Stealth Cell Tower Inside This Office Printer Calls To Say I Love You

If you look around the street furniture of your city, you may notice some ingenious attempts to disguise cell towers. There are fake trees, lamp posts with bulges, and plenty you won’t even be aware of concealed within commercial signage. The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them. On a more sinister note, government agencies have been known to make use of fake cell towers of a different kind, those which impersonate legitimate towers in order to track and intercept communications.

In investigating the phenomenon of fake cells, [Julian Oliver] has brought together both strands by creating a fake cell tower hidden within an innocuous office printer. It catches the phones it finds within its range, and sends them a series of text messages that appear to be from someone the phone’s owner might know. It then prints out a transcript of the resulting text conversation along with all the identifying information it can harvest from the phone. As a prank it also periodically calls phones connected to it and plays them the Stevie Wonder classic I Just Called To Say I Love You.

In hardware terms the printer has been fitted with a Raspberry Pi 3, a BladeRF software-defined transceiver, and a pair of omnidirectional antennas which are concealed behind the toner cartridge hatch. Software comes via  YateBTS, and [Julian] provides a significant amount of information about its configuration as well as a set of compiled binaries.

In one sense this project is a fun prank, yet on the other hand it demonstrates how accessible the technology now is to impersonate a cell tower and hijack passing phones. We’re afraid to speculate though as to the length of custodial sentence you might receive were you to be caught using one as a private individual.

We’ve considered the Stingray cell phone trackers before here at Hackaday, as well as looking at a couple of possible counter-measures. An app that uses a database of known towers to spot fakes, as well as a solution that relies on an SDR receiver to gather cell tower data from a neighbourhood.

[via Hacker News]

How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there was most certinaly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava wearing hackers requires some sort of detection system.. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector
A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.