GSM base station hid in an office printer

GSM Base Station

Intelligence agencies and intelligence agencies around the world use fake base stations (IMSI-traps, the Americans call StingRay), which operate in a passive or active mode . In passive mode, the fake station simply analyzes the signal from the surrounding base stations. Much more interesting when the device is transferred to the active mode. In this case, the IMSI trap forces the surrounding client devices of the cellular communication to connect to themselves, disconnecting them from the operator’s base station (MTS, VimpelCom, etc.). The task is accomplished by broadcasting a more powerful signal than the surrounding stations (for more information on the operation of fake base stations, see the article “The Brave New World of Cell-Site Simulators” (Albany Law School: 11–12. Doi: 10.2139 / ssrn. 2440982).

Fake base stations are used not only by special services, but also by other people. For example, in the last season Mr. Robot hackers installed a femto (a low-power and miniature cellular communication station) right in the FBI office, having the opportunity to listen to their conversations. In business, competitors can use such a device to quietly listen to conversations from the other side. In Russia, Natalya Kasperskaya suggests installing spy femtocells in the offices of commercial companies so that management can safely record conversations of employees and visitors.


The device is connected to the fake cellular station PRISM: The Beacon Frame . As part of a research project, the station sends a notification of the connection to the subscriber’s phone. This special services infrastructure works without sending notifications.
')
Such gadgets are very popular in the modern era, because so many people constantly use cellular communication, transferring confidential information through these channels, without using end-to-end encryption. It is very convenient to identify people by their phone numbers.

Heroes of the show Mr. Robot put a femtocell under the table next to the router. Obviously, in this form, it cannot work for a long time, because sooner or later the “extra” device will be noticed by a cleaning woman or an occasional agent who will bend down. In addition, the femtocell has a very small radius of action, so it is unlikely that she will be able to kill the signal of a real base station for subscriber devices on adjacent floors. It is guaranteed to work except in the same office, and then - as lucky.

To correct this deficiency, the office needs to install a more powerful base station. But how to disguise it? An excellent solution was proposed by New Zealand engineer Julian Oliver. He designed the base station design disguised as an HP office printer .

On the streets, base stations are disguised as objects of the environment - trees or lanterns .


Cellular station, poorly disguised as a palm tree. Marrakesh, Morocco


Cellular station, disguised as a lamp, for some reason, put next to this lamp. Milton Keynes, United Kingdom

The Hewlett-Packard Laserjet 1320 laser printer for office space looks as natural as a lantern on the street. He will not cause suspicion. At least as long as it continues to work properly. For demonstration purposes in the Oliver project, the printer is set to automatically print metadata about intercepted calls and SMS messages, along with the text of these messages.



The author explained in detail how the fake base station works. A BladeRF programmable SDR transceiver was placed in the printer case (this wonderful device was told in Habré). In the photo it is fixed at the top right. The transceiver connects to the Raspberry Pi 3 miniature board (bottom left), and all the hacker electronics are connected to the printer’s motherboard (the largest board in the photo).



For power, a car USB adapter is used that converts the printer 21−22 V to 5 V, necessary for the transceiver and the “raspberry”. Such adapters are usually inserted into the vehicle's cigarette lighter (12−24 V) to power portable electronics.



The cartridge compartment is slightly modified to fit two omnidirectional antennas (TX and AX) connected via an SMA cable to a BladeRF transceiver.

The author of the paper says that they chose a Hewlett-Packard Laserjet 1320 printer for several reasons. First, it has a strikingly inconspicuous appearance - a completely faceless design that does not attract attention. Secondly, the internal cavities in the housing are ideal for accommodating all electronics and cables. No detail comes out and is not visible from the outside, except the standard power cable. When the USB adapter is plugged into a standard connector, the Hewlett-Packard Laserjet 1320 functions normally as a regular office printer.

