 So, our first speaker of today is Dr. Zerker Holtmans. She has an impressive amount of publications, actually. I stopped counting at the 45th when the list was going on and on and on. Pretty impressive. She also was previously a speaker at many different and other conferences, including the Blackhead Conference. And today she's going to speak about SS7 and diameter and the security aspects of both of these LTE protocols. The title of the talk is Mobile Data Interception from the Interconnection Link. Please welcome her with a lot of applause. Thanks a lot. As I said, my name is Zerker Holtmans. I work for Nokia BellApps. That's a research brand of Nokia. I've been doing mobile security for 17 years. So, everybody of you sitting here who has an LTE phone or LTE-enabled phone has a piece of something I designed in it. That's quite a nice feeling, actually. So, this is not only my work. It's also from my colleague Janne Ekman who works in our testing department who sets up test networks so that we don't crash accidentally operators' networks when we make an update. And actually, with our competitor, Kassel McDade from Adaptive Mobile, so we have been working actually together on this one, I will explain later how that has happened. So I will talk about mobile data interception from the Interconnection Link. And well, let's start with the practicalities. So this is something that's not so visible in public. Some of you might have been in 2014 here or 2008 when Tobias Engel or Carsten Nol presented their attacks. So for those who have not been there, so we are here in Leipzig. You are connected now to Vodafone, Deutsche Telekom or Telefonika. And the meeting attendees here are international. So you will also have people from UK connected from, usually have a subscription from three, from France, from Orange, from Poland, maybe from Plus or MTS when they are coming from Russia. I'm from Finland, well, I live nowadays in Finland. So my colleagues and families, they have Eliza, Talia or DNA subscription. And there is a big difference to credit card system. In the credit card world, there is one big sort of mother company. But for telecommunication operators, these are different legal entities in different countries. Still you can just pop up in the network, switch your phone on and you can get data or make voice calls or SMS and you are charged to your home bell and it works. So that's actually something to think about because it's not happening automatically. And the reason why this is actually working is because there is something called interconnection link or IPX network. It's not the internet. It has touching points with the internet but it's a private, separate network which enables mobile data communication or in general telecommunication. So and actually why this is such an important network because we are all connected to it. Everybody here who has a switched on phone is connected to it and not just your phones. It's also tablets which, if they are cellular enabled, for example, there's a tablet with Android, let's say, to AT&T and Anchorage. There's a connected scale, let's say, to Verizon in US. Or there we have a car which can connect a car which made from telephonic car in South America. In the bottom you see there a gas meter from British Telecom which is also cellular enabled. Then we have their fire alarm from Telstra. I heard they might need a fire alarm in case of a burning platform arrived there at their shores. I heard something like that has arrived there. Our industrial optimization sort of assembly lines which might have connectivity, cellular connectivity and of course classical phones. So you see they're all kind of different operating system, all kind of different hardware and they are connected to a local operator and while that they are connected to the interconnection network. So they can be reached from the interconnection network in case something arrives for them. To understand the security of interconnection we need to go back a bit. So 1981 the interconnection network was established between four countries, Nordic countries. And you see there a beautiful picture of the Nordic mobile telephony of the Nordic Nokia dogman as we used to say. So it's sort of this size and it's about five kilograms so I didn't bring it. Very beautiful piece of hardware. And it was a closed and private network. So that was the main security feature of that network. It was closed and private and nobody could get in. Only the people that know each other. It was running the signalling system number seven protocol. And that was a huge success and they extended and extended it and more and more operators joined Latvia and so on. And nowadays we have all kinds of applications using it. You get your SMS reminder for your dentist or whatever, sort of your banking towns, whatever. And now we move towards the LTDiarmies protocols. And so just to give you an idea sort of that's how it started. Probably Finland, Sweden, Norway, Denmark. And that's how they started. They probably went together in a sauna having some good beer and say, hey, let's do it. And they managed to do it. That's how it nowadays looks like, sort of more has grown a bit. So we have that's 2G and 2.5G, then we add 3G, a bit of 4G. And now we have all the 5G. So it has gotten a bit more complex. So and it's a sort of organically grown structures. And the thing is everything is connected with everything else. So you see GSM networks, really old networks, connect to LTE networks and the other way around. So sometimes there are nodes in the middle, sometimes not. So it's very, very sort of inhomogeneous to call it that way. So back to security. I mean the main security feature of this jungle was that it's closed and private. Now let's revisit this assumption sort of 35 years later and see what has happened. It's still closed and private. I'm afraid to say no, there are different angles to close and private. On the top you see there are three. I could have chosen any European operator. That's not particularly to three. It's just in the European Union, the European Union wanted to encourage competition so that mobile virtual network operator have very easy to establish their business. So for example, supermarket chains are now selling here subscriptions, for example, in Germany. So they rent their services from a traditional operator. And all operators in the European Union are forced to rent out the services that they have themselves, which includes roaming, to anybody who is basically come and ask and has a proper business model. That makes it also very, or it makes it easier for nasty guys to buy the interconnection access. In the middle, there are cell phone reports, cell phone interception. These are from the dark net from a company called Interceptor, but they have a horrible service, so I wouldn't recommend that company. They are not answering to emails or anything, but they are claiming to rent out these kind of services. So the access can also gain from the dark net by just rent buying it. Here on the bottom, we see a screenshot from Shoden. You see here this GGSN. You might not know which note this is, but I can tell you GGSN has no reason to be on the internet. It shouldn't be there. I don't know why it is there. Maybe it's a honeypot, so I don't suggest to hack that. So you never know what comes back. Then we have on the right-hand side here a GPRS air cell. Air cell is a big operator in India, and they seem to have their GPRS notes on the internet. The protocol here is SNMP, that's a simple network management protocol, and it's used, and above that there's a telnet login. My personal assumption is that somebody was on call duty to fix the network and didn't want to go into office, so he just set himself up this telnet access so he could easily configure the stuff from home. But these things happen. That's life. But well, of course, telnet login, you throw in a sort of password cracker and see what you have. Admin, admin is always worth a try. Then there, this map is a bit older. That's from the WikiLeaks, from the SnowdenLeaks, and it's showing the countries which the NSA says they have access to the phone network. It's probably no longer up to date. I think the situation, in particular in Europe, has improved substantially since then. And on the top, there's an article from the Intercept where the GCHQ, basically the British spy, hacked belgacom, but that was the GPRS transport protocol. So I think it's fair to say that there are points where the network is no longer that close and private, so hackers, they may just rent a service, they hack their way in. Having power in some countries, the line between government and telecommunication providers, not so strict, let's call it that way. And if the government wants to have access, they just get access. Of course, there's a classical bribing of an employee that always works. Just a amount of question, probably a amount of money. You can become an operator, or you can do social engineering that has also been seen. But that's a quite rare case, actually. Social engineering is not so common. But the other ones are sort of more likely. So let's do a brief recap. As a seven, that's the old protocol. And there are attacks. These are the attacks that exist for the old signaling system number seven, which is still most commonly used on the interconnection link. We have their location tracking that was published, I think, in 2008, very coarse granularity by Tobias. Then we have eavesdropping, fraud, denial of service on the user network. Credential theft that are the cryptographic keys that are stored also in your SIM card that are used for confidentiality and authentication. Data session hijacking, but that's not SS7, that's actually GTP protocol. Unblocking of stolen phones, that is an implementation specific attack, not from our notes, I'm happy to say. SMS interception, basically that's pretty risky, because of all the one-time passwords thefts. Because nowadays, many password reset systems send you a one-time code, and the attacker can actually trigger this sending of the one-time code. So depending on the system used, it's more or less vulnerable to it. And there are even on YouTube videos how that works. So this is basically a situation for SS7. Those attacks were sort of done by P1, positive technologies, cast and all Tobias Engel, and I'm focusing more on diameter security. So that's basically the SS7, the old protocol. And that's the status of the security for the IPX network. The SS7 is still most commonly used, but things slowly move forward. The communication is sometimes direct, sometimes intermediate nodes involved, depending, for example, we are here now in Germany. I don't think there exists a specific cable from Germany, let's say, to Tuvalu, that's a Pacific island. I think of 2,000 people living there, something like that. But they have their own