Femtospots

These days I was wondering if in the mid-term, femtocells might replace public Wi-Fi hotspots!?

With the rise of 3G USB keys and notebooks with built-in 3G connectivity, the popularity of Wi-Fi hotspots, especially paid ones, is likely to decline over time. Once people have a 3G card anyway and have instantaneous connectivity anywhere, they just won't bother anymore to search for a public Wi-Fi hotspot and go through the manual login process. In addition, femtos remove another shortcoming of public Wi-Fi: the missing air interface encryption, which today leaves the door wide open for all kinds of attacks.

With rising demand for Internet access in hotspot areas such as hotels, airports, train stations, etc., HSPA or LTE femtocells might be the ideal replacement for aging Wi-Fi access points which at some point have to be replaced by new equipment anyway. So mobile operators such as T-Mobile, Orange and others, who have a dual 3G / Wi-Fi strategy today could at some point just make such a move if they see that use of their Wi-Fi systems is decreasing and use of their 3G/4G macro base stations in the neighborhoods of their Wi-Fi installations is significantly increasing.

Some 'dual-mode' operators might even have a database with the geographical location of their base stations and their Wi-Fi installations. Together with traffic statistics of both systems, an automated system could document changes over time and could be used to help predict if and when a replacement of the Wi-Fi access points with femto cells might make financial sense. After all, femto cells are just as easily connected to a DSL line as a Wi-Fi installation.

Maybe some femto manufacturers even come up with integrated Wi-Fi/Femto boxes for public installations with the Wi-Fi being used to create a wireless mesh between several nodes in locations with only a single backhaul line and for access for those people not yet having 3G connectivity. Agreed, femto vendors today mainly position themselves around the femto base station for home networks but public femtos might be an interesting opportunity as well.

Space Invaders and 2D Barcodes

Do you know Space Invaders and the artist that puts them on walls in many different cities? If not you might want to have a look here. So what does this have to do with mobile and wireless? Looks like somebody has now started to add another dimension to this with 2D barcodes. If you have a mobile phone with a 2D barcode scanner, take a look at this picture, click on "full screen resolution" to increase the size of the 2D barcode and point your mobile towards the screen for the application to decode the barcode. Very interesting result… 🙂

Found via the Paris picture stream in Jaiku. Social networking at its best!

What happened to Low-Power and High Speed Bluetooth?

It has been very quiet on the Bluetooth front for over a year now. The last time I heard of Bluetooth in the press was when version 2.1 of the standard was released in summer 2007, which promises simpler pairing procedures and updated security protocols and procedures. I haven't seen much of this in practice yet, however. Also, there have been announcements on an ultra low power implementation for very small devices such as sensors and watches by including Nokia's Wibree developments, and on very fast transmission rates by porting the upper layers of the Bluetooth stack over to Wi-Fi. Both announcements were also made back in the middle of 2007. Since then, no word. Anyone got an update?

WPA Insecurities

Before the Wired Equivalent Privacy (WEP) encryption mechanism of Wi-Fi was fully broken, the industry acted quickly and pushed out a new Wi-Fi encryption scheme to the market called Wi-Fi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP). WPA had a number of security improvements over WEP and so far was considered to be fully secure. Looks like this is no longer quite the case, as Martin Beck and Erik Tews have recently published a paper on how they have partly cracked WPA encryption.

Partly in this case means that under a number of circumstances, all not unrealistic, it is possible to recover the key STREAM for ONE very short and specific type of packet from the access point to a client device within about 12 minutes, plus the key used for generating the message integrity code (MIC). The attack can't recover the key for the reverse direction, so the attack cannot be used so far to gain full access to the network. The attack is limited to ARP (address resolution protocol) management packets, for which most of the content is known in advance.

In practice this means that the attacker can then send up to 7 freely constructed packets (each in one QoS chain) to a client device. It is NOT possible, however, to decrypt other packets with the knowledge gained. Things that could be done with this, however, are to trigger intrusion detection systems or to trick a client into some sort of action and reporting the result to the destination IP address given in the packet, which could be in the Internet. For details see their paper here.

Two remedies are suggested in the paper: One of the requirements for a successful attack is that the timer responsible for forcing a re-negotiation of the ciphering key is set to a value higher than 12 minutes, which is usually the case. Many access points, however, allow the timer to be set to a lower value. Beck and Tews therefore suggest a timer value of 2 to 3 minutes.

Another way to prevent the attack is to use WPA2, which uses CCMP/AES (Advanced Encryption Standard). Most access points and devices sold in the past 12-24 months are capable of this 802.11i compliant authentication and encryption scheme. In my case, I had to update my Windows XP Service Pack 2 with this Microsoft Patch before I could activate WPA2.

Fortunately, most access points allow WPA/TKIP/RC4 and WPA2/CCMP/AES to run simultaneously. Thus, WPA and WPA2 capable devices can be used in the same network and a WPA device, while itself being vulnerable, does not compromise the security of WPA2 devices.
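The two remedies above can be checked mechanically. The following is an added example, not code from the paper or from any access point vendor: it audits a hostapd-style configuration for TKIP being offered and for rekey timers above the 2 to 3 minute value. It assumes the access point runs hostapd and that the `wpa_ptk_rekey` and `wpa_group_rekey` options correspond to the re-negotiation timer described above; the sample configuration is constructed.

```python
MAX_REKEY_S = 180  # upper end of the 2 to 3 minute value suggested in the post

# Constructed sample: mixed WPA/TKIP + WPA2/CCMP with 10 minute rekey timers.
SAMPLE_CONF = """\
# constructed sample, not from a real deployment
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_ptk_rekey=600
wpa_group_rekey=600
"""

def parse_conf(text):
    """Return key -> value for 'key=value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means TKIP is not offered."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))            # bit 0 = WPA, bit 1 = WPA2
    # hostapd documents TKIP as the wpa_pairwise default and lets
    # rsn_pairwise fall back to the wpa_pairwise value when unset.
    wpa_pw = conf.get("wpa_pairwise", "TKIP").split()
    rsn_pw = conf.get("rsn_pairwise", " ".join(wpa_pw)).split()
    tkip = (wpa & 1 and "TKIP" in wpa_pw) or (wpa & 2 and "TKIP" in rsn_pw)
    if not tkip:
        return []
    findings = ["TKIP is offered: clients that negotiate it are exposed"]
    # Assumption: an unset or 0 timer is treated as "no short rekey configured".
    for key in ("wpa_ptk_rekey", "wpa_group_rekey"):
        interval = int(conf.get(key, "0"))
        if interval == 0 or interval > MAX_REKEY_S:
            findings.append(f"{key}={interval}: rekey within {MAX_REKEY_S}s "
                            "while TKIP is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A WPA2-only configuration (`wpa=2`, `rsn_pairwise=CCMP`) yields no findings, while a mixed configuration with both timers at 120 seconds yields only the TKIP notice.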

Since only single ARP packets from an access point to a device can be decrypted and only short packets can be injected, the usefulness of the attack is quite limited for the moment, unless, of course, somebody figures out how to open up the reverse direction or finds another loophole, like triggering an IDS system or exploiting an OS vulnerability with the few short packets that can be sent without knowing the key.

Dongle Upgrade Incentives

Here's a thought experiment about whether and how operators should encourage users to upgrade their 3G dongles to a newer model:

Most HSPA dongles currently 'in the wild' are HSDPA category 6, i.e. they are capable of theoretical speeds of up to 3.6 MBit/s. Category 7 dongles with a maximum theoretical speed of 7.2 MBit/s are now also available and currently going over the counter. The speed increase between the two is mainly due to an increase of the number of spreading codes the device can handle simultaneously. In other words, from an overall network capacity point of view it does not matter a lot whether most of the devices used for high speed Internet access are category 6 or 7. In the future, however, this is going to change.

Pretty soon, higher speeds in HSPA networks will be mainly achieved by more sophisticated 3G devices and networks. Receive diversity with several antennas helps during weak signal conditions (this Ericsson paper is a good starting point for further research) and MIMO while reception is good. In addition, more sophisticated mathematical approaches to separate noise from useful data will also help to increase data speeds. From a network point of view, this means that the more of those newer devices are in the network compared to the number of older devices, the higher the overall throughput of the network.

So should it be in the operators' interest to encourage users to upgrade to newer devices? And if so, how could that be done best? Is the higher speed achieved with those devices incentive enough, or should the base station scheduler also take the UE category into account to further boost data rates of newer devices? I could also imagine offering a reduced rate to users with newer hardware, as they use the air interface more economically than users with older hardware. Kind of a similar approach to taxing older cars with higher emissions higher than new cars (don't take the analogy too far…). Or maybe this is all overkill and the normal equipment replacement cycle of 2-4 years will do the job anyway!?

Three Italy won’t sell me a Prepaid SIM

Things can be simple when it comes to prepaid SIMs. You walk into a supermarket, get a SIM and 2 minutes later you are set. Not so with mobile operator '3' in Italy.

When I wanted to buy a prepaid SIM card from them this week they refused to sell me one. In the first store I went to at Roma Termini station, the shop assistant first doubted that it would work in my non-Italian mobile phone. Once we cleared that up, they refused to accept my German identity card, which by the way is good enough for customs and for boarding airplanes as a valid identity. Hm, but not for buying a SIM card!? Ridiculous.

So in the afternoon, I went to another store in downtown Rome which was on my way, this time equipped with my passport. Just to make sure. Here, the same story again, but I made it up to the Italian tax number, which they say is also required. I have one so I gave it to them. However, they insisted that they would only accept it on an official document. Again, no SIM card for me. Ridiculous.

I have to say I am baffled. I could have understood one shop assistant being a bit difficult, but two in two different stores!? Note that this is only a '3 Italy' attitude. Some days ago I got a SIM card from mobile operator WIND; my ID card was good enough and no Italian tax number was required. Same with Vodafone Italia just three months ago, just around the corner from the 3 store, and I was not the only foreigner buying a prepaid SIM card while being there. As a matter of fact, I had to take a number and stand in line. Guess where the money is going.

Anybody in '3 Italy' reading this blog? Hello! Wake-up! How many millions of visitors are coming to your country each year who could be your customers!? Hm, but maybe that's one of the reasons why your market share is below 10%…

Virtual GSM in the Future?

While HSPA+ and LTE drive data rates higher and higher and have network operators and vendors discussing which is the right way to go, GSM for voice and low bandwidth data applications is unlikely to go away anytime soon. I've speculated in the past about when GSM would be switched off in Europe and elsewhere and wondered if maybe at some point Software Defined Radio (SDR) technology would make it possible to fold all radio access technologies into the same hardware and into a single digital and a single radio module in the base station. The more I think about it, the more interesting such a combined option looks to me.

With backhaul already converging to IP for GSM, HSPA and LTE, there will be nothing standing in the way from that side of the network in just a couple of years from now. From a handset perspective, GSM might also be the least costly and best technology for the foreseeable future for voice-only devices. When I look at my 3.5G mobile stuffed with the latest technology and compare it to the simple GSM phone I use for voice calls only, I can not only see a significant difference in size but also in price. After all, a 3G handset does not only have to contain more hardware but the license/patent fees are also much higher than for GSM phones. And LTE will further increase the hardware and royalty costs, so there is no break from this perspective, either.

And while LTE and HSPA+ might be optimized for speed, they are definitely not optimized for voice and power consumption when compared to GSM.

A single digital / radio module in the base station would also have another interesting benefit: When only little capacity for GSM voice and GPRS/EDGE data is required in a region the base station could automatically reconfigure itself and use more of the bandwidth for LTE. During busy hour, when voice calls over GSM come close to the capacity of the current configuration, the LTE carrier bandwidth could be reduced and additional narrow band GSM carriers could be fired up within a few seconds. Currently, LTE bandwidths are defined at 1.25, 2.5, 5, 10, 15 and 20 MHz. Maybe not yet fine grained enough but that could be changed in future versions of the standard.

In the backhaul, everything will have converged on IP right up to the MSC Media Gateway and from there the phone call is also sent through the network over IP connections. The H.248 protocol between the Media Gateway and the MSC Call Server is also based on IP, as well as the link to the Home Location Register and all other equipment in the core network. In effect, the once circuit switched GSM network has become fully IP based and only higher layer protocols such as DTAP and MAP are still remaining from the original protocol stack to preserve the super efficient GSM air interface technology for voice.

Unconventional ideas, but who knows what the future holds.

Carnival of the Mobilists #150 at Mippin

Scott over at the Mippin blog is hosting the Carnival of the Mobilists this week. As always, lots of interesting posts from various blogs from all over the world on wireless topics. Scott has selected Andrew Grill's "Ask, don't tell: The golden rule for mobile advertising 2.0" as best post of the week. Good choice, I can't wait to be asked 🙂 For this and more, head over and enjoy.

8 SIM Cards and 3 Operators

In the days of prepaid SIMs and multiple phones many people carry, counting the Average Revenue Per User (ARPU) based on SIM cards has pretty much become irrelevant. I am the best example that this approach doesn't work anymore. Let's make it simple and only take a look at how I use mobile networks in a single country, Germany:

  • The 'currently used prepaid SIM card' in my primary phone which has good rates for telephony and small screen mobile Internet access. Network: T-Mobile, MVNO: Congstar.
  • My 'I always stay the same' prepaid SIM whose phone number is known by all my friends and via which they can reach me no matter in which country I am at the moment. When I am in Germany, I forward all incoming calls to the currently used SIM card since the price for Internet access is too high. Network: T-Mobile, MVNO: Simplytel.
  • My business SIM card, the only one that is postpaid. Network: T-Mobile
  • The prepaid SIM card in my car. I have a block heater which is connected to a GSM module. In the morning and evening, I call the car to switch on the heater so my windows are de-frosted and the interior is warm by the time I arrive. Network: T-Mobile, MVNO: Simplytel.
  • The prepaid SIM for notebook Internet access. I can activate 200 MB for 10 euros or 5 GB for 20 euros. Network: O2/Telefonica.
  • Two prepaid SIMs for notebook Internet access in Germany (€4.95 a day) or when I travel abroad and no local offer is available (€14.95 a day). Network: Vodafone. I have two so I can lend one to guests or colleagues traveling abroad.
  • One prepaid SIM to use in the mobile phone abroad for small screen web browsing and mobile e-mail in countries where I don't have a local SIM card. 19 cents for 100 kB is not exactly cheap but does the job well for mobile only use. Network: E-Plus, MVNO: Alditalk.

Altogether that's 8 SIMs and 3 mobile operators. Have fun calculating the ARPU! From a technical point of view all this is quite unnecessary: one SIM card for the mobile phone, one SIM card for the 3G USB notebook dongle, and one for the block heater in the car is all I would need.

3G Coverage on a Train Ride to Vienna

Recently I took the train from Linz to Vienna and I was quite surprised that Mobilkom Austria (A1) must have put more or less dedicated 3G coverage alongside the railway track, even in very rural areas. I had 3G coverage for most parts of the trip, and in the few places 3G coverage was lost, their EDGE network kicked in. I've reported on my experiences with non-optimized 3G HSDPA coverage on board trains before (here and here), but this time, the experience was even better. The connection I established was maintained throughout the trip and high speed data transfers taking several minutes were performing very well, as shown on the image on the left. I even dared to launch my IM client as connectivity was simply always there. I stepped out of the train very impressed by what is possible when operators decide to do proper network planning and deployment.