GSM Sniffing on a Budget with Multi-RTL

If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.

[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.

Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation.
Continue reading “GSM Sniffing on a Budget with Multi-RTL”

Building Beautiful Cell Phones Out Of FR4

Over on Hackaday.io, [bobricius] took this technology and designed something great. It’s a GSM cell phone with a case made out of FR4. It’s beautiful, and if you’re ever in need of a beautifully crafted burner phone, this is the one to build.

The components, libraries, and toolchains to build a cellphone from scratch have been around for a very long time. Several years ago, the MIT Media Lab prototyped a very simple cellphone on a single piece of FR4. It made calls, but not much else. It was ugly, but it worked. [Bobricius] took the idea and ran with it.

Continue reading “Building Beautiful Cell Phones Out Of FR4”

Barely-There GSM GPS Tracker

What’s the most un-intrusive GPS you’ve ever seen? How about for a bike? Redditor [Fyodel] has built a Teensy-based GPS/GSM tracker that slides into your bike’s handlebars and really is out of sight.

The tracker operates on T-Mobile’s 2G service band — which will enable the device to work until about 2020 — since AT/T is phasing out their service come January. Since each positioning message averages 60 bytes, an IoT data plan is sufficient for moderate usage, with plans to switch over to a narrow-band LTE service when it becomes more affordable. [Fyodel] admits that battery life isn’t ideal at the moment, but plans to make it more efficient by using a motion sensor to ensure it’s only on when it needs to be.

Continue reading “Barely-There GSM GPS Tracker”

Rotary Cell Phone: Blast from a Past that Never Was

The 1970s called and they want their rotary dial cell phone back.

Looking for all the world like something assembled from the Radio Shack parts department – remember when Radio Shack sold parts? – [Mr_Volt]’s build is a celebration of the look and feel of a hobbyist build from way back when. Looking a little like a homebrew DynaTAC 8000X, the brushed aluminum and 3D-printed ABS case sports an unusual front panel feature – a working rotary dial. Smaller than even the Trimline phone’s rotating finger stop dial and best operated with a stylus, the dial translates rotary action to DTMF tones for the Feather FONA board inside. Far from a one-trick pony, the phone sports memory dialing, SMS messaging, and even an FM receiver. But most impressive and mysterious is the dial mechanism, visible through a window in the wood-grain back. Did [Mr_Volt] fabricate those gears and the governor? We’d love to hear the backstory on that.

This isn’t the first rotary cell phone hybrid we’ve featured, of course. There was this GSM addition to an old rotary phone and this cell phone that lets you slam the receiver down. But for our money a rotary dial cell phone built from the ground up wins the retro cool prize of the bunch.

Continue reading “Rotary Cell Phone: Blast from a Past that Never Was”

How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there was most certinaly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava wearing hackers requires some sort of detection system.. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector
A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.

Fallout Inspired Cellphone Wristwatch

[Mr. Volt] mentions that some of the commenters on his videos believed that he shouldn’t be making large, retro computer themed communicator watches. He believes they are wrong, naturally we are compelled to agree with him.

thrumbzIn his latest build he has produced a rather well-built and large cell-phone watch. After the untimely death of an Apple II cellphone watch, he decided to up his game and make one that could take more of a beating. The case is 3D printed, which is hard to believe given the good finish. He must have spent a long time sanding the prints. Some wood veneer for looks and aluminum panels for strength complete the assembly.

The electronics are a Teensy and a GSM module. It looks like he places calls by calling the operator since the wrist communicator only has four inputs: a red button, a blue button, and a momentary switch rotary encoder.

The communicator appears to work really smoothly, and it would certainly draw attention to him were he to wear it anywhere other than the Wasteland. Video after the break.

Continue reading “Fallout Inspired Cellphone Wristwatch”

Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off the shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table of the A5 cyphers that is used on a GSM network between the handset and tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.