Researching communications systems / Bootstrapping Osmocom / The Osmocom project
osmocom.org - FOSS for mobile networks
community based Free / Open Source Software for communications
Harald Welte <[email protected]>
gnumonks.org / hmw-consulting.de / sysmocom GmbH
March 09, CeBIT, Hannover / Germany
Harald Welte <[email protected]> osmocom.org - FOSS for mobile networks
Outline
1 Researching communications systems
2 Bootstrapping Osmocom
3 The Osmocom project
About the speaker
- Using + toying with Linux since 1994
- Kernel / bootloader / driver / firmware development since 1999
- IT security expert, focus on network protocol security
- Former core developer of Linux packet filter netfilter/iptables
- Board-level Electrical Engineering
- Always looking for interesting protocols (RFID, DECT, GSM)
- OpenEZX, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
The Role of FOSS / The closed GSM industry / Security implications
Research in TCP/IP/Ethernet
Assume you want to do some research in the TCP/IP/Ethernet communications area:
- you use off-the-shelf hardware (x86, Ethernet card)
- you start with the Linux / *BSD stack
- you add the instrumentation you need
- you make your proposed modifications
- you do some testing
- you write your paper and publish the results
Research in (mobile) communications
Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms:
- there is no FOSS implementation of any of the protocols or functional entities
- almost no university has a test lab with the required equipment. And if they do, it is black boxes that you cannot modify according to your research requirements
- you turn away at that point, or you cannot work on really exciting stuff
- only chance is to partner with a commercial company, who puts you under NDAs and who wants to profit from your research
GSM/3G vs. Internet
Observation
- Both GSM/3G and TCP/IP protocol specs are publicly available
- The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
- GSM networks are as widely deployed as the Internet
- Yet, GSM/3G protocols receive no such scrutiny!
There are reasons for that:
- GSM industry is extremely closed (and closed-minded)
- Only about 4 closed-source protocol stack implementations
- GSM chipset makers never release any hardware documentation
The closed GSM industry: Handset manufacturing side
- Only very few companies build GSM/3.5G baseband chips today
- Those companies buy the operating system kernel and the protocol stack from third parties
- Only very few handset makers are large enough to become a customer
- Even they only get limited access to hardware documentation
- Even they never really get access to the firmware source
The closed GSM industry: Network manufacturing side
- Only very few companies build GSM network equipment
- Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
- Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
- Only operators buy equipment from them
- Since the quantities are low, the prices are extremely high
- e.g. for a BTS, easily 10-40k EUR
The closed GSM industry: Operator side
- Operators are mainly banks today
- Typical operator outsources
  - Network planning / deployment / servicing
  - Even Billing!
- Operator just knows the closed equipment as shipped by manufacturer
- Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
GSM is more than phone calls
- Listening to phone calls is boring...
- Machine-to-Machine (M2M) communication
  - BMW can unlock/open your car via GSM
  - Alarm systems often report via GSM
  - Smart Metering (Utility companies)
  - GSM-R / European Train Control System
  - Vending machines report that their cash box is full
  - Control whether windmills supply power into the grid
  - Transaction numbers for electronic banking
The closed GSM industry: Security implications
The security implications of the closed GSM industry are:
- Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
- No independent research on protocol-level security
  - If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
  - Or on application level (e.g. mobile malware)
- No open source protocol implementations
  - which are key for making more people learn about the protocols
  - which enable quick prototyping/testing by modifying existing code
The closed GSM industry: My self-proclaimed mission
- Mission: Bring TCP/IP/Internet security knowledge to GSM
- Create tools to enable independent/public IT Security community to examine GSM
- Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks
- Industry thinks in terms of walled garden and phones behaving like specified
- No proper incident response strategies!
- No packet filters, firewalls, intrusion detection on GSM protocol level
- General public assumes GSM networks are safer than Internet
To actually do research on GSM, we need
- detailed knowledge on the architecture and protocol stack
- suitable hardware (there's no PHY/MAC only device like Ethernet MAC)
- a Free / Open Source Software implementation of at least parts of the protocol stack
Bootstrapping GSM Research: How would you get started?
If you were to start with GSM protocol level security analysis, where and how would you start?
On the handset side?
- Difficult since GSM firmware and protocol stacks are closed and proprietary
- Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
- Publicly known attempts
  - The TSM30 project as part of the THC GSM project
  - mados, an alternative OS for Nokia DTC3 phones
- none of those projects successful so far
Bootstrapping GSM research: How would you get started?
If you were to start with GSM protocol level security analysis, where and how would you start?
On the network side?