operator. So I don't think there exists an explicit cable from here to there. So there are probably some intermediate nodes involved if you make a phone call to Tuvalu. But some operators also have direct personal pipes with their most common partners. For example, in Frankfurt, it's such a big hub. Also nowadays, some deploy SS7 firewalls. I think there was a big achievement of the presentation done here in 2014 that really something happened afterwards. The first firewall products came up and also operators started to deploy it. So not all have them, but it's better now. But there's no form of transport security, no IPsec, no TLS, no DTLS, no MAP security, no source authentication or confidentiality protection, and no integrity. That's how it is. No fun, but that's it. So diameter, new rule, new protocol, new game, everything is better. Let's see. All will be better with LT and diameter. I've heard that from one company. I'm not going to say which company that was. When I was saying, well, all will be different. We have a different protocol, but it's doing roughly the same things. As the user, you still move from A to place B. You move from one antenna to the next antenna. So the logic for handover and subscriber profile management and things like that, they are pretty similar. They're not exactly the same. But they're pretty similar. So it's possible that some things are just sort of converted. Let's call it that way. Attacks that are reality. I've seen myself some attacks quite many, actually. I've been doing traces analysis, looking at the traces. I'm trying to figure out what the heck is that. And there's one important question one needs to ask. Why should attacker stop just because we have a different protocol? Come on. They make money with it. Or they are governments, intelligence communities. This is for them, it's all you can eat data. Give me all your data. They track VIPs. I don't know. And there are these kind of service companies. Basically, you have to know that some governments have their own agencies which do stuff. And other governments, they just hire service companies because it's cheaper. Because a service company sell to several governments, that means they can offer per government the things cheaper. Also, governments have budgets. So there are these kind of service companies. Also, they are just entities which make money from it, fraud. And also, military uses mobile network data for target localization. For example, in The Intercept, it was published that, I think they called it drones paper, that about 70% of the data for target localization for the drones, where they use their drone strikes, comes from mobile telephone networks. Which I find pretty, coming from the telco industry, sort of pretty dis, makes me a bit upset. Because they weren't designed for it. They were designed for user mobility and making phone calls. They are not a military weapon, but they are used for it. Yeah, even the German Bundeswehr was observed doing something with the Afghan phone network. So attacks are moving forward. Let's see how the status is with diameter. I'm from research. And when I started looking into interconnection attacks, my manager said, SS7 is old stuff. Don't look at it. Look forward. OK, I'm research. I look forward. I started first, OK, how would SS7 work? And then I looked forward. In particularly, I looked at the diameter protocol as a successor of SS7. And then we looked at sort of where are similarities for attacks. And we started basically with location tracking. It's sort of relatively easily done. Then you have downgrading attacks that basically, because as I said, they are old networks and new networks. And they have to talk to each other. So basically, the attacker comes just say, hey, I'm an old network. I only speak SS7. Can you please translate the stuff for me? And actually, then there are translation boxes which translate the whole attack into the new protocol. Very convenient for an attacker. So the attacker doesn't even have to learn the new protocol. It's very nice if you have a translator. I hope I don't speak too fast for the translators. Then we have denial of service attacks and fraud. Denial of service attacks are also, in that sense, very easy. Because denial of service attack, the attacker can just push the attack towards the network. And he doesn't care if the answer message is correctly routed. So he can spoof the origin. He can use the origin of a partner. Because he can just push the message and doesn't care and just sees, OK, things go down. Worked. So denial of service attacks are very easy in that sense that you can spoof the sources. SMS and one-time password interception is very some because of this kind of password usage. SMS was just a few bits of space in the protocol that somebody thought, OK, let's use it for texting. And it was never designed for security. And yeah, well, there we go. And then we have subscriber profile modifications. So the subscriber profile is basically an entry in the database, in the main database of the operator, which says if you have prepaid, postpaid, if you are GPUS, if you're allowed to roam, what's your phone number, what's your identity, and so on. So if you meddle with that, you can imagine that it can cause quite some hiccups. Then there was by Positive Technology on denial of service and Imzi retrieval. And also at the Black Hat, Hendrik and Daniel presented denial of service. I think Daniel