🔐Hacking Technology Archives - Good Shepherd News - Fastest Growing Religious, Free Speech & Political Content

PATRIOT Act Author The NSA Is Actively Violating The Law

The Truth News — Tue, 16 Sep 2025 05:51:38 +0000

PATRIOT Act Author: The NSA Is Actively Violating The Law

Jim Sensenbrenner (R-WI), the author of the original USA PATRIOT Act, disagrees.

In a amicus brief filed in support of the American Civil Liberties Union’s lawsuit against the National Security Agency’s bulk collection of U.S. phone records, Sensenbrenner argues that the government has gone far beyond what the legislation authorizes.

Section 215, known as the business records provision, authorizes intelligence agencies to apply for information if “the records are relevant to an ongoing foreign intelligence investigation.”

In practice, the NSA uses section 215 to collect data pertaining to every phone call to, from, and within the U.S. in the name of combating terrorism.

Sensenbrenner and the other members of Congress who enacted Section 215 “did not intend to authorize the program at issue in this lawsuit or any program of a comparable scope,” according to the brief.

The brief goes on to propose this question (emphasis ours):

The NSA is gathering on a daily basis the details of every call that every American makes, as well as every call made by foreigners to or from the United States. How can every call that every American makes or receives be relevant to a specific investigation?“

Filed by the Electronic Frontier Foundation, the brief notes that Sensenbrenner “was not aware of the full scope of the program when he voted to reauthorize Section 215” and would have voted against it if he had known.

In Sensenbrenner’s words: “The suggestion that the administration can violate the law because Congress failed to object is outrageous. But let them be on notice: I am objecting right now.” source

Detecting IMSI Catchers: Tools, Apps and Methods You Should Know

The Truth News — Mon, 25 Aug 2025 21:49:26 +0000

Detecting IMSI Catchers: Tools, Apps and Methods You Should Know

An IMSI-catcher is a device that intercepts mobile phone communications, acting as a fake cell tower to eavesdrop on calls and track location data. It’s essentially a “man-in-the-middle” attack, placing the device between the target phone and the real cell network. While some security measures exist in newer standards (like 3G), sophisticated attacks can bypass these, especially on older networks. These devices, like the StingRay, are used by law enforcement and intelligence agencies, but their use raises privacy and civil liberty concerns.

IMSI catchers: a security threat

An IMSI catcher, sometimes called a Stingray, is a device that impersonates a legitimate cell tower. It works by mimicking cell tower signals and attracting nearby mobile devices, tricking them into connecting to the device instead of a genuine cell tower. Once a device connects, the IMSI catcher can capture the device’s unique identifier, the International Mobile Subscriber Identity (IMSI).

This allows the IMSI catcher to:

Track the device’s location by analyzing the signal strength of the phone.
Identify and monitor activity, and potentially even intercept communications, including SMS and calls, depending on the network protocol.

IMSI catchers can be used by law enforcement, and potentially by unauthorized actors including criminals or foreign intelligence services. The use of these devices raises significant privacy concerns due to the indiscriminate collection of data, which may include bystanders as well as targeted individuals.

Potential threats

Location Tracking: IMSI catchers can track a phone’s location and movements.
Communication Interception: Older generation networks (like 2G) are more vulnerable, allowing interception of calls and texts. While 3G, 4G, and 5G networks are more secure, some IMSI catchers can potentially force a device to downgrade to an older, less secure network.
Denial of Service: IMSI catchers can also disrupt mobile network connectivity.

Detection

Detecting IMSI catchers with a smartphone alone can be difficult. Hardware-based detection systems provide a more reliable means of identification.

Protecting yourself

Keep software updated: Ensure your phone’s operating system and applications are up to date.
Use encrypted communication tools: Utilize apps like Signal or WhatsApp that offer end-to-end encryption.
Consider using a VPN: A VPN can encrypt your internet traffic.
Enable Airplane mode: When not actively using your phone, switching to airplane mode can help prevent connections to cell towers, including IMSI catchers.
Be aware of your surroundings: Pay attention to suspicious devices resembling cell towers, especially in sensitive areas or during events like protests or rallies.
Consider a Faraday cage: A Faraday cage can block radio waves and protect your phone from interception.

IMSI catchers, sometimes referred to as cell-site simulators or fake cell towers, can be difficult to detect since they imitate real cell towers to capture mobile phone data. With proper cybersecurity testing measures, you can effectively be alert to these unwanted interceptions. Take a look at these common tools and methods that can efficiently assist in identifying IMSI catchers:

Top Techniques and Resources to Detect IMSI Catchers

1. Use Mobile Apps and Tools

Some apps and technologies are designed to monitor and detect irregularities in cell networks.

SnoopSnitch (Android): This app analyses your phone’s network traffic and alerts you of strange cell tower behaviour. It requires access to low-level network data, which is mostly limited to particular Android phones equipped with Qualcomm chipsets.

Cell Spy Catcher (Android): After starting the learning process of this app, it collects data on local networks to identify which one among them is a trap. Then it alerts you with a red interface screen.
AIMSICD (Android): Detects IMSI catchers and reports on odd network activity, such as quick cell tower changes or downgrades to earlier network technologies (such as 2G). Phones switching to older network technologies usually happen due to IMSI catchers.

Croatian Telecom’s AntiSpy (Android/iOS): An app that uses radio signal analysis to determine when your phone connects to a rogue cell tower.

Apple’s limitations on low-level network data access have led to a decrease in the number of apps accessible for iOS; however, network abnormalities can occasionally be found by keeping an eye on variations in signals.

2. Look for Unusual Network Activity

IMSI catchers can force phones to connect to low-security older networks (2G or 3G) to facilitate communication interceptions. Look out for:

Downgraded connection: Your phone may unexpectedly switch from 4G/5G to 2G/3G or lose high-speed internet connection. Specifically, if it happens in an area that has outstanding coverage, it could be due to an IMSI catcher.

Frequent disconnections: When an IMSI catcher is nearby, your phone might keep on disconnecting and reconnecting with the network.

Suspicious network names: IMSI catchers can also broadcast non-standard or dubious network IDs. For example, a tower with an unusual name or ID might be a fake one.

3. Observe Battery and Signal Behaviour

IMSI catchers compel gadgets to transmit at faster speeds and consume more power.

Rapid battery drain: If the battery on your phone runs out more quickly than usual, it can be because it’s transferring an unusual amount of data to a fake tower.

Unusual signal intensity: An IMSI catcher may be indicated by abrupt, inexplicable changes in signal strength or highly fluctuating signal bars. Strong signals can be sent by these devices to overpower authorised cell towers.

4. Monitoring Tools for Experts

Advanced phone users with proper cybersecurity knowledge can utilise monitoring software or equipment to analyse cellular networks themselves.

Software-defined radios (SDRs): SDR devices enable users to identify and analyse mobile phone signals. By identifying aberrant radio frequencies and patterns, an SDR can aid in the detection of IMSI catchers if used with the appropriate software.

Cellular anomaly detectors: These are sophisticated technologies used by security experts and researchers that monitor local signals. These help detect abnormal cell tower behaviour that is essential in the current rise of data breaches, unexpected cyber attacks, or traffic demand in Australia.

5. Network Data Monitoring

Certified cyber security consultants in Australia suggest users to monitor network data. This includes the phone’s network logs like signal strength, base station ID, and encryption status that certain apps or customised firmware can access. Keeping an eye on this data can help determine when the phone connects to a dubious tower that may have less secure encryption or an unidentified ID.

6. Physical Indicators

IMSI catchers are usually non-stationary and can be implanted on vehicles or drones. So if you observe any strange and unknown vehicles or equipment within your local area and your phone network falters near it, it could be a clue.

7. Use Encrypted Communication

If you are wary of an IMSI catcher but are tech savvy or cannot locate it, resolve to the simple methods of using end-to-end encrypted apps. Switch to apps like WhatsApp, Signal, or Telegram for calls and texts for that while. These platforms prevent intercepted communications from being decoded, even if you do not know how to use tools for detecting IMSI catcher.

Limitations

False positives: Certain apps, software, or devices may identify normal network issues as suspicious.

Limited detection on iPhones: iOS restricts access to low-level radio data, making it more difficult to operate apps that monitor cellular networks. source

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes

With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.

This attack isn’t revolutionary in any way—IMSI-catchers are certainly not new, and have become famous because they are commonly (and controversially) used by law enforcement to track suspected criminals. A commercial version made by Harris is called a “Stingray,” and they are sometimes called “cell-site simulators” or “fake cell towers.” This is because they spoof a cell phone tower’s connection, meaning that cell phones in the area will try to connect to it; in doing so, the IMSI-catcher is able to passively collect information about phones in the area.

Harris’s Stingray was so secretive that, for years, the FBI dropped criminal court cases that used Stingrays rather than reveal the details of how the evidence was gathered.

But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

For legal and technical reasons, our IMSI-catcher did not intercept text messages or phone calls, like more powerful versions can. It only captured IMSIs from devices, as well as provides some additional information such as the country and telecom operator of the phone. Motherboard did not store any of the collected data. You should be aware of the laws in your local region before attempting to do this; Motherboard does not condone or suggest you do anything illegal (and, even if legal, you shouldn’t use an IMSI catcher to do anything creepy.)

We’ll explain what each of these are, but in short, the process was:

Buy a cheap, software defined radio
Install Ubuntu
Download IMSI-catcher script with its dependencies
Find the right frequency to scan for
Start scanning on that frequency and picking up IMSIs

As the name implies, a software defined radio, or SDR, is simply a radio that instead of having its feature baked in at a hardware level, can be controlled by a computer program. We bought the ‘NooElec NESDR Mini’ from Amazon for around $20 and received it a few days later.

To get the SDR to talk to phones, I needed to give it some instructions. Fortunately, I didn’t need to write my own, but just take some code from GitHub. I used a Python tool simply called ‘IMSI-catcher’, written by the hacker known as Oros42. The program requires an up-to-date version of Ubuntu, a particular Linux distribution, that can be downloaded for free and written either to a USB stick or installed inside a virtual machine.

To install the IMSI-catcher software, I just followed the instructions on the project’s GitHub.

Once installed, I booted up grgsm_livemon, one of the programs included with the project. which presented a slider and a graph, to find a frequency to scan. This required a bit of trial and error—moving the frequency slider until finding a sweet spot where the graph represented a bell curve. The curve meant that the SDR had found what frequency nearby phones were broadcasting on. Depending on where you are, that frequency is going to be different.

Once I found the sweet spot, after a few seconds IMSIs started appearing on my screen.

Caption: A redacted photo of IMSIs captured by the SDR and related script. Image: Motherboard

If I wanted to make the IMSI-catcher a bit more portable, I could theoretically run it on a Raspberry-Pi, a miniature computer you can buy for as little as $30 or cheaper, depending on what model you need. Note that the IMSI-catcher would still need to have Ubuntu on the Pi, which it is not traditionally designed for, but it is likely possible. I would also need to make sure the SDR is receiving enough power from the USB port.

In all, the process of making an IMSI-catcher didn’t take much time at all, as I thankfully didn’t hit any roadblocks. I just made sure I had the latest version of Ubuntu, followed the instructions carefully, and ended up with an IMSI-catcher on my laptop. source

Oros42/IMSI-catcher DOWNLOAD HERE iMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

CellularPrivacy/Android-IMSI-Catcher-Detector DOWNLOAD HERE IMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

Gotta Catch ‘Em All: Understanding How IMSI-Catchers Exploit Cell Networks

Section 1: Introduction

You’ve probably heard of Stingrays or IMSI-catchers, which belong to the broader category of “Cell Site Simulators” (CSSs). These devices let their operators “snoop” on the phone usage of people nearby. There’s a lot of confusion about what CSSs are actually capable of, and different groups—from activists to policy makers to technologists—understand them differently.

In the research community, there has been a tendency to dismiss the prevalence of CSS and the threat they pose to the public. Congress recently asked the Department of Homeland Security for more information about their use by federal law enforcement, as well as state and local partners. It’s unclear how much oversight the Department has been exercising, and when it comes to state and local law enforcement, only a few cities have any protections at all. Many activists aren’t aware that CSSs could be in use around them without their knowledge, particularly during protests. The truth is that CSSs are significantly more widespread than most policy makers, researchers, and activists are aware, and their danger to privacy is more significant than most realize. Of course, it’s hard to acknowledge the prevalence of CSSs when law enforcement goes to great lengths to keep information about them from the public.

There is a plethora of low-level academic research in the area of cell network security, and many high-level posts that don’t really explain in any meaningful detail what’s going on with “IMSI-catcher” type cell network attacks. Our goal is to bridge that gap, and with this post we hope to make accessible the technical inner workings of CSSs, or rather, the details of the kind of attacks they might rely on. For example, what are the different kinds of location tracking attacks and how do they actually work? Another example: it’s also widely believed that CSSs are capable of communication interception, but what are the known limits around cell network communication interception and how does that actually work?

We won’t be updating this post with new kinds of attacks as they come out, and we can’t cover every potentially relevant detail of every attack we explain, but this post should form a basis for non-experts to better understand new attacks.

Section 2: Necessary background info

There’s a lot of confusion about what CSSs actually do and how they do it. This confusion comes from the fact that the term “cell site simulator” actually encapsulates quite a variety of different cell network attacks that have evolved significantly over the last 25 years or so. Adding to the confusion is the fact that the term “IMSI-catcher” is both used interchangeably with “cell site simulator” and also refers to specific capabilities that some CSSs have.

A very important distinction when talking about CSSs is which cell network generations they use when operating. The term “cell network generation” refers to the complete set of operating protocols covering everything from how cell towers are laid out geographically to how a mobile phone establishes a connection with a cell tower.

Here’s a high-level overview of the most relevant cell network generations:

2G (e.g. GSM): the oldest type of cell network still in use and still very widely used. 2G only supports calling/texting, but in 2.5G the capability to support data transmission (e.g. email and Internet access) was introduced.
3G (e.g. UMTS or CDMA2000): improved upon 2G by having much faster data rates (which could support video calls, for example) and adding better security (more on this later).
4G (e.g. LTE or WiMax): significantly faster speeds and better security.

The specifications for these networks are developed by working groups organized by the 3GPP,¹ an international organization that any group can apply to join (though it has a high membership fee). Members typically include mobile carriers, university research labs, and wireless gear manufacturers (including surveillance tech manufacturers).

It’s important to note that in practice there’s often a lot of variance between what the specifications say and what actually ends up being implemented. This is usually due to (1) implementers needing to differ from the specifications for practical reasons (many parts of the specifications get marked as optional), and (2) mistakes.

There’s a bit more vocabulary and background that needs to be introduced:

IMSI (International Mobile Subscriber Identity): the unique identifier linked to your SIM card that is one of the pieces of data used to authenticate you to the mobile network. It’s meant to be kept private (because, as we’ll see later, it can be linked to your physical location and your phone calls/messages/data).
TMSI: upon first connecting to a network, the network will ask for your IMSI to identify you, and then will assign you a TMSI (Temporary Mobile Subscriber Identifier) to use while on their network. The purpose of the pseudonymous TMSI is to try and make it difficult for anyone eavesdropping on the network to associate data sent over the network with your phone.
IMEI (International Mobile Equipment Identity): the unique identifier linked to your physical mobile device.
Ki: a secret cryptographic key also stored on the SIM card used to authenticate your phone to the network (and prove you are who you say you are).
MCC (Mobile Country Code): your mobile country code, but not to be confused with a country’s mobile telephone prefix. For example, Canada’s MCC is 302, but its telephone prefix is +001.
MNC (Mobile Network Code): the code that represents which carrier you’re using. For example, 410 is one of AT&T’s MNCs.
Cell ID: each cell tower is responsible for serving a small geographic area called a cell, which has a cell ID attached it.
LAC/TAC (“Location Area Code”): in GSM, groups of nearby cells are organized by ID into “Location Areas” (“LA” for short), with each LA’s identifier being referred to as a “Location Area Code”. In 4G these are respectively referred to as Tracking Area (TA) and Tracking Area Code (TAC).
BTS (“base station”): a more general term for devices like cell towers (and CSSs pretending to be cell towers).²

It’s important to note that some of this terminology varies by network generation. For example, in LTE a base station is referred to as an eNodeB, and in 3G/UMTS the LAC and Cell ID are replaced by PSC (primary scrambling code) and CPI (Cell Parameter ID). For simplicity, we will be sticking to the above terminology.

