Awesome-Cellular-Hacking

Please note multiple researchers published and compiled this work. This is a list of their research in the 3G/4G/5G Cellular security space. This information is intended to consolidate the community’s knowledge. Thank you, I plan on frequently updating this “Awesome Cellular Hacking” curated list with the most up to date exploits, blogs, research, and papers. (W00t3k https://github.com/W00t3k)

The idea is to collect information like the BMW article below, that slowly gets cleared and wiped up from the Internet – making it less accessible, and harder to find. Feel free to email me any document or link to add.

Contents

• QCSniper – A tool For capture 2g-4g air traffic using qualcomm phones
• This is Your President Speaking: Spoofing Alerts in 4G LTE Networks
• The Most Expensive Lesson Of My Life: Details of SIM port hack
• USING A HACKRF TO REVERSE ENGINEER AND CONTROL RESTAURANT PAGERS
• Hacking Public Warning System in LTE Mobile Networks
• Rooting SIM-cards
• RF Exploitation: IoT/OT Hacking with SDR
• Forcing a targeted LTE Cellphone Into an Eavesdropping Network
• Hacking Cellular Networks
• Bye-Bye-IMSI-Catchers
• New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
• White-Stingray: Evaluating IMSI Catchers Detection Applications
• Breaking_LTE_on_Layer_Two
• LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation
• Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover
• LTE PROTOCOL EXPLOITS: IMSI CATCHERS,BLOCKING DEVICES AND LOCATION LEAKS
• Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
• Using OpenBTS – “Experimental_Security_Assessment_of_BMW_Cars by KeenLab”
• 5G NR Jamming, Spoofing, and Sniffing
• LTE Security – How Good Is It?
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf –Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
• #root via SMS: 4G access level security assessment
• Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
• LTE security and protocol exploits
• LTE Recon – (Defcon 23)
• LTE Pwnage: Hacking HLR/HSS and MME CoreNetwork Elements
• Synacktiv
• Touching the Untouchables: Dynamic Security
• WiFi IMSI Catcher
• Analysis of the LTE Control Plane
• WiFi IMSI Catcher
• Demystifying the Mobile Network by Chuck McAuley
• (https://www.defcon.org/images/defcon-22/dc-22-presentations/Pierce-Loki/DEFCON-22-Pierce-Loki-NSA-PLAYSET-GSM.pdf)
• D1T2 – Bypassing GSMA Recommendations on SS7 Networks – Kirill Puzankov
• VoLTE Phreaking – Ralph Moonen
• [Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stack] (https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf)

Evil BTS

OpenBTS software is a Linux application that uses a software-defined radio to present a standard 3GPP air interface to user devices, while simultaneously presenting those devices as SIP endpoints to the Internet

YateBTS is a software implementation of a GSM/GPRS radio access network based on Yate and is compatible with both 2.5G and 4G core networks comprised in our YateUCN unified core network server. Resiliency, customization and technology independence are the main attributes of YateBTS

• bladRF and YateBTS Configuration

srsLTE is a free and open-source LTE software suite developed by SRS (www.softwareradiosystems.com)

GSM Traffic Impersonation and Interception Related Blogs

• EVIL LTE TWIN/IMSI CATCHER
• Practical attacks against GSM networks: Impersonation
• https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/
• https://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
• http://leetupload.com/blagosphere/2014/03/28/analyze-and-crack-gsm-downlink-with-a-usrp/
• How To Build Your Own Rogue GSM BTS For Fun and Profit
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

Common issues:

• Improper FW
• Lack of proper antennas
• Wrong cellular phone type
• Wrong SIM
• Not configured correctly – Mobile Country Codes (MCC) and Mobile Network Codes (MNC)
• Incorrect software BTS settings
• Virtualized platform is not fast enough
• Wrong SDR firmware

Stingray’s

• https://www.wired.com/story/dcs-stingray-dhs-surveillance/
• https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs
• https://www.nyclu.org/en/stingrays

SS7/Telecom Specific

• http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf
• Getting in the SS7 kingdom: hard technology and disturbingly easy hacks= to get entry points in the walled garden

Jamming and Mapping

• https://github.com/Synacktiv-contrib/Modmobjam
• https://github.com/Synacktiv-contrib/Modmobmap

Scanning

• https://github.com/Evrytania/LTE-Cell-Scanner
• https://harrisonsand.com/imsi-catcher/
• https://github.com/Oros42/IMSI-catcher
• https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
• https://github.com/ptrkrysik/gr-gsm/wiki/Passive-IMSI-Catcher

CERT/Media Alerts

• Voice over LTE implementations contain multiple vulnerabilities – CERT ALERT

Resources

• RTL-SDR
• MCC-MNC Codes for Base Stations
• RFSec-ToolKit
• FakeBTS
• https://rmusser.net/docs/Wireless.html#cn

Misc

• https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
• AT&T Microcell FAIL – fail0verflow (Older blog article, but still a good read)

Credits: W00t3k https://github.com/W00t3k