- Fake base station with open ciphering (A5/0) that spoofs the real operator's network; the spoofed network can be GSM (SMS, calls), GPRS or EDGE
- Local attack, but it can be targeted (to find a local victim)
- The victim cannot be reached on the real network (calls and SMS)
- Detectable with a rooted phone and an application such as an IMSI-catcher detector or SnoopSnitch, because the network runs with open ciphering
- USRP
- Install DragonOS 29 or 30 for the USRP
- Create a fake BTS (more specifications and demos: pdf_en, pdf_fr)
- Open ciphering (A5/0)
- Configure the transmit power as high as possible, or use a power amplifier
- MCC, MNC, band, ARFCN, short name and long name identical to the operator's (use Network Signal Guru to find the configuration)
- LAC different from the operator's (the phone thinks it is performing a handover)
- Use jamming or a redirection attack for a more advanced attack
- Create a selective denial-of-service attack (per IMSI) by using LUR (Location Update Reject); demos: pdf
In openbsc.cfg:
    network country code 001
    mobile network code 1
    short name dragonOS
    long name dragonOS
    band GSM1900
    arfcn 526
    nominal power 100

In osmo-bts.cfg:
    band 1900

For denial of service, change the location update reject cause; the default cause is number 13:
    location updating reject cause 13
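Added example, not part of the original notes: a defender-side heuristic that flags cells matching the rogue-BTS profile listed above (open ciphering A5/0, a LAC that does not belong to the operator, the test PLMN MCC 001, and an implausibly strong signal). The operator baseline, the record fields and the sample observations are constructed assumptions; real records would come from a rooted phone's baseband diagnostics, as SnoopSnitch collects them.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class CellObservation:
    """One cell as seen by a handset's baseband diagnostics (field names are assumed)."""
    mcc: str
    mnc: str
    lac: int
    arfcn: int
    cipher: str     # ciphering algorithm negotiated, e.g. "A5/0" (none), "A5/1", "A5/3"
    rxlev_dbm: int  # received signal level in dBm

# Constructed baseline for a hypothetical legitimate operator (not from the notes).
KNOWN_OPERATOR: Dict[str, object] = {
    "mcc": "208", "mnc": "01",
    "lacs": {1001, 1002, 1003},  # LACs the operator really uses in this area
    "arfcns": {30, 31, 32},      # ARFCNs seen for this operator in this area
}

# A rogue BTS pushes power as high as possible, so an implausibly strong level is a hint.
STRONG_RXLEV_DBM = -50

def suspicious_indicators(cell: CellObservation, baseline: Dict[str, object]) -> List[str]:
    """Return the reasons a cell matches the rogue-BTS profile; an empty list means clean."""
    reasons: List[str] = []
    if cell.cipher == "A5/0":
        reasons.append("no ciphering (A5/0)")
    if cell.mcc == "001":
        reasons.append("test PLMN (MCC 001)")
    same_plmn = (cell.mcc, cell.mnc) == (baseline["mcc"], baseline["mnc"])
    if same_plmn and cell.lac not in baseline["lacs"]:
        reasons.append(f"LAC {cell.lac} unknown for operator PLMN")
    if same_plmn and cell.arfcn not in baseline["arfcns"]:
        reasons.append(f"ARFCN {cell.arfcn} unknown for operator PLMN")
    if cell.rxlev_dbm > STRONG_RXLEV_DBM:
        reasons.append(f"implausibly strong signal ({cell.rxlev_dbm} dBm)")
    return reasons

# Constructed observations: a genuine cell, a clone of the operator with a foreign LAC, a test PLMN.
SAMPLE_CELLS = [
    CellObservation("208", "01", 1001, 30, "A5/1", -75),
    CellObservation("208", "01", 65000, 526, "A5/0", -40),
    CellObservation("001", "01", 1, 526, "A5/0", -60),
]

def scan(cells: List[CellObservation], baseline=KNOWN_OPERATOR) -> Dict[int, List[str]]:
    """Map the index of each suspicious cell to its list of indicators."""
    return {i: r for i, c in enumerate(cells) if (r := suspicious_indicators(c, baseline))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_CELLS).items():
        print(f"cell {i}: {'; '.join(reasons)}")
```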