Retro tech is cool. Retro tech that works is even cooler. When we can see technology working, hold it in our hand, and use it as though we’ve been transported back in time; that’s when we feel truly connected to history. To help others create small time anomalies of their own, [Dmitrii Eliuseev] put together a quick how-to for creating your own Advanced Mobile Phone System (AMPS) network which can bring some of the classic cellular heroes of yesterday back to life.
Few readers will be surprised to learn that this project is built on software defined radio (SDR) and the Osmocom-Analog project, which we’ve seen before used to create a more modern GSM network at EMF Camp. Past projects were based on LimeSDR, but here we see that USRP is just as easily supported. [Dmitrii] also provides a brief history of AMPS, including some of the reasons it persisted so long, until 2007! The system features a very large coverage area with relatively few towers and has surprisingly good audio quality. He also discusses its disadvantages, primarily that anyone with a scanner and the right know-how could tune to the analog voice frequencies and eavesdrop on conversations. That alone, we must admit, is a pretty strong case for retiring the system.
The article does note that there may be legal issues with running your own cell network, so be sure to check your local regulations. He also points out that AMPS is robust enough to work short-range with a dummy load instead of an antenna, which may help avoid regulatory issues. That being said, SDRs have opened up so many possibilities for what hackers can do with old wireless protocols. You can even go back to the time when pagers were king. Alternatively, if wired is more your thing, we can always recommend becoming your own dial-up ISP.
As most in the technology community know, nation states have a suite of powerful tools that can be used to trace and monitor mobile phones. By and large, this comes up in discussions of privacy and legislation now and then, before fading out of the public eye once more. In the face of a global pandemic, however, governments are now using these tools in the way many have long feared – for social control. Here’s what’s happening on the ground.
The Current Situation
With COVID-19 sweeping the globe, its high level of contagiousness and rate of hospitalizations has left authorities scrambling to contain the spread. Unprecedented lockdowns have been put in place in an attempt to flatten the curve of new cases to give medical systems the capacity to respond. A key part of this effort is making sure that confirmed cases respect quarantine rules, and isolate themselves to avoid spreading the disease. Rules have also been put in place in several countries where all overseas arrivals must quarantine, regardless of symptoms or status. Continue reading “Cellular Tracking Used During COVID-19 Pandemic”
Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.
When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version based on a asymmetric encryption and a challenge-reponse protocol that uses sequential numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.
The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.
A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.
Via [The Register]
Header image: MOs810 [CC BY-SA 4.0].
Anyone who had a cheap set of computer speakers in the early 2000s has heard it – the rhythmic dit-da-dit-dit of a GSM phone pinging a cell tower once an hour or so. [153armstrong] has a write up on how to capture this on your computer.
It’s incredibly simple to do – simply plug in a set of headphone to the sound card’s microphone jack, leave a mobile phone nearby, hit record, and wait. The headphone wire acts as an antenna, and when the phone transmits, it induces a current in the wire, which is picked up by the soundcard.
[153armstrong] notes that their setup only seems to pick up signals from 2G phones, likely using GSM. It doesn’t seem to pick up anything from 3G or 4G phones. We’d wager this is due to the difference in the way different cellular technologies transmit – let us know what you think in the comments.
This system is useful as a way to detect a transmitting phone at close range, however due to the limited bandwidth of a computer soundcard, it is in no way capable of actually decoding the transmissions. As far as other experiments go, why not use your soundcard to detect lightning?