Okay, everyone, please welcome Harald Welte, who will be talking about open-source mobile communications.

Yeah, hi everyone. That was quite an adventurous beginning of the talk; that never happened before. Okay, so I'm going to talk about open-source mobile communications and particularly the Osmocom project, which some of you may have heard about before in various different contexts. And before I'm going to talk about the various sub-projects and the various focus areas in which we work inside the Osmocom project, I'd like to take a little bit of a step back and compare different communication worlds, or different communication systems, sort of to reflect the journey that we've gone through the last, well, eight years by now.

So I'm going to skip the slide about myself. Basically, I've been doing Linux and networking related stuff for quite some time. And if you have a background in TCP/IP, the internet world, Ethernet, Wi-Fi, whatever, then to you it's basically normal that all the stuff you want to use is open source, or at least you can find everything in open source. So basically, let's say you want to do some research in the TCP/IP world. Well, you use off-the-shelf hardware like an x86 PC, which has an Ethernet card built in these days. You start with a Linux or BSD operating system, which has the entire protocol stack and the drivers and everything open source. You add whatever instrumentation you need, you do some modifications.
Let's say you have a bright idea how to optimize TCP congestion control or something like that. You do testing, and you write a paper and publish the results. And this is why we have been seeing such an enormous amount of innovation in the TCP/IP and internet world over the last, whatever, 25 years or so. And we haven't seen that in the cellular space to the same extent.

So assume it's 2009, which is basically before we really got started in the Osmocom project, and you want to do some research into mobile communication systems. At that point, until 2008, there was no implementation of any of the protocols or functional entities as free and open source software. And even, let's say, if you do this in an academic context, you would find it quite hard to find universities that have a test lab with all the required equipment. So I'm in Germany; I know two universities that had a full GSM network in there, at the university. But even if they do, well, then all the equipment is black boxes. So you can basically say, okay, well, this is the black box that implements the MSC, and there is another black box that implements something else, and then you can do some protocol sniffing on the interfaces between those black boxes. But still, it's not really all that exciting, because you can't modify those black boxes. And the only chance you had at that time to do some research into cellular systems, mobile communications, is to partner with one of the large companies that build this equipment.
Let's say Ericsson, Huawei, ZTE, Nokia Siemens Networks and so on. And then they put you under an NDA and will profit from your research, and you, still, well, yeah, maybe you can do some interesting research, but you can't really publish all the results, and so on.

So if we compare these two sides, basically the internet side with TCP/IP, Ethernet, Wi-Fi and so on, all those protocols, and we look on the other hand at the cellular world, with GSM, GPRS, EDGE, 3G, HSPA, LTE, all those different systems and generations out there, you will find that the specifications of both of those worlds are always open and publicly available. So if you want to learn about TCP/IP, you can read the RFCs. If you want to learn about Ethernet, you can read the IEEE specs. If you want to learn about GSM, you can go to the ETSI or to the 3GPP websites, where you can find a comprehensive body of standards and specifications, and you can learn about them. So the documentation for both of those worlds, or for systems and protocols in both of those worlds, has been public for a long time. But yet, if you look on the internet side, you have all this innovation and all kinds of people doing interesting research, and also going beyond just research into functionality, going into security. For example, all the journey that the internet world has had, you know, from ping of death to DoS attacks to all those much more comprehensive attacks these days. All that has not happened until a couple of years ago, and it's still not happening to that extent in the cellular sphere.

And the reason I find for this is because, well, the industry in the cellular world is extremely closed, and I have to add closed-minded in many cases. And you find very few protocol stack implementations, proprietary of course, all of them, and the chipset makers, talking about the handset side now, are not releasing any documentation on the hardware. So even if you say, well, okay, I move away all this proprietary protocol stack,
I'm not interested in it, I want to write my own: you don't get the documentation that's needed to understand the hardware to the extent that you can actually implement your own protocol stack on top of it. So the only choice you have is to do reverse engineering, which means you spend an awful amount of time doing things which are not those things that you really wanted to do, which is implementing a protocol stack, or even doing security research or any kind of research.

