[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:19.34,0:00:21.66,Default,,0000,0000,0000,,Herald: Okay, very warm welcome everybody.
Dialogue: 0,0:00:22.54,0:00:24.38,Default,,0000,0000,0000,,It's my great pleasure to announce this next talk
Dialogue: 0,0:00:24.38,0:00:26.56,Default,,0000,0000,0000,,which is going to be called SigOver + alpha
Dialogue: 0,0:00:26.57,0:00:29.52,Default,,0000,0000,0000,,where CheolJun Park and Mincheol Son are going
Dialogue: 0,0:00:29.52,0:00:33.15,Default,,0000,0000,0000,,to be talking about signal overshadowing attacks in LTE
Dialogue: 0,0:00:33.64,0:00:37.14,Default,,0000,0000,0000,,The two of them are researchers at the KIST in Korea,
Dialogue: 0,0:00:37.14,0:00:39.76,Default,,0000,0000,0000,,the Korean Advanced Institute of Science and Technology
Dialogue: 0,0:00:40.34,0:00:45.22,Default,,0000,0000,0000,,and I'm really interested in hearing about the exploits these two found.
Dialogue: 0,0:00:45.23,0:00:49.76,Default,,0000,0000,0000,,Please give them a huge warm welcome with an applause thank you.
Dialogue: 0,0:00:50.27,0:00:53.40,Default,,0000,0000,0000,,[Applause]
Dialogue: 0,0:00:53.54,0:00:59.48,Default,,0000,0000,0000,,Mincheol: Thank you. Good afternoon. Welcome to our talk. The name SigOver + Alpha
Dialogue: 0,0:00:59.51,0:01:05.77,Default,,0000,0000,0000,,what we're talking about is very interesting, realistic and a new attack in LTE.
Dialogue: 0,0:01:06.54,0:01:07.76,Default,,0000,0000,0000,,my name is Mincheol.
Dialogue: 0,0:01:08.44,0:01:13.38,Default,,0000,0000,0000,,I'm a graduate student at System Security Lab at KAIST.
Dialogue: 0,0:01:13.38,0:01:18.16,Default,,0000,0000,0000,,My research interest is in cellular networks and comparison analysis.
Dialogue: 0,0:01:18.54,0:01:20.57,Default,,0000,0000,0000,,CheolJun: Hi, my name is CheolJun
Dialogue: 0,0:01:20.60,0:01:25.57,Default,,0000,0000,0000,,and I'm also a PhD student in security systems security lab in KAIST
Dialogue: 0,0:01:25.94,0:01:28.57,Default,,0000,0000,0000,,My research interest is also cellular
Dialogue: 0,0:01:28.57,0:01:32.36,Default,,0000,0000,0000,,network systems and mobile security analysis.
Dialogue: 0,0:01:33.24,0:01:38.96,Default,,0000,0000,0000,,In this presentation we prepared a lot of interesting attack demo videos
Dialogue: 0,0:01:40.04,0:01:43.46,Default,,0000,0000,0000,,and Mincheol will talk in the first half of the presentation
Dialogue: 0,0:01:43.84,0:01:47.78,Default,,0000,0000,0000,,about some introductions on LTE network and concepts on Sig
Dialogue: 0,0:01:47.78,0:01:52.36,Default,,0000,0000,0000,,over attack and broadcasting message injection using SigOver.
Dialogue: 0,0:01:52.74,0:01:55.01,Default,,0000,0000,0000,,Then I will talk in the remaining part of
Dialogue: 0,0:01:55.02,0:01:58.65,Default,,0000,0000,0000,,the presentation about a little more advanced attack.
Dialogue: 0,0:02:01.84,0:02:03.36,Default,,0000,0000,0000,,Mincheol: Okay, let's start.
Dialogue: 0,0:02:03.84,0:02:08.50,Default,,0000,0000,0000,,First of all what I'm going to talk about is the cellular network.
Dialogue: 0,0:02:08.54,0:02:11.96,Default,,0000,0000,0000,,All of us use our cell phone for voice calls
Dialogue: 0,0:02:11.96,0:02:17.81,Default,,0000,0000,0000,,playing games or watching a video anywhere at any time.
Dialogue: 0,0:02:18.93,0:02:25.23,Default,,0000,0000,0000,,And the mobile phone has been developed from first generation to fourth generation
Dialogue: 0,0:02:25.28,0:02:28.06,Default,,0000,0000,0000,,As shown in the figure on the right
Dialogue: 0,0:02:28.06,0:02:32.12,Default,,0000,0000,0000,,And 5th generation services have now started.
Dialogue: 0,0:02:32.15,0:02:36.90,Default,,0000,0000,0000,,Today we are going to talk about new and powerful attack
Dialogue: 0,0:02:36.91,0:02:40.16,Default,,0000,0000,0000,,techniques that can be used for attacks in LTE.
Dialogue: 0,0:02:41.34,0:02:44.79,Default,,0000,0000,0000,,Also we will explain some examples of attacks
Dialogue: 0,0:02:44.98,0:02:47.06,Default,,0000,0000,0000,,and show demonstrations of them.
Dialogue: 0,0:02:51.24,0:02:53.78,Default,,0000,0000,0000,,To understand the main contents,
Dialogue: 0,0:02:53.84,0:02:56.06,Default,,0000,0000,0000,,we need a background for LTE.
Dialogue: 0,0:02:56.07,0:03:01.55,Default,,0000,0000,0000,,The LTE system is largely composed of UEs such as a smartphone
Dialogue: 0,0:03:01.94,0:03:04.94,Default,,0000,0000,0000,,used by your user for LTE service
Dialogue: 0,0:03:05.14,0:03:10.36,Default,,0000,0000,0000,,and our base station is in charge of transmitting and receiving radio signals.
Dialogue: 0,0:03:11.04,0:03:14.40,Default,,0000,0000,0000,,And our core network for the mobility management,
Dialogue: 0,0:03:14.41,0:03:18.05,Default,,0000,0000,0000,,authentication and data services of the user.
Dialogue: 0,0:03:19.04,0:03:22.46,Default,,0000,0000,0000,,For control messages such as radio connection,
Dialogue: 0,0:03:23.24,0:03:26.96,Default,,0000,0000,0000,,The UE and base station use RRC protocols.
Dialogue: 0,0:03:28.14,0:03:29.83,Default,,0000,0000,0000,,Similarly, the UE
Dialogue: 0,0:03:29.83,0:03:35.25,Default,,0000,0000,0000,,and the core network sent and receive control messages with NAS protocols
Dialogue: 0,0:03:35.94,0:03:40.24,Default,,0000,0000,0000,,The main part of our talk are the UE and the base station.
Dialogue: 0,0:03:40.24,0:03:47.14,Default,,0000,0000,0000,,If so, how does the UE establish a radio connection with the base station
Dialogue: 0,0:03:47.15,0:03:49.77,Default,,0000,0000,0000,,and use the LTE service?
Dialogue: 0,0:03:50.54,0:03:55.46,Default,,0000,0000,0000,,First, the UE has to decide which base station to connect to.
Dialogue: 0,0:03:56.20,0:03:57.51,Default,,0000,0000,0000,,To do this,
Dialogue: 0,0:03:57.52,0:04:03.80,Default,,0000,0000,0000,,the UE scans the LTE frequency band and selects the most stable base station
Dialogue: 0,0:04:03.81,0:04:09.96,Default,,0000,0000,0000,,by considering the frequency priority and signal strength of the base station.
Dialogue: 0,0:04:12.72,0:04:14.46,Default,,0000,0000,0000,,After selecting one base station,
Dialogue: 0,0:04:15.04,0:04:17.56,Default,,0000,0000,0000,,the UEs start the attach procedure
Dialogue: 0,0:04:18.04,0:04:19.85,Default,,0000,0000,0000,,with the base station
Dialogue: 0,0:04:20.24,0:04:22.74,Default,,0000,0000,0000,,First, so UE receives
Dialogue: 0,0:04:23.54,0:04:25.57,Default,,0000,0000,0000,,PSS and SSS signal
Dialogue: 0,0:04:26.19,0:04:27.92,Default,,0000,0000,0000,,sent by the base station.
Dialogue: 0,0:04:28.23,0:04:29.21,Default,,0000,0000,0000,,In turn,
Dialogue: 0,0:04:29.64,0:04:32.66,Default,,0000,0000,0000,,MIB and SIB are decoded.
Dialogue: 0,0:04:33.44,0:04:36.56,Default,,0000,0000,0000,,All three messages are broadcast messages
Dialogue: 0,0:04:36.74,0:04:38.66,Default,,0000,0000,0000,,sent by the base station.
Dialogue: 0,0:04:39.24,0:04:42.56,Default,,0000,0000,0000,,They are used to match time synchronization
Dialogue: 0,0:04:43.04,0:04:46.58,Default,,0000,0000,0000,,to know boundaries or transmission scheme and
Dialogue: 0,0:04:46.58,0:04:49.36,Default,,0000,0000,0000,,to know information about the base station.
Dialogue: 0,0:04:50.14,0:04:52.36,Default,,0000,0000,0000,,After the broadcast message
Dialogue: 0,0:04:53.64,0:04:55.30,Default,,0000,0000,0000,,the UE establishes
Dialogue: 0,0:04:55.48,0:04:56.55,Default,,0000,0000,0000,,a radio connection
Dialogue: 0,0:04:57.24,0:04:58.35,Default,,0000,0000,0000,,with the base station.
Dialogue: 0,0:04:58.84,0:05:04.72,Default,,0000,0000,0000,,This process is done using the RRC protocol messages after which the UE
Dialogue: 0,0:05:04.72,0:05:08.16,Default,,0000,0000,0000,,Proceeds with secret setup for the NAS protocol.
Dialogue: 0,0:05:09.34,0:05:10.66,Default,,0000,0000,0000,,Throughout this process,
Dialogue: 0,0:05:11.14,0:05:14.77,Default,,0000,0000,0000,,the UE and the core network share the key and algorithms
Dialogue: 0,0:05:14.98,0:05:17.16,Default,,0000,0000,0000,,for encryption and integrity check.
Dialogue: 0,0:05:18.04,0:05:21.16,Default,,0000,0000,0000,,The security setup process is also performed
Dialogue: 0,0:05:21.74,0:05:23.66,Default,,0000,0000,0000,,between the UE and the base station.
Dialogue: 0,0:05:25.14,0:05:27.91,Default,,0000,0000,0000,,After this series of procedures the you
Dialogue: 0,0:05:27.91,0:05:32.55,Default,,0000,0000,0000,,can attach successfully and use the LTE service.
Dialogue: 0,0:05:34.14,0:05:37.70,Default,,0000,0000,0000,,And then, what attack is possible against the UE
Dialogue: 0,0:05:37.70,0:05:41.76,Default,,0000,0000,0000,,connected to the network and using the service?
Dialogue: 0,0:05:42.74,0:05:47.96,Default,,0000,0000,0000,,The most widely used method used so far is to use a fake base station.
Dialogue: 0,0:05:48.94,0:05:51.57,Default,,0000,0000,0000,,An attacker could use a fake base station
Dialogue: 0,0:05:51.58,0:05:54.80,Default,,0000,0000,0000,,that behaves like a legitimate base station,
Dialogue: 0,0:05:54.81,0:05:56.54,Default,,0000,0000,0000,,causing the victim UE
Dialogue: 0,0:05:56.85,0:06:03.66,Default,,0000,0000,0000,,to disconnect from the legitimate base station and connect to the fake base station.
Dialogue: 0,0:06:05.04,0:06:07.14,Default,,0000,0000,0000,,This is possible because the UE
Dialogue: 0,0:06:07.14,0:06:11.16,Default,,0000,0000,0000,,preferentially tries to connect to a strong base station.
Dialogue: 0,0:06:12.64,0:06:16.36,Default,,0000,0000,0000,,Several attacks using FBS have been introduced,
Dialogue: 0,0:06:16.84,0:06:17.68,Default,,0000,0000,0000,,including
Dialogue: 0,0:06:18.14,0:06:19.00,Default,,0000,0000,0000,,man in the middle of attack,
Dialogue: 0,0:06:19.42,0:06:22.25,Default,,0000,0000,0000,,denial of services, user identity leak,
Dialogue: 0,0:06:22.84,0:06:24.58,Default,,0000,0000,0000,,fake emergency alert
Dialogue: 0,0:06:24.89,0:06:25.45,Default,,0000,0000,0000,,and so on.
Dialogue: 0,0:06:26.84,0:06:29.28,Default,,0000,0000,0000,,As such, the fake base station attack
Dialogue: 0,0:06:29.28,0:06:32.66,Default,,0000,0000,0000,,using the characteristics of the radio communication
Dialogue: 0,0:06:33.24,0:06:37.46,Default,,0000,0000,0000,,is actively used for research or actual attacks.
Dialogue: 0,0:06:38.54,0:06:42.50,Default,,0000,0000,0000,,And then, here is the questions:
Dialogue: 0,0:06:43.17,0:06:50.95,Default,,0000,0000,0000,,Is the FBS attack the only attack method using the characteristics of LTE radio connection,
Dialogue: 0,0:06:52.14,0:06:57.45,Default,,0000,0000,0000,,or should the victim UEs always be connected to the FBS for wireless attacks?
