Go button, and then they're halfway into the first question before it actually connects. There we go. Nope. Hello punk, would you holler at our speaker ops channel saying we're going live? Gotcha. Thank you. Gotta find the channel. Yeah, one of many, many, many, many, many channels. Got it. Channels.

Hey, cool. We're live. So, welcome everyone. I want to thank everybody for coming to join. We're sitting here with Cooper. Oh, what's your last name, Cooper? I had it up here somewhere.

Quintin. Cooper Quintin.

Yes, all right. His presentation was "Detecting Fake 4G Base Stations in Real Time". So thank you so much for taking the time and effort to put together this DEF CON talk. We're in this brave new world where we all get to do things virtually. So thank you very much.

Yeah, thanks for having me.

Absolutely. So we've had a few questions come in already. We'll just get you started with this first one from RPTK 2015, who has been watching, I think, all of the talks as we're going through this. Question: if I can see that I'm connected to a fake cell ID, what can I do? Should I just stop using the internet?

Yeah, that's a great question, and I'll answer it in a couple of parts. The first thing I'll answer is that if you think that you are connected to, or, you know, if you're in a situation where you might be worried about a cell-site simulator, the best thing you can do is just put your phone on airplane mode. And that's always a good idea if you're out at a protest or if you're committing a crime. This is not legal advice. But, you know, if you're doing anything where you don't want to be tracked by your phone.
The best thing you can do is just put it in airplane mode. The question, though, of if you see that you're connected to a rogue cell: you're usually not going to see that. The unfortunate thing about how phones work is that it's actually really hard to tell if you're connected to a cell-site simulator. And so you're usually not gonna know. And a lot of the things that cell-site simulators do are similar to the things that cell networks do when they enter failure modes. So, like, when a cell, when it, you know, crashes, or when there's too many people connected to a cell. So you're likely not going to know, but if you do have that concern, yeah, just put your phone in airplane mode. Leave it in that until you need to send a text or something.

Airplane mode, all right. So there's been a lot of conversation in the past about airplane mode doesn't protect you from a lot of stuff. Are we thinking that this is still gonna be good enough, or is this your situation if you don't bring your phone with you?

So, I mean, it depends. I think it depends on your risk model, right? It depends what you are concerned about. I think airplane mode is going to be good enough for most cases and situations, because not bringing your phone with you means you can't take pictures of whatever's going on. It means that you can't make calls. It means you can't call your friends. It means you can't call anybody if you're about to get arrested. I don't know, like, again, I don't know what situation you're planning on taking this out. But I think airplane mode is good enough for most cases. And yeah, if you really have high security needs, if you, you know, if you don't want to be displaying any weird patterns of travel, like, yeah, leave your phone at home and leave it on, right? Then it looks like you're just sitting around at home doing that.
So, again, not legal advice.

You know, we had a follow-up that I think a lot of people would find true, so I'm interested in what you have to say. And that's: does a VPN offer any protection from a cell-site simulator? And also, what does it not protect against, for example GPS data or exploits and pre-authentication messages?

That's a really great question, and yes, exactly. It does not protect against those two things. It doesn't protect against GPS data. It doesn't protect against exploits and pre-authentication messages, which is where most cell-site simulators happen in the first place. And actually there was a great talk at Black Hat and a really good paper that's out, and I can try to find the link and post it somewhere later. So the attack is called, I think it's called "alter". Yeah, well, so, okay, so there's two attacks. One is called aLTEr, "alter", and then the other attack is called... shit, I forgot the name. And there's another attack, and these are two attacks that allow a malicious actor in the pre-authentication stage to manipulate DNS queries being sent to the tower, or to send back fake answers, like to send back malicious DNS answers, right, responses. So, sorry, so to answer the question: a VPN might, like, it might protect against some eavesdropping attacks, but I don't think it's gonna be good enough. But the other thing is that it seems like, at least in the US, the primary usage for cell-site simulators is to determine who is in a specific place, or in other words what phones are in a specific place, or to locate a suspect, or to locate somebody, like, down to what apartment they're in or down to, you know, what building, right? And neither of those attacks rely on looking at the person's or people's internet traffic. They only rely on looking at signals being sent from the phone, and a VPN won't do anything about that.

Interesting. That makes
sense. So there are some things that you can protect yourself with in this way. There's some things that are outside the scope of your research in this case.

Yeah.

Well, the natural follow-up question from that is the one I asked quite a bit further. But then what's next in this research space? And if you had more time or money, what could you have done to expand this?

