28C3: New attacks on GSM mobiles and security measures shown (The H)

Posted Jan 5, 2012 15:13 UTC (Thu) by yaap (subscriber, #71398)
In reply to: 28C3: New attacks on GSM mobiles and security measures shown (The H) by dlang
Parent article: 28C3: New attacks on GSM mobiles and security measures shown (The H)

> The fact that Harald Welte has been able to get licenses to set up a cell tower for testing use running on completely open source code is a good indicator that there is a path open here.

It's rather easy to get a license for testing purposes of network devices. But it usually comes with strings attached. Typically indoor use, with limited power. I have several such test systems in the building I'm in, for example.

For devices, it's a different story. If it's on a dedicated test network it's fine, but such tests are usually driven by certification authorities and not widely open.

If it's with a test (or hacked) device in an operational network, it's very hard and you can only get the authorization from the operator. Who will never give it without some pre-certification (to make sure the device is at least not harmful). With the cost involved, it's only for business reasons.

Otherwise, in Europe for 3GPP standards and in most countries a device must at least be GCF certified to be legally used (http://www.globalcertificationforum.org).
The GCF certification only is actually quite open, as the operator has no say: it can't refuse a certified device. In other places it's different. In the US you need the operator approval for the big guys for example.
The GCF certification covers both hardware and firmware, with the software version locked. You can have reduced testing for small changes, with justification.
The cost of certification is such that only a business can afford it. First, in order to pass in a reasonable time and cost envelope, you must be able to pre-certify in your own lab with a good coverage. This is already hundreds of k€ minimum (in the millions more typical). Then you have to pay the certification lab.
It's an expensive business, because there's a lot of work. But it's not "locked" in Europe at least: anyone with deep pockets could get its own custom device certified and legally use it. And all the specs are public at www.3gpp.org.
Now I'm not a lawyer, so please don't ask me about law references.



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds