Jul. 21st, 2015

scottobear: (Default)

PROXYGAMBIT BETTER THAN PROXYHAM; TAKES COFFEE SHOP WIFI GLOBAL

Last weekend saw the announcement of ProxyHam, a device that anonymizes Internet activity by jumping on WiFi from public libraries and cafes over a 900MHz radio link. The project mysteriously disappeared and was stricken from the DEFCON schedule. No one knows why, but we spent some time speculating on that and on what hardware was actually used in the undisclosed build.

[Samy Kamkar] has just improved on the ProxyHam concept with ProxyGambit, a device that decouples your location from your IP address. But [Samy]’s build isn’t limited to ProxyHam’s claimed two-mile range. ProxyGambit can work anywhere on the planet over a 2G connection, or up to 10km (6 miles) away through a line-of-sight point to point wireless link.

The GSM version of ProxyGambit uses two Adafruit FONA GSM breakout boards, two Arduinos, and two Raspberry Pis. The FONA board produces an outbound TCP connection over 2G. The Arduino serves as a serial connection over a reverse TCP tunnel and connects directly to the UART of a Raspberry Pi. The Pi is simply a network bridge at either end of the connection. By reverse tunneling a TCP connection through the ‘throwaway’ part of the build, [Samy] can get an Internet connection anywhere that has 2G service.

Although it’s just a proof of concept and should not be used by anyone who actually needs anonymity, the ProxyGambit does have a few advantages over the ProxyHam. It’s usable just about everywhere on the planet, and not just within two miles of the public WiFi access point. The source for ProxyGambit is also available, something that will never be said of the ProxyHam.

Originally published at The Scotto Grotto. You can comment here or there.

scottobear: (Default)

“ProxyHam” created controversy because the talk was supposedly suppressed by the US government. In this post, I’ll describe how you can build your own, with off-the-shelf devices, without any code.

First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.

Grab your first WiFi device. Configure it in “client” mode, connecting it to the “Starbucks” SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you’ll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.

Now grab your two locoM9 devices and configure them for “transparent bridging”. In this mode, whatever Ethernet packets are received on one end get sent over the air to the other end. Connect each locoM9 to a TL-WR700N via the supplied Ethernet cable.

Now grab the second WiFi device and configure it as a normal WiFi router.

Now, assuming you aim the locoM9s correctly toward each other with reasonable line-of-sight, you’ve got a “ProxyHam”.


The reason this works so easily is that everything has been designed to work this way. Bands like 900 MHz, 2.4 GHz, and 5 GHz are the “ISM bands” that are largely unregulated by the government. Unregulated means that if somebody is causing interference in those bands, you can’t complain to the government to make them stop.

The 900 MHz band is attractive because the signal will go a lot further than 2.4 GHz. On the other hand, it’s a smaller band, so can’t carry the same speed as 2.4 GHz band or the 5 GHz band.

Industrial equipment uses the 900 MHz band extensively. There are an enormous number of devices that’ll bridge two wires in this band. Most of them are for simple serial protocols like RS232. Some are for Ethernet, like the locoM9. They tend to be industrial-grade things that cost a lot more. The locoM9 is the cheapest device that does this from Ubiquiti, but they have a lot of more expensive stuff to choose from, often with better directional antennas that’ll go farther.

WiFi, too, is supposed to work this way. When you buy a WiFi router, you normally set it up in “access-point” mode. But virtually every router supports other modes, such as the “client” or “bridging” mode described above. It’s supposed to work this way.

The point of “ProxyHam” isn’t that there is some new magic out there, but that hackers can take existing stuff, use it for its expected purpose, and still achieve an unexpected outcome.

via.


Alternately,

How To Build A ProxyHam

Image from the original Wired Announcement

In the Wired article trumpeting the ProxyHam to the world, [Ben Caudill] is shown with a laptop wired to a small box with a rather large yagi antenna. This antenna is pointed well above the horizon, indicating the device is not being used, but that’s completely beside the point. The ProxyHam box contains something with an RJ45 connector on one end, and two RF connectors on the other. A quick perusal of Newegg lands on this, a radio base station designed to bridge networks via 900MHz radio. You’ll need to buy two of those to replicate the ProxyHam.

The Wired article describes the ProxyHam further: “…a Raspberry Pi computer connected to a Wi-Fi card and a small 900 megaherz antenna…” Newegg also stocks Raspberry Pis, antennas, and WiFi adapters. You might want to pick up a few SD cards too.

900MHz router seen in the original promo image

To set up the ‘throwaway’ part of the ProxyHam, you’ll need to first connect to the desired WiFi network, then bridge the WiFi and wired connections. Bridging networks with the Raspberry Pi is left as an exercise for the reader with sufficient Google-fu. Of course the 900MHz base station must also be configured, but according to the user guides on the Ubiquiti product page it’s not much harder than configuring a WiFi router. Set the radio to ‘bridge’ mode.

From there, it’s a simple matter of connecting a large yagi antenna to the ‘mobile’ part of the ProxyHam. Here’s how you build one. Configure the base station, and plug an Ethernet cable into a laptop. Congratulations, you’ve just replicated a talk at DEFCON by buying stuff from Newegg.

That’s how you build a ProxyHam. That’s also how to violate the FCC Part 97 prohibition against encryption – you cannot use SSH or HTTPS over amateur radio. It’s also how you can be charged under the Computer Fraud & Abuse Act; connecting to a library’s WiFi from miles away is most certainly “exceeding authorized access.”

Do not attempt this build. It’s illegal, it’s dumb, and the 900MHz band is flooded anyway. Also, if your plan for anonymity online revolves around stealing WiFi from Starbucks, why not just steal Starbucks WiFi from the McDonald’s across the street?

Let’s Speculate Why The ProxyHam Talk Was Cancelled

It’s July. In a few weeks, the BlackHat security conference will commence in Las Vegas. A week after that, DEFCON will begin. This is the prime time for ‘security experts’ to sell themselves, tip off some tech reporters, exploit the Arab Spring, and make a name for themselves. It happens every single year.

The idea the ProxyHam was cancelled because of a National Security Letter is beyond absurd. This build uses off the shelf components in the manner they were designed. It is a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges, but so will blowing up a mailbox with some firecrackers.

If you believe the FBI and other malevolent government forces are incompetent enough to take action against [Ben Caudill] and the ProxyHam, you need not worry about government surveillance. What you’re seeing is just the annual network security circus and it’s nothing but a show.

The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

In all likelihood, [Ben Caudill] only figured out a way to guarantee he is the most talked-about researcher at DEFCON. All you need to do is cancel the talk and allow tech journos to speculate about National Security Letters and objections to the publication of ProxyHam from the highest echelons of government.

If you think about it, it’s actually somewhat impressive. [Ben Caudill] used some routers and a Raspberry Pi to hack the media. If that doesn’t deserve respect, nothing does.

Via -


scottobear: (Default)

Oh the horror…. http://ift.tt/1KiwT1w


Profanity

Jul. 21st, 2015 04:00 pm
scottobear: (Default)

Profanity is the last refuge of an inarticulate motherfucker.


scottobear: (Default)

Discovered at least 5 (possibly 2-3 broadcasting different SSIDs from the same box) access points near the office. Strongest source was here. If I wasn’t due to park in my seat and get to work, I’d have investigated more closely. I suspect they’re hidden in either the bottom of a bench, a cigarette drop or in one of the valve access pockets for the sprinkler system.

Most suspect SSIDs were:

  • Samsung Galaxy S 5 2412
  • Park Bench_Guest
  • Courtyard_Guest

There were others, but I didn’t note them. I may try a return pass during my lunchtime walkies.

[edit – the “galaxy” and alternates were gone, or at least not transmitting. I’ll sniff for it at a similar time tomorrow morning. – The two “guest” items were still there, but appear to be part of the park.]

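One way to test the "same box" guess in the post above: multi-SSID access points usually give each virtual network a BSSID that differs from its siblings only in the last octet or in the locally-administered bit, so grouping scan rows on the rest of the address plus the channel estimates how many physical radios are present. This is an added example, not part of the original post; the BSSIDs, channels, the hidden-SSID row and the allowlist are constructed, and the grouping rule is a vendor-dependent heuristic.

```python
from collections import defaultdict

# Constructed survey rows: (SSID, BSSID, channel). The SSIDs are the ones noted
# in the post; every BSSID and channel, and the hidden row, is invented.
SCAN = [
    ("Park Bench_Guest",        "00:11:22:33:44:51", 6),
    ("Courtyard_Guest",         "02:11:22:33:44:51", 6),   # sibling via U/L bit
    ("",                        "00:11:22:33:44:53", 6),   # hidden SSID, same radio
    ("Courtyard_Guest",         "00:11:22:33:47:91", 11),  # second box, same name
    ("Samsung Galaxy S 5 2412", "a4:5e:60:c1:9b:10", 1),
]

# Assumed allowlist: the two names the post later attributes to the park.
KNOWN = {"Park Bench_Guest", "Courtyard_Guest"}


def radio_key(bssid, channel):
    """Heuristic identity of the physical radio behind a BSSID."""
    octets = [int(part, 16) for part in bssid.split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {bssid!r}")
    octets[0] &= 0xFD  # ignore the locally-administered bit
    octets[5] &= 0xF0  # ignore the per-SSID counter in the low nibble
    return (bytes(octets).hex(":"), channel)


def group_by_radio(scan):
    """Map each inferred radio to the sorted SSIDs it broadcasts."""
    groups = defaultdict(set)
    for ssid, bssid, channel in scan:
        groups[radio_key(bssid, channel)].add(ssid or "<hidden>")
    return {key: sorted(names) for key, names in groups.items()}


def unknown_ssids(scan, known):
    """SSIDs (hidden ones included) that are not on the allowlist."""
    return sorted({ssid or "<hidden>" for ssid, _, _ in scan if ssid not in known})


if __name__ == "__main__":
    for (radio, channel), names in group_by_radio(SCAN).items():
        print(f"{radio} ch{channel}: {names}")
    print("not on allowlist:", unknown_ssids(SCAN, KNOWN))
```

Five rows collapse to three inferred radios here; a survey tool's per-BSSID signal strength is the natural next field to compare before trusting the grouping.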

Profile

scottobear: (Default)
scott von berg
