Thank you, welcome to our talk. This is Alexandre de Oliveira and I am Laurent Guigonis. We are from P1 Security, presenting SS7 map. I think most of you have seen the talks by Tobias and by Carsten from SRL. This project is bigger, more massive. With the different vulnerabilities that have been presented in the past, including the vulnerabilities presented today by Carsten and Tobias, we have a view of these vulnerabilities worldwide, across all countries, and of how to make a map of today, to see what the worldwide exposure to these vulnerabilities is. It is a research project from P1 Security. As you have seen, it is maybe a bit later.

Just to get a view: who knows how mobile operators are interconnected? Who has an idea, please? OK, not many, maybe 5%. Basically, these are two operators, two mobile operators in the world. They are interconnected together through providers, and that is how you are able to roam between countries. It is because they are interconnected. For a long time it was supposed to be a walled garden, because it is a closed network, so mobile operators are interconnected through a closed network. But more and more, as we saw many times in the previous presentation, it is not a walled garden anymore, because more and more operators and more and more other parties are connected with the providers. Also, some parties are connected directly to an operator, for example governments, for lawful interception. Operators are also connected to the Internet, to GRX providers, to Internet services, through other companies, and this gives exposure to the closed network. So our objective here is to make a map of this new private internal network. Just as you have had maps of the Internet, here it is a map of the SS7 network.
So, to do that, we created partnerships with operators to help us do it. We do this by having a scan probe in the network of an operator. Then we send queries towards other operators, and we do this through several operators. And so we get a view of the network. What is important to understand here is that our SS7 map scan probe is inside the operator's range, but it is not considered as entered. It is not in the list of the roaming agreements. So basically it is not, because it is not an entered code.

So what we want to show is that, since operators have been attacked, there are many operators that are interconnected with operators. We have seen that the time to compromise an operator during our missions is... We have seen less than an hour of compromise time from the Internet to the IP core, which supports the whole SS7 network. So if you compromise things like the IP core or the PS core in less than an hour, you will be able to get to the network from the Internet directly afterwards. So the goal is to show you that compromising SS7 networks, even if you have no access and no collaboration with an operator to get SS7 access, for attackers, it is not so difficult to get into an operator. So we looked at the compromise chain to show you how attackers use the SS7 stacks on the SS7 network elements to be able to send messages.
And this can come from the Internet, from the OAM, from a compromise, from governments, which can also use it and which are interconnected with the SS7 network elements. As Laurent said, when operators want to interconnect with each other they have agreements, and these agreements define all the SS7 network elements that they want to be in these agreements, with GSMA, REX, IR21 files, which contain all the SS7 network elements, which is the IP of the SS7 network elements, so it will be an internet number with which you can reach the SS7 network elements. But what is very interesting is this file, which we obtained on the Internet. This should be completely private, but on the Internet you can find publicly available IR21 files, so you will find operator internals on the Internet. So that is one of our sources, and you also see the vendors, you see the location of the equipment directly, so that is already useful for us.
But you also see the SGSN, which is in the packet part of the network. You see the public IPs of the SGSN, so it is not really in public IP ranges but private to the GRX network, and that means you can take these IPs and check on the Internet whether they are reachable, because normally they are not reachable since it is in a private network; but if something is misconfigured you can reach them. And on the SGSN you can find a lot of public IPs that are not accessible on the Internet, and it is not only a query on the SGSN.

So now, let's take a look at what we can do, what is inside an operator. The first thing is taking a look at how an operator is addressed. Usually it is very fixed. For example, this operator will define ranges, a range only for network elements. It is usually always done this way because they wanted to have all their network elements in only one range, but maybe, since they are adding more and more network elements, they will add all the ranges. The ranges are so large that if we do not take this smart approach of trying to understand how the addressing space of an operator is built, we will not be able to find these network elements.

Just to give a little view on this: the numbers here are global titles. That's how network elements on SS7 are addressed. The address space is much larger than IPv4, for example, so you can't just scan sequentially; you have to find tricks, like on IPv6. That is basically why we are going to explain the different address spaces.