Dialogue: 0,0:06:58.64,0:07:00.26,Default,,0000,0000,0000,,The answer is no,
Dialogue: 0,0:07:01.24,0:07:06.46,Default,,0000,0000,0000,,there is a more intuitive and powerful attack methods than FBS.
Dialogue: 0,0:07:08.14,0:07:10.45,Default,,0000,0000,0000,,It is a signal overshadowing attack.
Dialogue: 0,0:07:11.04,0:07:13.05,Default,,0000,0000,0000,,While the previous FBS attack
Dialogue: 0,0:07:13.54,0:07:18.16,Default,,0000,0000,0000,,use the characteristic of selecting a stronger signal base station,
Dialogue: 0,0:07:18.64,0:07:21.16,Default,,0000,0000,0000,,the SigOver attack uses
Dialogue: 0,0:07:21.94,0:07:24.96,Default,,0000,0000,0000,,the characteristic of wireless communication
Dialogue: 0,0:07:25.34,0:07:27.65,Default,,0000,0000,0000,,to decode the stronger signal
Dialogue: 0,0:07:28.04,0:07:31.96,Default,,0000,0000,0000,,when different signals are transmitted as the same frequency.
Dialogue: 0,0:07:33.34,0:07:36.16,Default,,0000,0000,0000,,This is listed by the figure below
Dialogue: 0,0:07:37.54,0:07:43.75,Default,,0000,0000,0000,,the normal base station continuously transmits LTE signals in time and frequency.
Dialogue: 0,0:07:44.24,0:07:47.96,Default,,0000,0000,0000,,The UE then receives and decodes the signal.
Dialogue: 0,0:07:48.74,0:07:55.23,Default,,0000,0000,0000,,If the attacker can match the time and frequency exactly with the normal signal and
Dialogue: 0,0:07:55.24,0:07:59.44,Default,,0000,0000,0000,,transmit a stronger signal than real signal
Dialogue: 0,0:07:59.45,0:08:03.56,Default,,0000,0000,0000,,the UE will decode the stronger signal.
Dialogue: 0,0:08:04.74,0:08:08.76,Default,,0000,0000,0000,,This is the signal overshadowing attack that overrides the LTE signal.
Dialogue: 0,0:08:09.84,0:08:12.45,Default,,0000,0000,0000,,If the signal overshadowing attack is possible,
Dialogue: 0,0:08:13.03,0:08:15.66,Default,,0000,0000,0000,,then what message can be used to overwrite?
Dialogue: 0,0:08:18.14,0:08:22.76,Default,,0000,0000,0000,,The messages we can overwrite are those with no security protection.
Dialogue: 0,0:08:23.34,0:08:26.56,Default,,0000,0000,0000,,First, there is a broadcast message.
Dialogue: 0,0:08:26.94,0:08:31.65,Default,,0000,0000,0000,,The broadcast messages of base stations and signal for all users
Dialogue: 0,0:08:32.04,0:08:35.62,Default,,0000,0000,0000,,with no consideration for encryption and
Dialogue: 0,0:08:35.62,0:08:38.16,Default,,0000,0000,0000,,integrity checks in LTE specification.
Dialogue: 0,0:08:38.74,0:08:44.45,Default,,0000,0000,0000,,Second, there is a message that can be used for an attack because
Dialogue: 0,0:08:44.84,0:08:50.38,Default,,0000,0000,0000,,it is unprotected among messages transmitted only to a specific user,
Dialogue: 0,0:08:50.39,0:08:52.16,Default,,0000,0000,0000,,not a broadcast message.
Dialogue: 0,0:08:52.74,0:08:57.45,Default,,0000,0000,0000,,One reason that it is not is protected is a bug in the UE implementation.
Dialogue: 0,0:08:58.34,0:08:59.75,Default,,0000,0000,0000,,The other is that
Dialogue: 0,0:09:00.14,0:09:03.26,Default,,0000,0000,0000,,there are several messages in the specification.
Dialogue: 0,0:09:03.64,0:09:07.26,Default,,0000,0000,0000,,There are low [protected?] messages before performing security setup.
Dialogue: 0,0:09:08.04,0:09:12.06,Default,,0000,0000,0000,,The details of the SigOver attack will be discussed one by one.
Dialogue: 0,0:09:13.34,0:09:19.16,Default,,0000,0000,0000,,First, I will explain what to serve in order to perform the SigOver attack
Dialogue: 0,0:09:20.14,0:09:25.12,Default,,0000,0000,0000,,And how the SigOver attack is different from the existing FBS attack
Dialogue: 0,0:09:25.34,0:09:30.16,Default,,0000,0000,0000,,and what kinds of attacks are possible using broadcast messages and SigOver.
Dialogue: 0,0:09:30.64,0:09:35.26,Default,,0000,0000,0000,,Lastly, CheolJun will explain attacks using unicast messages
Dialogue: 0,0:09:35.74,0:09:37.78,Default,,0000,0000,0000,,and then discuss something like
Dialogue: 0,0:09:37.91,0:09:39.46,Default,,0000,0000,0000,,countermeasure and future works.
Dialogue: 0,0:09:41.64,0:09:46.36,Default,,0000,0000,0000,,So first there are some challenges and questions for the SigOver attack.
Dialogue: 0,0:09:47.04,0:09:52.34,Default,,0000,0000,0000,,First, we should consider which part of the signal we override.
Dialogue: 0,0:09:53.14,0:09:55.36,Default,,0000,0000,0000,,If too many signals are overwritten
Dialogue: 0,0:09:55.74,0:10:02.06,Default,,0000,0000,0000,,the UE will now receive no normal signals causing only those effects such as jamming
Dialogue: 0,0:10:02.94,0:10:03.95,Default,,0000,0000,0000,,On the contrary,
Dialogue: 0,0:10:04.28,0:10:06.56,Default,,0000,0000,0000,,if too few signals are covered
Dialogue: 0,0:10:07.14,0:10:10.93,Default,,0000,0000,0000,,the difficulty of the attack increases and the
Dialogue: 0,0:10:10.93,0:10:13.86,Default,,0000,0000,0000,,UE may not be able to decode properly.
Dialogue: 0,0:10:14.84,0:10:18.95,Default,,0000,0000,0000,,The second challenge is how to synchronize time and frequency.
Dialogue: 0,0:10:19.54,0:10:24.76,Default,,0000,0000,0000,,This is the most important challenge in SigOver attack where the attack signal
Dialogue: 0,0:10:24.76,0:10:29.16,Default,,0000,0000,0000,,must be accurately overwritten on the signal of the normal base station.
Dialogue: 0,0:10:29.84,0:10:32.86,Default,,0000,0000,0000,,Finally, how much area is okay,
Dialogue: 0,0:10:33.84,0:10:37.16,Default,,0000,0000,0000,,even if the signal is transmitted like a normal base station,
Dialogue: 0,0:10:37.74,0:10:41.28,Default,,0000,0000,0000,,there may be a slight error in time or frequency.
Dialogue: 0,0:10:41.29,0:10:44.59,Default,,0000,0000,0000,,Therefore it is necessary to know how much
Dialogue: 0,0:10:44.60,0:10:49.46,Default,,0000,0000,0000,,accuracy is required for the UE to properly decode the signal.
Dialogue: 0,0:10:50.84,0:10:54.56,Default,,0000,0000,0000,,I will explain the details of these three challenges and questions
Dialogue: 0,0:10:56.24,0:10:58.36,Default,,0000,0000,0000,,to answer about the first question.
Dialogue: 0,0:10:58.84,0:11:01.45,Default,,0000,0000,0000,,Let's look at the LTE frame structure first.
Dialogue: 0,0:11:02.44,0:11:07.58,Default,,0000,0000,0000,,An LTE frame consists of multiple subframes and a subframe has
Dialogue: 0,0:11:07.58,0:11:11.76,Default,,0000,0000,0000,,multiple symbols and the message is included in our subframe,
Dialogue: 0,0:11:12.84,0:11:16.65,Default,,0000,0000,0000,,meaning that there are various options to be overshadowed.
Dialogue: 0,0:11:18.04,0:11:21.96,Default,,0000,0000,0000,,Symbol overshadowing requires precise synchronization.
Dialogue: 0,0:11:22.44,0:11:25.35,Default,,0000,0000,0000,,So success rate is hard to guarantee
Dialogue: 0,0:11:25.94,0:11:31.76,Default,,0000,0000,0000,,on the other end, frame level overshadowing requires to rewrite multiple subframes
Dialogue: 0,0:11:32.14,0:11:36.85,Default,,0000,0000,0000,,or multiple messages. It can also affect other normal messages.
Dialogue: 0,0:11:37.44,0:11:41.76,Default,,0000,0000,0000,,So it is quite natural to overshadow in the subframe level.
Dialogue: 0,0:11:44.14,0:11:49.26,Default,,0000,0000,0000,,Next, let's look at the time synchronization first along synchronization issues
Dialogue: 0,0:11:49.84,0:11:52.81,Default,,0000,0000,0000,,Attacker's subframe and legitimate subframe
Dialogue: 0,0:11:52.82,0:11:56.26,Default,,0000,0000,0000,,must arrive at the UE simultaneously
Dialogue: 0,0:11:56.74,0:12:00.55,Default,,0000,0000,0000,,in order to override our particular subframe accurately.
Dialogue: 0,0:12:01.34,0:12:07.06,Default,,0000,0000,0000,,For simplicity, let's assume there is no propagation delay for now.
Dialogue: 0,0:12:08.34,0:12:13.65,Default,,0000,0000,0000,,The attacker utilized synchronization signal called PSS and SSS
Dialogue: 0,0:12:14.14,0:12:17.65,Default,,0000,0000,0000,,to get accurate time synchronization as they are sent
Dialogue: 0,0:12:18.24,0:12:21.15,Default,,0000,0000,0000,,periodically from the legitimate base station.
Dialogue: 0,0:12:22.10,0:12:27.33,Default,,0000,0000,0000,,But concretely, first, the attacker issues PSS, SSS
Dialogue: 0,0:12:27.34,0:12:30.50,Default,,0000,0000,0000,,to get frame timing of legitimate base station,
Dialogue: 0,0:12:30.51,0:12:36.36,Default,,0000,0000,0000,,meaning that the attacker can identify the frame timing t0, t1, and t2.
Dialogue: 0,0:12:37.14,0:12:40.48,Default,,0000,0000,0000,,Second, once the attacker runs the timing,
Dialogue: 0,0:12:40.49,0:12:43.86,Default,,0000,0000,0000,,she can predict the timing of the target subframe,
Dialogue: 0,0:12:44.74,0:12:50.06,Default,,0000,0000,0000,,since each subframe has fixed size which is one millisecond.
Dialogue: 0,0:12:51.04,0:12:56.56,Default,,0000,0000,0000,,For example, if the attacker overshadows the second subframe of frame 566
Dialogue: 0,0:12:57.14,0:13:02.66,Default,,0000,0000,0000,,then she can transmit the malicious subframe at t2 plus one millisecond.
Dialogue: 0,0:13:03.24,0:13:07.89,Default,,0000,0000,0000,,Now the attacker signal arrives at the UE simultaneously.
Dialogue: 0,0:13:07.90,0:13:11.76,Default,,0000,0000,0000,,Since we assume that there is no propagation delay.
Dialogue: 0,0:13:13.04,0:13:18.86,Default,,0000,0000,0000,,However in real life there is propagation delay depending on the location,
Dialogue: 0,0:13:19.54,0:13:22.50,Default,,0000,0000,0000,,meaning that the zero will be delayed due
Dialogue: 0,0:13:22.50,0:13:26.05,Default,,0000,0000,0000,,to the propagation delay or PSS and SSS.
Dialogue: 0,0:13:26.74,0:13:31.15,Default,,0000,0000,0000,,Also, if the attacker is located far from the UE,
Dialogue: 0,0:13:31.54,0:13:33.14,Default,,0000,0000,0000,,more delay would be added.
Dialogue: 0,0:13:33.64,0:13:38.02,Default,,0000,0000,0000,,The delay could be compensated if the attacker precisely locate
Dialogue: 0,0:13:38.17,0:13:40.15,Default,,0000,0000,0000,,the UE and the base station.
Dialogue: 0,0:13:40.84,0:13:44.16,Default,,0000,0000,0000,,But it is not realistic in the wild
Dialogue: 0,0:13:46.24,0:13:49.26,Default,,0000,0000,0000,,the delay is up to some maximum value
Dialogue: 0,0:13:49.84,0:13:53.35,Default,,0000,0000,0000,,because they are located within range of the base station.
Dialogue: 0,0:13:54.04,0:13:58.66,Default,,0000,0000,0000,,So in practice there is a delay that cannot be compensated
Dialogue: 0,0:13:59.54,0:14:02.06,Default,,0000,0000,0000,,so subframes cannot be aligned exactly
Dialogue: 0,0:14:02.94,0:14:09.56,Default,,0000,0000,0000,,so then we can count on the LTE UE
Dialogue: 0,0:14:10.24,0:14:15.36,Default,,0000,0000,0000,,LTE is designed to be reliable especially in outdoor environments.
