Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen-page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.
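The display-time signature check proposed above, sketched as an added example; it is not code from the paper or from any handset vendor. The `Alert` layout, the choice of Ed25519, the fixed demo key and the duplicate-serial rule (which goes a step beyond the article, to cover a genuine alert being captured and replayed in a flood) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Alert is a constructed stand-in; the Sig field is hypothetical.
type Alert struct {
	Serial uint16
	Text   string
	Sig    []byte
}

// Demo key pair from an all-zero seed (constructed, never a real key).
var demoPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var demoPub = demoPriv.Public().(ed25519.PublicKey)

// signedBytes binds serial and text so neither can be swapped alone.
func signedBytes(serial uint16, text string) []byte {
	return append([]byte{byte(serial >> 8), byte(serial)}, text...)
}

// SignAlert plays the role of the alert originator.
func SignAlert(priv ed25519.PrivateKey, serial uint16, text string) Alert {
	return Alert{serial, text, ed25519.Sign(priv, signedBytes(serial, text))}
}

// Gate sits between the radio stack and the UI and remembers shown serials.
type Gate map[uint16]bool

// ShouldDisplay judges an alert the baseband has already accepted.
func (g Gate) ShouldDisplay(pub ed25519.PublicKey, a Alert) (bool, string) {
	if !ed25519.Verify(pub, signedBytes(a.Serial, a.Text), a.Sig) {
		return false, "bad signature"
	}
	if g[a.Serial] { // genuine alert captured and replayed in a flood
		return false, "duplicate serial"
	}
	g[a.Serial] = true
	return true, "ok"
}

func main() {
	g, genuine := Gate{}, SignAlert(demoPriv, 1, "constructed test alert")
	forged := Alert{2, "constructed spoof", make([]byte, ed25519.SignatureSize)}
	for _, a := range []Alert{genuine, forged, genuine} {
		fmt.Println(g.ShouldDisplay(demoPub, a))
	}
}
```

The gate only decides what reaches the screen; the radio layer still receives every message, which matches the article's point that the phone may not be able to refuse the message itself.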

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Mayak Turns WiFi Traffic Into Sound

Dial-up modems were well known for their screeching soundtrack during the connection process. Modern networking eschews audio based communication methods, so we no longer have to deal with such things. However, all is not lost. [::vtol::]’s Mayak installation brings us a new sound, all its own.

The installation consists of four WiFi routers, connected to four LTE modems. These are configured as open hotspots that anyone can connect to. [::vtol::] was careful to select routers that had highly responsive activity LEDs. The activity LEDs are wired to an Arduino, which processes the inputs, using them to trigger various sounds from an attached synthesizer.

As users connect to the routers and go about their business on the Internet, the activity LEDs flash and the synthesizer translates this into an otherworldly soundtrack. The hardware is all hung on a beautiful metal and acrylic frame, which stands as a striking form in the sparse gallery.

The piece creates a very electronic soundscape, but you may prefer your installations to have a more mechanical racket. Video after the break.


Digital License Plates Are Here, But Do We Need Them?

It’s a story as old as time: you need to swap between your custom license plates, but you can’t find a screwdriver and you’re already running late for a big meeting at the Business Factory. You called AAA to see if they could come out and do it for you, but as luck would have it something must be wrong with your phone because the line was disconnected as soon as you explained the situation. As if life in the First World couldn’t get any more difficult.

Luckily, a company called Reviver Auto has come up with a thoroughly modern solution to this age-old problem. Assuming you live in Arizona, California, or Michigan and are willing to pay $800 USD (plus a small monthly service fee), you can join the Rplate revolution! Less a license plate and more of a “cool-looking, multi-functional digital display and connected vehicle platform”, the Rplate will ensure you never again find yourself stuck on the side of the road with an unfashionable license plate.

What’s that? You’ve had the same license plate for years, possibly decades, and have never given it much thought? Well, in that case the Rplate might be sort of a tough sell. Did we mention that someday you might be able to display the current weather on it while your car is parked? Of course, if you can see the license plate you’re already outside, so…

This all might sound like an out of season April Fool’s joke, but as far as I can tell from reading the Reviver Auto site and watching their promotional videos, this is essentially the value proposition of their line of Rplate digital license plates. There are some admittedly interesting potential extensions of the technology if they can convince other companies and systems to plug into their ecosystem, but given the cost of the Rplate and the few states in which it’s currently legal to use, that seems far from a given at this point.

But of course we’re fans of weird and wonderful technology here at Hackaday, so we should give this device a fair shake. On the surface it might seem to be a solution looking for a problem, but that’s often said of technology ahead of its time. So what exactly is the Rplate, how does it work, and where does it go from here?


Particle Paves Way For LTE Selfies

From cars to refrigerators, it seems as if every new piece of tech is connected to the Internet. For better or for worse, we’re deep into the “Internet of Things”. But what about your camera? No, not the camera in your smartphone; that one’s already connected to the Internet and selling your secrets to the highest bidder. Don’t you think your trusty DSLR could be improved by an infusion of Wide Area Networking?

Regardless of what your answer to that question might be, [Thomas Kittredge] decided his life would be improved by making his beloved Canon EOS Rebel T6 an honorary member of the Internet of Things. Truth be told, he says that he hasn’t quite figured out an application for this project. But since he was looking to mess around with both the LTE-enabled Particle Boron development board and designing his own PCB for professional production, this seemed as good a way to get his feet wet as any.

The resulting board is a fairly simple “shield” for the Particle Boron that lets [Thomas] trigger up to two cameras remotely over the Internet or locally with Bluetooth. If LTE isn’t your sort of thing though, don’t worry. Since the Boron follows the Adafruit Feather specification, there’s a whole collection of development boards with various connectivity options that this little add-on can be used with.

In the GitHub repository, [Thomas] has put up the files for the PCB, the STLs for the 3D printed enclosure, and of course the firmware source code to load onto the Particle board. He currently has code to expose the two shutter triggers as functions to the Particle Cloud API, as well as a practical example that fires off the camera when specific words are used in a Slack channel.

Out for a little over a year, the Particle Boron is a fairly new addition to the world of cellular development boards. Historically we haven’t seen a whole lot of cellular capable projects, likely because it’s been such a hassle to get them online, but with new boards like the Boron we might start seeing an uptick in the random pieces of gear that have this form of connectivity and an internet-facing IP address. Surely nothing bad could come of this!

Smartphone App Uses AR To Visualize The RF Spectrum

Have you ever wished you could see in the RF part of the radio spectrum? While such a skill would probably make it hard to get a good night’s rest, it would at least allow you to instantly see dead spots in your WiFi coverage. Not a bad tradeoff.

Unwilling to go full [Geordi La Forge] to be able to visualize RF, [Ken Kawamoto] built the next best thing – an augmented-reality RF signal strength app for his smartphone. Built to aid in the repositioning of his router in the post-holiday cleanup, the app uses the Android ARCore framework to figure out where in the house the phone is and overlays a color-coded sphere representing sensor data onto the current camera image. The spheres persist in 3D space, leaving a trail of virtual breadcrumbs that map out the sensor data as you warwalk the house. The app also lets you map Bluetooth and LTE coverage, but RF isn’t its only input: if your phone is properly equipped, magnetic fields and barometric pressure can also be AR mapped. We found the Bluetooth demo in the video below particularly interesting; it’s amazing how much the signal is attenuated by a double layer of aluminum foil. [Ken] even came up with an Arduino with a gas sensor that talks to the phone and maps the atmosphere around the kitchen stove.

The app is called AR Sensor and is available on the Play Store, but you’ll need at least Android 8.0 to play. If your phone is behind the times like ours, you might have to settle for mapping your RF world the hard way.


Behind The Scenes At A Pair Of Cell Sites

Those who fancy themselves as infrastructure nerds find cell sites fascinating. They’re outposts of infrastructure wedged into almost any place that can provide enough elevation to cover whatever gap might exist in a carrier’s coverage map. But they’re usually locked behind imposing doors and fences with signs warning of serious penalty for unauthorized access, and so we usually have to settle for admiring them from afar.

Some folks, like [Mike Fisher] aka [MrMobile], have connections, though, and get to take an up close and personal tour of a couple of cell sites. And while the video below is far from detailed enough to truly satisfy most of the Hackaday crowd, it’s enough to whet the appetite and show off a little of what goes into building out a modern cell site. [Mike] somehow got AT&T to take him up to a cell site mounted in the belfry and steeple of the 178-year old Unitarian Church in Duxbury, Massachusetts. He got to poke around everything from the equipment shack with its fiber backhaul gear and backup power supplies to the fiberglass radome shaped to look like the original steeple that now houses the antennas.

Next he drove up to Mount Washington in New Hampshire, the highest point in the northeast US and home to a lot of wireless infrastructure. Known for having some of the worst weather in the world and with a recent low of -36°F (-38°C) to prove it, Mount Washington is brutal on infrastructure, to which the tattered condition of the microwave backhaul radomes attests.

We appreciate the effort that went into this video, but again, [Mike] leaves us wanting more details. Luckily, we’ve got an article that does just that.


Kristin Paget Is Hacking Carrier Grade LTE ENodeB

Every once in a while you get lucky and a piece of cool gear lands on your bench to tear down and explore. On that measuring stick, Kristin Paget hit the jackpot when she acquired a fascinating piece of current generation cellphone infrastructure. She’s currently researching a carrier-grade LTE eNodeB and walked through some of the findings, along with security findings of two IoT products, during her talk on the Laws of IoT Security at the 2017 Hackaday Superconference.

Evolved Node B (eNodeB) is the meat and potatoes of the LTE cellular network. It connects the antenna to backhaul — this is not something you’d expect to see on the open market but Kristin managed to pick one up from a vendor at DEF CON. Hearing her walk through the process of testing the hardware is a real treat in her talk and we’ll get to that in just a minute. But first, check out our video interview with Kristin the morning after her talk. We get into the progress of her eNodeB research, and touch on the state of IoT security with advice for hardware developers moving forward.
