Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/319 Thanks!

[00:00:09] So it is my great pleasure to be able to announce our next speaker. For those of you who have been to previous Congresses: Tobias Engel has been presenting at 18C3 on the short message service protocols, and at 25C3 on locating phones with SS7 through SMS routing. And as Tobias is an intimate friend and foe of diverse protocols and their implementations, I'm much looking forward to seeing what he has found today in his talk "SS7: Locate, Track and Manipulate". So please join me and give a very warm welcome to Tobias Engel.

[00:00:58] Thank you. Yeah, so, as Andreas already said, I want to talk about further security issues with SS7 today. So why should you care? Everybody who has a phone in his pocket indirectly uses SS7.
[00:01:16] And I'm going to talk about how your every movement can be tracked all over the world, and how people can intercept your calls in the middle of them, and your short messages, and all of that only by knowing your phone number.

[00:01:33] OK, one thing in advance. A few weeks ago, Karsten contacted me. He has the talk after this one, and we realized that his company and I did a lot of parallel research over this year. So we kind of split up the topics a little bit. And also, as I was made aware of only two days ago, two Russians, Sergey Puzankov and Dmitry Kurbatov, have already presented on that subject in May and talked a lot about the same issues. So it really seems 2014 is the year of SS7 research.

[00:02:19] OK, how did this talk come together?
[00:02:23] Earlier this year, a journalist from the Washington Post contacted me and told me that there are several companies out there selling tracking of people. And so, as you can see, I didn't come up with the title of my talk myself. "Locate, Track, Manipulate" is actually the subtitle of a brochure by Verint on their SkyLock product. And yet, as it turns out, companies are selling that ability. And as you can see, it's very detailed tracking, down to city streets, all over the world. And all you need is the phone number to track these people. And the journalist asked me, because I had done similar work on the subject, how that would be possible. And I wanted to find out. But first.
[00:03:24] Let's look at what Signaling System 7 is. It's the protocols used by most telecom network operators throughout the world for the switches to talk to each other. It was designed a long time ago, and back then, in the 80s, there were no mobile phones. It was all just fixed line phones connected to a socket in the wall, so there were no privacy implications. And also there were only very few telecom operators, state controlled big companies who trusted each other. And then came the mobile phones, and new features with them, and so new protocols had to be added to SS7. So now you could take your phone everywhere you went, to other countries. So roaming had to be implemented. You could send text messages. You have the Internet.
[00:04:28] So the mobile application part, MAP, was added that does all those things that mobile phones can do that fixed line phones cannot do. Then, even later, a new protocol was added to the application part that allows operators to build custom services that are otherwise not possible. More on that later. And for none of these services does any authentication exist. So if you are in the SS7 network and you have a roaming agreement with other operators, you can simply use these services and don't have to authenticate.

[00:05:13] Yeah, and getting access to SS7 is becoming easier all the time, and it can simply be bought from telecom operators and network operators, because if you, I don't know, plan on some servers or something like that, you might actually need SS7 access. So it can simply be bought, usually.
[00:05:42] So SS7 access, as it is, is simply like an Internet access without an IP address. So you still need an address; it's called a global title. And you need roaming agreements that cover that global title so that your messages get routed. Usually, but not always; sometimes it works without roaming agreements. And also several telcos are reselling global titles that are covered by their roaming agreements. Also, it happens that network operators leave their equipment on the Internet, and also there have been several reports of femtocell hacking, and femtocells are an extension of the network operator's core network into your home. So if you can hack a femtocell, there's also a chance that you have access to SS7.
[00:06:40] Quick overview of the protocol stack. Down there on the left side, MTP, the physical layer: E1 lines back in the days; nowadays it's often routed over IP. But this talk focuses on SCCP, the network layer, TCAP, and the mobile application part, MAP, that implements all the features for mobile phones.

[00:07:13] Quick network overview. On the left and on the right, you see the base station subsystem. This is the part our phones talk to, with the cell towers, the base station controllers and so on. This is not the focus of our talk. The focus is the core network of the operator. The red lines you can see are SS7 connections. So the operator's equipment uses SS7, and also between operators SS7 is being used. One of the most important network elements is the home location register. That's a database containing all information on a subscriber, meaning his phone number, is it a prepaid or postpaid contract?
