Moderator: Okay, all of you guys, I'm sure, own a mobile telephone, so this will all be highly relevant. We are proud to present Karsten and Luca, who are talking about the much overlooked defensive side of mobile phones. Take it away, guys. Random applause please for Karsten and Luca.

Karsten: Good evening. Honored to be here for the third year on the same topic. I promise it will be the last one, but it will be a conclusive one. Pleasure to be here with the fabulous Luca Melette, who will conduct the technical demos during this talk.

The last years we discussed attacks on the much outdated but still very widely used GSM network, supposedly three billion people using this technology right now. Today we want to turn to the defenses and conclude what networks should do, or should already have done, to protect you and your privacy much better than they have in the past. Remember, this is a 20 year old technology, so a lot of it is broken. However, the people designing this have worked on fixes, and now it's time to roll them out. So we will focus on how to defend GSM communication from both the network as well as from the phone.

But we do have one more attack to add; there wouldn't be a Congress talk without one. This new attack is a slight deviation on what we presented in the past. You may recall that cracking GSM keys, the A5/1 keys, is pretty trivial these days with computing power available to gamers in GPU cards. We did use this capacity in the past to show interception of phone calls as well as SMS, but that's not all you can do with it.

To introduce the new attack, let me show you a related case of, in this case, fraudulent activity. This is somebody's VoIP bill. Note that they seem to have called quite a bit to a very strange place; this, I believe, is some little country in the Caribbean. If you look up the details of this phone bill, all these charges occurred within some four hours, so over a thousand times a call to the same number in the same remote location. Clearly this was not the intent of
whoever owns this phone line, but it was conducted such that the person doing it gets some revenue. So this is a premium number. Similar things are observed with mobile viruses. Premium numbers have an equivalent in the SMS world, premium SMS, where you will be charged, say, two euros on your phone bill and whoever owns the number gets one euro out of it; the rest trickles down to all these different operators that connect the call. So there are viruses, for instance on Android phones, that do send SMS on your behalf to make somebody rich. But you don't have to actually get the virus installed on the phone to do something similar.

And with that, let me try to do some connection magic here. There's only one VGA connection this year, so hopefully this will now connect the other computer. The internet connection isn't working.

Luca: Why don't you just take the key from the phone then?

Karsten: I mean, you all believe us that we can crack keys by now, right? Third year. So we'll just extract the key from the phone, from the SIM card.

This is all using the Osmocom software, which you all have come to probably love or hate if you're a mobile network operator: a completely programmable mobile phone. That was used to intercept data so we could listen to the voice calls and SMS, and in this case it again captures a transaction, but now the goal is actually looking very deeply into the transaction.

How does this work? Each GSM transaction is authenticated to the network by the equivalent of a username; it's called the TMSI, temporary identity, it's kind of a temporary username. And a secret key, which acts to decrypt and encrypt all the communications, is equivalent to a password. Knowing both this username and the password, of course, you could do fun stuff that we'll get to in a minute, but first we need to crack those, of course. Does this work, or should we just skip this demo?

Luca: Oh yeah, I have a victim mobile here, and to get the key and to get the TMSI of this mobile,
I'm going to call this mobile.

Karsten: Look, okay, can you bump up the font size?

Luca: Yeah, that'd be great. So now we are just analyzing all the traffic in our cell, but filtering the traffic just to capture the traffic for this specific mobile phone. And now this is kind of a not-to-go-to-jail filter; of course we could do it for all these other phones also, but we choose not to. So the red stuff you see is the call going on, and unfortunately I think the internet is not working. So I have... Sorry, increase the font size? Only on your terminal. Ah, the phone. Sorry. So I have here the key. Yeah, the key. Is it okay?

So I have a modified version of the normal OsmocomBB `mobile` application. This is the configuration file, and here there are some settings for the current cell, the current TMSI, and this is the current key I have here. Yes. So what I'm going to do... note that it didn't change from when we tried to experiment before, so this has been the same key for this phone for a while now. I'm going to start... yeah, yeah, sure, I'm going to do it. Okay, so the firmware is... okay. And now I'm holding this number, right? This is the mobile I'm impersonating. So this is the phone that was called before, and we can just put it aside; nobody's doing anything with this phone anymore. So now I'm going to start a fake mobile. I'll enlarge the font here. Okay, so this fake mobile is in service, without any authentication or anything. So everything is here: the key, the cell and the identity of the other mobile. And now I'm going to call my number. Decrease the font size. I hope this is working. So I start here. The call is going on, and this is a call from that mobile. So yeah, we just impersonated this mobile phone.

Karsten: Do you want to send an SMS?

Luca: Yeah, as well, for completeness. This is clean.
Well, you can see them, if you can hear the sound, and if you look here, there is the SMS I sent. Sorry, my number is this one. We'll come back to that on the computer later.

Karsten: So if any criminal has a business case in initiating a thousand calls on one line, that same criminal should have an incentive of impersonating a thousand cell phones and doing one call each. Why stop at a thousand, right? This extends to whole populations of phones in cities; from an elevated position you can intercept data from some 35 kilometers away. So imagine how many phones are currently active in that range and how much fraud could be conducted. So this finally, hopefully, is an attacker scenario where everybody feels affected. With intercept, a lot of people tell me they never say anything interesting on the phone, so intercept doesn't affect them. Now, finally, this should.

So what did just happen? The real phone made a transaction in which, of course, the TMSI was broadcast, and the Kc, the secret key, was used to protect it all. The 10 euro Osmocom phone recorded that data. The computer, had we had an internet connection, would have broken that key in a few seconds, revealing that TMSI included in the transaction, and those two are enough to impersonate a phone: to make calls and send SMS on somebody's behalf, but also to circumvent authentication methods. Voicemail often authenticates based on the network-level caller ID, so had the News of the World newspaper lived to see this, they would probably have liked us as a new way of accessing people's voicemail, even where the PIN numbers are not weakly set.

All right, this should serve as enough motivation. Let me jump back for a second to ask for more protection on the network. Protecting from this attack is possible in two ways, two completely independent ways.
So one is sufficient to prevent it. Either you take away people's ability to crack your key. That's how a security system should be designed: it uses encryption, so kids should not be able to decrypt things on their gaming machines at home. Now, we're a couple of years away from seeing a deployment of a much better encryption cipher, so we need some intermediate improvement levers to protect people today, and I will talk about a way to improve the encryption quality without changing the cipher a few slides from here.

But there's a second, completely complementary way of protecting people, and that is by requiring a different passport, so to speak, for each call. In fact, the people I talked to that designed GSM, the few that are still around in the community, they designed it such that you would need a different key, a different authentication token, in each transaction. Now the networks grew faster than the authentication servers, and so that changed it to every second, every third, every fourth; in some networks we only see an authentication in one of ten calls; in some networks we don't see any authentication ever for calls, but really only when you switch on your phone or change your location to a different location area.

So the second measure is really trivial: bump up your authentication system such that every call can have its own authentication run. And in fact, that was one of the five ideas we put on our wish list a year ago from today, where we said it's really crucial for networks to change their key on every transaction as a security measure. And we promised a year ago to check on operators this year whether they have actually done this, and also done the other four. So that's what we're going to look into next.

A little bit of background though, so you can appreciate why these different measures are needed and how effective they could be, even short of changing the encryption function to something much better. GSM cracking
equipment, and I'll tell a little bit of a war story in a minute about some actual equipment that I got to see, GSM cracking equipment does rely not just on one factor, on one weakness, this weak encryption function, but on two. They work in the following way: first they intercept a message, just as we did with this phone, and then predict what that message was. Since this is a stream cipher, what comes out of the stream cipher is XORed with a data packet. What the cryptanalysis works on, though, is just the keystream. So you need to reverse the XOR by predicting what the message was, and then, given a clear plaintext, a clear keystream, that then can be used in the cryptanalysis. Cryptanalysis won't be made any harder until we change the encryption function. However, being able to predict what the message was, that can be made much harder. In fact, to network security people, the notion of being able to predict what's inside an encrypted packet seems ridiculous. Why would you even send a packet that's fully predictable, right?
The other side already knows what's in it. But GSM works a little differently. You have certain time slots in which you have to send information, and if you have nothing to say, then you send a packet that says "I have nothing to say", right, or at least "I acknowledge the receipt of your last message, but I don't have anything to say, please send me your next message". So it goes back and forth, and there's a lot of unused space in GSM, at least as far as the control messages go.

