Thanks for coming out. I'm Ash Mastaflash, and today we're going to cover inexpensive coordinated GSM anomaly detection. More specifically, what we mean by inexpensive: the whole goal of the project was to come up with something that was going to be far less expensive than the production of a malicious device. Coordinated, meaning centrally configured. You don't want to have to pull SD cards on a whole bunch of remote sensors and then reconfigure them, re-burn them and get them back out into the field. So central configuration and software management was really important. And by anomaly detection, specifically what we mean is picking up rogue BTSs and IMSI catchers. So let's jump in.

A little about me. I started actually getting paid for technology to work around 2000, and I hopped disciplines every few years, kind of changed focus, and now I'm working in R&D for a cloud workload security company. And I don't like talking about me, so that's where we want to end that. Let's talk about you. The audience I was writing this for has a background in systems and network engineering, some interest in GSM threat detection, but probably not a huge depth. I mean, if you've got it then great, but it's not required. I'll give you the crib notes so we can make it through. And tinfoil hats are certainly not required, but they're not unwelcome. So go ahead and put it on now and let's party.

So I said that I'm working in R&D now. I really love my job. And as such, this has nothing to do with my day job. So if you don't like this, if you do something with this and get in trouble, I completely disavow whatever it is that you do with this. So yeah, don't go talking to my boss about this. Just come talk to me if you don't like it.

So here's what we're going to cover. First off, why you should care. The current threat and detection landscape. The original project goals, two iterations of the sensor, and the service architecture, because it's kind of a split architecture.
Setup, future plans for the project, and that's where I kind of beg you for your help and pull requests. Then a hat tip to prior art, and Q&A.

Why should you care? Because invasions of privacy are bad even when they're unnoticed. Yeah, that's true, and this all is kind of vague. So specifically, what are we looking at? What's the worst that could happen with a compromised cell phone conversation in your CFO's office? It could have a financial impact on your company. In the right CFO's office you could even be looking at something like insider trading or market manipulation with the right phone conversation. So these devices are so small and so easy to hide and so inexpensive, you know, can you really trust your ficus? Adjust your tinfoil hat. And the second side of this is that with an IMSI catcher you can also determine whether or not a specific person is within a domicile. So with one of these devices someone could walk up outside of your house and they could get a listing of all IMSI numbers. Now, IMSI numbers are the ones that are burned into the SIM in your phone that's attached to your account. So that identifies you as an individual. If you can take a listing of those from everybody inside of a house, by a process of deductive reasoning you can determine who is home. So it's a little bit spooky and it's not that expensive to carry off.

The terminology baseline for the talk: software-defined radio. I had one of those in my pocket but I gave it away. It's using software to perform your signal analysis, using typically a USB dongle that has a software-controlled tuner. And in the case of this we're using the RTL-SDR devices, the super cheapo, like $20 to $40 units. ARFCN, absolute radio frequency channel number. I may just refer to that as channel number from here on out, given that this isn't a GSM in-depth talk, just because it's easier to kind of wrap your head around. Think of this almost like a television channel.
CGI, Cell Global ID, is a globally unique identifier for the BTS that's comprised of a mobile country code, a mobile network code, a location area code and a cell ID. All that comes from the BTS. And like I said earlier, the IMSI is what's burned into your SIM, and that's what identifies you as an individual. Here's a visual aid to kind of wrap your head around GSM addressing in regards to the Cell Global ID. Every mobile country code has a number of subordinate mobile network codes within it. Within that you have multiple location area codes, and within that you have multiple cell IDs.

So let's talk about threat and detection. So we'll go over, first a drink of water, malicious devices, how you know that these malicious devices are in play, and what's currently on the market to detect them. So a hacked femtocell is a trusted part of the provider's network. We saw some really good talks at DEF CON 21 about hacking femtocells for the purpose of an honest IDS and also for some nefarious purposes. With a hacked femtocell you can gather IMSIs and you can also record phone calls and SMS traffic that are going across it. Your phone has no idea if it's good or evil. Your phone is just going to attempt to attach to it. And evil BTS. evilsocket had a great blog post on how to build one for very, very cheap, and ham hands for scale: this is the size of the SDR that's necessary to build one. You can kind of see how this could fit in your ficus, right? And that's the largest device in the system. So that, coupled with a Raspberry Pi 3, you can build an evil BTS and record phone and SMS traffic. Again, this is the same case as with the femtocell. Your phone doesn't know if it's good or evil. It's just going to try and talk to it. That's a GSM thing.

So, indicators of attack. How do you know when something weird is going on? ARFCN, and remember, think of it like a TV channel. All of a sudden, a channel goes loud, over threshold; this is something you determine by a short period of observation.
So you can set a threshold alert for when it gets over that. ARFCN outside of forecast. You can use, here's a spoiler alert, we're using Graphite as part of this. Graphite has the Holt-Winters algorithm built in so that you can have a confidence band over time. And so if something that's typically low all of a sudden gets a little bit louder, it may not be a threat to you, but it may be something nearby. A channel all of a sudden getting louder may indicate that someone's trying to broadcast on the same channel. Unrecognized Cell Global ID. There are databases you can download with the GPS coordinates and all the metadata for the Cell Global IDs, and it's useful for determining your location. If you don't have a GPS chip you can kind of make that determination based on where the tower is. Gratuitous BTS re-association. This is something that you would determine by observing the behavior of a cell radio. And if all of a sudden you have a stationary radio that starts associating to another BTS, or a bunch of other BTSs, typically for a standard or stationary radio you're not going to see a lot of that behavior. If you're walking around, it's supposed to happen like that with your cell phone, but if it's sitting in one place you really shouldn't be hopping towers a whole heck of a lot. And if you have the GPS location of a tower by the Cell Global ID and the BTS is broadcasting a Cell Global ID of something that should be in, say, Orlando, if that cell shows up in Vegas, either someone's absolutely awful at their job of configuring BTSs or it may be something malicious.

So, current detection methods. Both Pwnie Express and Bastille Networks have an offering of which this is a subset. Open source options: FakeBTS is a really cool project. It serves as the original inspiration for this. It's a collection of shell scripts that use Wireshark and airprobe and kalibrate to make a determination as to whether or not you have malicious nearby cells.
The Android IMSI-Catcher Detector is software that you install on your phone itself, and it interacts with your cell phone's radio to determine if there's any sort of anomalous behavior. And FemtoCatcher is very close in function to the Android IMSI-Catcher Detector, but it's specifically for catching femtocells, and it's really only effective for phones on the Verizon Wireless network.

The original project goals. It's Vegas. I think it's okay to ask what you can get for $100. So that was the goal: see if I can get the target price under $100 for the first iteration. I wanted a low footprint for the raw materials. I wanted it to be at least as small as this. And functional targets: I wanted to be able to pretty much use the indicators of attack as a metric on whether or not I would be successful detecting rogue BTSs. And centrally managed software and configuration. That was really important to me because I have really big hands, and it is such a pain to actually get those micro SD cards into the right slot in a Raspberry Pi, and I've lost so many and gotten so frustrated having to crack the case back open to get my... yeah, I didn't want to screw around with that. I wanted to be able to drop this thing under a desk, behind a ceiling tile, pretty much wherever you might find a malicious device. I wanted to drop this thing so that you could get good local coverage inexpensively and not have to touch it again.

In the process of this I collected a lot of hardware. I had a Raspberry Pi 2, a logarithmic antenna, a couple of ODROIDs, a C1+ and an XU4, a galaxy of red and blue and green and orange LEDs, an Intel NUC and an Intel Edison, a GSM modem, a handful of RTL-SDR devices. I didn't really need all this stuff, but when you get locked into a serious hardware collection the tendency is to push it as far as you possibly can.
So that brings us to SITCH: Situational Information from Telemetry and Correlated Heuristics. And I definitely started with the acronym side of that before I came up with the words to match. So this is the first iteration of the sensor. I had an RTL-SDR device, I wrote a wrapper in Python to get that into structured data using kalibrate, and all of that feeds into the main process. Also running gpsd to pull accurate GPS readings from a GPS dongle, and using logstash-forwarder to forward scan logs. Since we have it in structured formats, it's pretty easy to drop to file, let logstash-forwarder pick it up and shoot it off to Logstash, Elasticsearch, all that good stuff in the cloud. And I was using a Python tool called graphitesend to send all this stuff over an OpenVPN channel up to a Graphite instance for tracking time series measurements, which was effective enough. I talked Verizon into sending me a femtocell to set up in my apartment, and when you start it up, I mean, they never really consistently started at the same speed, sometimes you'll be waiting 40 minutes for it to get a GPS fix, but when it does go live, it's pretty plain to see. Honestly, this graph is a little bit smoothed out; it's normally spikier than this. I went back in history in Graphite and Graphite had already kind of smoothed things out for me, but it's very clear, very apparent when this stuff goes live, because it gets very loud and your phone attaches to it, and then today you're on a part of Verizon's trusted network.

So remember that slide earlier? Here it is in table form. So these are our functional targets: ARFCN over threshold as a big yes, as well as ARFCN outside of forecast. But the tool that we're using, called kalibrate, what it does is it produces a list of nearby channels and gives you a power rating.
It's typically used for determining your clock offset, because the SDR devices are notorious for being drifty, and the RTL-SDR devices are especially notorious depending on temperature. So those are the things that you actually can't get away with running with the lids closed; they get way, way too hot. And the price was $100. Like, it was right at about $100, not counting the case. I mean, the case was kind of necessary for the trip out here, but just the raw components you can get for about $100, and it's pretty effective. The problem is you're looking at about seven minutes' worth of resolution. So it takes seven minutes to scan 850 MHz GSM using a Raspberry Pi 2, and you can actually have kind of a pretty important conversation in less than seven minutes.

So, good first generation, I was thinking. This actually happened after I submitted my CFP. I was able to kind of prove what I was thinking, and so this is like late April and I was thinking, ah, I could kind of roll with this, just ride on this and maybe be fine and cool. And I started looking at the source code and I was really, really not happy with it. It was pretty horrific, and that's just not me being self-conscious. There were a few problems with this. So what's wrong with Mark 1? Main was single threaded, and when you're pulling data from two separate devices you can end up with some interesting situations. If you've got to wait on your GPS to get a fix and then you do your seven-minute scan of 850 MHz GSM, then it's this sort of additive problem. You can really end up with some kind of ridiculously long scan times, especially if you're indoors trying to get a GPS fix. Another thing I didn't like is that there were two secure channels for delivering the information. That's inefficient, it's just more crap to manage, and I really kind of wanted to reduce those to one encrypted channel.
So now I'm going to start the demo, and I'm going to start it early in the presentation because it takes a... this stuff is kind of bandwidth dependent, so I'll explain a little bit more about that. Check this out. Is this thing on? Alright, so this has got an RTL-SDR device, a GSM radio, it's a Raspberry Pi 2, and just some stuff to support that. So, this thing's being provisioned from zero using the orchestration stuff I was talking about. So while we're waiting on this thing, what it's doing is, there's the service that I'm using to orchestrate what I'll loosely call firmware, although maybe we'll have a discussion on what firmware actually is later. I'm going to call it firmware. It's just a bunch of Python code. But what actually sits on the device: there's a service called Resin. And Resin has built an image to put on your Raspberry Pi that runs Docker. I can't remember the version of Linux that's based on; I'm not going to promise something up here. But what it does is it dials home to the service, and it pulls Docker images of whatever you commit. So basically, this is what your deployment pipeline looks like using SITCH and Resin. Your actual user effort is you do a git commit of your code, you do a git push to Resin's repository, and everything below the orange bar is all managed by Resin. If your build completes... and I'd like to mention that if you do not do unit testing, you are going to hate your life. You will pull your eyeballs out of your head, because it takes a few minutes and it's almost like, hey, here's Python, but now I have to compile it and wait and wait. So get good at unit testing and then make that part of your commit. The commit hook will run a Docker build on your code, and if your build is successful, it'll accept the commit and move the image into Resin's registry.
And then your device polls, like every minute, the Resin service, and when you have a new container image, it just pulls down your container image and restarts. And you don't have to touch the thing to do software updates, which is really nice if you're sticking these things up in attics and all over the place.

So, as far as service-side software goes, we've talked a lot about what's actually running on the sensor. What's running on the service side: most people in here, if you're a sysadmin, you're probably familiar with Logstash, Elasticsearch and Kibana. It's a great, fantastic open source tool and it's super versatile. It's a part of this, as well as using Carbon and Graphite for the time series database and for statistical calculation. And I'm using Tessera because, as much as I love Graphite, Graphite's graphs are really not pretty. You need something to go on top of it. And Graphite Beacon is probably the simplest tool I found for just measuring and looking for things outside of bounds on Graphite. It was so nice that somebody didn't over-engineer something. It's simple. You can configure it, set it up and fire it off. So that's what I chose. Vault is a really cool tool from HashiCorp, and what it does is secret management. So you can load certs, you can load credentials in there, and we have the keys for accessing those loaded up into environment variables in the device itself. So you can do your credential rotation against Vault and then you just bounce your whole application, you know, through the Resin user interface, and everything comes back up, gets its credentials, and all those credentials are written on the sensor to a RAM disk, so that if somebody does jerk the power, it's at least a little more difficult.
I know, with physical contact all of your security should be considered null, but at least it makes it a little bit more difficult to uncover your crypto material. Resin is the service that I use to manage the software, and Slack is where the notifications come out, because at least you can do it over IP and you're not relying on SMS when GSM may or may not be, you know, a friendly area.

So on the service architecture side, the first thing the information hits is the inbound information processor. What that is in this case is Logstash. Document retention: everything is stored as structured data in Elasticsearch, and the web-based portal is kind of a combination of Kibana and Tessera. The time series database is Graphite, and analysis and alert generation right now are shared by Graphite, I'm sorry, that other tool, Graphite Beacon, and some stuff that's coming directly out of the sensor. The sensor is actually smart enough to do some alerting on its own, and that stuff is caught by Logstash and it kicks it out straight to Slack. Like I said, the external alerting service is Slack, and there's a user.

So, the intelligence feed. If you're going to make a determination on the location of all of these GSM towers, you don't want to do your own site survey and then compile your own database; you really kind of want to look and see if somebody else has already done that. The OpenCellID database is out there and it's super useful. The only thing I think it didn't contain that I really wanted was the carrier name, because you can make that determination using the MCC and MNC parts of the Cell Global ID. So thank God for Twilio and their free pricing API, because you can just pull all of that stuff down. The API key is free. And the way that this works is, it's all because once you start using Docker for something, you just want to use it for everything.
And so I have this Docker container that I can run as a job, and it goes out, it pulls down the OpenCellID database, it merges that with the information from the Twilio pricing API, and it throws this stuff out into files based on MCC. The reason that's sliced up is because that database file is so huge that you want to have this kind of broken up, and knowing the country that you're operating in, you should be able to determine the mobile country codes that you need to be downloading for. So it reduces the download size. But truth in advertising is, as much as I want this live demo to work, it is a lot of information and maybe it will or maybe it won't be able to download everything in time. If it doesn't, I've got a video, and I'm sure this probably wouldn't be the first time a live demo fell over at DEF CON. So, if you insist.

So let's talk about the Mark 2 sensor and kind of the improvements I wanted to make before I showed anybody this ugly baby of mine. So there's a component, the SIM808 collector, that interacts with the GSM modem to actually function in a way that's somewhat similar to the way the Android IMSI-Catcher Detector works, by interacting with your phone's GSM components. So everything that you see in green is its own thread off of the main process. That way you can concurrently run collections against your GSM modem as well as your RTL-SDR device, so that you don't have to wait seven minutes and then do it, you know; I just decided to forgo all of that. Everything that you see in blue is a first-in, first-out buffer. So all of this scan information goes into the enrichment buffer and the enricher thread picks it up. The enricher thread compares that against the enrichment database that you pull down based on the MCC file. Yes, the MCC file that comes down; all that stuff gets shoved up into AWS. It doesn't have to work like that.
It'd be simple enough to tool around to work off of an HTTP server, but AWS was just easier, so that's what I did. And the emitter can emit straight to scan logs, which are picked up by logstash-forwarder, or you could point it off to the Logstash server itself. I felt a lot more comfortable having it work with logstash-forwarder because logstash-forwarder can run its own buffer if you end up with loss of communication. It just seemed like the smarter thing to do, to not have everything just pipelined up in memory on one of these small little devices. And everything goes up to Logstash over that single channel, no longer using OpenVPN, and Logstash has some great output plugins that you can use to take that structured information that's coming in and spit it right out to Graphite. So kind of coalescing those two paths was super, super... it just made things seem simpler to me.

So this is kind of a block diagram of what goes on inside the sensor. For a kalibrate scan, everything goes into the enricher thread, or the enricher thread picks it up from the queue, and it can fire alerts on its own based on a threshold that you set in the environment variables in Resin. Resin is the service that manages it and pushes out environment variables for running your program. So you can set a device-specific threshold depending on where in the building it is, because you don't want to set the same... I mean, that wouldn't work. And it also sends individual events, or individual structures, for ARFCN metadata and the original scan document containing your timestamp, all that other good stuff. It's a little more interesting when you start pulling from the SIM808 module, which is your GSM modem.
The enricher thread gets it, does a comparison against the enrichment database, which is kind of sizable, but it does do a little in-memory caching for a little while, just so you don't have to keep hitting disk for everything that comes through. And it can do alerts on changes in the primary Cell Global ID. It can do alerts on the Cell Global ID not being in the database. And it can also do alerts on the Cell Global ID not being in range based on the geolocation that's coming down through the feed. What I kind of want to draw your attention to is that this calculation is actually happening on the Raspberry Pi. So the idea is that you should be able to stand that stuff up and have a fairly small compute overhead compared to some other services, because a lot of the compute's happening on the device itself, so doing stuff like geospatial calculation and stuff like that. You don't have to do all of that stuff because... something I failed to mention earlier: remember I said that there's about a seven-minute delay on getting results with an RTL-SDR device. When you throw one of those little GSM devices into engineering mode, every few seconds you get a list of all of your nearby cells by preference according to the GSM. So the RTL-SDR device is more of an objective observation: I see these channels, here's the power. But interrogating the GSM modem actually tells you what it prefers. So the stuff that's a little more GSM-heavy, of why do I prefer this tower over another, it takes care of all of that, and you can just query the GSM modem and ask it what it prefers the most, and you can tell when your primary changes, and you cut the resolution from around seven minutes down to just a few seconds. Woo!

So this is what you see in Slack after the thing gets started and gets warmed up. These alerts are for things like not being in the feed database, other stuff like that.
And you also get alerts from Graphite Beacon when you have anomalies being detected, when things fall outside of the forecasted expectation for your time series measurements.

So, here's where we return to the demo and see if these things are actually going to behave for us. So, I don't think I get a drum roll up here, but I hope the anxiety is palpable. Just truck this over there. Sorry, somebody told me not to do it like this and I thought I had enough sense to listen. What? All right. Yeah, thanks. Probably me again. Where did you go? All right, so. You got a 12. Every failure goes down. Here in a minute, you're going to have me some Jack Daniels and I'll know I just need to walk off stage. Let's try mirroring for the win. All right, can you see that? Okay, so it actually was able to download all of the feed database and everything. I'm going to take a drink. Live demo, y'all. You don't want that.

All right, so this is what it looks like in Resin. And with Resin, you can actually... okay, truth in advertising. One of these I plugged in in the speakers' green room, just because I was afraid that it wouldn't have enough time to download all of the things. And the one that I plugged up a few minutes ago, let's see how far along it is. This one's called Misty Mountain. Isn't that beautiful? Okay, so, yep, still downloading. Depending on bandwidth, I mean, it can take a little while. The initial download, so you've got a couple of minutes at the beginning. When you pop in the SD card, it reformats it to work right for Resin's operating system, and then it dials home to the service and it starts pulling your Docker image down. This is actually a lot smaller. Originally I tried doing this with GNU Radio, and oh my God, that thing is a monster. So you start dealing with image sizes over two gigs, and the Raspberry Pi struggled with it.
It is my hope that someday I can get GNU Radio trimmed down enough, because I think that, and especially the GNU Radio GSM project, Piotr Krysik put that together. So if you're looking for something fun to play around with, I highly recommend that. I was hoping to get that originally worked into this, but I think ARM's going to have to get a little bit more powerful with the stuff that you can buy off the shelf before we'll actually be able to get GNU Radio working, at least the way that I need for this project. But check out gr-gsm if you have a minute. It's awesome stuff.

Now let's go back to the working sensor. All right. So in the startup process, you see download pulls everything down from the feed, gets your secrets from Vault. Yeah, this one started up just fine. Oh man, that's great. It's not that I thought that it would really not work, but superstition, you know, the same reason you don't do a change window on a Friday afternoon. So, to Tessera. Let's see what that looks like. Let's see if we have anything for DEF CON yet. And we do have a little bit. So these are time series measurements and, honestly, it looks a little ugly. This is probably due to my configuration of Graphite. Let's find a resolution that looks decent. There we go. That's a little bit better. And you can see the channels that are being tracked by ARFCN. And this is kind of the Rx level. This is the cell radio itself. Here's, yeah, this is the Holt-Winters anomaly stuff. This doesn't get really interesting until you actually have a measurement period by which you can start to look at it, because Holt-Winters is super cool. You could probably do this with standard deviation, but I was, oh, Holt-Winters, it's a bigger word, right? And it's free. It's already baked in. There's another buzzword if anybody's playing bingo. So Holt-Winters, you never see this in the real world, but if you have, like, if Monday afternoons are really hot, then it'll accommodate for that.
You just have to let it see a Monday afternoon, or else you get that. So we're even tracking the affinity, which looks like it may have made a change. That's interesting, isn't it? So the cell made an affinity change shortly after coming online, but it's higher than that. 238. Yeah, that's cool. Anyway, we're all kind of discovering this. Honestly, I was pretty afraid of turning this thing on at DEF CON and blowing up the service by throwing so much information into it, but it's doing surprisingly well. So let's see. And here is my Kibana server. Oh, no results yet. And that's because my time range is crap. All right. There's that. Let's trim that down a little bit, to two hours. And there you can see we started getting stuff coming through, and scans of all types. And this is all structured data. So if you wanted to build something on top of it, just interrogate Elasticsearch and pull these results out. Go nuts; all this stuff is going to be released open source after the talk. So I hope that somebody out there enjoys this thing after how much time I spent doing it. So let's return to the demo and see if I can figure out this mirroring thing again. All right.

So, summary of Mark 1 and Mark 2. Like we discussed earlier, ARFCN over threshold and outside of forecast worked great with the first one. It was just really slow to return results. Seven minutes: you've already told them your stock trading tips and somebody else has them too. With the Mark 2 we hit all of our objectives. ARFCN over threshold and outside of forecast, of course, because we were still using kalibrate. Unrecognized Cell Global ID, we're able to pick that up. Gratuitous BTS re-association, we're able to pick that up as well. And the price was 150 bucks. So considering that, if you buy this at list price... not the product, they've got a great deal in the vendor booth, you should all go and buy one, these are so expensive and they've got a great deal running in the vendor booth. They didn't pay me to say that.
But with one of these, I think you're looking at maybe around 650 dollars, with this Raspberry Pi, to build an evil BTS. For about 150 bucks you can build a sensor to detect when these things are around. So the original goal of having something that was easy to deploy, you know, I mean, you just pop the SD card in, make sure everything's plugged up, you ship it out, plug it up wherever and leave it alone and let it collect its stuff, and to have it less expensive than the evil devices. And so there's that.

Going forward, this is what I'd kind of like to do with it. Automatic device detection: something I shielded you guys from was all the environment variables you have to configure. Some of them you want to have to configure, you know, like what is the key to retrieve all of my information from Vault, right? You don't want your secrets just hanging out there. So you can infer, because you'll start getting Graphite alarms, but it's really something you just have to infer. I'd like to get more specific with that. GNU Radio, like I said earlier, I would love for GNU Radio to be the core of this if I could figure out a way to make it run quickly and, honestly, to run it all on a Raspberry Pi, because running at that sample rate, it's not only gr-gsm, but you can start playing around with ADS-B broadcasts from aircraft, looking up FPV drones, all sorts of fun stuff, and maybe even running connectors for Ubertooth One and YARD Stick One, because those are some kind of fun things to play around with. And if you never have to touch the thing except installing hardware, why not, right?

So here's a little... cloning with a compromised femtocell, that served as the original inspiration, that kind of got me thinking in this direction, because you can get a femtocell for 250 bucks, or you can social engineer one out of Verizon for pretty... I've been with you guys for so long. If that argument has never worked before, it worked for me. I've been your customer for so many years and I
have crap reception in my little... to be able to do some positively evil things. And last year DaKahuna and Satanklawz put on a great intro to SDR in the Wireless Village, a 101 track that I really enjoyed and that kind of set me down the road of trying to figure this problem out. FakeBTS served as the original functional inspiration for this, kind of the interaction between Wireshark and airprobe, and unfortunately it's a little too intense to run on ARM all together. And How to Build Your Own Rogue GSM BTS for Fun and Profit, Simone Margaritelli, thank you. If evilsocket is here I want to buy you a beer; if you're not, I owe you one. It was a really well written blog post on how to simply set up an evil BTS using one of these and a Raspberry Pi 3 and a battery pack, and ease of access for parts. So thank you, evilsocket, that was a huge help for this talk and gave me a really good, solid target to shoot for. Thanks, GNU Radio; as much as I wish it could have made it in here, it actually worked pretty well on the Intel NUC, but those things are kind of pricey. You're not going to beat anybody on price using an Intel NUC, but GNU Radio runs pretty well on that for this purpose, I mean on the GSM stuff. And kalibrate. kalibrate's the core of this, and without kalibrate it really probably wouldn't work very well. So hat tip and thanks to all the prior art, and thanks to all these fools. John Minerig made a not small investment in test hardware. He was one of my first beta testers, so John, if you're out there, thanks a bunch. Maybe not. Gillis Jones, super helpful, great advice. Christian Wright and Dave Duhlin. And there were a lot of silent contributors; they didn't necessarily want to be associated with a DEF CON talk, but I don't know why, I have no problem with it. But I got really useful information on GSM networks from some really helpful people in the background. Anyway, we can do Q&A now or we can take it off stage. Yep. I'm going to release it as soon as I get to a
reasonably secure network. Check on your DEF CON CD; there's a white paper with the links in it. Alternatively, my handle is Ash Mastaflash, check me out on Twitter, and I'll post there, and I may see if I can squeeze an email through Full Disclosure as well. Ash Mastaflash, two A's. Alright, thanks a whole bunch, everybody.
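The Mark 2 enricher logic described in the talk (ARFCN over threshold from the kalibrate wrapper, and unrecognized CGI, CGI out of range versus sensor GPS, and primary-cell change from the SIM808 engineering-mode collector), as an added example in Python; this is not code from the SITCH project or from the talk. The feed layout, the record shapes, the function and class names, the thresholds and every sample value are assumptions constructed for illustration, and the "too many distinct primaries in a window" check generalizes the primary-change alert beyond what the talk describes.

```python
import math
from collections import deque

# Constructed feed, a stand-in for the per-MCC OpenCellID + Twilio carrier file the
# enricher pulls down: Cell Global ID (mcc, mnc, lac, cellid) -> (lat, lon, carrier).
# Every CGI, coordinate and carrier name here is made up for the example.
FEED = {
    (310, 410, 2001, 5001): (36.1147, -115.1728, "Carrier A"),  # right at the sensor
    (310, 410, 2001, 5002): (36.1200, -115.1800, "Carrier A"),
    (310, 260, 3003, 7001): (36.1100, -115.1650, "Carrier B"),
    (310, 410, 9901, 8801): (28.5383, -81.3792, "Carrier A"),   # far away, Orlando-ish
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class Enricher:
    """Applies the talk's indicators of attack to records from both collectors."""

    def __init__(self, feed, sensor_lat, sensor_lon,
                 power_threshold=40.0, max_range_km=30.0,
                 reassoc_window=5, reassoc_limit=2):
        self.feed = feed
        self.sensor_lat, self.sensor_lon = sensor_lat, sensor_lon
        self.power_threshold = power_threshold  # per-device, like a Resin env var
        self.max_range_km = max_range_km
        self.primary_cgi = None
        self.recent_primaries = deque(maxlen=reassoc_window)
        self.reassoc_limit = reassoc_limit

    def enrich_kalibrate(self, scan):
        """scan: list of {"arfcn": int, "power": float} rows from a kalibrate wrapper.
        Returns ARFCN-over-threshold alerts; outside-of-forecast is left to Graphite."""
        return [{"type": "ARFCN_OVER_THRESHOLD", "arfcn": row["arfcn"],
                 "power": row["power"]}
                for row in scan if row["power"] > self.power_threshold]

    def enrich_sim808(self, obs):
        """obs: the modem's current primary cell from engineering mode, as a dict
        with keys mcc, mnc, lac, cellid.  Returns a list of alert dicts."""
        cgi = (obs["mcc"], obs["mnc"], obs["lac"], obs["cellid"])
        alerts = []
        if cgi not in self.feed:
            # Indicator: unrecognized Cell Global ID.
            alerts.append({"type": "CGI_NOT_IN_FEED", "cgi": cgi})
        else:
            lat, lon, carrier = self.feed[cgi]
            dist = haversine_km(self.sensor_lat, self.sensor_lon, lat, lon)
            # Indicator: a known CGI heard far from where the feed says it lives.
            if dist > self.max_range_km:
                alerts.append({"type": "CGI_OUT_OF_RANGE", "cgi": cgi,
                               "carrier": carrier, "distance_km": round(dist, 1)})
        # Indicator: the primary cell changed on a stationary sensor.
        if self.primary_cgi is not None and cgi != self.primary_cgi:
            alerts.append({"type": "PRIMARY_CGI_CHANGED",
                           "previous": self.primary_cgi, "current": cgi})
        self.primary_cgi = cgi
        self.recent_primaries.append(cgi)
        # Indicator: gratuitous re-association, too many distinct primaries in a window.
        distinct = len(set(self.recent_primaries))
        if distinct > self.reassoc_limit:
            alerts.append({"type": "GRATUITOUS_REASSOCIATION",
                           "distinct_cells": distinct})
        return alerts


def run_demo():
    """Push constructed collector output through the enricher; returns all alerts."""
    enricher = Enricher(FEED, sensor_lat=36.1147, sensor_lon=-115.1728)
    kal_scan = [{"arfcn": 128, "power": 12.5}, {"arfcn": 190, "power": 58.0}]
    modem_obs = [
        {"mcc": 310, "mnc": 410, "lac": 2001, "cellid": 5001},  # normal primary
        {"mcc": 310, "mnc": 410, "lac": 2001, "cellid": 5001},  # unchanged
        {"mcc": 310, "mnc": 410, "lac": 9901, "cellid": 8801},  # "Orlando" cell in Vegas
        {"mcc": 310, "mnc": 999, "lac": 1234, "cellid": 4321},  # not in the feed
    ]
    alerts = enricher.enrich_kalibrate(kal_scan)
    for obs in modem_obs:
        alerts.extend(enricher.enrich_sim808(obs))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```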