10 February 2014

One Last Word...

Since OpenBTS is a trademark of Range Networks, and since I am no longer at Range Networks, I do not use this blog anymore. I am now at blog.yate.ro.  See you there!

27 May 2013

Return to Pfarrkirchen

Three years ago, we ran an OpenBTS workshop in Pfarrkirchen, hosted by Dieter Spaar at his farm there. Everyone in attendance had a great time, learned a lot about GSM and OpenBTS and had some good opportunities to meet other OpenBTS users from around the world.

We are doing it again at the end of June. For more information follow this link. I hope to see you there.

11 April 2013

Range and SS7Ware at CCA

Range Networks and SS7Ware will be presenting their One Core Network solution for mobile networks, based on OpenBTS and Yate, at the Competitive Carriers Association Expo, 17-19 April in New Orleans.

The Open Core Network is the first flexibile, scalable and affordable solution for mobile carriers in rural areas, both for new networks and for expansion of existing networks. Come see us at booth #137. If you would like to meet with them please contact info @ rangenetworks.com or office @ ss7ware.com.

12 February 2013

See You in Barcelona

OpenBTS is the only open source implementation of the 3GPP GSM/GPRS and UMTS radio access network (RAN). Yate's SS7 stack is the only open source core network solution certified by Deutsche Telekom's test lab. That's a powerful combination and that's why Range Networks and SS7Ware (the new US office of Null Team) have started a development partnership to provide full cellular networks based on their products.

One exciting result of this US-European collaboration is a unified SIP-based network that supports 2.5G GSM/GPRS, 3G UMTS and 4G LTE RANs all on the same core, simplifying the network architecture and providing a higher return on investment. The Range-SS7Ware open source approach also answers concerns over the security of RAN and core network systems by allowing network operators to inspect the source code of their network software. This combination of open standards and open source gives operators tremendous flexibility in the development of new services and represents a new vision in the deployment of cellular networks.

Range and SS7Ware will be in Barcelona together later this month for the Mobile World Congress. If you would like to meet with them please contact
info @ rangenetworks.com.

09 October 2012

China, Cyberwar and your Phone Company

Why we are not paranoid about Huawei

Yesterday, the House Permanent Select Committee on Intelligence published a watershed report highlighting the strategic importance of telecommunications equipment and recommending that US companies not buy gear from either Huawei or ZTE. News coverage of this topic has been widespread, including 60 Minutes and The Wall Street Journal.   The primary fear is that Huawei and ZTE will insert "back doors" into telecom equipment that will allow the Chinese government to disrupt or intercept communications inside American networks.

Such back doors are not unheard of.  Although few are reported publicly, there are publicly known examples of large-scale telecom exploits, like

Whatever Huawei says about "just being a business", do not doubt that the Chinese government can induce a Chinese company into supporting its missions, through coercion, payment, regulatory favors or even simple patriotism.  While some may try to pass off these concerns of the US government as xenophobia or paranoia, there are enough publicly-exposed precedents just in recent years to justify concern, and you can be sure that the people in the intelligence community who raise these concerns are aware of other incidents that were never publicized.  This is not paranoia.  The concerns raised by this report must be taken very seriously.

Multiple threats to US carriers

The internet was designed with the assumption that there are malicious actors inside the network, but telephone systems are different.  The SS7 network, on which the public telephone and cellular networks run, is a true "network of trust", with few internal security controls.  Once malicious code is introduced into a telephone company's core network, there is very little that can be done to control it.  This is what Rep. "Dutch" Ruppersberger, ranking Democrat on the intelligence Commitee meant when he said, "In the telecommunications world, once you get the camel's nose under the tent, you can go anywhere."  This is why the introduction of suspect equipment into US telephone networks raises such serious alarms, much stronger alarms than in the IP routing world.  In some cases, the government has already intervened directly to stop large companies from purchasing suspect equipment, but small companies may make such purchases and not be noticed until after the fact.

Not being noticed does not mean there isn't risk for carriers.  The government could take actions post-facto to limit the perceived security threat.  One measure might be to refuse new spectrum licenses to limit geographic extent of the threat.  Another measure might be to prevent the merger or purchase of the company to prevent the suspect equipment from infiltrating into larger networks.  Either of these actions would be devastating to the growth and valuation of the affected company.  Whether the suspect equipment is a real threat to security or not (and I would wager that it is), just having the government take such a strong position against these vendors makes their equipment a threat to the businesses who use it.


The immediate solution, and the strong advice of the government today, is for carriers avoid Huawei or ZTE equipment.  But this issue of Chinese back doors raises a larger question of how to determine the trustworthiness of any telecom system, Chinese or otherwise.  The real answer is open source software.  By "open source", I am not necessarily referring to software that is released to the public, but simply referring to software that can be provided to customers in source code form.  The license may be GPL or may be something more restrictive, but by allowing end users to review source code and build their own binaries, either for installation or comparison, everyone involved in the process can insure that the software is what it claims to be.  So far, the selection of open source software for cellular and core networks is limited, but it is growing, with products like OpenBTS and yate, and projects like Osmocom.  Security is just one more reason that these products represent the future of telecommunications.

