Herald: Okay, a very warm welcome, everybody.
It's my great pleasure to announce this next talk, which is called SigOver + alpha, where CheolJun Park and Mincheol Son are going to be talking about signal overshadowing attacks in LTE.
The two of them are researchers at KAIST in Korea, the Korea Advanced Institute of Science and Technology, and I'm really interested in hearing about the exploits these two found.
Please give them a huge warm welcome with applause. Thank you.
[Applause]
Mincheol: Thank you. Good afternoon. Welcome to our talk. The name is SigOver + alpha, and what we're talking about is a very interesting, realistic and new attack in LTE.
My name is Mincheol.
I'm a graduate student at the System Security Lab at KAIST.
My research interest is in cellular networks and comparison analysis.
CheolJun: Hi, my name is CheolJun, and I'm also a PhD student in the System Security Lab at KAIST.
My research interest is also cellular network systems and mobile security analysis.
In this presentation we prepared a lot of interesting attack demo videos.
Mincheol will talk in the first half of the presentation about some introduction to the LTE network, the concept of the SigOver attack, and broadcast message injection using SigOver.
Then I will talk in the remaining part of the presentation about a little more advanced attack.
Mincheol: Okay, let's start.
First of all, what I'm going to talk about is the cellular network.
All of us use our cell phones for voice calls, playing games or watching videos anywhere at any time.
Mobile phones have been developed from the first generation to the fourth generation, as shown in the figure on the right, and 5th generation services have now started.
Today we are going to talk about new and powerful attack techniques that can be used for attacks in LTE.
Also we will explain some examples of attacks and show demonstrations of them.
To understand the main contents, we need some background on LTE.
The LTE system is largely composed of UEs, such as a smartphone used by the user for LTE service; the base station, which is in charge of transmitting and receiving radio signals; and the core network for the mobility management, authentication and data services of the user.
For control messages such as the radio connection, the UE and the base station use RRC protocols.
Similarly, the UE and the core network send and receive control messages with NAS protocols.
The main part of our talk is the UE and the base station.
If so, how does the UE establish a radio connection with the base station and use the LTE service?
First, the UE has to decide which base station to connect to.
To do this, the UE scans the LTE frequency band and selects the most stable base station by considering the frequency priority and signal strength of the base station.
After selecting one base station, the UE starts the attach procedure with the base station.
First, the UE receives the PSS and SSS signals sent by the base station.
In turn, the MIB and SIB are decoded.
All three messages are broadcast messages sent by the base station.
They are used to match time synchronization, to know boundaries or the transmission scheme, and to know information about the base station.
After the broadcast messages, the UE establishes a radio connection with the base station.
This process is done using the RRC protocol messages, after which the UE proceeds with security setup for the NAS protocol.
Throughout this process, the UE and the core network share the key and algorithms for encryption and integrity check.
The security setup process is also performed between the UE and the base station.
After this series of procedures the UE can attach successfully and use the LTE service.
And then, what attack is possible against the UE connected to the network and using the service?
The most widely used method so far is to use a fake base station.
An attacker could use a fake base station that behaves like a legitimate base station, causing the victim UE to disconnect from the legitimate base station and connect to the fake base station.
This is possible because the UE preferentially tries to connect to a strong base station.
Several attacks using FBS have been introduced, including man-in-the-middle attack, denial of service, user identity leak, fake emergency alert and so on.
As such, the fake base station attack using the characteristics of radio communication is actively used for research or actual attacks.
And then, here are the questions:
Is the FBS attack the only attack method using the characteristics of the LTE radio connection, or should the victim UEs always be connected to the FBS for wireless attacks?
The answer is no; there is a more intuitive and powerful attack method than FBS.
It is the signal overshadowing attack.
While the previous FBS attack uses the characteristic of selecting a base station with a stronger signal, the SigOver attack uses the characteristic of wireless communication to decode the stronger signal when different signals are transmitted on the same frequency.
This is illustrated by the figure below: the normal base station continuously transmits LTE signals in time and frequency.
The UE then receives and decodes the signal.