So now some people think about, oh yeah, all this research, and in particular from a security point of view in telephony: who is interested in listening to phone calls? I mean, we all know the government can do it anyway. We all know there are lawful interception interfaces in all the cellular equipment out there, and it's documented and specified, and the laws around it, and so on and so on. But I think listening to phone calls is boring indeed, but there's much more interesting stuff out there. We have machine-to-machine communication. We know that BMW cars can be unlocked and locked using GSM. It's not only BMW that can do that; unfortunately, also other people can do it, because they were not very smart when implementing that. Not talking about the brand Smart here. There are alarm systems, often burglar alarm systems, that either report over GSM or can be unlocked. There's of course smart metering. There is one topic that I still haven't seen a lot of research in, which I think is a very interesting area, which is railway GSM, GSM-R. Not sure how many people in this room realize that railways, and basically permission to enter certain tracks and the speed permitted to run on certain tracks, is communicated by GSM, at least on some tracks in some countries in the European Union, and more and more of those tracks get converted to railway GSM.
We have vending machines that report if the cash box is full. So if you want to be a smart thief, then you could use, for example, such messages to know where there are lots of coins in the cash boxes. There are entire wind power plants, windmills, that are controlled over GSM in the end, so whether they feed into the grid or not. Just think about what it does to the grid once people can look at, or not look, but rather control such interfaces. We have transaction numbers for electronic banking that get transmitted over SMS, and banks sell that as a secure method of authenticating. I mean, not sure what they had smoked when they made such a statement. To me it's ridiculous. Anyway, so there's all kinds of interesting things, from a security point of view, from just the technology point of view, in the cellular world, and there hasn't been much free software.

So we started what's called the Osmocom project, open-source mobile communications, with a typo in the name, and that's of course just my slide and my inability to read the slides before presenting them. And it's a classic collaborative, community-driven free software project. So there's not a single company behind it. There is no dual licensing. There is no open core. There is nothing. It's mailing lists and people and code, and everything of it is released. And Osmocom gathers a number of people who explore this world that's very industry dominated and very closed in terms of implementations and often also technology. You can check out, of course, the website. Yeah, we also have sour code. No, it's source code, in git. We have lots of information in a wiki, and yeah, you can check it out, and there are many different projects inside the Osmocom project. So Osmocom is the umbrella project, and within Osmocom we have many different projects. I don't even know the figure right now, but I would say it's probably two dozen or so active projects at this point. So it's a little bit, I mean, of course not in scale, but you think of like the Apache project. Well, yes, there is an Apache web server, but there are thousands of other products that they do under the umbrella, and it's a similar situation with Osmocom, on a much smaller scale of course.

So the first project that was publicized about, and that was released, is called OpenBSC. And it implements what's called an A-bis interface towards what's called a BTS, a base transceiver station. So basically, using OpenBSC and a base transceiver station for GSM, you can run your own cellular network. And that's what I'm going to talk about in a workshop later at EMF Camp. If you're interested in that, feel free to check out that workshop. We're going to run through installing the software, configuring it, setting up the device, and actually getting to the point where you can run your own cellular network with OpenBSC. It has various different modes in which you can operate, but that goes into a lot of details on all the different acronyms and functional splits in the GSM architecture. It's deployed, well, it's more than 200 now; I'm sure it's more than 500 confirmed installations that I know of by now. But of course, well, it's a free software project. Anyone can download it, anyone can run it, I don't need to know about that. So there can be a much higher figure than we know.

So as we are at the camp, actually, this is a reminder of another camp that happened a couple of years ago, the Hacking at Random camp in 2009, and the picture that you can see is at the bottom of the tree.
There are two 48 kilogram Siemens base transceiver stations, a couple of cables running up the tree, and you see the red tape, well, not figuratively, the literal red tape around the antenna, taping the sector antennas to the tree. And that was the first test installation that we ever did with the OpenBSC software. So at the Hacking at Random camp in 2009, we were running a cellular network for participants of the camp, but also for us to basically have a real-world test for our implementation of those protocols. This has become sort of a tradition. So at other events in the Netherlands or in Germany, at the CCC camps, also at the Congresses, we have been coming back every so often and rerun this network, always with new features, new equipment and so on.

