Hello and thank you all for coming. This is awesome. I did not imagine this awesome of a turnout, so thank you for being here. And as most of you probably saw, this is my first time speaking at DEF CON, so I'm super excited to be here. So you might notice this is a really, like, fun slide. I have this throwback title and these pastel colors. Part of that is because I am going to throw a lot at you in this talk and we're going to try and keep it as fun as possible. So all of the information here is actually public information, so hopefully you'll be able to take some things you learn here and learn more outside if you want to. So this talk is actually going to focus more on cellular core networks than radio access networks, as much as is reasonable, just so you know what we're getting into here. So you might have seen, some of you, my ShmooCon talk, which is on a similar topic, but it does diverge in several ways, so you'll still get new content even if you've seen that.

So who am I? Well, I'm Tracy and I'm clearly very loud. Hold on. I'm a vulnerability researcher at Trenchant, formerly known as Azimuth Security, and I previously split my time doing reverse engineering and embedded development. Well, most of that was actually telco focused, and I have about ten years of experience.

So what are we going to cover here? What have you all signed up for? Well, just to lay out our plan here, I'm going to be talking about network architecture, mitigations, and public vulnerabilities or attacks for 2G in the form of GSM, GPRS, 3G in the form of UMTS, LTE, 4G, and 5G in the form of New Radio. So let's talk about this visually. Now, I stole this image directly from the Wikipedia page for cellular networks. It's wonderful and it's a great Wikipedia page. But you'll see I've added our path forward here just so you can visualize where we are. Now you see along the bottom we have the year, and along the top those are the different generations.
Now, internally to this graphic you'll see different terms, and a lot of times people will actually conflate those terms with the generation, but I'm actually going to try my best here to differentiate those two things, because internally here we have things like GSM; that's actually the implementation of the 2G cellular specification.

So first let's cover a few basic cellular concepts. So we have a PSTN, which is our public switched telephone network, and that's your landline that is made up of copper telephone lines, and it's circuit switched, initially analog. So when I say circuit switched, what do I mean? Well, for me, again, I'm a little bit visual, so having this beautiful picture of the Marvelous Mrs. Maisel helps me think about the concept of circuit switched. It's end to end unbroken communication lines. And we have our public data network, our PDN. And that's going to come into play more later on once we have our IP networks start adding to these telco networks.

So let's jump in. Let's take a look at where we are in our timeline here. We're in the 90s with our implementation of GSM for 2G. And an interesting thing about this is that 1G actually wasn't dubbed 1G until after 2G started having a specification. So 2G in the form of GSM here, but 2G is where we get calls, SMS, yeah, we have texting, no data yet. And we have ETSI and GSM standardization. And this is interesting and it's still relevant. So I did want to bring up that, for example, in the US T-Mobile still uses 2G as their fallback, and it's still predominant all over Europe.

So let's take a look at our network architecture. We have our mobile station, which is really just the device you speak into. It's any mobile device with cellular functionality for 2G. And this is your device. And this is going to feed into our radio access network. Now, our radio access network is actually like what most people think about when they think about a cellular network. It has our antennas, our radios, our baseband units.
And in GSM it's actually the same as our base station subsystem. In our base station subsystem we're going to have our base transceiver station. And a lot of you have probably heard of base stations. Right? Well, our base transceiver station communicates with our base station controller. Base station controller is a controller. It's going to communicate with one or more base transceiver stations. And that makes up our front part of our network. From there it's going to hand things off from our radio access network into our core network. So we have our front part, which is our user endpoint. Hand things off to our base transceiver station. Hand things off to our base station controller. Which then communicates on to our mobile switching center.

