Hi David,
On Wed, Jul 22, 2009 at 09:22:57AM -0700, David A. Burgess wrote:
> One thing we plan to do at Burning Man is run an auto-provisioning system
> via SMS, using the BTS itself as a SIM reader. When a handset first
> tries to register, we will accept the location updating attempt and then
> send a text message saying "If you want experimental service, please
> reply with your telephone number." The reply to the text message then
> goes into a function that creates a new entry in the provisioning
> database based on the originating IMSI and the content of the message.
> Then we will respond with something like "Thanks for joining our test.
> This is an experimental network. WE DO NOT SUPPORT EMERGENCY CALLS. To
> quit the test, reply to this message." In the US, at least, the part
> about emergency calls is really important.
>
> I realize you don't have a lot of time left to get ready for HAR,
> though. This may or may not be a simple hack, depending on the state of
> your SMS software. But if it works, it will be a lot faster than
> provisioning phones by hand.

Yes, I was thinking about something similar, but more restrictive:

* let an unknown IMSI perform location update
* send an SMS that this is a test network, include IMSI plus some
  authentication token in the SMS
* send an authentication request to the phone
* reject the authentication irrespective of the response

This way the phone cannot stay on our network until somebody has gone to a web
browser and entered IMSI + auth code from that SMS. Still it's not foolproof,
since anyone with airprobe could just get that IMSI + auth code off the air
and authenticate for somebody else :(

Oh, and of course, only do that entire procedure once for every given IMSI,
so next time the location update request is rejected without any SMS,
unless the auth code has been entered on the web site.

I'm not sure if I can manage to implement this, but it would be the
solution I would hope for. On the other hand, having to manually enter people
keeps the number of users smaller and more controllable. If there's one
volunteer who can take care of that, it should be fine.
Regards,
--
- Harald Welte <laforge(a)gnumonks.org>
http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
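
The once-per-IMSI procedure from the reply above, sketched in C as an added example (not part of the original message and not OpenBSC code). All function and type names are hypothetical, the in-memory table stands in for the subscriber database, and the token still travels in a clear-text SMS, so the over-the-air sniffing concern raised in the message remains.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; this is not OpenBSC code. */
enum lu_action { LU_SEND_TOKEN_AND_REJECT, LU_REJECT_SILENT, LU_ACCEPT };
struct subscriber { char imsi[16]; char token[17]; int authorized; };
#define MAX_SUBS 64
static struct subscriber subs[MAX_SUBS];
static int n_subs;

static struct subscriber *find_sub(const char *imsi) {
    for (int i = 0; i < n_subs; i++)
        if (strcmp(subs[i].imsi, imsi) == 0) return &subs[i];
    return NULL;
}

/* Write 16 hex characters from the kernel RNG into out; 0 on success. */
static int make_token(char out[17]) {
    unsigned char raw[8];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    for (int i = 0; i < 8; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}

/* Location update: the first sighting of an IMSI gets one SMS, then a reject. */
enum lu_action on_location_update(const char *imsi, char sms_token[17]) {
    struct subscriber *s = find_sub(imsi);
    if (s) return s->authorized ? LU_ACCEPT : LU_REJECT_SILENT;
    if (strlen(imsi) > 15 || n_subs == MAX_SUBS || make_token(sms_token) != 0)
        return LU_REJECT_SILENT;
    s = &subs[n_subs++];
    strcpy(s->imsi, imsi);
    memcpy(s->token, sms_token, 17);   /* caller sends IMSI + token by SMS */
    s->authorized = 0;
    return LU_SEND_TOKEN_AND_REJECT;
}

/* Web form: returns 1 and authorizes if IMSI + code match the SMS sent. */
int web_confirm(const char *imsi, const char *code) {
    struct subscriber *s = find_sub(imsi);
    if (!s || strlen(code) != 16) return 0;
    unsigned char diff = 0;            /* compare without early exit */
    for (int i = 0; i < 16; i++) diff |= (unsigned char)(s->token[i] ^ code[i]);
    if (diff == 0) s->authorized = 1;
    return diff == 0;
}
```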