Telecom Informer


by The Prophet

Hello, and greetings from the Central Office!

We just finished a rainy summer here in Beijing, in which some of the biggest floods in more than 60 years occurred.  This resulted in some rather exciting conditions for the Central Office that challenged our original engineering assumptions, since we never expected to need high-powered sump pumps and Noah's Ark in the parking lot.  The net result is that I'm now in for another long, cold Beijing winter, since it looks like I'll now be here until February.  At least it's so cold that it'll snow instead of rain.  Of course, we didn't engineer for more than 12 feet of snow, so I'd better be careful what I wish for!

Meanwhile in the United States, something incredible happened over the summer: hacker-operated GSM networks sprang up at hacker events all over the country!  At HOPE, the Telephreak crew built a network that was available on the vendor floor.  At DEFCON, the Ninjas (disclaimer: I am one of the Ninjas) ran a "NinjaTel" network that operated inside the conference area of the Rio, and they gave away Android-based HTC phones with some really cool custom Ninja software.  And at ToorCamp, a Seattle-based group of phreaks called ShadyTel built a fully licensed network with an incredible range, covering the entire camp.  You could build one too!  The technology has reached the point where serious geeks and hobbyists are able (although I won't claim easily able) to create their own GSM networks.

At the most basic level, to build a GSM network, you need four components:

Base Transceiver Station (BTS):  The radio transceiver that communicates with mobile phones and devices.

Base Station Controller (BSC):  Controls the BTS and interfaces it to the Mobile Switching Center (MSC).

Mobile Switching Center (MSC):  The MSC is a switch.  It routes calls locally or to the Public Switched Telephone Network (PSTN).

Visitor Location Register (VLR):  Generally a function provided by the MSC, the VLR is responsible for authenticating devices with the Home Location Register (HLR) and granting access to the network.

Building a BTS

The most popular platform for experimenting with building a BTS is called OpenBTS.

When paired with an Ettus Research Universal Software Radio Peripheral (USRP) programmable hobbyist radio and a software tool called GNU Radio, OpenBTS effectively turns it into a BSC.  The Ninjas believe that this is the only reasonably cheap, non-proprietary solution currently available, and they used it for their implementation.

There are a couple of disadvantages to using USRP and OpenBTS.

GSM is a pretty tight specification from a radio perspective, and USRP devices are difficult to tune precisely.  Also, OpenBTS only supports seven voice channels and one data channel.  NinjaTel used a version of OpenBTS called openbts-multi-arfcn, which is a release that supports additional capacity.  Note that OpenBTS is an open-source application, but the hobbyists who created it also maintain a commercial branch offering additional functionality through their company Range Networks.

An alternative to USRP radios which are under development but not currently ready is an open-source hardware design called UmTRX.  When it ships, it is expected to cost under $700.

OpenBTS isn't the only option.  Another open-source BTS implementation is called OpenBSC.

This is designed to work with a limited number of commercial GSM base stations.  Why limited?  Theoretically, it should work on any base station because the protocol between BSC and BTS, A-bis, should be standardized.

Unfortunately, as often happens in the technology industry, vendors have varying (and incompatible) interpretations of the specification, so only a limited number of devices actually work with OpenBSC.

Until recently, commercial BSC hardware was relatively complicated and expensive to obtain.  However, the large number of carriers upgrading to 3G and 4G BSC units has resulted in a glut of used 2G GSM kits.

ShadyTel took advantage of low prices, large inventories, and no questions asked.  Accordingly, they were somehow able to inexpensively purchase Nokia InSite microcells, which are supported by OpenBSC.

These are typically used to cover indoor areas such as shopping malls, and they work on standard 120 VAC utility power.  However, they work nicely outdoors as well.  The advantage of using purpose-built GSM base stations is that they are specifically designed for use with GSM handsets, and have better performance.  OpenBSC is also more scalable (by default) than OpenBTS, which is another reason why ShadyTel preferred to use it.

Unlike the garden-variety Ethernet interface available on USRP radios, commercial BTS equipment comes with a variety of interfaces.  Unfortunately, none of these are particularly standard on PCs.  The Nokia InSite microcells that ShadyTel used have an E1 interface (E1 is the European flavor of a T1).  Fortunately, E1 line cards for PCs are readily available on eBay for about $100, so ShadyTel bought one of these and they were in business.

Whether you're using OpenBTS or OpenBSC for your BTS, you'll need to decide which frequencies to use.  Unfortunately, using any frequency commonly used by GSM worldwide (frequencies in the 850, 900, 1800, and 1900 MHz ranges) requires a license in the U.S.  Fortunately, for low-power applications, licenses are available from the FCC for only $60!  For their ToorCamp deployment, ShadyTel obtained a Special Temporary Authority (STA) license from the FCC to transmit on the 1900 MHz frequency range.  It took about three months to obtain the license, so planning ahead is advised.
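Picking channels for a licensed deployment means knowing which ARFCN lands on which frequency, and the numbering is ambiguous: DCS-1800 and PCS-1900 reuse the same ARFCN range.  The script below is an added example, not code from the column or from any of the groups mentioned; it maps ARFCNs to uplink/downlink frequencies per band and checks a multi-ARFCN channel plan against a licensed window.  The 1930.0-1935.0 MHz window is a constructed placeholder, not ShadyTel's actual STA grant.

```python
"""Added example, not the column's own code: map GSM ARFCNs to carrier
frequencies and check a planned channel list against a licensed window."""

# Band table (3GPP TS 45.005): (first ARFCN, last ARFCN, uplink MHz at first
# ARFCN, duplex spacing MHz).  DCS-1800 and PCS-1900 share ARFCN numbers, so
# the band name is always required.
BANDS = {
    "GSM-850":   (128, 251, 824.2, 45.0),
    "P-GSM-900": (1, 124, 890.2, 45.0),
    "E-GSM-900": (975, 1023, 880.2, 45.0),
    "DCS-1800":  (512, 885, 1710.2, 95.0),
    "PCS-1900":  (512, 810, 1850.2, 80.0),
}
CARRIER_HALF_WIDTH_MHZ = 0.1  # a GSM carrier is 200 kHz wide


def arfcn_to_mhz(band, arfcn):
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the named band."""
    first, last, ul_base, duplex = BANDS[band]
    if not first <= arfcn <= last:
        raise ValueError(f"ARFCN {arfcn} is not valid in {band}")
    uplink = round(ul_base + 0.2 * (arfcn - first), 1)
    return uplink, round(uplink + duplex, 1)


def check_plan(band, arfcns, low_mhz, high_mhz):
    """Split planned ARFCNs into those whose whole downlink carrier fits
    inside [low_mhz, high_mhz] and those that do not.  Returns (ok, bad)."""
    ok, bad = [], []
    for arfcn in arfcns:
        _, downlink = arfcn_to_mhz(band, arfcn)
        lo = round(downlink - CARRIER_HALF_WIDTH_MHZ, 1)
        hi = round(downlink + CARRIER_HALF_WIDTH_MHZ, 1)
        (ok if low_mhz <= lo and hi <= high_mhz else bad).append(arfcn)
    return ok, bad


if __name__ == "__main__":
    # Constructed STA window (placeholder, not a real grant): 1930.0-1935.0 MHz downlink.
    fits, outside = check_plan("PCS-1900", range(512, 540), 1930.0, 1935.0)
    print("fits:", fits)
    print("outside grant:", outside)
```

Note that ARFCN 536 is rejected even though its center frequency sits exactly on the 1935.0 MHz edge, because half of its 200 kHz carrier would fall outside the window.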

VoIP MSC

Obviously, the next piece is the MSC.

Both OpenBTS and OpenBSC are designed to work with Asterisk, an incredibly versatile soft PBX platform.  The MSC isn't the only piece the network needs (a VLR is also required), so a MySQL database is used to provide that function.  Asterisk can already act as a full-fledged switch, offering nearly infinite opportunity to customize.

NinjaTel offered far and away the most customizations, offering voice prompts recorded by Pat Fleet (the "voice of AT&T"), a replica of the DEFCON conference bridge, a time service, and much more.

ShadyTel, for its part, offered full-blown connectivity worldwide via VoIP (which hackers used to great delight, running up a whopping $22 bill with the SIP provider).  None of the three networks at hacker events opened their networks to roamers; all required their own SIM cards to register.  Oddly enough, every group purchased their SIM cards from China.  The most interesting SIM cards were those obtained by ShadyTel.  They are Java-capable SIM cards that run custom applications, allow the carrier to modify numbers dialed by the subscriber, and more.

Lessons Learned

Every network experienced challenges - even when really smart hackers build it, it's pretty hard to make a pop-up GSM network run well!

Telephreak and NinjaTel experienced difficulty with the hostile radio environment of a hacker event.  Too many people were walking around with cellular jammers, and these took their toll on the networks.

NinjaTel also relied on the DEFCON wireless network to deliver a significant amount of the functionality built into their Android-based operating system, but the network proved less reliable than they hoped.  Exacerbating the problem, NinjaTel experienced a hardware failure on their USRP BTS, resulting in a significant loss of transmitting power for several hours until repairs were made.

ShadyTel, meanwhile, planned that their equipment cabinet would be located in a cabin.  At the last minute they were given a portable toilet instead, so they needed to re-engineer their equipment rack to fit inside.  As it turns out, portable toilets are really well insulated!  They retain heat well, and this is exactly the opposite of what you want when you're running equipment that needs to be cooled.  The Asterisk server then overheated repeatedly, causing the network to "crap out."

Future Possibilities - And a Warning

One of the biggest vulnerabilities of the GSM protocol is that the designers never contemplated the possibility of malicious base stations.

As Chris Paget demonstrated at DEFCON in 2010, it's relatively trivial to spoof a base station and disable GSM encryption.

Two years ago, it required a big antenna and a lot of bulky equipment, but we're now not far away from being able to fit everything needed to run a GSM network with a half-mile range into a backpack.  Like most technological innovations, this is a double-edged sword.  Although you can't trust the security of 2G GSM anymore, this also means that it could become relatively easy for dissidents in various countries to work around shutdowns of cellular towers.

There is much more to explore about this topic than I have space for in this column, so if you're curious about building your own GSM network, I hope you'll go online to learn more!  The possibilities are really infinite and I hope to see hackers and tinkerers everywhere playing with this stuff.

Please check out the references below, and have a phun autumn!

Phun References