So it can be used in several different modes. Not going to go into too much detail here. Basically, one of the two modes enables you to run your base stations as part of an existing cell network. Well, if you're not a cell operator, it is not a very interesting mode to you, because, well, if you don't happen to have an existing cell network, how do you integrate with it? And the other mode, which is much more commonly used in the community, is what we call the NITB, the network in the box. And that's basically, well, as the name implies, all the elements that you need for a GSM network are implemented in one box. So you don't need all this complicated setup of, you know, half a dozen different components, and configure all the interfaces and so on. So it's just one program you start, and you attach your transceiver hardware, and that's it. So that's very suitable for private and/or autonomous small networks, like a PBX, but with a wireless interface for the actual phone. There is no dependency on external components.
So you don't need anything else but this OpenBSC and the transceiver hardware. You can, if you want, connect to the outside world using ISDN or VoIP or whatever you feel fit. Basically, we have an interface where external, how we call them, MNCC handlers, mobile network call control handlers, can register. You can interface that with Asterisk, with FreeSWITCH, with whatever you want. There are some people who run this, for example, on offshore drilling rigs for oil, and underground mining, as an alternative to PMR, professional mobile radio. Because, well, professional mobile radio has "professional" in the name, which means all the equipment is like ten times more expensive. So if you can use inexpensive GSM phones, which you can buy for ten dollars, twelve dollars these days, it's actually a quite economic alternative to buying, you know, two hundred, three hundred dollar professional mobile radio terminals. Even if the cheap phones break frequently, it's still going to be an economic advantage.

It's also the configuration of this OpenBSC, the NITB configuration, which is what you would use if you want to do security research or something into cellular technology. We extended that over time with other network elements needed for GPRS, for packet-switched communication, because many people use GSM as synonymous for any kind of cellular telephony. That's not technically correct. GSM is the system that was originally described in the late 1980s and deployed first around '91, '92, if I remember correctly, and it's only about SMS and circuit-switched telephony; there's no packet data in there. So we added these SGSN and GGSN components, which are needed to have a packet-switched service, GPRS and EDGE. Some people may still remember that these were the first, well, mobile data systems out there in the cellular world. And using those components, well, the last sentence, I'm not so sure anymore.
It's pretty stable, and some people are using it actually in production, but still it's less mature than the other components. So this, of course, once you have mobile data, you can for example test M2M devices doing that. So if you develop a smart meter, or develop some mobile device that includes a modem, then testing against the real network, if something fails, well, you don't see what's really happening on the network. You don't get a protocol trace on the network, and you don't know whether the network was overloaded or it was bad reception. So you don't have a controlled test environment. But by using your own network, basically, you can do that. Mobile malware research. And of course, again, learning actually about the technology involved in all these protocol layers, because if you think of a GPRS network and you look at the protocol stack, I think there are like eight or nine layers below the IP that you as a user consume. And you know, to me, as somebody who is into networking, if there's some protocol that I don't know about, I want to know about it. So I'm interested in how these systems work and how those protocol stacks look. That's just my personal interest, but there are other people out there who find it interesting to really learn about how these systems work and how they are designed and how they are different from other systems out there. And that's something you can do with this stack.

Okay, let's switch to another project which we have in the Osmocom project, which is the OsmocomBB project, where BB is for baseband, sort of. Not entirely correct, but then naming, you know, it's always the last thing you think about. So what it is actually is an implementation of all the software that you need to run a mobile phone, except the actual hardware transceiver. So we reuse existing phone hardware, specifically some older feature phones that are sold under the Motorola brand and not actually built by Motorola. And using such a phone, basically, we remove all the, or we ignore all the original software that's in there, all the binary-only firmware that it ships with, but we developed our own software, from the drivers, the layer one, layer two, layer three, basically everything that you need to run inside the phone. And using this, you can then, from free software, run a complete phone that you can register to an official network, where you can make calls, do handover, send SMSes, receive SMSes and so on. Well, okay, I can do that with the phone as it is. Why do I need OsmocomBB? Well, the difference is you can see everything that's going on, and you can influence it, of course. So let's say you're somebody who is particularly cautious about not revealing his location. With OsmocomBB you can put an offset on all the transmissions, so you appear to be further away from the cell, and the network doesn't really know where you really are anymore. These are the kind of things you can do once you control the technology, which you cannot do if you just use a black box and the proprietary protocol stack. And of course you can see everything that's going on. So if you suspect something fancy going on, you have not only the protocol traces, but you can literally look at every part of the software. So yeah, where is this being used?
Well, it's mostly actually research and teaching or studying. So applied security research: lots of people have been using this over the years. For example, you can fuzz base stations or other parts of the cellular network, because now, for the first time, with OsmocomBB, people can send malicious or intentionally malformed messages to any of those protocol stacks on the network side, which hasn't been the case before. So basically there were a lot of low-hanging fruits in the network implementations, where, well, they just didn't think of what happens if a message is malformed. So we're like in the internet of the mid 1990s, the security mindset, sort of; that's what you see in the cellular world. There's an attack called the RACH denial of service, which is basically an overload of the initial process when you register to a cell, when you establish a channel to a cell, and that has been implemented and published about. So using OsmocomBB, it's easy to do that and to perform denial of service against cells. You can check for all kinds of features which networks recently added to increase or improve their security. So there's some random padding that has been rolled out by a lot of operators to combat some of the A5 encryption breaking, and you can check if a network actually uses that or not. You can also use this to do heuristics on detecting IMSI catchers or other false base stations that might be in the vicinity. So if you're worried about some evil attacker putting up false base stations and trying to play man in the middle with GSM, well, then OsmocomBB is a very good technology to look into what's really happening on a protocol level. And once again, well, yeah, you can study and learn how this works.

