summaryrefslogtreecommitdiff
path: root/2013/osmocom-hitcon2013/osmocom-security.tex
blob: 7eed4f462ca595d5d9c4dbde8606f3088685c467 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $

\documentclass{beamer}

\usepackage{url}
\makeatletter
\def\url@leostyle{%
  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
\makeatother
%% Now actually use the newly defined style.
\urlstyle{leo}


% This file is a solution template for:

% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.



% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice. 


\mode<presentation>
{
  \usetheme{Warsaw}
  % or ...

  \setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}


\usepackage[english]{babel}
% or whatever

\usepackage[latin1]{inputenc}
% or whatever

\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.


\title{osmocom.org - FOSS for mobile comms}

\subtitle
{Free Software Tools for GSM Security Research}

\author{Harald Welte <laforge@gnumonks.org>}

\institute
{osmocom.org\\sysmocom GmbH}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.

\date[] % (optional, should be abbreviation of conference name)
{July 20, HITCON 2013 / Taipei}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
%   yourself) who are reading the slides online

\subject{Communications}
% This is only inserted into the PDF information catalog. Can be left
% out. 



% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:

% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}



% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
%  \begin{frame}<beamer>{Outline}
%    \tableofcontents[currentsection,currentsubsection]
%  \end{frame}
%}


% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command: 

%\beamerdefaultoverlayspecification{<+->}


\begin{document}

\begin{frame}
  \titlepage
\end{frame}

\begin{frame}{Outline}
  \tableofcontents[hideallsubsections]
  % You might wish to add the option [pausesections]
\end{frame}


% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution: 

% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
%   15 and 30 frames, all told.

% - A conference audience is likely to know very little of what you
%   are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
%   enough. Leave out details, even if it means being less precise than
%   you think necessary.
% - If you omit details that are vital to the proof/implementation,
%   just say so once. Everybody will be happy with that.

\section{Introduction}

\subsection{About}

\begin{frame}{About the speaker}
\begin{itemize}
	\item Linux Kernel / bootloader / driver / firmware development since 1999
	\item IT security expert, focus on network protocol security
	\item Former core developer of Linux packet filter netfilter/iptables
	\item Board-level Electrical Engineering
	\item Always looking for interesting protocols (RFID, DECT, GSM)
	\item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
\end{itemize}
\end{frame}

\begin{frame}{Legal Disclaimer}
\begin{itemize}
	\item GSM operates in licensed spectrum
	\item Operating any transmitter in the GSM frequency bands requires a license from the respective regulatory authority
	\item Interference with commercial cellular operators is often a fellony and punishable as a crime
	\item It is the users responsibility to configure OpenBSC and BTS equipment in a way that complies with the law
\end{itemize}
\end{frame}


\section{Researching communications systems}

\begin{frame}{Telco vs. Internet-driven IT security}
mobile industry today has security practieses and procedures of the 20th century
\begin{itemize}
	\item no proper incident response on RAN/CN
	\item no procedures for quick roll-out of new sw releases
	\item no requirements for software-upgradeability
	\item no interaction with hacker community
	\item no packet filtering / DPI / IDS on signalling traffic
	\item active hostility towards operators who want to do pentesting
	\item attempts to use legal means to stop researchers from publishing their findings
\end{itemize}
this sounds like medieval times. We are in 2012 ?!?
\end{frame}

\subsection{Real-world quotes}

\begin{frame}{Real-world quotes}
The following slides indicate some quotes that I have heard over the
last couple of years from my contacts inside the mobile industry.  They
are not made up!
\end{frame}


\begin{frame}{Quote: Disclosure of Ki/K/OPC}
"we are sending our IMSI+Key lists as CSV files to the SIM card supplier in China"
\end{frame}

\begin{frame}{Quote: RRLP}
"RRLP? What is that? We never heard about it!"
\end{frame}

\begin{frame}{Quote: SIM OTA keys}
"we have no clue what remote accessible (OTA) features our sim cards have or what kind of keys were used during provisioning"
\end{frame}

\begin{frame}{Quote: Malformed}
"we have never tried to intentionally send any malformed message to any of our equipment"
\end{frame}