Yeah, that's a great question. So the thing I would love to have is transmission data. So I mentioned in my talk that, like, we can't actually connect to the tower and we can't actually transmit things. We can't actually, like, send authentic authentication messages to the tower and see our response. We can't look at paging messages, etc. But if we were able to gain access to licensed hardware, like a licensed 4G baseband, and program it ourselves, or gain access to lower-level messages, then it's possible that we could do them. So that would be an amazing thing to do. I think the other thing I would like to do in the future is get better heuristics involved in Crocodile Hunter. The heuristics that Crocodile Hunter uses right now to determine what's a suspicious tower or not, they're kind of my first pass at that, and I think that once we know more about what malicious cell towers look like in the wild, we'll be able to get better heuristics to better, you know, to have less false positives, what's suspicious and what's not.

I don't want to stomp all over the wonderful people putting stuff in chatter here, but that is my next follow-up question, if it's right into there. There are people out here with a lot of time and effort and energy and want to get involved in projects. If somebody wants to get involved in this project, if they build your rig and are doing this, do you want their data? Is data from other people helpful? How can people assist?
Yeah, data from other people is absolutely helpful, and there's actually an API built in the Crocodile Hunter to allow you to send your data back to us. And there's documentation on that in the GitHub repository. But yeah, if you go do scans, even if you don't find anything, having that data is super helpful. Yeah, so please, please go ahead and send it to us, and please go ahead and get involved on the GitHub and, you know, file bugs and pull requests and stuff. We'll probably eventually set up a chat server somewhere if the project seems popular enough.

So, specific question here, like specific to an area, so Latin America. Can you talk about the fake antenna pro... a fake antenna detection project?

Yeah, so I don't want to put words in their mouth too much. They have a website with it. I think is fadeprojects.org, maybe. Maybe one of you can confirm that real quick, or I'll post it later. So they have a website. I don't want to put too many words in their mouth, but basically this is a group of technologists, a group of hackers, that are in various countries in Latin America, and they had previously done fake antenna detection with SeaGlass, which is a similar project out of the University of Washington, but focused on 2G towers. And they found some really interesting results in Mexico City and, I think, in Colombia, if I recall. So they found some really interesting results a few different places, and they're just doing this to see what they can find and to see how widespread the problem of CSS is in Latin America. And they're planning on doing this with Crocodile Hunter, doing the same research, but next with great

You get to see what that's where it takes you when you're traveling in other countries.

Um, yeah, yeah, I'm really excited to see what they find.

Probably some interesting questions as well as what's allowed on the send/receive if you are in non-US countries.

So I am not an international lawyer.
I'm not even a national lawyer. I'm not any type of lawyer. So I cannot speak to that. If you are curious about that, you should ask a lawyer in your country as to what's allowed for send and receive, because it varies from country to country. It does. Like, we were looking at doing this in some Middle Eastern countries, and the laws there wouldn't even allow us to receive packets from a cell tower.

There's questions that I saw here that I'd be interested to learn a little bit more, and it's: you mentioned briefly in your talk that 5G handles pre-autocating... pre-autocating. I can't speak today. Pre-authentication. Thank you. This never happened. Messages similar to 4G. Do you suspect nearly identical cell-site simulator techniques will carry over from 4G to 5G?

Yeah, unfortunately, I do. Almost all of the attacks that work against 4G still work against 5G. There have been some mitigations put in place in the standard, but unfortunately a lot of those mitigations are marked as optional in the standard, and anything marked as optional means that the phone companies are absolutely not going to do it, because they want to spend as little money as possible, effort as possible, because phone companies are a giant pile of shit. So I don't expect that those mitigations will make their way into actual deployment, and I think that, yeah, I think that a lot of the same techniques that you see in 4G are gonna still work in 5G.

All right, that's good to know.
I had another question that I think more just shows my ignorance in the subject, but so the kit that you've built in order to do, like, the hardware on this one, it was $500 for the radio, and you've got a Raspberry Pi, which is relatively inexpensive, and, yeah, around the laptop and all this. The question that comes to mind on this is: we all carry around a cell phone that already talks to these devices.

Yes.

Can cell phones themselves be modified to do any of this work?

Yeah, so that's a great question, and I would love it if they could. I have not found a good way to do that. So we can't do this in a native app, for two reasons: A, we don't get enough low-level data, and B, we're only going to see the cells that the phone is actually connecting to, and the neighbor list of cells that the phone is actually connecting to. And I want all of the cells, right? I want to be wardriving Gt towers, not just looking at what the cell phone wants to connect to, right? And then the other thing is there's no API for the baseband, right? Like, I mean, the closest thing to an open source baseband is srsLTE. Right, there's no, like, open source baseband, programmable baseband, that runs on an actual licensed 4G chip.

Right, and that's the open source LTE library?

Yeah, yeah, sorry. So srsLTE is the open source LTE library that we use in the back end of Crocodile Hunter to actually emulate part of the user equipment, to emulate part of the cell phone, and scan the frequencies and get the information blocks that we need.

