Cellphone Hacks

539 Articles

Warshipping: A Free Raspberry Pi In The Mail Is Not Always A Welcome Gift

August 19, 2019 by 39 Comments

Leading edge computer security is veiled in secrecy — a world where novel attacks are sprung on those who do not yet know what they need to protect against. Once certain tactics have played out within cool kids’ circles, they are introduced to the rest of the world. An IBM red team presented what they’re calling “warshipping”: sending an adversarial network to you in a box.

Companies concerned about security have learned to protect their internet-accessible points of entry. Patrolling guards know to look for potential wardrivers parked near or repeatedly circling the grounds. But some are comparatively lax about their shipping & receiving, and they are the ideal targets for warshipping.

Bypassing internet firewalls and security perimeters, attack hardware is embedded inside a shipping box and delivered by any of the common carriers. Security guards may hassle a van bristling with antennas, but they’ll wave a FedEx truck right through! The hardware can be programmed to stay dormant through screening, waiting to probe once inside the walls.

The presentation described several ways to implement such an attack. There is nothing novel about the raw hardware – Raspberry Pi, GPS receiver, cellular modems, and such are standard fare for various projects on these pages. The creative part is the software and in how they are hidden: in packing material and in innocuous looking plush toys. Or for persistence, they can be hidden in a wall mounted plaque alongside some discreet photovoltaic panels. (Editor’s note: What? No Great Seals?)

With this particular technique out in the open, we’re sure others are already in use and will be disclosed some years down the line. In the meantime, we can focus our efforts on more benign applications of similar technology, whether it is spying on our cat or finding the nearest fast food joint. The hardware is evolving as well: a Raspberry Pi actually seems rather heavyweight for this, how about a compact PCB with both an ESP32 and a cellular modem?

Via Ars Technica.

5G Power Usage Is Making Phones Overheat In Warm Weather

July 21, 2019 by 52 Comments

As reported by ExtremeTech, the brand new 5G network is running into a major snag with mobile devices as Qualcomm 5G modems literally cannot handle the heat. After just a few minutes of use they’re going into thermal shutdown and falling back to measly 4G data rates. Reports by both PCMag and the Wall Street Journal (paywall) suggest that 5G-enabled phones consistently see problems when used in environments where temperatures hit or exceed 29.5 °C (85.1 °F).

The apparent cause is the increased power draw required by current 5G modems which make heavy use of beam forming and other advanced technologies to increase reception and perform processing on the received data. Unlike 4G and older technologies, 5G needs to have multiple antennas (three or more) to keep a signal, especially when you grab your shiny new smartphone with your millimeter-wave blocking hands.

The spin-off from all of this seems to be that perhaps 5G technology isn’t ready for prime-time, or that perhaps our phones need to have bigger batteries and liquid cooling to keep the 5G modem in it happy. Anyone up for modding a liquid cooling loop and (tiny) radiator into their phone?

Impersonate The President With Consumer-Grade SDR

June 26, 2019 by 43 Comments

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Add Scroll Wheels And Buttons To Smartphones With 3D-Printed Widgets Read By Accelerometer

June 17, 2019 by 22 Comments

The first LED digital wristwatches hit the market in the 1970s. They required a button push to turn the display on, prompting one comedian to quip that giving one to a one-armed man would be in poor taste. While the UIs of watches and other wearables have improved since then, smartphones still present some usability challenges. Some of the touch screen gestures needed to operate a phone, like pinching, are nigh impossible when one-handing the phone, and woe unto those with stubby thumbs when trying to take a selfie.

You’d think that the fleet of sensors and the raw computing power on board would afford better ways to control phones. And you’d be right, if the modular mechanical input widgets described in a paper from Columbia University catch on. Dubbed “Vidgets” by [Chang Xiao] et al, the haptic devices are designed to create characteristic acceleration profiles on a phone’s inertial measurement unit (IMU) when actuated. Vidgets take various forms, from push buttons to scroll wheels, each of a similar size and shape and designed to dock into one of eight positions on the back of a 3D-printed phone case. Once trained, the algorithm watches for the acceleration signature caused by actuating a Vidget, and sends commands to the phone to mimic the corresponding gestures. The video below demonstrates a couple of use cases, of which the virtual saxophone is our favorite.

This is really clever stuff, and ventures deep into “Why didn’t I think of that?” territory. Need to get ahead of the curve on IMUs to capitalize on what they can do? You could start with [Al Williams]’ primer on micro-electromechanical systems, or MEMS.

