Hackaday Prize Entry: A Mobile Electric Gate

Electric gates can be an excellent labor-saving device, allowing one to remain in a vehicle while the gate opens and closes by remote activation. However, it can become somewhat of a hassle juggling the various remotes and keyfobs required, so [bredman] devised an alternative solution – controlling an electric gate over the mobile network.

20 years ago, this might have been achieved by wiring a series of relays up to the ringer of a carphone. These days, it’s a little more sophisticated – a GSM/GPRS module is connected to an Arduino Nano. When an incoming call is detected, the gate is opened. After a 3 minute wait, the gate is once again closed.

[bredman] suffered some setbacks during the project, due to the vagaries of working with serial on the Arduino Nano and the reset line on the A6 GSM module. Overall, however, the gate was a simple device to interface with: like many such appliances, it has well-labelled and documented pins for sending the gate open and close signals.

[bredman] was careful to design the system to avoid unwanted operation. The system is designed to always automatically close the gate, so no matter how many times the controller is called, the gate will always end up in a closed state. Special attention was also paid to making sure the controller could gracefully handle losing connection to the mobile network. It’s choices like these that can make a project much more satisfying to use – a gate system that constantly requires attention and rebooting will likely not last long with its users.

Overall, it’s a great project that shows how accessible such projects are – with some carefully chosen modules and mastery of serial communications, it’s a cinch to put together a project to connect almost anything to the Internet or mobile networks these days. For a different take, check out this garage door opener that logs to Google Drive.

Particle Electron – The Solution To Cellular Things

Just over a year ago, Particle (formerly Spark), makers of the very popular Core and Particle Photon WiFi development kits, released the first juicy tidbits for a very interesting piece of hardware. It was the Electron, a cheap, all-in-one cellular development kit with an even more interesting data plan. Particle would offer their own cellular service, allowing their tiny board to send or receive 1 Megabyte for $3.00 a month, without any contracts.

Thousands of people found this an interesting proposition and the Electron crowdfunding campaign took off like a rocket. Now, after a year of development and manufacturing, these tiny cellular boards are finally shipping out to backers and today the Electron officially launches.

Particle was kind enough to provide Hackaday with an Electron kit for a review. The short version of this review is the Electron is a great development platform, but Particle pulled off a small revolution in cellular communications and the Internet of Things.


Hack Anything into a Phone

If you’ve spent much time tinkering with electronics, you’ve probably heard of [Seeedstudio] from their development boards, tools, and their PCB fabrication service. Their latest Kickstarter venture is the RePhone, an open source and modular cell phone that will allow hackers to put together a phone by blending GSM modules, batteries, screens, and other stock units, including an Arduino-based processing core, GPS, NFC, and other building blocks.

The funding campaign has already exceeded its goal and delivery is scheduled for next year with a basic kit weighing in at a projected $59, according to [Seeed]. Presumably, the core phone module will have regulatory acceptance, but the other ancillary modules won’t require as rigorous testing and certification.

What would you do with an inexpensive, embeddable cell phone? The modules are tiny, so you could implant them in lots of places. Some of [Seeed’s] more interesting ideas include building a phone into a walking stick, a dog collar, or a kite (although we were thinking quadcopters).

Of course, we’ve seen GSM and cell phone shields for Arduino before. It’s difficult to imagine sticking those in a dog collar, though, unless you have a fairly large dog. If you are a fan of 1960s TV, it is easy to imagine a better shoe phone or a working Star Trek communicator.


A Cellular Dev Kit With A Data Plan

After years of futzing around with 433 MHz radios and WiFi, we’re finally seeing a few dev boards that are focused on cellular radio modules. The Konekt Dash is the latest offering that puts a small u-blox SARA cellular module on a board with a small ARM Cortex M4 microcontroller for a complete cellular solution for any project you have in mind. Yes, until we get radios that make sense for an Internet of Things, this is the best you’re going to get.

If the Konekt sounds familiar, you’re right. A few months ago, Spark introduced the Electron, a cellular dev board based on the u-blox SARA-U260 module that includes a SIM with 1MB of data a month. Practically, it’s not much different from the Konekt, but the Dash and Dash Pro offer battery management and a battery connector, two power supplies, and encryption from the board to a server. There are slight differences for about the same price, but that’s what’s great about competition.

The Konekt Dash is now a few days into a Kickstarter campaign that includes as rewards a board and a SIM with six months to a year’s worth of data. There are a lot of things that can’t be done with WiFi, Bluetooth, or other radio modules, and if you have something like that in mind, you won’t do better than a Konekt or Spark Electron.

Spark Goes Cellular With The Electron

A few years ago, small and cheap WiFi modules burst onto the scene and with that the Spark was born. It’s a tiny dev board with a TI CC3000 WiFi module, capable of turning any device into an Internet-connected device. It’s only the very beginning of the Internet of Things, yes, but an important step in the right direction. Now, Spark is unshackling itself from WiFi networks with the Spark Electron, a dev kit that comes with a cellular radio and data plan.

If you’ve ever tried to build a high altitude balloon, a project that will be out of range of WiFi, or anything else where cellular data would be a godsend, you’ll quickly realize Verizon, AT&T, Sprint, and all the other carriers out there don’t necessarily care about your project. As far as we can tell, Spark is the first company to fix this gaping hole in what cellular can do by offering their own service – 20,000 messages for $3/month and no contracts. Officially, that’s 1MB of data spread over 20k messages that are about 50 bytes in length.

There are a few dozen companies and organizations working on the next generation of The Internet Of Things, but these require completely new silicon and spectrum allocations or base stations. Right now, there’s exactly one way of getting a Thing on the Internet without WiFi, and that’s with cellular data. We have to hand it to Spark for this one, and can’t wait to see the projects that will be possible due to a trickle of Internet everywhere.

Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smartphone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man-in-the-middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man-in-the-middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
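The check both dongles lacked, as an added example (not code from the researchers, Zubie or Progressive): the vendor signs a small manifest binding a version number to the image hash, and the device installs only if the signature, the hash and a newer version all verify against a public key it already holds. The function names, file names and manifest layout are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: signed firmware manifest, checked before install.
# Function names, file names and the "version sha256" manifest layout
# are assumptions; the firmware image is constructed sample data.

# Vendor, once: create a P-256 key pair; only pub.pem ships on the device.
make_keys() {  # make_keys <dir>
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/priv.pem" 2>/dev/null &&
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Vendor, per release: bind version and image hash in a manifest, sign it.
sign_update() {  # sign_update <priv.pem> <image> <version> <outdir>
  printf '%s %s\n' "$3" "$(sha256sum "$2" | cut -d' ' -f1)" > "$4/manifest" &&
  openssl dgst -sha256 -sign "$1" -out "$4/manifest.sig" "$4/manifest"
}

# Device: 0 = install; 1 = bad signature; 2 = image differs; 3 = not newer.
accept_update() {  # accept_update <pub.pem> <image> <dir> <installed_version>
  openssl dgst -sha256 -verify "$1" -signature "$3/manifest.sig" \
    "$3/manifest" >/dev/null 2>&1 || return 1
  read -r au_ver au_want < "$3/manifest" || return 1
  au_got=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$au_got" = "$au_want" ] || return 2      # image swapped in transit
  [ "$au_ver" -gt "$4" ] 2>/dev/null || return 3   # replayed old release
  return 0
}

# Round trip: a genuine update, then the same update with a modified image.
demo() {
  d=$(mktemp -d) && make_keys "$d" &&
  printf 'constructed firmware image v2' > "$d/fw.bin" &&
  sign_update "$d/priv.pem" "$d/fw.bin" 2 "$d" &&
  accept_update "$d/pub.pem" "$d/fw.bin" "$d" 1; echo "genuine update: $?"
  printf 'injected' >> "$d/fw.bin"
  accept_update "$d/pub.pem" "$d/fw.bin" "$d" 1; echo "modified image: $?"
  rm -rf "$d"
}
demo
```

Because the trust anchor is the public key on the device rather than the network path, redirecting DNS to another server does not by itself get an image installed.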

The first research team provided their findings to Zubie, who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Retrotechtacular: Ma Bell’s Advanced Mobile Phone Service (AMPS)

This gem from the AT&T Archive does a good job of explaining the first-generation cellular technology that AT&T called Advanced Mobile Phone Service (AMPS). The hexagon-cellular network design was first conceived at Bell Labs in 1947. After a couple of decades spent pestering the FCC, AT&T was awarded the 850MHz band in the late 1970s. It was this decision coupled with the decades’ worth of Bell System technical improvements that gave cellular technology the bandwidth and power to really come into its own.

AT&T’s primary goals for the AMPS network were threefold: to provide more service to more people, to improve service quality, and to lower the cost to subscribers. Early mobile network design gave us the Mobile Service Area, or MSA. Each high-elevation transmitter could serve a 20-mile radius of subscribers, a range which constituted one MSA. In the mid-1940s, only 21 channels could be used in the 35MHz and 150MHz band allocations. The 450MHz band, introduced in 1952, provided another 12 channels.

The FCC’s allocation opened a whopping 666 channels in the neighborhood of 850MHz. Bell Labs’ hexagonal innovation sub-divided the MSAs into cells, each with a radius of up to ten miles.

The film explains quite well that in this arrangement, each cell set of seven can utilize all 666 channels. Cells adjacent to each other in the set must use different channels, but any cell at least 100 miles away can use the same channels. Furthermore, cells can be subdivided or split. Duplicate frequencies are dealt with through the FM capture effect in which the weaker signal is suppressed.

Those Bell System technical improvements facilitated the electronic switching that takes place between the Mobile Telephone Switching Office (MTSO) and the POTS landline network. They also realized the automatic control features required of the AMPS project, such as vehicle location and automatic channel assignment. The film concludes its lecture with step-by-step explanations of inbound and outbound call setup where a mobile device is concerned.