presented it because Hendrik I think had a car accident. But he's OK. And now we are presenting basically data interception for GPS and LTE. Just as a reminder, there are usually some restrictions when things work and when they not work. So that's important. Not all networks are vulnerable. That's very important to understand. So to the talk now, to data interception. And I'm afraid I have to give you a very tiny crash course for LTE networks. But I keep it really to a sort of acceptable level. Let's go that way. So the background, as I said, this was done together with one of our competitors, Adaptive Mobile. And the GSMA is the operator organization, which enables basically roaming, where we also have a security group. And there we discuss the security and what we can do to improve it and so on. And Adaptive Mobile reported on a GPRS traffic interception attack that they saw in live network. And then at the same time, I was working with some colleagues on subscriber profile modification using the diameter protocol. And then we discussed it. I was thinking, hey, we could combine those attacks, the ideas of those attacks, and get a potential data interception for LTE. But we weren't 100% sure about the constraints. But it was clear for us from the beginning that there are probably some constraints that it only works in some configuration. So then I called my colleague, Janne, because we have a test network. As a big network company, we roll out updates for the operators. And as updates have the tendency sometimes to screw up things, we have a test network where we basically copy the exact network of the operator where we go to roll out the software. And we also copy the configurations. So Janne knew the configurations, so what are typically the configurations, and so on. And there we also tested those attacks. So there we figured out what are the constraints so that these attacks could work. So GPRS said basically how it worked, that the attacker was modifying in the SGSN, was saying sort of to the home network, please check if there's a new access point network. And when the user then requests the session, what then happens that this gray cloud there connects to the attacker and asks for the access point. It gets us back, and then the user connects to the access point provided. So that's the basic idea. You don't need to understand all the detailed command codes. But that was the idea. So now a little crash curse in mobile networks. So that's you phone. But you're behind that phone, but somewhere there. You connect to an operator, antenna, radio access network. OK, you have friends, and you have gadgets. These are your friends and gadgets. OK, you move from, let's say, from one antenna area to another antenna area. So you need somebody to take care of your mobility. You don't need to remember the whole abbreviation, just remember M-like mobility. So this guy is basically taking care that you're tracking your mobility, where you move, and so on. So it's a mobility management entity. Then we have a database where it's stored, prepaid, postpaid, all the little details. And the application server. The application server you need when you want to make voice over LTE calls. And here's the database where you're subscriber. DHSS, I put there DHSS, because if that thing is down, then the whole network is down. That's the most important box in an operator network. The MME, there are several of them, and they are for regional level. So if an MME goes down, some region is affected. But if the HSS goes down, the whole network is dead. Meaning that the operator has no income, and he's pretty upset. The network has a H, that's diameter H node, so it's the E in the middle, so. And then there are the operators. That look basically the same. So we make here these assumptions that we have two LTE networks talking to each other. We are not going on all the interworking cases with GFs, GSMN, whatever. So let's keep it easy. That's the easy version, believe me. So as explained with the two-value example, those two network might have a direct cable. Let's say if they are sort of sitting very close to each other, but there might also be one or more of the interconnection providers sitting in between. So now we have all the hardware together, and then there are interfaces, as they are called. So we have the most important and most busy interface is the S6A interface that's between the mobility and the database, because the mobility node needs to know what's allowed to grant to you, what kind of network connectivity you are allowed, are you allowed to use LTE, are you not allowed to use LTE, what are your constraints, what are your credentials, and so on. So there's a lot of data traffic on that one. And then there's the SH interface, which is usually internal, but I come to that. And of course, you also have that enrollment case. So when you are, let's say, here now in, have subscription from, if you have a subscription, let's say, from Germany, and you are then connected to an MME, let's say, in France, then the S6A will be used, for example, to fetch your cryptographic credentials to provide your confidentiality, also while you are traveling in France. Somewhere the French network needs to get your cryptographic keys, so that they can protect your communication on the air interface. The SH interface, in some scenarios, some configuration scenarios, it might also go over the interconnection link, and I will come