Raspberry Pi 3 was chosen after unsuccessful attempts to ensure stable operation of the YateBTS base station controller program under Intel Edison, Beaglebone Black and even I-MX6 Marsboard. Unlike the ancient OpenBTS, the YateBTS program is more demanding on processor performance.

The fake base station software in the printer runs on top of the open source YateBTS code. For demonstration purposes, developed several scripts. For example, one of them filters the log, forms a PDF document and sends it to print.

#!/bin/bash readonly FH=/home/pi/yate.log rm -f $FH # Start the BTS, log to $FH and background yate 2>&1 -l $FH & sleep 1 echo "Starting up..." last=" " while true; do # Poll every 10 seconds sleep 10 # Check log for new sniffed 'call route' entries and do some subbing cur=$(cat $FH | grep -A 16 "Sniffed\ 'call.route'" | sed -e "s/param\['//" \ -e "s/'\]//" -e 's/thread.*//' -e 's/time\=[0-9].*//' \ -e 's/\ data=(.*//' -e 's/\ retval=.*//' \ -e 's/\ tmsi.*//' -e 's/ybts/Stealth\ Cell\ Tower/' \ -e 's/Sniffed/Monitored\ =/' -e '/^\s*$/d' \ -e 's/^\s*//' | tail -n 13) if [ "$cur" != "$last" ]; then if [ ${#cur} -gt 1 ]; then echo "New SMS events detected" # Test to see if an IMSI is in the string. If not, look it up and put it in if [[ $cur != *imsi* ]]; then caller=$(echo "$cur" | grep "caller" | awk '{ print $3 }' | sed "s/'//g" \ | tr -cd '[:print:]') imsi=$(cat /usr/local/etc/yate/tmsidata.conf | grep "$caller" \ | cut -d '=' -f 1) cur=$(echo "$cur" | sed -e "s/\ called\ .*/imsi\ =\ '$imsi'/" ) fi # Make it all uppercase event=$(echo -e \\n"$cur" | tr 'az' 'A-Z') echo "printing file..." echo "$event" > printme # Format a postscript file with enscript enscript -r --header='SMS EVENT RECORD|%W|%* UTC' -i2cm --margins=10:10:30:10 \ -o printme.ps -f Courier@15/12 printme # Convert to PDF ps2pdfwr printme.ps printme.pdf # Send it to the print queue for immediate processing lp -U pi -o a4 -q 100 -d hp_LaserJet_1320_2 printme.pdf fi last=$cur fi done 

Another script randomly selects one of the phone numbers that connected to the base station, calls it and reproduces the classic hit Stevie Wonder "I Just Called To Say I Love You" .

 #!/bin/bash readonly HOST=127.0.0.1 readonly PORT=5038 readonly DATA=/usr/local/share/yate/sounds/stevie.au readonly TMSI=/usr/local/etc/yate/tmsidata.conf readonly CC=49 #MSISDN prefix, matching that of definition in yate conf. callone () { # Play "I Just Called To Say I Love You" by Stevie Wonder, on pickup echo "call wave/play/$DATA $mt" | netcat -i 1 -q 1 $HOST $PORT # Or, setup channel and route to IAX/SIP # echo "call 'iax/iax:$PORT@11.22.33.44/$PORT' $mt" | netcat -q 1 $HOST $PORT } callall() { for mt in ${UES[@]} #override $mt do echo "calling $mt" callone done } while true; do tmsilen=$(wc -l $TMSI | awk '{ print $1 }') ues=($(cat $TMSI | grep -A $tmsilen ues | sed 's/\[ues\]//' | cut -d ',' -f 3)) if [ ! -z $ues ]; then ueslen=${#ues} RANGE=$ueslen select=$RANDOM let "select%=$RANGE" mt=${ues[$select]} callone fi sleep 30 done 

Compiled binaries for Raspberry Pi 3: yate_r-pi3_4.4.11-v7_debian-8.0.tar.gz .

Good luck with your experiments!