So, in a little bit more detail, what would it take to do away with this predictability, the one factor that these crypto boxes, or decrypto boxes, rely on? There are two types of messages (we'll look at an actual trace on the next slide), two types of messages that are predictable. Some messages are just very short and they are filled with filling bytes; it's predictable filling bytes, and if the short message could be "I have nothing to say" and is very short, then the whole packet becomes predictable. There are other messages that carry more entropy; however, they're sent encrypted and unencrypted. Now, of course, that makes it very predictable, even though it may change for every cell or even every call. Now this reliance seems much easier to mitigate; in fact, this can be mitigated with just software updates that luckily are available now. A year ago that looked a little different; it wasn't clear who could supply this software update quickly.

Now, just for completeness, a third vulnerability of GSM, and in particular A5/1, that's often quoted, in particular in research papers, is the fact that it's a bad crypto function. However, this seems to be not exploited by anybody; it got some people some nice publications, but it seems that no one actually exploits the badness of A5/1 beyond its short key size of 64 bits. That should get people thinking when moving to A5/3, which also has a 64-bit key.
So we're not actually moving to that great an encryption function, but a block cipher instead of a stream cipher that still only encrypts with 64 bits, just as a side remark. So it doesn't get better by more than two orders of magnitude, and given Moore's law, of course, the crackers will catch up with that too. So it seems that even when moving to a better encryption function, fixing this problem is worthwhile.

Here's an actual GSM trace: all the messages sent to the phone from the base station at the beginning of a transaction. And you can see basically three different groups of messages. There are the ones that are very short and then filled mostly with this 2B byte: so this one, this one, this one, and this fourth one there. They basically just say "I acknowledge your message, please send the next one". There are other messages that are still filled with this padding byte, because they're not full length, but they carry entropy, so they are not really predictable; they differ per call, these two in this case. And then there are messages that are full. These are control messages where the cell broadcasts its neighbors, for instance, but those are also sent in the clear, so there's no point in encrypting them at all, and if you do, you give attack surface to whoever wants to do the decryption.

Now those predictable messages, the first and the third category, will go away as soon as operators implement two different software-level mitigations. The one was standardized a couple of years ago and is now available widely; the other one was just standardized, based on the critique of GSM this past year, so it's still in the making at the operators.

So operators ask me a lot how effective these measures could be in defeating phone attacks, and they're equally worried about hackers using these phones and their home computers as well as professional spy equipment. So at least some operators have a real draw towards protecting their customers from spy equipment.
There's a large market for GSM spy equipment. It used to be the domain of law enforcement and intelligence, but as prices go down and sales managers get greedy, of course this trickles down to other sales channels, where I would imagine criminals now can easily get their hands on spy equipment. So I did go to this spy conference, the ISS, to see what they have on offer and whether this measure would actually defeat them. And to our luck, nobody in the professional spying-on-GSM world seems to be aware of this development, meaning that at least the entire installed base of GSM spying equipment could be driven out of business by just implementing these two ideas, and then for a few years it would hopefully stay that way. Of course, eventually they would find a way around it, but that's exactly the time frame we need to deploy A5/3 and to make phones well protected on at least a block cipher level.

So the way this will be rolled out is in stages. As I said, the measures that were developed in 2008 are now available from all the major equipment manufacturers, being mostly Nokia Siemens and Ericsson in Europe, so you can get software patches from them and upgrade your existing infrastructure to randomize, as they call it, the padding. This will make GSM spy equipment work much less effectively. There's still an attack surface, namely these very messages, these control messages where there's nothing to be randomized, but the success rate of this equipment will go down significantly, even more so when these additional messages are also randomized. And that's up to really Nokia and Ericsson now to develop, test and deploy these patches to their customers.

Finally, to fully make this equipment stop, the phone manufacturers, not necessarily of this phone but of more modern phones, also need to randomize the data that's sent in the other direction, from the phone to the base station. It's harder to intercept, but in some cases still
interceptable. Interestingly enough, when we all know how quickly phones evolve, we've only observed a single phone that implements this improvement measure from 2008. So soon enough, once the networks deploy the software patches, the phone will become the weakest link in this security chain. But then again, it only takes a few years for all the phones to be replaced with something new, so there's hope that not long from now GSM spy equipment will stop working.

