So, it is my great pleasure to be able to announce our next speaker. For those of you who have been to previous Congresses, Tobias Engel has been presenting at 18C3 on the short message service protocols and on 25C3 on locating phones with SS7 through SMS routing, and as Tobias is an intimate friend and foe of diverse protocols and their implementations, I'm much looking forward to seeing what he has found today in his talk, SS7: Locate, Track, Manipulate, so please join me and give a very warm welcome to Tobias Engel.

Thank you. Yeah, so as Andreas already said, I want to talk about further security issues with SS7 today. So, why should you care? Everybody who has a phone in his pocket indirectly uses SS7, and I'm going to talk about how your every movement can be tracked all over the world and how people can intercept your calls, man-in-the-middle them and your short messages, and all of that only by knowing your phone number. Okay, one thing in advance. A few weeks ago, Karsten Nohl contacted me. He has the talk after this one, and we realized that his company and I did a lot of parallel research over this year, so we kind of split up the topics a little bit. And also, as I was made aware of only two days ago, two Russians, Sergey Puzankov and Dmitry Kurbatov, already presented on that subject in May and talked a lot about the same issues. So, it really seems 2014 is the year of SS7 research.

Okay, how did this talk come together? Earlier this year, a journalist from the Washington Post contacted me and told me that there are several companies out there selling tracking of people. And so, as you can see, I didn't come up with the title of my talk myself, Locate, Track, Manipulate. It's actually the subtitle of a brochure by Verint on their SkyLock product.
And as it turns out, companies are selling that ability, and as you can see, it's very detailed tracking, down to city streets all over the world, and all you need is the phone number to track these people. And the journalist asked me, because I had done similar work on the subject, how that would be possible. And I wanted to find out, but first, let's look at what Signaling System 7 is. It's a protocol suite used by most telecom network operators throughout the world for the switches to talk to each other. It was designed a long time ago, and back then in the 80s, there were no mobile phones. It was all just fixed line phones connected to a socket in the wall. So there were no privacy implications. And also, there were only very few telecom operators, state-controlled big companies who trusted each other.

Then came the mobile phones and new features with them, and so new protocols had to be added to SS7. So now you could take your phone everywhere. You went to other countries, so roaming had to be implemented. You could send text messages. You have the Internet. So the mobile application part, MAP, was added that does all those things that mobile phones can do that fixed line phones cannot do. Then even later, a new protocol was added, the CAMEL application part, that allows operators to build custom services that are not possible with MAP, more on that later. And for none of these services does any authentication exist. So if you are in the SS7 network and you have a roaming agreement with other operators, you can simply use these services and don't have to authenticate.

And getting access to SS7 is becoming easier all the time. It can simply be bought from telecom operators, network operators. Because if you are, I don't know, if you plan on doing some SMS service or something like that, you might actually need SS7 access. So it can simply be bought. Usually, so the SS7 access, as it is, is simply like an Internet access without an IP address.
So you still need the address. It's called a global title. And you need roaming agreements that cover that global title so that your messages get routed. Usually, but not always. Sometimes it works without roaming agreements. And also, several telcos are reselling global titles that are covered by their roaming agreements. Also, it happens that network operators leave their SS7 equipment unsecured on the Internet. And also, there have been several reports of femtocell hacking. And femtocells are an extension of the network operator's core network into your home. So if you can hack femtocells, there's also a chance that you have access to SS7.

Quick overview over the protocol stack. Down there on the left side, MTP level 1, that's the physical layer, T1 or E1 lines back in the days. Nowadays, it's often routed over IP. But this talk focuses on SCCP, MAP, CAP, the network layer, and the mobile application part that implements all the features for mobile phones.

