Stealth Cell Tower Inside This Office Printer Calls to Say I Love You

If you look around the street furniture of your city, you may notice some ingenious attempts to disguise cell towers. There are fake trees, lamp posts with bulges, and plenty you won’t even be aware of concealed within commercial signage. The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them. On a more sinister note, government agencies have been known to make use of fake cell towers of a different kind, those which impersonate legitimate towers in order to track and intercept communications.

In investigating the phenomenon of fake cells, [Julian Oliver] has brought together both strands by creating a fake cell tower hidden within an innocuous office printer. It catches the phones it finds within its range, and sends them a series of text messages that appear to be from someone the phone’s owner might know. It then prints out a transcript of the resulting text conversation along with all the identifying information it can harvest from the phone. As a prank it also periodically calls phones connected to it and plays them the Stevie Wonder classic I Just Called To Say I Love You.

In hardware terms the printer has been fitted with a Raspberry Pi 3, a BladeRF software-defined transceiver, and a pair of omnidirectional antennas which are concealed behind the toner cartridge hatch. Software comes via YateBTS, and [Julian] provides a significant amount of information about its configuration as well as a set of compiled binaries.

In one sense this project is a fun prank, yet on the other hand it demonstrates how accessible the technology now is to impersonate a cell tower and hijack passing phones. We’re afraid to speculate though as to the length of custodial sentence you might receive were you to be caught using one as a private individual.

We’ve considered the Stingray cell phone trackers before here at Hackaday, as well as looking at a couple of possible counter-measures: an app that uses a database of known towers to spot fakes, and a solution that relies on an SDR receiver to gather cell tower data from a neighbourhood.
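
The known-tower database check, sketched as an added example (not code from the original article or from the linked apps): each observed cell identity is looked up in a tower list, and cells that are absent, or listed too far from the observer to be received, are flagged. The CSV layout, the sample rows and the coordinates are constructed for illustration.

```python
import csv
import io
import math

# Constructed sample database; column names are an assumption for this example.
KNOWN_TOWERS_CSV = """mcc,mnc,lac,cid,lat,lon
262,1,4021,30511,52.5200,13.4050
262,1,4021,30512,52.5310,13.3840
262,2,811,7710,52.5005,13.4200
262,1,5100,41001,48.1372,11.5756
"""

GSM_MAX_RANGE_KM = 35.0  # standard GSM timing-advance limit on cell radius


def load_known(csv_text):
    """Map (mcc, mnc, lac, cid) -> (lat, lon)."""
    db = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(int(row[k]) for k in ("mcc", "mnc", "lac", "cid"))
        db[key] = (float(row["lat"]), float(row["lon"]))
    return db


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess(cell, observer, db, max_km=GSM_MAX_RANGE_KM):
    """Classify one observed cell; cell is (mcc, mnc, lac, cid)."""
    if cell not in db:
        # Separate a new cell in a known area from an area code never listed for this operator.
        known_lacs = {k[2] for k in db if k[:2] == cell[:2]}
        return "unknown-cell" if cell[2] in known_lacs else "unknown-lac"
    if haversine_km(observer, db[cell]) > max_km:
        return "location-mismatch"  # listed, but too far away to be heard here
    return "ok"


def scan(observations, observer, db):
    """Return only the observations that deserve a closer look."""
    results = [(c, assess(c, observer, db)) for c in observations]
    return [(c, verdict) for c, verdict in results if verdict != "ok"]
```

Crowd-sourced tower lists are incomplete, so an unlisted cell is a lead to investigate rather than proof of a fake.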

[via Hacker News]

35 thoughts on “Stealth Cell Tower Inside This Office Printer Calls to Say I Love You”

  1. Header pic is of one of those HP printers that famously bungled the introduction of lead free solder, with that model it’s not a matter of whether it’ll die, it’s when.

    I made sure HP suffered for that one, got people to switch away from them.

    1. Looks like a 1320, got one that was abused at my wife’s old company then we’ve been thrashing on it 10 years. Doesn’t get pampered, $25 for a 5000 copy clone toner, and away we go again for another few months.

      1. I am a jerk at office stores sometimes, when the salesman asks if I need help, and I’ll say, not really, but maybe it’s time I got a new printer, and aren’t these modern ones much more efficient and economical, and he’ll walk right into it and say yes, and I’ll say great, show me what you got that does better than 1.5 cents a copy.

        1. I really like my OKI 4c laser.
          Cheap as sand, built like a mule, prints on almost anything thanks to a linear paper-path when opened on both ends.
          And quality is crazy good – private printers sure have come a long way…

          1. The OKI LED lasers are not real laser printers, but better in my opinion resolution a little less but very sharp print and going strong ten years on, still printing 3000 copies on each 40$ cartridge.

    2. I have one of those and the imaging board would regularly fail about every 18 months or so.

      The solution that the world/internets found? Bake the board at 350° for eight minutes in a toaster oven with it up on foil standoffs for air circulation. Really.

      After a couple of cycles of this – and a lot of amusement for my wife watching me bake the board in a toaster oven – light finally dawned over marblehead and it occurred to me that the problem was thermal stress. I popped the side cover over the board off for ventilation and it’s run for years without a problem.

    1. One of the European GSM bands is in the US amateur band so as long as you have a license and stay under the legal limit of 1500 watts and transmit your call sign and you turn off all encryption (A5/0).

      1. Hm, could that put the users of the phones in a difficult legal position? At least they would be transmitting in a HAM band without possessing a license and without transmitting their callsign…

  2. I still have one of those printers. One of my most functional dumpster dive finds, surprised to hear that they were so failure prone since I actually pulled two out of the dumpster. And it’s the only HP hardware that I’ve run across that doesn’t require installing the manufacturer’s bloatware-ridden drivers just to print... and it duplexes!!

    Only decent piece of HP hardware I’ve ever owned though (aside from a decent waveform generator which actually happened to be just a rebranded Agilent generator).

    1. You’ve got it backwards. Agilent is spun-off HP. HP used to make test equipment and components, then spun that division off to form Agilent which spun off the components to Avago, and later split off the electrical test equipment division to form Keysight.

      1. Correct. The HP name followed the money. The HP of today has nearly zero connection to the original instrumentation company that many of us grew up with so much respect for. I LOVED HP! Now I wouldn’t use a piece of their junk for a doorstop!

    1. What about the shade of charcoal on this page though? It seems particularly fetching, a kind of aged anthracite look. I’ve got a pair of cargos this very color. Oh, did I ever tell you about when I bought those, it was the funniest thing, there I was in Costco…

    1. That’s a difficult one. There’s an argument to be made in lexicographer circles that the term has expanded its meaning through popular usage to include all base stations, but yes.

      I would have probably called it a femtocell, but used “cell tower” here because that was the term used in the linked article.

  3. I can envision a number of ways to deal with this dilemma:

    1) Using a metallic wave-guide (i.e. coffee can?), triangulate the location of the suspicious cell phone tower. Taking two or more different (RF peaking from the bars display) bearings you can use simple trigonometry to locate the RF target on a Google map.

    2) Go to this website http://opencellid.org/ to see what’s supposed to be there (worldwide). AntennaSearch appears to be experiencing DDoS as of today (3Nov16). I wonder who’s doing that… :-/

    3) OpenCellId will give you Carrier Name, MCC, MNC, LAC, cell ID, and lat/long. However, using the site is a bit of a learning curve. You’ll have to play it by ear unless you can find the help file. You may be surprised to see your neighbor is running one LEGALLY! Like the Feb-1999 SIMPSONS episode “Make Room for Lisa”. :-)

    4) Back in the good old days when SKYPE wasn’t owned secretly by u-know-who, you could make all of your down/low phone calls off of someone’s open unsecured wifi hotspot. A lot of people STILL don’t lock down their APs like realtors, private homes, etc. If you use a yagi or a cantenna you could stand off by several thousand feet and not be spotted by the AP owner in your vehicle using his AP (legally BTW). However, VOIP uses a ton of bandwidth and is noticeable to the poor owner. There are OTHER VOIPs out there that are ostensibly not owned/controlled by the alphabet soup – YET. Good luck finding them.

    5) If you want to test your VOIP voice security… use an old tradecraft technique called BLOWBACK. It’s just a disinformation trick to run something up the verbal flag pole and see who salutes… I don’t recommend doing this at all. It will only piss off the WRONG people! Maybe Julian Assange or Ed Snowden might try it and get away with it. But not you! :-D

    1. BTW #4 is not viewed as legal by some local LEO in USA. They will invariably view your presence as suspicious and tantamount to trespassing. Some US states have ordinances and statutes against this and it is viewed as a form of computer crime. Fortunately this is not the case with US federal law. So never tell the LEO that you’re just war-driving. Better to say you’re working skip on your HAM or CB radio, sight-seeing, or lost your dog or something.

  4. “The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them” – I know those people. They moved in next to the airport and are always complaining about the noise.

    1. Hey! We have those people too! Bought a bunch of luxury houses beside the highway and now they want to lower the speed limit to keep noise pollution down.
      Great system we have…