Okay, well, that's basically a lot of GSM related projects. Let's look at, well, actually, yeah, OsmoBTS, very quickly about this slide.
So so far I've been talking about, well, you need this base station, and at this camp in 2009 we used the Siemens base station. So there's still a proprietary element in this chain. With OsmoBTS we also implemented the actual BTS itself in software. So you can now use a combination of different software components, including OsmoBTS and the network in the box and something else that's called OsmoTRX, and run that on a software defined radio, and then run your entire base station out of a software defined radio. At that point you don't have any proprietary software involved anymore, and no firmware or anything that's closed source at that point.

Okay, that was all GSM and related technology. Now there are many other projects in the Osmocom umbrella project that look at different mobile or cellular technologies. One is called Osmocom TETRA, which is an implementation of the PHY and MAC layers of TETRA, which is terrestrial trunked radio, which is used, for example, by police all over Europe for communication. But no, you cannot listen in to police with Osmocom TETRA, because they use, normally, at least if they deployed it correctly, strong end-to-end encryption. But there are many other networks, let's say at airports or chemical plants or ports, I mean seaports, or something like that, where they run TETRA as a professional mobile radio system and they don't use any of the security features. So there's no authentication and no encryption involved. So using Osmocom TETRA, for example in Berlin, my home city, you can tap into the radio of the subway. So you can basically listen to the subway radio, and there's also a network by Vattenfall, the local electricity utility company, where there's not much traffic going on, but I think they are using or having, they have this network for disaster cases. So basically, whenever all the other communication channels should break down, in case of a bigger disaster, the utility company can still communicate with people in the field trying to fix the grid or something like that. In Hamburg there is a network that includes the Hamburg port, and there are several airports in Germany which have completely unencrypted, open TETRA communication. And then, you know, we think about all the, you know, the body scanners and all the security simulation that they do to the passengers, and then on the other hand all their internal communication is completely public to anyone, and they don't even put encryption or authentication there, which is specified, but they're just too lazy to actually deploy it. So like on the airport you can listen to everything that's going on. Not between the planes and the airport, where they use regular air band AM, but it's about the staff on the ground, the coordination, which vehicles go where, the buses and so on; that's basically what's communicated there. So using Osmocom TETRA you can do protocol analysis on TETRA and also decode the voice that's in there. The receiver is fully implemented; the transmitter is only a partial implementation. We never even really bothered to do a real transmission; the transmitter implementation basically only served as a test case against the receiver, so we could verify the receiver without having a third-party signal. Yeah, so there are some Wireshark dissectors merged into Wireshark, so you also get a protocol decode like you would get in a TCP/IP network. Yeah, so what to use this for? Well, for analysis, assessment of network security, learning how TETRA works and so on. Actually, the code has been extended to also, there's also like a cellular data over TETRA, something like GPRS for TETRA, and that also gets fully decoded, and you actually see, in some of those networks that I've looked at, you see IP communication going over this.

