applause Karsten Nohl: Great to be back. Thank you very much. Talking once again on mobile security, taking two very different angles, though, from what we talked about the last couple of years. This time we want to dive into the same topic that Tobias Engel just did, looking at insecurities that arise from the interconnect networks between different operators, and we want to add another angle. And that is how YOU can start self-defending against the insecurities that many of your operators have left open for many years, including the new ones that Tobias and I talk about. If you do watch this on a download, do go back and also watch Tobias's talk. It's well worth it and also covers a lot of the basics that I'm just going to skip over now for the sake of time. Great talk, by the way. Thank you, Tobias. So aside from... applause Aside from those SS7-based attacks, we want to talk about 3G insecurities, not too many of them, but severe as ever, as well as, in the last chapter, a few tips, as well as a new tool to help you start self-defending against these mobile attacks. Now, just briefly then, what is the SS7 network? Tobias has already covered the basics, so just a quick definition from me. It's this network that different mobile operators are connected to, to exchange data among each other. For instance, text messages are sent over this network. So without SS7, you couldn't be using this ancient chatting technology, SMS. Thank you, SS7. But also more security-relevant information is exchanged over SS7. For instance, if you're using your phone in another country, as many of you currently do, you still want this visiting network to be able to use encryption with your phone, but how is that network going to know the right encryption key? So this visiting network, the German network, has to ask your home network for the correct encryption key, and that goes over SS7.
And you can already see: if there's cryptographic information being exchanged, and the wrong people ask and still receive an answer, insecurities arise. More interesting from a security perspective, though, are messages that are exchanged within one network over SS7. So SS7 is often misunderstood as this technology that's used for worldwide exchange of information. The same network, though, is used inside an operator, so there's no need for interconnect. There are already SS7 flows going on between those different mobile switching centers, MSCs. And each mobile switching center covers one area, let's say a city. So imagine a situation where you're in a call and you're traversing from one area to another. You're crossing, let's say, your state boundary. So there's a new MSC that doesn't know how to handle your call. It needs the decryption key for the already ongoing conversation. So there's another SS7 message that allows you to query for the key of a transaction that's currently going on. OK? And again, you can already see how, if the wrong people send this type of message and they receive an answer, insecurities arise. The insecurity that has been talked about most in recent years, again, up until Tobias's talk, was tracking. And tracking was often understood as: there's this evil message, the Any Time Interrogation, and The Washington Post focused a lot of an article on just one message. And it's really evil. It should never have been standardized. And whenever it's used, it's for evil purposes. There's no usefulness in this message. And Tobias quoted a number that I think The Washington Post found in a lot of marketing material: 70 percent of mobile networks respond to this message. Now, this is information from earlier this year. A lot of networks, very good news, have moved to stop responding to the Any Time Interrogation message. This evil spying message is not being responded to by, for instance, all German networks.
You can't use this message in Germany anymore. However, this is a very retroactive approach to securing SS7, because there are a number of other messages that, consider them gadgets, get you to the same place: take a phone number and take you all the way to somebody's location. And here's just a snapshot of which messages you can use, and Tobias went into a greater level of detail on how these different messages come together. So if anybody thinks that just by barring Any Time Interrogation you solved the tracking problem, they are wrong. But at the same time, it's not that SS7 is not securable. It's just a much larger challenge than people currently consider it to be. So you see how stringing together some of these messages gets you to intermediate values that also shouldn't be public, and then all the way to a cell ID. And up until all these messages, or at least every path that takes you from left to right, are blocked by a network, tracking to the same accuracy, to cell ID, stays possible. Now, this is just one of many areas in which SS7 can become an issue. Here are four more. It's an intercept risk, if people can read your SMS texts or listen to your calls. It's a denial-of-service risk, if people cut you off from phone connectivity for anywhere from an hour until the next location update or until you next reboot your phone, so you can really cut people off badly from the phone network. There's the area of fraud, that I don't think many people want to talk about publicly; certainly I don't. But there are many fraud risks in SS7 in which you can easily put charges on somebody else's bill, or more interestingly, you can remove limits on your own prepaid cards, basically run up infinite charges on prepaid cards and, you know, run up a lot of bills to premium numbers, for instance. And then there's the risk of spamming, which from what I hear is already happening, SS7-based spam attacks.
Now, for the sake of this talk, I want to focus on intercept, which I consider, aside from tracking, the most intrusive and the most relevant for us. Just as a risk, the others are more relevant for the network operators, and if they don't solve them, well, so be it, as long as they foot the bill for it. So intercept. And I want to go into three possible scenarios in which SS7-assisted intercept can happen. The first abuses the exact message we looked at in the introduction, these messages where different parts of networks ask each other for encryption information, and it's a pretty straightforward attack. You record the airwaves in somebody's vicinity and you record somebody's encrypted transaction as part of that, right? 3G transactions, for instance, are pretty well secured, but they're not very hard to record. In fact, 3G is a little bit easier than 2G because it doesn't jump around all these frequencies. So you record, let's say, 3G data and you have a bunch of transactions, all of them encrypted. And you can use this message over SS7 to decrypt them. It's called Send ID. And as I said on one of the earlier slides, it's supposed to be used when you're moving from one MSC into another MSC, but still within your own network, so that the call doesn't get disrupted. It's not supposed to be used when somebody foreign wants to query your phone. If they need a new encryption key, a new call needs to start anyway. There's no way to hand over a call from one operator to another operator without disruption. So this message is used only for internal purposes. However, out of the four German operators, earlier this month all four responded to this request coming from another country, another country that doesn't even border Germany. So there's no way to even conceptually think a call would be handed over. So four out of four. And that's not an anomaly.
