[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:12.44,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:00:12.44,0:00:15.94,Default,,0000,0000,0000,,Karsten: Thank you very much\Nand a very good evening.
Dialogue: 0,0:00:15.94,0:00:21.26,Default,,0000,0000,0000,,We're here yet again to talk about mobile\Nnetwork attacks, and we're going to give this talk
Dialogue: 0,0:00:21.26,0:00:23.67,Default,,0000,0000,0000,,a somewhat different spin.
Dialogue: 0,0:00:23.67,0:00:31.83,Default,,0000,0000,0000,,Instead of focusing on giving out new vulnerabilities,\Nand then hinting at how a fix could be,
Dialogue: 0,0:00:31.83,0:00:36.60,Default,,0000,0000,0000,,and suggesting that somebody else would be\Nresponsible for implementing these fixes.
Dialogue: 0,0:00:36.60,0:00:42.53,Default,,0000,0000,0000,,We wanna look at those later stages of the\Nattack evolution today.
Dialogue: 0,0:00:42.53,0:00:50.13,Default,,0000,0000,0000,,And make sure we don't keep re-creating new\Nresults while old ones are not being resolved yet.
Dialogue: 0,0:00:50.13,0:00:53.15,Default,,0000,0000,0000,,Rest assured there will also be new attacks.
Dialogue: 0,0:00:53.15,0:00:56.39,Default,,0000,0000,0000,,We need to deliver on that every year.
Dialogue: 0,0:00:56.39,0:01:05.44,Default,,0000,0000,0000,,But we want to make sure specifically, to introduce\Nsome dynamics that help everybody,
Dialogue: 0,0:01:05.44,0:01:09.42,Default,,0000,0000,0000,,for networks to become more secure.
Dialogue: 0,0:01:09.42,0:01:18.51,Default,,0000,0000,0000,,My primary goal today is to enable all of you to help\Nwith that evolution, and to do some of the research
Dialogue: 0,0:01:18.51,0:01:22.55,Default,,0000,0000,0000,,that we've been doing in Berlin so far, all over the world.
Dialogue: 0,0:01:22.55,0:01:30.100,Default,,0000,0000,0000,,There will be a couple of tool releases, and a\Ncouple of, hopefully, evolution drivers
Dialogue: 0,0:01:30.100,0:01:38.18,Default,,0000,0000,0000,,In the end, for us security researchers to be successful in\Nmaking the world better, we need industry.
Dialogue: 0,0:01:38.18,0:01:45.14,Default,,0000,0000,0000,,As painful as that sounds, we need somebody to put\Nin a fix, and we haven't been very good
Dialogue: 0,0:01:45.14,0:01:50.91,Default,,0000,0000,0000,,about keeping check on those people that need to put\Nin fixes for the research that we've been doing
Dialogue: 0,0:01:50.91,0:01:55.68,Default,,0000,0000,0000,,over the last couple of years, and we're going\Nto complete the picture today.
Dialogue: 0,0:01:55.68,0:02:05.20,Default,,0000,0000,0000,,by talking a little bit about what networks have\Nbeen doing around research in two areas.
Dialogue: 0,0:02:05.20,0:02:12.19,Default,,0000,0000,0000,,SIM card attacks, a topic of this year where networks\Nfound themselves in a critical situation
Dialogue: 0,0:02:12.19,0:02:19.70,Default,,0000,0000,0000,,at risk of large parts of the subscriber base being\Nremotely infected, not in the phone, but in the SIM card.
Dialogue: 0,0:02:19.70,0:02:27.49,Default,,0000,0000,0000,,So there has been fruitful discussion with industry,\Nand lots of responses, but not enough.
Dialogue: 0,0:02:27.49,0:02:32.95,Default,,0000,0000,0000,,Much more so around GSM intercept, a topic that\Nprobably the NSA discussions have moved
Dialogue: 0,0:02:32.95,0:02:38.94,Default,,0000,0000,0000,,into everybody's mind again, but one that was really\Nluring for a decade now, that anybody can
Dialogue: 0,0:02:38.94,0:02:41.94,Default,,0000,0000,0000,,intercept your phone calls at any time.
Dialogue: 0,0:02:41.94,0:02:46.35,Default,,0000,0000,0000,,and again, here we want to check on the network\Noperators, and make sure that they are
Dialogue: 0,0:02:46.35,0:02:53.38,Default,,0000,0000,0000,,forced into putting in the protection that we deserve.
Dialogue: 0,0:02:53.38,0:03:00.41,Default,,0000,0000,0000,,We first discussed SIM card attacks publicly in August\Nof this year, after a few months of
Dialogue: 0,0:03:00.41,0:03:08.97,Default,,0000,0000,0000,,responsible disclosure, and we found\Na combination of three vulnerabilities,
Dialogue: 0,0:03:08.97,0:03:15.80,Default,,0000,0000,0000,,that led to a potentially terrible situation for networks.
Dialogue: 0,0:03:15.80,0:03:23.64,Default,,0000,0000,0000,,The first fragment that we found was the ability\Nto send binary text messages from one subscriber
Dialogue: 0,0:03:23.64,0:03:30.43,Default,,0000,0000,0000,,to really any other subscriber, so networks\Nallowed traffic that has no place to be routed
Dialogue: 0,0:03:30.43,0:03:36.47,Default,,0000,0000,0000,,through networks, there's no such thing as network\Nneutrality in mobile networks of course,
Dialogue: 0,0:03:36.47,0:03:42.57,Default,,0000,0000,0000,,they shouldn't be routing internal management applications through what basically is
Dialogue: 0,0:03:42.57,0:03:46.78,Default,,0000,0000,0000,,the IP space, or the phone number space of subscribers.
Dialogue: 0,0:03:46.78,0:03:52.69,Default,,0000,0000,0000,,The second thing we found is that the services that\Nthese messages reach on the SIM cards are
Dialogue: 0,0:03:52.69,0:04:01.83,Default,,0000,0000,0000,,often badly protected cryptographically. In particular\Nwe were finding lots of cards that used DES keys
Dialogue: 0,0:04:01.83,0:04:08.56,Default,,0000,0000,0000,,56-bit from the seventies, that has long been\Nphased out in pretty much any other application.
Dialogue: 0,0:04:08.56,0:04:10.89,Default,,0000,0000,0000,,SIM cards still use old keys like that.
Dialogue: 0,0:04:10.89,0:04:17.94,Default,,0000,0000,0000,,And thirdly we found that applications you\Ncould install through those DES keys
Dialogue: 0,0:04:17.94,0:04:24.30,Default,,0000,0000,0000,,can break out of the sandbox of the Java protection\Nparameter, and then access all kinds of data
Dialogue: 0,0:04:24.30,0:04:28.64,Default,,0000,0000,0000,,on the SIM card that no Java was supposed to access.
Dialogue: 0,0:04:28.64,0:04:36.20,Default,,0000,0000,0000,,And combining those three made for a remote\NSIM cloning vector at massive scale.
Dialogue: 0,0:04:36.20,0:04:40.89,Default,,0000,0000,0000,,And networks raced to fix those on at least\Ntwo of the three layers.
Dialogue: 0,0:04:40.89,0:04:48.22,Default,,0000,0000,0000,,They put in filtering so the network, the SMS\Nmessages would not reach the phone any more.
Dialogue: 0,0:04:48.22,0:04:52.12,Default,,0000,0000,0000,,And they upgraded DES keys to triple DES keys.
Dialogue: 0,0:04:52.12,0:04:56.70,Default,,0000,0000,0000,,But most networks left it at that without really\Nthinking through the problem and without really
Dialogue: 0,0:04:56.70,0:05:02.20,Default,,0000,0000,0000,,understanding the root causes of what\Nmade the SIM card so vulnerable.
Dialogue: 0,0:05:02.20,0:05:07.45,Default,,0000,0000,0000,,So I want to go into the first two categories, since\Nthe third one wasn't addressed even until today, and
Dialogue: 0,0:05:07.45,0:05:12.29,Default,,0000,0000,0000,,show how the industry response\Nwas in large part insufficient.
Dialogue: 0,0:05:12.29,0:05:17.52,Default,,0000,0000,0000,,And I shouldn't generalise as I do now, because\Nsome network operators have responded very
Dialogue: 0,0:05:17.52,0:05:23.78,Default,,0000,0000,0000,,responsibly, but by and large networks shrugged\Nus off or put in quick fixes and then moved on to
Dialogue: 0,0:05:23.78,0:05:30.53,Default,,0000,0000,0000,,their daily business of making networks faster\Nand faster and faster, but rarely more secure.
Dialogue: 0,0:05:30.53,0:05:36.58,Default,,0000,0000,0000,,So let's look at filtering first, and what\Ngoes wrong with filtering.
Dialogue: 0,0:05:36.58,0:05:43.81,Default,,0000,0000,0000,,Networks, many networks started filtering at\Naround the time when we presented this publicly,
Dialogue: 0,0:05:43.81,0:05:51.80,Default,,0000,0000,0000,,around Black Hat and OHM camp, and they put in\None specific filtering rule that was not surprisingly
Dialogue: 0,0:05:51.80,0:05:56.74,Default,,0000,0000,0000,,the exact message that we used in demonstrations\Nat Black Hat and at OHM to demonstrate this
Dialogue: 0,0:05:56.74,0:06:04.18,Default,,0000,0000,0000,,class of vulnerabilities, but did not understand\Nhow much broader the vulnerability class is.
Dialogue: 0,0:06:04.18,0:06:13.96,Default,,0000,0000,0000,,So to put this in a comparison to computer security,\Nif you tell somebody that they have a problem in a
Dialogue: 0,0:06:13.96,0:06:21.60,Default,,0000,0000,0000,,TCP stack, let's say in the Linux implementation,\Nand you demo it by sending packets to the ssh daemon,
Dialogue: 0,0:06:21.60,0:06:27.94,Default,,0000,0000,0000,,the fix that they implemented is to block port 22, not\Nunderstanding that of course this exact same
Dialogue: 0,0:06:27.94,0:06:32.24,Default,,0000,0000,0000,,vulnerability is also present on any\Nother exposed TCP service,
Dialogue: 0,0:06:32.24,0:06:37.80,Default,,0000,0000,0000,,And there's bunches of ways to format\Nan SMS to reach the SIM card.
