5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.

When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version was developed, based on asymmetric encryption and a challenge-response protocol that uses sequence numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.

The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.
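An added illustration (not from the article or the paper it reports on) of why repeating a challenge leaks the SQN: the mask that hides the SQN in the phone’s resynchronisation reply is derived only from the subscriber key and the challenge RAND, so a replayed RAND reuses the mask and XORing two replies cancels it, with the subscriber key never entering the result. The HMAC stand-in for f5*, the key, RAND and SQN values, and the 16-bit “reasonable number” threshold are constructed assumptions.

```python
import hashlib
import hmac

SQN_BITS = 48  # AKA sequence numbers are 48-bit counters (3GPP TS 33.102)
SQN_MASK = (1 << SQN_BITS) - 1


def anonymity_key(k: bytes, rand: bytes) -> int:
    """Stand-in for f5*(K, RAND). Assumption: HMAC-SHA256 truncated to 48 bits models
    the real MILENAGE function; what matters is that the mask depends on nothing but K
    and RAND, so a replayed RAND reproduces the same mask."""
    return int.from_bytes(hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6], "big")


def resync_token(k: bytes, rand: bytes, sqn: int) -> int:
    """The SQN xor AK* field a phone returns when it rejects a stale challenge (AUTS)."""
    return (sqn & SQN_MASK) ^ anonymity_key(k, rand)


def leaked_xor(token_a: int, token_b: int) -> int:
    """XOR of two tokens produced for the same RAND: the mask cancels, leaving
    SQN_a xor SQN_b. K never enters the result, so the observer needs no secret."""
    return token_a ^ token_b


def likely_same_phone(leaked: int, max_delta_bits: int = 16) -> bool:
    """The article's heuristic: a counter that advanced by a 'reasonable number' differs
    from its earlier value only in low bits; two unrelated 48-bit counters differ everywhere."""
    return leaked < (1 << max_delta_bits)


def demo() -> dict:
    # Constructed values: a fixed subscriber key and one challenge RAND that gets replayed.
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    rand = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    sqn_first = 0x0000_1234_5600           # counter when the phone is first seen
    sqn_later = sqn_first + 37             # 37 authentications later, same phone
    t_first = resync_token(k, rand, sqn_first)
    t_later = resync_token(k, rand, sqn_later)       # same RAND replayed: same mask
    t_fresh = resync_token(k, bytes(16), sqn_later)  # different RAND: different mask
    leaked = leaked_xor(t_first, t_later)
    return {
        "leaked_xor": leaked,                        # 37: low byte was 0x00, so no carry
        "same_phone": likely_same_phone(leaked),
        "fresh_rand_leaks": likely_same_phone(leaked_xor(t_first, t_fresh)),
    }
```

Only the replayed-RAND pair yields a small, key-independent XOR; with a fresh RAND the two masks differ and the XOR is indistinguishable from noise, which is why a mask tied solely to a replayable RAND is the weak point.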

A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.

Via [The Register]

Header image: MOs810 [CC BY-SA 4.0].

Meat Smoker From 55gal Drums

[Joel] wanted to use his newly acquired welding skills to make something useful. With tasty flesh in mind he put together this meat smoker. What resulted is incredible, but the fact that he then gave it away as a gift is just amazing.

A curved joint between two pipes is known as a ‘fish mouth’. They can be a hassle, as with the pirate wheel project, but [Joel] used his noggin to make things easier. He first modeled two 55 gallon drums in CAD. The intersecting curve was then generated by the software, printed out on paper, and stenciled on the drum to be cut out with a jigsaw.

[Joel’s] writeup is greatly detailed and shares many pictures. He makes every part of this smoker, including the wood handles and the stainless steel grates. The guy really knows how to build stuff, but we should have known that after seeing the Crushtoberfest.

Wireshark screenshot with QCSuper-produced packets streaming into it; QCSuper script running in an adjacent terminal

Turn Your Qualcomm Phone Or Modem Into Cellular Sniffer

If you thought repurposing DVB-T dongles for generic software defined radio (SDR) use was cool, wait until you see QCSuper, a project that re-purposes phones and modems to capture raw 2G/3G/4G/5G packets. You have to have a Qualcomm-based device, and it has to either run rooted Android or be a USB modem, but once you find one in your drawers, you can get a steady stream of packets straight into your Wireshark window. No more expensive SDR requirement for getting into cellular sniffing – at least, not unless you are debugging some seriously low-level issues.

It appears there’s a Qualcomm-specific diagnostic port you can access over USB, which this software makes use of. The 5G capture support is currently situational, but 2G/3G/4G capabilities seem to be pretty stable. And there’s a good few devices in the “successfully tested” list – given the way this software functions, chances are, your device will work! Remember to report whether it does or doesn’t, of course. Also, the project is seriously rich in instructions – whether you’re using Linux or Windows, it appears you won’t be left alone debugging any problems you might encounter.

This is a receive-only project, so, legally, you are most likely allowed to have fun — at least, it would be pretty complicated to detect that you are, unlike with transmit-capable setups. Qualcomm devices have pretty much permeated our lives, with Qualcomm chips nowadays used even in the ever-present SimCom modules, like the modems used in the PinePhone. Wondering what a sniffer could be useful for? Well, for one, if you ever need to debug a 4G base station you’ve just set up, completely legally, of course.

Getting Started With Radio Astronomy

There are many facets to being a radio hobbyist, but if you’ve ever had the urge to dabble in radio astronomy, check out “The Novice’s Guide to Amateur Radio Astronomy,” a presentation at the 2024 conference of the Society of Amateur Radio Astronomers. In that presentation (see the video below), [Nathan Butts] covers everything from why you should take up the hobby, how to set up a software defined radio (SDR) receiver, and how to repurpose old computers. This is just one of a series of videos recently posted from the conference — check out their channel to see them all.

Unlike optical astronomy, you can listen to the universe by radio during the day or night, rain or shine. You don’t need a dark sky, although these days, a quiet radio location might be hard to find. [Nathan] also points out that some people just want to crunch data collected by others, and that’s fun, too. There are many ways to get involved from designing hardware, writing software, or — of course — just listening.

It has never been easier to get involved. Cheap software-defined radios are perfect for this sort of work, and we all have massive computers and scores of small data-collection computers. Maybe you’ll be the next person to hear a Wow signal. If you are worried about fielding an antenna, many people repurpose satellite dishes.

Continue reading “Getting Started With Radio Astronomy”

Linux Fu: Stupid Systemd Tricks

Last time, I gave a whirlwind introduction to a very small slice of systemd. If you aren’t comfortable with systemd services, timers, and mounts, you might want to read that now. Otherwise, press on to see a few interesting uses for custom systemd units, including running a few things on a schedule and automatically mounting a Raspberry Pi Zero.

Can you do every one of these things in a different way? Of course you can. I’m not debating the relative merits of using or not using systemd. However, unless you totally control your own environment, there’s a good chance you are going to have to interact with systemd at some point.

Stupid Trick #1: Update Your IP Address

A few years ago, I talked about updating your remote DNS server with your public IP address. This lets you refer to a hostname like snoopy.hackaday.com and get back to your computer that often changes IP addresses. Sure, you can get services to do that for you, but you must either pay or agree to read ads on their site to keep your hostname going. This is all under your control. In the original post, I suggested using cron or NetworkManager to run the update script. I also hinted you could do it with systemd, but I didn’t tell you how. Let’s fix that.

Continue reading “Linux Fu: Stupid Systemd Tricks”

Emails Over Radio

The modern cellular network is a marvel of technological advancement that we often take for granted now. With 5G service it’s easy to do plenty of things on-the-go that would have been difficult or impossible even with a broadband connection to a home computer two decades ago. But it’s still reliant on being close to cell towers, which isn’t true for all locations. If you’re traveling off-grid and want to communicate with others, this guide to using Winlink can help you send emails using a ham radio.

While there are a number of ways to access the Winlink email service, this guide looks at a compact, low-power setup using a simple VHF/UHF handheld FM radio with a small sound card called a Digirig. The Digirig acts as a modem for the radio, allowing it to listen to digital signals and pass them to the computer to decode. It can also activate the transmitter on the radio and send the data from the computer out over the airwaves. When an email is posted to the Winlink outbox, the software will automatically send it out to any stations in the area set up as a gateway to the email service.

Like the cellular network, this setup does rely on having an infrastructure of receiving stations that can send the emails out to the Winlink service on the Internet; since VHF and UHF are much more limited in range than HF, this specific setup could be a bit limiting unless there are other ham radio operators within a few miles. This guide also uses VARA, a proprietary protocol, whereas the HF bands have an open source protocol called ARDOP that can be used instead. This isn’t the only thing these Digirig modules can be used for on VHF/UHF, though. They can also be used for other digital modes like JS8Call, FT8, and APRS.

Continue reading “Emails Over Radio”

Three ZigBee radios in ESD bags, marked "Zigbee Sniffer", "Router" and "Coordinator".

Crash IoT Devices Through Protocol Fuzzing

IoT protocols are a relatively unexplored field compared to most PC-exposed protocols – it’s bothersome to need a whole radio setup before you can tinker on something, and often, for low-level experiments, just any radio won’t do. This means there’s quite a bit of security ground to cover. Now, the U-Fuzz toolkit from [asset-group] helps us make up for it.

Unlike fuzzers you might imagine, U-Fuzz doesn’t go in blindly. This toolkit has provisions to parse protocols and fuzz fields meaningfully, which helps because many devices will discard packets they deem too malformed. With U-Fuzz, you feed it a couple of packet captures, help it draw some conclusions about packet and protocol structure, and get suggestions on how to crash your devices in ways not yet foreseen.

This allows for basically arbitrary protocol fuzzing, and to demonstrate, we get examples on 5G, CoAP and ZigBee probing alike, with a list of found CVEs to wrap the README up. As Wikipedia often states, this list is incomplete, and you can help by expanding it. Fuzzing is an underestimated tool – it will help you hack ubiquitous wireless protocols, proprietary standards, and smart home hubs alike.