How 2G / GSM Was Decrypted And Decoded In The Early 2010's: Playing Around With AIRPROBE In 2023!

Published: 1 February 2023
On the channel: Rob VK8FOES

All the way back in 2010, Karsten Nohl of Security Research Labs in Germany delivered a talk at the Blackhat hacker convention. In this presentation, titled 'Breaking GSM Phone Privacy,' he showed how it was possible to decrypt and decode GSM data from cellular mobile networks.

The software tools for Linux showcased in this presentation were titled 'Kraken' and 'Airprobe.' I intend to make a video about Kraken at a later date, but this video will focus on Airprobe to show how mobile phone hackers intercepted and monitored voice calls and SMS messages back in the early 2010s.

Ultimately, Airprobe became obsolete because the software was not updated for later versions of Linux and GNU-Radio. Later, an individual by the name of Piotr Krysik got busy expanding on the Airprobe codebase and modernized it into what would eventually become the software tools known as 'GR-GSM', which I have showcased in previous videos.

Using the SRLabs Airprobe tutorial (I had to use the Wayback Machine to access it, link below), I enter the various commands to decrypt and decode the famous 'vf_call6' data capture file of a real phone call on an actual cellular carrier's GSM network, and towards the end of the video I play the decoded voice traffic.

I believe that this test file was recorded by the author of Airprobe themselves and was distributed voluntarily with the encryption key that he retrieved from his own telephone. So, I should reaffirm strongly that I have not, and will not EVER intercept any private communications because Australia has not had a 2G network operational since 2018.

Decryption of the test file is possible because the encryption key (called 'Kc' in GSM engineering speak) is supplied. There are a number of known methods for obtaining the Kc encryption key of your own mobile telephone and voice calls on GSM, mainly utilizing older telephones like a BlackBerry, which can display the value, or using SIM card readers to read it directly from the SIM card.

Decrypting 2G voice calls and SMS messages when the encryption key isn't already known to you (very naughty!) is called 'cracking' and involves using a software tool called 'Kraken'. Obtaining the key this way is a very involved and technical process that relies solely on the hope that a particular mobile phone carrier's network uses the A5/1 cipher for protecting its subscribers' data.

Whether there are any GSM cell phone networks still using A5/1 encryption in 2023 is anyone's guess, but I highly doubt it. In the future, I hope to try to capture data from my own private test 2G network that uses YateBTS/BladeRF and use Airprobe to decode the voice and SMS messages sent between my own smartphones. But this version of Airprobe, GNU-Radio and Ubuntu is very old and only supports the outrageously expensive Ettus USRP software defined radios.

There is a patched version of Airprobe for GNU-Radio 3.7 that supports the RTL-SDR and, with some tweaks, the HackRF and BladeRF, all three of which I own. Another project for the future. Thanks for reading and watching!

LINKS

SRLabs.de Airprobe Tutorial
https://web.archive.org/web/201603100...

Airprobe Compiling Tutorial
https://www.rtl-sdr.com/rtl-sdr-tutor...

Ubuntu 12.04 ISO: (Pre-installed GNU-Radio 3.6 and Libosmocore)
https://archive.midnightchannel.net/z...

SOFTWARE:
VMWare Workstation 15
Ubuntu 12.04 Virtual Machine
GNU-Radio 3.6 (Needed for Airprobe)
Libosmocore (Needed for Airprobe)
Random other dependencies? (libtalloc-dev 2.1.0, I think)
Libgsm-tools 1.0.13 (making GSM audio playable)

THIS VIDEO IS MADE FOR EDUCATIONAL AND EXPERIMENTATION PURPOSES ONLY. IMSI-CATCHING, SMS-SNIFFING AND VOICE CALL INTERCEPTION ON GSM NETWORKS IS ILLEGAL AND PUNISHABLE BY HEFTY FINES AND PRISON TIME! YOU HAVE BEEN WARNED.