Dialogue: 0,0:06:37.80,0:06:44.51,Default,,0000,0000,0000,,Some have come out of the standard, others are\Njust fragments of wrong implementations on phones.
Dialogue: 0,0:06:44.51,0:06:50.03,Default,,0000,0000,0000,,In particular some recent Android phones will\Nroute pretty much anything to the SIM card.
Dialogue: 0,0:06:50.03,0:06:56.36,Default,,0000,0000,0000,,and that's pretty convenient, because the SIM card\Nwill look at the message and then discard it, if it's not
Dialogue: 0,0:06:56.36,0:06:59.52,Default,,0000,0000,0000,,properly formatted for a SIM card.
Dialogue: 0,0:06:59.52,0:07:02.87,Default,,0000,0000,0000,,So the implementor of the Android\Nphone took the easy way.
Dialogue: 0,0:07:02.87,0:07:07.50,Default,,0000,0000,0000,,Just put everything to the SIM card, it will\Ndecide what it wants and what it doesn't want.
Dialogue: 0,0:07:07.50,0:07:14.90,Default,,0000,0000,0000,,Of course with a phone like that no level of network\Nfiltering, no filtering whatever TCP port will protect it,
Dialogue: 0,0:07:14.90,0:07:19.48,Default,,0000,0000,0000,,Since normal user messages sometimes\Nget forwarded to the phone.
Dialogue: 0,0:07:19.48,0:07:26.64,Default,,0000,0000,0000,,So the industry response was a bit insufficient here\Nand we'd like to see more testing of networks
Dialogue: 0,0:07:26.64,0:07:34.26,Default,,0000,0000,0000,,and when we talk about tools we will perhaps\Nenable you to do exactly that type of testing,
Dialogue: 0,0:07:34.26,0:07:39.60,Default,,0000,0000,0000,,The second area where the industry response falls\Nway short of understanding the problem,
Dialogue: 0,0:07:39.60,0:07:45.19,Default,,0000,0000,0000,,again I'm generalising here, is that the\Nconfiguration of the SIM cards.
Dialogue: 0,0:07:45.19,0:07:53.36,Default,,0000,0000,0000,,We did discuss the problem with DES keys, that you\Ncan break a 56-bit DES key in a minute or so using
Dialogue: 0,0:07:53.36,0:08:00.16,Default,,0000,0000,0000,,a rainbow table, and that of course, this is terrible\Nif those services are reachable remotely.
Dialogue: 0,0:08:00.16,0:08:06.88,Default,,0000,0000,0000,,And networks then went in to look at\Nconfigurations, and a lot of them came out
Dialogue: 0,0:08:06.88,0:08:11.20,Default,,0000,0000,0000,,saying "We made sure everything is\Ntriple-DES on our SIM cards"
Dialogue: 0,0:08:11.20,0:08:19.33,Default,,0000,0000,0000,,or at least a few places there was still DES in older\Nprofiles, we patched them to now be triple-DES.
Dialogue: 0,0:08:19.33,0:08:24.70,Default,,0000,0000,0000,,Again that falls way short of\Nunderstanding the core issue.
Dialogue: 0,0:08:24.70,0:08:29.20,Default,,0000,0000,0000,,Here's a bit of technical background so you can\Nappreciate what's going on in the SIM card.
Dialogue: 0,0:08:29.20,0:08:34.78,Default,,0000,0000,0000,,There's a collection of keys, up to sixteen keysets,\Nand each keyset can have keys for signing and
Dialogue: 0,0:08:34.78,0:08:40.24,Default,,0000,0000,0000,,encryption and so forth, and those keys have\Na specific type, DES or triple-DES for instance,
Dialogue: 0,0:08:40.24,0:08:43.75,Default,,0000,0000,0000,,sometimes even AES on very new cards.
Dialogue: 0,0:08:43.75,0:08:49.52,Default,,0000,0000,0000,,And then there's applications on the SIM card\Nand these applications, there's up to sixteen million
Dialogue: 0,0:08:49.52,0:08:51.45,Default,,0000,0000,0000,,application identifiers.
Dialogue: 0,0:08:51.45,0:08:56.03,Default,,0000,0000,0000,,Of course no sixteen million applications fit on a card,\Nso some of these are present on
Dialogue: 0,0:08:56.03,0:09:03.50,Default,,0000,0000,0000,,every SIM card, and the application gets to\Nchoose which keys get what level of access.
Dialogue: 0,0:09:03.50,0:09:08.29,Default,,0000,0000,0000,,And what seems to have happened in August is that\Nthe networks go through this first application,
Dialogue: 0,0:09:08.29,0:09:14.01,Default,,0000,0000,0000,,the standard application and make sure that triple-DES\Nkeys are required for signature or encryption or
Dialogue: 0,0:09:14.01,0:09:20.10,Default,,0000,0000,0000,,better, even both. And then the DES keys they\Nhad there, they upgraded to triple-DES.
Dialogue: 0,0:09:20.10,0:09:26.45,Default,,0000,0000,0000,,However we find in a surprisingly large number\Nof SIM cards the following situation:
Dialogue: 0,0:09:26.45,0:09:35.20,Default,,0000,0000,0000,,One of the other sixteen million applications says\Nwe use this keyset, but we require none of it.
Dialogue: 0,0:09:35.20,0:09:41.98,Default,,0000,0000,0000,,So you send a command to that SIM TAR specifying\Nthis keyset, and you're not required to do
Dialogue: 0,0:09:41.98,0:09:44.78,Default,,0000,0000,0000,,signatures or encryption.
Dialogue: 0,0:09:44.78,0:09:50.69,Default,,0000,0000,0000,,And at that point it doesn't matter if you use triple-DES\Nor AES or whatever algorithm, this SIM card
Dialogue: 0,0:09:50.69,0:09:54.63,Default,,0000,0000,0000,,will accept any command sent to it.
Dialogue: 0,0:09:54.63,0:09:59.65,Default,,0000,0000,0000,,And again that kind of being obvious to check for\Nwhen you're going through your inventory of
Dialogue: 0,0:09:59.65,0:10:08.29,Default,,0000,0000,0000,,SIM cards, but that requires a deeper level\Nof understanding of these attacks than most
Dialogue: 0,0:10:08.29,0:10:12.62,Default,,0000,0000,0000,,operators seem to have developed for this issue.
Dialogue: 0,0:10:12.62,0:10:19.62,Default,,0000,0000,0000,,So I hope this again helps to carry the point that to\Ndrive the co-evolution of attacks and defenses,
Dialogue: 0,0:10:19.62,0:10:26.88,Default,,0000,0000,0000,,industry is required to think through the attacks and\Nunderstand what exactly the attack parameter is.
Dialogue: 0,0:10:26.88,0:10:40.77,Default,,0000,0000,0000,,To make sure it gets across very visually now, I'd like\Nto get Luca to demo the attack as we think
Dialogue: 0,0:10:40.77,0:10:43.87,Default,,0000,0000,0000,,it would play out in the real world.
Dialogue: 0,0:10:43.87,0:10:50.92,Default,,0000,0000,0000,,and just as one sentence of introduction perhaps,\Nthis is coming from a very recent SIM card
Dialogue: 0,0:10:50.92,0:10:56.72,Default,,0000,0000,0000,,one that we picked up when we started playing\Nwith the iPhone 5 as fingerprint reader.
Dialogue: 0,0:10:56.72,0:11:05.89,Default,,0000,0000,0000,,It's just a US SIM card, and Luca,\Nwhat are you going to do now?
Dialogue: 0,0:11:08.51,0:11:10.61,Default,,0000,0000,0000,,Can you switch on his microphone please?
Dialogue: 0,0:11:10.61,0:11:20.24,Default,,0000,0000,0000,,Luca: Ok, so as Karsten said we found this\Nparticularly interesting SIM card and
Dialogue: 0,0:11:20.24,0:11:28.26,Default,,0000,0000,0000,,the last one we found was very recent, it's a\Nnano SIM and it goes into an iPhone 5.
Dialogue: 0,0:11:28.26,0:11:37.22,Default,,0000,0000,0000,,I'm going to show you what can we do to\Nbypass the filterset operators have now.
Dialogue: 0,0:11:37.22,0:11:56.11,Default,,0000,0000,0000,,So we put it into the phone. I have here a BTS,\Nthat emulates the real operator network.
Dialogue: 0,0:11:56.11,0:12:01.19,Default,,0000,0000,0000,,Karsten: Of course that's a default way to bypass\Nany type of filtering that the real network may be
Dialogue: 0,0:12:01.19,0:12:09.98,Default,,0000,0000,0000,,Luca: So now the mobile is connecting, and I'm trying\Nto show you better, my BTS is sending some SMS's,
Dialogue: 0,0:12:09.98,0:12:18.34,Default,,0000,0000,0000,,as soon as the mobile is close to the BTS, and\Nit tries to register, because it thinks it is
Dialogue: 0,0:12:18.34,0:12:27.98,Default,,0000,0000,0000,,the home network, I send my application, that\Nis completely installed without any warning,
Dialogue: 0,0:12:27.98,0:12:31.21,Default,,0000,0000,0000,,or anything on the iPhone.
Dialogue: 0,0:12:31.21,0:12:34.36,Default,,0000,0000,0000,,{\i1}umm{\i0}
Dialogue: 0,0:12:34.36,0:12:42.82,Default,,0000,0000,0000,,I want to show you something here, so this is the\Nfirst command and it's a delete, since I've already
Dialogue: 0,0:12:42.82,0:12:45.15,Default,,0000,0000,0000,,installed the application many times, I first delete it.
Dialogue: 0,0:12:45.15,0:12:46.93,Default,,0000,0000,0000,,and then I install it again.
Dialogue: 0,0:12:46.93,0:12:50.23,Default,,0000,0000,0000,,Karsten: So this is remote application management.
Dialogue: 0,0:12:50.23,0:12:54.43,Default,,0000,0000,0000,,On a recent SIM card, that requires\Nno security whatsoever, you can put in
Dialogue: 0,0:12:54.43,0:13:00.86,Default,,0000,0000,0000,,whatever Java software you'd\Nlike to run on this SIM card.
