Dr. Holtmanns. Thanks a lot. I'm quite happy to be here and to see so many people interested in mobile phone security. So the talk will basically have two parts. Because most of you are actually not from the mobile phone industry, I will explain to you how business is done in the mobile phone industry, what we are facing there, what we are seeing there. In the second part of the talk I will talk about the actual attack scenarios. We will go into Wireshark, protocol details and so on, so we will have a split talk.

Hold on, okay. So I'm from industrial research. Now you might ask: okay, will I now see a small advertisement? No, you will not. But industrial research has some advantages. I went into industrial research and less into academia because I really wanted to do real stuff, and the advantages I get: I really get to see the customer data, I see the pcap files, and also, when I understand the stuff, I can go to the product units and tell them, "Hey, this is shit, please do it differently." So I really can make an impact and change things. On the downside, I cannot go to a talk like this here and say "the industry should fix this". No way, I will get beaten up. I need to come up with all the solutions, and solutions that can be worth the money. I cannot just say, "Well, invent mobile phone networks anew." That's not an option for a chief financial officer, so I cannot come up with these kinds of solutions. Also shareholders don't like that. So I have to come back with ways to fix things without really fully breaking them. So that's industrial research. So on the one side there's a bit of a plus; on the other side, well, I also have to think about the financial aspect.

So let's go into the technology a bit. So, roaming. Many people here are, let's say, from Asia, so you have subscriptions from China Mobile, from Airtel, from MegaFon in Russia or Telenor in Pakistan. But you are here in the US, which means that you most likely connect to AT&T, Verizon, T-Mobile or Sprint. And I'm from Finland, which means I have a subscription from Elisa, but there are also Telia and DNA. And the idea is that you switch on your phone, you go to another country, and it works. It's actually very surprising that it works, because these are different business entities, different countries which potentially don't like each other, and still it works: anybody can call anybody, and it works. This is due to the so-called roaming network or interconnection network. It's a big network. On the slides you see the main undersea cables, and it's very, very big. There are some hubs, for example in Great Britain, some hubs in Frankfurt, some hubs on the West Coast and the East Coast. And the routing through this network is based on pricing, so on the money: the cheapest route wins. So this is actually how the network operators communicate with each other when you set up a call, an international call, or any sort of communication. And you can think about it: there's no single controlling entity, which is the most interesting point. There's no government agency controlling all of that. They're all independent, all different governments, different regulations; everybody has its own regulation.
So it's a very mixed network. So when I switch on my phone, it connects probably to some of the antennas; I suppose that most of the hotels here have some base stations, some antennas on top. Then it goes to the local core network of the operator here, a big bunch of servers of AT&T or Verizon or wherever I connect to. And they don't know me, who I am, somebody strange from Finland. Okay, can we give that person service? So what happens then: they basically send a message first to the UK over this undersea cable, and then from this IPX carrier most likely to Frankfurt, and then to Finland, and in Finland my home network says: yep, corporate subscription, data flat rate, don't worry, it will be paid, and also checks the authentication credentials. So we're going to come back to that picture later on when I talk about the fraud attack.

So let's talk a bit about the network, this secret network. To understand the security problems that we face there you need to understand basically where this network is coming from. This network was invented in the Nordic countries in Europe, and we do business there slightly differently. I will set the scene at a business meeting in Finland. The picture is actually from Kauppalehti and it's really a business meeting, a young entrepreneur meeting in that case; I got the copyright for that picture from the newspaper. But I'm pretty sure that the first Nordic operator meeting in 1981 looked like that. I'm a hundred percent sure, or, as my colleagues told me, close to the truth. So Finland, Sweden, Norway, Denmark and Iceland had pretty serious problems. They had problems like: they wanted to talk to each other to exchange vital information like the temperature of the sauna, is the beer already cold? So they had really serious issues.

So they decided: let's set it up so that our networks talk to each other. And then they were getting into some technical problems: okay, undersea cables are needed, still worrying about the beer, and then there was sort of: let's get down to the details. I've been in such meetings myself, so they are really like that; it's actually no joke. So they were discussing then: okay, protocols are needed. Do we need security? Ah, no, not needed, we all know each other, we are just five countries. And so that's how basically this network was instantiated. That was about 35 years ago and it was built on trust. A lot of stuff in the Nordic countries works on trust. They had the Signaling System No. 7 (SS7) protocol and that was used for the communication between the networks, and nowadays we move from SS7 to the 4G protocols like Diameter for LTE. So, in summary: five Nordic operators. Now it's a very mixed membership. So you have, for example, this here is from Amazon, that's where they send you a one-time password via an SMS. So this is an SMS aggregator, as they are called.

They send you these messages, connected to the interconnection network. And also the networks themselves are very mixed. For example, there is .tv; people probably know that ending, it's for Tuvalu. Tuvalu is an island in the Pacific; it has a telecommunication network, and they have 47 employees and 1300 subscribers, and are probably happy about everybody who is born there, because then they have one subscriber more. On the other hand we have for example China Mobile, which has roughly half a million employees and 873 million subscribers. So it's quite different from the homogeneous structure in the beginning, where basically every Nordic country has about five to seven million people. So we have now a lot of different entities in there, and I'm pretty sure that the Tuvalu telecommunication company doesn't have a lot of security experts, maybe one if they are lucky; China Mobile probably has money for some more.

Well, and the network itself nowadays is a mix and match of everything, as we had in the morning talks or yesterday in the Qualcomm talk. And also in 2014 we had our first major incidents; security awareness basically started then. Now you might think: okay, I'm not roaming, I'm not traveling, why should I care about it? Well, I'm sorry, because all those connected IoT devices and self-driving cars and webcams and whatever, they use cellular stuff. So there we are, so we need this kind of thing, also emergency car systems and so on. You are always reachable from the interconnect network, just in case somebody wants to call you: somebody, one of your friends, is going on vacation and wants to call you, so you're always reachable from this interconnection network.

So, security. Let's go first into who would hack this network, or nobody would hack this network. Why would somebody hack this network?
Okay, there are different types of hackers. In this talk we will focus on fraudsters, but the other ones are also in this too. So we have had some in there: the first one in the corner is location tracking, something like a "track your spouse" service. The one below is where they were getting one-time passwords for bank accounts in Germany. Actually that operator was quite quick; within a couple of hours they noticed that something fishy was going on and managed to stop that. But of course it got into the press and some damage was done, but they actually were quite quick compared to other incidents. Then there are governmental agencies. I think in the morning we had a long talk from the NSA that everybody else hacks mobile phone networks; I'm afraid they also do. This is also GCHQ, that is, UK agencies, but I also get logs on my table and I've seen many other countries. But on the other hand you never know exactly where the attacks are coming from; you just see an IP address and you know nothing. And then there are so-called service companies. There are dark net service companies and there are governmental service companies, because not every government develops the offensive stuff themselves; they also very often just buy it from third parties as a product or as a service. So these guys you find in that interconnection network.

So these are the attacks that exist nowadays for SS7, and that's location tracking, eavesdropping, fraud, denial of service, cryptographic key theft, data session interception, which is actually GTP and not SS7, and SMS interception, which is probably the most important, because that means these are your one-time passwords for WhatsApp, or not WhatsApp, for Telegram, Facebook and so on. But it's important to understand that not all networks are equal; they're not all equal. So some have protection measures in place, some have nothing in place and some have something in place. So you start wondering: okay, if that's a closed private network, how do those guys actually get in? Well, we saw you can rent it as a service. It's not so expensive, so you just go to the dark net and rent it. You can rent fraud, SMS interception for example, or voice interception; you can rent it. Some governments have a very close relationship with the operator. You must remember that the government approves the licensed spectrum, so if the government doesn't like the operator, the operator doesn't have a license to operate and make money. So some governments use this to get access to the IPX network, or sort of convince them. The other way is, sometimes you see nodes, mobile telecommunication nodes, which shouldn't be on the internet, but they are on the internet. You can find them in Shodan; if you know what you look for, you can find those nodes on Shodan. Somebody just put them on the internet because they wanted to put a web server on it, or they wanted to work remotely from home and wanted to have some convenient access because they didn't want to be 24 hours in the office. Another way is to become an operator. That's a pretty cool thing. You go to an existing operator and say: hey, I want to become a virtual network operator for logistic fleets, let's say Hertz or some rental car agency or something, and you want to be a service provider. In Europe they have to give you the access then, because otherwise it's anti-competitive, this anti-trust thingy.

So for competitive reasons they have to give you access. And then of course the classical ways: you can be bribing an employee, you can do social engineering and so on. Well, you might say: okay, this is all press and this is not true. But actually this year, I found this very interesting, I did that, as you see, in June. That's from Shodan, that's a scanner that crawls through the internet looking for nodes that talk GTP. Now you need to know that GTP, the GPRS Tunneling Protocol, is really just a telco protocol. It's really only spoken in telco; nobody else on the internet speaks GTP. And it has a lot of ports open like that. So I've been discussing with my colleagues whether there's a legitimate reason they can think of why this thing would be on the internet, and we couldn't come up with an idea. Maybe somebody has a smart idea, but at least nobody in our unit had a good idea why this would be on the internet.

Okay, now we move from the old protocol, SS7, to the new protocol. You can ask: okay, new protocol, everything is better, we no longer have any problems with the new protocol, Diameter, LTE. In this talk we will focus on the fraud part, but it can very easily be used for denial of service, because if you can improve somebody's service, you can easily the same way take it down. When I switch on my phone, as I said, I connect to the antenna and then the local operator here in the US wants to know basically if I pay my bills, what kind of services I'm allowed to have, whether I'm allowed to have 4G or not. So what they do then: they contact my home operator over the S9 interface and ask for the quality of service rules that I have and for the policy and charging rules. Now you see a mobile core network. Don't be too afraid of it; it looks awful. We will only use those nodes which I just highlight here. My colleague Nisha, who's not able to come today, will talk you through it in a minute.
So these are the nodes, and the other ones we will not talk about, just ignore them. Sorry, you still have quite some nodes there, but mobile networks are extremely complex, and this is only 4G. Now imagine that you have all the other types of network also plugged into it. So this is actually the network we use also for testing. As I said, I work for a company and we cannot just roll out software to our customers. If we screw up their network, they don't make money, and they are very unhappy with us if they don't make money. So what we have, we have internal test networks, and this is some software we use for testing software rollouts, so that we are sure that we don't screw up our customers' networks. And that we used also for testing this attack.

So this is the LTE emulator, and my code: a software implementation of an LTE network designed by Nokia as per 3GPP specifications. This is the basic architecture of EPS, where the UE, user equipment, is connected to the EPC over E-UTRAN; the evolved Node B is the base station for LTE radio; the MME, mobility management entity, handles signaling related to mobility and security for the E-UTRAN access; the HSS, home subscriber server, is the database that contains user-related and subscriber-related information; the S-Gateway, serving gateway, serves the UE by routing the incoming and outgoing IP packets; the PDN gateway is the point of interconnection between the EPC and the external IP network; the PCRF, policy and charging rules function, supports service data flow detection, policy enforcement and flow-based charging; the Diameter S9 interface is between the H-PCRF and the V-PCRF, responsible for PCC rule installation, modification and removal.

Okay, to make it less painful, my suggestion would be that you focus on the S9 and the PCRF. The PCRF is basically everything related to policy and charging, so that's the policy and charging rules function. This box controls basically what you are allowed to do or not to do in your network.

So basically it interprets the rules on what kind of activities and services you can use with your subscription. All the other nodes in there also have tasks like database, mobility, IP assignment and so on; basically you can just ignore them for now. Focus on the PCRF, that's with regard to charging. Sorry, it shouldn't start again. So basically you can think about the IPX and all those networks with their nice infrastructure connecting to each other via this IPX and using the S9 interface to communicate these kinds of charging-related things with each other. So this is Diameter; it's currently rolled out in these IPX networks. And S9 is not the most common interface; the most common interface is the S6a interface. But still, S9 is a roaming interface and it's critical in the sense that if something goes wrong there, then it directly relates to monetary aspects and potential loss of money. Sorry. So basically here's a summary of it, and we will talk here about this S9, where we talk to the rest of the world. That's how the emulator looks. Nisha will briefly show you the emulator and the different nodes, of which the most important is the PCRF.

These are the highlighted LTE emulator nodes: UE control plane process, UE user plane process, eNB control plane, eNB user plane, MME, S-Gateway, HSS, PCRF, P-Gateway. The UE is connected to the eNB through the attach statement. As soon as we attach, we can see the IMSI number of the UE on all the nodes: on the HSS, PCRF, P-Gateway as well as on the S-Gateway.

So that's basically the emulator we used, with all the virtual nodes in there. And this is actually the normal message flow. Remember the picture with the flags. Basically, first the visited network, in this case it would be the US, would be asking my home network: okay, does she have credit, yes or no? And what kind of service is this person allowed to use?
This is then in the CCR message, it's a credit control request, and then the credit control answer. These are standardized public documents; everybody can read them, they're on the 3GPP servers. Then the home network can, it's optional, it doesn't need to, but it can send a re-authentication request. This is for example useful in the case that my subscription has been cancelled because I've been laid off because I gave a speech at DEF CON. So for this case the home network can send a re-authentication request and say: ha, cancel the subscription. So this is the purpose of the message; that's how it was supposed to work. But we will show now how we can basically tweak that into a fraud attack.

So what is a PCC? It's a policy and charging control. Everybody in this room has a PCC. It defines everything about your subscription: the data types, the data rate, what kind of cellular services you use or not. For example, for kids they might have a subscription without data, or things like that. That's all nicely defined in this PCC. And for example, I work for a company, so I have a quite generous subscription. I work for a mobile phone company, or not a mobile phone company, but a supplier of it. Well, they pay my bills no matter how much data I use, so basically I have a flat rate. And this is very attractive for an attacker, because, well, company policies are complex things. So if they steal my subscription, it probably takes a while to pop up in the system till somebody rings somebody and says there's something fishy, if they notice at all.

But before we go into the attack, I will explain something about Diameter routing, because in Diameter routing there are two ways to route. Basically, if an attacker spoofs something and pretends to be the home network, and puts in the origin realm, let's say, my Finnish operator, and sends it to the US, then it goes via these hops. And actually there are two ways for the answer to be routed: either it's routed by origin realm and origin host, which is slightly more complicated because all the intermediate nodes have to configure it, or, what also sometimes happens, it's routed by hop-by-hop ID, which means that basically the origin realm and so on is completely ignored, meaning that somebody can very easily impersonate the home network. And no, there's no TLS and no IPsec, just to avoid the question. So it's not there. So it's very easy, if the routing is done hop by hop, to spoof messages.

The attack: what we will do, we will steal a subscription, a good subscription like my subscription. The PCC, that's a string, and once we know this key string we will update another subscription with this string. So basically that means we upgrade the other subscription to a Nokia subscription. So suddenly Nokia has one employee more; I'm not sure they're happy about that. So that's how it goes.

Remember, IPX was designed without security, and we have two possibilities. So once we pose as a home network, if there's no proper configuration there, which is sometimes the case, you can pose as a home network and send messages to my home network as the attacker. And for that you need the IMSI. I will not go into details on how to catch the IMSI, but you might have heard of stingrays; I think they're commonly used in the US. Then there's a possibility to get them from a WLAN access point; that was shown at Black Hat 2016. Or you can request them also from this interconnection network, with an SMS trick: basically you claim you have an SMS that you want to deliver and then you get the IMSI. So there are some ways to get the IMSI; we will not go into how you get it. Actually for the tests we had a false base station in Helsinki, and we were testing it.
It works nicely. Before any questions come: it's legal. Nokia even has an operator. So just to avoid questions, we did it on site, on our test site. So what we will do: we send a re-authentication request with the IMSI, and then we will basically say we want to have the PCC. And here's how it works.

The UE is attached. When the V-PCRF triggers the RAR, that is, the re-authentication request message, the H-PCRF replies with the RAA, that is, the re-authentication answer. The message can be captured and viewed through Wireshark. Okay, and that's... Okay, yeah. Yes, the Wireshark part: on Wireshark we can see Diameter packets. The RAA consists of quality of service and charging rules for the respective UE. Okay, I see that's a bit small. Actually, just above the blue line, the one that's moving right now, the highlighted ones are the PCC rules for UE1, which can also be seen in the captured Diameter packets.

So what we basically know then: we know the key string that's basically describing my subscription. That's all the yellow marked strings. These strings define actually what services I'm allowed to use or not to use, so these strings are the key strings. We don't actually know what's behind them, but we don't need to know, because we just know: okay, company employee, they pay. And the next step is then to push these strings to another subscription and basically upgrade their subscription. That's how you upgrade it. So what you do is, over the S9 interface, you say: quality of service rule install. And for this you don't even need the Diameter routing trick, because you just want to push something and want the receiving network to install the stuff. And that's what it's supposed to do.

It's supposed to do that. As I explained, this message is usually for the case that my subscription is cancelled or something on my subscription changes and the home network wants to inform the other network that the service has been changed. So it's supposed to do that. And there's another one, where you can go if you are abroad, so that in the network, when you go abroad, your quality of service or your services are changed. That's the other trick. So there are basically two scenarios for the attack: one way, in the home network the stuff is changed, and one way, on the visited network the stuff is changed. And that's how it looks.

After changing the PCC rules for UE1, when the V-PCRF triggers the RAR message again, now we can see the changed PCC rules through the Wireshark capture. And here's a Wireshark capture where you can basically... not sure you can see it well, let's see. Here we have captured the latest RAA message packet and we can see the changed PCC rules. Okay, sorry, that was the application slide. So basically that's a screenshot of the change. In the top you see that the numbers are different, and in the bottom we set them all the same. So actually that's what should be more a denial of service type of attack. But we can switch it one way or the other way; it doesn't matter. Basically we just need to know what the strings look like and we can put them to any subscription as we like. So we can do denial of service or we can upgrade a subscription, whatever we want to do. So what does it mean? The attacker can offer better services.
In the sense that he upgrades basically somebody else's subscription and shifts the cost to somebody else, letting somebody else potentially pay for the phone bill. There's also this reselling opportunity, as I said: if somebody goes abroad, you can basically sell free data for somebody going abroad. In Europe this is not so interesting, but let's say between the US and Canada, I heard, or let's say to the Caribbean, where the costs are sometimes very high for roamers, that might be interesting. Or if you go on a cruise; they are famous for robbing people. So for users that might mean that you're billed for something that you actually didn't do. And particularly for company subscriptions this is very critical, because they often have large numbers of people and they might not be able to keep track of everybody. So that's an issue till this is found. For the operator, that means there could be bill disputes, loss of corporate customers. And also remember the way the messages were routed, through the UK and Germany and so on; each of those guys in between gets a bit of the cake. So each one of them gets a bit of money for messages and so on, and for data traffic also. So if there's fraudulent data traffic usage, those guys in the middle still want to get their money, believe me. So it's really bad in the sense that you might really lose money on it.

Countermeasures. As I said in the beginning, I don't have the luxury of saying: hey, switch it off, or build the network from scratch. That doesn't work. This is a huge network; it cost a hell of a lot of money. Also, they just have to acknowledge the realities: there's this Tuvalu operator with 47 employees and 1,300 subscribers. I cannot expect those guys to pay a lot of money for a very specific security feature. And also, there's no central authority which could regulate everything. The US is regulating somewhat, in the form of recommendations, but in the morning, for example in the DHS talk, we heard already basically a plea for help, because, well, these are privately owned companies and for them it's a risk question: how much risk, how much something is worth, and how much they have to spend on it. But on the other hand, there are some countermeasures which kill a lot; they might not be 100 percent foolproof, but they already help a lot. So actually the operators themselves and the GSMA, that's the operator association, have thought about these things, at least to some degree.

In particular for this attack, the S9 interface: well, you can use IPsec. Diameter runs on top of IP, so you can use it with trusted partners directly and not with all these hop-by-hop thingies. So at least very useful for partners which have a lot of interaction; I suppose that there's a lot of interaction between the US and Canada, for example, or the US and Mexico. For those communications it's quite worthwhile to set up this IPsec tunnel. I'm not sure it's worthwhile setting up an IPsec tunnel to Tuvalu; that's probably not worth the effort. So for those kinds you might just say, okay, I take the risk. Then, the S9 interface should only be open if it's really needed. Might be obvious to IT people, but for telcos that's not so; we are still learning a lot, let's put it that way. Then, on the routing part, to make the attacker's life hard, the routing should be by origin realm and origin host, not by hop-by-hop ID. Then there are things that are more telco specific: IMSI range. Remember, the IMSI is the user identity in the mobile network. It's not your phone number, it's the IMSI. And each operator has an assigned range which he's supposed to use, so you can basically check if this is really from that operator or not. This avoids, for example, these kinds of governmental attacks, or makes them harder. One important thing is also to check that you don't get messages which seem to come from your own nodes. Another one: logical separation in the nodes of your visited incoming roamers and your home subscribers, to have them separated and not just: a request comes in and you just execute it, with no feeling if it makes sense or not. And then there's a location distance check, where you can basically check if somebody can physically be here. So if two minutes ago I had the last location update in Finland, I cannot have five minutes later a charging message here in the US; that's just not feasible. And then there is more advanced stuff like fingerprinting partners. So you can take the traffic, throw it into very nice machine learning, magic magic, and because each partner has a specific way to send messages, to configure them, which features they support and so on, by that you can fingerprint the traffic. And these flows you can easily then identify and see if there is something strange in there, and at that moment you can raise some flags. So this is not rocket science, but it helps a lot, and it can be put on a running network without too big costs.

For normal users: check your bill and keep an eye on the news. That's my best suggestion. For corporate users, in general I think security should be something like bandwidth or coverage, because it's a quality thingy. Security doesn't come for free. I'm paid; most of you are somehow paid. So we don't work for free; we are experts in our fields. And it's the same with bandwidth: the people who blow up the bandwidth and invented 5G, the radio part,
they also get paid. So I think it's a quality indicator, and it should be part of business contracts, because if something goes wrong it usually costs money. This is something very important to understand, and also, when things go wrong, that there's also some punishment for not investing properly into security. And the GSMA has recommendations with more details if operators are interested in it. And that's basically the end of my talk. This has been partially funded by the EU; they do this kind of research. That's it. Thanks a lot.

So I can take some questions. This gentleman there. Okay, that is so not going to work. Come.

Um, hi, I was wondering about the billing. So you mentioned that this could potentially be billed to the company or to a different subscriber, but it looked like the only thing that was being changed was the level of service given to a different user, right? So how does it affect the billing of someone else?

So the question was about how it affects the bill of somebody else. If you have, in the case you have, group subscriptions like corporates have, then it affects somebody else's bill. But it can also, I could upgrade or downgrade your subscription, basically to a denial of service attack. So that's the other way around, but for somebody else's bill that would be the corporate case, and the individual case would be denial of service basically. So I could basically downgrade you to 2G forever. Yep.

I was just curious... Okay, hold on. Excuse me. Yeah, yeah, okay. I was curious, how persistent is that change? Like when would that get reset?

The question was how persistent is that change. Let me think. For the visited case it would be persistent for the time that you are abroad, the time the handset is registered on the network, in the foreign network. For the home network, that's a good question. It would be needed to distribute through the network to be persistent, yes. It is quite a pain.

Yeah, what's the fastest mobile network speed you've seen on a phone, or just in general?

I don't measure the network speed honestly; I'm looking more at the security at the back end. So, thanks a lot.
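As an added example (not code from the talk, the speaker or Nokia's emulator), the edge-side countermeasures listed in the talk put into one screening function for inbound Diameter S9 messages: refusing messages that claim to come from your own nodes, the IMSI range check against the claimed origin realm, accepting a realm only from the transport peers authorised to relay it instead of trusting the hop-by-hop path, and the location distance check. The realm names, peer names, IMSIs and coordinates are constructed sample values.

```python
"""Edge screening of inbound Diameter S9 roaming messages (RAR from a home
network about its roamer, CCR from a visited network about our subscriber).
Implements the talk's countermeasures: reject messages that claim to come
from our own nodes, check the IMSI against the range assigned to the claimed
origin realm, accept a realm only from transport peers authorised to relay
it, and apply a location-distance check. Constructed sample data throughout."""
from dataclasses import dataclass
import math

# Constructed: our own realm and IMSI prefix (3GPP realm scheme
# epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, IMSI prefix = MCC + MNC).
OWN_REALM = "epc.mnc001.mcc001.3gppnetwork.org"
OWN_IMSI_PREFIX = "00101"

# Constructed partner table: IMSI prefix the realm may speak for, Diameter
# peers (DRA / IPX hops) allowed to deliver its traffic, and a rough centre
# of the partner's coverage area used for the distance check.
PARTNERS = {
    "epc.mnc005.mcc244.3gppnetwork.org": {
        "imsi_prefix": "24405", "peers": {"dra1.ipx-north.example"},
        "lat": 60.2, "lon": 24.9},
    "epc.mnc410.mcc302.3gppnetwork.org": {
        "imsi_prefix": "302410", "peers": {"dra1.ipx-west.example"},
        "lat": 43.7, "lon": -79.4},
}

MAX_SPEED_KMH = 1000.0  # no subscriber travels faster than an airliner


@dataclass
class RoamingMessage:
    command: str          # "RAR" (home -> visited) or "CCR" (visited -> home)
    origin_realm: str     # Origin-Realm AVP as claimed by the sender
    origin_host: str      # Origin-Host AVP as claimed by the sender
    imsi: str             # subscriber identity carried in the message
    transport_peer: str   # identity of the Diameter peer that delivered it


@dataclass
class LastSeen:
    lat: float
    lon: float
    ts: float             # epoch seconds of the last location update we hold


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def screen(msg, last_seen=None, now=0.0):
    """Return the reasons to reject msg; an empty list means forward it."""
    reasons = []
    # 1. Nothing arriving over the roaming interface may claim to be our own node.
    if msg.origin_realm == OWN_REALM or msg.origin_host.endswith("." + OWN_REALM):
        reasons.append("origin claims to be one of our own nodes")
    partner = PARTNERS.get(msg.origin_realm)
    if partner is None:
        reasons.append("unknown origin realm")
        return reasons
    # 2. IMSI range: a RAR is about the partner's roamer, a CCR about our subscriber.
    expected = partner["imsi_prefix"] if msg.command == "RAR" else OWN_IMSI_PREFIX
    if not msg.imsi.startswith(expected):
        reasons.append("IMSI outside the range this realm may act for")
    # 3. A realm is accepted only from the peers authorised to relay it, so a
    #    forged Origin-Realm arriving via the wrong hop is caught even though
    #    the realm string itself is valid (trust realm/host, not hop-by-hop ID).
    if msg.transport_peer not in partner["peers"]:
        reasons.append("delivered by a peer not authorised for this realm")
    # 4. Distance check: a CCR asserts our subscriber is attached in the partner's
    #    network; compare with where and when we last saw that subscriber.
    if msg.command == "CCR" and last_seen is not None:
        hours = max((now - last_seen.ts) / 3600.0, 1e-6)
        km = haversine_km(last_seen.lat, last_seen.lon, partner["lat"], partner["lon"])
        if km / hours > MAX_SPEED_KMH:
            reasons.append("implausible move of %.0f km in %.0f min" % (km, hours * 60))
    return reasons
```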