Most networks provide an international response to an outside number when asked for the current decryption key. I'll show you a quick demo on this at the end of this chapter. But first I'll finish the enumeration of all the different possibilities in which 3G calls can be intercepted. The second one: the good old IMSI catchers, which we also thought wouldn't work on 3G. And I guess for the most part they don't, unless SS7 comes to the help. So why don't they work without SS7? An IMSI catcher pretends to be a base station. And if it's 2G technology, the phone has no way of knowing the difference between the real base station and a fake base station. But then the 3G standard introduced what I call mutual authentication. So this time the base station has to prove to a phone that in fact it's legitimate, and unless it does that, the phone won't connect. Now, this only solves part of the IMSI catcher problem. Just taking the name, even the catching is still possible, IMSI catching in the sense of creating a list of all the IMSIs in a location. Because there's a certain chicken-and-egg problem. If you want me as a base station to authenticate to you, you first have to tell me who you are. There's no such thing as SSL or any type of public key on the mobile network. It's all symmetric key. So you first have to tell me which key to use, and by that I know who you are. So IMSI catching is always possible. And that's why, if you Google for 3G IMSI catcher, those things exist. But they aren't capable of recording phone calls or SMS, because those then require the mutual authentication. They aren't capable of doing so unless they ask over SS7 for an authentication key. So IMSI catchers are back in the 3G world big time, unless we solve these SS7 problems, right? The third possibility of intercept, this is probably the scariest because it can happen completely remotely. For both that I've enumerated so far, you have to be somewhere in the vicinity of somebody.
So the third possibility I want to call the rerouting attacks, and they work in both directions. Rerouting is the idea, and Tobias touched on this, of taking somebody's phone calls and changing the destination number so that, in fact, you call somebody else, unbeknownst to you, of course, as the victim. And this works for incoming calls and outgoing calls, but using very different methods. So it just kind of accidentally works in both directions. And this part, I just briefly want to demonstrate. Tobias and I coordinated on most of this, but this part, I guess we kind of misunderstood each other, as we both showed this. I'll keep this very brief. And the point I want to get across is that one single SS7 message is already a big intercept problem. Let's see. Connected here. Um, so I'll try not to make the same mistake as Tobias and try to cut off part of my number here. So, 31C3 demo phone. So I'm calling a phone that, in fact, accidentally we left in... So... fuck. Laughter and applause Ring-back tone starts So I am calling this number, and I don't know if you can hear it, but it's ringing. And we did leave this phone back in Berlin accidentally. But for the sake of this demo, that makes no difference. So it's a phone somewhere in Berlin. Nobody answers it. Here is another phone. Ring-back tone stops So if I register what they call a supplementary service to this number, and that's just fancy language for call forwarding, and if I call this exact same number again... Ring-back tone starts Phone ringing also starts This phone is ringing. Applause Both ring-back and ring-tone stop Still applause Now, of course, to make this a real intercept, I wouldn't forward it to a phone, I would forward it to a computer that then is smart enough to very quickly erase the call forwarding and call the original number and then connect it, so that the phone call actually goes to where it was supposed to go.
Just that I'm sitting in the middle and I'm receiving a copy of it. OK, so that's the idea in this direction. In the other direction, the exact same thing works as well. And Tobias already told you how these services that say, let me rewrite your phone number for you because you don't know how to dial a phone number when you're on vacation, right, those services can be set by anybody, at least on a lot of networks. And you can see how the exact same thing works there, so that every time you dial a number, they just move their own number in place of that number and then connect those two calls. So, as I said, I consider those to be the scariest type of attacks because they work completely remotely; you don't have to be in the radio vicinity of anybody. And surprisingly, this still works against a bunch of networks, even against those networks that moved to solve some of the earlier issues. So networks [are] still very retroactive. So what do those mobile networks now have to do to solve those issues? Well, as always, of course, the answer: it depends. It depends in this case on the attack type. Some of the attacks can simply be blocked. Like the Any Time Interrogation, where earlier this year they said 70% of the networks are vulnerable. Now in Germany it's zero. So something happened there. And the same is true for the first type of attack that I've shown, the passive intercept. I said when we tested earlier this month, all four networks were vulnerable. Now it's down to two. So within two weeks, two networks put in a firewall rule that says: this message has no purpose traversing our outside network boundary, just block it. The same typical firewall isn't possible for these other two types of attacks, because those messages are actually useful. They do something, at least in certain circumstances. If you block the second type of query here, Send Authentication Info, you couldn't be roaming in another country anymore.
