The talk was hype to begin with. You can buy a 900 MHz bridge from Ubiquiti for $125 (or a MikroTik device for $129) and attach it to a Raspberry Pi. How you'd do this is obvious. It's a good DEF CON talk, because it's the application that's important, but the technical principles here are extremely basic.
If you look carefully at the pic in the Wired story on ProxyHam, it appears they are indeed just using the Ubiquiti device. Here is the pic from Wired:
And here is the pic from Ubiquiti's website:
I don't know why the talk was canceled. One likely reason is that the stories (such as the one on Wired) sensationalized the thing, so maybe their employer got cold feet. Or maybe the FBI got scared and really did give them an NSL, though that's incredibly implausible. The feds have other ways to encourage people to be silent (I've personally been pressured to cancel a talk), but it wouldn't be an NSL.
Anyway, if DEF CON wants a talk on how to hook up a Raspberry Pi to a Ubiquiti NanoStation Loco M9 in order to bridge WiFi, I'll happily give that talk. It's just basic TCP/IP configuration, and if you want to get fancy, some VPN configuration for encryption. Just give me enough lead time to actually buy the equipment and test it out. Also, if DEF CON wants to actually set this up in order to get long-distance WiFi working to other hotels, I'll happily buy a couple of units and set them up this way.
Update: Accessing somebody's open WiFi, like at Starbucks, is (probably) not a violation of the CFAA (Computer Fraud and Abuse Act). The act is vague, of course, so almost anything you do on a computer can violate the CFAA if prosecutors want to go after you, but at the same time, this sort of access is far from the original intent of the CFAA. Public WiFi at places like Starbucks is public.
This is not a violation of FCC Part 97, which forbids ham radios from encrypting data. The device operates in the unlicensed 900 MHz ISM band, so it is not covered by ham rules, despite the name "ProxyHam".
Update: An even more fun talk, which I've long wanted to do, is to do the same thing with cell phones. Take a cellphone, pull it apart, disconnect the antenna, then connect it to a highly directional antenna pointed at a distant cell tower -- several cells away. You'd then be physically nowhere near where the cell tower thinks you are. I don't know enough about how to block signals in other directions, though -- radio waves are hard.
Update: There are other devices than those I mention:
@ErrataRob Also, the Mikrotik Metal 9HPn is a better radio for this stuff
http://t.co/12ljqeuF7H
— Mark Burnett (@m8urnett) July 14, 2015
About 40 years ago the USA imposed a 55 MPH nationwide speed limit. One tag line was "it's not just a good idea, it's the law". Some wag quickly turned that into something like "186,282 miles per second. It's not just a good idea, it's the law".
Which is a roundabout way of saying that a cell tower knows exactly how far away you are. The technology depends on it. And it usually knows the general direction (to perhaps 60 or 120 degrees).
It's very hard not to love you, Robert.
Also, it would be great to use such devices as repeaters in a relatively big area to build a free, private and censor-free intranet.
Bohdan: Perhaps if you're far enough away you can cause GSM's Timing Advance to wrap around?
A satellite dish pointed at the ground in the direction of the cell tower that you want to use would do the trick.
The directional pointed to a spot some distance out from the base of the tower might actually work better, as cell towers have sectorized antennas with a 3 degree down tilt. You will need the "skip" to work in both directions to have both a good link and to spoof the cell tower location services.
"Take a cellphone ... connect it to a highly directional antenna pointed at a distant cell tower ... I don't know enough about how to block signals in other directions, though -- radio waves are hard."
Not that hard really. Your directional antenna works in 2 ways exactly the same. It acts like horse-blinders so your receiver can only hear what the antenna is pointed at, so all other cell towers cease to exist. It also acts like putting your hands on either side of your mouth while yelling, so your transmission only reaches the tower your antenna is aimed at. Of course there can be slight spill or scattered emissions in other directions, depending on your antenna or dish, but they'd be weak and insubstantial.
Ignore the other comments. They're, like you, thinking in terms of a phone with an omnidirectional antenna even though you're using a directional antenna or dish. No other towers should hear you, or if they do it's background scatter and cannot be used for predicting position. Cellular triangulation presumes omnidirectional Tx/Rx.
Yes, ignore all the other comments and point your directional antenna, from "several cells away", straight at a 30 degree panel antenna (less directivity and lower gain than yours) that is down tilted (not pointed back at you) and see how that works out.
Although I doubt it will give the desired result, it will be a fun project and invaluable learning experience.
Less directivity and lower gain are irrelevant as long as yours is good enough; the gain works for transmission as well as reception. If you look at the antennas used to bounce UHF signals off the moon you can be sure these things will be unfazed in the view of a few degrees downward tilt at the cell tower. The real problem is exactly the one Bohdan has pointed out: GSM and friends depend on each phone transmitting exactly in its allocated time slot, and to allocate these slots they have to account for signal propagation delays, i.e. they measure the distance to a phone by nanosecond timing of its signal. The base stations simply aren't fooled by directional antennas.
You don't think the FBI might want to serve up an NSL to get the customer list? That the FBI would consider anyone buying one as "suspicious"? Oh noez, think of the terrorizmz!
Would the directional antenna & cellphone idea work? e.g. do cell phones insert a timing delay into the signals to allow for the distance between the transmitter tower and the phone? If your cell phone was at a large distance, the delay value would still be larger than every other phone connected to the cell.
The directional antenna thing would still tell the tower exactly how far away you are (speed of light and all that; yes, GSM really depends on that).
The problem is that when you're in a city, everybody else is <300m to the next tower, only you are talking to a cell much farther away than that -- your signal sticks out like a sore thumb. You don't want that if you've got to hide something.
I'm so expected to hear your speech on the topic. : )
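The timing argument made in the comments above, worked through as an added example (not code from the post or from any commenter): how a GSM base station infers a handset's distance from its timing advance, using the standard GSM bit period and 6-bit TA range, and how a handset served from "several cells away" stands out against a cell full of nearby handsets. The sample TA readings and the three-step outlier threshold are constructed assumptions.

```python
# Added example: GSM timing advance as a distance measurement, and why a
# distant handset is easy to spot in a dense cell. GSM constants are the
# standard ones; SAMPLE_TA and the slack threshold are constructed here.
from statistics import median

C = 299_792_458.0            # speed of light, m/s
T_BIT = 48 / 13 * 1e-6       # GSM bit period, about 3.692 microseconds
TA_STEP_M = C * T_BIT / 2    # one-way distance per TA step, about 553 m
TA_MAX = 63                  # timing advance is a 6-bit value (0..63)


def timing_advance(distance_m: float) -> int:
    """TA the base station would assign to a handset at distance_m.

    The BTS measures the round-trip delay of the handset's burst in bit
    periods and tells the handset to transmit that much earlier. The value
    saturates at 63 (about 35 km); a normal cell does not serve beyond that.
    """
    if distance_m < 0:
        raise ValueError("distance must be non-negative")
    steps = int(2 * distance_m / (C * T_BIT))   # round-trip delay in bits
    return min(steps, TA_MAX)


def distance_range_m(ta: int) -> tuple[float, float]:
    """Band of one-way distances [lo, hi) that map to a given TA value."""
    if not 0 <= ta <= TA_MAX:
        raise ValueError("TA must be in 0..63")
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def far_handsets(ta_by_handset: dict, slack_steps: int = 3) -> list:
    """Handsets whose TA sits well above the cell's median TA.

    In a dense city everyone else is a few hundred metres from the tower
    (TA 0 or 1), so a handset with TA 18 (about 10 km) stands out. Three
    steps of slack is roughly 1.6 km and is an arbitrary choice here.
    """
    typical = median(ta_by_handset.values())
    return sorted(h for h, ta in ta_by_handset.items()
                  if ta > typical + slack_steps)


# Constructed sample: five nearby city handsets and one distant one.
SAMPLE_TA = {"ms-1": 0, "ms-2": 1, "ms-3": 0, "ms-4": 1, "ms-5": 0,
             "ms-far": timing_advance(10_000)}
```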