There are other projects in the Osmocom umbrella. One is called Osmocom GMR. GMR is, as everyone in here certainly knows, the GEO-Mobile Radio, which is one of these acronyms from ETSI, the European Telecommunications Standards Institute, about satellite radio or satellite telephony. So, I was just kidding; I guess nobody here heard about GMR before, but Thuraya some people might have heard of before. It's one of the commercial operators operating a satellite telephony network using the GMR-1 standard. And the Osmocom GMR project implements an SDR based radio modem and PHY and MAC layer for receive. So basically this means you can, using a suitable antenna, which is relatively easy to build, and an SDR and Osmocom GMR, you can get the protocol traces of the... the decoder, the speech codec, and now sorry, this slide is outdated, is implemented. So it is proprietary, but the reverse engineering of the speech codec has been done, so you can actually tap into calls. There's also some work, not done within the Osmocom project, on breaking the encryption, and there is a reverse engineered implementation of the, well, "encryption" in quotes, that they put on this system. So it's even weaker than the GSM encryption you have on land. Yeah, so, well, again, use cases, well, not really anything beyond looking at the security, learning about the technology and intercepting communication.

There's also a project about DECT, the digital European cordless telephony, which has been broken many years before Osmocom even; it was a project called dedected.org which discovered security issues in the cordless telephony standard. And Osmocom DECT is an implementation of hardware drivers and protocol stacks inside the Linux kernel. So if you compile that and have the right hardware in place, you can actually serve as a PBX and have all the DECT stack in free software. A similar project is OP25, which is APCO 25, which is a professional PMR system used in the US, again by police and other public authorities. It can be compared on the same feature level and technology like TETRA in Europe. And there's a project, again, for an SDR based receiver and protocol analyzer. So it's pretty much the same, just for yet another communication system.

We also did an OsmoSDR quite some time ago, but then basically RTL-SDR happened and nobody was interested in OsmoSDR anymore. And I'm going to get to RTL-SDR in the next slide, but it's a small USB SDR hardware that we built, with a higher bandwidth than at that time available with the FUNcube Dongle Pro, much lower cost than a USRP. And yeah, we've made it, I think, to like 20 or 50 units, and then, yeah, sort of the timing was bad, because, well, luckily, and I'm very happy about that, RTL-SDR happened, which is also, the actual source code for RTL-SDR is developed in the Osmocom project. And what, some of you may have heard or seen this before, even used one: it's basically, there are some cheap DVB-T USB receivers that you can buy at very low cost, and these devices normally have a tuner that down-converts the signal from the RF into I/Q baseband, an analog baseband, and then you have an ADC, which also integrates the DVB decoder. So all the demodulation and so on and so on. But through some special commands, the DVB decoder can be disabled and you can forward the raw samples into the PC. And then basically it means you can turn one of those consumer grade receivers into a software defined radio that you can use to receive pretty much anything that's within the frequency range and the bandwidth of this device. And the software for actually talking to the hardware and implementing the drivers for it and so on is what we call RTL-SDR in the Osmocom project.

There's another project, also closer to hardware, which is Osmocom SIMtrace, which is hardware and firmware and software for protocol tracing of the interface between SIM card and phone. So if you ever were interested, for whatever reason, in the communication between your SIM card and a phone, or actually any contact-based smart card and its reader, because it's always the same standard that's used, so some people are also using this to look at EMV payment cards using the SIMtrace, because it's the same physical interface. So it works as you can see in the picture: you insert a SIM card adapter with a flex cable into the actual phone. We also have these for the micro and nano SIM cards, not just for the large ones. And the actual SIM card then gets put into the PCB; there's a SIM card reader where the SIM card is inserted, and then there's a microcontroller on the board which sniffs the communication going back and forth between SIM card and the phone, and there's a USB port on the other side. So you basically can get the protocol traces into the PC, where once again they are fed into Wireshark, and we have a Wireshark decoder for the SIM card related protocol. It's also possible, using this hardware, to do man in the middle or SIM card emulation, but the software is not complete in that part: of the software implementation, only the card emulation and the tracing have been fully completed. Man in the middle, I think there were some patches on the mailing list at some point, but it's not really integrated. So about SIMtrace, there's also going to be a workshop at EMF Camp. If you're interested in playing with this and in tracing SIM card communication, feel free to attend this workshop. I have ten devices with me, so we can have some fun with those. Maybe one more thing to why would anyone do this, apart again from, well, I want to understand this protocol and this interface and how it works. Well, there are a lot of things that a SIM card can do to a phone which most people are not aware of. A SIM card can request the GPS position from the phone. For example, why would a SIM card ever need to know that? A SIM card can send SMSes by itself, using the phone, where the user has no idea that those messages are being sent. A SIM card can do all kinds of other things which are not presented to the regular user of a mobile phone. And that's why doing protocol analysis can be quite interesting, to see really what's using this and what's happening in this communication.

