This WAV File Can Confuse Your Fitbit

As the devices with which we surround ourselves become ever more connected to the rest of the world, a lot more thought is being given to their security with respect to the internet. It’s important to remember though that this is not the only possible attack vector through which they could be compromised. All devices that incorporate sensors or indicators have the potential to be exploited in some way, whether that is as simple as sniffing the data stream expressed through a flashing LED, or a more complex attack.

Researchers at the University of Michigan and the University of South Carolina have demonstrated a successful attack against MEMS accelerometers such as you might find in a smartphone. They are using carefully crafted sound waves, and can replicate at will any output the device should be capable of returning.

MEMS accelerometers have a microscopic sprung weight with protruding plates that form part of a set of capacitors. The displacement of the weight due to acceleration is measured by looking at the difference between the capacitance on either side of the plates.

The team describe their work in the video we’ve put below the break, though frustratingly they don’t go into quite enough detail other than mentioning anti-aliasing. We suspect that they vibrate the weight such that it matches the sampling frequency of the sensor, and constantly registers a reading at a point on its travel they can dial in through the phase of their applied sound. They demonstrate interference with a model car controlled by a smartphone, and spurious steps added to a Fitbit. The whole thing is enough for the New York Times to worry about hacking a phone with sound waves, which is rather a predictable overreaction that is not shared by the researchers themselves.

Continue reading “This WAV File Can Confuse Your Fitbit”

Hush Those Old-Fashioned Phones

Most people hate unsolicited calls, and it’s worse in the dead of night when we’re all trying to sleep. Smartphones are easy to configure to block nuisance calls, but what if you need a solution for your Plain Old Telephone System (POTS)? [Molecular Descriptor] has built a system to invisibly stop landline phones ringing after hours.

The basic principle relies on an analog circuit that detects the AC ringing signal from the phone network, and then switches in an impedance to make the phone company think the phone has been picked up. The circuit is able to operate solely on the voltage from the phone line itself, thanks to the use of the LM2936 – a regulator with an ultra-low quiescent current. It’s important if you’re going to place a load on the phone line that it be as miniscule as possible, otherwise you’ll have phone company technicians snooping around your house in short order wondering what’s going on.

The aforementioned circuitry is just to block the phone line. To enable the system to only work at night, more sophistication was needed. An Arduino Mega was used to program an advanced RTC with two alarm outputs, and then disconnected. The RTC is then connected to a flip-flop which connects the blocking circuit only during the requisite “quiet” hours programmed by the Arduino. The RTC / flip-flop combination is an elegant way of allowing the circuit to remain solely powered by the phone line in use, as they use far less power when properly configured than a full-blown microcontroller.

It’s a cool project, with perhaps the only pitfall being that telecommunications companies aren’t always cool with hackers attaching their latest homebrewed creations to the network. Your mileage may vary. For more old-school telephony goodness, check out this home PBX rig.

Banana Phone Blocks Robocalls

Despite the implementation of the National Do Not Call Registry in the US (and similar programs in other countries), many robocallers still manage to get around the system. Whether they’re operating outside the law somehow (or they simply don’t care about it) there are some ways you can take action to keep these annoying calls from coming through. [Alex] is among those to take matters into his own hands and built a specialty robocall-blocking device.

Based on a Raspberry Pi, the “Banana Phone” is able to intercept incoming calls on standard land lines or VoIP phones. After playing a short message, the caller is asked to input a four-digit code. Once the code is correctly entered, the caller is presumed to be human, added to a whitelist, and then the Pi passes them on to the recipient. There are, however, some legitimate robocallers such as emergency services regarding natural disasters or utility companies regarding outages. For these there is a global whitelist that the Pi checks against and forwards these robocalls on to the recipient automatically.

This project was originally an entry into a contest that the Federal Trade Commission put on a few years ago for ideas about how to defend against robocalls. We covered it back then, but now there are full build instructions. Even though the contest is long over, the Banana Phone is still in active development so if you have a spare Pi lying around you can still set this up yourself. There are some other interesting ways to defend against robocalls as well, like including the “line disconnected” tone in your voicemail, for example.

GSM Sniffing on a Budget with Multi-RTL

If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.

[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.

Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation.
Continue reading “GSM Sniffing on a Budget with Multi-RTL”

ZeroPhone gives Smartphones the Raspberry (Pi)

There are several open source phones out there these days, but all of them have a downside. Hard to obtain parts, hard to solder, or difficult programming systems abound. [Arsenijs] is looking to change all that with ZeroPhone. ZeroPhone is based upon the popular Raspberry Pi Zero. The $5 price tag of the CPU module means that you can build this entire phone for around $50 USD.

The radio module in the ZeroPhone is the well known SIM800L 2G module. 2G is going away or gone in many places, so [Arsenijs] is already researching more modern devices. An ESP8266 serves as the WiFi module with an OLED screen and code in python round out this phone. Sure, it’s not a fancy graphical touchscreen, but a full desktop is just a matter of connecting a display, mouse, and keyboard.

For the security conscious, the ZeroPhone provides a unique level of control. Since this is a Raspberry Pi running Linux, you choose which modules are included in the kernel, and which software is loaded in the filesystem. And with news that we may soon have a blobless Pi, the firmware hiding in the radio modules are the only black boxes still remaining.

If a Raspberry Pi is a bit too much for you to bite off, check out this Arduino based phone. Don’t want to do any soldering? Check out what you can do with a cheap Android phone and a bit of hacking.

Smartphone Case For The Retro Gamer

A well-designed phone case will protect your phone from everyday bumps with only as much style flair as you’d like. While protection is usually the only real function of a case, some designs — like [Gabbelago]’s Emucase — add specific utility that you might not have known you needed.

Contrary to most cases, the Emucase fits over your phone’s screen, and the resulting facelift emulates the appearance of a Game Boy for easier — you guessed it — Game Boy emulation play on your smartphone.

Cannibalizing a USB SNES gamepad for its buttons and rubber contact pads, Gabbelago then threaded some wire through the contacts, securing it with copper tape and glue; this provides a measurable level of capacitance to register on the touchscreen. Using heat to bend the sides of the 3D printed case so it can attach to the phone is probably the trickiest part of this cool project. Check out his build instructions for any pointers you need.

Continue reading “Smartphone Case For The Retro Gamer”

Blynk with Joy

Last time, I talked about how my storage situation and my cheap nature led me to build an RC joystick controller with a cell phone app and an ESP8266. The key to making this easy was to use the GUI builder called Blynk to make a user interface for an Android or Apple phone. Blynk can communicate with the ESP8266 and makes the project relatively simple.

ESP8266 and Arduino IDE

The ESP8266 Blynk code is straightforward. You do need to set up the Arduino IDE to build for the ESP8266. That can vary by board, but here’s the instructions for the board I was using (from Adafruit; see below).

adaesp

Depending on the type of ESP8266 device you are using, you may need a 3.3 V serial cable or some other means of getting the firmware into the device. For the Adafruit device I had, it has a 5 V-tolerant serial connection so a standard USB to serial dongle plugs right in. There’s also two switches on my device. To get into bootload mode, you have to push the one button down, hold it, and then press the reset button. Once you release the reset button you can release the other button. The red LED half-glows and the device is then waiting for a download.
Continue reading “Blynk with Joy”