Dialogue: 0,0:13:00.86,0:13:05.59,Default,,0000,0000,0000,,Luca: Ok, so it's finished, took a couple\Nof seconds, ten seconds, I dunno.
Dialogue: 0,0:13:05.59,0:13:12.84,Default,,0000,0000,0000,,and now the SIM card is infected with a malware,\Nthat every five minutes sends the current location of
Dialogue: 0,0:13:12.84,0:13:18.37,Default,,0000,0000,0000,,the user to the attackers number.
Dialogue: 0,0:13:18.37,0:13:26.05,Default,,0000,0000,0000,,Since the iPhone doesn't show anything, I'm\Ngoing to put this SIM card into another phone,
Dialogue: 0,0:13:26.05,0:13:32.17,Default,,0000,0000,0000,,so you can see it better, and you can also\Nhave a proof that it's on the SIM card.
Dialogue: 0,0:13:38.24,0:13:43.50,Default,,0000,0000,0000,,It's not very easy with the nano SIM\Ninto a normal phone.
Dialogue: 0,0:13:43.50,0:13:49.80,Default,,0000,0000,0000,,so this is the other phone, I have a ok..
Dialogue: 0,0:13:52.95,0:13:57.64,Default,,0000,0000,0000,,Karsten: So the virus stays with the SIM\Ncard (when moved to) another phone
Dialogue: 0,0:13:57.35,0:14:02.16,Default,,0000,0000,0000,,Luca: I'm going to turn it on now.
Dialogue: 0,0:14:05.45,0:14:07.52,Default,,0000,0000,0000,,Yeah.
Dialogue: 0,0:14:14.77,0:14:20.53,Default,,0000,0000,0000,,Hopefully it will register to the home network.
Dialogue: 0,0:14:26.29,0:14:28.21,Default,,0000,0000,0000,,Yeah.
Dialogue: 0,0:14:32.28,0:14:34.77,Default,,0000,0000,0000,,Karsten: Is it still set to manual?
Dialogue: 0,0:14:34.77,0:14:37.62,Default,,0000,0000,0000,,Luca: Yeah, it did register.
Dialogue: 0,0:14:43.11,0:14:45.31,Default,,0000,0000,0000,,Yeah,
Dialogue: 0,0:14:45.31,0:14:50.67,Default,,0000,0000,0000,,So we are actually replaying the\Nattack again, just for fun.
Dialogue: 0,0:14:50.67,0:14:53.46,Default,,0000,0000,0000,,Karsten: Oops.
Dialogue: 0,0:14:56.63,0:14:59.95,Default,,0000,0000,0000,,Luca: [sigh]\NKarsten: Bear with us, this is a complex demo
Dialogue: 0,0:14:59.95,0:15:05.11,Default,,0000,0000,0000,,lots of moving parts.\NLuca: What I can do is delete the SMS
Dialogue: 0,0:15:08.56,0:15:13.33,Default,,0000,0000,0000,,Luca: So is it showing something now?
Dialogue: 0,0:15:19.81,0:15:23.37,Default,,0000,0000,0000,,Ok, I'll just try again.
Dialogue: 0,0:15:25.99,0:15:33.53,Default,,0000,0000,0000,,Oh, actually I have a better idea,\Nso now I stop my fake BTS
Dialogue: 0,0:15:33.53,0:15:36.05,Default,,0000,0000,0000,,Karsten: yeah, better connect to the real network.
Dialogue: 0,0:15:36.05,0:15:40.09,Default,,0000,0000,0000,,Luca: and I let it connect to the real network.
Dialogue: 0,0:15:50.84,0:15:55.22,Default,,0000,0000,0000,,Okay. Let's see.
Dialogue: 0,0:16:02.94,0:16:07.17,Default,,0000,0000,0000,,Karsten: You're confident the virus\Ngot deployed the second time?
Dialogue: 0,0:16:07.17,0:16:12.69,Default,,0000,0000,0000,,Luca: Umm, that's actually a nice...
Dialogue: 0,0:16:12.69,0:16:16.93,Default,,0000,0000,0000,,Okay, yeah that was a.
Dialogue: 0,0:16:16.93,0:16:19.79,Default,,0000,0000,0000,,Karsten: Ok, let's come back to you\Nin a couple of minutes then.
Dialogue: 0,0:16:19.79,0:16:23.36,Default,,0000,0000,0000,,When you've prepared this, but everybody\Ngot the idea roughly right,
Dialogue: 0,0:16:23.36,0:16:29.20,Default,,0000,0000,0000,,what should have happened; He's catching\Nthe phone or any of your phones really,
Dialogue: 0,0:16:29.20,0:16:35.14,Default,,0000,0000,0000,,he can test for vulnerabilities by sending\NSMS, hundreds of them, not sixteen million,
Dialogue: 0,0:16:35.14,0:16:40.23,Default,,0000,0000,0000,,he has to prepare a little bit, know where\Na vulnerability could be, and then once
Dialogue: 0,0:16:40.23,0:16:47.26,Default,,0000,0000,0000,,he finds an unprotected application, he just sends\Na bunch of binary SMSs and combine that Java file.
Dialogue: 0,0:16:47.26,0:16:52.72,Default,,0000,0000,0000,,and that Java file installs on the SIM card and\Nit stays installed on the SIM card,
Dialogue: 0,0:16:52.72,0:16:58.58,Default,,0000,0000,0000,,and it will every five minutes send the\Ncurrent location via SMS to his number,
Dialogue: 0,0:16:58.58,0:17:04.45,Default,,0000,0000,0000,,or do any other thing that the Java on\Nthe SIM card is allowed to do.
Dialogue: 0,0:17:04.45,0:17:11.72,Default,,0000,0000,0000,,It could even try to exploit the other parts of the SIM\Ncard through that unpatched Java vulnerability that
Dialogue: 0,0:17:11.72,0:17:17.80,Default,,0000,0000,0000,,a lot of these SIM cards still have.
Dialogue: 0,0:17:17.80,0:17:19.54,Default,,0000,0000,0000,,Installing the virus again?
Dialogue: 0,0:17:19.54,0:17:24.81,Default,,0000,0000,0000,,Luca: It's installing again.
Dialogue: 0,0:17:27.65,0:17:34.17,Default,,0000,0000,0000,,Luca: This was just the best case we found so\Nyou can actually install an application inside the SIM,
Dialogue: 0,0:17:34.17,0:17:41.84,Default,,0000,0000,0000,,in case this is not available, another choice is just\Nreading the current ciphering key from the SIM.
Dialogue: 0,0:17:43.33,0:17:46.44,Default,,0000,0000,0000,,Karsten: Yeah, so there's a lot of these..
Dialogue: 0,0:17:46.44,0:17:50.44,Default,,0000,0000,0000,,Luca: So this is the message I was waiting for.
Dialogue: 0,0:17:50.44,0:17:55.98,Default,,0000,0000,0000,,Karsten: So this older Nokia phone is the only phone\Nwe ever found that asked whether you allow your
Dialogue: 0,0:17:55.98,0:18:02.20,Default,,0000,0000,0000,,SIM card to send anything back to the attacker.\NThe iPhone just does it by default without asking you.
Dialogue: 0,0:18:02.20,0:18:05.28,Default,,0000,0000,0000,,Luca: Press yes.
Dialogue: 0,0:18:05.28,0:18:10.81,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:18:10.81,0:18:13.94,Default,,0000,0000,0000,,Luca: Oh it's a bit small there. I try to copy
Dialogue: 0,0:18:13.94,0:18:16.45,Default,,0000,0000,0000,,Karsten: Did you want to show more Luca?
Dialogue: 0,0:18:16.45,0:18:26.22,Default,,0000,0000,0000,,Luca: Yeah the phone now sent the SMS to me,\Nand I want to show how it looks like, so
Dialogue: 0,0:18:26.22,0:18:28.80,Default,,0000,0000,0000,,{\i1}hmm{\i0} no.
Dialogue: 0,0:18:34.42,0:18:39.43,Default,,0000,0000,0000,,Something like this?\NNope
Dialogue: 0,0:18:40.63,0:18:41.30,Default,,0000,0000,0000,,{\i1}sighs{\i0}
Dialogue: 0,0:18:41.30,0:18:49.26,Default,,0000,0000,0000,,I want to enlarge this, so in this little field, there is\Nthe current network, the location area and cell-ID.
Dialogue: 0,0:18:49.26,0:18:55.51,Default,,0000,0000,0000,,So basically it's a very precise location\Ninformation about the user.
Dialogue: 0,0:18:55.51,0:18:58.54,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:18:58.54,0:19:01.00,Default,,0000,0000,0000,,Karsten: thank you.
Dialogue: 0,0:19:01.00,0:19:04.14,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:19:04.14,0:19:10.05,Default,,0000,0000,0000,,Luca: And the best is that this message is not filtered by the operator since it's a normal text SMS.
Dialogue: 0,0:19:10.05,0:19:12.19,Default,,0000,0000,0000,,So it goes through.
Dialogue: 0,0:19:12.19,0:19:18.06,Default,,0000,0000,0000,,Karsten: So a persistent virus on a modern SIM\Ncard, I think that's what was needed to
Dialogue: 0,0:19:18.06,0:19:22.72,Default,,0000,0000,0000,,give the industry another nudge to\Ndeeply understand this.
Dialogue: 0,0:19:22.72,0:19:29.95,Default,,0000,0000,0000,,Now to create some further nudges from you all,\Nand to fulfill that goal that I stated going in,
Dialogue: 0,0:19:29.95,0:19:38.24,Default,,0000,0000,0000,,to enable everybody to do these tests yourself,\Nwe wanna release a tool today that condenses all
Dialogue: 0,0:19:38.24,0:19:43.33,Default,,0000,0000,0000,,the SIM card knowledge that we collected\Nover the last couple of years.
Dialogue: 0,0:19:43.33,0:19:51.18,Default,,0000,0000,0000,,It's an open source tool, written in Java, that was\Nthe easiest to speak to SIM cards with, and it tests
Dialogue: 0,0:19:51.18,0:19:58.54,Default,,0000,0000,0000,,for all the vulnerabilities we discussed in August,\Nincluding things like triple-DES downgrade which
Dialogue: 0,0:19:58.54,0:20:02.51,Default,,0000,0000,0000,,a lot of operators seem to not\Nhave understood quite yet.
