NNSquad - Network Neutrality Squad
[ NNSquad ] Hacker-run GSM network / Private GSM
Begin forwarded message:

From: "Hendrik Rood" <Hendrik.Rood@stratix.nl>
Date: August 31, 2009 3:08:13 PM EDT
To: <dave@farber.net>
Subject: RE: [IP] Hacker-run GSM network / Private GSM

Professor Farber,

As I attended that camp / conference and although I did not hitchhike to the site I got a hello message from the GSM network that identified itself as NL 42 and sent out messages to register with them via cell-broadcast. Many who carried an iPhone experienced an unexpected freeze up from that message and thought their devices were hacked.

The BSC-BTS operated under an experimental low-power license for 100mW in the 900 MHz range from our Radio Agency. The hacker-BSC turned out to be rather old-fashioned stuff in a technical sense, they had made a TDM - 2 Mbit/s backhaul. His BTS was a macrocell, albeit at low power and an omnidirectional antenna. His system worked for calls, but I couldn't get an SMS through to another user, but that might have been my misconfiguration in the handset.

I wasn't that impressed, it was nice that they work on their open source implementation, but closed source very affordable solutions on a more modern Ethernet / IP-technology base are also on the market and there is much going on with pico- and femtocells.

Observing the message I have the impression that most readers of IP are not aware what is going on today in the area of the so-called Private GSM-networks.

This year it is the intention to alter the Dutch Frequency plan to allow low-power (200 mW) unlicensed use for GSM1800 in today's unused frequencies at the edge of the GSM and the DECT-band. The so-called GSM/DECT Guard band. A bit comparable change handing out the same frequencies, but then with many low-power GSM licenses to a high number of operators has already been made in the UK. The difference for the Netherlands is that we will go unlicensed low-power and thus make a pure cellular operator bypass.

The IT and Telecoms division of the Dutch Military Forces already experiments with this GSM1800 band. All devices working at GSM1800 do operate in those unused bands. The Dutch Forces have bought a pair of 1U height GSM-core servers jointly capable to serve up to 100k subscribers/SIM-cards. The basestations are picocells that are hooked up to core over an IP network (mainly just hooked up on the Ethernet LAN on the military bases and ships). They have received their own E.212 Mobile Network Code and issue their own SIM-cards.

They do not use femtocells as these are mainly designed for 3G today. But that may be a next stage. There are also some unused 3G ranges and the WRC2000 has decided that 2G frequencies may also be reused for 3G. License free low power 3G can be arranged for, it was foreseen in the ITU IMT2000, but it is more an equipment availability question.

The Dutch Forces currently connect their core to a GSM mobile gateway/HLR of switch based MVNO Tele2, who advertises their MNC, routes their signalling and contracts roaming at wholesale prices for them in the Netherlands and all around the globe.

It is the plan of the military to outfit the military field bases (today in Uruzgan) and the Navy ships via satellite backhaul. An uplink of 128 kbit/s per ship or small base suffices to hook up all basestations back to the core. There are even ideas to put satellite backhaul links on trucks in large convoys who then carry the basestation.

The Forces' setup with a roaming contract to the public network means that staff and crew can go off base or off in a harbour from a ship and only then will they roam on the public network on land, while on the ship or a base they are with the GSM in their own MNC-domain. When their own GSM-network fails at a specific base, they automatically roam on a public network.

The prime reason to engage in this setup for the Dutch Ministry of Defense was the problems they encountered with Voice-over-WiFi in real field circumstances. Big file downloads did cause problems with voice streams on the radio network. In Kosovo they had got a BTS-BSC with satellite backhaul installed by a public operator. Now it becomes more Do-It-Yourself.

There is currently a public consultation going on in the Netherlands to change the E.212 numbering plan so that corporate end users and businesses (you must at least be willing to invest in the know-how to operate a GSM-core and learn a lot of new protocols a typical corporate PABX owner today is unfamiliar with) can apply for their own MNC.

