-
applause
-
Karsten Nohl: Great to be back. Thank you
very much, talking once again on mobile
-
security, taking two very different
angles, though, from what we talked about
-
the last couple of years. This time we want
to dive into the same topic that Tobias
-
Engel just did, looking at insecurities
that arise from the interconnect networks
-
between different operators and we want to
add another angle. And that is how YOU
-
can start self defending yourself from the
insecurities that many of your operators
-
have left open for many years, including
the new ones that Tobias and myself talk
-
about. If you do watch this on a download,
do go back and also watch Tobias's talk,
-
it's well worth it and also covers a lot
of the basics that I'm just going to skip
-
over now for the sake of time. Great talk,
by the way. Thank you Tobias. So aside
-
from. applause Aside from those SS7
based attacks, we want to talk about 3G
-
insecurities, not too many of them, but
severe as ever, as well as in the last
-
chapter. Then a few tips, as well as a new
tool to help you start self defending
-
against these mobile attacks. Now, just
briefly, then, what is the SS7 Network
-
Tobias has already covered the basics. So
just a quick definition from me. It's this
-
network that different mobile operators
are connected to, to exchange data among
-
each other. For instance, text messages
are sent over this network. So without SS7,
-
you couldn't be using this ancient chatting
technology SMS. Thank you SS7. But also
-
more security relevant information is
exchanged over SS7. For instance, if you're
-
using your phone in another country, as
many of you currently do, you still want
-
this visiting network to be able to use
encryption with your phone, but how is that
-
network going to know the right encryption
key? So this visiting network, the German
-
network has to ask your home network for
the correct encryption key and that goes
-
over SS7. And you can already see if
there's cryptographic information being
-
exchanged, if the wrong people ask and
still receive an answer, insecurities
-
arise. More interesting from a security
perspective, though, are messages that are
-
exchanged within one network over SS7.
So SS7 is often misunderstood as this
-
technology that's used for worldwide
exchange of information. The same network,
-
though, is used inside an operator. So
there's no need for interconnect. There's
-
already SS7 flows going on between those
different mobile switching centers, MSC.
-
And each mobile switching center covers
one area, let's say a city. So imagine a
-
situation where you are. You're in a call
and you're traversing from one area to
-
another. You're crossing, let's say, your
state boundary. So there's new MSC,
-
doesn't know how to handle your call. It
needs the decryption key for the already
-
ongoing conversation. So there's another
SS7 message that allows you to query for
-
the key of a transaction that's currently
going on. OK? And again, you can already
-
see how if the wrong people send this type
of message and they receive an answer,
-
insecurities arise. The insecurity that
that has most been talked about in recent
-
years, again, up until Tobias's talk, was
tracking. And tracking was often understood
-
as: There's this evil message, the any time
interrogation and The Washington Post
-
focused a lot an article on just one
message. And it's a it's really evil. It
-
should not been I have been ever
standardized. And whenever it's used, it's
-
for evil purposes. There's no
usefulness in this message. And Tobias
-
quoted a number that I think The
Washington Post found in a lot of
-
marketing material, 70 percent of mobile
networks respond to this message. Now,
-
this is information from earlier this year.
A lot of networks, very good news, have
-
moved to to stop responding to anytime
interrogation message. This evil spying
-
message is not being responded to by, for
instance, all German networks. You can't
-
use this message in Germany anymore.
However, this is a very retroactive
-
approach to securing SS7 because there's a
number of other messages that, consider them
-
Gadgets, get you to the same place, take a
phone number and take you all the way to
-
somebody's location. And here's just a
snapshot of of which messages you can use
-
and Tobias went into a greater level of
detail in how these different messages
-
come together. So if anybody thinks that
just barring anytime integration, you
-
solved the tracking problem, they are wrong.
But at the same time, it's not that SS7 is
-
not secureable. It's just a much larger
challenge that people consider currently
-
to be. So you see how stringing
together some of these messages get you to
-
intermediate values that also shouldn't be
public and then all the way to a cell ID.
-
And up until all these messages or at
least every path that takes you from left
-
to right is blocked by a network, tracking
to the same accuracy, to cell ID stays
-
possible. Now, this is just one of many
areas in which SS7 can become an issue.
-
Here is 4 more, it's an intercept risk.
If people can read your SMS text or listen
-
to your calls, it's a denial of service
risk. If people cut you off from
-
phone connectivity for anywhere from an
hour until the next location update or
-
until your next reboot your phone, so you
can really cut people off badly from it,
-
from the phone network. This area of fraud
that I don't think many people want to
-
talk about publicly, certainly I don't.
But there's many fraud risks in SS7
-
in which you can easily put charges
on somebody else's bill, or more
-
interestingly, you can remove limits on
your own prepaid cards, basically run up
-
infinite charges on prepaid cards and, you
know, running up a lot of bills to a two
-
to premium numbers, for instance. And then
there's the risk of spamming, which from
-
what I hear is already happening, SS7
based spam attacks. Now, for the sake of
-
this talk, I want to focus on intercept,
which I consider aside from tracking the
-
most intrusive and the most relevant for
us, just as a risk, they're more relevant
-
for the network operators. And if they
don't solve them, well, so be it, as long
-
as they foot the bill for it. So
intercept. And I want to go into three
-
possible scenarios in which SS7 assisted
intercept can happen. The first abuses
-
the exact message, as we looked at in the
introduction, these messages where
-
different parts of networks ask each other
for encryption information and it's a
-
pretty straightforward attack. You record
the airwaves. Around somebody in
-
somebody's vicinity and you record
somebody's encrypted transaction as part of
-
that, right? So and 3G transaction, for
instance, are pretty well secured, but
-
they're not very hard to record. In fact,
3G is a little bit easier than 2G because
-
it doesn't jump around all these
frequencies. So you record, let's say, 3G
-
data and you have a bunch of transactions.
And all of them encrypted. And you can use
-
this message over SS7 to decrypt them.