\begin{frame}{Quote: Roaming}
"We are seeing TCAP/MAP related attacks/fraud from Operator XYZ in Pakistan.  However, it is more important that European travellers can roam into their network than it is for Pakistanis to roam into our network.  Can you see while the roaming agreement was only suspended for two days?"
\end{frame}

\begin{frame}{Quote: SIGTRAN IPsec}
"we are unable to mandate from our roaming partners that SIGTRAN links shall always go through IPsec - we don't even know how to facilitate safe distribution of certificates between operators"
\end{frame}

\begin{frame}{Quote: NodeB / IPsec}
"We mandated IPsec to be used for all of the (e)NodeB back-haul in our tender, the supplier still shipped equipment that didn't comply to it.  Do you think the CEO is going to cancel the contract with them for that?"
\end{frame}

\begin{frame}{Quote: Government / independent study}
"Govt: We put out a tender for a study on overal operator network security in our country.  Everyone who put in a bid is economically affiliated or dependent on one of the operators or equipment suppliers, so we knew the results were not worth much."
\end{frame}

\begin{frame}{Quote: Technical Staff}
"15 years ago we still had staff that understood all those details.  But today, you know, those experts are expensive - we laid them off."
\end{frame}

\begin{frame}{Quote: Baseband chip vendor}
"We have no clue what version of our protocol stack with what modifications are shipped in which particular phones, or if/when the phone makers distribute updates to the actual phone population"
\end{frame}


\subsection{The Rolle of FOSS}

\begin{frame}{Research in TCP/IP/Ethernet}
Assume you want to do some research in the TCP/IP/Ethernet
communications area,
\begin{itemize}
	\item you use off-the-shelf hardware (x86, Ethernet card)
	\item you start with the Linux / *BSD stack
	\item you add the instrumentation you need
	\item you make your proposed modifications
	\item you do some testing
	\item you write your paper and publish the results
\end{itemize}
\end{frame}

\begin{frame}{Research in (mobile) communications}
Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
\begin{itemize}
	\item there is no FOSS implementation of any of the protocols or
		functional entities
	\item almost no university has a test lab with the required
		equipment.  And if they do, it is black boxes that you
		cannot modify according to your research requirements
	\item you turn away at that point, or you cannot work on really
		exciting stuff
	\item only chance is to partner with commercial company, who
		puts you under NDAs and who wants to profit from your
		research
\end{itemize}
\end{frame}

\begin{frame}{GSM/3G vs. Internet}
\begin{itemize}
	\item Observation
	\begin{itemize}
		\item Both GSM/3G and TCP/IP protocol specs are publicly available
		\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
		\item GSM networks are as widely deployed as the Internet
		\item Yet, GSM/3G protocols receive no such scrutiny!
	\end{itemize}
	\item There are reasons for that:
	\begin{itemize}
		\item GSM industry is extremely closed (and closed-minded)
		\item Only about 4 closed-source protocol stack implementations
		\item GSM chipset makers never release any hardware documentation
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{The closed GSM industry}

\begin{frame}{The closed GSM industry}{Handset manufacturing side}
\begin{itemize}
	\item Only very few companies build GSM/3.5G baseband chips today
	\begin{itemize}
		\item Those companies buy the operating system kernel and the protocol stack from third parties
	\end{itemize}
	\item Only very few handset makers are large enough to become a customer
	\begin{itemize}
		\item Even they only get limited access to hardware documentation
		\item Even they never really get access to the firmware source
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{The closed GSM industry}{Network manufacturing side}
\begin{itemize}
	\item Only very few companies build GSM network equipment
	\begin{itemize}
		\item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
		\item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
	\end{itemize}
	\item Only operators buy equipment from them
	\item Since the quantities are low, the prices are extremely high
	\begin{itemize}
		\item e.g. for a BTS, easily 10-40k EUR
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{The closed GSM industry}{Operator side}
\begin{itemize}
	\item Operators are mainly banks today
	\item Typical operator outsources
	\begin{itemize}
		\item Network planning / deployment / servicing
		\item Even Billing!
	\end{itemize}
	\item Operator just knows the closed equipment as shipped by manufacturer
	\item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
\end{itemize}
\end{frame}