When you take a look at the network elements in this address space, you will have the HLR, which is the main database; the MSC/VLR, handling the switching, where users are attached; the IN, so intelligent network, for postpaid and prepaid options; the testbed; again MSC/VLR. And all of these network elements usually
they are well separated and they are packed, so if you find one and you start to go incrementally, you will find others. But did you see any problem on this slide? I see one: I see the testbed, which is directly in the production ranges of the operator. This is often the case, because they wanted to always keep all the network elements inside the same range, so they also put the testbed into the live GT ranges. But the testbed is usually accessible for testing, it's accessible for developing new features, for new people inside the company, so it's way more accessible than the live network. So the thing is, if you are able to get into the testbed, you will be able, as on the live network, to send SS7 messages. So it could be one way; the testbed can be an entry point.

And what's funny is that sometimes it's the reverse: the testbed is more secure than production. The SS7 network is full of oddities, it's really strange. Sometimes it's more secure in production: they take the testbed, they validate, and then they need it to be more maintainable quickly because they want it to work, so they remove some security features. So it's really variable, it's special.

And if you take a look at the addressing evolution: at the beginning of the networks they had small ranges, so small numbers, and they increased the length of the digits. So every time they increase the length of the digits, sometimes you will find all network elements in small ranges. Even if subscribers have been merged into new ranges, the network elements are sometimes in smaller global titles, so smaller prefixes, for all technologies.

This one is how the Indian network is built. We remarked that the Indian network was built in circles. That means that every region of India has its own SS7 network, and they were all interconnected with each other. This is a good point to know, because you will know that all the network elements are not sequentially in only one sequence of digits, but there will be one sequence for
every region, so you will try to find this sequence for all the regions of India. So it's really interesting to try to understand how the network is built for the country.

Another thing: when a telecom operator buys another one, it will add more network elements into its pool of network elements. So it's always a good thing to take a look at all of them. For example, the major ones will have operators in all the European countries, so it's interesting to take a look, because sometimes one country will be more vulnerable than another, but since it's a huge company they will be directly interconnected. So if you are in the less secure country but you have a direct interconnection to a more secure country, it's not secure anymore.

Telecom regulators: for example, for France we had 336 for mobiles and now we have 337, but since 337 is a new one, don't even take a look; there will not be any network elements inside these ranges. It's new ranges, so no network elements.

Something funny on this one: during our scans we remarked that when we were sending SS7 messages to Costa Rica subscribers, an HLR from Spain was responding to us. This means that the operator from Costa Rica had a part of its network still in Costa Rica but the HLR was in Spain, so maybe for customization, to get all the subscribers into only one HLR.

So now what we want to do is send MSUs, because we want to be able to send MAP messages, and the first thing that we want is to try to scan the network. We can do it in two phases. In the first one we will try to get the GT of the HLR directly. To get the GT of the HLR you have a lot of messages where as input you only have to give a subscriber number, a subscriber MSISDN. You give these messages a subscriber MSISDN, you send them to the network, and in the routing of the SS7 network the SS7 router will know that,
OK, it's one of my subscribers, so I give it to the HLR. So the HLR will respond to us; even if it's an abort, it will respond to us, so it's still interesting to know. The second case is to use, as we saw before, the IR21, the ITU, but even your SMSC public GT. This one you have on your SIM card, and you will find the public SMSCs on the Internet. Usually, since all the network elements are close together, if you take the GT of the SMSC, maybe by incrementing you will find the other ones. It will not be so complicated; maybe not, maybe yes. So it's already a good start, because it's the first GT that you will have.

This one is a TCAP scan. We scan the GTs incrementally for the SSN, which is like the TCP port, for HLR. When we get an abort you have 2 cases: either you think, OK, the HLR responded to me, or the second one is that the SS7 firewall blocked me and sent me an abort. So you have 2 cases, but at least, usually when it's a firewall it will put as source your own GT, so all the MSAs that you inserted as destination, so you will know that it's a firewall. If you have a different GT which is responding to you, you have more chance that it will be a real network element.

As we see, all this network is full of oddities. One network can behave in one way, and you will scan another one and it will behave completely differently. Maybe the HLR will not be responding, and it will be some firewall in the middle that will not even put its GT.

