applause
Karsten Nohl: Great to be back. Thank you
very much, talking once again on mobile
security, taking two very different
angles, though, from what we talked about
the last couple of years. This time we want
to dive into the same topic that Tobias
Engel just did, looking at insecurities
that arise from the interconnect networks
between different operators and we want to
add another angle. And that is how YOU
can start self defending yourself from the
insecurities that many of your operators
have left open for many years, including
the new ones that Tobias and myself talk
about. If you do watch this on a download,
do go back and also watch Tobias's talk,
it's well worth it and also covers a lot
of the basics that I'm just going to skip
over now for the sake of time. Great talk,
by the way. Thank you Tobias. So aside
from… applause Aside from those SS7
based attacks, we want to talk about 3G
insecurities, not too many of them, but
severe as ever, as well as in the last
chapter. Then a few tips, as well as a new
tool to help you start self defending
against these mobile attacks. Now, just
briefly, then, what is the SS7 network?
Tobias has already covered the basics. So
just a quick definition from me. It's this
network that different mobile operators
are connected to, to exchange data among
each other. For instance, text messages
are sent over this network. So without SS7,
you couldn't be using this ancient chatting
technology SMS. Thank you SS7. But also
more security relevant information is
exchanged over SS7. For instance, if you're
using your phone in another country, as
many of you currently do, you still want
this visiting network to be able to use
encryption with your phone, but how is that
network going to know the right encryption
key? So this visiting network, the German
network, has to ask your home network for
the correct encryption key and that goes
over SS7. And you can already see, if
there's cryptographic information being
exchanged, if the wrong people ask and
still receive an answer, insecurities
arise. More interesting from a security
perspective, though, are messages that are
exchanged within one network over SS7.
So SS7 is often misunderstood as this
technology that's used for worldwide
exchange of information. The same network,
though, is used inside an operator. So
there's no need for interconnect. There
are already SS7 flows going on between those
different mobile switching centers, MSCs.
And each mobile switching center covers
one area, let's say a city. So imagine a
situation where you're in a call
and you're traversing from one area to
another. You're crossing, let's say, your
state boundary. So there's a new MSC that
doesn't know how to handle your call. It
needs the decryption key for the already
ongoing conversation. So there's another
SS7 message that allows you to query for
the key of a transaction that's currently
going on. OK? And again, you can already
see how if the wrong people send this type
of message and they receive an answer,
insecurities arise. The insecurity that
has most been talked about in recent
years, again, up until Tobias's talk, was
tracking. And tracking was often understood
as: there's this evil message, the Any Time
Interrogation, and The Washington Post
focused a whole article on just one
message. And it's really evil. It
should never have been standardized. And
whenever it's used, it's for evil purposes.
There's no usefulness in this message. And
Tobias quoted a number that I think The
Washington Post found in a lot of
marketing material: 70 percent of mobile
networks respond to this message. Now,
this is information from earlier this year.
A lot of networks, very good news, have
moved to stop responding to the Any Time
Interrogation message. This evil spying
message is not being responded to by, for
instance, all German networks. You can't
use this message in Germany anymore.
However, this is a very retroactive
approach to securing SS7 because there's a
number of other messages that, consider them
Gadgets, get you to the same place, take a
phone number and take you all the way to
somebody's location. And here's just a
snapshot of which messages you can use,
and Tobias went into a greater level of
detail on how these different messages
come together. So if anybody thinks that
just by barring Any Time Interrogation you
solved the tracking problem, they are wrong.
But at the same time, it's not that SS7 is
not securable. It's just a much larger
challenge than people currently consider
it to be. So you see how stringing
together some of these messages gets you to
intermediate values that also shouldn't be
public and then all the way to a cell ID.
And until all these messages, or at
least every path that takes you from left
to right, is blocked by a network, tracking
to the same accuracy, to cell ID, stays
possible. Now, this is just one of many
areas in which SS7 can become an issue.
Here are four more: it's an intercept risk,
if people can read your SMS text or listen
to your calls. It's a denial of service
risk, if people cut you off from
phone connectivity for anywhere from an
hour until the next location update, or
until you next reboot your phone, so you
can really cut people off badly from the
phone network. There's this area of fraud
that I don't think many people want to
talk about publicly, certainly I don't.
But there are many fraud risks in SS7
in which you can easily put charges
on somebody else's bill, or, more
interestingly, you can remove limits on
your own prepaid cards, basically run up
infinite charges on prepaid cards and, you
know, run up a lot of bills to
premium numbers, for instance. And then
there's the risk of spamming, which from
what I hear is already happening, SS7
based spam attacks. Now, for the sake of
this talk, I want to focus on intercept,
which I consider, aside from tracking, the
most intrusive and the most relevant for
us; the others, just as a risk, are more
relevant for the network operators. And if
they don't solve them, well, so be it, as
long as they foot the bill for it. So
intercept. And I want to go into three
possible scenarios in which SS7 assisted
intercept can happen. The first abuses
the exact message we looked at in the
introduction, these messages where
different parts of networks ask each other
for encryption information, and it's a
pretty straightforward attack. You record
the airwaves around somebody, in
somebody's vicinity, and you record
somebody's encrypted transaction as part of
that, right? So 3G transactions, for
instance, are pretty well secured, but
they're not very hard to record. In fact,
3G is a little bit easier than 2G because
it doesn't jump around all these
frequencies. So you record, let's say, 3G
data and you have a bunch of transactions,
all of them encrypted. And you can use
this message over SS7 to decrypt them.