Our mobile switching center is going to handle most of the, well, I'd say most of the functionality. Most of the mobility functionality. It contains a bunch of other acronyms. And before I show them on the screen, because it's a little bit much, really the best way to think about it is a bunch of databases that contain information about users. Things like our home location register. And this is just a database of information about a local user. Meaning a non-roaming user. This is going to be things like their activity, status, location, etc. So it makes sense that if we have this for our home location register we're going to have a visitor location register. Right? We need the same information for visiting users. But this is a little bit more temporary. And then we have our authentication center. And our authentication center has things like secret keys for your SIM, your PIN, and your PUK, etc. We're going to have our EIR, our equipment identity register. And really what this does is says this is a list of valid equipment that can be on this network.
So when a device goes from one mobile switching center's territory to another, there's obviously going to be a lot of communication between especially your visitor location register and your home location register. Your roaming and your non-roaming users.

So let's take a look at it all together. Whatever. We're rolling. So the user speaks into their 2G capable device. And that comprises our mobile station. The mobile station then sends the signal on to our base transceiver station, which then is handled properly by the base station controller. That portion of our network makes up our radio access network. Next it's going to hand things off to our core network in the form of our mobile switching center, which has all of these different registers. And then our global or gateway mobile switching center, which then reaches out to general external networks, things like our PSTN.

So let's talk about some fun things. Now we have the basics established. Let's talk about attacks. So GSM does not have mutual authentication. And you probably have heard of things like IMSI catchers, right? So there are lots of things you can do with IMSI catchers. One most important is to understand that you can do a full person-in-the-middle attack. And this is done by means of a rogue base transceiver station. And that is going to keep coming up. So fun fact about the base transceiver station is it actually is the entity that determines the encryption scheme, so it can totally be like, JK, don't use any encryption. And fun fact, everything beyond the base transceiver station is actually sent in clear text anyway. There are also things that you can do like jamming, using a signal generator at a specific frequency to interfere with either the user endpoint or your base transceiver station, as well as known weak encryption schemes.

So let's move on to GPRS. Might be my favorite. Who knows? No, GPRS is great. You see how it doesn't really neatly fit into the timeline. It's got that weird cut out.
Well, that's because it's really like 2.5G. And this is interesting because it is general packet radio service. This is where we take our GSM, our circuit switched functionality, and add IP functionality. We get things like multimedia messages, push to talk over cellular, and we have these two network architectures essentially living in the same network.

So let's take a look at what that looks like. We still have our mobile station. You know, the same thing. Sometimes there are different terms applied to it, but we'll stick with mobile station. There's our BSS, our base station subsystem. That's going to remain the same with our base transceiver station and our base station controller. And then we have our MSC. And this functionality is pretty much the same as before. Wonderful. It still feeds into our gateway MSC. So this looks pretty familiar, right?

Well, let's take a look at the new part. What's new for this? So we start adding our shiny packet switched features and the whole front end stays the same. But now we get GPRS support nodes. And these are pretty neat. We have things like our serving GPRS support node, which has locations, security, access controls, packet routing and transfer, mobility management, authentication, handle signaling packets. And it's doing a lot of heavy lifting here. And it communicates with other serving GPRS support nodes or equivalent in the same network and reaches out to our gateway GPRS support node. Now this is a GGSN. So lots of people, including myself, say things like GPRS gateway support node or gateway GPRS support node. I'll try and be consistent. I make no promises. And it is like a router, firewall, gateway all in one, usually just viewed as a router. And it's our last stop before our public data network. It assigns IP addresses for devices internal to that core network.

So let's see it all together, right? That top part is going to look the same as before.
We have our mobile station, our radio access network, which has our base transceiver station, base station controller. And then it hands things off to our circuit switched portion, still in our mobile switching center and our global mobile switching center. Now you notice something here that's slightly different though. It's those registers we talked about, right? Well, now our circuit switched and our packet switched portions both need to consult those registers. So they're shared between the mobile switching center and the serving GPRS support node. And in our packet switched portion, we have our serving GPRS support node and our gateway GPRS support node. And that makes up our core network.