Section 3: Overview of attacks

To be clear, as far as we know no one (outside of government or surveillance tech vendors) has ever gotten their hands on a commercial CSS (e.g. a Harris Corp Stingray) and published publicly available details of its inner workings, so this information all comes from academic literature and the work of open source hackers attempting to reproduce how commercial CSSs might work.

There are three main categories of attacks that will be covered:

Communication interception
Denial of service and service downgrading
Location tracking

Practical implementation details are left out of the following explanations for the sake of brevity.

Section 3.1: Basic IMSI-catcher

Classic “IMSI-catchers” simply record nearby IMSIs, and then don’t interact with their target phones in a significant way beyond that. They quite literally “catch” (i.e. record) IMSIs by pretending to be real base stations and then release the target phones (Paget, 2010). Let’s go over how they work in more detail.

In GSM networks, phones will try to connect to whatever base station is broadcasting at the highest signal strength.

Once a phone has identified a base station as having the best signal strength, it can begin negotiating a connection to it. The base station first asks the phone to send its encryption capabilities to it. If the base station is a CSS rather than a cell tower, it can then either ignore the response or set it to have no encryption.³

After this, the base station sends an Identity Request, which the phone responds to with its IMSI. The phone does this because the IMSI is stored on your SIM card, which was issued by your mobile carrier, and the phone network needs to identify that you are in fact a paying customer associated with a mobile carrier. After receiving your IMSI, the CSS then releases your phone back to the real network and moves on to try and capture another phone’s IMSI. That’s all it takes to collect an IMSI from a nearby phone!

The CSS sends an Identity Request to collect the target mobile phone’s IMSI. Afterwards, it proceeds to repeat this same action with other phones.

If law enforcement is operating such a CSS in a geographic area, once they’ve obtained the relevant IMSIs, they can then use legal process to get more data on all the users who were present.⁴

From here, many more sophisticated attacks can be launched, but that’s how the most basic kind of IMSI-catchers work: they simply collect IMSIs during the connection procedure, then abort the connection procedure and move on to their next target.

In later protocols (e.g. 4G/LTE), phones are a bit smarter about not connecting to any random base station with high signal strength, so an attacker needs more involved techniques to convince a phone to connect to their CSS. See section 3.3 for details.

Section 3.2: Communication interception

As far as we know, communication interception between a mobile phone and a legitimate cell tower is only possible in GSM (as opposed to later 3G or 4G protocols). There are two reasons for this:

Communicating over GSM doesn’t always require encryption.
Even when encryption is enabled, several of the cryptographic algorithms used in GSM can be broken (and in real time).

Imagine that the CSS is trying to launch an active attack where it intercepts a phone’s communications. The CSS must be able to situate itself between the phone and the tower to be able to do so, which is what’s usually referred to as a “machine in the middle” (MitM) attack.

There are two main steps to completing the MitM:

Spoofing authentication: the CSS needs to convince the network that it’s actually the targeted mobile phone. (Section 3.2.1)
Deal with any encryption the network tries to set (i.e. disable it or try to break it). (Section 3.2.2)

Section 3.2.1: Spoofing authentication

Picking up from Section 3.1 where the CSS has already obtained a phone’s IMSI via an Identity Request:

The CSS reaches out to a legitimate cell tower with a Location Update Request. This type of request is used to update the cell network about a phone’s location (specifically, its LAC), which the phone needs to do periodically in order for the network to be able to route calls and messages to it quickly.
In response to the Location Update Request, the cell network asks the CSS to identify itself using an Identity Request. The CSS responds using the stolen IMSI.
At this point the tower responds with a cryptographic challenge that requires the secret key Ki (stored on the SIM card) to solve. Since the CSS doesn’t have access to Ki, it passes it onto the phone to solve. The phone solves the challenge, passes it to the CSS, who then passes it back to the network.
After this, the network accepts the connection between it and the CSS as being authenticated.

Reminder: this is only applicable to 2G.

An illustration of steps 1-4 from above on how the CSS is able to complete the authentication MitM.

Section 3.2.2: Dealing with encryption

There are several encryption algorithms used in GSM, and at a high level, they have names like: A5/1, A5/2, etc … with A5/0 being used to indicate that no encryption is being used.

If the network tries to specify that it wants to communicate using encryption, the CSS can just respond by saying it doesn’t have encryption capabilities and defaults to A5/0. The CSS has now completed the MitM attack and can read the plaintext messages being sent between the phone and the real network.

Alternatively, if the network decides to use the A5/1 algorithm to communicate, this type of encryption can be broken in real time. The details of this attack are beyond the scope of this post, but you can read about it in the Barkan et al 2006 paper. Additionally, the A5/2 algorithm is so weak that its use has been banned since 2006. While there are known attacks against A5/3, there are no known real-time attacks.

Section 3.2.3: Why aren’t users alerted that encryption is off?

At this point, many people ask: why doesn’t their phone tell them something’s up? According to the GSM specifications, cell phone users are supposed to be notified when encryption is disabled, and in some markets they used to be. However, this caused a lot of confusion because:

People would travel with their phones to places where cell towers were configured very differently (e.g. in some countries cell network encryption is banned) and it would cause a “Warning: encryption disabled” pop-up to come up a lot.
Cell towers everywhere were misconfigured, also causing this pop-up to appear a lot.

These issues led to many confused consumers and support calls to mobile carriers, resulting in the warning ultimately being disabled.

Section 3.2.4: Service downgrading

Even though, as far as we know, communication interception is only possible in GSM, it’s trivial to downgrade a target cell phone’s connection from 3G or 4G to GSM (see Section 3.5 for more information). This is because in general the base station gets to pick whatever configuration settings it wants, which includes the ability to request a protocol downgrade. Alternatively, someone could jam the 3G or 4G bands by pumping lots of white noise into them, making it too noisy to establish a connection, and phones will downgrade in search of a usable signal. LTE service downgrading is covered in detail at the end of Section 3.5.

Section 3.3: LTE CSS connection techniques

It’s also important to understand how it’s possible for a CSS to get around the safeguards in LTE and other modern protocols that are meant to stop phones from connecting to any base station with a high enough power.

In GSM, phones are always scanning looking for a tower with a higher signal strength to connect to. However, in LTE if the signal strength is above a certain sufficient threshold, the phone will not scan for other towers to connect to in order to save power.

Additionally, in LTE phones keep track of a “nearest neighbors” list that is broadcast from the tower that they are connected to. If for any reason they lose the connection with the tower they’re connected to (or the ability to connect to it), they’ll try to connect to ones that were advertised in the nearest neighbors list first, before doing a full scan of the available LTE bands for other eligible cell towers.

So, how can an attacker force a phone using LTE into connecting to their CSS? One technique would be to masquerade as a tower in the nearest neighbor’s list (e.g. same frequency, same cell id, etc …) and transmit at a higher power, so the phone will eventually switch over.

But there is a faster technique! It relies on the fact that LTE frequencies are assigned various priorities (this is referred to as “absolute priority based cell reselection”), and if a phone sees that there is a base station operating on a higher priority frequency than the one it’s on, it must switch to it, regardless of its signal strength. To discover the higher priority frequencies used in a given area, all that’s required is to extract them from the unencrypted configuration messages from base stations, which anyone can monitor (Shaik et al, 2017).

Using these techniques, attackers can probably force even an LTE phone to connect to their CSS, which reveals the phone’s IMSI and allows followup attacks.

Section 3.4: Location tracking attacks

Often when the dangers of CSSs are being discussed, the focus is on their communication interception ability. However, in practice the consequences of real time location tracking are often much more severe. The potential for location tracking by your cell provider is unavoidable, so the specific threat model being used here is a 3rd party (such as a law enforcement agency) trying to get your location without cooperation from your cell provider.

There are generally two types of location tracking that CSSs are capable of:

Presence testing: check if a phone is present in or absent from a geographic area (where geographic area usually means a “Location Area” from before, i.e. a group of cells)
Fine-grained location: figure out the exact or rough GPS coordinates of a phone either through trilateration or by getting the phone to tell the attacker its exact GPS coordinates

Section 3.4.1: Presence Testing in LTE

Passive Presence Testing

The simplest way to do presence testing in LTE doesn’t actually require someone to have what we usually consider a CSS (e.g. a device that pretends to be a legitimate cell tower). Instead, all that’s required is simple radio equipment to scan the LTE frequencies, e.g. an antenna, an SDR (Software Defined Radio), and a laptop. Passive presence testing gets its name because the attacker doesn’t actually need to do anything other than scan for readily available signals (Shaik et al, 2017).

A fundamental aspect of wireless technology is the paging model. When the network has a message it wants to route to a phone, it sends an “RRC paging message” which is received by every phone listening to their carrier’s paging frequency in that area (which is basically every phone),⁵ asking for that particular phone to contact the base station to negotiate completing a connection to receive a call or message. Thus, phones are constantly listening for RRC paging messages and receiving and discarding ones not addressed to them.

RRC is short for Radio Resource Control, which is the protocol used to communicate between a cell phone and a base station. The RRC takes care of connection establishment and paging notifications that you’re getting a message or phone call, among other things.

The exact way paging works varies based on several factors, including the type of message the network is trying to route to you. For example, say the network is trying to route a phone call to you. Phone calls are considered high priority (since there’s someone on the other side waiting for you to connect), so the network notifies every cell tower in the last Location Area your phone was in to send out the RRC paging message addressed to your phone (as opposed to only the last cell tower the phone was using). More on this later!

RRC paging messages are usually addressed to a TMSI, but sometimes IMSI and IMEI are also used. By monitoring these unencrypted paging channels, anyone can record the IMSIs and TMSIs the network believes is in a given area. In the next section, we’ll see how an attacker can correlate a TMSI to a specific target phone, as right now collecting TMSIs simply means recording pseudonyms.

Additionally, phones periodically transmit unencrypted messages about their location and measurements of cell service quality that anyone with the right equipment can easily intercept. Sometimes these messages contain the phone’s exact GPS location, but usually the information about the signal strength of nearby cells is enough to calculate the phone’s location. We’ll look at these measurement reports in detail in the Exact GPS Coordinates section below.

Semi-Passive Presence Testing

Semi-passive means that the attacker only uses network functions in ways in which they are meant to be used. An example of what it means for an adversary to be “semi-passive”: the attacker can text the person they’re trying to track (assuming they know their phone number) in order to generate a paging message being sent to their phone, but they can’t go and send malicious or malformed data to phones or towers in the area (Shaik et al, 2017).

In this section, we are going to cover two location attacks: one which checks for a phone in a given Location Area (“Basic Location Area Test”), and one which checks for a phone connected to a specific cell tower (the “Smart Paging Test” method, which has a much smaller radius of use).

Basic Location Area Test

The first step of a basic Location Area test is to trigger about 10-20 notifications to the target’s phone via phone calls while also monitoring the RRC paging messages that are sent out. To not alert the user, the attacker can almost immediately hang up after initiating the call so that the paging message makes it to the phone, but the user doesn’t actually get an incoming call notification.

Because there’s someone waiting on the other line to connect to you, phone calls are considered higher priority, so the network notifies every cell tower in the last Location Area the phone was in to send out the RRC paging message (as opposed to only the last cell tower the phone was using). The attacker can then use set intersection analysis (explained in ⁶) with their well-timed calls to figure out the target’s TMSI from the RRC messages.

CSS triggering many RRC paging requests to determine if a phone is in a given LA.

Smart Paging Test

Usually the radius of a Location Area is quite large, so from here the attacker can use something referred to as “smart paging” (explained below) to figure out the exact cell tower the target is using (which translates to knowing the user’s location within a ~2 km radius) (Shaik et al, 2017).

Because general data messages (e.g. WhatsApp and FB Messenger messages) are not high priority, the network initially only broadcasts paging messages for them from the last tower the phone was known to be connected to (this is referred to as “smart paging”). Thus, once the attacker has confirmed the target’s location in a TA (“Tracking Area”), they can test various cells to find the target’s cell. (Note: we’re switching briefly from the “Location Area” terminology to “Tracking Area” here for the sake of a concept covered below.) Similar to before, they send timed WhatsApp or FB Messenger messages and use set intersection analysis to verify the TMSIs being sent in RRC messages in that cell.⁷

Note that in order for this to work, the attacker needs to either have equipment in every cell (which is expensive), or move about through cells repeating this procedure until they get a match.

Section 3.4.2: Active location tracking and exact GPS coordinates

In this section, the attacker’s assumed goal is to find the target’s exact or rough GPS coordinates. In this section, we’ll be describing active attacks, meaning ones in which the attacker can use any means available to them to figure out their target’s information, including operating a CSS and sending malicious or false information to the phone or other cell towers.

In this scenario, suppose the attacker has a CSS and they’ve managed to lure their target into trying to connect using techniques described in Section 3.3. After completing the initial connection procedure steps, the phone enters into a CONNECTED state.

Now the attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.

Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration:

In short, trilateration involves calculating the intersection of circles drawn around the previously specified cell towers, where the radius of each circle is a function of the reported signal strength. Note: trilateration is different than triangulation.

For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al, 2017).

In addition to the technique described above, there is another way to get similar trilateration and GPS data by using RLF (“Radio Link Failure”) reports, but we will not cover it in any detail as it’s similar to the techniques just covered.

Section 3.5: Denial of Service and Downgrading

Cell network denial of service and protocol downgrade attacks are possible (and can have quite similar implementation details, as we’ll see below). Additionally, downgrade attacks make it such that a target phone can be forced down to a less secure protocol, where more severe privacy invasive attacks can be launched.

Section 3.5.1: Protocol downgrade attacks

Suppose that the attacker has set up their CSS and tricked the target into trying to connect (which was covered in Section 3.3). After the initial connection procedure, the phone will send a “Tracking Area Update Request” (“TAU” for short). This kind of message is used by the phone to keep the cell network updated about the phone’s most recent location, so that the network can route calls to it faster. TAU Requests are usually sent by phones whenever they’re connecting to a new base station.

The CSS responds with a “TAU Reject” message. Within the Reject message is something referred to as the “EMM cause numbers”, which indicates why the message was rejected. In this case, the attacker sets it to 7 (“LTE services not allowed”).

Upon receiving this EMM value, the phone deletes all information it had about the previous real network it was connected to, and then puts itself in a state where it considers its SIM card to be invalid for LTE. It then searches for 3G and GSM networks to connect to, and will not again try to negotiate an LTE connection until it is rebooted (Shaik et al, 2017).

The key reason why protocol downgrade attacks are so bad is that it renders LTE-capable phones vulnerable to attacks that normally only work on earlier protocols (e.g. the communication interception from Section 3.2).

Section 3.5.2: Denial of Service (DoS)

If the attacker is looking to launch a large scale DoS attack, the simplest thing is to jam the LTE frequencies by pumping them full of white noise. However, there are also techniques for DoS attacks that only target individual phones.

Launching a denial of service attack against an individual phone is exactly the same as the protocol downgrade attack described above, except the CSS responds with EMM cause number 8 (“LTE and non-LTE services not allowed”). The phone then puts itself in a state where it does not try to negotiate any network connections until it’s been rebooted.

Additionally, there has been some research done into denying select network services (e.g. only allowing SMS, and disallowing calls and data), but for the sake of space we will not be covering this. Please see Shaik et al, 2017 below for details.

Section 4: Detection methods & apps

At this point you’re probably wondering:

Are there ways to detect CSSs?
How to defend oneself from a CSS?
What led to these vulnerabilities in the cell networks and what do we do about them?

These are three questions we’re going to explore in this section, and unfortunately they don’t have simple answers.