back to that, so. Configuration vulnerability is settings that are not uncommon and have been observed. The price pressure on the mobile network market, it's pretty tough. And so what they do, operators, which make, they use equipment for different purposes, and they're opening up interface, and so on. And one typical scenario is if you have a big operator, which has subsidiaries in many countries, they buy a first one box. They place it in one country, and then they use it from all countries. Just to see if the service flies, if the user likes it, and so on. And then if it's running well, it's sort of all to deploy it in other networks. Makes sense. Business-wise, that makes perfect sense. If it doesn't fly, it can just swap one server, and the investment was not so big. So, but that also means that they open up the link to this server over the interconnection link. And that has been seen for application servers. And similar, there's a problem with the DNS resolution. Of course, it's cheaper to have one box instead of two boxes. So we have internal traffic, which is for the core network internal. And then we have external traffic, like internet traffic DNS resolution. And some operators just put it on the same node because it's cheaper. Yeah. Also, actually, that's not the configuration vulnerability, but I thought I mentioned that anyway. There's the assumption that the attacker is able to set up an EPC APN. So that's more an assumption on the attacker. The attack that I'm going to present has several steps. Step one, classical data acquisition. This can be quite sort of done well before, it can be done half a year before. You don't need to do it directly beforehand. So you can do it just before, can it do it now and then do it in the attack half a year later. The IMZ, you know each other by phone numbers, but the IMZ is the subscriber identity that's used by the telephone network. So the phone network usually doesn't use the MS-ISDN, your phone number, it use the IMZ for all the messages. So the attacker needs the IMZ to get things running. So we focus on the SH interface. There's something called user data request. It just gives you a profile back. And the profile contains the IMZ, the MP, the whole subscriber profile, all the details the attacker needs, easy. It's a standard feature, it just requires that the attacker impersonates an application server. And that's actually how it looks like on Wireshark. So just for your information, I'm not going to the details of the Wireshark. In case the SH interface not open, we can also use the S6C interface, but not many operators actually using that one either. So the attacker has choice of attack possibilities and actually this attack works the same way for SS7. So the attacker might also do basically the same stuff in SS7. So I presented the details of that in Paris, something may. And also the attacker can do other things, S6A, but they also already need the IMZ. It can make an update location request. This is the most common message over the interconnection that you basically for synchronization purposes, you impersonate an MME and say, please send me a subscriber profile, I need an update. Well, the network is so nice. And this is all possible because there's no source authentication. Other way to get the IMZ then this SMS attack is for example, that you set up a false base station or a wireless LAN access point and one aim. It's okay, I need to speed up a bit, sorry. So APN placing, the attack works that you place in subscriber profile, your fake bad APN and then the user connects to it. That's the basic idea. So how to get the APN there? One way is again using SH interface, profile update requests. This is a network node synchronize with each other. And there's a message called profile update request. And with that you can update the APN in that case. So because you know from the previous step how the subscriber profile looks like, then you can update it because you know how it looks like. You just change some values, tiny bit value. APN details, let me say you can change the APNs for GPRS or for Evolve Packet Core EPC. That's how this kind of update looks like in Wireshark. And also you can use the S6A interface which is a bit bothersome because you cannot stop the SH interface but S6A interface. You can, there's a sort of little trick. If the HSS has reset, then to avoid that somebody needs to manually all update all access points network after HSS reset, it basically the MMEs can update the APN data. So what they should only do that after reset. So there's a logic behind that how you could detect this kind of attack. So this is also possible. So the attackers actually set of possibilities. And also you can update the subscriber profile in the MME that's a mobility node. So there are several points where you can update the profile and then the user connects. So how does that happen? So user connects that's the UEs, that's the user equipment, that's 3GP terminal. It attaches to the HSS, update location and then before without synchronization. That has the attacker basically try an error. You don't know. And then if he has updated basically in the HSS and the MME, what happens then that the MME connects the user to the fake APN. And this only works for one of the constraints I explained before. And actually you say, hey, I have an APN setting in my phone. Why is that not used? Well, that comes from the old times when you still had to