Welcome, everyone. I'd like to welcome Cathal McDaid. He is an expert on core mobile network signalling security, so he knows everything about the SS7 network interconnection standard. His recent achievements include the discovery of the Simjacker vulnerability. And that was not the one where you just call your phone company and say, "Hey, I lost my SIM card, please send me a new one." It was, or it is, an attack which runs in the background, like a silent SMS, taking over your account for a short period of time. He has worked for years, almost decades, in the field of telecommunications, messaging and security, and is also often a contributor or a guest at different information security events worldwide. So we will switch over to Ireland in a moment to hear about how surveillance companies attack mobile networks, not only in Europe but in many different parts of the world, for example in South America, and how they try to track the location of mobile phone users and also take different measures to use the phone for a certain amount of time. Within this talk we are up to analysing the data being used. Enjoy the talk, and see you for the questions and answers in the follow-up.

Good afternoon, everybody. Welcome to the presentation, Watching the Watchers: how surveillance companies track you using mobile networks. My name is Cathal, I am CTO of AdaptiveMobile Security, and what we do is help mobile operators around the world defend their telecom networks. Today I'll be taking you through the world of mobile surveillance companies, seen from our experience in detecting and blocking them. I'll be explaining what they do, how they do it, how they've changed over time, and what we can expect from them in the future, along with plenty of examples. Interestingly, this is actually quite a topical subject at the moment. Surveillance companies are often in the news.
These three headlines are all from this month, December, and all cover roughly the same area: how surveillance companies are using mobile networks. And there have been many other headlines in the previous months and years. But before I jump into the details of these surveillance companies, it's worth remembering how we got here in the first place and why we are discussing this. Today, almost every network around the world uses 2G or 3G network protocols, and the way these networks work is that they use a protocol called Signalling System 7, or SS7. This is the backbone network which allows mobile operators to communicate within their network and between mobile networks, and which allows you to roam (when we used to roam), send text messages abroad, make phone calls, be connected and so on. As many of you are probably aware, there have been a lot of reports of security incidents with this over the last couple of years. These all stem from one key assumption in the development of the SS7 network: it simply assumes trust between every mobile phone operator around the world. The network was designed at a time when everybody assumed that only those who should have access would have access, simply a trust model. As it turns out, this hasn't been the case, as there have been some connections which have abused this trust. Interestingly enough, the protocol which has replaced the 2G and 3G networks in many places, the 4G network, also suffers from the same problem. This protocol is called Diameter, and the same trust issue exists, in that it also assumes that everybody who is connected should have access and will not do anything malicious. So this is one small key takeaway. It is often said that the problem with the mobile phone networks is their age, that because they were developed in the 70s or 80s or 90s, they weren't designed with security. Well, a protocol designed in the 2010s also has the same problem.
In fact, it's even slightly worse. So the problem itself isn't so much the technology, it's the trust and security assumptions made in building the technology at the time. Keeping in mind the security implications, we can now look to see who is actually exploiting this trust model. Well, we see three main types of exploiters. One, the surveillance companies, who we are speaking about today. Second, governments. Here is a screenshot from a report from the Ukrainian regulator. This is from 2014, and it was one of the key events in pushing the development of signalling security. This is a report they issued concerning attacks or malicious activity which they observed coming into their networks from what they believed were Russian sources in 2014. And finally, of course, and not unexpectedly, criminals, whom we've also seen exploiting these networks. There is some overlap between surveillance companies and governments, as you might expect. Governments are often the customers; they want to buy this equipment from surveillance companies. But sometimes governments may try to build this technology themselves rather than rely on surveillance companies, and when they do, they often use some of the same sources and entry points as surveillance companies. We also see a small overlap between criminal activity and surveillance companies. Again, sometimes there is an overlap in the sources and in how they gain access to these networks. An important thing to keep in mind about surveillance companies is that they have very large resources; they get paid a lot for what they do. And these large resources translate into complex attacks and quite sophisticated technologies. We'll see this as I go into more detail about how attacks are executed. So attacks, and how they are executed, is a very interesting point, because it's not always apparent exactly what is an attack over these signalling networks. The first thing to keep in mind, though, is that the industry is very different from 2014.
Since 2014, we in the industry have been recommending ways for mobile operators to protect subscribers and their networks. The key outputs of this are a series of recommendations, or standards or documents, if you will. For the 2G and 3G network, which uses SS7, the key document is called FS.11. And for the 4G network, which uses the protocol called Diameter, the key output is a document called FS.19. So what operators around the world do is take this information and then work with mobile security companies like ourselves or other vendors to put in place protection, firewalls and defences based on these recommendations. One particular thing to keep in mind, though, is that this is just a starting block. When they apply these recommendations, they find that the vast, vast majority of traffic, SS7 traffic in this case, is completely normal. But there's a very small percentage, in this case 0.04%, which we see as irregular or suspicious. A very important thing to keep in mind, though, is that irregular or suspicious does not necessarily equal malicious. When you actually look at this 0.04% of traffic, the vast, vast majority of it is just noise: misconfigured nodes around the world, local specific configurations, and so on. The vast majority is not actually malicious. When you investigate this in detail, as we believe you have to do, you find that a very small percentage of that 0.04%, 1.37%, is actually malicious. And this is an important point: not everything which an operator may block may actually be regarded as malicious. A lot of it is just noise which they're blocking, primarily to be safe and to be certain. It can take a lot of experience and a lot of analysis to determine what is malicious versus what is simply irregular, and it can be quite easy to make mistakes.
Sometimes you read headlines of huge attacks using the SS7 network; in many cases, what's happened is that the person analysing may have regarded all this type of traffic as malicious, but that isn't the case. It's simply irregular. In this report, in this presentation, we have focused primarily, and in fact exclusively, on what we regard as malicious types of traffic. So, looking at the traffic itself, let's look to see who generates it. One question we get asked is: what do mobile surveillance companies do? In our experience, surveillance company activity breaks into two main areas. When it comes to SS7, mobile surveillance companies spend most of their activity, 60% of their activity, harvesting information, and then roughly about half that again, about 30%, doing the actual tracking. I'll show you how that ratio often shows up in real life attacks soon. They also spend a certain amount of time doing testing, as well as a small percentage of time doing actual interception of calls and text messages. You may expect that to be larger, but that is not the case; the vast majority of the time, surveillance companies are doing tracking, or they're doing information harvesting. And the reason for the information harvesting is simply to help their location tracking. This is, as I mentioned, SS7 activity, which is the 3G/2G network, but for the 4G network they also use the protocol called Diameter. I haven't shown that in these stats here. Their malicious activity over Diameter has been quite small in the past, but we have seen a large increase in it recently. And for one particular surveillance company, we also see SMS activity, and I'll go into more detail about that soon. So how is location tracking done via SS7?
Well, first of all, if you want more public background information, I really recommend you take a look at two presentations from an earlier edition of this congress, 31C3, by Karsten Nohl and Tobias Engel. They give a very good overview of how these attacks are executed. But from a high level, there are two different ways of doing this. A direct method, where an attacker will query a node called the HLR: the attacker sends in a phone number, which is an MSISDN, and gets back a cell ID. Or an indirect method, where the attacker will first use the phone number to get some background information, in this case the IMSI and an MSC, and then uses that information to query a node deeper in the network directly to get back the same information, a cell ID. These two parts of these attacks, the main part of method one and the second part of method two, are the location tracking part. But the part beforehand in method two is called information harvesting. Now you may ask, why does an attacker do this at all? Why use method two when method one is more direct? Well, this is because things change. Mobile operators are putting in defences, and now it's a lot harder to do method one. Surveillance companies have essentially a toolbox of commands that they can use. There are three main commands that they can use in the SS7 network, ATI, PSI and PSL, which stand for the information in the table here. From their perspective, there are pros and cons to using each of these commands, and their primary decision-making point is often down to what will work in the operator that they are targeting. This is mainly based on what defences the operator has. To show this directly, we have this graph here. Here I've plotted out on the two axes two main pieces of information. The bottom axis is the possibility of this attack being blocked.
And on the left axis, the vertical axis, the amount of information that an attacker needs to have to be successful. You can see these three previous commands spread out like this. This shows the amount of information which an attacker might need on the left and, like I said, on the bottom, the possibility of the attacker being blocked. Where an attacker really wants to be is in the bottom left segment, because here it's more likely that their attack will be successful, or less likely to be blocked, and they need to get less information. So we can see that for ATI the possibility of it being blocked is quite high, but the amount of information that the attacker needs is quite low: it just needs a phone number. Whereas for PSI, in the top left, the amount of information the attacker needs is high, it needs the phone number and more details, but the possibility of the attacker being blocked is less again. So you can see there's a distribution, and there are choices to be made by an attacker. I'll show those choices and how a real life attack actually occurs. Here is a real life attack from March 2018. In this particular case, there are several stages of the attack. First of all, there's an information harvesting part. At this point in time we saw two attacks, two packets, come in from two sources in the UK Channel Islands. These are two operators, Sure Guernsey and Jersey Airtel, and they used a command called SRI-SM. This is a standard information harvesting type method. Then there was another information harvesting using two different types of packets. These, confusingly, look very similar, but they do slightly different things. Again, from the same sources. Then we saw a third series of information harvesting. Again, two SRI-SMs from the United Kingdom, but also one packet from Cameroon. And then finally, at this point, we saw the actual location tracking attack.
Here we see four ATIs, one from Jersey Airtel, and then ones from Cameroon and Israel. It's important to note that in this particular case all these attacks were actually blocked by the operator, so no information was retrieved, and the ATIs towards the end were more an element of desperation from the attacker. Also, this is all within a five minute period, so you can see the sequence of attacks is relatively quick between all five. In this particular case, the attacker was in quite a hurry. Why was he in a hurry, and who was the actual target? Well, this is actually what occurred. We subsequently learned that the targeted mobile number was associated with this person, Hervé Jaubert, who was a French former naval officer and marine engineer. And the aim, we believe, of the attack was to see if the number existed and, if so, its location. This is a video of the Nostromo, a boat which this person was believed to be on at the time. There's quite a bit of discussion about the geopolitical events around this case in this article, and for more details I encourage you to go to the link to get the complete story of what actually occurred around this time. So that is the SS7 network. But now let's look at how it happens in other networks, particularly the 4G network, which uses the Diameter protocol. This is very, very similar. Again, there can be a direct method, in which case the attacker can use a command called UDR and retrieve the cell ID from the HSS, or an indirect method. In this case, there's nothing to stop the attacker using an earlier packet from an earlier protocol, in this case SS7, to get the information, because this is simply the information harvesting phase. So assuming that they do this, they harvest information using this command, they then use that information in an IDR command, and retrieve the cell ID from the targeted network. Again, two methods; location tracking is the key part to receive information.
But information harvesting is really the prerequisite piece that needs to happen when the target's network starts putting in protection. So again, there's a toolbox of commands that the attacker can use, and as you can guess, each one of these commands also has pros and cons as to whether it can be used successfully or not. To show that again visually, with the same graph, I recreate the three commands which you saw earlier for SS7. If I plot these three Diameter commands, we can actually see that they occupy somewhat the same or similar positions as the SS7 commands. The two in the bottom right, PLR and UDR, are the types of attacks that an attacker would want to use in an ideal world, because they require less information. But these are much more likely to be successfully blocked by an operator from the start. So in many cases, what the attacker ends up having to use is a command called IDR, which is in the top left: they need a lot more information for this to be successful, but it's harder for an operator to actually block. So what do these look like in real life? This is a real IDR command which we saw actually just a few weeks ago. In this particular case, the command is Insert Subscriber Data, IDR. And where is this coming from? Just to keep the theme going, this actually originated from the Jersey Airtel network again. The destination of this is, first of all, a subscriber, a username, and a destination network somewhere in this region; this is in mobile country code geographic region 5, which is the Asia Pacific region. In this particular case, they're requesting the current location. So there is no reason why a network in the Channel Islands should be requesting the cell ID of a subscriber who is in one of these networks, but this is what we actually see in this case. And this is a location tracking request over Diameter.
