OpenBTS uses the usrp on one side and Asterisk on the SIP world side.
From Asterisk perspective every mobile phone changes into a SIP
endpoint with the username IMSI<imsi number> with a sip entry in /etc/
asterisk/sip.conf. But there is no security involved (no use of a
secret like secret=34_&adfadf in the sip entry in sip.conf) and when
OpenBTS is used as an integrated part of a telephone solution this
might cause serious problems if the IMSI-numbers aren't kept and
treated as highly qualified secured info. The IMSI numbers are saved
in log files and pass by on the screen if the verbose level is set
above 3. If there is no connection to the network and the internet and
the OpenBTS is a network on its own there is no risk but as soon as
there is a connection with the network, taken the risks involved with
using SIP entries without a secret/password becomes important.
Every SIP phone that accepts registration without a password can make
use of the sip entry and, if there is interconnection with the regular
phone network (PSTN), make, within the bounderies of the permissions
set, outbound phonecalls. It all depends on the setup but if you
allow registration from outside and enable nat traversal in Asterisk
be aware that the not protected SIP entries can be used by anyone who
knows an IMSI number of the SIM cards used, and leaves you with a sky
rocket high phonebill. Everybody walking around with a mobile phone
mend for use with an OpenBTS solution can find out his or her IMSI
A solution can be to add the secret used by the registration as a
variable in OpenBTS.config.
and use this value during the registration process
\Erik de Wild
Get latest updates about Open Source Projects, Conferences and News.