Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

OpenBSC: Running your own GSM network

2 Comments Posted by on August 15, 2009

Information and the slides for the presentation are available on the HAR2009 Wiki and the OpenBSC website. The slides from the 25C3 talk on OpenBSC can bee downloaded here.

The OpenBSC project is currently running a GSM network at HAR2009 that allows people to call between handsets.

BSC = Base Station Controller

The BSC does most of the actual decision making and controls most of the aspects of the BTSs (handles intra-BSC handover)

GSM operates on a LICENSED spectrum. The OpenBSC project is designed to allow security research without effecting the commercial operators.

GSM protocol specifications are very comprehensively documented (1,108 PDFs, 414 MBytes). Most however other literature is very high-level (location of towers, etc…)

GSM is a bit-synchronous network (drawing mainly from ISDN, SDN). Layer 2 modelled after (Q.291 / LAPD), and call signalling Q.931 (both are used in ISDN within Europe).

Like traditional telco protocols, the intelligence is in the network, not the end nodes.

GSM packets contain only the payload without destination or source information. All delivery routing is based on timing context. This makes it different to other transport mechanisms.

There are details of the GSM protocol and the infrastructure used can be found in the presentation PDF (it’s not really possible to summaries this information into a usable braindump I’m afraid).

Security model – Only the handsets can be evil, the network is ALWAYS trusted.

Since 25C3

Fixed plenty of resource leaks (RAM)

OpenBSC is now a ” gsm network in a box” – no need for MSC/HLR/VLR/…

Future of OpenBSC

  • Separation of BSC and MSC
  • Support actual A interface of SCCP
  • Currently no GPRS/EDGE
  • Routing calls between E1 and IP/RTP based BTS
  • Interface for external apps like SCAPY for packet injection

HAR2009 GSM network

  • License permitted for 4 ARFCN’s
  • Transmit power 100mW on each ARFCN
  • Antenna height restrictions to 3m
  • In the event of interference with other operators, we get shut down
  • 2x BS-11 units, each two TRX
    • Share a single E1 link
  • Linux system running openBSC
    • Uses mISDN driver for HFC-E1 card
    • Network iD: NCC 204(NL), MNC 42
    • Typical CPU usage is <5% (2 year old machine)
    • Black PC, with cables coming out of it !!!
  • No encryption or frequency hoping enabled on the network

To prevent accidentally joining other users (non-camp users), an SMS is sent with authorization URL to enable the phone on the network.

Next talk –> Airprobe, for eavesdropping on GSM communications

Camp network statistics (HAR2009)

  • 1100 phones tried to use the network
  • 450 phones completed registration
  • 1000 SMS sent
  • Not sure on the attempted voice calls at this time

Relationship graphs (who called/messaged who) and the number of calls/messages will be posted to the HAR2009 Wiki once the conference ends.

Conference, Security , ,

2 responses to “OpenBSC: Running your own GSM network

  1. Harshad Joshi August 15, 2009 at 15:13

    Ohh…thats extremely cool..running our own GSM network, I would ❤ it.. 🙂 Would like to know about it in more detail.

    But is it practically possible? Many governments dont allow individuals to use the 900,1800 mhz without paying heavy fees..

  2. ChrisJohnRiley August 15, 2009 at 15:25

    It is very cool. I’ve seen it twice now (25C3 and now HAR2009).

    As you said however, you need to get a license to do testing legally. This is why the team are testing at these kind of conferences, as it give them test users to create traffic, and allows them to have a reason for the license 😉

%d bloggers like this: