If you look around the street furniture of your city, you may notice some ingenious attempts to disguise cell towers. There are fake trees, lamp posts with bulges, and plenty you won’t even be aware of concealed within commercial signage. The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them. On a more sinister note, government agencies have been known to make use of fake cell towers of a different kind, those which impersonate legitimate towers in order to track and intercept communications.
In investigating the phenomenon of fake cells, [Julian Oliver] has brought together both strands by creating a fake cell tower hidden within an innocuous office printer. It catches the phones it finds within its range, and sends them a series of text messages that appear to be from someone the phone’s owner might know. It then prints out a transcript of the resulting text conversation along with all the identifying information it can harvest from the phone. As a prank it also periodically calls phones connected to it and plays them the Stevie Wonder classic I Just Called To Say I Love You.
In hardware terms the printer has been fitted with a Raspberry Pi 3, a BladeRF software-defined transceiver, and a pair of omnidirectional antennas which are concealed behind the toner cartridge hatch. Software comes via YateBTS, and [Julian] provides a significant amount of information about its configuration as well as a set of compiled binaries.
In one sense this project is a fun prank, yet on the other hand it demonstrates how accessible the technology now is to impersonate a cell tower and hijack passing phones. We’re afraid to speculate though as to the length of custodial sentence you might receive were you to be caught using one as a private individual.
We’ve considered the Stingray cell phone trackers before here at Hackaday, as well as looking at a couple of possible counter-measures: an app that uses a database of known towers to spot fakes, and a solution that relies on an SDR receiver to gather cell tower data from a neighbourhood.
[via Hacker News]
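The first counter-measure mentioned above, checking a phone's serving cell against a database of known towers, can be sketched as follows. This is an added example, not code from the article, from [Julian Oliver], or from any of the linked projects; the CSV column layout, the sample rows and readings, and the `MAX_KM` threshold are all constructed for illustration.

```python
import csv, io, math

# Constructed sample of a known-tower database (columns chosen for this
# example, not the export layout of any real tower database).
KNOWN_TOWERS_CSV = """mcc,mnc,lac,cid,lat,lon
262,1,5001,10001,52.5200,13.4050
262,1,5001,10002,52.5301,13.3847
262,2,7102,20450,52.5074,13.4247
"""
MAX_KM = 10.0  # assumed plausibility radius between observer and registered site

def load_towers(text):
    """Index known towers by (mcc, mnc, cid) -> (lac, lat, lon)."""
    db = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (int(row["mcc"]), int(row["mnc"]), int(row["cid"]))
        db[key] = (int(row["lac"]), float(row["lat"]), float(row["lon"]))
    return db

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_cell(db, obs):
    """Return the reasons an observed serving cell looks suspicious (empty = ok)."""
    known = db.get((obs["mcc"], obs["mnc"], obs["cid"]))
    if known is None:
        return ["cell ID not in known-tower database"]
    reasons = []
    lac, lat, lon = known
    if lac != obs["lac"]:
        reasons.append(f"LAC {obs['lac']} differs from registered LAC {lac}")
    dist = haversine_km(obs["lat"], obs["lon"], lat, lon)
    if dist > MAX_KM:
        reasons.append(f"observed {dist:.0f} km from registered site")
    return reasons

if __name__ == "__main__":
    db = load_towers(KNOWN_TOWERS_CSV)
    observations = [  # constructed readings: serving cell plus the phone's own GPS fix
        {"mcc": 262, "mnc": 1, "lac": 5001, "cid": 10001, "lat": 52.5210, "lon": 13.4100},
        {"mcc": 262, "mnc": 1, "lac": 9999, "cid": 10002, "lat": 52.5290, "lon": 13.3900},
        {"mcc": 262, "mnc": 1, "lac": 5001, "cid": 31337, "lat": 52.5200, "lon": 13.4050},
        {"mcc": 262, "mnc": 2, "lac": 7102, "cid": 20450, "lat": 48.1372, "lon": 11.5756},
    ]
    for obs in observations:
        print(obs["cid"], check_cell(db, obs) or "ok")
```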
Header pic is of one of those HP printers that famously bungled the introduction of lead free solder, with that model it’s not a matter of whether it’ll die, it’s when.
I made sure HP suffered for that one, got people to switch away from them.
Looks like a 1320, got one that was abused at my wife’s old company then we’ve been thrashing on it 10 years. Doesn’t get pampered, $25 for a 5000 copy clone toner, and away we go again for another few months.
I am a jerk at office stores sometimes, when the salesman asks if I need help, and I’ll say, not really, but maybe it’s time I got a new printer, and aren’t these modern ones much more efficient and economical, and he’ll walk right into it and say yes, and I’ll say great, show me what you got that does better than 1.5 cents a copy.
I really like my OKI 4c laser.
Cheap as sand, built like a mule, prints on almost anything thanks to a linear paper-path when opened on both ends.
And quality is crazy good – private printers sure have come a long way…
The OKI LED lasers are not real laser printers, but better in my opinion: resolution a little less, but very sharp print, and going strong ten years on, still printing 3000 copies on each 40$ cartridge.
I have one of those and the imaging board would regularly fail about every 18 months or so.
The solution that the world/internets found? Bake the board at 350° for eight minutes in a toaster oven with it up on foil standoffs for air circulation. Really.
After a couple of cycles of this – and a lot of amusement for my wife watching me bake the board in a toaster oven – light finally dawned over marblehead and it occurred to me that the problem was thermal stress. I popped the side cover over the board off for ventilation and it’s run for years without a problem.
I have one of those, rock solid. Still doesn’t stop me from banning HP products in my house.
Won’t the FCC be kinda mad about this?
One of the European GSM bands is in the US amateur band so as long as you have a license and stay under the legal limit of 1500 watts and transmit your call sign and you turn off all encryption (A5/0).
https://www.youtube.com/watch?v=xKihq1fClQg
Hm, could that put the users of the phones in a difficult legal position? At least they would be transmitting in a HAM band without possessing a license and without transmitting their callsign…
Not everyone lives in the US. Julian Oliver is based in Berlin.
I still have one of those printers. One of my most functional dumpster dive finds, surprised to hear that they were so failure prone since I actually pulled two out of the dumpster. And it’s the only HP hardware that I’ve run across that doesn’t require installing the manufacturer’s bloatware-ridden drivers just to print.. and it duplexes!!
Only decent piece of HP hardware I’ve ever owned though (aside from a decent waveform generator which actually happened to be just a rebranded Agilent generator).
You’ve got it backwards. Agilent is spun-off HP. HP used to make test equipment and components, then spun that division off to form Agilent which spun off the components to Avago, and later split off the electrical test equipment division to form Keysight.
Correct. The HP name followed the money. The HP of today has nearly zero connection to the original instrumentation company that many of us grew up with so much respect for. I LOVED HP! Now I wouldn’t use a piece of their junk for a doorstop!
Article about “cell tower” hidden in printer.
Commenters choose to discuss the performance of the stock printer picture in the header.
I love the HaD community.
Pictured*
What about the shade of charcoal on this page though? It seems particularly fetching, a kind of aged anthracite look. I’ve got a pair of cargos this very color. Oh, did I ever tell you about when I bought those, it was the funniest thing, there I was in Costco…
Exactly, you just can’t get quality digression anywhere else.
@RW: Why thank you! It’s 1A1A1A. Which reminds me of my favorite binary number: A5, or was it 5A? I can never get the polarity straight. Ummm, and speaking of polarity, let’s go ride bikes!
I’d love to send my students texts to not play with their phones in class, but the uproar over non-government phone hijacking (cf. Limor Fried/LadyAda and her “personal space” project: http://www.ladyada.net/pub/research.html ) puts it very much in the “Cute, but I wouldn’t try it” category.
To be fair, the header image *did* come from the linked article.
True, I’ll grant you that much.
Any cheaper alternatives for the SDR? Love to pull a joke with colleagues, but 400 USD is a bit steep O_o
Unfortunately that is going to be the best you can get for a bit. Even the LimeSDR that can do LTE and is still coming via CrowdSupply is about that much for a BTS setup. To Transmit is a bit more of a challenge than Receive.
Maybe someone can correct me. Checking the YateBTS site leads me to think that the BladeRF might be one of the few that works natively with it. http://yatebts.com/technology/software_defined_radio
Surely there’s scope for hacking one of the femto-cell products that are widely available – e.g. vodafone sure signal.
Ah – some of the work has already been done:
http://hackaday.com/2011/07/14/vodafone-femtocells-hacked-root-password-revealed/
I hate the use of “cell tower” when they mean “cell base station.” Hiding a tower in a printer would be quite the accomplishment – sort of a HP Tardis.
That’s a difficult one. There’s an argument to be made in lexicographer circles that the term has expanded its meaning through popular usage to include all base stations, but yes.
I would have probably called it a femtocell, but used “cell tower” here because that was the term used in the linked article.
Would be much cooler if it played Rick Astley instead of Stevie Wonder.
Archer did it better…
https://uproxx.files.wordpress.com/2015/02/archer-milton-making-toast.gif
https://youtu.be/AH-uy9W6wOA – Did you notice that if I took the name in the marquee display in that crazy robotic copier machine above, I could spell your screenname with it? Coincidence? Of course it is! (LOL)
I can envision a number of ways to deal with this dilemma:
1) Using a metallic wave-guide (i.e. coffee can?), triangulate the location of the suspicious cell phone tower. Taking two or more different (RF peaking from the bars display) bearings you can use simple trigonometry to locate the RF target on a Google map.
2) Go to this website http://opencellid.org/ to see what’s supposed to be there (worldwide). AntennaSearch appears to be experiencing DDoS as of today (3Nov16). I wonder who’s doing that… :-/
3) OpenCellId will give you Carrier Name, MCC, MNC, LAC, cell ID, and lat/long. However, using the site is a bit of a learning curve. You’ll have to play it by ear unless you can find the help file. You may be surprised to see your neighbor is running one LEGALLY! Like the Feb-1999 SIMPSONS episode “Make Room for Lisa”. :-)
4) Back in the good old days when SKYPE wasn’t owned secretly by u-know-who, you could make all of your down/low phone calls off of someone’s open unsecured wifi hotspot. A lot of people STILL don’t lock down their AP’s like realtors, private homes, etc. If you use a yagi or a cantenna you could stand off by several thousands of feet and not be spotted by the AP owner in your vehicle using his AP (legally BTW). However, VOIP uses a ton of bandwidth and is noticeable to the poor owner. There are OTHER VOIPs out there that are ostensibly not owned/controlled by the alphabet soup – YET. Good luck finding them.
5) If you want to test your VOIP voice security… use an old tradecraft technique called BLOWBACK. It’s just a disinformation trick to run something up the verbal flag pole and see who salutes… I don’t recommend doing this at all. It will only piss off the WRONG people! Maybe Julian Assange or Ed Snowden might try it and get away with it. But not you! :-D
BTW #4 is not viewed as legal by some local LEO in USA. They will invariably view your presence as suspicious and tantamount to trespassing. Some US states have ordinances and statutes against this and it is viewed as a form of computer crime. Fortunately this is not the case with US federal law. So never tell the LEO that you’re just war-driving. Better to say you’re working skip on your HAM or CB radio, sight-seeing, or lost your dog or something.
“The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them” – I know those people. They moved in next to the airport and are always complaining about the noise.
Hey! We have those people too! Bought a bunch of luxury houses beside the highway and now they want to lower the speed limit to keep noise pollution down.
Great system we have…
Yep, mine died. So lead free solder was the reason, thanks h4rm0n1c