OpenBTS (Open Base Transceiver Station) is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. OpenBTS is open-source software developed and maintained by Range Networks. The public release of OpenBTS is notable for being the first free-software implementation of the lower three layers of the industry-standard GSM protocol stack. It is written in C++ and released as free software under the terms of version 3 of the GNU Affero General Public License.
Stable release | 4.0
/ March 26, 2014 |
---|---|
Repository | |
Written in | C++ |
Operating system | Unix-like |
Type | GSM protocol stack |
License | GNU Affero General Public License[1] |
Website | OpenBTS |
Open GSM infrastructure
editOpenBTS replaces the conventional GSM operator core network infrastructure from layer 3 upwards. Instead of relying on external base station controllers for radio resource management, OpenBTS units perform this function internally. Instead of forwarding call traffic through to an operator's mobile switching center, OpenBTS delivers calls via SIP to a VOIP soft switch (such as FreeSWITCH or yate) or PBX (such as Asterisk). This VOIP switch or PBX software can be installed on the same computer used to run OpenBTS itself, forming a self-contained cellular network in a single computer system. Multiple OpenBTS units can also share a common VOIP switch or PBX to form larger networks[2]
The OpenBTS Um air interface uses a software-defined radio transceiver with no specialized GSM hardware. The original implementation used a Universal Software Radio Peripheral from Ettus Research, but has since been expanded to support several digital radios in implementations ranging from full-scale base stations to embedded femtocells.
History
editThe project was started by Harvind Samra and David A. Burgess[3] with the aim of the project to drastically reduce the cost of GSM service provision in rural areas, the developing world, and hard to reach locations such as oil rigs.[4] The project was initially conducted through Kestrel Signal Processing, the founders' consulting firm.
On September 14, 2010, at the Fall 2010 DEMO conference, the original authors launched Range Networks as a start up company to commercialize OpenBTS-based products.[5]
In September 2013, Burgess left Range Networks and started a new venture called Legba[6] and started a close collaboration with Null Team SRL, the developers of Yate. In February 2014, Legba and Null announced the release of YateBTS, a fork of the OpenBTS project that uses Yate for its control layers and network interfaces.
Platforms
editA large number of experimental installations have shown that OpenBTS can run on extremely low overhead platforms. These including some CDMA handsets - making a GSM gateway to a CDMA network. Computer security researcher Chris Paget reported [7] that a handheld device, such as an Android phone, could act as a gateway base station to which handsets can connect; the Android device then connects calls using an on-board Asterisk server and routes them to the PSTN via SIP over an existing 3G network.
Security
editAt the 2010 DEF CON conference, it was demonstrated with OpenBTS that GSM calls can be intercepted because in GSM the handset does not authenticate the base station prior to accessing the network.[8]
OpenBTS has been used by the security research community to mount attacks on cellular phone baseband processors.[9][10] Previously, investigating and conducting such attacks was considered impractical due to the high cost of traditional cellular base station equipment.
Field tests
editLarge scale live tests of OpenBTS have been conducted in the United States in Nevada and northern California using temporary radio licenses applied for through Kestrel Signal Processing and Range Networks, Inc.
Burning Man
editDuring the Burning Man festival in August 2008, a week-long live field test was run under special temporary authorization license.[11][12] Although this test had not been intended to be open to Burning Man attendees in general, a number of individuals in the vicinity succeeded in making out-going calls after a mis-configured Asterisk PBX installation allowed through test calls prefixed with an international code.[13] The test connected about 120 phone calls to 95 numbers in area codes over North America.
At the 2009 Burning Man festival, a larger test setup was run using a 3-sector system.[14] For the 2010 festival, an even larger 2-sector 3-carrier system was tested.