It's called Send ID. And as a as I said on
-
one of the earlier slides, it's supposed
to be used when you're moving from one MFC
-
into another MSC, but still within your
own network so that the call doesn't get
-
disrupted. It's not supposed to be used
when when somebody foreign wants to
-
query your phone, if they need a new
encryption key, a new call needs to start
-
anyway. There's no way to hand over a call
from one operator to another operator
-
without disruption. So this message is
used only for internal purposes. However,
-
out of the four German operator earlier
this month, all four responded to this
-
request coming from another country,
another country that doesn't even border
-
Germany. So there's no way to even
conceptually think a call would be handed
-
over. So four out of four. And that's not
an anomaly. Most networks require an
-
international response to an
outside number when asked for the current
-
decryption key. I'll show you a quick demo
on this at the end of this chapter.
-
But I first finish the enumeration of
all the different possibilities in which
-
3G calls can be intercepted. The second
one, the good old IMSI catchers, which we
-
also wouldn't work on 3G. And I guess for
the most part they don't unless SS7
-
comes to the help. So why don't they
work without SS7? An IMSI catcher
-
pretends to be a base station. And if
it's 2G technology, the phone has no way
-
of knowing the difference between the real
base station and a fake base station. But
-
then 3G, the 3G standard introduced what I
call mutual authentication. So this time
-
the base station has to prove to a phone
that in fact it's legitimate and unless it
-
does that, the phone won't connect. Now,
this only solves part of the IMSI catcher
-
problem. Just taken by the name even the
catching is still possible, IMSI catching
-
in the sense of creating a list of all the
IMSIs in a location. Because there's
-
certain chicken and egg problem.
If you want me as a base station to
-
authenticate to you, you first have to
tell me who you are. There's no such thing
-
as SSL or any type of public key on the
mobile network. It's all symmetric key. So
-
you first have to tell me which key to use
and by that I know who you are. So IMSI
-
catching is always possible. And that's why
if you Google for 3G IMSI catcher, those
-
things exist. But they aren't capable of
recording phone calls or SMS because those
-
then required a mutual authentication. They
aren't capable of doing so unless they ask
-
over SS7 for an authentication key. So
IMSI catchers are back in the 3G world
-
big time, unless we solve these SS7
problems, right? The third possibility of
-
of intercept - this is probably the
scariest because it can happen completely
-
remotely - Boaster once enumerated so far,
you have to be somewhere in the vicinity
-
in the vicinity of somewhere. So the third
possibility, I want to call the rerouting
-
attacks and they work in both directions.
Rerouting is the idea. And to be as
-
touched on this, of taking… of taking
somebodies phone calls and changing
-
the destination number so that, in fact,
you call somebody else unbeknownst to you,
-
of course, as the victim. And this will
expose for incoming calls and outgoing
-
calls, but using very different methods.
So it just kind of accidentally works in
-
both directions. And this part, I just
briefly want to demonstrate to BSN that
-
coordinated on most of this. But this
part, I guess we kind of misunderstood
-
each other as we both showed us. I'll
keep this very brief. And the point I want
-
to get across is that, one, a single SS7
message is already a big intercept
-
problem. Let's see. Connected here. Um, so
I'll try not to make the same mistake as
-
Tobias and try to cut off part of my
number here. So 31C3 demo phone.
-
So I'm calling a a phone that in fact,
accidentally we left in. So … fuck
-
Laughter and applause
Ring-back tone starts
-
So I am calling this number and I don't
know if you can hear it, but it's ringing.
-
And we did leave his phone back in Berlin
accidentally. But for the sake of this
-
demo, that makes no difference. So it's a
it's a phone somewhere in Berlin. Nobody
-
answers to. Here is another phone.
-
Ring-back tone stops
-
So if I if I register what they call a
-
supplementary service to this number. And
that's just fancy language for, for, for
-
call forwarding, if I call this exact same
number again.
-
Ring-back tone starts
-
Phone ringing also starts
-
This phone is ringing.
-
Applause
-
Both ring-back and ring-tone stop
-
Still applause
-
Now, of course, to make this real
intercept, I wouldn't forward it to a
-
phone, I would forward it to a computer
that then is smart enough to very quickly
-
erase the call forwarding and call the
original number and then connect it to so
-
that the phone, the phone call actually
goes to where it was supposed to go. Just
-
I'm sitting in the middle and I'm
receiving a copy of it. OK, so that's the
-
idea in this direction, in the other
direction, the exact same thing works as
-
well. And Tobias already told you how
these services that say, let me rewrite
-
your phone number for you because you
don't know how to dial a phone number when
-
you're on vacation. Right. Those services
can be set by anybody, at least on a lot
-
of networks. And you can see how the exact
same thing works there so that every time
-
you dial a number that just move their own
number in place of that number and then
-
connect those two calls. So, as I said, I
consider those to the scariest type of
-
attacks because they were completely
remotely you don't have to be in the radio
-
vicinity of anybody. And surprisingly,
this still works against a bunch of
-
networks, even against those networks that
move to solve some of the earlier issues.
-
So networks [are] still very retroactive.
So what do what do those mobile networks
-
now have to do to to solve those issues?
Well, as always, of course, the answer:
-
It depends. It depends in this case on the
tech type. Some of the techs can simply be
-
blocked. Like the AnytimeInterrogation,
that earlier this year they said 70% of
-
the networks are vulnerable. Now in
Germany it's zero. So something happened
-
there. And the same is true for the for
the first type of attack that I've shown.
-
The passive intercept I said when we
tested earlier this month for other four
-
networks are vulnerable. Now it's down to
two. So within two weeks, two networks put
-
in a firewall rule that says this message
has no purpose. Traversing our outside
-
network boundary, just block it. The
typical firewall is the same isn't
-
possible for these other two types of
attacks because those messages are
-
actually useful. They do something, at
least in certain circumstances. If you
-
block the second type of query here to
send authentication info, you couldn't be
-
roaming in another country anymore. If you
blocked a third one, you couldn't be
-
changing your your voice mail forwarding
from another country anymore. So these are
-
needed. Still we couldn't, we can't accept
that just anybody who asks over SS7 ...
