubey, Student, Electrical Dept., Nirma University, Ahmedabad, India (arusha.dubey31@gmail.com)
Deepak Vohra, Student, Electrical Dept., Nirma University, Ahmedabad, India (dvohra.93@gmail.com)
Khyati Vachhani, Assistant Professor, Electrical Dept., Nirma University, Ahmedabad, India (khyati.vachhani@nirmauni.ac.in)
Arvind Rao, Scientist, DRDO, Ministry of Defense, India (arvindrao@hqr.drdo.in)

Abstract—This paper showcases the vulnerabilities in the GSM security architecture through implementation of an active attack at the Um interface. The attack takes advantage of the lack of two-way authentication: the network authenticates the subscriber, but the subscriber has no way to authenticate the network. A rogue GSM base transceiver station was established using a Universal Software Radio Peripheral (USRP) B200 board and OpenBTS. Unlike the widely used USRP1 and N-series, the B200 does not require an external 10 MHz reference signal. After establishing the rogue BTS, an IMSI-catch attack and impersonation of a mobile subscriber to send malicious SMS are executed. Along with OpenBTS, the standalone applications Asterisk and smqueue are used for correct routing of messages. The attacks are observed on the TEST network and not on a spoofed operator network, so that the security and privacy of existing GSM subscribers are not infringed.

Index Terms—GSM, SDR, USRP, OpenBTS, GNU Radio, security, authentication, IMSI-catch, man-in-the-middle attack

I. INTRODUCTION

Cellular networks have grown continually over the past decades and their utilization has increased manifold in both developed and developing countries [1]. Cell phone utilization is expected to reach 95 percent of the world population by the end of 2016. Despite the exponential growth of such networks, outdated infrastructure is still present in the network. The foremost reason for not replacing it is the huge capital required for an upgrade. Deployment of the latest technology is also confined to densely populated regions because of higher demand there and the low return on investment elsewhere [2]. Furthermore, compatibility with legacy systems and previous standards has become an essential feature of the latest mobile handsets. Multiband compatibility brings economic benefits for the mobile network operators (MNOs), but at the cost of weakening the security of the network, which remains exposed through the weakest standard it still supports. There is no deployed technology that has proven impenetrable. This demands crucial steps to provide highly secured services and more advanced means to examine existing technologies [3]. With attackers having decades of knowledge of several vulnerabilities and an ever-increasing surge of computing power available, Global System for Mobile Communication (GSM) networks now face a multitude of security challenges, including the well-known man-in-the-middle attacks.

Traditionally, GSM interception hardware was costly and custom built. Procurement of such hardware, and ultimately approval to deploy it, was at the behest of government-sponsored organizations only. This limited the analysis and testing of GSM infrastructure and its protocols. However, in recent years, with the advancement of numerous open-source tools and reconfigurable architectures like Software Defined Radio (SDR) [4], access to the technology needed to analyze and test GSM infrastructure is open to almost everyone. Free access to the tools and technology has pushed the boundaries of the attacker too. Newer variants of attacks exploiting one-way authentication, man-in-the-middle positions and denial of service have been discovered and reported [5].

This paper focuses on examining those vulnerabilities of the GSM protocol stack that permit passive and active attacks on the network. Man-in-the-middle attacks are implemented using Universal Software Radio Peripheral (USRP) hardware [6] and Open Base Transceiver Station (OpenBTS) software [7]. In addition, the authors show that it is also possible to send defamatory Short Message Service (SMS) messages to multiple subscribers. Since it is of utmost importance to protect the privacy of other GSM subscribers during the attacks, only the unencrypted traffic of the test BTS is acquired, and a separate isolated room is used for testing the attacks and sending defamatory SMS.

The paper is organized as follows: Section II briefly describes the security architecture of the GSM system, followed by the possible security threats to GSM standards in Section III. Section IV highlights the attack scenario in a GSM system using a rogue base station. The various hardware and software tools used to establish the attacks are discussed in Section V. Section VI explains the experimental setup requirements, followed by the observations made during the deployment of the system. Finally, the paper ends with the conclusion.

978-1-5090-0676-2/16/$31.00 ©2016 IEEE 496


II. SECURITY ARCHITECTURE IN GSM

The security architecture of the GSM standard provides security services such as subscriber authentication, confidentiality of the subscriber identity and air-interface encryption [8]. Each of these is crucial for end-to-end secured communication. The basic security architecture of a GSM network is shown in Figure 1. A brief description of these security aspects follows.

Fig. 1: GSM Authentication and Encryption

A. Subscriber Authentication

The authentication process in GSM is one-way: only the subscriber must prove its identity to the desired network, and the network never authenticates itself to the subscriber. The subscriber is authenticated with a challenge-response method based on the secret key Ki, which is stored only in the subscriber's Subscriber Identity Module (SIM) and in the Authentication Centre (AuC) and is never transmitted. The Mobile Station (MS) must prove possession of this key to get access to the desired network.

The MS forwards its International Mobile Subscriber Identity (IMSI) or Temporary Mobile Subscriber Identity (TMSI) to the Base Transceiver Station (BTS) for further transmission to the AuC. In return, the AuC provides an authentication triplet computed with the A3 and A8 algorithms. It consists of a 128-bit random number RAND, the 32-bit expected response XRES (the output of A3) and the 64-bit session key Kc (the output of A8). The BTS sends RAND to the MS, which computes the Signed Response (SRES) using A3 with RAND and the Ki stored in the SIM as inputs, and the key Kc using A8. The SRES is sent back to the BTS. Access is granted, and a new TMSI is sent to the MS encrypted under Kc, if and only if SRES and XRES match.

B. Subscriber Confidentiality

Once the subscriber is validated, the network uses a 4-byte TMSI assigned by the BTS instead of the IMSI. Using temporary identifiers is necessary to protect the real identity of the subscriber over the air. The TMSI is stored in the Visitor Location Register (VLR) and is assigned to the subscriber for a limited period.

C. Air Interface Encryption

Another important security aspect is on-the-air privacy of information in the GSM protocol stack. In the GSM standard it is possible to replace the encryption algorithm, since GSM systems are modular. The target is to achieve a robust version of the algorithm in such a way that it does not hamper the efficiency of the network or introduce major variation in the infrastructure. This can be achieved if new algorithms follow a predefined standard interface, i.e., key length. Hence the A5 encryption algorithm is deployed, which is actually a family of algorithms that realize a predefined standard interface [9]. The standard versions with 64-bit keys are A5/1, A5/2 and A5/3. A5/0, however, applies no encryption at all; the specification therefore requires the network to warn the subscriber that information is being transmitted over the air interface in plain text. This warning is shown on the MS display only when the ciphering indicator feature is enabled in the SIM, and most operator SIMs ship with it disabled, so a switch to A5/0 is normally invisible to the user.

III. SECURITY THREATS ON GSM STANDARDS

The transparency of cellular networks makes the communicating subscribers more vulnerable to security and privacy threats. Despite the efforts put into strengthening on-the-air privacy by techniques like frequency hopping [10], real-time interception of information or exchanged messages is still entirely practical.

TABLE I: Vulnerabilities produced on GSM security
(Type of attack; potential security vulnerability; threat in the CIA triad)

1. Eavesdropping, IMSI catching, traffic analysis. The ability of an attacker to intercept the data traffic and signaling information of other subscribers. Equipment required: mobile handset. Threat: confidentiality.

2. Cracking cipher keys and challenge-response pairs. The ability of the attacker to decrypt real-time voice calls or messages using high-performance computation and pre-computed rainbow tables. Equipment required: mobile handset. Threat: confidentiality and availability.

3. Base station spoofing, SMS exploitation, call hijacking, over-the-air cracking, DoS attack. The ability of the attacker to insert himself between the network and the legitimate subscriber to modify, delete, masquerade, replay and spoof data traffic and signaling information between two communicating entities. Equipment required: mobile handset and a rogue BTS. Threat: confidentiality, integrity and availability.

With an A5/1 cracking attack, the encrypted GSM voice traffic or messages can be captured and stored in a packet capture (pcap) file. Subsequently, the Kraken tool can be used together with the publicly available A5/1 rainbow tables and an open-source packet analyzer to decrypt the captured packets, thus recovering the plain-text data [11]. Table I summarizes the attacker capabilities that threaten GSM security, classified according to the Confidentiality, Integrity and Availability (CIA) triad used in cryptography.
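The challenge-response of Section II-A, and the relay through a rogue BTS that Section VI-B.1 later describes for the IMSI-catch attack, simulated end to end as an added example. This is not code from the paper or from OpenBTS: A3 and A8 are stood in for by truncated HMAC-SHA256 (an assumption; real SIMs run COMP128 variants, which does not change the protocol logic), and the Ki, the IMSI and the test PLMN 001-01 values are constructed.

```python
"""GSM one-way authentication and the rogue-BTS relay, simulated end to end.
Added example, not code from the paper or from OpenBTS.  A3/A8 are modelled by
HMAC-SHA256 truncated to GSM sizes (assumption: real SIMs run COMP128 variants,
which changes nothing about the protocol logic shown here)."""
from __future__ import annotations

import hashlib
import hmac
import os


def a3(ki: bytes, rand: bytes) -> bytes:  # 128-bit Ki, 128-bit RAND -> 32-bit SRES/XRES
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:  # 128-bit Ki, 128-bit RAND -> 64-bit Kc
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SIM:
    """RUN GSM ALGORITHM answers any RAND from anyone: nothing in the request
    identifies, let alone authenticates, the network.  That is the whole flaw."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)


class MobileStation:
    def __init__(self, sim: SIM):
        self.sim, self.tmsi, self.kc = sim, None, None

    def identity(self) -> tuple[str, str]:
        # Offered in a Location Update Request: the TMSI if one was assigned.
        return ("TMSI", self.tmsi) if self.tmsi else ("IMSI", self.sim.imsi)

    def identity_response(self) -> str:
        # IDENTITY REQUEST (type IMSI) is answered in clear; an IMSI catcher sends
        # it whenever the MS offered a TMSI the catcher does not know.
        return self.sim.imsi

    def authentication_response(self, rand: bytes) -> bytes:
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres


class RealNetwork:  # BTS, VLR and AuC of the legitimate operator in one object
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = dict(subscribers)     # AuC: IMSI -> Ki, never leaves here
        self._tmsi: dict[str, str] = {}  # VLR: TMSI -> IMSI
        self.kc: dict[str, bytes] = {}   # Kc agreed per IMSI after a good LUR

    def location_update(self, identity: tuple[str, str], respond) -> tuple[bool, str | None]:
        """respond(rand) -> sres is whatever sits at the far end of the Um leg;
        the network cannot tell a handset from a rogue BTS relaying to one."""
        kind, value = identity
        imsi = self._tmsi.get(value) if kind == "TMSI" else value
        if imsi not in self._ki:
            return False, None
        rand = os.urandom(16)                               # triplet: RAND, XRES, Kc
        xres, kc = a3(self._ki[imsi], rand), a8(self._ki[imsi], rand)
        if not hmac.compare_digest(respond(rand), xres):
            return False, None
        self.kc[imsi] = kc
        tmsi = os.urandom(4).hex()
        self._tmsi[tmsi] = imsi
        return True, tmsi


class RogueBTS:  # attacker's cell: catches IMSIs and relays the real network's challenge
    def __init__(self, real: RealNetwork):
        self.real, self.caught = real, []

    def catch_imsi(self, ms: MobileStation) -> str:
        kind, value = ms.identity()
        imsi = ms.identity_response() if kind == "TMSI" else value
        self.caught.append(imsi)
        return imsi

    def relay_location_update(self, ms: MobileStation) -> tuple[bool, str | None]:
        # Present the victim's IMSI to the real network, pass its RAND to the
        # victim and the victim's SRES back: the attacker is now authenticated.
        return self.real.location_update(("IMSI", self.catch_imsi(ms)), ms.authentication_response)


def demo() -> dict:
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed test Ki
    imsi = "001010123456789"                                # constructed, test PLMN 001-01
    real, ms = RealNetwork({imsi: ki}), MobileStation(SIM(imsi, ki))
    # 1. Legitimate registration; afterwards the MS only offers a TMSI over the air.
    legit, ms.tmsi = real.location_update(ms.identity(), ms.authentication_response)
    # 2. IMSI catch, then 3. relay: the real network accepts the attacker as the victim.
    rogue = RogueBTS(real)
    caught = rogue.catch_imsi(ms)
    relayed, _ = rogue.relay_location_update(ms)
    # 4. Without the victim's SIM on the line, the attacker's own answer is rejected.
    guessed, _ = real.location_update(("IMSI", caught), lambda rand: bytes(4))
    return {"legit": legit, "tmsi_hidden": ms.identity()[0] == "TMSI", "caught": caught,
            "relayed": relayed, "guessed": guessed,
            # Kc is derived at both ends but never crosses the air: the relay authenticates
            # the attacker, it does not hand over the cipher key (that needs A5/0 or cracking).
            "attacker_has_kc": hasattr(rogue, "kc"), "kc_agreed": real.kc[imsi] == ms.kc}
```

The simulation makes concrete what Table I only names: `SIM.run_gsm_algorithm` takes nothing but RAND, so the SIM answers a rogue cell exactly as it answers the operator, and the real network sees a valid SRES from whoever holds the relay. Note what the relay does not give the attacker: Kc is derived on both ends and never sent, so impersonating the subscriber towards the real network still leaves that leg ciphered unless the attacker also obtains Kc, either by negotiating A5/0 on its own leg or by the A5/1 cracking of Table I.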

Employing a top-down approach through Table I, the first attack is the easiest to achieve. Subsequent attacks demand more knowledge and equipment from the attacker. Hence we can presume that an attacker having a certain level of attack capability also possesses all lower-ranked capabilities. Eavesdropping and man-in-the-middle attacks are the two major issues known for 2G security.

IV. ATTACK SCENARIO USING ROGUE BASE STATION

A rogue base station is a fake BTS placed between the mobile handset and the real BTSs, as shown in Figure 2. Its purpose is to mimic the role of the real BTS and let multiple mobile handsets connect to it [12].

Fig. 2: Test phone connected with Rogue Base Station [5]

This attack is established by configuring the rogue BTS with the network identity of the legitimate provider's BTS, which is done by simply copying the mobile country code (MCC), mobile network code (MNC), location area code (LAC) and cell identity (CI). This makes the rogue base station appear to be part of the legitimate service provider's network. As a result, the attacker is able to acquire the IMSI of the subscriber, which otherwise should remain secret. In addition, the attacker can switch the subscriber to no-encryption mode (A5/0) or even impersonate a party the subscriber wishes to contact. There are generally two ways to make handsets select a rogue base station:
(1) transmitting on the frequency (ARFCN) of a neighboring BTS advertised by the serving cell, or
(2) jamming all downlink frequencies of the legitimate BTS.

V. PENETRATION TEST TOOLS

In recent years, SDR has attracted much attention due to its capability to move wireless hardware functions onto a software platform [13]. This hardware allows us to intercept GSM traffic in various forms, such as IMSI catching and sending malicious SMS. The complete hardware and software suite required to establish these attacks is shown in Figure 3.

Fig. 3: Hardware-Software suite

A. Universal Software Radio Peripheral

The Universal Software Radio Peripheral (USRP) board is a flexible and affordable SDR that turns a standard PC into a powerful wireless prototyping system. A USRP is composed of one motherboard with a high-speed signal-processing FPGA [14], one or more daughterboards covering different frequency ranges, and an antenna for transmitting/receiving.

B. GNU Radio

GNU Radio is a free and open-source software toolkit used to build software-defined radios [15]. GNU Radio is advantageous because various radio devices can be implemented on a single USRP board. Since it functions as a software module, it gives the SDR a high degree of reconfigurability. GNU Radio provides a graphical user interface, GNU Radio Companion (GRC). Airprobe, a GSM sniffing and decoding project built on GNU Radio, can be used to detect the carrier frequency of a BTS and to capture the broadcast messages it sends.

C. Wireshark

Wireshark, previously known as Ethereal [16], is a network packet analyzer used to learn exactly how network protocols work. It is an open-source packet sniffer that observes messages sent and received by applications and protocols running on your computer, but never sends packets itself.

D. OpenBTS

OpenBTS is a Linux-based application capable of establishing an entire GSM base station using a USRP board. OpenBTS needs a USRP to offer a standard GSM Um interface to the MS, and uses an open-source private branch exchange (PBX) such as Asterisk to route voice calls between several MSs [17]. OpenBTS requires the following standard, distinct applications alongside it to offer GSM base station functionality:

1) Transceiver: The transceiver application configures the USRP to perform all necessary functions of a BTS. The software, written in Python and C++, provides the physical layer of the GSM Um air interface.

2) Asterisk: The USRP itself only provides the GSM Um air interface; OpenBTS presents each mobile handset to the core as a Session Initiation Protocol (SIP) endpoint. To ensure correct routing of calls and text messages, along with registration/authentication of the handset in the network, an open-source communication server/private branch exchange such as Asterisk is required.

3) Subscriber registry: To support Asterisk in routing real-time voice calls or text messages between handsets, OpenBTS provides a SIP registry database called the subscriber registry.
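What copying the MCC, MNC, LAC and CI of Section IV amounts to on the air, together with the baseline check a defender can run against it, as an added example (not code from the paper or from OpenBTS). The LAI encoding follows 3GPP TS 24.008; the cell survey, the observations and the thresholds behind the indicators are constructed assumptions, not values from the paper:

```python
"""Location Area Identity (LAI) and Cell Identity as broadcast in System
Information Type 3, and a baseline check for a cell that re-uses a known identity.
Added example, not from the paper or OpenBTS.  LAI octets follow 3GPP TS 24.008
section 10.5.1.3; the survey baseline and the observations are constructed."""
from __future__ import annotations

from dataclasses import dataclass


def encode_lai(mcc: str, mnc: str, lac: int) -> bytes:
    """MCC/MNC as swapped-nibble BCD (a two-digit MNC is padded with 0xF), LAC big-endian."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not 0 <= lac <= 0xFFFF:
        raise ValueError("MCC is 3 digits, MNC 2 or 3 digits, LAC 16-bit")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc] + [0xF] * (3 - len(mnc))
    return bytes([m[1] << 4 | m[0], n[2] << 4 | m[2], n[1] << 4 | n[0]]) + lac.to_bytes(2, "big")


def decode_lai(octets: bytes) -> tuple[str, str, int]:
    if len(octets) != 5:
        raise ValueError("LAI is 5 octets")
    b0, b1, b2 = octets[:3]
    mcc = f"{b0 & 0xF}{b0 >> 4}{b1 & 0xF}"
    mnc = f"{b2 & 0xF}{b2 >> 4}" + ("" if b1 >> 4 == 0xF else str(b1 >> 4))
    return mcc, mnc, int.from_bytes(octets[3:], "big")


@dataclass(frozen=True)
class CellObservation:
    arfcn: int
    ci: int
    lai: bytes        # 5 octets as read from SI3
    rxlev_dbm: int
    crh_db: int       # CELL_RESELECT_HYSTERESIS from SI3
    neighbours: int   # number of ARFCNs in the BA list from SI2


def rogue_indicators(baseline: dict[tuple[str, str, int, int], int], obs: CellObservation) -> list[str]:
    """Compare one observed cell with a survey baseline keyed (MCC, MNC, LAC, CI) -> ARFCN.
    An empty list means nothing looked wrong; each entry is one reason to suspect a rogue."""
    mcc, mnc, lac = decode_lai(obs.lai)
    key = (mcc, mnc, lac, obs.ci)
    reasons = []
    if key in baseline and baseline[key] != obs.arfcn:
        reasons.append(f"{mcc}-{mnc} LAC {lac} CI {obs.ci} surveyed on ARFCN {baseline[key]}, now on {obs.arfcn}")
    elif key not in baseline and any(k[:3] == key[:3] for k in baseline):
        reasons.append(f"unknown CI {obs.ci} inside known LAC {lac} of {mcc}-{mnc}")
    if obs.neighbours == 0:
        reasons.append("empty neighbour list: nothing to reselect away to")
    if obs.crh_db >= 12:  # threshold is an assumption; the GSM maximum is 14 dB
        reasons.append(f"cell reselect hysteresis {obs.crh_db} dB pins the MS to this cell")
    return reasons


def demo() -> dict:
    baseline = {("001", "01", 1000, 1): 51, ("001", "01", 1000, 2): 63}  # constructed survey
    lai = encode_lai("001", "01", 1000)
    legit = CellObservation(arfcn=51, ci=1, lai=lai, rxlev_dbm=-75, crh_db=4, neighbours=6)
    # Rogue copies the identity of CI 1 but transmits on the neighbour ARFCN 63, loud,
    # with no neighbours and maximum hysteresis, as Section VI-B describes.
    rogue = CellObservation(arfcn=63, ci=1, lai=lai, rxlev_dbm=-48, crh_db=14, neighbours=0)
    return {"lai_hex": lai.hex(), "decoded": decode_lai(lai),
            "legit": rogue_indicators(baseline, legit), "rogue": rogue_indicators(baseline, rogue)}
```

The check is only as good as the survey it is compared against, which is why the paper's own first step (walking the neighbour ARFCNs with a spectrum tool) is also the defender's first step.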

It behaves as a replica of the Home Location Register (HLR) present in a conventional GSM network.

4) smqueue: To ensure delivery of text messages between MSs, a store-and-forward facility called smqueue is provided with OpenBTS.

VI. EXPERIMENTAL RESULTS

In this section, the experimental setup and the challenges faced while deploying a GSM BTS with a USRP and GNU Radio are discussed. The GSM base station used in this experimental setup did not work right out of the box and required essential configuration for successful exchange of SMS or voice calls [18]. Firstly, we discuss the hardware and software requirements for the setup, followed by the deployment steps for establishing man-in-the-middle attacks and IMSI catching. Finally, the observations of the experiment carried out are highlighted.

A. Setup Requirement

A GSM connection communicates over the Um interface, i.e. between the mobile station and the BTS. When a connection is established, GSM, which is a Frequency Division Multiple Access/Time Division Multiple Access (FDMA/TDMA) system, assigns an absolute radio frequency channel number (ARFCN) and a dedicated time slot. Synchronization in GSM is established by two bursts, on the synchronization channel (SCH) and the frequency correction channel (FCCH). The MS keeps its clock synchronized to the BTS with the help of these two bursts: the SCH carries the current TDMA frame number, and the FCCH carries a pure tone that the MS uses to correct its local oscillator. The main hardware issue which can arise is with timing. The GSM system clock is set either at 52 MHz or at a multiple of 13 MHz. If we assume that the lowest error permitted by the GSM specification is 50 Hz, and the local oscillator generates a kHz-level error at the RF end, it is quite evident why modifying the USRP for GSM TX/RX is required. Due to lack of synchronization, the MS drops the beacon signal of the BTS.

All versions of USRP by Ettus Research are supported in OpenBTS with minor or negligible modifications to the daughterboards. The N-series USRP is the highest-performing device in the family, with high dynamic range and low phase error. The use of GPS or a 10 MHz external reference is not mandatory for desktop testing; with some calibration, these devices can easily transmit/receive GSM signals. The USRP2, which is functionally identical to the N-series, requires a dedicated external 10 MHz reference signal in order to run OpenBTS. The USRP1 does not support OpenBTS without hardware modification: unlike the USRP2, the USRP1 does not accept a 10 MHz reference but requires an external 52 MHz clock [19]. With the recent release of the B200/B210, an external 10 MHz reference signal is no longer mandatory in order to run OpenBTS. This is an advantage in terms of establishing a GSM system with no prior hardware or firmware modification. In this paper, a B200 USRP board is used to create the rogue base station, as shown in Figure 4. The 56 MHz master clock rate of the B200 can be changed to the GSM-specific 52 MHz by simply updating the UHD driver file. For less mission-critical cases, such as testing a GSM system with OpenBTS, the high level of frequency accuracy can be slightly compromised.

Fig. 4: Setup for rogue BTS using USRP and OpenBTS

B. Deployment of the test bed

In a GSM network, two separate radio frequencies are used so that the base station and handsets can communicate simultaneously in both directions. The complete step-by-step implementation of the attacks is depicted in the flow chart in Figure 5. The first step was to find suitable ARFCNs for the IMSI catcher to operate on. An ARFCN identifies a pair of uplink and downlink physical radio carriers. The chosen ARFCN should be broadcast in the BCCH Allocation (BA) list of the legitimate cells nearby, so that handsets camped on them measure it as a neighbor. In addition, there should be as little traffic as possible on the frequency: it should either not be in use by any BTS, or the BTS operating on the chosen ARFCN should have very little or no reception at the geographical location of the experiment [20]. The spectrum analyzer tool uhd_fft provided with GNU Radio was used to search through all the neighbor ARFCNs to find the most suitable ones to broadcast on. The most suitable ARFCNs are the neighbor ARFCNs with the lowest received level (RxLev) at the geographical location of the experiment.

The next thing to look out for when setting up a new network is excess radio interference or noise from other sources on the uplink. If the uplink is too noisy, the signals from handsets cannot reliably be demodulated into usable information. In this experimental setup, the detected environmental noise Received Signal Strength Indication (RSSI) was −69 dBm (lower numbers are better and mean less noise is present) and the configured target RSSI for handsets was −50 dBm. This means that the base station can, at best, receive 19 dB more energy from the handsets than from the environmental noise; this is a very good margin, so uplink reception issues due to noise should not be a problem.

If the base station radio setup does not include a frequency duplexer, the number one source of noise on the uplink can actually be the downlink signal. Without proper duplexing to filter it out, the downlink signal is usually the closest energy source to the uplink, both physically and in frequency [21]. Even without a duplexer, there are ways to reduce noise on the uplink.
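The ARFCN selection of Section VI-B as runnable code, added here and not taken from the paper or from OpenBTS: ARFCN to carrier frequency per 3GPP TS 45.005, the RXLEV scale that measurement reports use, and the choice of the quietest neighbor from the serving cell's BA list. The BA list and the survey levels are constructed; the 19 dB margin is recomputed from the paper's own −69 dBm and −50 dBm figures:

```python
"""ARFCN to carrier frequency, and picking the ARFCN for the test cell as in
Section VI-B: a neighbour advertised by the serving cell with the lowest level
at the site.  Added example; not code from the paper or OpenBTS.  Formulas follow
3GPP TS 45.005 section 2; the BA list and survey levels are constructed."""
from __future__ import annotations

DUPLEX_MHZ = {"GSM850": 45.0, "P-GSM": 45.0, "E-GSM": 45.0, "DCS1800": 95.0, "PCS1900": 80.0}


def arfcn_to_mhz(arfcn: int, band: str) -> tuple[float, float]:
    """(uplink, downlink) centre frequencies.  DCS1800 and PCS1900 share ARFCN
    numbers, so the band has to be stated rather than guessed from the number."""
    if band in ("P-GSM", "E-GSM") and (1 if band == "P-GSM" else 0) <= arfcn <= 124:
        ul = 890.0 + 0.2 * arfcn
    elif band == "E-GSM" and 975 <= arfcn <= 1023:
        ul = 890.0 + 0.2 * (arfcn - 1024)
    elif band == "GSM850" and 128 <= arfcn <= 251:
        ul = 824.2 + 0.2 * (arfcn - 128)
    elif band == "DCS1800" and 512 <= arfcn <= 885:
        ul = 1710.2 + 0.2 * (arfcn - 512)
    elif band == "PCS1900" and 512 <= arfcn <= 810:
        ul = 1850.2 + 0.2 * (arfcn - 512)
    else:
        raise ValueError(f"ARFCN {arfcn} is not valid in {band}")
    return round(ul, 1), round(ul + DUPLEX_MHZ[band], 1)


def rxlev_to_dbm(rxlev: int) -> int:
    """RXLEV as reported by the MS (TS 45.008): 0 is below -110 dBm, 63 is above
    -48 dBm, one step per dB in between."""
    if not 0 <= rxlev <= 63:
        raise ValueError("RXLEV is a 6-bit value")
    return -110 + rxlev


def choose_test_arfcn(ba_list: list[int], survey: dict[int, int]) -> tuple[int, int | None]:
    """ba_list: neighbour ARFCNs from the serving cell's SI2 (the rogue cell must be
    one of these to be measured and reselected at all).  survey: ARFCN -> strongest
    downlink level seen with uhd_fft, in dBm; absent means nothing was received there.
    Returns the quietest candidate and its level (None when the ARFCN is unused)."""
    if not ba_list:
        raise ValueError("serving cell advertises no neighbours")
    unused = [a for a in ba_list if a not in survey]
    if unused:
        return unused[0], None
    arfcn = min(ba_list, key=survey.__getitem__)
    return arfcn, survey[arfcn]


def uplink_margin_db(noise_floor_dbm: int, rssi_target_dbm: int) -> int:
    """Headroom between the uplink noise floor and the RSSI OpenBTS steers handsets to."""
    return rssi_target_dbm - noise_floor_dbm


def demo() -> dict:
    ba_list = [51, 63, 77, 102]                          # constructed SI2 neighbour list
    survey = {51: -62, 63: -95, 77: -101, 102: -88}      # constructed uhd_fft levels, dBm
    arfcn, level = choose_test_arfcn(ba_list, survey)
    return {"arfcn": arfcn, "level": level, "carriers_mhz": arfcn_to_mhz(arfcn, "P-GSM"),
            "margin_db": uplink_margin_db(-69, -50)}    # the paper's numbers give 19 dB
```

An ARFCN missing from the survey wins outright: a carrier nobody is using at the site is better than the weakest one that is, which is the same preference the paper states.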

Decreasing the downlink transmission power will further clean up the uplink. The coverage area lost by decreasing the downlink power is not significant in a lab environment: cleaner signals are preferable to strong ones.

With the necessary information about the 2G serving BTS and the list of neighboring ARFCNs, the attacker is now fully prepared to establish a rogue BTS.

Fig. 5: Step-by-Step Active Attack flow

Depending on the handset model, firmware and SIM used, the network ID will be displayed as 00101, 001-01 or Test PLMN 1-1, as shown in Figure 6.

Fig. 6: Established test network TEST PLMN 1-1

The attacker now pulls handsets onto the rogue BTS through the cell reselection process. This takes place mainly for two reasons:
(1) the attacker is using one of the neighboring cell ARFCNs advertised by the serving cell, and
(2) the transmission power of the rogue BTS is higher than that of the serving BTS.
Thus the MS believes it has simply moved into a new cell. This is an advantage for the attacker in keeping the MS from connecting to other nearby BTSs. To stop the MS from reselecting another BTS, the attacker can set the cell reselect hysteresis (CRH) to a high value and increase the transmit power.

1) IMSI-catch using Rogue Base Station: After establishing the rogue BTS and setting the necessary environmental parameters, the IMSI-catch attack could be executed successfully within a few seconds. Handsets will not usually divulge the IMSI of their SIM card; it can sometimes be found in a menu or through a field-test mode, but this method of determining a SIM's IMSI is very cumbersome. Luckily there are other methods: OpenBTS knows the IMSIs it has interacted with, and because the attacker controls the network side, the attacker also has access to this information. To force an interaction between a handset and the test network, the handset has to perform a Location Update Request (LUR) on the network, analogous to a registration. This is nothing more complicated than selecting the network from the carrier selection list. If the handset offers only a TMSI, the rogue network replies with an Identity Request for the IMSI, which the handset must answer in clear, since it has no way to authenticate the network that is asking.

The IMSI numbers caught are shown in Figure 7. The primary idea of this attack is to use these IMSI numbers to connect to the real network. The attacker presents the caught IMSI to the real network and receives its RAND, which is forwarded to the attacked mobile user for calculation of the SRES value. The attacked mobile user returns the SRES to the attacker, assuming that the real network initiated the process. Finally, the attacker forwards the SRES from the rogue BTS to the real network, where authentication succeeds. In this way, the IMSI-catch attack becomes a man-in-the-middle attack between the mobile subscriber and the real network.

The AUTH parameter in Figure 8 shows whether the MS is authenticated or not. AUTH 0 means that the location update request was rejected. AUTH 1 means that the MS is a subscriber in the network and is authenticated. AUTH 2 means that the MS is not a subscriber but the location update request was accepted; in this case the MS is camped on the network but does not have a phone number. One can further observe that all except one of the caught IMSIs had an AUTH value of 2. The one with AUTH value 1 is an MS that was added as a subscriber to the network before the experiment was conducted.

Fig. 7: List of IMSI numbers caught

2) Sending malicious SMS using Rogue Base Station: In addition to IMSI-catch attacks, an attacker can also impersonate a mobile user to send malicious SMS messages from the rogue BTS.
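Why the spoofed sender is trivial to produce: the originating address a handset displays is the TP-OA field of the SMS-DELIVER TPDU, and that field is written by the serving network, which here is the rogue BTS. The following is an added example, not code from the paper, OpenBTS or smqueue; it builds an SMS-DELIVER per 3GPP TS 23.040 with an attacker-chosen alphanumeric or numeric originator and decodes it the way the handset does. The sender names, number, timestamp and text are constructed:

```python
"""SMS-DELIVER TPDU (3GPP TS 23.040 section 9.2.2.1) with an attacker-chosen
originating address, plus the decoding a handset performs.  Added example; not
code from the paper, OpenBTS or smqueue.  Senders, number and text are constructed."""
from __future__ import annotations

# GSM 7-bit default alphabet (TS 23.038 section 6.2.1): index == septet value.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128


def pack_7bit(text: str) -> bytes:
    """Septets packed LSB-first into octets (TS 23.038 section 6.1.2.1.1)."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= GSM7.index(ch) << nbits   # ValueError for characters outside the alphabet
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits, nbits = bits >> 8, nbits - 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def unpack_7bit(data: bytes, septets: int) -> str:
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def swap_bcd(digits: str) -> bytes:
    """Semi-octet encoding: each pair of digits is stored low nibble first."""
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def encode_address(addr: str) -> bytes:
    """TP-OA: length in useful semi-octets, type-of-address octet, then the value."""
    if addr.isdigit():                                     # international number: TON=1, NPI=1
        return bytes([len(addr), 0x91]) + swap_bcd(addr + "F" * (len(addr) % 2))
    packed = pack_7bit(addr)                               # alphanumeric sender: TON=5
    return bytes([(len(addr) * 7 + 3) // 4, 0xD0]) + packed


def decode_address(buf: bytes, pos: int) -> tuple[str, int]:
    n, toa = buf[pos], buf[pos + 1]
    body = buf[pos + 2: pos + 2 + (n + 1) // 2]
    if toa & 0x70 == 0x50:
        text = unpack_7bit(body, n * 4 // 7)
    else:
        text = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in body)[:n]
        text = ("+" if toa & 0x70 == 0x10 else "") + text
    return text, pos + 2 + len(body)


def sms_deliver(originator: str, text: str, scts: bytes) -> bytes:
    """TP-MTI=00, TP-MMS=1 | TP-OA | TP-PID=0 | TP-DCS=0 (7-bit) | TP-SCTS | TP-UDL | TP-UD.
    The serving network fills TP-OA; on a rogue BTS that network is the attacker."""
    if len(text) > 160:
        raise ValueError("a single-part SMS carries at most 160 septets")
    return (bytes([0x04]) + encode_address(originator) + bytes([0x00, 0x00]) + scts
            + bytes([len(text)]) + pack_7bit(text))


def parse_sms_deliver(tpdu: bytes) -> dict:
    """The handset's side: there is no field it could verify the sender against."""
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER")
    sender, pos = decode_address(tpdu, 1)
    if tpdu[pos + 1] != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled here")
    scts, udl = tpdu[pos + 2: pos + 9], tpdu[pos + 9]
    return {"sender": sender, "scts": scts.hex(), "text": unpack_7bit(tpdu[pos + 10:], udl)}


def demo() -> dict:
    scts = swap_bcd("16080110300022")   # 2016-08-01 10:30:00, TZ +05:30 (22 quarter hours); constructed
    alpha = sms_deliver("BANK", "Your OTP is 4921", scts)       # constructed sender name and text
    numeric = sms_deliver("919876543210", "hellohello", scts)   # constructed number
    return {"alpha": parse_sms_deliver(alpha), "numeric": parse_sms_deliver(numeric),
            "alpha_hex": alpha.hex()}
```

The `parse_sms_deliver` side shows the limitation from the receiver's perspective: nothing in the TPDU ties TP-OA to anything the handset could check, so every cue the user gets about the sender comes from whichever network the handset is camped on.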

Fig. 8: IMSI number of the test phone with AUTH=1

It is equally easy to imitate any sender's mobile number, which increases the chances of successful execution of the attack. After successful execution of the attack, the attacker can disable the rogue BTS. During this process, the attacked user reconnects to the real network without ever knowing about the earlier presence of the rogue BTS. Apart from this, the attacker can attack multiple users at a time using the same USRP acting as a rogue BTS.

While testing the user impersonation attack, dummy mobile numbers were utilized so that no devices other than the specified recipients (a Lumia and an iPhone in our case) were connected to the rogue BTS, as shown in Figure 9. The entire experimental test bed was run on the TEST network and not on a spoofed operator network. Thus, no other devices besides the ones used specifically for the test were connected to the network. As shown in the figure, the SMS message received on the test device showed the spoofed mobile number as its sender.

Fig. 9: Spoofed SMS sent to the test phone

VII. CONCLUSION

Although GSM systems have introduced several techniques such as frequency hopping to avoid eavesdropping, real-time exchange of information is still very practical and easy to infringe. This paper presents how a base transceiver station can be created using a USRP B200 board and OpenBTS. During the experimental setup, the USRP B200 board was preferred over the high-end N-series/USRP1 because the former removes the need for an external 10 MHz reference signal for establishing an accurate timing process in a GSM network. A TEST network was created and connected to the test mobile handset. The man-in-the-middle attack was illustrated by setting up a rogue BTS and sending malicious or defamatory SMS using smqueue and Asterisk. This process was carried out in a strictly controlled environment with a dedicated test phone, not invading the privacy of any random subscriber. However, the results can be used to understand how vulnerabilities like the one-way authentication procedure in the GSM security architecture can be misused for fraudulent purposes by attackers.

REFERENCES

[1] G. Gu and G. Peng, "The survey of GSM wireless communication system," in Computer and Information Application (ICCIA), 2010 International Conference on. IEEE, 2010, pp. 121–124.
[2] N. Mohammed and N. R. Kisore, "Experimental evaluation of security in 2G cellular networks in India," in Advance Computing Conference (IACC), 2015 IEEE International. IEEE, 2015, pp. 701–705.
[3] A. Mehrotra and L. S. Golding, "Mobility and security management in the GSM system and some proposed future improvements," Proceedings of the IEEE, vol. 86, no. 7, pp. 1480–1497, 1998.
[4] T. Ulversøy, "Software defined radio: Challenges and opportunities," IEEE Communications Surveys & Tutorials, vol. 12, no. 4, pp. 531–550, 2010.
[5] M. Pannu, R. Bird, B. Gill, and K. Patel, "Investigating vulnerabilities in GSM security," in Computing and Communication (IEMCON), 2015 International Conference and Workshop on. IEEE, 2015, pp. 1–7.
[6] M. Ettus, "Universal software radio peripheral (USRP)," Ettus Research LLC, http://www.ettus.com, 2008.
[7] D. A. Burgess, H. S. Samra et al., "The OpenBTS project," 2008.
[8] T. Stockinger, "GSM network and its privacy: the A5 stream cipher," 2005.
[9] P. Bouška and M. Drahanský, "Communication security in GSM networks," in 2008 International Conference on Security Technology. IEEE, 2008, pp. 248–251.
[10] D. Vohra, A. Dubey, and K. Vachhani, "Investigating GSM control channels using RTL-SDR and GNU Radio," in Wireless Communications, Signal Processing and Networking (WiSPNET), 2016 International Conference on. IEEE, 2016, pp. 1047–1051.
[11] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, "Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs," in Field Programmable Logic and Applications (FPL), 2012 22nd International Conference on. IEEE, 2012, pp. 747–753.
[12] M. Hadzialic, M. Skrbic, K. Huseinovic, I. Kocan, J. Musovic, A. Hebibovic, and L. Kasumagic, "An approach to analyze security of GSM network," in Telecommunications Forum Telfor (TELFOR), 2014 22nd. IEEE, 2014, pp. 99–102.
[13] K. Vachhani and R. A. Mallari, "Experimental study on wide band FM receiver using GNU Radio and RTL-SDR," in Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on. IEEE, 2015, pp. 1810–1814.
[14] D. Valerio, "Open source software-defined radio: A survey on GNU Radio and its applications," Forschungszentrum Telekommunikation Wien, Vienna, Technical Report FTW-TR-2008-002, 2008.
[15] GNU Radio, "The GNU software radio," https://gnuradio.org, 2007.
[16] A. Orebaugh, G. Ramirez, and J. Beale, Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress, 2006.
[17] J. Mpala and G. van Stam, "Open BTS, a GSM experiment in rural Zambia," in e-Infrastructure and e-Services for Developing Countries. Springer, 2012, pp. 65–73.
[18] Z. Li, J. Tang, X. Zhu, and C. Kai, "Simple GSM base station based on universal software radio peripheral," in Computing, Communication and Networking Technologies (ICCCNT), 2014 International Conference on. IEEE, 2014, pp. 1–6.
[19] K. Vasudeva, B. S. Ciftler, A. Altamar, and I. Guvenc, "An experimental study on RSS-based wireless localization with software defined radio," in Wireless and Microwave Technology Conference (WAMICON), 2014 IEEE 15th Annual. IEEE, 2014, pp. 1–6.
[20] S. Aragon, F. Kuhlmann, and T. Villa, "SDR-based network impersonation attack in GSM-compatible networks," in Vehicular Technology Conference (VTC Spring), 2015 IEEE 81st. IEEE, 2015, pp. 1–5.
[21] M. Toorani and A. Beheshti, "Solutions to the GSM security weaknesses," in Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST'08. The Second International Conference on. IEEE, 2008, pp. 576–581.
