Please note multiple researchers published and compiled this work. This is a list of their research in the 3G/4G/5G Cellular security space. This information is intended to consolidate the community's knowledge. Thank you, I plan on frequently updating this "Awesome Cellular Hacking" curated list with the most up to date exploits, blogs, research, and papers.
The idea is to collect information like the BMW article below, that slowly gets cleared and wiped up from the Internet - making it less accessible, and harder to find. Feel free to email me any document or link to add.
- White-Stingray: Evaluating IMSI Catchers Detection Applications
- Breaking_LTE_on_Layer_Two
- LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation
- Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover
- LTE PROTOCOL EXPLOITS: IMSI CATCHERS,BLOCKING DEVICES AND LOCATION LEAKS
- Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
- Using OpenBTS - "Experimental_Security_Assessment_of_BMW_Cars by KeenLab"
- 5G NR Jamming, Spoofing, and Sniffing
- LTE Security – How Good Is It?
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf
- LTE security and protocol exploits
- LTE Recon - (Defcon 23)
- LTE Pwnage: Hacking HLR/HSS and MME CoreNetwork Elements
- Synacktiv
- Touching the Untouchables: Dynamic Security
- WiFi IMSI Catcher
- Analysis of the LTE Control Plane
- WiFi IMSI Catcher
- Demystifying the Mobile Network by Chuck McAuley
- (https://www.defcon.org/images/defcon-22/dc-22-presentations/Pierce-Loki/DEFCON-22-Pierce-Loki-NSA-PLAYSET-GSM.pdf)
- D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov
- VoLTE Phreaking - Ralph Moonen
↑Evil BTS
OpenBTS software is a Linux application that uses a software-defined radio to present a standard 3GPP air interface to user devices, while simultaneously presenting those devices as SIP endpoints to the Internet
YateBTS is a software implementation of a GSM/GPRS radio access network based on Yate and is compatible with both 2.5G and 4G core networks comprised in our YateUCN unified core network server. Resiliency, customization and technology independence are the main attributes of YateBTS
srsLTE is a free and open-source LTE software suite developed by SRS (www.softwareradiosystems.com)
- Practical attacks against GSM networks: Impersonation
- https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/
- https://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
- http://leetupload.com/blagosphere/2014/03/28/analyze-and-crack-gsm-downlink-with-a-usrp/
- How To Build Your Own Rogue GSM BTS For Fun and Profit
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/
Common issues:
- Imprioper FW
- Lack of proper antennas
- Wrong cellular phone type
- Wrong SIM
- Not configured correctly - Mobile Country Codes (MCC) and Mobile Network Codes (MNC)
- incorrect APN
- https://www.wired.com/story/dcs-stingray-dhs-surveillance/
- https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs
- https://www.nyclu.org/en/stingrays
- http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf
- Getting in the SS7 kingdom: hard technology and disturbingly easy hacks= to get entry points in the walled garden
- https://github.com/Evrytania/LTE-Cell-Scanner
- https://harrisonsand.com/imsi-catcher/
- https://github.com/Oros42/IMSI-catcher
- https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
- https://github.com/ptrkrysik/gr-gsm/wiki/Passive-IMSI-Catcher