So from all of these behaviors we built a scan engine, taking data sources as input as well as private data sources in order to build a mobile operator database, and then the goal was to check the reality of all this data against the network. So we take data from the Internet, from SPC, ISPC, from ITU, from some IR21, which can also be a good start, and also from attack reports from operators, to already put some risk at the beginning inside our ratings. All this we give to our scan engine, which will send the MSUs on the SS7 network, and from this we are going to generate
mainly these four items: the SS7 map website that we are going to release now; ratings per country; some parts that are private, operator security details, which we plan to release publicly in the future, so maybe six months, that's what's planned; and also threat intelligence on the SS7 network. Because we want to give operators a chance to first contact us, and we will send them the data of their operator directly and privately. We don't want to give it directly publicly, but first give operators a chance to ask us, and we will send them this data directly. So what will be released today is only the country level of security of the SS7 roaming infrastructure.

In order to make this map we need to send a lot of data, and then, in order to start to visualize it and see which messages work and which don't, we generate some graphs and try to understand the network. For example, here we send different types of messages, which you see at the bottom: known ones, SRI-SM, SRI, and also Interrogate SS and PSI, which are less common, and we see how the network behaves. Here we started to list different kinds of errors, but there are many, many kinds of errors, and it's those oddities that will actually give us more insight on how to map the network.

On this one, what we mainly see is that many countries, many operators are actually answering the requests that we send them. There are four lines each time: you have these positive answers, then you have no answer, and then you have two different types of errors. This is for ATI, this is for SRI-SM, SRI and PSI. On this line one dot is drawn every time it matches, meaning that if I have one dot here, an SRI had a positive answer. Very often the bars of positive answers are quite dense, and even on the SRI and ATI messages that were discussed by Tobias and Carsten earlier you see that there are very many answers, even if they should not be allowed from INAT0. INAT0 means international
basically, for an operator. And at the beginning we should not even have any answer for any of these messages, because the GT from where we scan was not in the context.

One slide on some more oddities of SS7. This is the delay, depending on the message that we send, those are the different colors, and the type of result that we get. You see that, for example, sometimes we get answers 10 minutes after we send a message. On IP you would not even think about that. How can a machine, after... We see some of this sometimes. This was a special case, but you see that even if the majority of messages are answered very fast, there is still a big part here that takes between 10 seconds and 1 minute to get answers, and this depends on the countries. So this is also the delay time, to fingerprint the network and try to understand it and map it, to see the different behaviors and say, OK, this country is behaving like another one. Why? Maybe they share some specificities, maybe it's vendor related, maybe it's something else, maybe there's a problem.

From all this data we then built algorithms in order to extract ratings, and then rankings for countries, and then a map. Basically we split our ratings in two main parts. Network exposure, which is operator related: it's about the exposure of the network itself. And privacy leaks: privacy leaks are related to the customer, meaning all of us. It means: is my country or my operator really protecting my private data? Private data can mean location; it can also mean authentication vectors, because if they can be obtained by someone else, then this someone else can impersonate the network, for example, and then intercept your calls and decrypt them, like Tobias and Carsten presented. These ratings, OK, they are a bit complicated; we will have a blog post for those who are interested, linked to the website, with deeper explanations on this.

OK, now let's take a look at the website. So this is the SS7 map website,
which will be released really soon. What you have is a global risk, which is a calculation between the privacy leak and the network exposure. First I will show you the privacy leak. When we take a look at the privacy leak tab, what we see is, OK, first there are some countries in blank. This means that we don't have data yet, and since it's an important project we will improve it and add more and more data after the talk, so in the next months.

For example, if we take a look at the United States, because they have been in the center of all the discussions about intercepting calls and all this stuff, we have a page. This one will be directly accessible and directly public, because it's for the country and not for specific operators. We will give, for the operators that we have, the data that we have been able to score. For example, for privacy, we are testing whether there are messages disclosing the precise location of a user. The first one will be disclosing MSCs, which are less accurate, and the second one, which is this one, will be disclosing cell IDs and GPS coordinates: PSI, ATI, PSL messages. Then the other messages: for example, the authentication keys for SAI; prepaid/postpaid subscriber status for Interrogate SS; and others will be added. For example, the routing bypass will be added soon, because we are still processing a lot of data that we have. The goal really is to give an overview of the vulnerabilities that we will be able to find in the operators of this country and to really try to get a good vision of the security of the country. So yeah, the United States are attacking everyone but still not securing the network so much.