The installation firm that supplies the Private GSM to the Dutch Ministry of Defense is here:
http://www.radioaccess.nl/en/

They work with equipment from an English firm aptly called Private Mobile Networks:
http://www.privatemobilenetworks.com/whatis/

That firm also has a Rapid Deployment GSM network that can be set up in a few minutes for emergency situations:
http://www.privatemobilenetworks.com/products/rapidgsm/

The bottom line. While the hacker is programming his own BSC which still had to link to a TDM-BTS microcell, similar efforts on IP based picocells and femtocells are on the way. Otherwise products that do work are already commercially available for non-operator businesses.

It mainly requires a forward looking spectrum agency to free up some frequencies for unlicensed, low-power use of cellular technology and also willing to issue E.212 Mobile Network Codes directly to non-operator businesses.

There is something moving in the UK and The Netherlands in this respect, but I doubt if this will happen in the USA. In the UK and the Netherlands businesses are also able to get 0800/0900 numbers as well as corporate PABX E.164 numbering ranges straight from the regulator.

In the USA all this type of numbers and numbering block distribution from NANPA seems still to be routed via operators, who are used to playing all kinds of hoarding games with them. I do not know how E.212 MNCs are distributed.

Interest from corporate and campus users, in particular those who occupy high-risers and difficult-to-cover buildings, is growing fast. It is a way to get rid of most of the fixed telephones on desks, provide good coverage everywhere and keep metering down and even connect all your offices over the IP network.

Unsurprisingly the entire "movie" of operator resistance against such deployment is reprised. The "no harm to the network discussions" seems to be done over again as well as the rules from old playbooks with titles like "PABX-es must be operator owned and controlled devices".

With kind regards,

Hendrik Rood

--
> -----Original message-----
> From: David Farber [mailto:dave@farber.net]
> Sent: Monday 17 August 2009 15:32
> To: ip
> Subject: [IP] Hacker-run GSM network
>
>
>
> Begin forwarded message:
>
> From: Randall <rvh40@insightbb.com>
> Date: August 17, 2009 7:28:14 AM EDT
> To: johnmacsgroup@yahoogroups.com, Dewayne Hendricks
> <dewayne@warpspeed.com>, David Farber <dave@farber.net>
> Subject: Hacker-run GSM network
>
> [[From the Telecom Digest]]
>
> From: Thad Floryan <thad@DELETED.com>
> To: moder8@telecom.csail.mit.edu
> Subject: Hacker-run GSM networks are coming [Telecom]
> Message-ID: <4A88B360.7020506@thadlabs.com>
>
> I have mixed emotions when I read something like the
> following which appeared on Slashdot earlier today,
> especially given the known GSM interference problems.
>
> However, this is telephony and this is news (from Slashdot):
>
> Harald Welte, who's been interviewed previously by Slashdot,
> has written on his blog about operating an Open Source GSM
> network:
>
> <http://laforge.gnumonks.org/weblog/2009/08/14/#20090814-har2009_gsm_network>
>
> at the recent HAR2009 conference:
>
> <https://wiki.har2009.org/page/Main_Page>
>
> Photographs and a description of the setup, run under
> license of the Dutch regulatory authority, are provided;
> essentially the setup consisted of a pair of BTSs (Base
> Transceiver Stations) running at 100mW transmit power each
> and tied to a tree. In turn these provided access to the Base
> Station Controller (BSC), in this case a Linux server in a
> tent running OpenBSC:
>
> <http://bs11-abis.gnumonks.org/trac/wiki/OpenBSC>
>
> The system authenticated users with a token sent via SMS; in
> total 391 users subscribed to the service and were able to
> use their phones as if they were on any other network.
>
> Independent researchers are increasingly examining GSM
> networks and equipment, Welte's work proves that GSM is in
> the realm of the hackers now and that this realm of mobile
> networking could be set for a few surprises in the future.
>
> [ We need to keep an eye on this; "a few surprises" could mean
> many different things :-) ]
>
> --
> The war on privilege will never end. Its next great campaign
> will be against the privileges of the underprivileged. H. L. Mencken
>
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com
> -------------------------------------------

----- End forwarded message -----