If the attacker can match the time and frequency exactly with the normal signal and transmit a stronger signal than the real signal, the UE will decode the stronger signal.
This is the signal overshadowing attack that overrides the LTE signal.
If the signal overshadowing attack is possible, then what messages can be used to overwrite?
The messages we can overwrite are those with no security protection.
First, there are broadcast messages.
The broadcast messages of base stations are signals for all users, with no consideration for encryption and integrity checks in the LTE specification.
Second, there are messages that can be used for an attack because they are unprotected among messages transmitted only to a specific user, not broadcast messages.
One reason that such a message is not protected is a bug in the UE implementation.
The other is that there are several messages in the specification that are unprotected before performing security setup.
The details of the SigOver attack will be discussed one by one.
First, I will explain what to solve in order to perform the SigOver attack, how the SigOver attack is different from the existing FBS attack, and what kinds of attacks are possible using broadcast messages and SigOver.
Lastly, CheolJun will explain attacks using unicast messages and then discuss things like countermeasures and future work.
So first, there are some challenges and questions for the SigOver attack.
First, we should consider which part of the signal we override.
If too many signals are overwritten, the UE will receive no normal signals, causing only effects such as jamming.
On the contrary, if too few signals are covered, the difficulty of the attack increases and the UE may not be able to decode properly.
The second challenge is how to synchronize time and frequency.
This is the most important challenge in the SigOver attack, where the attack signal must be accurately overwritten on the signal of the normal base station.
Finally, how much error is okay? Even if the signal is transmitted like a normal base station, there may be a slight error in time or frequency.
Therefore it is necessary to know how much accuracy is required for the UE to properly decode the signal.
I will explain the details of these three challenges and questions.
To answer the first question, let's look at the LTE frame structure first.
An LTE frame consists of multiple subframes, a subframe has multiple symbols, and the message is included in a subframe, meaning that there are various options to be overshadowed.
Symbol overshadowing requires precise synchronization, so the success rate is hard to guarantee.
On the other hand, frame-level overshadowing requires rewriting multiple subframes or multiple messages. It can also affect other normal messages.
So it is quite natural to overshadow at the subframe level.
Next, let's look at time synchronization first among the synchronization issues.
The attacker's subframe and the legitimate subframe must arrive at the UE simultaneously in order to override a particular subframe accurately.
For simplicity, let's assume there is no propagation delay for now.
The attacker utilizes the synchronization signals called PSS and SSS to get accurate time synchronization, as they are sent periodically from the legitimate base station.
More concretely, first, the attacker uses PSS and SSS to get the frame timing of the legitimate base station, meaning that the attacker can identify the frame timings t0, t1, and t2.
Second, once the attacker learns the timing, she can predict the timing of the target subframe, since each subframe has a fixed size, which is one millisecond.
For example, if the attacker overshadows the second subframe of frame 566, then she can transmit the malicious subframe at t2 plus one millisecond.
Now the attacker's signal arrives at the UE simultaneously, since we assume that there is no propagation delay.
However, in real life there is propagation delay depending on the location, meaning that t0 will be delayed due to the propagation delay of PSS and SSS.
Also, if the attacker is located far from the UE, more delay would be added.
The delay could be compensated if the attacker precisely located the UE and the base station.
But it is not realistic in the wild; the delay is up to some maximum value because they are located within the range of the base station.
So in practice there is a delay that cannot be compensated, so subframes cannot be aligned exactly.
So then we can count on the LTE UE.
LTE is designed to be reliable, especially in outdoor environments.
Outdoors, the UE can be moving, and there is a reflection effect because of buildings.
So we expected that the UE would compensate such small errors if the subframe is somewhat synchronized but not exactly.
So the question is, how much can the UE tolerate this delay error?
Since it is chipset dependent, we measured the max delay tolerance of two COTS smartphones, and the results are around 12 and 11 microseconds each.
Both results exceed the max delay of the urban base station, which is around eight microseconds.
So this means that the attack can succeed regardless of the location of the base station and the victim UEs.
In summary, the attacker can be anywhere within the range of the base station to succeed in the attack.
The last one to solve is frequency synchronization.
