#1267092: Overview of Cellular-Hacking Resources

Description: Please note that multiple researchers published and compiled this work. This is a list of their research in the 3G/4G/5G cellular security space. This information is intended to consolidate the community's knowledge. Thank you. I plan on frequently updating this "Awesome Cellular Hacking" curated list with the most up-to-date exploits, blogs, research, and papers.

The idea is to collect information like the BMW article below, which slowly gets cleared and wiped from the Internet, making it less accessible and harder to find. Feel free to email me any document or link to add.

Contents

QCSniper - A tool for capturing 2G-4G air traffic using Qualcomm phones
This is Your President Speaking: Spoofing Alerts in 4G LTE Networks
The Most Expensive Lesson Of My Life: Details of SIM port hack
USING A HACKRF TO REVERSE ENGINEER AND CONTROL RESTAURANT PAGERS
Hacking Public Warning System in LTE Mobile Networks
Rooting SIM-cards
RF Exploitation: IoT/OT Hacking with SDR
Forcing a targeted LTE Cellphone Into an Eavesdropping Network
Hacking Cellular Networks
Bye-Bye-IMSI-Catchers
New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
White-Stingray: Evaluating IMSI Catchers Detection Applications
Breaking LTE on Layer Two
LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation
Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover
LTE PROTOCOL EXPLOITS: IMSI CATCHERS, BLOCKING DEVICES AND LOCATION LEAKS
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
Using OpenBTS - "Experimental Security Assessment of BMW Cars" by KeenLab
5G NR Jamming, Spoofing, and Sniffing
LTE Security – How Good Is It?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf (NIST SP 800-187)
#root via SMS: 4G access level security assessment
Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
LTE security and protocol exploits
LTE Recon - (Defcon 23)
LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements
Synacktiv
Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane
WiFi IMSI Catcher
Demystifying the Mobile Network by Chuck McAuley
https://www.defcon.org/images/defcon-22/dc-22-presentations/Pierce-Loki/DEFCON-22-Pierce-Loki-NSA-PLAYSET-GSM.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov
VoLTE Phreaking - Ralph Moonen
[Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks](https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf)

Evil BTS

OpenBTS software is a Linux application that uses a software-defined radio to present a standard 3GPP air interface to user devices, while simultaneously presenting those devices as SIP endpoints to the Internet.

YateBTS is a software implementation of a GSM/GPRS radio access network based on Yate. It is compatible with both 2.5G and 4G core networks, both of which are included in the YateUCN unified core network server. Resiliency, customization and technology independence are the main attributes of YateBTS.

bladeRF and YateBTS Configuration

srsLTE is a free and open-source LTE software suite developed by SRS (www.softwareradiosystems.com).

GSM Traffic Impersonation and Interception Related Blogs

EVIL LTE TWIN/IMSI CATCHER
Practical attacks against GSM networks: Impersonation
https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/
https://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
http://leetupload.com/blagosphere/2014/03/28/analyze-and-crack-gsm-downlink-with-a-usrp/
How To Build Your Own Rogue GSM BTS For Fun and Profit
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

Common issues:

Improper FW
Lack of proper antennas
Wrong cellular phone type
Wrong SIM
Incorrectly configured Mobile Country Code (MCC) and Mobile Network Code (MNC)
Incorrect software BTS settings
Virtualized platform is not fast enough
Wrong SDR firmware

Stingrays

https://www.wired.com/story/dcs-stingray-dhs-surveillance/
https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs
https://www.nyclu.org/en/stingrays

SS7/Telecom Specific

http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf
Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden

Jamming and Mapping

https://github.com/Synacktiv-contrib/Modmobjam
https://github.com/Synacktiv-contrib/Modmobmap

Scanning

https://github.com/Evrytania/LTE-Cell-Scanner
https://harrisonsand.com/imsi-catcher/
https://github.com/Oros42/IMSI-catcher
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
https://github.com/ptrkrysik/gr-gsm/wiki/Passive-IMSI-Catcher

CERT/Media Alerts

Voice over LTE implementations contain multiple vulnerabilities - CERT ALERT

Resources

RTL-SDR
MCC-MNC Codes for Base Stations
RFSec-ToolKit
FakeBTS
https://rmusser.net/docs/Wireless.html#cn

Misc

https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
AT&T Microcell FAIL - fail0verflow (Older blog article, but still a good read)
More info: https://github.com/W00t3k/Awesome-Cellular-Hacking

Date added July 11, 2019, 4:33 p.m.
Source Github
Subjects
  • 5G / 5G Wi-Fi Technology
  • Info on - Mobile Security
  • Mobile Malware and Threats - Various
  • Mobile Malware - New Reports in
  • Mobile Phone Hardware - Various
  • NEW Hack and Attack Methods
  • New Hack and Attack TOOLS Alerts
  • Telecommunications / ISP Alerts
  • Telecommunications / ISP Background Information and Reports
  • Tools - Mobile IOS / iPhone / iPad / Android etc
  • Tools - Mobiles / Smartphones - Various