If you blocked the third one, you couldn't be changing your voicemail forwarding from another country anymore. So these are needed. Still, we can't accept that just anybody who asks over SS7... Phone ringing Nohl sighs You guys! Laughter Switched this off. We can't accept that just anybody who asks over SS7 receives an answer. At the very least, we would expect networks to only answer to their friends on SS7, and that is their roaming partners. That's already a lot fewer companies, and especially a lot fewer sketchy companies, than everybody else on SS7. We would then want those networks to do some plausibility checking. Right. So this phone in Berlin that I just put a supplementary service on: the network operator knows the phone is in Berlin, and I sent this from the other end of the world. Still, they are not on it. Right. Any type of plausibility checking would clearly see that it is not possible for a phone to be in one country and for this user to want to change their voicemail setting from somewhere completely different. And then thirdly, networks need to limit the rate at which this happens. Those services that The Washington Post talked about are tracking services. These are large operations. They seem to be tracking thousands of people, constantly. This will show in logs. You don't allow some random network somewhere else in the world to constantly interrogate hundreds of your users, right? It's clearly abuse. Has any network moved to put such sensible rules in? I'm not aware of it, but it's certainly the next step. And I'm not ready to give up on SS7 yet. I've heard one too many times that SS7 is an old technology built with no security in mind and we just can't fix it. The Internet also is an old technology built with no security in mind, and we did fix it since the 90s, since when you connected a Windows 95 computer to the Internet, it got infected with a virus right away. We have moved to put in firewalls.
We're not exposing our printer daemon and our file-sharing daemon on the entire Internet anymore for four billion people to connect to, and the same is possible on SS7. Which is, we're still in the nineties. Thank you. Applause Having said that, though, let me show you what happens if we don't do that, the fun part. So. We argued whether or not we wanted to show this as a live demo. You'll understand why we don't show it as a live demo. There is just too much stuff that could go wrong. But here's the setup. We start with just a phone number, and we want to string together a couple of SS7 gadgets while also having this radio handy that can capture 3G information, to capture yet more information that's not available over SS7. Right. So we start with a phone number and we send what's called an SRI-for-SM message, which gives us, if the network is configured to answer, the IMSI and the MSC that the subscriber is currently connected to. Those two are used as parameters into another call, called the PSI message, Provide Subscriber Info. And that call then gives us the Cell ID. This is just how you get more and more information with different gadgets. Now the Cell ID tells us where somebody is physically. So imagine we now move our radio to that location and we again send a PSI. We record the PSI. We record with the radio, not the PSI itself, but what happens over the airwaves when we send the PSI and the phone gets paged. So when we send the PSI over SS7, the phone receives some information. Right. This radio plus a little bit of GNU Radio scripting gives us that information: who has been paged during that short window of time that we recorded? Now, when we record something on UMTS, we always record four different cells; they share frequencies. But you see that the one cell with the Cell ID that came back over SS7 is included in our set. So we filter the data for that cell and we look for which IMSIs are included.
And luckily for us, only one IMSI got paged within those few seconds on that cell. It's the same. This is now the TMSI that belongs to this phone. This is information we can't get over SS7. But what you can do over SS7 with the TMSI is request a key, so it gets complicated. But so we have the decryption key now, and the next time this phone receives something, unless it changes the key, in which case we can ask again for a new key... Next time this phone receives something, and what you don't see in the video is, somebody is now sending a text message to the phone, we can also record that, right. Again, same radio, the one shown in the picture, now the phone that received a text message. And there are a few more steps. So the phone received a text message and we also, again, recorded the airwaves. We again run it through some GNU Radio script. Now, with UMTS everything is kind of complicated, so there are different connections, of course, happening all at the same time, and they'll get allocated to different channels. So now, in order to decode this text message, we need to find out which channel is used. So this command gives us the list of which channels have been allocated. And we've got to find the TMSI from earlier in one of these channel allocations. And Wireshark is a great help in this. We didn't have to do anything with Wireshark. It just knows all that 3G stuff right out of the box. So luckily, the first of these five connection requests is the right one, and scrolling all the way down, there are then the parameters that say which channel this transaction happened on. So those two numbers, 15 and 48, are the channel. So we need the cell frequency, we need those two numbers that are the channel, and the key, which, you know, is only 64 bit. I'll discuss that a little later. And that's all we need to decrypt an SMS. And there it is. Applause Thank you.
This still works today, but only against two out of the four German networks. Some of them moved to stop some of these messages, of course, most importantly this Send ID message that gives you the decryption key. But even if you block this message, just acquiring somebody's location can already be intrusive enough. All right. Moving on to 3G security, or rather extending on 3G security, since this already touched on 3G in a big way. You remember the good old days where you could just intercept all phone calls with the Osmocom phone. Thank you, by the way, for that open source project that helped us so much over the years. And you combine that with the Kraken software to decrypt the phone call. So with a 20-year-old phone and the server you can listen to anybody's GSM calls as long as they're using the A5/1 cipher. Some networks recently moved to A5/3, so it doesn't work this way anymore. Now, how does this compare to 3G security? As I've just shown, basically the same attacks are possible. Instead of the Osmocom phone, we use a programmable radio, some more software, but again very affordable, 400 euros or something. And instead of Kraken, you combine that with SS7 queries. So unless we fix SS7, 3G is no more secure than 2G, and neither is A5/3, the recent upgrade of GSM, because those keys are again exposed over SS7. Now, for some networks you don't even need that second part, so they have bigger things to worry about than SS7 attacks. And our data set isn't all that large. Some of you provided measurements through a software release last year. So thank you very much for that. And we have captures from maybe 20, 25 countries. Out of those, five happen to use no 3G encryption at all. Well, four countries, five network operators. Right. Which I find shocking. Some of these even have encryption turned on on their GSM network and then forgot to turn it on, or deliberately left it out because it's harder to intercept on the 3G variant. Right.