Got you.

So, like, we are essentially an emulated phone doing part of what a cell phone does, but we're not doing it on cell phone hardware. And it would be great if we could do that on cell phone hardware, but I don't think that that currently exists. But it's a good idea. And so SeaGlass, the SeaGlass project from
University of Washington that I was talking about earlier, is doing that on a phone using the Osmocom baseband for 2G, or GSM. So, like, that does exist for GSM. It just doesn't exist for LTE.

Okay.

But it is a good idea, and if and when it does exist for LTE, it'd be great to, you know, rebuild Crocodile Hunter using that. So you're barking up the right tree there, for sure.

What else do we have coming in, L. O. Bunk?

I can't believe I just used the phrase "barking up the right tree".

Yeah, he did. Back to the alcohol in a coffee cup. Well done. All right, so next question. I was wondering... oh, sorry. You mentioned turning off 2G could help. Do you know of any progress to create and enable this feature?

I think that there are people within these companies that really want to see this happen, but I think it's gonna be an ongoing battle, right? Like, I think that the manufacturers, like Sam... or the OS manufacturers, Samsung, Apple, will need to see that there is a consumer demand for it. And, I mean, they're still not likely to turn 2G off completely or even by default, because it is still used by so many people around the world, unfortunately. But even getting a toggle to turn it off, that'd certainly be great. But I think that the company is, even though there are people within the companies that really want to see this happen, I think the people at the top of those companies need to see consumer demand for it to really make it a priority.

It's probably a deal all over the place and people... The consumer needs to understand that this is the thing that they want before they know how to ask for it.

Yeah, exactly.

A follow-up is, so can you... sorry, I lost my thing on here. I'm just doing horrible today, guys. Sorry. Oh, no, okay. It's the day. So with disposable phones and burner phones being so readily available, why not buy one of those and give it a try?
Yeah, I mean, again, I'd say it depends what your threat model is, right? Like, burner phones are really hard to do properly. Like, there's a lot of things you've got to take into account to actually use a burner phone. You have to be able to actually buy it anonymously. You have to call people that you normally call on it. You have to stop using it afterwards. There's a lot there.

Audrey has to come in at the right place and time.

Yeah, exactly. So even though it's cheap to buy cell phones these days, it's still not actually, I don't think, trivial to set up. And again, it depends on what your threat is, right? If you just don't want the law enforcement agency in your country to rat a protest, right, I would just put your phone in airplane mode. If you really need to be making a call during that protest, but you really don't want them to know you're there... I mean, your chief worry should not be IMSI catchers. It should be not getting arrested, right? I think that IMSI catchers should actually be, like, fairly far down on your list of threats if you're going to a protest, right? And at the top of that should be tear gas and cops beating the shit out of you, right? And, you know, and then several other things, like the police taking your phone and doing a forensic analysis of it after you get arrested, and then IMSI catchers, right? So I don't know. I think using a burner phone is kind of engineering the solution there. I think you should just put your phone in airplane mode. Or if you really need to be doing a lot of comms, like, yeah, you know, but you need to be anonymous, then think about that, but also think about facial recognition, and also make sure tattoos are covered. I'm sure you don't have hair, right?
Make sure that nobody can find your t-shirt on Etsy.

Exactly, exactly. Make sure you're not wearing a custom mask.

And we're kind of coming up to the end. We still have, you know, more time. But a great one is: any suggestions on research avenues for others looking to build off this project? Most of this project in the past seems to be around 2G and 3G based, so it'd be great to see a project, you know, catching up to the latest protocol.

So that is what we're doing. That is in fact the whole point of the project, is that all the past research has been focused on 2G and 3G, and we're specifically focused on 4G and the latest iterations of cell-site simulators, like the Hailstorm and the Crossbow.

Specifically, it's how they can give back, you know, research more.

Okay, I'm sorry. I understand. I misunderstood the...

Yep, that was the talk.

Yeah, so how you can give back. I mean, like, we would love people to get involved with the project, right? And, you know, we have theories about how these things work based on our research, based on reading the academic papers, right? And again, a big shout out to Yomna. She, you know, me and her spent two years reading all of that kind of fine ability a lot

I think you probably back here. We had some cutouts.

Okay. Oh, sorry.
Yeah, so me and Yomna spent a long time reading all... Yomna wrote a really excellent paper detailing all that we know about the 4G and... Yeah, I mean, but, you know, further research, right, and, you know, new theories about how they might work. I mean, FOIA requests, right? Like, there was a really excellent set of manuals for the StingRay, right? And if somebody did a similar FOIA request and got one for the Hailstorm, I suppose, like, yeah, that would be excellent.