The LTE standard specifies the minimum frequency accuracy that an LTE base station must have as 50 ppb.
So for precise synchronization, the attacker needs to use a sufficiently accurate frequency; after that, the residual frequency error can be compensated by a CFO correction algorithm.
Since SigOver runs on a typical SDR kit with an inaccurate oscillator, we adopted a GPSDO to improve its frequency accuracy.
The GPSDO guarantees 25 ppb accuracy without a GPS antenna and 1 ppb with a GPS antenna.
Lastly, we can compensate the residual frequency error by PSS/SSS-based CFO correction.
Here's the summary of the main questions and answers.
We overshadow subframe units, using PSS/SSS for time synchronization and using GPSDO and CFO correction for frequency synchronization.
Finally, the COTS UE is generous enough to cover the entire range of the urban base station.
In short, an attacker located in the range of the base station can overshadow broadcast messages to any victim within the base station coverage.
Next, before examining the difference between SigOver and FBS, I will explain the process of the SigOver attack.
First, the attacker collects the necessary values by listening to the broadcast messages of the normal base station.
This process is necessary because information about the base station is required to disguise the attacker's signal as that of a normal base station.
Next, the attacker creates a subframe that contains the messages to use for the attack.
And now the attack begins: first, the attacker receives the PSS and SSS signals of the normal base station and synchronizes time with the base station, then sends the malicious subframe that she made at the precise timing.
Finally, the UE receiving the signal receives the malicious message by decoding the attacker's subframe, which is stronger than the signal of the normal base station.
Here's our test environment to verify SigOver.
We implemented SigOver by using an open source LTE stack, and we used the USRP series for radio transmission.
We also used phones such as the iPhone XS or Galaxy S9 to verify this attack.
In the remainder of this talk I will talk about the performance of SigOver and attacks that can be launched using SigOver.
Okay, so far I have shown that SigOver can be used in practice, but both FBS and SigOver can inject malicious broadcast messages to the UEs.
So what is the difference between SigOver and FBS? Or what is the advantage of SigOver?
The basic advantage of SigOver compared with the fake base station comes from the fact that SigOver does not need connection establishment to inject the message.
This has multiple implications.
Another advantage is power efficiency.
SigOver does not require such strong power because the attack signal only needs to be high enough to cover the original signal, called the capture effect.
It shows a 98% success rate with 3 dB higher power than the legitimate base station. However, the FBS requires much stronger power than SigOver.
This is because the FBS needs to break the current connection between the victim UE and the legitimate base station.
Next, I'll talk about what we can do with SigOver and broadcast messages.
I have explained that there is no connection between the victim UE and the SigOver attacker.
It means that the UE can keep communicating with the legitimate base station or network during the attack.
For example, SigOver can inject a malicious message while the UE is on the phone.
However, the UE cannot communicate with the network after attaching to the FBS.
So the UE might fall into denial of service.
Let me show you some possible attacks using SigOver that are not feasible using FBS.
The first one is the signaling storm attack.
In general, a signaling storm occurs through a botnet, but SigOver can launch the attack without using a botnet.
SigOver exploits a broadcast message called SIB-1, especially the tracking area code.
By changing the tracking area code to a new one, the attacker can trigger the tracking area update procedure of the victim UE, which is sent to the core network.
All UEs in the attack range may continuously receive the fake SIB-1, which causes a tracking area update storm to the core network.
FBS can do the same, but as you expected, the legitimate network would be safe from this attack because the FBS is not connected to the legitimate core network.
This is the demonstration of the signaling storm.
The program in this screenshot shows the signaling messages of the UE.
First, the attacker injects a malicious paging message.
This malicious paging message is required for the UE to receive a SIB-1.
Then the attacker overshadows the malicious SIB-1 message.
Then the UE generates signaling to the network.
We evaluated the amplification factor of the signaling storm attack.
In a normal situation a UE sends about 45 service request messages, corresponding to over 600 signaling messages per hour.
A signaling storm using SigOver can generate around 21,000 tracking area update requests, corresponding to around 400,000 signaling messages per hour.
