Hello? Okay. So good morning. Thank you so much for waiting such a long time. Well, we are happy to be here to share our work with you. This is a vulnerability and exploitation. We name it Ghost Telephonist. It's about a problem in CSFB (CS fallback) in the LTE network. So let me firstly give a brief self-introduction. We come from 360 Technology. 360 is a leading internet security company in China, like McAfee and Symantec. And our core product is antivirus security software for personal computers and cell phones. We come from the Unicorn Team. This team is one research group in 360. And this team was built in 2014. We focus on the security issues in many kinds of wireless systems, wireless telecommunication systems. And our previous works include GPS spoofing at DEF CON 23 the year before last year. Okay. And the LTE redirection attack at DEF CON 24. And also the PLC attack at Black Hat last year. So this year we bring the work about the vulnerability in 4G LTE in the CSFB procedure.

Okay. So what is CSFB? Now let me briefly introduce the voice solutions in the LTE network. As we all know, different from 2G and 3G, in the LTE network the circuit switch was removed, and only packet switch is left. So now there are mainly three solutions for voice in LTE. The first one is VoLTE, voice over IP. This is the final objective for the network evolution. And the second solution is the case we discuss today, CSFB, circuit switched fallback. It means when the subscriber takes a voice call, the cell phone has to switch from 4G to 2G or 3G. The third solution is SVLTE, simultaneous voice and LTE. The cell phone keeps two connections simultaneously: one in 4G and the other in 3G or 2G. This solution has a higher price and more rapid power consumption on the terminal, because it has two baseband chipsets running.
At the beginning of this year we were working on a project about the well-known GSM man-in-the-middle attack and we were debugging some modifications on OsmocomBB. This is a very famous project for the GSM protocol. We tried to send a fake paging response and then we were surprised to find some fake paging response messages were accepted by the network. There was no authentication and the call was successfully built. We thought it was quite strange. So we started to have a deep look at it. See the two pictures. This is the signalling log on some engineering-mode cell phone. In the part of the red blocks, you can see in the left figure, we confirm that in the normal 2G call authentication does exist for every call. You can see here is call confirmed. Here is the authentication, oh sorry. This figure is the authentication request and the response. So in a normal 2G call we find AKA does exist for every call. But in the 4G network in the CSFB case, the network doesn't require authentication. We found this may be the root of this problem. It was introduced by the CSFB procedure.

This slide shows the signalling flow of the CSFB mobile-terminated call procedure. You can see some network elements here: MME for the 4G network and MSC for the 2G and 3G network. When there is a call for a UE, for one user terminal, the network firstly sends a paging request on the 4G network from MME to UE. And the 4G eNodeB sends the RRC connection release message here. In this message, the network tells the UE which 2G base station it should connect to. In this step, there is another vulnerability we presented last year. That is the LTE redirection attack. This problem is still under discussion in standardization groups and it hasn't been solved until now. When the UE falls back to 2G, it will send a paging response directly from the UE to the MSC. And from this step to the call setup, there is no authentication. The whole principle is like this. The network has different doors.
For example, the left one is the door for LTE and the right one is the door for GSM. No matter which door the subscriber wants to enter, the door requires the subscriber to show the badge of the store. And once the badge passes the check, the subscriber enters the network space. And now there is one exception. When the subscriber goes out from the door of LTE, he shouts, "Be quick! I have a call in GSM." In this urgent case, in this special case, the door of GSM does not check his badge.

Okay, so after the discovery of this problem, we started to think about how to exploit it. The direct idea is to send a fake paging response and then impersonate the victim's cell phone and hijack its link. This picture shows our experiment setting. We use the C118 cell phone where OsmocomBB layer 1 is running. And the C118 is connected to a laptop which runs OsmocomBB layers 2 and 3. In this picture, we used two C118 cell phones to improve the attack efficiency. Now let's watch a demo video to see what the attack looks like. And then we explain the technical details.

This video records the whole attack procedure. Okay. We use two cell phones. One is the victim's cell phone. And use the, whoa. So firstly, we check the two cell phones work in the normal mode. We firstly use the victim's cell phone to call a normal cell phone. Okay. So both of them work normally. Whoa. Okay. So during the two calls, we captured the TMSI of the victim's cell phone. And we start the attack. We set the TMSI on this MacBook. Attack this TMSI. This is the victim's cell phone's TMSI. So now we call the victim's cell phone again. Now the call is connected. But the victim's cell phone hasn't responded. The call is connected to the telephonist. Next, we open the Gmail Google account web page. We try to reset this account's password by entering the cell phone number. And the Google account will send a verification short message to the cell phone. The telephonist has received this verification short message.
Now we input the verification code. Okay. Now we can reset the password. Now we create a new password. Signing in. Okay. Done. This is my Gmail account. Okay. This video was recorded in March of this year. And in this month, July, we noticed that Google announced its new two-factor authentication scheme. The new scheme delivers the verification code through Google's special application on Android cell phones. So maybe this attack does not work on Google now. Okay. So let my colleague Yui introduce more technical details.