So, well, this is a fantastic time for us to put in here a couple of bits. So you work for the EFF. Everybody here should know what the EFF is, but if you are brand new to the infosec community, give us just a blurb on the EFF.

Sure. So EFF, or the Electronic Frontier Foundation, is an organization that defends civil liberties as they intersect with technology, or as we say, when you get online, your rights come with you. You don't lose your rights. You don't lose your human rights. You don't lose your civil liberties, freedom of speech, the right to privacy, free expression, just because you're working with technology. And so we defend that, and we defend that through a combination of legal strategy, grassroots activism, and technology, like what I work. So we've been doing this for 30 years now, 30 years this year.
We started in 1990, but our first case was defending Steve Jackson Games when they had put out an RPG, a pen and paper RPG, called Cyberpunk, which the FBI decided was a manual for hacking, and they raided Steve Jackson Games and took all of the copies of Cyber...

We're teaching kids how to hack.

And we defended them and got their books back, because this is a clear freedom of speech issue. And so that was our first case, and we've been taking on cases ever since then. So I work at EFF, specifically in EFF Threat Lab. Well, I guess you watched my talk, where I talked pretty extensively about that, so I won't dig into the EFF Threat Lab. But that's what EFF is. We're a nonprofit. We're member-supported. Over half of our annual budget comes from individual donations from our members, members like you.

Well, Cooper, if I have a little bit of extra money and I wanted to give it to the EFF, how would I do that?

Yeah, so you can buy EFF swag here at DEF CON. In fact, we even have a special DEF CON Safe Mode EFF shirt that you can only buy during Safe Mode. Buy it right now. And that's at our website, EFF.org, and I think there's a donate link up there. There's a shop link there. You can go find all of our branded swag and all of our DEF CON swag, or you can just donate us money directly from there if you like. We're also taking donations in Zcash, I think, during DEF CON. So if you want to donate truly anonymously, you can donate to us through that. I have no idea how that works, but you can drop into the vendors channel and message that EFF account, set you up.

Well, and I also heard a little bit that you are involved in some other things at DEF CON here. So would you like to talk a little bit about what you have going on later on?

Yeah, I am. So, Pacific time, I guess. I lost it again. Oh, shoot. I said at five o'clock tonight, 1700 Vegas time, we're running the EFF tech trivia event.
So I will be the quiz master, and we'll be asking trivia questions. You can sign up for a team right now if you go to the Discord channel under contests and events. It's EFF Triv. And you can sign up for a team, and we'll ask a bunch of questions, and the winning teams will get some free EFF swag.

Great. All right, so I'm sure that with all of the stuff that you've been talking about here, there are people who are interested in reaching out and doing more of this work with you. So we'll have you, at the end here, post whatever sort of contact information you would like for people to reach out to you with.

Yeah, do you want me to post that in the talks channel?

Sure, we'll put that in the talks channel. And yeah, if there's anybody who has one additional question that you'd like to hit, or if I look punk. Did you find anything? Are you sitting on something?

Maybe so. Maybe I was having so much fun listening to that. So I did post links for the shirt and more information on EFF in the grid chat.

Awesome. Thank you. I look like so. Do you have a final call to action for the people who are listening here? Something you would like them to take away?

I do. My final call to action, it's just to get involved with what's going on in your local communities, right? Like, as hackers, there's a lot we can do. There's a lot of problems that we can solve in our smart hackers way. We don't always have to solve it through making a new app. A lot of people working in your community just need help setting up a mailing list, right? Or just need help setting up a simple static website, right? But there's also more creative... Like, I think the thing about using leaf blowers to blow away tear gas is very much in the hacker spirit, right? It's such a great thing to see.
So I think that there's a lot of ways to get involved. You can also get involved with other EFF-minded people in your community by checking out the Electronic Frontier Alliance, which is a group of EFF-affiliated subchapters in local region. This is sort of the, like, way to act locally. And you can check that out at eff.org/efa.

A perfect question to end on here is: is all the project documentation on GitHub, or any information about a paper being published?

Yeah, all the project documentation... I have not published a paper. I hate writing. So I may publish a paper eventually, but all of the documentation, such as it is, which... Boy, open source and documentation. It's always great, right? But yeah, most of the documentation's in my head. The documentation that exists is on the GitHub, and I'm happy to answer questions, and I'm happy to take it upon myself to improve the documentation that people are actually using this.

That's where you're sharing all of your spreadsheets, huh?

Yes, yes.

All right.

Yeah, hacking is just spreadsheets.

Thank you everyone for coming to join. This was a wonderful presentation. I, like, you know, appreciate your willingness to come spend your time with us. So if anyone has additional questions, we will make sure that the contact information is available here in the track one. Otherwise, have a great rest of your convention, and we hope to see more from you soon.

Thanks. Bye, everybody. Bye.