Section 4.1: Detection methods

To reiterate an important truth from before: a fundamental problem when researching detection methods is that we don’t know how commercial CSSs work. Instead we rely on how we think they might work based on research findings. It’s important to keep this in mind when going over some of the known detection methods below. This following list is not exhaustive, and instead is meant to be an introduction to this topic.

Unusual base station parameters or fingerprints

There’s been some speculation that commercial CSSs mask themselves as cell towers that are normally in the area, but with some configuration parameters or characteristics being subtly off (e.g. broadcast power is suddenly much higher), enough so that the “fingerprint” of the tower is different. While configuration parameters and other characteristics differ across network operators, they’re usually uniform across a specific operator (Dabrowski et al, 2014).

Missing normal base station capabilities

It’s unlikely that a CSS manufacturer will have implemented the full set of capabilities of a normal base station. Missing capabilities, such as not broadcasting certain standard System Information Broadcast (SIB) messages, being unable to respond to certain standard requests, or there being very little to no paging traffic coming from the base station might be indicators of a CSS (Dabrowski et al, 2014).

Ephemerality

It’s generally believed that CSSs don’t stay in a single place for a significant period of time, and so a base station appearing for only a short period of time could be worth investigating. However, there are also many completely normal reasons why something would only appear for a short period of time. For example, it could simply be testing equipment, or if there’s a large event happening, it could be there to help facilitate the increased traffic load.

The cell landscape is ever changing. Large scale and long term data collection is the best way to survey an area to be able to determine what’s normal versus what’s unusual. The University of Washington’s Sea Glass project is a great example of this.

You can read much more about this topic in Dabrowski et al’s IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. To reiterate, while these could be indicators that something’s amiss, there are also many completely normal reasons (that have nothing to do with surveillance) as to why we’d be seeing unusual behaviour. E.g. testing equipment, temporary equipment brought in for a large event (e.g. at a sporting event), a cell tower crashed and upon restarting broadcasts temporarily incorrect values until it’s completely finished restarting, and so on.

Section 4.2: Detection apps

Many apps have been released that claim to alert users when it seems likely they’re connected to a CSS. The most popular ones include: Android IMSI-Catcher Detector (AIMSICD), SnoopSnitch, Sitch, GSM Spy Finder, Cell Spy Catcher. The quality of these apps varies, and some are still popular despite no longer being maintained.

Most of these apps implement at least some of the detection methods listed above and in Dabrowski et al. Even though sometimes multiple apps will have implemented the same detection methods, they won’t necessarily produce the same result when evaluating if a particular base station is suspicious or not (Borgaonkar et al, 2017). Let’s look at some examples of how detection apps have failed to include basic detection heuristics, as well as how there could be discrepancies in the evaluations they produce.

Varying power levels

One of the previously described detection methods is to track if a tower you’ve seen before suddenly broadcasts at much higher power. In Borgaonkar et al’s White-Stingray: Evaluating IMSI Catchers Detection Applications, researchers analyzed four of the previously mentioned apps and found that while most of them stored regular measurements of BTS power levels, none of them compared new values to historical values. This means that none of the apps could detect when towers had an unusually high broadcast power.

LAC change

As we saw in Section 3.2.1, when phones move to a new Location Area (or when they’re in the process of connecting to a base station that’s advertising as having a different LAC), they’ll need to update their information. As a result, they’ll eventually respond to an Identity Request (the command that reveals a phone’s IMSI). It’s generally believed that CSSs advertise as having a different LAC than the one that corresponds to the area they’re in, allowing them to exploit this mechanism to force phones to hand over their IMSIs or connect to them.

All previously mentioned detection apps monitor for LAC changes. As Borgaonkar et al point out, one of them checks to see if the LAC matches that of neighbouring base stations, and displays a warning to the user when it’s close to the edge of an LA. Since LAC changes are common when the user is near the edge of a LA, these warnings are often false positives. Another app stores all LACs the phone has seen before, and sends out warnings whenever a new one appears, meaning false positive warnings are constantly sent out when the user travels to new places. Another app defaults to marking anything broadcasting a LAC value between 0-9 as suspicious. This is an example of how even though all the detection apps have heuristics for detecting if a base station is suspicious based on a determination that a required value (the LAC) is unusual, their interpretations of how to do this and their implementations vary so much that they produce different results.

Because we don’t have global standards for what’s normal, and because things vary so wildly by country, carrier, etc, it’s difficult to come up with heuristics that could universally work for detecting CSSs. As a result, the apps that have attempted to tackle this problem so far have ended up having dramatically different thresholds for alerts.

Section 4.3: Defending against CSSs

CSSs have such a wide range of capabilities (based on what we know about possible cell network attacks they could be based on) that there is no feasible way to defend against all of the things they can do. Defense should begin by considering what someone’s specific threat model is and coming up with ways to defend after that.

Examples

At the time of writing, there are no publicly known confirmed examples of CSSs being used by law enforcement for communication interception or service denial. However, there are quite a few examples of CSSs being used for location tracking.

Since the main threat CSSs pose is that of real time location tracking, and there are no adjustable user settings one can change to affect this, there are currently no immediate steps one can take to defend themselves against these devices, other than either not having a cell phone, (which isn’t a reasonable option for many of us) or turning off and/or leaving behind your phone when doing something important.

Despite that, there are many steps you can take to defend against online surveillance, many of which we’ve outlined in EFF’s Surveillance Self Defense Guide.

Conclusion: the past & future of cell network security

The intersection of cell networks, security, and user privacy has historically not been an accessible field, but that’s slowly changing. Each year there is more research in this field being published and open source projects (such as srsLTE) that enable this research are improving dramatically—and more people are starting to question why more work isn’t being done to fix these issues.

Cell network security is broken in some pretty fundamental ways. It’s up to all of us over the next few years to demand lawmakers pay closer attention to the issue, and to put pressure on standards groups, carriers, network operators, and vendors to make necessary improvements. Together, we can protect and defend users’ privacy.

References

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl. https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf (Dabrowski et al, 2014)

IMSI Catcher Detection Apps Might Not Be All That Good, Research Suggests. Joseph Cox. https://www.vice.com/en_us/article/neeb5g/stingray-detection-apps-might-not-be-all-that-good-research-suggests

Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. Elad Barkan, Eli Biham, Nathan Keller. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf (Barkan et al, 2006)

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi§and Jean-Pierre Seifert. https://arxiv.org/pdf/1510.07563.pdf (Shaik et al, 2017)

Practical Cellphone Spying. Kristen Paget. Defcon 18. https://www.youtube.com/watch?v=fQSu9cBaojc (Paget, 2010)

White-Stingray: Evaluating IMSI Catchers Detection Applications. Ravishankar Borgaonkar, Andrew Martin, Shinjo Park, Altaf Shaik, Jean-Pierre Seifert. https://ora.ox.ac.uk/objects/uuid:15738ed0-c144-49e9-a4fa-466362cf7754 (Borgaonkar et al, 2017)

Notes

The name “3GPP” is confusing since it contains “3G”. While they didn’t exist when GSM (a 2G technology) was originally being developed, they did later absorb some of the organizations that were responsible for developing GSM. It is still one of the main organizations that develops and maintains existing and future protocols.
Unfortunately, most phones usually don’t have an ability to specify connection settings. Recently some phones have begun to implement features like “use LTE only” though.
Unfortunately, most phones usually don’t have an ability to specify connection settings. Recently some phones have begun to implement features like “use LTE only” though.
According to the Department of Justice, some CSSs can directly collect a subscriber’s phone number, meaning LE can skip the step of subpoenaing a service provider to obtain the subscriber’s phone number. See page 6 of https://www.eff.org/files/2015/11/30/illinois.dist_.ct_.stingrays.pdf.
Generally, the network will first direct the message to the last known cell tower the phone was connected to, and that tower will send out a paging message to everyone listening on its paging frequency. If it doesn’t get a response, then it will spread out and try all the towers in a given Location Area, and so on. The exact details of how this works varies by type of data being routed (e.g. SMS vs phone call vs LTE data message) and by carrier.
Basically, you compare the paging identities in the RRC messages sent out after each short call you initiate, and extract the value(s) that are repeated the number of times you placed calls. You can read a much more here in the Revealing Identities section here: https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf
Note that Facebook messages have the advantage of not needing to know your target’s phone number to be able to trigger a notification being sent to their phone! (The attacker doesn’t need to be Facebook friends with their target either, as Facebook Messenger messages sent to strangers end up in the ‘Other’ folder, but still trigger LTE push notifications that aren’t displayed to the user.)

Downloads

Gotta Catch ‘Em All

source

Understanding and Detecting IMSI Catchers around the World

One of the good things about working in the area of core network security, is the opportunity to find new and unexpected types of attacks. These are attacks you didn’t even know could happen, much less have a chance to prevent. Finding these unexpected attacks doesn’t just happen though, it requires experience and investigation, but most importantly it needs the mindset to dig deeper into any strange events that are encountered, and try to understand them, rather than just assuming they are random malicious events.

In this particular case, we are discussing IMSI Catchers. First off, the term IMSI catcher is a misused and sometimes contradictory term however. As explained here, there are actually 2 types of equipment that those in the public (and many in the industry) would conflate into what they would call IMSI catchers.

‘Active’ IMSI Catchers, also termed Cell Site Simulators (CSS) or Fake Base Stations – these attempt to force local devices to connect to a Call Site Simulator, in order to decrypt the conversation and texts, and to execute man in the middle interception. These would be considered the more ‘traditional’ type of IMSI catchers most would be aware of. Stingrays are also a common term used for these (named after the brand built by Harris Corporation). A good overview of how the Active IMSI /Cell Site Simulators work is here.
Passive IMSI Catchers – these passively listen into the paging of mobile devices as they move and register to new real Cell towers in the local area, in order to get the IMSI numbers of these devices. They are far less precise, and are unable to do any of the more sophisticated type of interception, but involve no interaction between the mobile device and the IMSI Catcher. An overview of how these could work, and how they function is here.

The primary difference between these two is that the more traditional Active IMSI Catcher/CSSs always involves some form of interaction with the mobile device, whereas the Passive IMSI Catcher doesn’t – it literally just listens in to the paging that occurs in the local areas as the mobile device changes between legitimate cell towers in the vicinity. This makes a big difference when it comes to detection of these IMSI Catcher types.

A lot of research has gone into various ways of detecting Active IMSI Catchers, by looking at how they differ from real Cell towers. One distinctive example of what an Active IMSI Catcher might do is the forced downgrading of their target mobile device to use a less secure radio interface. This detection of an Active IMSI Catchers can be difficult, involves a lot of local measurements and often can and has in the past led to false positives, but it gives some results. From the attacker’s perspective it’s also a trade-off in that they must make the effort to physically deploy an Active IMSI Catchers in a sensitive area, and then hope its radio activity doesn’t give it away. This is often why more sophisticated attackers may often resort to using attacks over signalling interfaces such as SS7 and Diameter to achieve their aims, which can be sent from any part of the world.

A Passive IMSI Catcher changes things somewhat. It still involves physical deployment of a system to listen in the local targeted area, but it is essentially undetectable on the radio interface, as it emits nothing that would allow it to be detected. This makes it very valuable to perform long-term surveillance in sensitive areas, when the goal is to have the least chance of being detected, while still trying to determine the IMSIs of who is in the local area.

The issue with both types of IMSI Catchers, from the attacker’s perspective, is that what they are left with are a collection of IMSIs from around the world. While this information may be useful, often you need more information to profile who has been ‘caught’. For Active IMSI Catcher deployments; the attackers may also intercept calls/text messages etc, so have a better idea of the target, but for passive IMSI catchers they won’t have that. What the attackers really need is the co-corresponding phone number – the MSISDN of the mobile device associated with the IMSI – in order to truly figure out the identities of the mobile device their IMSI catcher has caught.

This is where our analysis and investigation has come in. Over time, we have been seeing patterns of unusual requests over the SS7 interface, for particular IMSIs. Specifically, what we have been seeing is our Signalling Firewalls, deployed at multiple customer mobile operators, receiving suspicious MAP_RESTORE_DATA packets for IMSIs from unexpected sources. A MAP_RESTORE_DATA packet is a particular command that requests that the home operator sends details for a particular IMSI to the roamed-to network. Details in this case includes MSISDN (the actual phone number), call forwarding setting and other specific information. Further investigation showed that we always received this command when these IMSIs were near or attached to specific Cell Sites while roaming in a 3rd country and nowhere else.

Our working theory, is that what we are observing is what we now call “IMSI Profilers”. These IMSI Profilers work in conjunction with IMSI Catchers – they take the list of IMSIs that have been detected and request profile information, in order to feed these phone numbers back to the IMSI catcher operator. The sequence of events that we believe to happen is shown above. From log analysis it also seems likely (but can’t be confirmed 100%) that the IMSI Catcher in the 3rd country is of the passive variety. In this particular case, the IMSI Profiler is using a source SS7 address (called a SCCP Global Title or GT) in a small European mobile operator that we have detected previously in our SIGIL/Signalling Intelligence system to be used by multiple surveillance companies, further confirming our suspicion that it is malicious.

Regardless of the IMSI catcher type used, this method of analysing incoming suspicious signalling activity gives the opportunity for mobile operators to partially protect their subscribers against IMSI Catchers around the world, something they didn’t have in the past. It won’t stop an Active IMSI Catcher from forcing a subscriber to connect to them, but it would stop additional information being retrieved. And in the case of passive IMSI catcher it is potentially one of the only ways to detect these remotely and block any more useful information being obtained.

In the long term, improvements in the new 5G radio and core network standards means that mobile operators should be able to greatly improve the ability to block IMSI Catchers over 5G. If these are implemented correctly and no loopholes are introduced then effective 5G IMSI Catchers may never arise. In the interim however, IMSI Catchers – both Passive and Active – are being used globally in the world to track and record individuals without their consent. By analysing incoming signalling traffic, and detecting and blocking these IMSI Profilers, mobile operators now have the opportunity to help protect their subscribers globally, regardless of how stealthy the IMSI Catcher is. source

How to Catch an IMSI Catcher

IMSI catchers, or fake antennas, are a common cell phone surveillance method. The FADe project helped local NGOs in Latin America detect and document these devices.

Civil Society Needs Help Catching IMSI Catchers

Law enforcement, criminals, and repressive governments monitor cell phone signals for the purpose of counter-terrorism, espionage, or political persecution. One common surveillance method is the placement of fake antennas—or IMSI catchers—which imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.

In a high-profile example, a Guatemalan investigation revealed large-scale illegal spying targeting “activists, entrepreneurs, politicians, journalists, diplomats, and social leaders.” Many governments engage in similar practices, often without any meaningful oversight or accountability.

The battle against authoritarian or illegal spying demands a range of methodologies—from legal policies and telecommunications regulations to physical interventions like “Faraday bags,” which shield devices in a casing that blocks electromagnetic transmissions. But the fight between eavesdroppers and victims (often human rights defenders) is not an even one. Most civil society organizations lack the equipment or expertise to effectively monitor phone surveillance.

Equipping Civil Society with Resources to Expose Surveillance

To help Latin American NGOs level the playing field, South Lighthouse created the Fake Antenna Detection project (FADe), with support from Open Technology Fund’s Internet Freedom Fund. The project’s primary focus was detecting and documenting IMSI catchers—surveillance devices that imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.

The FADe team provided training, equipment, and other support to enable local partners to scan for IMSI catchers, analyze their findings and, ideally, make use of the results for advocacy. “A fundamental principle of the program has been partnership and capacitation,” says Andrés Schiavi, Executive Director of South Lighthouse.

FADe’s technology coordinator, Carlos Guerra says, “We wanted to open up a discussion for NGOs about how cell technology works and about how it should work to ensure optimal benefits to people’s safety and people’s rights.”