So those networks, as I said, have much more worrisome issues than SS7 attacks. And they really need to be called out. And we do that with an extension of a website that we've been maintaining for a couple of years, gsmmap. A big update of gsmmap launched today with all the 3G measurements we collected and you collected over the last couple of years. Now, some of you may have used gsmmap before. The idea is to rank operators in three categories: How hard is it to intercept phone calls and SMS? Is it easy to impersonate a person and then put charges on a bill, for instance, or receive the calls? How hard is it to track them? And as you see, over the last years, networks have improved their security, at least some, as always. Good. And as you also see, these are the 2G networks, and even the best secured 2G network, in Germany anyway, in our opinion, is less secure than the worst secured 3G network. These are four 3G networks. Still, we want networks to implement all security features. And as you saw before, some other countries don't have that luxury of all 3G networks being reasonably secure. Now, the first version of our metric is very crude and we want to improve upon this over time. But currently, how we calculate the score is: we give 90 percent of the points to anybody who switches on encryption. That's the main security feature. And the remaining 10 percent you earn by changing the TMSI quickly. The TMSI is what we needed for these SS7 attacks to work well. So if you keep changing it, it really confuses the person trying to hunt you. Also, this makes other types of attacks more difficult. We'll factor in a couple more values as we collect more data, but this is it for now. So, yeah, big update on gsmmap. If you haven't checked it out, check out your country on gsmmap, read the country report.
So there's a six-page or so report, auto-generated, that explains what types of measurements we included in these graphs and why we think they constitute certain risks. Maybe forward it to your network and say, if you're not improving, I'm going to switch to another network. Now, not everything is on gsmmap yet because we don't have enough data. And there's one problem in particular that I want to start warning about, because I really think we're running into an issue here. And that is the length of the encryption key. You saw in the capture, in the video data that I showed, that the key that came back over SS7 was actually only 64 bit from this particular network. And the SIM card that was used in this attack was bought that very same week. So we recorded this video last week. So it's the most recent SIM card you can buy from this network. And still it only uses 64 bit. And that, in my view, is incompatible with what we have learned from recent Snowden documents: that the NSA in 2011, 2012 funded a project to break A5/3. This is a 64-bit cipher. And we had estimated at this very conference a year ago that you'd need about a million dollars to break A5/3. Now, they did it a little bit earlier. So Moore's Law, everything's more expensive, and probably they have overhead, too. But they spent apparently four billion pounds. I don't know why pounds, not dollars, but it may have been some GCHQ cooperation. So for four million pounds a couple of years ago, you could already break 64-bit crypto, and 64 bit is more prevalent in mobile networks than you would have thought. When they upgraded the GSM networks to A5/3, they didn't actually upgrade it to UMTS security, as everybody claimed they did. They upgraded it to the cipher used in UMTS, with a key half the size.
When writing the A5/3 standard, though, the people were smart enough to also put in the real UMTS cipher with full key size. They called it A5/4, and it has never been seen anywhere since. It's written in the standard. It was released the same day that A5/3 was released. Nobody has ever moved to implement it. So GSM for the time being is and will be vulnerable to anybody with a one million dollar machine in the basement. Certainly the NSA, but more and more people as we move forward. And what costs a million dollars today, thanks to Moore's Law, in a couple of years anybody can break it on a computer, like we today break A5/1. If your network uses certain older SIM cards... there's a differentiation between a SIM card and a USIM, a UMTS SIM card. If your network only uses SIM cards, then even your 3G transactions are 64-bit encrypted. There is no way to generate more entropy. You could query for two keys, I guess, but they weren't smart enough to do that. So 64-bit encryption for UMTS, and that's just not good enough. And as I said, with the network that we did the demo with, we were surprised to see a 64-bit key. We went back in our database of SIM cards. We found a lot of SIM cards that have this problem. We want to add this to gsmmap, but we don't want to be unfair just because we see one very old SIM card in a network. We don't want to give them a low score versus somebody else where we only see a new card. So we need lots and lots of data. Help us collect that data and we'll make it public. Now, that's one reason why we stay on this ball and progress the research. The other main reason, and this is really what keeps us awake at night, is this question of how we can get out of this mess. We've been producing more and more problems. I should not say produce; we make you aware of more and more problems over the years, and we always criticize that at least many networks do not respond to those.