configure your APN settings manually. So the MME just assumes you made the typo and you are wrong. These are the legacy stuff, so it sometimes pops up. So as industrial research, I cannot just complain this is bad. I also have to fix it. You're from the IT community most of your, let's, hey, it's easy. Let's use IPsec and we have source authentication. Everybody's happy. Well, I wish it would be so easy. IPsec is even standardized for diameter, but it's not all IP. We have, who remembers his third transport protocol, SCCP? Yeah, we still have it living there. And there's the political question. We talk about an international network all across the world. Who would be trustworthy enough to host the root certificate and the key generation worldwide? I know who, Banco Vaticano. Seriously, I mean, you name one country, I name you another country that says no, no, no, no, no. So no way we are going to have, maybe we get something on a regional level one day that's possible. And then there are operators in, that just don't have the money or expertise in two value, which I mentioned before, they have something 47 employees. They don't have a security expert, I'm pretty sure. Maybe they have one, I don't know. Also still, it's no protection against some governments or renting out the service companies or hack nodes or things like that. But IPsec would still be a good idea if there's not already a secure pipe in place. But it's also important that the partners have a similar understanding on hardening and so on. So that's also. For this specific attack, the SH interface, it's an internal network interface. You shouldn't put it, open it up on the interconnection. At the nodes in between, you can also filter out SH traffic. If you really need to do it, secure it properly. DNS, proper internal, external resolution. And for the update location stuff, the SXA potentially block or velocity check, so how fast the user can travel. I'm nearly done. Counter measures on general level. Monitor what's going on. Pen test the network. It's not very common that mobile phone networks are pen tested. Tenant monitoring. What are those mobile virtual operators really doing in your network? Do you really know? Do they stick to the service? You know, it's like this, I accept. And then you just hope they do what they're supposed to do. Share your experiences, that's a bit critical because network operators are always afraid that they might get into trouble with their license. So when they're this close, they have been sort of somehow hacked. They're always a bit afraid, sort of, okay, what does that mean for my license next year and so on. Some things can already be done with business rules. So if you have partners which send you a lot of bad messages, you might want to increase the fees for those partners. So some stuff can be done with business rules. Filter, filter, filter on the network side. Signaling file on SMS home routing, not everybody is doing that. I hope the operator knows which one, I mean. A very specific one there in mind. Then we have the GSMA documents which describe explicitly what you can do and layered security from user level. So don't necessarily assume that the pipe is secure if you can add some security on top of it, do it. I mean, if you have app-based security, even if it's not good, it might help somewhat. And note hardening procedures, they exist, so let's use them. Summary. All networks are attacked that I ever saw, so but not all are equally vulnerable. Some are a bit more, some are a bit less. The attacks are reality, but still mostly as a seven, but diameter is sort of popping up slowly. It's independent of phone or platform. The interception attacks that are presented depends strongly on what actually is really configured in the network and how it works. But there are networks that are vulnerable. On the general question, if diameter is better or worse than as a seven, if nothing is done, well, it's bad, but I think we have now a unique opportunity to do things better, and I think now it's actually on the right track, so I know that last week, several operators called the IPX provider and asking, do your filter SH traffic? So this conference here really did some improvement to the security. So to all of you and also to the people here and to all these guys working here, so thank you a lot. This really sort of kicked off something in the operator community. So basically, questions on the floor. Thank you for the very nice talk. I think we can actually give that thank you back for some more applause. Thanks a lot. All right, we have lots of time for questions. Please lie upon the microphones. If you have a question, microphone number one. Hi. Are there any other legitimate uses of remote arrays of HSS profiles? I guess it's like setting cold bearing and cold waiting options, but are there legitimate options? What updates are used for them from hearing partners? In the subscriber profiles, everything relates to your subscription. There is also cold bearing. There is special services, which you're allowed to use. If you have postpaid, if you have prepaid, if your phone number is there. If you have proximity security, which beerers you are allowed to use. So there's all kind of technical details in there. But basically, you can do easy denial of service. You can do fraud with meddling there. So the subscriber profile offers a lot of opportunities. Let's call it that way for our attackers. So