Dialogue: 0,0:20:02.51,0:20:07.54,Default,,0000,0000,0000,,But it also detects these more recent vulnerabilities.
Dialogue: 0,0:20:07.54,0:20:13.55,Default,,0000,0000,0000,,Now scanning these sixteen million possibilities on\Na SIM card, and each sixteen keys for them,
Dialogue: 0,0:20:13.55,0:20:17.37,Default,,0000,0000,0000,,that takes a long time, and some older\Nslower SIM cards up to two weeks.
Dialogue: 0,0:20:17.37,0:20:25.52,Default,,0000,0000,0000,,So one thing the tool does is pre-select these\NTAR's smartly, so it only takes a couple of minutes.
Dialogue: 0,0:20:25.52,0:20:31.56,Default,,0000,0000,0000,,It does run on a normal smart card reader,\NPC/SC interface, as well as the Osmocom phone
Dialogue: 0,0:20:31.56,0:20:33.98,Default,,0000,0000,0000,,awesome opensource project also.
Dialogue: 0,0:20:33.98,0:20:39.12,Default,,0000,0000,0000,,We patched it a little bit to now act as a smartcard\Nreader. So of course it can communicate
Dialogue: 0,0:20:39.12,0:20:40.50,Default,,0000,0000,0000,,with a SIM card.
Dialogue: 0,0:20:40.50,0:20:46.78,Default,,0000,0000,0000,,So if you have any of those; PC/SC reader or an\NOsmocom phone and a couple of minutes of time,
Dialogue: 0,0:20:46.78,0:20:51.27,Default,,0000,0000,0000,,download the software and please run the tests,\Nmake sure you're not affected, and if you are
Dialogue: 0,0:20:51.27,0:20:56.02,Default,,0000,0000,0000,,be very vocal to your network operator and\Ndemand that these things get removed.
Dialogue: 0,0:20:56.02,0:21:03.72,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:21:03.72,0:21:06.67,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:21:06.67,0:21:13.76,Default,,0000,0000,0000,,Looking at similar technology or similar weaknesses,\Nlet's revisit the topic of GSM intercept,
Dialogue: 0,0:21:13.76,0:21:23.20,Default,,0000,0000,0000,,and I'll again try to make the point that networks may\Nbe casually interested in fixing some bugs that
Dialogue: 0,0:21:23.20,0:21:31.01,Default,,0000,0000,0000,,they may not have fully understood, so they only did\Nhalf the fixes or not at all and again I think this is
Dialogue: 0,0:21:31.01,0:21:36.44,Default,,0000,0000,0000,,of high urgency, understanding now how many\Npeople are intercepting our phone calls.
Dialogue: 0,0:21:36.44,0:21:44.24,Default,,0000,0000,0000,,Network operators are supposed to protect us on\Nall the frequencies we use and while 3G and 4G
Dialogue: 0,0:21:44.24,0:21:53.12,Default,,0000,0000,0000,,bring pretty ok cryptography with longer key\Nlengths, most of our calls still go over 2G,
Dialogue: 0,0:21:53.12,0:21:54.87,Default,,0000,0000,0000,,this standard from the eighties.
Dialogue: 0,0:21:54.87,0:22:01.82,Default,,0000,0000,0000,,It's the only technology that can cover large areas,\Nand even in cities where the cell sizes don't
Dialogue: 0,0:22:01.82,0:22:07.16,Default,,0000,0000,0000,,have to be so large, these frequencies have to\Nget used because all frequencies are full.
Dialogue: 0,0:22:07.16,0:22:14.62,Default,,0000,0000,0000,,We have a frequency scarcity, so 2G frequencies are\Ncertainly still used by everybody, almost every day.
Dialogue: 0,0:22:14.62,0:22:20.23,Default,,0000,0000,0000,,and on 2G there are two different encryption\Nstandards that are found in the wild.
Dialogue: 0,0:22:20.23,0:22:27.28,Default,,0000,0000,0000,,There's A5/1, the first encryption cipher, the one\Nthat was originally invented along with GSM, back in
Dialogue: 0,0:22:27.28,0:22:34.64,Default,,0000,0000,0000,,the eighties, and then there's A5/3, a ten year\Nold encryption standard, that's supported by
Dialogue: 0,0:22:34.64,0:22:40.54,Default,,0000,0000,0000,,newer phones, I would say about half the phones\Nin current use support this A5/3 cipher.
Dialogue: 0,0:22:40.54,0:22:44.37,Default,,0000,0000,0000,,where the other ones will always default to A5/1.
Dialogue: 0,0:22:44.37,0:22:50.71,Default,,0000,0000,0000,,And the network would have to support both of them\Nin a secure way or as secure as possible way
Dialogue: 0,0:22:50.71,0:22:54.28,Default,,0000,0000,0000,,to sufficiently protect their customers.
Dialogue: 0,0:22:54.28,0:22:58.56,Default,,0000,0000,0000,,Let's visit each of them in turn.
Dialogue: 0,0:22:58.56,0:23:08.14,Default,,0000,0000,0000,,To break A5/1 with tools like the ones we released\Nsome five years ago now, you have to have
Dialogue: 0,0:23:08.14,0:23:16.95,Default,,0000,0000,0000,,some attack surface. It's not enough to have\Na tool that can break an A5/1 packet, you also
Dialogue: 0,0:23:16.95,0:23:20.58,Default,,0000,0000,0000,,need to know what's inside the A5/1 packet.
Dialogue: 0,0:23:20.58,0:23:26.42,Default,,0000,0000,0000,,So for one of all these packets you have to predict\Nthe content, you break the key from it, and
Dialogue: 0,0:23:26.42,0:23:29.98,Default,,0000,0000,0000,,then you can decrypt the rest of them as well.
Dialogue: 0,0:23:29.98,0:23:33.92,Default,,0000,0000,0000,,So you've got to start somewhere\Nto then break the rest of it.
Dialogue: 0,0:23:33.92,0:23:39.62,Default,,0000,0000,0000,,And I believe no spy agency would have a\Nbetter way of breaking A5/1 over the air.
Dialogue: 0,0:23:39.62,0:23:42.95,Default,,0000,0000,0000,,They also have to rely on some attack surface.
Dialogue: 0,0:23:42.95,0:23:50.19,Default,,0000,0000,0000,,So if everything is unpredictable, it basically\Nbecomes XOR'ing random numbers.
Dialogue: 0,0:23:50.19,0:23:58.61,Default,,0000,0000,0000,,The GSMA and later the 3GPP, the standardisation\Nbodies, that tried to make the mobile world
Dialogue: 0,0:23:58.61,0:24:05.64,Default,,0000,0000,0000,,a little bit more secure, they worked hard\Nsome five years ago to amend standards for
Dialogue: 0,0:24:05.64,0:24:08.04,Default,,0000,0000,0000,,this attack surface to go away.
Dialogue: 0,0:24:08.04,0:24:14.81,Default,,0000,0000,0000,,So in a standard trace as we see it in too many\Nnetworks pretty much everything that is
Dialogue: 0,0:24:14.81,0:24:19.29,Default,,0000,0000,0000,,encrypted is predictable, at least in the call setup.
Dialogue: 0,0:24:19.29,0:24:28.24,Default,,0000,0000,0000,,So the phone starts unencrypted, it receives\Na ciphering mode command and it will then
Dialogue: 0,0:24:28.24,0:24:35.57,Default,,0000,0000,0000,,encrypt every single packet it sends, and also\Nexpect packets it receives to be encrypted,
Dialogue: 0,0:24:35.57,0:24:38.27,Default,,0000,0000,0000,,including some that actually make sense, where it
Dialogue: 0,0:24:38.27,0:24:42.73,Default,,0000,0000,0000,,says, "Here, you phone with that TMSI, have\Nanother TMSI", but also things are
Dialogue: 0,0:24:42.73,0:24:49.19,Default,,0000,0000,0000,,encrypted that carry not content whatsoever, like\Na null frame, that says the network is supposed to
Dialogue: 0,0:24:49.19,0:24:54.99,Default,,0000,0000,0000,,speak now, but it has nothing to say, but also things\Nwith static content, like these system information
Dialogue: 0,0:24:54.99,0:25:02.16,Default,,0000,0000,0000,,messages. This exact same message was sent\Nmaybe a second earlier unencrypted.
Dialogue: 0,0:25:02.16,0:25:08.83,Default,,0000,0000,0000,,And once it switches on encryption the phone\Nexpects this also to be encrypted.
Dialogue: 0,0:25:08.83,0:25:14.39,Default,,0000,0000,0000,,Then there's messages with very little content\Nand again null frames. Things that bascially have Dialogue: 0,0:25:14.39,0:25:19.30,Default,,0000,0000,0000,,no meaning whatsoever. Assignment to certain\Nfrequencies, there are not many frequencies Dialogue: 0,0:25:19.30,0:25:25.55,Default,,0000,0000,0000,,to choose from so this is mostly predictable,\Nand all of this is to be considered attack surface. Dialogue: 0,0:25:25.55,0:25:30.45,Default,,0000,0000,0000,,And there are two standards, padding randomisation,\Nwhich takes shorter messages and Dialogue: 0,0:25:30.45,0:25:38.28,Default,,0000,0000,0000,,appends random bytes, and SI5 randomisation which\Ntakes longer messages but scrambles that content, Dialogue: 0,0:25:38.28,0:25:41.53,Default,,0000,0000,0000,,that removes this attack surface almost entirely. Dialogue: 0,0:25:41.53,0:25:48.64,Default,,0000,0000,0000,,The little bit of attack surface that's left is due\Nto vendor specific communications, and Dialogue: 0,0:25:48.64,0:25:51.78,Default,,0000,0000,0000,,this needs to be fixed vendor by vendor. Dialogue: 0,0:25:51.78,0:25:58.79,Default,,0000,0000,0000,,But by just putting in those two standards,\NA5/1 calls should be protected from at least Dialogue: 0,0:25:58.79,0:26:02.12,Default,,0000,0000,0000,,the tools that we can think of. Dialogue: 0,0:26:02.12,0:26:07.12,Default,,0000,0000,0000,,Now given that this is five years ago that these\Nwere standardised and that there is a lot of Dialogue: 0,0:26:07.12,0:26:14.87,Default,,0000,0000,0000,,pressure on security these days. You'd imagine\Nthat these fixes, just tiny software fixes, Dialogue: 0,0:26:14.87,0:26:20.97,Default,,0000,0000,0000,,would be deployed thoroughly, however we\Nrarely see networks that do either of them, Dialogue: 0,0:26:20.97,0:26:24.27,Default,,0000,0000,0000,,and we've never seen a network\Nthat does both these fixes. 
