Great to be back. Thank you very much. Talking once again on mobile security, taking two very different angles though from what we talked about the last couple of years. This time we want to dive into the same topic that Tobias Engel just did, looking at insecurities that arise from the internet interconnect networks between different operators, and we want to add another angle, and that is how you can start self-defending yourself from the insecurities that many of your operators have left open for many years, including the new ones that Tobias and myself talk about. If you do watch this on a download, do go back and also watch Tobias's talk. It's well worth it and also covers a lot of the basics that I'm just gonna skip over now for the sake of time. Great talk, by the way. Thank you, Tobias.

So aside from those SS7-based attacks, I talk about 3G insecurities, not too many of them, but severe as ever, as well as, in the last chapter, a few tips as well as a new tool to help you start self-defending against these mobile attacks.

Now just briefly then, what is the SS7 network? Tobias already covered the basics, so just a quick definition from me. It's this network that different mobile operators are connected to, to exchange data amongst each other. For instance, text messages are sent over this network. So without SS7 you couldn't be using this ancient chatting technology, SMS. Thank you, SS7. But also more security-relevant information is exchanged over SS7. For instance, if you are using your phone in another country, as many of you currently do, you still want this visiting network to be able to use encryption with your phone. But how is that network going to know the right encryption key?
So this visiting network, the German network, has to ask your home network for the correct encryption key, and that goes over SS7. And you can already see: if there's cryptographic information being exchanged, if the wrong people ask and still receive an answer, insecurities arise.

More interesting from a security perspective, though, are messages that are exchanged within one network over SS7. So SS7 is often misunderstood as this technology that's used for worldwide exchange of information. The same network, though, is used inside an operator, so with no need for interconnect there's already SS7 flows going on between those different mobile switching centers, MSCs, and each mobile switching center covers one area, let's say a city. So imagine the situation where you're in a call and you're traversing from one area to another, you're crossing, let's say, your state boundary. So this new MSC doesn't know how to handle your call. It needs the decryption key for the already ongoing conversation. So there's another SS7 message that allows you to query for the key of a transaction that's currently going on. Okay, and again, you can already see how, if the wrong people send this type of message and they receive an answer, insecurities arise.

The insecurity that has most been talked about in recent years, I guess up until Tobias's talk, was tracking, and tracking was often understood as: there's this evil message, the anytime interrogation, and the Washington Post focused a lot on it in the article, and it is one message and it's really evil. It should never have been standardized, and whenever it's used it's for evil purposes. There's no usefulness in this message. And then Tobias quoted a number that I think the Washington Post found in a lot of marketing material: 70% of mobile networks respond to this message. Now, this is information from earlier this year. A lot of networks, very good news, have moved to stop responding to the anytime interrogation message.
This evil spying message is not being responded to by, for instance, all German networks. You can't use this message in Germany anymore. However, this is a very retroactive approach to securing SS7, because there's a number of other messages, consider them gadgets, that get you to the same place: take your phone number and take you all the way to somebody's location. And here's just a snapshot of which messages you can use, and Tobias went into a greater level of detail in how these different messages come together. So if anybody thinks that by just barring anytime interrogation you solve the tracking problem, they are wrong. But at the same time, it's not that SS7 is not securable; it's just a much larger challenge than people currently consider it to be. So you see how stringing together some of these messages gets you to intermediate values that also shouldn't be public, and then all the way to a cell ID, and up until all these messages, or at least every path that takes you from left to right, is blocked by a network, tracking to the same accuracy, the cell ID, is possible.

Now this is just one of many areas in which SS7 can become an issue. Here's four more. It's an intercept risk if people can read your SMS text or listen to your calls. It's a denial-of-service risk if people cut you off from phone connectivity for anywhere from an hour, until the next location update, to until you next reboot your phone. So you can really cut people off badly from the phone network. There's the area of fraud that I don't think many people want to talk about publicly; certainly I don't, but there's many fraud risks in SS7 in which you can either put charges on somebody else's bill or, more interestingly, you can remove limits on your own prepaid cards, basically run up infinite charges on prepaid cards, and, you know, running up a lot of bills to premium numbers, for instance. And then there's the risk of spamming, which from what I hear is already
happening, SS7-based spam attacks. Now for the sake of this talk, I want to focus on intercept, which I consider, aside from tracking, the most intrusive and the most relevant for us. These other risks are more relevant for the network operators, and if they don't solve them, well, so be it, as long as they foot the bill for it.