In summary, the signaling storm can generate 640 times more signaling messages per UE.
The second is a selective DoS attack using SIB-2.
In SIB-2 there is a field to prevent access of the UE for effective data service in a disaster situation.
If we manipulate this field, we can prevent UEs from sending service requests to the base station.
Of course we can also adjust the barring time.
Furthermore, in the recent specification, barring service is not only divided into signaling and data but also divided into details such as voice calls, video calls, and SMS.
Therefore selective DoS is possible.
For example, all other services are possible, but only the voice service is not available.
The selective DoS attack was verified with a Galaxy S9 and succeeded.
This attack is also only possible with SigOver.
Even if the UE connects to the FBS and receives the wrong SIB-2, the FBS cannot make this attack, because the normal SIB-2 is received again when the UE is connected to the normal base station.
Okay, this is the demonstration.
It would be nice to show a video of the selective DoS, but it is not ready.
So this video is a DoS attack using access barring.
The UEs can use normal data services and also voice calls.
Okay.
After the SigOver attack, the victim UEs receive malicious paging and SIB-2 messages.
And, uh, normal service is not available on the UE.
Even after the attacker program is terminated, the normal service is not available either.
Okay.
The following is an attack using IMSI paging.
In the figure on the left, a UE that is normally attached is released into the idle state by releasing the radio connection when not using LTE data.
At this time, if there is a service request for the UE from the network, the base station sends a broadcast message, paging, to inform the UE.
The identifier used at this time is a temporary ID of the UE called GUTI.
However, if paging is sent using the unique ID of the UE called IMSI, the UE will disconnect and reattach according to the behavior defined in the standard.
This allows a DoS attack on the UE that is using the LTE service.
This is the IMSI paging demo.
This is our testbed setup.
There are the attacker's PC and USRP.
The victim UE receives a voice call.
The attacker injects a paging message with the victim's IMSI.
Due to the IMSI paging, the voice call is disconnected.
The final attack I will introduce is a fake emergency alert attack.
This attack uses SIB-12, which is used for alert systems in normal networks.
The process of using CMAS is as follows.
Three messages, SIB-1, SIB-12 and paging, are involved in the CMAS process.
Based on this process, the attacker overshadows the SIB-1, SIB-12 and paging messages.
For the attack, the victim phone is connected to the legitimate base station, and the attacker synchronizes time and frequency with the legitimate base station.
This is the fake emergency alert message.
To sum up briefly, we have designed and implemented a signal overshadowing attack using the fundamental weakness of wireless communication.
The SigOver attack is more powerful than the FBS attack in terms of power efficiency, and, keeping the connection between the UE and the normal base station, it can perform various attacks.
As an example, I showed demonstrations of four attacks.
Then what can you do with the unicast injection attack?
The answer to this question will be explained in detail by CheolJun.
CheolJun: Hi again, and thank you, Mincheol.
So as Mincheol said, what else can we do with the unicast SigOver injection attack?
So when we go back to the fake base station attack, there have been various attacks using fake base stations.
As an example of an existing FBS attack, the man-in-the-middle attack can be used for injecting, stealing or eavesdropping on the victim's information.
If the fake base station is not an LTE base station but a 3G or 2G base station, the attacker can cause greater damage to the victim's privacy.
But actually these attacks are quite limited in use.
These attacks all assumed that the victim is already connected to the fake base station.
But in a static situation, in order for a UE to pass over to the fake base station, the fake base station signal must be about 40 dB, or 10,000 times, larger than the commercial one.
This is because the fake base station needs to break the current connection between the victim UE and the legitimate base station.
Operating a fake base station with a strong signal requires a lot of resources and increases the chance of being detected.
However, SigOver can solve these limitations.
By injecting unicast messages, the attacker can force victims to attach to the fake base station.
So what is the unicast message?
The RRC connection release message is a message delivered by the base station to the UE.
It is used to command the release of an RRC connection.
So when the UE receives this message, it will disconnect from the existing connection.
Plus, unicast messages can have additional fields.
One of the additional fields, the redirectedCarrierInfo field, is used to indicate the next frequency where the UE shall connect to.