So clearly there should be some lessons learned from 2G GSM. Let's take a look at those. We have some mutual authentication, but only for the packet switched portion. We have authentication between the mobile station and the SGSN. So you can see on the network diagram where that lives. Some level of ciphering and some amount of identity verification. You know, there's small amounts of improvements here. Bit by bit we're getting better. There we go.

And now let's talk about some fun attack vectors. Now look, we still have that same rogue BTS problem. And then there's this company called P1 Security, who I adore, and they've done some really neat research on telco networks. And one of the things that they have found is actual implementations of GPRS out in the wild with zero encryption anywhere in the network, most notably in Italy and Denmark. And there's a Nokia GGSN attack that was actually pretty slick. It was able to be taken down or restarted, you know, which disrupted the GPRS network connectivity for a whole area of users. So remember where our GGSN sits, right? It's our gateway support node. So it sits right on the edge of this core network and reaches out to the internet. So this was done by sending non-standard IP options in a packet.
And it happened by just sending this packet from the internet. It took down this whole area of users.

And I will, okay. So I'm not picking on Cisco, I swear. But their threat bulletins were actually excellent in trying to find some of this information. A lot of core network features are not, you know, it's core infrastructure. They don't want to release things, but Cisco actually did a lot. So this gateway GPRS support node of the ASR 5000 series doesn't actually handle Wireless Session Protocol packets correctly. So an attacker could craft a packet such that they could bypass a portal page, which means that they wouldn't have to pay to use this carrier. On the same device, it also does not verify, or validate, I should say, HTTP traffic properly if there is one or more packets with additional bytes at the end of the packet. If you have specific padding, it just doesn't verify and it can go straight through the GGSN.

All right, so let's talk about 3G. We start getting things like video chat. We're moving on to a new signaling method and there's much more internet functionality. Visually, it's kind of weird here, right? Our UMTS implementation is around the same time as GPRS is going on. So they're a little bit in tandem, and here is where I'll mention the fact that none of these actual generations are standalone, right? All of these things are being used mostly at the same time. All of these things are still relevant.

So let's look at a UMTS network diagram. And we're going to keep most of 2.5G. We still have those registers, our mobile switching centers, and the GPRS support nodes. We still need our base station subsystem, but now our mobile station, it's going to get a little bit rebranded to our user endpoint. This is actually the term that I prefer, so I will continue to use user endpoint here. But it is effectively the same thing as your mobile station. Our RAN, okay, cool. Well, UMTS has to be special, so they're going to apply this term, UMTS Terrestrial RAN.
It can't just be like every other RAN. And that's also known as our radio network subsystem. We also have our radio network controller. And this is in charge of all of our NodeBs connected to it. And it handles mobility management, radio management, and adds some encryption. It honestly looks a lot like our base station controller from before, right? And our mobile switching center stays; it changes functionality slightly, but we're going to sort of gloss over that till we get to something further on.

So we have our mobile station, which now is our user endpoint. We have our base transceiver station, and this has been now rebranded to our NodeB. Our NodeB then communicates with our radio network controller, which then hands things on to our core network, which looks pretty much the same. This is our radio access network portion, the previously circuit switched portion, and our packet switched portion.

So what are some mitigations? Well, technically, we now have true mutual authentication. So this is mostly an attempt at IMSI catcher mitigation. There's literal guidance. I love this. Not to keep the same temporary identifier for long periods of time, but there's not actually, like, in the specification a definition for that. There's a lot more confidentiality expected in our radio access link portion. And some signaling plane and user plane confidentiality. And security now, it gets to be shown to the user. So if I am in 3G and go down to 2G, I should now see that on my phone, usually in like a little icon or something, right? Sorry. I have beautiful nails, but they're totally impractical.

So looking at these attack vectors for 3G in the form of UMTS. Well, we still have this rogue NodeB, formerly our base transceiver station. That still happens. It's getting a little bit harder, right? It has to be a little bit more targeted now. And there are downgrade attacks. And these downgrade attacks are still pretty relevant and they are going to continue to be relevant.
And this is when a rogue NodeB forces a device to temporarily downgrade its communication standard to a previous generation. So my example of 3G to 2G earlier could have been that, right?