So how did we do it for the privacy leak part? First we took messages such as SRI for LCS, SRI, SRI-SM and ATI. These only take as input an MSISDN, which is a subscriber number. So what we did is web scraping to get a lot of MSISDNs.
So I don't remember the number of MSISDNs that we got, but 1000 of them. Yeah, exactly. So we get all these MSISDNs. First we sent the MAP MSUs for all these messages. The only one that needs another entry is the SRI LCS, which needs the GMLC GT. This one should be private, but sometimes you are able to get it, or sometimes it's not filtered properly, so they will not filter on the GMLC GT. So we saw some countries that are giving the IMSI directly via the SRI LCS. What these messages will give as output will be the IMSI, the MSC/VLR and MSC GT, and the HLR fingerprint. By really analyzing a lot of data we have been able to fingerprint HLRs directly, to be able to say, OK, this HLR is from Ericsson, this brand. We have been able to identify the brand of the HLR directly, not exactly the version but at least the brand, remotely.

We get the IMSI and the MSC/VLR where the subscriber is attached, so now we can send another type of messages, which are the Interrogate SS; the Send Authentication Info, for the authentication of the subscriber, so this will give you the cryptographic key of the subscriber; the PSL and the PSI. The PSL will give you the GPS coordinates of this subscriber directly, and the PSI will give you, like the ATI, the cell ID, but if you have the cell ID you will be able to get the GPS coordinates also. So this is really interesting.

And this is basically a progress map: how can you get from only a few pieces of information to the cell ID. It gives a picture of what's actually inside the scan engine that we have, a part of it. So yeah, only from an MSISDN, getting all this information.

This is a little recap of all the messages that we sent on the network. As we can see, ATI, PSI and PSL have the most impact, because they are directly leaking the location, the precise location of subscribers, so this is really interesting for us. And also sometimes you have
also the cell ID, but it's not so often.

So we took an example. For MAP ATI, for example, if we take a look at the specifications, so the 3GPP specification, we see that only the location management function should be able to send MAP ATI to the HLR, and this is a local node. OK, so only the local node, the location management function, local node, should be able to send MAP ATI to the HLR. This is for 2G and 3G usage, but for 4G they added something else: the HSS, which is replacing the HLR for 4G, so the database for 4G, can also send MAP ATI to the HLR. So always internal. And this ATI, as we say, is giving the VLR/MSC GT, the cell ID, the age of the location and the subscriber state.

What we saw by analyzing all the data that we got is that for MAP ATI only 29% of the networks, of the requests that we sent, were responding correctly to the MAP ATI with a cell ID, with a real cell ID. But if we take a look at MAP PSI, which is not as well known as MAP ATI, because Karsten and Tobias speak about ATI, which is now well known, and all the German MNOs are blocking it; but if you take a look at PSI, 82% of the requests that we sent were responded to correctly with a cell ID in the PSI. So this means that, OK, MAP ATI is not working anymore, let's go to PSI. And it's always like that: you will always find new vulnerabilities on the SS7 network to get information from it. So really our goal was to get overview statistics, because these vulnerabilities have been exposed for years, and we wanted to really get an overview, a worldwide overview, to see that, OK, MAP ATI is responding but not so much, but OK, let's use MAP PSI.

By the way, this one shows some of the mentality of the operators: MAP ATI has been discussed much earlier, so now they are blocking it, like, OK, this message is bad. And sadly many didn't think wider and think, OK, maybe we should take this seriously and see what the impact of all the messages is, and work together with people doing research in
the domain in order to really have clean filtering on the perimeter boundaries. So the evolution is that maybe 10 years ago ATI was answering everywhere; now it's much reduced. But for PSI, which has been less discussed, operators are still widely vulnerable. So basically this is 80, meaning 82% of the operators worldwide are answering to PSI, so it's pretty bad.

So yeah, one of the recommendations that we give to operators is: OK, ATI, you should block it from INAT0, that is pretty clear now. You have 2 types of defence. The first step of defence will be blocking it on your router, but the second one will be defending by blocking it directly on your HLR. Because, for example, maybe you will deploy another STP and you will forget to put these rules, or maybe the routing will come from a national interconnection and you don't have this filtering rule through it. It's always best to put your filtering not only on the edge of the network but also to put filtering in depth directly on your HLR, because you can bypass filtering at the edges if it's not well done, but with filtering in depth it will be harder to do.

