GSM security testing: where the action is [LWN.net]

By Jonathan Corbet
September 27, 2010

Over the years, there has been a lot of interest in the security of the TCP/IP protocol suite. But there is another set of protocols - the GSM mobile telephony suite - which is easily as widely deployed as TCP and for which security is just as important, but a lot fewer people have ever taken a deep look at GSM. Harald Welte, along with a small group of co-conspirators, is out to change that; in a fast-paced Linux-Kongress talk (slides [PDF]), he outlined what they have been up to and how far they have gotten.

While they may be hard to find, the specifications for the GSM protocols are available. But the industry around GSM is very closed, Harald says, and closed-minded as well. There are only about four implementations (closed, naturally) of the GSM stack; everybody else licenses one of them. There are also no documents released for GSM hardware - at least, none which have been released intentionally. There are very few companies making GSM or 3G chips, and they buy their software from elsewhere. Only the biggest of handset manufacturers get to buy these chips directly, and even they don't get comprehensive documentation or source code.

On the network side, there are, once again, just a few companies making GSM-related equipment. Beyond the major manufacturers, there are a couple of nano/femtocell companies, and a shadowy group of firms making equipment for law-enforcement agencies. These companies have a small number of customers - the cellular carriers - and the quantities sold are low. So, in other words, prices for this equipment are very high. That means that anybody wanting to do GSM protocol research needs to set up a network dedicated to that purpose, and that is an expensive proposition.

Even the cellular operators don't know all that much about what is going on under the hood; they outsource almost everything they do to others. These companies, Harald says, are more akin to banks than technology companies; the actual operation of the network equipment is outsourced to the companies which sold that equipment in the first place. As a result, there are very few people who know much about the protocols or the equipment which implements them.

This state of affairs has some significant implications. Protocol knowledge is limited to the small number of manufacturers out there. There is almost no protocol-level security research happening; most of what is being done is very theoretical and oriented around cryptographic technology. The only other significant research is at the application level, which is several layers up the stack from the area that Harald is interested in. There are also no open-source protocol implementations, which is a problem: these implementations are needed to help people learn about the protocols. The lack of open reference implementations also restricts innovation in the GSM space to the manufacturers.

So how should an aspiring GSM security researcher go about it? One possibility is to focus on the network side, but, as was mentioned before, that is an expensive way to go. The good news is that the protocols on the network side are relatively well documented; that has helped the OpenBSC and OpenBTS projects to make some progress in this area. If, instead, one wanted to look at GSM from the handset side, there is a different set of obstacles to deal with. The firmware and protocol code used in handset baseband processors is, naturally, closed and proprietary. The layer-1 and signal-processing hardware and software is equally closed. There is also a complete lack of documented interfaces between these layers; we don't even know how they talk to each other. There have been some attempts to make things better - the TSM30 and MADos projects were mentioned - but things are still in an early state.

Nonetheless, the handset side is where Harald and company decided to work. The bootstrap process was a bit painful; it involved wading through over 1000 documents (full documents - not pages) to gradually learn about the protocols and how they interact with each other. Then it's necessary to get some equipment and start messing with it.

Harald gave a whirlwind tour of the protocols and acronyms found in cellular telephony. On the network side, there is the BTS (the cell tower), which talks with the base station controller (BSC), which can handle possibly hundreds of towers. The BSC, in turn, talks to the network subsystem (NSS), which is responsible for making most of the details of mobile telephone work. The protocol for talking with the handsets is called UM. It breaks down into several layers, starting with layer 1 (the radio layer, TS 04.04), up to layer 2 (LAPDm, TS 04.06), and layer 3, with names like "radio resource," "mobility management," and "call control." The layer 3 specification is TS 04.08 - the single most important spec, Harald says, for people interested in how mobile telephony works.

Various people, looking at the specifications, have already turned up a few security problems. There is, for example, no mutual authentication between the handset and the cellular tower, making tower-in-the-middle attacks possible. Cryptographic protocols are weak - and optional at that - and there is no way for the user to know what kind of encryption, if any, is in use. And so on.

