Open Source GSM Network At Dutch Hacker Convention
solevita writes "Harald Welte, who's been interviewed previously by Slashdot, has written on his blog about operating an Open Source GSM network at the recent HAR2009 conference. Photographs and a description of the setup, run under license of the Dutch regulatory authority, are provided; essentially the setup consisted of a pair of BTSes (Base Transceiver Stations) running at 100mW transmit power each and tied to a tree. In turn these provided access to the Base Station Controller (BSC), in this case a Linux server in a tent running OpenBSC. The system authenticated users with a token sent via SMS; in total 391 users subscribed to the service and were able to use their phones as if they were on any other network. Independent researchers are increasingly examining GSM networks and equipment; Welte's work proves that GSM is in the realm of the hackers now and that this realm of mobile networking could be set for a few surprises in the future."
I'm not surprised that little walkie-talkies might not work over long distances. FRS radios (which may not be legal for commercial purposes) are limited to 1/2 watt.
Amateur Radio would certainly work, with handhelds easily available that do 5W (such as the Yaesu VX-7R) or you could get models designed for cars that do much more.
The only problem with ham radio is you aren't allowed to use it for business purposes, so for anything other than chatting between farm hands you couldn't use it.
The only real problem I've seen with little radios like the VX-7R tend to be that the interfaces are horrible. They come from the "here is 20 buttons and 3 function keys, plus holding means something" school of interface design. I don't know if there are any with better interfaces.
Ooh! I know what you need. GMRS radios can be up to 50 watts and used for commercial purposes (I'm pretty sure). You need a license, but there is no test, just a fee (according to Wikipedia).
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Isn't that what the summary was referring to when it stated: "run under license of the Dutch regulatory authority"?
I don't care why you're posting AC
Can someone put a figure on the cost of equipment involved? This would be very useful for folks on large farms where radio (read Walkie-talkies) do not cut it.
The setup seems to be:
So, I'd call that about 1000 EUR, not including the Linux PC driving the whole setup.
Yes, my father and I ran a GMRS radio system with a phone patch many many years ago. The primary customer was my uncle with his well drilling & service company, along with a few realtors.
There was a 50 watt repeater on the top of a hill, running on the 450 MHz band.
How? Unless it has GPS, your cellphone doesn't know anything about your physical location. It can be determined by the relative signal strengths received by each tower as your phone stays on the network, but whining about that is like saying "your computer is broadcasting an IP address!!!!!!!"
I'm in Europe and have a prepaid SIM, which is renewed for about 18 months every time I add a bit of money. And of course there's no charge for incoming calls/texts. I don't pay for jack.
I am going to speak in regards to GSM and UMTS networks as I know the protocol
There are security messages in Wireless Networks. There is Authentication and Ciphering in GSM/GPRS/EDGE/WCDMA/HSPA/HSPA+. In addition, there is integrity protection of signalling messages in WCDMA/HSPA/HSPA+ networks. There are a few messages which cannot be ciphered/integrity protected for obvious reasons, such as the initial Location Update Request/Attach Request. Yes, certain authentication algorithms have been compromised (GSM A5/2). It has been superseded by A5/3.
It is true that malware has made it onto cellular devices (Blackberry in UAE and Symbian come to mind). It is almost impossible for someone to remotely access the phone without such software existing on the device for voice frames.
Yes, the redirecting of packets/frames is a legal requirement in many jurisdictions. It usually has to be accompanied with a warrant from a relevant law enforcement agency otherwise the specific phone company employee faces criminal charges. The usual redirection is done in the MSC or SGSN and I have never seen a case where it was done at the basestation.
It doesn't. The network at HAR is isolated and only allowed internal calls (this is a requirement per the development license that was issued to them). However, I imagine you could do it through a VoIP provider given the right amount of code.
You are in Europe, which may explain why you don't know this bit about all cell phones sold in the US: All phones are required to have GPS or have the capability for triangulation for E911 purposes as of a few years ago. http://en.wikipedia.org/wiki/Enhanced_911
GMRS cannot be licensed for businesses in the US. There are some business users who were grandfathered in when the rules changed. GMRS is licensed to individuals for their and their immediate family's use. This could include business activity though. Also you're not licensed a set frequency, rather a collection of frequencies which make up the GMRS service.
http://wireless.fcc.gov/services/index.htm?job=service_home&id=general_mobile
However, you can acquire a license for your business and depending on your needs, even your own frequency.
http://wireless.fcc.gov/services/index.htm?job=service_home&id=industrial_business
There's also MURS which may be used for any purpose and is license free. However it's only five VHF channels and power is limited to 2 watts, also there's a serious lack of certified equipment for this band. Most users are using grandfathered in part-90 certified radios on MURS.
http://wireless.fcc.gov/services/index.htm?job=service_home&id=multi_use
I suggest you educate yourself before criticising a technology that has served the world (as well as the U.S.) for a good several decades.
UMTS, a 3G technology, uses GSM's Mobile Access Part (MAP) and voice codecs. It's basically GSM with a new air interface. Handsets using UMTS can also use 'old' GSM when there's no 3G coverage.
Actually, you should educate yourself beyond skimming Wiki articles.
GSM has been around only since the early 90s (less than 2 decades).
Saying UMTS is "basically GSM with a new air interface" is completely misleading. GSM is an FDMA / TDMA hybrid, meaning the channels are allocated across frequency but each channel can support multiple time-multiplexed voice streams. UMTS is most commonly CDMA direct sequence spread spectrum, which is an entirely different multiple access method than FDMA / TDMA. All users communicate over the entire spectrum simultaneously, where a unique spreading code provides interference mitigation (processing gain) at the receiver. In addition to different access methods, GSM and UMTS also use different modulation methods (GSM is a spectrally efficient MSK, UMTS is QPSK, I believe).
In short, they are entirely different from a telecom standpoint. Multi-mode phones can support both standards only because the RF frequencies are sufficiently close and they have completely separate processing algorithms for each built-in, not because there's a wealth of technical similarities between the two standards. Adoption of the same voice codec is a trivial similarity.
GSM has been around only since the early 90s (less than 2 decades).
OK, I stand corrected.
Saying UMTS is "basically GSM with a new air interface" is completely misleading. GSM is an FDMA / TDMA hybrid... UMTS is most commonly CDMA...
Uh, that's what I meant when I said "air interface". Yes, the modulation/multiplexing techniques are completely different. But the protocol(s) used between the tower and phone, and between towers, are (from what I understand) essentially the same. And that's what this OpenBSC project is handling.
Multi-mode phones can support both standards only because the RF frequencies are sufficiently close and they have completely separate processing algorithms for each built-in, not because there's a wealth of technical similarities between the two standards.
No, they support both standards (with two modems) because they both use the same underlying protocols. To put it in Internet terms, you're arguing that my desktop using wired Ethernet is using completely different Internet protocols than your laptop using Wi-Fi. We're simply talking about different layers.
If the "numbers" you're talking about are the IMEI (International Mobile Equipment Identifier), then yes, that's all you need to impersonate a phone. I'm not sure about anywhere else, but in Australia it's illegal to change a phone's IMEI - but it's trivial to do it with most (all?) phones.
True, but the IMEI only identifies the phone (the handset), not the user. The user is identified by the IMSI (International Mobile Subscriber Identity), which, after the initial login to the network, is replaced by the temporarily valid TMSI. The IMSI itself is stored in the SIM card, along with the symmetric encryption key. In order to participate on any network, you need to provide both a valid IMEI and IMSI. The GSM operators should maintain records of the IMEIs used in the network. There are also so-called black lists, where banned IMEIs are stored. In theory, if your phone is stolen and you report it, the operator can ban it from being used on the network (and the black lists are supposedly exchanged between operators). However, in my experience, most operators don't care - probably due to the easy IMEI change on most handsets mentioned before.
Regards, Boyan
In the UK this is done centrally, not by the operators individually. Consequently, most nicked handsets get shipped abroad...
-- Intelligence is soluble in alcohol
Mildly pedantic here, but GSM started in 1982, even if it took 9 years to actually get to a point where a call was made on a network :-)
But, imroy is reasonably correct. UMTS is ostensibly an "upgrade" of LTE in that the network protocols are augmented to allow UMTS calls over the newer radio layer (which has its own adjusted control protocols). You can even interject GPRS & EDGE as intermediate steps between GSM and UMTS. Similarly, LTE is an "enhancement" of UMTS (HSPA has an even closer relationship with UMTS, too).
-- Intelligence is soluble in alcohol
1. In GSM/UMTS, the encryption keys are stored on the SIM/USIM and never transmitted over the air. There are two parameters passed to the MS/UE, which calculates and returns a value to the network. If the two values don't match, the authentication process fails.
2. Again, there is the issue of knowing the keys. The IMSI/TMSI/PTMSI is not enough information to successfully intercept a call. I can set up an entirely fake network for Mobile to Mobile calls, and if both mobiles are on my network, I can turn off authentication and ciphering and have complete access to the call.
3. Private keys are stored on the SIM/USIM.
Don't get me wrong, a number of security issues still remain with Wireless Networks, but they do have a few security measures.
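The two comments above (the IMEI/IMSI/TMSI explanation and the three points on keys and challenge-response) describe the same attach sequence from different angles. The following is an added illustration, not code from OpenBSC or from any poster: a toy model of a GSM network side (AuC/HLR, EIR black list, VLR) and a SIM, showing that Ki never crosses the air, that the initial Location Update carries the IMSI in the clear, that a TMSI replaces it after a successful challenge, and that a handset with a black-listed IMEI or a SIM with the wrong Ki is refused. The A3/A8 function is a hypothetical stand-in (HMAC-SHA256 keyed with Ki); real operators use their own algorithms. All identifiers and keys below are constructed sample values.

```python
import hmac
import hashlib
import secrets


def a3a8_stand_in(ki: bytes, rand: bytes):
    """Hypothetical stand-in for the operator's A3/A8: HMAC-SHA256 keyed with Ki.
    Returns (SRES, Kc): a 32-bit response and a 64-bit session key."""
    mac = hmac.new(ki, rand, hashlib.sha256).digest()
    return mac[:4], mac[4:12]


class Sim:
    """The subscriber's SIM: holds IMSI and Ki; Ki is never exported."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki          # stays on the card
        self.kc = None         # session key derived during authentication

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_stand_in(self._ki, rand)
        return sres            # only SRES goes back over the air


class Network:
    """Toy network side: AuC/HLR (IMSI -> Ki), EIR black list, VLR (TMSI -> IMSI)."""

    def __init__(self, subscribers: dict, eir_blacklist: set):
        self.auc = dict(subscribers)
        self.eir_blacklist = set(eir_blacklist)
        self.vlr = {}
        self.air_log = []      # everything an eavesdropper on the radio path sees

    def location_update(self, imei: str, sim: Sim):
        # The initial Location Update Request cannot be ciphered yet: IMSI and IMEI in clear.
        self.air_log.append(("LOCATION_UPDATE_REQ", sim.imsi, imei))
        if imei in self.eir_blacklist:
            self.air_log.append(("LOCATION_UPDATE_REJECT", "IMEI black-listed"))
            return None
        ki = self.auc.get(sim.imsi)
        if ki is None:
            self.air_log.append(("LOCATION_UPDATE_REJECT", "IMSI unknown"))
            return None
        # Challenge: a fresh RAND is sent; the expected SRES is computed from Ki at the AuC.
        rand = secrets.token_bytes(16)
        expected_sres, kc = a3a8_stand_in(ki, rand)
        self.air_log.append(("AUTH_REQ", rand))
        sres = sim.run_gsm_algorithm(rand)
        self.air_log.append(("AUTH_RESP", sres))
        if not hmac.compare_digest(sres, expected_sres):
            self.air_log.append(("AUTH_REJECT", None))
            return None
        # Success: allocate a TMSI so the IMSI need not be sent again; this message
        # would be ciphered under Kc, so the eavesdropper's log records only that fact.
        tmsi = secrets.token_bytes(4)
        self.vlr[tmsi] = sim.imsi
        self.air_log.append(("TMSI_REALLOC", "ciphered under Kc"))
        return tmsi


# Constructed sample data (MCC 001 is the test-network code; nothing here is real).
KI_ALICE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IMSI_ALICE = "001010000000001"
IMEI_OK = "000000000000001"
IMEI_STOLEN = "000000000000002"


def demo():
    """Run the four cases and return what a defender would check."""
    net = Network({IMSI_ALICE: KI_ALICE}, {IMEI_STOLEN})
    alice = Sim(IMSI_ALICE, KI_ALICE)
    impostor = Sim(IMSI_ALICE, bytes(16))   # knows the IMSI, guesses Ki wrong

    ok = net.location_update(IMEI_OK, alice)
    blacklisted = net.location_update(IMEI_STOLEN, alice)
    wrong_key = net.location_update(IMEI_OK, impostor)
    unknown = net.location_update(IMEI_OK, Sim("001010000000099", KI_ALICE))

    ki_on_air = any(KI_ALICE in m for _, *rest in net.air_log for m in rest if isinstance(m, bytes))
    return {
        "tmsi_assigned": ok is not None and net.vlr.get(ok) == IMSI_ALICE,
        "blacklisted_refused": blacklisted is None,
        "wrong_key_refused": wrong_key is None,
        "unknown_imsi_refused": unknown is None,
        "imsi_in_clear_initially": net.air_log[0] == ("LOCATION_UPDATE_REQ", IMSI_ALICE, IMEI_OK),
        "ki_never_on_air": not ki_on_air,
        "session_key_matches": alice.kc is not None and len(alice.kc) == 8,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model makes the second poster's point concrete: knowing the IMSI (or a captured RAND/SRES pair) is not enough, because the response depends on Ki, which only the card and the AuC hold. It also shows where the first poster's black list sits in the flow: the EIR check happens before the challenge, on the IMEI the handset reports in the clear, which is exactly why an easily changed IMEI weakens it.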
It varies depending on the phone, the carrier, etc.
Most carriers have the ability to use the time difference of arrival on multiple towers to determine a general position, and this data is sent along to the call centers when a 911 call is made. This works with any phone. Problem is that it's pretty inaccurate. You can only narrow it down to a block or two, at best. Advanced methods of this can be more precise, but it's not something easy to automate for E911 purposes.
If the phone itself has GPS capabilities (or more commonly, Assisted GPS so that it'll work indoors too), then the phone itself sends the location data along with the 911 call. All phones with GPS systems do this.
To the emergency call handler, this is all more or less transparent; they get the callers name, number, and general location (or specific location for outdoors GPS signals).
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.