Dialogue: 0,0:14:15.74,0:14:24.00,Default,,0000,0000,0000,,In outdoor UE can move with using point or so there is a reflect effect because of buildings.
Dialogue: 0,0:14:24.01,0:14:27.46,Default,,0000,0000,0000,,So we expected that the UE would compensate
Dialogue: 0,0:14:27.84,0:14:33.45,Default,,0000,0000,0000,,such small errors if the subframe is somewhat is synchronized but not exactly.
Dialogue: 0,0:14:34.44,0:14:39.96,Default,,0000,0000,0000,,So the question is how much can the UE tolerate this delay error?
Dialogue: 0,0:14:40.94,0:14:47.15,Default,,0000,0000,0000,,Since it is chipset dependent we measured the max delay tolerance of two COTS smartphones
Dialogue: 0,0:14:47.84,0:14:53.15,Default,,0000,0000,0000,,and result is around 12 and 11 microseconds each
Dialogue: 0,0:14:53.64,0:14:56.49,Default,,0000,0000,0000,,And both results exceed max delay of
Dialogue: 0,0:14:56.78,0:15:00.75,Default,,0000,0000,0000,,the urban base station which is around eight microseconds.
Dialogue: 0,0:15:01.44,0:15:05.85,Default,,0000,0000,0000,,So this means that the attack can succeed
Dialogue: 0,0:15:05.85,0:15:08.45,Default,,0000,0000,0000,,regardless of the location of the base station
Dialogue: 0,0:15:08.84,0:15:10.25,Default,,0000,0000,0000,,and the victim UEs.
Dialogue: 0,0:15:10.74,0:15:15.18,Default,,0000,0000,0000,,In summary, the attacker can be anywhere within the range
Dialogue: 0,0:15:15.18,0:15:17.96,Default,,0000,0000,0000,,of the base station to succeed the attack.
Dialogue: 0,0:15:20.64,0:15:24.26,Default,,0000,0000,0000,,The last one to solve is frequency synchronization.
Dialogue: 0,0:15:24.94,0:15:29.62,Default,,0000,0000,0000,,LTE standard specifies the minimum frequency accuracy that
Dialogue: 0,0:15:29.63,0:15:33.25,Default,,0000,0000,0000,,LTE base station must have as 50 ppb.
Dialogue: 0,0:15:33.84,0:15:37.47,Default,,0000,0000,0000,,So for precise synchronization,
Dialogue: 0,0:15:37.48,0:15:42.15,Default,,0000,0000,0000,,the attacker needs to use a sufficiently accurate frequency
Dialogue: 0,0:15:42.94,0:15:48.95,Default,,0000,0000,0000,,after that, residual frequency error can be compensated by CFO
Dialogue: 0,0:15:48.97,0:15:50.60,Default,,0000,0000,0000,,correction algorithm.
Dialogue: 0,0:15:53.54,0:15:57.34,Default,,0000,0000,0000,,Since the SigOver was wrong on a typical
Dialogue: 0,0:15:58.15,0:16:03.18,Default,,0000,0000,0000,,SDR kit with an inaccurate oscillator, we adopt GPSDO.
Dialogue: 0,0:16:03.21,0:16:05.90,Default,,0000,0000,0000,,To improve its frequency accuracy.
Dialogue: 0,0:16:06.04,0:16:10.92,Default,,0000,0000,0000,,GPSDO guarantees 25 ppb accuracy
Dialogue: 0,0:16:10.94,0:16:14.86,Default,,0000,0000,0000,,without GPS antenna and 1 ppb with GPS antenna.
Dialogue: 0,0:16:15.94,0:16:19.66,Default,,0000,0000,0000,,Lastly we can compensate residual frequency error by
Dialogue: 0,0:16:19.66,0:16:23.02,Default,,0000,0000,0000,,by PSS/SSS-based CFO correction.
Dialogue: 0,0:16:24.24,0:16:25.61,Default,,0000,0000,0000,,Here's the summary
Dialogue: 0,0:16:25.79,0:16:28.35,Default,,0000,0000,0000,,of the main questions and answers.
Dialogue: 0,0:16:28.74,0:16:33.50,Default,,0000,0000,0000,,We overshadows subframe units using PSS/SSS.
Dialogue: 0,0:16:33.50,0:16:37.55,Default,,0000,0000,0000,,for time synchronization and using GPSDO and CFO
Dialogue: 0,0:16:37.55,0:16:40.05,Default,,0000,0000,0000,,correction for frequency synchronization.
Dialogue: 0,0:16:40.74,0:16:46.50,Default,,0000,0000,0000,,Finally, COTS UE is generous enough to cover the entire range of
Dialogue: 0,0:16:46.61,0:16:48.36,Default,,0000,0000,0000,,the urban base station
Dialogue: 0,0:16:48.84,0:16:53.88,Default,,0000,0000,0000,,In short, an attacker located in the range of the base station can
Dialogue: 0,0:16:53.88,0:16:59.57,Default,,0000,0000,0000,,overshadow broadcast messages to any victim within the base station coverage.
Dialogue: 0,0:17:01.24,0:17:06.35,Default,,0000,0000,0000,,Next before examining the difference between SigOver and FBS,
Dialogue: 0,0:17:06.84,0:17:09.27,Default,,0000,0000,0000,,I will explain the process of SigOver attack.
Dialogue: 0,0:17:10.54,0:17:14.93,Default,,0000,0000,0000,,First the attacker collects necessary values by listening to
Dialogue: 0,0:17:14.93,0:17:17.65,Default,,0000,0000,0000,,the broadcast message of the normal base station.
Dialogue: 0,0:17:18.44,0:17:22.73,Default,,0000,0000,0000,,This process is necessary because information about base
Dialogue: 0,0:17:22.73,0:17:26.96,Default,,0000,0000,0000,,station is required to disguise the attacker signal
Dialogue: 0,0:17:27.49,0:17:29.35,Default,,0000,0000,0000,,as that of a normal base station.
Dialogue: 0,0:17:31.44,0:17:34.38,Default,,0000,0000,0000,,Next the attacker creates a subframe
Dialogue: 0,0:17:34.69,0:17:37.35,Default,,0000,0000,0000,,that contains the messages to use for the attack.
Dialogue: 0,0:17:39.04,0:17:41.17,Default,,0000,0000,0000,,And now the attack begins
Dialogue: 0,0:17:41.84,0:17:45.72,Default,,0000,0000,0000,,first the attacker received the PSS and SSS
Dialogue: 0,0:17:45.72,0:17:51.05,Default,,0000,0000,0000,,signals of the normal base station and synchronizes time with the base station
Dialogue: 0,0:17:52.44,0:17:55.67,Default,,0000,0000,0000,,then send the malicious subframe that she made
Dialogue: 0,0:17:56.64,0:17:57.86,Default,,0000,0000,0000,,at the precise timing.
Dialogue: 0,0:18:00.84,0:18:05.66,Default,,0000,0000,0000,,Finally the UE receiving the signal receives a malicious message
Dialogue: 0,0:18:06.04,0:18:09.38,Default,,0000,0000,0000,,by decoding the articles of frames stronger than
Dialogue: 0,0:18:09.39,0:18:11.56,Default,,0000,0000,0000,,the signal of the normal base station.
Dialogue: 0,0:18:13.74,0:18:16.77,Default,,0000,0000,0000,,Here's our test environment to verify the SigOver.
Dialogue: 0,0:18:17.34,0:18:20.49,Default,,0000,0000,0000,,We implement the SigOver by using open source
Dialogue: 0,0:18:20.49,0:18:25.46,Default,,0000,0000,0000,,LTE stack and we used USRP series for radio transmission.
Dialogue: 0,0:18:25.94,0:18:27.35,Default,,0000,0000,0000,,We also such as
Dialogue: 0,0:18:28.84,0:18:32.05,Default,,0000,0000,0000,,iPhone XS or galaxy S9
Dialogue: 0,0:18:32.11,0:18:34.78,Default,,0000,0000,0000,,to verify this attack.
Dialogue: 0,0:18:35.04,0:18:38.96,Default,,0000,0000,0000,,In the remainder of this talk I will talk about performance of
Dialogue: 0,0:18:38.96,0:18:42.86,Default,,0000,0000,0000,,SigOver and attacks that can be launched using SigOver.
Dialogue: 0,0:18:45.04,0:18:46.77,Default,,0000,0000,0000,,Okay, so far
Dialogue: 0,0:18:47.24,0:18:50.49,Default,,0000,0000,0000,,I have shown that SigOver can be used in projects
Dialogue: 0,0:18:51.34,0:18:58.17,Default,,0000,0000,0000,,but both FBS and SigOver can inject malicious broadcast messages to the UEs
Dialogue: 0,0:18:58.54,0:19:03.01,Default,,0000,0000,0000,,So what is the difference between SigOver and FBS?
Dialogue: 0,0:19:03.02,0:19:06.05,Default,,0000,0000,0000,,Or what is the advantage of SigOver?
Dialogue: 0,0:19:07.24,0:19:10.56,Default,,0000,0000,0000,,The basic advantage of SigOver compared with
Dialogue: 0,0:19:10.57,0:19:13.56,Default,,0000,0000,0000,,fake base station comes from the fact that
Dialogue: 0,0:19:14.04,0:19:19.17,Default,,0000,0000,0000,,the SigOver does not need connection establishment to inject the message.
Dialogue: 0,0:19:19.64,0:19:21.86,Default,,0000,0000,0000,,This has multiple implications.
Dialogue: 0,0:19:24.64,0:19:27.16,Default,,0000,0000,0000,,Another advantage is power efficiency.
Dialogue: 0,0:19:27.74,0:19:31.36,Default,,0000,0000,0000,,SigOver does not require so strong power because
Dialogue: 0,0:19:31.84,0:19:37.45,Default,,0000,0000,0000,,the attack signal only needs to be higher enough to cover the original signal
Dialogue: 0,0:19:37.84,0:19:39.27,Default,,0000,0000,0000,,called capture effect.
Dialogue: 0,0:19:40.64,0:19:46.07,Default,,0000,0000,0000,,It shows 98% success rate on 3dB higher power than the legitimate
Dialogue: 0,0:19:46.20,0:19:49.77,Default,,0000,0000,0000,,base station. However, the FBS
Dialogue: 0,0:19:50.14,0:19:53.67,Default,,0000,0000,0000,,requires much stronger power than the SigOver.
Dialogue: 0,0:19:54.74,0:19:57.98,Default,,0000,0000,0000,,This is because the FBS needs to break the
Dialogue: 0,0:19:57.98,0:20:01.43,Default,,0000,0000,0000,,current connection between the victim UE and the legitimate
Dialogue: 0,0:20:01.57,0:20:03.32,Default,,0000,0000,0000,,base station.
Dialogue: 0,0:20:04.74,0:20:10.05,Default,,0000,0000,0000,,Next I'll talk about what we can do with SigOver and broadcast messages.
Dialogue: 0,0:20:11.94,0:20:15.60,Default,,0000,0000,0000,,I have explained that there is no connection between the victim UE
Dialogue: 0,0:20:16.05,0:20:17.68,Default,,0000,0000,0000,,and the SigOver attacker
Dialogue: 0,0:20:17.89,0:20:18.96,Default,,0000,0000,0000,,It means that
Dialogue: 0,0:20:19.54,0:20:22.72,Default,,0000,0000,0000,,the UE can keep communicating with the legitimate
Dialogue: 0,0:20:22.85,0:20:24.29,Default,,0000,0000,0000,,base station or
Dialogue: 0,0:20:24.40,0:20:25.86,Default,,0000,0000,0000,,network during the attack.
Dialogue: 0,0:20:26.44,0:20:27.27,Default,,0000,0000,0000,,For example
Dialogue: 0,0:20:27.84,0:20:31.95,Default,,0000,0000,0000,,the SigOver can inject a malicious message while the UE is on phone
Dialogue: 0,0:20:33.04,0:20:36.63,Default,,0000,0000,0000,,However, the UE cannot communicate with the network
Dialogue: 0,0:20:36.78,0:20:38.70,Default,,0000,0000,0000,,after attaching to the FBS.
Dialogue: 0,0:20:39.14,0:20:43.66,Default,,0000,0000,0000,,So the UE might fall in the denial of services.
Dialogue: 0,0:20:44.54,0:20:48.56,Default,,0000,0000,0000,,Let me show you some possible attacks using SigOver, but
Dialogue: 0,0:20:49.04,0:20:50.96,Default,,0000,0000,0000,,not feasible using FBS.
Dialogue: 0,0:20:52.54,0:20:55.06,Default,,0000,0000,0000,,First one is signaling storm attack
Dialogue: 0,0:20:55.74,0:20:59.06,Default,,0000,0000,0000,,in general signaling storm occurs through a botnet
Dialogue: 0,0:20:59.74,0:21:03.37,Default,,0000,0000,0000,,but the SigOver can launch the attack without using the botnet.