On the handset side, these protocols are handled by a dedicated baseband processor; it is usually some sort of ARM7 or ARM9 processor running a real-time operating system. Evidently L4 microkernels are in use on a number of these processors. The CPU has no memory protection, and the software is written in C or assembly. There are no security features like stack protection, non-executable memory, or address-space layout randomization. It's a huge amount of software running in an unforgiving environment; Harald has written up a description of how this processor works in this document [PDF].

What an aspiring GSM security researcher needs is a baseband processor under his or her control. There are a couple of approaches which could be taken to get one of those, starting with simply building one from generic components. With a digital signal processor and a CPU, one would eventually get there, but it would be a lot of work. The alternative is to use an existing baseband chipset, working from information gained from reverse engineering or leaked documentation. That approach might be faster, but it still leads to working with custom, expensive hardware.

So the OsmocomBB hackers took neither of those approaches, choosing instead the "alternative, lazy approach" of repurposing an existing handset. There is a clear advantage to working this way: the hardware is already known to work. There is still a fair amount of reverse engineering to be done, and hardware drivers need to be written, but the job is manageable. The key is to find the right phone; a good candidate would be as cheap as possible, readily available, old and simple, and, preferably, contain a baseband chipset with at least some leaked information.

The team settled on the TI Calypso chipset, which actually has an open-source GSM stack available for it. Actually, it's not open source, but it did sit on SourceForge for four years until TI figured out it was there; naturally, the code is still available for those who look hard enough. The chipset is past the end of its commercial life, but phones built on this chipset are easy to find on eBay. As an added bonus, the firmware is not encrypted, so there are no DRM schemes to bypass.

With these devices in hand, the OsmocomBB project started in January of 2010 with the goal of creating a GSM baseband implementation from scratch. At this point, they have succeeded, in that they have almost everything required to run the phone. Their current approach involves running as little code as possible on the phone itself - debugging is much easier when the code is running on a normal computer. So the drivers and layer 1 code run on the phone; everything else is on the PC. Eventually, most of the rest of the code will move to the handset, but there seems to be no hurry in that regard.

The firmware load currently has a set of hardware drivers for the radio, screen, and other parts of the phone. The GSM layer 1 code runs with no underlying operating system - there really is no need for one. It is a relatively simple set of event-driven routines. The OsmocomBB develpers have created a custom protocol, called l1ctl, for talking with the layer 1 code. Layers 2 and 3 run on the host computer, using l1ctl to talk to the phone; they handle tasks like cell selection, SIM card emulation, and various "applications" like making calls.

The actual phones used come from the Motorola C1xx family, with the C123 and C155 models preferred for development and testing. One nice feature of these phones is that they contain the same GSM modem as the OpenMoko handset; that made life a lot easier. These phones also have a headset jack which can, under software control, be turned into an RS-232 port; this jack is how software is loaded onto the phone.

At this point, the hardware drivers for this phone are complete; the layer 1-3 implementations are also "quite complete." The OsmocomBB stack is now able to make voice calls, working with normal cellular operators. The user interface is not meant for wider use - tasks like cellular registration and dialing are command-line applications - but it all works. The code is also nicely integrated with wireshark; there are dissectors for the protocols in the wireshark mainline now.

Things which are not working include reading SIM cards, automatic power control (the phone always operates with fixed transmit power), and data transmission with GPRS. Getting GPRS working is evidently a lot of work, and there does not seem to be anybody interested in doing it, so Harald thinks there is "not much of a future" for GPRS support. Also not supported is 3G, which is quite different from GSM and which will not be happening anytime soon. There is also, naturally enough, no official approval for the stack as a whole. Even so, it's a capable system at this point; it is, Harald says, "an Ethernet card for GSM." With OsmocomBB, developers who want to build something on top of GSM have a platform they can work with.

The developers have already discovered a few "wild things" which can be done. It turns out, for example, that there is no authentication of deregistration messages. So it is possible to kick any other phone off the cellular network. There are some basic fuzzing tools available for those who would like to stress the protocols; their usefulness is limited, though, by the fact that the developers can't get any feedback from the cellular carriers.