Continue reading “Add Scroll Wheels And Buttons To Smartphones With 3D-Printed Widgets Read By Accelerometer”

This Vintage Phone Goes Cellular

February 5, 2019 by 8 Comments

Way back in the good old days, life ran at a slower pace. It took us almost a decade to get to the moon, and dialling the phone was a lazy affair which required the user to wait for the rotary mechanism to rewind after selecting each digit. Eager to bring a taste of retro telephony into the modern era, [Marek] retrofitted this vintage Polish telephone with a GSM upgrade.

The phone [Marek] salvaged had already been largely gutted, so there was little to lose in the transformation. A Motorola D15 GSM module was sourced from an alarm system to provide a network connection to the project. An Atmega328 was then used to translate the rotary dial mechanics into something more usable by the cellular module.

Attention to detail can really make a project shine, and [Marek] didn’t skimp in this area. The original ringer was rewound to operate with a half H-bridge at a lower voltage more suitable to the modern electronics inside. The microcontroller also helped out by using its PWM hardware to simulate a dialtone and the characteristic sound of pulse dialling.

It’s always nice to see retro hardware given a new lease on life. Unfortunately, GSM networks aren’t long for this world, so a further update may be required before long. These old phones have plenty of potential, as we’ve seen before.

A Very Different ‘Hot Or Not’ Application For Your Phone

February 3, 2019 by 27 Comments

Radioactivity stirs up a lot of anxiety, partially because ionizing radiation is undetectable by any of the senses we were born with. Anytime radiation makes the news, there is a surge of people worried about their exposure levels and a lack of quick and accurate answers. Doctors are flooded with calls, detection devices become scarce, and fraudsters swoop in to make a quick buck. Recognizing the need for a better way, researchers are devising methods to measure cumulative exposure experienced by commodity surface mount resistors.

Cumulative exposure is typically tracked by wearing a dosimeter a.k.a. “radiation badge”. It is standard operating procedure for people working with nuclear material to wear them. But in the aftermath of what researchers euphemistically call “a nuclear event” there will be an urgent need to determine exposure for a large number of people who were not wearing dosimeters. Fortunately, many people today do wear personal electronics full of components made with high purity ingredients to tightly controlled tolerances. The resistor is the simplest and most common part, and we can hack a dosimeter with them.

Lab experiments established that SMD resistors will reveal their history of radiation exposure under high heat. Not to the accuracy of established dosimetry techniques, but more than good enough to differentiate people who need immediate medical attention from those who need to be monitored and, hopefully, reassure people in neither of those categories. Today’s technique is a destructive test as it requires removing resistors from the device and heating them well above their maximum temperature, but research is still ongoing in this field of knowledge we hope we’ll never need.

If you prefer to read about SMD resistor hacks with less doomsday, we recently covered their use as a 3D printer’s Z-axis touch sensor. Those who want to stay on the topic can review detection hacks like using a single diode as a Geiger counter and the IoT dosimeter submitted for the 2017 Hackaday Prize. Or we can choose to focus on the bright side of radioactivity with the good things made possible by controlled artificial radioactivity, pioneered by Irène Joliot-Curie.

[via Science News]

A Nexus 5 Smartphone Running PostmarketOS

PostmarketOS Turns 600 Days Old

January 17, 2019 by 18 Comments

PostmarketOS began work on a real Linux distribution for Android phones just over 600 days ago. They recently blogged about the state of the project and ensured us that the project is definitely not dead.

PostmarketOS’ overarching goal remains a 10 year life-cycle for smartphones. We previously covered the project on Hackaday to give an introduction. Today, we’ll concern ourselves with the progress the PostmarketOS team has made.

The team admits that they’re stuck in the proof-of-concept phase, and need to break out of it. This has required foundational changes to the operating system to enable development across a wide variety of devices and processor architectures. There’s now a binary package repository powered by builds.sr.ht which will allow users to install packages for their specific device.

Other updates include fixing support for the Nexus 5 and Raspberry Pi Zero, creating support for open source hardware devices including the Pine A64-LTS and Purism Librem 5. PostmarketOS now boots on a total of 112 different devices.

We’re excited to see the PostmarketOS project making progress. With the widespread move to mobile devices, users lose control over their computing devices. PostmarketOS gives us the ability to run code that we can read and modify on these devices. It’s no small feat though. Supporting the wide variety of custom hardware in mobile devices requires a lot of effort.

While it may be a while before PostmarketOS is your daily driver, the project is well suited to building task-specific devices that require connectivity, a touch screen, and a battery. We bet a lot of Hackaday readers have a junk drawer phone that could become a project with the help of PostmarketOS.