scanners and cb radio

  • 28-09-2006 11:54pm
    #1
    Closed Accounts Posts: 5


    Anybody know if there are scanners out there now that can pick up phones?


Comments

  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    I don't think that's legal


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Yes, digital scanners can, I believe, if you have the right equipment.


  • Registered Users, Registered Users 2 Posts: 9,560 ✭✭✭DublinWriter


    crofty05 wrote:
    Anybody know if there are scanners out there now that can pick up phones?
    Yes. Do you have €350,000 to spare and a copy of the SIM of the phone you want to tap?

    Otherwise, forget it. Gone are the analogue days of the early 90s when you could just listen in to everyone.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Anybody know if there are scanners out there now that can pick up phones?

    Yes, there are, but without at least some software it isn't possible to decipher the data (at least GSM).

    You could try something like this here.

    I've wanted to investigate this for a few years now, but I've always been put off by the price tag of some mobile-based scanners (not handheld).

    The best research I've briefly read on the subject of intercepting mobile telephones was carried out by Eli Biham.

    Read 'Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication' here.

    There are GSM interceptors, but they are only feasible for organisations like military & police authorities that can afford such hardware...or criminal gangs.

    But if you're really serious about this stuff, consider investing in WinRadio hardware.

    For example, a good buy would be the 3150e or WR-3150i-DSP.

    The only problem is what it says in detail:
    The frequency range is 150 kHz to 1.5 GHz. (The publicly available US version excludes cellular frequencies 825-849 and 869-894 MHz).

    Good range, but if you were to receive it with excluded frequencies..it could cause you some problems.
    Although US GSM differs from European, so it may not be a problem after all.

    Check it out, it's probably the best option, if you can afford it.

    Forgot to mention, I remember reading that some GSM works at 1900 MHz, not sure if that's in the US or Europe..but the 3150e may not be enough for what you want.

    150 kHz to 4.0 GHz :D

    $2995.00 :(


  • Closed Accounts Posts: 5 crofty05


    Cheers, I have decided to purchase one after looking into it. It's a serious machine, the 3150e. Thanks.


  • Registered Users, Registered Users 2 Posts: 9,560 ✭✭✭DublinWriter


    There are GSM interceptors, but they are only feasible for organisations like military & police authorities that can afford such hardware...or criminal gangs.
    You're basically talking tens and hundreds of thousands of Euro for some of the GSM intercepting kit coming out of cottage industries in China/South Korea.

    Even so, you'd still need a clone of the SIM card of the phone you want to tap. You can't just 'promiscuously' listen to the airwaves anymore like you could in the old analogue cell-phone days.

    The WinRadio kit is good and cheap and serves as a great introduction to radio, but it's still a toy and you won't be able to do anything more with it than you could do with a decently spec'ed handheld scanner. Mobile it ain't, which is a major drawback for most.

    Some of the more exciting kit I've seen recently has been from Bearcat, whose scanners have a 'close proximity' scanning mode, meaning that when you're down at your local shopping centre, the scanner will automatically hunt for strong local signals and alert you to them, so you don't have to go frequency hunting.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Slightly on/off topic.

    Say if you just wanted to be able to pick up signals from electric gates and such, what would you need?

    For instance, to get into my car park I have a little keyring; press the button and the gate opens. Now I have a separate keyring for the work gate; both work on different frequencies.

    Could I get something to pick up and transmit the signal back?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    WinRadio kit is good and cheap

    Which kit do you mean? I don't think they are all cheap..some of the specs look a bit outdated though.
    serves as a great introduction to radio, but it's still a toy

    I assume you've actually owned & used one before or know someone who has.
    So OK, I believe you know a lot about this already, won't argue with that.
    Mobile it ain't, which is a major drawback for most.

    The WinRadio hardware is PC-based..so you would obviously be packing some portable computer, i.e. a laptop, no?

    Like, this has its own portable computer:
    PFSL-3000

    And this can be used with a laptop.

    Would a handheld scanner from Bearcat & a laptop be a better solution?

    What handheld would you recommend? I'm interested in getting one some time in the future.


  • Closed Accounts Posts: 5 crofty05


    There is a sweet Bearcat out there now, don't know the model number, has a red screen and can hook up to navigation. Anybody know the reason? Looks good.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    A Frequency Counter and a copy of the A-Team episode Till Death Do Us Part to see how to open the gates once you have the frequency :]

    Thanks, I knew the A-Team wouldn't let me down!!! (and Bedlam of course ;) )


  • Registered Users, Registered Users 2 Posts: 1,001 ✭✭✭Mickk


    Ireland's frequencies are:
    O2
    907.5-915.0 / 952.5-960.0 MHz and 1750.9-1765.3 / 1845.9-1860.3 MHz

    Vodafone
    900.0-907.5 / 945.0-952.5 MHz and 1736.3-1750.7 / 1831.3-1845.7 MHz

    Meteor
    892.5-900.0 / 937.5-945.0 MHz and 1765.5-1779.9 / 1860.5-1874.9 MHz


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Mickk wrote:
    Ireland's frequencies are:
    O2
    907.5-915.0 / 952.5-960.0 MHz and 1750.9-1765.3 / 1845.9-1860.3 MHz

    Vodafone
    900.0-907.5 / 945.0-952.5 MHz and 1736.3-1750.7 / 1831.3-1845.7 MHz

    Meteor
    892.5-900.0 / 937.5-945.0 MHz and 1765.5-1779.9 / 1860.5-1874.9 MHz

    Hey, how do you know this? :D
    Sounds about right for GSM, from what I read..but I wouldn't know for sure.
    Have you ever tried decrypting the conversations offline? Using some code?
    I would be very interested in doing this, just as an experiment of course :)
    Also, what about SMS, are they sent on the same frequencies?

    Let us know, please!


  • Closed Accounts Posts: 888 ✭✭✭themole


    The best research I've briefly read on the subject of intercepting mobile telephones was carried out by Eli Biham.

    Read 'Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication' here.

    Here is an article from 2003 on his research.

    Unless things have changed since then:
    It is only theoretical, rather than an imminent threat to the security of people's calls." To actually crack the GSM encryption "would take several hundreds of thousands of pounds and lots of skill to reprogram the equipment needed", Volans told New Scientist.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    The GSM Association, which represents the global industry, acknowledges that the research "goes further than previous academic papers" and "appears to be feasible". But spokesperson Ian Volans says: "It is only theoretical, rather than an imminent threat to the security of people's calls." To actually crack the GSM encryption "would take several hundreds of thousands of pounds and lots of skill to reprogram the equipment needed", Volans told New Scientist.

    I think it's important to highlight who made the statement, & who that person represents.
    If you read the actual paper by independent academics..Eli Biham is a very respected cryptographer & mathematician, whom I would trust more than some dodgy PR spokesman..it tells a completely different story..

    I quote from the paper:
    In this paper we present a very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use "unbreakable" ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer.

    Note, a few dozen milliseconds..on a PC. Since when did PCs cost hundreds of thousands of pounds?

    So, what Volans says is complete rubbish..never listen to spokesmen. ;)

    Biham waited 3 years before publishing the full research on GSM, why?
    Because it's obvious that what he discovered was very sensitive information that could be used by almost anyone smart enough to understand the documentation to listen in on people's phone calls, encrypted or not.

    READ the full paper, and you will see that it is VERY FEASIBLE for the right people with a PC, radio equipment (i.e. a scanner covering the possible frequencies given by Mickk) and some code to carry out a whole range of attacks against GSM phones.

    The thing is, nobody has bothered to do this yet..at least not publicly anyway.


  • Registered Users, Registered Users 2 Posts: 1,001 ✭✭✭Mickk


    As I understand GSM, your network sends out 6 requests every time you turn on your phone to verify it is you, and the encryption key is included in one of them.

    Ideally each phone would have built-in decryption on the packets but they don't, and there lies the weakness. The infrastructure is too established to add this now as well... (this is just my take on what I have read, it might be off or even way off)

    It probably would be possible to tap random phones by intercepting the packets, but for specific numbers not easy...

    It could be very very lucrative though, so don't get caught or they will throw the book at you, charging multi-way conference video calls lasting days to random numbers...


  • Closed Accounts Posts: 888 ✭✭✭themole


    From the quoted paper:
    Man in the Middle Attack
    The attacker can tap conversations in real time by performing a man-in-the-middle attack, as depicted in Figure 7.3. The attacker uses a fake base-station in its communications with the mobile phone, and impersonates the mobile phone to the network.

    Call Wire-Tapping
    Then, he uses a fake base station to attack the victim phone and retrieve the respective Kc.
    I am not questioning the ability to break the encryption. The main cost involved is in being able to capture the wireless signal in a meaningful way.

    AFAIK, from what I learned in college ('twas a while ago so I could be wrong), one of the things which makes it hard to read a GSM signal is that the signal does frequency hopping, and if you do not know the scheme used and the timing you cannot read all of the signal. This is why in the above two examples from the paper you need a fake base station to get the caller to talk to it.

    That's what costs money.


    There are two essential issues:
    1) Being able to read the entire signal
    2) Decrypting the signal.

    Is there any piece of equipment which can sniff the signal in a passive way and thereby get enough information to break the encryption?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    themole wrote:
    AFAIK, from what I learned in college ('twas a while ago so I could be wrong), one of the things which makes it hard to read a GSM signal is that the signal does frequency hopping, and if you do not know the scheme used and the timing you cannot read all of the signal.
    (b) The network broadcasts an IMMEDIATE ASSIGNMENT message on the PAGCH. This message contains the random discriminator (and also the TDMA frame number in which the CHANNEL REQUEST was received), and the details of the channel that is allocated to the mobile (including frequency hopping information, if needed). The message also includes other technical information such as timing advance. The mobile immediately tunes to the assigned traffic channel.
    themole wrote:
    This is why in the above two examples from the paper you need a fake base station to get the caller to talk to it.
    page 21 wrote:
    It is easy (and cheap) to build and operate a fake base station in GSM, using off-the-shelf equipment. The fact that the phone does not authenticate the network also helps.

    Maybe some of the information is obsolete now..but it's only been 3 years since that research took place & I'd say it's still applicable today.

    Wouldn't it cost too much money for phone companies to change all the existing hardware already installed?
    ...unless of course there is a way (probably) to upgrade firmware to protect against these kinds of attacks?

    Older phones wouldn't work, or would they?
    page 22 wrote:
    The attacker can tap conversations in real time by performing a man-in-the-middle attack, as depicted in Figure 7.3. The attacker uses a fake base-station in its communications with the mobile phone, and impersonates the mobile phone to the network. When authentication is initiated by the network, the network sends an authentication request to the attacker, and the attacker forwards it to the victim. The victim computes SRES, and returns it to the attacker, which holds it and does not send it back to the network, yet. Next, the attacker asks the phone to start encryption using A5/2.

    And on that..
    abstract wrote:
    We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer.

    One thing is, as Mickk already pointed out, it would be difficult to monitor specific phone numbers..
    But if you could set up your fake base station & "lure" all mobiles, isolating the one you're looking for..well, too much to copy/paste, read page 26.

    Everything in this paper leads me to believe that with a few good heads knocked together (people with experience in radios/electronics & computers)..it would be possible to carry out most of these attacks, using the information provided in the paper as a guide.


  • Closed Accounts Posts: 888 ✭✭✭themole


    Interesting.

    I wonder just how much it would cost to build a GSM base station.

    From reading most of that paper, I believe it said that 3G does not use the same encryption scheme and so is probably not vulnerable?

    If 3G is not vulnerable then there is not much point trying to fix the 2.5G network as they are trying to get everyone to go 3G anyway.

    I reckon they will shut down the regular 2.5G network in the next 3/4 years, or possibly sooner.


  • Registered Users, Registered Users 2 Posts: 8,004 ✭✭✭ironclaw


    GSM deciphering is impossible to anyone with a budget below about €750,000 at least.

    1) It's illegal

    2) The A5 algorithm is such that hacking is almost impossible

    Only a handful of hacks have taken place. One recently was done offline but no details have emerged. "Man in The Middle" attacks are possible and well documented. Where it becomes hard is you need to create a GSM tower (i.e. a laptop with a GSM card etc...). This is very hard to do. No digital scanner or analogue scanner on the market can decipher GSM. Online or offline. There are people who have spent their lives hacking it with little success. A WinRadio unit would go a long way towards it but it would need a lot of sophisticated digital processors. But once you have your "grab" or RAW data how do you decipher it? No program has been written to do so (at least not public domain). I am all for information and I respect people's opinions. But right now, GSM hacking isn't possible. Bearing in mind it has been around for 15 years plus and never has been openly hacked.

    Regards and I wish you all the best,

    ironclaw


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    GSM deciphering is impossible to anyone with a budget below about €750,000 at least.

    Do you know this from personal experience?
    I doubt it very much.
    Yes, I'm very cynical.
    1) It's illegal

    There are a lot of illegal activities much worse than GSM hacking that still happen every day, even right now as you read this. Just because GSM hacking is "illegal" won't stop it from happening in the real world.

    Wireless hacking for example would be considered "illegal".
    Still goes on.
    2) The A5 algorithm is such that hacking is almost impossible

    What? :D
    Did you even read that paper we've been talking about?
    Please go and READ the paper before you comment further.

    So far, you're saying that what Eli Biham states in the paper is untrue?
    And you expect anyone to take you seriously? Do you even know who Eli Biham is?

    You think he would publish a paper full of lies that would inevitably damage his credibility as a security researcher?

    Please provide some credible evidence to show that GSM hacking is "impossible", then perhaps you have a valid argument.

    Right now, I don't know if you're serious or joking.

    Also, just to inform you, if you want source code to any of the encryption algorithms used in GSM, the specifications are available from the 3GPP site.

    look here:
    http://www.3gpp.org/specs/numbering.htm


  • Registered Users, Registered Users 2 Posts: 9,560 ✭✭✭DublinWriter


    Do you know this from personal experience?
    I doubt it very much.
    Yes, I'm very cynical.
    Well, I've read a couple of articles in 'Monitoring Monthly' about kit developed by a company in Hong Kong that will tap GSM calls made to a phone as long as you have a clone of its SIM.

    The article stated that you wouldn't have much change out of £500K stg.

    So before you go shooting people down, it's best to do some homework yerself.


  • Registered Users, Registered Users 2 Posts: 8,004 ✭✭✭ironclaw


    I am not going to enter into an argument. That paper is 3 years out of date (a long time considering 3G, WiMAX and newer near-broadband-speed techs have been developed). And I am reading the paper and yes, I have some experience in this field. Yahoo Groups have some interesting information, if you bother to look. A GSM Man in The Middle attack would be a lot cheaper; how much, I can't say.

    To finish, I'm a first-time user of this site and the idea of forums is to spread ideas, not shoot them down. Also, GSM "hacking units" are not available to anyone outside of Governments or Police forces. By all means write them an email, but I doubt you'll get a response. On a side note, you do not need a clone of the intended SIM card.

    ironclaw


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Firstly, Ironclaw, please accept my apologies.
    I wrongly assumed you were contradicting what was stated in the paper without actually having read it.
    Jumped the gun, sorry.
    ironclaw wrote:
    That paper is 3 years out of date
    It is 3 years old, but is ALL of it out of date? Obsolete?
    I don't believe so.
    ironclaw wrote:
    A GSM Man in The Middle attack would be a lot cheaper; how much, I can't say.

    Well, this was initially what I believed we were discussing.
    Not commercial GSM interceptors, but actual man-in-the-middle attacks, which in practice are rarely impossible.

    I mean, if you think about symmetric encryption where the same key is used for enciphering/deciphering a stream of data..both the sender/receiver must know the key, right?

    And so either sender/receiver must negotiate a key to use in a session before a call is made, or at least between the initial caller & base station.

    So what if someone with radio equipment captures the key? Can it not be used to decrypt the data offline/online the same as sender/receiver?
    I don't see how this would be impossible.

    AFAIK cell phones don't use asymmetric crypto like RSA, do they?
    Which is not impossible to crack either, but very time consuming & more difficult.
    Is not A3 based on KASUMI, based on MISTY1, which is a symmetric block cipher?

    AFAIK this is the current cipher being used in European GSM phones, right or wrong?
    If not, what is then?
    ironclaw wrote:
    To finish, I'm a first-time user of this site and the idea of forums is to spread ideas, not shoot them down.

    Welcome, it's always good to have knowledgeable people on these kinds of subjects visit here.
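An added illustration of the key question raised above (how the sender and the base station come to share a symmetric key, and what the paper's page 21 means by "the phone does not authenticate the network"). This is example code written for this page, not from the thread or from Biham's paper. It is a toy Python model of the GSM challenge-response: HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms (the real ones, such as COMP128, are different), the IMSI and Ki are made-up values, and the `network_mac` tag is a constructed simplification of the idea behind 3G's AUTN, not the real f1 function. The model shows that Kc is never sent over the air but derived at both ends from Ki and RAND, that a GSM-mode phone answers whatever RAND it is given with no way of telling who sent it, and that a network-side tag on the challenge lets the phone refuse a challenge from a station that does not hold Ki.

```python
import hashlib
import hmac
import os

# Constructed sample subscriber: the IMSI and Ki below are made-up values.
SAMPLE_IMSI = "999990000000001"
SAMPLE_KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for GSM's A3/A8 (real algorithms are operator-specific, e.g. COMP128).
    Derives the 32-bit SRES (authentication response) and the 64-bit Kc (session key)
    from the SIM secret Ki and the network's challenge RAND. Kc is never transmitted."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def network_mac(ki: bytes, rand: bytes) -> bytes:
    """Constructed network-side tag (simplified model of 3G's AUTN/MAC idea):
    proves the challenge was issued by a party holding Ki. Domain-separated from a3_a8."""
    return hmac.new(ki, b"AUTN" + rand, hashlib.sha256).digest()[:8]


class Phone:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def answer_gsm(self, rand: bytes) -> tuple:
        """GSM behaviour: any RAND is answered; nothing identifies who sent it."""
        return a3_a8(self.ki, rand)

    def answer_mutual(self, rand: bytes, autn: bytes):
        """Mutual-auth behaviour: refuse the challenge unless its tag verifies under Ki."""
        if not hmac.compare_digest(network_mac(self.ki, rand), autn):
            return None
        return a3_a8(self.ki, rand)


class Network:
    """Home network holding each subscriber's Ki; produces authentication data."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def challenge(self, imsi: str) -> tuple:
        ki = self.subscribers[imsi]
        rand = os.urandom(16)
        sres, kc = a3_a8(ki, rand)
        return rand, sres, kc, network_mac(ki, rand)


def gsm_session(network: Network, phone: Phone) -> dict:
    """Genuine network challenges the phone; both sides end up with the same Kc."""
    rand, expected_sres, kc_net, _ = network.challenge(phone.imsi)
    sres, kc_phone = phone.answer_gsm(rand)
    return {"network_accepts_phone": sres == expected_sres,
            "keys_agree": kc_phone == kc_net}


def unknown_station_answered_gsm(phone: Phone) -> bool:
    """A station that holds no Ki sends an arbitrary RAND. A GSM phone answers
    regardless, so there is no check such a station would fail. Always True."""
    return phone.answer_gsm(os.urandom(16)) is not None


def unknown_station_answered_mutual(phone: Phone) -> bool:
    """Same station against the mutual-auth phone: without Ki it cannot forge the
    tag, so the phone declines to answer. Always False."""
    return phone.answer_mutual(os.urandom(16), os.urandom(8)) is not None


def mutual_session(network: Network, phone: Phone) -> bool:
    """Genuine network with the tag attached: the phone answers and is accepted."""
    rand, expected_sres, _, autn = network.challenge(phone.imsi)
    resp = phone.answer_mutual(rand, autn)
    return resp is not None and resp[0] == expected_sres


if __name__ == "__main__":
    net = Network({SAMPLE_IMSI: SAMPLE_KI})
    ph = Phone(SAMPLE_IMSI, SAMPLE_KI)
    print("GSM session:", gsm_session(net, ph))
    print("GSM phone answers unknown station:", unknown_station_answered_gsm(ph))
    print("Mutual-auth phone answers unknown station:", unknown_station_answered_mutual(ph))
    print("Mutual-auth session with real network:", mutual_session(net, ph))
```

The design point is the asymmetry: SRES lets the network check the phone, but nothing in the GSM exchange lets the phone check the network, which is why the paper can describe a cheap fake base station. Adding a keyed tag to the challenge closes that gap without changing how Kc is derived.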


  • Registered Users, Registered Users 2 Posts: 8,004 ✭✭✭ironclaw


    No problems. Apology accepted. Everyone is entitled to a view. I enjoy reading documentation on this topic. And I would never contradict it as I am not of that standard. This document is worth a read but be prepared as it is 3 yrs outdated.

    I have interesting documents somewhere which I will post ASAP.

    And the current algorithm...emm... I am not sure. I heard A3 or A5 or a new A5 (I am probably wrong). Plus every provider would probably use a slightly different method (again I could be wrong).

    Regards to all.

    Ironclaw


  • Closed Accounts Posts: 1 DeltaAlpha1


    Hey all, just wondering if people here use CB radios in the Dublin area. I've noticed a lot of people with long aerials on the roofs of their cars. Do most people use 40 CH AM/FM or is it the more USB/Side Band channels?

    If so, what channels are most commonly used in Dublin?

    Thanks