And one really interesting thing to do, since we also have IDS at telecom operators: we are monitoring MAP ATI coming from international. This is really interesting because MAP ATI should never come from international, so if you see them it's like, OK, maybe this GT is compromised, maybe this GT is coming from a firm that wants to locate users. So monitoring MAP ATI: really good.

So now let's take a look at the network exposure part. When we take a look at the privacy leak part, OK, it looks pretty yellow, but when we go to the network exposure part it's a bit more complicated for operators. And why? For example, if we take the United States again, why is it worse on network exposure than on privacy leaks? It's because at the beginning a lot of small operators built their networks, but over time one operator bought another and they grew like that, but
they built the network by buying other operators in other regions of the United States, but it's harder to try to build security when you are buying new operators than when you are building your own network directly. So that's one reason why for the United States, if you take a look at the network exposure level, you will have a larger attack surface than on the privacy leak level. So this is like, you will be able to directly target network elements on the SS7 network of the United States, for example.

So the idea of this is both for operators, at first for countries, to see what the level of security is, and also for users to see, for countries and operators: actually my country, my operator is not taking seriously the notifications from the security community saying there are problems on SS7, you should take this seriously because it has impacts on our privacy, people can track us. So it's also in order to push this. Of course some operators have done a great job at filtering these messages and they have great internal teams that really understand all these problems, but sadly they are still majority, so that's why we are still here and doing this scan, to bring visibility on this domain. Because on the Internet, for example, you had an attack from an IP and you want to know where it is located: you can run a whois, and you have many bots on the net that are scanning and reporting, OK, this IP is part of this range, it has been signaled for these problems. On SS7 you don't have that. So what we want is to make the cartography of the SS7 network in order to bring visibility, for operators to be able to actually react when there is a problem. So that's another goal of this project.

Now, on network exposure we have fewer messages, but still a large part of the MAP messages. SRI for LCS, SRI, SRI for SM, ATI: these 4 messages will give us the MSC or HLR GT. That is interesting to know because you will already have real GTs, real GTs inside the ranges of
the production network. You have MAP Send Authentication Info. Why MAP Send Authentication Info? Because it's one of the MAP messages where you get the most responses, so you are almost sure that when you send a MAP SAI you will get the HLR GT back. OK? And the last one is the TCAP scan. This one we developed ourselves. It sends specifically crafted TCAP messages to be able to scan GTs in large ranges by incrementing on the GTs, but also on the SSNs, because SSNs are like TCP ports. For example, for the HLR the SSN is number 6, for VLR and MSC 7 and 8, so every network element will have its own SSN. If you want to discover the whole SS7 network you will have to start doing things like that. You will have 2 responses on the TCAP scan: a TCAP abort or nothing. A TCAP abort will usually mean that there is something behind this GT.

A little recap also on the network exposure: where we got the most responses is the TCAP scanning, because we can go for large ranges. Really useful. And now the recap part. Sorry.

So as we discussed, SS7 has been looked at for many years, since 2007, one of the first public presentations, up to now, 2014. There have been more and more presentations, because this year it's 5 presentations on the subject, and it's a 20-year-old technology. So actually the vision on this network is coming now, but it's really an old network, and what happened, for example, with SCADA before will for sure be happening with telecom, because it's an obscure network but more and more people are discovering it.

So we make a quick recap of the last presentations, and from all these scans on the net we are able to gather statistics for the worldwide exposure of operators, to be able to see, for example, for the location of a subscriber worldwide, what percentage of operators are vulnerable, and for call interception also how many operators are vulnerable, to see how much work needs to be
done still. Thanks to all these scans we are able to see this and to see the evolution. From now on we have a base of results, and by running the scan continuously we'll be able to see the evolution of the whole roaming infrastructure ecosystem.