Quick network overview. On the left and on the right, you see the base station subsystem. This is the part our phones talk to, with the cell towers, the base station controllers, and so on. This is not the focus of our talk. The focus is the core network of the operator. All the red lines you can see are SS7 connections. So the operator's equipment uses SS7, and also between operators SS7 is being used. One of the most important network elements is the home location register. That's a database containing all information on a subscriber, meaning his phone number, is it a prepaid or postpaid contract, what is he allowed to do, data, text messages, calls, incoming, outgoing, are there any call forwardings set, and so on. And also the home database, the home location register, knows which mobile switching center, MSC, or VLR, visitor location register, is currently closest to a subscriber.
So the visitor location register receives a copy of the subscriber's data from the HLR as soon as you switch on your phone. And so, for example, most networks will have one mobile switching center for Hamburg here. So we are all logged into the respective network's switching centers for Hamburg right now, and that received a copy of your subscriber data from your respective HLR. So the visitor location register and the mobile switching center, which is actually routing the calls, it's always co-located with the VLR, so I put them in one box there, so two different logical entities, but they also have the same address, and it's mostly the same machine. Addressing is by global title. Global titles look just like international phone numbers, on the left for a German network, on the right for a US network. Most of you, if you have ever come in contact with a global title, it was for the SMSC back in the days when you still had to enter the SMSC on your phone by hand; then you entered the global title for the short message service center so that you could send short messages.

Okay, so much for the quick overview, now to cell level tracking, so what those commercial providers are offering. The network of course needs to know your position. It needs to know which base station or cell is closest to you, because you want to receive calls, you want to receive short messages, and so on. So every base station in the world has a unique ID, and if somebody can find out that ID, then he can use that ID to look up its geographical position in one of several databases on the internet. So for example, Google has a very big cell ID database. And of course, especially in cities where the cell towers are pretty close, the location of the cell tower closest to you is also a pretty good idea of where you are currently.
So the commercial providers claim coverage of about 70% of worldwide mobile subscribers, meaning you don't have to be close to that subscriber, you don't have to know where he currently is, you just need to know his phone number. Some have some non-technical limitations, so for example, in the Verint brochure they say you cannot locate Israeli subscribers in Israel or US subscribers worldwide. Verint, by the way, is a US-Israeli company. Yeah, and so SkyLock, Infiltrator, they all have very nice names for their products.

Okay, how does it look on the protocol level? On the left, the attacker, he sends a MAP anytime interrogation request. So anytime interrogation is exactly for that purpose, for finding out the cell ID of a mobile subscriber. It's used for network internal purposes normally, for example, if you have a home zone so that you can make cheaper calls if you're currently at home and so on. So that's what it's used for, but it can also be used by attackers to find out the cell ID. So anytime interrogation goes to the home database of the subscriber and says, okay, please let me know the cell ID and, if you want, also the IMEI, the phone serial number, of that subscriber. And the home database doesn't know the cell ID, it just knows what switching center is currently serving that subscriber. So it sends a provide subscriber info request to the switching center. The switch pages the mobile subscriber, so that the switch can be sure that it's really got the current cell, and the information gets returned to the attacker. So it's really only meant as a network internal service, but still, as you can see, this is a Wireshark trace of a request we sent, and it still works for many networks. You can see the cell ID at the bottom.
Okay, but many networks, especially in Europe, most of the networks actually, or at least in Germany, all the networks block anytime interrogation by now. But as we have seen before, the HLR, the home database, doesn't even know the cell ID. So we just need to find out the address of the switching center, and then we can ask the switching center itself. Also, we need to find out the IMSI, the international mobile subscriber identifier, of the subscriber, because internally in the network, not phone numbers are used for routing, but the IMSI. And luckily, there's a request for that. We can just ask the home database, the HLR, please tell me the IMSI and what switching center the subscriber is currently at. That's used for SMS routing normally, so if you are a different network and want to send a short message to that subscriber. So the information is returned, and then the attacker can simply ask the switching center itself, and it works just like before. And that works really for a lot of networks, because also, most MSCs or switching centers accept requests from just anywhere and anyone. So you would say, okay, if there's a German subscriber currently at home in his German network, for example, and, I don't know, an Indonesian network should have no business querying his location. But the MSC or VLR doesn't do any plausibility checks, and the request will get answered.

