What is 2G SMS Jacking? Why can it be hijacked? How the equipment is obtained and the background behind it

This article is published with permission from Gekiura Information

In recent years, a method called "SMS Jacking" has been attracting attention.

Many of you may know that it became news around April this year.

SMS jacking over 2G networks in particular is a technique that exploits an old but still widely used communication standard.
This article explains the mechanism, the devices used, and how they are obtained purely as background knowledge. Misuse is strictly prohibited.

What is SMS Jacking?

SMS Jacking is a technique by which a third party eavesdrops on, tampers with, or hijacks the SMS (short messages) sent and received by a target's mobile phone.
2G networks (GSM) in particular have very weak encryption and link security, and it is said that interception is possible even with inexpensive devices.

Unlike today's mainstream 4G and 5G, 2G is a communication standard that spread in the 1990s, with a simple design aimed at voice calls and SMS. It is convenient, but its encryption has not kept up with the times, so in effect it is like transmitting over the air in the clear.

Why can jacking be done on 2G networks?

The main reason is the old cipher called "A5/1." This cipher has already been cracked, and it is known that traffic protected by it can be decrypted with little effort.

In addition, 2G lacks mutual authentication between the handset and the base station: the handset proves its identity to the network, but the network never proves its identity to the handset. If a fake base station (fake BTS) is set up, the device will connect to it automatically, which is a design flaw. In other words, an attacker can intercept SMS by the following process:

1. Build a "fake base station (IMSI catcher)" with a laptop and specific wireless equipment
2. Nearby smartphones automatically connect to that base station
3. Intercept, obtain, and relay 2G communications such as SMS through that connection

Main devices used

The representative hardware and software used in SMS Jacking are as follows.

USRP (Universal Software Radio Peripheral) series
Examples: HackRF One, BladeRF, LimeSDR, etc.
All of these are software-defined radio (SDR) devices; once the frequency band is set, they can operate on 2G bands.

Software: OpenBTS / YateBTS / OsmoBTS
These are open-source software packages for running a pseudo base station on a PC. They run on Linux and, depending on the configuration, can send and receive SMS.

Antenna and RF front-end devices
Commercial antennas are sometimes combined with the SDR to improve reception.

How to obtain

The devices themselves are "not illegal," so they can be obtained from general online shopping sites or electronics hobby shops.

Example search keywords:

"HackRF One purchase"
"IMSI catcher DIY"
"GSM base station simulator"
"OpenBTS setup"

They can be purchased from overseas sites (AliExpress, eBay, Banggood, etc.) and from electronics shops in Akihabara, but some items may run into customs duties or Radio Act issues on import, so caution is required.

Note on legality

Intercepting radio communications, including SMS Jacking, is highly likely to violate Article 59 of Japan's Radio Act (protection of secrecy) and the offence concerning unauthorized command electromagnetic records (Penal Code Article 168-2), and actual use will be subject to punishment.

This article is written purely as "technical background knowledge" and does not recommend illegal acts.

How to disable 2G on iPhone

On Japanese iPhones the 2G option may not be available to disable at all, depending on carrier settings, but check the following steps.
Basically, iPhones do not pick up 2G within Japan, so there is little to worry about domestically.

1. Open Settings
2. Go to "Mobile Data" → "Voice & Data"
3. Select "LTE" or "5G" (deselect 2G/GSM if it appears)

However, since domestic carriers no longer operate 2G, Japanese iPhones do not connect to 2G in practice.
Be careful only when using the phone overseas.

How to disable 2G on Android

1. Open Settings
2. "Network & Internet" → "Mobile Network"
3. Tap "Preferred network type"
4. Change to a mode that does not include 2G, such as "4G only" or "LTE only"

Depending on the model, the setting may be under developer options or SIM settings. Some devices can turn off 2G/GSM individually, so search by model name for details.

AntiSpyPhone can forcibly disable 2G networks and reject connections from suspicious base stations at the OS level. It also offers app design and communication controls aimed at a way of using the phone that does not rely heavily on SMS authentication.

Summary

2G is a communication standard that traded security for convenience and is far too vulnerable by modern standards.
Most carriers have now moved to 4G or 5G, but because 2G is still used in some rural areas and in some IoT devices, caution is still necessary.

From a security standpoint, the countermeasures are to turn off 2G, use apps with end-to-end encryption instead of SMS, review the smartphone's communication settings, and use security-focused devices.

[Comment from Gekiura Staff Next Seiko]

Software radios themselves are wireless communication technologies realized by software inside a computer or embedded systems. Therefore, they are not problematic as long as they do not violate the Radio Law.

The A5/1 encryption seems to have been used for keyless entry in rooms and old cars.

Since A5/1 encryption was broken between 2007 and the end of 2009, paradoxically, it seems that keyless entry systems in cars before that time could be breached.

Reference: Encryption of mobile phones and keyless entry systems being broken one after another