We wanted to know how far down the road of improving GSM network operators already are today, basically checking our wish list from last year, which ever since has grown to some 21 items: 21 security parameters that we think networks should set in certain ways to protect from attacks. It turns out that networks vary greatly in security configuration. In fact, it seems that for most networks, with a few exceptions, parameters that are security relevant are more or less set randomly. One being, of course, the number of authenticated calls we talked about before, which should be a hundred percent. But then as your network population and the number of calls they're making increase, this number is often set down to postpone network upgrades. Also this has an effect on call setup time, which network operators consider their core quality indicator. And do you care if it takes half a second longer to dial a number?
I certainly don't. But they seem to think that's the most important thing their customers want from the network, that half a second of time saved. There are networks, however, that don't authenticate any call, apparently, and that just seems a misconfiguration to me; at least as long as your VLR/HLR, that's these backend systems, have capacity, this should be checked. Now, it looks even worse when looking at the software updates. So authentication existed when GSM was first deployed 20 years ago. The newer software updates, though, the ones that now Nokia and Ericsson have on offer, are only implemented in very few places. And even blocking HLR queries (you may remember Tobias Engel's talk from years ago where he criticized that you could track users over the internet), even long-running vulnerabilities like that are only mitigated in the fewest of places. So there's certainly a lot of claim by operators, "we implement new technology", but at the same time the 2G network that's still exposing people to vulnerabilities is kind of left rotting at the 20 year old level.

We want to change that. We want each and every one of you, plus whoever else is interested in GSM security, to keep checking on your operator and to verify that your operator actually deploys security patches that are much needed. We did collect, for this survey, data in countries mostly surrounding Germany, and let me skip over this for a second and put them on an online map. That map is far from complete. Actually, let me try to access that. So here's a map, gsmmap.org, publicly accessible. This map is far from complete.
So we want everybody's help in filling all the remaining spots on this map, and to make network security comparable among different countries, and among operators within one country. Let me just click on Germany here. You see how widely operators differ. We want customers to be able to compare different networks' security and create demand with their feet by going to where the most secure network is for them. So this is an online tool for you to use, and please contribute data to it. All it takes to contribute data from your location is one of these phones and the software you can download under this link. And then everything else is automatic; it takes a couple of minutes after you've uploaded the traces. Whatever country you upload data from... I'm most interested in these countries down here. They spy so much on their citizens; I'm interested in whether they actually protect them from other countries spying on them, or not. So if anybody is down here with one of these phones, please contribute data.

So the security for each of these networks is ranked in three categories, those are the buttons up here, and let me actually go back to the presentation here. These three categories encode protection against three different attacks, basically the sum of the attacks presented here by different people. Today's impersonation attack: how difficult is it to put fraudulent charges on somebody's account, to access their voicemail and so forth. Second attack, intercept: how difficult is it to listen in on somebody's phone calls or read their SMS. And lastly, tracking people, both globally, through internet-leaked information (where is somebody, as in what city), as well as locally,
tying together transactions you observe based on the TMSIs. So each of these has a number of parameters behind them. And we do expect, and this is the reference for this year, we do expect the best network, the hundred percent network, the one that would get a full green circle, to implement all the ideas we see out there. So we're not asking for anything impossible; we see networks that do it already, and we would like a network that does all these good ideas at the same time. Some networks get close, but nobody actually matches that. So currently each network is vulnerable to these three threats to different degrees. We will update the reference every year to keep chasing them and keep them in a security race that, of course, an operator will have to run as fast as the hackers do. And to my knowledge, next year operators will start deploying A5/3, so by the end of next year you will have to have A5/3 as an operator to again be close to a hundred percent.

So all the software is online to contribute to this, a tutorial as well, so we hope to keep the networks busy in improving. Some already have; we were surprised to see that by January this year one of the German networks had already implemented half of our wish list from December. So it must not take long if a network really wants to improve.

Switching to the last of three acts here. We so far discussed protections that come from the networks, and a little bit from the phone. Basically, whoever supplies us with equipment and service should take care of our security. This still leaves some attack vectors on the network level. The one that's most concerning to me, since, at least from going to this ISS conference,
I understand that this seems to be the bestseller in the spy world, and that is fake base stations, or IMSI catcher attacks, in which somebody emulates your local network, your Vodafone or Telekom network, and then sets whatever security they want on this. And of course, whatever your real network does, good or bad, at that point doesn't matter anymore. So we also want to create some traction towards defeating this threat, and while we cannot completely mitigate it, it's just in the design of GSM, authentication is missing, we can make it much less likely to occur. And with that, let me pass back to Luca to explain how such equipment is working and how we could defeat it.