It's called Send ID. And as I said on
one of the earlier slides, it's supposed
to be used when you're moving from one MSC
into another MSC, but still within your
own network, so that the call doesn't get
disrupted. It's not supposed to be used
when somebody foreign wants to
query your phone; if they need a new
encryption key, a new call needs to start
anyway. There's no way to hand over a call
from one operator to another operator
without disruption. So this message is
used only for internal purposes. However,
out of the four German operators earlier
this month, all four responded to this
request coming from another country,
another country that doesn't even border
Germany. So there's no way to even
conceptually think a call would be handed
over. So four out of four. And that's not
an anomaly. Most networks respond to an
outside number internationally when asked
for the current decryption key. I'll show
you a quick demo on this at the end of
this chapter.
But first I'll finish the enumeration of
all the different possibilities in which
3G calls can be intercepted. The second
one, the good old IMSI catchers, which we
also thought wouldn't work on 3G. And I
guess for the most part they don't, unless
SS7 comes to help. So why don't they
work without SS7? An IMSI catcher
pretends to be a base station. And if
it's 2G technology, the phone has no way
of knowing the difference between the real
base station and a fake base station. But
then the 3G standard introduced what I
call mutual authentication. So this time
the base station has to prove to a phone
that in fact it's legitimate, and unless it
does that, the phone won't connect. Now,
this only solves part of the IMSI catcher
problem. Just taking the name, even the
catching is still possible, IMSI catching
in the sense of creating a list of all the
IMSIs in a location. Because there's a
certain chicken and egg problem.
If you want me as a base station to
authenticate to you, you first have to
tell me who you are. There's no such thing
as SSL or any type of public key on the
mobile network. It's all symmetric key. So
you first have to tell me which key to use,
and by that I know who you are. So IMSI
catching is always possible. And that's why,
if you Google for 3G IMSI catcher, those
things exist. But they aren't capable of
recording phone calls or SMS because those
require mutual authentication. They
aren't capable of doing so unless they ask
over SS7 for an authentication key. So
IMSI catchers are back in the 3G world
big time, unless we solve these SS7
problems, right? The third possibility
of intercept - this is probably the
scariest because it can happen completely
remotely - both ones enumerated so far,
you have to be somewhere in the vicinity
of somewhere. So the third
possibility, I want to call the rerouting
attacks, and they work in both directions.
Rerouting is the idea, and Tobias
touched on this, of taking
somebody's phone calls and changing
the destination number so that, in fact,
you call somebody else, unbeknownst to you,
of course, as the victim. And this works
for incoming calls and outgoing
calls, but using very different methods.
So it just kind of accidentally works in
both directions. And this part, I just
briefly want to demonstrate. Tobias and
I coordinated on most of this. But this
part, I guess, we kind of misunderstood
each other, as we both showed this. I'll
keep this very brief. And the point I want
to get across is that one single SS7
message is already a big intercept
problem. Let's see. Connected here. Um, so
I'll try not to make the same mistake as
Tobias and cut off part of my
number here. So, 31C3 demo phone.
So I'm calling a phone that, in fact,
accidentally we left in… So… fuck
Laughter and applause
Ring-back tone starts
So I am calling this number and I don't
know if you can hear it, but it's ringing.
And we did leave his phone back in Berlin
accidentally. But for the sake of this
demo, that makes no difference. So it's a
phone somewhere in Berlin. Nobody
answers it. Here is another phone.
Ring-back tone stops
So if I register what they call a
supplementary service to this number, and
that's just fancy language for
call forwarding, and I call this exact same
number again.
Ring-back tone starts
Phone ringing also starts
This phone is ringing.
Applause
Both ring-back and ring-tone stop
Still applause
Now, of course, to make this a real
intercept, I wouldn't forward it to a
phone, I would forward it to a computer
that then is smart enough to very quickly
erase the call forwarding and call the
original number and then connect it, so
that the phone call actually
goes to where it was supposed to go. Just
that I'm sitting in the middle and I'm
receiving a copy of it. OK, so that's the
idea in this direction; in the other
direction, the exact same thing works as
well. And Tobias already told you about
these services that say, let me rewrite
your phone number for you because you
don't know how to dial a phone number when
you're on vacation. Right. Those services
can be set by anybody, at least on a lot
of networks. And you can see how the exact
same thing works there, so that every time
you dial a number, they just move their own
number in place of that number and then
connect those two calls. So, as I said, I
consider those to be the scariest type of
attacks because they work completely
remotely; you don't have to be in the radio
vicinity of anybody. And surprisingly,
this still works against a bunch of
networks, even against those networks that
moved to solve some of the earlier issues.
So networks [are] still very retroactive.
So what do those mobile networks
now have to do to solve those issues?
Well, as always, of course, the answer:
it depends. It depends in this case on the
attack type. Some of the attacks can simply
be blocked. Like the Any Time Interrogation,
where earlier this year they said 70% of
the networks are vulnerable. Now in
Germany it's zero. So something happened
there. And the same is true for
the first type of attack that I've shown,
the passive intercept. I said when we
tested earlier this month all four
networks were vulnerable. Now it's down to
two. So within two weeks, two networks put
in a firewall rule that says this message
has no purpose traversing our outside
network boundary, just block it. The
same typical firewall isn't
possible for these other two types of
attacks because those messages are
actually useful. They do something, at
least in certain circumstances. If you
block the second type of query here, Send
Authentication Info, you couldn't be
roaming in another country anymore. If you
blocked the third one, you couldn't be
changing your voice mail forwarding
from another country anymore. So these are
needed. Still, we can't accept
that just anybody who asks over SS7 ...
