Spoofing Cell Networks with a USB to VGA Adapter

RTL-SDR brought cheap and ubiquitous Software Defined Radio (SDR) to the masses, opening up whole swaths of the RF spectrum which were simply unavailable to the average hacker previously. Because the RTL-SDR supported devices were designed as TV tuners, they had no capability to transmit. For the price they are still an absolutely fantastic deal, and deserve to be in any modern hacker’s toolkit, but sometimes you want to reach out and touch someone.

GSM network broadcast from a VGA adapter

Now you can. At OsmoDevCon [Steve Markgraf] released osmo-fl2k, a tool which allows transmit-only SDR through cheap USB 3.0 to VGA adapters based on the Fresco Logic FL2000 chip. Available through the usual overseas suppliers for as little has $5 USD, these devices can be used unmodified to transmit low-power FM, DAB, DVB-T, GSM, UMTS and GPS signals.

In a demonstration on the project page, one of these USB VGA adapters is used to broadcast a GSM cellular network which is picked up by the adjacent cell phones. Another example shows how it can be used to broadcast FM radio. A GitHub repository has been set up which includes more examples. The signals transmitted from the FL2000 chip are obviously quite weak, but the next step will logically be the hardware modifications necessary to boost transmission to more useful levels.

To say this is a big deal is something of an understatement. For a few bucks, you’ll be able to get a device to spoof cellular networks and GPS signals. This was possible before, of course, but took SDR hardware that was generally outside the budget of the casual experimenter. If you bought a HackRF or an Ettus Research rig, you were probably responsible enough not to get into trouble with it, but that’s not necessarily the case anymore. As exciting as this technology is, we would be wise to approach it with caution. In an increasingly automated world, GPS spoofing can have some pretty bad results.

84 thoughts on “Spoofing Cell Networks with a USB to VGA Adapter

  1. As things like this become more widespread. Security of online transactions becomes impossible for the average user. Will people stop using online services and go back to face to face transactions – is the openess of the internet the very thing that will kill it?

    1. I’m not sure why you’d identify this as the mechanism that breaks transaction security.

      In non-doomed systems the authentication and encryption have treated the network connection as untrusted and potentially hostile for ages now; and any implementation that doesn’t is toast the minute it hits an open wifi hotspot.

      I suppose this makes grabbing SMS ‘two factor’ jokes slightly easier(at least for systems that will accept being downgraded to one of the old, vulnerable, cell standards, which is a bad idea though a common one); but those have always been bad practice and vulnerable via SS7 if not other means.

      People already ignore much more serious threats to the integrity of a transaction to buy stuff online, this seems unlikely to deter them.

        1. I don’t see this as THE mechanism to “break” the internet but another mechanism to further reduce trust. Are we happy to continually chase our tails or just accept that we are just pawns in some global game… what we have is not ours to keep

      1. You’re saying you could perhaps intercept someone’s SMSes with this? How so? Doesn’t the network only transmit an SMS from the cell tower the destination phone is logged on to? So you’d have to be in the same (nowadays quite small) physical area. And you’d need to spoof both the phone and the mast. Or would you log on to any old tower, impersonating the victim’s phone?

        Sounds hard. Unless I’ve not understood it fully, which is pretty likely, so please tell more if there is more.

        Anyway neat bit of hardware. If radio goes fully cognitive though, this probably won’t matter, EVERYONE will have full SDR. Cracks involving SDR might even hurry cognitive radio up a bit.

    2. I don’t think the world is ready to pack up and go home. but we are in for a world of new wireless exploit discoveries for systems that operate in this devices extensive freq range. good time for researchers and repair technicians to replace all this insecure shit.

    3. Honestly I could run secure transactions through unencrypted email if I wanted to. The physical layer network is not normally trustworthy, especially if it is wireless, and most reasonable protocols don’t make too many assumptions about a link that can’t be authenticated.

      Until the classic Alice and Bob model presented by R.S.A. the industry was generally ignorant about the importance and capabilities of cryptographic protocols and authentication. Avoiding the man-in-the-middle attack has been a think for about 40 years now. Even if we don’t always get it implemented right :-)

    1. “Anyone know of a dongle that has the correct chip in?”

      I’ve bet my “about five bucks” on this one -> https://www.ebay.co.uk/itm/USB-3-0-to-VGA-Multi-display-Adapter-Converter-External-Video-Graphic-Cards-ED/132205650482?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
      … based on nothing more than the description, price, and pictures.
      I could of course be wrong. If so, you will still have an extra head for your laptop, so don’t come back to me to complain.

      1. Some of both. Any implementation of VGA requires the pretty-impressive-for-the-money DACs; but ‘smarter’ implementations are more likely to include (normally helpful) features like framebuffers and automatic handling of vertical and horizontal blanking intervals that reduce your control over the output of the DACs. It will likely be as good or better for VGA, and with less effort on the software side(in this case, it looks like the fancy Displaylink stuff can handle markedly higher resolutions at equivalent bandwidth; and is actually somewhat useful on USB2, while the FL2000 just sneaks 1920×1080 in on USB3) ; but if you are trying to generate a signal that doesn’t have horizontal and vertical blanks dumber is better, since the hardware won’t even notice that you are blatantly violating the expectations of VGA in order to get what you want.