The UE uses this information to select an acceptable base station to camp on.
Also, the redirected frequencies can be not only for LTE base stations but also for 3G or 2G base stations, which are more vulnerable.
And the other additional field is the idleModeMobilityControlInfo field.
This field is used to provide dedicated cell selection and reselection priorities.
When the UE searches for a base station, it does not check all the frequencies.
Instead, it checks only selected frequencies, based on the frequency previously connected or frequencies received from the network.
So we noticed that when the UE is redirected to a non-searching frequency, the UE was not redirected to that frequency.
However, when a non-searching frequency was included in the idleModeMobilityControlInfo field, the UE was redirected, even though it was a new frequency.
The figure actually shows that the UE is redirected to another base station after receiving an RRC connection release message with a redirectedCarrierInfo field and an idleModeMobilityControlInfo field.
You can see that the radio frequency channel number representing the communication frequency of the base station has changed from 100 to 2600.
So, if the attacker can inject this message to the victim UE, the attacker can force the victim UE to move to the fake base station.
In order to inject this RRC connection release message, the injected message should be decoded on the UE.
To do this, more effort is required than when injecting a broadcast message.
Firstly, when injecting a broadcast message, the attacker only had to consider the base station's configuration to inject the message, but to inject the unicast message, the attacker also has to consider additional information like the UE's ID, the RNTI, which is a temporary identifier, the sequence number, the message format and so on.
Moreover, the message must be set correctly in the right place.
The UE does not decode all the messages over the air, but only those that it needs to decode.
The location of the broadcast message is the common space, and every UE has to decode the messages in the common space, but the location of the unicast message is a UE-specific space, and it is determined according to the RNTI.
So the message should be decoded at the UE-specific space.
With these extra efforts, unicast messages can also be injected via SigOver.
Now, I will introduce attack scenarios using RRC connection release message injection.
In this attack, the attacker is assumed to know the IMSI or RNTI of the victim.
We also assume that the attacker is located where he can hear signals from the legitimate base station, such as the victim UE.
Attack scenarios can be divided into two.
The first situation is when there is a vulnerability on the device.
In this case, the attacker needs to know the IMSI or RNTI.
If the victim UE has the vulnerability that it accepts security-unprotected messages even after security activation, the attacker can easily inject the unicast message.
We could find this vulnerability while developing methods to test devices' vulnerability.
The second situation is when there is no vulnerability on the device.
In this case the attacker needs to know the IMSI.
Then the attacker needs to inject the message before security activation.
For this attack, additional technical implementations are needed.
Actually, this implementation is in progress.
Now, the first scenario is when there is a vulnerability in the UE.
This UE has a vulnerability that receives unprotected messages even in the presence of a security context.
The victim UE is now connected to the legitimate network and has finished the security process.
So the victim UE has a security context and it is using normal cellular service.
Then the attacker injects an unprotected RRC connection release message to the UE.
Due to the vulnerability, the UE accepts the security-unprotected RRC connection release message.
Then the UE disconnects the existing connection and is redirected to the attacker's fake base station and requests a connection.
The second scenario is when there is no vulnerability on the UE.
The victim UE is now connected to the legitimate network and has finished the security process, so the victim UE has a security context and it only accepts security-protected messages.
Thus the attacker cannot inject messages for now.
So the attacker must delete the UE's security context in order for the victim to receive the attacker's unprotected messages.
To do this, the attacker injects an IMSI paging message.
According to the 3GPP specification, when the UE receives the IMSI paging message, it should immediately terminate all service sessions and delete parameters including the security key.
So by injecting an IMSI paging message, the attacker can delete the security context of the victim.
After the UE terminates the existing connection, it starts over the attach procedure with the base station.
Before the victim UE finishes the security procedure, the attacker injects an RRC connection release message.
When there is no security context, the UE is allowed to receive the security-unprotected RRC connection release message.
Therefore the UE processes the attacker's message and sends a connection request to the attacker's fake base station.
So far we have introduced attacks that bring targeted victims to the fake base station.
