Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off the shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table of the A5 cyphers that is used on a GSM network between the handset and tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.

SDR Cape for BeagleBone

In the old days if you wanted to listen to shortwave you had to turn a dial. Later, you might have been able to tap in a frequency with a keypad. With modern software-defined radio (and the right hardware) you can just listen to the entire high-frequency spectrum at one time. That’s the idea behind KiwiSDR, an open source daughterboard (ok, cape) for the BeagleBone.

The front end covers 10 kHz to 30 MHz and has a 14-bit converter operating at 65 MHz. There is a Xilinx Artix-7 A35 FPGA onboard and a GPS, too. The design is open source and on GitHub.

The interface uses the OpenWebRX project for a powerful HTML 5 interface. You can see a video of its operation below or, if you can get one of the four available slots, you can listen online. From a network point of view, the demo station in Canada worked best for us. However, there are also stations in New Zealand and Sweden.

Continue reading “SDR Cape for BeagleBone”

Breaking SimpliSafe Security Systems With Software Defined Radio

The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?

Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered in the keypad, the base station replies with a ‘PIN entered’ packet. Replaying this packet with a 433 MHz transmitter will disable the security system.

[Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions were easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed bypassing notifications to the owner.

It’s a hilarious failure of wireless security, especially given the fact that this exploit can be performed by anyone with $100 in equipment. With a little more effort, an attacker can execute a PIN replay from a mile away. Sadly, failures of security of this magnitude are becoming increasingly common. There will assuredly be more attacks of this kind in the future, at least until hardware manufacturers start taking the security (of their security products) seriously.

SDR Pan Adapter

Ham radio operators have a long history of using pan adapters to visualize an entire range of the radio spectrum. Traditionally, an adapter was essentially a spectrum analyzer that shows a trace where the X-axis is the frequency, and the Y-axis shows the signal strength at any particular frequency. You can quickly find either busy frequencies or empty frequencies at a glance.

Although the pan adapter has been around since the 1930’s, they aren’t as common as you’d think with regular analog radios. However, if you’ve used an SDR (Software Defined Radio), a spectrum display is par for the course. [Mehdi Asgari] did what a lot of hams have been doing lately: he married an SDR and his traditional receiver to provide a great pan adapter with very little effort.

Continue reading “SDR Pan Adapter”

Low Parts Count ARM SDR

[Alberto di Bene] wanted to build an SDR for relatively low frequencies. Usually, you’d start with some front end to get the radio frequency signal down where you can work with it. But [Alberto] practically just fed an antenna into an STM32F429 Discovery board and did all the radio processing in the onboard ARM chip.

There is a little more to it than that, but only a little. If you open the PDF file on [Alberto’s] site, you’ll see there is a simple front end filter (a transformer, along with a few capacitors and inductors). This low pass filter prevents high frequencies from reaching the ARM processor’s analog to digital converter. In addition, a capacitor and a couple of resistors ensure the converter only sees positive voltages.

The CPU digitizes the incoming signal and processes it, demodulating several different types of radio transmission. The recovered audio is sent through the onboard digital to analog converter.

In addition to an input filter, the output also needs a filter to prevent high frequencies from reaching the speaker. Unlike the input filter, this one is a bit more complicated. The inductors needed for a passive filter were too large to be practical, so the output filter is an active one with a few transistors. The only other external circuitry is the power supply for the Discovery board.

The document does a great job of explaining the rationale behind the design choices and how the whole system works. It also includes simulations of both analog and digital filters used in the design.

This is really bare metal SDR and reading the code is educational. However, if you want to start with something simpler, consider GNU Radio and either an SDRPlay or a cheap RTL-SDR dongle.


Your First GNU Radio Receiver with SDRPlay

Although GRC (the GNU Radio Companion) uses the word radio, it is really a graphical tool for building DSP applications. In the last post, I showed you how you could experiment with it just by using a sound card (or even less). However, who can resist the lure of building an actual radio by dragging blocks around on a computer screen?

For this post and the accompanying video, I used an SDRPlay. This little black box has an antenna jack on one end and a USB port on the other. You can ask it to give you data about a certain area of the RF spectrum and it will send complex (IQ) data out in a form that GRC (or other DSP tools) can process.

The SDRPlay is a great deal (about $150) but if you don’t want to invest in one there are other options. Some are about the same price (like the HackRF or AirSpy) and have different features. However, you can also use cheap TV dongles, with some limitations. The repurposed dongles are not as sensitive and won’t work at lower frequencies without some external help. On the other hand, they are dirt cheap, so you can overlook a few little wrinkles. You just can’t expect the performance you’ll get out of a more expensive SDR box. Some people add amplifiers and converters to overcome these problems, but at some point it would be more cost effective to just spring for a more expensive converter.

Continue reading “Your First GNU Radio Receiver with SDRPlay”

RPiTX Turns Rasberry Pi into Versatile Radio Transmitter

Since the discovery that some USB TV tuner dongles could be used to monitor radio waves across a huge amount of spectrum, the software-defined radio world has exploded with interest. The one limiting factor, though, has been that the dongles can only receive signals; they can’t transmit them. [Evariste Okcestbon, F5OEO] (if that is his real name! Ok c’est bon = Ok this is good) has written some software that will get you transmitting using SDR with only a Raspberry Pi and a wire.

There have been projects in the past that use a Pi to broadcast radio (PiFM), but this new software (RPiTX) takes it a couple steps further. Using just an appropriately-sized wire connected to one of the GPIO pins, the Raspberry Pi is capable of broadcasting using FM, AM, SSB, SSTV, or FSQ signals. This greatly increases the potential of this simple computer-turned-transmitter and anyone should be able to get a lot of use out of it. In the video demo below the break, [Evariste] records a wireless doorbell signal and then re-transmits it using just the Rasbperry Pi.

The RPiTX code is available on GitHub if you want to try it out. And it should go without saying that you will most likely need an amateur radio license of some sort to use most of these features, depending on your locale. If you don’t have a ham radio license yet, you don’t need one to listen if you want to get started in the world of SDR. But a ham license isn’t hard to get and at this point it shouldn’t take much convincing for you to get transmitting.

Continue reading “RPiTX Turns Rasberry Pi into Versatile Radio Transmitter”