323883

Penetration Testing of GSM Network using Man-In-The-Middle Attack

Article

Last updated: 26 Dec 2024

Subjects

-

Tags

Electrical Engineering, Computer Engineering and Electrical power and machines engineering.

Abstract

Even though wireless communication technologies have advanced beyond the Global System for Mobile Communications (GSM) standard to mitigate its vulnerabilities, GSM is still a fallback technology when coverage is limited and modern protocols aren't available. There is a need for a comprehensive practical demonstration, amidst the latest developments, of the pool of vulnerabilities found in the GSM architecture over the past decades, using open-source man-in-the-middle tools and SDRs. It can be shown that an attacker can successfully carry out base station spoofing, IMSI catching, GSM packet sniffing, decoding, decryption and Denial of Service (DoS) attacks. Thus, this paper aims to comprehensively present practical demonstrations of the many vulnerabilities that can be exploited with available tools.
We carried out IMSI catching with a rogue BTS deployed using OpenBTS and a USRP B210, GSM sniffing and decoding using GR-GSM and an RTL-SDR, and A5/1 decryption using clever thinking and rainbow tables. It was observed that the one-way authentication of the GSM protocol allows most mobile devices to easily authenticate to the rogue BTS with spoofed MCC/MNC, and that the strongest signal mostly wins. It was also observed that attacks on the target user, such as a DoS or unencrypted communication, can be successfully carried out because the rogue BTS is in total control.
Though the vulnerabilities of GSM have been made known to the general public, some network providers have not taken simple measures to mitigate them; thus, this work can serve as a guideline for research purposes and raise awareness among the general public.

DOI

10.21608/jesaun.2023.226718.1249

Keywords

IMSI catcher, OpenBTS, GR-GSM, Wireshark, A5/1 rainbow tables

Authors

First Name

Nosa

Last Name

Bello

MiddleName

-

Affiliation

Department of Electrical/Electronic Engineering, University of Benin, Benin City, Nigeria

Email

nosabello@uniben.edu

City

Benin

Orcid

0009-0003-7831-3066

First Name

Ogechukwu

Last Name

Kanu

MiddleName

-

Affiliation

Department of Electrical/Electronic Engineering, University of Benin, Benin City, Nigeria

Email

kanu.ogechukwu@eng.uniben.edu

City

Amuwo

Orcid

0000-0002-6237-6682

Volume

52

Article Issue

1

Related Issue

44873

Issue Date

2024-01-01

Receive Date

2023-08-02

Publish Date

2024-01-01

Page Start

12

Page End

26

Print ISSN

1687-0530

Online ISSN

2356-8550

Link

https://jesaun.journals.ekb.eg/article_323883.html

Detail API

https://jesaun.journals.ekb.eg/service?article_code=323883

Order

5

Type

Research Paper

Type Code

1,438

Publication Type

Journal

Publication Title

JES. Journal of Engineering Sciences

Publication Link

https://jesaun.journals.ekb.eg/

MainTitle

Penetration Testing of GSM Network using Man-In-The-Middle Attack

Details

Type

Article

Created At

26 Dec 2024