Dialogue: 0,0:26:24.27,0:26:29.73,Default,,0000,0000,0000,,So somewhere along the way, between the\NGSMA and 3GPP who write the standards Dialogue: 0,0:26:29.73,0:26:33.24,Default,,0000,0000,0000,,and you as a customer, that idea got lost. Dialogue: 0,0:26:33.24,0:26:38.89,Default,,0000,0000,0000,,And it's not a difficult idea, to throw in some\Nrandom numbers, instead of static values, Dialogue: 0,0:26:38.89,0:26:45.20,Default,,0000,0000,0000,,or to take a message and scramble its contents.\NThese things should be pretty straight forward to Dialogue: 0,0:26:45.20,0:26:50.61,Default,,0000,0000,0000,,implement, and we've seen both ideas in the wild,\Nso there is proof that at least some vendors Dialogue: 0,0:26:50.61,0:26:52.21,Default,,0000,0000,0000,,have implemented these features. Dialogue: 0,0:26:52.21,0:26:58.03,Default,,0000,0000,0000,,However the networks do not\Nseem to be using them at all. Dialogue: 0,0:26:58.03,0:27:04.21,Default,,0000,0000,0000,,The same attack surface then would open up for\NA5/3 if somebody had a much bigger computer Dialogue: 0,0:27:04.21,0:27:08.52,Default,,0000,0000,0000,,to decrypt it. And by much bigger\NI mean about a million dollars. Dialogue: 0,0:27:08.52,0:27:14.53,Default,,0000,0000,0000,,So A5/3 is now ten years old and ten years\Nago it seemed like a great idea to take Dialogue: 0,0:27:14.53,0:27:22.16,Default,,0000,0000,0000,,a 64-bit stream cipher and make a 64-bit block\Ncipher out of it, you don't have to mess Dialogue: 0,0:27:22.16,0:27:27.76,Default,,0000,0000,0000,,with key generation or anything, it becomes\Nmuch more secure, and in fact it did, Dialogue: 0,0:27:27.76,0:27:31.04,Default,,0000,0000,0000,,two million times more secure. Dialogue: 0,0:27:31.04,0:27:37.54,Default,,0000,0000,0000,,But guess who's going to spend a million dollars\Nto break your A5/3 encrypted call, this year right. 
Dialogue: 0,0:27:37.54,0:27:44.44,Default,,0000,0000,0000,,and not just that one agency, every agency has a\Nspare one million dollar to build an A5/3 cracker. Dialogue: 0,0:27:44.44,0:27:49.50,Default,,0000,0000,0000,,So industry took ten years to implement\Nthis standard, and now that they do, Dialogue: 0,0:27:49.50,0:27:54.99,Default,,0000,0000,0000,,in Germany for instance two networks just\Nstarted this past month to roll out A5/3, Dialogue: 0,0:27:54.99,0:27:57.82,Default,,0000,0000,0000,,now it's already outdated. Dialogue: 0,0:27:57.82,0:28:03.12,Default,,0000,0000,0000,,Guess what, the next standard was developed\Nfive years ago again. A5/4 it's called, Dialogue: 0,0:28:03.12,0:28:07.21,Default,,0000,0000,0000,,it blows up the key size to a good 128-bit, Dialogue: 0,0:28:07.21,0:28:13.48,Default,,0000,0000,0000,,it steals that from the 3G part of the SIM card,\Nbut every SIM card these days is a 3G sim card. Dialogue: 0,0:28:13.48,0:28:20.70,Default,,0000,0000,0000,,So somehow we are always ten years behind\Nthe state of the art in cryptography, and Dialogue: 0,0:28:20.70,0:28:28.56,Default,,0000,0000,0000,,ten years behind what even industry describes,\Nprescribes themselves to implement. Dialogue: 0,0:28:28.56,0:28:35.11,Default,,0000,0000,0000,,We want that to change, and again we want you\Nto help us change that by creating awareness Dialogue: 0,0:28:35.11,0:28:39.04,Default,,0000,0000,0000,,around where networks put in\Nwhat type of countermeasures. Dialogue: 0,0:28:39.04,0:28:43.52,Default,,0000,0000,0000,,It's not enough for them to standardise\Npadding randomisation and SI5 randomisation, Dialogue: 0,0:28:43.52,0:28:49.29,Default,,0000,0000,0000,,It's not enough for them to specify A5/3 and\NA5/4, they actually need to deploy it. Dialogue: 0,0:28:49.29,0:28:55.72,Default,,0000,0000,0000,,And here's three tools you can\Nuse to create some visibility. 
Dialogue: 0,0:28:55.72,0:29:00.42,Default,,0000,0000,0000,,The first two we're releasing today, and the\Nthird one has always been available, there's just Dialogue: 0,0:29:00.42,0:29:04.01,Default,,0000,0000,0000,,an incremental patch from us today. Dialogue: 0,0:29:04.01,0:29:09.92,Default,,0000,0000,0000,,First one runs on an android phone and\Nit allows you to record network traces. Dialogue: 0,0:29:09.92,0:29:15.58,Default,,0000,0000,0000,,Those network traces of course tell you what type\Nof encryption is used, whether keys get rolled over, Dialogue: 0,0:29:15.58,0:29:22.07,Default,,0000,0000,0000,,whether your temporary identity gets\Nchanged regularly, and so forth. Dialogue: 0,0:29:22.07,0:29:28.30,Default,,0000,0000,0000,,The second tool is basically the same running on a\Nlinux computer, if you want to have the data for Dialogue: 0,0:29:28.30,0:29:37.11,Default,,0000,0000,0000,,further analysis, with the xgoldmontool,\NTobias Engel's tool. Dialogue: 0,0:29:37.11,0:29:41.42,Default,,0000,0000,0000,,And then the third possibility for acquiring\Nthe same data, not just for your own phone, but Dialogue: 0,0:29:41.42,0:29:48.03,Default,,0000,0000,0000,,basically everybody in the cell you're connected to,\Nis the OsmocomBB open source project. Dialogue: 0,0:29:48.03,0:29:53.27,Default,,0000,0000,0000,,Sylvain put in a lot of work a few years ago\Nand created this burst_ind branch, Dialogue: 0,0:29:53.27,0:29:59.52,Default,,0000,0000,0000,,we extended it just a little bit to run much more\Nstable and to really help as a capturing tool. Dialogue: 0,0:29:59.52,0:30:06.44,Default,,0000,0000,0000,,So any of these tools now helps you to look at\Nwhat configurations your network is using, Dialogue: 0,0:30:06.44,0:30:11.63,Default,,0000,0000,0000,,and perhaps interpret this yourself, and to\Ncheck whether they are using the latest Dialogue: 0,0:30:11.63,0:30:13.66,Default,,0000,0000,0000,,encryption and what not.
Dialogue: 0,0:30:13.66,0:30:20.87,Default,,0000,0000,0000,,We'd much appreciate if you shared some of\Nthat information with us, and we could then again Dialogue: 0,0:30:20.87,0:30:26.99,Default,,0000,0000,0000,,help others by sharing this further and\Ninterpreting the information, and to make that Dialogue: 0,0:30:26.99,0:30:34.31,Default,,0000,0000,0000,,even easier, we put all these tools in a Live-ISO\Nthat you can put on a USB stick and boot Dialogue: 0,0:30:34.31,0:30:40.01,Default,,0000,0000,0000,,with it. That has all the tools on it, the network\Nmeasurement tools, it has the SIM tester on it, Dialogue: 0,0:30:40.01,0:30:47.16,Default,,0000,0000,0000,,it has all the stuff on it, catch-a-catcher to\Nfind IMSI catchers in your vicinity. Dialogue: 0,0:30:47.16,0:30:54.52,Default,,0000,0000,0000,,It has an option to send data to a website called\Ngsmmap.org and along with all these tools we Dialogue: 0,0:30:54.52,0:31:02.29,Default,,0000,0000,0000,,are releasing today, a new version of the GSM\Nmap website, much more colourful than before, Dialogue: 0,0:31:02.29,0:31:05.60,Default,,0000,0000,0000,,but also much more usable we hope. Dialogue: 0,0:31:05.60,0:31:15.87,Default,,0000,0000,0000,,So here's the new GSM map, and this now\Ninterprets a lot of network traces that many of you Dialogue: 0,0:31:15.87,0:31:24.99,Default,,0000,0000,0000,,collected over the last couple of years, with Sylvain's\Nburst_ind setup, and for those countries where Dialogue: 0,0:31:24.99,0:31:31.18,Default,,0000,0000,0000,,we have a little bit of data we do estimates,\Nthese are the striped countries here, Dialogue: 0,0:31:31.18,0:31:40.71,Default,,0000,0000,0000,,and for those networks where we have a lot of data,\Nwe try to track the network security over time.