-
Phone ringing
Nohl sighs
-
You guys!
Laughter
-
Switched this off. We can't accept
that just anybody who asks over SS7
-
receives an answer, at the very least
we would expect networks to only answer to
-
their friends on SS7, and
that is their roaming partners. That's
-
already a lot fewer companies and
especially a lot fewer sketchy companies
-
than everybody else on SS7. We would
then want those networks to do some
-
plausibility checking. Right. So this does
phone in Berlin that just put a
-
supplementary service on. The network
operator knows the phone is in Berlin and
-
I send us from the other end of the world.
Still, they are not on it. Right. Any type
-
of possibility checking what would clearly
see that this is not possible for a phone
-
to be in one country and for this user to
want to change their voicemail setting
-
from somewhere completely different. And
then thirdly, networks need to limit the
-
rate at which this happens. Those services
that The Washington Post talked about is
-
tracking services. These are large
operations. They seem to be tracking
-
thousands of people, constantly. This will
show in logs, you don't allow some random
-
network somewhere else in the world to
constantly interrogate hundreds of your
-
users, right? It's clearly abuse. Has any
network move to put such sensible rules
-
in? I'm not aware of it, but it's
certainly the next step. And I'm not ready
-
to give up on SS7 yet. I've heard one too
many times that SS7 is an old technology
-
built with no security in mind and we just
can't fix it. The Internet also is an old
-
technology built was not secured in mind,
and we did fix it since the 90s, since
-
when you connected to Windows 95 computer
to the Internet, it got infected with the
-
virus right away. We have moved to put in
firewalls. We're not exposing our printer
-
daemon and now file-sharing daemon on the
entire Internet anymore for four billion
-
people to connect to and the same as
possible on SS7. Which is, we we're still
-
in the nineties. Thank you.
Applause
-
Having said that though, let me show you
what what happens if we don't do that,
-
the fun part. So. We argued whether or not
we wanted to show this as a live demo.
-
You'll understand why we don't show it as
a live demo. There is just too much stuff
-
that could go wrong. But here's the setup.
We start with just a phone number
-
and we want to string together a couple of
SS7 gadgets while also having this radio
-
handy that can capture 3G information to
capture yet more information that's not
-
available over SS7. Right. So we start
with a phone number and we send what's
-
called an SRI-for-SM message, which gives
us, if the network is configured answer,
-
the IMSI and the MSI that the subscriber
currently is connected for. Those two are
-
used as parameters into another call.
Called the PSI message, provide
-
subscriber info. And then that call then
gives us the Cell ID. This is just how
-
you get more and more information with
different gadgets. Now the Cell ID tells
-
us where somebody is physically. So imagine
we now move our radio to that
-
location and we again send a PSI. We record
the PSI. We set radio, not the PSI, what
-
happens over the airways when we send the
PSI and the phone gets paged. So when we
-
send the PSI over SS7, the phone receives
some information. Right. This radio plus a
-
little bit GNU radio scripting gives us
that information: Who has been paged
-
during that short window of time that we
that we recorded? Now when we record
-
something on UMTS, we always record for
different cells – they share frequencies.
-
But you see that the one cell with the
Cell ID came back over SS7 is included
-
in our set. So we filter the data for
that cell and we look for which IMSIs are
-
included. And luckily for us, only one
IMSI got paged within those few
-
seconds on that cell. It's the same. Same.
This is now the TMSI that belongs to
-
this phone. This is information we can't
get over SS7. But what you can do over SS7
-
with the TMSI is request a key, so it gets
complicated. But so we have the decryption
-
key now and the next time this phone
receives something, unless it changes the
-
key, in which case we can ask again for
a new key. Next time this phone receives
-
something. And what you don't see in the
video is, somebody is now sending a text
-
message to the phone. We can also record
that right. Again, same radio, the one
-
shown in the picture, now the phone that
received a text message. And there's a few
-
more steps. So the phone received a text
message and we also, again, recorded the
-
airwaves. We again run it through some GNU
radio script. Now, was was UMTS
-
everything? It is kind of complicated, so
there's a different connection, of
-
course, happening all at the same time,
and then they'll get allocated to
-
different channels. So now, in order to to
decode this text message, we're going to
-
find out which channel is used. So this
command gives us the list of which which
-
channels have been allocated. And we got
to find a TMSI from earlier in one of
-
these channel allocations. And Wireshark
is a great help in this. We didn't have to
-
do anything with Wireshark. I just knows
all that 3G stuff right out of the box. So
-
luckily, the first of these five
connecting requests is the right one and
-
scroll all the way down, there's then the
parameters that say which channel this
-
transaction happened on. So those two
numbers, 15 and 48 is the channel. So we,
-
we need to cell frequency, but we need
those those two two numbers, that, that
-
are the channel and the key, you know,
this is only 64 bit. I'll discuss that
-
a little later. And that's all we need to
decrypt an SMS. And there it is.
-
Applause
Thank you.
-
This still works today, but only against
two out of the four German networks. Some
-
of them move to to to stop some of these
messages, of course, most importantly,
-
this SI message that gives you the
decryption key. But even if you block this
-
message, just acquiring somebody's
location can already be intrusive enough.
-
All right. Moving on to 3G security or
rather extending on 3G security since this
-
already touched through 3G in a big way.
You remember the good old days where where
-
you could just intercept all phone calls
was the Osmocon phone. Thank you, by the
-
way, for that open source project that
helped us so much over the years. And you
-
combine that with the kraken software to
decrypt the phone call. So with 20 year
-
old vers of phone and the server you can
listen to anybody's GSM calls as long as
-
they're using the A5/1 cipher. Some
networks recently moved into A5/3.
-
So it doesn't work this way anymore. Now,
how does this now compare to 3G security?