Phone ringing
Nohl sighs
You guys!
Laughter
Switched this off. We can't accept
that just anybody who asks over SS7
receives an answer. At the very least
we would expect networks to only answer to
their friends on SS7, and
that is their roaming partners. That's
already a lot fewer companies and
especially a lot fewer sketchy companies
than everybody else on SS7. We would
then want those networks to do some
plausibility checking. Right. So this
phone in Berlin that I just put a
supplementary service on: the network
operator knows the phone is in Berlin and
I sent this from the other end of the world.
Still, they act on it. Right. Any type
of plausibility checking would clearly
see that it is not possible for a phone
to be in one country and for this user to
want to change their voicemail setting
from somewhere completely different. And
then, thirdly, networks need to limit the
rate at which this happens. Those services
that The Washington Post talked about are
tracking services. These are large
operations. They seem to be tracking
thousands of people, constantly. This will
show in logs; you don't allow some random
network somewhere else in the world to
constantly interrogate hundreds of your
users, right? It's clearly abuse. Has any
network moved to put such sensible rules
in? I'm not aware of it, but it's
certainly the next step. And I'm not ready
to give up on SS7 yet. I've heard one too
many times that SS7 is an old technology
built with no security in mind and we just
can't fix it. The Internet also is an old
technology built with no security in mind,
and we did fix it since the 90s, since
when you connected a Windows 95 computer
to the Internet, it got infected with a
virus right away. We have moved to put in
firewalls. We're not exposing our printer
daemon and our file-sharing daemon to the
entire Internet anymore for four billion
people to connect to, and the same is
possible on SS7. Except we're still
in the nineties. Thank you.
Applause
Having said that though, let me show you
what happens if we don't do that,
the fun part. So. We argued whether or not
we wanted to show this as a live demo.
You'll understand why we don't show it as
a live demo. There is just too much stuff
that could go wrong. But here's the setup.
We start with just a phone number
and we want to string together a couple of
SS7 gadgets while also having this radio
handy that can capture 3G information, to
capture yet more information that's not
available over SS7. Right. So we start
with a phone number and we send what's
called an SRI-for-SM message, which gives
us, if the network is configured to answer,
the IMSI and the MSC that the subscriber
is currently connected to. Those two are
used as parameters into another call,
called the PSI message, Provide
Subscriber Info. And that call then
gives us the Cell ID. This is just how
you get more and more information with
different gadgets. Now the Cell ID tells
us where somebody is physically. So imagine
we now move our radio to that
location and we again send a PSI. We record,
with the radio, not the PSI, but what
happens over the airwaves when we send the
PSI and the phone gets paged. So when we
send the PSI over SS7, the phone receives
some information. Right. This radio plus a
little bit of GNU Radio scripting gives us
that information: who has been paged
during that short window of time that
we recorded? Now when we record
something on UMTS, we always record four
different cells – they share frequencies.
But you see that the one cell with the
Cell ID that came back over SS7 is included
in our set. So we filter the data for
that cell and we look for which IMSIs are
included. And luckily for us, only one
IMSI got paged within those few
seconds on that cell. It's the same.
This is now the TMSI that belongs to
this phone. This is information we can't
get over SS7. But what you can do over SS7
with the TMSI is request a key, so it gets
complicated. But so we have the decryption
key now, and the next time this phone
receives something, unless it changes the
key, in which case we can ask again for
a new key. Next time this phone receives
something. And what you don't see in the
video is, somebody is now sending a text
message to the phone. We can also record
that, right. Again, same radio, the one
shown in the picture; now the phone
received a text message. And there's a few
more steps. So the phone received a text
message and we also, again, recorded the
airwaves. We again run it through some GNU
Radio script. Now, with UMTS,
everything is kind of complicated, so
there are different connections, of
course, happening all at the same time,
and then they'll get allocated to
different channels. So now, in order to
decode this text message, we're going to
find out which channel is used. So this
command gives us the list of which
channels have been allocated. And we have
to find the TMSI from earlier in one of
these channel allocations. And Wireshark
is a great help in this. We didn't have to
do anything with Wireshark. It just knows
all that 3G stuff right out of the box. So
luckily, the first of these five
connection requests is the right one, and
scrolling all the way down, there are the
parameters that say which channel this
transaction happened on. So those two
numbers, 15 and 48, are the channel. So we
need the cell frequency, and we need
those two numbers that
are the channel, and the key, you know,
this is only 64 bit. I'll discuss that
a little later. And that's all we need to
decrypt an SMS. And there it is.
Applause
Thank you.
This still works today, but only against
two out of the four German networks. Some
of them moved to stop some of these
messages, of course, most importantly
this SI message that gives you the
decryption key. But even if you block this
message, just acquiring somebody's
location can already be intrusive enough.
All right. Moving on to 3G security, or
rather extending on 3G security since this
already touched on 3G in a big way.
You remember the good old days where
you could just intercept all phone calls
with the Osmocom phone. Thank you, by the
way, for that open source project that
helped us so much over the years. And you
combine that with the Kraken software to
decrypt the phone call. So with a 20 year
old version of a phone and a server you can
listen to anybody's GSM calls as long as
they're using the A5/1 cipher. Some
networks recently moved to A5/3.
So it doesn't work this way anymore. Now,
how does this compare to 3G security?