So, intercept. I want to go into three possible scenarios in which SS7-assisted intercept can happen. The first abuses the exact messages we looked at in the introduction. These messages are where different parts of networks ask each other for encryption information, and it's a pretty straightforward attack: you record the airwaves in some vicinity and you record some of these encrypted transactions as part of that, right? 2G and 3G transactions, for instance, are pretty well secured, but they're not very hard to record. In fact, 3G is a little bit easier than 2G because it doesn't jump around all these frequencies. So you record, let's say, 3G data and you have a bunch of transactions in there, all of them encrypted, and you can use this message of SS7 to decrypt them.
It's called send identification, and as I said on one of the earlier slides, it's supposed to be used when you are moving from one MSC into another MSC, but still within your own network, so that the call doesn't get disrupted. It's not supposed to be used when somebody foreign wants to query your phone; if they need a new encryption key, then a new call needs to start anyway. There's no way to hand over a call from one operator to another operator without disruption. So this message is used only for internal purposes. However, out of the four German operators, earlier this month all four responded to this request coming from another country, and a country that doesn't even border Germany, so there's no way to even conceptually think a call would be handed over. So four out of four, and that's not an anomaly. Most networks respond internationally to an outside number when asked for the current encryption key. I'll show you a quick demo on this at the end of this chapter, but I'll first finish the enumeration of all the different possibilities in which 3G calls can be intercepted.

The second one: the good old IMSI catchers, which we all thought wouldn't work on 3G, and I guess for the most part they don't, unless SS7 comes to the help. So why don't they work without SS7? An IMSI catcher pretends to be a base station, and if it's 2G technology the phone has no way of knowing the difference between the real base station and this fake base station. But then 3G, the 3G standard, introduced what I call mutual authentication. So this time the base station has to prove to a phone that in fact it's legitimate, and unless it does that, the phone won't connect. Now, this only solves part of the IMSI catcher problem. Just taken by the name, IMSI catching is still possible, IMSI catching in the sense of creating a list of all the IMSIs in a location, right?
Because there's a certain chicken-and-egg problem: if you want me as a base station to authenticate to you, you first have to tell me who you are. There's no such thing as SSL or any type of public key in the mobile network. It's all symmetric key. So you first have to tell me which key to use, and by that I know who you are. So IMSI catching is always possible, and that's why, if you google for 3G IMSI catcher, those things exist. But they aren't capable of recording phone calls or SMS, because those then require the mutual authentication. They aren't capable of doing so unless they ask over SS7 for an authentication key. So IMSI catchers are back in this 3G world big time, unless we solve these SS7 problems, right?

The third possibility of intercept, this is probably the scariest, because it can happen completely remotely. For both the ones I enumerated so far, you have to be somewhere in the vicinity, in the radio vicinity, of someone. So the third possibility I want to call the rerouting attacks, and they work in both directions. Rerouting is the idea, and Tobias touched on this, of taking somebody's phone calls and changing the destination number so that in fact you call somebody else, unbeknownst to you, of course, as the victim. And this works both for incoming calls and outgoing calls, but using very different methods. So it just kind of accidentally works in both directions, and this part I just briefly want to demonstrate. Tobias and I coordinated on most of this, but on this part I guess we kind of misunderstood each other, so we'll both show this. I'll keep this very brief, and the point I want to get across is that one single SS7 message is already a big intercept problem.
Let's see, connected here. So I'll try not to make the same mistake as Tobias and try to cut off part of my number here. So, 31C3 demo phone. So I'm calling a phone that in fact accidentally we left in Berlin. So I'm calling this number, and I don't know if you can hear this, but it's ringing. And we did leave this phone back in Berlin accidentally, but for the sake of this demo that makes no difference. So it's a phone somewhere in Berlin that nobody answers. Right, here's another phone. So if I register what they call a supplementary service to this number, and that's just fancy language for call forwarding, and if I call this exact same number again, this phone is ringing. Now of course, to make this real intercept, I wouldn't forward it to a phone; I would forward it to a computer that then is smart enough to very quickly erase the call forwarding and call the original number and then connect the two, so that the phone call actually goes to where it was supposed to go. Just, I'm sitting in the middle and I'm receiving a copy of it. Okay, so that's the idea in this direction.