We have remote IMSI attacks as well. And this happens because there are integrity keys between our user endpoint and our radio network controller. But those are actually generated in the core network itself. So the core network generates these keys and then hands them off to our radio network controllers unencrypted. And sometimes radio network controllers communicate this unencrypted as well.

There's also HLR overloading. This is a neat one. There is a re-synchronization that happens between your user endpoint and your HLR, this home location register. And remember that to get to that HLR, you have to go through these other devices as well. And those devices do some heavy lifting. So what an attacker can do is repeatedly send this sequence value for re-synchronization and in doing so tie up the SGSN. So another thing that an attacker can do with this specific attack is a variant where they get a list of IMSIs for a particular mobile network operator, from a particular carrier. And then an attacker generates this radio resource control connection request. And that's for each IMSI on this list of valid IMSIs for the specific carrier. Cool. And each request, the HLR, the home location register, is going to say, okay, that's valid. So it starts computing some authentication vectors, which really is a pretty heavy process for it. That means that nothing that's actually valid can get through to that HLR. And it takes down the functionality for legitimate equipment to reach out to it.

Again, there's a Cisco SGSN, actually GGSN in this case, the ASR 5000 series. And it doesn't properly handle TCP packets. So an attacker could reboot the session management on this device, on the GPRS gateway support node, causing a denial of service for all communications with this gateway device. Right?
Remember that this is the last stop between this core network and the wild internet.

So let's move on to LTE, long term evolution. And this is in the late aughts. So this is fun. I'm going to refer to it kind of as 3.95G. Because initially, you know, these standard committees were like, no, this is not officially 4G. It doesn't meet REL 8 or REL 9. But then after some careful marketing, they were like, okay, fine, we'll consider it 4G. It will just be like 4G LTE. So now 4G, but then sometimes things are called real 4G, 4G advanced, things like that. But this is where we get the evolved packet core or system architecture evolution. This, this E in LTE is going to be everywhere. They're very into evolution. And we get fully IP based. So there's no more separation between our circuit switched portion and our IP portion.

So let's take a look at what that actually looks like. We have our user endpoint. We have our eNodeB now, right? It's evolved. And our NodeB pretty much did the same thing. We have our mobility management entity, which is a lot like our radio network controller actually. It does bearer activation and deactivation, paging, authentication with your user endpoint, and directs things to the appropriate other devices. Now we have this HSS. I tried to make it legible. That's what happens. Well, we have our HSS, our home subscriber server. And this is taking that home location register and our authentication register piece and putting them together. We also have our signal gateway, our SGW. And this, you'll notice in the network architecture, it looks a lot like our SGSN did, right? Our serving GPRS support node. It routes and forwards data packets. We also have our PDN gateway now. Our public data network gateway. And again, you'll notice that it looks a lot like our GGSN. It's the exit for outgoing and entry into the cellular network from the outside. It does our policy enforcement, our LI packet filtering, charging support, et cetera.
And then right above it, we have this policy and charging rules function. I'm only going to briefly mention it because it really usually is part of that PGW, that PDN gateway.

So what are some lessons learned from before that we can apply? Well, still trying at eNodeB security here. There's now some configuration that has to be authenticated and authorized to radio access elements. The IMEI, your mobile equipment identifier, is not sent to the eNodeB until there is some level of security established now, which is actually a big improvement. There is now mobility management split apart in its own entity. And this is interesting and you'll see this through all of the network diagrams I'm showing. A lot of times things just end up being the same functions and getting reformatted, right? We're taking things like our HLR and our AC and combining them, and taking other things and splitting them apart.

So what are some attack vectors? Okay, there's this super cool paper called LTEInspector. And I put this here for LTE instead of 4G for obvious reasons. And they detail a lot of attacks. It's a very good paper. One of which is an authentication relay attack, wherein someone can impersonate a victim cellular device and reach the core network without possessing any legitimate creds.