-
As I've just shown, basically the same
attacks are possible. Instead of the
-
Osmocom phone, we use a programable radio,
some more software, but again, very
-
affordable 400 euros or
something. And you combine that using
-
instead of kraken SS7 queries. So unless
we fix SS7, 3G is no more secure than 2G
-
and neither is A5/3, the recent
upgrade of GSM because those keys are
-
again exposed over SS7. Now, some
networks, you don't even need that second
-
part, so they have bigger things to worry
about and then SS7 attacks and our data
-
set isn't all that large. Some of you
provided measurements through through a
-
software release last year. So thank you
very much for that. And we have captures
-
from maybe 20, 25 countries out of those
five having to use no 3G encryption at
-
all. Well, four countries. Five network
operators. Right. Which I find shocking.
-
Some of these even have encryption turned
on on their GSM network and then forgot to
-
turn it on or deliberately left it out
because it's harder to intercept on the 3G
-
variant. Right. So those networks, as I
said, have much more, much more worrisome
-
issues than SS7 attacks. And they really
need to be called out. And we do that with
-
an extension of a website that we've been
maintaining for a couple of years, gsmmap,
-
big update of gsmmap launched today
with all the 3G measurements, we, we
-
collected and you collected over the last
couple of years. Now, some of you may have
-
used gsmmap before. The idea as to to rank
operators in the three categories. How
-
hard is it to intercept phone calls and
SMS? Is it easy to impersonate a person
-
and then put charges on a bill, for
instance, or receive the calls? How hard
-
is it to track them? And as you see, over
the last years, networks have improved
-
their security, at least some, as always.
God. And as you also see, these are the 2G
-
networks, even the best secure 2G network.
And in Germany anyway, in our opinion, is
-
less secure than the worst secured 3G
networks. These are for 3G networks, still
-
we want networks to implement all security
features. And as you saw before, some
-
other countries don't have that luxury of
all 3G secure networks reasonably secure.
-
Not the first version of our metric is
very crude and we want to improve upon
-
this over time. But currently how we
calculate the score is we'll give ninety
-
percent of the points to anybody who
switches on encryption. That's the main
-
security feature and the remaining 10
percent you earn by changing the TMSI
-
quickly. TMSI is what we needed for these
SS7 attacks to work well. So if you keep
-
changing it, it really confuses the that
the person trying to to haunt you also
-
this makes other types of attacks more
difficult, will factor in a couple of more
-
values as we collect more data. But this
is it for now. So, yeah, big update on
-
gsmmap. If you haven't checked it out,
check out your country on gsmmap, read the
-
country report. So does a six page or so
report, auto generated, that explains what
-
types of measurements we included into
into these graphs and why we think they
-
they constitute certain risks. Maybe
forward it to to your network and say if
-
you're not improving, I'm going to change,
switch to another network. Now, not
-
everything is on, on gsmmap yet because we
don't have enough data. And there's one
-
problem in particular that I want to start
warning about, because I really think
-
we're running into an issue here. And that
is the lengths of encryption key you saw
-
in the in the capture, in the video data
that I showed that the key that came back
-
over SS7 was actually only 64bit from this
particular network. And the SIM card that
-
was there was used in this attack, was
bought that very same week. So we recorded
-
this video last week. So it's the the most
recent SIM card you can buy from this
-
network. And still it only uses 64 bit.
And that, in my view, is incompatible with
-
what we have learned from from recent
Snowden documents that the NSA in 2011,
-
2012 funded a project to break A5/3.
This is a 64 bit cipher. And we had
-
estimated at this very conference a year
ago that you'd need about a million
-
dollars to break A5/3. Now, they
did it a little bit earlier. So Moore's
-
Law, everything's more expensive and
probably to have overhead, too. But they
-
spend apparently four billion pounds. I
don't know why pound, not dollars, but it
-
may have been some GCHQ Corporation. So
for four million pound a couple of years
-
ago, you could already break 64 bit crypto and
64 bit is more prevalent in mobile
-
networks than you would have thought when
they upgraded the GSM networks to A5/3.
-
They didn't actually upgraded it to UMTS
security, as everybody claimed they did.
-
They upgraded it to the cipher used in
UMTS with a key half the size. When
-
writing the A5/3 standards though, the
people were smart enough to also put in
-
the real UMTS cipher with full key size,
they called it A5/4 and it has never
-
been seen anywhere since. It's written in
the standard. It was released the same day
-
that A5/3 was released. Nobody has ever
moved to implement that. So GSM for the
-
time being is and will be vulnerable to
anybody. It was a one million dollar
-
machine in the basement. Certainly NSA,
but more and more people as we move
-
forward. And what costs a million dollars
today, thanks to Moore's Law in a couple
-
of years, anybody can break it on a
computers like we today. Break the A5/1.
-
If your network uses certain older
SIM cards, differentiation years between a
-
SIM card and a USIM as a UMTS SIM card.
If your network only uses SIM cards, then
-
even your 3G transactions are 64 bit
encrypted. So there is no way to generate
-
more entropy. You could query for two
keys, I guess, but they weren't smart
-
enough to do that. So 64 bit encryption
for UMTS and that's just not good enough.
-
And as I said, the network that we did
the demo with we were surprised to see a
-
64 bit key. We went back in our database
of SIM cards. We found a lot of SIM cards
-
that have this problem. We want to add
this to gsmmap, but we don't want to be
-
unfair just because we see one very old SIM
card in the network. We don't want to give
-
them a low score versus somebody else,
where we only see a new card. So we need
-
lots and lots of data. Help us collect
those data and we'll make it public.