So we have this ever-growing stockpile of mobile security issues that nobody seems to be addressing. And all we do is wait for our networks to do something eventually. Now, waiting's over for me, at least. I'm impatient. I want to do something now, and I want to address all these issues all at once. Those issues that we talked about for several years now, including the SIM card attacks from last year, silent-SMS-based tracking, the SS7 abuse discussed today, IMSI catcher vulnerabilities and insufficiently configured networks, 2G as well as 3G. All of these problems have one thing in common: your phone technically knows that these attacks are happening, and your phone technically knows that a network is configured insecurely. But unfortunately it's buried very deep inside the phone. It's buried inside the baseband. So as much as you can program Android, you don't get access to that information. At least that's how we saw it, and then we set out and took the better part of this year. We wanted to dig the information out of these phones. It's somewhere in there. There must be some way to hack it out. And we found debug possibilities for Qualcomm chipsets, just one vendor, but extremely popular right now. They seem to be in every LTE phone and in a bunch of other phones. And we found ways of producing exactly all the data on the right-hand side to make it accessible through an Android application. And we also wrote an application for you. So: release today. Applause Thank you. Released today, SnoopSnitch under GPL. A tool that collects all the baseband information, mostly to keep it on the phone and run some analysis on it, and warn you about, as I said, SIM card attacks, but also those SS7 attacks that Tobias and I talked about today. How do you detect those attacks?
Well, by the pagings. I showed you in the video that every time we send certain queries to the phone over SS7, the phone actually also receives information useful for the attacker. Also useful for the defender. If those empty pagings, as we call them, are received by the phone, that's strong evidence that somebody is messing with you over SS7. Right. So it collects all that information and it produces warnings. You can also upload information, if you so choose. It's optional, of course. It runs, as I said, on a bunch of Android phones that are currently popular. It requires a somewhat recent Android version. We haven't tested with Android 5 yet, but I don't see why it wouldn't work, though; we just have to put in the time. And your phone needs to be rooted, so we have access to a certain interface that otherwise is not accessible. And it needs, of course, a Qualcomm chipset, which, as you see by this list, is in most current flagship phones. It's on Google Play right now. So download it if you're interested. Now, how does this tool work? One example only, of course; read the source code if you want to know the rest. For instance, IMSI catcher detection. There have been a bunch of tools so far to do IMSI catcher detection. The one we released a couple of years ago was called CatcherCatcher, but it had two limitations. One practical, one more bound to experience. The practical limitation was that it ran on Osmocom phones, and Osmocom phones can't do most phone functionality. So it was always your second phone, and it had to be connected to a computer. So very unlikely that you carried this around all the time. And we wanted to move it onto a real phone that you can use, onto your phone. Right? I think we succeeded in that. The second limitation was that we really didn't know how IMSI catchers behaved, or we also didn't know how real networks behaved.
And thanks to all the data on gsmmap, we think we have a much better understanding now of all the weird corner cases, how real networks behave, and created a much better ruleset for an Android-based catcher-catcher tool now. And the rules go in two categories. One is the configuration of these different cells. For instance, the lack of encryption when you know from the gsmmap database that this network does usually support encryption, that's a big red flag. Also certain other configurations. So that's the configuration of the network. The other is behavior: an IMSI catcher wants to get information out of you, at the very least the IMSI, of course, it's in the name. Right. So that's suspicious behavior. Now, none of these things taken by themselves allow you to detect an IMSI catcher. So we compute a score over these different events, doing stream analysis on everything that happens on your phone, and eventually then come out with a warning if the score crosses a certain threshold. There's a bunch more we would have wanted to include that's, even on a Qualcomm chipset in its debug mode, not available. So this is still ongoing work, as these chipsets progress and may give us more information in the future. Now, if you do find alerts, let's call them alarms, on your phone, we'd be grateful if you could share them. Now, as I said, this is optional, right? You get the alerts shown in your little tool and then you can choose to upload whichever ones you think should be shared. If we get enough of them and think that there are really hot spots of abuse, of course, we'll try to make that transparent, perhaps even put little dots on the gsmmap website so people know where abuse could be happening: around demonstrations, around embassies, wherever.
applause You can also actively choose to submit data by running an active test. Now, usually the phone looks at everything that you produce: your phone calls, your SMS. That's always stored on the phone; there's no way to upload that. And it computes a score for how secure your network is, using the exact same metrics that we use on gsmmap. So that's all ported to the phone now. But if you feel like the score on gsmmap is heavily outdated, click this button. It runs some benign tests that have nothing to do with your transactions. I guess your location, where you're currently connected, would be included in the data, and it uploads it to gsmmap, so that becomes better and better, and we can spot more networks that, for instance, lack any encryption at all. Yeah, so what would I like you to do, what I think you should do, to better protect yourself from mobile abuse? Of course you could keep waiting for your mobile networks to fix all these issues, and I must say more recently more networks have moved to fix issues, but still not the majority. And no network has even started to address the majority of issues. So it's just scratching the surface. So what I'd rather have you do is start defending yourself. Check out gsmmap, see if you are on a network that generally protects things like encryption. You saw the networks that lack encryption. Don't use those. And if you really choose self-defense, download SnoopSnitch, this new tool, and actively look out for abuse: for Silent SMS, for binary SMS that you receive, for empty pagings, for IMSI catcher evidence, and help us grow this database of abuse. Right. Also help us grow the tool base that we use. This is released open source, and we put in a lot of work to make the data accessible. But now it is accessible, right? Just take it as a library and go wild with it. Do whatever you always wanted to do with raw baseband data on 2G, 3G, 4G.