Dialogue: 0,0:21:04.74,0:21:08.20,Default,,0000,0000,0000,,The SigOver exploits a broadcast message called SIB-1
Dialogue: 0,0:21:08.20,0:21:11.55,Default,,0000,0000,0000,,Everyone especially the tracking area code
Dialogue: 0,0:21:12.04,0:21:15.16,Default,,0000,0000,0000,,by changing the tracking area code to new one,
Dialogue: 0,0:21:15.84,0:21:18.46,Default,,0000,0000,0000,,the attacker can trigger tracking area update
Dialogue: 0,0:21:18.69,0:21:20.87,Default,,0000,0000,0000,,procedure of the victim UE
Dialogue: 0,0:21:22.24,0:21:24.46,Default,,0000,0000,0000,,which is sent to the core network.
Dialogue: 0,0:21:26.24,0:21:28.76,Default,,0000,0000,0000,,All UEs in the attack range
Dialogue: 0,0:21:29.24,0:21:35.09,Default,,0000,0000,0000,,may continuously receive fake SIB-1 which caused tracking area update
Dialogue: 0,0:21:35.09,0:21:36.95,Default,,0000,0000,0000,,storm to the core network.
Dialogue: 0,0:21:39.14,0:21:41.56,Default,,0000,0000,0000,,FBS can do the same
Dialogue: 0,0:21:42.04,0:21:43.84,Default,,0000,0000,0000,,but as you expected
Dialogue: 0,0:21:44.22,0:21:46.36,Default,,0000,0000,0000,,the legitimate network would be safe
Dialogue: 0,0:21:46.84,0:21:53.17,Default,,0000,0000,0000,,from this attack because the FBS is not connected to the legitimate core network.
Dialogue: 0,0:21:55.54,0:21:58.45,Default,,0000,0000,0000,,This is the demonstration of signaling storm
Dialogue: 0,0:22:01.14,0:22:05.06,Default,,0000,0000,0000,,the program in this screenshot signaling messages of the UE
Dialogue: 0,0:22:05.54,0:22:08.36,Default,,0000,0000,0000,,first the attacker injecting malicious paging message.
Dialogue: 0,0:22:09.34,0:22:14.95,Default,,0000,0000,0000,,This malicious paging messages required for the UE to receive a SIB-1
Dialogue: 0,0:22:15.64,0:22:19.05,Default,,0000,0000,0000,,Then, the attacker will overshadow malicious SIB-1 message
Dialogue: 0,0:22:19.74,0:22:21.77,Default,,0000,0000,0000,,Then the UE generates signaling
Dialogue: 0,0:22:22.44,0:22:23.16,Default,,0000,0000,0000,,to the network
Dialogue: 0,0:22:29.64,0:22:31.11,Default,,0000,0000,0000,,We evaluated
Dialogue: 0,0:22:31.23,0:22:34.56,Default,,0000,0000,0000,,amplification factor of signaling storm attack
Dialogue: 0,0:22:35.04,0:22:39.66,Default,,0000,0000,0000,,In normal situation a UE send about 45 service request message
Dialogue: 0,0:22:40.04,0:22:44.66,Default,,0000,0000,0000,,corresponding to over 600 signaling messages per hour
Dialogue: 0,0:22:46.06,0:22:49.39,Default,,0000,0000,0000,,Signaling storm using SigOver can generate around
Dialogue: 0,0:22:49.94,0:22:58.67,Default,,0000,0000,0000,,21,000 tracking area request corresponding to around 400,000 signaling messages per hour
Dialogue: 0,0:22:59.34,0:23:04.77,Default,,0000,0000,0000,,In summary, signaling storm can generate 640 times
Dialogue: 0,0:23:05.14,0:23:07.32,Default,,0000,0000,0000,,more signaling messages per UE.
Dialogue: 0,0:23:09.54,0:23:14.06,Default,,0000,0000,0000,,The second is a selective DoS attack using SIB-2.
Dialogue: 0,0:23:14.64,0:23:18.54,Default,,0000,0000,0000,,In SIB-2 there is a field to prevent access of
Dialogue: 0,0:23:18.55,0:23:23.16,Default,,0000,0000,0000,,the UE for effective data service in a disaster situation.
Dialogue: 0,0:23:24.34,0:23:27.76,Default,,0000,0000,0000,,If we manipulate this field we can prevent
Dialogue: 0,0:23:28.14,0:23:31.46,Default,,0000,0000,0000,,UEs from sending service requests to the base station.
Dialogue: 0,0:23:32.14,0:23:35.25,Default,,0000,0000,0000,,Of course we can also adjust the barring time
Dialogue: 0,0:23:36.04,0:23:36.60,Default,,0000,0000,0000,,furthermore,
Dialogue: 0,0:23:37.14,0:23:42.66,Default,,0000,0000,0000,,In the recent specification, barring service is not only divided into signaling
Dialogue: 0,0:23:42.67,0:23:47.91,Default,,0000,0000,0000,,and data but also divided into details such as voice call,
Dialogue: 0,0:23:47.92,0:23:50.16,Default,,0000,0000,0000,,video calls, and SMS.
Dialogue: 0,0:23:51.14,0:23:53.77,Default,,0000,0000,0000,,Therefore selective DoS is possible.
Dialogue: 0,0:23:54.24,0:23:59.76,Default,,0000,0000,0000,,For example all other services are possible but only voice service.
Dialogue: 0,0:24:00.14,0:24:01.27,Default,,0000,0000,0000,,It's not available.
Dialogue: 0,0:24:02.04,0:24:07.56,Default,,0000,0000,0000,,The selective DoS attack was verified by Galaxy S9 and succeed
Dialogue: 0,0:24:08.54,0:24:10.27,Default,,0000,0000,0000,,this attack is also
Dialogue: 0,0:24:10.64,0:24:12.26,Default,,0000,0000,0000,,only possible with Sigover
Dialogue: 0,0:24:12.94,0:24:17.26,Default,,0000,0000,0000,,Even if the UE connect to the FBS and received the wrong SIB-2.
Dialogue: 0,0:24:17.94,0:24:20.09,Default,,0000,0000,0000,,The FBS cannot make this attack
Dialogue: 0,0:24:20.94,0:24:25.26,Default,,0000,0000,0000,,because the normal SIB-2 is received again
Dialogue: 0,0:24:25.64,0:24:29.06,Default,,0000,0000,0000,,when the UE is connected to the normal base station. Okay,
Dialogue: 0,0:24:31.14,0:24:32.55,Default,,0000,0000,0000,,this is the demonstration.
Dialogue: 0,0:24:36.14,0:24:40.96,Default,,0000,0000,0000,,It would be nice to show a video of selective DoS, but not ready.
Dialogue: 0,0:24:41.34,0:24:43.29,Default,,0000,0000,0000,,So this video is a DoS attack
Dialogue: 0,0:24:43.41,0:24:44.76,Default,,0000,0000,0000,,using excess barring
Dialogue: 0,0:24:45.54,0:24:48.48,Default,,0000,0000,0000,,the UEs can use normal data services
Dialogue: 0,0:24:49.04,0:24:51.46,Default,,0000,0000,0000,,and also voice calls.
Dialogue: 0,0:25:10.74,0:25:11.27,Default,,0000,0000,0000,,Okay.
Dialogue: 0,0:25:12.64,0:25:14.17,Default,,0000,0000,0000,,After the SigOver attack
Dialogue: 0,0:25:14.84,0:25:15.77,Default,,0000,0000,0000,,by the UE
Dialogue: 0,0:25:33.24,0:25:36.06,Default,,0000,0000,0000,,Victim UEs receive malicious paging and
Dialogue: 0,0:25:36.10,0:25:37.46,Default,,0000,0000,0000,,SIB-2 messages.
Dialogue: 0,0:25:38.87,0:25:39.67,Default,,0000,0000,0000,,And uh
Dialogue: 0,0:25:40.64,0:25:41.55,Default,,0000,0000,0000,,the UE
Dialogue: 0,0:25:43.95,0:25:45.76,Default,,0000,0000,0000,,Normal service is not available
Dialogue: 0,0:25:50.04,0:25:52.29,Default,,0000,0000,0000,,even after the attacker program is terminated.
Dialogue: 0,0:25:52.42,0:25:54.56,Default,,0000,0000,0000,,The normal service is not available too
Dialogue: 0,0:26:17.14,0:26:17.86,Default,,0000,0000,0000,,Okay.
Dialogue: 0,0:26:18.54,0:26:21.03,Default,,0000,0000,0000,,The following is an attack using
Dialogue: 0,0:26:21.38,0:26:23.76,Default,,0000,0000,0000,,IMSI paging. In the figure on the left,
Dialogue: 0,0:26:24.14,0:26:26.24,Default,,0000,0000,0000,,a UE that is normally attached.
Dialogue: 0,0:26:26.24,0:26:30.75,Default,,0000,0000,0000,,is released in the idle state by releasing radio connection when
Dialogue: 0,0:26:30.92,0:26:32.45,Default,,0000,0000,0000,,not using LTE data
Dialogue: 0,0:26:33.14,0:26:34.27,Default,,0000,0000,0000,,At this time,
Dialogue: 0,0:26:34.64,0:26:38.27,Default,,0000,0000,0000,,If there is a service request for the UE from the networks,
Dialogue: 0,0:26:38.51,0:26:41.66,Default,,0000,0000,0000,,the base station sends a broadcast message paging
Dialogue: 0,0:26:42.14,0:26:43.46,Default,,0000,0000,0000,,to inform the UE
Dialogue: 0,0:26:44.04,0:26:49.77,Default,,0000,0000,0000,,the identifier used at this time is a temporary ID of the UE called GUTI.
Dialogue: 0,0:26:50.24,0:26:53.90,Default,,0000,0000,0000,,However, if paging is sent using the unique ID
Dialogue: 0,0:26:54.08,0:26:56.27,Default,,0000,0000,0000,,of the UE called IMSI,
Dialogue: 0,0:26:56.74,0:27:00.86,Default,,0000,0000,0000,,The UE will disconnect and reattach according to the behavior
Dialogue: 0,0:27:01.24,0:27:02.67,Default,,0000,0000,0000,,defined in the standard.
Dialogue: 0,0:27:03.64,0:27:08.46,Default,,0000,0000,0000,,This alert, a DoS attack on the UE that is using the LTE service.
Dialogue: 0,0:27:12.64,0:27:14.20,Default,,0000,0000,0000,,This is IMSI paging demo
Dialogue: 0,0:27:15.99,0:27:17.56,Default,,0000,0000,0000,,This is our testbed setup
Dialogue: 0,0:27:18.04,0:27:20.21,Default,,0000,0000,0000,,There is a lot of attacker's PC and USRP.
Dialogue: 0,0:27:28.44,0:27:30.17,Default,,0000,0000,0000,,Victim UE receives
Dialogue: 0,0:27:31.44,0:27:32.45,Default,,0000,0000,0000,,the voice call
Dialogue: 0,0:27:37.84,0:27:41.84,Default,,0000,0000,0000,,the attacker inject a paging message with the victims IMSI
Dialogue: 0,0:27:45.04,0:27:46.27,Default,,0000,0000,0000,,due to the IMSI paging,
Dialogue: 0,0:27:47.34,0:27:48.86,Default,,0000,0000,0000,,the voice call is disconnected.
Dialogue: 0,0:27:54.94,0:28:00.06,Default,,0000,0000,0000,,The final attack I will introduce is a fake emergency alert attack
Dialogue: 0,0:28:00.54,0:28:02.85,Default,,0000,0000,0000,,This attack uses SIB-12,
Dialogue: 0,0:28:02.85,0:28:06.59,Default,,0000,0000,0000,,which is used for a lot of systems in normal networks.
Dialogue: 0,0:28:06.60,0:28:09.77,Default,,0000,0000,0000,,The process of using CMAS is as follows.
Dialogue: 0,0:28:10.54,0:28:11.72,Default,,0000,0000,0000,,Three messages:
Dialogue: 0,0:28:11.85,0:28:14.57,Default,,0000,0000,0000,,SIB-1, SIB-12. and paging
Dialogue: 0,0:28:15.34,0:28:17.35,Default,,0000,0000,0000,,are involved in CMAS process.
Dialogue: 0,0:28:17.94,0:28:19.32,Default,,0000,0000,0000,,based on this process.
Dialogue: 0,0:28:19.56,0:28:21.99,Default,,0000,0000,0000,,The attacker overshadows the SIB-1
Dialogue: 0,0:28:22.35,0:28:24.36,Default,,0000,0000,0000,,SIB-12 and paging messages.
Dialogue: 0,0:28:38.34,0:28:38.64,Default,,0000,0000,0000,,For attack,
Dialogue: 0,0:28:39.94,0:28:42.34,Default,,0000,0000,0000,,victim phone is connected to the legitimate
Dialogue: 0,0:28:42.45,0:28:43.27,Default,,0000,0000,0000,,base station
Dialogue: 0,0:28:43.54,0:28:45.08,Default,,0000,0000,0000,,and attacker
Dialogue: 0,0:28:45.60,0:28:46.79,Default,,0000,0000,0000,,synchronizes
Dialogue: 0,0:28:47.34,0:28:51.06,Default,,0000,0000,0000,,time and frequency with the legitimate base station.
