Good morning everyone. My name is Adrian Dabrowski, and this is my colleague Gabriel Gegenhuber. This is joint work with Wilfried Mayer and Edgar Weippl. We will be talking about decoupling the SIM card from the mobile phone or the modem to get all kinds of fancy measurements. It's called "Cellular carriers hate this trick", and I will explain why: using SIM tunneling to travel at light speed.

For the motivational example, let's assume we have three medieval city-states, and they recently invested in technology, so they switched from landline to wireless to cellular networks. We have all these new mobile phone operators popping up, like Knight Mobile, or Arthur and Excalibur with the sword in there, and Dragon Phone and all the others. With that we also had an explosion of new social networks, and we have something like Royal Tweet and Bardboard and Peasant Post, and all these people are super hooked on social networks. So the mobile phone operators think: well, how do we target the demographics that like social networks? So they come up with these new data plans where there is something already included, like video streaming or messaging or social network apps. It's super transformative, it's very addictive, you have all these people spending hours and hours on end on the social networks, and I heard that the king over there actually got so hooked on it.
He's considering buying Royal Tweet and renaming it to the Roman numeral for ten.

So this is Archibald. He recently switched from alchemy to cellular network research. He also has a few friends abroad, and he has already found a few inconsistencies and maybe vulnerabilities in his local network. But he is a bit of a prisoner of his own city-state. When he can travel, he can do measurements abroad in another network, but when he is visiting his friends he would actually like to spend time with the friends, and it's also getting very expensive.

So why is roaming so complex, or why is it so interesting? The interesting thing with roaming is that you have your home network operator on one side and the visited mobile network operator on the other, and using some interconnection in between they pretend to you as the customer that they're providing a single, consistent set of services, although they're using completely different configurations, hardware, software, manufacturers, what not. At a closer look, this picture of a consistent service pretty fast falls apart. You might wonder: when I'm abroad, how is my traffic actually routed? There are two ways: you can have either local breakout or home routing. Interestingly, depending on the service that you're using, it will use either one or the other. For example, if you're using data, that's usually home-routed, so even if you're abroad all your data will exit with an IP address of your home network operator, so you can't use all the fancy geo-locked services in another country unless you connect to Wi-Fi. For other services like voice you have local breakout. Back in the 1980s when GSM was specified, and even today, voice is considered a time-critical service, so you'd like to get it out into the public networks as fast as possible with a route as short as possible.
So technically, voice roaming works by the visited network operator issuing you a temporary phone number in the country that you're visiting, and your home network operator then reroutes all the incoming calls to this new temporary phone number. So you have all these small differences in roaming.

While Archibald likes to travel, it's getting very expensive and all this testing can be quite tedious. Let's look at an example. Whoever travels internationally for DEF CON might have received that SMS. That's because AT&T doesn't support voice roaming for most European carriers; however, it does support data and SMS, so you might even get billed for voice traffic while in the US without being able to use voice. So you have all these small oddities, and let's see: can we measure that in our toy example? Let's take one SIM card. We have one home operator plus three network operators in one other city-state and in the other. However, that's just one SIM card. Of course there are multiple carriers within our home network or home country, so we'll have to buy multiple SIM cards. But there is also more than one data plan, which might be important because they support different services, so we'll have to multiply by that. And then of course you have all the network operators in the other city-states as well, and we end up, just in our toy example, with 190 combinations. So clearly that doesn't scale well.

What are the possibilities for Archibald to continue his work? Well, he could buy a lot of SIM cards and a lot of modems and position them everywhere in the three countries, but with the hardware cost and the monthly costs, soon after that comes bankruptcy. So that doesn't work. You could have one modem in each country and then ship SIM cards around, but that has a large overhead with the shipping times and a lot of manual labor. Or, what we did: try to decouple the SIM card from the modem.
Usually the SIM card and the modem are one unit and they communicate with each other, but what if we can extend this internal bus all around the globe? That's what MobileAtlas does. The academic name is "geographically decoupled cellular measurements and exploitation". With that we can now do solid-state travel: we can connect SIM cards to our modems in different places all around the world, pretend to the network operators that we are in that country, and do our measurements and tests there.

So what were our goals with the project? Of course scalability and automatability, but another important point is to control the background noise. If you use an off-the-shelf cellular phone, then you have a full-blown operating system on it with all kinds of background tasks, and that might interfere with the measurements you are doing or with the exploits you are testing, depending on what precisely you're doing. We also would like to have the full feature spectrum. For those who know RIPE Atlas: our name MobileAtlas basically is a homage to RIPE Atlas. RIPE Atlas is a probe system developed and maintained by the European Internet administration. They have probes and you can do pings and traceroutes between different autonomous systems. However, in a cellular world we have more than just an Internet or data connection. We also have phone calls.
We have USSDs, we have text messaging. So we would ideally like to have a test system that works on all these features.

Here is a short diagram. Traditional combinatorial explosion: you put probes in different countries and replicate all the SIM cards. Or you have something where you can tunnel the SIM cards to one place and save a lot on costs. So basically that's what we did. We decoupled the SIM card: we have a SIM card reader connected to a computer, we have a TCP tunnel to our measurement probes, and we replicate the SIM card there, with a management layer on top of it. You end up with a system like this: on the left side you have the probes, on the right side you have the SIM cards and you have a SIM provider, which is basically just a piece of software that connects to a PC/SC reader or a serial reader or even an Android phone and routes the SIM card traffic to the probes. It needs to be an online connection because the SIM cards produce all the cryptographic material that we need on the network side to authenticate and to encrypt the traffic there.

This has been an ongoing project for five years now. You can see our first probe on the left, which looks very crude. We had a Raspberry Pi and a USB adapter and an M.2 modem attached to this adapter, and because everything was very loose in the box we put this yellow piece of foam in there to hold everything in place. The current version looks much more professional: it's a shield on top of the Raspberry Pi, and then the only other thing you need is an Ethernet connection for the uplink. On the other side we have the SIM provider, which is basically just this piece of software that works with all the usual SIM card readers. You can use the more expensive PC/SC readers or the very cheap Chinese SIM readers that only speak a very crude serial protocol, or you can even use an Android phone.
Oh, we didn't have the picture. Okay, maybe it's later in our slides. So I briefly want to talk about the challenges that we faced, and I have to pick two because of time. Let's talk about the SIM interface and the SIM protocol. The SIM card protocol is basically a smart card protocol, but it's now 40 years old, so you have a lot of different options, voltages, speeds and all kinds of that. It was also designed to work within one device, so with very low latencies. When we stretch that over half of the globe, we need a few techniques to cope with the latency.

You can see, for example, how we connected the SIM slot of the modem to the GPIO pins of the Raspberry Pi. We just made a very small, simple adapter that we slot in; our first version was actually directly soldered in. You can see just one component on it, and that's a Schottky diode. Why is that? Because the SIM card I/O is actually an open-collector bus, so on the Raspberry Pi side we need a Schottky diode to split up the send and the receive channels for the UART, and the pull-up resistor is already provided by the modem. Luckily for us, this reduces a lot of complexity: we can negotiate speeds and voltages and other parameters independently on the SIM provider side and on the modem side. We don't have to pass them on one to one, so that eases many of the problems. We can also add waiting time extensions, and we tested it for latencies up to 1,000 milliseconds, so this should actually be good enough even for Starlink connections. As future work, we'd like to also locally emulate some of the files that are not necessary for the modem or for the measurements to work.

The second problem that I'd like to mention is traffic metering. We need a way to control the background traffic. So let's step back.
Some of the tests we want to do are to test the data accounting of network operators, so we need very precise measurements of what we are sending to the network and what is then accounted. The background traffic is something that will mess up these measurements. The other thing is that the call data records are often shown on the operator website with a large delay: domestically this can be hours, but internationally this can be something around days. Also, there is no standardised way to check your account balance: some operators use an app or web application, some support USSD codes or SMS inquiries.

To eliminate background traffic we basically use Linux network namespaces, the same thing that Docker does. Our measurement process is put into a separate namespace that's then connected to the modem, and only that one talks to the modem. So all the traffic from that process group is routed through the modem, and all the other things like the management suite go over the VPN; they're completely separated.

How do we deal with delayed traffic accounting? We came up with a binary encoding. For example, the first test is one megabyte in size, the second test is two megabytes, the third one is four, and the fourth test is eight, and so on. One of these will also be a control group, so that at the end, maybe a day later when it finally shows up on the accounting balance, we can distinguish exactly which test, which traffic group, was accounted and which wasn't.

You might ask: well, you do all this to tunnel physical SIM cards across the globe, what about eSIMs? The problem with eSIMs, even though for example in the US
they're pretty relevant, is that they are not widely available everywhere, and also they usually tend to only cover some data plans and not all, and they're not always easily transferable between devices. What we actually can do is use the Bluetooth SIM Access Profile to connect to an Android phone that then shares the SIM card over Bluetooth to our system. The SIM Access Profile was actually developed somewhere in the 90s to allow cars to connect to your phone and then use the SIM card of your phone and the modem from the car. Today this is rarely actually used. So the only thing you need to do on an Android is make the eSIM your primary SIM card, and then you get this screen and you allow the usage.

In the title we said carriers hate this trick. That might be a little bit controversial. Why do we think carriers hate this trick? Well, SIM tunneling isn't exactly new. It has already been used for OTT bypass fraud: that's when you use batteries of SIMs or SIM banks to terminate international calls within a country, because usually local call rates are cheaper than international interconnect fees. However, we actually do the opposite. We are tunneling from domestic to abroad to test all the other networks. This might also hint at why this might be an opportunity for carriers to have such a system, because nowadays carriers have to rely on their roaming partners to deliver the services the way that they want for their customers. With a system like this, carriers can actually verify the services, especially things like Voice over LTE roaming, which lacks a good auto-configuration protocol and causes a lot of trouble internationally. This might actually help to test the different configurations.

So what have we learned during the implementation of our system?
A few surprising results. First, if you read almost any book on cellular networks, they will basically say something along the lines that the IMSI is the unique identifier of a SIM card, and that it's also used to find your home operator and stuff like that. However, even in our small tests we found several examples of SIM cards that can actually update the IMSI over the air or change it dynamically. This is usually used for selecting a roaming network: you're not selecting the network that you're using as a visitor, you're selecting someone that has all the contracts in place with all the operators in the different countries, so that they have just one place to do their accounting and to work with.

Another thing that we've learned is that theoretically there is a 127-device limit on USB, but practically it's hard to get over 20 or 30. That has to do with lousy hardware, weak drivers and the power consumption, even if you use active hubs. We've tried several things; here are the pictures. On the left you can see the bar. We bought a box of a hundred SIM card readers on AliExpress and then we tried to run them naively on all the simple USB hubs, which turned out to be very error-prone. Then we also tried these professional USB hubs that have been used by miners for USB FPGA boards, but this also didn't work well.

Where do we stand today? Our system is deployed to 10 European countries and to North America. You can see Canada isn't fully covered. That has to do with the fact that in Canada not all operators are available in all the provinces. Our current probe in Canada is in the Yukon territory, so that's why it's just half green.

Ethical considerations. There are some ethical considerations
we have to talk about. You might, for example, ask: why do we use modems and not software-defined radios? On the one side, software-defined radios give you many more capabilities on the radio side. On the other side, all the open-source implementations usually only focus on one access technology, so you can get a GSM implementation or you can get an LTE implementation, but you cannot get one implementation that covers all the access technologies. The other thing is that it's a regulatory minefield. So far we gave out these probes to friends and family in different countries, and we cannot subject them to the risk of having a software-defined radio and all the radio regulatory problems that might come with that. So we rather opt for unmodified, globally certified modems that are safe to use in all the countries. The second thing that I want to mention is that we do not enrich ourselves with our tests, for example with the traffic accounting tests. We made sure that at the end of the month we let at least that amount of traffic expire that wasn't accounted in our tests. With that I'll switch over to Gabriel, who will talk about the results and what you can actually do with our system.

Yeah, thank you. So I would say, let the games begin. Let's take a look at what we can do with this fancy platform. I'll walk you through a few showcases. Of course our platform has very versatile capabilities, but the first one will be an Internet-related measurement case: it will be about zero-rating measurements, it will be billing measurements, and after presenting the measurements we will show some proof of concept of how you could abuse these zero-rating offers, or how an attacker could abuse this to gain some free Internet traffic.

So what is zero-rating actually? There are some
providers that offer these kinds of programs and offers. Usually they provide several groups of applications. In this screenshot example there is a group for messaging applications, for social media applications and also for video, so for example for Netflix. The customers can buy a package, and by buying this package they gain unmetered access to these kinds of applications. Of course, from a carrier perspective, all the data traffic that passes their network needs to be classified: it needs to be separated into billed traffic and zero-rated traffic.

Let's take a look at which possibilities there are for the cellular carrier, so which metrics could be used for the classification. A very old metric that has been used back in the day to classify and then block BitTorrent traffic was the TCP or UDP port. Nowadays it's mainly used in conjunction with some other metrics because it's kind of vague: most of the traffic anyway is web traffic, so it might be using port 443, and you could easily fake this port, so it's not that reliable. However, the IP address is kind of accurate, especially for all those big services like WhatsApp: usually the IP address of the service is pretty static, so it's a reliable classification metric. Some providers might use some cloud hosting for some applications, but usually if it's a big application it's pretty stable, so it's a good classification metric. Also, some operators use packet inspection. This is when the classification mechanism doesn't only look at the packet header but also at the content of the packets, so the classifier needs to be protocol-aware.
It needs to understand what the fields of the protocol mean. This is also commonly used. For our measurements we focused on IP address and on packet inspection classification. For the packet inspection, we mainly focused on hostname-based classification. But there are also some other metrics: some operators, for example, classify by the time to live to detect or block mobile hotspots, and since this is kind of popular, as with any problem, there are also some people throwing machine learning at it.

Let's take a look at the packet inspection, so deep packet inspection. This is an example of hostname-based classification. If the traffic is just plain HTTP, it's pretty straightforward because we do not have any encryption, so the classifier can simply take a look at the Host header of the protocol. If it's an encrypted connection like HTTPS or HTTP/3, the classifier actually has to take a look at the TLS handshake and thereby at the ClientHello message that contains the Server Name Indication. But it's again pretty similar: just the hostname is extracted and thereby the traffic is classified.

Within our study we've bought some SIM cards. We've measured seven operators of three different countries, and for those SIM cards we've analyzed the available zero-rated applications, and we figured that WhatsApp, Snapchat, Facebook and Facebook Messenger were the most popular applications. They are like any Android or iOS application:
they are heavily communicating via web APIs, via web endpoints. We got some traffic dumps from those applications and also reverse-engineered the applications, and we found some endpoints that we could use for our measurements to probe these kinds of web servers. For the selected web endpoints we found that they support HTTP, HTTPS and HTTP/3, and also they are hosted via dual stack, so you could communicate with them via IPv4 or IPv6.

We had two measurement campaigns, and we executed measurements in the domestic case but also under roaming conditions. The basic methodology for these kinds of zero-rating measurements was to get the credit, then execute some experiments, then wait for the data to be billed, and again get the credit and calculate the delta. Within the experiment we had some payload that was potentially zero-rated, and afterwards, as Adrian already explained, we also had some control traffic that was acting as a marker, so we knew when all the data units were billed.

For the zero-rating experiments we had three experiments. The first one was to verify that the web endpoints that we selected are actually zero-rated, and the other two were to learn more about the classification, so to detect IP-based and hostname-based classification methods. This is a chart for the very first experiment. We have our MobileAtlas measurement probe on the left side and we have some web endpoints on the right side. In this case we are probing WhatsApp, so we are just repeatedly retrieving some web endpoints until our specified data units were retrieved, and afterwards we do the same with some control traffic that usually is bigger. When the control traffic is billed, we know that the experiment is finished and we can say whether the first traffic was subtracted from our data quota or not. To detect IP-based classification, the test case was pretty similar.
The actors didn't change, but we just spoofed the Host header. So the data packets were still going to the WhatsApp web server, but the Host header didn't match the WhatsApp endpoint anymore. If for this case the packets were still zero-rated, we knew that most probably some IP-based classification is in place. We did a similar thing to detect hostname-based classification, but we needed to introduce another actor. In this test case we automatically spin up an AWS instance that just forwards all the necessary ports to the WhatsApp web server, and thereby the Host header didn't change, because the content of the data packets was exactly the same, but the IP address changed. So when the traffic classifier is inspecting the data packets, the Host header is still WhatsApp, but the IP address is the IP address of our AWS instance, and thereby, if the traffic is still zero-rated in this case, we knew again that some hostname-based classification is used.

So let's come to some results. As you can see, we found that operators are using both IP-based and hostname-based classification. Sometimes they even combine it, so in these cases they zero-rated the traffic when either one of the rules applied. Interestingly, for two operators we were actually not able to verify zero-rating. All the tested packets were fully billed, although these operators promoted and sold some zero-rating packages to their customers. We were very surprised by this, and to make sure that this isn't just a quirk of our measurement methodology, we also simulated this on our smartphone. We just verified it: we downloaded the Facebook application, we plugged in the corresponding SIM cards, and we again did some measurements, and we could verify that a huge portion, over 90% of the actual application traffic, was wrongfully billed. Additionally, some operators turned off zero-rating during roaming.
This has already been challenged by the national regulators in some countries, but nevertheless we found some operators still doing this. Additionally, we found one operator that was billing traffic when the endpoint was retrieved via IPv6. So when IPv6 was used, the packets again were wrongfully billed. Similarly for HTTP/3: when we were accessing the relevant application endpoints via HTTP/3, again the traffic was fully billed. Interestingly, for one operator, as I showed earlier we had two measurement campaigns, the packets got billed in the first period, but then it got fixed and in the second period it was fine.

So Archie is a security researcher, so he is not only interested in how those things work but also in how he, or an attacker, could exploit these kinds of things. We have two cases. The first one is if hostname-based classification was used. In this case, for HTTP it's pretty straightforward: you would just need to write some relaying script that fakes the Host header. Sometimes the provider, during the classification, even just uses a simple regex for the host string. If HTTPS was used, it's maybe a little more complex, but still this is just content of the packets, so you can spoof that, you can change that, and you could maybe implement something on top of OpenVPN and spoof the SNI to pretend to be WhatsApp traffic, for example. So this is similar to domain fronting, this technique for TLS connections. For IP-based classification, however, this is a little more complex. You would need to have a server where you could spoof IP addresses. Also, it would only work for the downlink, because if the client sends some packets to some Spotify IP or some WhatsApp IP, obviously the packets will just land at Spotify or at WhatsApp. But for the downlink this is a feasible thing to do.
You could simply replace the source IP address at your relay point, at your VPN maybe, and then pretend to be Spotify, and then the packets will be classified as zero-rated packets and you can get some free Internet, or an attacker could do that. For TCP it might be a little more complex because we have this connection-based approach and we have the three-way handshake, but for UDP this is totally feasible. And this is what we did. We had a SIM card with free Spotify, we set up a VPN with WireGuard on a server where we could spoof the packets, and then we wrote a kernel module, a kernel extension, that rewrites the IP address of the outgoing packets. For the provider, these kinds of packets look like Spotify. We already came up with a nice name for this proof of concept, and I hope you like it as well: we called it Spoofify.

Okay, now let's continue with some other showcases. The second one is a privacy-related showcase: location tracking with ringback tones. So what is the ringback tone? The ringback tone is the tone that you hear when you call somebody and you basically wait for them to pick up. It's this audio feedback that you get. The interesting thing is that this is issued by the terminating operator, so in case of roaming this is issued by the roaming partner. The interesting thing as well is that we have different ringback tones for different regions. For example, in the US operators use this dual ringing of 440 and 480 Hertz, and in Europe most operators use something around 425 Hertz. For these two cases you could even hear the difference with your bare ear. But we also found that within Europe, where operators use very similar settings, it's totally feasible to record this tone and to differentiate between operators. I'll show you some examples. This is from Vodafone in Romania. We have a peak frequency of 430 Hertz. This is the spectrum, and also at the left
we see the amplitude. If we compare to a German provider, we see that a different frequency is used and also that the amplitude differs: it's louder for the German provider. If we compare to another German provider, we see that the frequency stays the same but the amplitude changed, and also the signal is less clear; there are some side lobes. We did this for all the available operators and then we printed a scatter plot with the amplitude and with the frequency, and as you see this is nicely scattered, nicely divided across the figure. So you can easily take those two metrics and determine the operator that terminated the call, and you can use this to find out the country of the person that you just called. You just need one test call, and then you know the country where the person is. Also, you could of course use some other metrics like the overtones I just showed you, or the duty cycle, where we also had differences, or you could also use some other call progress tones to fingerprint. This is also interesting from an attacker perspective for SIM swapping, because you could also use this to find out the responsible home operator, and then you know whom you need to call to swap the SIM card, maybe.

Now let's come to the last showcase. This is a proactive SIM communication showcase. Since we tunnel all this SIM communication,
we have full access to the communication, to the payload that is sent between the modem and the SIM card. SIM cards are kind of mighty and powerful microcontrollers, so they can even run some Java, and there is this instruction set of proactive SIM commands where the SIM basically can take over control and can tell the smartphone what to do. So the SIM could tell the smartphone to send an SMS message, or to display some text on the handset. Since we have all this communication from our measurements, we can analyze it, and for the measured SIM cards we found two SIM cards that were phoning home, so that were covertly sending some binary SMS messages. This is pretty scary actually, because it happens totally in the background; the smartphone user doesn't know of it. Interestingly, we also had some cases where these kinds of binary SMS were also billed by the operator, so during roaming these SMSes were even billed. That's pretty shit from a user perspective. We tried to analyze the content of these binary SMS and we found out that there is some information about the user equipment, so for example the IMEI, but also from the SIM card, so the ICCID and the IMSI were in there.

If you're interested in getting some more insights, we've published two papers. The first one is about zero-rating measurements, it's called "Zero-Rating, One Big Mess", and the second one is basically the white paper of our platform. It was just presented at the USENIX conference some days ago.

For the conclusion: Archibald can now, when he's traveling, spend more time with his friends, because for all the measurements, like longitudinal measurements or exploit testing and development,
he can now use a platform to do this from the comfort of his home. We find roaming especially interesting because it's this special case where two operators with completely different setups have to cooperate and pretend to be one. We showed you a few use cases; you find more in our paper from two days ago from USENIX Security, about how to hide and dress up traffic as one of the free services so you don't have to pay for it, how you can locate other subscribers based on the ringback tone, and some internals such as proactive SIM communication. We'd like to thank all these institutions, like NLnet, University of Vienna, Technical University of Vienna, SBA Research, CISPA and the SSL lab from UCI, for supporting us over these five years. You find the URL and our contact information up here. The whole project is open-sourced. If you are from a country that you think is interesting for us to host a probe in, please get in contact with us. We have actually brought some probes here to DEF CON. Thank you a lot.
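An added example in Python, written for this transcript and not code from the talk or from the MobileAtlas project: a toy carrier-side zero-rating classifier that extracts the hostname from a plaintext HTTP Host header or from the SNI of a TLS ClientHello (built inline as test input), matches it and the destination IP against a rule, and a function that turns the three probe experiments described above (baseline, spoofed Host/SNI to the real IP, real hostname via a relay IP) into a verdict on which rule the operator applies. The rule, hostnames and IP addresses are constructed placeholders.

```python
import struct

# Constructed zero-rating rule for a made-up messaging service (placeholder values).
ZERO_RATED = {"hosts": {"api.messenger.example", "cdn.messenger.example"},
              "ips": {"203.0.113.10", "203.0.113.11"}}


def host_from_http(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request (lowercased, port stripped), or None."""
    try:
        head = payload.decode("ascii").split("\r\n\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def sni_from_client_hello(payload: bytes):
    """Walk a TLS record carrying a ClientHello; return the SNI host name or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:          # handshake record, ClientHello
            return None
        hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
        pos += 1 + hs[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0 and hs[pos + 2] == 0:            # server_name ext, host_name entry
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record with only an SNI extension (constructed test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                               # one cipher suite
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(dst_ip: str, payload: bytes, mode: str) -> bool:
    """Toy carrier classifier; mode is "ip", "hostname" or "either" (OR of both rules)."""
    host = host_from_http(payload) or sni_from_client_hello(payload)
    ip_match = dst_ip in ZERO_RATED["ips"]
    host_match = host in ZERO_RATED["hosts"]
    return {"ip": ip_match, "hostname": host_match, "either": ip_match or host_match}[mode]


def infer_classification(baseline: bool, spoofed_host: bool, relayed: bool) -> str:
    """Verdict from the three probe outcomes (True = zero-rated): baseline = real IP + real
    hostname, spoofed_host = real IP + wrong Host/SNI, relayed = real hostname to a relay IP."""
    if not baseline:
        return "not zero-rated"
    if spoofed_host and relayed:
        return "ip or hostname"
    if spoofed_host:
        return "ip"
    if relayed:
        return "hostname"
    return "ip and hostname"   # only the exact IP/hostname pair passed


def run_experiments(mode: str, transport: str = "http") -> str:
    """Simulate the three probe experiments against the toy classifier and return the verdict."""
    real_ip, relay_ip = "203.0.113.10", "198.51.100.7"        # constructed: service vs. relay
    real_host, other_host = "api.messenger.example", "www.decoy.example"

    def packet(host: str) -> bytes:
        if transport == "tls":
            return build_client_hello(host)
        return f"GET /v1/ping HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")

    baseline = classify(real_ip, packet(real_host), mode)
    spoofed = classify(real_ip, packet(other_host), mode)
    relayed = classify(relay_ip, packet(real_host), mode)
    return infer_classification(baseline, spoofed, relayed)
```

Running `run_experiments` for each classifier mode shows why the three experiments are needed: a single zero-rated baseline cannot tell an IP rule from a hostname rule, but the spoofed-host and relay cases separate them.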