-
Now, that's one reason why we stay on this
ball and progress the research. The other
-
main reason, and this is really what keeps
us awake at night is this question of
-
how can we get out of the mess. We've been
producing more and more problems. I should
-
not say produce, we make you aware of more
and more problems over the years and we
-
always criticize that at least many
networks do not respond to those. So we
-
have to stockpile ever growing stockpile
of mobile security issues and nobody seems
-
to be addressing. And all we do is wait
for our networks to do something
-
eventually. Now waiting's over for me, at
least I'm impatient. I want to do
-
something now and I want to address all
these issues all at once. Those issues
-
that we talked about for several years
now, including the SIM card attacks from
-
last year, silent SMS based tracking the
SMS, the SS7 abuse discussed today,
-
IMSI Catcher Vulnerabilities and
insufficiently configured networks, 2G as
-
well as 3G. All of these problems have one
thing in common. Your phone technically
-
knows that these attacks are happening and
your phone technically knows that a
-
network is configured insecurely. But
unfortunately it's buried very deep inside
-
the phone. It's buried inside the
baseband. So as much as you can program
-
Android, you don't get access to that
information. At least so we saw it and
-
then we set out and just took the better
part of this year. We wanted to dig the
-
information out from these phones. It's
somewhere in there. There must be some way
-
to hack it out of it. And we found debug
possibilities for Qualcomm chipsets, just
-
one vendor, but extremely popular. Right
now. There seem to be in every LTE phone
-
and in a bunch of other phones. And we
found, we found ways of producing exactly
-
all the data on the right hand side to
make it accessible through an Android
-
application. And we also wrote an
application for you. So: Release today.
-
Applause
-
Thank you, released today, SnoopSnitch
under GPL. A tool that collects all the
-
baseband information mostly to keep it
on the phone and run some analysis on it,
-
warn you about, as I said, SIM card
attacks, but also those SS7 attacks that
-
Tobias and I talked about today. How do
you take those those attacks? Well, by the
-
pagings, I showed you in the video
that every time we send certain queries to
-
the phone, to, over SS7, that the phone
actually also receives information useful
-
for the attacker. Also useful for the
defender. If those empty pagings, we call
-
them, are received by the phone, strong
evidence that somebody is messing with you
-
over SS7. Right. So it collects all that
information and it produces warnings. You
-
can also upload information issues, so you
choose. It's optional of course, it runs,
-
as I said, on a bunch of Android phones
that are currently popular. It requires a
-
somewhat recent Android version we haven't
tested was Android 5 yet, but I don't
-
see why it wouldn't work, though. We just
have to put the time and your phone needs
-
to be routed. So we have access to a
certain interface that otherwise is not
-
accessible. And it needs of course, a
Qualcomm chipset, which, as you see by
-
this list, is in most current flagship
phones. It's on Google Play right now. So
-
download it if you're interested. Now, how
does this tool work? One example only, of
-
course, right, read the source code if you
if you want to know the rest. If you, for
-
instance, IMSI catcher detection. There
have been a bunch of tools so far to do
-
IMSI catcher detection. The one we released
a couple of years ago was called CatcherCatcher,
-
but it had two limitations. One
practical, one more bound to experience.
-
The practical limitation was that it ran
on Osmocom phones and Osmocom phones can't
-
do most phone functionality. So always
your second phone? And it had to be
-
connected to a computer. So very unlikely
that you carried this around all the time.
-
And we wanted to move it onto a real phone
that you can use onto your phone. Right? I
-
think we succeeded in that. The second
limitation was that we really didn't know
-
how IMSI catchers behaved or we also
didn't know how real networks behaved. And
-
thanks to all the data on gsmmap, we think
we have a much better understanding now of
-
all the weird corner cases, how real
networks behave and created a much better
-
ruleset for for an Android based catcher
catcher tool now. And the rules go in two
-
categories. One is the configuration of
the of these different cells. For
-
instance, the lack of encryption when, you
know, from the gsmmap database that this
-
network does usually support encryption,
that's a big red flag. Also certain other
-
configurations. So that's a configuration
of the network, the adjusted behavior and
-
the IMSI catcher wants to get
information out from you at the very
-
least, the IMSI, of course, it's in the
name. Right. So that suspicious behavior
-
now, none of these things taken by
themselves did allow you to detect an
-
IMSI catcher. So we compute score over
these different events, doing stream
-
analysis on everything that happens on
your phone and eventually then come out
-
with a warning. If the score crosses a
certain threshold, there's a bunch more we
-
would have wanted to include that's even
on a Qualcomm chipset in it's debug mode
-
not available. So this is still ongoing work
as these chipsets progress and may give
-
us more information in the future. Now, if
you do find alerts, let's call them alarms
-
on your phone. We'd be grateful if you
could share them. Now, as I said, this is
-
optional, right? You get you get the
alerts shown in shown in your little tool
-
and then you can choose to upload
whichever ones you think should be shared
-
if we get enough of them and and think
that there's really hot spots of of of
-
abuse, of course, we'll try to make that
transparent, perhaps even put little dots
-
on the GSM website so people know where
abuse could be happening around
-
demonstrations, around embassies, wherever.
Applause
-
You can also actively choose to
-
submit data by by running an active test
now usually the phone looks at everything
-
that you produce, your phone calls, your
SMS that's always stored on the phone.
-
There's no way to upload that. And you
compute a score for how secure your
-
network is using the exact same metrics
that we use on gsmmap. So that's all
-
ported to the phone now. But if you feel
like the score on gsmmap is heavily outdated,
-
click this button. It runs some benign tests,
has nothing to do with your transactions. I
-
guess your location where you're currently
connected would be included in the data
-
and it uploads it to gsmmap. So that
becomes better and better. And we can spot
-
more networks that, for instance, like any
encryption at all. Yeah, so what's what
-
what are you what I like you to do, I
think you should do to better protect
-
yourself from mobile abuse, of course you
could keep waiting for your mobile
-
networks to fix all these issues, which I
must say more recently, more networks have
-
moved to fix issues, but still not the
majority. And no network has even started
-
to address the majority of issues. So it's
just scratching the surface. So what I'd
-
rather have you do is start defending
yourself. Check out gsmmap, see if you
-
are on a network that generally protects
things like encryption. You saw the
-
networks that lack encryption. Don't use
those. And if you really choose to self
-
defense, download, SnoopSnitch, this new
tool and actively look out for abuse, for
-
Silent SMS, binary SMS that you receive,
for empty pagings, for IMSI catcher
-
evidence and help us grow this database of
abuse. Right. Also help us grow the
-
tool base that we use. This is released
open source and we put in a lot of work to
-
make the data accessible. But now it is
accessible, right? Just take it as a
-
library and go wild with it. Do whatever
you always wanted to do with raw baseband
-
data on 2G, 3G, 4G. I am very much looking
forward to your contributions to this and
-
all that's left for me to say is thank you
very much.
