Want to spy on the boss? Try this phone-mast-in-an-HP printer

An engineer has shown how you can sneak a tiny cellphone base station into an innocuous office printer. The idea is the brainchild of New Zealand's Julian Oliver, who was inspired by the Stingray cellphone snooping technology now in widespread use by the cops and FBI. He was looking to see how such tech could be hidden and …

  1. Adam 1

    Why does the phone trust the base station? Naïve me was thinking my phone might expect some sort of certificate to get checked before it connects, rather than attaching to anything that can emulate a network I connect to.

    1. Field Commander A9

      Because people just can't get rid of antique GSM techs.

    2. Valeyard

      The phone trusts the dodgy base station because the police and GCHQ etc. want your phone to trust dodgy base stations.

      Something something terrorists.

      1. Matt Bryant

        Re: Valeyard

        "the phone trusts the dodgy base station because the police and gchq etc want your phone to trust dodgy base stations...." Wow, the paranoia! Actually, it's because most telcos allow roaming, which means your phone will always query any cell tower it finds within range to see if it will provide a better service than your carrier's nearest tower. Roaming was introduced due to international customer demand, not by the government nor GCHQ. If you disable roaming, all the fake tower will be able to do is record your IMEI and details from your phone's registration request (unless it also spoofs the real carrier's SID), which anyone with the right toys can do already just by listening to the radio traffic between phones and local cell towers in an area.

        1. Valeyard

          Re: Valeyard

          You missed the Register article earlier about cops using fake base stations then?

          I bet you feel silly now.

      2. Christian Berger

        No that was the 1980s

        "something something terrorists"

        No, back then it was "something something Russian spies".

        Back when GSM came out there was a huge crypto discussion on whether it should be allowed to be encrypted. Not allowing the network to authenticate itself to the handset was the compromise.

    3. Net Admin

      Simply put, there's a common misconception that mobile communications are secure to the nth degree, but I should clarify that. The greatest insecurity is in the design of the technology which allows your call to remain 'connected' even if you are speeding down the highway for hours on end. To be fair, it's not that it was designed badly, it just wasn't designed to be a mobile 'solution'. In fact, it's quite old.

      Back in the pre-mobile days, digital phone exchanges needed some smarts to manage call volumes and routes to the next exchange between caller and recipient. Logically, if an exchange was too busy, the routing smarts would send the data via a different path as required to keep the call connected and of acceptable quality. That logic was based on both caller and recipient being in fixed locations, as were the exchanges, and only the data was routed around as needed.

      But when phones needed to become mobile, the network had to cater for points that were no longer fixed. The simplest way to do that at the time was to take the existing routing smarts that operated between exchanges and use them as the framework for the new mobile network between phone towers. The logic was not overly complex: the towers were fixed, the callers may not be, so the job of the 'software' was to find the best route between towers and keep the call connected.

      None of which is a problem, except when you consider the level of security present in the pre-mobile era. Exchanges are fixed points, and the phone companies owned the cables in the ground. So when you placed a call, the data travelled on their property, 'hard wired' to their exchange, which was then on their closed network between exchanges. Simply put, there was no need for encryption between exchanges. The assumption was the traffic was secure because it was a closed network. For the most part, that logic was solid.

      But now the phone makes a connection to (typically) the closest tower; it asks who the tower is etc., but so long as it can make a connection (or thinks it can), it doesn't interrogate it further. Remember, the old network had fixed exchanges and fixed phones running from fixed wires in the ground. The objective was to ensure connectivity, not security. It was rightly considered to be sufficiently secure. That logic was fine with everything fixed. In a roaming world, it's completely flawed, as it opened up a man-in-the-middle vulnerability.

      So when your phone talks to a cell tower, it isn't interested in finitely learning what it's talking to - it's only interested in knowing it's 'connected'. It has a signal and (what it believes) is a valid connection to a trusted tower. The assumption can be made that the tower will route the call data as needed, not that it will do so AND take a copy for itself.

      For more information on this and how it all comes together in a very scary way, have a look at how Signaling System 7 (SS7) can be exploited just like this article has demonstrated.

      Oh, and why hasn't it been fixed? Well, two reasons come to mind. It would be a lot of work. At the very least a means of challenging the validity of the roaming connection between phone and tower at each tower and requiring new smarts in the phone as well - would it be backwards compatible with phones still vulnerable? The second is a theory only, but I don't believe law enforcement want it to be fixed. It represents a very simple method of capturing information from mobile devices in range, and that is both valuable and of extreme merit in fighting legitimate crime and terror.

      Hope this helped - and you're not naive. You're right to think something we rely upon every single day is free from known and serious exploits - or at least that it should be!

      1. hailbaal

        Absolutely spot on. Couldn't have said it any better

  2. ForthIsNotDead

    That's genius.

  3. frank ly

    I'm wondering

    Who replies to text messages from numbers they don't recognise or people who won't identify themselves?

    1. sysconfig

      Re: I'm wondering

      Who replies to text messages from numbers they don't recognise or people who won't identify themselves?

      The same people who click on links in spam and phishing emails, and hand over credentials to third parties. We wouldn't see any of those "attacks", if there weren't enough stupid "customers".

      1. Adam JC

        Re: I'm wondering

        I would have said the same people who pick up memory sticks that someone appears to have 'lost' in the corporate car park and then proceed to plug them into a computer.

        1. WolfFan

          Re: I'm wondering

          "I would have said the same people who pick up memory sticks that someone appears to have 'lost' in the corporate car park and then proceed to plug them into a computer."

          I plug 'em into a computer. Just not my computer, or any computer on my network. I tend to pick computers which have been left logged in and unsecured and all alone for this kind of thing, which usually means that if there wasn't something roaming loose on that USB stick before I plugged it in, there is now.

          For some reason the number of computers left alone and logged in tends to fall when I'm around. I can't imagine why this would be.

      2. Anonymous Coward

        Re: I'm wondering

        "The same people who click on links in spam and phishing emails, and hand over credentials to third parties...."

        Phone-based MITM attacks are potentially incredibly powerful, effective even against not-incredibly-stupid users. For example:

        1) Send legitimate-enough looking texts to unsuspecting-but-well-educated target claiming to be a bank having detected fraudulent activity, and for them to call the number listed on the back of their card

        2) Reroute any/all calls to common bank numbers to your nearest criminal call centre where you harvest their security answers but otherwise take no obvious fraudulent action. Forward all other traffic over GSM to a legitimate base station.

        3) Call their bank, take their money.

        Imagine the internet without any kind of TLS. That's what we're talking about.

        Or rather, we're talking about the internet where the person you're talking to can force you to remove any and all security measures and the only thing that determines who you're talking to is *how loud they're shouting back at you*.
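Net Admin's explanation above (the phone only cares that it is 'connected', not who it is connected to) and this comment's point that the only thing deciding who you talk to is how loud they shout are the same design flaw seen from two sides. The following is an added example, not code from the article, from Julian Oliver's printer, or from any commenter: a toy Python model of idle-mode cell selection and of the GSM one-way challenge-response, beside a mutual-authentication variant of the kind later generations added. The key material, PLMN code, IMSI, message shapes and the HMAC-based stand-ins for the SIM algorithms are all constructed for illustration and are not the real A3/A8 or 3GPP AKA functions.

```python
# Added example (not from the article or any commenter): toy model of why a
# GSM handset attaches to a fake base station. Protocol shapes are simplified;
# the real A3/A8/AKA algorithms, PLMN codes and message formats are NOT used.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed subscriber key Ki: shared only between the SIM and the home
# operator's authentication centre. An IMSI catcher never has it.
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")
HOME_PLMN = "001-01"          # constructed PLMN identity (MCC-MNC)
IMSI = "001010000000001"      # constructed subscriber identity


@dataclass
class Cell:
    name: str
    plmn: str       # identity broadcast on the beacon; anyone can broadcast it
    rx_dbm: int     # received signal level at the handset
    genuine: bool   # whether the operator's core network stands behind it


def select_cell(cells, home_plmn=HOME_PLMN):
    """Idle-mode cell selection, simplified: take the strongest cell claiming
    the home PLMN. The beacon is unauthenticated, so the loudest one wins."""
    candidates = [c for c in cells if c.plmn == home_plmn]
    return max(candidates, key=lambda c: c.rx_dbm, default=None)


def _kdf(key, label, data):
    """HMAC stand-in for the SIM/AuC algorithms (constructed, not A3/A8)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]


def sim_response(rand):
    """SIM side of the challenge-response: SRES = f(Ki, RAND)."""
    return _kdf(KI, b"SRES", rand)


class GenuineNetwork:
    """Operator network: holds Ki, can check SRES and can prove itself."""

    def challenge(self):
        rand = os.urandom(16)
        # AUTN proves the sender holds Ki (stand-in for the AKA MAC).
        # A GSM network never sends anything like it.
        return rand, _kdf(KI, b"AUTN", rand)

    def verify(self, imsi, rand, sres):
        return hmac.compare_digest(_kdf(KI, b"SRES", rand), sres)


@dataclass
class FakeBTS:
    """IMSI catcher: no Ki, so it can neither check SRES nor compute AUTN.
    It simply accepts whatever the phone sends and records it."""
    captured: list = field(default_factory=list)

    def challenge(self):
        return os.urandom(16), os.urandom(8)   # garbage AUTN; it cannot do better

    def verify(self, imsi, rand, sres):
        self.captured.append((imsi, rand, sres))
        return True                             # "sure, you're authenticated"


def attach_gsm(network, imsi=IMSI):
    """GSM (2G) attach: phone sends IMSI, answers RAND, trusts the verdict.
    Nothing here lets the phone tell a genuine network from an impostor."""
    rand, _ignored_autn = network.challenge()
    return network.verify(imsi, rand, sim_response(rand))


def attach_mutual(network, imsi=IMSI):
    """Mutual-authentication attach: the phone first checks AUTN against its
    own Ki and refuses to answer a network that cannot prove it holds the key."""
    rand, autn = network.challenge()
    if not hmac.compare_digest(_kdf(KI, b"AUTN", rand), autn):
        return False    # impostor rejected before IMSI/SRES are handed over
    return network.verify(imsi, rand, sim_response(rand))


def demo():
    """Constructed scenario: a weak genuine macro cell and a loud fake in the
    printer, both announcing the home PLMN, plus an unrelated operator."""
    cells = [
        Cell("operator macro cell", HOME_PLMN, rx_dbm=-95, genuine=True),
        Cell("printer BTS", HOME_PLMN, rx_dbm=-60, genuine=False),
        Cell("other operator", "001-02", rx_dbm=-50, genuine=True),
    ]
    fake = FakeBTS()
    return {
        "chosen": select_cell(cells).name,
        "gsm_attach_to_fake": attach_gsm(fake),
        "mutual_attach_to_fake": attach_mutual(fake),
        "mutual_attach_to_genuine": attach_mutual(GenuineNetwork()),
        "records_captured_by_fake": len(fake.captured),
    }


if __name__ == "__main__":
    print(demo())
```

The 2G path succeeds against the fake just as it does against the operator, and the fake walks away with the IMSI and a valid (IMSI, RAND, SRES) triple without ever having held Ki; the mutual path fails closed because the phone checks the network's proof before it answers. Real handsets can still be pushed onto the weak path by a base station that simply refuses to offer anything newer, which is the downgrade the commenter above calls "force you to remove any and all security measures".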

    2. Dazed and Confused

      Re: I'm wondering

      Who says the numbers need to be random? If you can get close enough to plant this inside the boss's printer, presumably you can get close enough to know some contacts.

    3. Fungus Bob

      Re: I'm wondering

      "Who replies to text messages from numbers they don't recognise or people who won't identify themselves?"

      I do as it's usually some idiot texting to the wrong number and I respond with the most bizarre thing I can think of (the metropolitan area I live in has four local area codes so right number but wrong area code calling is common).

    4. Frank N. Stein

      Re: I'm wondering

      Not me, as I just block unfamiliar numbers that are not in my address book.

      1. Anonymous Coward

        Re: I'm wondering

        @Frank N. Stein,

        That wouldn't help. They control the network, so they can make an incoming call look as though it's from any number. If they know, say, the switchboard number for your work (which would be in your contacts list) then it'd show up as the office calling.

        Or, as suggested above, if you've got a number for your bank then they can text using that number and have you call the number on the back of your card- normally good security practice- and intercept that call or parts of that call.

        Your whitelisting is little protection against this unfortunately.

  4. M.Zaccone

    Hmm

    The adverts at the top of this comment page are for RS Components. They want me to buy a Pi 3 and a touchscreen for it too. Is El Reg trying to tell me something here?

  5. SquidEmperor

    HP Inc - please don't tell them...

    Can you imagine? They'd be delighted to have a printer sms you asking for some love...

    1. Pirate Dave

      Re: HP Inc - please don't tell them...

      I was thinking they could use it to send you an SMS telling you it's time to bend over and buy a replacement toner cartridge.

      1. hypernovasoftware

        Re: HP Inc - please don't tell them...

        I've got an HP LaserJet 400 that has been telling me the toner is low for 3 years and yet it still prints fine.

    2. Adam 1

      Re: HP Inc - please don't tell them...

      Only buy genuine HP phone mast printer accessories! They updated the firmware a few months back and now if the printer detects a non genuine phone mast it will refuse to work.

  6. DJV

    Yep

    They're telling you it's time to install something like Adblock!

  7. David Kelly 2

    What's The Deal?

    I don't get it, someone installs a fake cell site in a printer? This is new? Creative? Back in my day we put bugs in table lamps and potted plants.

    I was expecting to read how one "spied on boss" by capturing print jobs.

    1. Robert Carnegie

      Re: What's The Deal?

      "Capturing print jobs"

      Sure, fit a camera.

      Boss may wonder why the printer lights up inside and makes a "click whirr" camera noise though.

    2. phuzz

      Re: What's The Deal?

      What's the smallest mobile phone base station you've built then David?

    3. Anonymous Coward

      Re: What's The Deal?

      "I was expecting to read how one "spied on boss" by capturing print jobs."

      That's easy...unless your boss has a directly attached USB printer and you haven't been able to install a print queue interceptor. If the printer is on the network, security is not, to say the least, brilliant.

  8. Anonymous Coward

    Every step you take, every move you make

    Would have been a better choice of song to play.

    1. Christian Berger

      Re: Every step you take, every move you make

      How about Rudi gib acht? It's more about spying.

      https://www.youtube.com/watch?v=ir8Evm75hlI

  9. John Ellin

    Wrong song

    Not Rick Astley's "Never gonna give you up"? For shame!

    1. Soruk

      Re: Wrong song

      Intercept all the outgoing calls and redirect to a recording of Never Gonna Give You Up.

  10. Swarthy

    For added awesome

    Could this faux-base be made to link to the printer's NIC, potentially using the company Internet for back-haul?

    Having worked in a second sub-basement surrounded by dirt, concrete, and steel I could see the benefit of a small portable base-station; but the Networks guys usually object to something like that. It may take them a bit longer to identify the strange and excessive packets coming out of the printer than it would take them to see a new, unauthorized device on the network.

    1. Timo

      Re: For added awesome

      It is getting off topic, but that is part of the reason for Wi-Fi calling. Hard to beat the price of an already installed wireless access point. Put the coverage where you need it.

  11. Harry the Bastard

    "...plays them Stevie Wonder’s I Just Called To Say I Love You"

    ...sure sounds like malicious intent, I'd throw away the key

    1. Anonymous Coward

      Re: "...plays them Stevie Wonder’s I Just Called To Say I Love You"

      Wrong number, idiot! Are you blind? Oh wait.

  12. Stevie

    Bah!

    Good to know. Shared this with a few colleagues, a lively, somewhat paranoid discussion broke out; long story short, all printers, two flatbed scanners and a microwave oven were smashed to flinders in the ensuing Night Of The Long Sledgehammers.

    Bad news: no way to get timesheet signed now.

  13. Anonymous Coward

    Stevie Wonder

    Judging on the way that it spies on you "He's Misstra Know-It-All" would be more appropriate