In the other direction, the exact same thing works as well, and Tobias already told you how these services that say "let me rewrite your phone number for you because you don't know how to dial a phone number when you're on vacation", right, those services can be set by anybody, at least on a lot of networks, and you can see how the exact same thing works there, so that every time you dial a number they just move their own number in place of that number and then connect those two calls, right? So as I said, I consider those the scariest type of attacks, because they work completely remotely. You don't have to be in the radio vicinity of anybody, and surprisingly this all works against a bunch of networks, even against those networks that moved to solve some of the earlier issues.
So networks are still very retroactive. So what do those mobile networks now have to do to solve those issues? Well, as always, of course, the answer is: it depends. It depends in this case on the attack type. Some of the attacks can simply be blocked, like the anytime interrogation that, earlier this year, they said 70% of the networks are vulnerable to. Now in Germany it's zero, so something happened there. And the same is true for the first type of attack that I've shown, the passive intercept. I said when we tested earlier this month four out of four networks were vulnerable; now it's down to two. So within two weeks two networks put in a firewall rule that says this message has no purpose traversing our outside network boundary, just block it there. It's a typical firewall, right? The same isn't possible for these other two types of attacks, because those messages are actually useful. They do something, at least in certain circumstances. If you block the second type of query here, the send authentication info, you couldn't be roaming in another country anymore, right? If you block the third one, you couldn't be changing your voicemail forwarding from another country anymore. So these are needed. Still, we can't accept that just anybody who asks over SS7... God, you guys switched it off. We can't accept that just anybody who asks over SS7 receives an answer. At the very least we'd expect networks to only answer to their friends on SS7, and that is the roaming partners. That's already a lot fewer companies, and especially a lot fewer sketchy companies, than everybody else on SS7. We would then want those networks to do some plausibility checking, right? So this phone in Berlin that I just put a supplementary service on, the network operator knows the phone is in Berlin, and I sent this query from the other end of the world. Still they honored it, right?
Any type of plausibility checking would clearly see that this is not possible, for a phone to be in one country and for this user to want to change their voicemail setting from somewhere completely different, right? And then thirdly, networks need to limit the rate at which this happens. Those services that the Washington Post talked about, these tracking services, these are large operations. They seem to be tracking thousands of people constantly, right? This will show in logs, right? You don't allow some random network somewhere else in the world to constantly interrogate hundreds of your users, right? It's clearly abuse. Has any network moved to put such sensible rules in? I'm not aware, but it's certainly the next step, and I'm not ready to give up on SS7 yet. I've heard one too many times that SS7 is an old technology built with no security in mind and we just can't fix it. The internet also is an old technology built with no security in mind, and we did fix it since the 90s, since when you connected a Windows 95 computer to the internet it got infected with a virus right away.
We have moved to put in firewalls. We're not exposing our printer daemon and our file sharing daemon on the entire internet anymore for four billion people to connect to, and the same is possible on SS7, just we're still in the 90s. Thank you.

Having said that, though, let me show you what happens if we don't do that, the fun part. So we argued whether or not we wanted to show this as a live demo; you'll understand why we don't show it as a live demo. There's just too much stuff that could go wrong. But here's the setup. We start with just a phone number, and we want to string together a couple of SS7 gadgets while also having this radio handy that can capture 3G information, to capture yet more information that's not available over SS7, right? So we start with a phone number and we send what's called an SRI-for-SM message, which gives us, if the network is configured to answer, the IMSI and the MSC that the subscriber currently is connected to. Those two are used as parameters into another call, called the PSI message, provide subscriber info, and that call then gives us the cell ID.
This is how you get more and more information with different gadgets. Now the cell ID tells us where somebody is physically. So imagine we now move our radio to that location and we again send a PSI. If we record the PSI with that radio, not the PSI itself, but what happens over the airwaves when we send the PSI and the phone gets paged. So when we send that PSI over SS7, the phone receives some information, right? Just this radio plus a little bit of new radio scripting gives us that information: who has been paged during that short window of time that we recorded. Now when we record something on UMTS we always record four different cells; they share frequencies. But you see that the one cell where the cell ID came back over SS7 is included in all of that. So we filter the data for that cell and we look for which IMSIs are included, and luckily for us only one IMSI got paged within those few seconds on that cell, right, and it's the same one. This is now the TMSI that belongs to this phone. This is information
we can't get over SS7. But what we can do over SS7 with the TMSI is request a key. So it gets complicated, but so we have the decryption key now, and the next time this phone receives something, unless they change the key, in which case we can ask again for a new key, the next time this phone receives something, and what you don't see in the video, somebody's now sending a text message to the phone, we can also record that, right? Again, same radio, the one shown in the picture. Now the phone did receive the text message, and there's a few more steps. So the phone received the text message and we also again recorded the airwaves. We again run it through some new radio scripts. Now with UMTS everything is kind of complicated, so there's different connections of course happening all at the same time, and they'll get allocated to different channels. So now in order to decode this text message we've got to find out which channel is used. So this command gives us the list of which channels have been allocated, and we've got to find the TMSI from earlier in one of these channel allocations. And Wireshark is a great help in this; we didn't have to do anything with Wireshark, it just knows all that 3G stuff right out of the box. So luckily the first of these five connection requests is the right one, and scrolling all the way down, there's then the parameters that say which channel this transaction happened on. So those two numbers, 15 and 48, is the channel. So we need the cell frequency, we need those two numbers that are the channel, and the key, you know, there's only 64 bits, I'll discuss that a little later, and that's all we need to decrypt an SMS. And there it is. This still works today, but only against two out of the four German networks. Some of them moved to stop some of these messages, of course most importantly this SI message that gives you the decryption key. But even if you block this message, just acquiring somebody's location can already be
intrusive enough.

All right, moving on to 3G security, or rather extending on 3G security, since this already touched 3G in a big way. You remember the good old days where we could just intercept all phone calls with the osmocom phone. Thank you, by the way, for that open source project that helped us so much over the years. And you combine that with the Kraken software to decrypt the phone call. So with a 20-year-old phone and a server you can listen to anybody's GSM calls as long as they're using the A5/1 cipher. Some networks recently moved to A5/3, so it doesn't work this way anymore. Now how does this compare to 3G security? As I've just shown, basically the same attacks are possible. Instead of the osmocom phone we use a programmable radio, some more software, which is again very affordable, 400 euros or something, and you combine that, instead of with Kraken, with SS7 queries. So unless we fix SS7, 3G is no more secure than 2G, and neither is A5/3, the recent upgrade of GSM, because those keys are again exposed over SS7.