Okay. So to demonstrate this better, for about two weeks, we tracked some people who were nice enough to give me their phone number and said, okay, you can track me, and let me see if I can show that to you. Yeah, okay, there is somewhere there. Okay, my touchpad is acting weird. Okay, let's start. So that's a Dutch subscriber who was in Seattle when I started tracking him. And as you can see, down there are the times. And yeah, okay, so he said he didn't use the ferry, so that's on the water there.
That was the location database giving me back a wrong position, but he said that it's very accurately near to where he lives and where he works in Seattle. And so it continued for a few days, and then the Dutch subscriber, for Christmas, as you can see down there, he flew back to the Netherlands. And let's see, we can really see. So here's Schiphol, and we can really see. So the next tracking was when he was on the train away from Schiphol and then through the Netherlands, and yeah, and he asked me to remove the last point of those tracks because he said that was too close to home. Okay, some other, let's see. So here we can see very nicely somebody who lives in Luxembourg. You can actually see him traveling down the Autobahn, then stopping somewhere, then continuing traveling, and then after some time taking the plane to Hamburg, wonder what he's doing there. And so, yeah, so you can see how he traveled to the Congress. Also, I think you got the general idea, somebody living in Hanover, Darmstadt, and also you can see pretty well where he took the Autobahn, where he traveled, what route he took also to Hamburg in the end. So, and as you can see, it's really relatively precise.

So yeah, this is possible for almost all of us. And I think it's really scary because, I mean, you don't have to know somebody, you just have to know his phone number and can track him from the other side of the world. You don't have to be near him, you just need SS7 access. And of course, those companies who are offering those services, they are saying they're only offering those services to government agencies and law enforcement and so on. But I don't know about you, there are many countries in the world whose governments I wouldn't trust with this functionality.
Okay, then we talked to one of the big German operators about those problems, and they were really shocked finding out about that and started monitoring the network and found a lot of traffic that was carrying people's positions and other stuff. So then after a while, they implemented some filters, filtering out the possibility to figure out the IMSI and the current mobile switching center. So as we saw earlier, you need that, you need to find out the IMSI and mobile switching center. So they disabled that ability, and the attack traffic dropped more than 80%. And they started to try and figure out where the traffic came from. So some of the traffic was simply misconfiguration in other networks that was quickly fixed. Then some commercial use cases, for example, a shipping company tracking its vehicles, and also an SMS provider who provided a service for banks sending mobile transaction numbers, one-time passwords, as short messages to phones, and they wanted to check if the SIM card had been swapped, because a few years ago there was a case where criminals swapped the SIM cards of their victims and got the mobile transaction number, and so they wanted to check if the SIM card had been changed to prevent that kind, but they were using a network internal service for that, and that was also switched off then. And some of those network operators that were contacted by the German operator, they either didn't answer or said they didn't know about anything, so the German operator believes that those were requests by state actors or by those other network operators themselves. And some of these attacks still persist, meaning those attackers need other information sources. They somehow need to find out the IMSI of the subscribers, maybe they know them from before or they have other resources to find that out, and for the switching center they can simply brute force it, they can simply brute force the number range, but yeah, those attacks still continue.
Okay, this very quickly, because we don't have so much time. In the US there's a requirement that if you call 911, phones have to be located very precisely, so there was a new feature added to MAP, the location services, that doesn't just return the cell ID but an actual latitude and longitude. And they can even return the GPS position of a phone: if it has a GPS receiver, it can be switched on and then returns its position back to the network. Those emergency services, they use the GMLC, the gateway mobile location center, and that requires authentication, thank God. So this is straight from the specification, you see up there the police, for example, is the client, and it sends the LCS service request to the GMLC, and that requires authentication. But as we have seen before, the switching centers, they don't care about authentication, don't know about authentication, so you can again send the provide subscriber location request directly to the switching center. So in practice that works as seen before: just ask for the IMSI, ask for the switching center, then query the switching center directly. But as I wrote here, they implemented some funny kind of sender address verification, because they said, okay, maybe those requests shouldn't be allowed from outside the network, so they wanted to verify the sender address. So the sender and destination address for MAP messages are in the SCCP layer. So this is how it looks: calling party means the equipment that sends the message, and called party, for example, the calling party in this case is the HLR, the home location register, and the called party the VLR. And the problem is the SCCP layer doesn't know who is allowed to use MAP services or not. So the solution is they have the sender of the message put in another copy of the sender address in the MAP layer. So responses will be routed to the calling party address up there, but verified will be the address down there.
Meaning if we tell the truth and put in the same address twice, we get back "unauthorized requesting network", but if you just put in an address that looks similar to the network, so that the network thinks it's an internal address, it works. So you get back the latitude and longitude. Okay, this is obviously not a GPS position, I don't know, maybe that person was somewhere where GPS was not available or something.

