Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices
Introduction
A rogue base station (also called a dirt box or rogue BTS) is the use of a software-defined radio (SDR) to create a fake cell tower and a software implementation of a GSM/GPRS radio access network. The software typically used to power rogue BTS’ is YateBTS, which supports GSM850, EGSM900, DCS1800, PCS1900 GSM bands.
The purpose of creating a rogue base station in vulnerability research or penetration testing of cellular-capable IoT devices or embedded systems, such as telematics control units (TCUs) inside connected cars is to force an association of the device talking over GSM to associate to the rogue BTS instead of a legitimate cell tower. This is done in an attempt to capture, analyze, and in some cases, intercept and modify the transmission between the backend and the device in an attempt to control it to affect the confidentiality, integrity, or availability of the data transmitted to it.
Very little research has been published on how to build rogue BTS’ over the years, especially as it…