I'm showing again the Channel Islands, but there are multiple networks which are the sources of these attacks, as we see over Diameter. One important thing to note is that I've shown you 3G and I've shown you 4G, but surveillance companies don't necessarily think of the world that way; they see mobile technology as the tool, not as a path. To recap, surveillance companies want to target their targets, obviously. What we've seen over time is that they can execute SS7 attacks using the 3G protocol. What can happen then is the mobile operator will start putting in place protection, and they'll put in firewalls to prevent these actual types of attacks. Then over time the surveillance company might switch to 4G and use the Diameter protocol. And again, what will happen eventually is the mobile operator puts in place defences to block these types of attacks. So what you might expect in the future is maybe that the surveillance company might use variants of these attacks, different ways of doing it, or eventually might move to the 5G protocol. And again, our mobile operator will put in place firewalls, and we just get a protective wall to protect us. Now, it would be brilliant if the world worked like this, but surveillance companies don't think in a linear path. From their perspective, all they care about is the target. They don't care what technology they use, and they are not beholden to development plans and technology schedules. They just want to get information on the target. So in this particular case, if they can get sources for their attacks within the network, then that becomes a very valuable thing for them to aim for and a very valuable tool for them to use. And this is what we've seen with this next type of attack, which we've seen the attackers use.
This is an attack we call Simjacker, and this is why it's so valuable: it allowed them to essentially bypass the plans and the processes of the industry in defending against surveillance companies using mobile technologies. So to step back a moment, what exactly is Simjacker? It's essentially a vulnerability which we reported last year, 2019, and it uses a vulnerability in a SIM card library. The SIM card library is called the S@T browser, pronounced as SAT browser. The problem with the S@T browser is that it did not validate or authorise any source SMS that it received. So this vulnerability could be exploited by text messages. Once a text message was sent with S@T browser commands in it, it was then allowed access to a subset of what are called SIM toolkit commands, which are on the mobile device. We issued a very detailed report, an over 40 page technical report, which is free online from www.simjacker.com and which I recommend you read. We found when we analysed this that this vulnerability was present in several hundred million SIM cards around the world. And we could see, and I'll show you examples, that it was actively exploited in these three countries in Latin America. We shared a CVD, a coordinated vulnerability disclosure, within the mobile industry mid last year. We reported some information in 2019 before giving more technical information in October 2019. That staggered approach was to give time for mobile operators to put in place defences and to see if they were actually affected or not. The key thing about Simjacker is, one, it was a huge increase in complexity. It was the first recorded spyware actually sent within an SMS. There have been some rumours and reports from leaks from the NSA of this type of capability, but this had never actually been seen before in real life.
But as well as this, it was also a huge increase in capability, and allowed one surveillance company in particular to do a lot more than what they had been doing in the past, and possibly to achieve a lot more results and to offer new services to their customers. So here is the flow of how this actually works. In this particular case, for a surveillance company to do a Simjacker attack, they don't need SS7 access. They don't need to buy expensive equipment. They don't need to buy links. All they need is a mobile device. They take this mobile device and they simply send a text message with a series of commands in it to their target. This text message is then forwarded on to the target and is received by the device. When the device receives that text message, it actually gives it to the SIM card within the device. And then the SIM card takes over, and this is where the term Simjacker came from. The SIM card will then instruct the device to provide information, in this particular case cell ID, and this information is sent back to the SIM card. The SIM card also requests a bunch of other information as well, such as the type of device and more attributes. Once all this information is received, the SIM card will then instruct the device to send out a text message. In this case, the device will send this text message directly back to the surveillance company and their mobile handset. So SS7 is used, in that all SMS use it, but there's no need for expensive access. There's no need to try to gain, or try to avoid, SS7 firewalls or Diameter firewalls. They're simply using text messages here to initiate and do the attacks. So this is the location tracking part of the command. But in fact the whole sequence, from start to finish, is a whole location tracking phase.
Again, if you want more information about this, I really encourage you to check out the paper on simjacker.com, because it goes into far more detail. What I've shown here is method one, sent from handset, extraction to handset. The surveillance company used many different methods. Sometimes they extracted to an SS7 node. Sometimes they sent from other types of links, and used multiple methods to try to avoid defences. But this, in its most basic form, shows you how they actually executed this attack. Again, a toolbox of commands that the attacker actually used. The great thing from the attacker's perspective here, their pro, is that they don't require any SS7 access. All they require is a phone number, the phone number of the target. Now the con, also from their perspective, is that they needed the destination, the victim's handset, to have a SIM card with this browser on it. Your SIM cards, the vast majority of European SIM cards, don't have this library on them. It was a certain percentage; when we analysed it, it was several hundred million. That's a conservative number, but not every SIM card around the world has this vulnerable library on it. So that was a particular con that they had, and also sometimes, not often, but sometimes, some operators put in place security around that. So the default deployment of the library was vulnerable, but sometimes some operators had made some changes to make it non-vulnerable. So this is a con from the attacker's perspective, in that not every mobile device around the world had this library present. So if I take my grid again, and the distribution of these attacks: if I can say that SS7 is distributed this way, and then Diameter is distributed this way, one way of visualising a Simjacker attack is very much in the bottom left quadrant, because the possibility of it being blocked was actually quite low.