Dialogue: 0,0:31:40.71,0:31:46.25,Default,,0000,0000,0000,,So this for instance are the four German networks,\Nand you see how over time they actually do change Dialogue: 0,0:31:46.25,0:31:54.65,Default,,0000,0000,0000,,their security settings. T-Mobile for instance,\Nthe high-flyer here, they had a big drop in Dialogue: 0,0:31:54.65,0:32:02.41,Default,,0000,0000,0000,,network security, intercept this is, by switching off some\Nof the randomisation, earlier this year, but then Dialogue: 0,0:32:02.41,0:32:08.64,Default,,0000,0000,0000,,after they did that they started rolling out A5/3,\Nso somehow they're trading in security features, Dialogue: 0,0:32:08.64,0:32:17.20,Default,,0000,0000,0000,,one for the other. This now on an aggregate level\Ntells you how secure your network currently is, Dialogue: 0,0:32:17.20,0:32:24.97,Default,,0000,0000,0000,,against intercept, basically spy agencies listening\Nin to your calls, impersonation, that is other Dialogue: 0,0:32:24.97,0:32:30.75,Default,,0000,0000,0000,,people using your phone identity to conduct\Nsome transaction, and against tracking, that is Dialogue: 0,0:32:30.75,0:32:36.79,Default,,0000,0000,0000,,somebody following your whereabouts by electronic\Nmeans. Basically information exposed through Dialogue: 0,0:32:36.79,0:32:39.17,Default,,0000,0000,0000,,HLR queries remotely. Dialogue: 0,0:32:39.17,0:32:42.87,Default,,0000,0000,0000,,And you see how networks\Ndiffer in these categories. Dialogue: 0,0:32:42.87,0:32:48.40,Default,,0000,0000,0000,,This map by the way is where contributions came\Nfrom. So a lot of these of course are collected Dialogue: 0,0:32:48.40,0:32:50.95,Default,,0000,0000,0000,,by us in Berlin. Dialogue: 0,0:32:50.95,0:32:55.48,Default,,0000,0000,0000,,But thank you so much to all of you who sent\Nin all these traces from all these places that Dialogue: 0,0:32:55.48,0:32:58.17,Default,,0000,0000,0000,,none of us have ever been to.
Dialogue: 0,0:32:58.17,0:33:03.06,Default,,0000,0000,0000,,So it's absolutely fabulous to see what\Ncoverage we've gained here. Dialogue: 0,0:33:03.06,0:33:09.99,Default,,0000,0000,0000,,Still a lot of striped and white countries,\Nso we hope to complete the picture, but Dialogue: 0,0:33:09.99,0:33:11.52,Default,,0000,0000,0000,,we need everybody's help. Dialogue: 0,0:33:11.52,0:33:17.55,Default,,0000,0000,0000,,And hopefully with the tools we released\Ntoday it becomes so much easier to push Dialogue: 0,0:33:17.55,0:33:21.74,Default,,0000,0000,0000,,data up here, that this will\Nsoon be filled a lot more. Dialogue: 0,0:33:21.74,0:33:27.10,Default,,0000,0000,0000,,Now for those countries that we have a lot of\Ndata, and that is twenty-seven countries total, Dialogue: 0,0:33:27.10,0:33:36.27,Default,,0000,0000,0000,,we are releasing detailed reports today\Nalso, that interpret these measurements and Dialogue: 0,0:33:36.27,0:33:42.14,Default,,0000,0000,0000,,rank the networks, but also explain a little bit\Nof how we measure these things, but then give you Dialogue: 0,0:33:42.14,0:33:48.43,Default,,0000,0000,0000,,detailed technical measurements on what encryption\Nis used, for what types of transactions are Dialogue: 0,0:33:48.43,0:33:51.18,Default,,0000,0000,0000,,authenticated and so forth. Dialogue: 0,0:33:51.18,0:33:52.77,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:33:52.77,0:33:53.52,Default,,0000,0000,0000,,Thank you. Dialogue: 0,0:33:53.52,0:34:01.01,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:34:01.01,0:34:06.68,Default,,0000,0000,0000,,So if your country is one of the twenty-seven,\Nwe'd love if you read the report. Dialogue: 0,0:34:06.68,0:34:12.32,Default,,0000,0000,0000,,If it isn't we'd love for you to download the tools\Nand make sure we can publish a report next month. 
Dialogue: 0,0:34:12.32,0:34:19.33,Default,,0000,0000,0000,,So these will be refreshed every month, hopefully\Nforever, or until every network fulfills every Dialogue: 0,0:34:19.33,0:34:22.97,Default,,0000,0000,0000,,security goal imaginable and then we\Nwill shut down our website. Dialogue: 0,0:34:22.97,0:34:26.48,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:34:26.48,0:34:35.97,Default,,0000,0000,0000,,So that's GSM Map, the new website, and\Nyou saw all the tools that are available now. Dialogue: 0,0:34:35.97,0:34:42.29,Default,,0000,0000,0000,,You may notice that GSM map does not\Nyet have a security metric on SIM cards. Dialogue: 0,0:34:42.29,0:34:48.02,Default,,0000,0000,0000,,Just because our measurements are\Ntoo sparse to paint a good picture. Dialogue: 0,0:34:48.02,0:34:56.63,Default,,0000,0000,0000,,We'd like to start calling out the networks that do\Nbad SIM card security, but again we need your help Dialogue: 0,0:34:56.63,0:35:02.70,Default,,0000,0000,0000,,to scan your SIM cards, and to make sure we get\Nsome fair comparison among all the networks. Dialogue: 0,0:35:02.70,0:35:09.20,Default,,0000,0000,0000,,Just as a heads up, we found about in every other\Nnetwork where we have a lot of SIM cards to test, Dialogue: 0,0:35:09.20,0:35:12.19,Default,,0000,0000,0000,,vulnerabilities like the ones we discussed today. Dialogue: 0,0:35:12.19,0:35:17.10,Default,,0000,0000,0000,,So there should be a good chance if you have\Na couple of SIM cards at home, to find at least a few Dialogue: 0,0:35:17.10,0:35:18.65,Default,,0000,0000,0000,,that are actually vulnerable. Dialogue: 0,0:35:18.65,0:35:24.28,Default,,0000,0000,0000,,And if you do you can start installing Java\Non them and playing around with them.
Dialogue: 0,0:35:24.28,0:35:34.63,Default,,0000,0000,0000,,All right, that was everything we wanted to discuss.\NA round of thank you, in particular to Lukas and Linus Dialogue: 0,0:35:34.63,0:35:40.51,Default,,0000,0000,0000,,who have put in many months of really hard work\Nto get these tools ready for release today, Dialogue: 0,0:35:40.51,0:35:48.10,Default,,0000,0000,0000,,they were just about ready this morning after many\Nmonths of working on them, so thanks to them. Dialogue: 0,0:35:48.10,0:35:51.86,Default,,0000,0000,0000,,But thanks to everybody else also, who were\Ninvolved. There's just a long list of people Dialogue: 0,0:35:51.86,0:35:55.66,Default,,0000,0000,0000,,who contributed a month or two of work. Dialogue: 0,0:35:55.66,0:36:02.58,Default,,0000,0000,0000,,Thanks to the Open Technology Fund for sponsoring\Nthis research and for helping us fight Dialogue: 0,0:36:02.58,0:36:10.78,Default,,0000,0000,0000,,bad security in the world and raising awareness\Naround where bad security is implemented. Dialogue: 0,0:36:10.78,0:36:18.00,Default,,0000,0000,0000,,Thank you to all of you for using our tools to take\Nthis research to places that we could not have imagined. Dialogue: 0,0:36:18.00,0:36:19.07,Default,,0000,0000,0000,,Thanks. Dialogue: 0,0:36:19.07,0:36:25.36,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:36:25.36,0:36:30.05,Default,,0000,0000,0000,,Herald: Thank you very much Karsten and Luca.\NSo we have quite some time left, so as always if Dialogue: 0,0:36:30.05,0:36:36.22,Default,,0000,0000,0000,,you have questions, in the room, please line up\Nbehind the four microphones on the ground floor. Dialogue: 0,0:36:36.22,0:36:40.06,Default,,0000,0000,0000,,If you have questions from the web, or\Nif you have questions on the streams, Dialogue: 0,0:36:40.06,0:36:44.62,Default,,0000,0000,0000,,please write them on twitter or on IRC\Nand we will ask them here live in the room.
Dialogue: 0,0:36:44.62,0:36:49.17,Default,,0000,0000,0000,,And I think we'll start with two\Nquestions from the internet please. Dialogue: 0,0:36:49.17,0:36:51.96,Default,,0000,0000,0000,,Karsten: One quick...\NSignal angel: Okay Herald angel: Wait please. Dialogue: 0,0:36:51.96,0:36:56.81,Default,,0000,0000,0000,,Karsten: One quick heads-up before the first\Npeople start leaving, if you're interested in playing Dialogue: 0,0:36:56.81,0:37:02.33,Default,,0000,0000,0000,,with the tools or at least seeing them being\Nplayed with there's a workshop that will start Dialogue: 0,0:37:02.33,0:37:09.82,Default,,0000,0000,0000,,at six in Saal D, so if you want to see the live-ISO\Nand all its components and perhaps Dialogue: 0,0:37:09.82,0:37:15.33,Default,,0000,0000,0000,,take a USB stick home, we brought plenty to\Nplay with, saal D is where we'll meet you in a few Dialogue: 0,0:37:15.33,0:37:18.22,Default,,0000,0000,0000,,minutes. Sorry, go ahead with the questions. Dialogue: 0,0:37:18.22,0:37:20.90,Default,,0000,0000,0000,,Herald: Okay, two questions\Nfrom the internet now. Dialogue: 0,0:37:20.90,0:37:29.43,Default,,0000,0000,0000,,Signal angel: So first one: there are still many low\Nhanging fruits, so what about SS7 networks, did you Dialogue: 0,0:37:29.43,0:37:34.100,Default,,0000,0000,0000,,investigate them and their way of communicating with\Neach other. Can you tell us anything what happened Dialogue: 0,0:37:34.100,0:37:37.85,Default,,0000,0000,0000,,with the industry in the last year there? Dialogue: 0,0:37:37.85,0:37:45.34,Default,,0000,0000,0000,,Karsten: Sure, yeah, SS7 is another decades old\Ntechnology that was built with a wrong threat model. Dialogue: 0,0:37:45.34,0:37:49.86,Default,,0000,0000,0000,,Basically everybody who connects to the network\Nis trusted, but you have to connect to every Dialogue: 0,0:37:49.86,0:37:56.20,Default,,0000,0000,0000,,other telco in the world to route calls to them,\Nso there's some disagreement in the threat model. 