    1. From a quick read, this chipset is useful because it doesn’t have a local framebuffer, and streams direct from the host over USB (with associated problems…). It also allows VGA configs without H/V pulses, so can effectively spew a high speed raw datastream from host out the DACs.

      1. I always wondered if Pee DPI parallel Video interface allowed 0 length blanking period, it seemed perfect for pumping data out at high speed, but this, this is even better!
        8MB SPI chip on the pcb suggests FL2000DX to be programmable with a micro-controller inside :o Imagine what treasures lie there.
        Wonder if its possible to wiggle H/V sync IO at 150MHz too. There is also provision for one more digital IO with missing Q3 on the board.

        Universal triple >100 MS/s DAC at $5 is INSANE. Holy shit, $5 10MHz signal generators for everyone!

        Are there any more chips like this in the wild? FX2LP was pretty revolutionary in its day, started out in USB 2.0 HDD enclosures, Cameras, digital tuners, ended up enabling low cost logic analyzer revolution.
        I know of one more, quite old by now design from 2011, genesyslogic GL3220 used in multiple USB 3.0 multi card readers, capable of >100MB/s 8bit parallel transfers over its buildin UDMA7 CF interface. Available in $15 readers. Internally 8051.

        1. If I have understood correctly that SPI flash is for the drivers.
          So that you don’t need to ship a CD with the dongle.
          Still interesting, as is the VGA I2C interface.
          I do expect tons of interesting projects to rise from this.

          1. Yes, I found this out hour later while reading sources :(
            still 3x 8bit (at least in theory) >100MHz DACs!
            Cant wait for some tests with fast scope (jitter and actual number of bits).

    2. My guess is a delta sigma modulator. Because there is mention of the fundamental frequency, 3rd, 5th, 7th, 9th harmonics, this would suggest to me that it is high speed on/off switching which is in effect generating square waves and all their associated harmonics.

      1. At these speeds, that’s pretty unlikely. They probably just brute-forced it with 3 8-bit flash DACs.

        Any DAC will generate harmonics without a reconstruction filter, although they’re usually Nyquist aliases rather than harmonics of the generated frequency.

        1. I was thinking that as well until they explicitly mentioned 3rd, 5th and 7th harmonics. Well it will be easy enough to see with an actual device, create a carrier at 100MHz and check signal power at various frequencies. If the 3rd harmonic is ~9.5 dB down from the fundamental, the 5th harmonic is ~14dB down from the fundamental, the 7th is ~17dB down from the fundamental and the 9th is ~19dB down it would imply fast switching.

    1. “Anyone got a link to the datasheet? A custom PCB with SMA connectors and amplifiers in is my future”

      For initial prototyping, or if the datasheet is not available, you could of course treat the FL2000 dongle as a “module” remove the VGA and USB connectors and solder it piggy back style to your custom board.

        1. So you also want to control the sell of transistors, ferrite rods and magnet wire? This chip is not intended to broadcast. The reason the companys often keep the datasheet secret is first to avoid opening their know how (trade secrets) and often to avoid too much support calls from hobbyists.

    2. Honestly you could probably use the connector as-is. VGA signals are 75ohm and with a small matching pad you could easily break out the red+gnd signals to a 50ohm sma connector. That’s what I’m planning on doing anyway.

      1. Why not use the 75 ohm signals directly? All the digi TV coax is 75 ohm (lower losses and cheaper than 50 ohm coax here), dipoles are better matched to 75 ohms, BNCs are readily available for 75 ohms as well. In fact, most of my radio stuff is 75 ohms, because the power handling is not an issue for me.

        1. Of course you can do that, if it fits your equipment. Probably even the mismatch is acceptable, if you use your 50 Ohm equipment. The 15pin sub D connector is not impedance controlled anyway.

    1. Those have been reality for more than a decade.
      And this is just a transmitter without any return channel.
      I’m unsure if it is even possible to make a GSM basestation with one of these and rtl-sdr.
      That has not been possible even with two hackRF’s and those are built to be SDR transceivers.
      So the title is a bit clickbaity even if technically true.

      1. You can basically force the phone to use the lower frequencies with this one, you don’t need to be listening with this device. Most phones are happy to fall back to lower freq which you can more easily listen/talk on with a piece of different gear.

  2. Does anybody know, what the effective frequency range of this chip is?
    I’m thinking of using it simply as a frequency generator, maybe with some additional functions like wobbling, comb generation, etc.

    1. “Does anybody know, what the effective frequency range of this chip is?
      I’m thinking of using it simply as a frequency generator, maybe with some additional functions like wobbling, comb generation, etc.”

