We’ve seen quite a few DIY 2G networks over the years, but the 4G field has been relatively barren. Turns out, there’s an open source suite called srsRAN that lets you use an SDR for setting up an LTE network, and recently, we’ve found a blog post from [MaFrance351] (Google Translate) that teaches you everything you could need to know if you ever wanted to launch a LTE network for your personal research purposes.
For a start, you want a reasonably powerful computer, a transmit-capable full-duplex software defined radio (SDR), suitable antennas, some programmable SIM cards, and a few other bits and pieces like SIM card programmers and LTE-capable smartphones for testing purposes. Get your hardware ready and strap in, as [MaFrance351] guides you through setting up your own base station, with extreme amounts of detail outlining anything you could get caught up on.
Although wireless standards like 3G, 4G, and 5G are mostly associated with mobile internet, they also include a phone (voice) component. Up till 4G this was done using traditional circuit-switched telephony service, but with this fourth generation the entire standard instead moved to a packet-switched version akin to Voice-over-IP, called VoLTE (voice-over-LTE). Even so, a particular phone can choose to use a 4G modem, yet still use 3G-style phone connections. Until the 3G network is shutdown, that is. This is the crux of [Hugh Jeffreys]’s latest video.
In order to make a VoLTE phone call, your phone, your provider, the receiving phone and the intermediate network providers must all support the protocol. Even some newer phones like the Samsung Galaxy J3 (2016) do not support this. For other phones you have to turn the feature on yourself, if it is available. As [Hugh] points out in the video, there’s no easy way to know whether an Android phone supports it, which is likely to lead to chaos as more and more 3G networks in Australia and elsewhere are turned off, especially in regions where people use phones for longer than a few years.
The cessation of such basic functionality is why in most countries 2G networks remain active, as they are being used by emergency services and others for whom service interruptions can literally cost lives, as well as countless feature phones and Internet of Things devices. For some phones without VoLTE, falling back to 2G might therefore still be an option if they support this. With the spotty support, lack of transparency and random shutdowns, things may however get rather frustrating for some the coming years.
LTE networks have taken over from older technologies like GSM in much of the world. Outfitted with the right hardware, like a software defined radio, and the right software, it’s theoretically possible to sniff some of this data for yourself. The LTESniffer project was built to do just this.
LTESniffer is able to sniff downlink traffic from base stations using a USRP B210 SDR, outfitted with two antennas. If you want to sniff uplink traffic, though, you’ll need to upgrade to an X310 with two daughterboards fitted. This is due to the timing vagaries of LTE communication. Other solutions can work however, particularly if you just care about downlink traffic.
If you’ve got that hardware though, you’re ready to go. The software will help pull out LTE signals from the air, though it bears noting that it’s only designed to work with unencrypted traffic. It won’t help you capture the encrypted communications of network users, though it can show you various information like IMSI numbers of devices on the network. Local regulations may prevent you legally even doing this, and if so, the project readme recommends setting up your own LTE network to experiment with instead.
Cellular sniffing has always been somewhat obscure and arcane, given the difficulty and encryption involved, to say nothing of the legal implications. Regardless, some hackers will always pursue a greater knowledge of the technology around them. If you’ve been doing just that, let us know what you’re working on via the tipsline.
In their monthly announcement, among all the cool things Pine64, they talked about the open firmware for PinePhone’s LTE modem. The firmware isn’t fully open – a few parts remain closed. And Pine emphasizes that they neither pre-install nor officially endorse this firmware, and PinePhones will keep shipping with the vendor-supplied modem firmware image instead.
That said, the new firmware is way more featureful – it has less bugs, more features, decreased power consumption, and its proprietary parts are few and far between. I’d like to note that, with a special build of this firmware, the PinePhone’s modem can run Doom – because, well, of course.
And with all that, it’s become way easier to install this firmware – there’s fwupd hooks now! You can think of fwupd as the equivalent of Windows Update for firmware, except not abusive, and aimed at Linux. A perfect fit for keeping your open-source devices as functional as they can be, in other words.
When modern connected cars cross continents, novel compatibility problems crop up. [Oleg Kutkov], being an experienced engineer, didn’t fret when an USA-tailored LTE modem worked poorly on his Tesla fresh off its USA-Europe import journey, and walks us through his journey of replacing the modem with another Tesla modem module that’s compatible with European LTE bands.
[Oleg]’s post goes through different parts on the board and shows you how they’re needed in the bigger picture of the Tesla’s Media Computer Unit (MCU), even removing the LTE modem’s shield to describe the ICs underneath it, iFixit teardown diagram style! A notable highlight would be an SIM-on-chip, essentially, a SIM card in an oh-so-popular DFN package, and thankfully, replacing it with a socket for a regular SIM card on some extender wires has proven fruitful. The resulting Tesla can now enjoy Internet connectivity at speeds beyond those provided by EDGE. The write-up should be a great guide for others Tesla owners facing the same problem, but it also helps us make electric cars be less alike black boxes in our collective awareness.
These days, we’re blessed with cellular data networks that span great swathes of the Earth. By and large, they’re used to watch TV shows and argue with strangers online. However, they’re also a great tool to use to interact with hardware in remote locations, particularly mobile ones where a wired connection is impractical.
In this series, we’re taking a look at tips and tricks for doing remote cellular admin the right way. First things first, you’ll need a data connection – so let’s look at choosing a modem.
Options Abound
When shopping around for cellular data modems, it can be difficult to wade through the variety of options out there and find something fit for purpose. Modems in this space are often marketed for very specific use cases; at the consumer level, many are designed to be a no-fuss home broadband solution, while in the commercial space, they’re aimed primarily to provide free WiFi for restaurants and cafes. For use in remote admin, the presence of certain features can be critical, so it pays to do your research before spending your hard earned money. We’ve laid out some of the common options below.
Consumer Models
Many telecommunications providers around the world sell cheap USB dongles for connecting to the Internet, with these first becoming popular with the rise of 3G. They’re somewhat less common now in the 5G era, with the market shifting more towards WiFi-enabled devices that share internet among several users. These devices can often be had for under $50, and used on prepaid and contract data plans.
These devices are often the first stop for the budding enthusiast building a project that needs remote admin over the cellular network. However, they come with certain caveats that can make them less attractive for this use. Aimed at home users, they are often heavily locked down with firmware that provides minimal configuration options. They’re generally unable to be set up for port forwarding, even if you can convince your telco to give you a real IP instead of carrier-grade NAT. Worse, many appear to the host computer as a router themselves, adding another layer of NAT that can further complicate things. Perhaps most frustratingly, with these telco-delivered modems, the model number printed on the box is often not a great guide as to what you’re getting.
A perfect example is the Huawei E8327. This comes in a huge number of sub-models, with various versions of the modem operating in different routing modes, on different bands, and some even omitting major features like external antenna connectors. Often, it’s impossible to know exactly what features the device has until you open the box and strip the cover off, at which point you’re unable to return the device for your money back.
All is not lost, however. The use of VPNs can help get around NAT issues, and for the more adventurous, some models even have custom firmware available on the deeper, darker forums on the web. For the truly cash strapped, they’re a viable option for those willing to deal with the inevitable headaches. There are generally some modems that stand out over others in this space for configurability and ease of use. This writer has had great success with a now-aging Sierra Aircard 320U, while others have found luck with the Huawei E3372-607. As per earlier warnings though, you don’t want to accidentally end up with an E3372-608 – thar be dragons.
In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?
According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.
The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.
So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.
This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.
The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.
All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.