It requires specific logic and algorithms which most operators may not have had in place. And the amount of information that it required was very, very low. Again, all it required is a phone number. That aspect is, of course, on the presumption that the targeted number had a SIM card which had the S@T browser present on it. If there was no S@T browser present in the target SIM, then it wouldn't be valid. So now I'm going to go into details about a particular attack. I just want to note, before going into examples, that the vast majority of Simjacker attacks which we saw were sent from a handset to another handset. As in, the attacker would target you, and once your phone registered it, it would send it back to a handset which would normally be within that network. But sometimes what we saw is that they would try to extract via an SS7 address, and this is the case I'm showing here. Essentially this is an attack we saw a few months ago. The destination is a Mexican phone number. It is incoming. The message has been sent from a Mexican mobile as well. So this is a mobile to mobile, a handset to handset, type of attack. Here we can see the actual payload. The STK protocol indicates this is the S@T browser payload, and within it is a request for a series of information. The one that I've highlighted here is requesting location information, but there's also a request for IMEI information, which is the exact type of the actual handset. Once all this information is received, there's a concatenate command, which you see there, and that means it is all put into a blob, and then this blob is sent outwards using the send short message command. So this command instructs the handset to send out another text message with all the information which has been received.
And this information will be sent to an SS7 address, which again is registered in Sure Guernsey, and for those keeping track, that's actually the same SS7 address, what we call a global title, as in the attack which I showed in the SS7 example. This type of information is quite useful for us sometimes to do correlation and association of different types of attacks. You can probably see this looks quite complex, and it's certainly a more sophisticated type of attack than what we see over SS7 or even Diameter, and a lot of work, a lot of effort, has gone into putting together these types of attacks. What it does do is really open up the avenues for the attacker, because, like I said, they don't need SS7 access for this. In my own case, once we reverse engineered these types of attacks, it was quite a sobering concept to realise that I had the ability myself to track potentially several hundred million people just by using text messages, and this is before these mobile operators put in place detection and blocking of these attacks. So it's certainly a very, very powerful technique. Stepping back a moment and going back to generalities, I've shown you the Simjacker type of attack. Well, we ask ourselves, how does Simjacker relate to SS7? This is data from the second half of 2019 and the start of 2020, and it's from specific operators, between 8 to 10 mobile operators we've taken data from, and these, by the way, are all attacks which have been blocked. We can see that the vast majority of attacks we've seen have been using SS7, roughly two-thirds, and then one-third of surveillance types of tracking attacks we've seen using Simjacker type techniques.
Now, like I said, according to our intelligence only one surveillance company uses Simjacker, but the reason why the Simjacker volume is actually so high is that we've one or two specific operators where the volumes of Simjacker attacks are huge, and these are skewing somewhat our overall statistics. To show you this, if we were to show you the stats from one particular operator, I call it operator A, in that particular case the vast, vast majority of location tracking attacks which we see have been executed using Simjacker, which is SMS, and only a small percentage, 15 percent, has been executed using SS7. And believe it or not, this is a much smaller number of Simjacker attacks now than it was in the past. Prior to the public announcement, and prior to us putting in place active detection and blocking of these attacks, the ratio was much, much higher, many, many times higher, in that the volumes of location tracking attacks using Simjacker were absolutely enormous. The Diameter attacks might be surprising, but we see quite a small, very small percentage, up until the last six months, of Diameter attacks. But, somewhat surprising to me and possibly a sign of things to come, in the last six months there has been a large escalation of Diameter attacks. I haven't shown other attacks in these stats, but in future reports we can show them.
So coming back to the Simjacker versus SS7 distribution, I'll show you why. A working theory that we have behind this obvious mismatch between certain operators is that there are different end users, different types of end users, for these surveillance companies, and this could probably best be shown with the following graph. We're all aware, unfortunately due to COVID, of rates per 100,000. So to build on this, what I've done here is to try to show a distribution of location tracking attempts per 100,000 subscribers in one year. This is a way to show, as an easy reference, the rate of tracking per operator, because some operators are much bigger than others, and as a result, if we show the exact volumes, the actual numbers become very skewed. But you can actually see here it's actually quite standard. I've shown nine operators here, and the SS7 location tracking activity normally ranges between 150 to maybe 50 location tracking attempts per 100,000 subscribers. So this seems quite standard, and it seems quite evenly distributed. But the interesting thing is, if I start to add in Simjacker activity, we see in one particular operator that the amount of observed Simjacker location tracking is huge: it brings it up to roughly about 400 times. And this is actually with us doing this detecting and blocking. So when we go and detect and block these attacks, we actually disturb the system. It's not like Schrödinger's cat, but basically our act of observing and blocking this has caused the system to go out of equilibrium. We believe, from our estimates from analysis prior to doing this detection and blocking, that this was the extent of the Simjacker type activity: up to over 1200 location tracking attempts per 100,000 subscribers. And we've less rigorous evidence, but something we're trying to firm up, in fact we believe in another operator it was actually even higher, even up to around 2000, or possibly above 2000, location
tracking attempts per 100,000 subscribers. So we can see that the actual usage of it was much, much higher in these operators, in this bigger operator. And the reason why we think this, and what this gives us, is a few conclusions. We could say, at least from what we've observed, that SS7, the 2G/3G protocol, is not normally used for bulk subscriber tracking, at least by surveillance companies. But certainly Simjacker was, or is, a technology which was developed and used for bulk tracking of subscribers, and this was one key reason as to why we thought Simjacker was so important: it really introduced a new way for surveillance companies, and new use cases for them to potentially offer. Something else we also see is other trends over time. This is probably also interesting for some: these are the trends of SS7 location tracking commands over time. We can see in 2016 ATI, which if you remember is the blue colour, that's the one that we said is probably the easiest one for the surveillance companies, but it's also the easier one for mobile operators to block, so the volumes decreased a lot from 2016. And then other commands: PSL, which is sort of midway, had a growth in popularity between 2016 and 2017, and now it's really dropped off around 2019. PSI, on the other hand, has increased and has been quite steady, and it's the one that is hardest for the attacker to use. They would certainly prefer not to use it, because it doesn't always work, but it's the only one which they may have any success with anymore, or feel they have any success with. Like I said, these are all blocked commands. One interesting point is you may see two new colours here. This is one called ATI and Provide PSI, and you may say this is the exact same command. Well, what actually is happening here is that the attackers have done a variant; they've tried to basically disguise these commands. They're trying to give these commands a new lease of life, and they're
using a new sort of potential vulnerability called global opcode. If you want more information on this, I also recommend you check out this presentation from Positive Technologies from Hack In The Box in May 2019. But essentially what the attackers do is that they try to bypass protection in place, and if this works, this gives them a new lease of life in the ATI command, because then they come back to using their favourite ATI command, and this time they may be able to bypass any defences that are in place.