      “A typical 1920×1080@60 Hz requires 1920 * 1080 * 24bpp * 60 = 373,248,000 bytes/sec of traffic over the USB bus.”

      So we can be sure that the bandwidth is of that order of magnitude. i.e. 373.248MHz however since you can spoof cell phones, it must be greater than that, or at lest there is some clever trickery going on that makes it appear to be greater than that.

      For more info, you will need to read the article linked above.

  3. btw : last year STM produced an STB with 2 WAYS communication with a satellite : i.e. satellite sends (ip ?) packets to the transponder on the actual satellite; they used the usual digital to analog converter and added an RF amplification stage instead of the RGB interface, kind of similar to what has been done here

  4. So looks like it is finally time where we can brew up a nice all in one poor ham full SDR; a preamp to an RTL and linear output from the FL with some good bandpass filtering.
    We can start by prototyping it at low power with our Linux laptops but should quickly move to a cool does everything big handheld run by a capable ARM SCB with USB-3.0.
    Imagine bringing well beyond the capabilities of those schmancy >$20K unobtanium Harris military radios into our hands for under $100!
    Probably want some FPGAs to get fast encoding/decoding, change FPGA modes on the fly to change modes because we can with that tech.

  5. It’s really going to cost you a good bit more than $5, because you need a fast enough computer to do the job (plus it needs USB-C, though that’s becoming available on cheap laptops by now. My work laptop doesn’t have USB-C yet or I’d have to get one of these.)

  6. What is the point of this if you can only intercept outgoing calls/texts there is no way to intercept incoming calls/texts so this is pretty much useless because even if your target is making a call it won’t connect him to the people he is calling.
    This is just for show.

  7. This is kind of exciting but… I wonder how practical it is.
    Is it likely that one could build a diy filter to bring the harmonics and other spurious signals down low enough to be legal? Could it be done for little enough money and effort that it is worth it over just getting a purpose-made SDR chip?

    I don’t know about part15 or other services but here in the US for the ham bands that means that all spurious signals must be 43db down from the desired one if the desired signal is below 30MHz. From 30MHz up to 225MHz its 60 db and above that it’s 40db. If I remember right, I might be just a little off.

    1. It should not be too difficult to design some “band select” filters to bring down the unwanted harmonics. Frequency multiplication was done long before the invention of PLL synthesizers by generation of harmonics (often 2nd or 3rd) and filtering.
      I once built an oscillator for something like 2,3GHz with several multiplication stages, even the crystal was running at the 5th or 7th overtone because the fundamental of a crystal is hardly possible above 30MHz. But tuning this device was very difficult. There were transistor stages between the tuned circuits, or better: the LC circuits were part of the amplifiers to make them resonant. And anything interacted with anything due to parasitic capacitances of the transistors.

  8. From a quick read of the project, I’m thinking it could even be matched up with 3 different matching networks to filter the signal to a specific set of bands, with one on the Red, one on the Green, and one on the Blue. All being bands of choice, then have the signal amplified. I’m wondering if there could even be a little control signal put out on any of pins 12-13 to enable even more possibilities with a small microcontroller… I see there’s already a +5V signal that could be purposed as an enable line for other logic, so there isn’t noise activating an amplified circuit when the computer isn’t connected.

  9. Can somebody explain to me what will be the use of this one since it is transmit only? Are there any projects that this can be used? I’m interested in this stuff but I’m a beginner. Regards

    1. Some limited uses are transmit only, but it could easily be paired with one of the RX only SDR projects for a full (or half) duplex solution. Basically like the old days. Originally, there were no transceivers, just discreet transmitters and receivers. To switch back and forth, you’d literally switch the antenna between the two, and bring up the power on the transmitter when you want to transmit.

    2. There’s plenty of one-way protocols of interest. GPS spoofing is arguably the biggest one, probably some interesting applications of DVB-T as well. But ideally this would be paired with an RTL-SDR device to get two way SDR for easily a 10th of what the HackRF costs (and that was already very cheap compared to what was already on the market).

      Is usability and performance going to be amazing? Probably not. But at those kind of prices, people will put up with some fiddling.

  10. Instead of using it to fool the phones of others, it could be used to keep one’s one phone (including the one in the car (e.g. OnSt*r) ) or a hidden tracking device, from sending out updates on your position.

    “Just because you’re paranoid, doesn’t mean someone isn’t out to get you!”

  11. Anyone knows how the following parameter translated to 95MHz FM?

    fl2k_fm – -s 130e6 -c 35e6 -i 44100

    When I try different sample rate, the main output frequency is different and is not 95MHz any more.

        1. yes, and I think on top of that you get reflected signal at 165MHz + at all the harmonics, so 390, 640, 910 etc…

          Steve Markgraf gave a talk with slightly more detail, a slide at 18:30 covers this

  12. Carl at RTL-SDR Blog told me they are solving filtering and some other problems to bring us nice cheap RTL-FL2k transceiver. That’d be great because it gives another boost to ham community around the globe.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s