Luca: Yeah, probably you know the concept of an IMSI catcher. It is basically a fake BTS, and they are used for different purposes. The basic one, for example, is to collect the identity of users in a certain area (point one). So you just install a fake BTS with high power, and all the mobiles see this BTS and they just try to do the location update; the BTS collects the identity and then rejects the location. So the mobile doesn't care about this. So you can easily collect IDs. Another way of using an IMSI catcher is, of course, to make the mobile connect to the BTS and then ask the mobile to start a call that is actually not a call. So you make the mobile enter a traffic channel, and then the mobile waits for the connection establishment, but this connection establishment doesn't arrive. And if you are nearby you can track the signal, since the mobile may be sending at the maximum power, so you can actually locate the mobile. Or even more, you can do an active attack like a man in the middle: you can use a fake BTS that allows the mobile to connect and route the traffic like calls or SMS, and basically they don't use encryption.
So you have some means to recognize it, but normal phones don't care if you are transmitting without encryption. And we are going to analyze all the kinds of threats we have in IMSI catchers. For example, you can see the evidence: the first type of IMSI catcher sends location rejects, so we are going to see if the BTS is sending that. Or, for example, we monitor the transmission power. Or, for example, we see if ciphering is used before and after. So there are some means to recognize it, but maybe we are not using all the features we can, and we started that project. It's still at the beginning, and it's basically Osmocom software with some patches to recognize all these things I said. And we can start the demo, and yeah, the name is CatcherCatcher, of course. Can we switch here? Sure, yeah.

Karsten: So to rephrase that, we want to enable everybody with such a phone to collect evidence that there are IMSI catchers operating in their area, which, you saw on the slide, networks could have done a long time ago by collecting the evidence visible on their side. However, none of them has done so. My suspicion is that they just fear to interfere with law enforcement activity. Of course IMSI catchers are used by law enforcement, but not just by law enforcement, and even then it seems that lawful intercept should be executed in different ways than over the air through fake BTS with lots of casualties. So while the networks don't do it, we want to detect IMSI catchers and other privacy-intruding attacks.

Can you increase the font size? Sorry, font size up. No, not this one, not this one. Okay. So, why we didn't bring an IMSI catcher: of course that would be difficult to operate with so many people around. We want to demo briefly the detection of another type of attack.
Luca: Yeah, that is not in the slides. It's the silent SMS used by law enforcement agencies to make the mobile answer this SMS and to locate the mobile.

Karsten: And a little bit of context on that. In Germany, news broke some two, three weeks ago that a single law enforcement agency here had sent a hundred fifty thousand silent SMSes within a year to track people's location. And the way this works is they have access to transaction metadata; they're not allowed to look into transactions themselves, but sending a silent SMS to a phone creates a line in that metadata database from which they can then deduce the location. So this happened from a single agency a hundred fifty thousand times in one year, so you can extrapolate how often this really occurs in the real world. Go ahead.

Luca: Yeah, what you need is actually the same mobile, you know, and a SIM card from one of the operators you want to monitor. So this is the software that used to be a normal mobile software, so this connects to the BTS, and now the mobile is connected. I want to show you, from the telnet part of Osmocom, what happens.
So once the mobile is turned on, it looks for the cell and then it establishes a link channel, and I'm monitoring the time. I wait until I get some important data like the service I want, then I monitor the algorithm; this is the normal one, but it could be no ciphering, for example. And I also monitor the IMEISV, that is important for... it's important for cracking, actually, but yeah, it's also some identity you are exposing to the network. So this is just a transaction. What I want to show you is this extra menu I created; it's really in progress. So you have here a summary of what the mobile did, so this is something I transmitted, something that the BTS asked of me. For example, this is the power measurement that says if the BTS asked me to transmit at maximum power or too high a power, and in this case it's not; it's a normal BTS. And yeah, this is the log of the previous and last algorithm. This is not correct, but it's the current MCC/MNC, and this is all normal stuff. And you can see at the end there is a flag that is indicating whether the BTS is trusted, not so trusted, or you have to turn off the mobile because you have been tracked. So I'm going to show you what happens if I send a silent SMS. As Karsten was saying before, they are not shown, but normal phones...

