Want to listen in on cellphone calls or intercept text messages? Well that’s a violation of someone else’s privacy so shame on you! But there are black-hats who want to do just that and it may not be quite as difficult as you think. This article sums up a method of using prepaid cellphones and some decryption technology to quickly gain access to all the communications on a cellular handset. Slides for the talk given at the Chaos Communications Congress by [Karsten Nohl] and [Sylvain Munaut] are available now, but here’s the gist. They reflashed some cheap phones with custom firmware to gain access to all of the data coming over the network. By sending carefully crafted ghost messages the target user doesn’t get notified that a text has been received, but the phone is indeed communicating with the network. That traffic is used to sniff out a general location and eventually to grab the session key. That key can be used to siphon off all network communications and then decrypt them quickly by using a 1 TB rainbow table. Not an easy process, but it’s a much simpler method than we would have suspected.
[Ryan O’Hara] built a location tracker he could use on motorcycle trips. Ostensibly this is to give his wife peace of mind, but we think that was an excuse to play with GPS and SMS. To stand up to the trials of the road [Ryan] took his breadboarded prototype to the next level, using a manufactured board and a SparkFun enclosure. Tucked safely away is a PIC 18F25K20 gathering longitude and latitude from a GM862, formatting the info into a Google Maps link, and sending it to the Twitter feed via an SMS message. If you’re not familiar with the GM862, in addition to being a GPS module it can send and receive cellular data on a GSM network.
This is a nice solid hardware platform from which we can envision a couple of other hacks. The feed could be parsed to make a nice map graphic like the webpage for that Twittering Road Bike. It also might be nice to have a d-pad and character LCD to post your own tweets to the feed at the end of the day.
Open source GSM cracking software called “Kraken” has been released into the wild. You may recognize some of the information from back in December when we announced that they had cracked GSM encryption. Well, now you can participate as well. You’ll need a pretty beefy Linux machine and some patience. They say that an easier GUI and support for GPU processing is coming in the near future.
[Thanks Eliot Via Slashdot and PCWorld]
[Dave] had been working on a cell phone activated remote start for his car for a while when we posted the GSM car starter. While both do carry out the same job, we feel that there is enough good information here to share. He’s gone a pretty simple way, by connecting the vibrator motor leads to a headphone jack. He’s using that signal to then activate the remote start by setting off an extra fob. Though it is amazingly simple, this version does have an advantage. As [Dave] points out, his cell phone has several features which could be utilized to automate some of his car starts. He can set alarms as well as recurring calendar events to get his car started without his interaction. Let’s just hope he doesn’t forget and let his car run too long unattended, especially if it is in a garage attached to his house.
It’s just starting to warm up around here but it was very cold for a long time. We’re not fond of going anywhere when it’s way below freezing but those professional hermit opportunities never panned out so we’re stuck freezing our butts off. Fed up with his frigid auto, [Aaron] installed a remote starter to warm the car up before he got to it. This didn’t help at work because the distance from his office to the sizable parking lot is too far for the key fob’s signal to carry. He decided to make his starter work with GSM so he could start the car with a phone call.
The first attempt involved a pre-paid cell phone for $30. The problem is that anyone who called the phone would end up starting the car. After a bit of looking he found a GSM switch that just needs an activated SIM to work. When called, it reads the incoming phone number for authentication but never picks up the phone so there’s no minutes used. He cracked open an extra key-fob and wired up the lock and start buttons to the relays in the GSM switch. Bam! A phone call starts (and locks) his car.
Maybe this isn’t as hardcore as body implants but it’s a fairly clean solution. He uses the car’s 12 V system to power the switch and pays $10 every three months to keep the SIM card active. There’s an underwhelming demonstration video after the break showing a cellphone call and a car starting.
[Karsten Nohl], with a group of security researchers, has broken the A5/1 stream cipher behind GSM. Their project web site discusses their work and provides the slides (PDF) presented at 26C3. A5/1 has had known vulnerabilities for some time now and is scheduled to be phased out for the newer KASUMI or A5/3 block cipher. This should be an interesting time in the cell phone business.
Thanks to [Tyco] and [MashupMark] for pointing us to this story.