But the existing fake base station attack can bring all the unspecified UEs to it.
From an FBS attacker's point of view, it may be easier and better to attach all the UEs around.
Then we need to know if this takeover attack can do the same thing.
In this attack, the attacker constantly monitors downlink messages from the commercial base station to acquire the RNTI from the RRC connection setup message.
Once the attacker gets the RNTI, the attacker injects the RRC connection release message.
The attacker can repeat the entire process until he brings all the UEs around.
To verify this attack, we used a Galaxy S4.
The Galaxy S4 is one of the vulnerable devices that receives an unprotected message even in the presence of a security context.
This vulnerability was discovered while studying methods to test devices' vulnerability.
In this case we could inject an RRC connection release message to the UE without deleting the security context.
To inject the RRC connection release message, we used the free open source LTE software srsLTE and a USRP X310.
When the UE is normally connected to the cellular network, we injected a crafted message to redirect the victim UE to the attacker's fake base station's frequency, 363.
Okay.
The injected message contains the redirectedCarrierInfo field and the idleModeMobilityControlInfo field.
The redirectedCarrierInfo field is set to the LTE frequency type and contains 363, the frequency of the fake base station.
The idleModeMobilityControlInfo field contains a list of the normal base station's frequency and the attacker's frequency.
At this time, the priority of the attacker's frequency is set to the highest to ensure that the victim definitely passes over to the fake base station.
Here is the demonstration of the attack.
So at the first time, the victim's phone is connected to the legitimate base station 100, and the attacker is operating base station 363.
Then the attacker injects the message.
And as you could see on the monitor, the signal was injected, and the injected message has the contents as follows.
And this is the same as what I said before.
And then, as you can see on the base station's monitor, the victim's phone is connected to the base station.
And if you see the packets during the attack, you can see that one is the injected message.
After that the victim's phone makes a new connection with the fake base station.
So it moved from 100 to 363.
So after this attack we could do anything like a man-in-the-middle attack and so on.
So in the previous demo, the victim UE was connected to a commercial base station and then moved to a fake base station that had never been connected.
Let's sum up the fake base station attack using SigOver.
First, this attack requires much less power and is easier than the traditional fake base station attacks.
As a result, the chance of being detected decreases and the effective range increases.
Second, the attacker can choose the victim to move to the fake base station.
Since the attacker injects a unicast message, only the targeted UE is affected.
Therefore the chance of being detected is also reduced.
And it allows the attacker to definitely force the target to attach to a fake base station.
Finally, the attacker's fake base station can be not only an LTE base station but also a 3G or 2G base station.
As the 3G or 2G base stations are more vulnerable, the attacker can perform more severe attacks.
And now I'm going to talk about some countermeasures, discussion, conclusion and future work.
For future work, to make this attack possible for all the UEs, actually, additional implementations are needed.
First, it should be implemented to find out the identity of the victim using the IMSI.
An attacker can do this by monitoring the RRC connection setup message after sending the IMSI paging.
Actually it is already possible, but it must be optimized with injecting techniques in real time.
Second, it should be implemented to inject the message before the security process ends.
To do this, there is little time to inject messages, as you can see in the figure, so hardware optimizations are necessary.
Although there are some things that need to be implemented, we expect that this attack will be possible on every UE if the hardware is fully optimized.
And for the countermeasures for this attack, the secure solution against the SigOver attack on the message is to use a digital signature.
Currently, only a single injected message can cause a long-term denial of service.
Once the message is protected with a digital signature, it can prevent the attacks introduced so far.
Plus, the attack cost would be increased.
This is because the attacker has to inject the wrong message continuously to cause denial of service in the presence of the digital signature.
Moreover, it becomes possible to detect the presence of the attack.
Actually, this is possible because from 5G, the operator's public key will be stored in the USIM.
In fact, 3GPP is recently studying the FBS problem and the lack of integrity protection of broadcast information.
And since Hojin first published the SigOver attack on broadcast messages last August, we have received many requests to release the attack code as open source.
However, we have some reasons that we can't.