- Difficult since equipment is not easily available and normally extremely expensive
- However, network is very modular and has many standardized/documented interfaces
- Thus, if BTS equipment is available, much easier/faster progress
Bootstrapping GSM research: The bootstrapping process
- Read GSM specs (> 1000 PDF documents, each hundreds of pages)
- Gradually grow knowledge about the protocols
- Obtain actual GSM network equipment (BTS)
- Try to get actual protocol traces as examples
- Start a complete protocol stack implementation from scratch
- Finally, go and play with GSM protocol security
Osmocom sub-projects / Non-osmocom projects / Future projects
Osmocom / osmocom.org
- Osmocom == Open Source Mobile Communications
- Classic collaborative, community-driven FOSS project
- Gathers creative people who want to explore this industry-dominated closed mobile communications world
- communication via mailing lists, IRC
- source code in git, information in trac/wiki
- http://osmocom.org/
OpenBSC
- first Osmocom project
- Implements GSM A-bis interface towards BTS
- Supports Siemens, ip.access, Ericsson and Nokia BTS
- can implement only BSC function (osmo-bsc) or a fully autonomous self-contained GSM network (osmo-nitb) that requires no external MSC/VLR/AUC/HLR/EIR
- deployed in > 200 installations world-wide, commercial and research
OpenBSC test installation
OsmoSGSN / OpenGGSN
- extends the OpenBSC based network from GSM to GPRS/EDGE by implementing the classic SGSN and GGSN functional entities
- OpenGGSN existed already, but was abandoned by original author
- Works only with BTSs that provide a Gb interface, like ip.access nanoBTS
- Suitable for research only, not production ready
OsmocomBB
- Full baseband processor firmware implementation of a mobile phone (MS)
- We re-use existing phone hardware and re-wrote the L1, L2, L3 and higher level logic
- Higher layers reuse code from OpenBSC wherever possible
- Used in a number of universities and other research contexts
OsmocomTETRA
- SDR implementation of a TETRA radio-modem (PHY/MAC)
- Rx is fully implemented, Tx only partial
- Can be used for air interface interception
- Accompanied by wireshark dissectors for the TETRA protocol stack
OsmocomGMR
- ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
- GMR-1 used by Thuraya satellite network
- OsmocomGMR implements SDR based radio modem + PHY/MAC (Rx)
- Partial wireshark dissectors for the protocol stack
- Reverse engineered implementation of GMR-A5 crypto
- Speech codec is proprietary, still needs reverse engineering
OsmocomDECT
- ETSI DECT (Digital European Cordless Telephony) is used in millions of cordless phones
- deDECTed.org project started with open source protocol analyzers and demonstrated many vulnerabilities
- OsmocomDECT is an implementation of the DECT hardware drivers and protocols for the Linux kernel
- Integrates with Asterisk
OsmocomOP25
- APCO25 is a Professional PMR system used in the US
- Can be compared to TETRA in Europe
- OsmocomOP25 is again SDR receiver + protocol analyzer
OsmoSDR
- small, low-power / low-cost USB SDR hardware
- higher bandwidth than FunCubeDonglePro
- much lower cost than USRP
- Open Hardware
- Available soon (Firmware not finished)
OsmocomSIMTRACE
- Hardware protocol tracer for SIM - phone interface
- Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
- Can be used for SIM Application development / analysis
- Also capable of SIM card emulation and man-in-the-middle attacks
Osmo-E1-Xcvr
- Open hardware project for interfacing E1 lines with microcontrollers
- So far no software/firmware yet, stay tuned!
osmo_ss7, osmo_map, signerl
- Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
- Sigtran variants (M2PA, M2UA, M3UA and SUA)
- Enables us to interface with GSM/UMTS inter-operator core network
- Already used in production in some really nasty special-purpose protocol translators (think of NAT for SS7)
The OpenBTS Um - SIP bridge
- OpenBTS is a SDR implementation of GSM Um radio interface
- directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
- suitable for research on air interface, but very different from traditional GSM networks
- work is being done to make it interoperable with OpenBSC
airprobe.org
- SDR implementation of Um sniffer
- suitable for receiving GSM Um downlink and uplink
- predates all of the other projects
- more or less abandoned at this point
sysmocom GmbH: systems for mobile communications
- small company, started by two Osmocom developers in Berlin
- provides commercial R&D and support for professional users of Osmocom software
- develops its own products like sysmoBTS (inexpensive, small-form-factor, OpenBSC compatible BTS)
- runs a small webshop for Osmocom related hardware like OsmocomBB compatible phones, SIMtrace, etc.
Where do we go from here?
- Dieter Spaar has been working with 3G NodeBs (Ericsson, Nokia) to be able to run our own RNC
- Research into intercepting microwave back-haul links
- Research into GPS simulation / transmission / faking
- Port of OsmocomBB to other baseband chips
- Low-level control from Free Software on a 3G/3.5G phone
- Re-using femtocells in creative ways
- Proprietary PMR systems
Call for contributions
- Don't you agree that classic Internet/TCP/IP is boring and has been researched to death?
- There are many more communications systems out there
- Never trust the industry, they only care about selling their stuff
- Let's democratize access to those communication systems
- Become a contributor or developer today!
- Join our mailing lists, use/improve our code
- for OsmocomBB you only need a EUR 20 phone to start
Thanks
I'd like to thank the many Osmocom developers and contributors, especially
- Dieter Spaar
- Holger Freyther
- Andreas Eversberg
- Sylvain Munaut
- On-Waves e.h.f
- NETZING AG
Thanks
Thanks for your attention. I hope we have time for Q&A.