[00:07:55] What is he allowed to do? Data, text messages, calls, incoming, outgoing; are there any call forwardings set? And so on. And also the home database, the home location register, knows which mobile switching center, MSC, or VLR, visitor location register, is currently closest to a subscriber. So the visitor location register receives a copy of the subscriber's data from the HLR as soon as you switch on your phone. And so, for example, most networks will have one switching center, or one mobile switching center, for Hamburg here. So we are all logged into the respective network's switching centers for Hamburg right now, and that received a copy of your respective subscriber data. And so the visitor location register and the mobile switching center, which is actually doing the routing for calls: the MSC is always co-located with the VLR, so I put them in one box.
[00:09:00] There are two different logical entities, but they also have the same address, and it's mostly the same machine. Everything is addressed by global title. Global titles look just like international phone numbers: on the left for a German network, on the right for a US network. Most of you have come in contact with a global title, for the SMSC, back in the days when you still had to enter the SMSC on your phone by hand. Then you entered the global title for the short message service center so that you could send short messages.

[00:09:41] OK, so much for the quick overview. Now to cell level tracking, so what those commercial providers are offering. The network, of course, needs to know your position. It needs to know which base station or cell is closest to you, because you want to receive calls, you want to receive short messages and so on.
[00:10:07] So if somebody can find out the ID (every base station in the world has a unique ID), if somebody can find out that ID, then he can use that ID to look up its geographical position in one of several databases on the Internet. So, for example, Google has a very big database. And of course, especially in cities where the cell towers are pretty close, the location of the cell tower closest to you is also a pretty good idea of where you are currently.

[00:10:51] So the commercial providers claim coverage of about 70 percent of worldwide mobile subscribers, meaning you don't have to be close to that subscriber, you don't have to know where he currently is. You just need to know his phone number. And some have some non-technical limitations. So, for example, in the Verint brochure they say you cannot locate Israeli subscribers in Israel or U.S. subscribers worldwide.
[00:11:18] Verint, by the way, is a US-Israeli company. And so, SkyLock, Infiltrator, they're all very nice names for their products.

[00:11:32] OK, how does it look on the protocol level? On the left, the attacker. He sends a MAP anyTimeInterrogation request. AnyTimeInterrogation is exactly for that purpose, for finding out the cell ID of a mobile subscriber. And it's used for network internal purposes normally, for example if you have a home zone, so that you can make cheaper calls if you're currently at home, and so on. So that's what it's used for. But it can also be used by attackers to find out the cell. So the anyTimeInterrogation goes to the home database of the subscriber and says, OK, please let me know the cell ID, and, if you want, also the IMEI, the phone serial number of that subscriber. And the home database doesn't know the cell ID.
It just knows which switching center is currently serving that subscriber. So it sends a provideSubscriberInfo request to the switching center. The switch pages, so the mobile gets paged, so that the switch can be sure that it really got the current cell, and the information gets returned to the attacker. So it's really only meant as a network internal service. But still, as you can see in this Wireshark trace of a request we sent, it still works for many networks. Here you can see the cell at the bottom.

[00:13:09] OK, but many networks, especially in Europe, most of the networks actually, or at least in Germany, all the networks block anyTimeInterrogation by now. But as we have seen before, the home database doesn't even know the cell ID, so...
[00:13:27] We just need to find out the address of the switching center, and then we can ask the switching center itself. Also, we need to find out the IMSI, the international mobile subscriber identifier of the subscriber, because internally in the network not phone numbers are used for routing, but the IMSI. And luckily there's a request for that. We can just ask the home database: please tell me the IMSI and which switching center the subscriber is currently at. That's used for some routing normally, so if you're in a different network and want to send a short message to that subscriber. So the information is returned, and then the attacker can simply ask the switching center itself, and it works just like before. And that really works for a lot of networks, because also most MSCs, switching centers, accept requests from just anywhere and anyone.
[00:14:35] So you would say, OK, if there's a German subscriber currently at home in his German network, for example, an Indonesian network should have no business querying his location. But the MSC doesn't do any plausibility checks, and the request will get answered.

[00:15:00] OK, so to demonstrate this better, for about two weeks we tracked some people who were nice enough to give me their phone number and said, OK, you can track me. Let me see if I can show that to you.

[00:15:23] Yeah. OK, they're there somewhere. OK. Let's see. OK, my touchpad is acting weird. OK, let's start. So that's a Dutch subscriber who, when I started tracking him, was in Seattle. As you can see down there, there are the times.
[00:16:23] Yeah, OK, so he said he didn't use the ferry. So that's on the water there. That was a... the location database gave me a wrong position, but he said the rest was very accurate. And here, where he lives and where he works, and the theater. And so it continued for a few days, and then that subscriber, for Christmas, as you can see down there, he flew back to the Netherlands. And let's see if we can really see. So the next tracking was when he was on the train away from Schiphol, and then through the Netherlands. And he asked me to remove the last point of those tracks because he said that was too close to home.