The first reason is that according to the GSMA, an organization for cellular carriers, the GSMA has no objection to any security research being open sourced where there is a clear security benefit and there is no risk posed to innocent users.
Releasing this code clearly has some security benefits.
However, unfortunately, the proposed attack can affect a large number of innocent users around.
So it might be hard to release the attack code.
And another reason is the quality of the code.
Thank you.
Currently the code we made is not well organized to make it open source.
In conclusion,
we presented the SigOver attack, physically overwriting specific subframes.
SigOver is a new exploit on an unpatched, insecure channel in the LTE network.
Compared to attacks using fake base stations,
SigOver is way cheaper and stealthier.
Also, we found new attacks on the physical channel
by injecting broadcast messages.
We could cause denial of service, access
barring, a signaling storm and fake emergency alerts.
And by injecting unicast messages we could force
a targeted victim to move to the fake base station.
Finally,
I expect this SigOver attack will be used in the wild.
Therefore,
not only cellular networks but all the systems based on cellular networks,
such as vehicle-to-everything, can be affected.
In the future, mobile communication technologies such as 5G and 6G are
developed,
so more secure systems should be made
by considering the security of the physical layer,
which was not considered before.
Therefore,
I strongly suggest 3GPP to use digital
signatures for the physical channel despite its difficulty.
Thank you.
And for the last, we have responsibly disclosed
these attacks to the GSMA and Qualcomm.
Thank you for listening, and if you have any questions please let us know.
And if you have any long questions,
please email us through the emails on the slide,
and
the photo is our lab photo, and my supervisor is Yongdae Kim.
Maybe some of you have heard about him
because he's doing a lot of research about security.
So
anyway, thank you.
Herald: All right, thank you too. So far we have around 10 minutes for questions.
So if you have questions for the speakers, please go to one of the room mics.
And while we let you ask your question,
do we already have people lined up?
Let's start with a question from the Signal Angel.
There's one question:
are these methods similar to,
or the same as, those used
by law enforcement? The user mentioned Stingray as an example.
Ah, pardon please?
Where, where are you? Can you raise your hands? I can say okay.
Herald: It's a question from the internet. So,
are these methods similar to,
or the same as, those used by law enforcement?
Law enforcement, police.
Yeah, maybe
it might be possible.
But actually, as I know, using the frequency
that legitimate base stations use is already illegal.
So
I think that cannot be the solution.
Herald: Alright. I actually don't see anybody yet, but there is one at mic three. Please.
Yes. So you showed us the subframe that you replace.
Why can't you hash
the values for integrity?
So the replacement will be kind of hard to do.
Maybe that also can be a problem and solution, but using hash, right,
I said probably.
So
just to checksum the full frame, so if you replace the subframe,
that should be involved.
Yeah, that can be a solution,
but I think we have to think about how
to connect a secure connection at the first time.
If we don't have anything between, like,
the UE and the network,
maybe sending some hash also will be challenging. Maybe.
Is that... can that be a solution to your question?
Herald: There you go.
Yes, so I'm not
sure if I understood. So, you know that I could
have,
let's say, 10 frames.
Can you replace
subframe two?
Right,
yep.
Yes. So if all
the 10 frames will be hashed,
your replacement will be detected.
Is it possible on multiple levels
to change the
standard to have some hashing or integrity?
Yeah, maybe that will be possible,
but I think we need another way to transfer the hash value to check the connection.
Well, I think that can also be another solution.
Herald: Alright, let's go to mic one.
Um, I would like to know what
your personal
opinion and feeling
is, um, if this will
be mitigated
by the vendors and the standard
bodies.
I mean, will they fix it?
Ah, in the future? Right.
Of course. In the future; they cannot fix it in
the past. Right?
Yeah, so
maybe as I said before,
like, the GSMA is already considering these
attacks and they have some regular meetings.
Maybe the last meeting was in Nevada in November. And maybe in the future they will,
but not for now. So
maybe you have to ask
if there is any person from 3GPP.
Okay.
Herald: Okay. Alright. Thanks.
Does the Signal Angel have any other questions? No.
Then I think this concludes the question and answer section. Thanks
again.
Thank you.