We also did another small hardware project, and there are many more of these; I'm not going to go through all of them. One is an E1 transceiver, which is, well, if you ever are in need of interfacing with a physical E1 or T1 line, that's the synchronous system which is used a lot in GSM base stations. That's why we implemented it. We built a small board for that. There are protocol stack implementations in Erlang, if anyone here fancies Erlang as a programming language. Normally, in all the other Osmocom projects, we use low-level C, no C++, but here are some projects in Erlang that implement various protocol stacks that are used in cellular networks. I'm not going to go into the details here, but if you're interested in the core network protocols, which are spoken on the roaming interfaces between the cellular operators, these are the protocols basically that are used on those interfaces, and we have these implementations. So there are some smaller MVNOs, virtual network operators, that don't have their own radio network, their own physical network, but they only operate a core network, and some of them actually use this code for some of the functional elements they need. There are more Osmocom projects. I'm sure the number 79 is outdated now; I didn't do a recount before today. But there are lots of public git repositories there, and way more than I can cover in this talk. Often, I mean, for the larger projects, or the more frequently used ones, you will find the wiki and some documentation, but for some of them there's basically just a git repository.
It's because somebody needed to write some code and put it in there. So it is sometimes RTFS, and there is no manual or documentation, but then you can always come to the project mailing lists and discuss questions that you have.

Finally, a couple of slides about non-Osmocom projects, which are also related to open source mobile communications. I just want to name them, because I think they're also important if you have an interest in mobile communications. There is what's called OpenBTS. Don't mistake it with OsmoBTS that I presented earlier. OsmoBTS is an Osmocom project; OpenBTS is not. OpenBTS is functionally best described as a Um-to-SIP bridge. Um is the radio interface between your phone and the cell tower, and SIP, well, SIP is voice over IP telephony. So it is a very quick and direct bridge between this radio interface and SIP. So if you don't want to bother with all of these deep protocol stacks and all these strange acronyms and all the complex architecture of GSM, this is a very quick way how to attach a cellular phone to a voice over IP system. There is another project, also slightly outdated and unmaintained these days, called AirProbe, which is an SDR implementation, again for the GSM radio interface, which predates Osmocom and all of the other work that I presented today. But you can use it, and using SDR hardware like a USRP or something like that, you can use it to demodulate and decode the radio interface of GSM, and then feed it again into Wireshark for protocol analysis. It's not so much used these days anymore, because you can do the same with OsmocomBB, and with OsmocomBB you need a small inexpensive phone and you have an excellent decoder. When you use AirProbe, you need a very expensive SDR and you have a very poor software decoder, so you get lots of bit errors and lost frames, just because the quality of the decoder implemented in AirProbe is not as good as the one in the DSP of the phone.
So that's why it's a bit abandoned.

There is another project called UmTRX, which is an SDR hardware project specifically for the GSM radio interface, which you can use with either OpenBTS or OsmoBTS. It's an open hardware design, so you can also check that out.

And finally, one last project that I find very interesting is XGoldmon, which is basically software for phones that are based on the X-Gold chipset. That's a formerly Infineon, now Intel, series of GSM baseband processors that's used in some phones; you can see, like, Samsung Galaxy S3, S2, Galaxy Note 2 and so on. They use this chipset, and there are some undocumented commands by which, over USB, you can basically enable tracing in the phone, and then you get all the low-level messages from the GSM radio interface, or not just GSM but also the 3G radio interface, over USB. You feed them into your PC where you run XGoldmon, which then feeds it into Wireshark again, and you can again look at protocol traces and observe and analyze what the phone is doing in terms of the network.

Okay, well, where do we go from here? That's sort of the wrap-up of all the various different projects. Our team member Dieter has been working a lot with 3G NodeBs from Ericsson and Nokia, and the goal is also to run our own RNC with those base stations.
We meanwhile also have implemented what's called a Home NodeB gateway, so with certain femtocells you can also run your own 3G network, similar to the network-in-the-box for 2G and 2.5G.

