
Hackaday Links: April 8, 2018

SiFive raised $50 Million in funding. SiFive is a semiconductor company working on two fronts: they want to democratize silicon prototyping, and they’re the people making the HiFive series of microcontrollers and SoCs. The HiFives are built on the RISC-V instruction set, a Big-O Open instruction set for everything from tiny microcontrollers to server CPUs. With RISC-V, you’re not tied to licensing from ARM or their ilk. Recently SiFive introduced an SoC capable of running Linux, and the HiFive 1 is a very fast, very capable microcontroller that’s making inroads with Nvidia and Western Digital. The new round of funding is great news for anyone who wants Open Source hardware, and the silicon prototyping aspect of it is exceptionally interesting. Great news for SiFive.

Guess what’s in just a few weekends? The Vintage Computer Festival Southeast. The VCFSE is Hotlanta’s own vintage computer festival, with a whole host of speakers, exhibits, and consignment to tickle those vintage dopamine receptors. On deck for the speakers is [Michael Tomczyk], one of the people responsible for the VIC-20, and [Scott Adams], no, the other [Scott Adams], creator of adventure-style games for personal computers but not that adventure-style game. The exhibits will include Japanese retro computers, an ENIAC simulation, and a mechanical keyboard meetup. If you’re around Georgia, this is an event worth attending.

Conference season is just around the corner, and you know what that means. It’s time to start ramping up for #badgelife. What is badgelife? It’s a hardware demoscene of electronic conference badges. This year, the badgelife scene has stumbled upon something everyone can get in on. Add-ons! They’re electronic hats (or shields, or capes) for all the badges. Physically, it’s a 2×2 pin header. Electronically, it’s power, ground and I2C. Want to prototype your own add-on? Good news, there’s a development board.

The Titius-Bode law states the semi-major axes of planets follow a geometric progression. The (simplified, incorrect) demonstration of this law states Mercury orbits at 0.25 AU, Venus at 0.5 AU, Earth at 1 AU, Mars at 2 AU, and continues to the outer planets. The Titius-Bode law is heavily discredited in the planetary science community, and any paper, talk, or manuscript promoting it is rejected by scientific editors out of hand. The Titius-Bode law is the planetary science equivalent of flat Earth conspiracy theories and Nazi moon bases; giving any consideration to the idea confirms you’re a moron. This week, some consulting firm posted something that is the Titius-Bode law on their blog. Why? So it could be submitted to Hacker News for that sweet SEO. This submission was upvoted to the top position, and is a wonderful springboard to argue an interesting point on media literacy. I posit the rise of news aggregators (Facebook, Twitter, Digg, Reddit, and HN) is the driving force behind ‘fake news’ as lay people become the gatekeepers. Prove me wrong.

The Department of Homeland Security has confirmed there are cell-site simulators (Stingrays, IMSI-catchers, or otherwise known as your own private cell phone base station) around Washington DC. It’s unknown who is operating these simulators, or even where they are. There are two things to read between the lines with this information: Duh, there are rogue Stingrays in DC. Holy crap duh. I bet there are also some around midtown Manhattan. You can buy the stuff to do this on eBay. Personally, I’ve found half a dozen Stingrays or other rogue cell stations this year (guess where?). Second, why is this a news item now? Is this a signal that the DHS will start clamping down on stuff you can buy on eBay? Hop to it, people; cellular hardware is a great way to make a liquid nitrogen generator.

LTE IMSI Catcher

GSM IMSI catchers preyed on a cryptographic misstep in the GSM protocol. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video, embedded below).

First of all, what is an IMSI? IMSI stands for International Mobile Subscriber Identity. If an IMEI (International Mobile Equipment Identity) is your license plate, your IMSI would be your driver’s license. The IMEI is specific to the phone. Your IMSI is used to identify you, allowing phone companies to verify your origin country and mobile network subscription.
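The two identifiers compared above have a fixed structure, which is why a leaked IMSI says so much about the subscriber: the first digits name the home country and network. The following script is an added example, not code from the original post or from [Domi]'s project. It splits an IMEI into its Type Allocation Code, serial and Luhn check digit, and an IMSI into MCC, MNC and MSIN. The set of country codes that use three-digit MNCs is a deliberately small, incomplete stand-in (Canada and the US), and the sample identifiers are constructed values.

```python
# Added example: structure of the IMEI (equipment) and IMSI (subscriber) identifiers.
# IMEI: 8-digit TAC + 6-digit serial + 1 Luhn check digit = 15 digits.
# IMSI: 3-digit MCC + 2- or 3-digit MNC + MSIN, 15 digits at most.

# Assumption: a small, incomplete table of MCCs whose networks use 3-digit MNCs
# (Canada and the USA). A real parser would consult the full E.212 operator list.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "314", "315", "316"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used for the IMEI check digit: from the right,
    double every second digit, subtract 9 from results above 9, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """Validate a 15-digit IMEI and return its TAC, serial number and check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be exactly 15 digits")
    if not luhn_valid(imei):
        raise ValueError("IMEI check digit mismatch")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into country code, network code and subscriber number."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


if __name__ == "__main__":
    # Constructed sample values: the IMEI below is a well-known documentation example,
    # the IMSIs are made up (MCC 310 = USA, MCC 262 = Germany).
    print(parse_imei("490154203237518"))
    print(parse_imsi("310260123456789"))
    print(parse_imsi("262011234567890"))
```

The MNC split is the part a real implementation gets wrong most often: the MNC length depends on the MCC, so a parser that always takes two digits misattributes every North American subscriber to the wrong operator.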

Now, with terminology in tow, how does [Domi] steal your IMSI? Four words: Tracking Area Update Request. When a phone on an LTE network receives a tracking area update request, the LTE protocol mandates that the phone deletes all of its authentication information before it can reconnect to a base station. With authentication out of the way [Domi] spoofs a tower, waits for phones to connect, requests the phone’s IMSI and then rejects the phone’s authentication request, all under the nose of the phone’s user.

Now, before you don your tinfoil hat, allow us to suggest something more effective. Need more cell phone related hacks? We’ve got your back.


Stealth Cell Tower Inside This Office Printer Calls To Say I Love You

If you look around the street furniture of your city, you may notice some ingenious attempts to disguise cell towers. There are fake trees, lamp posts with bulges, and plenty you won’t even be aware of concealed within commercial signage. The same people who are often the first to complain when they have no signal it seems do not want to be reminded how that signal reaches them. On a more sinister note, government agencies have been known to make use of fake cell towers of a different kind, those which impersonate legitimate towers in order to track and intercept communications.

In investigating the phenomenon of fake cells, [Julian Oliver] has brought together both strands by creating a fake cell tower hidden within an innocuous office printer. It catches the phones it finds within its range, and sends them a series of text messages that appear to be from someone the phone’s owner might know. It then prints out a transcript of the resulting text conversation along with all the identifying information it can harvest from the phone. As a prank it also periodically calls phones connected to it and plays them the Stevie Wonder classic I Just Called To Say I Love You.

In hardware terms the printer has been fitted with a Raspberry Pi 3, a BladeRF software-defined transceiver, and a pair of omnidirectional antennas which are concealed behind the toner cartridge hatch. Software comes via YateBTS, and [Julian] provides a significant amount of information about its configuration as well as a set of compiled binaries.

In one sense this project is a fun prank, yet on the other hand it demonstrates how accessible the technology now is to impersonate a cell tower and hijack passing phones. We’re afraid to speculate though as to the length of custodial sentence you might receive were you to be caught using one as a private individual.

We’ve considered the Stingray cell phone trackers before here at Hackaday, as well as looking at a couple of possible counter-measures: an app that uses a database of known towers to spot fakes, and a solution that relies on an SDR receiver to gather cell tower data from a neighbourhood.

[via Hacker News]

Hackaday Prize Entry: Catch The IMSI Catchers

An IMSI catcher is an illicit mobile phone base station designed to intercept the traffic from nearby mobile phones by persuading them to connect to it rather than the real phone company tower. The IMSI in the name stands for International Mobile Subscriber Identity, a unique global identifier that all mobile phones have. IMSI catchers are typically used by government agencies to detect and track people at particular locations, and are thus the subject of some controversy.

As is so often the case when a piece of surveillance technology is used in a controversial manner there is a counter-effort against it. The IMSI catchers have spawned the subject of this post, an IMSI catcher detector app for Android. It’s a work-in-progress at the moment with code posted in its GitHub repository, but it is still an interesting look into this rather shadowy world.

How then, you might ask, does this app hope to detect the fake base stations? In the first case, it will check the identity of the station it is connected to against a database of known cell towers. Then it will try to identify any unusual behaviour from the base station by analysing its traffic and signal strength. Finally it will endeavour to spot anomalies in the implementation of the cell phone protocols that might differentiate the fake from the real tower.

They have made some progress but stress that the app is in alpha stage at the moment, and needs a lot more work. They’re thus inviting Android developers to join the project. Still, working on projects is what the Hackaday Prize is all about.

How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there were most certainly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin’ here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava-wearing hackers requires some sort of detection system. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.
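The heuristics described for the Android detector app above (database lookup, signal-strength anomalies) and the "tower that shows up on your street for a week" rule from [Eric]'s survey data are the same kind of offline analysis, so here is one added example that runs both over a log in the shape [Eric]'s device produces. This is not [Eric]'s code or the app's code: the beacon log, the baseline of previously surveyed towers, the PLMN (MCC 262 / MNC 01), the coordinates and the thresholds (14 days of history, 15 dB margin) are all constructed for the example.

```python
# Added example: rogue-cell heuristics over a constructed beacon log.
# Each Beacon is one logged broadcast, with the fields the post lists (channel number,
# country code, network code, area ID, cell ID, received power) plus GPS position.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Beacon:
    seen: datetime
    mcc: str        # mobile country code
    mnc: str        # mobile network code
    lac: int        # location area code, the "ID number unique to a large area"
    cid: int        # cell ID
    arfcn: int      # radio channel number
    rssi_dbm: int   # received power
    lat: float
    lon: float

    @property
    def key(self):
        return (self.mcc, self.mnc, self.lac, self.cid)


# Constructed baseline: towers found on earlier survey drives, with the strongest
# RSSI ever logged for each one (the "database of known cell towers").
KNOWN_TOWERS = {
    ("262", "01", 4711, 10001): -65,
    ("262", "01", 4711, 10002): -70,
    ("262", "01", 4711, 10003): -72,
}

T0 = datetime(2018, 3, 1)


def _b(day, lac, cid, rssi):
    # Helper for the constructed log: same network, roughly the same street corner each time.
    return Beacon(T0 + timedelta(days=day), "262", "01", lac, cid, 42, rssi, 52.5200, 13.4050)


SAMPLE_LOG = [
    _b(0, 4711, 10001, -70), _b(10, 4711, 10001, -68), _b(29, 4711, 10001, -66),
    _b(3, 4711, 10002, -75), _b(15, 4711, 10002, -74), _b(28, 4711, 10002, -76),
    _b(0, 4711, 10003, -74), _b(25, 4711, 10003, -45),                          # known ID, suddenly far louder
    _b(20, 9999, 55555, -45), _b(21, 9999, 55555, -40), _b(24, 9999, 55555, -42),  # new cell, odd LAC, gone after 4 days
]


def analyse(log, known=KNOWN_TOWERS, min_age=timedelta(days=14), rssi_margin=15):
    """Return {cell_key: sorted list of reasons} for every cell that trips a heuristic."""
    by_cell = defaultdict(list)
    for b in log:
        by_cell[b.key].append(b)
    log_span = max(b.seen for b in log) - min(b.seen for b in log)
    strongest_known = max(known.values())
    findings = {}
    for key, obs in by_cell.items():
        reasons = []
        mcc, mnc, lac, _ = key
        # 1. identity check against the database of previously surveyed towers
        if key not in known:
            reasons.append("unknown_cell")
        # 2. a LAC that no known tower of the same network uses in this area
        plmn_lacs = {k[2] for k in known if k[:2] == (mcc, mnc)}
        if plmn_lacs and lac not in plmn_lacs:
            reasons.append("lac_mismatch")
        # 3. short-lived: appeared and vanished, and the survey has enough history to say so
        span = max(o.seen for o in obs) - min(o.seen for o in obs)
        if log_span >= min_age and span < min_age:
            reasons.append("short_lived")
        # 4. signal anomaly: far louder than this cell's baseline (or, for an unknown cell,
        #    louder than any known tower ever was) suggests a transmitter very close by
        reference = known.get(key, strongest_known)
        if max(o.rssi_dbm for o in obs) > reference + rssi_margin:
            reasons.append("too_strong")
        if reasons:
            findings[key] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for cell, reasons in analyse(SAMPLE_LOG).items():
        print(cell, ", ".join(reasons))
```

Run stand-alone it prints two flagged cells: the unknown LAC 9999 cell trips all four checks, while the legitimate cell ID 10003 is flagged only for its sudden jump in received power. That second case is why a database lookup alone is not enough: a simulator can reuse a real cell's identity, and only the signal-strength and timing history give it away. As the post says, a tower on a fenced-off parcel that has been in the log since the first drive should produce no findings at all, which the other two cells demonstrate.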

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.

Tissue-Engineered Soft Robot Swims Like A Stingray

We’re about to enter a new age in robotics. Forget the servos, the microcontrollers, the H-bridges and the steppers. Start thinking in terms of optogenetically engineered myocytes, microfabricated gold endoskeletons, and hydrodynamically optimized elastomeric skins, because all of these have now come together in a tissue-engineered swimming robotic stingray that pushes the boundary between machine and life.

In a paper in Science, [Kevin Kit Parker] and his team at the fantastically named Wyss Institute for Biologically Inspired Engineering describe the achievement. It turns out that the batoid fishes like skates and rays have a pretty good handle on how to propel themselves in water with minimal musculoskeletal and neurological requirements, and so they’re great model organisms for a tissue engineered robot.

The body is a laminate of silicone rubber and a collection of 200,000 rat heart muscle cells. The cardiomyocytes provide the contractile force, and the pattern in which they are applied to the 1/2″ (1.25cm) body allows for the familiar undulating motion of a stingray’s wings. A gold endoskeleton with enough stiffness to act as a spring is used to counter the contraction of the muscle fibers and reset the system for another wave. Very clever stuff, but perhaps the coolest bit is that the muscle cells are genetically engineered to be photosensitive, making the robofish controllable with pulses of light. Check out the video below to see the robot swimming through an obstacle course.

This is obviously far from a finished product, but the possibilities are limitless with this level of engineering, especially with a system that draws energy from its environment like this one does. Just think about what could be accomplished if a microcontroller could be included in that gold skeleton.


Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off the shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table for the A5 ciphers that are used on a GSM network between the handset and tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.