This is really huge, because you see that 72% of the operators that we scanned were vulnerable to precise location, so getting the cell ID or getting the GPS coordinates of a subscriber. This means that there are a lot of companies doing tracking, but if you get any SS7 access, even with a non-trusted GT, not in IR21 ranges, you will also be able to do precise location of subscribers on 72% of operators. OK. And for call interception, 66% of the operators. It's huge, because it means that from international you will be able to intercept the calls of anyone.

So from our point of view it's good, because we see that security is actually bad, but from the perspective of the operator, because it can see exposure change over time and see publicly that, OK, people see that things are actually moving and things are changing for our security, so the changes don't go unnoticed.

This project is still in a research phase, so we release a website with only countries. There are things that we are going to improve, like the ratings, and also mapping more kinds of vulnerabilities; we saw on the maps that some are to be announced, for example; and also giving a vision on the evolution of the security of these networks. And of course what will also be very interesting is to develop partnerships with operators in order to get more different views on the network, because as we saw the network is very diverse, there are many oddities, so the more points of view we have on the network, the more vision and the more quality results we will be able to give back to operators, in order to better describe this network, basically, because now it's very obscure.

Yeah, for the moment we have three interconnections through different
operators, so it's already really interesting for us to get the differences between the three interconnections, but with more interconnections we will get more results, since maybe we don't get all the responses because we don't have all the roaming agreements with a good operator. So yeah, we are open to partnerships with new operators, of course.

So we talked about SS7. Now operators are interconnecting for LTE using Diameter, so the next step is of course a Diameter map that will be mapping the roaming infrastructure, not the SS7 one but the LTE one. LTE is a bit better than SS7, but there are still a lot of vulnerabilities that have been put from SS7 into LTE. This work is still in progress for us; we are doing a lot of work on LTE, so we will announce new things on LTE during this year.

Yeah, because one thing that we see is that the people who learned from all this roaming culture in the operators are sometimes not put in the new roaming teams that are handling the operational side of LTE roaming, so it's more IP guys that are put on the Diameter protocols. OK, but the guys that learned a lot from SS7 roaming are not transferring the knowledge to the guys that will handle Diameter, and all the logical aspects of SS7 are kind of transferred to Diameter, so many attacks are logically the same. So yeah, that's one bad point that we already saw, but it's another subject.

OK, thank you for your attention. SS7 map is online right now at this URL, and if you have questions we also have a mailing list available.

Did you see the messages? Yes. If you have questions, please line up at the microphones that we have here. I know that we have a question from our signal angel, questions from IRC. Signal angel, please. I don't have a problem. Microphone?
OK, we have a question on the remark from IRC now: it's very good work. You mentioned that your probe was in partnership with an operator. What are your strategies for opening new ones or expanding existing ones?

Can you repeat, please?

First, they said that you did a very good job, and they said that you did your probes in cooperation with an operator; whether you have plans or strategies to get new partnerships or to expand your cooperation.

To expand our cooperation, the best way to do it is, like, operators want to be more secure, and what we offer them is to work with them in a real partnership, to help them have more security, and helping us scan the networks helps them too, by giving them the information that we get from the scan to increase their security. For example, when they have an issue and they have a GT that they identified as a source of attack, we can come and see, can we find this GT in these scans, and then we develop and we react. And also, if they are in partnership with us, we go and validate all this probe that is sending messages, and we see how it works and how it will increase their vision on their networks and on the worldwide networks. Because normally it's already a big step for them when we give them a map of their own network: "Oh, my network looks like this." OK, they manage the network, but they don't know what it looks like on a real map, because there are no tools. It's not IP, where you can make a map of the network; here you have to have custom tools, because the protocols, everything is custom. So it's really something that we give.

OK, thank you for your very detailed answer. Microphone number 4, please.

You said about the GRX network that you can find the IP ranges on the public internet, so you can scan them and maybe find vulnerabilities. When I worked for a telco, in our case this range was used for the 3G customers. It was the same as for the GRX, so it was all routed the same, so even if you scan this GRX, pseudo-GRX network, you just scanned our customers and you did not get vulnerability data. So just to note. And we decided maybe it's a better idea not to use this range for our customers. And did you give the data of your scan for 3G to the telcos?

To the telcos we gave statistics on their own network, but not too much data. We can talk about that with them directly to give them more details, no problem. But for your remark, for example, when you see the talk from KPN, they disclosed a scan of the GRX and they found 1000 IP ports on TCP, mail, DNS services on the GRX IPs. So maybe on your network you do it well, but a lot of networks don't do it well.