At the 2011 festival, the OpenBTS project set up a 3-site network with VSAT gateway and worked in conjunction with the Voice over IP services company Voxeo to provide much of the off-site call routing.[15][16]
"RELIEF" exercises
editRELIEF is a series of disaster response exercises managed by the Naval Postgraduate School in California, USA.[17] Range Networks operated OpenBTS test networks at the RELIEF exercises in November 2011 [18] and February 2012.[19]
Niue
editIn 2010, an OpenBTS system was installed on the island of Niue and became the first installation to be connected and tested by a telecommunication company. Niue is a very small island country with a population of about 1,700 - too small to attract mobile telecommunications providers. The cost structure of OpenBTS suited Niue, which required a mobile phone service but did not have the volume of potential customers to justify buying and supporting a conventional GSM basestation system.[20]
The success of this installation and the demonstrated demand for service helped bootstrap later commercial services. The OpenBTS installation was later decommissioned ~February 2011 by Niue Telecom, a commercial grade GSM 900 network with Edge support was instead launched few months later (3x sites in Kaimiti O2, Sekena S2/2/2 and Avatele S2/2/2) this provided full coverage around the island and around the reef, the installation included a pre-pay system, USSD, Int. SMS and new Int. Gateway.
Defcon 20
editFrom July 26 to July 29, 2012, the Ninja Networks team set up a "NinjaTel Van" in the Vendor[21] area of Defcon 20 (at the Rio Hotel/Casino in Las Vegas.) It used OpenBTS and served a small network of 650 GSM phones with custom SIM cards.[22]
See also
editReferences
edit- ^ "OpenBTS - SVN". Archived from the original on 2012-12-20.
- ^ "RELIEF 12-2 : Actual Event". OpenBTS wiki. Archived from the original on 12 July 2012. Retrieved 11 April 2012.
- ^ Bort, Julie. Burning Man's open source cell phone system could help save the world Archived 2012-01-11 at the Wayback Machine, Network World, August 30, 2010. Retrieved December 6, 2011.
- ^ Naone, Erica. Build Your Own Cellular Network, Technology World, May 2010. Retrieved on December 7, 2011.
- ^ Takahash, Dean DEMO: Range Networks rings in cell-phone service for $2 a month VentureBeat, September 14, 2010. Retrieved December 6, 2011.
- ^ Finley, Klint Out in the Open: This super-cheap cellphone network brings coverage almost anywhere Wired, June 9, 2014.
- ^ Paget, Chris. OpenBTS on Droid Archived 2011-09-12 at the Wayback Machine, Chris Paget's Blog, February 19, 2010. Retrieved Dec. 6 2011.
- ^ Paget, Chris. Practical Cellphone Spying, DEF CON 18, July 30, 2010. Retrieved Dec. 6 2011.
- ^ Stevens, Mike (Feb 19, 2018). "HOW TO INTERCEPT MOBILE COMMUNICATIONS (CALLS AND MESSAGES) EASILY WITHOUT HACKING". Information Security Newspaper.
- ^ Claburn, Thomas. Google Bets $20,000 You Can't Hack Chrome, Information Week, February 04, 2011. Retrieved December 6, 2011.
- ^ Federal Communications Commission, WD9XKN Experimental Special Temporary Authorization, August 24, 2008. Retrieved December 6, 2011.
- ^ Burgess, David. The OpenBTS Project - an open-source GSM base station LWN.net, September 4, 2008. Retrieved December 6, 2011.
- ^ The Unofficial Non-Carrier of Burning Man 2008 OpenBTS website. Retrieved December 6, 2011.
- ^ Burgess, David. OpenBTS Nevada Test Site Astricon 2009, October 13, 2009. Retrieved December 7, 2011.
- ^ Burgess, David. "Papa Legba 2011 - Network". Archived from the original on December 2, 2011.
- ^ Burgess, David. Burning Man 2011 - Yes we were there The OpenBTS Chronicles, September 6, 2011. Retrieved on December 7, 2011.
- ^ "RELIEF". Naval Postgraduate School. Retrieved 11 April 2012.
- ^ "RELIEF 12-1 Quicklook Report" (PDF). Naval Postgraduate School. Retrieved 11 April 2012.
- ^ "RELIEF 12-2 Quicklook Report" (PDF). Naval Postgraduate School. Retrieved 11 April 2012.
- ^ Burgess, David. FAKALOFA LAHI ATU, The OpenBTS Chronicles, March 7, 2010. Retrieved on December 7, 2011.
- ^ "At Defcon, hackers get their own private cell network: Ninja Tel". Ars Technica. 2012-07-28. Retrieved 2012-08-02.
- ^ "A Phone Network Just for Hackers". Wall Street Journal. 2012-07-26. Retrieved 2012-08-02.