As I've just shown, basically the same
attacks are possible. Instead of the
Osmocom phone, we use a programmable radio,
some more software, but again, very
affordable, 400 euros or
something. And you combine that, instead
of with Kraken, with SS7 queries. So unless
we fix SS7, 3G is no more secure than 2G
and neither is A5/3, the recent
upgrade of GSM, because those keys are
again exposed over SS7. Now, for some
networks, you don't even need that second
part, so they have bigger things to worry
about than SS7 attacks. And our data
set isn't all that large. Some of you
provided measurements through a
software release last year. So thank you
very much for that. And we have captures
from maybe 20, 25 countries; out of those,
five happen to use no 3G encryption at
all. Well, four countries, five network
operators. Right. Which I find shocking.
Some of these even have encryption turned
on on their GSM network and then forgot to
turn it on, or deliberately left it out
because it's harder to intercept on the 3G
variant. Right. So those networks, as I
said, have much more worrisome
issues than SS7 attacks. And they really
need to be called out. And we do that with
an extension of a website that we've been
maintaining for a couple of years, gsmmap.
A big update of gsmmap launched today
with all the 3G measurements we
collected and you collected over the last
couple of years. Now, some of you may have
used gsmmap before. The idea is to rank
operators in three categories: how
hard is it to intercept phone calls and
SMS? Is it easy to impersonate a person
and then put charges on a bill, for
instance, or receive the calls? How hard
is it to track them? And as you see, over
the last years, networks have improved
their security, at least some, as always.
Good. And as you also see, these are the 2G
networks; even the best secured 2G network,
in Germany anyway, in our opinion, is
less secure than the worst secured 3G
network. These are four 3G networks. Still,
we want networks to implement all security
features. And as you saw before, some
other countries don't have that luxury of
all 3G networks being reasonably secure.
Now, the first version of our metric is
very crude and we want to improve upon
this over time. But currently how we
calculate the score is we give ninety
percent of the points to anybody who
switches on encryption. That's the main
security feature, and the remaining 10
percent you earn by changing the TMSI
quickly. The TMSI is what we needed for these
SS7 attacks to work well. So if you keep
changing it, it really confuses the
person trying to haunt you. Also,
this makes other types of attacks more
difficult. We'll factor in a couple more
values as we collect more data. But this
is it for now. So, yeah, big update on
gsmmap. If you haven't checked it out,
check out your country on gsmmap, read the
country report. There's a six page or so
report, auto generated, that explains what
types of measurements we included
in these graphs and why we think they
constitute certain risks. Maybe
forward it to your network and say, if
you're not improving, I'm going to
switch to another network. Now, not
everything is on gsmmap yet because we
don't have enough data. And there's one
problem in particular that I want to start
warning about, because I really think
we're running into an issue here. And that
is the length of the encryption key. You saw
in the capture, in the video data
that I showed, that the key that came back
over SS7 was actually only 64 bit from this
particular network. And the SIM card that
was used in this attack was
bought that very same week. So we recorded
this video last week. So it's the most
recent SIM card you can buy from this
network. And still it only uses 64 bit.
And that, in my view, is incompatible with
what we have learned from recent
Snowden documents, that the NSA in 2011,
2012 funded a project to break A5/3.
This is a 64 bit cipher. And we had
estimated at this very conference a year
ago that you'd need about a million
dollars to break A5/3. Now, they
did it a little bit earlier. So, Moore's
Law, everything's more expensive, and
probably they have overhead, too. But they
spent apparently four billion pounds. I
don't know why pounds, not dollars, but it
may have been some GCHQ cooperation. So
for four million pounds a couple of years
ago, you could already break 64 bit crypto, and
64 bit is more prevalent in mobile
networks than you would have thought. When
they upgraded the GSM networks to A5/3,
they didn't actually upgrade it to UMTS
security, as everybody claimed they did.
They upgraded it to the cipher used in
UMTS with a key half the size. When
writing the A5/3 standards though, the
people were smart enough to also put in
the real UMTS cipher with full key size,
they called it A5/4, and it has never
been seen anywhere since. It's written in
the standard. It was released the same day
that A5/3 was released. Nobody has ever
moved to implement that. So GSM for the
time being is and will be vulnerable to
anybody with a one million dollar
machine in the basement. Certainly NSA,
but more and more people as we move
forward. And what costs a million dollars
today, thanks to Moore's Law, in a couple
of years anybody can break on a
computer, like we today break A5/1.
If your network uses certain older
SIM cards - there is a differentiation
between a SIM card and a USIM, a UMTS SIM
card - if your network only uses SIM cards,
then even your 3G transactions are 64 bit
encrypted. So there is no way to generate
more entropy. You could query for two
keys, I guess, but they weren't smart
enough to do that. So, 64 bit encryption
for UMTS, and that's just not good enough.
And as I said, the network that we did
the demo with, we were surprised to see a
64 bit key. We went back in our database
of SIM cards. We found a lot of SIM cards
that have this problem. We want to add
this to gsmmap, but we don't want to be
unfair just because we see one very old SIM
card in the network. We don't want to give
them a low score versus somebody else
where we only see a new card. So we need
lots and lots of data. Help us collect
that data and we'll make it public.