Using methods initially developed by the SEAGLASS project at the University of Washington and the Electronic Frontier Foundation (EFF), FADe partners assembled simple sensors using a few off-the-shelf electronics, a smartphone, and a “feature phone” (a basic device resembling an early mobile phone that is usually more affordable and durable than a smartphone). The sensor setup sits in a moving vehicle and collects signal information over several weeks from local cell towers.

By analyzing the resulting data, groups can differentiate between signals consistent with legitimate cell towers and signals showing anomalous behaviors, such as a “tower” that changes locations (see animation below); or only operates during certain times; or uses frequencies or signal parameters not used anywhere else in the network. Another common warning sign is suspicious instructions sent to a device, such as a request to disconnect from all other towers, or a command to downgrade from 3G or 4G to a 2G network, which will make the device more vulnerable to surveillance.

A specific cell tower physically moving among different locations is one of the anomalous behaviors that can help identify an IMSI-catcher.

But analysis of these signals can be tricky, says Guerra. “There is no cookie-cutter method,” he says. The data is “noisy,” and cell providers configure their towers differently. It takes many days of monitoring to set a baseline that helps distinguish between legitimate and fake antennas.

The FADe team began working with local organizations in 2018. To mitigate technical and security risks, Schiavi says the first FADe partners were drawn from among South Lighthouse’s network of Latin American organizations. But interest grew rapidly, he says, in part because nothing comparable to the FADe/SEAGLASS approach had ever been available to these organizations. From 2019 to 2022, FADe worked with partners in nine different countries, documenting signals from almost 9,000 antennas, catching more than 150 likely IMSI-catchers.

One of FADe’s local partners, a digital security specialist from Nicaragua, says he was familiar with FADe in 2018 when he read the bombshell reports about Guatemalan surveillance. “The media found the police were using an IMSI-catcher,” he says. “We have known about methods like this in Central America, but we never had the evidence. I said, ‘We need to monitor that. I need to bring this to Nicaragua.’”

Some of the Findings

The results in Nicaragua revealed 23 antennas around Managua with anomalies that indicated the presence of an IMSI catcher. The local partner (who is remaining anonymous for security reasons) says the findings informed a wider discussion in Nicaragua about telephone eavesdropping. Although it was common knowledge that the government had an “open door” from the national ISP to eavesdrop online, the FADe data drove new public scrutiny and media coverage about the use of fake antennas.

Among the other FADe sites, Mexico and Venezuela recorded an especially high number of fake antennas, as experts from PODER recounted in the Washington Post (ES). Data from Caracas, Venezuela, showed 33 different devices with irregular readings that could indicate IMSI-catchers. In Buenos Aires, Argentina, out of 1,000 cell towers monitored, suspicious patterns were found in 17 antennas, with most concentrated around the downtown and university areas. Notably, the suspicious antennas found in Buenos Aires were all on the 2G network, with no irregularities seen in the smaller group of devices on the 4G network, which is known to be harder to surveil. For summaries of the observations in all locations, see the project’s results section. source

Cell-site simulators/ imsi catchers aka Stingray phone tracker

Cell-site simulators/ imsi catchers aka Stingray phone tracker

The Truth News — Sun, 24 Aug 2025 21:49:24 +0000

Cell-site simulators/ imsi catchers aka Stingray phone tracker

Cell-site simulators/ imsi catchers

Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower.

Cell-site simulators operate by conducting a general search of all cell phones within the device’s radius, in violation of basic constitutional protections. Law enforcement use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies and without needing to involve the phone company at all. Cell-site simulators can also log IMSI numbers, (International Mobile Subscriber Identifiers) unique to each SIM card, of all of the mobile devices within a given area. Some cell-site simulators may have advanced features allowing law enforcement to intercept communications.

DOWNLOAD IMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

How Cell-Site Simulators Work

Standard Communication

Cellular networks are distributed over geographic areas called “cells.” Each cell is served by one transceiver, also known as a cell-site or base station. Your phone naturally connects with the closest base station to provide you service as you move through various cells.

Source: EFF

Generally, there are two types of device used by law enforcement that are often referred to interchangeably: passive devices (which we will call IMSI catchers), and active devices (which we will call cell-site simulators.) Passive devices, as a rule, do not transmit any signals. They work by plucking cellular transmissions out of the air, the same way an FM radio works. They then decode (and sometimes decrypt) those signals to find the IMSI of the mobile device and track it.

Active cell-site simulators are much more commonly used by law enforcement, and work very differently from their passive cousins. Cellular devices are designed to connect to the cell site nearby with the strongest signal. To exploit this, cell-site simulators broadcast signals that are either stronger than the legitimate cell sites around them, or are made to appear stronger. This causes devices within range to disconnect from their service providers’ legitimate cell sites and to instead establish a new connection with the cell-site simulator. Cell-site simulators can also take advantage of flaws in the design of cellular protocols (such as 2G/3G/4G/5G) to cause phones to disconnect from a legitimate cell-site and connect to the cell-site simulator instead. For the purposes of this article we will focus on active cell-site simulators.

It is difficult for most people to know whether or not their phone’s signals have been accessed by an active cell-site simulator, and it is impossible for anyone to know if their phone’s signals have been accessed by a passive IMSI catcher. Apps for identifying the use of cell-site simulators, such as SnoopSnitch, may not be verifiably accurate. Some more advanced tools have been built, which may be more accurate. For instance, security researchers at the University of Washington have designed a system to measure the use of cell-site simulators across Seattle, and EFF researchers have designed a similar system.

What Kinds of Data Cell-Site Simulators Collect

Data collected by cell-site simulators can reveal intensely personal information about anyone who carries a phone, whether or not they have ever been suspected of a crime.

Source: EFF

Cell-site simulator surveillance: Cell-site simulators trick your phone into thinking they are base stations.

Once your cellular device has connected to a cell-site simulator, the cell-site simulator can determine your location and trigger your device to transmit its IMSI for later identification. If the cell-site simulator is able to downgrade the cellular connection to a 2G/GSM connection then it can potentially perform much more intrusive acts such as intercepting call metadata (what numbers were called or called the phone and the amount of time on each call), the content of unencrypted phone calls and text messages and some types of data usage (such as websites visited). Additionally, marketing materials produced by the manufacturers of cell-site simulators indicate that they can be configured to divert calls and text messages, edit messages, and even spoof the identity of a caller in text messages and calls on a 2G/GSM network.

How Law Enforcement Uses Cell-Site Simulators

Police can use cell-site simulators to try to locate a person when they already know their phone’s identifying information, or to gather the IMSI (and later the identity) of anyone in a specific area. Some cell-site simulators are small enough to fit in a police cruiser, or even on the vest of an officer, allowing law enforcement officers to drive to multiple locations, capturing from every mobile device in a given area—in some cases up to 10,000 phones at a time. These indiscriminate, dragnet searches include phones located in traditionally protected private spaces, such as homes and doctors’ offices.

Law enforcement officers have used information from cell-site simulators to investigate major and minor crimes and civil offenses. Baltimore Police, for example, have used their devices for a wide variety of purposes, ranging from tracking a kidnapper to trying to locate a man who took his wife’s phone during an argument (and later returned it to her). In one case, Annapolis Police used a cell-site simulator to investigate a robbery involving $56 worth of submarine sandwiches and chicken wings. In Detroit, U.S. Immigration and Customs Enforcement used a cell-site simulator to locate and arrest an undocumented immigrant. In California, the San Bernardino county sheriff’s office used their cell-site simulator over 300 times in a little over a year.

Police may have deployed cell-site simulators at protests. The Miami-Dade Police Department apparently first purchased a cell-site simulator in 2003 to surveil protestors at a Free Trade of the Americas Agreement conference. And it is suspected that they have been used more recently than that during protests against police violence in 2020.

Cell-site simulators are used by the FBI, DEA, NSA, Secret Service, and ICE, as well as the U.S. Army, Navy, Marine Corps, and National Guard. U.S. Marshals and the FBI have attached cell-site simulators to airplanes to track suspects, gathering massive amounts of data about many innocent people in the process. The Texas Observer also uncovered airborne cell-site simulators in use by the Texas National Guard. In 2023 it was revealed that ICE, DHS, and the Secret Service have all used cell-site simulators many times without following their own rules on deployment or getting a warrant.

A recent Congressional Oversight Committee report called on Congress to pass laws requiring a warrant before using cell-site simulators. Some states, such as California, already require a warrant, except in emergency situations.

Who Sells Cell-site Simulators

Harris Corporation is the most well known company providing cell-site simulators to law enforcement. Their Stingray product has become the catchphrase for these devices, but they have subsequently introduced other models, such as Hailstorm, ArrowHead, AmberJack, and KingFish. Harris has stopped selling cell-site simulator technology to local law enforcement agencies but still works with the federal government. Digital Receiver Technology, a division of Boeing, is also a common supplier of the technology, often referred to as “dirtboxes.”

Other sellers of cell-site simulators include Keyw, Octastic, Tactical Support Equipment, Berkeley Varitronics, Cogynte, X-Surveillance, Atos, Rayzone, Martone Radio Technology, Septier Communication, PKI Electronic Intelligence, Datong (Seven Technologies Group), Ability Computers and Software Industries, Gamma Group, Rohde & Schwarz, Meganet Corporation. Manufacturers Septier and Gamma GSM both provide information on what the devices can capture. The Intercept published a secret, internal U.S. government catalogue of various cellphone surveillance devices, as well as an older cell-site simulator manual made available through a Freedom of Information Act request.

Threats Posed by Cell-Site Simulators

Cell-site simulators invade the privacy of everyone who happens to be in a given area, regardless of the fact that the vast majority have not been accused of committing a crime. These are general searches that violate the Fourth Amendment requirement that warrants “particularly” describe who or what is to be searched.

The use of cell-site simulators have been shrouded in government secrecy. Police have used cell-site simulators to track location data without a warrant, by deceptively obtaining “pen register” orders from courts without explaining the true nature of the surveillance. In Baltimore, a judge concluded that law enforcement had intentionally withheld the information from the defense, in violation of their legal disclosure obligations. For a while, police departments tried to keep the use of cell-site simulators secret from not just the public but also the court system, withholding information from defense attorneys and judges—likely due in part to non-disclosure agreements with Harris Corporation. Prosecutors have accepted plea deals to hide their use of cell-site simulators and have even dropped cases rather than revealing information about their use of the technology. U.S. Marshalls have driven files hundreds of miles to thwart public records requests. Police have tried to keep information secret in Sarasota, Florida, Tacoma, Washington, Baltimore, Maryland, and St. Louis, Missouri.

To preserve this secrecy, the FBI told police officers to recreate evidence from the devices, according to a document obtained by the nonprofit investigative journalism outlet Oklahoma Watch.

Cell-site simulators often disrupt cell phone communications within as much as a 500-meter radius of the device, interrupting important communications and even emergency phone calls. Cell-site simulators have been shown to disproportionately affect low-income communities and communities of color. In Baltimore, the use of cell-site simulators disproportionately impacted African-American communities, according to a map included in an FCC complaint that overlaid where Baltimore Police were using stingrays over census data on the city’s black population.

Cell-site simulators can also disrupt emergency calls, such as 911 in the US, making them not only a menace to privacy but to public safety as well.

Cell-site simulators rely on vulnerabilities in our communications system that the government should help fix rather than exploit.

EFF’s Work on Cell-Site Simulators

For the reasons above, EFF opposes police use of cell site simulators. Insofar as law enforcement agencies are using cell-site simulators in criminal investigations, EFF argues that use should be limited in the following ways:

Law enforcement should obtain individualized warrants based on probable cause;
Cell-site simulators should only be used for serious, violent crimes;
Cell-site simulators should only be used for identifying location of a particular phone;
Law enforcement must minimize the collection of data from people who are not the targets of the investigation.
Companies making cell-site simulators must confirm that their technology does not disrupt calls to emergency services.

Litigation

We filed a Freedom of Information Act lawsuit to expose and shine light on the U.S. Marshals Service’s use of cell-site simulators on planes.

Along with the ACLU and ACLU of Maryland, we filed an amicus brief in the first case in the country where a judge threw out evidence obtained as a result of using a cell-site simulator without a warrant.

We filed an amicus brief, along with the ACLU, pointing a court to facts indicating that the Milwaukee Police Department secretly used a cell-site simulator to locate a defendant through his cell phone without a warrant in U.S. vs. Damian Patrick. (The government then admitted to having used it.)

Legislation

We were original co-sponsors of the California Electronic Communications Privacy Act (CalECPA), along with the ACLU and the California Newspaper Publisher Association. This law requires California police to get a warrant before using a cell-site simulator. Any evidence obtained from a cell-site simulator without a warrant is inadmissible in court.

EFF supported S.B. 741, which requires transparency measures regarding the use of cell-site simulators. We collected many of these policies.

Further Research

We have written a report on the technical means possibly used by cell-site simulators called “Gotta Catch ‘em All”, and we have developed a proof of concept technical means of detecting cell-site simulators called Crocodile Hunter.

EFF Cases

State of Maryland v. Kerron Andrews

U.S. v. Damian Patrick

EFF v. U.S. Department of Justice

Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic

Tyler Tucker (University of Florida), Nathaniel Bennett (University of Florida), Martin Kotuliak (ETH Zurich), Simon Erni (ETH Zurich), Srdjan Capkun (ETH Zuerich), Kevin Butler (University of Florida), Patrick Traynor (University of Florida)

IMSI-Catchers allow parties other than cellular network providers to covertly track mobile device users. While the research community has developed many tools to combat this problem, current solutions focus on correlated behavior and are therefore subject to substantial false classifications. In this paper, we present a standards-driven methodology that focuses on the messages an IMSI-Catcher textit{must} use to cause mobile devices to provide their permanent identifiers. That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack. We then perform a measurement study on two continents to characterize the ratio in which connections use these messages in normal operations. We use these benchmarks to compare against open-source IMSI-Catcher implementations and then observe anomalous behavior at a large-scale event with significant media attention. Our analysis strongly implies the presence of an IMSI-Catcher at said public event ($p << 0.005$), thus representing the first publication to provide evidence of the statistical significance of its findings. source

Detecting IMSI Catchers: Tools, Apps and Methods You Should Know

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

The Truth News — Tue, 15 Jul 2025 20:12:18 +0000

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESP32-Div: An ESP32 Based Swiss Army Knife for Wireless Networks

Hardware of ESP32-DIV

The ESP32-DIV is a compact yet powerful device, built from two main sections: the Main Board and the Shield. Together, they enable Wi-Fi, BLE, 2.4GHz, and Sub-GHz operations. Below is a breakdown of the hardware components.

Main Board

LF33: Voltage regulator providing a stable 3.3V supply for reliable operation.
TP4056: Lithium battery charger with built-in protection for safe battery management.
CP2102: USB-to-serial converter for flashing firmware and serial communication.
PCF8574: I/O expander to manage multiple button inputs for user interaction.
SD Card Slot: Stores captured signals, logs, and configurations.
ESP32-U (16MB): The core microcontroller with Wi-Fi and BLE capabilities, featuring 16MB flash memory.
Antenna Connector: Supports external antennas for enhanced signal range.
ILI9341 TFT Display: 2.8-inch screen for user interface and real-time data visualization.
Push Buttons: For navigating menus and interacting with the device.

Shield

3 x NRF24 Modules: Enable 2.4GHz operations, including scanning, jamming, and protocol analysis.
CC1101 Module: Sub-GHz transceiver for replay attacks, jamming, and signal capture.

White Hacker Cyber Security Pro Cifer ” ESP32-Div is a multi-featured wireless analysis device for WiFi, Bluetooth, 2.4 GHz, and sub-GHz signals. While ESP32-Div is not based on SDR technology, it is still an interesting device for wireless hackers to discuss.

ESP32-Div can monitor WiFi packets, spam fake WiFi access points, scan for deauth attacks, and scan nearby WiFi networks. For Bluetooth, it can jam, scan, spoof, and cause unintended behaviours on Apple devices via spoofing the AirDrop function. It can also be used as a general 2.4 GHz scanner and jammer. Finally, it can perform replay attacks and jam signals for sub-GHz signals.