The GSM industry, Harald says, is making security analysis difficult. So it should not be surprising that the security of existing GSM stacks is quite low. Things are going to have to change in the future; Harald hopes that OsmocomBB will help to drive that change. It is, however, up to the security community to make use of the tools which have been created for them. He hopes that community will step up to the challenge. At this point, TCP/IP security is a boring area; GSM security is where the interesting action is going to be.

Index entries for this article
Conference	Linux-Kongress/2010

to post comments

GSM security testing: where the action is

Posted Sep 27, 2010 5:26 UTC (Mon) by bronson (subscriber, #4806) [Link] (37 responses)

Wow, Harald is a stud.

I keep hoping that phone communication will move to VOIP over HSPA+ or whatever data connection you have. Rather than trying to fix GSM (what looks to be an IMMENSE project), just leave it behind.

Guess that's kind of a long shot.

GSM security testing: where the action is

Posted Sep 27, 2010 6:10 UTC (Mon) by dambacher (subscriber, #1710) [Link]

Well, if Haralt Welte succeeds to show big security problems, maybe this can be earlier than you hope.

GSM security testing: where the action is

Posted Sep 27, 2010 6:13 UTC (Mon) by rahvin (guest, #16953) [Link] (18 responses)

GSM will be around for decades in poor countries. Harold has said his goal is to open this whole thing up and bring the technology for little to no cost to the worlds poor. It's a very noble goal and if he's successful he could bring telecommunications to the worlds poor many years before they would otherwise receive it. By opening this close world up he can also reduce the costs so significantly that the poorest could afford it.

GSM security testing: where the action is

Posted Sep 27, 2010 6:58 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (17 responses)

While I'm awed by Harald Welte, I don't think this project makes a lot of difference.

Cell phone towers are mass-produced and are pretty cheap. You probably can't make anything much cheaper as it is on large scale. On small scale it might be possible, but it'll still probably be cheaper to buy a nanocell.

And while GSM is nice, it's now clear that the 'path forward' is 4G which is going to use VoIP over an IP data network.

GSM security testing: where the action is

Posted Sep 27, 2010 8:21 UTC (Mon) by freddyh (guest, #21133) [Link] (9 responses)

You might be surprised. If Harald succeeds, you might see increased competition (as mentioned in the original article: there are only few companies who make hardware and software). Increased competition is always good, not only for features but also for security and price.

GSM security testing: where the action is

Posted Sep 27, 2010 8:37 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (8 responses)

Cynically speaking, obscurity in this case is good for security. Because not much companies can afford to reverse-engineer the whole stack and create malicious GSM software/hardware.

As for competition, there's enough of it in the hardware cell-tower market. They are produced in millions, and basic GSM cell phone infrastructure (i.e. no GPRS, EVDO, etc.) is now VERY cheap on per-subscriber basis. Use of non-carrier-grade hardware is quite likely to _increase_ costs because of increased maintenance overhead.

No, the next battlefield will be 4G technologies. They have the potential to uproot established telecoms. 4G phones will be simple IPv6 nodes, and calls between them are going to be simple VoIP streams over data network which can be (by design) transmitted over the WiFi and public Internet.

PS: I worked as a network architect in a small cell-phone company.

Viability of open GSM stacks and equipment

Posted Sep 27, 2010 12:39 UTC (Mon) by sladen (guest, #27402) [Link] (6 responses)

Yes, going forward, the number of modems/radio interfaces available for backhaul on a device is seemingly always increasing (GSM/GPRS/EDGE, Bluetooth, W-CDMA/HSDPA, 802.11b/g, LTE...), but on a phone the GSM Um is going to be present for a very long time virtually anywhere in the world (except in Japan).

Instead of thinking about the costs of initial hardware certification, consider instead every business case that you may have encountered (in designing networks) where a mast had been planned but wasn't economically viable based on the threshold of subscribers in that area. Imagine re-evaluating those business cases with potentially 1/10th of the equipment running costs (power, cooling) and 1/10th of the capital equipment costs.

For a small telco such as Telecom Niue (or perhaps yourself) the turning-over-the-tables of current build-out viability is probably quite attractive, and potentially as disruptive as COTS/open-source has been in the rest of the electronics industry. There are people open to the possibility out there name a recent smartphone on the market that isn't now running a BSD/GPL Unixy kernel inside it and then project that same degree of confluence onto the infrastructure side.

