usrp-users@lists.ettus.com

Discussion and technical support related to USRP, UHD, RFNoC


GreedyBTS - GSM & E100

Hacker Fantastic
Fri, Feb 7, 2014 9:58 AM

Hi all,
Here is a copy of some slides I wrote for a presentation on
security weaknesses within GSM. I used an Ettus E100 to develop a malicious
BTS and GSM related attacks in a Faraday cage and presented on how these
attacks work to better understand them for defensive purposes. I was able
to use the E100 as a generic IP-router after I cross-compiled a new kernel
with netfilter enabled, and I also had to recompile a number of the packages
such as Asterisk to enable ODBC and improved SQLite support. I also had to
make some changes to Python and its modules. I used GNURadio 3.6.4 and I
had to compile a specific version of the OpenBTS code as the recent
transceiver application did not function with the E100. I was able to get
the E100 to work as a GSM/GPRS router and do real-time call placement etc.

Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest.

Kind Regards,
Matthew

Furkan Elibol
Mon, Feb 10, 2014 8:41 AM

Hi,

I am interested in your E100 image, and if you support images I want to try it.

Thanks..

furkan


On Fri, 2/7/14, Hacker Fantastic hackerfantastic@googlemail.com wrote:

Subject: [USRP-users] GreedyBTS - GSM & E100
To: usrp-users@lists.ettus.com
Date: Friday, February 7, 2014, 9:58 AM

Hi all,     
  Here is a copy of some slides I wrote for a presentation
on security weaknesses within GSM. I used an Ettus E100 to
develop a malicious BTS and GSM related attacks in a Faraday
cage and presented on how these attacks work to better
understand them for defensive purposes. I was able to use
the E100 as a generic IP-router after I cross-compiled a new
kernel with netfilter enabled and also I had to recompile a
number of the packages such as Asterisk to enable ODBC and
improved SQLite support, I also had to make some changes to
Python and its modules. I used GNURadio 3.6.4 and I had to
compile a specific version of the OpenBTS code as the recent
transceiver application did not function with the E100. I
was able to get the E100 to work as a GSM/GPRS router and do
real-time call placement etc.

Just goes to show how mighty things come in small
packages! Hope this material is useful to others on the list
who may also be trying similar experiments. I ended up
creating a firmware image that could be used to dd and boot
an E100 but at this time I do not plan on hosting it for
download unless there is sufficient interest. 

Kind Regards, Matthew

-----Inline Attachment Follows-----


USRP-users mailing list
USRP-users@lists.ettus.com
http://lists.ettus.com/mailman/listinfo/usrp-users_lists.ettus.com