Okay, so now we have seen a lot about how it's possible to gather information from the MSC, but it's also possible to manipulate information there. So it's just white there, okay, the colors, it's actually colored here on my display, but yeah. So if you remember, back in the beginning I said when you switch on your phone, your home database, the HLR, transfers a copy of your subscriber data to the MSC or VLR, and the VLR from that point on controls everything you can do with your phone. But an attacker can also play HLR and send a copy of the subscriber data, as he modifies it, to your current switching center, meaning he can enable or disable the possibility to make calls, incoming or outgoing, SMS or data, or delete the subscriber altogether from the VLR.
Okay, and that, okay, another thing, new protocol, CAMEL, the customized applications for mobile networks enhanced logic, nobody ever can remember that. It's like an overlay over the usual MAP logic, and it gives your network operator the ability to say, okay, for example, if you are currently, I don't know, you're a German subscriber, you're currently in France, your home network operator can say, hey, every time that subscriber from my German home network wants to make a call, contact the home network, that is the service control function, contact the service control function in the home network. And the service control function in the home network then decides if that call can continue, or if the data will be modified, or if it will be cancelled. So on the left we have the home network with the service control function. It sends the address of the service control function to the switching center, because you as the German subscriber are currently in France, so it sends the address of the service control function to the French MSC and says, okay, contact me whenever that subscriber of mine wants to make a call. Okay, then the subscriber wants to make a call, and he forgets to add the international country code before the phone number. He just dials it like a German phone number, and usually that wouldn't work, because the French MSC doesn't know anything about how German phone numbers work. But the service control function gets contacted, says, okay, your subscriber wants to call that number, what should I do with it, and the service control function rewrites it to the international number, and then the call can be set up, and the subscriber doesn't know anything about it. He just dials the number like usually from Germany, and it works. So but if you remember, the address of that service control function, it gets sent to the switch by the home database. So if the attacker can modify data in the MSC, he can simply send a different address to the MSC, his own global title.
He can say, okay, every time that subscriber does anything, contact me, and he provides his own address. So now the subscriber there on the left, he wants to dial that number, that subscriber on the right, he dials the number, and the switching center now contacts the attacker. So the attacker now already knows the phone number the subscriber wants to dial. And then he changes that phone number to the number of his recording proxy that he has somewhere, I don't know, it doesn't even have to have SS7 access, it can just be some Asterisk box on the internet with a publicly reachable phone number. Okay, the call will be set up to the recording proxy, and it will be bridged to the original subscriber. And then both subscribers can talk to each other while the attacker is the man in the middle and records the whole call. And so just a few days ago I read that this is actually happening. So I heard of a Ukrainian network operator who found out that several of its subscribers' calls had been intercepted, and those requests came from a Russian SS7 network. So this is actually happening.

Okay, so now we've seen a lot about the switching center and its vulnerabilities, but the home location register also has some vulnerabilities. So first let's look at what exactly happens if you travel to another region or country. So in this case I said it's a different country, but it's actually the same if you are just traveling, I don't know, from Berlin to Hamburg and you're a German subscriber. So your phone sends a location update request to the switching center, and that sends an update location request to the HLR. What happens then is the HLR saves the address of the mobile switching center, because it needs to know where to route your incoming calls and your incoming short messages. It saves that address and sends, as I said before, a copy of the subscriber data to the switching center.
So now, for example, somebody wants to send you a short message, they're on the left, the short message service center of that network asks your home location register, the home database, please give me routing information for that phone number, and it gets back the address of that switching center there. It can then send the short message to you. But an attacker can also send an update location request in your name. So he will send the update location request to your home database, to your home location register, and then the home location register will save the attacker's address. That means that, for example, again, the bank sending a one-time password, mobile transaction number, wants to send you a short message, that short message now gets routed to the attacker without the subscriber knowing about that. So in the case I mentioned earlier, where criminals were swapping SIM cards, if they had SS7 access, it would have been even easier for them. They wouldn't even have to switch SIM cards. They could have just said, okay, I'm the subscriber now, send the short message to me.