[00:17:37] Some other. Let's see. So here we can see very nicely somebody who lives in Luxembourg.
[00:17:54] You can actually see him traveling down the autobahn, then stopping somewhere, then continuing traveling, and then, after some time, taking the plane to Hamburg. What's he doing there? So, yeah, so you can see how he traveled to the Congress. And also, I think you got the general idea: somebody living in Hanover. Or Darmstadt. And also you can see pretty well where he took the autobahn, where he traveled, what route he took. Also to Hamburg in the end. So, as you can see, it's really relatively precise. So, yeah. This is possible for almost all of us. So let me check. OK. Oops.
[00:19:41] And I think it's really scary because, I mean, you don't have to know somebody, you just have to know his phone number, and you can track him from the other side of the world. You don't have to be near him. You just need, as I said, SS7 access. And of course, those companies who are offering those services, they are saying they're only offering those services to government agencies and law enforcement and so on. But I don't know about you; there are many countries in the world whose governments I wouldn't trust with this functionality.

[00:20:19] OK, then. We talked to one of the big German operators about those problems, and they were really shocked finding out about that, and started monitoring the network and found a lot of traffic that was carrying people's positions and other stuff.
[00:20:45] So then, after a while, they implemented some filters, filtering out the possibility to figure out the IMSI and the current mobile switching center. So as we saw earlier, you need that: you need to find out the IMSI and the switching center. So they disabled that ability, and the attack traffic dropped more than 80 percent. And they started to try and figure out where the traffic came from. So some of the traffic was simply misconfiguration in other networks; that was quickly fixed. Then some commercial use cases, for example a shipping company tracking its vehicles, and also some provider who provided a service for banks sending mobile transaction numbers, one time passwords, as short messages to phones. And they wanted to check if a SIM card had been swapped, because a few years ago there was a case where criminals swapped the SIM cards of their victims and got the mobile transaction number.
541 00:21:51,510 --> 00:21:53,639 And so they wanted 542 00:21:53,640 --> 00:21:55,349 to check if the SIM card had 543 00:21:55,350 --> 00:21:57,089 been changed to prevent that kind of thing. 544 00:21:57,090 --> 00:21:58,979 But they were using a network-internal 545 00:21:58,980 --> 00:22:01,079 service for that. And that was 546 00:22:01,080 --> 00:22:03,299 also switched off then. 547 00:22:03,300 --> 00:22:05,729 And some of those network operators 548 00:22:05,730 --> 00:22:07,019 that were contacted by the German 549 00:22:07,020 --> 00:22:09,329 operator, they either didn't 550 00:22:09,330 --> 00:22:11,159 answer or said they didn't know about 551 00:22:11,160 --> 00:22:13,649 anything. So the German operator believes 552 00:22:13,650 --> 00:22:16,169 that, uh, 553 00:22:16,170 --> 00:22:18,389 those were requests by state actors 554 00:22:18,390 --> 00:22:20,519 then or by the network, 555 00:22:20,520 --> 00:22:22,769 by those other network operators 556 00:22:22,770 --> 00:22:24,119 themselves. 557 00:22:24,120 --> 00:22:27,189 And some of these attacks still persist. 558 00:22:27,190 --> 00:22:29,489 Um, meaning, 559 00:22:29,490 --> 00:22:31,589 um, those 560 00:22:31,590 --> 00:22:33,659 attackers need other information 561 00:22:33,660 --> 00:22:35,939 sources. They somehow need to find out 562 00:22:35,940 --> 00:22:37,439 the IMSI of the subscribers. 563 00:22:37,440 --> 00:22:39,779 Maybe then they know them from before 564 00:22:39,780 --> 00:22:42,209 or they have other resources 565 00:22:42,210 --> 00:22:43,649 to find that out. 566 00:22:43,650 --> 00:22:45,749 And for 567 00:22:45,750 --> 00:22:47,159 the switching center they can simply 568 00:22:47,160 --> 00:22:48,629 brute force, they can simply brute 569 00:22:48,630 --> 00:22:50,249 force the number range. 570 00:22:50,250 --> 00:22:52,739 But yeah, those attacks still continue.