Karsten: Yeah, they're processed in the phone and even responded to, but never shown to the user. So nobody really understands why this feature exists on phones, but law enforcement likes it a lot.

Luca: Yeah, so this is the notification, this is my hidden number, and this is the same log, and you can see the flag now is yellow because it's not so good to receive a silent SMS. And then, yeah, it's still in progress. So I hope somebody can contribute, because we couldn't try it with a commercial IMSI catcher.
We have just some equipment, but not a commercial one.

Karsten: Yeah, so we implemented all the puzzle pieces to detect IMSI catchers. However, nobody wants to loan us one, or sell us one. We did implement a long list of measures, actually, and now ask you as the community to continue this project, or help us continue. So these are all the pieces of evidence currently implemented in the software, and this being just a derivative of Osmocom, of course, everybody can continue this research, both through helping us understand how actual IMSI catchers work (we have good suspicions and also talk to people that have built them in the past; however, what we're lacking is actual testing). So we envision people that suspect they're in an IMSI catcher location or being tracked through silent SMS to put their SIM card in an Osmocom phone and let this run for a couple of hours, collect evidence, and then know whether they're being attacked or not. Eventually maybe we can even start a network of such phones that automatically report IMSI catcher activity. I would suspect them, for instance, close to major embassies in any capital, where, you know, they just harvest information from wherever they can. And if you think about where the Bundestag is in Germany and what embassies are around it, they could easily attract all the phones from our parliament, right? I'd like to create transparency around whether that actually happens, now that the network operators haven't done so.

And with that we come to the end of this, hopefully last, iteration of criticizing GSM networks for being too insecure. From now on, you can take up that task and start creating demand. You now have an attack scenario that really everybody should sympathize with; of course they don't want to look through their phone bill every month for premium SMS charges and so forth. You have an online tool to compare different networks and to criticize the weak ones, and still criticize the secure ones.
Nobody implements all the good ideas. You have a way of filling this online tool with one of these phones to create more transparency and reach all the corners of the world that we don't get to go to. As well, over time, networks that do improve in security, of course, should be signaled as such through that tool. And finally, you have software running on Osmocom to defend yourself from attacks your network is not really responsible for. So with all of this, hopefully we can start an evolution in GSM security and make this 20-year-old technology finally become secure. We have a historical chance of driving all this spy equipment out of business, at least for a couple of years, so we get really good encryption. So please help us with this, and thank you very much.

Moderator: We have, I think, about 10 to 15 minutes here for questions, and apparently we have a lot of questions from the internet. If you have a question to ask, can you please line up at the microphones in the aisles here. What I'll do is we'll start with some questions from the internet and then we'll move to questions from the room. Okay. So there were quite a handful of questions on the IRC. First of all, can you spoof any cell phone, or just cell phones which logged in a short time ago? Can you guys keep it down, please, because we are having a question and answer session here. Please be polite and just be quiet. Okay, again, I'm sorry: can you spoof any cell phone, or can you only spoof phones which were logged in a short time ago?