Viability of open GSM stacks and equipment

Posted Sep 27, 2010 13:10 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

>Yes, going forward, the number of modems/radio interfaces available for backhaul on a device is seemingly always increasing (GSM/GPRS/EDGE, Bluetooth, W-CDMA/HSDPA, 802.11b/g, LTE...), but on a phone the GSM Um is going to be present for a very long time virtually anywhere in the world (except in Japan).

Not likely. AMPS/DAMPS died quickly with the advent of GSM/CDMA, for example (oh, sure there were few holdouts). Once we have viable 4G standards, they're going to spread quickly. There are just too many advantages: cheaper roaming, better data integration, more bandwidth, less power consumption, etc.

>Instead of thinking about the costs of initial hardware certification, consider instead every business case that you may have encountered (in designing networks) where a mast had been planned but wasn't economically viable based on the threshold of subscribers in that area.

Almost never happens. Even at $1 ARPU per month it's economically viable to install a tower even with 50 subscribers. You don't really get lower than that. And if you DO get lower, than most of your investment will be spent on getting uplink anyway (usually a microwave link, which requires, you guessed it, a tower for line-of-sight).

Viability of open GSM stacks and equipment

Posted Sep 30, 2010 7:13 UTC (Thu) by Cato (guest, #7643) [Link] (4 responses)

I doubt GSM is going to go away on the handset for at least 10 years, simply because there is so much GSM deployed world-wide and it will be convenient to be able to make voice calls even when visiting the most rural parts of the developing world. Given software radio and DSP technologies, there is very little extra cost to supporting GSM alongside UMTS and LTE.

GSM also has good coverage for rural areas, as a GSM cell can reach up to 35 km (http://en.wikipedia.org/wiki/GSM#Cellular_radio_network ) vs. "over 10km" in theory for UMTS (http://books.google.co.uk/books?id=7m-MnwW_o7AC&lpg=P... ). Even today in a Western European country, the only way I can get UMTS 3G coverage at home is via femtocell, and I'm only 5 km from the nearest 3G base station. The economics of deploying a UMTS or LTE base station closer to me will only stack up if there's a very cheap wireless backhaul technology that can handle the required throughput for multiple 3G/4G subscribers.

Viability of open GSM stacks and equipment

Posted Sep 30, 2010 12:54 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Range of coverage can actually be better in 4G technologies. First, they are going to use more robust and efficient radio modulation technologies. I know that it's being specifically worked on.

For GSM maximum distance is limited to about 40km (by lightspeed so you can't do anything about it). It's quite feasible that 4G technologies will allow 50-70km maximum distance to tower.

UMTS is quite far from ideal here. We've learned a lot since it was first designed.

Viability of open GSM stacks and equipment

Posted Sep 30, 2010 19:42 UTC (Thu) by Jan_Zerebecki (guest, #70319) [Link] (1 responses)

> For GSM maximum distance is limited to about 40km (by lightspeed so you can't do anything about it).

Usually the range is limited to the distance the signal can travel in one timeslot, but it seems you can do something about it if your BTS is modified to allow the signal to arrive in the next timeslot.

Viability of open GSM stacks and equipment

Posted Sep 30, 2010 19:50 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Yes, it's sometimes used. But not all devices will work in this case, and GSM you can get issues with interference.

Viability of open GSM stacks and equipment

Posted Oct 4, 2010 2:24 UTC (Mon) by showell (guest, #2929) [Link]

We have had our GSM cells working out to 121 kms using an Ericsson feature called extended range.

GSM will be with us for along time because the GSM chipsets are still 1/2 the price of the 3G / 4G ones (due mainly to IP payments). GSM handsets sell in poorer markets in massive quantities over 3G.

