Build Progress
More bars in more airspaces.

June 4, 2011 by RedQueen

Okay, so we’ve been keeping something from you, mostly because we were not sure it was really going to work. Anyway, we said last year that after hearing Chris Paget’s talk at Defcon 18 on the vulnerabilities in the GSM cellular network, we wanted to play around with that idea in our UAV. We were sitting there with the plane, looking at the gear and thinking… “With some cutting, soldering, melting and hammering, do you think we could fit a Universal Software Radio Peripheral (USRP) in our airplane?”

The answer:


The idea is simple. The USRP consists of a main board, two RFX900 daughter-boards (one TX, one RX) and a stable 52 MHz clock source called the ClockTamer. The USRP is driven by OpenBTS, an open source GSM software stack that runs on our on-board payload computer. OpenBTS handles all of the handshaking and GSM connections to the handsets and passes the calls on to our PBX, which routes them. The PBX resides on our ground station in the Rabbit Hole and is a basic Asterisk installation that is connected to the UAV via a VPN over the 4G data link.

Now, evil operation of such a device would entail changing the Mobile Country Code (MCC) and Mobile Network Code (MNC) in OpenBTS to match a known cellular provider, essentially spoofing the intended mobile service and enticing handsets to hand over to our “tower”. Outbound calls could then be routed over our broadband data link and out to the PSTN via our Asterisk PBX and backhaul. So with that in mind, let us be very clear… Do Not Do That!!!!!!

We all know GSM is broken, badly. This is not groundbreaking stuff; it has been done before. This is just the first time it’s been done on a tiny airplane that flies itself. Here are some things you should know and understand:

  1. Everything about actually doing this to unsuspecting people is evil and ugly and will (rightfully so) get you arrested, fined and perhaps even thrown in jail. Our setup runs in the HAM radio spectrum (Rich is a licensed HAM), and all of our testing is done locally at low power on test MNCs limited to our own equipment.
  2. We didn’t make or devise any of this; it can be done by anyone with 10 minutes of reading. That’s it. We did this to prove to ourselves and some naysayers that it could be made small enough to be flown and operated remotely, not so we can overfly neighborhoods, haxor people’s cell phones and listen to them make sexytalk with their significant other.

So with that said, the Wireless Aerial Surveillance Platform has some new toys and more bells and whistles.