Now, that's one reason why we stay on this
ball and progress the research. The other
main reason, and this is really what keeps
us awake at night, is this question of
how we can get out of the mess. We've been
producing more and more problems. I should
not say produce; we make you aware of more
and more problems over the years and we
always criticize that at least many
networks do not respond to those. So we
have an ever growing stockpile
of mobile security issues that nobody seems
to be addressing. And all we do is wait
for our networks to do something
eventually. Now waiting's over for me, at
least. I'm impatient. I want to do
something now and I want to address all
these issues all at once. Those issues
that we talked about for several years
now, including the SIM card attacks from
last year, silent SMS based tracking,
the SS7 abuse discussed today,
IMSI catcher vulnerabilities and
insufficiently configured networks, 2G as
well as 3G. All of these problems have one
thing in common. Your phone technically
knows that these attacks are happening and
your phone technically knows that a
network is configured insecurely. But
unfortunately it's buried very deep inside
the phone. It's buried inside the
baseband. So as much as you can program
Android, you don't get access to that
information. At least that's how we saw it,
and then we set out and took the better
part of this year. We wanted to dig the
information out from these phones. It's
somewhere in there. There must be some way
to hack it out of it. And we found debug
possibilities for Qualcomm chipsets, just
one vendor, but extremely popular. Right
now they seem to be in every LTE phone
and in a bunch of other phones. And we
found ways of producing exactly
all the data on the right hand side to
make it accessible through an Android
application. And we also wrote an
application for you. So: release today.
Applause
Thank you. Released today: SnoopSnitch,
under GPL. A tool that collects all the
baseband information, mostly to keep it
on the phone and run some analysis on it,
warn you about, as I said, SIM card
attacks, but also those SS7 attacks that
Tobias and I talked about today. How do
you detect those attacks? Well, by the
pagings. I showed you in the video
that every time we send certain queries to
the phone over SS7, the phone
actually also receives information useful
for the attacker. Also useful for the
defender. If those empty pagings, as we call
them, are received by the phone, that's strong
evidence that somebody is messing with you
over SS7. Right. So it collects all that
information and it produces warnings. You
can also upload information, if you so
choose. It's optional, of course. It runs,
as I said, on a bunch of Android phones
that are currently popular. It requires a
somewhat recent Android version; we haven't
tested with Android 5 yet, but I don't
see why it wouldn't work, though. We just
have to put in the time. And your phone needs
to be rooted, so we have access to a
certain interface that otherwise is not
accessible. And it needs, of course, a
Qualcomm chipset, which, as you see by
this list, is in most current flagship
phones. It's on Google Play right now. So
download it if you're interested. Now, how
does this tool work? One example only, of
course, right; read the source code if
you want to know the rest. Take, for
instance, IMSI catcher detection. There
have been a bunch of tools so far to do
IMSI catcher detection. The one we released
a couple of years ago was called CatcherCatcher,
but it had two limitations. One
practical, one more bound to experience.
The practical limitation was that it ran
on Osmocom phones, and Osmocom phones can't
do most phone functionality. So it was always
your second phone, and it had to be
connected to a computer. So very unlikely
that you carried this around all the time.
And we wanted to move it onto a real phone
that you can use, onto your phone. Right? I
think we succeeded in that. The second
limitation was that we really didn't know
how IMSI catchers behaved, and we also
didn't know how real networks behaved. And
thanks to all the data on gsmmap, we think
we have a much better understanding now of
all the weird corner cases, how real
networks behave, and created a much better
ruleset for an Android based catcher
catcher tool now. And the rules go in two
categories. One is the configuration
of these different cells. For
instance, the lack of encryption when, you
know, from the gsmmap database, that this
network does usually support encryption,
that's a big red flag. Also certain other
configurations. So that's the configuration
of the network. The other is behavior, and
the IMSI catcher wants to get
information out from you, at the very
least the IMSI, of course, it's in the
name. Right. So that's suspicious behavior.
Now, none of these things taken by
themselves would allow you to detect an
IMSI catcher. So we compute a score over
these different events, doing stream
analysis on everything that happens on
your phone, and eventually then come out
with a warning if the score crosses a
certain threshold. There's a bunch more we
would have wanted to include that's even
on a Qualcomm chipset in its debug mode
not available. So this is still ongoing work
as these chipsets progress and may give
us more information in the future. Now, if
you do find alerts, let's call them alarms,
on your phone, we'd be grateful if you
could share them. Now, as I said, this is
optional, right? You get the
alerts shown in your little tool
and then you can choose to upload
whichever ones you think should be shared.
If we get enough of them and think
that there are really hot spots of
abuse, of course, we'll try to make that
transparent, perhaps even put little dots
on the gsmmap website so people know where
abuse could be happening, around
demonstrations, around embassies, wherever.
Applause
You can also actively choose to
submit data by running an active test.
Now, usually the phone looks at everything
that you produce, your phone calls, your
SMS. That's always stored on the phone.
There's no way to upload that. And it
computes a score for how secure your
network is using the exact same metrics
that we use on gsmmap. So that's all
ported to the phone now. But if you feel
like the score on gsmmap is heavily outdated,
click this button. It runs some benign tests,
has nothing to do with your transactions. I
guess your location, where you're currently
connected, would be included in the data,
and it uploads it to gsmmap. So that
becomes better and better. And we can spot
more networks that, for instance, lack any
encryption at all. Yeah, so what would I
like you to do, what I
think you should do to better protect
yourself from mobile abuse? Of course you
could keep waiting for your mobile
networks to fix all these issues, which, I
must say, more recently more networks have
moved to fix issues, but still not the
majority. And no network has even started
to address the majority of issues. So it's
just scratching the surface. So what I'd
rather have you do is start defending
yourself. Check out gsmmap, see if you
are on a network that generally protects
things like encryption. You saw the
networks that lack encryption. Don't use
those. And if you really choose self-
defense, download SnoopSnitch, this new
tool, and actively look out for abuse, for
Silent SMS, binary SMS that you receive,
for empty pagings, for IMSI catcher
evidence, and help us grow this database of
abuse. Right. Also help us grow the
tool base that we use. This is released
open source and we put in a lot of work to
make the data accessible. But now it is
accessible, right? Just take it as a
library and go wild with it. Do whatever
you always wanted to do with raw baseband
data on 2G, 3G, 4G. I am very much looking
forward to your contributions to this, and
all that's left for me to say is thank you
very much.
applause
Herald: Thank you, Karsten. Then we will
begin with the Q&A. Please, for
everybody that will be asking questions,
please line up at the microphones in the
room, and people that exit the room,
please do it with no noise and quickly.