There's some research into intercepting microwave backhaul links, because a lot of the microwave backhaul links between cellular base stations are unencrypted, again, and only protected by, well, some proprietary encoding. There's research into GPS simulation, and some ongoing effort on OsmocomBB with other baseband chips or with SDR, because the phones that we originally developed for are increasingly hard to find these days. Try to find a phone from 2007; you have to go to a museum these days. You can still find them, but it's getting increasingly difficult. There is, well, the femto server I already spoke about, and there's some research into proprietary PMR systems, and, yeah, many, many other people looking at interesting communication systems out there. And I think it's important that we understand those communication systems, and that they're not just controlled and understood by very few large corporations on this planet.

Yeah, so if you tend to agree that, well, on the classic internet TCP/IP is boring because it has been researched to death and everyone learns about it at university or even in school, there are many, many other communication systems out there. And never trust the industry in terms of any kind of claims regarding safety or privacy of those systems; always have a look yourself. And yeah, I think it's important that we can democratize access to those communication systems and to the related projects. So yeah, if you have an interest in any of these areas, please contribute to the project, start your own projects, join the mailing lists, and yeah, let's proceed that way.

Okay, that's the thanks slide. I'm not going to read the names. And yeah, we have time for questions. So there's, I can't see, but there's supposed to be somebody with a microphone.
Yeah, over there indeed. So if you want to raise questions, please wait for the microphone and ask the question into the microphone for the recording. Yeah, I can't see very well, so wait, please. Oh, yeah.

Hey there. Do you have any concern that anything you're doing might get you in any trouble at all?

I don't really have much of a concern, in the sense that research into all these topics, there is nothing illegal about it. Of course, if you use it to actually intercept systems, then that, depending on the national law and where you are, in which jurisdiction and so on, might have an issue. But I mean, my standard response is, well, if I manufacture a hammer, it can be used for, you know, nailing nails into the wall, or you can smash somebody's head with a hammer, and it's sort of, just because there are many useful cases of using a hammer, we shouldn't outlaw hammers just because they can also be used to create damage. So it's maybe not a very nice analogy, but that's sort of my attitude to that. And I mean, all the tools that I'm talking about, they all exist for the internet, but they didn't or don't exist to the same extent for other systems. And I mean, the internet also is alive, and yes, there are criminals online, as there are criminals in the real world, as there are criminals who want to do something fancy in cellular networks. So, yeah.

Hi, very interesting talk. I have two small questions. The first one is, what's the cost of getting a BTS, more or less?

It depends, I mean. Sometimes, so if you want to get an existing proprietary BTS, like from a manufacturer, then you can sometimes find it pretty cheap on eBay or other online sales. So I've heard of some people, like for 100 or 120 euros; sometimes you have to be lucky for that. If you want to go for SDR, well, I think like 500 to 600 dollars.
You can get an SDR that's capable of doing that; you attach it over USB to a PC and then you run all the software on the PC. If you want to buy a new base station from a manufacturer, then of course it's going to be more expensive.

But yeah, so okay. And the other part of the question would be, is it actually legal to run one of the base stations?

That depends on where you are, and whether you manage to get permission from the regulatory body or not. In many countries it's possible to get what is often called a non-operational or non-commercial or test or experimental license. I don't know how Ofcom in the UK is handling this, but at least it would be worth approaching them about this. So if you say, well, you know, I'm doing some research into cellular communications and so on, and you want to have an experimental license, I'm not sure what would be the response. I know there is a procedure; every regulatory authority has a procedure for that. And yeah, so unfortunately there is no license-free spectrum that anyone can just use, except if you're in the Netherlands. So the Netherlands has a couple of channels in the GSM 1800 spectrum which are license-free, but that's a peculiarity of the Netherlands; I'm not aware of any other country where this is the case. If you want to play with this technology and don't really want to run a network, then what you can do is you can connect the components over coaxial wiring with attenuators. It's not so exciting if you have a wireless phone with a wire coming out of it, but still, if you want to do some research into this, it's a perfectly valid setup, and then you're not broadcasting.
You're just feeding the signals over coaxial cable. That's sort of the last resort that you can do.

And so how quickly do you catch up? Because, you know, you're talking about trying to reverse engineer and everything, and how quickly do you catch up with things, and how quickly do they come up with new things that you'd have to then, you know, reverse engineer again?

