Stealth Cell Tower Disguised as Printer (julianoliver.com)
518 points by guyzero on Nov 1, 2016 | 174 comments

I was walking around San Francisco the other day and suddenly noticed that my phone had switched from its usual AT&T provider to "China something" (maybe "ChinaNet"? I don't remember exactly what it was, and it was only there briefly). And then I got a text saying:

  Welcome to the test network.  Your IMSI is IMSI:  346234543252301
Not very stealth in this case. And I'm still not sure what it was. It went back to AT&T after I walked around some more.

This was likely someone running a test / dev network using OpenBTS, which is open-source software for GSM base stations. The exact phrasing of that message is the default registration message for the software: https://github.com/ttsou/openbts-p2.8/blob/master/apps/OpenB...

Why would it take over as my provider? Aren't there any safety measures to guard against that?

2G networks have basically one-way auth. The phone auths to the network but the network doesn't auth to the phone. This is an oversimplification but basically how it works.

Correct. Authentication of the network was added in UMTS/3G.

Nope, none at all. That's how law enforcement like it.

This is not entirely true. LTE is authenticated. If you force your device to not allow any base station using an older protocol (to prevent downgrade attacks), you should be fairly safe. The problem is that most phones will accept a base station that says "No, sorry, can't do LTE, how about this unauthenticated 2G AP instead?" If you are ok with your phone not having network in rural areas, setting it to LTE-only is a reasonable mitigation (assuming your device supports this).

Unfortunately, I don't believe iOS allows selecting the protocol. Android certainly can.

Just checked and iPhone does not seem to have LTE only option.

Are you saying that companies are required to enable this by default?

Some of the other comments are that a 2G tower tells a phone whether it's allowed on or not, but that the phone doesn't have any verification in the other direction. That's just the design of 2G cell networks. It's not an optional setting.

Other comments say that LTE networks authenticate in both directions, so you're safe if you can set your phone to LTE-only.

It's not taking over, rather your phone selects the strongest network subject to partner roaming agreements.

Does it follow that everyone wandering into that radius gets the same text?

Not really, GSM basically connects to the strongest signal with the right codes.

This is a good DefCon talk about how to spoof carrier networks:


Could conceivably have been a temporary test network, run by a Chinese mobile manufacturer. Typically they'd be doing on-location testing of their hardware. I used to do a lot of this kind of work with Chinese and Korean companies and we'd frequently pitch up in a city in the US, Europe or Asia with case loads of GSM test gear.

Also illegal. Call FCC.

I filed a complaint with the FCC regarding a suspected jamming device. I'm pretty sure they didn't even read it. They forwarded the complaint to my wireless carrier, who sent a reply saying that the complaint had nothing to do with them and that my original complaint had reported a jammer. The FCC closed the complaint and considers it satisfied.

This is the gold standard example of the FCC's behavior towards cellular spectrum. They have a very different mission when it comes to ham spectrum.

Cellular spectrum: Grandstand and extract cash from the carriers.

Ham spectrum: Antenna-laden vans canvassing neighborhoods for radio pirates.

It is despicable.

> Antenna-laden vans canvassing neighborhoods for radio pirates.

Got any photos, or links to accounts of these? I did a quick Google image search because you'd think someone would have caught one in the wild by now, but no.

Here is a video of the inside of one. https://www.youtube.com/watch?v=QIGAOLJh-XE

Wow. Well, thanks for that! That's pretty bizarre!

I don't! I only have stories from radio pirates.

In this case, the complaint is unauthorized radio operation.

Cool, this is the agency I want to have on the job of regulating the Internet so it is "neutral".

There's ways [1] to set up a rogue BTS / IMSI catcher that is seemingly legal [2] - by using US amateur radio bands (that are used as GSM bands in other parts of the world), not using encryption and spitting out your callsign once in a while.

[1] - https://www.youtube.com/watch?v=xKihq1fClQg

[2] - You should not take legal advice from strangers on the Internet.

Sometimes there are reserved parts of the spectrum for test networks you can get assigned for a limited time, the CCC had a GSM (and some 3G I think) network for many years.

Using the 33cm band is a nice trick.

And it's still only the second worst modification made to HP Printers.[0]


I don't know if it was HP, but my favorite malicious printer was one that scanned documents and then randomly changed numbers in them. This was the byproduct of an overly clever compression algorithm saving bytes by replacing parts of the image with other similar parts. God only knows how much important information was corrupted by that 'feature'.

You know, you could probably cripple a society over a few years with that bug (if the probability were tweaked right).

Excel is pervasive. If you consider every single spreadsheet used for financial analysis and then used to allocate resources has material bugs in it, you'll be so close to the truth as makes no difference.

Has it crippled society?

Hmmmm... I remember an Excel macro virus that would multiply numbers (and adjust the format to hide it) in data cells by a small random number, between 0.99 and 1.01, slowly over time. By the time you realized what was going on, your data was completely gone. Can't remember the name though.

I think material but well known bugs are probably less dangerous because they're deterministic.

The true insidiousness of a random mutagen exploit is the fact that you can't pin it down. Hell, you could even specifically code it to be resistant to reproduction attempts. ;)

no no no. Not the many formula implementation bugs. I mean every survey of financial models done in excel has material error in their conclusions. Regardless of known bugs in excel that microsoft won't fix. I mean that merger you just read about where the financial model was done with excel - it has material bugs in it. Material by the GAAP accounting & attest definition. > +/-5% of profit. +/- 10% of total assets. It's quite something...

I'm not sure if it's still possible or not but at one time you could "bounce" port scans and such off of networked HP printers (due to an "IP ID" bug in their IP stack, IIRC).

I did this to a very security-conscious co-worker who freaked out when he noticed his workstation being "attacked" by a printer in a computer lab.

There's always the old News Radio reference you can use with any office copier / mopier or printer.


That was morbid.

I always wondered why these things weren't used in prisons. Maybe they are? Here in the UK there is a massive problem with smuggled phones in prisons, and since by definition their use is illegal in that environment then surely it's OK for law enforcement to jam or even intercept everything? Add to the mix the thick walls and total control of infrastructure and I see no good reason why every illegal phone can't be forced onto a fake network. Legal phones used by staff could be whitelisted.

I don't think jamming would really be reasonable in a building. If the walls can contain the jamming signal to their building then the walls will keep out the original signal anyways. I think just RF blocking paint would be a more reasonable solution but this would also interfere with any radios in use by the guards and wouldn't do anything for any prisoners that are outside during the day.

Having the cooperation of the cell service providers would be good, you could just have a small pico cell that tries to blackhole any phones in the building but if a prisoner can smuggle in a cell phone then they can probably smuggle in any other handheld radio as well.

> RF blocking paint

Isn't really a thing. These paints realistically manage 30 dB attenuation at around 1 GHz, which sounds great as a percentage ("99.x% reduction!"), but isn't sufficient to actually deny cellular service. [Paint also normally doesn't cover things like windows etc. which pretty much nullifies them anyway]

You can in fact dump a phone into a fridge or freezer, which (at least here) have steel sheets all over them. Phones still get cellular service.

What you would need is screen plating and windows with RF screening meshes (and of course special window frames and so on). This is a) extremely expensive b) can manage >60 dB attenuation.

"You can in fact dump a phone into a fridge or freezer, which (at least here) have steel sheets all over them. Phones still get cellular service."

Not necessarily true. I used a fridge as a quick alternative to Faraday cage for device testing and it worked fine. It was an old, heavy fridge though, newer ones may contain more plastics and fail to shield properly.

Is there anything like a chop gun for conductive fibers? I know it wouldn't make some perfect faraday shield but a conductive epoxy like material and some ultra fine metal fibers sound like that should be decent at blocking RF and I think it would be reasonable enough to make a special chop gun for it. It would make application a ton cheaper, a lot faster, and it should still be reasonably effective.

With a fridge is the signal perhaps coming in through the door seals? This would make the cage incomplete.

Also, any cable that penetrates the "shielding" can make a great antenna unless it's specifically designed not to.

> I always wondered why these things weren't used in prisons.

> Add to the mix the thick walls

Because thick walls do not intercept enough of the radio signal. This only works in really remote locations - but e.g. here in Munich there are a number of jails in the city area. If someone employed a jammer there, the neighbours would protest and/or sue.

You're probably right about urban prisons. I always think of them as remote but there are plenty in places with very high signal strengths, which would create problems. Low-power pico-cells inside the prison walls could presumably be configured to not cause problems outside. But yes, RF planning is a nightmare and there would doubtless be problems.

The law in the UK was changed a few years ago to permit this but it wasn't installed because of the cost.

A quick search turned up [1] which reckons £300 million for installation and £800,000 per annum to maintain. Which seems a bit pricey.

That said, there was a plan to trial it this year, but I can't remember if that was pre- or post-brexit.

[1]: http://www.bbc.co.uk/news/uk-england-tyne-35411297

They were used in Canadian prisons. And it's set off a backlash about broad capture of everyone's communications (including prisoners and employees).



> And it's set off a backlash about broad capture of everyone's communications

Oh sweet summer Canadian children.

It's very hard to make sure that the signal extends exactly to the perimeter of the prison. If your jamming signal is weaker, some corners of the prison will have reception. If it's stronger, you are illegally blocking the signal outside your prison.

Add to that that signal strength changes with weather, and you have two solutions: either lots of expensive equipment or lots of buffer land owned by the prison. Both are expensive.

Good idea, a pico cell could forward on the calls and SMS from devices with a whitelisted IMSI. Everyone else could just get theirs logged and rejected.

Just log everything from non-whitelisted devices, but let it through and use the intelligence for law enforcement.

Do phones not do any kind of cryptographic verification that the cell tower is real and that mobile data is sent securely between the phone and the tower?

In 2016?

For 3G/4G networks there is strong mutual authentication between the device and the network, for 2G(GSM) networks only the device is authenticated so these interception devices work by jamming the 3G/4G bands forcing the device onto the (fake) 2G network.
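The two points made above (2G authenticates only the phone, while 3G/4G authenticate both sides, and the catcher works by jamming the newer bands so the phone drops to 2G) are easier to see in a protocol model. The following is an added example and not code from the linked project: HMAC-SHA256 stands in for the real A3/A8 and f1-f5 functions, the cell list, signal levels and subscriber key are constructed, and the selection rule (prefer LTE, then strongest signal, try the next cell when authentication fails) is a simplification of what real handsets do.

```python
"""
Toy model of a phone attaching to legitimate and rogue cells.
Constructed example: HMAC-SHA256 replaces the real SIM algorithms, and
all cells, RSSI values and the key KI are invented for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cell:
    name: str
    rat: str               # "GSM" (2G, one-way auth) or "LTE" (mutual auth)
    rssi: int              # received signal strength in dBm, higher is stronger
    key: Optional[bytes]   # subscriber key known to the operator; None for a rogue cell


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 truncated to 8 bytes, standing in for the SIM's f1/A3 functions."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class Network:
    """The base-station side of the exchange, legitimate or rogue."""

    def __init__(self, cell: Cell) -> None:
        self.cell = cell

    def challenge(self) -> Tuple[bytes, Optional[bytes]]:
        rand = os.urandom(16)
        if self.cell.rat == "LTE":
            # LTE/UMTS: AUTN carries a MAC over RAND under the subscriber key.
            # A rogue cell does not hold the key, so it can only send noise.
            autn = mac(self.cell.key, b"AUTN", rand) if self.cell.key else os.urandom(8)
            return rand, autn
        return rand, None  # GSM: RAND only, the network proves nothing

    def verify(self, rand: bytes, sres: bytes) -> bool:
        if self.cell.key is None:
            return True  # a rogue cell accepts any answer; it wants the IMSI, not the key
        return hmac.compare_digest(sres, mac(self.cell.key, b"SRES", rand))


class Phone:
    def __init__(self, ki: bytes, lte_only: bool = False) -> None:
        self.ki = ki
        self.lte_only = lte_only  # the "LTE only" setting discussed in the thread

    def attach(self, cell: Cell) -> bool:
        net = Network(cell)
        rand, autn = net.challenge()
        if cell.rat == "LTE" and not hmac.compare_digest(autn, mac(self.ki, b"AUTN", rand)):
            return False  # the phone rejects a network that cannot prove it holds KI
        # On GSM there is nothing to check at this point, so the phone just answers.
        return net.verify(rand, mac(self.ki, b"SRES", rand))

    def select(self, visible: List[Cell]) -> str:
        # Simplification: prefer LTE over GSM, then the strongest signal
        # (real handsets use operator priorities and reselection parameters).
        cands = [c for c in visible if c.rat == "LTE" or not self.lte_only]
        for cell in sorted(cands, key=lambda c: (c.rat == "LTE", c.rssi), reverse=True):
            if self.attach(cell):
                return f"attached to {cell.name}"
        return "no service"


KI = b"constructed-subscriber-key"  # constructed value shared by SIM and operator


def scenario(lte_only: bool, jammed: bool) -> str:
    carrier_lte = Cell("carrier LTE", "LTE", -80, KI)
    carrier_gsm = Cell("carrier GSM", "GSM", -85, KI)
    rogue_lte = Cell("rogue LTE", "LTE", -55, None)   # impersonation attempt, no key
    rogue_gsm = Cell("rogue GSM", "GSM", -50, None)   # the catcher's loud 2G cell
    visible = [carrier_gsm, rogue_lte, rogue_gsm]
    if not jammed:
        visible.append(carrier_lte)  # jamming the LTE band removes this from view
    return Phone(KI, lte_only).select(visible)


if __name__ == "__main__":
    for lte_only in (False, True):
        for jammed in (False, True):
            print(f"lte_only={lte_only!s:5} jammed={jammed!s:5} -> {scenario(lte_only, jammed)}")
```

The rogue LTE cell is rejected in every run because it cannot produce a valid AUTN, which is the mutual authentication the thread refers to. With the default policy and the LTE band jammed, the phone falls through to the rogue GSM cell and attaches, since GSM never asks the network to prove anything; with `lte_only=True` the same jamming yields "no service" instead, which is exactly the trade-off described above.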

And in the world of TLS, this is called a downgrade attack and treated as a serious problem...

Indeed! Very good advice that I read on this topic was this:

As a rule of thumb, any security protocol that contains lots of "MAY" parts (options) in its specification is suspicious. Even more so if the security layer itself is optional. Ideally, a security protocol contains no "MAY" parts, not even "SHOULD" parts, but only "MUST" parts.

(Not sure where I read this, or who wrote that. So I'm paraphrasing it here. Maybe it's common sense without a single attributable source.)

there's a feature in cell modems that can indicate radio link encryption/auth..put on tinfoil hat...and it's disabled in pretty much all phone firmware



What's the point of such a feature anyway? I don't want my phone to even connect to such tower, just tell me there is no service available.

Not even to connect in an emergency? Maybe "no service, click to attempt unsecure connection" would be better.

If you're willing to give up service when connecting to an untrusted source, then just use an always-on VPN and VOIP for voice + some tcp based messenger for SMS.

Which makes me wonder how Stingray/Hailstorm works. Does Harris Corp have a universal key for LTE?

Best I can tell, Stingray is a passive device.

It just uses a directional antenna to listen for the "keepalive" exchange between cell tower and device, focusing on a specific IMSI.

Also, even if your device is currently using LTE or similar, the GSM (or whatever 2G radio it has) will still be on and talking to the relevant network (unless you specifically tell the device otherwise, and the OEM allowed you to). This to provide a smoother handover should the LTE signal drop too low.

Hailstorm on the other hand is basically a jammer tuned to 3G and 4G frequencies, thus forcing any devices in range to drop down to 2G. For the general public a jammer would be a big no-no, but law enforcement is a different matter.

IMSI catchers (like Stingray) are not fully passive devices. They have an operation mode where they broadcast a signal that appears to come from a legitimate cell phone tower. This captures traffic from all devices within range, targeted or not. This is why they are often called "cell site simulators" because that accurately describes how they are often used. For more information, check out this EFF page.


...but how? Comments above imply that 3G and 4G are protected with strong encryption/authentication. How is a Stingray capturing metadata from calls and SMS?

I was under the impression that Hailstorms either have valid cell tower certificates (dunno if wireless carriers are complicit) or they exploit the vast quantity of modem firmware bugs.


I thought Stingray was active because you can detect it if you have the right firmware.


Also, I thought Hailstorm was LTE only (and doesn't degrade to 2g).


Could have sworn that even though a more recent network is the preferred one at that time, the older ones are still connected and listening to provide a smoother handover experience.

Depending on the device you may be able to tell it to use newer network only though (my somewhat aging Android device can opt for UMTS only for example).

Indeed. But I haven't come across any phones that let you specifically disable 2G(GSM). Most let you disable 4G or 3G, or let you prioritise one over the other, but disabling 2G altogether seems to be missing.

On Android dial *#*#4636#*#* in the phone app and you can change what types of cell networks can be connected to. Apparently doesn't work on all phones, but definitely works on my stock Nexus 5X on Android 7.

My Blackberry Priv lets me select any combination of LTE, 3G, and 2G. I currently have it set to use LTE and 3G only. That's the only phone I've seen with that feature, though.

The cell tower is trusted, and the preferred cell tower is the one with the strongest signals. That's literally the entire selection strategy.

Cell towers also choose the encryption that the cell phone should use. I don't think any currently available phone notifies you when no (A5/0) or weak (A5/1) encryption is used.

And then there is the whole "notification fatigue" issue, where people will dismiss or ok notifications because they get so many in a day.

For UMTS and LTE, yes.

GSM is the problem here. Jam the others, and the phone falls back to 2g.

2g needs to die.

It is. It's being shut down. I believe all/most carriers are doing so, which is problematic for lots of cheap IoT solutions.


Elsewhere in the world UMTS is being retired while GSM is being retained because of all the devices (switches, sensors, etc) that use it.

This probably has to do with the historic split between 2G/3G technologies among the major cellular carriers in the US. In the US if you want or need true nationwide coverage (say you are selling a retail IoT device and your customers expect it to work nearly anywhere) you pretty much have to go with AT&T or Verizon, and switching a 2G or 3G device between them is impossible. This gives those companies a lot of power to dictate to customers what technologies they can use with their networks.

Since LTE is the lowest common denominator technology between all carriers (and LTE is the only cellular technology with hardware that supports all cellular frequency bands in the US) the cellular market in the US is being pushed very strongly in an all-LTE direction. With the inclusion of Cat-M1 and Cat-NB1 modes in LTE release 13[0], LTE will soon be usable even for low-power IoT devices. AT&T and Verizon are already racing to support those standards on their networks.[1]

[0] https://www.qualcomm.com/invention/technologies/lte/lte-iot

[1] http://www.fiercewireless.com/tech/verizon-at-t-both-claim-l...

The mess that is US mobile protocols and frequencies is what makes me cringe when the rest of the world these days looks to USA for the "latest" in mobile.

Damn it, Nokia had a Symbian phone you could use as a basic desktop for emails and surfing back when iPhone and Android barely did video out (and had to kill the phone screen to do so at least on Android). The mobile world basically came to a standstill, if not went backwards almost a decade, because everyone turned to the odd duck out to lead them into the future...

Kinda weird too considering you can run GSM in the HSPA guard bands without a large degradation of HSPA performance.

Typically HSPA is 5 MHz + 5 MHz FDMA, but the carrier is only 3.6 MHz + 3.6 MHz and can be slimmed to 4.2 MHz x 4.2 MHz on Ericsson equipment. NSN equipment can go as low as 3.8 x 3.8.

In a slim HSPA situation you can run multiple 0.2 x 0.2 MHz GSM channels.

LTE I've seen deployed all over in 5 MHz x 5 MHz, but I've never seen the 3 MHz x 3 MHz or 1.4 MHz x 1.4 MHz configurations in the wild (they would overload easily).

Best I can tell, it is for cost reasons.

Non-phone GSM devices are widely operated because of low cost and low data speed needs (most of them just ping a SMS in some direction or other).

UMTS deployments are more likely to be for bandwidth needs, and thus more likely to have moved to LTE setups already.

Sprint has 3x3 deployed on band 26 in some boundary areas of the IBEZ. There have been some sites spotted in Columbus, Ohio along the IBEZ boundary that are 3x3 instead of the 5x5 Sprint has deployed everywhere else that's not within 100 km of Canada or Mexico.

That doesn't solve anything as long as your phone supports 2G and falls back to it when 3G/4G are unavailable (i.e. when being deliberately jammed).

Actually only AT&T is scheduled for a 2G sunset right now. Also I think one of the Northern European countries is choosing to maintain the GSM network and then retire UMTS. They're going to have GSM for IoT and LTE for mobile communications. It's kind of insane. Wish I could find a source...

Less insane when you consider the DDoS attacks from GSM-connected IoT devices should be less bad than UMTS/LTE-connected ones :) .

2020, where the baseline packet wind of billions of compromised GSM IoT devices is an expected and handled feature of the internet.

And a root nameserver DDOS is just like a coronal mass ejection?

"I was born before there were network storms, son. You could load Wikipedia whenever you wanted. Truly, it was the best of times."

I don't think many GSM carriers allow internet originated, mobile terminated traffic, even for IoT. Mass compromise of IoT is going to be way less trivial for GSM capable devices than things on standard wifi.

What I'm trying to say is that while your quip is entertaining:

a) it's impractical to scan/compromise IoT devices remotely without a stupid design (by IoT standards stupid, btw- not regular internet design- we're talking REALLY REALLY STUPID).

b) I would bet my mortgage that the logic you are presenting was never considered by the relevant carriers. They're not that smart.

Not quite true. Verizon is planning to sunset 2G in 2019 [1], and is making efforts to get customers off 2G before that (similar to what AT&T has been doing). They are also rumored to be planning to shutter 3G in 2021. This leaves only T-Mobile and Sprint in the US market providing longer-term 2G support, and their coverage is not great if you need to deploy devices outside major metro areas.

[1] https://www.wirelessweek.com/news/2016/07/verizon-targeting-...

Verizon and Sprint CDMA is technically a 3G technology, not 2G.

> They're going to have GSM for IoT and LTE for mobile communications. It's kind of insane.

I don't think this is that insane. I doubt there are many devices that only support UMTS, but there are tons that only support GSM, including many in embedded systems that can't easily be upgraded. So by using most of your spectrum for LTE, you get spectrum efficiency, and supporting GSM you can support everything that doesn't do LTE (just not at high speeds).

I think it is KPN in The Netherlands.

Don't lots of phones still send SMS & voice calls over GSM/CDMA? I know VoLTE is appearing, but slowly & only on a couple flagship devices, and quality degrades faster with loss of signal...

Haven't actually seen the signal degradation issues you speak of, probably offset by being able to use a lower band than GSM or HSPA for my carrier.

Carriers have made it a policy to not whitelist imported devices for VoLTE. The IMEI needs to be whitelisted at the carrier AND the carrier file installed in the phone needs to have support turned on. Either thing missing, no VoLTE for you.

EDIT: Forgot to mention, non-VoLTE still signals with LTE for incoming calls and SMS; it'll hand over to HSPA/CDMA/GSM within about 2 seconds of the signal coming in. Unfortunately I don't have specifics of this process.

Actually I think most SMS is handled via "WAP" these days, meaning that it is carried as a short-duration data connection rather than as a special packet in the cell's control channel (GSM, dunno about how CDMA implemented it).

The GPRS setting is blocked on feature phones. Still opts for CSD sending there. Newer devices send over 'IMS' (which is VoLTE, and also part of HSPA+).

It was a funny loophole to get unlimited SMS on T-Mobile back when they just changed name from Voicestream.

I guess it depends on where in the world one lives.

I'm not American, and thus my phone is free of carrier tampering.

I even learned about the SMS over GPRS (thanks) thing because a relative of mine once owned a phone where we had to turn it off to actually get reliable SMS delivery, as it defaulted to GPRS mode.

There was a very informative (terrifying?) talk at Defcon 2012 where it was demonstrated how easily you can pretend to be a GSM base station. Not sure if any of the vulnerabilities have been addressed yet, four years later.

You can watch the talk here: https://www.youtube.com/watch?v=xKihq1fClQg

You're using GSM here which is from 1991. It may be 2016, but your phone still primarily uses or falls-back to 1991 era protocols. Protocols which are the de facto global standard for cellular communication.

And sadly had cryptographic modes that were intentionally weak because the cold war...

In fact the argument was that because of the cold war encryption should be strong. But later it was intentionally tailored to allow wiretapping.

It's a collective action problem. How do you incentivize an upgrade while allowing for seamless fallback? For billions of devices made by thousands of manufacturers? Which access hundreds of different carrier networks around the world?

I think you need some industry leader to push for this. Apple could do it, or possibly Google although they have a hard time exerting influence over Android device manufacturers.

Apple and Google aren't going to do anything. If you want someone to change it talk to Ericsson, Nokia and Qualcomm.

Well, here's the deal. They can't do anything as it would be a potential quality of service issue to the end user if GSM were disabled currently. Can't blame the vendors either, they built the hardware years ago that operators continue to operate. It's like wanting to blame Ford and Chevy because you bought a car from the 1950's and it doesn't have airbags.

T-Mobile and AT&T are the national carriers supporting GSM through most of their footprint, AT&T is phasing out their network at the end of the year. T-Mobile moved to A5/3 to try to slow down eavesdropping a bit. There are more rural carriers who aren't in a rush to upgrade and probably still use the older ciphers.

Currently, I am on T-Mobile. There are a few areas that never saw HSPA deployed, and VoLTE is not supported on all devices and also suffers separate outages. GSM is needed in those situations as fallback.

Operators would prefer to not have customers complain about outages due to accidentally having GSM turned off. So many phones don't have the option to disable.... though I'd argue now with low band LTE, the footprint is becoming larger than GSM.

I would expect Apple to whitelist 'disable 2G' option sometime in the future for AT&T sims. If not just disabling it outright (unless gov pressure gets in the way)

EDIT: as noted below, some manufacturers/OS you can set 3G only. Android is pokey about it on some devices. With Blackberry 10, I have the option to change network generations on T-Mobile, but not if I put an AT&T sim in.

Interesting, you could set Android phones to 3G only since I can remember (2010).

I just checked my phone and I can indeed do that ("3G only"), though if I wanted 4G, the only option is to enable "4G/3G/2G".

You may be able to disable it through the data settings menu. On sprint it's


For my phone it is

then Service Settings in the menu.

Indeed, there are more options there, cool!

You have to remember that GSM, which provides fall back for most providers, was framed as a standard in Europe in the 90s. So when you wonder "why is this so insecure?", the answer is not naivete on the designers' parts.

Great project IMO.

But the conceit that cell towers are 'badly disguised' is incorrect; the goal is not to successfully hide, but simply to meet the much lower bar of obscuring a non-conforming shape in the environment, so that it doesn't trigger human perceptual interest.

You don't put duplicitous palm fronds on a tower to hide it; you put them there so that someone scanning the cityscape from a mile away is not distracted by the utilitarian tower.

> Masquerading as a regular cellular service provider, Stealth Cell Tower surreptitiously catches phones and sends them SMSs written to appear they are from someone that knows the recipient. It does this without needing to know any phone numbers.

Pretty witty, but how does this work? Does it wait for the user to send a message and snoop?

No. The devices automatically connect to the base station with the strongest available signal.

That doesn't explain how the SMS message comes from someone the user knows. I would assume (and I think this is what GP was getting at) that the fake tower snoops on outgoing messages in order to collect numbers that the user has in their address book, and then spoofs a message from that number?

> SMSs written to appear they are from someone that knows the recipient

I don't think this means they are sent from numbers known to the recipient. Only that the content is written such that it appears to be from someone who knows the recipient.

I don't know if actual spoofing is possible.

Yeah, if you look at the codebase it just selects a random string from an array of prewritten messages and sends that.

I believe the question was "how do they form text messages from believable senders", not "how do they hijack the phone signal".

Monthly (daily?) reminder that you should use an app that encrypts your messages.

There are also apps that can tell you when you are connected to a new unknown tower.

Can you post some names and links? I'd like to check them out.

There aren't any that don't require rooted phones or specific hardware. So not at all practical.

Any for iOS?

No, iOS has no way to expose the cellid information to the apps on phone. Well at least for non-jailbroken.

Best you can do is


and memorize your regular cell information for areas you frequent.

(NFC how to get asterisks to show on here, help is useless put them in where the backslashes are)
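The "apps that can tell you when you are connected to a new unknown tower" mentioned above, and the advice here to memorize your regular cell information, both come down to a baseline-and-compare check. The following is an added example, not an app or code from the original page: it builds a baseline of cells seen in places you frequent and then reports how an observation differs from it (unfamiliar PLMN, cell not in the baseline, GSM with A5/0 or A5/1, a drop from LTE to GSM). Every observation is constructed; on a real device the fields would come from the telephony API, which is assumed rather than shown, and the cipher field in particular is one most phones do not expose, as the thread notes.

```python
"""
Baseline-and-compare check for unfamiliar cells. Constructed example: the
Observation records below are invented, and a real implementation would
fill them from the phone's telephony API (assumed, not shown).
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

WEAK_GSM_CIPHERS = {"A5/0", "A5/1"}     # no encryption / broken 1990s stream cipher
CellKey = Tuple[int, int, int, int]     # (mcc, mnc, lac, cid)


@dataclass(frozen=True)
class Observation:
    mcc: int      # mobile country code
    mnc: int      # mobile network code
    lac: int      # location / tracking area code
    cid: int      # cell identity
    rat: str      # "GSM" or "LTE"
    cipher: str   # cipher reported by the modem (often unavailable in practice)
    rssi: int     # dBm

    @property
    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.lac, self.cid)


class CellWatch:
    def __init__(self, home_plmns: Set[Tuple[int, int]], min_sightings: int = 3) -> None:
        self.home_plmns = home_plmns          # (mcc, mnc) pairs you expect to roam on
        self.min_sightings = min_sightings    # sightings before a cell counts as "known"
        self.sightings: Counter = Counter()
        self.last_rat: Optional[str] = None

    def learn(self, obs: Observation) -> None:
        """Record a cell seen while building the baseline in places you frequent."""
        self.sightings[obs.key] += 1

    def check(self, obs: Observation) -> List[str]:
        """Return the ways an observation differs from the baseline (empty if none)."""
        findings: List[str] = []
        if (obs.mcc, obs.mnc) not in self.home_plmns:
            findings.append(f"PLMN {obs.mcc}-{obs.mnc:02d} is not a home/partner network")
        if self.sightings[obs.key] < self.min_sightings:
            findings.append(f"cell {obs.key} not in baseline")
        if obs.rat == "GSM" and obs.cipher in WEAK_GSM_CIPHERS:
            findings.append(f"GSM session using {obs.cipher}")
        if self.last_rat == "LTE" and obs.rat == "GSM":
            findings.append("fell back from LTE to GSM")
        self.last_rat = obs.rat
        return findings


def run_demo() -> List[List[str]]:
    """Constructed baseline (a US carrier LTE cell seen repeatedly) and three later observations."""
    watch = CellWatch(home_plmns={(310, 410)})          # constructed home PLMN
    usual = Observation(310, 410, 12345, 67890, "LTE", "EEA2", -85)
    for _ in range(5):
        watch.learn(usual)                               # the cell you see every day

    later = [
        usual,                                            # same cell again: nothing to report
        Observation(460, 0, 1, 1, "GSM", "A5/0", -45),   # loud foreign 2G cell with no encryption
        Observation(310, 410, 12345, 67891, "LTE", "EEA2", -90),  # new neighbour cell of the carrier
    ]
    return [watch.check(obs) for obs in later]


if __name__ == "__main__":
    for findings in run_demo():
        print(findings or "baseline")
```

The second observation mirrors the "China something" story at the top of the thread and trips every check at once; the third is a brand-new but otherwise ordinary carrier cell and trips only the baseline check. That difference is the point of returning a list rather than a yes/no: a single unfamiliar cell ID is weak evidence on its own (carriers add cells all the time), so an app built on this idea would alert on the combination, not on the first finding.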

(indent two spaces to disable formatting)

That didn't work on my iphone on att. :(

It'll work, I just have no idea how to escape special characters here, see my parent.

Works on my phone. Reminds me of phreaking. What other secret codes are there like this? How did you come to learn about this one?

It's called USSD, there's a short list on Wikipedia. A lot of them are carrier dependent, and some carrier models of certain handsets will block some codes.


Not the OP, but I remember these codes from my first phone, a Nokia 5110.

In addition to the already mentioned code of *3001#12345# there is also *#06# which will show your IMEI.

There were plenty of others (including spelling out 'WARRANTY' to get the manufacture date of the phone) but I forgot most of them.

Interestingly, on the iPhone, dialling anything of the format *# ...anything... # will cause the screen to go grey as if a separate app, then after a short delay tell you that your code was invalid.

oh this is sweet!

For anyone who is confused:

Star #3001#12345# Start

I love how it opens up a separate app. Good stuff

That first # is extraneous. It's


Sorry, none of us could figure out how to escape the asterisks, how'd you do it? Feel like I'm trying to triforce here.

GP used indenting (which wraps text in (the equivalent of a) <pre>-tag -- intended for code listings and such:

  I'm an asterix * and I'm ok
  [ed: ***proof-no-space*required**]
However, a single asterisk * with spaces on both sides is also "escaped": I * blink * all day and sleep all night?

So: " * #999# * " should work.


Yeah, formatting on HN is a bit of a dark art. This explains it: https://news.ycombinator.com/formatdoc

This one works, thanks.

Doesn't seem to work on Verizon.

Worked on my version of Verizon. Wow is that ever cool.

The extra '#' made it not work, I think. Yeah, neat!

This is good advice, but I'd like to point out that you could avoid the surveillance revealed in this project by simply using anything other than default SMS.

Would be interesting to deploy an app that can send encrypted/signed SMS. It would likely spike your messaging bill though, as fitting all that in 140 would be hard, resulting in multiple SMSs going out per message sent.

It was done before. See Signal's predecessor, Textsecure (before they added Signal protocol, pre-2.7.0).

If I recall it limited encrypted messages to 60 characters before splitting. It was also annoying in that you needed to initiate an OTR handshake to start messaging.
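To put numbers on the segmentation cost raised in the two comments above (encrypted text no longer fitting one SMS, and a fixed per-message limit before splitting), here is an added example; it is not code from the thread, from TextSecure or from Signal. It uses a deliberately simple encrypt-then-MAC construction built only from the standard library (a SHA-256 counter keystream plus a truncated HMAC-SHA256 tag) so it runs offline; a real app would use an AEAD such as AES-GCM, whose overhead has the same shape: a nonce and a tag on every message, then base64 so the bytes survive the 7-bit SMS alphabet. The nonce and tag lengths are my assumptions; 160 characters for a single GSM 7-bit SMS and 153 per part once a concatenation header is present are the standard figures, and the sample messages are constructed.

```python
"""Added example: how much of an SMS budget an encrypted message uses.
Not TextSecure/Signal code. The cipher is a minimal encrypt-then-MAC
construction using only the standard library; the overhead shape
(nonce + ciphertext + tag, then base64) is the point, not the cipher."""
import base64
import hashlib
import hmac
import os
import struct

NONCE_LEN = 8            # assumed: per-message nonce carried in the clear
TAG_LEN = 16             # assumed: HMAC-SHA256 tag truncated to 128 bits
GSM7_SINGLE = 160        # 7-bit characters in one non-concatenated SMS
GSM7_CONCAT_PART = 153   # per part once a 6-byte concatenation UDH is present


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; fine for illustration, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    if not nonce:
        nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def rejects_tampering(key: bytes, blob: bytes) -> bool:
    """True if flipping one bit of the tag makes decrypt() refuse the message."""
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        decrypt(key, tampered)
    except ValueError:
        return True
    return False


def sms_parts(n_chars: int) -> int:
    """Segments needed for n_chars of GSM 7-bit text (base64 output is GSM-7 safe)."""
    if n_chars <= GSM7_SINGLE:
        return 1
    return -(-n_chars // GSM7_CONCAT_PART)   # ceiling division


def sms_cost(key: bytes, plaintext: bytes) -> dict:
    """Segments for the plaintext (assumed plain ASCII) vs. its encrypted, base64 form."""
    wire = base64.b64encode(encrypt(key, plaintext)).decode("ascii")
    return {"wire_chars": len(wire),
            "plain_parts": sms_parts(len(plaintext)),
            "encrypted_parts": sms_parts(len(wire))}


def max_single_part_plaintext() -> int:
    """Longest plaintext whose encrypted, base64-encoded form still fits one SMS."""
    n = 0
    while sms_parts(4 * -(-(NONCE_LEN + n + TAG_LEN) // 3)) == 1:
        n += 1
    return n - 1


if __name__ == "__main__":
    demo_key = b"\x01" * 32                      # constructed shared key
    for text in (b"a" * 60, b"x" * 100, b"x" * 160):
        print(len(text), sms_cost(demo_key, text))
    print("single-segment limit:", max_single_part_plaintext())
```

With these parameters a 100-character message that fits one plain SMS needs two encrypted segments, and anything over 96 characters splits; an app that wanted to keep the bill predictable would therefore cap message length well below 160, which is the kind of limit the comment above recalls.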

That handshake, or the initial exchange of public keys, is the one thing that seems to stymie general adoption of encryption for personal communication.

Current Signal fortunately doesn't make this apparent to the end user, it's install and go message whomever advertises support.

I'm ditching Pidgin-OTR today actually because of the OTR usability issues needing to handshake on every laptop restart. Will be going over to bitlbee terminating OTR on a server and then accessing my ZNC supporting push through TLS. Much less jarring.

OMEMO would be better than OTR for this, but not much supports it yet.

If only there was some robust, open, mature protocol supported by every device on the planet that supported encrypted sessions using an open, mature form of encryption.

Use Tor. Use Signal.

That won't protect your location and identity from constantly being leaked.

Don't use a phone then. Identifying information is being collected and stored by the carrier for at least a month, which can then be handed to regular law enforcement upon subpoena. Federal level likely doesn't even need due process.

Moxie himself spoke about this in the past.

I'm not talking about carriers identifying you, I'm talking about people intercepting your IMEI and phone number and being able to uniquely identify you wherever you go. People have been drone strike'd based on the location of their phones.

Carriers being awful is a separate problem. My annoyance rests with the 2G protocol being awful.

At least in the past anyone with SS7 access could already do that based on either of those identifiers.

Phones, especially smartphones, are pocket spies. If you need privacy, don't take them with you!*

There is no such thing as a privacy smartphone.

* Honestly if you want a private conversation don't have any kind of phone or laptop in the same room.

I get that, and carriers are definitely stupid. But preventing people from gaining SS7 access is much easier than fixing a broken protocol in use by many devices. Blocking SS7 access is something carriers can do. Fixing 2G is just not possible, and anyone can break it, right at this very moment, with a tiny bit of hardware.

> People have been drone strike'd based on the location of their phones.

Do you have any credible source for this claim? If true, it's truly alarming!

Thanks. From the Vice Report...

> Rather than confirming a target’s identity with operatives or informants on the ground, the CIA or the U.S. military then orders a strike based on the activity and location of the mobile phone a person is believed to be using.

You are right. This is very disturbing. I guess they do this a lot in the Northern Pakistan / Waziristan area in the tribal lands and mountains? What if the terrorists read stories like this, and gave their cell phones to mules who then get killed?

My father's family (he grew up in India in Bombay) got split in half during the Partition of India and Pakistan when the Brits left India. No wonder there is so much rage and anti-American sentiment in Pakistan (my Pakistani relatives complain all the time on Skype).

Would you count WhatsApp amongst that list of apps?

I believe that WhatsApp would protect against this attack in particular, so it's at least an upgrade over the status quo.

But you really want something like Signal.

Before they were bought by Facebook, maybe.

So do cell phones automatically connect to the strongest 2G cell tower? Aren't they filtering for cell towers that only belong to their respective carrier?

The SIM includes a list of preferred and forbidden networks, but I'd guess if a non-preferred, non-forbidden network is significantly stronger than a preferred network, the phone would ask if it could connect.

Also, the fake tower could just claim to be networks that are commonly preferred.

The unlocked phones I've used can be put into auto mode (strongest signal, I guess?) or preference mode. Carrier locked phones do not switch to other providers unless there's no service. Then it'll switch over to another carrier but only allow emergency calls (911 in NA). I'm not sure what type of handshakes/communications happen in the background.

But even carrier unlocked phones connect to other carriers, hence what they call "roaming charges".

2G is an open standard, and I'd imagine it's not hard to find a lecture deck about how 2G handshake and session establishment work. But to briefly guide your inquiry, I recommend looking up CRO and C1/C2 criteria.

In the same vein as Reddit's ELI5 (Explain Like I'm 5) For Us Laymen (FUL) on this topic, why can't Apple/Google currently default to a full dropdown to 2G and give the option for by-choice users to never allow dropdown to 2G (or 3G/4G) at the OS level?

Is there a legal mandate (911 Surface Area increase), a hardware impasse (phones physically can't) or is it a company decision to not allow (for whatever reason)?

I've had Sony Ericsson Android phones where you can completely disable 2G/GSM, so it seems to purely be a UI decision.

Perhaps a temporary fix might be to have an on-board verifiable hash map of cell tower addresses by location. Either that, or a way to block 2G on the device.
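Putting the selection logic sketched in this subthread into code (preferred and forbidden network lists on the SIM, a rogue cell announcing a commonly preferred network, a device-level setting that refuses 2G, and the on-board list of known cell identities suggested just above): an added example, not code from the post or from any baseband. The selection rule is a deliberate simplification (real handsets apply the C1/C2 criteria mentioned earlier, hysteresis, and the radio-technology preferences stored alongside the PLMN list); the PLMN codes, cell identities, location labels and signal levels are constructed sample values.

```python
"""Added example: a toy model of handset network selection plus two
device-side defences (refusing 2G, checking cell identities against a
list of cells seen before). Not from the post or any real baseband;
the C1/C2 criteria and hysteresis used by real phones are left out."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Cell:
    plmn: str       # MCC+MNC as broadcast, e.g. "310410" (constructed values below)
    rat: str        # "2G", "3G" or "4G"
    rssi_dbm: int   # received signal strength; less negative is stronger
    lac: int        # location / tracking area code
    cid: int        # cell identity


@dataclass(frozen=True)
class SimProfile:
    home_plmn: str
    preferred: Tuple[str, ...]     # ordered, like the SIM's preferred-PLMN file
    forbidden: frozenset           # like the SIM's forbidden-PLMN file


def select_cell(visible: Iterable[Cell], sim: SimProfile,
                allowed_rats: Tuple[str, ...] = ("2G", "3G", "4G")) -> Optional[Cell]:
    """Camp on the strongest cell of the best-ranked non-forbidden PLMN.
    Ranking: home PLMN, then preferred PLMNs in list order, then any
    other network (roaming). `allowed_rats` models a user setting such
    as LTE-only: cells on other radio technologies are never candidates.
    Nothing here verifies that a cell really belongs to the PLMN it
    announces; on 2G the network never authenticates itself, so the
    phone has nothing better to go on than the announced identity."""
    candidates = [c for c in visible
                  if c.plmn not in sim.forbidden and c.rat in allowed_rats]
    if not candidates:
        return None
    rank = {sim.home_plmn: 0}
    for i, plmn in enumerate(sim.preferred, start=1):
        rank.setdefault(plmn, i)
    unknown = len(rank) + 1
    return min(candidates, key=lambda c: (rank.get(c.plmn, unknown), -c.rssi_dbm))


CellKey = Tuple[str, int, int]


def check_cell(cell: Cell, known: Dict[CellKey, str], here: str) -> str:
    """Defender-side check against an on-device map of cells seen before,
    keyed by (plmn, lac, cid) and mapped to the place they were observed.
    Returns "known", "unknown-cell" (never seen here or anywhere; worth a
    closer look) or "relocated-identity" (a known identity showing up
    somewhere it was never observed)."""
    key = (cell.plmn, cell.lac, cell.cid)
    if key not in known:
        return "unknown-cell"
    return "known" if known[key] == here else "relocated-identity"


if __name__ == "__main__":
    # Constructed scenario: a weak home LTE cell, a strong 2G cell that
    # announces the home PLMN but has an identity never seen before, a
    # forbidden network, and a preferred roaming partner.
    sim = SimProfile(home_plmn="310410", preferred=("310260",),
                     forbidden=frozenset({"310120"}))
    visible = [
        Cell("310410", "4G", -100, lac=5001, cid=12345),
        Cell("310410", "2G", -60, lac=9, cid=1),
        Cell("310120", "4G", -70, lac=7, cid=42),
        Cell("310260", "3G", -65, lac=3, cid=77),
    ]
    seen_before = {("310410", 5001, 12345): "office"}
    print("default policy camps on cid", select_cell(visible, sim).cid)
    print("no-2G policy camps on cid", select_cell(visible, sim, ("3G", "4G")).cid)
    for c in visible:
        print(c.rat, c.plmn, c.cid, "->", check_cell(c, seen_before, here="office"))
```

Two things the run makes concrete: the announced PLMN is all the selection rule has to go on, so a cell that merely claims the home network and is the strongest signal wins under the default policy, while the "no 2G" setting removes it from consideration entirely; and a per-location map of cell identities catches that same cell as "unknown-cell" even when the policy would have accepted it. The map only works for places you have been before and has to be refreshed when carriers re-plan cells, which is the practical limitation of the hash-map idea above.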

First question/thing I wonder about is whether this printer's toner lasts as long as expected, unlike the ones you generally get with printers.

Well, that was entirely pointless. The meat of the post (the photos of disguised cell towers) would have been exactly as relevant and impactful without that pre-pubescent "hacking". (ooh! we can run six year old software (an openbts fork) on a raspberry pi! we are so cool!)

Art is one of the tools we use in society to alert each other about issues, i.e. social commentary. The point is that it's rhetorical, so you may be having a reaction of "Yes, I already know this", because you are working from a privileged position of knowledge inside the system being commented on.

Some fairly well-known examples of art as commentary:

Guernica - https://en.wikipedia.org/wiki/Guernica_(Picasso)

Banksy - http://www.relevantmagazine.com/culture/banksy%E2%80%99s-10-...

George Orwell - https://en.wikipedia.org/wiki/Animal_Farm

Given that today we live surrounded by technology, it's not surprising that artists will use that technology to comment about and around our lives, particularly to announce to those outside the sphere of technology how networks, appliances and technological actions actually are affecting their lives.

Honestly this is a great piece of workmanship, having integrated the necessary equipment into something completely innocuous that does generally get ignored or overlooked. And the fact that the printer still works with this extra hardware is a testament to how little you can assume any piece of equipment is safe/unmodified. Interfacing the cell interception with the printer is just gravy, a real undercover device wouldn't do that, but it's neat.

The disguised cell towers aren't "the meat", they're, as described in the post, just "conceptual background". Possibly irrelevant background, as they really aren't intended to be secret surveillance devices in those cases.

It is an art installation. About the only thing prepubescent is your commentary.

Oh! It is art? Well, in that case it must be good.

That's not why it's good, that's why it exists in that state. A lot of people don't know about stuff like this and won't want to trudge through a heavy technical post.

But send them a fake SMS and maybe they'll start listening.