571 00:22:54,710 --> 00:22:55,710 OK, 572 00:22:58,710 --> 00:23:00,839 OK, this very quickly because we 573 00:23:00,840 --> 00:23:02,999 don't have so much time. In the 574 00:23:03,000 --> 00:23:05,309 U.S., um, there's a requirement 575 00:23:05,310 --> 00:23:07,409 that if you call 911, phones 576 00:23:07,410 --> 00:23:09,629 have to be located very 577 00:23:09,630 --> 00:23:11,759 precisely. So there was a new feature 578 00:23:11,760 --> 00:23:14,309 added to MAP, the location services, 579 00:23:14,310 --> 00:23:16,559 that don't just return the cell, but 580 00:23:16,560 --> 00:23:18,929 an actual latitude and longitude. 581 00:23:18,930 --> 00:23:21,389 Um, and they can even 582 00:23:21,390 --> 00:23:23,129 return the GPS position of a phone. 583 00:23:23,130 --> 00:23:24,209 If it has a GPS 584 00:23:24,210 --> 00:23:26,189 receiver, it can be switched on and then 585 00:23:26,190 --> 00:23:28,650 returns its position back to the network. 586 00:23:29,690 --> 00:23:31,889 Um, those emergency 587 00:23:31,890 --> 00:23:34,499 services, they use the GMLC, the Gateway 588 00:23:34,500 --> 00:23:38,159 Mobile Location Center, and 589 00:23:38,160 --> 00:23:40,409 that requires authentication, thank 590 00:23:40,410 --> 00:23:41,410 God. 591 00:23:43,110 --> 00:23:44,159 So this is straight from the 592 00:23:44,160 --> 00:23:46,709 specification you see up there. 593 00:23:46,710 --> 00:23:48,989 The police, for example, is 594 00:23:48,990 --> 00:23:51,329 the client and it, uh, 595 00:23:51,330 --> 00:23:54,059 sends a service request to the GMLC, 596 00:23:54,060 --> 00:23:55,890 and that requires authentication.
597 00:23:57,290 --> 00:23:58,759 But as we have seen before, 598 00:24:00,230 --> 00:24:02,029 the switching centers, they don't care 599 00:24:02,030 --> 00:24:03,859 about authentication, don't know about 600 00:24:03,860 --> 00:24:05,989 authentication, so you can again 601 00:24:05,990 --> 00:24:08,269 send the provide 602 00:24:08,270 --> 00:24:10,189 subscriber location request directly to 603 00:24:10,190 --> 00:24:11,190 the switching center. 604 00:24:12,050 --> 00:24:14,299 So in practice, 605 00:24:14,300 --> 00:24:16,519 that works as seen before. 606 00:24:16,520 --> 00:24:17,689 Just ask for the IMSI, 607 00:24:17,690 --> 00:24:19,849 ask for the switching center, then 608 00:24:19,850 --> 00:24:21,339 query the switching center directly. 609 00:24:22,700 --> 00:24:25,309 But as I wrote here, they implemented 610 00:24:25,310 --> 00:24:27,589 some funny kind of sender 611 00:24:27,590 --> 00:24:29,419 address verification because they said, 612 00:24:29,420 --> 00:24:31,399 OK, maybe those requests shouldn't be 613 00:24:31,400 --> 00:24:32,899 allowed from outside the network. 614 00:24:32,900 --> 00:24:34,969 So they wanted 615 00:24:34,970 --> 00:24:36,890 to verify the sender address. 616 00:24:37,950 --> 00:24:40,169 So the sender and destination addresses 617 00:24:40,170 --> 00:24:42,330 of MAP messages are in the SCCP layer, 618 00:24:43,560 --> 00:24:45,689 so this is how it looks: calling 619 00:24:45,690 --> 00:24:47,789 party means the equipment 620 00:24:47,790 --> 00:24:50,909 that sends the message and called party 621 00:24:50,910 --> 00:24:53,099 the receiver; for example, the calling party 622 00:24:53,100 --> 00:24:54,909 in this case is the HLR, the home location 623 00:24:54,910 --> 00:24:56,340 register, and the called party the VLR. 624 00:24:57,630 --> 00:25:00,029 And the problem is this SCCP 625 00:25:00,030 --> 00:25:02,219 layer doesn't know who is 626 00:25:02,220 --> 00:25:04,079 allowed to use which services or not.