The device consists of a custom PCB with an ESP32 and a built-in battery pack. A piggybacking shield adds 3x NRF24 modules for the 2.4 GHz features and a CC1101 module for the sub-GHz features.

Obviously, functions like jamming and spoofing are highly illegal in most countries, but it is interesting to see the capabilities available to anyone with these cheap chips and the right software. source

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

I’m Cifer, and after months of anticipation, I’m finally ready to introduce you to the ESP32DIV—an upgraded version of my original project that has been years in the making. If you’re excited about wireless tech, cybersecurity, and open-source hardware, then this is the project for you! Today, I’ll walk you through all the new features and the hardware behind this amazing device.

The ESP32DIV Evolution

The ESP32DIV project originally started a few years ago. You all loved the first version, but compared to the new iteration, that one was like a “kindergarten project.” The new version is packed with upgrades and is much more powerful. While the old version only supported Wi-Fi and BLE, the ESP32DIV now has support for 2.4GHz and Sub-GHz frequencies, expanding its capabilities beyond what we originally imagined.

You might be wondering about the name—ESP32DIV. The “ESP32” part is obvious, but “DIV” comes from Persian mythology. In Persian culture, div refers to a supernatural being or demon—powerful and often associated with chaos and evil. It’s a fitting name for a tool that disrupts and manipulates wireless signals!

Exploring the Features

Let’s dive into the features that make the ESP32DIV so special. I’ve split the functionalities into several menus, each offering a unique set of tools for wireless manipulation and analysis.

Wi-Fi Menu:

• Packet Monitor:
The Packet Monitor displays live traffic across all 14 Wi-Fi channels, visualized as a waterfall graph. This feature gives you real-time insight into what’s happening in your Wi-Fi environment.

• Beacon Spammer:
This tool sends out fake Wi-Fi access points (beacon frames) to flood the airwaves. You can use it to disrupt connections, confuse nearby devices, or even trick users into connecting to fake networks. It offers two options: one that targets specific access points with custom names, and another that generates random fake networks.

• Deauth Detector:
This feature scans for deauthentication attacks and other suspicious activity. Originally focused on detecting deauth attacks, it has evolved into a more general-purpose threat detection tool.

• Wi-Fi Scanner:
The Wi-Fi Scanner provides a full list of nearby Wi-Fi networks along with detailed information about each one. It’s perfect for network analysis or security assessments.

Bluetooth Menu:

• BLE Jammer:
The BLE Jammer floods Bluetooth Low Energy (BLE) advertising channels with noise, making it harder for devices to discover or connect to each other. It also supports classic Bluetooth channels.

• BLE Spoofer:
The BLE Spoofer mimics real BLE devices by sending fake advertising packets. You can impersonate specific devices and launch spoofing operations to test how other devices respond to fake signals.

• Sour Apple:
Designed for Apple devices, the Sour Apple tool exploits BLE features like AirDrop and Continuity. It spoofs Apple BLE advertisements to trigger unintended behaviors or potentially cause data leaks.

• BLE Scanner:
This tool scans for nearby BLE devices, even those normally hidden from your phone or laptop. You’ll receive detailed information on each device, making it great for analysis or security research.

2.4GHz Menu:

• 2.4GHz Scanner:
This scans the entire 2.4GHz spectrum across 128 channels, enabling detection of a variety of wireless protocols—not just Wi-Fi and Bluetooth. It’s especially useful for spotting Zigbee networks or proprietary RF protocols operating in the same frequency range.

• Protokill:
Protokill lets you jam different wireless protocols on the 2.4GHz band, including Zigbee and Wi-Fi. It’s perfect for stress testing protocols and conducting specific jamming operations.

Sub-GHz Menu:
• Replay Attack:
Capture a signal (such as a door unlock command) and replay it to gain unauthorized access. This tool allows you to store and replay captured signals, visualized with a real-time waterfall graph to help you better understand the process.

• Sub-GHz Jammer:
This feature disrupts wireless communication in Sub-GHz frequencies, targeting devices like garage door openers, remote controls, and IoT sensors. You can select specific frequencies to jam or let the device automatically cycle through them.

• Saved Profiles:
This section stores all captured signals from the Replay Attack feature, allowing you to revisit them, replay frequencies, or delete profiles as needed.

The Hardware Behind ESP32DIV

Now that you’ve seen the features, let’s take a look at the hardware. The ESP32DIV is made of two main sections: the Main Board and the Shield.

Main Board:

• LF33: A voltage regulator providing a stable 3.3V supply.
• TP4056: Lithium battery charger with protection.
• CP2102: USB-to-serial converter for flashing and communication.
• PCF8574: I/O expander for managing multiple button inputs.
• SD Card Slot: For saving captured signals, logs, and configurations.
• ESP32-U (16MB version): The core microcontroller with Wi-Fi and BLE.
• Antenna Connector: For connecting external antennas.
• ILI9341 TFT Display: A 2.8-inch screen for UI and live data.
• Push Buttons: For menu navigation.

Shield:
• 3 x NRF24 Modules: For 2.4GHz operations like jamming and attacks.

• CC1101 Module: Su

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

In our increasingly connected world, where Wi-Fi networks are the backbone of our digital lives, there’s a growing need for tools that can help us understand, troubleshoot, and secure these networks. Imagine having a device that can not only monitor network traffic but also scan for nearby Wi-Fi networks, simulate beacon frames, and detect deauthentication attacks. Sounds intriguing, right? Well, you’re in luck because we’ve built just the gadget for you.

About the Project

Our creation is a versatile gadget that combines the power of the ESP32 microcontroller, the visual appeal of an ST7735 TFT LCD screen, and the convenience of microswitches for easy navigation. This multifaceted device is designed to assist network administrators, security enthusiasts, and IoT developers in understanding and managing wireless networks.

Let’s dive deeper into the features, the technology, and the journey of building this remarkable gadget.

Features

Our ESP32-based gadget boasts four main features, each catering to a specific aspect of wireless network management:

• Packet Monitor
The Packet Monitor function allows you to capture and analyze network traffic in real-time. Whether you’re troubleshooting network issues or simply curious about the data flowing through the airwaves, this feature provides valuable insights.

• Wi-Fi Analyzer
With the Wi-Fi Analyzer, you can scan the vicinity for available Wi-Fi networks. Discover SSIDs, signal strengths, and security protocols, all at the press of a button. It’s an indispensable tool for finding the best Wi-Fi connection.

• Beacon Spam
Beacon Spamming is both intriguing and educational. It involves simulating beacon frames to broadcast information about a non-existent network. While not for malicious purposes, this function sheds light on the inner workings of Wi-Fi networks.

• Deauth Detector
Network security is paramount, and the Deauth Detector function ensures you stay vigilant. It monitors for deauthentication packets, often a sign of an unauthorized intrusion. When detected, the gadget alerts you with both visual and audible cues.

Now that you’re familiar with what our gadget can do let’s get into the nitty-gritty of creating your very own wireless network Swiss Army knife.

Getting Started

• TFT LCD ST7735
The ST7735 TFT LCD is the visual gateway to your gadget’s capabilities. Its vibrant display provides real-time feedback and enables user interaction. With a resolution of X by Y, it ensures that information is presented clearly and intuitively.

• ESP32 Microcontroller
The ESP32 microcontroller is the brains behind the operation. Its built-in Wi-Fi and Bluetooth capabilities make it the ideal choice for this project. It handles the various functions, communicates with the TFT LCD, and manages user input through micro switches.

• Micro Switches
Navigation is made easy thanks to the inclusion of micro switches. These tactile buttons allow users to move through menus, select functions, and interact with the gadget effortlessly.

Schematic

Before you begin assembling your gadget, it’s essential to understand the connections between the components. The table below outlines the connections between the ESP32, ST7735 TFT LCD, and micro switches:

• ESP32 / st7735 TFT LCD

Pin Name	Description
14	CS
33	RST
27	DC
18	CLK
23	DIN
5V	VCC
3V3	LED
GND	GND

• ESP32 / Micro Switch

Name	GPIO Pin
Select	25
Up	21
Down	22
Back	26

Core Functions

Now, let’s delve into the core functions of your gadget:

• Packet Monitoring
the packet monitor allows you to receive the packets and surveillance the specific chosen channel. The Packet Monitoring function leverages the ESP32’s Wi-Fi capabilities to capture and analyze wireless packets. in promiscuous mode, enabling it to monitor all nearby Wi-Fi traffic. The information gathered is then displayed on the TFT LCD screen in real time.

• Wi-Fi Scanning
The Wi-Fi Scanning function detects and lists nearby access points. You’ll utilize the ESP32’s scanning functions to retrieve information about SSIDs, signal strengths, channels and security protocols. This valuable data is presented to the user for network selection.

• Beacon Spamming
in this section, by choosing the desired channel you can create and spam fake Wi-Fi access points. Beacon Spamming involves crafting and broadcasting fake beacon frames. This function is for educational purposes, allowing users to understand how networks announce their presence.

• Deauth Detection
Implement de-authentication detection by monitoring the network for deauth packets. all channels will be scanned for any de-authentication attack and will display the amount of detected packets for every channel. When detected, trigger the buzzer and LED to alert the user.

Use Cases

Explore practical use cases for your gadget:

Network Troubleshooting: Use the packet monitoring and Wi-Fi scanning functions to troubleshoot network issues, identify interference, and optimize Wi-Fi performance.

Ethical Hacking Practice: Beacon spamming and deauth detection can be used for educational purposes in learning about network security and ethical hacking techniques.

Security Audits: Offer your gadget as a tool for security professionals to perform security audits on wireless networks.

IoT Projects: Extend the capabilities of your gadget by integrating it into IoT projects where wireless network monitoring is essential.

Code

If you’re interested in building this project on your own, the code is available on GitHub. Simply go to the GitHub repository, and download the code.

GitHub repository: github.com/cifertech/ESP32-DIV

Special Thanks to Our Sponsor: PCBWay

No project is complete without the right tools and materials. That’s where our sponsor, PCBWay, stepped in to provide essential support for this project. PCBWay is a leading provider of high-quality printed circuit boards (PCBs) and PCB assembly services.

Website: PCBWay Official Website

Conclusion

In this blog, we embarked on an exciting journey to create a multifunctional gadget using the ESP32 microcontroller, a TFT LCD, and various other components. We explored the hardware components, designed a custom PCB, programmed the device to perform packet monitoring, Wi-Fi scanning, beacon spamming, and deauth detection, and discussed practical use cases.

The world of wireless network monitoring and security is vast, and our gadget can be a valuable tool for enthusiasts, professionals, and learners alike. By understanding the core functions and use cases, you’re well-equipped to build, use, and expand upon this versatile ESP32-based device.

As technology continues to evolve, having the ability to create custom gadgets that address specific needs becomes increasingly valuable. Whether you’re a tinkerer, a student, or a professional, the skills and knowledge gained from this project open doors to countless possibilities in the world of IoT and network security.

So, what’s next for your ESP32 gadget? Will you explore more functions, enhance the user interface, or find new and innovative ways to apply it in your projects? The choice is yours, and the journey is bound to be exciting and rewarding.source

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

Imagine having a device that can not only monitor network traffic but also scan for nearby Wi-Fi networks, simulate beacon frames, and

View this post on Instagram

A post shared by Cifer (@cifertech)

What is a Wi-Fi Pineapple? How to Protect Yourself From Pineapple Attacks

The Truth News — Mon, 14 Jul 2025 21:00:06 +0000

What is a Wi-Fi Pineapple? How to Protect Yourself From Pineapple Attacks

Wi-Fi Pineapples trick you into connecting to fake networks, in an attempt to compromise your security and data.
Protect yourself by avoiding public Wi-Fi, using VPNs, and watching for suspicious activity.
Businesses should invest in secure Wi-Fi hardware, monitor their networks for unknown devices, and pay attention to what their IT department says.

“Wi-Fi Pineapple” is a silly name for a real threat to your cybersecurity. These devices trick you into connecting to fake Wi-Fi networks to intercept data and compromise your privacy. Here’s how to protect against Pineapples and Wi-Fi attacks.

What Is a Wi-Fi Pineapple?

A Wi-Fi Pineapple is a device ostensibly sold for Wi-Fi security auditing, that can also be used to perform real attacks on your devices.

It’s not literally a pineapple (though I’m sure some enterprising hacker out there has at least attempted to house a Raspberry Pi in an actual pineapple fruit), but named because early devices resembled pineapples, with antennas sticking out at all angles much like pineapple leaves.

“Wi-Fi Pineapple” referred to a specific commercial device that automates man-in-the-middle attacks, but these attacks can also be performed with readily available off-the-shelf hardware, including laptops and single board computers.

\n
\n "">

How Do Wi-Fi Attacks Work?

There are two main types of attacks that use Wi-Fi networks: “evil twin” attacks impersonate known Wi-Fi networks, and trick your device into connecting to them, intercepting data and potentially giving remote access to your device. “Rogue AP (access point)” attacks advertise open networks in the hope that naive or internet-desperate users will connect, with the same outcomes.

Malicious Wi-Fi hotspots are set up in coffee shops, airports, and hotels in an attempt to get you to connect without any technical trickery. Often, simply naming the network something legitimate-sounding (like the name of the hotel) is enough to fool people into thinking it’s the real deal.

Joe Fedewa \/ How-To Geek<\/em>"">

For individuals, the primary threat of joining a malicious Wi-Fi network is the interception and recording of the data that is transmitted: emails, social network logins, and other sensitive information (including what websites you visit) can be recorded, and even if encrypted, there’s still the possibility that they can be exploited. Devices with improperly configured firewalls may also be remotely accessed via a compromised network, putting all the data on your device at risk.

For businesses, there is an additional threat: Wi-Fi Pineapples and other malicious devices can be inserted into networks (either using an unguarded Ethernet socket, or by capturing legitimate Wi-Fi credentials and cracking them), granting the attacker unfettered access to internal company infrastructure.

How To Protect Yourself From Pineapples

The best way to protect yourself from a pineapple is to stay out of its way. Avoid public Wi-Fi if you can by tethering to your mobile phone to get online. If you do have to use public Wi-Fi, use a reputable VPN and set it up so that all internet traffic must go through it (known as a “kill switch” in some VPN interfaces). Travel routers are also great for this, allowing you to tether multiple devices or put multiple devices behind a VPN.

While an actual Wi-Fi Pineapple device may be difficult to detect, there are additional measures you can take to protect yourself from fake hotspots and man-in-the-middle attacks in general. Before you connect to a network, check for duplicates or suspicious network names, and avoid scanning QR codes to connect unless they’re in a position they’re unlikely to have been tampered with. You can also disable auto-connect for public networks you’ve joined previously so that you don’t mistakenly reconnect to an impostor.

At home, make sure you change the default Wi-Fi network and administrator passwords and set up a guest network for visitors to use. A separate IoT network for your “smart” devices can also prevent them becoming a vector for network intruders. If you notice similar network names appearing in your neighborhood, consider changing the name of your own network so you don’t accidentally connect to someone else’s.

Generally, you should always heed SSL certificate warnings and unexpected redirects that may indicate your connection has been compromised. Never log into a website or app if you see one of these warnings. If you’re on public Wi-Fi, disconnect, and if you’re at home, start taking steps to diagnose and fix the issue(or call your local tech support). If a website login screen looks different to what you’re used to, you should also be suspicious that your traffic may be being re-routed to a fake site intended to steal your details.

How Businesses Can Prevent Pineapple Attacks

If you run a business that provides Wi-Fi to staff or the public, it’s your responsibility to keep it secure. Give your IT team the time and resources they need to deploy, secure, and maintain infrastructure properly, or risk it falling out of date and being vulnerable to new attacks.

Your network should be regularly scanned for unauthorized devices and rogue Wi-Fi networks that may have been set up to trap employees or customers. If something suspicious is found, hunt down the rogue device (it might be hiding in a dusty corner under a couch in a café, for example) and remove it. Use enterprise-grade Wi-Fi hardware like Unifi that provides client isolation, management tools, and additional security features to make sure your network is under your control.