So one question we often get asked is: how do these surveillance companies gain access to the SS7 network? Sometimes that is closely followed by: and how do I gain access to the SS7 network? "I" being the person who is asking me this question. So there are multiple methods, and a lot of this comes down to intelligence and research, but primarily there are three main methods which are the most common.

One, as you can guess, is that they pay for the link. This can be quite nebulous and very hard sometimes to track down, but often they will set up front companies: they might set up a front company who then negotiates access to other companies, who may resell access to mobile operators. So there might be multiple links here, multiple layers of who is selling access to whom. This is still not guaranteed to work for them, but it often works best for them in jurisdictions or areas which may have poor regulations or oversight, or companies who may not investigate too thoroughly what these companies are doing once they get access. In many cases they may get access to use for one technique or for legitimate services, and then after a month or two start to switch to use other services which are malicious.

The second method which they may use to gain access is to use Big Brother. Governments, like I said, are the customers of these surveillance solutions, so what they may do is they mandate that the system be installed in the captive operator, or else add directly onto the link, bypassing the operator completely. In this case the operator has very little say in the matter; they've been told to install the system. Or in a lot of countries around the world, the operators might have direct connections to the backbone network, and they can add directly onto the link. This is less common than the paying-for-the-link method, but it can actually happen.

And finally, something that's quite rare nowadays at least, is old legacy connections: defunct companies whose access was not completely removed. This is much rarer, because on the SS7 network every packet has to be paid for by somebody, so it's very unusual to have access to a network and nobody's charging you for it. It's also less of an issue in Diameter than SS7, but it was present in the past and it happened. There are also less common ways that surveillance companies may get access, but I'm not going to go into detail in this presentation.

One particular thing, though, is quite interesting. First of all, as you can guess, the pricing of the access is not very opaque, but from our analysis we can see that it normally costs between two to 10 cent per message signal unit that is sent. But it's very much the case that the more connections, the more access that a surveillance company has over the SS7 or Diameter network, the much more valuable it is, because this means if somebody gets blocked or gets detected, it still has backups, it still has different ways to send attacks. So it's very much in these surveillance companies' interest to have as much access as possible, as distributed as possible.

This also leads to some rather bizarre business cases when you come across them. This here is a graph from an SS7 tracking company, or purported SS7 tracking company, and the prices that they advertised on the web. And this is really much the opposite of what you would expect if you were an economics student, because there were no economies of scale here: they were actually
charging more the more you try to track, and not less, which is quite unusual. But then it makes sense if you consider what they're doing: the more that you try to track, the more that you will be drawing attention to yourself, and therefore the more likely that the link will be disconnected and they would lose their entire business. So from their perspective it's worth more to charge you more, because they are taking higher and higher risk, and not charge you less, even though you're using up more, you're actually paying for more. So it's sort of the inverse of what you would expect, and like I said, not really an economies-of-scale type approach.

