Dec 05 2010

Cracking The Key to Car Immobilisers

Interesting article in New Scientist this week. Karsten Nohl has assessed various manufacturers’ keyfob immobilisers and concluded that most of the older 40 & 48 bit AES systems are now hackable. Last year he took 6 hours to discover the algorithm used to create the encryption key in a Hitag 2 system. Armed with that algorithm he could in theory unlock any car using NXP Semiconductors’ Hitag 2 system – according to New Scientist.

Security professionals now believe a move to 128 bit immobilisers is the way forward. Both Texas Instruments & NXP now offer 128 bit AES systems – which would take so long to crack that it’s not worth even trying. Apparently, the car manufacturers don’t see the urgency to switch. They point out that any car can still be removed by a thief using a flat-bed truck & a GPS/GSM radio jammer.

We’ve written previously about crimes here in the UK, involving the theft of laptops & phones from cars by thieves using jammers to stop the owners locking their car doors using the immobiliser keyfobs. Now, in theory at least, they can take your car too.

Written by admin in: 3G,Bluetooth,GSM

Nov 27 2010

Viewing Motorised Webcams on iPhones & Android.

I’ve been playing about with motorised webcams this week.

I have a Panasonic BL-C111 IP camera, which looks like any other motorised webcam, but has a web server built in too. This means it doesn’t need a PC to operate, it only needs to be plugged into your router. You can then log in from any other internet connected PC and pan & tilt the camera around. The Panasonic camera gives a great image & can output its video stream in MJPEG or MPEG4 modes – it’s really impressive.

Even better still, you can now get apps for iPhone & Android that allow you to view the camera remotely, move it around & take snapshot photos to the memory card in your phone. The Panasonic BL-C111 is available for around £129 & a wireless model is also available. The free trial app I tried on my Google Android phone can be downloaded from Android Marketplace, just search for “IP Cam Viewer” by Robert Chou. Once downloaded to your phone you can move the camera left, right, up & down just by dragging your thumb over the touch-screen.

If the Panasonic option sounds a bit expensive, you can do things cheaper still. If you already own a motorised Logitech Sphere webcam, you can load up “My Webcam Broadcaster” from Eyespyfx.com for free, and then just pay 5 Euros for the Android or iPhone app to remotely view & move the webcam around. If you don’t have the Logitech Sphere the software will use your laptop’s built-in webcam instead. So for a total outlay of 5 Euros you can see what’s going on in your home when you’re not there, all on your smartphone. Nice!

Written by admin in: Uncategorized

Oct 27 2010

The easy way to kill electrosmog at bedtime

If you want a really good night’s sleep, it might be worth trying unplugging your WiFi router & Dect phone from the power at bedtime. They both transmit constantly, and if they’re near where you sleep they might be the cause of your poor sleep.

Now it’s a great big hassle to remember to unplug each of these from the mains each night, especially if they’re in different rooms in your house. So a neat way to turn them both off remotely is to buy a pair of Remote Control Sockets from somewhere like CPC for £3.95+vat+p&p (order code PL1115610 at cpc.co.uk). You can also find them on eBay for around £10 for a pack of 3.

If you have trouble peeling your kids away from the TV at mealtimes this could be the answer for you too. Food on table, TV mysteriously dies…

Also, don’t leave your mobile turned on overnight, sitting on the bedside cabinet next to your head – modern 3G phones, like the iPhone & Android models, are constantly transferring data with Facebook & Google Mail (assuming you use them) while you sleep. Older GSM models like the Nokia 3310 transmit for maybe 10 seconds every 20 minutes while you sleep, so the mast can keep track of them.

Written by admin in: Uncategorized

Sep 22 2010

GSM Security By Obscurity Nearly Over.

In the past 12 months we’ve seen GSM pulled to bits by the hacker/security researcher community.

We now have software for the USRP radio peripheral that can make it behave just like a GSM cell phone tower – routing calls on cruise ships & 3rd world countries (or anywhere else you can get away without a proper licence) via Asterisk VOIP from regular GSM phones.

Also, we’ve now got the ability to snoop almost real-time on encrypted GSM phone calls, thanks to 2GB of Rainbow Lookup tables & the USRP peripheral.

The last piece of the puzzle is getting an open source OS onto a regular mobile phone and grabbing hold of the phone’s baseband firmware – so you can make it do what you want. This is a crucial step – it’s the difference between merely sniffing traffic & being able to inject your own malformed packets. Normally a phone’s baseband firmware is set in stone – a bit like sending fixed AT commands to a MODEM, but once you can build your own baseband OS, you can then make up your own commands – which is real progress.

To give you an idea of what can be done when you can grab a phone by its low-level-balls like this – at the CCC 2009 conference a phone was reprogrammed so it would constantly request that the cell phone tower open a channel for it. Flooded with enough requests this would stop anyone else using that mast.

Phones which are likely usable for this are hard to get hold of. Try looking for a Calypso C123 on eBay…. good luck. Alternatives available to UK readers are the J100i from Nokia and the V171 from Motorola. I counted a handful of each. The J100i sports a colour screen, but is otherwise about as sophisticated as an old Nokia 3310. You need old hardware like this for reverse engineering.

More here.

Written by admin in: Uncategorized

Sep 06 2010

Some Extra Thoughts On Smart Phones

For quite some time we’ve insisted that WiFi routers & Dect cordless home phones are the big enemy in electrosmog terms – if you stay at home they’re both blasting you constantly.

We’ve always said that mobile phones only radiate when you’re actually speaking on them. A regular mobile will talk to the mast for maybe 10 seconds every 15 minutes in standby.

However, after playing around with a Google 3G smartphone for 6 months now (and owning an electrosmog detector), I’ve come to the conclusion that smartphones fully loaded with various apps are just about as bad as a WiFi router stuck in your pocket – this is bad, very bad.

On my own Google Nexus One that means Google Mail checking in every minute, and every other network aware application doing the same.

Our heartfelt advice is to make sure you’re on the network that gets the easiest signal. Compare Sims from different providers and then get a PAC code and switch as soon as you can. If your smartphone is constantly switching between GSM & 3G that’s no good for you, at all.

Once you’ve done that you need to turn off all the apps that are transmitting data in the background. Googlemail will constantly check for new mail – but on my Android OS phone it won’t if I turn off ‘Background Sync’.

Also, the latest versions of Android support setting up your phone as a portable WiFi hotspot. Please make sure this is turned off again, once you’ve finished using it, otherwise your leg will be getting full of unwanted RF signal. Better still, stick your phone in Aircraft mode.

If you don’t hold the phone next to your head to hold conversations – or keep it in a trouser pocket – this advice probably doesn’t matter too much.

The further away from your body, the better. Every time the distance from your body doubles the absorbed signal halves.

Written by admin in: Uncategorized

Sep 06 2010

Car Thieves Start Using Radio Jammers

A report in this week’s The Sunday Times warns that lots of car thieves are now using radio jammers to stop your car’s remote door-locking keyfob doing its job properly.

Radio jammers for all bands are available direct from China these days. The best sites accept Paypal and ship quickly to UK addresses, describing the consignments as test equipment, or something equally inconspicuous.

You can buy jammers for GPS, GSM, 3G, 433MHz. Anything you can think of, they’ll make – in a selection of power outputs and prices. You could take down GPS or Mobile phones on a city-wide basis if you were daft enough, but you’d be pretty easy to find (you’d be glowing!) and would spend a long time in jail!

Most car keyfobs operate in the unlicensed 433MHz band. If you don’t actually watch your lights flash and your doors lock you may be coming back to an empty car.

Police around the country have noticed a rise in this type of crime around big cities – often dozens of cars in one street will have been done-over without a single window being smashed.

According to The Sunday Times, all the car thieves need do is leave a suitable jammer hidden in a prime spot with a decent extra battery pack attached, it could then run for hours, or they can just trigger the jammer when you go for your keyfob – if they started using decent antennas they could be watching through binoculars.

Imagine the haul of satnavs, iPods, laptops and phones from that lot!

Worryingly, a lot of the wireless burglar alarms in people’s homes use the same frequency bands to receive signals from PIRs dotted around the home…

Another great reason to remove all the electrosmog generating devices from your home & go back to being Wired. If you didn’t realise yet, we love being Wired…

Written by admin in: General

Aug 25 2010

Olle Johansson Kicked Out By Ferrets

According to Mast Sanity, the respected Swedish researcher Prof. Olle Johansson has been having problems finding lab space for his latest experiments. The lab space he planned to use, to replicate recent studies that led to the cancellation of city-wide WiFi in San Francisco, has instead been grabbed by very important ferret research. If ever you needed an indication that you were getting close to the truth, then this has to be it!

There’s loads of interesting stuff here, just read the link.

Basically, you need to know that governments around the world are far more interested in how much money can be made from wireless services, than the well-being of their ill-informed populations!

Written by admin in: Uncategorized

Jul 30 2010

GSM Mobile Phone Security Practically Dead.

GSM Mobile Phone Security is now practically dead. Anyone with a spare couple of grand can now do what was previously the exclusive preserve of national security agencies. Previously you’d have to spend £100K and prove you were a suitable government-grade customer.

According to theregister.co.uk’s security pages, several talks at the Black Hat security conference in Las Vegas this week will take GSM hacking down to the script-kiddie level – all you need is enough cash for a modified USRP USB radio peripheral & a 2000GB hard drive to store the rainbow lookup tables.

With that kit you can grab big chunks of the mobile phone spectrum in real time and target individual IMSI numbers. The researchers reckon that 80% of mobile traffic passes over the old A5/1 GSM system. A5/3 & 3G phones should still be considered secure. But remember if your 3G phone isn’t near a strong signal it will be stepping back down to A5/1 anyway.

Think about all those corporate espionage guys out there, they must be salivating like crazy. The rainbow lookup tables are a hefty download at 2TB, but if you’re prepared to travel to Oslo, The Register reports that Frank A. Stevenson (guy who cracked the CSS encryption scheme on DVDs) will swop you a blank drive for one with the rainbow tables on. (Rainbow Tables are lookup tables with the answers to all the possible challenge answers for the GSM A5/1 algorithm – this saves lots of time working each one out individually, and crucially makes near real-time decryption possible).
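To show what a rainbow table actually stores, here is an added example (not from The Register or the researchers) that builds one over a deliberately tiny 16-bit toy keyspace. The hash-based function `f`, the chain sizes and all names are assumptions chosen for illustration; nothing here is A5/1.

```python
import hashlib

KEY_BITS = 16                 # toy keyspace (assumption), small enough to precompute
KEYSPACE = 1 << KEY_BITS
CHAIN_LEN = 64                # steps per chain
CHAINS = 2048                 # chains kept in the table

def f(key: int) -> int:
    """Toy one-way function standing in for 'key -> observable cipher output'."""
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def reduce_to_key(out: int, step: int) -> int:
    """Map an output back into the keyspace; varies per step (the 'rainbow')."""
    return (out + step) % KEYSPACE

def walk(key: int, start_step: int, end_step: int = CHAIN_LEN) -> int:
    """Advance a chain from position start_step to end_step; return the key there."""
    for step in range(start_step, end_step):
        key = reduce_to_key(f(key), step)
    return key

def build_table() -> dict:
    """Precompute every chain but store only endpoint -> [start points]."""
    table = {}
    for start in range(CHAINS):
        table.setdefault(walk(start, 0), []).append(start)
    return table

def lookup(table: dict, target: int):
    """Return a key k with f(k) == target, or None if no chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Guess that target was produced at chain position pos, then finish the chain.
        end = walk(reduce_to_key(target, pos), pos + 1)
        for start in table.get(end, []):
            candidate = walk(start, 0, pos)   # key at position pos of that chain
            if f(candidate) == target:        # filters false alarms from merged chains
                return candidate
    return None
```

The table holds 2048 start/end pairs yet can answer for up to 2048 × 64 chain positions, which is the time-for-storage trade. Building it costs on the order of one pass over the whole keyspace, and that up-front cost is what a 128-bit key puts out of reach.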

Of course the GSM Alliance makes light of all this, still calling it theoretical – and in some ways they have a point, it’s not like you can do this on an old reprogrammed Nokia 3310 after all!

When Dect (the cordless phone you use at home) was hacked last year we didn’t see UK identity thieves having a field day, gathering up bank pins etc. Only a couple of thousand of the PCMCIA Dect cards were in circulation, and most were probably bought up by security researchers quite quickly. So the hardware to hack Dect became expensive & you had to be able to configure a Linux laptop yourself to use it – the barrier to entry was therefore set high.

With GSM it’s even higher. You need lots of Linux knowledge & £1000 worth of USRP radio hardware + soldering skills too. Sure organised criminals, corporate spies & bent media companies will use this technology to spy on the rich and famous, but it won’t become a massive problem in the UK. If anything, it will just speed along the adoption of 3G smartphones.

I wonder where Karsten Nohl & friends will be heading next with their USRPs? Dect cracked last year, this year GSM. Airwave/Tetra next year, maybe?

http://en.wikipedia.org/wiki/IMSI-catcher

Written by admin in: DECT,GSM

Jul 30 2010

Wired Magazine August 2010 IED Article.

There’s an interesting piece by Adam Higginbotham in this month’s US edition of Wired magazine.

It’s all about the US military’s escalating game of wits with insurgents in Iraq & Afghanistan.

The biggest problem for the US isn’t AK47s or rocket launchers, it’s IEDs – Improvised Explosive Devices or roadside bombs. These cause more mayhem & carnage than anything else, and are built for peanuts.

It’s not the explosives aspect that caught my eye, rather the ingenious ways that they are triggered. Anything which can send a wireless signal is fair game: garage door openers, remote doorbells, cell phones, walkie-talkies, CB radios. The US’s answer to this was to buy radio jammers, 40,000 of them in fact for Iraq alone. Then the insurgents start to use Frequency Counters as triggering devices – because they detect the jammers. Then they move to using PIRs that pick up the heat signature of the Humvees. Then a US army officer decides to stick a toaster on a 10 foot pole on the front of his Humvee, to confuse the PIR. Then the insurgents set the IEDs to target back 10 feet from the heat signature. And so it goes on… it’s almost comical… like Road Runner & Wile E. Coyote. Except of course, it’s not funny at all.

Page 138 of Wired’s August 2010 US edition.

Jul 16 2010

Steve Jobs Admits Problems with iPhone V4.

Steve Jobs gave a video interview today with Sky News that admits that not all their products are perfect. This of course is all about the iPhone4. Apple have sold 3 million units in 22 days – which is a million a week.

Steve refers to the problem with iPhone 4 as ‘Antenna-Gate’. Apple have now said they’ll issue rubber iPhone covers to anyone having a problem, or they can have their money back if they prefer.

The price gap between Apple smartphones and HTC Android phones is huge. A second hand iPhone 3G costs £250 from eBay, but a comparable and equally functional HTC G1 can be had for less than £100. Apple have a huge cash-cow franchise with the iPhone G4, and good luck to them, they deserve it all.

Just remember Steve J, it’s Woz that helped put you where you are today…

Written by admin in: Uncategorized