Good morning. I'm Yui. Now let me introduce the first exploitation. The scheme is this one. The attacker, we name it as Ghost Telephonist, can impersonate the victim's cell phone to receive the call. The attack steps in our experiment are listed here. The first step is listening to the PCH, the paging channel. And the second is tracking the TMSI or IMSI in the paging message. The third step is the key step: forging a paging response message with the captured TMSI or IMSI. After this step, we check whether the network accepts the paging response. If it accepts, it will enter the call setup procedure. If not, we will wait for the next paging message. So in this attack, we pick up the victim randomly. So we call this method random hijack. In the random hijack exploitation, the attacker listens on the 2G paging channel, tracks TMSIs from the paging requests, and then forges and sends the paging response constantly. However, the standard says the 4G network should send the paging request with the S-TMSI. And the S-TMSI has no relation with the 2G TMSI. So someone may ask, why would the network send a paging request on the 2G side? Well, the standard said it should send paging on the 4G side. I don't know either. But in fact, we found that the C118 also receives the CSFB paging request on the 2G side. So my guess is the operator configured the network to do so in order to optimize the network, to decrease the latency of setting up a voice call.
Here is the success example. You can see that the C118 has no SIM card. But after a fake paging response, we successfully received a call from the number 139. This slide explains the attack signaling. In this figure, one UE represents the victim and the other UE represents the attacker. When there is an incoming call for the victim, the MSC in the 2G network will request the MME in the 4G network to transmit a paging request. When the victim receives the paging request, it will send the eNodeB a service request to ask for CSFB to accept the incoming call in 2G. In the normal scenario, after CSFB, the victim will send the paging response to establish a connection. But in this attacking scenario, because the attacker is constantly sending the paging response with the victim's TMSI, the call is taken over by the attacker.

Once the telephonist has hijacked an incoming call, what can he do further? The caller will recognize that the calling voice is abnormal. But the attacker may do something like social engineering. For example, he may say, your friend encountered an accident. He is in the hospital. He needs $2,000 for the rest of the calls. In this scenario, it may generate serious consequences. Anyway, now the attacker only knows the victim's TMSI or IMSI. He doesn't know who the victim is and he doesn't know further information. In order to do further attack, can we know the victim's number? In this picture, we found that during one hijacked call, the telephonist can make a call out to a phone by sending a hold message. This doesn't trigger an authentication either. The network will directly respond to the phone. By this way, we can see the victim's phone number on the screen of this phone. We call it phone number catcher. Here we summarize the attack steps using this signaling flow. The telephonist gets the control from here. It sends a paging response. Then the network sends back setup. And the call is confirmed.
After the call is hijacked, the telephonist makes a call out by sending a hold message and then sends a setup request. We can see the network sends back a setup message. It doesn't require authentication. This picture shows the pick-up request. Here are the records captured by our hijacking laptop that is running OsmocomBB. You can see the hold message to the end of this call. The network does not require authentication. As long as the telephonist doesn't hang up the call, the connection will be maintained. And at the same time, short messages can be received or transmitted.

We tried to make a targeted attack to attack a test phone which gives us the ability to debug and log the signaling. After our investigation, we found two ways to implement a targeted persistent hijack. First of all, we can send the paging response back constantly using the TMSI or IMSI which we can get easily, no matter whether there is a paging request or not. Or we could use the MSISDN number, the cell phone number. In this case, we know the victim's phone number. We can call the victim and capture the victim's TMSI in the air. Then we can launch a targeted attack via the previously mentioned attack method. Now let's go on to the next slide and introduce the details about how to implement a targeted hijack. Firstly, we can use the TMSI to attack the victim as we discussed. With this attacking method, we could constantly send the paging response to the network using the victim's TMSI. Once there is a call to the victim, the call procedure will set up. We can directly take over this procedure because we can respond to the paging request quicker than the victim. That also means we successfully perform a targeted attack. Secondly, implementing the targeted attack with the IMSI basically requires the same steps as using the TMSI. But this method has some potential advantages. The success rate is much lower than using the TMSI.
Because when the network receives the paging response with the IMSI, it needs time to look up the corresponding TMSI in the network. That's because the link setup increases the latency. But the victim will directly send a legal paging response with the TMSI and set up the link quicker than us, while the network is still looking up the TMSI with our IMSI. Finally, when we have the victim's phone number, we can attack the victim in the following way. We need two C118 and one B104 as shown in this figure. Here are the steps. Firstly, we set up one C118 as a sniffer. Then we use the B104 to call the victim and trigger a regular CSFB procedure. Our sniffer will log the whole procedure including paging response, call setup, et cetera. Please notice the call setup signaling contains the caller's phone number. That means we can locate the specific call setup signaling and trace back to find the corresponding paging response and finally extract the victim's TMSI. Now we have our victim's TMSI. So we can follow the steps we mentioned before to hijack the victim.

