Slashdot Mirror


Open Source GSM Network At Dutch Hacker Convention

solevita writes "Harald Welte, who's been interviewed previously by Slashdot, has written on his blog about operating an Open Source GSM network at the recent HAR2009 conference. Photographs and a description of the setup, run under license of the Dutch regulatory authority, are provided; essentially the setup consisted of a pair of BTSs (Base Transceiver Stations) running at 100 mW transmit power each and tied to a tree. In turn these provided access to the Base Station Controller (BSC), in this case a Linux server in a tent running OpenBSC. The system authenticated users with a token sent via SMS; in total 391 users subscribed to the service and were able to use their phones as if they were on any other network. Independent researchers are increasingly examining GSM networks and equipment; Welte's work proves that GSM is in the realm of the hackers now and that this realm of mobile networking could be set for a few surprises in the future."

26 of 141 comments

  1. What are the costs? by bogaboga · · Score: 4, Interesting

    Can someone put a figure on the cost of equipment involved? This would be very useful for folks on large farms where radio (read Walkie-talkies) do not cut it.

    1. Re:What are the costs? by MBCook · · Score: 5, Informative

      I'm not surprised that little walkie-talkies might not work over long distances. FRS radios (which may not be legal for commercial purposes) are limited to 1/2 watt.

      Amateur Radio would certainly work, with handhelds easily available that do 5W (such as the Yaesu VX-7R) or you could get models designed for cars that do much more.

      The only problem with ham radio is you aren't allowed to use it for business purposes, so for anything other than chatting between farm hands you couldn't use it.

      The only real problem I've seen with little radios like the VX-7R tends to be that the interfaces are horrible. They come from the "here is 20 buttons and 3 function keys, plus holding means something" school of interface design. I don't know if there are any with better interfaces.

      Ooh! I know what you need. GMRS radios can be up to 50 watts and used for commercial purposes (I'm pretty sure). You need a license, but there is no test, just a fee (according to Wikipedia).

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:What are the costs? by TheRaven64 · · Score: 3, Interesting

      And the legal issues. I was under the impression that the GSM frequencies were licensed and could only be used with permission of whoever bought that slice of the frequency. Are there any special exemptions for very low power transmitters?

      --
      I am TheRaven on Soylent News
    3. Re:What are the costs? by multisync · · Score: 3, Informative

      > I was under the impression that the GSM frequencies were licensed and could only be used with permission of whoever bought that slice of the frequency

      Isn't that what the summary was referring to when it stated: "run under license of the Dutch regulatory authority"?

      --
      I don't care why you're posting AC
    4. Re:What are the costs? by bushing · · Score: 5, Informative

      > Can someone put a figure on the cost of equipment involved? This would be very useful for folks on large farms where radio (read Walkie-talkies) do not cut it.

      The setup seems to be:

      • two BTS with two TRX each - Each BTS is a surplus Siemens BS-11, which they are selling for 300 Euro. (I almost bought one at 25C3, until I realized they were almost 46 kg each)
      • two antennas -- included in the purchase price of the BS-11
      • E1-to-PCI interface card - 350 EUR

      So, I'd call that about 1000 EUR, not including the Linux PC driving the whole setup.

    5. Re:What are the costs? by DarthBart · · Score: 4, Informative

      Yes, my father and I ran a GMRS radio system with a phone patch many many years ago. The primary customer was my uncle with his well drilling & service company, along with a few realtors.

      There was a 50 watt repeater on the top of a hill, running on the 450 MHz band.

    6. Re:What are the costs? by lewko · · Score: 3, Funny

      Nyet.

      In Soviet Russia, Licensed devices interfere with you.

      --
      Do you or your partner snore? - Visit www.snoring.com.au
  2. what it means by phantomfive · · Score: 4, Interesting

    > Welte's work proves that GSM is in the realm of the hackers now and that this realm of mobile networking could be set for a few surprises in the future

    What this means by 'surprises' is people hacking the network and getting free phone calls. It's a whole new generation of phone phreaking, except it's not as cool because phone calls around the world are super cheap now anyway (or free using Skype), and we can do conference calls with as many people as we want easily. So now it's probably not worth the effort. If you can reroute numbers, that might still be cool.

    I know for a fact that there are vulnerabilities in the CDMA network, and I don't know as much about GSM, but I have no reason to believe there wouldn't be vulnerabilities in those networks.

    Or maybe someone else can think of a use for this, that isn't covered by CB radio already? Besides being cool, I mean.

    --
    Qxe4
    1. Re:what it means by rwwyatt · · Score: 4, Informative

      I am going to speak in regards to GSM and UMTS networks as I know the protocol.

      There are security messages in Wireless Networks. There is Authentication and Ciphering in GSM/GPRS/EDGE/WCDMA/HSPA/HSPA+. In addition, there is integrity protection of signalling messages in WCDMA/HSPA/HSPA+ networks. There are a few messages which cannot be ciphered/integrity protected for obvious reasons, such as the initial Location Update Request/Attach Request. Yes, certain authentication algorithms have been compromised (GSM A5/2). It has been superseded by A5/3.

      It is true that malware has made it onto cellular devices (Blackberry in UAE and Symbian come to mind). It is almost impossible for someone to remotely access the phone without such software existing on the device for voice frames.

      Yes, the redirecting of packets/frames is a legal requirement in many jurisdictions. It usually has to be accompanied with a warrant from a relevant law enforcement agency otherwise the specific phone company employee faces criminal charges. The usual redirection is done in the MSC or SGSN and I have never seen a case where it was done at the basestation.

    2. Re:what it means by Jared555 · · Score: 5, Interesting

      The possibility of setting up 'free/cheap cell phone access points' so people can bypass att, verizon, etc.?

    3. Re:what it means by marcansoft · · Score: 3, Insightful

      I'd be more worried about 'surprises' involving A5/1 cracking and the privacy implications. As they put it in the HAR talk, TCP/IP services have been analyzed all the way and back because anyone can get an Ethernet card, put it in promiscuous mode, and start sniffing/injecting packets. This hasn't been the case for GSM until recently. Never mind that GSM is designed such that mobile equipment (cellphones) are authenticated, but networks aren't - you can set up a rogue network and any cell will happily connect to it automatically!

      A5/1 was shown to be vulnerable many years ago. There is now an A5/1 cracking project. If you have the resources (Nvidia CUDA graphics card) you should help them build rainbow tables, or just mirror the site and SVN in case bad things happen again like they have in the past (there's more than one government that would like to shut down such a project). A public demonstration of A5/1 cracking would do a lot towards debunking the myth of GSM security.

      Free phone calls? I doubt people are *that* interested in them, never mind that any issues people find are probably easily fixable at the operator's side anyway. However, another issue that might arise is DoS attacks against cell networks. Apparently a lot of GSM expects the terminals to "play nice". Deliberately doing things outside the spec can cause an entire cell to deny service to all the other users.

      Basically, GSM is a very large part security through obscurity these days, and its end security-wise is looming closer. Let's hope the newer standards (3G) have done things better.

    4. Re:what it means by Rich0 · · Score: 4, Interesting

      You seem to know what you're talking about, and I have to confess that I don't know much about GSM/CDMA in general, although I can theorize some attacks. How does the network defend against the following attacks:

      1. Passive listener intercepts the credentials necessary to make calls as a phone transmitting nearby. (I assume they're encrypted, but is it strong, is everything encrypted, and is it secure against replay attacks?). This is easily defeated using encryption if done right.

      2. Active transmitter broadcasts GSM service (as a base station), allows a phone to connect, and then when that phone places a call the fake base station records its credentials. Optionally then impersonate the phone to a real base station and perform a MITM. Possible defenses against this include having phones only talk to stations that present a trusted certificate and pass a challenge/response, or by having the phone pass a challenge/response rather than simply transmitting a static identifier.

      3. Cell phone company employee or maybe even a shopper copies down the numbers on the outside of a phone's box and uses that to clone the phone. I'm not sure if those numbers are sufficient to impersonate the phone, or if it has some private key of some kind hidden inside.

      Basically, to be secure the system has to use some kind of challenge/response system (RSA/etc) and not simply broadcast passwords/etc. The old analog phones worked in this way and cloning was a big problem with them. The question is whether they truly fixed these vulnerabilities or if they simply relied on the fact that the cost of intercepting a spread-spectrum transmission is so high that most thieves would be halted (kind of like the way that CDs were effectively protected back in the 80s by the high cost of writers).

    5. Re:what it means by SaDan · · Score: 3, Informative

      You are in Europe, which may explain why you don't know this bit about all cell phones sold in the US: All phones are required to have GPS or have the capability for triangulation for E911 purposes as of a few years ago. http://en.wikipedia.org/wiki/Enhanced_911

    6. Re:what it means by vlad+valis · · Score: 4, Interesting

      It's inevitable. Years from now when cheap community GSM towers are commonplace, this software project will be seen as a milestone in telecommunications. There are plenty of rural areas all over the world that could some day take advantage of this. And by the way, when we've got ubiquitous cheap GSM, what would we need 802.11 for? Great idea, awesome project! Someone give those guys money!

    7. Re:what it means by Blazarov · · Score: 3, Informative

      True, but the IMEI only identifies the phone (the handset), not the user itself. The user is identified by the IMSI (International Mobile Subscriber Identity), which, after the initial login to the network, is replaced by the temporarily valid TMSI. The IMSI itself is stored in the SIM card, along with the symmetric encryption key. In order to participate on any network, you need to provide both a valid IMEI and IMSI. The GSM operators should maintain records of the IMEIs used in the network. There are also so-called black lists, where banned IMEIs are stored. In theory, if your phone is stolen and you report it, the operator can ban it from being used on the network (and the black lists are supposedly exchanged between operators). However, in my experience, most operators don't care - probably due to the easy IMEI change on most handsets mentioned before.

      --
      Regards, Boyan
    8. Re:what it means by rwwyatt · · Score: 3, Informative

      1. In GSM/UMTS, the encryption keys are stored on the SIM/USIM and never transmitted over the air. There are two parameters passed to the MS/UE, which calculates and returns a value to the network. If the two values don't match, the authentication process fails.

      2. Again, there is the issue of knowing the keys. The IMSI/TMSI/PTMSI is not enough information to successfully intercept a call. I can set up an entirely fake network for Mobile to Mobile calls, and if both mobiles are on my network, I can turn off authentication and ciphering and have complete access to the call.

      3. Private keys are stored on the SIM/USIM.

      Don't get me wrong, a number of security issues still remain with Wireless Networks, but they do have a few security measures.
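      The challenge/response rwwyatt describes above, and the defence Rich0 asks about (a handset that only answers a network it can verify), modelled as an added Python example that is not from the page or from OpenBSC: the key stays inside the SIM object, GSM's one-way run answers any RAND it is handed, and a simplified UMTS AKA run (AUTN shown as SQN || MAC; real MILENAGE also masks SQN with AK and carries AMF) lets the USIM refuse a challenge from a party that does not hold K. The HMAC-based key function, the demo IMSI and the demo key are constructed stand-ins, not the real algorithms or real subscriber data.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in for the SIM algorithms (A3/A8 in GSM, f1-f5 in UMTS). Real SIMs
    # use COMP128 or MILENAGE; HMAC-SHA256 is used here only so the example runs.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Sim:
    """Subscriber side. Ki/K never leaves this object; only responses do."""

    def __init__(self, imsi: str, k: bytes) -> None:
        self.imsi = imsi
        self._k = k

    def gsm_response(self, rand: bytes):
        # GSM: the SIM answers whatever RAND it is given. It has no way to tell
        # whether the challenge came from its home operator (one-way auth).
        d = _prf(self._k, rand)
        return d[:4], d[4:12]            # (SRES sent over the air, Kc kept locally)

    def umts_response(self, rand: bytes, autn: bytes):
        # UMTS AKA (simplified): AUTN carries a MAC computed with K over (SQN, RAND).
        # The USIM checks it before answering, so a challenge built without K fails.
        sqn, mac = autn[:6], autn[6:14]
        if not hmac.compare_digest(mac, _prf(self._k, sqn, rand)[:8]):
            return None                  # MAC failure: the network is not authenticated
        d = _prf(self._k, rand)
        return d[:8], d[8:24], d[24:32]  # (RES, CK, IK)


class AuC:
    """Authentication centre: holds a copy of K per IMSI and issues challenges."""

    def __init__(self, subscribers: dict) -> None:
        self._keys = dict(subscribers)
        self._sqn = 0

    def gsm_triplet(self, imsi: str):
        rand = os.urandom(16)            # fresh RAND per run, so old SRES values are useless
        d = _prf(self._keys[imsi], rand)
        return rand, d[:4], d[4:12]      # (RAND, expected SRES, Kc)

    def umts_vector(self, imsi: str):
        self._sqn += 1
        rand = os.urandom(16)
        sqn = self._sqn.to_bytes(6, "big")
        mac = _prf(self._keys[imsi], sqn, rand)[:8]
        d = _prf(self._keys[imsi], rand)
        return rand, sqn + mac, d[:8]    # (RAND, AUTN, expected RES)


def gsm_authenticate(auc: AuC, sim: Sim) -> bool:
    rand, expected_sres, _kc = auc.gsm_triplet(sim.imsi)
    sres, _kc_sim = sim.gsm_response(rand)   # only RAND and SRES cross the air
    return hmac.compare_digest(sres, expected_sres)


def umts_authenticate(auc: AuC, sim: Sim) -> bool:
    rand, autn, expected_res = auc.umts_vector(sim.imsi)
    reply = sim.umts_response(rand, autn)
    return reply is not None and hmac.compare_digest(reply[0], expected_res)


# Constructed demo subscriber (not a real IMSI or key).
DEMO_IMSI = "001010123456789"
DEMO_K = bytes(range(16))
```

      Run both flows against an AuC that holds a different key for the same IMSI: the GSM SIM still produces an SRES (it cannot know better), while the USIM returns None because the AUTN check fails.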

    9. Re:what it means by Otto · · Score: 3, Informative

      It varies depending on the phone, the carrier, etc.

      Most carriers have the ability to use the time difference of arrival on multiple towers to determine a general position, and this data is sent along to the call centers when a 911 call is made. This works with any phone. Problem is that it's pretty inaccurate. You can only narrow it down to a block or two, at best. Advanced methods of this can be more precise, but it's not something easy to automate for E911 purposes.

      If the phone itself has GPS capabilities (or more commonly, Assisted GPS so that it'll work indoors too), then the phone itself sends the location data along with the 911 call. All phones with GPS systems do this.

      To the emergency call handler, this is all more or less transparent; they get the callers name, number, and general location (or specific location for outdoors GPS signals).

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  3. I wonder if GNU Radio is ready to join the party.. by fuzzyfuzzyfungus · · Score: 3, Interesting

    It's a pretty cool setup; but the notion of depending on decade-old EOLed RF hardware, because it is all you can get for a reasonable price, makes one a touch nervous.

    I wonder how difficult it would be to get a GNU Radio unit, or other software defined radio hardware, to stand in place of the BTS?

  4. Re:I wonder if GNU Radio is ready to join the part by Anonymous Coward · · Score: 3, Interesting

    Already done.

    http://openbts.sourceforge.net/

  5. For NSA... by cbraescu1 · · Score: 3, Funny

    Trust me, for NSA all our GSM is already Open Source ;-)

    --
    Catalin Braescu
    Ofaly.com
  6. Re:GSM? Future? WTF? by imroy · · Score: 3, Insightful

    Oh dear, someone clearly has a new 3G phone and thinks everyone should dump that old stuff. Because it's old. Nobody likes old technology! It has to be new and flash!

    I suggest you educate yourself before criticising a technology that has served the world (as well as the U.S.) for a good several decades. Apart from video calls and high-speed internet access, GSM does everything that 3G does. For many people, voice calls and text messaging are still what they use a mobile phone for. Mobile phone use is taking off in poorer parts of the world because it's cheaper and simpler to set up towers that can serve hundreds (thousands?) of people across a large area than run telephone lines to every single house ("leapfrogging"). This software (OpenBSC) could certainly be of use in these parts of the world.

    UMTS, a 3G technology, uses GSM's Mobile Access Part (MAP) and voice codecs. It's basically GSM with a new air interface. Handsets using UMTS can also use 'old' GSM when there's no 3G coverage.

    So this development effort will not be for naught in the 3G world. They'll just have to find some new hardware that does UMTS and will continue working.

  7. Re:GSM? Future? WTF? by Grieviant · · Score: 4, Informative

    > I suggest you educate yourself before criticising a technology that has served the world (as well as the U.S.) for a good several decades.

    > UMTS, a 3G technology, uses GSM's Mobile Access Part (MAP) and voice codecs. It's basically GSM with a new air interface. Handsets using UMTS can also use 'old' GSM when there's no 3G coverage.

    Actually, you should educate yourself beyond skimming Wiki articles.

    GSM has been around only since the early 90s (less than 2 decades).

    Saying UMTS is "basically GSM with a new air interface" is completely misleading. GSM is an FDMA / TDMA hybrid, meaning the channels are allocated across frequency but each channel can support multiple time-multiplexed voice streams. UMTS is most commonly CDMA direct sequence spread spectrum, which is an entirely different multiple access method than FDMA / TDMA. All users communicate over the entire spectrum simultaneously, where a unique spreading code provides interference mitigation (processing gain) at the receiver. In addition to different access methods, GSM and UMTS also use different modulation methods (GSM is a spectrally efficient MSK, UMTS is QPSK I believe).

    In short, they are entirely different from a telecom standpoint. Multi-mode phones can support both standards only because the RF frequencies are sufficiently close and they have completely separate processing algorithms for each built-in, not because there's a wealth of technical similarities between the two standards. Adoption of the same voice codec is a trivial similarity.

  8. Uhhhhh... I smell trouble by Opportunist · · Score: 3, Insightful

    Let's see what we got here...

    1) Companies with a lot of money and a lot of influence in Washington.
    2) Companies that invested little if anything into securing their systems, deeming it inherently secure because nobody could break into it anyway.
    3) Companies whose very business model relies on an oligopoly, if not monopoly in certain areas, on the service they provide.

    I smell terrorist laws concerning "private" GSM networks any time soon.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:OpenBTS? by zeromorph · · Score: 3, Interesting

    Because they are running Siemens base stations and for that Harald started OpenBSC. Both projects are under GPL and are in close contact as far as I know.

    Harald had a talk at 25C3 about their project, and they were running a small setup there in the basement. AFAIK, because all frequencies are sold in Germany - there should be at least one for independent testing, but they sold all to the telcos - maybe that's why they are running the larger test in the Netherlands now.

    --
    "Hannibal's plans never work right. They just work." Amy/A-Team
  10. Re:GSM? Future? WTF? by stupid_is · · Score: 5, Interesting

    > Interesting. And here I thought that at least where I live, operators would love nothing more than to get rid of the old GSM networks in favor of newer technologies.

    > They can't do that quite yet but a constantly larger part of data transfers utilize 3rd generation technologies... GSM will probably be around 5 years from now, I doubt it will be 10 years from now.

    > GSM and future just don't mix. Hackers should have looked at it a decade ago.

    Laughable.

    So you think that half the population of the planet are going to buy a new phone to get the latest whizzy l33t LTE/HSPA/UMTS gadgets? That idea is part of what provoked the inflation of the 3G auction prices back in 2000 - everybody thought UMTS was the Next Big Thing, but no-one thought to examine the true cost of installing it. Each one of those boxes at the bottom of the masts costs between $5K and $20K (depending on size & time at which you bought it - early kit was knocking on around the $20K/box mark) and a national network has thousands of them (except the one in Andorra, which I think has around 50!). So, mucho dinero to just buy the kit. Then you've got to install it (also lots of $$) and connect it into a decent backbone (UMTS promised data rates of up to 2Mbps (haha - most folks don't see more than 384kbps on vanilla 3G)), so you need a chunk of data bandwidth to the site (which in some countries is either/both of exorbitant and flaky). The upgrade to HSPA and its enhancements promises 3-14Mbps, so even more bandwidth required. So all these companies who thought they'd make a bundle on a mobile data offering with no killer application lost out.

    Now we're starting off the whole shebang again with LTE - marketing promises 100Mbps (reality maxes out at around 70, though, and no individual subscriber is likely to see that). Do we see droves of folks ditching their trusty GSM phone to get the latest mobile data gadget? Nope - not in the slightest. The GSM market is still growing - although the hardware vendors are being encouraged to make their kit as upgrade-to-UMTS/LTE-friendly as possible. There are over 3 billion GSM phones out there - they will still mostly be out there in ten years time. UMTS is only just kicking off due to the recent uptake in data dongles that you can stick into a USB port on your netbook. Nobody (or at least only the iPhone fanbois) is buying 3G phones to make video calls as nobody wants that. A phone call is still just a phone call, and GSM is very good at delivering that so no-one wants to change from GSM.

    At best, you're going to see a data-friendly tech (UMTS/HSPA/LTE) overlay on top of GSM for most of the world for a long time.

    --
    -- Intelligence is soluble in alcohol
  11. private GSM network + cheap SIP = cheap mobile! by Aadaam · · Score: 3, Interesting

    I'm wondering if I'd set up such a network at home, possibly with a normal GSM modem which would act as my "phone" to the outside carrier... So, for example,
    - I'm at Vodafone outside on the street,
    - I go home -> my phone switches to MyOwnNetwork
    - If I call anyone around the house (neighbours, family, etc), it's free
    - If I call a landline -> goes through cheap SIP
    - If I call a cellphone -> the system would "roam" me, but for cheap - it would make Vodafone believe it's my phone!

    How does this smell? :)