627 00:25:06,030 --> 00:25:08,159 So the solution is they 628 00:25:08,160 --> 00:25:10,289 have the sender of the message 629 00:25:10,290 --> 00:25:11,699 put in another copy 630 00:25:12,720 --> 00:25:15,239 of the sender address in the MAP layer. 631 00:25:15,240 --> 00:25:17,579 So the responses will be 632 00:25:17,580 --> 00:25:19,919 routed to the calling party address 633 00:25:19,920 --> 00:25:21,989 up there, but verified 634 00:25:21,990 --> 00:25:23,940 will be the address down there, 635 00:25:25,710 --> 00:25:27,849 meaning if you tell the truth, put 636 00:25:27,850 --> 00:25:29,729 in the same address twice, you get back 637 00:25:29,730 --> 00:25:31,379 "unauthorized requesting network". 638 00:25:31,380 --> 00:25:33,239 But if you just put in an address that 639 00:25:33,240 --> 00:25:34,859 looks similar to the network's so that the 640 00:25:34,860 --> 00:25:36,989 network thinks it's an internal address, 641 00:25:36,990 --> 00:25:38,970 it works. So you get back 642 00:25:40,540 --> 00:25:42,180 the latitude and longitude. 643 00:25:47,570 --> 00:25:49,789 OK, this is obviously not a GPS 644 00:25:49,790 --> 00:25:50,790 position. 645 00:25:51,920 --> 00:25:53,239 I don't know, maybe that person was 646 00:25:53,240 --> 00:25:54,499 somewhere where GPS 647 00:25:54,500 --> 00:25:56,240 was not available or something. 648 00:25:57,590 --> 00:25:59,689 OK, so now we have 649 00:25:59,690 --> 00:26:01,789 seen a lot about how 650 00:26:01,790 --> 00:26:04,369 it's possible to gather information 651 00:26:04,370 --> 00:26:06,919 from the MSC, 652 00:26:06,920 --> 00:26:09,319 but it's also possible to manipulate 653 00:26:10,400 --> 00:26:11,400 information there. 654 00:26:13,040 --> 00:26:13,939 Sorry. 655 00:26:13,940 --> 00:26:14,940 Um. 656 00:26:18,310 --> 00:26:19,630 So, um, you. 657 00:26:22,580 --> 00:26:24,899 OK, it's just right there, OK?
658 00:26:24,900 --> 00:26:27,139 The colors, it's actually colored 659 00:26:27,140 --> 00:26:29,369 here on my display, but yeah, um. 660 00:26:32,340 --> 00:26:35,099 So if you remember 661 00:26:35,100 --> 00:26:36,269 back in the beginning, I said when you 662 00:26:36,270 --> 00:26:37,270 switch on your phone, 663 00:26:39,060 --> 00:26:41,169 your home database, the HLR, 664 00:26:41,170 --> 00:26:43,379 transfers a copy of your subscriber 665 00:26:43,380 --> 00:26:45,509 data to the 666 00:26:45,510 --> 00:26:47,579 MSC, to the VLR, 667 00:26:47,580 --> 00:26:48,749 of your home network. 668 00:26:48,750 --> 00:26:50,999 And the VLR, from that point on, 669 00:26:51,000 --> 00:26:52,709 controls everything you can do with your 670 00:26:52,710 --> 00:26:55,079 phone. But an attacker can also 671 00:26:55,080 --> 00:26:57,390 play HLR and send 672 00:26:58,550 --> 00:27:00,659 a copy of the 673 00:27:00,660 --> 00:27:02,909 subscriber data as he modifies 674 00:27:02,910 --> 00:27:05,069 it to your current switching 675 00:27:05,070 --> 00:27:06,070 center. 676 00:27:06,720 --> 00:27:08,909 Meaning he can enable or disable 677 00:27:08,910 --> 00:27:11,039 the possibility to make calls, 678 00:27:11,040 --> 00:27:13,259 incoming or outgoing SMS or 679 00:27:13,260 --> 00:27:15,449 data, or delete the subscriber 680 00:27:15,450 --> 00:27:17,309 altogether from the VLR, 681 00:27:19,140 --> 00:27:21,029 and that. 682 00:27:23,060 --> 00:27:26,019 Another thing, new protocol, 683 00:27:26,020 --> 00:27:28,069 uh, the Customised Applications for 684 00:27:28,070 --> 00:27:30,139 Mobile networks Enhanced Logic, nobody 685 00:27:30,140 --> 00:27:31,549 ever can remember that. 686 00:27:31,550 --> 00:27:32,550 Um.