I am very much looking forward to your contributions to this, and all that's left for me to say is thank you very much. applause
Herald: Thank you, Karsten. Then we will begin with the Q&A. Please, everybody who will be asking questions, line up at the microphones in the room, and people who exit the room, please do it with no noise and quickly.
Karsten: Now, before getting into the questions, let me give you one reason to actually leave now. There's a workshop happening right now, or in a few minutes, that will explain how this tool works and what it can all do. We'll have an IMSI catcher there, a day or so. You can tell us how that feels like, being connected to an IMSI catcher. It's happening in room C, which is, when you exit here, one floor down and to this end.
Herald: And additional information: the workshop that Karsten mentioned starts at nineteen forty-five.
K: And now to your questions. distant noise
K: Sure.
Herald: OK, microphone number two. And please, before you start, number two, please do it with no noise so that we hear the question from the audience. OK, number two, please.
Mic 2: Thank you. Can you quickly say a few words about why it wouldn't work on custom ROMs? Because we could just install it onto CyanogenMod phones, and apparently it installed and it seems to work.
K: Oh, OK. So the way I understood custom ROMs is that they first remove a bunch of stuff from the phone and then put a bunch of stuff on it. Part of what we need are these proprietary Qualcomm libraries, and at least on the phones where we tried CyanogenMod, they are being removed. So if CyanogenMod could stop doing that, it would work beautifully. It's not that we need anything additional; we just need less to be deleted.
Mic 2: OK, thank you.
Herald: OK. Microphone number …, will you ask? OK, are there some questions from the IRC?
K: I think we have a bunch of questions.
Signal Angel: Actually, there are five questions, so I will just ask one or two for starting. The first one is: can all these attacks that you showed in your speech be mitigated by higher protocol levels, like encrypted VoIP or TextSecure, things like that? And what would be the residual risks?
K: Mm, yeah. A good question. So how much can you protect yourself by using the mobile network less, using it as a dumb pipe, I guess, is the question. What if you use just apps to call and send texts? Well, obviously your calls and texts won't be intercepted anymore if they are encrypted one more time in a way that's not breakable. However, this does not solve the location tracking. It does not solve the fraud. It does not solve the denial of service. It does not solve the spamming. So you are tied to a mobile network, and it has a lot of control over you, your location and your phone bill. None of that is going to go away.
Herald: Another question from the IRC.
Signal Angel: Yeah, um, the second one is: wouldn't it be easier to design a new mobile network from scratch than trying to find all the flaws in the actual networks, which is an endless task?
K: I don't know where you would even start designing everything from scratch completely. The closest that I can think of to designing the mobile network from scratch is LTE; in the name, long term evolution, it really wants to change everything. But give it a couple of years, and as Tobias pointed out, those issues we pointed out today are again included in LTE. Diameter is the interconnect protocol. So we already missed a chance to remove much of these issues by just upgrading. We'll have to fix it through firewalls and monitoring, like we never got to update the Internet.
Herald: OK, microphone number four, please.
Mic 4: Yes, just a short thing. Could you just provide a list of those libraries you need from the stock images? So I think it's pretty easy to copy them to these CyanogenMod images.
K: OK.
Mic 4: OK, and if the app is open source, maybe you can put it on F-Droid?
K: Oh, absolutely. Yes. Thank you. applause
Herald: Microphone number two, please.
Mic 2: I've got two questions. If I understood correctly, you need to be inside the operator network to actually perform those SS7 queries, right?
K: Um, well, I would like for this to be the case. But currently, anybody in the world connected to SS7 can send these queries.
Mic 2: OK, so my question is: what was your hook point for actually doing this test?
K: I think I'll quote Tobias here by saying I would rather not say anything about that.
Mic 2: OK, so the second question is about the case you mentioned. If I am not mistaken, it's the session key, right? And it should involve that nonce value, right?
K: Yeah.
Mic 2: So if it is, it already has the nonce value. So in order for the attack to work, we also need to intercept the initial messages, the nonce exchange between the target and the base station. Is that correct?
K: No, the nonce is… as they are. So the SIM card knows which key to produce, yes. But it helps the phone to find the right encryption key. We are not the phone; we don't have the SIM card. Right? If you just give us the encryption key, we don't need the nonce.
Mic 2: Yes. So what you're saying is that the query you're sending there actually sends you not only the encryption key, but also the nonce that is required.
K: It doesn't send us the nonce, and we don't need the nonce. We can take that offline now; I'll explain how everything works. Thank you.
Herald: To microphone number three, please.
Mic 3: First of all, thank you for a very good presentation and the very impressive work you've done here. applause
K: Thank you.
Mic 3: The question I have might be a little naive, but have you also, besides taking a look at closing this whole issue technically, been looking into what measures can be taken legally, at least in Germany and some countries in Europe, now that we have disclosed that basically certain rules or laws have not been fulfilled, so that we can force the operators to implement this stuff in legal ways?