Now for some networks you don't even need that second part, so they have bigger things to worry about than SS7 attacks. And our data set isn't all that large; some of you provided measurements through software released last year, so thank you very much for that, and we have captures from maybe 20, 25 countries. Out of those, five happen to use no 3G encryption at all. Well, four countries, five network operators. Which I find shocking. Some of these even have encryption turned on on their GSM network, and they forgot to turn it on or deliberately left it out because it's harder to intercept on their 3G variant, right? So those networks, as I said, have much, much more worrisome issues than SS7 attacks, and they really need to be called out, and we do that with an extension of a website that we've been maintaining for a couple of years, GSM Map. Big update of GSM Map launched today, with all the 3G measurements we collected and you
collected over the last couple of years. Now some of you may have used GSM Map before. The idea is to rank operators in three categories: how hard is it to intercept phone calls and SMS; is it easy to impersonate a person and then put charges on the bill, for instance, or receive their calls; how hard is it to track them. And as you see, over the last years networks have improved their security, right? At least some, right, as always. God. And as you also see, these are the 2G networks; even the best secured 2G network, in Germany anyway, in our opinion is less secured than the worst secured 3G network. These are the four 3G networks. Still we want networks to implement all security features, and as you saw before, some other countries don't have that luxury of all 3G networks being reasonably secured. Now the first version of our metric is very crude, and we want to improve upon this over time. But currently how we calculate the score is: we'll give 90% of the points to anybody who switches on encryption, that's the main security feature, and the remaining 10% you earn by changing the TMSI quickly. The TMSI is what we needed for these SS7 attacks to work well, so if you keep changing it, it really confuses the person trying to hunt you. Also, this makes other types of attacks more difficult. We'll factor in a couple more values as we collect more data, but this is it for now. So yeah, big update on GSM Map. If you haven't checked it out, check out your country on GSM Map, read the country reports.
It is a six-page or so report, auto-generated, that explains what types of measurements we included in these graphs and why we think they constitute certain risks. Maybe forward it to your network and say, if you're not improving, I'm gonna switch to another network.

Now, not everything is on GSM Map yet, because we don't have enough data, and there's one problem in particular that I want to start warning about, because I really think we're running into an issue here, and that is the length of the encryption key. You saw in the capture in the video that I showed that the key that came back over SS7 was actually only 64 bit from this particular network, and the SIM card that was used in this attack was bought that very same week. So we recorded this video last week, so it's the most recent SIM card you can buy from this network, and still it only uses 64 bit. And that in my view is incompatible with what we have learned from recent Snowden documents: that the NSA in 2011-2012 funded a project to break A5/3. This is a 64-bit cipher, and we had estimated at this very conference a year ago that you'd need about a million dollars to break A5/3. Now they did it a little bit earlier, everything's more expensive and probably they have overhead too, but they spent apparently four billion pound. I don't know why pound, not dollars, but this may have been some GCHQ cooperation. So for four million pound a couple of years ago you could already break 64-bit crypto, and 64 bit is more prevalent in mobile networks than you would have thought. When they upgraded the GSM networks to A5/3, that didn't actually upgrade it to UMTS security as everybody claimed; they upgraded it to the cipher used in UMTS with a key half the size. When writing the A5/3 standard, though, the people were smart enough to also put in the real UMTS cipher with full key size.
They called it A5/4, and it has never been seen anywhere. Since it's written in the standard, it was released the same day that A5/3 was released. Nobody has ever moved to implement that. So GSM, for the time being, is and will be vulnerable to anybody with a one-million-dollar machine in the basement, right? Certainly NSA, but more and more people as we move forward, and what costs a million dollars today, thanks to Moore's law, in a couple of years anybody can break it on their computers, like we today break A5/1. If your network uses certain older SIM cards, differentiate here between a SIM card and a USIM, as in UMTS SIM card, if your network only uses SIM cards, then even your 3G transactions are 64-bit encrypted. So there is no way to generate more entropy. You could query for two keys, I guess, but they weren't smart enough to do that. So 64-bit encryption for UMTS, and that's just not good enough. And as I said, the network that we did the demo with, we were surprised to see a 64-bit key. We went back in our database of SIM cards; we found a lot of SIM cards that have this problem. We want to add this to GSM Map, but we don't want to be unfair just because we see one very old SIM card in the network; we don't want to give them a low score versus somebody else where we only see a new card. So we need lots and lots of data. Help us collect those data and we'll make it public. But that's one reason why we stay on this ball and progress the research.

