Um, yeah, I don’t have $20k to drop on an Ettus USRP X310 and two daughterboards. I would have liked to have played with it but that is too rich for me.
A B210 with GPSDO is expensive, but considerably cheaper than $20k. Granted the functionality would be limited but it is possible for hobbyists to play with this.
This is usually the very inspiration for a hacker to pull out the soldering iron to make one themselves, because the off-the-shelf item is too damn expensive.
From rather ancient memory, the high-end Ettus stuff is much, much more expensive than its BOM cost. You're paying for a well-designed and well-tested product with excellent RF performance and a good ecosystem. You buy it and it works.
You could design your own board(s) with the same parts, and you could build it for much less money. But you'd need to know what you're doing, and the design stage would be expensive.
That’s one of the lessons learned when hacking your own thing. After enough projects and buying the parts & pieces (you never buy just one component), you end up with a stash that eventually means you don’t have to buy anything for a future project. It’s part of the cost of being a hacker.
From Hardware Requirements > SDR: "To sniff only downlink traffic from the base station, one can operate LTESniffer with USRP B210 which is connected to PC via a USB 3.0 port. Similarly, USRP B210 should be equipped with GPSDO and two RX antennas to decode downlink messages in transmission modes 3 and 4."
Is it just me, or should you be able to do this with a pair of HackRFs with a clock jumper between the two? Or possibly a clock-sync pin tied between the CPLDs?
Does anyone know the encryption scheme of LTE? Does the key change with each message, or is it for a longer period of time? I'm wondering how feasible it is for an attacker to capture and then break the encryption (obviously if we're talking 2048-bit that won't be happening anytime soon).
The authentication model is based on RADIUS with EAP. The main point is that anything after and including 3G does mutual authentication, and in 4G/5G this is based on IETF protocols; in theory, you can associate with a 4G network with whatever authentication supplier works with WPA-Enterprise (and in theory that even works the other way around). The idea there is that 4G/5G is simply a physical layer for Ethernet II frames with some kind of access control and QoS layer. And quite obviously the frames are encrypted and authenticated on L2. And as the whole thing is IP, some carriers just tunnel the whole thing in an additional layer of IPsec tunnels.
Surely a phone would rather connect to a moderately strong 3/4/5G tower than a very strong 2G tower, right? So that'd limit you to settings where people otherwise wouldn't have a connection at all. IDK, genuinely curious.
These attacks are generally carried out by a “rogue base station” that simulates being a cell tower. It doesn’t require that there be a local 2G infrastructure.
The decommissioning of 2G/3G and removal of downgrades applies pretty much everywhere these days (my operator doesn't even allow 3G downgrades on their 5G plans); I read it as just an example rather than starting a very specific conversation.
Authentication profiles. Basically, one can specify on the SIM profile that for a certain PLMN (mobile operator) only certain authentication methods are allowed (2G, 3G, 4G use different auth methods).
If I recall correctly, what this software is capable of doing is not what the Stingray debacle was about.
While the Stingray could also be used as a passive sniffer, the FBI Stingray debacle was about it being used as an active fake cell site, in proximity to a target, to intercept communications.