basically the question is, is there any legitimate uses for visiting networks to update your profile at home? Yes, of course, of course. I mean, if you, for example, are in the foreign network and want to change your subscription or your location update, it also changes your subscriber profile. But actually, not the visited network doesn't need your whole subscriber profile. And that's the point, yeah. At least it shouldn't change your APN, for example. Yeah, it might be that you want to have local connectivity, because it might be better. So there might be a good reason for giving you this new APN so that your traffic doesn't need to re-route it over the ocean and back. So there are good reasons for doing it. But you might want to keep a control of who is doing what on your network. All right, thank you. Mike for number two, your question. Hey, there's a bit of a gap in public knowledge about SS7 attacks in the wild. Can you just talk about how frequently you see these attacks and in what parts of the world? They're everywhere in the world. So we are doing as a company, we also do sort of assessments of network. And we see operates all the world under attack. It's not bound to a geographical region. Some regions have this type of attack a bit more. Some others have a bit other types of attack a bit more. But they all, the most commonly observed attack is usually location tracking followed by credential theft. So these are everywhere in the world. But not as said, we see them at the border of the network. And they are filtered then out. So not all of those attacks, usually when people monitor it, they also filter in the same go. So you see them all over the world. And every operator has some chunk of attack traffic. But I've been noted that actually, that operators that deploy signaling firewalls have much less malicious traffic, for example, than operators that just look the first time into that traffic. Let's call it that way. So also attackers seem to sort of more or less, I wouldn't say give up, but well. So filtering really helps in several levels. And there is one question from the IRC. Yes, thank you. The IRC wants to know, how many years do you expect will be needed to prevent these attacks? Well, the internet's not safe today. I think mobile networks are going through the same evolution process as the internet went. So I mean, the beginning with the internet was the ARPA network, where you have username password. I knew it then you were in. And I think this network is basically rushing through the same steps. So how to say? I mean, I just do what I can. And it's also an investment question. I mean, security costs money. And obviously, everybody expects security to come for free and also users. So there has to be a balance somewhere. So I don't think, for example, that these 2,000 people in Tuvalu are willing to pay, let's say, 50 bucks more for their subscription per month. That's just not feasible. And still, people there want to be able to call out. So we must find solutions also for these kind of cases. So it's been pretty hard, if you face reality in that sense, that you also have to think about budgets and so on. So I don't think we will ever have 100% secure networks. As we don't have 100% secure internet, even with HTTPS and whatever we have, IP second. Microphone number six, what's your question? I see that there's a big problem of backward compatibility. Do you have a schedule when you will turn off old GSM infrastructure, like 2G, or doesn't it exist? Well, mobile network nodes, for example, from countries which are more progressive, which roll out newest technologies, these nodes are sometimes not scrapped, those radio towers that you see in the roofs. They are sometimes sold, for example, to Africa, second-hand equipment. There's a big second-hand equipment market. And because they look at how much an African subscriber can pay for their subscription per month, so the infrastructure is just not allowed to cost much money. So the GSM will live for a while. It will continue for a while. Also, there are operators which see GSM as a very cheap way to offer IoT connectivity, because if you have to pay as much for a subscription for, let's say, your tablet, for your scale, your car, and so on, you don't want to pay for everything of that, let's say, 30 bucks per month. So these should have a cheaper subscription. But how can you offer as an operator cheaper subscription, which basically means you reuse your old stuff? Especially if it's not time-critical communication. So you recycle your GSM return of investment as much as possible. That's just business logic on both sides. So I suppose we will live with GSM for a while. Microphone number four, what's your question? Are there practical documentation and configuration examples for smaller providers who might not have the resources you have, which are publicly accessible? We discussed in GSM A how to do things for them, and one that the IPX providers might take more responsibility, because very often those very tiny eye-lens are shown. They're connected to one satellite operator, and then it basically goes into the IPX network. And basically, if you just have this link then from this IPX provider, and the IPX provider, then takes care of the security. Security has a service, basically. Thank you. Okay, I'm seeing no one else line up anymore. So thanks for answering all the questions. Yeah, thanks. And thanks for your time.