The other main reason, and this is really what keeps us awake at night, it's this question of how can we get out of the mess? We've been producing more and more problems.
I should not say produce; we make you aware of more and more problems over the years, and we always criticize that at least many networks do not respond to those. So we have an ever-growing stockpile of mobile security issues, and nobody seems to be addressing them, and all we do is wait for our networks to do something eventually. Now waiting is over, for me at least. I'm impatient. I want to do something now, and I want to address all these issues all at once: those issues that we talked about for several years now, including the SIM card attacks from last year, silent-SMS-based tracking, the SS7 abuse discussed today, IMSI catcher vulnerabilities, and insufficiently configured networks, 2G as well as 3G. All of these problems have one thing in common: your phone technically knows that these attacks are happening, and your phone technically knows that the network is configured insecurely. But unfortunately it's buried very deep inside the phone. It's buried inside the baseband. So as much as you can program Android, you don't get access to that information. At least that's how we saw it, and then we set out, and this took the better part of this year; we wanted to dig the information out from these phones. It's somewhere in there; there must be some way to hack it out of it. And we found debug possibilities for Qualcomm chipsets, just one vendor, but extremely popular right now; they seem to be in every LTE phone and in a bunch of other phones. And we found ways of producing exactly all the data on the right-hand side, to make it accessible through an Android application, and we also wrote the application for you. So released today, thank you, released today: SnoopSnitch, on the GPL, a tool that collects all the baseband information, mostly to keep it on the phone and run some analysis on it, warn you about, as I said, SIM card attacks, but also those SS7 attacks that Tobias and I talked about today. How do you detect those attacks? Well, by the pagings.
I showed you in the video that every time we send certain queries to the phone over SS7, the phone actually also receives information, useful for the attacker, also useful for the defender. If those empty pagings, as we call them, are received by the phone, that's strong evidence that somebody is messing with you over SS7, right? So it collects all that information and it produces warnings. You can also upload information if you so choose; that's optional, of course. It runs, as I said, on a bunch of Android phones that are currently popular. It requires a somewhat recent Android version. We haven't tested with Android 5 yet, but I don't see why it wouldn't work there; we just have to put the time in. Your phone needs to be rooted so we have read access to a certain interface that otherwise is not accessible. And it needs, of course, a Qualcomm chipset, which, as you see by this list, is in most current flagship phones. It's on Google Play right now, so download it if you're interested.

Now how does this tool work? One example only, of course, right? Read the source code if you want to know the rest. If you, for instance, take IMSI catcher detection: there's been a bunch of tools so far to do IMSI catcher detection. The one we released a couple of years ago was called CatcherCatcher, but it had two limitations, one practical, one more bound to experience. The practical limitation was that it ran on osmocom phones, and osmocom phones can't do most phone functionality. So it was your second phone and it had to be connected to a computer, so very unlikely that you carried this around all the time. Now we wanted to move it onto a real phone that you can use, onto your phone, right?
I think we succeeded in that. The second limitation was that we really didn't know how IMSI catchers behaved, or we also didn't know how real networks behaved, and thanks to all the data on GSM Map we think we have a much better understanding now of all the weird corner cases, how real networks behave, and created a much better rule set for an Android-based CatcherCatcher tool now. And the rules go in two categories. One is the configuration of these different cells, for instance the lack of encryption when you know from the GSM Map database that this network does usually support encryption. That's a big red flag, also certain other configurations. So that's the configuration of the network. The other is the behavior. An IMSI catcher wants to get information out from you, at the very least the IMSI, of course, it's in the name, right? So there's suspicious behavior. Now none of these things taken by themselves allow you to detect an IMSI catcher. So we compute a score over these different events, doing stream analysis on everything that happens on your phone, and eventually then come out with a warning if the score crosses a certain threshold. There's a bunch more we would have wanted to include that's, even on a Qualcomm chipset in its debug mode, not available, so this is still ongoing work as these chipsets progress and may give us more information in the future.

Now if you do find alerts, let's call them alarms, on your phone, we'd be grateful if you could share them. Now as I said, this is optional, right? You get the alerts shown in your little tool, and then you can choose to upload whichever ones you think should be shared. If we get enough of them and think that there's really hot spots of abuse, of course we'll try to make that transparent, perhaps even put little dots on the GSM Map website, so people know where abuse could be happening, around demonstrations, around embassies, wherever, right?
You can also actively choose to submit data by running an active test. Now usually the phone looks at everything that you produce, your phone calls, your SMS. That's always stored on the phone; there's no way to upload that. And you can compute a score for how secure your network is, using the exact same metrics that we use on GSM Map. So that all stays on the phone. But if you feel like the score on GSM Map is heavily outdated, click this button. It runs some benign tests, has nothing to do with your transactions; I guess your location, where you're currently connected, would be included in the data, and it uploads it to GSM Map, so that becomes better and better and we can spot more networks that, for instance, lack any encryption at all.

Yeah, so what would I like you to do, what I think you should do, to better protect yourself from mobile abuse? Of course you could keep waiting for your mobile networks to fix all these issues, which, I must say, more recently more networks have moved to fix, but still not the majority, and no network has even started to address the majority of issues, right? So it's just scratching the surface. So what I'd rather have you do is start defending yourself. Check out GSM Map. See if you are on a network that generally protects things like encryption. You saw the networks that lack encryption; don't use those. And if you really choose to self-defend, download SnoopSnitch, this new tool, and actively look out for abuse: for silent SMS, binary SMS that you receive, for empty paging, for IMSI catcher evidence, and help us grow this database of abuse, right?