(David Burgess is the lead developer of the the OpenBTS software and co-founder and CEO of Range Networks.)

Follow-up Comment

An advisor to our company read this post and asked some questions: Why is the open source solution adequate? What about hardware? Those questions go to an excellent point, that the open source approach cannot end just with the application source code, but must go down to "bare metal", including operating systems, device drivers, firmware and device schematics. For an "old school" approach, with custom chips and lots of special-built circuit boards, that is anathema, because astronomical development costs and hazy legal standards (like the copyright status of a circuit board) justify strict non-disclosure controls on the intellectual property. But as modern systems move toward commodity hardware, this becomes less of an issue, since more and more of the functionality (and value) of a system can be expressed in source code and protected with well-established copyright law.

I Almost Forgot...

The OpenBTS test network at Burning Man was a great experience.  We had a world-class team and used the unique environment of Black Rock City to run a lot of experiments, with SMS applications, yate, Tropo, and handover.  The detailed results are written up at in the public wiki, including coverage estimates, traffic statistics, photos, and links to other reports.

26 August 2012

Greetings from Black Rock City

A few people have asked if we would be running an OpenBTS network at Burning Man this year.  Well, we are.  Six of us have been here since Wednesday 22 August.  We have three cell sites running and are in the process of installing two more.  We are making phone calls already, but have not yet opened the network to the public.  Details are here and here.  These pages will be updated as the system rolls out.

See you on the playa.  Have a good burn.

04 April 2012

The Terminal-State of the Telecom Industry?

Last week, I attended the OmsocomBB workshop in Berlin. Harald Welte was an excellent host and c-base was a fun venue. I got a chance to put faces to some of the names I see in email and got a much better picture of who is doing what in the world of open source cellular. I got to see Dieter Spaar show his work on writing his own RNC software for UMTS Node B equipment. It was like the early stages of OpenBSC all over again (except that the nauseating complexity of UMTS makes GSM look quaint). I finally met the Alexander Chemeris in person. And I got to spend a week in Berlin, one of my favorite cities.

One the last day of the workshop, H-Online published this article about the OpenBTS and OpenBSC, the two well-known public-release GSM projects. I assume the timing was coincidental (or maybe Jungian synchronicity?), but it was an appropriate terminus for the event.

By chance again, when I returned to California, I had a meeting with a former executive from a major cellular carrier, a big European carrier with a global reach. He told me horror stories about IMS complexity and licensing fees. He pointed me to this article about how big web service providers are buying "raw" network equipment, built to spec in Chinese factories, and then loading that equipment with their own firmware and software, usually a mix of open-source and in-house applications. This executive sees the same thing in the long-term future of telecom: commodification of hardware all the way down to the RAN head, networks based mostly on open source software and a core network protocol based on SIP but a lot simpler than current IMS attempts. In his mind, this is the inevitable "terminal state" of the telecom industry, an inevitability in which the current generation of NEPs have no place. It is a market that will be served by companies that look and work a lot more like Red Hat than like Nokia-Siemens. I see that vision too, and I see products (not projects, products) like OpenBTS and OpenBSC and yate having comfortable places in that world. If we are correct about this vision of the future, then that small gathering of hackers, freelancers and entrepreneurs in Berlin last week may have held the seeds of a revolution that will fundamentally change a multi-trillion dollar industry. That might sound very ambitious, but the software industry has seen revolutions from modest beginnings before and the telecom world is begging for this kind of disruption.

(David Burgess is a lead developer in the OpenBTS project and one of the founders of Range Networks.)

14 March 2012

GMR-1 Revisited

(Do read the comments on this one and follow Sylvain Munaut's link for an example of a GMR Channel Request captured in the wild. Is it technically possible for an unauthorized person to rig up an public Twitter feed of who's calling whom from where on GMR-1 phones all over the world? Yes!)

In a recent post, Some Comments on Satellite Phones, I stated the following:
GMR handsets include GPS receivers and transmit identity and location information to the network operator. These transmissions are completely in the clear, but even if they were encrypted, the network operator would have access to this information.
By "GMR" I was specifically referring to GMR-1, the technology used by Thuraya, and possibly others. There seems to be some confusion about what is and is not encrypted in these systems. Personally, I think the fact that you are transmitting an identifiable GMR signal is enough of a security problem by itself, but there seems to be a lot of interest in what is and is not encrypted in these systems, so let me be clear: The Channel Request message is the first message sent from the handset to the satellite at the start of any transaction. This message cannot be encrypted. This message typically contains the following information:

  • the IMSI of the satellite phone handset
  • the called number (in the case of mobile-originated calls) and
  • the GPS location of the handset.
Don't believe me? Go look at the specification yourself. The official document is TS 101 376-4-8, GMR-1 44.008. You can get it with this search engine. The radio access procedure is defined in Section, which, BTW, starts out with