K: We have not looked into it. Of course, we consider the possibility as soon as somebody has an overview of where these attacks happen. And that seems to be the issue right now: there's zero attack transparency. Nobody is looking for these issues. And partly that's to their own disbenefit, because as soon as they do look for this issue, some of these attack patterns are very easy to stop. As I said, two German networks mitigated them within two weeks, and these issues had been open for 20 years. Had they ever looked into their own data, they would have seen this going on. So I'm not very confident that anybody in Germany, at least, has an overview of where abuse would come from. And as soon as they do, I don't think there's much point in litigating. Let's just stop the possibility of abuse, right, instead of complaining about it happening. But I'm with you: if there are corner cases in which abuse just can't be stopped, let's fight it legally, of course. Right. And if all of you contribute information through SnoopSnitch, those empty pagings, and if we can find patterns of abuse, of course we'll aggregate them and try to move against them.
Herald: OK, microphone number four, please.
Mic 4: You said you can buy your way into the SS7 network, but how easy is it actually to get access? And what do you estimate: how many players are there in the network? Can you give any estimation?
K: I have absolutely no idea.
I know that there are some 800 companies who are legally allowed to access SS7, and then those, of course, have subcontractors, legal and illegal, and some people who bribe them, and yet other people who hack their systems or the systems of the subcontractors. It's very hard to estimate. No idea. But definitely too many to trust all of them.
Mic 4: And would it be possible for me to get access to this without any operator stuff? I don't want to operate a phone network, but I want to have access because I want to provide some service.
K: Well, I wish the answer was no, but of course, right, if I and a bunch of other people can get access, you should be able to get that too. But I'm not going to tell you how. laughter and applause
Herald: Yet another question from the IRC.
Signal Angel: We have about nine questions, so no problem for me. First one: what about Windows phones, jailbroken iPhones, or something like this? Will the app in the end be on these phones?
K: Our app doesn't run on anything other than Android, but the chipsets are, of course, the same. So if you can speak to a chipset through a jailbroken iPhone, for instance, you could create a similar application. We just wanted to target the biggest population of phones, and that seems to be Android phones.
Herald: Then number two, please.
Mic 2: One further thought on self-defense: self-defense has to be proportionate, I think, and identities are not secure in the digital sphere. How about developing some proactive, as we heard the word, defense tools?
K: Proactive as in hack the networks until they have no chance but to fix?
Mic 2: That's what you understood, but… But, I support that. laughter
K: I'm not going to say that I dislike the idea. But you won't see me here next year explaining how I did it.
Mic 2: Thank you.
Herald: Microphone number three, please.
Mic 3: OK. When did you check that the other two German networks didn't fix the identifier and the issue?
K: Which network do you work for?
Mic 2: I'm Holger. We talked last week.
K: Yeah. So yeah. Maybe you fixed it too. We didn't check.
Mic 2: We fixed it within 24 hours after our call.
K: Wow. OK.
Mic 2: On both networks. applause
K: Thank you. Better late than never. Thank you.
Mic 2: That's right.
K: OK, so that's three out of four now that fixed one out of 100 problems.
Mic 2: No, it's… I know, that's why we don't go to the press and don't tell that SS7 is fixed; we know we still have problems also. It's all four. I work for Telefonica, which is O2 and E-Plus.
K: Oh yeah. Well, congratulations. Sorry, sorry for spoiling your Christmas. laughter
Herald: Microphone number two, please.
Mic 2: I'd like to know why these empty pagings occur in the context of the location tracking. I thought, as soon as the phone registers in the network, the base station which it is connected to is known in the network anyway. Is that the case?
K: That's a very good question. And let me go back to one earlier slide to explain that. One second. So the empty pagings do not occur when you send these creepy AnytimeInterrogation messages. They are just there for spying, and there's no way to page the customer. But since this got blocked, and Tobias went into great level of detail explaining this, you need a couple of other messages to now track somebody's location, and these messages weren't meant for location tracking; they were meant for other purposes. For instance ProvideSubscriberInfo, which, however you reach it, is always the last message you need. This does do a paging, and then ProvideSubscriberInfo really makes no sense unless you also send something afterwards: deliver an SMS, connect a call or whatever. So the paging is already sent in anticipation that an SMS will come or that the call will come. But if you're only the creepy guy tracking, you're not going to send that SMS, and that's where the empty paging comes from.
Mic 2: OK, but still, also in these cases where something follows the paging, isn't it a type of double-checking whether it's really there? I mean, the location info itself should already be present in the network, shouldn't it?
K: Yeah, yeah. It just reconfirms that the subscriber is really there. So it's basically saying: somebody just interrogated your location because they want to send you something; let's check that you're really still there, because otherwise we'll tell them something wrong. But Tobias, do you want to comment on that?
Tobias: Yeah. OK, so the empty paging is not in anticipation of something that's coming after. It's to get the current cell that you are located at, because when you are moving around in your location area, the area that is covered by the switching center that you're currently being served by, your phone doesn't necessarily contact the base station. So it could be that the network's last position of you is somewhere you received an SMS or text or call, and then you moved to a completely different area. If your phone didn't have network contact in the meantime, the network would still only know the last point of contact. So that's why the empty paging happens, so that the network knows the base station that's actually currently closest to you. That's also why law enforcement uses a lot of Silent SMS, so that they can get the last position in the network. And it's also an option: if you send ProvideSubscriberInfo, you can just send it and get back the last known position without a paging, or you can set the current location flag in ProvideSubscriberInfo, and only then the subscriber gets paged and you will receive the current location.
