Design and implementation of a solution to GSM SMS eavesdropping

Posted by tetley at 2020-02-24

Insecure GSM

GSM is the most widely used mobile telephony standard; in mainland China, the 2G networks of China Mobile and China Unicom are GSM as well. As the technology has aged, security researchers have found weaknesses in it, and attacking GSM is no longer new: outside China there are open-source projects for sniffing GSM traffic and for spoofing GSM base stations.

In China, attacks on GSM have also appeared. The ones we know of are mainly spam (or fraud) SMS sent from fake base stations, and eavesdropping on GSM data.

Below is a fraudulent SMS sent by a fake base station spoofing ICBC's service number 95588:

The following figure shows fake base station equipment found at one location:

The hardware needed to monitor GSM SMS costs no more than 30 yuan (yes, you read that right: it is a Motorola C118 mobile phone, the handset used by the OsmocomBB project), as shown in the following figure:

So the cost of mounting a GSM attack is very low, and we already see people exploiting GSM's weaknesses. In Shenzhen, TSRC colleagues in different districts have all received advertising SMS sent by fake base stations, and people on Weibo report the same in Beijing. Low-cost GSM attacks may become widespread.

Sending advertising SMS from a fake base station is one kind of attack; monitoring SMS content is another. Sniffing is passive and silent, so it is hard to detect.

I have been asked how you can tell whether you are being monitored. There is a way: set a trap for the eavesdropper. Send yourself a message over the channel saying that some website holds a confidential file, with the login username and password written in clear text, and make those credentials unique to the trap. Then watch the honeypot site you deployed for anyone trying to log in with them: since the credentials were never used anywhere else, a single attempt means the message was read in transit.
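The trap described above, as an added example in Go that is not part of the original post or the TSRC app: a fake login endpoint that records who presents the planted credentials. The canary username, password, host name and the bait text are constructed values for this example; in practice generate credentials that appear nowhere else, so that one attempt is already proof.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"sync"
)

// Canary credentials to plant in the self-addressed SMS. Constructed values for this
// example: they exist nowhere but in the bait, so any login attempt with them proves
// that the message was read in transit.
const (
	canaryUser = "backup_admin"
	canaryPass = "Wk9-secret-2013"
)

// Alert records one tripwire event.
type Alert struct {
	RemoteAddr string
	UserAgent  string
	Username   string
}

// Honeypot is the fake login endpoint. It never grants access; it only records whether
// someone presents the canary credentials.
type Honeypot struct {
	mu     sync.Mutex
	alerts []Alert
}

// isCanary compares both fields in constant time, so response timing does not tell the
// visitor which field was wrong.
func isCanary(user, pass string) bool {
	u := subtle.ConstantTimeCompare([]byte(user), []byte(canaryUser))
	p := subtle.ConstantTimeCompare([]byte(pass), []byte(canaryPass))
	return u&p == 1
}

// Check records an alert when the attempt uses the canary and reports whether it fired.
func (h *Honeypot) Check(user, pass, remoteAddr, userAgent string) bool {
	if !isCanary(user, pass) {
		return false
	}
	a := Alert{RemoteAddr: remoteAddr, UserAgent: userAgent, Username: user}
	h.mu.Lock()
	h.alerts = append(h.alerts, a)
	h.mu.Unlock()
	log.Printf("SMS tripwire fired: %+v", a)
	return true
}

// Alerts returns a copy of the recorded events.
func (h *Honeypot) Alerts() []Alert {
	h.mu.Lock()
	defer h.mu.Unlock()
	return append([]Alert(nil), h.alerts...)
}

// ServeHTTP handles the login form (fields "user" and "pass"). The response is the same
// whether or not the canary matched, so the eavesdropper learns nothing from the site.
func (h *Honeypot) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	h.Check(r.FormValue("user"), r.FormValue("pass"), r.RemoteAddr, r.UserAgent())
	http.Error(w, "invalid credentials", http.StatusUnauthorized)
}

// CanarySMS is the bait text to send to yourself over the monitored channel
// (the host name is a placeholder for this example).
func CanarySMS(host string) string {
	return fmt.Sprintf("Finance spreadsheet backup is at https://%s/login, user %s password %s",
		host, canaryUser, canaryPass)
}

func main() {
	hp := &Honeypot{}
	fmt.Println("Send this to yourself:", CanarySMS("files.example.com"))
	log.Fatal(http.ListenAndServe(":8080", hp))
}
```

The site answers every attempt with the same 401, so the person who read the SMS cannot tell the trap from a real login page; the value is in the recorded source address and user agent, which also tell you whether the reader is a person or a script.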

In some business scenarios the threat from GSM SMS monitoring is greater. Redemption codes for group-buying deals are sent to users by SMS; the bank SMS on payday reveals your salary; some online-payment verification codes are delivered by SMS. And even having the text messages you send your girlfriend read by a stranger is unpleasant enough.

How can enterprises and individuals avoid the security risks that GSM brings?

Solution design

Solving GSM's security problem properly requires the operators to crack down on fake base stations and to encrypt GSM transmissions. Given the current state of affairs, that route still has a long way to go.

Another simple approach is to abandon GSM altogether and move to 3G, which depends on how widely 3G is deployed. An attacker can also jam or interfere with the 3G signal, at which point the phone falls back to 2G automatically (China Mobile's 2G is GSM) and is exposed again. China Telecom's 2G is CDMA 1X rather than GSM, so it is not affected by GSM's weaknesses. Switch to a different number and carrier, then? That is giving up eating for fear of choking; not recommended.

Against sniffing of GSM SMS I have long had an idea (now finally realised as a demo): since the GSM transport layer cannot be relied on, we encrypt at the application layer ourselves. The solution is simple: install an app on the phone that encrypts the content of outgoing SMS. That way not only attackers but also the operators cannot read them. Encrypting and decrypting voice calls is far more complex and is not discussed here.

For point-to-point SMS, both parties install the app, which encrypts outgoing and decrypts incoming SMS with a key the two have agreed on. The SMS is then ciphertext while in transit. As long as the attacker does not have the key (the algorithm itself can be public), the content is safe; and because a fake base station can also inject or alter messages, the app should authenticate the ciphertext as well as encrypt it.

Point-to-cloud SMS requires not only the user to install the app but also changes on the back-end. For example, the 1065xxxx short number that sends group-buying vouchers to users would encrypt the voucher before the SMS goes out, and the user's phone needs the dedicated app to decrypt it, so that a captured voucher cannot be used by the attacker. This raises costs and requires a dedicated app; the function could instead be integrated into a general-purpose product (something mobile security products might consider).

Of course, one can also abandon the SMS channel entirely and use a popular app platform (such as a WeChat public account) or one's own app.

For the fake base station problem there is no good application-layer countermeasure; this is still under study.

Solution implementation

We implemented such a point-to-point app on Android. Encryption uses AES, and the two parties exchange the key offline (in this demo the key is written into the app and the key exchange step is omitted, which means everyone who installs the demo shares one key and anyone with the APK can decrypt the messages; a real deployment needs a key per pair of users). The two sides can then send each other encrypted SMS.

The key code snippet is as follows:

import java.nio.ByteBuffer;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// raw: the pre-shared AES key (16, 24 or 32 bytes); clear: the SMS text as bytes.
// The original snippet called Cipher.getInstance("AES"), which most providers resolve to
// AES/ECB/PKCS5Padding: ECB shows repeated plaintext blocks and the default is not
// guaranteed, so the mode is named explicitly and a random IV is prefixed to the output.
private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new GCMParameterSpec(128, iv));
    byte[] encrypted = cipher.doFinal(clear);
    return ByteBuffer.allocate(iv.length + encrypted.length).put(iv).put(encrypted).array();
}
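The point-to-point scheme described under "Solution design" and implemented by the snippet above, as an added example in Go that is not part of the original post or the TSRC app. It seals each SMS under a pre-shared key with AES-GCM (so a fake base station cannot alter or forge a message unnoticed), base64-encodes the result so it survives the SMS text path, reports how many 160-character segments the ciphertext occupies, and shows concretely what goes wrong with the bare "AES" (ECB) default the original snippet relied on. The key, the voucher text and the segment arithmetic for concatenated SMS are constructed assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// demoKey stands in for the key both parties agreed offline. Constructed value for the
// example only; the demo app compiles its key in, a real app must not.
var demoKey = []byte("0123456789abcdef")

// One SMS carries 140 bytes, i.e. 160 GSM 7-bit characters. Base64 output uses only
// characters of that alphabet, so 160 of them fit in one message; longer text is split
// into concatenated segments of 153 characters (assumed segment size).
const singleSMS, concatChunk = 160, 153

// EncryptSMS seals text under the pre-shared key with AES-GCM. A fresh random 12-byte nonce
// is prefixed, and the 16-byte tag lets the receiver reject forged or altered messages.
func EncryptSMS(key []byte, text string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(text), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptSMS reverses EncryptSMS and fails closed on a wrong key or a modified message.
func DecryptSMS(key []byte, msg string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(msg)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n+aead.Overhead() {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(raw))
	}
	plain, err := aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Segments reports how many SMS the encoded message occupies.
func Segments(msg string) int {
	if len(msg) <= singleSMS {
		return 1
	}
	return (len(msg) + concatChunk - 1) / concatChunk
}

// ecbEncrypt reproduces what Cipher.getInstance("AES") resolves to on most Java providers,
// AES/ECB/PKCS5Padding. It is here only to show why that default is a poor choice.
func ecbEncrypt(key, text []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(text)%aes.BlockSize
	padded := append(append([]byte{}, text...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that occur more than once. Under ECB,
// repeated plaintext blocks show through to an eavesdropper without the key; under GCM
// the count stays at zero.
func RepeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	dup := 0
	for _, c := range seen {
		if c > 1 {
			dup += c
		}
	}
	return dup
}

func main() {
	ct, err := EncryptSMS(demoKey, "Voucher code 8831-2290, valid until midnight")
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the sniffer sees (%d segment): %s\n", Segments(ct), ct)
	pt, _ := DecryptSMS(demoKey, ct)
	fmt.Println("after decryption:", pt)
}
```

The 28 bytes of nonce and tag plus base64 expansion mean a message of about 90 characters still fits one SMS, while anything longer spills into concatenated segments; the app should tell the user before sending rather than let the carrier split the ciphertext. The ECB check is what a reviewer would run against the original snippet: two identical 16-byte plaintext blocks produce two identical ciphertext blocks, which is exactly the kind of structure a sniffer can exploit without knowing the key.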

The following is the encrypted content as seen in the system SMS app (anyone intercepting it in transit sees only this meaningless string):

After decryption with our app:

Want to try it? The app (let's call it SMS Emissary) has been released in the Lab column of the Tencent Security Emergency Response Center website; the address is here. You are welcome to try it. Given the short development time, the interface, functionality and user experience are rough; please bear with us.


This article is only one attempt at a solution to GSM SMS eavesdropping; interested readers are welcome to discuss it with us. For more security research, please follow "Tencent Security Emergency Response Center" (

I would also like to thank the other members of the "GSM security research" project team at Tencent Security Center, including poppey, Huang Jacky and riusksk, for their work.

More on GSM security in the next instalment.