Luca: Well, yeah, you need to be in the same location area. That means some kilometers. I mean, I was in Berlin, some meters away, and it was the same cell, the same location area.
So Same city we say late same city you can spoof another user Spoofing spoofing works as long as the phone is where it was when you attacked it as in location area So location areas are really big cities usually have only a couple of them It still needs to be in the same location area and it must not have changed this key If somebody it does a lot of transaction and you only Correct an early one it may well be that it already moved on to another key, but other than that Most phones are affected Let me sort a bit sorry Where's the bottleneck in the provider companies that prevents the improvement in security is the made of the management Or it's also the technical department. Sorry, sorry Well Each of each of these countermeasures has has a different bottleneck Sometimes it seems just testing time to deploy a Nokia patch. Sometimes it's actually buying a new HLR VLR system Maybe for half a million that then Rams up the capacity of your authentication system to where you need it and then was an a 53 deployment the new The the new encryption function oftentimes a complete new GSM network is needed Swisscom The Swiss operator this week announced that they are actually Creating a whole new GSM network. So it does happen oftentimes to get the network ready for LTE So within this wave will see a lot of a 53 deployment But not in networks that just stick with with the old paid-down equipment Okay. Hi. Hi Jake. Great talk. That was really great. 
I know some places where there's some MC catchers If you'd like to come over to my house or to the bail mansion One way that you can catch MC catchers I've heard is that it's possible to When say US law enforcement comes to Europe to surveil people They forget to switch the country code and the mobile network operator So your phone asks if you want to roam And they've turned off all the other cell phone towers So you'll join their MC catcher and so if the phone is trying to roam it actually in places where it's not That's another vector for detecting it. Yeah Our our threshold was a little higher detecting MC catcher with stupid operators It's possible without much technology, but we want to go as far as detecting MC catchers That do encrypt so there are MC catchers that do real-time cracking of keys And then initiate transaction in both directions with encryption and they're pretty hard to catch But there's still a few things that they have to do to operate correctly that a normal network would not do And the list is online One one interesting thing here is that I've noticed that the MC catcher at my house Just the one One of them only seems to activate itself for my particular IMEI and So it's a little I mean come on. It's like not even hard to figure out who's doing that But an interesting problem here is that in detecting them. 
There's selective targeting of targets So is it possible for the Osmo-com phone to Pretend to be my Android's IMEI I'm asking that in the most legally ambiguous way possible sure that that's possible I don't think it's it's possible for the for the MC catcher to be perfectly selective So it has to get in touch with all the other phones to reject them first and this reject Of course is observable and very atypical for GSM And another vector is if you call 911 a lot of these will actually kick you off of the MC catcher and Allow you to associate with the tower nearby so that the 911 call won't go through the MC catcher So there'll be no trail that leads to law enforcement in looking at other law enforcement agencies that that's missing on the list Yeah, so don't forget when when in doubt call 911. Thank you Okay, you're next Hey, you mentioned that some phones support these handheld encryption improvements Would you like to tell us which? manufacturers are doing that and if there's anything that we as consumers can do to encourage more manufacturers to do that sure yeah so modern phones Pretty much all support a 53 cipher that only started some two years ago though So a lot of deployed phones don't understand a 53 There's one phone however that claims to be supporting a 53 and if you try to initiate a transaction with it it can't because it Was never implemented like some if else was was switched around now this phone This very one phone is responsible for at least two operators to hold back the a 53 trials because those Users of this phone would stop having servers. 
So there's a little bit of confusion The the manufacturer of that phone supposedly now pays for the patches so that Nokia and Ericsson can detect this phone and know It doesn't understand that it takes a few more months The second security improvement that phones desperately need even before a 53 deployment Is the the uplink randomization and the only phone where we have ever observed this is the latest blackberry bold 9900 I think the number is Every other phone even though this is a three-year-old idea does not implement that Now I would be surprised to find that the blackberry bold has a chipset that no other phone uses So at least Qualcomm or one of these chip manufacturers must have implemented it all the other phone companies just forgot to switch it on So US customers can demand that as a feature Not saying you should buy blackberry, but at least tell Apple that you also want that Okay, we have time for one more question from the internet, but this gentleman here first if you spoofed a Wicked James mobile phone is it also possible to intercept incoming phone calls for example by answering faster than the original phone? Yeah, the problem is right You have to be quicker than the normal user, but you can actually I tested it and Unfortunately Osmo commies a little slower So you don't have to be faster as in pressing the button faster the phone actually has to be faster and acknowledging the incoming call and Osmo con isn't faster than any phone right now Okay, um one more one last question from the internet Yep How much security does implementing a 5 3 actually give us and what about 3G? Well, this is a different different question because 3G is already present on all these phones. We impersonate well most of them anyway We can still spoof it on a 2g network. 
So adding a secure network Doesn't always help as long as you don't remove the insecure network a 5 3 the encryption cipher that's already used in in in 3g was a longer key size though potting that back to GSM of course greatly improved the resistance Against impersonation and intercept, but only for phones that support it These will be most newer phones, but there's a lot a lot of deployed base out there that that will never get a 5 3 anymore So protecting those also requires all the other measures even if we could have a 5 3 overnight But given that this this one phone now holds back the if I have three deployment Implementing all the other measures is worthwhile anyway Okay, it looks like you've successfully managed to batter the internet into submission and the room as well So can we have a big hand please for