Dialogue: 0,0:29:06.54,0:29:07.63,Default,,0000,0000,0000,,This is fake emergency alert
Dialogue: 0,0:29:09.24,0:29:09.96,Default,,0000,0000,0000,,message
Dialogue: 0,0:29:12.94,0:29:14.11,Default,,0000,0000,0000,,to sum up briefly,
Dialogue: 0,0:29:14.84,0:29:18.67,Default,,0000,0000,0000,,we have designed and implemented a signal overshadowing attack
Dialogue: 0,0:29:18.68,0:29:22.67,Default,,0000,0000,0000,,Using the fundamental weakness of wireless communication,
Dialogue: 0,0:29:23.44,0:29:27.06,Default,,0000,0000,0000,,the SigOver attack is more powerful than the FBS attack
Dialogue: 0,0:29:27.64,0:29:32.22,Default,,0000,0000,0000,,in terms of power efficiency and the connection between the UE
Dialogue: 0,0:29:32.22,0:29:36.36,Default,,0000,0000,0000,,and the normal base station can perform various attacks.
Dialogue: 0,0:29:37.74,0:29:41.96,Default,,0000,0000,0000,,As an example, I showed demonstrations of four attacks.
Dialogue: 0,0:29:42.34,0:29:47.36,Default,,0000,0000,0000,,Then what can you do with unicast injection attack?
Dialogue: 0,0:29:47.84,0:29:51.65,Default,,0000,0000,0000,,The answer of this question will be explained in detail by CheolJun.
Dialogue: 0,0:29:56.14,0:29:58.06,Default,,0000,0000,0000,,CheolJun: Hi again and thank you Mincheol.
Dialogue: 0,0:29:58.84,0:30:00.48,Default,,0000,0000,0000,,So as Mincheol said,
Dialogue: 0,0:30:00.49,0:30:04.86,Default,,0000,0000,0000,,what else can we do with the unicast SigOver injection attack?
Dialogue: 0,0:30:06.64,0:30:10.17,Default,,0000,0000,0000,,So when we go back to the fake base station attack,
Dialogue: 0,0:30:10.54,0:30:13.27,Default,,0000,0000,0000,,there have been various attacks using fake base station
Dialogue: 0,0:30:14.04,0:30:18.34,Default,,0000,0000,0000,,as an example of an existing FBS attack man in the middle
Dialogue: 0,0:30:18.34,0:30:23.85,Default,,0000,0000,0000,,attack can be used for injecting, stealing or eavesdropping victim's information.
Dialogue: 0,0:30:24.64,0:30:31.27,Default,,0000,0000,0000,,If the fake base station is not an LTE base station but a 3G or 2G base station,
Dialogue: 0,0:30:32.34,0:30:36.45,Default,,0000,0000,0000,,attacker can cause a greater damage to the victim's privacy.
Dialogue: 0,0:30:37.74,0:30:41.16,Default,,0000,0000,0000,,But actually these attacks are quite limited to use
Dialogue: 0,0:30:42.24,0:30:47.85,Default,,0000,0000,0000,,these attacks all assumed that the victim is already connected to the fake base station
Dialogue: 0,0:30:48.54,0:30:50.27,Default,,0000,0000,0000,,but in a static situation
Dialogue: 0,0:30:50.64,0:30:51.77,Default,,0000,0000,0000,,in order for a UE
Dialogue: 0,0:30:52.21,0:30:53.31,Default,,0000,0000,0000,,to pass over to the
Dialogue: 0,0:30:53.48,0:30:54.27,Default,,0000,0000,0000,,fake base station,
Dialogue: 0,0:30:55.02,0:30:58.56,Default,,0000,0000,0000,,The fake base station signal must be about 40 dB
Dialogue: 0,0:30:58.94,0:31:02.36,Default,,0000,0000,0000,,Or 10,000 times larger than the commercial one.
Dialogue: 0,0:31:03.04,0:31:04.24,Default,,0000,0000,0000,,This is because the fake
Dialogue: 0,0:31:04.36,0:31:08.50,Default,,0000,0000,0000,,base station need to break the current connection between victim UE
Dialogue: 0,0:31:09.01,0:31:10.86,Default,,0000,0000,0000,,and legitimate base station
Dialogue: 0,0:31:11.94,0:31:12.77,Default,,0000,0000,0000,,operating
Dialogue: 0,0:31:12.77,0:31:16.30,Default,,0000,0000,0000,,fake base station with a strong signal requires a lot
Dialogue: 0,0:31:16.30,0:31:20.06,Default,,0000,0000,0000,,of resources and increases the chance to be detected.
Dialogue: 0,0:31:20.84,0:31:24.67,Default,,0000,0000,0000,,However SigOver can solve these limitations
Dialogue: 0,0:31:25.34,0:31:30.89,Default,,0000,0000,0000,,by injecting unicast messages attacker can force victims to attach to the
Dialogue: 0,0:31:31.11,0:31:31.76,Default,,0000,0000,0000,,fake base station.
Dialogue: 0,0:31:33.84,0:31:36.55,Default,,0000,0000,0000,,So won't the unique text message.
Dialogue: 0,0:31:36.56,0:31:42.26,Default,,0000,0000,0000,,The RC connection release message is message delivered by the base station to the U.
Dialogue: 0,0:31:42.26,0:31:42.56,Default,,0000,0000,0000,,E.
Dialogue: 0,0:31:43.64,0:31:47.06,Default,,0000,0000,0000,,It is used to command the release of an RC connection.
Dialogue: 0,0:31:47.64,0:31:51.27,Default,,0000,0000,0000,,So when the U. E. Receives this message
Dialogue: 0,0:31:51.64,0:31:54.55,Default,,0000,0000,0000,,it will disconnect from the existing connection
Dialogue: 0,0:31:55.74,0:31:59.36,Default,,0000,0000,0000,,and plus unicorns messages can have additional fields.
Dialogue: 0,0:32:01.34,0:32:02.93,Default,,0000,0000,0000,,One of the additional fields.
Dialogue: 0,0:32:02.94,0:32:06.70,Default,,0000,0000,0000,,The redirected carrying full field is used to indicate the
Dialogue: 0,0:32:06.70,0:32:09.86,Default,,0000,0000,0000,,next frequency where the you we shall connect to.
Dialogue: 0,0:32:11.04,0:32:17.16,Default,,0000,0000,0000,,UE uses this information to select an acceptable base station to camp on.
Dialogue: 0,0:32:18.54,0:32:21.71,Default,,0000,0000,0000,,Also the redirected frequencies can be not only for
Dialogue: 0,0:32:21.71,0:32:24.79,Default,,0000,0000,0000,,lt base stations but also for three G.
Dialogue: 0,0:32:24.80,0:32:28.05,Default,,0000,0000,0000,,Or two G. Base station which is more vulnerable.
Dialogue: 0,0:32:29.94,0:32:34.86,Default,,0000,0000,0000,,And the another additional fields is idle mode mobility control. In full field.
Dialogue: 0,0:32:35.64,0:32:41.46,Default,,0000,0000,0000,,This field is used to provide dedicate sales, election rez election priorities.
Dialogue: 0,0:32:42.44,0:32:44.86,Default,,0000,0000,0000,,When the research is for the base station
Dialogue: 0,0:32:45.24,0:32:47.55,Default,,0000,0000,0000,,it does not check all the frequencies.
Dialogue: 0,0:32:47.94,0:32:52.71,Default,,0000,0000,0000,,Instead it checks only selected frequencies based on frequency
Dialogue: 0,0:32:52.71,0:32:56.85,Default,,0000,0000,0000,,previously connected or frequency received from the network.
Dialogue: 0,0:32:57.94,0:33:02.95,Default,,0000,0000,0000,,So we noticed that when the UE is redirected to a non
Dialogue: 0,0:33:02.95,0:33:07.56,Default,,0000,0000,0000,,searching frequency you we did not redirect it to that frequency.
Dialogue: 0,0:33:08.34,0:33:12.40,Default,,0000,0000,0000,,However when a non non searching frequency was
Dialogue: 0,0:33:12.41,0:33:15.36,Default,,0000,0000,0000,,included in the idle mode mobility controlling fulfilled
Dialogue: 0,0:33:15.84,0:33:19.95,Default,,0000,0000,0000,,you we was redirected. Well even though it was a new frequency,
Dialogue: 0,0:33:22.14,0:33:24.92,Default,,0000,0000,0000,,the figure actually shows that the U. E.
Dialogue: 0,0:33:24.93,0:33:29.87,Default,,0000,0000,0000,,Is redirected to another base station After receiving on RC connection release
Dialogue: 0,0:33:29.88,0:33:32.80,Default,,0000,0000,0000,,message with a redirected carrying fulfilled
Dialogue: 0,0:33:32.81,0:33:35.27,Default,,0000,0000,0000,,and idle mode mobility controlling fulfilled.
Dialogue: 0,0:33:36.14,0:33:37.72,Default,,0000,0000,0000,,You can see that the radio
Dialogue: 0,0:33:37.72,0:33:40.88,Default,,0000,0000,0000,,frequency channel number representing the communication
Dialogue: 0,0:33:40.88,0:33:46.46,Default,,0000,0000,0000,,frequency of the base station has changed from 100 to 2600.
Dialogue: 0,0:33:47.24,0:33:48.10,Default,,0000,0000,0000,,So
Dialogue: 0,0:33:48.21,0:33:51.95,Default,,0000,0000,0000,,if the attacker can inject this message to the victim, Ue
Dialogue: 0,0:33:53.10,0:33:57.36,Default,,0000,0000,0000,,attacker can force victim uE to move to the faith base station
Dialogue: 0,0:34:00.14,0:34:04.04,Default,,0000,0000,0000,,in order to inject this RC connection release message
Dialogue: 0,0:34:04.05,0:34:07.10,Default,,0000,0000,0000,,injected messages should be decoded on the U.
Dialogue: 0,0:34:07.10,0:34:07.46,Default,,0000,0000,0000,,E.
Dialogue: 0,0:34:08.34,0:34:09.36,Default,,0000,0000,0000,,To do this.
Dialogue: 0,0:34:09.74,0:34:14.45,Default,,0000,0000,0000,,More efforts are required than when injecting a broadcast message.
Dialogue: 0,0:34:15.24,0:34:15.96,Default,,0000,0000,0000,,Firstly
Dialogue: 0,0:34:16.34,0:34:18.26,Default,,0000,0000,0000,,when injecting broadcast message,
Dialogue: 0,0:34:18.64,0:34:23.67,Default,,0000,0000,0000,,attacker only had to consider base stations configuration to inject the message
Dialogue: 0,0:34:24.64,0:34:27.61,Default,,0000,0000,0000,,but to inject the unique cast message.
Dialogue: 0,0:34:27.62,0:34:34.65,Default,,0000,0000,0000,,Attacker also have to consider only additional information like us I. D. R. N. T. I.
Dialogue: 0,0:34:34.66,0:34:41.26,Default,,0000,0000,0000,,Which is a temporarily identify rare sequence number message format and so on.
Dialogue: 0,0:34:42.04,0:34:46.39,Default,,0000,0000,0000,,Moreover, the message must be set correctly in the right place.
Dialogue: 0,0:34:47.34,0:34:50.76,Default,,0000,0000,0000,,UE does not decode all the messages over the air,
Dialogue: 0,0:34:51.24,0:34:54.36,Default,,0000,0000,0000,,but only because what it needs to decode.
Dialogue: 0,0:34:55.34,0:34:59.51,Default,,0000,0000,0000,,The location of the broadcast message is common space and every
Dialogue: 0,0:34:59.51,0:35:02.66,Default,,0000,0000,0000,,year we have to decode the message on the common space,
Dialogue: 0,0:35:03.44,0:35:08.96,Default,,0000,0000,0000,,but the location of the unique cast message is a US specific space
Dialogue: 0,0:35:09.34,0:35:09.97,Default,,0000,0000,0000,,and
Dialogue: 0,0:35:10.64,0:35:13.55,Default,,0000,0000,0000,,it is determined according to the R. N. T. I.
Dialogue: 0,0:35:14.04,0:35:14.76,Default,,0000,0000,0000,,So
Dialogue: 0,0:35:15.23,0:35:19.19,Default,,0000,0000,0000,,the message should be decoded at the U. S. Specific space.
Dialogue: 0,0:35:20.24,0:35:25.97,Default,,0000,0000,0000,,With these extra efforts. Unicorns messages can also be injected. Fear sick over
Dialogue: 0,0:35:28.44,0:35:29.20,Default,,0000,0000,0000,,now,
Dialogue: 0,0:35:29.21,0:35:34.05,Default,,0000,0000,0000,,I will introduce attack scenarios using RC connection release message injection
Dialogue: 0,0:35:34.84,0:35:35.86,Default,,0000,0000,0000,,in this attack,
Dialogue: 0,0:35:36.24,0:35:41.25,Default,,0000,0000,0000,,the attacker is assumed to know the M Z or R N T I. Of the victim.