Karsten: Now, before getting into the
questions, let me give you one reason to
actually leave now. There's a workshop
happening right now or in a few minutes
that will explain how this tool works and
what it can all do. We'll have an IMSI
catcher there, a day or so. You can tell us
how it feels like being connected to an
IMSI catcher. It's happening in room C,
which is, when you exit here, one floor
down and to this end.
Herald: And additional information: the
workshop that Karsten mentioned starts at
nineteen forty-five.
K: And now to your questions.
distant noise
K: Sure.
Herald: OK, microphone number two, and
please, before you can
start, number two, please do it with no
noise so that we hear the question from the
audience. OK, number two, please.
Mic 2: Thank you. Can you quickly say a
few words about why it wouldn't work on
custom ROMs? Because we could just install
it on Cyanogen phones, and apparently it
installed and it seems to work.
K: Oh, OK. So the way I understood custom
ROMs is that they first remove a bunch of
stuff from the phone and then put a bunch
of stuff on it. Part of what we need are
these proprietary Qualcomm libraries, and
at least on the phones where we tried
CyanogenMod, those are being
removed. So if CyanogenMod could stop
doing that, it would work beautifully.
It's not that we need anything additional.
We just need less to be deleted.
Mic 2: OK, thank you.
Herald: OK. Microphone number …, will you
ask. OK, are there some questions from the
IRC?
K: I think we have a bunch of questions.
Signal Angel: Actually, there are five
questions, so I will just ask one or two
for starting. The first one is: can all
these attacks that you showed in
your talk be mitigated by higher
protocol levels, like encrypted VoIP or
TextSecure, things like that? And what
would be the residual risks?
K: Mm, yeah. A good question. So how much
can you protect yourself by using the
mobile network less, only using it as a dumb
pipe, I guess is the question. What if you
use just apps to call and send text? Well,
obviously your calls and texts won't be
intercepted anymore if they are encrypted
one more time in a way that's not
breakable. However, this does not solve
the location tracking. It does not solve
the fraud. It does not solve the denial of
service. It does not solve the spamming.
So you are tied to a mobile network and it
has a lot of control over you, your
location and your phone bill. None of that
is going to go away.
Herald: Another question from the IRC, one.
Signal Angel: Yeah, um, the second one is:
Wouldn't it be easier to design from
scratch a new mobile network than
trying to find all flaws in actual
networks, which is an endless task?
K: Oh, I don't know where you would even
start designing everything from scratch
completely. The closest that I can think
of to designing the mobile network from
scratch is LTE, in the name of long term
evolution. It really wants to change
everything, but give it a couple of years,
and as Tobias pointed out, those
issues we pointed out today are
again included in LTE. Diameter is the
interconnect protocol. So we already
missed a chance to remove much of these
issues by just upgrading. We'll have to fix
it through firewalls and monitoring, like
we never got to update the Internet.
Herald: OK, microphone number four,
please.
Mic 4: Yeah, just a short thing. Could you
just provide a list of those libraries
you need from the stock images? So I think
it's pretty easy to copy them to the
CyanogenMod images.
K: Ok
Mic 4: OK, and if the app is open source,
maybe you can put it on fdroid?
K: Oh absolutely. Yes. Thank you.
applause
Herald: The microphone number two, please.
Mic 2: Got two questions. If I understood
correctly, you need to be inside the
operator network to actually
perform those SS7 queries, right?
K: Um, well, I would like for this
to be the case. But currently,
anybody in the world connected to SS7 can
send their queries.
Mic 2: OK, so my question is: what was
your hook point for actually doing this
test?
K: I think I'll quote Tobias here by
saying I would rather not say anything
about that.
Mic 2: OK, so the second question is about
the case you mentioned. It's, if I am not
mistaken, the session key, right? And
it should involve that nonce value, right?
K: Yeah.
Mic 2: So if it is, it already has the nonce
value. So in order for the attack to work, we
also need to intercept the initial
messages, the nonce exchange between the
target and the base station. Is that
correct?
K: No, the nonce is… as they are. So
the SIM card knows which key to produce.
Yes. But it helps the phone to find the
right encryption key. We are not the
phone. We don't have the SIM card. Right.
If you just give us the encryption key,
we don't need the nonce.
Mic 2: Yes. So what you're saying is that
the query you're sending there, it
actually sends you not only the encryption
key, but also the nonce that is required.
K: It doesn't send us the nonce and we
don't need the nonce. We can take that
offline now, explain how everything works.
Thank you.
Herald: To microphone number three,
please.
Mic 3: First of all, thank you for a very
good presentation and very impressive work
you've done here.
applause
K: Thank you.
Mic 3: The question I have might be a
little naive, but have you also, besides
taking a look at closing this whole
issue technically, also been taking a
look into what measures can be taken
legally, at least in Germany and some
countries in Europe, now that we have
disclosed that basically certain rules /
laws have not been fulfilled, so that we can
force the operators to implement this
stuff in legal ways?