Dialogue: 0,0:37:56.20,0:38:02.20,Default,,0000,0000,0000,,And people find SS7 vulnerabilities wherever\Nthey look, both in the configuration, stuff like, Dialogue: 0,0:38:02.20,0:38:08.12,Default,,0000,0000,0000,,you know, the SIM filtering, the SMS filtering,\Nthe same kinds of topics come up in SS7, Dialogue: 0,0:38:08.12,0:38:15.21,Default,,0000,0000,0000,,where of course you want to block unneeded traffic,\Nand networks are really bad at that typically. Dialogue: 0,0:38:15.21,0:38:21.80,Default,,0000,0000,0000,,But also people find implementation bugs on\Nboxes that are connected to SS7 and those are Dialogue: 0,0:38:21.80,0:38:23.97,Default,,0000,0000,0000,,really, really hard to research. Dialogue: 0,0:38:23.97,0:38:29.49,Default,,0000,0000,0000,,The boxes are very expensive, so you can't just\Nresearch it in isolation, and everybody who is Dialogue: 0,0:38:29.49,0:38:36.48,Default,,0000,0000,0000,,running a box like that, will probably put you\Nin jail if you ever attempted to break them, Dialogue: 0,0:38:36.48,0:38:39.66,Default,,0000,0000,0000,,if you started to do some fuzz testing on them. Dialogue: 0,0:38:39.66,0:38:47.18,Default,,0000,0000,0000,,So SS7 unfortunately isn't really prime for open\Nresearch. It actually requires what I showed Dialogue: 0,0:38:47.18,0:38:53.21,Default,,0000,0000,0000,,on the first slide, kind of a co-evolution where\Nthe networks let the hackers in, so that they Dialogue: 0,0:38:53.21,0:38:57.83,Default,,0000,0000,0000,,then learn what other hackers could have\Ndone to them, and I don't see many networks Dialogue: 0,0:38:57.83,0:39:00.58,Default,,0000,0000,0000,,to be ready for that yet. Dialogue: 0,0:39:00.58,0:39:06.92,Default,,0000,0000,0000,,Definitely a topic with lots of low hanging fruit,\Nbut no easy way to research it. Dialogue: 0,0:39:06.92,0:39:09.47,Default,,0000,0000,0000,,Signal angel: Okay, thank you.
Dialogue: 0,0:39:09.47,0:39:12.46,Default,,0000,0000,0000,,Signal Angel: Should we go on with the second one?\NKarsten: Yes Dialogue: 0,0:39:12.46,0:39:18.05,Default,,0000,0000,0000,,Signal Angel: Has there been any testing using\Nparallel application only SIM card overlay Dialogue: 0,0:39:18.05,0:39:23.33,Default,,0000,0000,0000,,to block apps on the primary SIM card\Nso that's probably a strange question, Dialogue: 0,0:39:23.33,0:39:28.75,Default,,0000,0000,0000,,but the MuVuCo? project is mentioned here, or\Ndid you investigate any other simple way to block Dialogue: 0,0:39:28.75,0:39:31.27,Default,,0000,0000,0000,,the Java card bits? Dialogue: 0,0:39:31.27,0:39:37.28,Default,,0000,0000,0000,,Karsten: So I think I understood the question as,\Nis there any easy way of putting in another layer Dialogue: 0,0:39:37.28,0:39:42.80,Default,,0000,0000,0000,,of protection just in front of your SIM card? I guess\Nwe can't ask the person asking the question right? Dialogue: 0,0:39:42.80,0:39:48.22,Default,,0000,0000,0000,,But if that were the question then the answer is,\Nof course you can put all kinds of proxy stuff Dialogue: 0,0:39:48.22,0:39:54.31,Default,,0000,0000,0000,,in between your phone and your SIM card, there's\Na nice open source project called SIMtrace, Dialogue: 0,0:39:54.31,0:39:58.96,Default,,0000,0000,0000,,That then means you carry a little computer next\Nto your phone whenever you use it and of course Dialogue: 0,0:39:58.96,0:40:04.88,Default,,0000,0000,0000,,that's impractical, so that would be a forensic tool\Nperhaps to investigate what people are currently Dialogue: 0,0:40:04.88,0:40:08.52,Default,,0000,0000,0000,,doing to your SIM card, when you already have\Na suspicion that something is going on, but Dialogue: 0,0:40:08.52,0:40:14.92,Default,,0000,0000,0000,,there's no practical way to get a phone to give\Nyou that level of access, even on android, the part of Dialogue: 0,0:40:14.92,0:40:24.14,Default,,0000,0000,0000,,the operating system, the 
system that speaks with\Nthe SIM card is usually more baseband than android Dialogue: 0,0:40:24.14,0:40:32.87,Default,,0000,0000,0000,,or at the very least a proprietary device driver type.\NSo I can't think of any usable phone where Dialogue: 0,0:40:32.87,0:40:38.69,Default,,0000,0000,0000,,you could easily implement a SIM card firewall\Nfor instance, but I'd love to learn about them Dialogue: 0,0:40:38.69,0:40:41.75,Default,,0000,0000,0000,,if they do exist. Dialogue: 0,0:40:41.75,0:40:45.33,Default,,0000,0000,0000,,Herald: Okay we take a question from microphone four. Dialogue: 0,0:40:45.33,0:40:49.73,Default,,0000,0000,0000,,Question: Did you investigate any upstream\Nvulnerabilities from or to the baseband Dialogue: 0,0:40:49.73,0:40:56.44,Default,,0000,0000,0000,,or to the average phone OS, so for instance\Nif you have infiltrated the SIM card can you do Dialogue: 0,0:40:56.44,0:40:59.64,Default,,0000,0000,0000,,any stuff to an iPhone or something? Dialogue: 0,0:40:59.64,0:41:05.76,Default,,0000,0000,0000,,Karsten: Good question, and no we haven't and\NI wouldn't think that that would be the most Dialogue: 0,0:41:05.76,0:41:11.18,Default,,0000,0000,0000,,fruitful vector, because the interface between\Na SIM card and a phone is pretty defined, Dialogue: 0,0:41:11.18,0:41:17.80,Default,,0000,0000,0000,,very narrow channel. So I'd think that a phone\Nbaseband is much easier exploited like Ralph did it Dialogue: 0,0:41:17.80,0:41:23.78,Default,,0000,0000,0000,,a couple of years ago, emulating a network and\Nsending commands, that interface is much wider Dialogue: 0,0:41:23.78,0:41:28.77,Default,,0000,0000,0000,,and has many more protocols running that\Ncould potentially be exploit targets. Dialogue: 0,0:41:28.77,0:41:30.68,Default,,0000,0000,0000,,Good question though, thank you. Dialogue: 0,0:41:30.68,0:41:33.49,Default,,0000,0000,0000,,Herald: Okay, number three please. 
Dialogue: 0,0:41:33.49,0:41:38.68,Default,,0000,0000,0000,,Question: You showed the map broken down by\Ncountry, would it make sense to look at smaller Dialogue: 0,0:41:38.68,0:41:44.38,Default,,0000,0000,0000,,districts or regions, do we have differences\Nwithin one country for example the US. Dialogue: 0,0:41:44.38,0:41:49.66,Default,,0000,0000,0000,,Karsten: That's a good question, and we have\Noccasionally come across a country where Dialogue: 0,0:41:49.66,0:41:54.34,Default,,0000,0000,0000,,there's configuration differences in different\Nparts of the country, like for instance in Germany Dialogue: 0,0:41:54.34,0:42:00.42,Default,,0000,0000,0000,,right now, two of the network operators are\Nrolling out A5/3, but they go location by location. Dialogue: 0,0:42:00.42,0:42:07.54,Default,,0000,0000,0000,,So there's two zones right now, but those are\Ngoing away over time because the goal of course is Dialogue: 0,0:42:07.54,0:42:13.78,Default,,0000,0000,0000,,to implement the security feature everywhere.\NThere are networks though where they Dialogue: 0,0:42:13.78,0:42:18.20,Default,,0000,0000,0000,,purchase one part of the country from one vendor\Nand another part from another vendor, and Dialogue: 0,0:42:18.20,0:42:23.35,Default,,0000,0000,0000,,where security patches just don't get deployed\Neverywhere, and we would like to track that Dialogue: 0,0:42:23.35,0:42:28.88,Default,,0000,0000,0000,,more accurately. Currently it's just averaged.\NWhat we need to track it more accurately is Dialogue: 0,0:42:28.88,0:42:34.81,Default,,0000,0000,0000,,constant measurements from more places. 
So\Ncurrently what our metric does is try to fairly Dialogue: 0,0:42:34.81,0:42:40.13,Default,,0000,0000,0000,,combine information from different locations\Nand then average them even though for instance Dialogue: 0,0:42:40.13,0:42:46.78,Default,,0000,0000,0000,,in Germany, of course Berlin is dominating in\Nour measurement set, and some other locations Dialogue: 0,0:42:46.78,0:42:52.78,Default,,0000,0000,0000,,I think, thank you CCC Munich, are contributing\Ntoo, but if there were somewhere in Dialogue: 0,0:42:52.78,0:42:59.17,Default,,0000,0000,0000,,the middle of Germany, some extra security\Nfeature, we would not learn about it for a long time. Dialogue: 0,0:42:59.17,0:43:08.15,Default,,0000,0000,0000,,You see this route? This is from last year's trip from Hamburg\Nto Berlin, when everybody came to the CCC. {\i1}laughter{\i0} Dialogue: 0,0:43:08.15,0:43:13.85,Default,,0000,0000,0000,,So we are not distinguishing by country yet,\Nbut if the information is ever there to see Dialogue: 0,0:43:13.85,0:43:17.30,Default,,0000,0000,0000,,a clear border we'll definitely do that. Dialogue: 0,0:43:17.30,0:43:20.00,Default,,0000,0000,0000,,Herald: Question from number four please. Dialogue: 0,0:43:20.00,0:43:25.84,Default,,0000,0000,0000,,Question: Yes, I wanted to ask, you showed that\Nyou were simulating a BTS somewhere around Dialogue: 0,0:43:25.84,0:43:31.97,Default,,0000,0000,0000,,the middle of the talk, and I was wondering were\Nyou using any of the known OpenBTS or OsmoBTS Dialogue: 0,0:43:31.97,0:43:35.22,Default,,0000,0000,0000,,solutions or anything else? Dialogue: 0,0:43:35.22,0:43:44.79,Default,,0000,0000,0000,,Luca: It's a patched version of OpenBSC. 