-
applause
-
Herald: Thank you, Karsten, then we will
beginning with the Q&A, please, for
-
everybody that will be asking questions,
please line up on the microphones in the
-
room and for people that exit the room,
please do it with no noise and quickly.
-
Karsten: Now, before getting into the
question, let me give you one reason to
-
actually do leave now. There's a workshop
happening right now or in a few minutes
-
that will explain how this tool works and
what it can all do. We'll have an IMSI
-
catcher there a day or so. You can tell us
how that feels like being connected to an
-
IMSI catcher. It's happening in room C,
which is when you exit here one floor
-
down and to this end.
Herald: And additional information, the
-
workshop that's Karsten says start at
nineteen forty five.
-
K: And now to your questions.
distant noise
-
K: Sure.
Herald: OK, microphone number two and
-
please, before before we before you can
start number two, please do it with no
-
noise that we hear the question from the
audience. OK, number two, please.
-
Mic 2: Thank you. Can you quickly say a
few words about why it wouldn't work on
-
custom ROMs? Because we could just install
it into cyanogen phones and apparently
-
installed and it seems to work.
K: Oh, OK. So the way I understood custom
-
ROMs is that they first remove a bunch of
stuff from the phone and then put a bunch
-
of stuff on it. Part of what we need are
these proprietary Qualcomm libraries and
-
at least on the phones where we tried
cyanogen mod and what they are being
-
removed. So if cyanogen mod could stop
doing that, it would work beautifully.
-
It's not that we need anything additional.
We just need less to be deleted.
-
Mic 2: OK, thank you.
Herald: OK. Microphone number …, will you
-
ask. OK, are there some questions from the
IRC?
-
K: I think we have a bunch of questions.
Signal Angel: Actually, there is five
-
questions, so I will just ask one or two
for starting. The first one is, can all
-
these shown attacks that you proved on
your speech be mitigated by… by higher
-
protocols levels, like encrypted VoIP or
TextSecure, things like that? And what
-
will be the residual risks?
K: Mm, yeah. A good question. So how much
-
can you protect yourself by using the
mobile network less on using it as a dumb
-
pipe, I guess is the question, what if you
use just apps to call and send text? Well,
-
obviously your calls and texts won't be
intercepted anymore if they are encrypted
-
one more time in a way that's not
breakable. However, this does not solve
-
the location tracking. It does not solve
the fraud. It does not solve the denial of
-
service. It does not solve the spamming.
So you are tied to a mobile network and it
-
has a lot of control over you, your
location and your phone bill. None of that
-
is going to go away.
Herald: Another question from the IRC, one.
-
Signal Angel: Yeah, um, the second one is:
Wouldn't it be easier to design from
-
scratch a new mobile mobile network than
trying to find all flaws from actual
-
networks, which is an endless task?
K: Or I don't know where you would even
-
start designing everything from scratch
completely? The closest that I can think
-
of designing the mobile network from
scratch is LTE in the name of long term
-
evolution. It really wants to change
everything, but gives it a couple of years
-
but as Tobias pointed out, those
issues we pointed out today, they are
-
again included in LTE. Diameter is the
interconnect protocol. So we already
-
missed a chance to to remove much of this
issues by just upgrade. We'll have to fix
-
it through firewalls and monitoring like
we never got to update the Internet.
-
Herald: OK, microphone number four,
please.
-
Mic 4: Yet just a short thing. Could you
just provide a list of those libraries
-
you need from the stock images? So I think
it's pretty easy to copy them to this
-
cyanogen mod images.
K: Ok
-
Mic 4: OK, and if the app is open source,
-
maybe you can put it on fdroid?
K: Oh absolutely. Yes. Thank you.
-
applause
Herald: The microphone number two, please.
-
Mic 2: Got two questions, if I understood
correctly, you need to be inside the
-
operator network to actually
perform those SS7 queries, right?
-
K: Um, well, I would I would like for this
to be the case. But currently, does
-
anybody in the world connected to SS7 can
send his queries.
-
Mic 2: OK, so my question is that what was
your hook point for actually doing this
-
test?
K: I think I'll quote Tobias here by
-
saying I would rather not say anything
about that.
-
Mic 2: OK, so the second question is about
the case you mentioned it's if I am not
-
mistaken, is the session key. Right? It's and
it should involve that nonce value, right?
-
K: Yeah.
Mic 2: So if it is, it already has the nonce
-
value. So in order the attack to work, we
also need to intercept the initial
-
messages, the nonce exchange between the
target and the basis station. Is that
-
correct?
K: No, the nonce is… as as they are. So
-
the SIM card knows which key to produce.
Yes. But it helps the phone to find the
-
right encryption key. We are not the
phone. We don't have the SIM card. Right.
-
If you just give us the encryption key,
we don't need the nonce.
-
Mic 2: Yes. So what you're saying is that
the query you're sending there, it
-
actually sends you not only the encryption
key, but also the nonce that is required..
-
K: It doesn't send us the nonce and we
don't need the nonce. We can take that
-
offline now, explain how everything works.
Thank you.
-
Herald: To microphone number three,
please.
-
Mic 3: First of all, thank you for a very
good presentation and very impressive work
-
you've done here.
applause
-
K: Thank you.
Mic 3: The question I have might be a
-
little naive, but have you also, besides
taking a look at this closing this whole
-
issue technically wise, also been taking a
look into how what measures can be taken
-
legally, at least in Germany and some
countries in Europe now that we have
-
disclosed that basically certain rules /
laws have not been fulfilled, that we can
-
enforce the operators to implement this
stuff on legal ways?
