5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.

When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version was introduced, based on asymmetric encryption and a challenge-response protocol that uses sequence numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.

The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.

A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.

Creating a 3G Raspberry Pi Smartphone

It’s hard to believe, but the Raspberry Pi has now been around long enough that some of the earliest Pi projects could nearly be considered bona fide vintage hacks at this point. A perfect example is the crop of DIY Raspberry Pi smartphone projects that sprung up a few years back. Few of them were terribly practical to begin with, but even if you ignore the performance issues and bulkiness, the bigger problem is they relied on software and cellular hardware that simply isn’t going to cut it today.

Which was exactly the problem [Dylan Radcliffe] ran into when he wanted to create his own Pi smartphone. There was prior art to use as a guide, but the ones he found were limited to 2G cellular networks which no longer exist in his corner of the globe. He’s now taken on the quest to develop his own 3G-capable Pi smartphone, and his early results are looking very promising.

Inside the phone, which he calls the rCrumbl, [Dylan] has crammed a considerable amount of hardware. A Raspberry Pi 3B+ with attached Adafruit touchscreen LCD is the star of the show, but there’s also a Pi camera module, battery charging circuit, and Adafruit FONA 3G modem (which also provides GPS). Powering the device is a 2500 mAh 3.7V battery, which reportedly delivers a respectable 8 to 12 hour runtime.

The case is 3D printed, and [Dylan] says it took a long time to nail down a design that would fit all of his hardware, keep things from shifting around, and still be reasonably slim. Obviously DIY phones like this are never going to be as slim as even the chunkiest of modern smartphones, but the rCrumbl looks fairly reasonable for a portable device. We especially like the row of physical buttons he’s included along the bottom of the screen, which should help with the device’s usability.

Speaking of usability, that’s where [Dylan] still has his work cut out for him. The existing software he’s found won’t work on 3G, so he’s going to have to come up with his own software stack to provide a proper phone interface. As it stands he’s made a call on the rCrumbl using command line tools, but while that might score you some extra geek points at the next hacker meetup, it’s not exactly going to fly for daily use. He mentions he would love to talk to any developers out there that would like to team up on the software side of the project.

We’ve covered one of the 2G Pi smartphones in the past, and of course the ZeroPhone is a very interesting project if you don’t mind the “dumb phone” interface. But if you’re looking for something that’s fairly close to commercial devices in terms of usability, you might just want to roll your own Android phone.

Unlock & Talk: Open Source Bootloader & Modem

While in the early years of cell phones lifespan was mainly limited by hardware (buttons wearing out, dropped phones, or water damage), software is a primary reason that phones are replaced today. Upgrades are often prompted by dissatisfaction with a slow phone, or by manufacturers simply stopping updates to phone software after a few years at best. [Oliver Smith] and the postmarketOS project are working to fix the update problem, and have begun making progress on loading custom software onto cellphone processors and controlling their cellular modems.

Old Modem, New Internet.

Do you remember the screeching of a dial-up modem as it connected to the internet? Do you miss it? Probably not, but [Erick Truter] — inspired by a forum post and a few suggestions later — turned a classic modem into a 3G Wi-Fi hotspot with the ubiquitous Raspberry Pi Zero.

Sourcing an old USRobotics USB modem — allegedly in ‘working’ condition — he proceeded to strip the modem board of many of its components to make room for the new electronic guts. [Truter] found that for him the Raspberry Pi Zero W struggled to maintain a reliable network, and so went with a standard Pi Zero and a USB Wi-Fi dongle. He also dismantled a USB hub to compensate for the Zero’s single port. Now, to rebuild the modem — better, faster, and for the 21st century.


Review: New 3G and Cat-M1 Cellular Hardware from Hologram

In July we reported on the launch of the Hologram developer program that offered a free SIM card and a small amount of monthly cellular data for those who wanted to build connectivity into their prototypes. Today, Hologram has launched some new hardware to go along with that program.

Nova is a cellular modem in a USB thumb drive form factor. It ships in a little box with a PCB that hosts the u-blox cellular module, two different antennas, a plastic enclosure, and a SIM card. The product is aimed at those building connected devices around single-board computers, making it easy to plug Nova in and get connected quickly.

This device that Hologram sent me is a 3G modem. They have something like 1,000 of them available to ship starting today, but what I find really exciting is that there is another flavor of Nova that looks the same but hosts a Cat-M1 version of the u-blox module. This is a Low Power Wide Area Network technology built on the LTE network. We’ve seen 2G and 3G modems available for some time now, but if you go that route you’re building a product around a network which has an end-of-life concern.

Cat-M1 will be around for much longer and it is designed to be low power and utilizes a narrower bandwidth for less radio-on time. I asked Hologram for some power comparison estimates between the two technologies:

AVERAGE current consumption comparisons:

Cat-M1: as low as 100 mA while transmitting and never more than 190 mA
Equivalent 3G: as high as 680 mA while transmitting

PEAK current consumption comparisons (these are typically filtered through capacitors so the power supply doesn’t ever witness these values, and they are only momentary):

Cat-M1: Less than 490 mA
Equivalent 3G: As high as 1550 mA

This is an exciting development because we haven’t yet seen LTE radios available for devices — of course there are hotspots but those are certainly not optimized for low power or inclusion in a product. But if you know your ESP8266 WiFi specs you know that those figures above put Cat-M1 on a similar power budget and in the realm of battery-operated devices.

The Cat-M1 Nova can be ordered beginning today, should ship in limited quantities within weeks, with wider availability by the end of the year. If you can’t get one in the first wave, the 3G Nova is a direct stand-in from the software side of things.

I suspect we’ll see a lot of interest in Cat-M1 technology moving forward simply because the technology promises lower power and longer support. (I’m trying to avoid using the term IoT… oops, there it is.) For today, let’s take a look at the 3G version of the new hardware and the service that supports it.


Hologram.io Offers Developers Free Cell Data

If you’ve been thinking of adding cellular connectivity to a build, here’s a way to try out a new service for free. Hologram.io has just announced a Developer Plan that will give you 1 megabyte of cellular data per month. The company also offers hardware to use with the SIM, but they bill themselves as hardware agnostic. Hologram is about providing a SIM card and the API necessary to use it with the hardware of your choice: any 2G, 3G, 4G, or LTE devices will work with the service.

At 1 MB/month it’s obvious that this is aimed at the burgeoning ranks of Internet of Things developers. If you’re sipping data from a sensor and phoning it home, this will connect you in 200 countries over about 600 networks. We tried to nail them down on exactly which networks but they didn’t take the bait. Apparently any major network in the US should be available through the plan. And they’ve assured us that since this program is aimed at developers, they’re more than happy to field your questions as to which areas you will have service for your specific application.

The catch? The first taste is always free. For additional SIM cards, you’ll have to pay their normal rates. But it’s hard to argue with one free megabyte of cell data every month.

Hologram originally started with a successful Kickstarter campaign under the name Konekt Dash but has since been rebranded while sticking to their cellular-connectivity mission. We always like getting free stuff — like the developer program announced today — but it’s also interesting to see that Hologram is keeping up with the times and has LTE networks available in their service, for which you’ll need an LTE radio of course.

Detecting Mobile Phone Transmissions With a Sound Card

Anyone who had a cheap set of computer speakers in the early 2000s has heard it – the rhythmic dit-da-dit-dit of a GSM phone pinging a cell tower once an hour or so. [153armstrong] has a write-up on how to capture this on your computer.

It’s incredibly simple to do – simply plug a set of headphones into the sound card’s microphone jack, leave a mobile phone nearby, hit record, and wait. The headphone wire acts as an antenna, and when the phone transmits, it induces a current in the wire, which is picked up by the sound card.

[153armstrong] notes that their setup only seems to pick up signals from 2G phones, likely using GSM. It doesn’t seem to pick up anything from 3G or 4G phones. We’d wager this is due to the difference in the way different cellular technologies transmit – let us know what you think in the comments.

This system is useful as a way to detect a transmitting phone at close range, however due to the limited bandwidth of a computer soundcard, it is in no way capable of actually decoding the transmissions. As far as other experiments go, why not use your soundcard to detect lightning?
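Once the recording exists, the practical question is how to spot the transmission automatically rather than by ear. The following is an added example, not code from [153armstrong]’s write-up: it constructs a short sound-card style recording (noise floor plus one burst of the 217 Hz buzz that the GSM TDMA frame rate produces, a value assumed here from the GSM specification rather than from the post) and runs a windowed RMS energy detector over it to report when the phone was transmitting.

```python
import math
import random

SAMPLE_RATE = 8000        # Hz; a low sound-card rate is plenty for an envelope detector
GSM_FRAME_RATE = 217.0    # Hz; GSM TDMA frame rate, the source of the audible buzz (assumed, from the GSM spec)


def make_recording(seconds=3.0, burst_start=1.0, burst_len=0.5, seed=1):
    """Constructed sample: a weak noise floor with one 217 Hz buzz burst, like a phone pinging a tower."""
    rng = random.Random(seed)
    samples = []
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        v = rng.gauss(0.0, 0.01)                       # noise induced in the headphone wire
        if burst_start <= t < burst_start + burst_len:
            # square-ish buzz: the TDMA bursts switch the transmitter on and off at the frame rate
            v += 0.2 * math.copysign(1.0, math.sin(2 * math.pi * GSM_FRAME_RATE * t))
        samples.append(v)
    return samples


def rms(block):
    return math.sqrt(sum(x * x for x in block) / len(block))


def detect_bursts(samples, window_ms=20, threshold_ratio=6.0):
    """Return (start_s, end_s) spans whose RMS level exceeds threshold_ratio times the quietest window."""
    win = int(SAMPLE_RATE * window_ms / 1000)
    levels = [rms(samples[i:i + win]) for i in range(0, len(samples) - win + 1, win)]
    floor = min(levels) or 1e-9       # noise floor estimated from the quietest window in the recording
    bursts, start = [], None
    for i, lvl in enumerate(levels):
        loud = lvl > threshold_ratio * floor
        if loud and start is None:
            start = i                 # transmission begins
        elif not loud and start is not None:
            bursts.append((start * win / SAMPLE_RATE, i * win / SAMPLE_RATE))
            start = None
    if start is not None:             # burst still in progress at end of recording
        bursts.append((start * win / SAMPLE_RATE, len(levels) * win / SAMPLE_RATE))
    return bursts


if __name__ == "__main__":
    for begin, end in detect_bursts(make_recording()):
        print(f"transmission detected from {begin:.2f}s to {end:.2f}s")
```

The same detector can be pointed at a real WAV capture by feeding it the decoded sample values; the relative threshold means it adapts to whatever noise floor your particular sound card and headphone wire produce.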