NNSquad - Network Neutrality Squad


[ NNSquad ] Hacker-run GSM network / Private GSM



Begin forwarded message:

From: "Hendrik Rood" <Hendrik.Rood@stratix.nl>
Date: August 31, 2009 3:08:13 PM EDT
To: <dave@farber.net>
Subject: RE: [IP] Hacker-run GSM network / Private GSM

Professor Farber,

As I attended that camp / conference and although I did not hitchhike to
the site I got a hello message from the GSM network that identified
itself as NL 42 and sent out messages to register with them via
cell-broadcast.

Many who carried an iPhone experienced an unexpected freeze up from that
message and thought their devices were hacked.

The BSC-BTS operated under an experimental low-power license for 100mW
in the 900 MHz range from our Radio Agency.

The hacker-BSC turned out to be rather old-fashioned stuff in a technical
sense, they had made a TDM - 2 Mbit/s backhaul. His BTS was a macrocell,
albeit at low power and an omnidirectional antenna.

His system worked for calls, but I couldn't get an SMS through to
another user, but that might have been my misconfiguration in the
handset.

I wasn't that impressed, it was nice that they work on their open source
implementation, but closed source very affordable solutions on a more
modern Ethernet / IP-technology base is also on the market and there is
much going on with pico- and femtocells.



Observing the message I have the impression that most readers of IP are
not aware what is going on today in the area of the so-called Private
GSM-networks.

This year it is the intention to alter the Dutch Frequency plan to allow
low-power (200 mW) unlicensed use for GSM1800 in today's unused
frequencies at the edge of the GSM and the DECT-band. The so-called
GSM/DECT Guard band.

A bit comparable change handing out the same frequencies, but then with
many low-power GSM licenses to a high number of operators has already
been made in the UK. The difference for the Netherlands is that we will
go unlicensed low-power and thus make a pure cellular operator bypass.

The IT and Telecoms division of the Dutch Military Forces already
experiments with this GSM1800 band. All devices working at GSM1800 do
operate in those unused bands.

The Dutch Forces have bought a pair of 1U height GSM-core servers
jointly capable to serve up to 100k subscribers/SIM-cards. The
basestations are picocells that are hooked up to core over an IP network
(mainly just hooked up on the Ethernet LAN on the military bases and
ships). They have received their own E.212 Mobile Network Code and issue
their own SIM-cards.

They do not use femtocells as these are mainly designed for 3G today.
But that may be a next stage. There are also some unused 3G ranges and
the WRC2000 has decided that 2G frequencies may also be reused for 3G.
License free low power 3G can be arranged for, it was foreseen in the
ITU IMT2000, but it is more an equipment availability question.

The Dutch Forces currently connect their core to a GSM mobile
gateway/HLR of switch based MVNO Tele2, who advertises their MNC, routes
their signalling and contracts roaming at wholesale prices for them in
the Netherlands and all around the globe.

It is the plan of the military to outfit the military field bases (today
in Uruzgan) and the Navy ships via satellite backhaul. An uplink of 128
kbit/s per ship or small base suffices to hook up all basestations back
to the core. There are even ideas to put satellite backhaul links on
trucks in large convoys who then carry the basestation.

The Forces' setup with a roaming contract to the public network means
that staff and crew can go off base or off in a harbour from a ship and
only then will they roam on the public network on land, while on
the ship or a base they are with the GSM in their own MNC-domain. When
their own GSM-network fails at a specific base, they automatically roam
on a public network.

The prime reason to engage in this setup for the Dutch Ministry of
Defense were the problems they encountered with Voice-over-WiFi in real
field circumstances. Big file downloads did cause problems with voice
streams on the radio network. In Kosovo they had got a BTS-BSC with
satellite backhaul installed by a public operator. Now it becomes more
Do-It-Yourself.

There is currently a public consultation going on in the Netherlands to
change the E.212 numbering plan so that corporate end users and
businesses (you must at least be willing to invest in the know-how to
operate a GSM-core and learn a lot of new protocols a typical corporate
PABX owner today is unfamiliar with) can apply for their own MNC.