K: We have not looked into it. Of course,
we consider the possibility as soon as
somebody has an overview of where these
attacks happen. And that seems to be the
issue right now. There's zero attack
transparency. Nobody is looking for these
issues. And partly that's to their
own disbenefit, because as soon as they do
look for this issue, some of these attack
patterns are very easy to stop. As I said,
two German networks mitigated them within
two weeks. And these issues had been open
for 20 years. Had they ever looked into
their own data, they would have seen this
going on. So I'm not very confident that
anybody in Germany at least has an
overview of where abuse would come from.
And as soon as it does, I don't think
there's much point in litigating. Let's
just stop the possibility of abuse, right,
instead of complaining about it happening.
But I'm with you. If there are corner cases
in which abuse just can't be stopped,
let's fight it legally, of course. Right.
And if all of you contribute information
through SnoopSnitch, those empty
pagings, if we can find patterns of
abuse, of course we'll aggregate them and
try to move against them.
Herald: OK, microphone number four,
please.
Mic 4: You said you can buy your way into
the SS7 network, but how easy is it
actually to get your access? And what do
you estimate: how many players are
there in the network? Can you give any
estimation?
K: I have absolutely no idea. I know that
there are some 800 companies who are
legally allowed to access SS7, and then
those, of course, have subcontractors,
legal and illegal, and some people who
bribe them. Yet other people who hack
their systems or the systems of the
subcontractors. It's very hard to
estimate. No idea. But definitely too many
to trust all of them.
Mic 4: And would it be possible for me to
get access to this without any operator
stuff? I don't want to operate a phone
network, but I want to have access because
I want to provide a service, some service?
K: Well, I wish the answer was no, but of
course, if Tobias and I and a bunch
of other people can get access, you should
be able to get that too. But I'm not going
to tell you how.
laughter and applause
Herald: Yet another question from the IRC.
Signal Angel: We're at about nine questions,
so no problem for me. First one: what
about Windows phones, jailbroken
iPhones, or something like this? Will the
app in the end be on these phones?
K: Our app doesn't run on anything other
than Android, but the chipsets are, of
course, the same. So if you can speak to a
chipset through a jailbroken iPhone, for
instance, you could create a similar
application. We just wanted to target the
biggest population of phones, and that
seems to be Android phones.
Herald: Then number two, please.
Mic 2: One further thought on self-defense,
as self-defense has to be
proportionate, I think, and identities are
not secure in the digital sphere. How
about developing some proactive, as we
heard the word, defense tools?
K: Proactive as in hack the networks,
until they have no chance but to fix?
Mic 2: That's what you understood, but.
But, I support that. laughter
K: I'm not going to say that I dislike the
idea. But you won't see me here next year
explaining how I did it.
Mic 2: Thank you.
Herald: Microphone number three, please.
OK. When did you check that the other two
German networks didn't fix the identifier
and the issue?
K: Which network do you work for?
Mic 2: I'm Holger. We talked last week.
K: Yeah. So yeah. Maybe you fixed it too.
We didn't check.
Mic 2: We fixed it within 24
hours after our call.
K: Wow. OK.
Mic 2: On both networks.
applause
K: Thank you. Better late than never. Thank
you.
Mic 2: That's right.
K: OK, so that's three out of four now
that fixed one out of 100 problems.
Mic 2: No, it's… I know that's why we
don't go to the press and don't tell that
SS7 is fixed and we know we still have
problems also. It's all four. I work for
Telefonica, which is O2 and eplus.
K: Oh yeah. Well, congratulations. Sorry.
Sorry for spoiling your Christmas.
laughter
Herald: Microphone number two, please.
Mic 2: I'd like to know why these empty
pagings occur in the context of the
location tracking. I thought, as soon as
the phone registers in the network, the
base station which it is connected to
is known in the network anyway. Is that
the case?
K: That's a very good question. And let me
go back to one earlier slide to
explain that, one second. So the
empty pagings do not occur when you send
these creepy AnytimeInterrogation
messages. They are just there for spying
and there's no way to page the customer.
But since this got blocked, and Tobias went
into great level of detail explaining
this, you need a couple of other messages
to now track some of this location, and
these messages weren't meant for location
tracking, they're meant for other purposes.
For instance, ProvideSubscriberInfo,
that, however you reach it, is always the
last message you need. This does do a
paging, and then ProvideSubscriberInfo
really makes no sense unless you send
something afterwards also: deliver an SMS,
connect a call or whatever. So the paging
is already sent in anticipation that an
SMS will come or that the call will come.
But if you're only the creepy guy tracking
it, they're not going to send an SMS, and
that's where the empty paging comes from.
Mic 2: OK, but still, also in these cases
where something follows the paging, isn't
it a type of double checking whether it's
really there? I mean, the location info
itself should already be present in the
network, isn't it?
K: Yeah, yeah. It just reconfirms that the
subscriber is really there. So it's
basically saying: somebody just
interrogated your location because they
want to send you something. Let's check
that you're really still there because
otherwise we'll tell them something wrong.
But, Tobias, do you want to comment on that?
Tobias: Yeah. OK, so the empty paging is
not anticipation of something that's
coming after. It's to get the current cell
that you are located at, because when you
are moving around in your location area
and the area that is covered by the
switching center that you're currently
being served by, your phone doesn't
necessarily contact the base station. So
it could be that the network's last
position of you is somewhere you received
an SMS or text or call, and then you moved
to a completely different area. If your
phone didn't have network contact in the
meantime, the network would still only
know the last point of contact. So that's
why the empty paging happens, so
that the network knows the base
station that's actually currently closest
to you. That's also why law
enforcement uses a lot of Silent SMS, so
that they can get the last position
in the network. And it's also an option: if
you send provide subscriber information,
you can just send it and get back the last
known position without a paging, or you can
set the current location flag in provide
subscriber information, and only then the
subscriber gets paged and you will receive
the current location.