Well, the reverse engineering we haven't really done so much. It depends on the protocol or the system that you want to look at. I mean, as for these commercial cellular networks, like GSM to LTE, basically for all of them the specs are out there. So if you have an SDR and you want to implement something, you don't need to reverse engineer anything. But if you want to work with an existing phone, or if you buy an Ericsson BTS off eBay and want to interface it, then of course Ericsson has modified some bits here and there to make it nice and easy for you to use it, and so there's like some additional work required, but in general it's not so much. I mean, about catching up, I think it's not so much related to the proprietary bits in the technology, but it's more related to the pace of the development. So I mean, these days of course everyone talks of, everyone in the industry, I mean even LTE is old for them. They're talking about LTE Advanced, they're talking about 5G systems where you have 120 megahertz wide channels at up to 30 gigahertz, or something absurd like that. That's what they are working on, that's what they are looking into, and of course with every new generation a new technology, and probably a more complex technology, gets introduced, and lots of people are required to implement that as free software if needed. But, how can I say, with LTE...
It's slightly different, because there actually is an open-source LTE terminal-side implementation. So using a USRP or another software-defined radio, and a reasonably powerful Intel, like a Core i7 or Core i5 kind of CPU, you can actually run the entire LTE physical layer and protocol stack in software, in free software, on your PC, and you can transmit, I think, about 50 to 70 megabits through that. So it's actually quite useful. That's not something that has happened in the Osmocom project, but still, I mean, there are people doing free software in those technologies, even if they are more advanced than the 20-year-old GSM that we started to look into.

Okay, one more question, the chap over here, and then I'll go over to the back there.

Yes, say if you, for example, experience intermittent issues between two commercial operators, which Osmocom tools can actually help you debug and find out which operator messed up?

Between two operators, so you're talking about roaming situations? You cannot debug that unless you can tap into the interface between those operators.

But can you at least see that one of the operators, if he cooperated, or, well, had less problems than yours, or...

It's difficult. I mean, you can do one of these, I mean, tracing on the device. So if you trace, let's say, using XGoldmon or something like that, you can take a protocol trace of what your device is doing towards the network, and you observe that in an operator where it works and in another operator where it doesn't work; then maybe you can draw some conclusions on where the problem might be. But if it's roaming, then I think it's very hard to get any results without actually being able to look at the core network of the operator.

What's the current state of the art in femtocell hacking?
It's not so, okay, how can I say. Well, there are some femtocells, I'm not going to name them yet, where a lot of progress has been made and where we could actually convince the femtocell to talk to our own network and our own network implementation, and there's going to be some news later this year about this. The problem with most femtocells is that by today they have reasonably good security in their system. So the idea of a femtocell is that basically you get a small cell into your home, but this cell establishes an IPsec tunnel to the operator that has issued, or that has given you, that femtocell, and then this cell becomes part of the radio access network of this operator. So you have this for good coverage in your home. Now if you want to use it from your own network, well, first of all you need your own network implementation. We did that with Osmo-Iuh and the Home NodeB gateway that we implemented, so from the protocol side the implementations exist now. But what you still need to do is basically you need to somehow route the cell locally and make it either install your own certificate for the IPsec, so it connects to your own IPsec gateway, or disable IPsec altogether so that it just connects over plain TCP to your network implementation. And some people have tried this with Huawei femtocells, UAP2105 or something like that, and there the main problem was that, well, there was one specific Russian firmware version where it was very easy to circumvent all the lockdown, basically, but all the other firmware versions that you find in the devices that you can find online on eBay or something like that, they are secured, and serial console and JTAG and that stuff have been disabled. So that's not so interesting. There are some older femtocells which have less security in the sense of physical security, so they're like the original Vodafone, I'm not sure how they called it here in the UK.
It was, I think, 2009, 2010, sorry, no, I think it was called differently back then. But anyway, okay, maybe it was called Vodafone-something, but they were the first in Europe, I think, to deploy femtocells, and if you look at those, it's very easy to break into them and to root them. But they predate all the standardized femtocell protocols, so basically you need to speak a different protocol to talk to them. It's a proprietary protocol and not the later standardized Iuh protocol. So you basically have modern femtocells that are very hard to break into, which speak a standardized protocol for which there is code, or you have old femtocells where you can break in easily but which don't speak a protocol that's interoperable and documented. So, not so nice, the situation.

I think I'm out of time for questions. Next speaker. But thank you, Harald, that's very interesting. Thank you so much.