One last question: do you already know about the GTs, the malicious sources, from this scan?
Yes, it's mainly feedback from operators, because when you scan, actually you will not see the GTs that are attacking, because it's an active scan. So it's reports of attacks from operators, so it's different from the SS7 map. There are also telecom IDSs that give us feedback, like ATIs from international, so that will be more positive, but it's not for the SS7 map, the direction of the GTs that are malicious.

Microphone number 2, please.

Just a small question: can you give us a preview or something? The USA is quite interesting, or a European country or something. Thank you.

So for the GEM, for example, we have 4 operators, so that's the coverage that we have. Sometimes we don't scan all the operators of a country; here we have all of them. So for the privacy part it was good; the network exposure, there is still room for improvement. So for the privacy part, they are blocking a lot of messages, so ATIs for example, like Carsten and Tobias, but not all the messages are blocked. But it's important to keep in mind that it's still a work-in-progress project, so we are going to be improving our scanner, our scan engine. So the goal is to bypass the protections, because each time we have appreciated how they protect the networks, so we try to bypass them to get vulnerabilities on the networks.

But so here, quickly: here the number 2, for example, means 2 different messages that allow an attacker to get a subscriber's location. So that's not good; that's why it's in blue. So we have colors on that. So when it's blue, it's not bad; when it's blue, it's not bad, but it's not...
So, of course, the ratings are relative to other operators. We couldn't put everybody in blue, it's not bad, so it's a bit adaptive, and we are also hoping for feedback. But I believe you are here; we can discuss if you also have...

Microphone number 4, please.

Hello. You talked about subscriber exposure, but is there also an exposure of network data, so that you could tell the number of subscribers or...?

So there is an exposure of network topology data. So when I talked about the ratings, I talked about 2 categories: the privacy level, which is here, and the network exposure level, which is here. So these are the 2 categories, and then you have the subscores. So for the network exposure level we have the surface, which is the number of network elements that we can discover, and then the fact of whether we can fingerprint them or not, that's the second one, and then we have a potential change of post-paid status, that is to say...
and here it's quite low, so that's good. It rates the fact that someone can modify the data on the infrastructure, on the subscriber plan directly, so going, for example, from pre-paid to post-paid. So that's the vulnerability for the network here.

Of course, but in the protocol, are there no extensions for, I don't know, attach or for routing or something?

There are extensions for the protocols, the SS7 protocols, like the MAP extensions, and this data is not processed and normalized in a way that we can pursue, because there is a lot of processing before getting a score from the scan. So it's coming; it's the work in progress that we are doing. But for now, this is what we can present, because we are sure of the data, and we screened out everything that was specific. So the goal was really to give a good overview, which was not with good data for everyone. So we are still missing countries, for example, but that will come, and there are countries where we have fewer answers, so there are countries where we are more confident. It will be, and we will get a full map with a full view on this, and then, in 6 months, after discussions with the operators, there are the operator ratings.

Are there more questions?
There is one at microphone number 2, please.

Suppose I have a Dutch subscription and I am in Germany now. How do I interpret your risks and your results? I assume that the worst of them will apply to me.

That's good. So I go back to the country, Germany. So that means that you are a subscriber, so you take a view on the privacy, which will directly affect the subscriber, which will be the privacy level mainly. And OK, you can see that for you it's possible, because the German operators don't have, for example, one of the MAP messages that gives the location with a level of privacy, so the ID, but still you can be located from the point of view of the region, because the two, the first line, that's for the point of view of the region. So even if it's not the worst, one will be able to locate you, to get your post-paid status, and maybe to change your subscriber plan. So what will change the subscriber plan, he will have to do, and that's what Toby did in his presentation; he was going to Germany and it was his message.

I assume that there is no vulnerability in the hérex system where I am a customer.

That's a good question. So speaking of Germany, this applies to the German operators, not to visitors. So when we have statistics on the security of visited countries, we show it, but for now it's for the home network.

That is to say, if I am in France, then the security for my SIMs will be the only one for the friends. Thank you.

More questions? No. Please, thank you.