The installation firm that supplies the Private GSM to the Dutch
Ministry of Defense is here: http://www.radioaccess.nl/en/

They work with equipment from an English firm aptly called Private
Mobile Networks: http://www.privatemobilenetworks.com/whatis/

That firm also has a Rapid Deployment GSM network that can be set up in
a few minutes for emergency situations
http://www.privatemobilenetworks.com/products/rapidgsm/


The bottom line. While the hacker is programming his own BSC which still
had to link to a TDM-BTS microcell, similar efforts on IP based
picocells and femtocells are on the way.
Otherwise products that do work are already commercially available for
non-operator businesses.

It mainly requires a forward looking spectrum agency to free up some
frequencies for unlicensed, low-power use of cellular technology and
also willing to issue E.212 Mobile Network Codes directly to
non-operator businesses.

There is something moving in the UK and The Netherlands in this respect,
but I doubt if this will happen in the USA.
In the UK and the Netherlands businesses are also able to get 0800/0900
numbers as well as corporate PABX E.164 numbering ranges straight from
the regulator.
In the USA all this type of numbers and numbering block distribution
from NANPA seems still to be routed via operators, who are used to play
all kinds of hoarding games with them. I do not know how E.212 MNC's are
distributed.

Interest from corporate and campus users, in particular those who occupy
high-rises and difficult-to-cover buildings is growing fast. It is a
way to get rid of most of the fixed telephones on desks, provide good
coverage everywhere and keep metering down and even connect all your
offices over the IP network.

Unsurprisingly the entire "movie" of operator resistance against such
deployment is reprised.
The "no harm to the network discussions" seem to be done over again as
well as the rules from old playbooks with titles like "PABX-es must be
operator owned and controlled devices".

With kind regards,

Hendrik Rood
--

> -----Original message-----
> From: David Farber [mailto:dave@farber.net]
> Sent: Monday, August 17, 2009 15:32
> To: ip
> Subject: [IP] Hacker-run GSM network
>
>
>
> Begin forwarded message:
>
> From: Randall <rvh40@insightbb.com>
> Date: August 17, 2009 7:28:14 AM EDT
> To: johnmacsgroup@yahoogroups.com, Dewayne Hendricks
> <dewayne@warpspeed.com>, David Farber <dave@farber.net>
> Subject: Hacker-run GSM network
>
> [[From the Telecom Digest]]
>
> From: Thad Floryan <thad@DELETED.com>
> To: moder8@telecom.csail.mit.edu
> Subject: Hacker-run GSM networks are coming [Telecom]
> Message-ID: <4A88B360.7020506@thadlabs.com>
>
> I have mixed emotions when I read something like the
> following which appeared on Slashdot earlier today,
> especially given the known GSM interference problems.
>
> However, this is telephony and this is news (from Slashdot):
>
> Harald Welte, who's been interviewed previously by Slashdot,
> has written on his blog about operating an Open Source GSM
> network:
>
> <http://laforge.gnumonks.org/weblog/2009/08/14/#20090814-har2009_gsm_network>
>
> at the recent HAR2009 conference:
>
> <https://wiki.har2009.org/page/Main_Page>
>
> Photographs and a description of the setup, run under
> license of the Dutch regulatory authority, are provided;
> essentially the setup consisted of a pair of BTSs (Base
> Transceiver Stations) running at 100mW transmit power each
> and tied to a tree. In turn these provided access to the Base
> Station Controller (BSC), in this case a Linux server in a
> tent running OpenBSC:
>
> <http://bs11-abis.gnumonks.org/trac/wiki/OpenBSC>
>
> The system authenticated users with a token sent via SMS; in
> total 391 users subscribed to the service and were able to
> use their phones as if they were on any other network.
>
> Independent researchers are increasingly examining GSM
> networks and equipment, Welte's work proves that GSM is in
> the realm of the hackers now and that this realm of mobile
> networking could be set for a few surprises in the future.
>
> [ We need to keep an eye on this; "a few surprises" could mean
>  many different things :-) ]
>
> --
> The war on privilege will never end. Its next great campaign
> will be against the privileges of the underprivileged. H. L. Mencken
>
>
>
>
>
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com
>





----- End forwarded message -----