\begin{frame}{GSM is more than phone calls}
Listening to phone calls is boring...
\begin{itemize}
	\item Machine-to-Machine (M2M) communication
	\begin{itemize}
		\item BMW can unlock/open your car via GSM
		\item Alarm systems often report via GSM
		\item Smart Metering (Utility companies)
		\item GSM-R / European Train Control System
		\item Vending machines report that their cash box is full
		\item Control if wind-mills supply power into the grid
		\item Transaction numbers for electronic banking
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Security implications}

\begin{frame}{The closed GSM industry}{Security implications}
The security implications of the closed GSM industry are:
\begin{itemize}
	\item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
	\item No independent research on protocol-level security
	\begin{itemize}
		\item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
		\item Or on application level (e.g. mobile malware)
	\end{itemize}
	\item No open source protocol implementations
	\begin{itemize}
		\item which are key for making more people learn about the protocols
		\item which enable quick prototyping/testing by modifying existing code
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{The closed GSM industry}{My self-proclaimed mission}
Mission: Bring TCP/IP/Internet security knowledge to GSM
\begin{itemize}
	\item Create tools to enable independent/public IT Security community to examine GSM
	\item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks
	\begin{itemize}
		\item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified}
		\item No proper incident response strategies!
		\item No packet filters, firewalls, intrusion detection on GSM protocol level
		\item General public assumes GSM networks are safer than Internet
	\end{itemize}
\end{itemize}
\end{frame}

\section{Bootstrapping Osmocom}

\begin{frame}
To actually do research on GSM, we need
\begin{itemize}
	\item detailed knowledge on the architecture and protocol stack
	\item suitable hardware (there's no PHY/MAC only device like
		Ethernet MAC)
	\item a Free / Open Source Software implementation of at least
		parts of the protocol stack
\end{itemize}
\end{frame}

\begin{frame}{Bootstrapping GSM Research}{How would you get started?}
If you were to start with GSM protocol level security analysis, where and
how would you start?
\begin{itemize}
	\item On the handset side?
	\begin{itemize}
		\item Difficult since GSM firmware and protocol stacks are closed and proprietary
		\item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
		\item Publicly known attempts
		\begin{itemize}
			\item The TSM30 project as part of the THC GSM project
			\item mados, an alternative OS for Nokia DTC3 phones
		\end{itemize}
		\item none of those projects successful so far
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Bootstrapping GSM research}{How would you get started?}
If you were to start with GSM protocol level security analysis, where and
how would you start?
\begin{itemize}
	\item On the network side?
	\begin{itemize}
		\item Difficult since equipment is not easily available and normally extremely expensive
		\item However, network is very modular and has many standardized/documented interfaces
		\item Thus, if BTS equipment is available, much easier/faster progress
	\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Bootstrapping GSM research}{The bootstrapping process}
\begin{itemize}
	\item Read GSM specs (> 1000 PDF documents, each hundreds of pages)
	\item Gradually grow knowledge about the protocols
	\item Obtain actual GSM network equipment (BTS)
	\item Try to get actual protocol traces as examples
	\item Start a complete protocol stack implementation from scratch
	\item Finally, go and play with GSM protocol security
\end{itemize}
\end{frame}

\section{The Osmocom project}

\begin{frame}{Osmocom / osmocom.org}
\begin{itemize}
	\item Osmocom == Open Soruce Mobile Communications
	\item Classic collaborative, community-driven FOSS project
	\item Gathers creative people who want to explore this
		industry-dominated closed mobile communications world
	\item communication via mailing lists, IRC
	\item soure code in git, information in trac/wiki
	\item http://osmocom.org/
\end{itemize}
\end{frame}