So this is surveillance companies today, but we also want to talk about 5G and mobile surveillance companies. Now, I can guarantee you the 5G networks will be targeted for use by these mobile surveillance companies. And again, like I said at the start, age is a number, and in this case newer does not always equal better. The 5G network does solve many security problems on mobile networks, especially on the radio side, and does make improvements on some of the core network side, but it also introduces new risks and new potential problems. Well, for a start, it's more complex, and anything that's more complex inevitably may have more potential vulnerabilities. To show you how much more complex, here's a graph of the 4G network versus the 5G network when it comes to protocol complexity, and you can see it's many multiples of times more complex, both on the number of messages which could be sent, that's on the bottom axis, and within those messages how many different elements. And if you consider each one of those elements may have to be individually inspected and checked, this can make things much more complex when it comes to trying to defend these networks. As well, the 5G networks have new concepts like slicing, mixed networks, 5G networks talking to 4G networks talking to 3G networks, so there are a lot of moving parts, which could mean, which will mean, new areas that mobile surveillance companies will try to exploit.

So one good thing, at least this time, is that unlike 3G and 4G, within the industry we are now defining security from the start for the 5G networks. It's always much easier to put in place security from the start than to try to reverse-engineer in security. But one key thing we have to keep in mind: there's a difference between IT and mobile network security. We already know in 3G and 4G that the vast majority of attacks come from known legitimate entities; they come in from the SS7 network. So unlike possibly IT, where you can just block off certain IP addresses or sources, there's no way one operator can block off another continent, or an operator in another country. So you do have to accept that you are going to be targeted and attacked, and so you need to put in place defences to detect within those flows what's going on. For a good discussion about this, and why 5G in itself won't solve a lot of those issues, please see this blog I wrote within the GSMA, which covered the issuance of a new document, a new series of recommendations within the GSMA on 5G interconnect security.

So finally, the toolbox in 5G starts to get very, very complicated for commands here. I won't go into too much detail. Again, there are going to be pros and cons for the attacker. Unfortunately, as well, they also get multiple new ways to get location: they can sign up for events and subscriptions. So it's going to get quite complex, and there's going to be a lot of work required to detect and block these attacks and try to stop these various companies. Again, with this grid of the previous attacks, 2G, 3G, 4G and Simjacker, if I add in the 5G commands, things get quite complicated, but these are my estimations of the distribution of these. Some of these commands are quite interesting, especially GMLC_PL, but time will tell if these distributions are correct and how often, or what the attackers will try to use, and how and when they will try to use them.

So I've
covered a huge amount of information here in this presentation, and thank you, we've come to the end of it. But there are a few key takeaways I want you to take, and some key conclusions that we could take from this presentation.

As you can guess, and as I've shown you, surveillance companies do exploit mobile signalling networks today, but they're not static: they adjust their techniques based on defences and end users. If you start to read articles about SS7 that say it's wide open, that is not the case for the vast majority of operators. Operators are doing things, and at the same time the surveillance companies are also making changes to avoid these defences that are put in place.

Another key point is that 5G networks are not invulnerable. If somebody says that 5G networks are fully secured, that is not true. There will be opportunities for surveillance companies, and they will definitely try to use them. Like I said, surveillance companies don't care about the technology path. They care about the... well, they don't care about the target, but they care about getting information about the target, and they will use whatever technologies they can.

And again, mobile operators can, and many do, detect and block attacks, and the key to doing this is intelligence. From our perspective, the key thing is that, like many types of security, you can't just press a button and walk away from it. You have to actually look after it, use your intelligence, investigate, because these surveillance companies have huge resources and they will make efforts to bypass and go around any type of defences that you have in place.

And then it comes back to the theme of this presentation: why are we doing this analysis? Well, the reason we do this type of analysis is because if you cannot see what is going on, you can't see how to stop it in the future. So watching the watchers, as well as being interesting, is also critical from a security perspective, because the more you know about what they are doing, the better you are able to detect them and block them. Thank you very much for listening to this presentation. I've only scratched the surface of surveillance companies and their use of mobile networks, but I hope you found this information useful, and I look forward to taking your questions now.

Yeah, welcome back from this presentation. So far, large thanks to Cathal here for this talk, and there are already lots of questions which came in for you. The first best thing about it is: what a great talk, a lot of information and very well presented. We have to thank you for that. And there are a couple of questions. Still on it: is there a list of these surveillance companies available?

Thanks very much for that, excellent question. That's a good question. I'd like to know the answer myself; I could really use that list. So, to be more serious, there are some journalists who've done some research on this, and a lot of them have put up some lists, but there is no definitive list. I mean, everybody knows probably the names that you've heard about, such as NSO, or Circles; Circles is the division of NSO which does this. There are other companies like Rayzone, Verint, companies like that. So there's no definitive list, although journalists have looked at this. One thing to keep in mind, though, about these companies is that a lot of them, we found, I think some of them actually might resell to each other or work with each other, so it's often quite difficult to say that it's one particular company; it was different companies. Sometimes they do have a bit of a coordination or relationship with each other. But there have been some good articles on Forbes on this, some articles recently in The Guardian, and some other information which is out there, which is probably the closest basis any of us have to any kind of list.

And do any companies sell historical geolocation data coupled to mobile phone numbers?

These surveillance companies per se, I don't think that's the business
that they're in. They're more fulfilling a request-response type of business. Selling historical information is probably not what these surveillance companies try to do. We've all heard about these other companies, though, which are building up information on subscribers, maybe taking it from apps and so on, so possibly they may sell it, but these surveillance companies, I don't think that is the business they're in. They're more into filling direct requests from their customers at the time.

