[gw0udm] had an ancient monitored alarm system fitted to their home, and decided it was time to upgrade to something a little more modern. They chose a system from Texecom, but when it came time to hook it up to their computer, they were alarmed at the costs – £40 for what amounted to a USB-to-Serial cable! There were other overpriced modules too. But [gw0udm] wanted to upgrade, so it was time to hack the system.
The first step was grabbing a £4 USB-to-Serial board and wiring it up – a simple job for the skilled hacker. As we always say – everything speaks serial. [gw0udm] then set their sights higher – they wanted the Ethernet interface but weren’t about to cough up the coin. After some research, it was determined that a Raspberry Pi could be used with a utility called ser2net with the existing serial interface to do pretty much the same job. It was a simple matter of figuring out the parity and messaging format to get things up and running.
From there, the project moves on to tackling the creation of a GSM module for monitoring in the absence of a local network, and on flashing the firmware of the system itself. It’s great to see a project continually grow and expand the functionality of a product over time.
If you want to eavesdrop on GSM phone conversations or data, it pays to have deep pockets, because you’re going to need to listen to a wide frequency range. Or, you can just use two cheap RTL-SDR units and some clever syncing software. [Piotr Krysik] presented his work on budget GSM hacking at Camp++ in August 2016, and the video of the presentation just came online now (embedded below). The punchline is a method of listening to both the uplink and downlink channels for a pittance.
[Piotr] knows his GSM phone tech, studying it by day and hacking on a GnuRadio GSM decoder by night. His presentation bears this out, and is a great overview of GSM hacking from 2007 to the present. The impetus for Multi-RTL comes out of this work as well. Although it was possible to hack into a cheap phone or use a single RTL-SDR to receive GSM signals, eavesdropping on both the uplink and downlink channels was still out of reach, because it required more bandwidth than the cheap RTL-SDR had. More like the bandwidth of two cheap RTL-SDR modules.
Getting two RTL-SDR modules to operate in phase is as easy as desoldering a crystal from one and slaving it to the other. Aligning the two absolutely in time required a very sweet hack. It turns out that the absolute timing is retained after a frequency switch, so both RTL-SDRs switch to the same channel, lock together on a single signal, and then switch back off, one to the uplink frequency and the other to the downlink. Multi-RTL is a GnuRadio source that takes care of this for you. Bam! Hundreds or thousands of dollar’s worth of gear replaced by commodity hardware you can buy anywhere for less than a fancy dinner. That’s a great hack, and a great presentation. Continue reading “GSM Sniffing on a Budget with Multi-RTL”→
Over on Hackaday.io, [bobricius] took this technology and designed something great. It’s a GSM cell phone with a case made out of FR4. It’s beautiful, and if you’re ever in need of a beautifully crafted burner phone, this is the one to build.
The components, libraries, and toolchains to build a cellphone from scratch have been around for a very long time. Several years ago, the MIT Media Lab prototyped a very simple cellphone on a single piece of FR4. It made calls, but not much else. It was ugly, but it worked. [Bobricius] took the idea and ran with it.
What’s the most un-intrusive GPS you’ve ever seen? How about for a bike? Redditor [Fyodel] has built a Teensy-based GPS/GSM tracker that slides into your bike’s handlebars and really is out of sight.
The tracker operates on T-Mobile’s 2G service band — which will enable the device to work until about 2020 — since AT/T is phasing out their service come January. Since each positioning message averages 60 bytes, an IoT data plan is sufficient for moderate usage, with plans to switch over to a narrow-band LTE service when it becomes more affordable. [Fyodel] admits that battery life isn’t ideal at the moment, but plans to make it more efficient by using a motion sensor to ensure it’s only on when it needs to be.
Looking for all the world like something assembled from the Radio Shack parts department – remember when Radio Shack sold parts? – [Mr_Volt]’s build is a celebration of the look and feel of a hobbyist build from way back when. Looking a little like a homebrew DynaTAC 8000X, the brushed aluminum and 3D-printed ABS case sports an unusual front panel feature – a working rotary dial. Smaller than even the Trimline phone’s rotating finger stop dial and best operated with a stylus, the dial translates rotary action to DTMF tones for the Feather FONA board inside. Far from a one-trick pony, the phone sports memory dialing, SMS messaging, and even an FM receiver. But most impressive and mysterious is the dial mechanism, visible through a window in the wood-grain back. Did [Mr_Volt] fabricate those gears and the governor? We’d love to hear the backstory on that.
Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.
These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there was most certinaly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin here?).
No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava wearing hackers requires some sort of detection system.. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.
Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.
To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.
This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.
Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.
[Mr. Volt] mentions that some of the commenters on his videos believed that he shouldn’t be making large, retro computer themed communicator watches. He believes they are wrong, naturally we are compelled to agree with him.
In his latest build he has produced a rather well-built and large cell-phone watch. After the untimely death of an Apple II cellphone watch, he decided to up his game and make one that could take more of a beating. The case is 3D printed, which is hard to believe given the good finish. He must have spent a long time sanding the prints. Some wood veneer for looks and aluminum panels for strength complete the assembly.
The electronics are a Teensy and a GSM module. It looks like he places calls by calling the operator since the wrist communicator only has four inputs: a red button, a blue button, and a momentary switch rotary encoder.
The communicator appears to work really smoothly, and it would certainly draw attention to him were he to wear it anywhere other than the Wasteland. Video after the break.