The MES shall attempt to obtain the current GPS position before sending a CHANNEL REQUEST message on the RACH. A position shall be current if less than Page GPS Position Age (Mobile Terminated (MT) calls) or GPS Position Age (other accesses) time has elapsed since it was measured. If the last measured position is not current and the Establishment Cause is not IMSI Detach, the MES shall start the RACH Position timer and initiate GPS position calculation. If the position calculation is successful, the timer shall be stopped and the newly calculated position is used. If the timer expires or the Establishment Cause is IMSI Detach, the last available position (if any) shall be used. If no position information is available, an access attempt shall be made without position information. ...
The Channel Request message is defined in Section 10.1.8. It looks like this:

The "SP/HPLMN ID" is usually an IMSI and the "Number Digits" are the dialed number and the "GPS Position" is exactly what it sounds like. This message cannot possibly be encrypted. Why? Because GMR uses symmetric encryption, so it cannot engage encryption until the network knows your identity, and it does not know your identity until after it decodes this message.

Are we all clear on that?

It gets better...

In the process of nailing down all of my facts on this, I also stumbled onto the GMR-1 3G specs. While GMR-1 is modeled largely after GSM, GMR-1 3G is modeled largely after UMTS. The ETSI document number for that radio resource control specification is TS 101 376-4-13, GMR-1 3G 44.118. "RRC Connection Establishment" is defined in Section 7.5.1. The first message from the terminal to the network is "RRC CONNECTION REQUEST", defined in Section 9.2.40. But 9.2.40 just refers back to TS 101 376-4-8 GMR-1 3G 44.008 Section, "Channel Request Type 3". And guess what? That message also contains an element called "MES Position" that encodes the terminal position relative to the center of the serving beam. Again, given the secret-key encryption of GMR, this message cannot possibly be encrypted. Furthermore, the terminal will need to expose some kind of identity token in the open before encryption can start.

And now it gets really interesting...

These Channel Request messages appear on the uplink. They go from the handset to the satellite. But where do they go from there? It turns out that they just go right back down to the Earth on a different radio frequency on a so-called "feeder link". What's so special about that? Well, the uplink from the handset is only visible for a kilometer or so, but the feeder link is visible over roughly 1/3 of the planet's surface to anyone with a C-Band dish and is not given any additional encryption. (Thanks Sylvain, for pointing this out.)

(David Burgess is a lead developer in the OpenBTS project and one of the founders of Range Networks.)

23 February 2012

Some Comments on Satellite Phones

(There is now a follow-up to this post that digs into some of the details of GMR-1 transmissions. The (in)security implications are stunning.)

With the recent attack on journalists by Syrian troops, there has been a lot of discussion on the security of satellite phones, especially GMR, the technology used by Thuraya. Here are some basic facts on the security of GMR and satellite phones in general:
  • GMR uses geostationary satellites. Downlink signals from this system are visible over large areas of the Earth's surface, especially for someone looking at the sky with a dish antenna.
  • GMR handsets use wide-beam antennas. Uplink signals from the handsets are visible from space, not just at the serving satellite, but over really big regions of space, occupied by lots of other satellites.
  • Uplink signals from satellite phones are also visible on the ground in a vicinity of the handset, probably at ranges of several kilometers for interceptors with directional antennas. These handsets are easy to detect in a radio environment because they transmit distinctive patterns and are relatively rare (much rarer than cellular handsets, for instance). And any transmitter that can be detected can be located, using any of a number of techniques commonly practiced by most intelligence services.
  • The level of air interface security on GMR handsets is probably lower than on cellular handsets. But even if the air interface were absolutely secure, a GMR handset would still be easy to locate by it's distinctive radio signature.
  • GMR handsets include GPS receivers and transmit identity and location information to the network operator. These transmissions are completely in the clear, but even if they were encrypted, the network operator would have access to this information.
  • GMR encryption is not end-to-end, so the network operator normally has access to plaintext user traffic.
  • GMR handsets register with the network periodically, reporting identity and location, even when you are not "using" them.
  • Even if a GMR operator, as an organization, is sincerely dedicated to the security and privacy of its customers, it is difficult to completely protect a large organization from infiltration by criminal organizations or state intelligence services, through technical hacking, social engineering, bribery, blackmail, political/religious recruitment, etc.
  • Everything I just said about GMR is at least mostly true (if not completely true) of any civilian satellite telecom product and even a lot of military satcom systems.
  • Satellite phone users tend to be more interesting than the general population. Because satellite phones are relatively expensive and mostly used by international travelers, the conversations they carry tend to have interesting content, things that the users thought were important enough to spend real money talking about. So, for an intelligence service, eavesdropping on satellite phones is a more effective use of resources than eavesdropping on most other kinds of networks. They get less "mom and pop crap" and a lot more useful information.
  • In any given country, the users of satellite phones are mostly foreigners, who are often subject to a lower legal standard for eavesdropping, especially for international telephone calls.
Just some things to think about the next time you use your GMR phone, BGAN terminal, Iridium 2-way pager, etc., especially in a war zone. Regardless of encryption, authentication, etc., the mere existence of one of these radio signals sends a message to an observing military force: There's someone over there with fancy comms and it's not us. That can be a very dangerous message.

(David Burgess is a lead developer in the OpenBTS project and one of the founders of Range Networks.)