12 August 2009

GSM Security Workshop

On November 17 & 18, at the DeepSec conference in Vienna, Harald Welte and I will present a workshop on GSM security. Because I was under an injunction at the time the original workshop description was drafted, the material on the official schedule is very limited, which harms me and DeepSec by limiting advertising. Now that my speech rights have been restored, I'd like to use this blog for a shameless plug.

The DeepSec GSM security workshop will begin with an overview of the GSM air interface, Um, sufficient for those not yet familiar with cellular protocols to follow the subsequent material. We will then describe standard Um security mechanisms, their fundamental flaws, common operational mistakes and known techniques for exploiting these flaws and mistakes. We will describe the mechanisms, capabilities and limitations of passive interception, jamming, active attacks on Um and the use of other public networks for higher-layer attacks. More importantly, we will describe best security practices, means of identifying various attacks and the countermeasures available to carriers and to individual subscribers. Going beyond theory, we will demonstrate many of the attacks and countermeasures using a private GSM network built with commercially available components, software from the OpenBTS and OpenBSC projects, and additional software components not found in the public distributions of those projects. We will also take this opportunity to blow away a lot of the trade secret claims that typically surround this field by reviewing publicly available sources, including patents, academic papers and even the court records of intellectual property disputes, that describe these attacks and countermeasures in sufficient detail to allow their recreation by engineers of ordinary skill.

Of course, that's assuming we get at least three people to sign up for the workshop, which is the minimum number to justify the cost to the conference. For more information, see the conference registration page. Early bird registration ends September 7.


  1. Hi there, I have been following the progress of OpenBTS for a while now and it's been very interesting. I know it's barely a year since the birth of OpenBTS so resources are limited, but I would like to know if OpenBTS would work on sipx instead of Asterisk, considering the scale of the target for the end product of this project (rural Africa)?

  2. Actually, OpenBTS work started just over 2 years ago, but we did not make a public announcement until Sept 2008. Thanks, though.

    There is no reason OpenBTS would not work with other SIP PBXs.

  3. I stand corrected and it's good to know about the versatility of OpenBTS. I would like to know if one can get an RSS to follow the progress of your work. I just can't seem to detach myself from this project.

  4. Is this software being used in products by www.vnl.in? They've just been mentioned in the Wall Street Journal.

  5. Mr. David A. Burgess,

    The work you are doing is really important, but because you guys are always doing presentations in countries most of us can't attend, you really really really need to consider doing some online presentations, as everyone will have a better opportunity to attend those without issue.

    I would be one that would always be able to attend those, and would like for you to do this, if possible, on a monthly basis.

    Please consider this!

    Much respect to you.