Okay, another thing, USSD codes, those star hash codes you probably know you have to enter in your phone sometimes, they can also be executed for other subscribers by an attacker. So not in Germany, but in several countries carriers allow transfer of prepaid credits via USSD codes. So you could just empty a victim's prepaid account and send all of the credits to your own number, for example. Also, call forwardings can be set and deleted, meaning if I activate a call forwarding on your phone to, for example, a premium rate number and then call your phone for just the normal fee, you have to pay for the call to the premium rate number. That premium rate number would, of course, also be controlled by the attacker.
Okay, so, and you don't even have to do what I showed before, where the attacker tells the home database that the subscriber is now in my network, the subscriber is now being served by me. You don't even have to do that. If the subscriber is a German subscriber at home in his German network, he can stay there, and still the German home database will say, okay, I will execute that USSD code for the subscriber, or activate that supplementary service for the subscriber, call forwarding or something like that. So as you can see here, we queried the balance of a German prepaid card while it was logged into the German network from a network on the other side of the world.

Okay, so I guess this one, Karsten is going to talk about. Karsten, are you? Okay, okay, then you have to translate it to English. Okay, so this, I called it hybrid attacks because, okay, so I called it hybrid attacks because you have to hybrid, right, like up there, sorry, is this an actual human doing the translation? Okay, so hybrid attacks, meaning you can capture the, so over the air interface, if the network wants to reach you, so now really at the base station, if the network wants to reach you, it sends a paging request to your phone. And for that it uses a temporary mobile subscriber identifier that has been introduced, okay, that identifier has to be transferred unencrypted, and that temporary identifier has been introduced so that you cannot find out who is currently making a call. You're not being paged by your phone number or by your IMSI, it's a temporary identifier, and it should not be possible to de-anonymize it. But as it turns out, if the attacker just captures all the paging requests, all the TMSIs, for example with OsmocomBB or something like that, he can then simply ask the mobile switching center, give me the IMSI of that subscriber, and then you can do an update location request and find out the MSISDN, the phone number.
So if you do that, I don't know, in Berlin at the seat of the government, I don't know how long it takes until you get Angela Merkel's phone number. Okay, call interception, Karsten is going to talk about that in a minute, I'm sure.

LTE, so the SS7 network is used by GSM and UMTS, LTE is using a different protocol, the Diameter protocol, for the network core, meaning SS7 is becoming a legacy protocol, but a lot of the SS7 design flaws have simply been ported to Diameter. So for example, there's still no end-to-end authentication for subscribers. And also GSM and UMTS will still be around for a long time to come. People say about 20 years SS7 will still be in use, and also there are interfaces from Diameter to SS7 to be able to make calls from LTE to GSM, UMTS, or the other way around.

So, yeah, to sum it up, an attacker with only his victim's phone number can track his victim's movements, in some networks even with GPS precision, he can intercept his victim's calls and text messages and most likely also data connections, although we didn't try that. Disable calls, SMS, data, reroute calls at the victim's expense, and more.

So what the operators can do against that. Network operators, so as I said in the beginning, you have to find out the IMSI and the mobile switching center to be able to manipulate the mobile switching center. And the main reason for network operators to give out that kind of information to external networks is for SMS routing. So there has been a new way around for quite some time now, called SMS home routing, where the network operator uses an SMS router in the subscriber's home network so that it doesn't have to give out the actual address, the global title of the switching center, but just the address of the SMS router. So some of the German networks, for example, already use SMS home routing, so it becomes a lot harder to figure out that kind of information, and some don't yet, I hope they will soon.
And also another source of that information is the send routing information request for voice calls. But if the network operators don't use optimal routing, they can also simply disable that for external networks. Some of the German networks again already did, some didn't do it. So you as the subscriber cannot really do anything, because this works for all phones which are connected to the network, no matter if it's a smartphone, a feature phone, you can't do anything because it's happening in the network.

