5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.

When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version based on a asymmetric encryption and a challenge-reponse protocol that uses sequential numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.

The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.

A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.

Via [The Register]

Header image: MOs810 [CC BY-SA 4.0].

Hackaday Links: March 18, 2018

Oh, boy. You know what’s happening next weekend? The Midwest RepRap Festival. The greatest 3D printing festival on the planet is going down next Friday afternoon until Sunday afternoon in beautiful Goshen, Indiana. Why should you go? Check this one out. To recap from last year, E3D released a new extruder, open source filaments will be a thing, true color filament printing in CMYKW is awesome, and we got the world’s first look at the infinite build volume printer. This year, The Part Daddy, a 20-foot-tall delta bot will be there once again. It’s awesome and you should come.

We launched the 2018 Hackaday Prize this week. Why should you care? Because we’re giving away $200,000 in prizes. There are five challenges: the Open Hardware Design Challenge, Robotics Module, Power Harvesting, Human-Computer Interface, and Musical Instrument Challenge. That last one is something I’m especially interested in for one very specific reason. This is a guitorgan.

Building a computer soon? Buy your SSD now. Someone fell asleep on the e-stop at a Samsung fab, and now 3.5% of global NAND production for March has been lost.

Need to put an Arduino in the cloud? Here’s a shield for that. It’s a shield for SIMCom’s SIM7000-series module, providing LTE for a microcontroller. Why would you ever need this? Because 2G is dead, for various values of ‘dead’. 3G is eventually going to go the same way.

A bridge collapsed in Florida this week. A pedestrian walkway at Florida International University collapsed this week, killing several. The engineering efforts are still underway to determine the cause of the accident, but some guy from Canukistan posted a pair of informative videos discussing I-beams and pre-tensioned concrete. It’s going to be months until the fault (and responsibility) will be determined, but until then we have the best footage yet of this collapse. It’s dash cam footage from a truck that rolled up to the red light just before the collapse. This is one that’s going to go down in engineering history along with the Hyatt Regency collapse.

Need to test your app? Here’s a delta robot designed for phones. You would be shocked at how popular this robot is.

Hologram.io Offers Developers Free Cell Data

If you’ve been thinking of adding cellular connectivity to a build, here’s a way to try out a new service for free. Hologram.io has just announced a Developer Plan that will give you 1 megabyte of cellular data per month. The company also offers hardware to use with the SIM, but they bill themselves as hardware agnostic. Hologram is about providing a SIM card and the API necessary to use it with the hardware of your choice: any 2G, 3G, 4G, or LTE devices will work with the service.

At 1 MB/month it’s obvious that this is aimed at the burgeoning ranks of Internet of Things developers. If you’re sipping data from a sensor and phoning it home, this will connect you in 200 countries over about 600 networks. We tried to nail them down on exactly which networks but they didn’t take the bait. Apparently any major network in the US should be available through the plan. And they’ve assured us that since this program is aimed at developers, they’re more than happy to field your questions as to which areas you will have service for your specific application.

The catch? The first taste is always free. For additional SIM cards, you’ll have to pay their normal rates. But it’s hard to argue with one free megabyte of cell data every month.

Hologram originally started with a successful Kickstarter campaign under the name Konekt Dash but has since been rebranded while sticking to their cellular-connectivity mission. We always like getting free stuff — like the developer program announced today — but it’s also interesting to see that Hologram is keeping up with the times and has LTE networks available in their service, for which you’ll need an LTE radio of course.

Detecting Mobile Phone Transmissions With A Sound Card

Anyone who had a cheap set of computer speakers in the early 2000s has heard it – the rhythmic dit-da-dit-dit of a GSM phone pinging a cell tower once an hour or so. [153armstrong] has a write up on how to capture this on your computer. 

It’s incredibly simple to do – simply plug in a set of headphone to the sound card’s microphone jack, leave a mobile phone nearby, hit record, and wait. The headphone wire acts as an antenna, and when the phone transmits, it induces a current in the wire, which is picked up by the soundcard.

[153armstrong] notes that their setup only seems to pick up signals from 2G phones, likely using GSM. It doesn’t seem to pick up anything from 3G or 4G phones. We’d wager this is due to the difference in the way different cellular technologies transmit – let us know what you think in the comments.

This system is useful as a way to detect a transmitting phone at close range, however due to the limited bandwidth of a computer soundcard, it is in no way capable of actually decoding the transmissions. As far as other experiments go, why not use your soundcard to detect lightning?

33C3: Dissecting 3G/4G Phone Modems

[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.

This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though, it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone5, because it makes the DIAG stream easily available.

Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.

Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.

Continue reading “33C3: Dissecting 3G/4G Phone Modems”

A Field Guide To The North American Communications Tower

The need for clear and reliable communication has driven technology forward for centuries. The longer communication’s reach, the smaller the world becomes. When it comes to cell phones, seamless network coverage and low power draw are the ideals that continually spawn R&D and the eventual deployment of new equipment.

Almost all of us carry a cell phone these days. It takes a lot of infrastructure to support them, whether or not we use them as phones. The most recognizable part of that infrastructure is the communications tower. But what do you know about them?

Continue reading “A Field Guide To The North American Communications Tower”

New A4 Jailbreak Debacle Puts The Brakes On For IPad

If you’ve been waiting in the wings for the next Jailbreak to be release you should know there’s been a bit of a speed bump. [ChronicDevTeam], which has been working on an exploit for A4-based iOS devices called SHAtter, tweeted last Thursday that the fully tested, untethered, and unpatchable package knows as greenpois0n would be released today. But on Friday [Geohot], who you may remember from the PlayStation 3 Hypervisor exploit, rolled out his own mostly untested and admittedly beta jailbreak called limera1n.

So where does that leave the situation? Because [geohot] used a different exploit, the [ChronicDevTeam] decided not to release greenp0ison. If they did, it would give Apple a chance to block two different exploits. Instead they are working feverishly to incorporate, test, and repackage using the same exploit as limera1n.

If you don’t want to wait, jailbreak now, but you risk problems with an unstable exploit method that is only available for Windows.

[via @ChronicDevTeam]