So how long is the information gathered during the information gathering phase useful for the attacker? Will it update when the victim changes the mobile cell? Is it constrained by time somehow?

That's a good question. So in the information gathering phase, what they're trying to do is gain things like what's the IMSI, and that really doesn't change too much. However, then they need to know in what rough area the subscriber is registered; that could be the MSC, or the MME in Diameter. That information can change, but not too much, so it does have a lifespan of possibly a few hours, days at least, for part of the information. The IMSI information might last for longer. But the information gathering phase is not just for use for direct location tracking; sometimes they also use it to see if this number actually exists. Sometimes surveillance companies are not fully aware: if it's a surveillance company trying to track somebody, they may only have partial digits of the number, they don't actually have the full number. So they're trying to see, well, they know the first eight digits are this, and then they try to cycle through all the different digits to see what numbers actually exist. So from that perspective, if they do this sort of attack, then they can figure out if those numbers exist or not, and that information also has a fairly long lifespan.

So do they only want to get information on the target, or do they do things like psychological warfare, lawfare, trauma-based mind control as well?

Mind control would be a bit difficult, but the vast majority of activity that they do is location tracking. It's their bread and butter; it's the main thing that they try to do, and the information harvesting part of it is often directly related to it. But there is a certain percentage of time that they do other activities, such as, we have seen, attempts at interception of phone calls or text messages, but that doesn't seem to be their primary goal in doing this. So you could conceivably, if you did interception of text messages or phone calls, get that information, but it doesn't seem to be their primary function in what they're doing. The primary function is to try to track the locations of people, and I imagine, from their customers' perspective, that's what they need to know or want to know most of the time. And then if they do want to get more information, they don't just rely on SS7 or Diameter; they may have other methods to try to get information from the handset, or who's talking to whom. But for location tracking, this is probably their main niche that they see using these technologies for, and they probably think it's one of the better ways of doing it because it's sort of independent of operating system or location in the world.

All right, I just said location tracking. We have here another question: can Simjacker also be used to locate lost or stolen cell phones, or other SIM-using devices, like a lot of cars up to these times, or the new bikes? And is there a restriction in the distance?

That's a good question. So like I said, the Simjacker attack depended on a specific library being present on the actual SIM card. That library isn't present in the vast majority of the world's operators. It's mostly in, again, there's a map in that report, but basically South and Central America and parts of North America, and then parts of Europe and Asia. So let's say
you were in a country that did have the library distributed. You can... it's not just cell ID; we did cover in the report that you can actually request a sort of differential cell ID. You can get a sort of better location; it wouldn't be exactly the same as GPS, but it would be reasonably accurate. However, you know, this is the problem with Simjacker: who's to say that you're tracking your own bike or your own car? I mean, you could be tracking somebody else's bike or somebody else's car, and at that point you're doing location tracking. So it's something... I don't know what the long term is that they plan to do with these libraries in these countries. A lot of them have put in place security, so now nobody can send these messages anymore. So it would be an option, but it's location tracking as a service; it wouldn't be something anybody would be too happy with if this was even sold commercially.

Is there a way to check if my SIM card is vulnerable to Simjacker?

Yes, there is. The good folks in SRLabs actually updated and released an application called SIMtester. That's free and it's open source. You can download that and you can check that against your SIM card, and that will tell you what type of SIM card applications are on the device and what their security settings are. From that you'll be able to tell then, if they receive the text message, whether it would actually run against it or not.

I'm back. The question was: by using this Simjacker attack with STK commands, is it possible to extract keys contained on the SIM card, so the individual subscriber authentication key?

Welcome back. No, it's not possible via that method, because you don't actually have access to the SIM; you only have access to a subset of STK commands. And that's actually kind of related to a previous unrelated vulnerability which was discovered in SIM cards. A person I mentioned again, Karsten Nohl, he did some research in 2013, and he was able to get access, by sending pictures, to the actual key to the SIM card, and when you have access to that key, you're able to access all the STK commands. So the good thing about the Simjacker attack is you didn't actually need the SIM key to get access to a subset of commands, but via Simjacker you wouldn't actually have access to that key. Although, I say that, in doing some of our attacks and doing some pen testing, we were actually able to potentially exceed the boundary of the sandbox for the S@T Browser library, because we were able to break the phone, or break the SIM card, on different occasions. So there was a bit of leakiness. So it's highly, highly unlikely you'd get access, but perhaps with a sort of proprietary SIM card, an old proprietary SIM card, it may be possible to somehow escape the sandbox further and try to get access. But I highly doubt it.

So let's see if we go from here. Which data are the sources for your plots?

That's a good question. I mean, the plots are really from our experiences; it's not too empirical. The vertical axis is really about the amount of information that's required, and the bottom axis is really from our experience and our work with operators to see how easy it is, from their perspective, to detect and block these. So it's more of just a rough guide. It's based on our experience, what we see. It's more a way to just easily visualize the type of attacks, the choices that operators have, or sorry, the choices that attackers have, when they go to do these types of attacks. And then because you can see evolution over time, the attackers much, much prefer to use the simplest thing, and they often have access to a person's full number far easier than they have access to an IMSI and their serving cell address, or the serving MSC address. So they would much rather prefer to do those types of attacks all the time. So we've only forced
them to do other types of attacks because of pressure, but if they get a chance to go back to the original attacks which I showed, when they use a sort of global opcode variant, they will go back to it if they can. But not every operator moves at the same speed, not every operator has the same levels of protection, and so as a result they've got different choices in different places. But that source comes from our experience.