There's also paging channel hijacking attack. Now, paging channel is probably going to come up a few times here. It's a very interesting attack vector. I'm happy to talk about this after, I swear. And what happens here is we use our all time favorite eNodeB that is malicious, right? This malicious eNodeB utilizes the same frequency as our legitimate eNodeB and then broadcasts out these fake or empty paging messages. And this has to be done at the same paging cycle as our user endpoint and at a high frequency. But that's still not like too bad for an attack vector, right? So then a user endpoint, fun fact, only responds to the first message it's received here.
So what happens is that if we have that malicious eNodeB broadcasting out these fake or empty paging messages, a user endpoint can't receive any valid ones from the mobility management entity paging. And from that, let me explain what that means actually. Let me take you along with this. So what that means is they would stop getting any notification of calls or SMS and if fabricated messages could be injected.

So the next attack is sort of based on that, with this panic attack. So paging messages are pretty important. When there's something important that happens in an area, your phone will reach out and be like, oh hey, like tornado warning, AMBER Alert, things like that, legitimate reasons why your phone would alert you, right? Well, an attacker can inject fake paging messages to arbitrary neighboring user endpoints using these and cause a psychological attack, cause panic in a specific area through these paging channels.

There are also some actual implementation errors. So let's dive in with some identifiers. I think I mentioned your IMEI. There are some identifiers, a lot of people in this room are probably familiar with your IMSI or IMEI. Well, internal to the core network, there are a lot of other temporary identifiers that get passed around as well. One of those for LTE is your GUTI, your globally unique temporary identifier. There was an interesting talk at Network and Distributed System Security Symposium in 2018 where implementation errors actually led to this supposedly temporary identifier being permanent. So this would allow an attacker to determine other identifiers. There's some great info leaks from this and whether a target user is actually nearby.

There is also another Cisco device, I swear, not picking on them. So there's this Cisco public data network gateway, 2200 series, and there happen to be maybe some issues here. Let's look at those issues. Well, there's an issue processing malformed header info. Okay. Like SIP headers, general headers.
Hmm. Well, there's a problem parsing overlong messages. Okay. Well, there's actually a problem processing SIP test request messages. Well, maybe that's okay in a real network. Hmm. They also have a problem handling session attributes and SIP packets in general and MGCP packets. So using any or all of these means what an attacker can do is deny service for the PGW. So what that happens through these means would be that this PDN, this public data network gateway, actually wouldn't establish any new TCP connections and will stop receiving TCP connections. On top of that, no new SIP connections will occur, though current calls won't drop. So a user wouldn't actually necessarily know this until further on. It also fails to connect to other services, things like SSH or HTTP or Telnet, which is often a type of service that would be used to service this device.

So let's move on, let's cut that device a break and move on to twenty-teens. It's finally time for 4G, for like real 4G. So this is LTE Advanced or LTE Advanced Pro. We get IPv6 expansions, adaptive modulation, time varying channels, VoLTE, and something you might have heard of, this IP Multimedia Subsystem. Let's look at the network architecture and it looks the same, right? We have the same from LTE. We have our user endpoint, our eNodeB, our mobility management entity, our home subscriber server, our signaling gateway, our public data network gateway, and our policy and charging rules function.

So let's move on to some mitigations. Clearly we've had some lessons learned from all of these things, right? Well, now all radio interface data shall be encrypted. Previously, the specification said that it should be, now it must be. There's also this AKA procedure. This is an authentication and keying procedure. And this happens in order to have that mutual authentication between our user endpoint and our evolved packet core. There are different session keys between things.
There are additional mitigations that your mobile network operator may implement or should implement based on the standard.