Tips for Staying Safe in a Dangerous Digital World

Antivirus and personal firewalls also play a key part in staying safe when connecting to public networks. If your device is compromised, they can help detect and block malicious software and activity so that you can secure your accounts and get your device fixed.

There’s also a laundry list of security tips and best practices you should follow to help prevent yourself becoming a victim of cybercrime. Following security advice can be inconvenient (especially when you really need to get online and you’re out of phone reception), but it’s worth it in the long run. source

Building a $23 Wi-Fi Pineapple in 6 Minutes ― EASIEST method!

The Truth News — Sat, 12 Jul 2025 15:12:24 +0000

Building a $23 Wi-Fi Pineapple in 6 Minutes ― EASIEST method!

WIFI Pineapple : DIY WIFI Pineapple Setup Guide

Tp-Link Router with WIFI Pineapple Firmware

I was just poking around for new projects and stumbled upon something cool. I’ve always had my eye on the Hak5 Wi-Fi Pineapple to build up my red teaming toolkit, but I needed to stick to a budget. The Hak5 Wifi Pineapple is a powerful and versatile wireless penetration testing. It allows users to create rogue Wi-Fi networks, enabling them to intercept and analyze network traffic for security testing purposes. It could perform Evil Portal, MITM, DNS poisoning and many wireless attacks using web interface.

After some initial research, I found that the Wifi Pineapple runs on OpenWrt. Also, I found this GitHub project by Xchwarze which talks about cloning the Wifi Pineapple.

Here’s the outline of this project:

Install OpenWrt firmware.
Install the Pineapple firmware upgrade file.
Set up Wifi Pineapple.

You’ll need the following essentials for this project:

Any compatible router with OpenWRT (I’ll be using Tp-Link Archer C7).
A USB drive for installing modules.
OpenWrt 19.07.7.
Wi-Fi Pineapple firmware.

With these in hand, we’re ready to proceed with the setup process! So, let’s jump right into it!

Install OpenWrt firmware:

Download the OpenWrt firmware 19.07.7 using this link. Then, navigate to your default router login page and upgrade the firmware by simply uploading the OpenWrt router firmware file.

It will take a few minutes for the router to reboot. Do not restart or power off your router during this process, as it may brick your device. Once it’s flashed with OpenWrt, it’s time to upgrade to the Pineapple firmware.

Install the Pineapple firmware upgrade file:

First, we need to download the Pineapple firmware upgrade file. Choose the appropriate router and download the firmware file from the Github repo. For my setup, I will be using the Archer C7 v4 universal file.

Connect your device using an Ethernet port and open 192.168.1.1 in your browser. Navigate to the System tab and click on the Flash Image option. Choose the Flash Image and upload the Pineapple firmware sysupgrade file you recently downloaded. Uncheck the “Keep settings and retain the current configuration” box, then click continue. Again, this process should take a couple of minutes. Just a reminder: do not restart or power off your router during this time to avoid any interruptions in the firmware upgrade.

Setup Wifi Pineapple:

Once the router restarts, connect it to the internet and browse to 172.16.42.1:1471 to setup your WIFI Pineapple. Congratulations, enjoy your newly configured Wifi Pineapple!”

Wifi Pineapple Dashboard

Now that the Wifi Pineapple is set up, let’s proceed with installing modules to make it fully functional.

Plug the USB drive into the router and format it using the provided tool under Advanced > USB & Storage > Format SD Card. This step ensures your USB drive is ready to install the necessary modules for your Wifi Pineapple.

Simply click the Get Modules button and then click Install for the modules you would like to use. Be sure to install dependencies for each module once they are installed.

Installing Modules

Conclusion

This is just a proof of concept to show that we can build a Wifi Pineapple on a budget, achieving similar functionality as the official one. Of course, I’d still suggest buying the Hak5 WIFI Pineapple to support the creators. I had a blast experimenting with my homemade version.

I’m thinking of getting a compatible router like Gl.iNet, which is pocket-sized and can be powered by a power bank. This could come in handy, especially when traveling with a gigantic router is a hassle. Big thanks to Xchwarze for sharing this project with the community. source

DIY WiFi Pineapple

Introduction

This guide will give you everything you need to build your own customizable wifi pineapple on a budget using the GL.iNet GL-AR150. The guide includes step by step pictures, alternative analysis, power metrics, and more!

What is WiFi Pineapple?

WiFi Pineapple is formally a product produced and sold by the company Hak5
The device is used as a pentest tool and can be used as a rogue access point in both passive and active attacks.
Check out the official documentation for more information: https://wiki.wifipineapple.com

This guide contains the following sections:

Comparing Pineapples – Shows hardware differences of both products
Materials Needed – List of materials you need to build an AR150 WiFi Pineapple
Flashing Pineapple Firmware – Step by step guide to install the Pineapple firmware
Hardware Modifications – A guide to integrate the USB hub into the case of the AR150

For additional resources on my website click the links below:

Comparing Pineapples

Hardware Differences: None

	Nano	AR150
CPU	Atheros9331, 400MHz SoC	Atheros9331, 400MHz SoC
Memory	DDR2 64MB	DDR2 64MB
Storage	Flash 16MB	Flash 16MB
Wireless 1	Atheros AR9331 (IEEE 802.11 b/g/n)	Atheros AR9331 (IEEE 802.11 b/g/n)
Wireless 2	Atheros AR9271 (IEEE 802.11 b/g/n)	RT5370 USB WiFi Adapter (IEEE 802.11 b/g/n)
Price	$100	$35

Materials Needed

Basic (Total $35):

AR150 – $26 (https://www.amazon.com/dp/B01FJ4S9JK)
RT5370 Wifi adapter – $6 (https://www.ebay.com/itm/282647848601)
Flash Drive (1gb and up)
USB 2.0 Hub (NOT 3.0)
Power adapter or external battery (CURRENT)

Advanced Materials:

USB Hub – $4 (https://www.ebay.com/itm/173995917456)
Soldering Iron with fine “I” tip (https://www.amazon.com/dp/B07GTGGLXN)
Helping Hand (https://www.amazon.com/dp/B000P42O3C)
3D Printed Case Extension
- Print: https://github.com/LinuxOperator/AR150-Case-Extension
- Buy:

Flash Pineapple Firmware

Step 1:

Download the WiFi Pineapple firmware that was modified for the AR150: gl-ar150-nano--optimized.bin

Step 2:

Power on AR150 and connect a computer to the device’s LAN by one of the following:

Connect an Ethernet cable to your computer from the “LAN” port
Connect to its WiFi network “GL-AR150-xxx” using the password “goodlife”

Step 3:

Navigate to http://192.168.1.1 in a web browser and perform initial setup:

Set Password (Note: this password will only be used once)

Step 4:

From the admin panel click on “More Settings” then click “Advanced”

Step 5:

Step 6:

Click on “System” then on “Backup / Flash Firmware”

Step 7:

Flash the optimized .bin file:
- Under “Flash new firmware image” uncheck “Keep settings”
- Choose File and select the .bin you downloaded in step 1
- Click “Flash image”

Step 8:

Click “Proceed”

Step 9:

Wait about 5min for the flash to complete.
Join the new network:
- The device will now have a different Wifi SSID and IP address range.
- Follow the guide bellow to connect to the pineapple over Wifi or LAN…

Step 10:

If on WiFi

Search for a network with “pineapple” in the name, connect to it
Change your computer’s IP address to “172.16.42.42”
Navigate to https://172.16.42.1:1471 in your web browser
When you see the prompt for “Secure Setup”, proceed by holding the reset button for ~5 seconds

If on Ethernet LAN

Change your computer’s IP address to “172.16.42.42”
Navigate to https://172.16.42.1:1471 in your web browser
When you see the prompt for “Secure Setup”, proceed by quickly pressing the reset button (don’t hold it)

Step 11:

Pineapple Configuration:
- Root Password
- Time Zone
- other

Hardware Modifications

Step 1:

Remove the back cover

Step 2:

Dissasemble the USB Hub (A screwdriver and some prying should do the trick, don’t damage the female usb ports)

Step 3:

Note the order of the wires, the wires should go in this order onto the AR150 board

Step 4:

Solder the wires with a fine soldering tip (“I” is recommended)

Step 5:

3D print the case extender using the following settings (or Buy: )
Plastic: PLA or PETG (ABS may shrink and cause model to not fit)
Layer Height:
Density: %

Step 6:

Insert the USB hub and hot glue it in place for added support

Step 7:

Snap the pieces together making sure it is correctly aligned source

HOW TO USE YOUR WIFI PINEAPPLE

if you need a full sevice PCB manufacturer go here PCBWay

GitHub/ wifi-pineapple-cloner

by xchwarze

learn how to defend yourself below

What is a Wi-Fi Pineapple? How to Protect Yourself From Pineapple Attacks

WiFi Pineapple Definition & Pineapple Router Uses

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

A WiFi Pineapple is a small piece of equipment with a silly name and a lot of power. Some people use this tool for a legitimate security purpose. Others use it for hacking.

Whether you work in security or are concerned about the safety of your own data, it pays to know what a Pineapple router is. Chances are, you’ll encounter it at least once during your lifetime.

What Is a WiFi Pineapple?

The size and shape of this device give the WiFi Pineapple its name. It’s a small, black device with several spikes. Developers thought it looked a bit like tropical fruit, so they named it accordingly.

The WiFi Pineapple was developed by Hak5, a private company. For about $100opens in a new tab, you can purchase one for yourself or your company. And you’re not required to disclose what you’d like to use it for.

Hak5 is known for creating testing tools. When the WiFi Pineapple was released in 2008opens in a new tab, most people assumed testers would find it useful and everyone else would ignore it. The reality is a bit different.

How a WiFi Pineapple Works

< Open a WiFi channel on your computer, and the device will make a connection to an available router. A WiFi Pineapple is positioned between the device and the router, and with the proper programming, it can inspect all the data as it moves from one location to another.

Setting up a WiFi Pineapple isn’t always easy. Bloggers who detail their work create posts that take up dozens of screensopens in a new tab. But when the work is done, you’ll be able to look over all the traffic moving to and from a device and a WiFi router.

The device makes use of the underlying technology in any WiFi system. When you connect to a WiFi, your device remembers the service set identifier (SSI) of that router. When you’re in the same location, your device seeks out a router with the right SSI.

A WiFi Pineapple imitates the proper SSI, and that means anyone preprogrammed to connect will link with the Pineapple router instead.

Legitimate Uses of a Pineapple Router

Computer security experts must understand how their systems work, where they are breaking, and why they might be vulnerable to an attack. A Pineapple WiFi router makes that work much easier.

During a penetration test (or pentest), experts attempt to hack a system, and they document their work for fixes and corrections. Typically, a pentest requires specialized software and operating systemsopens in a new tab. But a WiFi Pineapple makes it really easy.

A security analyst might set up a Pineapple WiFi and then:

Look for hookups. Do people from your company attach to it automatically rather than using your authorized WiFi?
Watch for disclosures. During a man-in-the-middle attack, a hacker watches all the data that passes between a device and a server. A WiFi Pineapple mimics this approach. How much would an attacker see?
Seek out access. Can a hacker who sets up a man-in-the-middle attack gain further access to your system?
Watch for alarms. Do your automated systems catch the intruder? How long does it take?

WiFi Pineapple softwareopens in a new tab makes monitoring easy. You’ll get email alerts throughout the simulated attack, and you can even tag interesting devices and follow them after they’ve been tapped by the program.

Someone using a WiFi Pineapple emerges with a significant amount of data about how the system works and what should be fixed.

Hackers Use Pineapple WiFi Too

Just as security experts can launch man-in-the-middle attacks, so can hackers. The technology works in the same way.

A hacker might take over the SSI of a well-known WiFi router, such as one located inside of a college campus. An attack might look like this:

Select victims. Anyone who has attached to the server before is a target.
Set up the attack. Using the WiFi Pineapple, the hacker spoofs the SSI of the intended server.
Connect. A student comes within range of the spoofed router and connects.
Attack. The hacker can now see everything that moves from the device to the server and back.

A quick search brings up plenty of step-by-step instructionsopens in a new tab hackers can follow to craft code. All they need are willing victims.

Unfortunately, many people are willing to connect with WiFi resources that seem free and readily available. They may push past security warnings and decline commonsense steps so they can hop online and complete their tasks.

A hacker even launched an attack like this at a conference for hackersopens in a new tab, proving that it’s almost irresistible for some people.

But some devices now come with sophisticated warning systems, and some don’t allow connections with devices that don’t seem secure or legitimate. Some hackers believe the WiFi Pineapple heyday is overopens in a new tab, as taking control is more difficult now than it once was.

But if a hacker can execute an attack like this, they can gain access to critical information, such as these:

Social Security numbers
Photographs
Bank account numbers
Passwords

Protecting Against Wireless Pineapple Attacks

Hackers are clever, and they use all sorts of tips and tricks to gain access into assets they have no business touching.

Commonsense protection steps involve:

Avoiding public WiFi. Don’t connect to any device you don’t own. Rely on your cell service instead.
Turning off WiFi when you leave your house. Don’t allow your device to scan for SSIDs as you move from location to location. Snap off the functionality when you’re on the go.
Leaning on a VPN. Virtual private networksopens in a new tab (or VPNs) encrypt your data as it moves through the internet. Even if you’re connected via a WiFi Pineapple, your data will be protected.

We can help too. Contact us to learn how Okta can help keep your data and users safe from network attacks and vulnerabilities. source

in case the youtube videos are deleted here they are

https://goodshepherdmedia.net/wp-content/uploads/2025/07/Build-a-23-Wi-Fi-Pineapple-in-6-Minutes-—-EASIEST-Method-pt-1.mp4

https://goodshepherdmedia.net/wp-content/uploads/2025/07/Upgrading-the-23-Wi-Fi-Pineapple-for-MAX-Hackability-part-2.mp4

https://goodshepherdmedia.net/wp-content/uploads/2025/07/How-Hackers-Use-DNS-Spoofing-to-Phish-Passwords-WiFi-Pineapple-Demo.mp4

https://goodshepherdmedia.net/wp-content/uploads/2025/07/Did-you-know-you-can-make-your-own-Wifi-Pineapple-for-30_.mp4

ESP32 Marauder Puts a Bluetooth and Wi-Fi Pen Testing Toolkit In Your Pocket

The Truth News — Mon, 23 Jun 2025 17:45:57 +0000

UPDATE: justcallmekoko has launched a new iteration of the Marauder (v6) for $60, which includes a sleeker look, options for external antennas, and the ability to update its firmware over Wi-Fi and/or SD card.

The original article continues below.

Penetration testers and security analysts looking for an easily-pocketable tool for Bluetooth and Wi-Fi testing purposes have another option, in the form of the ESP32 Marauder from security tester justcallmekoko.

“The Marauder is a portable penetration testing tool created for Wi-Fi and Bluetooth analysis,” the pseudonymous justcallmekoko explains. “It comes installed with a suite of offensive and defensive tools all running on an ESP32. I was inspired to create this tool by Spacehuhn’s deauther project. I wanted to bring similar functionality to the ESP32 and introduce new Bluetooth capabilities to the tool.”

“The tool itself serves as a portable device used to test and analyze Wi-Fi and Bluetooth devices. Use this tool and its firmware with caution as the use of some of its capabilities without explicit consent from the target owner is unlawful in most countries.”

The firmware justcallmekoko has created is compatible with any ESP32-based development board, and designed to provide feedback via a 2.8″ ILI9341-based TFT touchscreen display. The pre-assembled versions take the firmware and install it onto a custom PCB with Espressif ESP32-WROOM chip at its heart and an integrated lithium-polymer charging circuit for power on the go.

The custom PCB is powered by an ESP32-WROOM. (: justcallmekoko)

The entire unit is then enclosed in a 3D-printed chassis, which in the case of the pre-assembled version comes in a selection of colors: black, “Galaxy Black,” neon green, and silver. Justcallmekoko warns, however, that “most of the work so far has been put into designing the hardware,” meaning that the current release has “limited firmware capabilities” — but that development is ongoing to add new features and functionality.

