Here is a copy of some slides I wrote for a presentation on security weaknesses within GSM. I used an Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday cage and presented on how these attacks work to better understand them for defensive purposes. I was able to use the E100 as a generic IP-router after I cross-compiled a new kernel with netfilter enabled and also I had to recompile a number of the packages such as Asterisk to enable ODBC and improved SQLite support, I also had to make some changes to Python and its modules. I used GNURadio 3.6.4 and I had to compile a specific version of the OpenBTS code as the recent transceiver application did not function with the E100. I was able to get the E100 to work as a GSM/GPRS router and do real-time call placement etc. I got it to function with real-time support and wrote a small script to provision new devices by watching the syslog and adding to the SQLite database.

I also used osmocom-bb to do things like use gnuplot and graph the channel usage although the code is extremely ugly! I took RSSI measurements over a period of time into images and then tied them together for a movie, it isn't quite realtime but it makes pretty graphs. I mentioned how you could implement the MS side of the GSM stack using the osmocom project and as such am sharing the slides here. 

Just goes to show how mighty things come in small packages! Hope this material is useful to others on the list who may also be trying similar experiments. I ended up creating a firmware image that could be used to dd and boot an E100 but at this time I do not plan on hosting it for download unless there is sufficient interest. If you need it for some reason drop me an e-mail. 

Kind Regards,

Matthew