A Cellular Dev Kit With A Data Plan

After years of futzing around with 433 MHz radios and WiFi, we’re finally seeing a few dev boards that are focused on cellular radio modules. The Konekt Dash is the latest offering that puts a small u-blox SARA cellular module on a board with a small ARM Cortex M4 microcontroller for a complete cellular solution for any project you have in mind. Yes, until we get radios that make sense for an Internet of Things, this is the best you’re going to get.

If the Konekt sounds familiar, you’re right. A few months ago, Spark introduced the Electron, a cellular dev board based on the u-blox SARA-U260 module that includes a SIM with 1MB of data a month. Practically, it’s not much different from the Konekt, but the Dash and Dash Pro offer battery management and a battery connector, two power supplies, and encryption from the board to a server. There are slight differences for about the same price, but that’s what’s great about competition.

The Konekt Dash is now a few days into a Kickstarter campaign that includes as rewards a board and a SIM with six months to a year’s worth of data. There are a lot of things that can’t be done with WiFi, Bluetooth, or other radio modules, and if you have something like that in mind, you won’t do better than a Konekt or Spark Electron.

Spark Goes Cellular With The Electron

A few years ago, small and cheap WiFi modules burst onto the scene and with that the Spark was born. It’s a tiny dev board with a TI CC3000 WiFi module, capable of turning any device into an Internet-connected device. It’s only the very beginning of the Internet of Things, yes, but an important step in the right direction. Now, Spark is unshackling itself from WiFi networks with the Spark Electron, a dev kit that comes with a cellular radio and data plan.

If you’ve ever tried to build a high altitude balloon, a project that will be out of range of WiFi, or anything else where cellular data would be a godsend, you’ll quickly realize Verizon, AT&T, Sprint, and all the other carriers out there don’t necessarily care about your project. As far as we can tell, Spark is the first company to fix this gaping hole in what cellular can do by offering their own service – 20,000 messages for $3/month and no contracts. Officially, that’s 1MB of data spread over 20k messages that are about 50 bytes in length.

There are a few dozen companies and organizations working on the next generation of The Internet Of Things, but these require completely new silicon and spectrum allocations or base stations. Right now, there’s exactly one way of getting a Thing on the Internet without WiFi, and that’s with cellular data. We have to hand it to Spark for this one, and can’t wait to see the projects that will be possible due to a trickle of Internet everywhere.

Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man-in-the-middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man-in-the-middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.
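Both dongles accepted whatever firmware the network handed them, so the missing control is an update check that does not trust the transport. The sketch below is an added example, not code from Zubie, Progressive, or either research team: it authenticates a small manifest (version plus image digest) before parsing it and refuses rollbacks. It uses a per-device HMAC key only to stay inside the Python standard library; a production design would verify an asymmetric vendor signature instead, and the key, manifest layout and function names here are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device key (assumption); real hardware keeps it in protected storage.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def sign_manifest(key, version, image):
    """Vendor side: bind the version and image digest under a MAC."""
    body = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def accept_update(key, installed_version, manifest, image):
    """Device side: return (ok, reason); flash only when ok is True."""
    body = str(manifest.get("body", "")).encode()
    tag = str(manifest.get("tag", "")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Authenticate the manifest before parsing any field from it.
    if not hmac.compare_digest(expected, tag):
        return False, "bad manifest tag"
    fields = json.loads(body)
    # A valid but old manifest replayed by a rogue server must not downgrade.
    if fields["version"] <= installed_version:
        return False, "rollback or replay"
    digest = hashlib.sha256(image).hexdigest().encode()
    if not hmac.compare_digest(fields["sha256"].encode(), digest):
        return False, "image digest mismatch"
    return True, "ok"


def demo():
    """Constructed cases: genuine update, swapped image, forged manifest, replay."""
    good = b"constructed firmware v8"
    evil = b"constructed tampered image"
    genuine = sign_manifest(DEVICE_KEY, 8, good)
    forged = sign_manifest(b"attacker-guess", 9, evil)
    return [
        accept_update(DEVICE_KEY, 7, genuine, good),
        accept_update(DEVICE_KEY, 7, genuine, evil),
        accept_update(DEVICE_KEY, 7, forged, evil),
        accept_update(DEVICE_KEY, 8, genuine, good),
    ]
```

With a check like this in the update path, redirecting DNS to a rogue server only yields a rejected download, because the server cannot produce a manifest the device will accept.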

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Retrotechtacular: Ma Bell’s Advanced Mobile Phone Service (AMPS)

This gem from the AT&T Archive does a good job of explaining the first-generation cellular technology that AT&T called Advanced Mobile Phone Service (AMPS). The hexagon-cellular network design was first conceived at Bell Labs in 1947. After a couple of decades spent pestering the FCC, AT&T was awarded the 850MHz band in the late 1970s. It was this decision coupled with the decades’ worth of Bell System technical improvements that gave cellular technology the bandwidth and power to really come into its own.

AT&T’s primary goals for the AMPS network were threefold: to provide more service to more people, to improve service quality, and to lower the cost to subscribers. Early mobile network design gave us the Mobile Service Area, or MSA. Each high-elevation transmitter could serve a 20-mile radius of subscribers, a range which constituted one MSA. In the mid-1940s, only 21 channels could be used in the 35MHz and 150MHz band allocations. The 450MHz band was introduced in 1952, providing another 12 channels.

The FCC’s allocation opened a whopping 666 channels in the neighborhood of 850MHz. Bell Labs’ hexagonal innovation sub-divided the MSAs into cells, each with a radius of up to ten miles.

The film explains quite well that in this arrangement, each cell set of seven can utilize all 666 channels. Cells adjacent to each other in the set must use different channels, but any cell at least 100 miles away can use the same channels. Furthermore, cells can be subdivided or split. Duplicate frequencies are dealt with through the FM capture effect in which the weaker signal is suppressed.

Those Bell System technical improvements facilitated the electronic switching that takes place between the Mobile Telephone Switching Office (MTSO) and the POTS landline network. They also realized the automatic control features required of the AMPS project, such as vehicle location and automatic channel assignment. The film concludes its lecture with step-by-step explanations of inbound and outbound call setup where a mobile device is concerned.

Hackaday Links: November 9, 2012

Yeah, it’s like Twitter but actually cool

Thingiverse – still the best place on the Internet to find cool 3D models to print out – has gone all Web 3.0 with their new Dashboard feature. Basically, you can think of this as Thingiverse’s version of Twitter. The dashboard allows you to see the latest updates from people you like, follow people, categories, and tags, and check out your all-important ‘who’s following me’ stats. Yes, to the Hackaday crowd it may sound a little lame, but it’s a great way to winnow the (awesome) wheat from the (slightly less awesome) chaff.

Hey, we goofed. And not by using the same image twice

Remember when we jumped on the Occupy Thingiverse bandwagon? Well, there were questions about the Thingiverse Terms of Service and confusion that Makerbot actually owns everything uploaded to Thingiverse. That’s completely wrong according to Makerbot’s lawyer [Rich McCarthy]. The whole issue dealt with “Moral Rights or attribution” – a French legal doctrine that isn’t part of US law (or the law of any English-derived legal system as far as we can tell). Yeah, we goofed.

Now u cn snd SMS msgs wit n ‘ino & cell sheld

[Meir] sent in a cellular library for microcontroller projects that allows for simple sending and receiving of SMS messages. Yes, it’s been done before, but [Meir] hid all the hardware interaction with the cellular shield – a good design practice – to make the code nice and tidy.

And you thought PVC was bad…

Just in time for Thanksgiving, [Lou] shows us the fastest way to make mashed potatoes: an oxygen and propane powered potato gun. The build uses oxy and propane tanks you can pick up for a few bucks at any hardware store, steel pipe for the barrel, a grill igniter, and a few pipe fittings. It’s awesome, and we’ve got to hand it to [Lou] for this one. Now to build one and test it out on our indestructible test dummy.

It’s just like the Raspberry Pi! They’re that backordered!

Remember the Stellaris Launchpad, the very cool (and very inexpensive) ARM dev board put out by TI? Yeah, they’re shipping now. News of this comes from [Ryan Holtz] at Autodesk after the FedEx guy came knocking a few days ago. The good news is they’re shipping, the bad news is the price increased slightly to $13.

Going Cellular With Your Arduino Projects

You can add a huge measure of extensibility to a project by using a cellular connection. Anywhere the device can get service you can interact with it. In the past this has been a pretty deep slog through datasheets to get everything working, but this tutorial will show the basics of interacting with phone calls and text messages. It’s the 26th installment of what is becoming a mammoth Arduino series, and the first one in a set that works with the SM5100B cellular shield.

We love the words of warning at the top of the article which mention that a bit of bad code in your sketch could end up sending out a barrage of text messages, potentially costing you a bundle. But there’s plenty of details and if you follow along each step of the way we think you’ll come out fairly confident that you know what you’re doing. Just promise us that you won’t go out and steal SIM cards to use with your next project. Find part two of the tutorial here and keep your eyes open for future installments.

Chumby One Becomes A 3g Router

[bunnie] has taken a few moments to show us how to turn our Chumby One into a 3g router. As it turns out, there is an easter egg that allows it to communicate with certain models of 3g dongles. There’s no GUI for this trick, so you’ll be doing most of your configuration via SSH. That shouldn’t be a problem for this crowd though. The Chumby One just got a lot more appealing.