Also help us grow the tool base that we use. This is released open source, and we put in a lot of work to make the data accessible, but now it is accessible, right? Just take it as a library and go wild with it. Do whatever you always wanted to do with raw baseband data on 2G, 3G, 4G. I'm very much looking forward to your contributions to this. And all that's left for me to say is thank you very much.

Thank you, Karsten. Then we will begin with Q&A. Everybody who wants to ask questions, please line up at the microphones in the room, and people who exit the room, please do it with no noise and quickly. Now, before getting into the questions, let me give you one reason to actually leave now: there's a workshop happening right now, or in a few minutes, that will explain how this tool works and what it can all do. We'll have an IMSI catcher there so you can test how that feels, being connected to an IMSI catcher. It's happening in room C, which is, when you exit here, one floor down and to this end. And as additional information, the workshop Karsten mentioned starts at 19:45. And now to your questions. Okay, microphone number two. And please, before you start, number two, please do it with no noise so that we hear the question from the audience. Okay, number two, please.

Thank you. Can you quickly say a few words about why it wouldn't work on custom ROMs? Because we could just install it onto CyanogenMod phones, and it apparently installed and it seems to work.

Oh, okay. So the way I understood custom ROMs is that they first remove a bunch of stuff from the phone and then put a bunch of stuff on it. Part of what we need are these proprietary Qualcomm libraries, and at least on the phones where we tried CyanogenMod, they are being removed, right.
So if CyanogenMod could stop doing that, it would work beautifully. It's not that we need anything additionally; we just need less to be deleted.

Okay, thank you. Are there some questions from the IRC?

I think we have a bunch of questions, actually; there are five questions, so I will just ask one or two for starting. The first one is: can all the attacks that you showed in your speech be mitigated by higher protocol levels, like encrypted VoIP or TextSecure, things like that, and what would be the residual risks?

Mm-hmm. Yeah, good question. So how much can you protect yourself by using the mobile network less, or using it as a dumb pipe, I guess is the question. What if you use just apps to call and send texts? Well, obviously your calls and your texts won't be intercepted anymore if they are encrypted one more time in a way that's not breakable. However, this does not solve the location tracking. It does not solve the fraud. It does not solve the denial of service. It does not solve the spamming. So you are tied to a mobile network, and then there's a lot of control over you, your location and your phone bill. None of that is going to go away.

Another question from the IRC? Yeah. The second one is: would it be easier to design a new mobile network from scratch than trying to find all the flaws in actual networks, which is an endless task?

I don't know where you would even start designing everything from scratch completely. The closest that I can think of to designing mobile networks from scratch is LTE. It's in the name, long-term evolution. It really wants to change everything, but give it a couple of years. But as Tobias has pointed out, those issues we pointed out today, they are again included in LTE. Diameter is the interconnect protocol. So we already missed a chance to remove much of these issues by just upgrading. We'll have to fix it through firewalling and monitoring, like we never got to update the internet.

Okay, microphone number four, please.

Yeah, just a short thing. Could you just provide a list of those libraries you need from the stock images? I think it's pretty easy to copy them.

Yes, we are now getting more images.

Okay, and if the app is open source, maybe you can put it up afterwards.

Oh, absolutely, yes.

Thank you. Microphone number two, please.

Got two questions. If I understood correctly, you need to be inside the operator network to actually perform those SS7 queries, right?

Well, I would like for this to be the case, but currently just anybody in the world connected to SS7 can send these queries.

Okay, so my question is, what was your hook point for actually doing this test?

I think I'll quote Tobias here by saying I'd rather not say anything about that.

Okay, so the second question is about the Kc you mentioned. If I am not mistaken, it's the session key, right?

Yes.

And it should involve that nonce value, right?

Yeah.

So if it is, it already has the nonce value. So in order for that attack to work, we also need to intercept the initial messages, the nonce exchange between the target and the base station. Is that correct?

No. The nonce is there so the SIM card knows which key to produce.

Yes, but it helps the phone to find the right encryption key.

We are not the phone. We don't have the SIM card, right? So just give us the encryption key. We don't need the nonce.

Yes, so what you're saying is that the query you're sending there actually sends you not only the encryption key but also the nonce that is required?

It doesn't send us the nonce, and we don't need the nonce. We can take that offline; I'll explain how everything works.
Thank you. Microphone number three, please.

Yeah, first of all, thank you for a very good presentation and the very impressive work you've done here.

Thank you.

The question I have might be a little naive, but have you, besides taking a look at closing this whole issue technically, also been taking a look into what measures can be taken legally, at least in Germany and some countries in Europe, now that we have disclosed that basically certain sets of legal rules have not been fulfilled, so that we can force the operators to implement this stuff by legal means?

