OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection

OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection is proposed as a ready-to-deploy solution in the event of a natural disaster, in areas where the GSM networks are temporarily down.


Transcript of "OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection"

1. OpenBTS. Luca Bongiorni, University of Ostrava, Department of Telecommunication

2. Terminology
- AUC - Authentication Center
- BSC - Base Station Controller
- BTS - Base Transceiver Station
- IMSI - International Mobile Subscriber Identity
- HLR - Home Location Register
- MS - Mobile Station
- MSC - Mobile Switching Center
- TMSI - Temporary Mobile Subscriber Identity
- VLR - Visitor Location Register
- IMEI - International Mobile Equipment Identity
- EIR - Equipment Identity Register
- OMC - Operations and Maintenance Center

3. What is it?!
- OpenBTS is an open-source Unix application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface ("Um") to standard GSM handsets and uses the Asterisk software PBX to connect calls.
- The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in greenfields in the developing world.

4. Advantages
- Backhaul GSM through any SIP/IAX carrier (Asterisk).
- Replace the GSM core network with commodity hardware and open source software.
- The minimum viable network is a single cell.
- Use a 5 € refurbished handset as a wireless VoIP terminal.
- Installation/management similar to a WISP.
- Open source.

5. How GSM works?! (architecture diagram)
Mobile Stations | Base Station Subsystem: BTS, BTS, BTS, BSC | Network management: MSC, OMC | Subscriber and terminal equipment databases: VLR, HLR, EIR, AUC
6. GSM Mobile Station
- Mobile Equipment (ME)
  - Physical mobile device
  - Identifiers
    - IMEI - International Mobile Equipment Identity
- Subscriber Identity Module (SIM)
  - Smart card containing keys, identifiers and algorithms
  - Identifiers
    - Ki - Subscriber Authentication Key
    - IMSI - International Mobile Subscriber Identity
    - TMSI - Temporary Mobile Subscriber Identity
    - MSISDN - Mobile Station International Subscriber Directory Number
    - PIN - Personal Identification Number protecting the SIM
    - LAI - Location Area Identity

7. Subscriber Identity Protection
- TMSI - Temporary Mobile Subscriber Identity
  - Goals
    - The TMSI is used instead of the IMSI as a temporary subscriber identifier
    - The TMSI prevents an eavesdropper on the radio link from identifying the subscriber
  - Usage
    - The TMSI is assigned by the network after the IMSI has been transmitted at the first switch-on; from then on the IMSI does not need to be sent again
    - Each time a location update occurs (e.g. a new MSC/VLR area) the network assigns a new TMSI
    - The TMSI is used by the MS to report to the network and during call setup
    - The network uses the TMSI to address the MS
    - On MS switch-off the TMSI is stored on the SIM card to be reused next time
  - The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI

8. Key Management Scheme
- Ki - Subscriber Authentication Key
  - Shared 128-bit key used for authentication of the subscriber by the operator
  - Key storage
    - Subscriber's SIM (owned by the operator, i.e. trusted)
    - Operator's Authentication Center (AUC), associated with the Home Location Register (HLR) of the subscriber's home network
  - Ki never leaves the SIM or the AUC; only the challenge-response values derived from it are handed to the rest of the network
- A SIM can be used with different equipment

9. Detection of Compromised Equipment
- International Mobile Equipment Identity (IMEI)
  - Identifies the mobile equipment itself
  - The IMEI is independent of the SIM
  - Used to identify stolen or compromised equipment
- Equipment Identity Register (EIR)
  - Black list - stolen or non-type-approved mobiles
  - White list - valid mobiles
  - Gray list - mobiles under local tracking
- Central Equipment Identity Register (CEIR)
  - Approved mobile types (type approval authorities)
  - Consolidated black list (posted by operators)
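The EIR screening described on slide 9 (and the "GSM BTS firewall with black & white lists" of slide 44) amounts to a small decision procedure over the IMEI. The following is an added example, not code from the slides or from OpenBTS. The IMEI check digit is the Luhn digit over the first 14 digits and the first 8 digits are the Type Allocation Code (TAC) that identifies the model, which is why a type-approval list keys on the TAC while a stolen-equipment list keys on the full IMEI. Every TAC, IMEI and log record below is a constructed sample value, and the deny-by-default rule for equipment on no list is a policy choice of this example, not something the slides state.

```python
"""EIR-style equipment screening: IMEI check digit, then black / gray / white lists.

Added example, not from the slides. IMEI check digit: Luhn over the first 14 digits
(3GPP TS 23.003). First 8 digits: Type Allocation Code (TAC), identifies the model.
All list contents and log records below are constructed sample values.
"""
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"          # white list: type-approved, nothing reported
    DENY = "deny"            # black list: stolen or non-type-approved
    TRACK = "track"          # gray list: admit, but log for local tracking
    MALFORMED = "malformed"  # not a well-formed IMEI at all


# Constructed sample data, not real equipment.
WHITE_TACS = {"49015420"}          # approved model (by TAC)
BLACK_IMEIS = {"490154203237518"}  # reported stolen (full IMEI)
BLACK_TACS = {"35999999"}          # non-type-approved model (by TAC)
GRAY_IMEIS = {"490154200000026"}   # under local tracking (full IMEI)


def luhn_ok(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the Luhn check of the first 14."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    # Walk the 14 payload digits from the right; double every other one, starting with the first.
    for i, ch in enumerate(reversed(imei[:14])):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (total + int(imei[14])) % 10 == 0


def screen_imei(imei: str) -> Verdict:
    """Classify one IMEI as the EIR lists describe; black wins over gray, gray over white."""
    if not luhn_ok(imei):
        return Verdict.MALFORMED
    tac = imei[:8]
    if imei in BLACK_IMEIS or tac in BLACK_TACS:
        return Verdict.DENY
    if imei in GRAY_IMEIS:
        return Verdict.TRACK
    if tac in WHITE_TACS:
        return Verdict.ALLOW
    return Verdict.DENY   # policy choice of this example: equipment on no list is refused


def screen_attach_attempts(attempts: list) -> dict:
    """Screen a batch of 'IMSI,IMEI' attach records (constructed log format) -> verdict per IMSI."""
    verdicts = {}
    for record in attempts:
        imsi, imei = (field.strip() for field in record.split(","))
        verdicts[imsi] = screen_imei(imei)
    return verdicts


if __name__ == "__main__":
    sample = [                                  # constructed attach records
        "001010000000001,490154200000018",      # approved model, clean -> allow
        "001010000000002,490154203237518",      # reported stolen -> deny
        "001010000000003,490154200000026",      # gray-listed -> track
        "001010000000004,359999990000010",      # non-approved model -> deny
        "001010000000005,49015420000001",       # 14 digits, no check digit -> malformed
    ]
    for imsi, verdict in screen_attach_attempts(sample).items():
        print(imsi, verdict.value)
```

The ordering matters: a stolen handset of an approved model must still be refused, so the black list is consulted before the white list, and a malformed IMEI is rejected before any list lookup so that a handset sending garbage cannot slip through as "unknown".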
10. Authentication
- Authentication goals
  - Subscriber (SIM holder) authentication
  - Protection of the network against unauthorized use
  - Creation of a session key
- Authentication scheme
  - Subscriber identification: IMSI or TMSI
  - Challenge-response authentication of the subscriber by the operator
  - One-way only: the network authenticates the subscriber, the subscriber has no way to authenticate the network

11. Authentication and Encryption Scheme (diagram)
Mobile Station (SIM holds Ki and runs A3 and A8; the handset runs A5 with Kc and Fn) | Radio link | GSM Operator (holds Ki and runs A3, A8 and A5 with Kc and Fn)
- Operator -> MS: challenge RAND
- SIM: A3(Ki, RAND) = SRES (signed response); A8(Ki, RAND) = Kc
- MS -> Operator: SRES, compared with the SRES the operator computed itself
- Both sides: A5(Kc, Fn) keystream XOR data m_i = encrypted data m_i on the radio link

12. Authentication
- AUC - Authentication Center
  - Provides the parameters for the authentication and encryption functions (RAND, SRES, Kc)
- HLR - Home Location Register
  - Provides the MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)
  - Handles MS location
- VLR - Visitor Location Register
  - Stores the triples generated by the HLR/AUC when a subscriber is not in his home network
  - One operator never gets access to another operator's subscriber keys: only triples are exchanged, never Ki

13. Authentication Sequence (image-only slide)

14. Authentication Sequence (image-only slide)

15. Authentication Sequence (image-only slide)

16. Authentication Features (image-only slide)

17. A5 Encryption (diagram)
The GSM architecture of slide 5 with A5 encryption marked on the radio link between the Mobile Stations and the BTS; BSC, MSC, VLR, HLR, EIR, AUC and OMC are unchanged. A5 protects only that radio hop, nothing behind the BTS.

18. A5 Streaming Implementation (diagram)
A5 takes Kc (64 bit) and the frame number Fn (22 bit) and outputs 228 bits per frame, 114 bits for each direction. On the sending side the 114-bit keystream is XORed with a 114-bit data burst to give the 114-bit ciphertext burst; the receiving side (BTS or Mobile Station) runs A5 with the same Kc and Fn and XORs the ciphertext with the same keystream to recover the data. Because the keystream depends on Fn, each frame is encrypted with fresh keystream under the same Kc.
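The exchange of slides 11 and 12 and the burst encryption of slide 18, carried through as one runnable flow. This is an added example, not code from the slides or from OpenBTS. The slides name A3, A8 and A5 but no concrete algorithms (real SIMs run an operator-chosen A3/A8, and the air interface uses A5/1 or A5/2), so HMAC-SHA256 stands in for A3/A8 and a SHA-256-derived keystream stands in for A5; those stand-ins are assumptions of this example and say nothing about the strength of the real ciphers. The sizes and the split of roles (SIM and AUC hold Ki, the VLR only sees triples, 114-bit bursts keyed by Kc and Fn) are the slides' own; the Ki and IMSI values are constructed.

```python
"""GSM challenge-response (A3/A8) and per-frame stream encryption (A5), end to end.

Added example, not code from the slides or OpenBTS. HMAC-SHA256 stands in for A3/A8
and a SHA-256-derived keystream for A5 (assumptions; the real algorithms differ).
Sizes follow the slides: Ki 128 bit, RAND challenge, SRES 32 bit, Kc 64 bit,
Fn 22 bit, 228 keystream bits per frame (114 per direction).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 4, 8
FN_BITS, BURST_BITS = 22, 114


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3 (-> SRES) and A8 (-> Kc); both take Ki and RAND."""
    if len(ki) != 16:
        raise ValueError("Ki is a 128-bit key")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_BYTES], digest[SRES_BYTES:SRES_BYTES + KC_BYTES]


def a5_keystream(kc: bytes, fn: int) -> tuple[int, int]:
    """Stand-in for A5: (downlink, uplink) keystream, 114 bits each, for frame number Fn."""
    if not 0 <= fn < (1 << FN_BITS):
        raise ValueError("Fn must fit in 22 bits")
    seed = kc + fn.to_bytes(3, "big")
    block = hashlib.sha256(seed).digest() + hashlib.sha256(seed + b"\x01").digest()
    bits = int.from_bytes(block, "big") >> (512 - 2 * BURST_BITS)   # keep 228 bits
    return bits >> BURST_BITS, bits & ((1 << BURST_BITS) - 1)


class AuC:
    """Home network side. Besides the SIM, the only holder of Ki."""

    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self._ki = dict(subscribers)            # IMSI -> Ki

    def triplet(self, imsi: str, rand: bytes | None = None) -> tuple[bytes, bytes, bytes]:
        """(RAND, SRES, Kc) handed to HLR/VLR; Ki itself is never exported."""
        if rand is None:
            rand = secrets.token_bytes(RAND_BYTES)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class SIM:
    """Subscriber side. Answers RAND with SRES and derives Kc, never revealing Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


def authenticate(triplet: tuple[bytes, bytes, bytes], sim: SIM) -> tuple[bool, bytes | None]:
    """VLR side: send RAND, compare SRES with the stored one, release Kc on success.

    Nothing here lets the SIM check that RAND came from a legitimate network:
    GSM authentication is one-way, which is what an IMSI catcher relies on.
    """
    rand, expected_sres, kc = triplet
    sres, _kc_on_ms = sim.run_gsm_algorithm(rand)   # the MS keeps its own copy of Kc
    if not hmac.compare_digest(sres, expected_sres):
        return False, None
    return True, kc


def crypt_burst(kc: bytes, fn: int, burst: int, downlink: bool) -> int:
    """XOR one 114-bit burst with the keystream half for its direction (encrypt == decrypt)."""
    if burst < 0 or burst >> BURST_BITS:
        raise ValueError("a burst carries 114 bits")
    dl, ul = a5_keystream(kc, fn)
    return burst ^ (dl if downlink else ul)


def demo() -> bool:
    ki = bytes(range(16))                           # constructed sample Ki
    imsi = "001010000000001"                        # constructed sample IMSI
    auc, sim = AuC({imsi: ki}), SIM(imsi, ki)
    ok, kc = authenticate(auc.triplet(imsi), sim)
    if not ok:
        return False
    plaintext = int.from_bytes(b"\x5a" * 14, "big")  # 112 bits of sample data, fits a burst
    ct = crypt_burst(kc, fn=42, burst=plaintext, downlink=True)
    return crypt_burst(kc, fn=42, burst=ct, downlink=True) == plaintext


if __name__ == "__main__":
    print("authentication and burst round-trip:", "ok" if demo() else "FAILED")
```

Two things to take from running it: a SIM with the wrong Ki fails the SRES comparison without the network ever learning anything about Ki, and decrypting a burst with the wrong frame number or the wrong direction's keystream yields garbage, so both sides must stay in lock-step on Fn.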
19. SMS Architecture
- SMS is a "store and forward" message system
  - the message is sent from the originator to the SMS Center, and then on to the recipient
- SMS messages can be up to 160 characters long
- Sent in clear (in various formats): there is no end-to-end encryption, only the A5 protection of the radio link, if enabled

20. SIM Anatomy
- Subscriber Identity Module (SIM)
  - Smart card: a single-chip computer containing an OS, a file system and applications
  - Protected by a PIN
  - Owned by the operator (trusted)
  - SIM applications can be written with the SIM Toolkit

21. Smart Card Anatomy (image-only slide)

22. Microprocessor Cards
- Typical specification
  - 8-bit CPU
  - 16 KB ROM
  - 256 bytes RAM
  - 4 KB EEPROM
  - Cost: $5-50
- Smart card technology
  - Based on ISO 7816:
    - Card size, contact layout, electrical characteristics
    - I/O protocols: byte/block based
    - File structure

23. USRP/GNU Radio: the unknowns…
- What is it…
- How to install it…
- How to configure it…
- How to use it with Asterisk…
- Practical application…

24. Universal Software Radio Peripheral
The USRP is intended to be a comparatively inexpensive hardware device facilitating the building of a software radio. The USRP has an open design with freely available schematics and drivers, and free software to integrate with GNU Radio. It is also designed to be flexible, allowing developers to make their own daughterboards for specific needs with regard to connectors, different frequency bands, etc. It is widely used in hobbyist, academic and commercial settings.

25. Universal Software Radio Peripheral
- Very low cost
- Open design
- Interchangeable RF sections
- Wide bandwidth
- Extreme flexibility
- Large community
- Co-developed with GNU Radio

26. Features
- Transceiver daughterboards: RFX900 / RFX1800
- Frequency range: 750 to 1050 MHz / 1.5 to 2.1 GHz
- Transmit power: 200 mW (23 dBm) / 100 mW (20 dBm)

27. Hardware Requirements
- One computer (at least Core 2 Duo 2.0 GHz, 2 GB RAM, USB port);
- One USRP-PKG (USRP package: motherboard, enclosure, 2 RF cables, USB cable, power supply and hardware package; 520 Euro);
- Two RFX900 for GSM 850/900 (800-1000 MHz transceiver, 200 mW output; 200 Euro each) OR two RFX1800 for GSM 1800/1900 (1.5-2.1 GHz transceiver, 100 mW output; 200 Euro each);
- Two VERT900 (824-960 MHz, 1710-1990 MHz quad-band cellular/PCS and ISM band vertical antenna, 3 dBi gain, 9 inches; ideal for RFX900 and RFX1800);
- One SIM card (preferably one whose network selection list can be edited);
- One unlocked cellular phone.

28. Software Requirements
- At least…
- GNU/Linux: Ubuntu 8.04, 32 bit;
- OpenBTS 2.3;
- GNU Radio 3.1.3;
- C++ Boost 1.37.

29. GNU Radio
- Free software toolkit for rapid prototyping and deployment of software radios and for radio research.
30. Installation of GNU Radio
- Installing the dependencies;
- Getting and installing the Boost libraries;
- Getting and installing GNU Radio;
- Adding user permissions to work with the USRP;
- Testing the USRP.

31. OpenBTS installation and settings
- Installing the dependencies;
- Getting the source code;
- Installing;
- Configuring the settings.

32. Configuring Asterisk
- Getting the SIM card IMSI (International Mobile Subscriber Identity);
- Editing /etc/asterisk/extensions.conf;
- Editing /etc/asterisk/sip.conf.

33. Testing OpenBTS
- Setting up the phone;
- Executing OpenBTS;
- Testing a Mobile Terminated call;
- Testing a Mobile Originated call.
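Slide 32 lists the Asterisk steps (read the IMSI off the SIM, edit extensions.conf and sip.conf) without showing what goes into the two files. The following added example, which is not the slides' or OpenBTS's own code, renders those entries for a whole table of handsets. It assumes the convention of the OpenBTS 2.x README of that era: each handset appears to Asterisk as a SIP peer named "IMSI" followed by the 15-digit IMSI, landing in a dial-plan context called sip-external; the peer options mirror that README and the codec restriction (disallow=all / allow=gsm) is a choice of this example. The IMSIs and extensions are constructed sample values.

```python
"""Render the Asterisk sip.conf / extensions.conf entries tying OpenBTS handsets to extensions.

Added example, not the slides' or OpenBTS's own code. Assumption: as in the OpenBTS 2.x
README, a handset is the SIP peer "IMSI" + <15-digit IMSI> in context sip-external.
IMSIs and extensions below are constructed sample data.
"""
from __future__ import annotations

import re

IMSI_RE = re.compile(r"^[0-9]{15}$")      # MCC (3) + MNC (2-3) + MSIN; 15 digits in GSM
EXT_RE = re.compile(r"^[0-9]{3,6}$")      # short local numbers for the cell's dial plan
SIP_CONTEXT = "sip-external"              # assumption: context name used by OpenBTS 2.x


def peer_name(imsi: str) -> str:
    """SIP peer name OpenBTS registers for a handset (assumed convention)."""
    if not IMSI_RE.match(imsi):
        raise ValueError(f"not a 15-digit IMSI: {imsi!r}")
    return f"IMSI{imsi}"


def sip_peer_stanza(imsi: str) -> str:
    """One sip.conf peer. No secret: OpenBTS itself registers on the handset's behalf."""
    return "\n".join([
        f"[{peer_name(imsi)}]",
        "type=friend",
        "host=dynamic",
        "canreinvite=no",
        f"context={SIP_CONTEXT}",
        "disallow=all",
        "allow=gsm",                       # GSM full-rate, the codec the handsets use
    ]) + "\n\n"


def check_assignments(assignments: dict[str, str]) -> list[str]:
    """Return every problem with an IMSI -> extension table (empty list means clean)."""
    problems: list[str] = []
    owners: dict[str, str] = {}
    for imsi, ext in assignments.items():
        if not IMSI_RE.match(imsi):
            problems.append(f"bad IMSI {imsi!r}")
        if not EXT_RE.match(ext):
            problems.append(f"bad extension {ext!r} for IMSI {imsi}")
        elif ext in owners:
            problems.append(f"extension {ext} assigned to both {owners[ext]} and {imsi}")
        else:
            owners[ext] = imsi
    return problems


def dialplan(assignments: dict[str, str]) -> str:
    """extensions.conf context: dialing an extension rings that IMSI's handset."""
    problems = check_assignments(assignments)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"[{SIP_CONTEXT}]"]
    lines += [f"exten => {ext},1,Dial(SIP/{peer_name(imsi)})" for imsi, ext in assignments.items()]
    return "\n".join(lines) + "\n"


def render(assignments: dict[str, str]) -> tuple[str, str]:
    """(sip.conf fragment, extensions.conf fragment) for a whole table of handsets."""
    return "".join(sip_peer_stanza(i) for i in assignments), dialplan(assignments)


if __name__ == "__main__":
    table = {"001010000000001": "2100", "001010000000002": "2101"}   # constructed
    sip_conf, ext_conf = render(table)
    print(sip_conf)
    print(ext_conf)
```

Because these peers carry no SIP secret (the handset never speaks SIP; OpenBTS registers for it), anything that can reach Asterisk's SIP port can register as any IMSI. On a box running both OpenBTS and Asterisk, bind the SIP channel to the loopback interface (bindaddr=127.0.0.1 in the [general] section of sip.conf) and keep the port firewalled from the backhaul side.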
34. Practical Application
- Test site in Nevada: Black Rock City
Aerial view of the 2009 Burning Man site: 3 km wide, 43,000 people, 1 week.

35. Planned Services
- Auto-provisioning via SMS.
- Local SMS and speech calls.
- SMS gateways to iNum and e-mail.
- Speech gateways to the PSTN.
- Expected service radius of about 1.5 miles within BRC (Black Rock City), >10 miles in the open desert.

36. Hardware Used (image-only slide)

37. Power System (image-only slide)

38. GSM Network (image-only slide)

39. Results
- Hardware and packaging satisfactory.
- Coverage slightly better than predicted.
- Mobility strategy worked.
- Provisioned ~1,300 users via SMS.
- Connected ~1,000 PSTN calls.
- Delivered ~270 user-to-user SMS (and ~3,800 other non-user SMS).

40. Emergency GSM Messaging & Monitoring System for Civil Protection
It is proposed as a ready-to-deploy solution in the event of a natural disaster, in areas where the GSM networks are temporarily down. With full handover it also lets users move from one BTS cell to another, so as to ensure optimum performance and usability of the telephony / messaging system.

41. GSM Messaging & Monitoring System
Through the web-based graphical interface it is possible to reach all users in a given area, and with its database it is possible to run a feedback system that monitors whether they actually received the message and, accordingly, manage the emergency vehicles to be sent to a given area.

42. GSM Triangulation
Another service implemented: if at least 3 BTS are deployed on the ground, the system is able to triangulate the signal of a particular user with good approximation.

43. Conclusions
In these few slides we saw how simple it can be to develop and deploy a low-cost GSM network. In fact OpenBTS gives us all we need and, as an open source project, lets us extend research into all GSM know-how, thanks especially to its big community of researchers.

44. Future Projects
- Turning USRP hardware into an IMSI catcher (GSM man-in-the-middle attack: no brute-forcing with rainbow tables is needed, since GSM authenticates only the subscriber and never the network)
- Creating a GSM BTS firewall with black & white lists

45. Links
- http://www.gsmworld.com/index.htm
- http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO-9900/a5/
- http://www.gsmfordummies.com/index.html
- http://students.ee.sun.ac.za/~gshmaritz/
- http://openbts.sourceforge.net/
- http://www.isaac.cs.berkeley.edu/isaac/gsm.html
- http://www.ettus.com
- http://www.gnuradio.org/trac

46. Luca Bongiorni - http://www.securitycondition.com
These slides are written and distributed under the Creative Commons Attribution-NonCommercial 3.0 Unported license.
Thank you for your attention.