\subsection{Osmocom sub-projects}

\begin{frame}{OpenBSC}
\begin{itemize}
	\item first Osmocom project
	\item Implements GSM A-bis interface towards BTS
	\item Supports Siemens, ip.access, Ericsson, Nokia and sysmocom BTS
	\item can implement only BSC function (osmo-bsc) or a fully
		autonomous self-contained GSM network (osmo-nitb) that
		requires no external MSC/VLR/AUC/HLR/EIR
	\item deployed in > 200 installations world-wide, commercial and
		research
\end{itemize}
\end{frame}

\begin{frame}{OpenBSC test installation}
\begin{figure}[h]
\centering
\includegraphics[width=60mm]{bts_tree_full.jpg}
\end{figure}
\end{frame}

\begin{frame}{OsmoSGSN / OpenGGSN}
\begin{itemize}
	\item extends the OpenBSC based network from GSM to GPRS/EDGE by
		implementing the classic SGSN and GGSN functional
		entities
	\item OpenGGSN existed already, but was abandoned by original
		author
	\item Works only with BTSs that provides Gb interface, like
		ip.access nanoBTS
	\item Suitable for research only, not production ready
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB}
\begin{itemize}
	\item Full baseband processor firmware implementation of a mobile phone (MS)
	\item We re-use existing phone hardware and re-wrote the L1, L2,
		L3 and higher level logic
	\item Higher layers reuse code from OpenBSC wherever possible
	\item Used in a number of universities and other research contexts
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[width=50mm]{c123_pcb.jpg}
\end{figure}
\end{frame}

\begin{frame}{OsmocomTETRA}
\begin{itemize}
	\item SDR implementation of a TETRA radio-modem (PHY/MAC)
	\item Rx is fully implemented, Tx only partial
	\item Can be used for air interface interception
	\item Accompanied by wireshark dissectors for the TETRA protocol
		stack
\end{itemize}
\end{frame}

\begin{frame}{OsmocomGMR}
\begin{itemize}
	\item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
	\item GMR-1 used by Thuraya satellite network
	\item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
	\item Partial wireshark dissectors for the protocol stack
	\item Reverse engineered implementation of GMR-A5 crypto
	\item Speech codec is proprietary, still needs reverse engineering
\end{itemize}
\end{frame}

\begin{frame}{OsmocomDECT}
\begin{itemize}
	\item ETSI DECT (Digital European Cordless Telephony) is used in
		millions of cordless phones
	\item deDECTed.org project started with open source protocol
		analyzers and demonstrated many vulnerabilities
	\item OsmocomDECT is an implementation of the DECT hardware
		drivers and protocols for the Linux kernel
	\item Integrates with Asterisk
\end{itemize}
\end{frame}

\begin{frame}{OsmocomOP25}
\begin{itemize}
	\item APCO25 is Professional PMR system used in the US
	\item Can be compared to TETRA in Europe
	\item OsmocomOP25 is again SDR receiver + protocol analyzer
\end{itemize}
\end{frame}

\begin{frame}{OsmoSDR}
\begin{itemize}
	\item small, low-power / low-cost USB SDR hardware
	\item higher bandwidth than FunCubeDonglePro
	\item much lower cost than USRP
	\item Open Hardware
	\item Board available to developers only (Firmware not finished)
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[width=70mm]{osmosdr.jpg}
\end{figure}
\end{frame}

\begin{frame}{OsmocomSIMTRACE}
\begin{itemize}
	\item Hardware protocol tracer for SIM - phone interface
	\item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
	\item Can be used for SIM Application development / analysis
	\item Also capable of SIM card emulation and man-in-the-middle attacks
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[width=60mm]{simtrace_and_phone.jpg}
\end{figure}
\end{frame}

\begin{frame}{osmo-e1-xcvr}
\begin{itemize}
	\item Open hardware project for interfacing E1 lines with
		microcontrollers
	\item So far no software/firmware yet, stay tuned!
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
\end{figure}
\end{frame}

\begin{frame}{osmo-bts-amp}
\begin{itemize}
	\item Open hardware project for a 2W PA, LNA and ceramic
		duplexer to amplify small BTSs like ip.access nanoBTS
	\item 2W may sound little, but from 200mW it's a factor of 10
	\item Still much less than a regular macro cell, but more than a
		picocell for indoor coverage
	\item Scheamtics and Gerber files for the hardware available openly
	\item small and compact form factor compared to large/bulky cavity duplexers
\end{itemize}
\end{frame}