K: And that's one good example for how SS7, which is supposedly so insecure that we can never fix it, can easily be fixed. There's an option that says we're using this as a normal feature that's absolutely needed.
And we have this creepy extension to also ask for the location. And some networks choose to not answer that. The answer was zero zero zero zero, and nothing broke. Right. So you can just ignore the insecure parts of SS7 and do whatever you think is right. And for the most part, it continues to work. But I think we're well beyond answering your question now, right?
Mic 2: No, but from your answers, thank you very much, another question arises. Because if it's actually to locate your phone and to find out which cell you're actually in, then it implies that it's not only one base station that sends the paging call, but a whole bunch of base stations. Do you know something about the algorithm? I mean, how many around the last known location are paging, everybody nationwide, or how does…
K: Everybody can implement this as they wish. And I don't have much insight into how 3G does it, but in 2G typically it is: there's one paging sent in the last cell that saw you. You don't respond; it's sent in a larger area. You don't respond; it's sent for the whole location area. And then in some networks, if you don't respond, they send it in the entire country. But that's rare. Right?
Mic 2: Thank you very much.
Herald: Okay. Questions from the IRC?
Signal Angel: Did SnoopSnitch allow you to reveal any kind of attack in countries? No special name in mind.
K: Does it allow you to detect attacks in countries? Yeah, yeah, some kind of Tapsell. I think the answer is yes. Its whole purpose is to detect attacks. And it also works in countries… laughter
Herald: Did you succeed in detecting attacks?
K: Did we succeed in detecting? Yes, we did. And if you go down to Saal C, Room C, you can see how currently people are being attacked, and currently they detect that. OK.
Herald: OK, microphone number five, please.
Mic 5: Yes, thanks. It's going back to SS7 basics. Can you quickly explain how SS7 is implemented? Is this a VPN on the public Internet through the providers?
What's the technical reality of transport?
K: That's a very good question. Of course, that's a very good question. And I only have half of the information, too; I keep learning. But so it seems that it was implemented initially as a network between Western European telcos, and they ran cables, dedicated cables, for SS7. SIGTRAN they called this. And then a couple more networks connected to it, and each of them had to run the cable to one of the other telcos. But eventually they changed that and introduced what I call routing providers. So telcos are not connected to each other usually, but through a routing provider, like on the Internet. And those routing providers, they typically don't run a cable to your house anymore; if you are a new telco, they give you a VPN over the Internet. So it's diverse. I'm sure there are still some dedicated lines between Germany and France, say, and there are some others connecting to these big clouds that are routing providers. And it's actually really difficult to get your address routed everywhere in the world. So even if you connect to SS7, all you're connected to is one routing provider, and that routing provider knows that you own these addresses. Now it's up to you to convince every other of the big seven or nine, depending on how you count, routing providers that you are that guy with those addresses. So the BGP equivalent of SS7 is to get nine roaming agreements signed with people on these other nine operators and then fax those roaming agreements to everybody else involved, so they type it into their computers. Very manual and very hard to grow the network. But for the most part, it doesn't change, of course.
Mic 5: So the low level transport is not really an attack surface from the public Internet?
K: It can be. The low level transport can be an attack surface if people just stupidly leave open their local networks. But it's rare.
It's much more common, speaking about our talk next year, hopefully, on the other interconnect networks. There's one interconnect network for data roaming; it's called GRX. And since everything is IP anyway on data roaming, people sometimes do leave it out on the Internet or just do it unencrypted over the Internet. And it does seem to become more popular also with the SS7 replacement Diameter, which again is pure IP. So there's no dedicated thing that you first have to encapsulate in a VPN before you can route it over the Internet. You can run Diameter over the open Internet if you want. It's stupid, but people seem to do it anyway.
Herald: OK, microphone number six, please.
Mic 6: OK, my question is if you could comment on why these messages were put in the protocol in the first place, if they are so easy to block and to fix. And the other question is if all the other problems that you pointed out are as easy to fix for the network operators.
K: So I don't have an answer to your first question. Why do you put a tracking message in the standard and then call it AnytimeInterrogation? Gosh, that invokes feelings for me, interrogation room and all. I mean, this is spy stuff, right? And there's no practical purpose. Right. Who wrote the SS7 standard? Western European governments being afraid of the Russians, of their own citizens, who knows? Right. I don't know why they put every single message in, though. So your second question was what again?
Mic 6: If the other vulnerabilities are as easy to fix? Or is it just blocking messages?
K: No, they're not. And I tried to point that out in one of the slides, that AnytimeInterrogation can be fixed, as can, for instance, the SendIdentification message, right. You just block that; it has no purpose being routed internationally. But the other queries on this page, at least, you need those internationally, at least to enable roaming.
So the best you can do is, as I said, first block these queries from anybody who's not your roaming partner, right? Don't respond to those people. And then do some plausibility checking: secondly, make sure that if a subscriber is actually in your own network, you don't honor requests from another country. Right. And that should remove most of the issues, because most abuse comes from other countries. It's just more likely, if there are 800 parties connected to this network, that the one doing the abuse is not yours. Good question. Thanks.
Subtitles created by c3subtitles.de in the year 2021.