It's just\Na few lines, there is a nice function that triggers Dialogue: 0,0:43:44.79,0:43:50.54,Default,,0000,0000,0000,,the software to send the SMS on queue for a\Nuser as soon as the user logs in, and as soon as Dialogue: 0,0:43:50.54,0:43:55.79,Default,,0000,0000,0000,,the user does this I put a lot of SMS's\Nin the queue, so I can send it. Dialogue: 0,0:43:55.79,0:44:03.57,Default,,0000,0000,0000,,Karsten: Yeah there are OpenBSC, OpenBTS,\NOsmocomBB project, they are an enormous help in Dialogue: 0,0:44:03.57,0:44:09.34,Default,,0000,0000,0000,,our research, we could have done none of this,\Nhad we had to implement all of this in open source. Dialogue: 0,0:44:09.34,0:44:14.83,Default,,0000,0000,0000,,So they're very, very useful, and thank you\Nto everybody who've contributed to them. Dialogue: 0,0:44:14.83,0:44:17.23,Default,,0000,0000,0000,,Herald: Another question from number four please. Dialogue: 0,0:44:17.23,0:44:22.73,Default,,0000,0000,0000,,Question: Banks and other organisations love\Nto send one-time tokens via SMS, from what I Dialogue: 0,0:44:22.73,0:44:32.66,Default,,0000,0000,0000,,understand the talk, would it be in the range of the\Nregular criminal to exploit this and steal those tokens? Dialogue: 0,0:44:32.66,0:44:39.100,Default,,0000,0000,0000,,Karsten: With GSM intercept yes, you can read\Nother people's SMS when they're A5/1 encrypted, Dialogue: 0,0:44:39.100,0:44:47.27,Default,,0000,0000,0000,,however you have to be close to them, in a\Nproximity of let's say two kilometers, and it's probably Dialogue: 0,0:44:47.27,0:44:52.96,Default,,0000,0000,0000,,unlikely that the person who infected your online\Nbanking credentials, stole them from your infected Dialogue: 0,0:44:52.96,0:44:59.54,Default,,0000,0000,0000,,computer, is also your neighbour. Those two\Ngroups seem to overlap in locations. 
Dialogue: 0,0:44:59.54,0:45:03.97,Default,,0000,0000,0000,,With the SIM card vulnerabilities though,\Nyou can do lots of stuff, you can send SMS, Dialogue: 0,0:45:03.97,0:45:09.25,Default,,0000,0000,0000,,you can redirect calls, you can steal decryption\Nkeys, the only thing you can't do is read people's Dialogue: 0,0:45:09.25,0:45:14.51,Default,,0000,0000,0000,,incoming SMS. So banks got lucky there. Dialogue: 0,0:45:14.51,0:45:19.58,Default,,0000,0000,0000,,Q: Thanks\NHerald: We have another question from the internet. Dialogue: 0,0:45:19.58,0:45:26.52,Default,,0000,0000,0000,,Q: Wouldn't it be easier to just reinvent maybe a more\Nnerd driven mobile network from scratch, than Dialogue: 0,0:45:26.52,0:45:32.61,Default,,0000,0000,0000,,to mess around with all this industry stuff\Nthat has piled up for years now? Dialogue: 0,0:45:32.61,0:45:39.26,Default,,0000,0000,0000,,Karsten: Well, that's interesting, things do not\Nreally pile up as people imagine them, so the Dialogue: 0,0:45:39.26,0:45:45.15,Default,,0000,0000,0000,,One of the big drivers of the OpenBSC project\NI understand was the availability of really cheap Dialogue: 0,0:45:45.15,0:45:49.45,Default,,0000,0000,0000,,base stations. Why were they available? Because\Npeople threw them away and replaced Dialogue: 0,0:45:49.45,0:45:53.86,Default,,0000,0000,0000,,them with newer base stations, and they do\Nthat every time they add a new technology. Dialogue: 0,0:45:53.86,0:45:58.51,Default,,0000,0000,0000,,So when they added 3G they threw away the 2G\Nbase stations, and replaced them with combined Dialogue: 0,0:45:58.51,0:46:02.21,Default,,0000,0000,0000,,2G/3G base stations, same with 4G now. Dialogue: 0,0:46:02.21,0:46:07.69,Default,,0000,0000,0000,,So as 4G is being rolled out all over Germany,\Neverything gets thrown away and Dialogue: 0,0:46:07.69,0:46:14.05,Default,,0000,0000,0000,,replaced. 
There isn't so much legacy in terms of\Ninstalled boxes, the legacy is more the protocol, Dialogue: 0,0:46:14.05,0:46:21.52,Default,,0000,0000,0000,,so if you throw away one end of the connection\Nand not the other you maintain the old protocol, Dialogue: 0,0:46:21.52,0:46:26.68,Default,,0000,0000,0000,,but then when you throw away the other side,\Nyou again maintain it because it's kind of the logical Dialogue: 0,0:46:26.68,0:46:36.92,Default,,0000,0000,0000,,legacy. So I don't think there's an easy fix to that.\NThis is just very high-scalability engineering where Dialogue: 0,0:46:36.92,0:46:43.96,Default,,0000,0000,0000,,things have to work in extreme corner cases, and I\Nthink all the tools are there for the existing networks Dialogue: 0,0:46:43.96,0:46:50.52,Default,,0000,0000,0000,,to get fixed, it's just a question of priority. At the\Ninvestment that a 4G network costs, a single one, Dialogue: 0,0:46:50.52,0:46:56.70,Default,,0000,0000,0000,,you can probably make the entire world use\NA5/3 and upgrade to secure SIM cards. Dialogue: 0,0:46:56.70,0:47:01.96,Default,,0000,0000,0000,,So the money is there, it's just a question of\Npriority that keeps the networks away from Dialogue: 0,0:47:01.96,0:47:04.22,Default,,0000,0000,0000,,deploying these software patches. Dialogue: 0,0:47:04.22,0:47:07.72,Default,,0000,0000,0000,,In the end it's single lines of code. Dialogue: 0,0:47:07.72,0:47:11.49,Default,,0000,0000,0000,,Herald: Ok, we have another question in\Nthe room from microphone number three. Dialogue: 0,0:47:11.49,0:47:17.54,Default,,0000,0000,0000,,Q: Quick question, for tools that you are offering\Ncan they work with some kind of passive recording Dialogue: 0,0:47:17.54,0:47:25.46,Default,,0000,0000,0000,,device, for example can you collect data for gsmmap\Nusing the OsmoSDR tools? The ones that use Dialogue: 0,0:47:25.46,0:47:30.96,Default,,0000,0000,0000,,the simple DVB-tuners to listen to the spectrum. 
Dialogue: 0,0:47:30.96,0:47:36.63,Default,,0000,0000,0000,,Harald: Luca, do you know OsmoSDR?\NLuca: Yeah, I think that's more focused on being Dialogue: 0,0:47:36.63,0:47:42.82,Default,,0000,0000,0000,,a BTS than a sniffer device, but I think you can use\Nit as a sniffer device, it's just that then you need Dialogue: 0,0:47:42.82,0:47:49.43,Default,,0000,0000,0000,,to process the data in a different way, really the\Neasiest is to use the Osmocom mobile phone, Dialogue: 0,0:47:49.43,0:47:55.36,Default,,0000,0000,0000,,and it does this and it's what we use for the\NLive-ISO. There are many models actually, so. Dialogue: 0,0:47:55.36,0:47:59.92,Default,,0000,0000,0000,,Karsten: What would you consider the\Nadvantage of using an OsmoSDR? Dialogue: 0,0:47:59.92,0:48:04.86,Default,,0000,0000,0000,,Q: It's mostly because it doesn't require a phone\Nor a SIM card or anything. The question is can it Dialogue: 0,0:48:04.86,0:48:08.32,Default,,0000,0000,0000,,work passively without being,\Nwithout sending anything? Dialogue: 0,0:48:08.32,0:48:13.13,Default,,0000,0000,0000,,Karsten: Yeah, the phone he just held up,\Nthat captures traffic with no SIM card and Dialogue: 0,0:48:13.13,0:48:21.20,Default,,0000,0000,0000,,without connecting to a network, it does so passively\Nby latching on to a cell, passively, just hearing what Dialogue: 0,0:48:21.20,0:48:27.96,Default,,0000,0000,0000,,is happening on the broadcast channel, and as soon\Nas the cell starts communicating with another phone Dialogue: 0,0:48:27.96,0:48:33.91,Default,,0000,0000,0000,,it jumps to that frequency and also listens to\Nthe traffic. So that's already a passive setup. Dialogue: 0,0:48:33.91,0:48:40.17,Default,,0000,0000,0000,,And the C139 I think is the most available Osmocom\Nphone, you can still get that for twelve dollars Dialogue: 0,0:48:40.17,0:48:46.98,Default,,0000,0000,0000,,in China. 
So I don't think there's any reason to\Nreimplement that for any other platform if there's Dialogue: 0,0:48:46.98,0:48:49.18,Default,,0000,0000,0000,,already a twelve dollar solution. Dialogue: 0,0:48:49.18,0:48:53.61,Default,,0000,0000,0000,,Q: Thank you.\NHerald: And we take another question from the internet Dialogue: 0,0:48:53.61,0:48:57.90,Default,,0000,0000,0000,,Q: Actually some people are complaining that\Nthey have no signal in this room, could that be Dialogue: 0,0:48:57.90,0:49:02.42,Default,,0000,0000,0000,,caused by you, or is the range not that large? Dialogue: 0,0:49:02.42,0:49:08.64,Default,,0000,0000,0000,,Karsten: Well, we add choices for signal, we don't\Ntake them away, so this is just an additional BTS. Dialogue: 0,0:49:08.64,0:49:10.14,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:49:10.14,0:49:12.14,Default,,0000,0000,0000,,Q: Okay, thank you. Dialogue: 0,0:49:12.14,0:49:18.03,Default,,0000,0000,0000,,Herald: Ok, are there any other questions,\Nnow is the time to ask. If not I ask you again Dialogue: 0,0:49:18.03,0:49:21.78,Default,,0000,0000,0000,,for a warm round of applause for Karsten and Luca Dialogue: 0,0:49:21.78,0:49:24.92,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:49:24.92,0:49:33.53,Default,,0000,0000,0000,,subtitles created by c3subtitles.de