\begin{frame}{OsmoCOS}
\begin{itemize}
	\item Smartcards such as SIM/USIM cards, but actually any type
		of chip/smartcards you can normally buy are proprietary
		and closed, as chip makers never release manuals
	\item Even if you write your own Card Operating System (COS),
		normally you would have to put it in mask ROM, requiring
		six or seven digit quantities as it basically would be
		your own version of the silicon.
	\item Thus, so far, all Smart Cards (even the OpenPGP Smart
		Card) run proprietary software inside
\end{itemize}
\end{frame}

\begin{frame}{OsmoCOS}
\begin{itemize}
	\item We found a Chinese smarcard chip maker (ChipCity) that
		provided the programming manual to their chip without
		NDA.  It has no ROM, but 256 kByte Flash and a known
		ARM7TDMI core.
	\item We started to write some low-level code like hardware
		drivers and can now work on our own Card Operating
		System
	\item Progress is slow, due to many other projects and few
		contributors
\end{itemize}
\end{frame}


\begin{frame}{osmo\_ss7, osmo\_map, signerl}
\begin{itemize}
	\item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
	\item Sigtran variants (M2PA, M2UA, M3UA and SUA)
	\item Enables us to interface with GSM/UMTS inter-operator core network
	\item Already used in production in some really nasty
		special-purpose protocol translators (think of NAT for
		SS7)
\end{itemize}
\end{frame}

\subsection{Non-osmocom projects}

\begin{frame}{The OpenBTS Um - SIP bridge}
\begin{itemize}
	\item OpenBTS is a SDR implementation of GSM Um radio interface
	\item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
	\item suitable for research on air interface, but very different
		from traditional GSM networks
	\item work is being done to make it interoperable with OpenBSC
\end{itemize}
\end{frame}

\begin{frame}{airprobe.org}
\begin{itemize}
	\item SDR implementation of Um sniffer
	\item suitable for receiving GSM Um downlink and uplink
	\item predates all of the other projects
	\item more or less abandoned at this point
\end{itemize}
\end{frame}

\begin{frame}{sysmocom GmbH}{systems for mobile communications}
\begin{itemize}
	\item small company, started by two Osmocom developers in Berlin
	\item provides commercial R\&d and support for professional
		users of Osmocom software
	\item develops its own producst like sysmoBTS (inexpensive,
		small-form-factor, OpenBSC compatible BTS)
	\item runs a small webshop for Osmocom related hardware like
		OsmocomBB compatible phones, SIMtrace, etc.
\end{itemize}
\end{frame}


\subsection{Future projects}

\begin{frame}{Where do we go from here?}
\begin{itemize}
	\item Dieter Spaar has been working with 3G NodeBs (Ericsson,
		Nokia) to be able to run our own RNC
	\item Research into intercepting microwave back-haul links
	\item Research into GPS simulation / transmission / faking
	\item Port of OsmocomBB to other baseband chips
	\item Low-level control from Free Software on a 3G/3.5G phone
	\item Re-using femtocells in creative ways
	\item Proprietary PMR systems
\end{itemize}
\end{frame}

\begin{frame}{Call for contributions}
\begin{itemize}
	\item Don't you agree that classic Internet/TCP/IP is boring and
		has been researched to death?
	\item There are many more communications systems out there
	\item Never trust the industry, they only care about selling
		their stuff
	\item Lets democratize access to those communication systems
	\item Become a contributor or developer today!
	\item Join our mailing lists, use/improve our code
	\item for OsmocomBB you only need a EUR 20 phone to start
\end{itemize}
\end{frame}

\begin{frame}{Thanks}
I'd like to thank the many Osmocom developers and contributors,
especially
\begin{itemize}
	\item Dieter Spaar
	\item Holger Freyther
	\item Andreas Eversberg
	\item Sylvain Munaut
	\item On-Waves e.h.f
	\item NETZING AG
\end{itemize}
\end{frame}


\begin{frame}{Thanks}
Thanks for your attention.  I hope we have time for Q\&A.
\end{frame}


\end{document}
personal git repositories of Harald Welte. Your mileage may vary