687 00:27:34,210 --> 00:27:35,289 It's like an 688 00:27:36,640 --> 00:27:38,889 overlay over the usual 689 00:27:38,890 --> 00:27:41,109 MAP logic, and it gives 690 00:27:41,110 --> 00:27:43,629 your network operator 691 00:27:43,630 --> 00:27:45,789 the ability to say, OK, for 692 00:27:45,790 --> 00:27:48,099 example, if you are currently, 693 00:27:48,100 --> 00:27:49,719 I don't know, you're a German subscriber, 694 00:27:49,720 --> 00:27:51,139 you're currently in France. 695 00:27:51,140 --> 00:27:53,229 Um, your home 696 00:27:53,230 --> 00:27:55,449 network operator can say, hey, every time 697 00:27:55,450 --> 00:27:57,549 that subscriber from my German home 698 00:27:57,550 --> 00:28:00,729 network, um, 699 00:28:00,730 --> 00:28:02,739 wants to make a call, contact the home 700 00:28:02,740 --> 00:28:03,740 network. 701 00:28:04,760 --> 00:28:06,899 Contact the service control 702 00:28:06,900 --> 00:28:08,969 function, the service control function in 703 00:28:08,970 --> 00:28:09,970 the home network. 704 00:28:12,220 --> 00:28:13,929 And the service control function of 705 00:28:13,930 --> 00:28:16,089 the home network then decides if that 706 00:28:16,090 --> 00:28:18,549 call can continue 707 00:28:18,550 --> 00:28:21,189 or if the data will be modified 708 00:28:21,190 --> 00:28:22,389 or if it will be canceled. 709 00:28:27,160 --> 00:28:29,229 So on the left, we have the home network 710 00:28:30,910 --> 00:28:33,069 with the service control function; it 711 00:28:33,070 --> 00:28:35,469 sends the address of the service control 712 00:28:35,470 --> 00:28:37,119 function to the switching center because, 713 00:28:37,120 --> 00:28:38,889 you see, the German subscriber is currently 714 00:28:38,890 --> 00:28:41,289 in France.
So it sends the address 715 00:28:41,290 --> 00:28:43,629 of the service control function 716 00:28:43,630 --> 00:28:46,269 to the French MSC 717 00:28:46,270 --> 00:28:48,699 and says, OK, contact me whenever 718 00:28:48,700 --> 00:28:50,349 that subscriber of mine wants to make a 719 00:28:50,350 --> 00:28:51,350 call. 720 00:28:56,080 --> 00:28:58,329 OK, then the subscriber wants 721 00:28:58,330 --> 00:29:00,549 to make a call and he forgets to add 722 00:29:00,550 --> 00:29:02,619 the international country code 723 00:29:02,620 --> 00:29:04,569 before the phone number, he just dials 724 00:29:04,570 --> 00:29:06,819 it like a German phone 725 00:29:06,820 --> 00:29:08,619 number. And usually that wouldn't work 726 00:29:08,620 --> 00:29:10,839 because the 727 00:29:10,840 --> 00:29:12,999 French switching center 728 00:29:13,000 --> 00:29:14,889 doesn't know anything about how German 729 00:29:14,890 --> 00:29:17,529 phone numbers work, but 730 00:29:17,530 --> 00:29:18,819 the service control function gets 731 00:29:18,820 --> 00:29:20,799 contacted. It says, OK, your subscriber 732 00:29:20,800 --> 00:29:22,119 wants to call that number, what should I 733 00:29:22,120 --> 00:29:23,709 do with it? And the service control 734 00:29:23,710 --> 00:29:25,209 function rewrites it to the 735 00:29:25,210 --> 00:29:27,669 international number and then the call 736 00:29:27,670 --> 00:29:28,670 can be set up 737 00:29:29,740 --> 00:29:31,389 and the subscriber doesn't know anything 738 00:29:31,390 --> 00:29:33,549 about it. You just dial the number as 739 00:29:33,550 --> 00:29:35,109 usual from Germany and it works. 740 00:29:38,280 --> 00:29:40,739 But if you remember, the address 741 00:29:40,740 --> 00:29:42,809 of that service control function gets 742 00:29:42,810 --> 00:29:43,890 sent to the switch 743 00:29:45,030 --> 00:29:46,140 by the home database. 744 00:29:47,880 --> 00:29:48,900 So if the attacker
745 00:29:50,000 --> 00:29:52,549 can modify data in the MSC, 746 00:29:54,170 --> 00:29:56,239 he can simply send a different address 747 00:29:56,240 --> 00:29:58,399 to the MSC, his own, 748 00:29:58,400 --> 00:29:59,539 his own global title. 749 00:29:59,540 --> 00:30:01,669 He can say, OK, every 750 00:30:01,670 --> 00:30:02,930 time that subscriber 751 00:30:04,310 --> 00:30:06,769 does anything, contact me. 752 00:30:06,770 --> 00:30:08,329 And he provides his own address. 753 00:30:13,410 --> 00:30:15,509 So now the subscriber there on the left, 754 00:30:15,510 --> 00:30:16,799 he wants to dial that number, the 755 00:30:16,800 --> 00:30:17,800 subscriber on the right, 756 00:30:19,460 --> 00:30:21,989 so he dials the number and 757 00:30:21,990 --> 00:30:24,299 the switching center now contacts 758 00:30:24,300 --> 00:30:25,139 the attacker. 759 00:30:25,140 --> 00:30:27,209 So the attacker now already knows 760 00:30:27,210 --> 00:30:28,799 the phone number the subscriber wants 761 00:30:28,800 --> 00:30:29,800 to dial. 762 00:30:33,940 --> 00:30:36,369 And then he changes that phone number 763 00:30:36,370 --> 00:30:38,769 to the number of his recording 764 00:30:38,770 --> 00:30:41,319 proxy that he has somewhere, 765 00:30:41,320 --> 00:30:43,059 I don't know, it doesn't even 766 00:30:43,060 --> 00:30:45,309 have to have SS7 access, it can 767 00:30:45,310 --> 00:30:47,499 just be some Asterisk 768 00:30:47,500 --> 00:30:49,629 box on the Internet with 769 00:30:49,630 --> 00:30:51,630 a publicly reachable phone number.