K: And that's one good example for
how SS7, which is supposed to be
so insecure we can never fix it, can
easily be fixed. There's an option that
says we're using this as a normal feature
that's absolutely needed. And we have this
creepy extension to also ask for the
location. And some networks choose to not
answer that. The answer was zero zero zero
zero and nothing broke. Right. So you can
just ignore the insecure parts of SS7 and
do whatever you think is right. And for
the most part, it continues to work. But
I think we're well beyond answering
your question now, right?
Mic 2: No, but from your answers, thank
you very much, but another question
arises, because if it's actually to locate
your phone and to find out which cell
you're actually in, then it implies that
it's not only one base station that sends
the paging call, but a whole bunch of base
stations. Do you know something about the
algorithm? I mean, how many around the
last known location are paging, everybody
nationwide, or how does…
K: Everybody can implement this as they
wish. And I don't have much insight into
how 3G does it, but in 2G typically it is:
there's one paging sent in the last cell
that saw you. You don't respond. It's sent
in a larger area. You don't respond. It's
sent for the whole location area. And then
in some networks, if you don't respond, they
send it in the entire country. But that's
rare. Right?
Mic 2: Thank you very much.
Herald: Okay. Questions from the IRC?
Signal Angel: Did SnoopSnitch allow you to
reveal any kind of attack in countries?
No special name in mind.
K: Does it allow you to detect attacks in
countries? Yeah, yeah, some kind of
Tapsell. I think the answer is yes. Its
whole purpose is to detect attacks. And it
also works in countries…
laughter
Herald: Did you succeed in detecting attacks?
K: Did we succeed in
detecting? Yes, we did. And if you go down
to the Saal C, Room C, you can see how
people are currently being attacked and
currently they detect that. OK.
Herald: OK microphone number five, please.
Mic 5: Yes, thanks, it's going back to SS7
basics. Can you quickly explain how SS7 is
implemented? Is this a VPN on the public
Internet through the providers? What's the
technical reality of transport?
K: That's a very good question. Of course,
that's a very good question. And I only
have half of the information, too. I keep
learning. But so it seems that it was
implemented initially as a network between
Western European telcos, and they ran
cables, dedicated cables, for SS7.
SIGTRAN they called this, and then a couple
more networks connected to it. And each
of them had to run the cable to one of the
other telcos. But eventually they changed
that and introduced what I call
routing providers. So telcos are not
connected to each other usually, but
through a routing provider, like on the
Internet, and those routing providers
typically don't run a cable to your house
anymore. If you are a new telco, they give
you a VPN over the Internet. So it's
diverse. I'm sure there are still some
dedicated lines between Germany and
France, say, and there are some others
connecting to these big clouds that are
routing providers. And it's actually
really difficult to get your address
routed everywhere in the world. So even if
you connect to SS7, all you're connected
to is one routing provider, and that
routing provider knows that you own these
addresses. Now it's up to you to convince
every other of the big seven or nine,
depending on how you count, routing
providers that you are that guy with those
addresses. So the BGP equivalent of SS7 is
to get nine roaming agreements signed with
people on these other nine operators and
then fax those roaming agreements to
everybody else involved. So they type it
into their computers,
very manual and very hard to grow the
network. But for the most part, it doesn't
change, of course.
Mic 5: So the low level transport is
not really an attack surface from the
public Internet.
K: It can be. The low level transport can
be an attack surface if people just
stupidly leave open their local networks.
But it's rare. It's much more common,
speaking about our talk next year,
hopefully, on the other interconnect
networks: there's one interconnect network
for data roaming. It's called GRX. And
since everything is IP anyway on data
roaming, people sometimes do leave it out
on the Internet or just do it unencrypted
over the Internet. And it does seem to
become more popular also with the SS7
replacement Diameter, which again is pure
IP. So there's no dedicated thing that you
first have to encapsulate in a VPN before
you can route it over the Internet. You
can run Diameter over the open Internet if
you want. It's stupid, but people seem to
do it anyway.
Herald: OK, the microphone number six,
please.
Mic 6: OK, my question is, if you could
comment why these messages were put in the
protocol in the first place, if they are
so easy to block and to fix. And the other
question is, if all the other problems
that you pointed out are as easy to fix
for the network operators.
K: So I don't have an answer to your first
question. Why do you put a tracking
message in the standard and then call it
AnytimeInterrogation? Gosh, like that
invokes feelings for me,
interrogation room and all. I mean, this
is spy stuff, right? And there's no
practical purpose for it. Right. Who
wrote the SS7 standard? Western European
governments being afraid of the Russians,
of their own citizens, who knows? Right. I
don't know why they put every single
message in, though. So your second
question was what again?
Mic 6: If the other vulnerabilities are as
easy to fix? Or just blocking messages.
K: No, they're not. And I tried to point
that out in one of the slides, that
AnytimeInterrogation can be fixed, as can,
for instance, the SendIdentification
message, right. You just block that; there's
no purpose routing this internationally. But
the other queries on this page, at least,
you need those internationally, at least
to enable roaming. So the best you can do
is, as I said, first block these queries
from anybody who's not your roaming
partner, right? Don't respond to those
people, and then do some plausibility
checking. Secondly, make sure that if a
subscriber is actually in your own network,
you don't honor requests from another
country. Right. And that should remove most
of the issues, because most abuse comes from
other countries. It's just more likely, if
there are 800 parties connected to this
network, that the one doing the abuse is
not yours. Good question. Thanks.
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!