Okay, so now I've prepared a small demo. Let me just get that back to my screen here. Okay, I hope it works and I hope you can see something. If you can switch to the... Yeah, thank you. Oh, it's... Oh, okay. Okay, so I'm... So this is a subscriber in a German network, and I'm going to... He wants to call his friend on this phone. So, and as you can see, it works. The other phone rings as expected. So, well, yeah, a phone call. It worked. Great. That wasn't the demo. Yeah, very funny. Yeah, I know everybody has the number now. Okay, now I do some SS7 magic. So I sent an insert subscriber data. I try the same thing again. I have the same number, and let me see if you can hear that. Can you hear that? You can't, right? Okay, it says for the dialed number, call barring has been activated. So if you could just stop for a second calling that number. The call simply doesn't go through anymore. So it won't work. I can also switch it back on again if I dial again. Yeah. As you can see, it works now. So, and another thing. So the friend wants to call back. So he dials the number. Guys, stop calling for a second. So he's calling food test. Oh, the call forwarding is still activated. Okay, so the call arrives on that phone. I will switch it off. So, and I do the call again. Okay, so the original phone rings like it should. I will show you again because that was, of course, now the wrong way around. I will show you. Can you read that?
Okay, so there's no call forwarding activated. So if I activate it now and do the same request again. Okay, now you can see the number for a call forwarding that has been activated. Okay. Yeah, that's it for the demo. That's it for me. Thank you very much.

Everyone, if you have any questions, please do line up at the microphones. If you're planning to leave, please do so now. Get up quietly and leave the room to make room for people who want to enjoy the next talk. Right now you're only allowed to leave. So please do this now quickly and quietly. So we have a question from microphone number two.

Thank you for the talk. In the beginning you said that government agencies would be using SS7 for so-called lawful interception. And you said you wouldn't trust the governments of some countries. Just for completeness, could you name a country you would trust? I'm afraid I can't. Thank you.

If you're leaving, please do so quietly so we can still record the questions and answers. Thank you. Microphone number one, please.

How did you gain access to the SS7 network for the demo? I'd rather not say. Actually, so it's an access that has been lent to us for the purpose of security research.

Microphone number four, please. Hello. Thank you for the talk. My question goes into the finding out of the location. The cell location probably is at no cost to the operator to give that information out. But about the triangulation, is there a cost? Can this be done at scale for lots of subscribers? I don't really know how many you were thinking of. But of course it's been implemented for emergency services. So I guess there's always a lot of emergency calls coming in. And I think it can be done for a lot of customers. I don't know what would happen if you would do it for all the subscribers, but I think it can be done for a lot of subscribers.

We also have a few questions from our signal angel relaying questions from IRC. Signal angel, please. Test? Okay.
So the first question is how much would a whole setup cost to track somebody's phone? Well, I would say a few hundred euros for the SS7 access if you buy it. And then you need somebody to code the software, or you write it yourself. And if you write the software yourself and somehow, I don't know, find somebody who hacked SS7 access via a femtocell or something like that, it wouldn't even cost a thing.

Another question from our signal angel, please. Okay. That's a question: do you require direct SS7 access, or would it be enough to have a hacked baseband, mobile device, something? No. So SS7 is really only used in the core network, meaning the phones don't have anything to do with SS7. So the phones use the radio network, and that isn't SS7. It's only used in the core network, meaning the switching centers, HLR, SMSC, GMLC, and so on. They use SS7.

