SMS decryption has become a topic of increasing interest in recent years, as individuals and organizations seek to intercept and decode encrypted SMS messages transmitted over GSM networks.
Despite the apparent security of these messages, they are often vulnerable to interception and decryption using specialized software-defined radio techniques.
Table of Contents
To better understand all parameters and technology terminology read my article GSM Networks for Pentesters.
Legal and Ethical Considerations
It is important to note that SMS message decryption should only be performed for legitimate and authorized purposes.
Intercepting and decrypting SMS messages without proper authorization is illegal and unethical.
It is important to respect individuals’ privacy and follow the laws and regulations governing telecommunications and data privacy.
Technical Overview
SMS messages are sent over a dedicated control channel in the GSM network, known as the Short Message Service Center (SMSC) or Short Message Service-Point to Point (SMS-PP) protocol.
The SMSC acts as a store-and-forward messaging center, responsible for routing SMS messages between the sender and receiver.
When a user sends an SMS message, the message is sent from the user’s device to the nearest base station.
The base station then sends the message to the SMSC, which stores the message and forwards it to the recipient’s device or to another SMSC for further forwarding.
When the recipient’s device receives the message, it sends an acknowledgment to the SMSC to confirm receipt of the message.
The SMSC then sends a delivery report to the sender’s device to confirm that the message has been delivered to the recipient.
SMS Decryption Steps
Here are the general steps to decrypt GSM SMS messages:
- Obtain the encrypted SMS message: The encrypted SMS message can be obtained by intercepting the GSM communication between the sender and the receiver using specialized equipment or software.
- Extract the encryption key: The encryption key is required to decrypt the SMS message. The key can be extracted by analyzing the GSM communication and identifying the key exchange process.
- Decrypt the SMS message: Once you have the encryption key, you can use specialized software or libraries to decrypt the SMS message. Some popular software and libraries for decrypting GSM SMS messages include OsmocomBB, Kraken, and Airprobe.
Intercepting GSM Traffic
Intercepting GSM traffic involves using a software-defined radio (SDR) or other equipment to capture the radio signals that are transmitted over the air between a GSM device (such as a mobile phone) and a GSM base station.
GSM traffic is transmitted using bursts of radio signals that contain encoded data, including SMS messages.
To intercept GSM traffic, you will need an SDR device that is capable of receiving GSM frequencies, such as the popular RTL-SDR dongle.
You will also need software that can process the captured radio signals and extract the data, such as the open-source gr-gsm software.
Extracting the Encryption Key
To decrypt an SMS message, you will need to extract the encryption key that was used to encrypt the message payload.
The encryption key is used to decrypt the message payload and reveal the actual message text.
The process of extracting the encryption key depends on the specific encryption algorithm used for the SMS message.
For example, A5/1 is a common encryption algorithm used for GSM networks.
Decryption of SMS Message
Once you have extracted the encryption key from the captured GSM traffic, you can use the key to decrypt the SMS message.
The encryption key is used to decrypt the message payload, which contains the actual message text.
Depending on the encryption algorithm used, there may be additional steps required to decrypt the message.
One common encryption algorithm used for SMS messages is the A5/1 algorithm.
To decrypt an A5/1-encrypted SMS message, you can use a specialized tool or library such as Kraken or libosmo-dsp.
These tools implement the A5/1 algorithm and allow you to decrypt the encrypted message payload using the extracted encryption key.
kraken --decrypt <hex key> <hex message>
This command specifies the encryption key in hexadecimal format and the encrypted message payload in hexadecimal format.
Kraken then uses the A5/1 algorithm to decrypt the message payload and displays the decrypted message in plaintext.
Before Intercepting
Before starting the decryption process we need a few things ready.
- Our CFILE with all data captured
- KC Key – grabbed from our SIM Card
- TMSI
- Rainbow tables to Crack A1 encryption
- All tools working with the correct versions
Limitations
- You CAN’T decode SMS LIVE – 😉
Understand our Tool
In order to decrypt SMS data is necessary to use gnuradio tool grgsm_decode, read my article about how to install GNU Radio.
grgsm_decode is a tool that is part of the gr-gsm software suite, which is a collection of open-source software tools for working with GSM signals.
The grgsm_decode tool is designed to decode GSM signals and extract information from them, including GSM messages such as SMS.
grgsm_decode -h
Usage: grgsm_decode: [options]
The gsm_decode tools have a lot of options divided into 4 categories
Basic Options
N_MODE, --mode=CHAN_MODE
Channel mode. Valid options are 'BCCH' (Non-combined
C0), 'BCCH_SDCCH4'(Combined C0), 'SDCCH8' (Stand-alone
control channel) 'TCHF' (Traffic Channel, Full rate),
'TCHH' (Traffic Channel, Half rate)
-t TIMESLOT, --timeslot=TIMESLOT
Timeslot to decode [default=0]
-u SUBSLOT, --subslot=SUBSLOT
Subslot to decode. Use in combination with channel
type BCCH_SDCCH4 and SDCCH8
-b BURST_FILE, --burst-file=BURST_FILE
Input file (bursts)
-c CFILE, --cfile=CFILE
Input file (cfile)
-v, --verbose If set, the decoded messages (with frame number and
count) are printed to stdout
-p, --print-bursts If set, the raw bursts (with frame number and count)
are printed to stdout
Cfile Options
Cfile Options:
Options for decoding cfile input.
-f FC, --fc=FC Frequency of cfile capture
-a ARFCN, --arfcn=ARFCN
Set ARFCN instead of frequency (for PCS1900 add 0x8000
(2**15) to the ARFCN number).
-s SAMP_RATE, --samp-rate=SAMP_RATE
Sample rate of cfile capture [default=1.0M]
--ppm=PPM Set frequency offset correction [default=0
Decryption Options
Decryption Options:
Options for setting the A5 decryption parameters.
-e A5, --a5=A5 A5 version [default=1]. A5 versions 1 - 3 supported
-k KC, --kc=KC A5 session key Kc. Valid formats are
'0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' and
'1234567890ABCDEF'
TCH Options
TCH Options:
Options for setting Traffic channel decoding parameters.
-d SPEECH_CODEC, --speech-codec=SPEECH_CODEC
TCH-F speech codec [default=FR]. Valid options are FR,
EFR, AMR12.2, AMR10.2, AMR7.95, AMR7.4, AMR6.7,
AMR5.9, AMR5.15, AMR4.75
-o SPEECH_OUTPUT_FILE, --output-tch=SPEECH_OUTPUT_FILE
tch/f speech output file [default=/tmp/speech.au.gsm].
--sub-channel=TCH_H_CHANNEL
TCH/H sub-channel. [default=0]
--multi-rate=MULTI_RATE
The MultiRate configuration element from the
Assignment Command message. Example: 28111a40. See
3GPP TS 44.018 - 10.5.2.21aa MultiRate configuration
--voice-boundary Enable voice boundary detection for traffic channels.
This can help reduce noice in the output.
How to remove encryption from text messages?
Decrypt SMS
grgsm_decode --freq <center frequency in Hz> --gain <gain value> --samp-rate <sampling rate in Hz> --arfcn <ARFCN value> --burst-file <filename of the file containing GSM bursts> --debug-decoder sms
Leave a Reply