-
K: We have not looked into it. Of course,
we consider the possibility as soon as
-
somebody has an overview of where these
attacks happen. And that seems to be the
-
issue right now. There's zero attack
transparency. Nobody is looking for these
-
issues. And partly that's to the to their
own disbenefit, because as soon as they do
-
look for this issue, some of these attack
patterns are very easy to stop, as I said,
-
two German networks, mitigated them within
two weeks. And these issues had been open
-
for 20 years. Had they ever looked into
their own data, that would have seen this
-
going on. So I'm not very confident that
anybody in Germany at least has an
-
overview of where abuse would come from.
And as soon as it does, I don't think
-
there's much point in litigating. Let's
just stop the possibility of abuse. Right,
-
instead of complaining about it happening.
But I'm with you. If there's corner cases
-
in which abuse just can't be stopped,
let's fight it legally, of course. Right.
-
And if all of you contribute information
through SnoopSearch, does the empty
-
pagings, if we can find patterns of
abuse, of course, we'll aggregate them and
-
try to move against them.
Herald: OK, microphone number four,
-
please.
Mic 4: You said you can buy your way into
-
the SS7 Network, but how easy is it
actually to get your access? And what do
-
you estimate: How many players are
there in the network? Can you give any
-
estimation?
K: I have absolutely no idea. I know that
-
there's some 800 companies who who are
legally allowed to access SS7 and then
-
those, of course, have subcontractors,
legal and illegal, and some people who
-
bribe them. Yet other people who hack
their systems or the systems of the
-
subcontractors, it's very hard to
estimate. No idea. But definitely too many
-
to trust all of them.
Mic 4: And would it be possible for me to
-
get access to this without any operator
stuff or. I don't want to operate a phone
-
network, but I want to have access because
I want to provide a service, some service?
-
K: Well, I wish the answer was no, but of
course, right of to be as an I and a bunch
-
of other people can get access. You should
be able to get that too. But I'm not going
-
to tell you how.
laughter and applause
-
Herald: Yet another question from the IRC.
Signal Angel: We're about nine questions,
-
so no problem for me. First one, what
about Windows phones, jail breaked
-
iPhones, or something like this will the
app in the end [be] on this phones?
-
K: Our app doesn't run on anything other
than Android, but the chipsets are, of
-
course, the same. So if you can speak to a
chipset through a jail broken iPhone, for
-
instance, you could create a similar
application. We just wanted to target the
-
biggest population of phones, and that
seems to be Android phones.
-
Herald: Then number two, please.
Mic 2: One further thought on self-defense
-
as self-defense has don't has to be
proportionate, I think, and identities are
-
not secure in the digital sphere. How
about developing some proactive, as we
-
heard the word defense tools?
K: Proactive as in hack the networks,
-
until they have no chance but to fix?
Mic 2: That's what you understood, but.
-
But, I support that. laughter
K: I'm not going to say that I dislike the
-
idea. But you won't see me here next year
explaining how I did it.
-
Mic 2: Thank you.
Herald: Microphone number three, please.
-
OK. When did you check the other two
German networks didn't fix the identifier
-
and the issue.
K. Which network do you work for?
-
Mic 2: I'm Holger. We talked last week.
K: Yeah. So yeah. Maybe you fixed it too.
-
We didn't, we didn't check.
Mic 2: We fixed it within 24 hour, 24
-
hours after our call.
K: Wow. OK.
-
Mic 2: On both networks.
applause
-
Thank you. Better late than never. Thank
you.
-
Mic 2: That's right.
K: OK, so that's three out of four now,
-
that fix one out of 100 problems.
Mic 2: No, it's… I know that's why we
-
don't go to the press and don't tell that
SS7 is fixed and we know we still have
-
problems also. It's all four. I work for
Telefonica, which is O2 and eplus.
-
K: Oh yeah. Well, congratulations. Sorry.
Sorry for spoiling your Christmas.
-
laughter
-
Herald: Microphone number two, please.
Mic 2: I'd like to know why these empty
-
pagings occur in the context of the
location tracking, I thought, as soon as
-
the phone registers in the network, the
base station, which is this connected to,
-
is known in the network anyway. Is that
the case?
-
K: That's a very good question. And let me
let me go back to one earlier slide to to
-
explain that, one second, so that the
empty pagings do not occure when you send
-
these creepy AnytimeInterrogation
messages. They are just there for spying
-
and there's no way to page the customer.
But since this got blocked and Tobias went
-
into great level of detail explaining
this, you need a couple of other messages
-
to now track some of this location and
these messages when meant for location
-
tracking them and ment for other purposes.
For instance, as I provide subscriber info
-
that however you reach it is always the
last message you need. This does do a
-
paging and then to provide subscriber info
really makes no sense unless you send
-
something afterwards also, deliver an SMS
connect to call or whatever. So the paging
-
is already sent in anticipation that an
SMS will come or that the call will come.
-
But if you're only the creepy guy tracking
it, they're going to send it SMS and
-
that's where the empty paging comes from.
Mic 2: OK, but still also in these cases
-
where something follows the paging, isn't
it a type of double checking whether it's
-
really there or I mean, the location info
itself should already be present and the
-
network, isn't it?
K: Yeah, yeah. It just reconfirms that the
-
subscriber is really there. So it's
basically saying: Somebody you just
-
interrogated your location because they
want to send you something. Let's check
-
that you're really still there because
otherwise we'll tell them something wrong.
-
But Tobias do you want to comment on that.
Tobias: Yeah. OK, so the empty paging is
-
not anticipation or something that's
coming after. It's to get the current cell
-
that you are located at, because when you
are moving around in your location area
-
and the area that is covered by the
switching center that you're currently
-
being served by, your phone doesn't
necessarily contact the base station. So
-
it could be that that the networks last
position of you is somewhere you received
-
an SMS or text or call, and then you moved
to a completely different area if your
-
phone didn't have network contact in the
meantime, the network would still only
-
know the last point of contact. So that's
why the why the empty paging happens so
-
that the that the network knows the base
station that's actually currently closest
-
to you. That's also why the law
enforcement uses a lot of Silent SMS so
-
that that they can get the last position
in the network. And it's also an option if
-
you send provide subscriber information,
you can just send it and get back the last
-
known position without a paging or you can
set the current location flag and provide
-
subscriber information. And only then the
subscriber gets paged and you will receive
-
the current location.