Microphone number two, please. Thank you. So I have another question regarding USSD. Yeah. You were saying it's completely possible to spoof USSD messages as they are always targeted directly towards the HLR. So from what I dimly remember about that, there are two different fields that actually carry the request issuer. Can you spoof the entire message? Like, can you spoof all fields? I'm not really sure, but as you don't need an answer back, you can spoof anything you like. So that's also a thing. For all the messages where you modify something, where you just don't want data back, you can put in any sender you like, because you don't need the answer back, and the new data gets activated, or the request gets executed, as soon as it arrives at its destination. I'm not asking because of protocol compliance. I'm asking because of verification, because from what I know, USSD is not only used for your own subscriber account credit level, but it's also used for payment solutions. And there, I'd really see a massive problem if you could spoof the entire message. Yeah, yeah. Okay. Thanks for that.
If it's really done over USSD, I think so, yeah. Question number one, please. I have two questions. The first one: when you did the locations through PSI, ATI for the Washington Post guy, was it done from an access that you paid for, like an access website that you paid to do it, or your own access? And if it was your own access, was it a trusted GT, a trusted GT contained in the RAEX IR.21 list? It was not in IR.21. Okay. So it was your own GT that you controlled, but it was not in the RAEX IR.21 list? Exactly. So IR.21, by the way, is a set of documents by the GSMA, the GSM Association. Every operator puts this document there, and it lists all its global titles, all the addresses, where to route traffic, where the HLRs are, and so on, and so on. And so usually you would say, or would think, that if a global title or a sender address is not listed in the IR.21, then you could simply discard messages you received from it. But in practice, that's not the case. So most of the time, requests also get routed and answered if your address is not in the IR.21 document. Okay. Thanks. Microphone number four, please. Hi. Thank you for your talk. I would be interested: did you also look into the modified versions for emergency calls, when I don't have an IMSI, like a SIM, in my phone, or for the upcoming eCall, which is used in cars? Does that have some implications as well? Is that trackable or something? I didn't look into that. I don't know. Okay. Thanks. Another question from our signal angel on IRC? Yeah. Actually, I have quite a few questions, so I don't know. But one question is if there are any numbers about which countries are doing the most tracking? Which countries do the most tracking? Yeah. That was a question, if you have any numbers about that. No, I don't. I also would be very interested in those numbers. If anybody has them, I would be very interested. Microphone number two, please. Yeah. I have a question.
If I have a working base transceiver station, which worked for a GSM network, is the SS7 access information in this base transceiver station? No. No. So that's in the base station subsystem, and that's not SS7. Okay. SS7 will only be used from the switching center on inward to the core network. Okay. Thank you. Microphone number four, please. Hello. Did your summary slide with the TMSI requesting also say that you could decrypt the sniffed message, the sniffed phone call? Sorry, I did not understand that. One of your summary slides was about how you could request an IMSI after you present a TMSI that you sniffed off the air. Yeah. Did that also say you could then decrypt the whole phone call by sniffing the air? Yeah. Yeah. But Karsten is going to talk about that in a minute in the next talk. So stay for the next talk and you will learn more about that. Okay. We have time for two more questions. Microphone number five, please. Hi. Thank you for your talk. I don't know if you have any virtual operators in Germany, but do they have access to SS7? If so, does the blocking that you mentioned in your talk also apply to them? Sorry, again, please. Virtual operators. Yeah. Okay. Do they have access to SS7? Yes. Well, if they are real MVNOs, then they do have access to SS7. If they are just resellers, then not. For example, I think one of the very few MVNOs in Germany is sipgate or simquadrat, and they, for example, operate their own HLR. Microphone number six, please. Do you see this as a possible vector to trigger the phone to update the baseband firmware? Well, as you saw in the beginning, you can not only request the cell ID. You can also request the IMEI of the phone, so the serial number. So you can also figure out what type of phone somebody is using, if it's an iPhone or a Galaxy or something. I don't know.
So if you want to remotely install an exploit on the phone, that's, of course, also easier if you already know what type of phone the person, your victim, is using. But are you aware of any API functions that are maybe part of MAP or CAMEL that can be used to directly instruct the phone to pull firmware from here or there? No, I think that would happen on a different layer, not in SS7. Thank you. Okay, that's it. If you have any further questions for Tobias, please catch up with him after the talk. Please give a warm round of applause to Tobias Engel.