So some attack vectors. Look, we still have this risk of IMSI catchers and this Cisco ASR 5000 PDN gateway. Now, there is a pre-auth remote attack that can stop ICMP traffic because of vector packet processing. What an attacker can do is send a malformed encapsulating security payload packet and stop all of ICMP over IPsec. It also handles GTP headers improperly. So GTP, I love, but it's this GPRS tunneling protocol. It's pretty key to a lot of the internal communications of that core network. And this PDN gateway doesn't actually validate it properly. So sending a crafted GTP packet to this Cisco PGW will target the session manager, and the session manager can get restarted unexpectedly and deny service to a bunch of users.

And again, I'm going to shout out to P1 Security. They gave a talk at Hack in the Box and noted that some vendor that they won't disclose has MME keys that are just hardcoded and they don't change regardless. They also found that there is an MML interface on a PDN gateway. So again, our last hop before the wild internet, that is just totally exposed to the wide internet, this whole MML interface. So again, I highly recommend reading their research. It's very cool.

So let's move on to 5G, right? Like this is now, it matters, everyone's interested. Let's talk about this change. This is where our network architecture is going to change significantly. A lot of times up until now we've seen things get shifted around, but it mostly does the same functionality. This is where things change, because we get network function virtualization. And that happens because a lot of these functions are running on COTS servers. So we also have this management and orchestration that is needed in the core network. So it's officially part of our core network. And this happens because we have all these things virtualized.
We're just sending API calls and we need some kind of driver, and that's this orchestration piece. We also have the concept of network slicing. And this is just creating logical networks over the same physical infrastructure. So a lot of that arises from the need that in 5G we no longer expect everything to be IP based. So we have different types of devices all converging in the same network. So we need different quality of service for these different devices. So network slicing allows us to have things like your smart meter, your car, your voice call, which all have different user expectations and network demands, to be able to have those. Oops, also our eNodeB becomes our gNodeB.

So here is where we are in our timeline again. Shiny New Radio. Let's take a look at this network architecture. Well, first let me explain. There's a lot of new acronyms. We mostly have that eNodeB becoming our gNodeB. We also have access and mobility management function. Our AMF. And this is similar to our mobility management entity. Does subscriber mobility registration, some security. We have our SMF, our session management function. And this does session management. We have data network profiles, user plane function selection. If it is IP based, it will determine its IP. Our user plane function, and this also would have been part of our MME, our mobility management entity. And it is our anchor point for NG-RAN, which is this version of RAN. It's just the same radio access network with a new label. We have our UDM, our unified data management. This is going to do a lot of that orchestration that I mentioned. It has access authorization, registration, mobility management, some data network profiles as well. And it mostly communicates with that AMF, the access and mobility management function. And our SMF, our session management function, to determine what users can do or access. We also have our policy control function. Now this is slightly different than our PCRF before.
This does dynamic policy decisions and conditions. Are there things in the network that affect the user conditions in the network, or what can the user do?

So visually, let's step through this. Because some parts of this are still the same. We still have our user endpoint. And now we have our gNodeB, but it's still, you know, receiving that signal from the phone. We have our user plane function at the end of that row. We have mobility and quality of service flow, policy enforcement. Above that we have our AMF, our access and mobility management function. We have our SMF. We have our SMF doing session management, communicating with that AMF. We also have our PCF, our policy control function. And above that we have our UDM, our unified data management. And you'll see that it communicates below with our AMF and our SMF, our access and mobility management function and our session management function. So it communicates a lot determining what users can do or access or a different quality of services. Oh also, our public data network is now often just referred to as our data network. And sometimes our radio access network is also just referred to as our access network.