We have not looked into it. Of course we consider the possibility as soon as somebody has an overview of where these attacks happen, and that seems to be the issue right now. There's zero attack transparency. Nobody is looking for these issues, and partly that's to their own disbenefit, because as soon as they do look for this issue, some of these attack patterns are very easy to stop. As I said, two German networks mitigated them within two weeks, and these issues had been open for 20 years. Had they ever looked into their own data, they would have seen this going on. So I'm not very confident that anybody in Germany, at least, has an overview of where abuse would come from, and as soon as it does, I don't think there's much point in litigating. Let's just stop the possibility of abuse, right, instead of complaining about it happening. Right, but I'm with you: if there are corner cases in which abuse just can't be stopped, let's fight it legally, of course, right. And if all of you contribute information, SnoopSnitch, the empty pagings, if we can find patterns of abuse, of course we'll aggregate them and try to move against them.

Okay, microphone number four, please.

You said you can buy your way into the SS7 network, but how easy is it actually to get your access, and what do you estimate, how many players are there in the network? Can you give any estimation?

I have absolutely no idea. I know that there are some 800 companies who are legally allowed to access SS7, and then those of course have subcontractors, legal and illegal, and some people who bribe them, yet other people who hack their systems or the systems of the subcontractors. It's very hard to estimate, no idea, but definitely too many to trust all of them.

And would it be possible for me to get access to this without any operator stuff? I don't want to operate a phone network, but I want to have access because I want to provide some service.

Well, I wish the answer was no, but of course, right, if Tobias and I and a bunch of other people can get access, you should be able to get that too. But I'm not going to tell you how.

Yet another question from the IRC?

We have about nine questions, so no problem for me. First one: what about Windows Phones, jailbroken iPhones or something like this? Will the app in the end run on these phones?

Our app doesn't run on anything other than Android, but the chipsets are of course the same. So if you can speak to a chipset through a jailbroken iPhone, for instance, you could create a similar application. We just wanted to target the biggest population of phones, and that seems to be Android phones.

Number two, please.

Yeah, one further thought on self-defense. Self-defense doesn't have to be proportionate, I think, and identities are not secure in the digital sphere. How about developing some proactive, as we heard the word, defense tools? Proactive as in hacking networks until they have no chance but to fix?

That's what you understood, but I support that. I'm not going to say that I dislike the idea, but you won't see me here next year explaining how I did it.

Thank you. Microphone number three, please.

Okay. When did you check that the other two German networks didn't fix the sendIdentification issue?

Which network do you work for?

I'm... we talked last week.

Oh, yeah. So, yeah, maybe you fixed it too.
We didn't check.

We fixed it. It was in 24 hours, 24 hours after our call.

Wow. Okay. On both networks?

Thank you. Better late than never, right? Yeah, okay, so it's three out of four now that fix one out of a hundred problems.

No, it's...

Yeah, I know. That's why we don't go to the press and don't tell them that SS7 is fixed. We know we still have problems.

Also, it's all four, I know. I work for Telefónica, which is O2 and E-Plus.

Oh, yeah. Well, congratulations. Sorry for spoiling your Christmas.

Microphone number two, please.

I'd like to know why these empty pagings occur in the context of the location tracking. I thought as soon as the phone registers in the network, the base station which it is connected to is known in the network anyway. Isn't that the case?

That's a very good question, and let me go back to one earlier slide to explain that. One second. So, the empty pagings do not occur when you send these creepy anytime interrogation messages. They are just there for spying, and there's no paging of the customer. But since this got blocked, and Tobias went into great level of detail explaining this, you need a couple of other messages to now track somebody's location, and these messages, when meant for location tracking... they're meant for other purposes, for instance PSI, provideSubscriberInfo. That, however you reach it, is always the last message you need. This does do a paging, and then the provideSubscriberInfo really makes no sense unless you send something afterwards also: deliver an SMS, connect the call, whatever. So the paging is already sent in anticipation that an SMS will come or that a call will come. But if you're only the creepy guy tracking, you're not going to send that SMS, and that's where the empty paging comes from.

Okay, but still, also in these cases where something follows the paging, isn't it a type of double-checking whether it's really there? I mean, the location info itself should already be present in the network, isn't it?

Yeah, yeah, yeah. It just reconfirms that the subscriber is really there. So it's basically saying somebody just interrogated your location because they want to send you something; let's check that you're really still there, because otherwise we'll tell them something wrong. But Tobias, you wanted to comment on that.

Yeah, okay. So the empty paging is not in anticipation of something that's coming after; it's to get the current cell that you are located at, because when you are moving around in your location area, in the area that is covered by the switching center that you are currently being served by, your phone doesn't necessarily contact the base station. So it could be that the network's last position of you is somewhere you received an SMS or text or call, and then you moved to a completely different area. If your phone didn't have network contact in the meantime, the network would still only know the last point of contact. So that's why the empty paging happens, so that the network knows the base station that's actually currently closest to you. That's also why law enforcement uses a lot of silent SMS, so that they can get the last position in the network. And it's also an option: if you send provideSubscriberInfo, you can just send it and get back the last known position without a paging, or you can set the current location flag in provideSubscriberInfo, and only then the subscriber gets paged and you will receive the current location.