770 00:30:54,600 --> 00:30:57,609 OK, the call will be set up 771 00:30:57,610 --> 00:30:59,829 to the recording proxy and 772 00:30:59,830 --> 00:31:01,299 will be bridged to the original 773 00:31:01,300 --> 00:31:02,300 subscriber 774 00:31:03,370 --> 00:31:05,019 and then both subscribers can talk to 775 00:31:05,020 --> 00:31:07,119 each other while the attacker is the man 776 00:31:07,120 --> 00:31:09,249 in the middle and records the whole call. 777 00:31:20,380 --> 00:31:22,479 So just a few days ago, I read 778 00:31:22,480 --> 00:31:24,669 that this is actually happening, 779 00:31:24,670 --> 00:31:27,399 so I heard of a 780 00:31:27,400 --> 00:31:29,769 Ukrainian network operator 781 00:31:29,770 --> 00:31:32,089 who found out that, um, 782 00:31:32,090 --> 00:31:34,599 that several of his subscribers' 783 00:31:34,600 --> 00:31:36,579 calls had been intercepted. 784 00:31:36,580 --> 00:31:39,189 And those requests, um, 785 00:31:39,190 --> 00:31:41,019 came from, uh, a Russian 786 00:31:41,020 --> 00:31:42,020 SS7 network. 787 00:31:43,360 --> 00:31:44,589 So this is actually happening. 788 00:31:49,480 --> 00:31:50,739 OK, so, um. 789 00:31:52,980 --> 00:31:55,309 Now, we've seen a lot about, um, 790 00:31:57,180 --> 00:31:59,279 the switching 791 00:31:59,280 --> 00:32:00,749 centers and their abilities. 792 00:32:02,290 --> 00:32:04,809 But the home location register 793 00:32:04,810 --> 00:32:05,810 uh, 794 00:32:07,350 --> 00:32:09,659 also has some vulnerabilities. 795 00:32:09,660 --> 00:32:11,819 So first, let's look at 796 00:32:11,820 --> 00:32:14,009 um, what 797 00:32:14,010 --> 00:32:16,559 exactly happens if you travel 798 00:32:16,560 --> 00:32:18,299 to another region or country.
799 00:32:18,300 --> 00:32:19,679 So in this case, I said it's a different 800 00:32:19,680 --> 00:32:21,719 country, but it's actually the same 801 00:32:21,720 --> 00:32:23,849 if you are just traveling, 802 00:32:23,850 --> 00:32:25,609 I don't know, from Berlin to Hamburg 803 00:32:25,610 --> 00:32:27,719 and you are a German subscriber. 804 00:32:27,720 --> 00:32:29,909 So your phone sends the location 805 00:32:29,910 --> 00:32:32,279 update request 806 00:32:32,280 --> 00:32:33,299 to the switching center. 807 00:32:33,300 --> 00:32:35,699 And that sends an update location request 808 00:32:35,700 --> 00:32:36,700 to the HLR. 809 00:32:44,870 --> 00:32:47,069 And what happens then is the HLR 810 00:32:47,070 --> 00:32:48,949 receives the address of the mobile 811 00:32:48,950 --> 00:32:50,569 switching center because it needs to know 812 00:32:50,570 --> 00:32:52,069 where to route your incoming 813 00:32:52,070 --> 00:32:54,019 calls and your incoming short messages. 814 00:32:54,020 --> 00:32:56,299 It stores that address and sends, 815 00:32:56,300 --> 00:32:57,829 as I said before, a copy of the 816 00:32:57,830 --> 00:32:59,930 subscriber data to the switching center. 817 00:33:02,170 --> 00:33:04,779 So now, for example, 818 00:33:04,780 --> 00:33:06,129 somebody wants to send you a short 819 00:33:06,130 --> 00:33:08,289 message. There on the left, the short 820 00:33:08,290 --> 00:33:10,209 message service center of that network 821 00:33:10,210 --> 00:33:12,309 asks your home location register, 822 00:33:12,310 --> 00:33:13,689 the home database: 823 00:33:13,690 --> 00:33:15,849 Please give me routing 824 00:33:15,850 --> 00:33:16,850 information 825 00:33:17,980 --> 00:33:20,199 for that phone number, and it gets 826 00:33:20,200 --> 00:33:22,269 back the address of 827 00:33:22,270 --> 00:33:24,399 that switching center there.