Now let's watch the demo video. This video shows the targeted attack. We impersonate one victim phone. And furthermore, we can hijack its short messages and we can choose which message the victim can receive. First, we use two phones to call each other to verify the phone number. Then we start a count to see how much time it takes to mount the attack. Now, we call the victim. But the call has been hijacked. So now we have successfully hijacked the voice call. Let's go on to attack short messages. So we can successfully hijack short messages and furthermore, we can choose which short message the victim can receive. So now, welcome my team member Lin to introduce a more complex attack.

Sorry for the video version. Well, let me continue to explain the first demo video, which shows the whole procedure. Okay. This is about how to attack the internet accounts.
And we know that to simplify the user experience, many internet applications permit login with the cell phone number and verification short messages. It doesn't require inputting the login password. So if an attacker obtains the victim's cell phone number and verification short messages, he can impersonate the victim to access the application. Another attack path is using the verification short message to reset the password as we showed in the first demo video. As we all know, there are some existing exploitations which can obtain the verification short messages like the attack we show here. For example, the SS7 vulnerability can be utilized to hijack both calls and short messages. And also some malware on the cell phones can hijack the short message content. So the telephonist attack is just a new attack method to generate the same consequence. We verified this kind of attack, the password reset, on some of the internet applications, for example Facebook and Google account, et cetera. The steps are illustrated here. In the first step, we control the victim's link and get the phone number. And in step two here, we use a computer to open the web page and request to reset the password with the acquired phone number. In step three here, the telephonist receives the verification short messages. And finally in step four, we use this verification code to reset the login password. This picture is the screenshot of the C118's log. And the record in the red rectangle proves that the C118 received the verification short messages sent from the network. It says CP-DATA network to MS. We investigated the password reset routine of many popular websites and applications, including global and Chinese ones. This table summarizes some of them. Facebook, Google account, WhatsApp, and in China, there are Alipay, WeChat, DDNCNR, et cetera. Some of them require sending short messages from the internet to the cell phone, the inbound ones.
And some of them require sending short messages from the cell phone to the internet, the outbound ones. Well, now, you may think this vulnerability is so dangerous, but we want to emphasize that. Don't worry so much. There are some constraints. In this page, we summarize the constraints to launch the attack. Firstly, the telephonist and the victim cell phone should be in the same paging area. It may be several base stations' coverage. And secondly, the attack is feasible only when the 2G network is in use and uses A5/1 or A5/0 encryption. I want to say here 2G network is in use. That means even if CSFB makes the cell phone fall back to 3G, as long as the 2G network is in use, the attack is feasible. And compared with other known exploitations, the telephonist attack has these features. It doesn't need to access the SS7 core network. And this attack doesn't need a fake base station. So it's quite easy to launch. The victim keeps online in the 4G network and is not aware of this attack, as the picture shows here.

People may also question why in every experiment, you make a call to the victim to trigger the CSFB? Is this necessary for a successful hijack? The answer is no. It depends on the operator's configuration. In some cases, we found we can directly impersonate the victim cell phone to make a mobile-originated call. During our tests, we noticed that we got different successful results when we attacked different victim cell phones. Here are the five cell phones we tested, with different chipsets. It is strange that some of them, which we marked with a star in the table, will get back control of the connection 10 seconds after our successful hijack. This means our attack failed in this case. So what's the problem? Why does such kind of failure exist? Why do different cell phones have different behavior? After we tested and analyzed, the major reason we found causing this issue is the fast return procedure.
The chipset manufacturers implement fast return in different ways. When a victim cell phone received a paging message, but it didn't receive this call, it may launch a location area update procedure in 2G. And this action will finally lead to the interruption of our hijacked link. Here we show two cases. The first one is about the Qualcomm chipset. In this figure, the green texts are 4G signaling and the white texts are 2G signaling. You can see that the Qualcomm chipset sends a location update request here. But there is no location update accept following. So we doubt whether the chipset really completes the location update request procedure. So in this case, the attack will succeed because the LAU procedure is not complete. So we can maintain the connection to do something evil. Here's the failure example. We can see the difference. This is the case of the MTK chipset. When the cell phone fell back to 2G, it didn't get this call. But before returning to 4G, the signaling was sent out. There is a location update accept immediately following. So in this case, our victim will get a new TMSI. That's why the connection will be interrupted 10 seconds after being successfully hijacked. Okay, does this mean the chipsets we marked with a star are all immune to this attack? No. For such chipsets, we can use jamming to prevent the victim's cell phone from sending the LAU signaling to the network. Then we could maintain this hijacked link.

Okay, we proposed countermeasures to operators and internet providers. We suggest adding authentication in the CSFB procedure. The additional latency is acceptable. And we think the final solution is to speed up the VoLTE deployment. And for the internet service providers, they should be careful that the PSTN authentication is not safe. And NIST guidance already suggested not using PSTN in two-factor authentication. Well, finally, I want to thank the GSMA CVD program. This is a new program launched this year.
This is a program for researchers to report vulnerabilities related to standards and protocols. So before this program, we had no good platform to report such vulnerabilities. So we reported this problem to GSMA and we received the first acknowledgement on the Mobile Security Research Hall of Fame. GSMA also transferred this vulnerability information to every operator. And we know some related operators have already fixed or are fixing this problem. Well, that's all. Thank you all for your attention.