GSM [in]security Apple)

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Harald Welte laforge at gnumonks.org
Fri Jul 31 04:38:57 UTC 2009


Hi Johannes,

On Thu, Jul 30, 2009 at 11:47:33PM +0200, Johannes Schmitz wrote:
> On Thursday, 30.07.2009, at 23:16 +0200, Harald Welte wrote:
> > yes, this is very likely.  This is why it is very important how we communicate
> > our work and its result to the public.   I actually want to build an
> > operational GSM network and an operational GSM mobile phone from open source
> > components.  We can show that our work is constructive, that we actually
> > have useful results.  Doing nothing else but implementing open specifications
> > in open source software.  And among other things, this can be used for security
> > research and to make more engineers familiar with practical aspects of GSM
> > protocols.
> 
> But as a matter of fact the GSM standard itself has security
> vulnerabilities. So are we gonna demonstrate this? For example do you
> plan to show that false Basestation attacks are possible within a 1000
> Euro cost range or something like that?

Of course.  We have already shown that e.g. at 25C3 last year.  Interestingly
no press coverage at all, not even heise.de.  I guess they were all busy writing
about the DECT related security issues.

> I think we must be careful with such things and everybody should be
> aware of the fact that openbsc could be abused for criminal purpose. 

of course.  But is it our fault that the GSM spec was written with almost
no security in mind?  Is it our fault that the industry didn't do anything
to fix those problems for 20 years, despite the problems being very obvious?

The argument 'xyz can be used for criminal purpose' is true for about anything.
You can use a hammer to drive nails into walls, but you can also kill somebody.

You can use a TCP/IP stack to browse the web and send mail, or you can use it
to attack other computers over the network.

You can thus also use a GSM protocol stack for the very same features.

The internet also had things like telnet for remote logins, before security
evolved and ssh was created.  And even today, most e-mail is transferred
unauthenticated and unencrypted.  People are more aware of it than the
problems in the GSM world.

Real criminals like organized crime have always had the budget to fund the
development of technology that they used for fraud.  We're creating more
awareness in the general technology community (and in the end the public)
about problems that have already existed for decades, without any of our doing.

Plus: You can already buy a BTS + GSM network simulator for a five-digit
USD sum, even without OpenBSC.  It's commercial off-the-shelf equipment,
after all.

> I see this project as a chance to sensitize the general public of GSM
> security problems and send a message towards industry.

that's what I've always had in mind with most of the security projects that
I've been [even remotely] involved, e.g. OpenPCD and OpenPICC as tools for
practical RFID security analysis, deDECTed.org, ...

Regards,
-- 
- Harald Welte <laforge at gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)