More details on the project can be found on GitHub, where the firmware, hardware, and 3D print files can be downloaded; the pre-assembled ESP32 Marauder, meanwhile, can be purchased from Tindie. source

ESP32 Marauder Kit Assembly and Programming Guide

Thank you for purchasing the ESP32 Marauder Kit! Let’s get started with assembling and programming your device.

Things You’ll Need

A computer with Google Chrome
A 3 mm Allen Wrench
An ESP32 Marauder Kit

Programming the Device

1. First lets program the device as the buttons are not accessible while assembled. Go to :
  Marauder Online Flasher (https://flasher.biscuitshop.us)
2. Hold the BOOT button (bottom one) on the back of the Marauder while plugging it into your computer. The screen should stay black if done correctly.
3. Click the connect button on the website and select the COM port associated with your device. If you have multiple COM ports, unplug the device, see which port disappears, then repeat step two and connect to the correct port.

1. Click the dropdown menu and select CYD2USB w/o GPS. Do not choose the one shown in the pic (Unless you purchased from me early on and your device does not have USB-C), I have started using the new models for all orders going forward.

1. Click the latest version 2.8 inch – (1.0.0) and click the program button. Allow it to finish without switching windows.

Once programming is complete, the display will stay black. Power cycle the device, and it should boot into the Marauder firmware.

This same process can be used to update your device as new releases come out. As of July 15, 2024, Version 1.0.0 has just been released.

Assembling the Device

Switch to Battery-Powered Instructions

Take the bottom part of the case and place the ESP32 Marauder PCB into it.
Install the top cover and use the 4 provided screws to fasten it to the bottom half.

source

Work IT? Know What a BLEShark Nano is? Lets Explore….

The Truth News — Tue, 13 May 2025 15:11:26 +0000

Work IT? Know What a BLEShark Nano is? Lets Explore….

BLEShark Nano: A Compact Wireless Multi-Tool for Hackers

https://goodshepherdmedia.net/wp-content/uploads/2025/05/The-Truth-The-concept-of-law-rules-and-morality-require-equality.mp4

InfiShark’s BLEShark Nano Is a Pocket-Friendly Espressif ESP32-Powered Bluetooth and Wi-Fi Tool

Built around a Seeed Studio XIAO ESP32C3, this tiny tool delivers powerful potential — but in a proprietary firmware.

A portable device for testing Bluetooth. Wi-Fi, and Infrared vulnerabilities—including games, apps, auto updates, and a buttery-smooth interface.

The multi-functional Bluetooth Low Energy (BLE) and Wi-Fi security-testing and debugging tool is priced at at $35, at claimed 10 percent discount over the eventual retail price — with discounts rising if you need more than one unit, maxing out at 20 per cent for “early bird” backers of a five-pack.

The campaign is now live on Kickstarter, with all hardware expected to ship in March or April 2025.

Original article continues below.

Ontario-based InfiShark Tech is preparing to launch a crowdfunding campaign for the BLEShark Nano, an Espressif ESP32-powered tool designed for testing Bluetooth and Wi-Fi systems for vulnerabilities.

“The BLEShark Nano is a pocket-sized [Espressif] ESP32 based device that brings a massive amount of pentesting features, apps, and games into a very compact device,” the company writes of its creation. “In a sense, it is the Swiss Army knife of wireless tools. The BLEShark Nano packs a surprising array of features designed for network testing and experimentation, making it an accessible and effective tool for those interested in cybersecurity!”

InfiShark’s BLEShark Nano is an upcoming Seeed XIAO ESP32C3-based pentesting tool for Bluetooth and Wi-Fi. (: InfiShark Tech)

The Swiss Army Knife of Hacking Tools.

The compact gadget, housed in a 3D-printed case, features a 0.66″ OLED display below which three tactile buttons act as the user interface. Inside the housing is a Seeed Studio XIAO ESP32C3 microcontroller board and a 500mAh battery — good, the company claims, for an average of 10 hours of active use between charges.

In use, the firmware delivers a range of tools designed for penetration testing of wireless networks: BLE Beacon spamming, Wi-Fi access point spamming, captive portal creation, and Bad-BT keystroke injection — plus a selection of reimplementations of classic arcade games like Space Invaders and Pong, for downtime. The gadget can also be used as a Bluetooth remote, with plans to launch additional features including infrared support.

InfiShark is planning to launch a crowdfunding campaign for the gadget at the end of this month, with interested parties invited to sign up on Kickstarter to be notified when it goes live. Additional details are available on Hackaday.io and the company website, though while the company maintains a GitHub repository with STL files for the case it says the firmware is “proprietary and closed-source.” source

BLEShark Nano: Your Ultimate Wireless Testing Companion

The BLEShark Nano combines cutting-edge technology with an intuitive interface, offering full control over wireless network interactions. Whether you’re securing your network or developing custom apps and games, this tool provides the flexibility and power you need.

Now, let’s get into the features and functions in more detail!

What is it?

The BLEShark Nano is an all-in-one sleek & compact multi-tool for hackers, tech enthusiasts, and cybersecurity beginners. With features like Wi-Fi, BLE, and IR pentesting tools, getting into cybersecurity has never been easier to access with the BLEShark Nano.

The BLEShark Nano is a powerful, ESP-32-based tool for attacks like Bluetooth Low Energy (BLE) spamming, Wi-Fi spamming, deauthentication attacks, a wide range of network testing functions, and even various wireless apps. With its sleek OLED interface, exploring and testing vulnerabilities in BLE and Wi-Fi networks has never been more intuitive or accessible. A 500mah battery keeps it on for 4+ hours while spamming. The durable case is 3D printed with PLA-CF, closed up tightly with M3x12 screws and brass inserts.

Why did we make it?

We built the BLEShark Nano to empower security researchers and hobbyists with a compact, cheap, unique and versatile tool for assessing vulnerabilities in BLE and Wi-Fi bands. It’s an all-in-one platform designed to educate and inspire, offering a hands-on approach to wireless security without the need for multiple, specialized tools.

What makes it special?

What sets the BLEShark Nano apart is its ability to automatically download and run custom firmware that unlocks a suite of:

BLE spoofing (and spamming),
Wi-Fi beacon spamming,
Captive portals,
Wi-Fi deauth attacks,
Games,
BadBT,
Apps (like a TikTok scroller),
Automatic Updates,
And much more.
Upcoming Features include:
Handshake Capturing,
BadUSB,
Evil Portal Cred Detector,
And MUCH more.

Whether you’re conducting professional network assessments or diving into wireless security as a hobby, the BLEShark Nano offers an unparalleled combination of power, ease-of-use, and flexibility.

Small enough to fit in the palm of your hand, it’s designed for portability and ease of use, no matter where you are. The BLEShark Nano offers all the power of high-end wireless testing gear in a sleek, easy-to-carry form.
No extra hardware or accessories needed: The BLEShark Nano is a fully self-sufficient device, unlike many other tools that require additional setups or builds to work effectively.
500mAh Rechargeable Battery: A massive internal battery provides up to 16 hours of continuous operation with BLE, and up to 6 hours of continuous operation with Wi-Fi on a full charge. On average, you can expect 10 hours of use per charge.

Using Bluetooth Low Energy, you can broadcast connection requests to many devices – great for testing your device’s Bluetooth capabilities. Select specific targets like Android, Windows, iOS, or Samsung devices. In addition, you can use this feature across all platforms simultaneously.

The BLEShark Nano creating popups on iOS, Samsung (or android), and Windows devices.

This feature works by broadcasting BLE advertisement packets, which trigger popups or notifications on various devices like Android, iOS, Windows, and Samsung. This is achieved by sending out specially crafted packets that mimic legitimate Bluetooth service requests or notifications, thus creating popups on the targeted devices with pairing prompts or similar connection requests.

With the BLEShark Nano, you can create and broadcast hundreds of custom Wi-Fi network names (SSIDs) for legitimate testing and educational activities. Whether you’re testing network resilience, conducting penetration testing, or performing network traffic management simulations, the BLEShark Nano empowers you to generate Wi-Fi networks in a controlled environment. Create networks with randomly generated SSIDs, rickrolls, funny names, duplicate SSIDs, and custom creations.

This feature is particularly useful for security professionals and network administrators who want to see how their infrastructure handles a large number of SSID broadcasts, test how devices react to duplicate or misleading network names, or to simulate a public environment.

Any Bluetooth-enabled device completely trusts any Bluetooth-connected input devices like keyboards and mice. The BLEShark Nano can emulate a Bluetooth HID device, allowing it to be recognized by the target system as a normal Bluetooth keyboard. You can write your own payloads to send any key sequence over Bluetooth, enabling control over the target device, just like the USB Rubber Ducky—but wirelessly. This can be used for testing Bluetooth input vulnerabilities or automating actions on target devices.

A demonstration of the BLEShark Nano typing ‘Hello World!’ in Notepad using BadBT.

This feature allows you to write and upload custom scripts that are then executed over a Bluetooth connection. This enables the BLEShark Nano to send precise and pre-programmed keystroke sequences to any paired device. You can deploy attacks like opening terminal windows, launching programs, or even typing commands—all without needing physical access to the target.

This is a great tool for vulnerability testing, penetration tests, or simply automating common actions on paired devices.

The BLEShark Nano takes network control and testing to the next level with its powerful captive portal feature. A captive portal is a webpage that users must interact with before gaining access to a network. You’ve probably encountered these on public Wi-Fi networks that require you to log in, accept terms of service, or enter a password. The BLEShark Nano allows you to create your own customized captive portal that you can deploy instantly across any Wi-Fi network you set up.

This feature works by creating a Wi-Fi access point (AP) that any device can connect to, but instead of granting full internet access, it redirects users to a web page that you control. Whether you want to conduct security assessments or just show off your creative custom pages, the captive portal offers endless possibilities for network testing. Once users connect to your network, they are automatically directed to your captive portal without needing to type anything into the browser.

The BLEShark Nano creates a captive portal under the name “Free WiFi”, then saves the email entered by the user.

You might be thinking, what are some use cases of this (without actual internet)?

Interactive Games:
Embed small games or quizzes to keep users engaged, even when they’re not accessing the web.
Informational Pages:
Set up informational splash pages to share important content with users who connect to your Wi-Fi network.
Wi-Fi Terms and Conditions:
Create a terms and conditions page that must be accepted before connecting to the internet. This is a common feature of public Wi-Fi networks, which can demonstrate how users often accept such agreements without reading the fine print.

Unlike many existing tools, the BLEShark Nano offers a fully standalone captive portal feature. There’s no need for additional hardware, complex setups, or relying on external networks. Simply power it on, set up your portal, and start testing or demonstrating its capabilities in seconds.

The BLEShark Nano also doubles as a mini entertainment hub! Whether you’re waiting for a process to finish or just looking for a bit of fun, these built-in games will keep you entertained wherever you are.

Play timeless arcade hits, including:

Flappy Bird: Test your reflexes and skill by guiding the bird through endless obstacles. Simple to play, hard to master!
Invaders: Take command of your spaceship and defend Earth from waves of aliens in this legendary shoot ’em up.
Pong: Experience the game that started it all—bounce the ball back and forth in this iconic two-player challenge, available for solo play against AI or multiplayer fun.
Breakout: Smash your way through walls of bricks with a bouncing ball in this addictive classic.
T-rex game: It’s the classic “no internet” game! Jump over the cacti in the desert!

Play a classic collection of games: Flappy Bird, Invaders, Pong, and Breakout (more games coming in future updates!)

The BLEShark Nano is packed with many convenient apps to simplify tasks and keep you entertained. These built-in tools are designed for both practical use and a bit of fun. Let’s get into them!

TxtViewer:
Easily view and navigate through custom text files, perfect for notes, presentations, or documentation. With smooth scrolling, seamless word wrapping, and an intuitive built-in scroll bar, you can browse long documents effortlessly – even on the tiny display. (Yep, you can use this for exams )

TxtViewer Demo

Video Scroller:
Connect effortlessly to your phone and unlock a suite of functions with the press of a button. Control every aspect of your watching experience – just pair with the BLEShark Nano first!

A demonstration of the Video Scroller app. Scroll, pause, or like any video.

Mini Programmable Keypad:
Take control with a customizable keypad that fits in the palm of your hand. Using BLE, assign up to 8 shortcuts, to streamline your workflow or gaming. Whether for productivity or fun, it offers quick access to your favorite commands.

A demonstration of the default keypad commands ([R] x1, [L] x1, [S] x1)

For more information about this app, visit here.

Timers:
Set timers with ease, with options ranging from 1 second to 99 minutes. Perfect for quick tasks, workouts, studying, or reminders. Just a few taps and you’re ready to go, all managed from the BLEShark Nano.

A 5-second timer demo

Stopwatch:
Transform your device into a sleek, easy-to-use stopwatch. With just a tap, you can start, stop, and reset the stopwatch with absolute precision.

A very simple stopwatch app.

Stay effortlessly updated with automatic updates, ensuring you never miss out on exciting new features. Each update introduces a variety of enhancements, and we’re dedicated to continuously expanding our offerings. Your BLEShark Nano will only improve over time, making it an even more powerful tool!

The BLEShark Nano updating firmware (sped up)

The BLEShark Nano offers an extensive range of customization options through the Extra Settings Mode, giving you full control over the device’s behavior and features. It creates its own captive portal, allowing you to connect and manage all settings directly from your browser on any connected device. The sleek and intuitive user interface ensures simple customization, with transitions and an optional extra dark mode for easy navigation.

Customize Wi-Fi networks, Security Settings, Spamming Settings, Captive Portal Settings, Update Settings, and Apps Settings.

Emergency Mode:
Sometimes, you may have to get away from an app quickly, and that’s where the Emergency Mode of the BLEShark Nano comes into play. By holding the left and right buttons together for half a second, you can instantly launch Flappy Bird, no matter where you are in the device. It might sound a bit unconventional, but when the situation calls for it, a quick switch to a harmless game could be just what you need.

Holding down the left and right button together for half a second opens flappy bird.

SPIFFS System:
The SPIFFS (Serial Peripheral Interface Flash File System) integration in the BLEShark Nano ensures that every little configuration and setting you make on the device is securely stored, so you never lose your work. This powerful embedded file system is used to save your custom settings, Wi-Fi SSIDs, BLE spam configurations, captive portal credentials, captive portal HTML code, TxtViewer files, Ducky Scripts, and much more, directly onto the device’s onboard memory.

With SPIFFS, even if the BLEShark Nano is powered off, reset, or updated, all your configurations remain safe, providing seamless continuity for your work. No need to constantly re-enter or reconfigure your preferred settings—your personalized setup is always ready to go!

More Games:
We will add some more classics like a high-speed racing/drifting game, a platformer, and more!

BadUSB:
Instead of using Bluetooth, you can transform the device into a USB device, allowing you to execute powerful scripts quickly and efficiently.

PC Monitor:
Using BLE, you can connect your BLEShark Nano to your PC to monitor real-time performance metrics, including CPU, GPU, and memory usage, all at a glance!

Custom Apps:
Build and run your own custom apps directly on the device, tailored to your imagination. Want to share your creation? Submit it to us, and your app could become part of the official firmware for the entire BLEShark Nano community to enjoy!

If you’re excited to discover even more features we’re planning to add, check out our GitHub for the latest updates and future developments!

It’s Extremely Affordable: Similar tools can cost hundreds of dollars or require custom builds – the BLEShark Nano is priced with accessibility in mind.
It Has an Easy Setup: No coding or technical expertise required to get started. Charge it up (if not shipped pre-charged), complete the easy setup (for OTA updates), and you’re ready to go!
It’s Built for the Future: As technology evolves, so will your BLEShark Nano. We are committed to continually releasing firmware updates with new features and improvements!
Unique Features: Unlike other tools, the BLEShark Nano includes built-in apps and games, adding functionality and entertainment that competitors lack.

