The Hackers' Guide to GSM Phones
by protonigger
Section 1: The Introduction
Originally developed as a European standard for mobile telephony, GSM has quickly gained ground all over the world. However, for much of the world this is still new technology, and therefore there are many people with many questions to ask. One of the ones I most commonly hear from time to time when I idle in Hackers' Lounge is "how do you hack GSM phones?". This is understandable: a lot of people want to know about all the fun things they can do with these new phones. Well, this tutorial is for all of you: a complete guide for all your GSM hacking needs. Enjoy...
Section 2: How GSM Operates
As I've said in past tutorials, in order to hack anything in any sense of the word you have to first understand how it operates. Therefore in this section you will learn the details of GSM, so that you have a better understanding of how it operates and, consequently, of how it can be exploited. GSM (Global System for Mobile communication) is fundamentally different from some of its older counterparts like AMPS in the sense that it operates using digital technology instead of the traditional analog technology. GSM, being a cellular system, is of course divided into cells. Each cell corresponds to the coverage area of one transmitter, or of a small collection of transmitters. The size of a cell depends on the power of its transmitter. GSM, as with other cellular systems, uses low-power transmitters so that frequencies can be reused efficiently. The frequency band used by a cellular mobile radio system is distributed over a group of cells, and this group is repeated throughout the coverage area of an operator. All the available radio channels can then be used in each group of cells that forms the operator's coverage area, and the frequencies used in one cell are reused several cells away.
There are four different types of cells that are used: macrocells, microcells, selective cells, and umbrella cells. Macrocells are large cells that are used for remote and sparsely populated areas. Microcells, on the other hand, are used for densely populated areas. By using microcells in densely populated areas, the number of channels available is increased, as is the capacity of the cells. Transmitters in these cells use less power in order to reduce the possibility of interference between neighboring cells. In areas where a full 360 degrees of coverage is not needed, selective cells are used to cover only a certain area.
Umbrella cells are used together with microcells in order to solve the handover problem that arises when moving through a series of microcells. The power level within an umbrella cell is higher than the power levels within the microcells that the umbrella cell covers. The cells themselves are grouped into clusters. The number of cells within a cluster is chosen so that the cluster can be repeated continuously within the coverage area of an operator. A typical cluster contains 4, 7, 12, or 21 cells. The number of cells per cluster is very important: the smaller the number of cells per cluster, the larger the number of channels per cell, which increases the capacity of each cell. The total number of channels used in each cell depends on the number of available channels and the type of cluster used. A balance must be struck when setting up these clusters in order to avoid interference with neighboring clusters.
Now let's discuss the architecture of the GSM network. A GSM network can be divided into four main parts: the MS (Mobile Station), the BSS (Base Station Subsystem), the NSS (Network and Switching Subsystem), and the OSS (Operation and Support Subsystem). The two main elements of an MS are the terminal and the SIM (Subscriber Identity Module). There are different types of terminals within the MS architecture, distinguished by their power and application.
The fixed terminals are the ones installed in cars, and have a maximum output of 20 watts. The GSM portable terminals can also be installed in cars, and have a maximum output of 8 watts. Finally there are the handheld terminals, which have a maximum output of 2 watts, but nowadays these terminals can and do transmit at 0.8 watts. The SIM is a smart card that is used for identifying the terminal. This SIM card is protected by a PIN (Personal Identification Number), and in order to identify the user to the system it also stores other parameters of the user, such as the IMSI (International Mobile Subscriber Identity). This is what allows the terminal to operate within the GSM network. Without the SIM card, the terminal itself is a useless device.

The BSS is in charge of transmission and reception, and is what connects the MS and the NSS. Two parts make up the BSS: the BTS (Base Transceiver Station, also known as a Base Station) and the BSC (Base Station Controller). The BTS comprises the transceivers and antennas used in each cell of the network, and is usually located in the center of the cell. The transmission power of the BTS is what defines the size of its cell. Each BTS has between 1 and 16 transceivers, depending on the density of users within the cell. The BSC is what manages the BTSs: it is primarily in charge of handovers, frequency hopping, exchange functions, and the radio frequency power levels of the BTSs.

The NSS is in charge of managing the communications between the mobile users and other users. This part of the GSM architecture is separated into 7 parts: the MSC (Mobile services Switching Center), the GMSC (Gateway Mobile services Switching Center), the HLR (Home Location Register), the VLR (Visitor Location Register), the AuC (Authentication Center), the EIR (Equipment Identity Register), and the GIWU (GSM Interworking Unit).
The central component of the NSS is the MSC, which performs the switching functions of the network and provides connectivity to other networks. Next is the GMSC, which is the interface between the cellular network and the PSTN (Public Switched Telephone Network). It is in charge of routing calls from the fixed network to a GSM user, and is usually implemented in the same machine as the MSC. The HLR stores information about the subscribers belonging to the coverage area of the MSC, as well as the current location of these subscribers and the services that they have access to.

The location of the subscriber corresponds to the SS7 (short for Common Channel Signaling System 7, the protocol used by modern PSTNs) address of the VLR. The VLR stores the information from a subscriber's HLR that is necessary in order to provide the subscribed services to visiting users. This information is recorded in the VLR, on request from the HLR, once a subscriber enters the coverage area of an MSC. That way the VLR can provide the subscribed services to the user without having to call upon the HLR every time a connection is established.
The AuC is a security feature within the NSS. It provides the parameters needed for the authentication and encryption functions within the GSM network, which help to verify the user's identity. The EIR is also used for security purposes. It contains information about the mobile equipment; more particularly, a list of all valid terminals within the coverage area of an MSC. A terminal is identified by its IMEI, and the EIR is used to forbid calls from stolen or unauthorized terminals. The GIWU is made up of both hardware and software that provide an interface to various networks for data communication. Using the GIWU, speech and data can be alternated during the same call. Finally, the OSS is interconnected to the different components of the NSS and to the BSC in order to monitor and control the GSM system, as well as to control the traffic load of the BSS. Now that we understand the structure of a GSM network, let's dive further into the functions within the GSM system.
There are five defined functions within the GSM system: transmission, RR (Radio Resources management), MM (Mobility Management), CM (Communication Management), and OAM (Operation, Administration and Maintenance). The first function we shall discuss is of course the transmission function, which itself contains two subfunctions. The first subfunction deals with the means needed for the transmission of user information, while the second deals with the means needed for the transmission of signaling information.

Contrary to what one may believe at first glance, not all functions within the GSM network are strongly related to the transmission function. The MS, BTS, and BSC are of course very strongly related to transmission. However, other components of the GSM network such as the HLR, VLR, and EIR only deal with transmission for signaling purposes with other components of the network.
Now let's take a minute to talk about the more important aspects of the transmission function. One of the main objectives of GSM is roaming, so in order to obtain complete compatibility between mobile stations and networks of different manufacturers and operators, the radio interface must be completely defined. This specification of the radio interface has a very important influence on spectrum efficiency. First there is frequency allocation, which allocates two frequency bands to the GSM system. The 890-915 MHz band has been allocated for the uplink direction (transmitting from the mobile station to the base station), and the 935-960 MHz band has been allocated for the downlink direction (transmitting from the base station to the mobile station).

However, what you must understand about frequency allocation is that not all frequencies within the specified bands can be used in all countries, for military reasons and because existing analog systems use part of the two 25 MHz bands. Then there is the multiple access scheme, which defines how different simultaneous communications, between different mobile stations situated in different cells, share the GSM radio spectrum.
The multiple access scheme adopted by GSM is actually a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access), with the addition of frequency hopping. FDMA operates by assigning a frequency to a specific user, while TDMA allows several users to share the same channel by assigning each user their own burst within a frame (a group of bursts). Under GSM, TDMA operates within an FDMA structure. Each 25 MHz band is divided into 124 carrier frequencies spaced 200 kHz apart. The first carrier frequency is used as a guard band between GSM and other services that operate on lower frequencies. Each of these carrier frequencies is then divided in time using a TDMA scheme, which splits the 200 kHz wide radio channel into 8 bursts. Each of these eight bursts is then assigned to a single user. A channel therefore corresponds to the recurrence of one burst every frame, and is defined by its frequency and the position of its burst within a TDMA frame. Within GSM there are two types of channels: traffic channels and control channels. Traffic channels are used to transport speech and data. TCH/Fs (full rate traffic channels) are defined using a group of 26 TDMA frames referred to as a 26-multiframe. Within the 26-multiframe structure, uplink and downlink traffic channels are separated by 3 bursts. The structure of the 26-multiframe is as follows: 24 frames are reserved for traffic, 1 frame is used for the SACCH (Slow Associated Control Channel), and the last frame is unused to allow the mobile station to perform other functions, like measuring the signal strength of neighboring cells.
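As an added illustration (not code from the original tutorial), the following Python turns the frequency allocation and the FDMA/TDMA channel structure described above into something you can run: carrier number to uplink/downlink frequency, the role of each frame in the TCH/F 26-multiframe, and the timing of one physical channel. The band edges, 200 kHz spacing, 124 carriers, 8 bursts and the 24/1/1 frame split come from the text; the carrier numbering (ARFCN, with carrier n at 890 + 0.2n MHz and a 45 MHz duplex offset) and the SACCH sitting in frame 12 follow the GSM specification and are assumptions as far as this page is concerned.

```python
"""Primary-band (P-GSM 900) carrier plan and TCH/F 26-multiframe layout.

Added example for this tutorial, not code from the original page. Numbers from
the text: 890-915 / 935-960 MHz, 200 kHz spacing, 124 carriers, 8 bursts per
frame, 24 traffic + 1 SACCH + 1 idle frames. The ARFCN numbering and the SACCH
position (frame 12) follow the GSM specification (assumption for this page).
"""
from typing import Dict, List, Tuple

UPLINK_BASE_MHZ = 890.0          # lower edge of the uplink band (MS -> BTS)
DUPLEX_OFFSET_MHZ = 45.0         # downlink band (935-960) sits 45 MHz above uplink
CARRIER_SPACING_MHZ = 0.2        # 200 kHz between carriers
NUM_CARRIERS = 124               # usable carriers per band
SLOTS_PER_FRAME = 8              # one TDMA frame = 8 bursts (timeslots)
FRAMES_PER_MULTIFRAME = 26       # TCH/F 26-multiframe
SACCH_FRAME = 12                 # assumption from the spec: SACCH frame of the multiframe
IDLE_FRAME = 25                  # last frame left free for neighbour-cell measurements
UPLINK_SLOT_DELAY = 3            # uplink runs 3 timeslots behind the downlink


def carrier_frequencies(arfcn: int) -> Tuple[float, float]:
    """Return (uplink_MHz, downlink_MHz) for carrier number 1..124.

    Carrier 0 would sit exactly at 890.0/935.0 MHz; the text describes the first
    carrier as the guard band towards lower-frequency services, so it is rejected.
    """
    if not 1 <= arfcn <= NUM_CARRIERS:
        raise ValueError(f"carrier {arfcn} is not a usable carrier (1..{NUM_CARRIERS})")
    uplink = UPLINK_BASE_MHZ + arfcn * CARRIER_SPACING_MHZ
    return round(uplink, 3), round(uplink + DUPLEX_OFFSET_MHZ, 3)


def frame_role(frame_in_multiframe: int) -> str:
    """Role of one TDMA frame (0..25) of a full-rate traffic channel."""
    if not 0 <= frame_in_multiframe < FRAMES_PER_MULTIFRAME:
        raise ValueError("frame index must be 0..25")
    if frame_in_multiframe == SACCH_FRAME:
        return "SACCH"
    if frame_in_multiframe == IDLE_FRAME:
        return "IDLE"
    return "TCH"


def multiframe_summary() -> Dict[str, int]:
    """Count how the 26 frames are used; the text says 24 traffic, 1 SACCH, 1 idle."""
    counts: Dict[str, int] = {}
    for f in range(FRAMES_PER_MULTIFRAME):
        role = frame_role(f)
        counts[role] = counts.get(role, 0) + 1
    return counts


def burst_plan(arfcn: int, timeslot: int, n_frames: int) -> List[dict]:
    """Describe the bursts of one physical channel (carrier + timeslot) over n frames.

    Times are counted in timeslot periods from the start of downlink frame 0. The
    3-slot offset shows that the mobile transmits after it receives and never has
    to do both at once.
    """
    if not 0 <= timeslot < SLOTS_PER_FRAME:
        raise ValueError("timeslot must be 0..7")
    uplink, downlink = carrier_frequencies(arfcn)
    plan = []
    for frame in range(n_frames):
        rx_time = frame * SLOTS_PER_FRAME + timeslot
        plan.append({
            "frame": frame,
            "role": frame_role(frame % FRAMES_PER_MULTIFRAME),
            "downlink_mhz": downlink,
            "uplink_mhz": uplink,
            "rx_slot_time": rx_time,
            "tx_slot_time": rx_time + UPLINK_SLOT_DELAY,
        })
    return plan


def physical_channels_per_band() -> int:
    """Full-rate physical channels the whole band offers before any frequency reuse."""
    return NUM_CARRIERS * SLOTS_PER_FRAME


if __name__ == "__main__":
    print(carrier_frequencies(1), carrier_frequencies(124))
    print(multiframe_summary(), physical_channels_per_band())
    for burst in burst_plan(62, 3, 4):   # constructed sample channel: carrier 62, slot 3
        print(burst)
```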
There are also TCH/Hs (half rate traffic channels), which are also grouped in a 26-multiframe, but with a slightly different internal structure. Control channels are used for network management and some channel maintenance tasks. There are four different types of control channels, defined by the task they perform: BCH channels (Broadcast Channels), CCCH channels (Common Control Channels), DCCH channels (Dedicated Control Channels), and associated control channels. BCH channels are used by the base station to provide the mobile station with the information it needs to synchronize with the network. There are 3 types of BCH channels: the BCCH (Broadcast Control Channel), the SCH (Synchronization Channel), and the FCCH (Frequency-Correction Channel). The BCCH gives the mobile station the parameters necessary to identify and access the network. The SCH gives the mobile station the training sequence needed to demodulate the information sent by the base station.

Finally, the FCCH gives the mobile station the frequency reference of the system so that it can synchronize with the network. The CCCH channels are used to establish calls from the mobile station or from the network. Once again, there are three types of CCCH channels: the PCH (Paging Channel), the RACH (Random Access Channel), and the AGCH (Access Grant Channel). The PCH is used to alert the mobile station of an incoming call. The RACH is used by the mobile station to request access to the network. The AGCH is then used by the base station to inform the mobile station which channel it should use; it is the base station's answer to a RACH from the mobile station. The DCCH channels are used for message exchange between several mobiles and the network. There are two types of DCCH: the SDCCH (Standalone Dedicated Control Channel) and the SACCH (Slow Associated Control Channel). The SDCCH is used to exchange signaling information in the downlink and uplink directions, and the SACCH is used for channel maintenance and control. Finally there is the associated control channel, which consists of the FACCH (Fast Associated Control Channel). The FACCH replaces all or part of a traffic channel when urgent signaling information must be sent, and carries the same kind of information as the SDCCH. So now that we (hopefully) understand how FDMA and TDMA operate under GSM, we can explore the third part of the multiple access scheme: frequency hopping.
There are two types of frequency hopping. Slow frequency hopping changes the frequency with every TDMA frame, and is used to avoid large differences in the quality of the channels. Fast frequency hopping, on the other hand, changes the frequency many times per frame. Fast frequency hopping is not used within GSM, so it is not really important to us. However, for frequency hopping to be used across the network at all, it has to be approved by the mobile station. Now let's get into speech coding. Speech coding is the most important aspect of a cellular mobile service, so a lot of attention is given to its details.

The codec used by this service is first and foremost a codec called RPE-LTP (Regular Pulse Excitation Long-Term Prediction), which uses the information from previous samples in order to predict the current sample. The speech signal itself is divided into blocks of 20 ms, each of 260 bits. These blocks are then passed to the speech codec, which has a rate of 13 kbps. Next is channel coding, which adds redundancy bits to the original information in order to detect and correct (if possible) the errors that occurred during transmission. Channel coding uses two codes: a block code and a convolutional code. The block code receives an input block of 240 bits and appends four 0 tail bits at the end of the input block, making the block 244 bits. The convolutional code adds redundancy bits in order to protect the information. What makes the convolutional code different from the block code is that the convolutional encoder contains memory. A convolutional code can be defined by 3 variables: n, k, and K.
For the sake of your sanity and mine, I will skip over explaining this. If you feel curious enough to read into it, then you can do a Google search and find more information in your spare time. Interleaving is another function, one that rearranges a group of bits in a particular way. Within GSM it is used in combination with FEC codes in order to improve the performance of the error correction mechanisms.

Again, I'm going to let you look into the details of this function in your own time. There is also burst assembling, which is in charge of grouping the bits into bursts. Then there is ciphering, which is a topic that may wake a few of you readers up. Ciphering is of course used to protect signaling and user data. The cipher works by computing a ciphering key using the A8 algorithm stored in the SIM card, the subscriber key, and the random number delivered by the network (the same one used in the authentication procedure). Then a 114-bit sequence is produced using the ciphering key, the A5 algorithm, and the burst numbers. This bit sequence is XORed with the two 57-bit blocks of data included in a normal burst. In order to decipher all this correctly, the receiver of the transmission has to use the same A5 algorithm for the deciphering procedure. Finally, for those of you who may want to know, the modulation used in GSM is GMSK (Gaussian Minimum Shift Keying), with a rate of 270 5/6 kbaud and a BT product equal to 0.3.

There are a few other functions, but I didn't feel that they were necessary for this tutorial, so I didn't include them.
Now that we're done talking about the transmission function, feel free to take a quick break to rest your eyes and let your brain process all this. Smoke a cigarette, eat some junk food, just do whatever you need to do to relax and let all this information I've given you sink in.

Finished?
All right, let's continue. Now that we are done talking about transmission, the next function we shall discuss is radio resources management. RR is used to establish, maintain, and release communication links between mobile stations and the MSC. The main elements of RR deal with the base station and the mobile station, but since the MSC needs to deal with handovers, it is also concerned with RR functions. The main procedures involved in RR are channel assignment, change, and release; handovers; frequency hopping; power-level control; discontinuous transmission and reception; and timing advance. However, since we've already gone over most of these functions when talking about transmission, the only one we really need to concentrate on at this point is handovers.
Handovers are of course the process of changing the channel or cell that a user is on while they are moving. There are four different types of handover that are used: the handover of channels within the same cell, the handover between cells controlled by the same BSC, the handover between cells belonging to the same MSC but controlled by different BSCs, and finally the handover between cells controlled by different MSCs. The first two types of handover are managed by the BSC, and the MSC is only notified of them. The MSC is in charge of managing the last two. In order for a handover to work, the mobile station monitors its own signal strength and the signal strength of the neighboring cells. These power measurements allow the MSC or BSC to decide which cell is best to use in order to maintain the quality of the communication link. There are two different handover algorithms in use: the 'minimum acceptable performance' algorithm and the 'power budget' algorithm. The 'minimum acceptable performance' algorithm works by increasing the power level of the mobile when the quality of the transmission decreases, until this increase has no further effect on the quality of the signal, at which point a handover is performed. The 'power budget' algorithm, on the other hand, just goes ahead and makes the handover instead of increasing the power level in order to obtain a good communication quality.
Well, as I said, the rest of the RR functions were already discussed when we were talking about transmission, so now let's get into mobility management. MM is in charge of all aspects related to the mobility of a user, specifically location management and authentication and security. Location management is performed through a location update procedure: the mobile station indicates its IMSI to the network when it is powered on. When a mobile station moves to a different location area or a different PLMN, the location update message is sent to the new MSC/VLR, which then passes this location information to the subscriber's HLR. If this step is authenticated, the HLR cancels the registration of the mobile station with the old MSC/VLR. This location updating is performed periodically, and if the mobile station hasn't registered by the end of the updating time period, it is deregistered.
When a mobile station is powered off, it performs an IMSI detach procedure in order to let the network know that it is no longer connected. The authentication procedure involves the SIM card and the Authentication Center. A secret key, stored in both the SIM card and the AuC, and the A3 algorithm are used to verify the authenticity of the user. The mobile station and the AuC each create an SRES using the secret key, the A3 algorithm, and a random number generated by the AuC. If these two SRESs are the same, then the user is authenticated. The AuC also checks the equipment identity to see whether the IMEI of the mobile is authorized according to the EIR, and if so the mobile station is allowed access to the network.
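The challenge-response just described, together with the ciphering step from the transmission section (A8 deriving the ciphering key from the same random number, then a 114-bit A5 sequence XORed over the two 57-bit blocks of a burst), as an added Python simulation that is not code from the original tutorial or from any real network or SIM. The A3/A8/A5 functions are stand-ins built from HMAC-SHA256 (an assumption, chosen only so the flow runs offline; they are not COMP128 or A5/1), and the IMSI and key are constructed values; what the example shows is who holds the secret key, what crosses the air interface, and why a SIM with the wrong key fails.

```python
"""GSM authentication and burst ciphering as a message-flow simulation.

Added example for this tutorial; not real network or SIM code. A3, A8 and A5
are placeholders built from HMAC-SHA256 / SHA-256 (assumption). The sizes
(32-bit SRES, 64-bit Kc, 114 keystream bits per burst) follow the text.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KI_BYTES = 16            # subscriber key Ki: held only by the SIM and the AuC
RAND_BYTES = 16          # random challenge generated by the AuC
SRES_BYTES = 4           # 32-bit signed response compared by the network
KC_BYTES = 8             # 64-bit ciphering key produced by A8
BURST_DATA_BITS = 114    # two 57-bit data blocks in a normal burst
MASK_114 = (1 << BURST_DATA_BITS) - 1


def _sim_algorithm(ki: bytes, rand: bytes, label: bytes, nbytes: int) -> bytes:
    """Placeholder for the SIM-resident A3/A8 (assumption: keyed hash, not COMP128)."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]


def a3(ki: bytes, rand: bytes) -> bytes:
    """A3: authentication response SRES = f(Ki, RAND)."""
    return _sim_algorithm(ki, rand, b"A3", SRES_BYTES)


def a8(ki: bytes, rand: bytes) -> bytes:
    """A8: ciphering key Kc derived from the same RAND used for authentication."""
    return _sim_algorithm(ki, rand, b"A8", KC_BYTES)


def a5_keystream(kc: bytes, frame_number: int, uplink: bool) -> int:
    """Placeholder A5: 114 keystream bits for one burst from Kc and the burst number."""
    seed = kc + frame_number.to_bytes(4, "big") + (b"U" if uplink else b"D")
    digest = hashlib.sha256(seed).digest()
    return int.from_bytes(digest, "big") >> (256 - BURST_DATA_BITS)


def cipher_burst(kc: bytes, frame_number: int, uplink: bool, data: int) -> int:
    """XOR the burst's two 57-bit data blocks with the keystream; the same call deciphers."""
    if not 0 <= data <= MASK_114:
        raise ValueError("burst payload must fit in 114 bits")
    return data ^ a5_keystream(kc, frame_number, uplink)


def split_blocks(data: int) -> Tuple[int, int]:
    """The two 57-bit halves of a burst's data that the text refers to."""
    return data >> 57, data & ((1 << 57) - 1)


class SIM:
    """Runs A3/A8 for the mobile station; Ki never leaves the card."""
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)


class AuC:
    """Authentication Center: the network-side copy of each subscriber's Ki."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """(RAND, expected SRES, Kc) handed to the MSC/VLR; Ki itself stays here."""
        ki = self._keys[imsi]
        rand = os.urandom(RAND_BYTES)
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc: AuC, sim: SIM, claimed_imsi: str) -> Tuple[bool, Optional[bytes]]:
    """MSC/VLR view of the exchange: only RAND and SRES cross the air interface.

    Returns (authenticated, Kc). Kc is released for ciphering only on success and
    matches the Kc the SIM derived, because both sides used the same Ki and RAND.
    """
    rand, expected_sres, kc = auc.triplet(claimed_imsi)
    sres, _ = sim.run_gsm_algorithm(rand)          # computed on the SIM, sent back
    if not hmac.compare_digest(sres, expected_sres):
        return False, None
    return True, kc


if __name__ == "__main__":
    ki = os.urandom(KI_BYTES)                      # constructed subscriber key
    imsi = "001010123456789"                       # constructed test-network IMSI
    auc = AuC()
    auc.provision(imsi, ki)
    ok, kc = authenticate(auc, SIM(imsi, ki), imsi)
    print("genuine SIM:", ok, "Kc:", kc.hex())
    print("SIM with wrong Ki:", authenticate(auc, SIM(imsi, os.urandom(KI_BYTES)), imsi)[0])
    payload = 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A & MASK_114   # constructed burst data
    ct = cipher_burst(kc, 1234, False, payload)
    print("burst deciphers:", cipher_burst(kc, 1234, False, ct) == payload)
```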
During the authentication procedure the user's subscribed services are also checked. Also, in order to assure user confidentiality, the user is registered with a TMSI (Temporary Mobile Subscriber Identity) after its first location update procedure. Now let's talk about communication management. CM is responsible for three different functions within the GSM system: call control, supplementary services management, and short message services management.
Call control is in charge of establishing, maintaining, and releasing calls, as well as selecting the type of service. One of the most important roles of CC is call routing. In order to reach a mobile subscriber, a user dials the MSISDN (Mobile Subscriber Integrated Services Digital Network number), which includes a country code, a national destination code identifying the subscriber's operator, and a code corresponding to the subscriber's HLR. This call is then passed to the GMSC (if the call indeed originated from a fixed network), which knows the HLR corresponding to a given MSISDN.

The GMSC then asks the HLR for the information needed for call routing; the HLR requests this information from the subscriber's VLR, and the VLR allocates an MSRN (Mobile Station Roaming Number) temporarily for the call. This MSRN is then sent through the HLR to the GMSC, which allows the call to be routed to the subscriber's current MSC/VLR, and thus the mobile is paged. Now let's talk about the supplementary services management function. This function deals only with the mobile station and the HLR, and is what provides selected services to the subscriber.
One function within supplementary services management is call forwarding, which allows a user to forward incoming calls to another number if the mobile is busy. This function can also be applied unconditionally.

Another service is call barring. There are many different types of call barring services: BAOC (Barring All Outgoing Calls), BOIC (Barring Outgoing International Calls), BOIC-exHC (Barring Outgoing International Calls except those directed towards the Home PLMN Country), BAIC (Barring All Incoming Calls), and barring all incoming calls when roaming. Then of course there are other services like call hold, call waiting, multiparty service, CLIP (Calling Line Identification Presentation), CLIR (Calling Line Identification Restriction), and others. I would go into them all, but I want to go ahead and finish up this section so I can continue with the rest of the tutorial.
Short message services management is of course in charge of managing the SMS service. This service is supported via a Short Message Service Center through two interfaces: SMS-MT/PP (the SMS-GMSC for Mobile Terminating Short Messages) and SMS-MO/PP (the SMS-IWMSC for Mobile Originating Short Messages). It's worth noting that SMS-MT/PP plays the same role as the GMSC. Now on to OAM (Operation, Administration, and Maintenance). OAM is used to allow the operator to monitor and control the GSM system, as well as modify the configuration of the properties and elements of the GSM system. The OSS, BSS, and NSS all play a part in OAM's operation. Certain components of the BSS and NSS provide the information needed by the operator, which is then passed to the OSS, which is in charge of analyzing it and controlling the network. The self-test tasks usually carried out by the BSS and NSS are also used by OAM for certain functions. The BSC, which is in charge of controlling several BTSs, is also a part of OAM. Well, that concludes the functions within the GSM system, and this section. If you have finished this section utterly confused, then feel free to read it over. It's not that you need to remember every single component and fact listed in this section, but it helps to have a pretty good understanding of the GSM system, and it's better that the information is here for you to refer back to. Just be sure that you have a basic understanding of the information I have provided before you continue to the next section.
Section 3: Exploiting GSM Phones
So now that you hopefully have at least a basic understanding of how GSM operates, let's talk about the fun stuff. The first trick I will discuss is an activity that is becoming quite prevalent: SIM cloning. If you have paid attention to any cell phone related tutorials in the past, then you may remember cloning being made popular by certain public figures like Kevin Mitnick in order to place calls on the bill of another subscriber. Well, even with GSM this trick is still relevant. How could such a flaw exist in a system that is obviously concentrated on preventing such fraudulent use? The flaw is within the COMP128 authentication algorithm, an instantiation of A3/A8 widely used by GSM providers. Unfortunately for these providers, the COMP128 algorithm is just not strong enough to prevent fraud. We attack the algorithm by using a chosen-challenge attack, which works by forming a number of specially chosen challenges and querying the SIM card with each one. Then, by analyzing the responses to these queries, we are able to determine the value of the secret key that is used for authentication. So how do we perform this attack?
Well, there are a few things you need before you start. First you will need to buy a SIM card reader, a card programmer, an empty silver PIC 2 card, an unregulated adapter, and, if you don't have one, a 9-pin male-to-female extension cable. You can probably put a bid on eBay for most of this hardware, or just Google some sites that sell them. You will also need some software for this trick. First you will need a SIM card editor. An excellent piece of software to use in this instance is Cardinal Sim Editor, which you can find (including the crack for it) at the link below...
http://www.cracksweb.com/news.php?go=824
Another tool you will need is CardMaster, which once again you can find at the link below...
http://cardmaster.dk/download2.php
Finally, you will need a SIM card emulator. An excellent example of an emulator to use is SIMEMU, which you can find at the link below...
http://simemu.cjb.net/
Note for those of you who feel the need to read the instructions on the site: just go to www.freetranslation.com to translate the web page from Spanish to English. Now let's go ahead and get started, shall we. You will first want to plug your SIM reader into your COM port. Then run Cardinal, click where it says "Click Here", and then click Settings. You will then select your COM/serial port and the baud rate. Then close this out, left click where it says "Click Here" again, go to Smartcard, and click SIM Editor. The program will start up from there; go to SIM, then SIM Info, and click the Load button. After doing this you will see the IMSI code; take note of this code, as you will need it. Now close the SIM Info and go to Security/Find key KI. When this window opens, just click Start and wait. It will take approximately 4 hours to find the key. Once it is found, take note of this KI and exit. You should now have the IMSI and KI noted; if so, let's continue with the next step. Now take your silver card. Within the unzipped file you will find two files: SEE50s.hex (EEPROM) and SEF50sEN.hex (PIC). Connect your programmer to a COM port, go to the Setup menu of your CardMaster program, and choose the appropriate COM port. You should then see a yellow rectangle at the bottom of the program saying that there is no card. Now insert your smartcard into the programmer; the rectangle should change to green and you will see "Card ready". Now go to where it says "Card type:" and select "Silvercard". Now go to the "File to Pic:" field and upload SEF50sEN.hex, then go to the "File to Eeprom:" field and upload SEE50s.hex. Now go to Edit and click "Auto Program". Once this is finished you will need to cut the card so that it will fit into the phone. Instructions for how the card needs to be cut are provided on the GSM Solutions web site, which is listed in the Sites to Visit section at the bottom of this page. Now insert the newly cut silvercard into the phone. If it asks for a PIN, just punch in 111. Then from the main menu open up "Sim-Emu". From this menu go to Set Phone #, then -GSM #1 (or any slot), then Configure, then Edit #. Now edit GSM #X to any name, and press OK. Now go to Config.Pos. and it will ask for PIN2, which will be 1234. It will then ask you what position you want the card to be; choose Position 1. It will then ask you for the IMSI, for which you punch in the IMSI you got from Cardinal. It will then ask you for the KI, for which again you punch in the KI you got from Cardinal. It will then ask you to enter your PUK, which can be anything up to 8 digits. Then it will ask you to enter your PIN, which can be anything up to 4 digits. There you go, now you have cloned another SIM card, and are free to call away all you want on someone else's bill. There have also been rumors that on certain services there are ways to clone a SIM remotely, but none have been tested, so this can't be proven.
SIM cloning, let's get into another trick involving exploiting gsm
phones, bluejacking. What is bluejacking you ask? Bluejacking is
exploiting the BlueTooth wireless communication system common among
PDAs, cell phones, and of course laptops. In essense this is nothing
more than a harmless little prank, similar to defacing web sites.
For bluejacking gsm phones what we are trying to do is first create a
phonebook contact that says something like "haha I haxor3d j00r ph0n3!",
and then send it to any bluetooth enabled device in the facinity.
This in essense amounts up to at most a harmless little prank, but it's
fun to watch their faces when they get the message. However, I won't
bother explaining the details of how to bluejack, since the methods
are models and manufacturer dependant, and are explained on a site that
will be listed at the bottom of this tutorial. Don't believe that
the possibilities for exploiting bluetooth enabled gsm phones ends there
though. Another activity that we can jump onto is called bluebugging.
Bluebugging is the process of sniffing out communication from a
bluetooth-enabled cell phone. Like, for example, sms messages. Yup, now
you can sit in a coffee shop, open up your laptop, and spy on everyone
else who is using their phone. This concept was first introduced to the
world in a presentation at DefCon 11, and is now available to the public
in the form of a tool called BlueSniff that works as a bluetooth
wardriving utility to play big brother. Go to the below address to get
a copy of this tool...
http://bluesniff.shmoo.com/bluesniff-0.1.tar.gz
Another nice tool to use for such means is btscanner, which can be used to gather as much information as possible on a Bluetooth-enabled device. Yet again, this wonderful tool can be found at the address below...
http://www.pentest.co.uk/src/btscanner-1.0.tar.gz
There is also a method known as bluesnarfing, which can be used to gain access to a cell phone to steal files. However, contrary to the media hype surrounding this issue, bluesnarfing tools are NOT freely available for all to take (at least none that I know of). The only known tool to exploit this weakness is Bluesnarf, which is not freely available for download. However, don't let that get you down, since as you can see there are many more Bluetooth flaws that we are able to take advantage of. Well, that concludes this section. As always, I hope you all have enjoyed reading this tutorial as much as I enjoyed writing it. So until next time...
Section 4: Sites to Visit
www.gsmsolutionsltd.com - GSM Solutions Ltd. - full information on SIM cloning, including how to properly cut the silvercards
www.bluejackq.com - a site dedicated to bluejacking
www.geocities.com/henrik.kaare.poulsen/gsm.html - a complete guide to how GSM operates
Note: For those of you who have any questions or comments and feel the need to reach me, you can do so at [email protected] and I will try to get back to you as soon as possible.
www.informationleak.com