So what are some mitigations? 5G obviously has had a lot of eyes on it. And a lot of folks even considering security up front, I should say. So instead of just our IMSI, now for 5G, we have our SUCI and our SUPI. Our SUPI is our subscription permanent identifier. Another 15 decimal string. And we have our SUCI, our subscription of subscriber concealed identifier. So these two identifiers combined are what get partially what get handed around through the network. But this was a means to defeat IMSI catchers and not just rely on that one identifier being compromised. There's security and mobility separated in the core network. Larger keys. There are additional means to protect user messages. There is a counter to mitigate replay attacks. And there's this security anchor function.
Now I didn't put that in the diagram because it's often actually co-located with your access and mobility management function. But it also allows for devices to move between different networks without having to renegotiate the full AKA, that full authentication and keying procedure. Now I know that sounds like maybe that's not the best idea. But part of this came about, if you think about our HLR overloading, where we could have that start creating these authentication vectors and that would tie up a whole device, this was actually a mitigation to help prevent things like that.

So some fun attack vectors. Nokia's head of product management security, Patrick Rhude, actually said at a talk that because there are so many different types of devices connected to 5G networks, there are 200 times more attack vectors than 4G. I think we're going to find out.

So let's talk about this specific attack, and I have so, so many references, and I realize that these slides are being released, I swear. There is this very interesting attack where an attacker can sniff this AKA procedure. So this authentication and keying protocol, it's actually transmitted in plain text over the air. So this can be used by an attacker to determine the target subscriber's presence in a specific cell. How that happens is there is, we place a sniffing tool and monitor for an authorization request. From that, there's this response with this RAND and an AUTN, right, these two values. From that value, an attacker can craft a message, putting those together, broadcast that out. And what happens is it's going to broadcast that out to a whole area. When it's not the target user endpoint, it's going to fail some MAC checks, makes sense. But what happens when it actually hits the target victim's user endpoint is it'll pass that MAC check and it'll fail a sequence number. So it doesn't sound very sexy, but what you get from that is knowing whether a specific user is actually in a specific cell.
Some more fun attacks. So there is an attach request injection. It's not, there are these attach requests that are sent unencrypted to the network. It's not integrity protected. And there's a point in the registration process that can be tampered with because registration process is actually not stopped if there is a failure, if there's an integrity verification failure. So the attach request can pretty easily be modified along the way. There's a battery draining attack and this is, I believe this is also a paging channel. So there are power saving mode, operation, like messages that can be sent from your mobility management entity, which here is our AMF, our access and mobility management function. So that would be a valid use. What an attacker can do is actually turn that option off and say that that can't go through. So then your mobility management entity, here our access and mobility management function, can't send through a message that says turn power saving mode on, which means that the battery then drains five times faster. It's being used for things like signaling measurements and other modem activity. Yes, sending malformed packets can still trigger crashes in the core. There are some fun stream reuse attacks where an attacker can masquerade as a valid network function, send multiple TCP streams and lead to stream ID exhaustion. Can also send a malicious stream close identifier in that same connection and cause a server crash still. And this is a fun one. It is documented pretty heavily in a paper I have in my references. There was this paper that did a bunch of processing of standard specification documentation with machine learning to find end-to-end vulnerabilities and they found some very interesting things. One thing was some issues with paging, this attach procedure and some service requests. 
And what they found was that there were some issues with this mobility management entity, those specific messages and there was a confirmation by China Unicom that this has, this is a real concern. It's not just theoretical. Maybe it definitely happened. This was documented on CNVD and CNNVD at some point apparently, but it's very hard to find. So I encourage you to go find more. There's also some interesting recommended reading on this with PIERCER and ToRPEDO if you're interested. So I know that was a whole lot. We have covered far and wide a lot of cellular technology. There are a lot of acronyms and I tried my best to break this down for you. But it's a lot. There's no way around it. We've covered 2G in the form of GSM. We covered GPRS, 3G in the form of UMTS, LTE, we covered 4G, we covered 5G in the form of new radio. We have done a lot here and I recognize that. So please if you guys want to have any future conversations with me, I highly recommend it. These slides will be out there. I do happen to have a 65 minute version of this talk that I also will probably be putting out there if you're interested, which you'll have a little bit more on the radio access network portion. Yeah. Here are some references. I don't actually know. Yeah. I'm about to get the hook. So I don't think we have time for questions. But I appreciate your time. Yeah.