OpenBTS

Stable release: 4.0 / March 26, 2014
Written in: C++
Operating system: Unix-like
Type: GSM protocol stack
License: GNU Affero General Public License [1]
Website: OpenBTS

OpenBTS (Open Base Transceiver Station) is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. OpenBTS is open-source software developed and maintained by Range Networks. The public release of OpenBTS is notable for being the first free-software implementation of the lower three layers of the industry-standard GSM protocol stack. It is written in C++ and released as free software under the terms of version 3 of the GNU Affero General Public License.

Open GSM infrastructure

OpenBTS replaces the conventional GSM operator core network infrastructure from layer 3 upwards. Instead of relying on external base station controllers for radio resource management, OpenBTS units perform this function internally. Instead of forwarding call traffic through to an operator's mobile switching center, OpenBTS delivers calls via SIP to a VoIP soft switch (such as FreeSWITCH or yate) or PBX (such as Asterisk). This VoIP switch or PBX software can be installed on the same computer used to run OpenBTS itself, forming a self-contained cellular network in a single computer system. Multiple OpenBTS units can also share a common VoIP switch or PBX to form larger networks. [2]

The OpenBTS Um air interface uses a software-defined radio transceiver with no specialized GSM hardware. The original implementation used a Universal Software Radio Peripheral from Ettus Research, but has since been expanded to support several digital radios in implementations ranging from full-scale base stations to embedded femtocells.

History

The project was started by Harvind Samra and David A. Burgess [3] with the aim of drastically reducing the cost of GSM service provision in rural areas, the developing world, and hard-to-reach locations such as oil rigs. [4] The project was initially conducted through Kestrel Signal Processing, the founders' consulting firm.

On September 14, 2010, at the Fall 2010 DEMO conference, the original authors launched Range Networks as a startup company to commercialize OpenBTS-based products. [5]

In September 2013, Burgess left Range Networks, started a new venture called Legba, [6] and began a close collaboration with Null Team SRL, the developers of Yate. In February 2014, Legba and Null announced the release of YateBTS, a fork of the OpenBTS project that uses Yate for its control layers and network interfaces.

Platforms

A large number of experimental installations have shown that OpenBTS can run on extremely low-overhead platforms. These include some CDMA handsets, making a GSM gateway to a CDMA network. Computer security researcher Chris Paget reported [7] that a handheld device, such as an Android phone, could act as a gateway base station to which handsets can connect; the Android device then connects calls using an on-board Asterisk server and routes them to the PSTN via SIP over an existing 3G network.

Security

At the 2010 DEF CON conference, it was demonstrated with OpenBTS that GSM calls can be intercepted because in GSM the handset does not authenticate the base station prior to accessing the network. [8]
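The asymmetry described above can be modelled in a few lines. The following is an added example, not code from OpenBTS or from the talk: it contrasts GSM's one-way challenge-response with a 3G-style mutual check, using HMAC-SHA256 as a stand-in for the real operator algorithms and leaving out sequence numbers; the class names, function names and key values are constructed for illustration.

```python
import hmac, hashlib, os

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the operator algorithms (assumption, not A3 or MILENAGE)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]

class Sim:
    """Subscriber side: holds the secret key Ki shared with the home network."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def gsm_response(self, rand: bytes) -> bytes:
        # GSM: the SIM answers any challenge; nothing in RAND proves who sent it.
        return prf(self.ki, b"sres", rand)

    def mutual_response(self, rand: bytes, autn: bytes):
        # 3G-style: verify the network's token first, answer only if it is valid.
        if not hmac.compare_digest(autn, prf(self.ki, b"autn", rand)):
            return None
        return prf(self.ki, b"res", rand)

class Network:
    """Base station plus core. ki=None models a station that lacks the subscriber key."""
    def __init__(self, ki=None):
        self.ki = ki

    def gsm_attach(self, sim: Sim) -> bool:
        rand = os.urandom(16)
        sres = sim.gsm_response(rand)
        if self.ki is None:
            return True  # acceptance is the station's decision; the handset cannot tell
        return hmac.compare_digest(sres, prf(self.ki, b"sres", rand))

    def mutual_attach(self, sim: Sim) -> bool:
        rand = os.urandom(16)
        key = self.ki if self.ki is not None else b"\x00" * 16  # no valid key to use
        res = sim.mutual_response(rand, prf(key, b"autn", rand))
        if res is None:
            return False  # the handset rejected the network
        return hmac.compare_digest(res, prf(key, b"res", rand))

def demo() -> dict:
    ki = bytes(range(16))  # constructed sample key
    sim, home, unknown = Sim(ki), Network(ki), Network()
    return {
        "gsm_home": home.gsm_attach(sim),
        "gsm_unknown": unknown.gsm_attach(sim),
        "mutual_home": home.mutual_attach(sim),
        "mutual_unknown": unknown.mutual_attach(sim),
    }
```

In the GSM case both attaches succeed from the handset's point of view; with the mutual check, the handset refuses the station that cannot produce a valid token.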

OpenBTS has been used by the security research community to mount attacks on cellular phone baseband processors. [9] [10] Previously, investigating and conducting such attacks was considered impractical due to the high cost of traditional cellular base station equipment.

Field tests

Large-scale live tests of OpenBTS have been conducted in the United States in Nevada and northern California using temporary radio licenses applied for through Kestrel Signal Processing and Range Networks, Inc.

Burning Man

During the Burning Man festival in August 2008, a week-long live field test was run under a special temporary authorization license. [11] [12] Although this test had not been intended to be open to Burning Man attendees in general, a number of individuals in the vicinity succeeded in making outgoing calls after a misconfigured Asterisk PBX installation allowed through test calls prefixed with an international code. [13] The test connected about 120 phone calls to 95 numbers in area codes across North America.

At the 2009 Burning Man festival, a larger test setup was run using a 3-sector system. [14] For the 2010 festival, an even larger 2-sector 3-carrier system was tested.

At the 2011 festival, the OpenBTS project set up a 3-site network with VSAT gateway and worked in conjunction with the Voice over IP services company Voxeo to provide much of the off-site call routing. [15] [16]

"RELIEF" exercises

RELIEF is a series of disaster response exercises managed by the Naval Postgraduate School in California, USA. [17] Range Networks operated OpenBTS test networks at the RELIEF exercises in November 2011 [18] and February 2012. [19]

Niue

In 2010, an OpenBTS system was installed on the island of Niue and became the first installation to be connected and tested by a telecommunication company. Niue is a very small island country with a population of about 1,700, too small to attract mobile telecommunications providers. The cost structure of OpenBTS suited Niue, which required a mobile phone service but did not have the volume of potential customers to justify buying and supporting a conventional GSM base station system. [20]

The success of this installation and the demonstrated demand for service helped bootstrap later commercial services. The OpenBTS installation was later decommissioned by Niue Telecom around February 2011. A commercial-grade GSM 900 network with EDGE support was launched a few months later instead (three sites: Kaimiti O2, Sekena S2/2/2 and Avatele S2/2/2). This provided full coverage around the island and around the reef; the installation included a pre-pay system, USSD, international SMS and a new international gateway.

Defcon 20

From July 26 to July 29, 2012, the Ninja Networks team set up a "NinjaTel Van" in the Vendor [21] area of Defcon 20 (at the Rio Hotel/Casino in Las Vegas). It used OpenBTS and served a small network of 650 GSM phones with custom SIM cards. [22]

Related Research Articles

GSM: Cellular telephone network standard

The Global System for Mobile Communications (GSM) is a standard developed by the European Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. GSM is also a trade mark owned by the GSM Association. GSM may also refer to the Full Rate voice codec.

SMS: Text messaging service component

Short Message Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile devices exchange short text messages. An intermediary service can facilitate a text-to-voice conversion to be sent to landlines.

The Universal Mobile Telecommunications System (UMTS) is a third generation mobile cellular system for networks based on the GSM standard. Developed and maintained by the 3GPP, UMTS is a component of the International Telecommunication Union IMT-2000 standard set and compares with the CDMA2000 standard set for networks based on the competing cdmaOne technology. UMTS uses wideband code-division multiple access (W-CDMA) radio access technology to offer greater spectral efficiency and bandwidth to mobile network operators.

Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communication sessions over Internet Protocol (IP) networks, such as the Internet.

Base station subsystem: Section of cellular telephone network

The base station subsystem (BSS) is the section of a traditional cellular telephone network which is responsible for handling traffic and signaling between a mobile phone and the network switching subsystem. The BSS carries out transcoding of speech channels, allocation of radio channels to mobile phones, paging, transmission and reception over the air interface and many other tasks related to the radio network.

A base transceiver station (BTS) or a baseband unit (BBU) is a piece of equipment that facilitates wireless communication between user equipment (UE) and a network. UEs are devices like mobile phones (handsets), WLL phones, computers with wireless Internet connectivity, or antennas mounted on buildings or telecommunication towers. The network can be that of any of the wireless communication technologies like GSM, CDMA, wireless local loop, Wi-Fi, WiMAX or other wide area network (WAN) technology.

Asterisk (PBX): PBX software

Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints such as customary telephone sets, destinations on the public switched telephone network (PSTN) and devices or services on voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing.

Business telephone system: Telephone system typically used in business environments

A business telephone system is a telephone system typically used in business environments, encompassing the range of technology from the key telephone system (KTS) to the private branch exchange (PBX).

Mobile phone tracking: Identifying the location of a mobile phone

Mobile phone tracking is a process for identifying the location of a mobile phone, whether stationary or moving. Localization may be effected by a number of technologies, such as the multilateration of radio signals between (several) cell towers of the network and the phone or by simply using GNSS. To locate a mobile phone using multilateration of mobile radio signals, the phone must emit at least the idle signal to contact nearby antenna towers and does not require an active call. The Global System for Mobile Communications (GSM) is based on the phone's signal strength to nearby antenna masts.

An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack. The 3G wireless standard offers some risk mitigation due to mutual authentication required from both the handset and the network. However, sophisticated attacks may be able to downgrade 3G and LTE to non-LTE network services which do not require mutual authentication.

Wi-Fi calling: Protocol that extends mobile voice, data and multimedia applications over IP networks

Wi-Fi calling, also called VoWiFi, refers to mobile phone voice calls and data that are made over IP networks using Wi-Fi, instead of the cell towers provided by cellular networks. Using this feature, compatible handsets are able to route regular cellular calls through a wireless LAN (Wi-Fi) network with broadband Internet, while seamlessly changing connections between the two where necessary. This feature makes use of the Generic Access Network (GAN) protocol, also known as Unlicensed Mobile Access (UMA).

Mobile VoIP or simply mVoIP is an extension of mobility to a voice over IP network. Two types of communication are generally supported: cordless telephones using DECT or PCS protocols for short range or campus communications where all base stations are linked into the same LAN, and wider area communications using 3G or 4G protocols.

Linphone: Voice over IP software

Linphone is a free voice over IP softphone, SIP client and service. It may be used for audio and video direct calls and calls through any VoIP softswitch or IP-PBX. Linphone also provides the possibility to exchange instant messages. It has a simple multilanguage interface based on Qt for GUI and can also be run as a console-mode application on Linux.

Unified communications (UC) is a business and marketing concept describing the integration of enterprise communication services such as instant messaging (chat), presence information, voice, mobility features, audio, web & video conferencing, fixed-mobile convergence (FMC), desktop sharing, data sharing, call control and speech recognition with non-real-time communication services such as unified messaging. UC is not necessarily a single product, but a set of products that provides a consistent unified user interface and user experience across multiple devices and media types.

Iristel is a Canadian provider of telecommunication services that is a competitive local exchange carrier (CLEC). The company was founded in 1999 and is headquartered in Markham, Ontario.

Private GSM solutions appeared after the deregulation of the DECT guard band in some countries, allowing users and businesses to reduce their costs without impacting their performance, and to offer a number of value-added services. These benefits arose from the ability to create private mobile GSM networks, enabling mobile phone users to access the same services and features as users of a PBX extension.

SunComm Technology is a Taiwan multinational computer technology and GSM Voice over IP gateway manufacturer. The main products in 2010 focused on GSM VoIP gateways & IP surveillance camera devices. Core members have been engaging in the communication & networks industry since 1977.

Range Networks, Inc. is a U.S. company that provides open-source software products used to operate cellular networks. Founded in 2011, Range Networks is headquartered in San Francisco, CA, with satellite offices worldwide.

Osmocom is an open-source software project that implements multiple mobile communication standards, including GSM, DECT, TETRA and others.

References

  1. "OpenBTS - SVN". Archived from the original on 2012-12-20.
  2. "RELIEF 12-2 : Actual Event". OpenBTS wiki. Archived from the original on 12 July 2012. Retrieved 11 April 2012.
  3. Bort, Julie. Burning Man's open source cell phone system could help save the world. Archived 2012-01-11 at the Wayback Machine. Network World, August 30, 2010. Retrieved December 6, 2011.
  4. Naone, Erica. Build Your Own Cellular Network, Technology World, May 2010. Retrieved on December 7, 2011.
  5. Takahashi, Dean. DEMO: Range Networks rings in cell-phone service for $2 a month. VentureBeat, September 14, 2010. Retrieved December 6, 2011.
  6. Finley, Klint. Out in the Open: This super-cheap cellphone network brings coverage almost anywhere. Wired, June 9, 2014.
  7. Paget, Chris. OpenBTS on Droid. Archived 2011-09-12 at the Wayback Machine. Chris Paget's Blog, February 19, 2010. Retrieved Dec. 6 2011.
  8. Paget, Chris. Practical Cellphone Spying, DEF CON 18, July 30, 2010. Retrieved Dec. 6 2011.
  9. Stevens, Mike (Feb 19, 2018). "HOW TO INTERCEPT MOBILE COMMUNICATIONS (CALLS AND MESSAGES) EASILY WITHOUT HACKING". Information Security Newspaper.
  10. Claburn, Thomas. Google Bets $20,000 You Can't Hack Chrome, Information Week, February 04, 2011. Retrieved December 6, 2011.
  11. Federal Communications Commission, WD9XKN Experimental Special Temporary Authorization, August 24, 2008. Retrieved December 6, 2011.
  12. Burgess, David. The OpenBTS Project - an open-source GSM base station LWN.net, September 4, 2008. Retrieved December 6, 2011.
  13. The Unofficial Non-Carrier of Burning Man 2008 OpenBTS website. Retrieved December 6, 2011.
  14. Burgess, David. OpenBTS Nevada Test Site Astricon 2009, October 13, 2009. Retrieved December 7, 2011.
  15. Burgess, David. "Papa Legba 2011 - Network". Archived from the original on December 2, 2011.
  16. Burgess, David. Burning Man 2011 - Yes we were there The OpenBTS Chronicles, September 6, 2011. Retrieved on December 7, 2011.
  17. "RELIEF". Naval Postgraduate School. Retrieved 11 April 2012.
  18. "RELIEF 12-1 Quicklook Report" (PDF). Naval Postgraduate School. Retrieved 11 April 2012.
  19. "RELIEF 12-2 Quicklook Report" (PDF). Naval Postgraduate School. Retrieved 11 April 2012.
  20. Burgess, David. FAKALOFA LAHI ATU, The OpenBTS Chronicles, March 7, 2010. Retrieved on December 7, 2011.
  21. "At Defcon, hackers get their own private cell network: Ninja Tel". Ars Technica. 2012-07-28. Retrieved 2012-08-02.
  22. "A Phone Network Just for Hackers". Wall Street Journal. 2012-07-26. Retrieved 2012-08-02.