Dialogue: 0,0:35:42.14,0:35:45.72,Default,,0000,0000,0000,,We also assume that an attacker is located where he can
Dialogue: 0,0:35:45.72,0:35:50.12,Default,,0000,0000,0000,,hear signals from legitimate base station such as victim you.
Dialogue: 0,0:35:50.12,0:35:50.96,Default,,0000,0000,0000,,E
Dialogue: 0,0:35:51.84,0:35:54.56,Default,,0000,0000,0000,,Attack Scenarios can be divided into two.
Dialogue: 0,0:35:55.44,0:35:59.67,Default,,0000,0000,0000,,First situation is when there is a vulnerability on the device
Dialogue: 0,0:36:00.14,0:36:01.06,Default,,0000,0000,0000,,in this case,
Dialogue: 0,0:36:01.44,0:36:05.06,Default,,0000,0000,0000,,I'll take her in this to know M Z or R and T I.
Dialogue: 0,0:36:05.84,0:36:09.92,Default,,0000,0000,0000,,If the victim UE has the vulnerability that accepts
Dialogue: 0,0:36:09.93,0:36:14.47,Default,,0000,0000,0000,,security unprotected message even after the security activation,
Dialogue: 0,0:36:14.94,0:36:18.05,Default,,0000,0000,0000,,the attacker can easily inject the unique last message.
Dialogue: 0,0:36:18.93,0:36:21.31,Default,,0000,0000,0000,,We could found this vulnerability while
Dialogue: 0,0:36:21.31,0:36:24.96,Default,,0000,0000,0000,,developing methods to test devices vulnerability.
Dialogue: 0,0:36:26.33,0:36:30.55,Default,,0000,0000,0000,,The second situation is when there is no vulnerability on the device
Dialogue: 0,0:36:31.23,0:36:32.16,Default,,0000,0000,0000,,in this case
Dialogue: 0,0:36:32.63,0:36:34.66,Default,,0000,0000,0000,,the attacker needs to know the MZ.
Dialogue: 0,0:36:35.93,0:36:36.54,Default,,0000,0000,0000,,Then
Dialogue: 0,0:36:36.69,0:36:39.47,Default,,0000,0000,0000,,the attacker needs to inject message before the
Dialogue: 0,0:36:39.57,0:36:40.75,Default,,0000,0000,0000,,secret activation
Dialogue: 0,0:36:41.73,0:36:45.75,Default,,0000,0000,0000,,for this attack. There need additional technical implementations.
Dialogue: 0,0:36:46.23,0:36:49.05,Default,,0000,0000,0000,,Actually, this implementation is in progress.
Dialogue: 0,0:36:51.13,0:36:51.66,Default,,0000,0000,0000,,Now,
Dialogue: 0,0:36:52.03,0:36:56.65,Default,,0000,0000,0000,,the first scenario is when there is see a vulnerability in the U. E.
Dialogue: 0,0:36:57.73,0:37:02.57,Default,,0000,0000,0000,,This UV has a vulnerability that receives unprotected messages
Dialogue: 0,0:37:02.58,0:37:05.74,Default,,0000,0000,0000,,even in the presence of a security context.
Dialogue: 0,0:37:06.73,0:37:09.57,Default,,0000,0000,0000,,The victim UE is now connected to the
Dialogue: 0,0:37:09.58,0:37:13.96,Default,,0000,0000,0000,,legitimate network and has finished the security process.
Dialogue: 0,0:37:14.93,0:37:21.74,Default,,0000,0000,0000,,So the victim um he has a security context and it is using normal cellular service.
Dialogue: 0,0:37:24.03,0:37:24.66,Default,,0000,0000,0000,,Then
Dialogue: 0,0:37:25.10,0:37:30.25,Default,,0000,0000,0000,,the attacker injects on unprotected RC connection release message on the U. E.
Dialogue: 0,0:37:31.53,0:37:32.96,Default,,0000,0000,0000,,Due to the vulnerability
Dialogue: 0,0:37:33.33,0:37:34.75,Default,,0000,0000,0000,,the U. E. Except
Dialogue: 0,0:37:34.88,0:37:38.34,Default,,0000,0000,0000,,security. Unprotected RC connection release message.
Dialogue: 0,0:37:38.83,0:37:39.89,Default,,0000,0000,0000,,Then the U.
Dialogue: 0,0:37:39.89,0:37:44.12,Default,,0000,0000,0000,,We disconnect the existing connection and is redirected to the
Dialogue: 0,0:37:44.12,0:37:47.95,Default,,0000,0000,0000,,attacker state base station and request for the connection.
Dialogue: 0,0:37:51.03,0:37:55.25,Default,,0000,0000,0000,,The second scenario is when there is no vulnerability on the
Dialogue: 0,0:37:56.33,0:37:57.28,Default,,0000,0000,0000,,the victim, UV.
Dialogue: 0,0:37:57.29,0:38:02.96,Default,,0000,0000,0000,,Is now connected to the legitimate network and he has finished the security process
Dialogue: 0,0:38:03.73,0:38:06.37,Default,,0000,0000,0000,,so the victim um he has a security
Dialogue: 0,0:38:06.37,0:38:11.35,Default,,0000,0000,0000,,context and it only accept security protected messages.
Dialogue: 0,0:38:11.73,0:38:15.96,Default,,0000,0000,0000,,Thus the attacker cannot inject messages for now.
Dialogue: 0,0:38:18.22,0:38:23.87,Default,,0000,0000,0000,,So attacker must delete the user US security context in
Dialogue: 0,0:38:23.87,0:38:29.04,Default,,0000,0000,0000,,order for the victim to receive on our Attackers unprotected messages
Dialogue: 0,0:38:29.82,0:38:30.81,Default,,0000,0000,0000,,to do this.
Dialogue: 0,0:38:30.95,0:38:34.65,Default,,0000,0000,0000,,The attacker injects a mg paging message
Dialogue: 0,0:38:35.62,0:38:38.74,Default,,0000,0000,0000,,According to the three GPP specification.
Dialogue: 0,0:38:39.22,0:38:42.25,Default,,0000,0000,0000,,When you we received the MG patient message,
Dialogue: 0,0:38:42.62,0:38:45.71,Default,,0000,0000,0000,,it should immediately terminate all service
Dialogue: 0,0:38:45.71,0:38:49.54,Default,,0000,0000,0000,,sessions deletes parameters including security key.
Dialogue: 0,0:38:50.52,0:38:54.65,Default,,0000,0000,0000,,So by injecting mg paging message article
Dialogue: 0,0:38:54.65,0:38:58.34,Default,,0000,0000,0000,,can delete the security context of the victim
Dialogue: 0,0:39:00.62,0:39:03.06,Default,,0000,0000,0000,,after you terminate the existing connection.
Dialogue: 0,0:39:03.62,0:39:07.15,Default,,0000,0000,0000,,It's talks over the attached procedure with the base station.
Dialogue: 0,0:39:09.42,0:39:12.84,Default,,0000,0000,0000,,Before the victim usually finishes the security procedure,
Dialogue: 0,0:39:13.52,0:39:16.94,Default,,0000,0000,0000,,the attacker injects on RC connection release message
Dialogue: 0,0:39:17.62,0:39:20.01,Default,,0000,0000,0000,,When there is no security context.
Dialogue: 0,0:39:20.02,0:39:26.14,Default,,0000,0000,0000,,UE is allowed to receive the security unprotected RC connection release message.
Dialogue: 0,0:39:26.82,0:39:28.18,Default,,0000,0000,0000,,Therefore the U.
Dialogue: 0,0:39:28.18,0:39:31.79,Default,,0000,0000,0000,,E processes the Attackers message and sends a
Dialogue: 0,0:39:31.79,0:39:34.74,Default,,0000,0000,0000,,connection request to the attacker's face face station
Dialogue: 0,0:39:36.92,0:39:41.82,Default,,0000,0000,0000,,so far we have introduced a tax that brings target victims to the
Dialogue: 0,0:39:42.03,0:39:43.04,Default,,0000,0000,0000,,base stations
Dialogue: 0,0:39:43.82,0:39:50.15,Default,,0000,0000,0000,,but existing big base station attack can bring all the unspecified us to it
Dialogue: 0,0:39:51.02,0:39:53.65,Default,,0000,0000,0000,,from on FPs Attackers point of view
Dialogue: 0,0:39:54.12,0:39:55.30,Default,,0000,0000,0000,,it may be easier
Dialogue: 0,0:39:55.50,0:39:58.34,Default,,0000,0000,0000,,and better to attach all the um around
Dialogue: 0,0:39:59.22,0:39:59.72,Default,,0000,0000,0000,,then
Dialogue: 0,0:39:59.98,0:40:00.75,Default,,0000,0000,0000,,we need to know
Dialogue: 0,0:40:01.22,0:40:03.83,Default,,0000,0000,0000,,if this takeover attack can do the same thing
Dialogue: 0,0:40:06.12,0:40:07.14,Default,,0000,0000,0000,,in this attack.
Dialogue: 0,0:40:07.52,0:40:11.10,Default,,0000,0000,0000,,The attacker constantly monitors down like messages from
Dialogue: 0,0:40:11.10,0:40:14.35,Default,,0000,0000,0000,,the commercial base station to acquire are.
Dialogue: 0,0:40:14.35,0:40:17.24,Default,,0000,0000,0000,,NT I from RC connection setup message.
Dialogue: 0,0:40:18.21,0:40:20.14,Default,,0000,0000,0000,,Once the attacker gets the R. N. T.
Dialogue: 0,0:40:20.14,0:40:23.82,Default,,0000,0000,0000,,I, attacker injects the RC connection release message,
Dialogue: 0,0:40:24.61,0:40:29.74,Default,,0000,0000,0000,,attacker can repeat the entire process until he brings the all the US around.
Dialogue: 0,0:40:32.81,0:40:36.44,Default,,0000,0000,0000,,To verify this attack. We used galaxy s. four.
Dialogue: 0,0:40:37.11,0:40:40.35,Default,,0000,0000,0000,,The Galaxy S four is the one of the vulnerable device that
Dialogue: 0,0:40:40.36,0:40:45.93,Default,,0000,0000,0000,,receives an unprotected message even in the presence of a security context.
Dialogue: 0,0:40:47.11,0:40:49.62,Default,,0000,0000,0000,,This vulnerability was discovered while
Dialogue: 0,0:40:49.62,0:40:52.93,Default,,0000,0000,0000,,studying methods to test devices vulnerability
Dialogue: 0,0:40:54.11,0:40:58.71,Default,,0000,0000,0000,,in this case we could inject on RC connection release message to the U.
Dialogue: 0,0:40:58.72,0:41:02.14,Default,,0000,0000,0000,,E without deleting the security context
Dialogue: 0,0:41:03.21,0:41:05.95,Default,,0000,0000,0000,,to inject the RC collection release message.
Dialogue: 0,0:41:05.96,0:41:12.83,Default,,0000,0000,0000,,We used free open source LT software, S R S L. T and U S. R. P X. 310.
Dialogue: 0,0:41:14.11,0:41:18.07,Default,,0000,0000,0000,,When the U. E. Is normally connected to the cellular network.
Dialogue: 0,0:41:18.08,0:41:21.92,Default,,0000,0000,0000,,We injected crafted message to redirect the victim
Dialogue: 0,0:41:21.92,0:41:24.62,Default,,0000,0000,0000,,UE to the attacker state base stations,
Dialogue: 0,0:41:24.62,0:41:26.64,Default,,0000,0000,0000,,frequency 363.
Dialogue: 0,0:41:27.51,0:41:27.74,Default,,0000,0000,0000,,Okay.
Dialogue: 0,0:41:29.11,0:41:31.72,Default,,0000,0000,0000,,The injected message contains the redirected carrying
Dialogue: 0,0:41:31.72,0:41:34.47,Default,,0000,0000,0000,,fulfilled and idle mode mobility control.
Dialogue: 0,0:41:34.48,0:41:35.23,Default,,0000,0000,0000,,In fulfilled.
Dialogue: 0,0:41:36.68,0:41:41.24,Default,,0000,0000,0000,,Redirected carrying full field is set to the lT frequency type
Dialogue: 0,0:41:41.61,0:41:43.74,Default,,0000,0000,0000,,And contains 363
Dialogue: 0,0:41:44.11,0:41:46.14,Default,,0000,0000,0000,,the frequency of fake face station.
Dialogue: 0,0:41:47.61,0:41:51.32,Default,,0000,0000,0000,,The idle mode mobility control and fulfilled contains a list
Dialogue: 0,0:41:51.32,0:41:55.64,Default,,0000,0000,0000,,of normal base stations frequency and an attacker's frequency.
Dialogue: 0,0:41:56.61,0:41:57.44,Default,,0000,0000,0000,,At this time
Dialogue: 0,0:41:57.81,0:42:02.55,Default,,0000,0000,0000,,the priority of Attackers frequency is set to the highest to
Dialogue: 0,0:42:02.55,0:42:06.83,Default,,0000,0000,0000,,ensure that the victim's definitely passes over the fake face station.
Dialogue: 0,0:42:08.81,0:42:11.14,Default,,0000,0000,0000,,Here is the demonstration of the attack.
Dialogue: 0,0:42:14.71,0:42:14.94,Default,,0000,0000,0000,,Mhm.