LTE and VoIP

Posted Sep 30, 2010 6:57 UTC (Thu) by Cato (guest, #7643) [Link]

It's not quite true to say that all 4G calls will be VoIP - true for WiMAX if you count that as 4G, but with LTE (successor to UMTS/GSM), it's still not clear exactly how voice will be handled. Some LTE operators will use "circuit switch fall back" to 3G for voice, some will use VoLGA ( http://findarticles.com/p/articles/mi_m0FGI/is_6_20/ai_n3... ), and others will go IMS (VoLTE), implying VoIP calls - http://www.pcworld.com/businesscenter/article/189339/mobi... and http://www.networkworld.com/news/2010/021510-gsma-one-voi... have some discussion, but IMS is notoriously complex to deploy (it's been the "next thing" for about 10 years now).

Basically, 3G voice fallback has issues with the time to switch networks, while VoLTE is the long term solution (but has had to add SMS support to IMS), while VoLGA is the interim solution using GAN (Generic Access Network, aka UMA) - essentially circuit switch calls over an IP infrastructure, also used today by mobile phones that switch between GSM/3G and WiFi while on the same call (e.g. Blackberry and some Nokias), bypassing the need for femtocells in some cases.

Ultimately it looks like everyone will use VoIP with LTE, but it will take a few years given that some of the VoLTE standards aren't yet finalised.

GSM security testing: where the action is

Posted Sep 27, 2010 8:40 UTC (Mon) by rahvin (guest, #16953) [Link] (4 responses)

Depends on your definition of cheap. Where the average yearly income is less than $2000 a year the build out costs of a tower network can be so astronomical that it's not possible to recoup the investment and at the same time offer affordable service at the rates the average citizen can afford. The major costs in this equation are the equipment and what makes that equipment expensive is the software IP behind it all and the astronomic amounts charged for the back-end equipment that runs the network. Costs that are almost entirely software as the physical hardware is quite cheap.

The kicker is that even when the patents expire, or in countries where they aren't valid the closed ecosystem prevents operators from offering service at locally affordable rates without paying the IP tax. The ultimate goal (at least from my perspective) of all these FOSS GSM projects is to break open the closed ecosystem and crack the security that enforces it so that software isn't an expense in the equation. This relegates the costs to construction, towers, power and general purpose equipment with FOSS on top. Without the "software" costs the systems can be erected cheaper, maybe even to the point where people making less than $2000 a year can afford service. At the least it's definitely going to lower the break point where more people can afford cellular service. Even if it takes 5 years or more to crack open, GSM is going to have a long lifespan in areas with low average incomes.

Most people in the west don't realize it, but cellular phones are the primary means of access to information in large areas of the world. Not just voice, but the primary internet access as well. These efforts to crack this closed ecosystem and the security that enforces it are vital to free access to information.

Harold's role in this is critical as the security is a key component to building a cellular service. Not only that but the benefits to those of us in the west as he could find security holes that right now only the government and criminals are aware of.

GSM security testing: where the action is

Posted Sep 27, 2010 8:50 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

I live in a country with $2500-$3000 nominal GDP per capita (Ukraine, if anyone is interested).

We have like 80% of coverage for the whole country, with many competing independent cell networks. I can literally travel everywhere and get a good phone signal (even in Chernobyl).

GSM security testing: where the action is

Posted Sep 29, 2010 8:31 UTC (Wed) by mfedyk (guest, #55303) [Link]

I imagine it's different in many parts of africa and some parts of asia and south america.

GSM security testing: where the action is

Posted Oct 7, 2010 7:46 UTC (Thu) by gat3way (guest, #47864) [Link]

Same here (Bulgaria, nominal GDP/capita ~ $6000). Our three operators have >95% coverage since at least 6-7 years ago. Also, the bills are not at all expensive for the average person (Bulgaria is EU's poorest member). They were in the end of the 90s but that was mostly due to the fact that we had just one operator then.

3G did develop practically in the last 3-4 years and it was incredibly expensive in the beginning, now you can get postpaid plans with unlimited traffic for about $15-$20/month. Lots of people switched off from ADSL to the mobile telcos in the rural areas as it costs almost the same (and the national ADSL provider is notorious for its poor support).

Yet as the nice new Android smartphones and the iphones are quite expensive here, GSM is here to stay for at least a couple of years.

