Cellphones Communications Networking

Open Source GSM Network At Dutch Hacker Convention 141

solevita writes "Harald Welte, who's been interviewed previously by Slashdot, has written on his blog about operating an Open Source GSM network at the recent HAR2009 conference. Photographs and a description of the setup, run under license of the Dutch regulatory authority, are provided; essentially the setup consisted of a pair of BTSs (Base Transceiver Stations) running at 100mW transmit power each and tied to a tree. In turn these provided access to the Base Station Controller (BSC), in this case a Linux server in a tent running OpenBSC. The system authenticated users with a token sent via SMS; in total 391 users subscribed to the service and were able to use their phones as if they were on any other network. Independent researchers are increasingly examining GSM networks and equipment; Welte's work proves that GSM is in the realm of the hackers now and that this realm of mobile networking could be set for a few surprises in the future."
  • What are the costs? (Score:5, Interesting)

    by bogaboga ( 793279 ) on Sunday August 16, 2009 @08:18PM (#29087267)

    Can someone put a figure on the cost of equipment involved? This would be very useful for folks on large farms where radio (read Walkie-talkies) do not cut it.

  • by Whuffo ( 1043790 ) on Sunday August 16, 2009 @08:20PM (#29087281) Homepage Journal
    My home telephone is a SIP phone and I don't have to play the AT&T game anymore. So how long until cell phone service is dirt cheap?
  • by TheRaven64 ( 641858 ) on Sunday August 16, 2009 @08:25PM (#29087301) Journal
    And the legal issues. I was under the impression that the GSM frequencies were licensed and could only be used with permission of whoever bought that slice of the frequency. Are there any special exemptions for very low power transmitters?
  • OpenBTS? (Score:1, Interesting)

    by Anonymous Coward on Sunday August 16, 2009 @08:33PM (#29087359)

    Why not use this?

    http://openbts.sourceforge.net/

  • what it means (Score:5, Interesting)

    by phantomfive ( 622387 ) on Sunday August 16, 2009 @08:43PM (#29087423) Journal

    Welte's work proves that GSM is in the realm of the hackers now and that this realm of mobile networking could be set for a few surprises in the future

    What this means by 'surprises' is people hacking the network and getting free phone calls. It's a whole new generation of phone phreaking, except it's not as cool because phone calls around the world are super cheap now anyway (or free using Skype), and we can do conference calls with as many people as we want easily. So now it's probably not worth the effort. If you can reroute numbers, that might still be cool.

    I know for a fact that there are vulnerabilities in the CDMA network, and I don't know as much about GSM, but I have no reason to believe there wouldn't be vulnerabilities in those networks.

    Or maybe someone else can think of a use for this, that isn't covered by CB radio already? Besides being cool, I mean.

  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday August 16, 2009 @09:12PM (#29087561) Journal
    It's a pretty cool setup; but the notion of depending on decade old EOLed RF hardware, because it is all you can get for a reasonable price, makes one a touch nervous.

    I wonder how difficult it would be to get a GNU Radio unit, or other software defined radio hardware, to stand in place of the BTS?
  • by Anonymous Coward on Sunday August 16, 2009 @09:21PM (#29087601)

    already done.

    http://openbts.sourceforge.net/

  • Re:what it means (Score:5, Interesting)

    by Jared555 ( 874152 ) on Sunday August 16, 2009 @10:00PM (#29087791)

    The possibility of setting up 'free/cheap cell phone access points' so people can bypass att, verizon, etc.?

  • Re:what it means (Score:5, Interesting)

    by Rich0 ( 548339 ) on Sunday August 16, 2009 @10:41PM (#29087977) Homepage

    You seem to know what you're talking about, and I have to confess that I don't know much about GSM/CDMA in general, although I can theorize some attacks. How does the network defend against the following attacks:

    1. Passive listener intercepts the credentials necessary to make calls as a phone transmitting nearby. (I assume they're encrypted, but is it strong, is everything encrypted, and is it secure against replay attacks?). This is easily defeated using encryption if done right.

    2. Active transmitter broadcasts GSM service (as a base station), allows a phone to connect, and then when that phone places a call the fake base station records its credentials. Optionally then impersonate the phone to a real base station and perform a MITM. Possible defenses against this include having phones only talk to stations that present a trusted certificate and pass a challenge/response, or by having the phone pass a challenge/response rather than simply transmitting a static identifier.

    3. Cell phone company employee or maybe even a shopper copies down the numbers on the outside of a phone's box and uses that to clone the phone. I'm not sure if those numbers are sufficient to impersonate the phone, or if it has some private key of some kind hidden inside.

    Basically, to be secure the system has to use some kind of challenge/response system (RSA/etc) and not simply broadcast passwords/etc. The old analog phones worked in this way and cloning was a big problem with them. The question is whether they truly fixed these vulnerabilities or if they simply relied on the fact that the cost of intercepting a spread-spectrum transmission is so high that most thieves would be halted (kind of like the way that CDs were effectively protected back in the 80s by the high cost of writers).

  • Personal 3G Hotspot (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Monday August 17, 2009 @12:30AM (#29088487) Homepage Journal

    I don't get cell reception in my neighborhood near NYC. I need a "3G hotspot" that will let my GSM phone work on my 1 acre property, but is connected to a Asterisk phone server in my home office wired to the PSTN. Where do I get the 3G hotspot?

  • Re:what it means (Score:1, Interesting)

    by Anonymous Coward on Monday August 17, 2009 @12:55AM (#29088573)
    That's all very interesting what you say,

    I just want to make one point where you say that you think people aren't that interested in free phone calls, and I disagree. Free phone calls don't just take you from what would be a cheap call to being a no-cost call, they also mean you don't have to pay, which means you don't have to prove who you are, which means you have greater anonymity, and this is the true value in "free" calls. So there will be people who are *very* interested.

    Carry on, fascinating intelligent discussion people, this is my only observation, posted AC, it's only right.

  • Re:what it means (Score:2, Interesting)

    by burkmat ( 1016684 ) on Monday August 17, 2009 @01:08AM (#29088627)
    Disclaimer: I could be totally wrong ;D

    All your attacks depend on being able to steal credentials and be able to impersonate the phone at a later stage, but the way I've been told it works is that after the initial Location Update, the phone never talks to the network as itself. That is, after the initial connection, the phone is handed a set of temporary IDs (one time pad-style), so each subsequent page is to a different number that only the phone and the network are supposed to know. Once the phone is running low on these temporary IDs it retrieves a set of new ones.

    #2 is the most blatant flaw in terms of interception: GSM never authenticates who it's talking to, if there's a network in range it is assumed to be friendly.
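
The challenge/response scheme discussed in the two comments above, as an added example that is not part of the thread or of OpenBSC: a SIM answers a fresh random challenge with a keyed response, so a captured response cannot be replayed, and a second variant has the SIM refuse any challenger that cannot prove knowledge of the shared key. HMAC-SHA256 stands in for the operator's real algorithm, and the class names, labels and IMSI are constructed for illustration.

```python
import hashlib
import hmac
import os

def mac(ki: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # HMAC-SHA256 is a stand-in (assumption) for the operator's secret-key algorithm.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]

class Network:
    def __init__(self, subscribers: dict):
        self.subscribers, self.pending = subscribers, {}

    def challenge(self, imsi: str) -> bytes:
        self.pending[imsi] = os.urandom(16)  # fresh 128-bit RAND per attempt
        return self.pending[imsi]

    def prove(self, imsi: str, rand: bytes) -> bytes:
        # Used only by the mutual variant: the network proves it knows Ki.
        return mac(self.subscribers[imsi], b"net", rand, 8)

    def verify(self, imsi: str, sres: bytes) -> bool:
        rand = self.pending.pop(imsi, None)  # each challenge is single-use
        return rand is not None and hmac.compare_digest(
            sres, mac(self.subscribers[imsi], b"sres", rand, 4))

class Sim:
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond(self, rand: bytes) -> bytes:
        # One-way scheme: answers whoever sends a challenge.
        return mac(self.ki, b"sres", rand, 4)

    def respond_mutual(self, rand: bytes, proof: bytes):
        # Mutual scheme: stay silent unless the challenger proves knowledge of Ki.
        if not hmac.compare_digest(proof, mac(self.ki, b"net", rand, 8)):
            return None
        return self.respond(rand)

def demo() -> dict:
    ki, imsi = os.urandom(16), "001010000000001"  # constructed test values
    net, sim = Network({imsi: ki}), Sim(ki)
    captured = sim.respond(net.challenge(imsi))   # response as seen on the air
    legit = net.verify(imsi, captured)
    net.challenge(imsi)                           # new attempt, new RAND
    replay = net.verify(imsi, captured)           # old response, fresh challenge
    rand = os.urandom(16)                         # challenge from an unknown party
    return {"legit": legit, "replay": replay,
            "one_way_answers_stranger": sim.respond(rand) is not None,
            "mutual_rejects_stranger": sim.respond_mutual(rand, bytes(8)) is None,
            "mutual_accepts_network": sim.respond_mutual(
                rand, net.prove(imsi, rand)) is not None}
```
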
  • by Lennie ( 16154 ) on Monday August 17, 2009 @03:21AM (#29089081)

    What is also interesting, a lot of commercial licences will run out in a few years and as everything seems to be moving to newer stuff like 3G (and a lot of people seem to get a new phone every few years), there might be a slight chance the operators don't want to extend the existing licences. This will mean existing channels might start to free up. And it might be a lot cheaper to get such a license? But we'll have to see if that will really happen.

  • Re:what it means (Score:4, Interesting)

    by vlad valis ( 1614661 ) on Monday August 17, 2009 @03:24AM (#29089101)
    It's inevitable. Years from now when cheap community GSM towers are commonplace, this software project will be seen as a milestone in telecommunications. There are plenty of rural areas all over the world that could some day take advantage of this. And by the way, when we've got ubiquitous cheap GSM, what would we need 802.11 for? Great idea, awesome project! Someone give those guys money!
  • Re:OpenBTS? (Score:4, Interesting)

    by zeromorph ( 1009305 ) on Monday August 17, 2009 @03:24AM (#29089107)

    Because they are running Siemens base stations and for that Harald started OpenBSC. Both projects are under GPL and are in close contact as far as I know.

    Harald had a talk at 25C3 [chaosradio.ccc.de] about their project, and were running a small setup there in the basement. AFAIK, because all frequencies are sold in Germany - there should be at least one for independent testing, but they sold all to the telcos - maybe that's why they are running the larger test in the Netherlands now.

  • Re:GSM? Future? WTF? (Score:5, Interesting)

    by stupid_is ( 716292 ) on Monday August 17, 2009 @06:05AM (#29089593) Homepage

    Interesting. And here I thought that at least where I live, operators would love nothing more than to get rid of the old GSM networks in favor of newer technologies.

    They can't do that quite yet but constantly larger part of data transfers utilize 3rd generation technologies... GSM will probably be around 5 years from now, I doubt it will be 10 years from now.

    GSM and future just don't mix. Hackers should have looked at it a decade ago.

    Laughable.

    So you think that half the population of the planet are going to buy a new phone to get the latest whizzy l33t LTE/HSPA/UMTS gadgets? That idea is part of what provoked the inflation of the 3G auction prices back in 2000 - everybody thought UMTS was the Next Big Thing, but no-one thought to examine the true cost of installing it. Each one of those boxes at the bottom of the masts costs between $5K and $20K (depending on size & time at which you bought it - early kit was knocking on around the $20K/box mark) and a national network has thousands of them (except the one in Andorra, which I think has around 50!). So, mucho dinero to just buy the kit. Then you've got to install it (also lots of $$) and connect it into a decent backbone (UMTS promised data rates of up to 2Mbps (haha - most folks don't see more than 384kbps on vanilla 3G)), so you need a chunk of data bandwidth to the site (which in some countries is either/both of exorbitant and flaky). The upgrade to HSPA and its enhancements promises 3-14Mbps, so even more bandwidth required. So all these companies who thought they'd make a bundle on a mobile data offering with no killer application lost out.

    Now we're starting off the whole shebang again with LTE - marketing promises 100Mbps (reality maxes out at around 70, though, and no individual subscriber is likely to see that). Do we see droves of folks ditching their trusty GSM phone to get the latest mobile data gadget? Nope - not in the slightest. The GSM market is still growing - although the hardware vendors are being encouraged to make their kit as upgrade-to-UMTS/LTE-friendly as possible. There are over 3 billion GSM phones out there - they will still mostly be out there in ten years time. UMTS is only just kicking off due to the recent uptake in data dongles that you can stick into a USB port on your netbook. Nobody (or at least only the iPhone fanbois) is buying 3G phones to make video calls as nobody wants that. A phone call is still just a phone call, and GSM is very good at delivering that so no-one wants to change from GSM.

    At best, you're going to see a data-friendly tech (UMTS/HSPA/LTE) overlay on top of GSM for most of the world for a long time.

  • by Aadaam ( 740192 ) on Monday August 17, 2009 @06:33AM (#29089711) Homepage
    I'm wondering if I'd set up such a network at home, possibly with a normal GSM modem which would act as my "phone" to the outside carrier... So, for example,
    - I'm at Vodafone outside the street,
    - I go home -> my phone switches to MyOwnNetwork
    - If I call anyone around the house (neighbours, family, etc), it's free
    - If I call a landline -> goes through cheap SIP
    - If I call a cellphone -> the system would "roaming" me, but for cheap - it would make vodafone believe it's my phone!

    How does this smell?:)
  • Re:p2p (Score:2, Interesting)

    by EdgeyEdgey ( 1172665 ) on Monday August 17, 2009 @07:11AM (#29089867)
    There is TerraNet [bbc.co.uk]
    "Mr Carlius said he hopes that it will eventually be a feature available on all phones, like Bluetooth."
    "The system can also be used to make calls to other TerraNet mesh networks via a net-connected PC fitted with an inexpensive USB dongle. "

    You may find some more here http://hardware.slashdot.org/article.pl?sid=05/11/04/1343221 [slashdot.org]
  • Re:GSM? Future? WTF? (Score:2, Interesting)

    by stupid_is ( 716292 ) on Monday August 17, 2009 @11:19AM (#29092329) Homepage

    Video calls on Skype are all very well sitting in front of a computer at a desk, stick it on a handset and it's a whole different thing - the form-factor of holding a phone shaped object up to your ear is hard to beat, and video doesn't sit well with that. In particular, do you really want to be staring at a tiny screen to see the video feed for a call while moving about? Normally folks like to look where they're going, so a video call would interfere with that, hence video calls on a mobile device don't fly high as a service.

    Yep - there'll be those few that do make video calls, but they are a long way from getting to a significant minority of the subscriber base.

    3's forage into "free Skype for life" is interesting - particularly when the license for Skype is revoked [unthinkable.biz] - I'm watching that one carefully

    Data usage is on the up greatly (so says the Orange Digital Media Index (UK specific), and the Cisco global mobile data forecast: "Visual Networking Index"), but it's still got a long way to go to beat voice as a killer app
