Information and the slides for the presentation are available on the HAR2009 Wiki and the OpenBSC website. The slides from the 25C3 talk on OpenBSC can be downloaded here.
The OpenBSC project is currently running a GSM network at HAR2009 that allows people to call between handsets.
BSC = Base Station Controller
The BSC does most of the actual decision making and controls most aspects of the BTSs (it handles intra-BSC handover).
GSM operates on LICENSED spectrum. The OpenBSC project is designed to allow security research without affecting the commercial operators.
GSM protocol specifications are very comprehensively documented (1,108 PDFs, 414 MBytes). Most other literature, however, is very high-level (location of towers, etc.).
GSM is a bit-synchronous network (drawing mainly from ISDN, SDN). Layer 2 modelled after (Q.291 / LAPD), and call signalling Q.931 (both are used in ISDN within Europe).
Like traditional telco protocols, the intelligence is in the network, not the end nodes.
GSM packets contain only the payload, without destination or source information. All delivery routing is based on timing context. This makes it different from other transport mechanisms.
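Because bursts carry no addresses, a receiver must know exactly where it is in the TDMA frame sequence to map a burst to a channel. As an added illustration (this is not code from the talk or from the OpenBSC code base), the following shows the frame-number arithmetic from GSM 05.02: an absolute frame number is split into the counters T1 (FN div 26×51), T2 (FN mod 26) and T3 (FN mod 51), and rebuilt from them after synchronisation (the SCH actually carries T1, T2 and a reduced T3′ = (T3−1)/10, which is omitted here). Struct and function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the talk or OpenBSC: GSM 05.02 frame-number
 * decomposition.  Frame numbers run modulo the hyperframe of
 * 2048 superframes * 26 * 51 frames (about 3 h 28 min). */
#define GSM_HYPERFRAME (2048u * 26u * 51u)

struct gsm_time {
    uint32_t fn;  /* absolute frame number, 0 .. GSM_HYPERFRAME-1 */
    uint16_t t1;  /* superframe counter, FN div (26*51), 11 bits */
    uint8_t  t2;  /* traffic (26-) multiframe counter, FN mod 26 */
    uint8_t  t3;  /* control (51-) multiframe counter, FN mod 51 */
};

/* Split an absolute frame number into the T1/T2/T3 counters. */
struct gsm_time gsm_time_from_fn(uint32_t fn)
{
    struct gsm_time t;
    fn %= GSM_HYPERFRAME;
    t.fn = fn;
    t.t1 = (uint16_t)(fn / (26 * 51));
    t.t2 = (uint8_t)(fn % 26);
    t.t3 = (uint8_t)(fn % 51);
    return t;
}

/* Rebuild the frame number from T1/T2/T3.  Because 26 and 51 are coprime,
 * the pair (T2, T3) uniquely fixes the position within a superframe via
 * FN = 51 * ((T3 - T2) mod 26) + T3 + 51 * 26 * T1. */
uint32_t gsm_fn_from_time(uint16_t t1, uint8_t t2, uint8_t t3)
{
    int diff = ((int)t3 - (int)t2) % 26;
    if (diff < 0)           /* C's % keeps the sign of the dividend */
        diff += 26;
    return 51u * 26u * t1 + 51u * (uint32_t)diff + t3;
}

/* Round-trip check for one frame number: split, then rebuild. */
bool gsm_time_roundtrip_ok(uint32_t fn)
{
    struct gsm_time t = gsm_time_from_fn(fn);
    return gsm_fn_from_time(t.t1, t.t2, t.t3) == (fn % GSM_HYPERFRAME);
}

int main(void)
{
    struct gsm_time t = gsm_time_from_fn(1000);
    printf("FN %u -> T1=%u T2=%u T3=%u\n", t.fn, t.t1, t.t2, t.t3);
    return gsm_time_roundtrip_ok(1000) ? 0 : 1;
}
```

The point of the round-trip is that a receiver which loses count by even one frame decodes the wrong logical channel, which is why synchronisation bursts are re-read continuously rather than once.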
Details of the GSM protocol and the infrastructure used can be found in the presentation PDF (it's not really possible to summarise this information into a usable braindump, I'm afraid).
Security model – Only the handsets can be evil, the network is ALWAYS trusted.
Fixed plenty of resource leaks (RAM)
OpenBSC is now a "GSM network in a box" – no need for MSC/HLR/VLR/…
Future of OpenBSC
- Separation of BSC and MSC
- Support the actual A interface (over SCCP)
- Currently no GPRS/EDGE
- Routing calls between E1 and IP/RTP based BTS
- Interface for external apps like SCAPY for packet injection
HAR2009 GSM network
- License permitted for 4 ARFCNs
- Transmit power 100mW on each ARFCN
- Antenna height restricted to 3 m
- In the event of interference with other operators, we get shut down
- 2x BS-11 units, each with two TRX
- Linux system running OpenBSC
- Uses mISDN driver for HFC-E1 card
- Network ID: MCC 204 (NL), MNC 42
- Typical CPU usage is <5% (2 year old machine)
- Black PC, with cables coming out of it !!!
- No encryption or frequency hopping enabled on the network
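The network identity above (MCC 204, MNC 42) is what the BTS broadcasts in the Location Area Identification and what a handset compares against its SIM before camping. As an added example (my own code, not from the talk or from OpenBSC), here is the nibble-swapped BCD encoding of a PLMN identity from GSM 04.08 / 3GPP TS 24.008, with a decoder that rejects malformed octets, worked on the camp network's MCC/MNC. Struct and function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the talk or OpenBSC: the 3-octet PLMN identity
 * (MCC + MNC) as carried in the LAI, GSM 04.08 / 3GPP TS 24.008 10.5.1.3. */
struct plmn {
    uint16_t mcc;        /* 3 decimal digits */
    uint16_t mnc;        /* 2 or 3 decimal digits */
    bool     mnc_3digit; /* true when the MNC is a 3-digit code */
};

/* Pack MCC/MNC into 3 octets.  Digits are nibble-swapped BCD:
 *   octet 0: MCC digit 2 (high) | MCC digit 1 (low)
 *   octet 1: MNC digit 3, or 0xF filler for a 2-digit MNC | MCC digit 3
 *   octet 2: MNC digit 2 | MNC digit 1
 * Returns false for out-of-range values. */
bool plmn_encode(const struct plmn *p, uint8_t out[3])
{
    if (p->mcc > 999 || p->mnc > 999)
        return false;
    if (!p->mnc_3digit && p->mnc > 99)
        return false;
    uint8_t mcc1 = p->mcc / 100, mcc2 = (p->mcc / 10) % 10, mcc3 = p->mcc % 10;
    uint8_t mnc1, mnc2, mnc3;
    if (p->mnc_3digit) {
        mnc1 = p->mnc / 100; mnc2 = (p->mnc / 10) % 10; mnc3 = p->mnc % 10;
    } else {
        mnc1 = p->mnc / 10;  mnc2 = p->mnc % 10;        mnc3 = 0xF;
    }
    out[0] = (uint8_t)((mcc2 << 4) | mcc1);
    out[1] = (uint8_t)((mnc3 << 4) | mcc3);
    out[2] = (uint8_t)((mnc2 << 4) | mnc1);
    return true;
}

/* Unpack 3 octets.  Only the MNC digit 3 nibble may hold the 0xF filler;
 * any other non-decimal nibble is rejected, which is the sanity check a
 * decoder wants before acting on an over-the-air LAI. */
bool plmn_decode(const uint8_t in[3], struct plmn *p)
{
    uint8_t mcc1 = in[0] & 0xF, mcc2 = in[0] >> 4, mcc3 = in[1] & 0xF;
    uint8_t mnc3 = in[1] >> 4,  mnc1 = in[2] & 0xF, mnc2 = in[2] >> 4;
    if (mcc1 > 9 || mcc2 > 9 || mcc3 > 9 || mnc1 > 9 || mnc2 > 9)
        return false;
    if (mnc3 != 0xF && mnc3 > 9)
        return false;
    p->mcc = (uint16_t)(mcc1 * 100 + mcc2 * 10 + mcc3);
    if (mnc3 == 0xF) {
        p->mnc_3digit = false;
        p->mnc = (uint16_t)(mnc1 * 10 + mnc2);
    } else {
        p->mnc_3digit = true;
        p->mnc = (uint16_t)(mnc1 * 100 + mnc2 * 10 + mnc3);
    }
    return true;
}

/* Helper: encode and return the octets packed as 0xAABBCC, 0xFFFFFFFF on error. */
uint32_t plmn_encode_u32(uint16_t mcc, uint16_t mnc, bool mnc_3digit)
{
    struct plmn p = { mcc, mnc, mnc_3digit };
    uint8_t o[3];
    if (!plmn_encode(&p, o))
        return 0xFFFFFFFFu;
    return ((uint32_t)o[0] << 16) | ((uint32_t)o[1] << 8) | o[2];
}

/* Helper: decode packed octets and return mcc*1000 + mnc, or 0 when malformed. */
uint32_t plmn_decode_u32(uint32_t packed)
{
    uint8_t in[3] = { (uint8_t)(packed >> 16), (uint8_t)(packed >> 8), (uint8_t)packed };
    struct plmn p;
    if (!plmn_decode(in, &p))
        return 0;
    return (uint32_t)p.mcc * 1000u + p.mnc;
}

int main(void)
{
    /* The camp network: MCC 204 (NL), MNC 42 encodes as 02 F4 24. */
    printf("MCC 204 MNC 42 -> %06X\n", plmn_encode_u32(204, 42, false));
    return 0;
}
```

The filler nibble is what lets a receiver tell "42" from "042": MNC 42 yields octets 02 F4 24, while a 3-digit MNC fills the high nibble of octet 1 with a real digit instead of 0xF.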
To prevent non-camp users' phones from accidentally joining, an SMS with an authorization URL is sent to each phone; the phone is only enabled on the network once the URL has been visited.
Next talk –> Airprobe, for eavesdropping on GSM communications
Camp network statistics (HAR2009)
- 1100 phones tried to use the network
- 450 phones completed registration
- 1000 SMS sent
- Not sure on the attempted voice calls at this time
Relationship graphs (who called/messaged who) and the number of calls/messages will be posted to the HAR2009 Wiki once the conference ends.