GSM security testing: where the action is

Posted Sep 27, 2010 11:28 UTC (Mon) by marcH (subscriber, #57642) [Link]

I visited Niger, one of the poorest countries in the world; its GDP has never been above $500 per capita. There are three different GSM operators and decent coverage. Every working person has a GSM phone.

They can easily transfer credit from one account to another, sometimes using phone credit as mere pocket money.

Price of GSM/3G base stations

Posted Sep 30, 2010 6:44 UTC (Thu) by Cato (guest, #7643) [Link] (1 responses)

You may be right - the main costs probably can't be avoided, such as amplifiers, power supply, etc. According to this research a few years ago, a UMTS 3G base station (presumably a macrocell, i.e. a normal "cell phone tower" for GSM-family 3G) costs $24,000: http://mobilesociety.typepad.com/mobile_life/2007/02/the_...

The test would be whether WiMAX base stations are cheaper, as they are built in a more "commodity" way - if GSM becomes more open it would be possible to build GSM base stations like that.

UMTS femtocells are very cheap (there are few if any GSM femtocells) with a consumer price of $70-$150 - I bought mine for $70 new off eBay.

Price of GSM/3G base stations

Posted Sep 30, 2010 12:26 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Let's say, that $24000 is way too high for a small cell phone tower (to provide coverage in a small village) somewhere in Niger. Especially, if you are willing to trade some reliability for price.

GSM security testing: where the action is

Posted Sep 27, 2010 8:48 UTC (Mon) by nhippi (subscriber, #34640) [Link] (16 responses)

It is already specified as IMS (IP multimedia system), and it is requirement for the "next generation" phone standard, LTE. However, I don't see how that is going to make life better security-wise that GSM voice. SIP is notoriously insecure protocol (hello please route phonecalls unencrypted to this IP, trust me because here is my password in plaintext). Also reliability and battery life is worse, so there is valid questioning in the industry on "why bother?".

GSM security testing: where the action is

Posted Sep 27, 2010 11:31 UTC (Mon) by marcH (subscriber, #57642) [Link]

Oh, and also do not forget to pause bittorrent when using VoIP.

GSM security testing: where the action is

Posted Sep 27, 2010 11:59 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

LTE is going to use H.323 family of standards for audio/video data. It's fiendishly complex, but pretty powerful and certainly is secure.

As for pausing bittorrents - that's what QoS is for.

GSM security testing: where the action is

Posted Sep 27, 2010 15:50 UTC (Mon) by i3839 (guest, #31386) [Link]

"fiendishly complex" and "secure" are mutually exclusive.

I hope the security part is simple and separate from the complex rest.

GSM security testing: where the action is

Posted Sep 27, 2010 22:10 UTC (Mon) by marcH (subscriber, #57642) [Link] (5 responses)

Scalability issues aside, IP QoS usually falls into a chicken and egg problem where each potential IP bottleneck postpones implementation of QoS until other bottlenecks do it first.

Yes designing a brand new network is a nice opportunity but... seeing is believing.

GSM security testing: where the action is

Posted Sep 28, 2010 11:40 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

QoS on cell phone providers' networks is not hard to do. They'll probably just do it per-protocol.

On the wide Internet it's probably not going to make much difference, anyway. Voice traffic is fairly narrow-band, even high-quality codecs do not require more than 64Kbit.

GSM security testing: where the action is

Posted Sep 28, 2010 15:44 UTC (Tue) by marcH (subscriber, #57642) [Link]

> On the wide Internet it's probably not going to make much difference, anyway. Voice traffic is fairly narrow-band, even high-quality codecs do not require more than 64Kbit.

Narrow band does not grant immunity from occasional packet loss and high latencies. Only QoS helps in such cases.

GSM security testing: where the action is

Posted Sep 30, 2010 7:18 UTC (Thu) by Cato (guest, #7643) [Link] (2 responses)

Talking to a local expert in mobile technology, I get a lot of scepticism about QoS for mobile - although it's enabled in the 3GPP UMTS standards, nobody seems to have enabled this. The radio link is critical and very variable - however it may be that IP QoS gets turned on for the mobile backhaul link from base station up to the core network, as this is turning into something of a bottleneck. Making QoS work does require quite a big investment in policy server infrastructure, adapting your use of network planning tools, and so on, but this is probably paid back if you are using it to stop very large downloaders and ensure that VoIP and video are usable.