And that's one good example for how SS7, which is supposed to be so insecure we can never fix it, can easily be fixed. There's an option that says: we're using this normal feature that's absolutely needed, and we have this creepy extension to also ask for the location, and some networks choose to not answer that. They answer with zero zero zero zero, and nothing broke, right? So you can just ignore the insecure parts of SS7 and do whatever you think is right, and for the most part it continues to work. But I think we're well beyond answering your question.

All right. No, but from your answers, thank you very much, another question arises: because if it's actually to locate your phone and to find out which cell you're actually in, then it implies that it's not only one base station that sends the paging call, but a whole bunch of base stations. Do you know something about the algorithm? I mean, how many around the last known location are paging, or nationwide, or how does it...?

Everybody can implement this as they wish, and I don't have much insight into how 3G does it, but in 2G typically there's one paging sent in the last cell that saw you. You don't respond; it's sent in a larger area. You don't respond; it's sent for the whole location area. And then in some networks, if you don't respond, they send it in an entire country, right, but that's rare.

Thank you very much.

Okay, questions from the IRC?

Did SnoopSnitch allow you to reveal any kind of attack in countries? No special name in mind. Does it allow you to detect attacks in countries?

Yeah, yeah, some kind of... I think the answer is yes; its whole purpose is to detect attacks, and it also works in countries.

Did you succeed in detecting attacks?

Did we succeed in detecting attacks? Yes, we did. And if you go down to Saal C, room C, you can see how people are currently being attacked, and they currently detect that.

Okay. Microphone number five, please.

Yes, thanks. Going back to SS7 basics: can you quickly explain how SS7 is implemented? Is this a VPN on the public internet through the providers? What's the technical reality, the transport?

Yeah, that's a very good question, of course. That's a very good question, and see, I only have half of the information too; I keep learning. But so it seems that it was implemented initially as a network between Western European telcos, and they ran cables, dedicated cables, for SS7. SIGTRAN, they called this. And then a couple more networks connected to it, and each of them had to run a cable to one of the other telcos. But eventually they changed that and then introduced what I call routing providers. So telcos are not connected to each other usually, but through a routing provider, like on the internet. And those routing providers, they typically don't run a cable to your house anymore if you're a new telco; they give you a VPN over the internet, right? So it's diverse. I'm sure there are still some dedicated lines between Germany and France, say, and there are some others connecting in these big clouds that are routing providers. And it's actually really difficult to get your address routed everywhere in the world. So even if you connect to SS7, all you're connected to is one routing provider, and that routing provider knows that you own these addresses. Now it's up to you to convince every other of the big seven or nine, depending on how you count, routing providers that you are the guy with those addresses.
So the BGP equivalent of SS7 is to get nine roaming agreements signed with people at these other nine operators and then fax those roaming agreements to everybody else involved, so they type it into their computers, right? Very manual and very hard to grow the network, but for the most part it doesn't change, of course. So the low-level transport is not really an attack surface from the public internet. It can be; the low-level transport can be an attack surface if people just stupidly leave their local networks open, but it's rare. It's much more common, speaking about our talk next year, hopefully, on the other interconnect networks: there's one interconnect network for data roaming, it's called GRX, and since everything is IP anyway on data roaming, people sometimes do leave it out on the internet, or just do it unencrypted over the internet. And it does seem to become more popular also with the SS7 replacement Diameter, which again is pure IP. So there's no dedicated thing that you first have to encapsulate in a VPN before you can route it over the internet. You can run Diameter over the open internet if you want. It's stupid, but people seem to do it anyway.

Okay, microphone number six, please.

Okay, my question is if you could comment on why these messages were put in the protocol in the first place, if they are so easy to block and to fix. And the other question is if all the other problems that you pointed out are as easy to fix for the network operators.

So I don't have an answer to your first question. Why do you put a tracking message in the standard and then call it anytime interrogation? Gosh, like, that invokes feelings for me, interrogation room and all. I mean, this is spy stuff, right? And there's no practical purpose for it. But, right, who wrote the SS7 standard? Western European governments being afraid of the Russians, or of their own citizens, who knows, right? I don't know why they put every single message in, though. So your second question was what again?

If the other vulnerabilities are as easy to fix.

No. Blocking... they're not, and I tried to point that out in one of the slides: that anytime interrogation can be fixed, as can, for instance, this sendIdentification message, right? You just block that; there's no purpose routing this internationally. But the other queries on this page, at least, you need those internationally, at least to enable roaming. So the best you can do is, as I said, first block these queries from anybody who's not your roaming partner; don't respond to those people. And then do some plausibility checking, secondly, right: make sure that if a subscriber is actually in your own network, you don't honor requests from another country, right? And that should remove most of the issues, because most abuse comes from other countries. It's just more likely, if there are 800 parties connected to this network, that the one doing the abuse is not yours. Good question.