Researchers from the University of California at San Diego (UC San Diego) have published a paper highlighting location-tracking attacks against mobile devices which leverage fingerprinting of Bluetooth Low Energy (BLE) physical layer attributes.

“Mobile devices increasingly function as wireless tracking beacons. Using the Bluetooth Low Energy (BLE) protocol, mobile devices such as smartphones and smartwatches continuously transmit beacons to inform passive listeners about device locations for applications such as digital contact tracing for COVID-19, and even finding lost devices,” the researchers explain in their paper’s abstract.

“These applications use cryptographic anonymity that limits an adversary’s ability to use these beacons to stalk a user. However, attackers can bypass these defences by fingerprinting the unique physical-layer imperfections in the transmissions of specific devices.”

The team acknowledges “several key challenges” which limit the ability of an attacker to uniquely identify mobile devices via BLE, but concludes that “physical-layer identification is a viable, although sometimes unreliable, way for an attacker to track mobile devices.”

The full paper is available as a PDF under open-access terms.

Cybersecurity researcher Mordechai Guri, meanwhile, is continuing his work on using unintentional radio signals to capture supposedly private data from computer systems with LANTENNA – a TEMPEST-style attack focusing on network cables.

“Air-gapped networks are wired with Ethernet cables since wireless connections are strictly prohibited,” Mordechai writes in his paper’s abstract. “In this paper we present LANTENNA, a new type of electromagnetic attack allowing adversaries to leak sensitive data from isolated, air-gapped networks.

“Malicious code in air-gapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker.”

The trick lies in being able to control what the Ethernet cable is doing at any given time, which means an attacker must first get code running on the air-gapped system – though Mordechai notes that the malware is able to run “in an ordinary user-mode process and successfully operate from within a virtual machine,” and that data could be picked up “to a distance of several metres.”

The full paper is available on arXiv.org under open-access terms.

Osmocom’s Harald Welte has warned of a critical bug in the pySim-prog tool which, if triggered, can corrupt key material – and advises all users to upgrade as soon as possible.

“We fixed a critical bug regarding the writing of key material when using the classic pySim-prog utility. All versions since July 31st are affected,” Harald explains. “This means if you are using any of the affected versions in the range, writing keys will write an erroneous key to your card, where the first byte of the user-specified key is dropped, the remaining 15 bytes are written from offset 0, and the last byte of the key will not be updated on the card.”

The bug is known to affect every version of pySim-prog from commit 2e6dc03f345150353ecc796f18614c02256bd2df up to the fix in commit 80901d6d39fd05b923c48145147c47f0ad5252ca; versions at or after the fix are not affected, and all users are advised to upgrade to the current master as soon as possible.
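To make the described defect concrete, the following added example (not pySim-prog’s code; a simplified stand-in that treats the card’s key as a plain 16-byte buffer) models the faulty write next to the correct one, and adds a check an operator could use to tell whether a card holds the intended key, a key bearing the one-byte-shifted signature of the bug, or something else entirely.

```python
# Added illustrative model of the pySim-prog key-writing defect described in the
# Osmocom advisory. This is NOT pySim-prog's code; the card is modelled as a
# plain 16-byte buffer (a 128-bit key such as Ki or OPc).
KEY_LEN = 16


def buggy_write(card_key: bytes, user_key: bytes) -> bytes:
    """Model of the defective write: the first byte of the user-specified key is
    dropped, the remaining 15 bytes are written from offset 0, and the card's
    last byte is left as it was."""
    assert len(card_key) == KEY_LEN and len(user_key) == KEY_LEN
    return user_key[1:] + card_key[-1:]


def correct_write(card_key: bytes, user_key: bytes) -> bytes:
    """Model of the fixed write: all 16 bytes land at offsets 0..15."""
    assert len(card_key) == KEY_LEN and len(user_key) == KEY_LEN
    return user_key


def diagnose(intended_key: bytes, card_key: bytes) -> str:
    """Classify what a card holds relative to the key the operator meant to write.

    "ok"       - card matches the intended key
    "shifted"  - bytes 0..14 on the card equal intended_key[1:16], i.e. the
                 signature of the defective write (the last byte cannot be
                 checked, because the bug never touched it)
    "mismatch" - anything else (wrong key, or a different defect)
    """
    if card_key == intended_key:
        return "ok"
    if card_key[:KEY_LEN - 1] == intended_key[1:]:
        return "shifted"
    return "mismatch"


# Constructed sample values, not real key material.
INTENDED = bytes(range(0x10, 0x20))   # 10 11 12 ... 1f
OLD_CARD = bytes([0xAA]) * KEY_LEN    # whatever the card held before the write

if __name__ == "__main__":
    written = buggy_write(OLD_CARD, INTENDED)
    print(written.hex())                 # 1112...1faa: shifted, stale last byte
    print(diagnose(INTENDED, written))   # shifted
    print(diagnose(INTENDED, correct_write(OLD_CARD, INTENDED)))  # ok
```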

Those using the sysmo-isim-tool and sysmo-usim-tool, however, were not impacted by the bug.

More information, including links to the patched version, is available on the Osmocom website.

Teddy Apo has shown off an incredibly simple receiver build, designed to trigger in the presence of 2.4GHz signals – and built from a diode and an LED, nothing more.

“[The] simplest 2.4GHz detector from a UHF diode backwards across an ultra-bright red LED,” Teddy writes of his discovery. “Trim the leads to resonate at 2.45 [GHz], and you can see the output from Wi-Fi access points – shown here – as well as microwave oven leakage. Found it in a box of junk that’s getting purged today.

“I think the diode on this one is a 1SS98. 1N5711, similar Schottkys, or even a germanium diode should work as well.”

While functional – and the basis for vintage mobile phone cases which would trigger a notification LED on incoming calls and messages – Teddy admits the design isn’t all that useful in the real world. “It pretty much has to be right on top of the AP’s antenna,” he notes, “[though] it can be a little farther from a leaky microwave.”

More details are available in Teddy’s Twitter thread.

An article published on Inside GNSS highlights the need for a “shielded zone” around the moon, in order to protect far-side radio astronomy efforts from radio-frequency interference.

“The far side of the moon offers a unique scientific opportunity to perform future radio astronomy observations, without RF interference arising from human activities,” the article’s authors note. “Today, several concrete projects of radio astronomy observatories are being designed for implementation on the far side of the Moon or in orbit regularly above this zone.

“Radio regulation and international recommendations clearly show the need to not use in the SZM [Shielded Zone of the Moon] any frequency band situated between 300MHz and 2GHz (and below 100MHz). It is also time to consider lunar orbital missions (with cubesats for instance) to both perform radio astronomy and spectrum monitoring in the critical 300MHz-2GHz band, and to detect interference to RA [Radio Astronomy] from emissions, including the ones coming from communication and PNT RF systems in the lunar region.

“Article 4.4 of ITU RR is not appropriate in the specific case of protection of RA in the SZM since there is no guarantee of no interference. However, some operators still believe it is possible to operate frequencies under RR n°4.4 in the SZM, and this is the reason why lunar spectrum monitoring missions are strongly encouraged.”

The full article is available on Inside GNSS.

Harald Welte has written up his initial efforts in implementing ITU-T V5.1/5.2 for vintage central-office telephone network equipment, though warns “progress will likely be slow.”

“As some of you may know, I’ve been starting to collect ‘vintage’ telecommunications equipment starting from analogue modems to ISDN adapters, but also PBXs and even SDH [Synchronous Digital Hierarchy] equipment,” Harald explains. “The goal is to keep this equipment (and related software) alive for demonstration and practical exploration.

“Hence, I’ve always wanted to get my hand on some more real-world central-office telephone network equipment, and I finally have a source for so-called V5.1/V5.2 access multiplexers. Those are like remote extension boxes for the central office switch (like EWSD or System 12). They aggregate/multiplex a number of analogue or ISDN BRI [Basic Rate Interface] subscriber lines into E1 lines, while not implementing any of the actual call control or ISDN signalling logic. All of that is provided by the actual telephone switch/exchange.

“So in order to integrate such access multiplexers in my retro-networking setup, I will have to implement the LE (local exchange) side of the V5.1 and/or V5.2 protocols, as specified in ITU-T G.964 and G.965,” Harald continues. “In the limited spare time I have next to my dayjob and various FOSS projects, progress will likely be slow. Nonetheless I started with an implementation now, and I already had a lot of fun learning about more details of those interfaces and their related protocols.”

The full write-up is available on Harald’s homepage alongside links to the relevant standards.

A wireless power specialist has teamed up with Ericsson to produce 5G cellular base-stations which operate entirely wirelessly – receiving power via laser, rather than cables.

“The idea that Ericsson is promoting is, we now have wireless connectivity,” PowerLight chief executive Richard Gustafson told GeekWire in an interview, “it’s time to cut the final cord — and that’s the power cord. [We won’t] go from our proof of concept to an urban environment, but to start to work toward packaging for an environment such as disaster response or emergency response, where you’ve got to get equipment up and running quickly.”

The PowerLight demonstration platform successfully beamed power to an Ericsson Streetmacro 6701 5G base station’s battery via infra-red laser – and with more than 200W of power required to run the system, safety is key: any obstructions entering the “power ring” shut the laser off in milliseconds, while the battery keeps the base station running until the laser can be reactivated.

PowerLight is hoping that it will be able to extend the concept to the point where kilowatts of power could be transmitted over a kilometre or more – and could even be used to power moving devices like drones as they pass over a transmission station.

The full article is available on GeekWire.

Lynk, formerly known as Ubiquitilink, has announced another step towards allowing unmodified cellular phones to use satellites for live voice calls – dramatically increasing global coverage in currently under-served areas.

We originally covered Lynk’s efforts back in March 2019 when the company showcased its proof-of-concept satellite communication system at Mobile World Congress – offering satcoms from any cellular handset built within the last decade.

Now, the company is moving on from simple SMS communication: it hopes it will be able to offer full two-way voice communication, as it sees a fifth satellite enter its constellation. Its demonstrations so far, however, concentrate on asynchronous communication – and it admits that it is looking to sell the service to mobile networks, rather than end users.

More details are available on Universe Today.

The O-RAN Alliance has announced its latest specification release and its impending Plugfest Virtual Showcase – plus 18 examples of open radio access network (open RAN) technologies across five key demonstrations at Mobile World Congress.

In its latest release, the O-RAN Alliance has published nine key specifications: O-RAN Non-Real-Time RAN Intelligent Controller (RIC) Architecture; Near-Real-Time RIC and E2 Interface: Use Cases and Requirements; O-RAN E2 Service Model: RAN Control (E2SM-RC); O-RAN O1 Interface specification for O-CU-UP and O-CU-CP towards the Service Management and Orchestration (SMO) framework; O-RAN Acceleration Abstraction Layer FEC Profiles; Infrastructure management services of the O2 interface; O-Cloud Notification API Specification for Event Consumers; O-RAN Xhaul Transport Testing Specification; and the O-RAN Security Requirements Specifications.

The organisation has also announced its Plugfest Virtual Showcase, which will take place later this year following the participation of 77 companies in the Alliance’s third Global Plugfest interoperability event. Alongside this, it has confirmed 18 examples of O-RAN technologies to appear at Mobile World Congress – including demonstrations from VMware, Northeastern University, Dell, Rohde & Schwarz, and Juniper Networks, among others.

More details on the new specifications, which at the time of writing had not been published publicly, are available on the O-RAN Alliance website.

Finally, the Canadian Centre for Experimental Radio Astronomy (CCERA) has published a memo on open-source small-aperture antennas designed for introductory 21cm radio telescopes built using software-defined radios and GNU Radio.

“The amateur radio astronomy observer is often faced with the question ‘what type of antenna should I use for initial experiments,’” the memo, penned by Marcus Leech, explains. “There are a considerable variety of paths one might follow in this regard, and we try to explore a few of them.

“Some observers now use a ‘para-grid’ type antenna that is available primarily for use in terrestrial point-to-point Wi-Fi links at 2.4GHz, but has also been marketed for use with GOES and Iridium L-band satellites. We wanted to understand how well these antennae worked at 21cm and explore other viable options.”

In the memo, Marcus and colleagues experiment with a 30x60cm para-grid antenna, an “‘odd’ horn-like antenna” made from a maple-sap bucket, another larger converted-bucket antenna, and a six-turn axial mode helix antenna – with the para-grid antenna the only off-the-shelf option on test.

“It is clear that nearly ANY antenna with 8-12dB of forward gain will work adequately for initial experiments with the hydrogen line at 21cm,” Marcus concludes. “A para-grid antenna performs well, but it should be noted is considerably more expensive than any of the ad hoc choices presented here.

“In balance with that is the fact that the other choices do require some amount of DIY skill, which may be missing in the novice observer. It is clear that small ad-hoc horn-type antennas perform exceptionally well considering their modest aperture. This is not unexpected, since horn antennae in general have excellent side-lobe and back-lobe behaviour, and it is clear that behaviour can be relied upon even in ‘unconventional’ horn antenna designs.”

The full memo is available to download as a PDF.