GSM security testing: where the action is

Posted Sep 30, 2010 13:03 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Yeah, nobody uses QoS. It's not needed for data services (cell phone providers do not care if your Skype works badly if Youtube video is playing on your phone) and voice traffic goes over links with guaranteed bandwidth.

Quite often voice and data backbones also use separate circuits, so QoS is not used even there.

GSM security testing: where the action is

Posted Oct 6, 2010 9:39 UTC (Wed) by marcH (subscriber, #57642) [Link]

> and voice traffic goes over links with guaranteed bandwidth. Quite often voice and data backbones also use separate circuits, so QoS is not used even there.

This is actually some simple, manual, very coarse form of QoS when you think about it. Simple => works.

GSM security testing: where the action is

Posted Sep 29, 2010 8:43 UTC (Wed) by mfedyk (guest, #55303) [Link] (1 responses)

both sip and h.323 use rtp as their media transport for audio/video. can you be more specific as to what in lte is similar to h.323?

GSM security testing: where the action is

Posted Sep 29, 2010 9:04 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

LTE is (currently) going to use H.323 for signaling on end-user devices. Which is kinda logical, because H.323 is most widely used in telecoms.

GSM security testing: where the action is

Posted Sep 29, 2010 19:25 UTC (Wed) by nhippi (subscriber, #34640) [Link] (1 responses)

LTE is going to use H.323 family of standards for audio/video data

Can you provide some reference for this claim? Every source I know refers LTE being based on IP Multimedia System, Where SIP is the protocol to handle voice (and video) calls.

GSM security testing: where the action is

Posted Sep 30, 2010 19:10 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Ah. You're right, I asked a person who is directly involved in development of LTE standards.

H.323 is not going to be used on end-user devices. Which is a saner decision then what I expected from committees. It was still on the table last time I inquired about it, so I'm sorry for misinformation.

GSM security testing: where the action is

Posted Sep 27, 2010 13:15 UTC (Mon) by tzafrir (subscriber, #11501) [Link] (2 responses)

Plain text password in SIP?

GSM security testing: where the action is

Posted Oct 2, 2010 16:36 UTC (Sat) by job (guest, #670) [Link] (1 responses)

I guess it's allowed by the standards but I've never seen it in practice.

There's a lot of guesswork going on in this discussion thread.

GSM security testing: where the action is

Posted Oct 7, 2010 9:08 UTC (Thu) by marcH (subscriber, #57642) [Link]

Not very surprising considering how obscure is this industry.

GSM security testing: where the action is

Posted Sep 27, 2010 18:06 UTC (Mon) by XTerminator (subscriber, #59581) [Link] (2 responses)

Excellent article, however, there's no mention here anywhere about where the SMPP, or UCP protocols, or even the CIMD protocol come into play. I would have liked to know if the handsets actually deal with these protocols, or if those are just for communication between content providers and Telecom providers.

GSM security testing: where the action is

Posted Sep 27, 2010 22:09 UTC (Mon) by mato (guest, #964) [Link] (1 responses)

All of the protocols you mention are used only for communication with an SMSC at the application level, for example an application connecting to the SMSC via a TCP transport.

Handsets use some random ETSI TS spec (part of the GSM specifications) to send SMS over the air.

GSM security testing: where the action is

Posted Sep 28, 2010 8:23 UTC (Tue) by XTerminator (subscriber, #59581) [Link]

Thanks for shining some light on that.

What GSM security?

Posted Sep 28, 2010 3:39 UTC (Tue) by ncm (guest, #165) [Link] (1 responses)

I don't understand. When last I heard, there was no GSM security at all. If I recall correctly, that is, the claim was that any apparent security had been deliberately compromised, by design, at every level of the stack. What is to analyze?

What GSM security?

Posted Sep 28, 2010 13:28 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

No, it's more like security was not a consideration when the protocol was designed. That, and also the fact that GSM was designed by a committee.

It's an open secret that GSM cells (if not networks) can be brought down by faulty devices.