K: And that's that's one good example for
-
how SS7, which is supposed to be
so insecure we can never fix it, can
-
easily be fixed. There's an option that
says we're using this as normal feature
-
that's absolutely needed. And we have this
creepy extension to also ask for the
-
location. And some networks choose to not
answer that. The answer was zero zero zero
-
zero and nothing broke. Right. So you can
just ignore the insecure parts of SS7 and
-
do whatever you think is right. And for
the most part, it continues to work. But
-
I think we're well beyond answering
your question now right?
-
Mic 2: No, but from your answers. Thank
you very much. But another question
-
arises, because if it's actually to locate
your phone and to find out which cell
-
you're actually in, then it implies that
it's not only one base station that since
-
the paging call, but a whole bunch of base
stations. Do you know something about the
-
algorithm? I mean, how many around the
last known location are paging everybody
-
nationwide or how does..
K: Everybody can implement this as they
-
wish? And I don't have much insights into
how 3G does it, but in 2G typically is:
-
There's one paging send in the last cell
that saw you. You don't respond. It's send
-
in a larger area. You don't respond. It's
sent for the whole location area. And then
-
some networks, you don't respond. They
send it in the entire country. But that's
-
rare. Right?
Mic 2: Thank you very much.
-
Herald: Okay. Questions from the IRC?
Signal Angel: Did SnoopSnitch allow you to
-
reveal any kind of attack in countries.
Not special name in mind.
-
K: Does it allow you to detect attacks in
countries? Yeah, yeah, some kind of
-
Tapsell. I think the answer is yes. Its
whole purpose is to detect attacks. And it
-
also works in countries…
laughter
-
Herald: Did you succeed in detecting attacks.
K: Did we succeed in
-
detecting. Yes, we did. And if you go down
to the Saal C, Room C, you can see how it's
-
currently people are being attacked and
currently they detect that. Ok
-
Herald: OK microphone number five, please.
Mic 5: Yes, thanks, it's going back to SS7
-
basics. Can you quickly explain how SS7 is
implemented? Is this a VPN on the public
-
Internet through the providers? What's the
technical reality of transport?
-
K: That's a very good question. Of course,
that's a very good question. And I only
-
have half of the information, too. I keep
learning. But so it seems that it was
-
implemented initially as a network between
Western European telcos and their run
-
cables, dedicated cables for SS7.
SIGTRAN they called this and then a couple
-
more networks connected to it. And each
of them had to run the cable to one of the
-
other telcos. But eventually they changed
that and then introduced what I call
-
routing providers. So telcos are not
connected to each other usually, but
-
through a routing provider like on the
Internet and those routing providers, they
-
typically don't run a cable to your house
anymore. If you are a new telco, they give
-
you a VPN over the Internet. So it's
diverse. I'm sure there's still some
-
dedicated lines between Germany and
France, say, and there's some others
-
connecting and these big clouds that are
routing providers. And it's actually
-
really difficult to get your address
routed everywhere in the world. So even if
-
you connect to SS7, all you're connected
to is one routing provider and that
-
routing provider knows that you own these
addresses. Now it's up to you to convince
-
every other of the big seven or nine,
depending on how you count routing
-
providers that you are that guy with those
addresses. So the BGP equivalent of SS7 is
-
to get nine roaming agreements signed with
people on these other nine operators and
-
then fax those roaming agreements to
everybody else involved. So they type it
-
into your computer, into their computers,
very manual and very hard to grow the
-
network. But for the most part, it doesn't
change, of course-
-
Mic 5: So that the low level transport is
not really an attack surface from the
-
public Internet.
K: It can be the low level transport can
-
be an attack surface if people just
stupidly leave open their local networks.
-
But it's rare. It's much more common,
speaking about our talk next year,
-
hopefully on the other interconnect
networks, there's one interconnect network
-
for data roaming. It's called GRX. And
since everything is IP anyway on data
-
roaming, people sometimes do leave it out
on the Internet or just do it unencrypted
-
over the Internet. And it does seem to
become more popular also with the SS7
-
replacement Diameter, which again is pure
IP. So there's no dedicated thing that you
-
first have to encapsulate in a VPN before
you can route it over the Internet. You
-
can run Diameter over the open Internet if
you want. It's stupid, but people seem to
-
do it anyway.
Herald: OK, the microphone number six,
-
please.
Mic 6: OK, my question is, if you could
-
comment why these message were put in the
protocol at the first place, it they are
-
so easy to block and to fix. And the other
question is, if all the other problems
-
that you pointed out are as easy to fix
for the network operators.
-
K: So I don't have an answer to your first
question. Why do you put a tracking
-
message in the standard and then call it
AnytimeInterrogation, gosh, like that
-
invokes feelings for me,
interrogation room and all. I mean, this
-
is spy stuff, right? And there's no
practical, purposeful but. Right. Who
-
wrote SS7 standard? Western European
governments being afraid of the Russians,
-
of their own citizens, who knows? Right. I
don't know why they put every single
-
message in, though. So your second
question was what again?
-
Mic 6: If the other vulnerabilities are as
easy as to fix? Or just blocking messages.
-
K: No they're not. And I tried to point
that out in one of the slides that… that
-
AnytimeInterrogation can be fixed, as can,
for instance, as does SendIdentification
-
message, right. You just block that has no
purpose, routing this internationally. But
-
the other queries on this page, at least
you need those internationally, at least
-
to enable roaming. So the best you can do
is, as I said, first block these queries
-
from anybody who's not your roaming
partner, right? Don't respond to those
-
people and then do some plausibility
checking, secondly, make sure that if a
-
subscriber is actually in your own network,
that you don't honor requests from another
-
country. Right. And that should remove most
of the issues because most abuse comes from
-
other countries. It's just more likely if
there's 800 parties connected to this
-
network that the one doing the abuse is
not yours. Good question. Thanks.
-
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!