Dialogue: 0,0:42:20.50,0:42:21.73,Default,,0000,0000,0000,,So at the first time
Dialogue: 0,0:42:23.20,0:42:23.92,Default,,0000,0000,0000,,the
Dialogue: 0,0:42:24.40,0:42:27.32,Default,,0000,0000,0000,,Victim's phone is connected to the alleged to make base station
Dialogue: 0,0:42:27.70,0:42:28.42,Default,,0000,0000,0000,,100
Dialogue: 0,0:42:29.10,0:42:30.92,Default,,0000,0000,0000,,And Autocracies Operating
Dialogue: 0,0:42:31.27,0:42:33.02,Default,,0000,0000,0000,,Base Station 3 6 3.
Dialogue: 0,0:42:35.40,0:42:37.73,Default,,0000,0000,0000,,Then the attacker injects the message.
Dialogue: 0,0:42:44.80,0:42:48.59,Default,,0000,0000,0000,,And as you can you could see at the monitor the signal
Dialogue: 0,0:42:48.59,0:42:54.12,Default,,0000,0000,0000,,was injected and the injected message has the contents of as follows.
Dialogue: 0,0:42:54.13,0:42:56.62,Default,,0000,0000,0000,,And this is same with what I said before.
Dialogue: 0,0:43:07.90,0:43:09.65,Default,,0000,0000,0000,,And then as you can see at the
Dialogue: 0,0:43:09.76,0:43:12.96,Default,,0000,0000,0000,,base stations, monitor the victim's phone is connected to the
Dialogue: 0,0:43:13.10,0:43:13.81,Default,,0000,0000,0000,,base station.
Dialogue: 0,0:43:16.50,0:43:19.92,Default,,0000,0000,0000,,And if you see the package during the attack
Dialogue: 0,0:43:21.10,0:43:21.52,Default,,0000,0000,0000,,do you?
Dialogue: 0,0:43:22.10,0:43:24.32,Default,,0000,0000,0000,,That one is the injected message.
Dialogue: 0,0:43:25.10,0:43:29.72,Default,,0000,0000,0000,,After that the victim's phone makes a new connection with the fake base station.
Dialogue: 0,0:43:30.30,0:43:33.51,Default,,0000,0000,0000,,So it moved from 100 to the 363.
Dialogue: 0,0:43:34.20,0:43:39.81,Default,,0000,0000,0000,,So after this attack we could do anything like me in the middle attack and so on.
Dialogue: 0,0:43:43.70,0:43:49.12,Default,,0000,0000,0000,,So in the previous previous demo the victim you we was connected to a commercial
Dialogue: 0,0:43:49.12,0:43:54.73,Default,,0000,0000,0000,,base station and then moved to a faith base station that had never been connected.
Dialogue: 0,0:43:56.00,0:43:58.93,Default,,0000,0000,0000,,Let's sum up the big base station attack using sick over
Dialogue: 0,0:43:59.60,0:44:04.55,Default,,0000,0000,0000,,first. This attack requires much less power and it's easier than
Dialogue: 0,0:44:04.67,0:44:07.01,Default,,0000,0000,0000,,the traditional fake base station attacks.
Dialogue: 0,0:44:07.80,0:44:08.85,Default,,0000,0000,0000,,As a result,
Dialogue: 0,0:44:09.08,0:44:12.57,Default,,0000,0000,0000,,the chance to be detected decreases and the effective
Dialogue: 0,0:44:12.76,0:44:14.12,Default,,0000,0000,0000,,range increases
Dialogue: 0,0:44:14.90,0:44:19.61,Default,,0000,0000,0000,,2nd. The attacker can choose victim to move to the big base station
Dialogue: 0,0:44:20.19,0:44:26.22,Default,,0000,0000,0000,,since the attacker injector unicorns message only the targeted um is affected.
Dialogue: 0,0:44:27.09,0:44:30.38,Default,,0000,0000,0000,,Therefore the chance to be detected also reduced.
Dialogue: 0,0:44:30.39,0:44:33.50,Default,,0000,0000,0000,,And it allows the attacker to definitely forced the
Dialogue: 0,0:44:33.50,0:44:36.30,Default,,0000,0000,0000,,target to attach to a big base station.
Dialogue: 0,0:44:37.49,0:44:38.21,Default,,0000,0000,0000,,Finally,
Dialogue: 0,0:44:38.59,0:44:39.55,Default,,0000,0000,0000,,The attack was fake.
Dialogue: 0,0:44:39.55,0:44:45.72,Default,,0000,0000,0000,,Base station can be not only LT base station but also a 3G or two G base station.
Dialogue: 0,0:44:46.39,0:44:50.33,Default,,0000,0000,0000,,As the 3G or 2G base stations are more vulnerable.
Dialogue: 0,0:44:50.34,0:44:53.61,Default,,0000,0000,0000,,Attacker can perform more severe attacks
Dialogue: 0,0:44:56.29,0:44:59.46,Default,,0000,0000,0000,,and now I'm going to talk about some countermeasures.
Dialogue: 0,0:44:59.47,0:45:01.81,Default,,0000,0000,0000,,Discussion conclusion and future. Works
Dialogue: 0,0:45:02.59,0:45:03.70,Default,,0000,0000,0000,,for future. Works
Dialogue: 0,0:45:04.99,0:45:07.95,Default,,0000,0000,0000,,to make this attack possible for all the U. S.
Dialogue: 0,0:45:07.96,0:45:11.22,Default,,0000,0000,0000,,Actually, additional implementations or needed
Dialogue: 0,0:45:11.59,0:45:17.22,Default,,0000,0000,0000,,first issued to be implemented to find out the identity of the victim using MZ.
Dialogue: 0,0:45:18.19,0:45:21.70,Default,,0000,0000,0000,,An attacker can do this by monitoring the RC connection,
Dialogue: 0,0:45:21.70,0:45:24.72,Default,,0000,0000,0000,,settle message after sending the MG paging.
Dialogue: 0,0:45:26.19,0:45:29.30,Default,,0000,0000,0000,,Actually it is already possible but it must
Dialogue: 0,0:45:29.31,0:45:32.91,Default,,0000,0000,0000,,be optimized with injecting techniques in real time.
Dialogue: 0,0:45:33.89,0:45:34.84,Default,,0000,0000,0000,,Second,
Dialogue: 0,0:45:34.85,0:45:40.72,Default,,0000,0000,0000,,it should be made implemented to inject message before the security process ends
Dialogue: 0,0:45:41.29,0:45:46.30,Default,,0000,0000,0000,,to do this. There is a little time to inject messages. As you can see at the figure
Dialogue: 0,0:45:46.69,0:45:49.42,Default,,0000,0000,0000,,hardware optimizations are necessary,
Dialogue: 0,0:45:50.49,0:45:53.82,Default,,0000,0000,0000,,although there are some things that need to be implemented.
Dialogue: 0,0:45:53.83,0:45:58.76,Default,,0000,0000,0000,,We expect that this attack will be possible on every U. E.
Dialogue: 0,0:45:58.77,0:46:01.41,Default,,0000,0000,0000,,If the hardware is fully optimized.
Dialogue: 0,0:46:04.09,0:46:06.91,Default,,0000,0000,0000,,And for the countermeasures for this attack,
Dialogue: 0,0:46:07.69,0:46:10.69,Default,,0000,0000,0000,,the secure solution against sick over attack on
Dialogue: 0,0:46:10.69,0:46:13.60,Default,,0000,0000,0000,,the message is to use digital signature.
Dialogue: 0,0:46:14.39,0:46:15.15,Default,,0000,0000,0000,,Currently
Dialogue: 0,0:46:15.26,0:46:20.41,Default,,0000,0000,0000,,only a single injected message can cause a long term denial of service.
Dialogue: 0,0:46:21.38,0:46:25.49,Default,,0000,0000,0000,,Once the message is protected with a digital signal signature,
Dialogue: 0,0:46:26.28,0:46:29.79,Default,,0000,0000,0000,,it it can prevent the attacks introduced so far.
Dialogue: 0,0:46:30.78,0:46:31.34,Default,,0000,0000,0000,,Plus
Dialogue: 0,0:46:31.47,0:46:33.41,Default,,0000,0000,0000,,the attack cost would be increased.
Dialogue: 0,0:46:34.08,0:46:38.64,Default,,0000,0000,0000,,This is because the attacker have to inject wrong message continuously
Dialogue: 0,0:46:38.65,0:46:43.10,Default,,0000,0000,0000,,to cause denial service in the presence of the digital signature.
Dialogue: 0,0:46:44.08,0:46:45.01,Default,,0000,0000,0000,,Moreover,
Dialogue: 0,0:46:45.21,0:46:48.91,Default,,0000,0000,0000,,it becomes possible to detect the presence of the attack.
Dialogue: 0,0:46:50.28,0:46:54.41,Default,,0000,0000,0000,,Actually, this is possible because from the 5G
Dialogue: 0,0:46:54.78,0:46:58.29,Default,,0000,0000,0000,,operators public key will be stored in the using
Dialogue: 0,0:46:59.48,0:47:01.22,Default,,0000,0000,0000,,In fact three GPP.
Dialogue: 0,0:47:01.22,0:47:04.36,Default,,0000,0000,0000,,is recently studying the FPs problem and
Dialogue: 0,0:47:04.36,0:47:07.91,Default,,0000,0000,0000,,lack of integrated protection of broadcasting information
Dialogue: 0,0:47:10.18,0:47:14.28,Default,,0000,0000,0000,,and since Ho jin first published sick over attack on broadcast message.
Dialogue: 0,0:47:14.29,0:47:20.23,Default,,0000,0000,0000,,In last august we have received many requests to request release the code.
Dialogue: 0,0:47:20.24,0:47:22.09,Default,,0000,0000,0000,,Attack code as an open source.
Dialogue: 0,0:47:22.88,0:47:25.60,Default,,0000,0000,0000,,However, we have some reasons that we can't.
Dialogue: 0,0:47:26.38,0:47:28.53,Default,,0000,0000,0000,,The first reason is that according to
Dialogue: 0,0:47:28.53,0:47:32.66,Default,,0000,0000,0000,,the GSM A on organization for cellular carriers
Dialogue: 0,0:47:32.67,0:47:39.30,Default,,0000,0000,0000,,said the GSM a have no objection to any security research being open sourced where
Dialogue: 0,0:47:39.68,0:47:45.71,Default,,0000,0000,0000,,there is a clear security benefit and there is no risk posed to innocent users
Dialogue: 0,0:47:47.23,0:47:51.15,Default,,0000,0000,0000,,releasing this code clearly has some security benefits.
Dialogue: 0,0:47:51.58,0:47:53.29,Default,,0000,0000,0000,,However, unfortunately
Dialogue: 0,0:47:53.78,0:47:59.09,Default,,0000,0000,0000,,the proposed attack can affect a large number of innocent users around.
Dialogue: 0,0:47:59.58,0:48:02.91,Default,,0000,0000,0000,,So it might be hard to release the arctic coat.
Dialogue: 0,0:48:04.18,0:48:06.79,Default,,0000,0000,0000,,And another reason is the quality of the codes.
Dialogue: 0,0:48:09.28,0:48:10.80,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:48:12.78,0:48:13.12,Default,,0000,0000,0000,,Mm hmm.
Dialogue: 0,0:48:15.09,0:48:15.93,Default,,0000,0000,0000,,Currently
Dialogue: 0,0:48:16.50,0:48:20.40,Default,,0000,0000,0000,,the code we made is not well organized to make it open source.
Dialogue: 0,0:48:23.07,0:48:24.00,Default,,0000,0000,0000,,In conclusion,
Dialogue: 0,0:48:24.37,0:48:29.08,Default,,0000,0000,0000,,we presented single over attack physically overwriting specific self frames.
Dialogue: 0,0:48:29.67,0:48:35.49,Default,,0000,0000,0000,,Seek over is a new exploit on unpatched an insecure channel on LT network
Dialogue: 0,0:48:36.57,0:48:39.41,Default,,0000,0000,0000,,Comparing two attacks using fake face stations.
Dialogue: 0,0:48:39.44,0:48:42.39,Default,,0000,0000,0000,,Sick over is way cheaper and healthier.
Dialogue: 0,0:48:43.67,0:48:46.85,Default,,0000,0000,0000,,Also, we found new attacks on physical channel
Dialogue: 0,0:48:47.97,0:48:50.14,Default,,0000,0000,0000,,by injecting broadcast messages.
Dialogue: 0,0:48:50.15,0:48:53.15,Default,,0000,0000,0000,,We could cause denial of service access
Dialogue: 0,0:48:53.15,0:48:57.39,Default,,0000,0000,0000,,borrowing signaling stone and fake emergency alert.
Dialogue: 0,0:48:58.37,0:49:01.73,Default,,0000,0000,0000,,And by injecting unique cast message we could force
Dialogue: 0,0:49:01.73,0:49:04.79,Default,,0000,0000,0000,,targeted victim to move to the fake base station.
Dialogue: 0,0:49:06.07,0:49:06.88,Default,,0000,0000,0000,,Finally,
Dialogue: 0,0:49:07.06,0:49:11.20,Default,,0000,0000,0000,,I expect this sick over attack will be used in the wild.