On top of this, we will also:

Create Better Packaging: We’ll design premium packaging that not only protects your BLEShark Nano but also elevates your unboxing experience. The new packaging will feature an amazing design with eco-friendly materials and organized compartments for each accessory.

($7,500) Infrared Control Capability

Hitting this goal unlocks an all-new infrared transceiver, allowing BLEShark Nano to control a wide range of electronics like TVs, air conditioners, LED lights, and stereo systems. We’ll also include a preset library for easy setup, adding powerful new functionality not available in the original version.

($10,000) Expanded Color Choices

At this level, we’ll introduce more color options, including a transparent case and a crisp, modern white. These additional colors let you personalize your BLEShark Nano to your style.

($12,500) Custom Silicone Protection

When we reach our final goal, we’ll introduce a durable, soft silicone case custom-fitted for the BLEShark Nano. Choose from a range of colors to add a unique, protective touch to your device. As a token of our appreciation, every backer will receive 30% off the silicone bumper!

To craft the best BLEShark Nano possible, we had to create a lot of prototypes. Each of these prototypes helped shape the final product. Here are some of the prototypes we’ve built:

First prototype and video of the BLEShark Nano.

First fully functional BLEShark Nano (ignore the rough print—it’s all about progress!)

Some of the 3D printed prototypes

We’re excited to continue pushing boundaries with each new update, ensuring the BLEShark Nano grows with you. And with its blend of cutting-edge features, ease of use, and affordability, it’s more than just a tool—it’s a gateway to innovation.

So whether you’re testing Bluetooth vulnerabilities, creating custom Wi-Fi networks, or just passing the time with some games, the BLEShark Nano has you covered.

Note: USB-C cable not included with shipment. Another note: This is a prototype of the final product, some hardware features may vary. source

Check out our github repo for more information INCLUDING source code: https://github.com/grdashark/BLEShark

GET YOUR HERE

Access ANY Network (remotely) What is a Hacker Dropbox?

The Truth News — Mon, 31 Mar 2025 04:49:03 +0000

Access ANY Network (remotely) What is a Hacker Dropbox?

What is a Hacker Dropbox? (and why you need one….even if you aren’t a hacker)

Build your Hacker Dropbox with Twingate (it’s free): https://ntck.co/twingate_ztna
Raspberry Pi Imager: https://www.raspberrypi.com/software/
Buy a Raspberry Pi: Raspberry Pi 4: amazon.com
Raspberry Pi 5: amazon.com

Here is a great definition from ChatGPT: a small, discreet, and often portable device designed to be covertly placed in a target network to provide remote access for a hacker or penetration tester. It typically contains hardware and software configured to exploit the network or collect sensitive information.
If you’re a hacker…this is a no brainer. Get instant access to a remote network by dropping off a device. But….if you’re not a hacker…why do you need this?

Family HelpDesk Support

If you’re like me, you are likely the official technical support for your family and friends. I also inherited the role of helpdesk support for my church…these kinds of things just happen by default when you are in tech and people find out about your technical skills.
This isn’t an easy thing to do, especially when it comes to troubleshooting networks for your family. Is the network up? Why is it slow? Sometimes a FaceTime call just isn’t going to cut it.
If I’m going to be the support for my church and family, I’m going to take my role seriously. I need FULL control of the remote network……no more playing around!!!
With the Hacker Dropbox, I can drop off a small device, in my case it’s going to be a Raspberry Pi 4. (it can be a lot of things, as long as the device is Linux-based and is 64-bit). Instantly I get access to this remote network, enabling me to provide remote support and access any device.

This is NOT VPN

This is not a VPN (VIrtual Private Network) solution….it’s much better.
This is a ZTNA (Zero-Trust Network Access) solution. It’s called Twingate and I’ve been using them for a long time in my business and personal networks. I talk more about them in the video above but in short, they allow you to get and give remote access to networks in the most secure way. They are used by everyone from large enterprises to homelabbers looking to access their Plex server.
This isn’t the first video I’ve made about them but this is the first time I’ve featured a use-case like this.
Oh, it’s also FREE for home labbers. (And…cough….businesses that don’t have a ton of employees….like me.)

You don’t need to know ANYTHING about the network

I wanted this to be a turnkey solution even if you don’t know anything about the remote network. All you’ll have to do is plug in an ethernet cable (or connect to wifi….but you’ll need to know the SSID and password) and you will know everything you need to know about that network…..but how?
Twingate has a powerful API that allows us to do many things…including write python scripts that will automagically tell us the private IP address of our Hacker Dropbox (Raspberry Pi) and the Public IP address of the network, giving us instant access to this Hacker Dropbox AND the network.
This guide will contain that script.

What do you need?

Any Linux-based 64-bit system will do. You’ll need at least 1 CPU and 2GB RAM (recommended)…but you can go as low as 512MB of RAM.
You can also run this as a Docker container, which is my favorite way to deploy this in my home lab.
In this example, with the Hacker Dropbox, I’m using a Raspberry Pi 4 running Raspberry Pi OS Lite – 64-bit and installing it directly on the system (no docker container)

What other hardware options do I have?

Again, this can be many things, but here are some ideas to get the juices flowing:

ZImaboard
Raspberry Pi 4/5
Raspberry Pi 400/500
Old laptops
NAS
Intel NUC or other mini-pcs

The Tutorial

Step 1 – Setup Twingate

This setup is VERY easy and is all done in the cloud.

Step 2 – Add your first remote network

You will be prompted to go through a wizard, we can skip that for now.

Click on Remote Networks

And then add a Remote Network

Choose on-premise for location

Once created, we’ll click on the remote network link to jump in and add more config…like adding a connector.

Step 2.5 – Prep your Hacker Dropbox

This will vary based on what device you choose but this will normally involve installing a compatible OS (64-bit Linux OS) and getting access to your device via CLI.
I demo flashing an SD-card for the Raspberry Pi 4 in the video.

Step 3 – Adding a connector for your remote network

The connector, in our case, will be the Hacker Dropbox, a linux-based device running Twingate software, aka, The Connector

Click on Deploy Connector

Good practice, run sudo apt update to make sure all your repos are up-to-date (this will different for you if you are running something that isn’t Debian-based)
For the Raspberry Pi example, we are installing the Twingate connector directly on the OS, no container. So we’ll select Linux as our option.

Now, generate your access tokens. These will automatically be added the command we’ll use to install Twingate here in a moment.

Copy the provided command

Paste that command in your terminal and watch the magic happen.

We are actually….done. Check Twingate to see if your connector is up.

Step 4 – Add a remote WiFi Network (if not using ethernet)

This will be Raspberry Pi specific.
Run this command to access the NetworkManager TUI

sudo nmtui

Edit a connection

Select Add

Select WiFi

Add SSID and Password (you’ll need to know this for the remote network)

Select Ok and then hit ESC to save and get out of there.

Step 5 – Use the Twingate API to learn about the remote network

You only need this option if this is a network you are unfamiliar with. So, for example, you might be offering remote support for your family and you will likely already know their network, 192.168.1.0/24 (for example) and you may have set the static IP address of your Hacker Dropbox and can easily, manually add this as a resource in Twingate.

Generate an API token

Our script will be provisioning resources so we’ll need to give it a good amount of access.

Copy that key and put it somewhere safe.

Run the Python Script

You’ll need another computer, can be anything that can run Python. (which…can be anything, Windows, Mac, Linux.)
You’ll also need Python3 installed, refer to your OS-specific documentation to install Python.

Create the script

Create a new python script

nano twingate.py

paste the following script
Replace the following variables:
- API_URL
- API_KEY
- TARGET_NETWORK_NAME

from gql import gql, Client
from gql.transport.requests import RequestsHTTPTransport

# Twingate API settings
API_URL = "https://****your Twingate network here****.twingate.com/api/graphql/"  # Replace  with your Twingate subdomain
API_KEY = "YOUR TWINGATE API KEY"
TARGET_NETWORK_NAME = "YOUR REMOTE NETWORK"  # Replace with your target network name

QUERY_REMOTE_NETWORKS = gql("""
query GetRemoteNetworkDetails {
  remoteNetworks(after: null, first: 10) {
    edges {
      node {
        id
        name
        connectors {
          edges {
            node {
              id
              name
              publicIP
              privateIPs
              remoteNetwork {
                id
                name
              }
            }
          }
        }
      }
    }
  }
}
""")

MUTATION_CREATE_RESOURCE = gql("""
mutation CreateResource($name: String!, $address: String!, $remoteNetworkId: ID!) {
  resourceCreate(
    name: $name,
    address: $address,
    remoteNetworkId: $remoteNetworkId
  ) {
    ok
    error
    entity {
      id
      name
      address {
        type
        value
      }
    }
  }
}
""")

def setup_client():
    transport = RequestsHTTPTransport(
        url=API_URL,
        headers={"X-API-KEY": API_KEY},
        use_json=True,
    )
    return Client(transport=transport, fetch_schema_from_transport=True)

def get_target_network(client):
    response = client.execute(QUERY_REMOTE_NETWORKS)
    for edge in response["remoteNetworks"]["edges"]:
        network = edge["node"]
        if network["name"] == TARGET_NETWORK_NAME:
            return network
    return None

def create_resource(client, name, address_value, remote_network_id):
    params = {
        "name": name,
        "address": address_value,
        "remoteNetworkId": remote_network_id
    }
    response = client.execute(MUTATION_CREATE_RESOURCE, variable_values=params)
    if not response["resourceCreate"]["ok"]:
        raise Exception(f"Failed to create resource: {response['resourceCreate']['error']}")
    return response["resourceCreate"]["entity"]

def automate_resource_creation():
    client = setup_client()

    print(f"Searching for target network: {TARGET_NETWORK_NAME}...")
    target_network = get_target_network(client)

    if not target_network:
        print(f"Network '{TARGET_NETWORK_NAME}' not found.")
        return

    print(f"Found network: {target_network['name']}")
    remote_network_id = target_network['id']

    for connector_edge in target_network["connectors"]["edges"]:
        connector = connector_edge["node"]
        public_ip = connector.get("publicIP")
        private_ips = connector.get("privateIPs", [])

        if public_ip:
            resource_name = f"Resource-Public-{public_ip.replace('.', '-')}"
            print(f"Creating Resource for public IP: {public_ip}...")
            resource = create_resource(client, resource_name, public_ip, remote_network_id)
            print(f"Resource created: {resource['name']} (ID: {resource['id']}, Address: {resource['address']['value']})")

        for private_ip in private_ips:
            resource_name = f"Resource-Private-{private_ip.replace('.', '-')}"
            print(f"Creating Resource for private IP: {private_ip}...")
            resource = create_resource(client, resource_name, private_ip, remote_network_id)
            print(f"Resource created: {resource['name']} (ID: {resource['id']}, Address: {resource['address']['value']})")

if __name__ == "__main__":
    try:
        automate_resource_creation()
    except Exception as e:
        print(f"Error: {e}")

Save the file.

Now, we’ll create a python virtual environment

This will make sure we can install packages and prerequisites without hurting your other projects. (if you have some….if you don’t…that’s okay….it’s just good practice)
First make sure you have it installed. See below for Linux.

sudo apt install python3-venv -y

Also make sure you install PIP

sudo apt install python3-pip

Now create a Python virtual environment and activate it.

python3 -m venv twingatesomething

source twingatesomething/bin/activate

Install the pre-reqs

pip install gql requests requests.toolbelt

Type to run the script

python3 twingate.py

Check your resources in Twingate…you should see something cool

source

What is the Morris Worm? How One Man Accidentally Destroyed the Internet 30 Years Ago

The Truth News — Mon, 10 Mar 2025 17:00:34 +0000

This Is How One Man Accidentally Destroyed the Internet 30 Years Ago

It all started with the Morris worm.

Pixabay

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was — that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well — too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the first of a particular type of cyberattack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams, and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.

As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”

Unpacking the Morris Worm

Worms and viruses are similar but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.

In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm. In that time, it infected tens of thousands of systems — about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.

Robert Tappan Morris, in 2008.

Trevor Blackwell/Wikimedia, CC BY-SA

Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly $10,000 fine. In the late 1990s, though, he became a dot-com millionaire — and is now a professor at MIT.

Rising Threats

The internet remains subject to much more frequent — and more crippling — DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.

In October 2016, a DDoS attack using thousands of hijacked webcams — often used for security or baby monitors — shut down access to a number of important internet services along the eastern US seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.

Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases — the ones big enough to merit full investigations — it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the Minecraft computer game.

Fighting DDoS Attacks

But technological tools are not enough, and neither are laws and regulations about online activity — including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures — a notion that comes with a number of downsides, including the risk of escalation — and to require better security for internet-connected devices. But passage is far from assured.

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they — and their staff, customers, and business partners — would be safer.

In 3001: The Final Odyssey, science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon — which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone — governments, companies, and individuals alike — to set up rules and programs that support widespread cybersecurity, without waiting another 30 years. source

🔐Hacking Technology Archives - Good Shepherd News - Fastest Growing Religious, Free Speech & Political Content

PATRIOT Act Author The NSA Is Actively Violating The Law

PATRIOT Act Author: The NSA Is Actively Violating The Law

Detecting IMSI Catchers: Tools, Apps and Methods You Should Know

Detecting IMSI Catchers: Tools, Apps and Methods You Should Know

IMSI catchers: a security threat

Top Techniques and Resources to Detect IMSI Catchers

1. Use Mobile Apps and Tools

2. Look for Unusual Network Activity

3. Observe Battery and Signal Behaviour

4. Monitoring Tools for Experts

5. Network Data Monitoring

6. Physical Indicators

7. Use Encrypted Communication

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes

Oros42/IMSI-catcher DOWNLOAD HERE iMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

CellularPrivacy/Android-IMSI-Catcher-Detector DOWNLOAD HERE IMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

Gotta Catch ‘Em All: Understanding How IMSI-Catchers Exploit Cell Networks

Section 1: Introduction

Section 2: Necessary background info

Section 3: Overview of attacks

Section 3.1: Basic IMSI-catcher

Section 3.2: Communication interception

Section 3.2.1: Spoofing authentication

Section 3.2.2: Dealing with encryption

Section 3.2.3: Why aren’t users alerted that encryption is off?

Section 3.2.4: Service downgrading

Section 3.3: LTE CSS connection techniques

Section 3.4: Location tracking attacks

Section 3.4.1: Presence Testing in LTE

Section 3.4.2: Active location tracking and exact GPS coordinates

Section 3.5: Denial of Service and Downgrading

Section 3.5.1: Protocol downgrade attacks

Section 3.5.2: Denial of Service (DoS)

Section 4: Detection methods & apps

Section 4.1: Detection methods

Section 4.2: Detection apps

Section 4.3: Defending against CSSs

Conclusion: the past & future of cell network security

References

Notes

Downloads

Understanding and Detecting IMSI Catchers around the World

How to Catch an IMSI Catcher

Civil Society Needs Help Catching IMSI Catchers

Equipping Civil Society with Resources to Expose Surveillance

Some of the Findings

Cell-site simulators/ imsi catchers aka Stingray phone tracker

Cell-site simulators/ imsi catchers aka Stingray phone tracker

Cell-site simulators/ imsi catchers

DOWNLOAD IMSI CATHER SOFTWARE AND BUILD YOUR OWN! TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY

How Cell-Site Simulators Work

Standard Communication

What Kinds of Data Cell-Site Simulators Collect

How Law Enforcement Uses Cell-Site Simulators

Who Sells Cell-site Simulators

Threats Posed by Cell-Site Simulators

EFF’s Work on Cell-Site Simulators

Litigation

Legislation

Further Research

EFF Cases

Suggested Additional Reading

IMSI Catcher System

Passive GSM Interception System

Features

Semi-Active GSM Interception System

Features

Hybrid GSM Interception System

Features

Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESP32-Div: An ESP32 Based Swiss Army Knife for Wireless Networks

Hardware of ESP32-DIV

Main Board

Shield

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

The ESP32DIV Evolution

Exploring the Features