Previously it had been suggested that it's easy to find unsecured SS7 endpoints on the internet. Is this not a source of connectivity anymore?

It's very much rarer now than it has been in the past. They probably... never say never, they probably do exist. To get access nowadays, like I said, it's those three options, and a lot of it does come down to paying for access, because like I said, it's a money-based system, and anybody involved in transporting any type of sizable communication, any sort of sizable interconnect traffic, is going to try to charge you for it. So getting access, the easiest way, from the surveillance company's perspective, and the most regular way, which is also important, is normally to try to pay for it. And what they try to do is to set up, like I said, some sort of front company, or they partner via a different company, and then they work with a company who does something like IoT-type services or SMS-type services. They do something legitimate for a month or two and then they might start to do other types of traffic. So just finding an unsecured link is quite rare these days.

How is it possible not only to identify the types of attacks, but actually also the actual entities, or surveillance companies?

With a lot of work. We work with our customers, so a lot of research. That's a very good question: how do you know the intent behind it, and how do you then put a name to that source? It doesn't come easy, but with a lot of work. I mean, we have our intelligence, they have their intelligence; like I talked to you earlier, it's very likely somebody is on this call and watching this presentation. But we look at the type of people, we talk with our customers, they look at some of the sources of information, we try to talk back to the original sources, we try to talk back to the original place where they come from, and then they try to see who they sold access to. Sometimes this information is forthcoming and sometimes it isn't, and doing that, then we can sort of put together a sort of framework of what type of companies may have originally been granted access, and then who they work with. So it's a bit of forensics, and then trying to figure out, I mean, who's talking to whom. Like I said, some surveillance companies resell access to each other, so things get really confusing then at that stage. But it's with a lot of work, so it's not something we do lightly, and it can take quite a bit of time to pin down, especially as they change. But it's just research and intelligence.

And do you notify people you found are being tracked?

We don't notify people; obviously we notify our customers, the mobile operators, and then they may go ahead and notify people. And that takes me to another point as well: also, sometimes the sources as well, where the attacks are coming from, notifying them is sometimes a really unusual experience. Sometimes you get an answer, sometimes you don't get an answer. In many cases, like I said, some of these operators may not be aware of this, and that can cause some unusual conversations if the attack activities come from a network they're not aware of. Sometimes they may be aware of it and just not able to do anything about it. But from the side of the people who've been tracked, we would notify our operators, who are our customers, and then they would take that forward, whether they would actually do anything about it. Like I said, in many cases these are attacks that we're actually blocking, so the information hasn't been retrieved, the person's location hasn't been tracked. So in
that particular situation, then they'll make a decision themselves about what to do next.

All right, so is there anything that can be done to protect oneself from this surveillance? I mean, could I just use my old cell phone rather than a smartphone, or is there anything else I can do, except for the app you said, for the SIM card checking?

Unfortunately, on the mobile network side, not really. You can decide not to use text messages or phone calls, but it doesn't make a difference: you still have to register in the mobile network, and at some stage that data has been recorded, and this is what the surveillance companies are targeting. That's some of the more frustrating things. I mean, the best thing you could do is possibly ask your operator, sorry, do they have protection, by sort of looking for this. This also gets a bit confusing, though, as well, because, and it's something I would have covered if I had more time, when mobile operators make a decision on protecting their network, most operators around the world are protecting their network; at least they're protecting their own subscribers. Things get more complicated when it comes to possibly roaming subscribers. So you could roam from Germany to America, Russia or somewhere like that, and those operators there then have a decision to make whether they have to protect this person who came in, particularly because they don't have all the information about your network, and they may think that, oh, he's come from Germany and now there's a message coming in from Italy, and maybe they have some sort of arrangement with each other. And so every operator around the world may not notice. And so this is why, like most things in life, it's quite grey. When you see a report that this person's being attacked over SS7, well, that may not be a case that the mobile operator is trying to protect. It's definitely trying to protect its own subscribers, but it may not be able to protect, or may not have all the information to protect, others, and in fact some of that activity may actually be legitimate, and to block it could actually cause serious problems for the subscribers roaming in its network. So to come back to the original question: no, there's not too much you can do personally. This information is stored. But the main thing is to ask your mobile operator what they are doing and what type of protection they have in place.

And does the SMS exchange show up on the monthly bill from the operator? So can I see by the bill that these SMS have gone back and forth in the Simjacker attack?

Well, first of all, very few people actually check their mobile bills for SMS anymore. In that particular case, they actually had a variant, which is the one I showed in the Wireshark, where they actually try to send the message that is sent outwards via this global title, this SS7 one that was in the Channel Islands, and because that wouldn't be acknowledged successfully, it wouldn't actually show up in your billing records. So that's, we believe, one of the reasons: that there would be no possibility that it would show up in your billing records. The vast majority of networks nowadays don't have any billing for reception of text messages, so those received messages will not show up on any bills. Yes, if you send out a message in those places, that was in Mexico for example, it may show up, but again most people have all-you-can-eat type bills; they're not even going to see this.

All right, so that would be the last question for now. I don't see any other message incoming. So thanks to our signal angel Vanny, she did a great job in sorting the questions and providing me here with really good support. Thank you also to all the people from the video operation, and of course thank you for this really interesting talk. I had a really interesting hour here together with you. So Cathal, let me thank you also on my behalf, and I hope to see you again.

Thanks very much. On this topic, I think there's still more to come. Thanks very much, thanks for letting me speak.