Dialogue: 0,0:49:11.97,0:49:12.74,Default,,0000,0000,0000,,Therefore
Dialogue: 0,0:49:12.92,0:49:17.94,Default,,0000,0000,0000,,not only cellular networks but all the systems based on the cellular networks
Dialogue: 0,0:49:18.35,0:49:21.29,Default,,0000,0000,0000,,such as equal to everything can be affected
Dialogue: 0,0:49:22.57,0:49:27.77,Default,,0000,0000,0000,,in the future. Mobile communication technologies such as five G and six G R.
Dialogue: 0,0:49:27.77,0:49:28.59,Default,,0000,0000,0000,,Developed
Dialogue: 0,0:49:29.27,0:49:32.39,Default,,0000,0000,0000,,So more secure systems should be made
Dialogue: 0,0:49:32.40,0:49:35.20,Default,,0000,0000,0000,,by considering the security of the physical layer
Dialogue: 0,0:49:35.57,0:49:38.00,Default,,0000,0000,0000,,which was not considered before.
Dialogue: 0,0:49:39.07,0:49:39.90,Default,,0000,0000,0000,,Therefore,
Dialogue: 0,0:49:39.91,0:49:43.19,Default,,0000,0000,0000,,I strongly suggest three TPP to use digital
Dialogue: 0,0:49:43.19,0:49:47.20,Default,,0000,0000,0000,,signatures for physical channel despite its difficulty.
Dialogue: 0,0:49:53.77,0:49:54.40,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:49:55.07,0:49:58.52,Default,,0000,0000,0000,,And for the last we have responsibly disclosed
Dialogue: 0,0:49:58.53,0:50:01.40,Default,,0000,0000,0000,,these attacks to the GSM A and Qualcomm.
Dialogue: 0,0:50:03.07,0:50:07.47,Default,,0000,0000,0000,,Thank you for listening And if you're having any questions please let us know.
Dialogue: 0,0:50:07.48,0:50:10.40,Default,,0000,0000,0000,,And if you're having any long questions,
Dialogue: 0,0:50:10.40,0:50:13.20,Default,,0000,0000,0000,,please email us through the emails on the slide
Dialogue: 0,0:50:13.97,0:50:14.59,Default,,0000,0000,0000,,and
Dialogue: 0,0:50:15.17,0:50:20.08,Default,,0000,0000,0000,,the photo is our left photo and my supervisor is younger kim.
Dialogue: 0,0:50:20.66,0:50:23.70,Default,,0000,0000,0000,,Maybe some of you would have heard about him
Dialogue: 0,0:50:23.70,0:50:26.55,Default,,0000,0000,0000,,because he's doing a lot of researches about security.
Dialogue: 0,0:50:26.55,0:50:26.87,Default,,0000,0000,0000,,So
Dialogue: 0,0:50:27.05,0:50:28.07,Default,,0000,0000,0000,,anyway, thank you.
Dialogue: 0,0:50:29.16,0:50:38.75,Default,,0000,0000,0000,,All right, thanks you too. So far we have around 10 minutes for questions.
Dialogue: 0,0:50:38.75,0:50:42.91,Default,,0000,0000,0000,,So if you have questions for the speakers, please go to one of the room mix.
Dialogue: 0,0:50:42.92,0:50:46.38,Default,,0000,0000,0000,,And well for let you ask your question,
Dialogue: 0,0:50:47.56,0:50:49.33,Default,,0000,0000,0000,,do we already have people lined up?
Dialogue: 0,0:50:49.34,0:50:51.33,Default,,0000,0000,0000,,Let's start with a question from the signal angel.
Dialogue: 0,0:50:52.76,0:50:56.31,Default,,0000,0000,0000,,-- There's one question\N-- are these methods similar
Dialogue: 0,0:50:56.31,0:50:57.31,Default,,0000,0000,0000,,or the same use
Dialogue: 0,0:50:57.31,0:51:03.08,Default,,0000,0000,0000,,-- by law\N-- enforcement and the user mentioned stingray for an example.
Dialogue: 0,0:51:06.16,0:51:07.99,Default,,0000,0000,0000,,Ah pardon please?
Dialogue: 0,0:51:08.76,0:51:11.74,Default,,0000,0000,0000,,Where where are you? Can you raise your hands? I can say okay.
Dialogue: 0,0:51:11.75,0:51:14.64,Default,,0000,0000,0000,,-- How can you say the\N-- question from the internet. So
Dialogue: 0,0:51:14.65,0:51:16.97,Default,,0000,0000,0000,,-- are\N-- these methods similar?
Dialogue: 0,0:51:16.97,0:51:19.38,Default,,0000,0000,0000,,The same used by the law enforcement,
Dialogue: 0,0:51:19.76,0:51:21.98,Default,,0000,0000,0000,,Low enforcement police.
Dialogue: 0,0:51:22.56,0:51:23.97,Default,,0000,0000,0000,,Yeah, maybe
Dialogue: 0,0:51:25.06,0:51:26.08,Default,,0000,0000,0000,,it might be possible.
Dialogue: 0,0:51:26.08,0:51:30.78,Default,,0000,0000,0000,,But actually it is as I know using the frequency
Dialogue: 0,0:51:30.78,0:51:36.22,Default,,0000,0000,0000,,that legitimate basis stations is already like illegal to use.
Dialogue: 0,0:51:36.23,0:51:36.99,Default,,0000,0000,0000,,So
Dialogue: 0,0:51:37.76,0:51:39.99,Default,,0000,0000,0000,,I think that cannot be the solution.
Dialogue: 0,0:51:45.06,0:51:49.98,Default,,0000,0000,0000,,Alright. I actually don't see anybody yet but there is one at Mike three Please.
Dialogue: 0,0:51:51.06,0:51:56.07,Default,,0000,0000,0000,,Yes. So you show us sub frame what you replace it?
Dialogue: 0,0:51:56.86,0:51:58.77,Default,,0000,0000,0000,,Why can't your hash
Dialogue: 0,0:51:59.36,0:52:01.69,Default,,0000,0000,0000,,the values for integrity.
Dialogue: 0,0:52:02.06,0:52:04.34,Default,,0000,0000,0000,,So the replacements will be kind of hard to do.
Dialogue: 0,0:52:05.96,0:52:13.28,Default,,0000,0000,0000,,Maybe that also can be your problem and solution, but using hash right,
Dialogue: 0,0:52:15.82,0:52:16.69,Default,,0000,0000,0000,,I said probably.
Dialogue: 0,0:52:17.62,0:52:23.21,Default,,0000,0000,0000,,-- So\N-- just to check some the full frame, so if you replace the suffering,
Dialogue: 0,0:52:23.33,0:52:25.06,Default,,0000,0000,0000,,that should be involved.
Dialogue: 0,0:52:27.05,0:52:28.96,Default,,0000,0000,0000,,Yeah, but that can be a solution,
Dialogue: 0,0:52:28.96,0:52:31.54,Default,,0000,0000,0000,,but I think we have to think about how
Dialogue: 0,0:52:31.54,0:52:36.29,Default,,0000,0000,0000,,to connect a secure connection at the first time.
Dialogue: 0,0:52:36.30,0:52:38.48,Default,,0000,0000,0000,,If we don't have anything between like
Dialogue: 0,0:52:38.85,0:52:40.77,Default,,0000,0000,0000,,U e and D network,
Dialogue: 0,0:52:41.25,0:52:45.06,Default,,0000,0000,0000,,maybe sending some hash also will be challenged maybe
Dialogue: 0,0:52:47.15,0:52:49.88,Default,,0000,0000,0000,,is that can be a solution to your question.
Dialogue: 0,0:52:51.50,0:52:51.98,Default,,0000,0000,0000,,There you go.
Dialogue: 0,0:52:52.45,0:52:56.22,Default,,0000,0000,0000,,-- Yes, so I'm not\N-- sure if I understood, so, you know that I could
Dialogue: 0,0:52:56.22,0:52:56.61,Default,,0000,0000,0000,,Have,
Dialogue: 0,0:52:56.62,0:52:57.76,Default,,0000,0000,0000,,let's say 10 frames,
Dialogue: 0,0:52:58.25,0:53:00.17,Default,,0000,0000,0000,,-- can you replace\N-- suffering too?
Dialogue: 0,0:53:00.75,0:53:01.22,Default,,0000,0000,0000,,Right,
Dialogue: 0,0:53:01.37,0:53:02.37,Default,,0000,0000,0000,,yep,
Dialogue: 0,0:53:02.95,0:53:06.48,Default,,0000,0000,0000,,-- yes, So if all\N-- The 10 frames will be harsh,
Dialogue: 0,0:53:07.95,0:53:10.54,Default,,0000,0000,0000,,your replacement will be detected.
Dialogue: 0,0:53:11.85,0:53:14.37,Default,,0000,0000,0000,,Is it possible on multi level
Dialogue: 0,0:53:15.66,0:53:18.69,Default,,0000,0000,0000,,-- to change the\N-- standard to have some hashing or integrity?
Dialogue: 0,0:53:20.45,0:53:22.47,Default,,0000,0000,0000,,Yeah, maybe that will be possible,
Dialogue: 0,0:53:22.47,0:53:30.98,Default,,0000,0000,0000,,but I think we need another way to transfer the hash value to check the connection.
Dialogue: 0,0:53:31.55,0:53:34.48,Default,,0000,0000,0000,,Well, I think that can also be another solution.
Dialogue: 0,0:53:37.65,0:53:39.52,Default,,0000,0000,0000,,Alright, let's go to mike wanda.
Dialogue: 0,0:53:41.05,0:53:44.68,Default,,0000,0000,0000,,-- Um I would like to know if you know what\N-- your personal
Dialogue: 0,0:53:44.68,0:53:46.16,Default,,0000,0000,0000,,opinion and feeling
Dialogue: 0,0:53:46.16,0:53:49.41,Default,,0000,0000,0000,,-- is um if this will\N-- be mitigated
Dialogue: 0,0:53:49.42,0:53:51.97,Default,,0000,0000,0000,,-- by the vendors and the standard\N-- bodies,
Dialogue: 0,0:53:53.85,0:53:55.32,Default,,0000,0000,0000,,I mean, will they fix it?
Dialogue: 0,0:53:56.45,0:53:58.07,Default,,0000,0000,0000,,Ah in the future. Right.
Dialogue: 0,0:53:58.95,0:54:01.99,Default,,0000,0000,0000,,-- Of course. In the future they cannot fix it in\N-- the past. Right?
Dialogue: 0,0:54:02.21,0:54:03.87,Default,,0000,0000,0000,,Yeah, so
Dialogue: 0,0:54:05.15,0:54:07.55,Default,,0000,0000,0000,,maybe as I said before,
Dialogue: 0,0:54:07.56,0:54:10.12,Default,,0000,0000,0000,,like Jessamy is already like considering these
Dialogue: 0,0:54:10.12,0:54:13.27,Default,,0000,0000,0000,,attacks and they have some regular meetings,
Dialogue: 0,0:54:13.65,0:54:19.56,Default,,0000,0000,0000,,Maybe the last meeting was in Nevada in november. And maybe in the future they will
Dialogue: 0,0:54:20.15,0:54:21.88,Default,,0000,0000,0000,,but not for now. So
Dialogue: 0,0:54:23.15,0:54:24.07,Default,,0000,0000,0000,,maybe you have to ask
Dialogue: 0,0:54:24.45,0:54:26.67,Default,,0000,0000,0000,,If there is any person from three g. p. p.
Dialogue: 0,0:54:29.15,0:54:29.57,Default,,0000,0000,0000,,Okay.
Dialogue: 0,0:54:30.05,0:54:31.76,Default,,0000,0000,0000,,Okay. Alright. Thanks.
Dialogue: 0,0:54:32.61,0:54:36.38,Default,,0000,0000,0000,,Does the Signal angel have any other questions? No.
Dialogue: 0,0:54:37.35,0:54:41.74,Default,,0000,0000,0000,,-- Then I think this concludes the question and answer section. Thanks\N-- again.
Dialogue: 0,0:54:41.75,0:54:42.38,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:54:43.45,0:54:44.16,Default,,0000,0000,0000,,Yeah.
Dialogue: 0,0:54:49.25,0:54:51.88,Default,,0000,0000,0000,,Mm hmm hmm hmm hmm hmm hmm hmm hmm hmm hmm hmm hmm hmm.
Dialogue: 0,0:54:56.05,0:54:59.37,Default,,0000,0000,0000,,Yeah.
Dialogue: 0,0:55:00.65,0:55:00.88,Default,,0000,0000,0000,,Okay.
Dialogue: 0,0:55:01.45,0:55:01.68,Default,,0000,0000,0000,,Thank you.
Dialogue: 0,0:55:02.65,0:55:03.08,Default,,0000,0000,0000,,Mm hmm
Dialogue: 0,0:55:05.85,0:55:06.27,Default,,0000,0000,0000,,mm hmm.
Dialogue: 0,0:55:10.35,0:55:10.68,Default,,0000,0000,0000,,Okay.