828 00:33:24,400 --> 00:33:26,499 And the SMSC can then send 829 00:33:26,500 --> 00:33:28,209 the short message to you. 830 00:33:32,990 --> 00:33:35,179 But an attacker can also send 831 00:33:35,180 --> 00:33:37,029 an update location request in your name. 832 00:33:38,380 --> 00:33:40,209 So it will send the update location 833 00:33:40,210 --> 00:33:42,279 request to your home database, 834 00:33:42,280 --> 00:33:44,679 to your home location register, 835 00:33:44,680 --> 00:33:46,869 and then the home location register, 836 00:33:48,460 --> 00:33:50,799 um, will save the attacker's address. 837 00:33:55,180 --> 00:33:57,579 That means that, for example, 838 00:33:57,580 --> 00:33:59,859 the bank sending 839 00:33:59,860 --> 00:34:02,349 a one-time password, a mobile transaction 840 00:34:02,350 --> 00:34:04,479 number, wants to 841 00:34:04,480 --> 00:34:05,560 send you a short message. 842 00:34:07,540 --> 00:34:09,549 That short message now gets routed to the 843 00:34:09,550 --> 00:34:11,888 attacker without the subscriber 844 00:34:11,889 --> 00:34:12,889 knowing about that. 845 00:34:16,040 --> 00:34:18,619 So in the case I mentioned earlier, 846 00:34:18,620 --> 00:34:21,499 the case of criminals 847 00:34:21,500 --> 00:34:23,908 swapping SIM cards, if they had had 848 00:34:23,909 --> 00:34:25,459 SS7 access, that would have been even 849 00:34:25,460 --> 00:34:26,479 easier for them. 850 00:34:26,480 --> 00:34:28,908 They wouldn't even have had 851 00:34:28,909 --> 00:34:30,138 to switch SIM cards. 852 00:34:30,139 --> 00:34:31,968 They could have just said, OK, I'm the 853 00:34:31,969 --> 00:34:32,869 subscriber now. 854 00:34:32,870 --> 00:34:34,179 Send the short message to me. 855 00:34:46,780 --> 00:34:48,939 OK, another thing, USSD codes, 856 00:34:48,940 --> 00:34:51,158 those star-hash codes you probably 857 00:34:51,159 --> 00:34:52,928 know you have to enter in your phone 858 00:34:52,929 --> 00:34:53,929 sometimes.
859 00:34:56,150 --> 00:34:58,339 They can also be executed 860 00:34:58,340 --> 00:35:01,339 for other subscribers by an attacker. 861 00:35:01,340 --> 00:35:03,499 So not in Germany, but in several 862 00:35:03,500 --> 00:35:05,689 countries, carriers allow 863 00:35:05,690 --> 00:35:08,569 transfer of prepaid credit 864 00:35:08,570 --> 00:35:09,780 via USSD codes. 865 00:35:10,910 --> 00:35:13,729 So you could just empty 866 00:35:13,730 --> 00:35:16,549 a victim's prepaid 867 00:35:16,550 --> 00:35:18,739 account and send 868 00:35:18,740 --> 00:35:20,989 all of his credit to your own number, 869 00:35:20,990 --> 00:35:23,179 for example. Or call 870 00:35:23,180 --> 00:35:24,899 forwarding can be set and deleted. 871 00:35:24,900 --> 00:35:27,049 Meaning if I 872 00:35:27,050 --> 00:35:29,119 activate a call forwarding on your 873 00:35:29,120 --> 00:35:31,309 phone to, for example, a premium 874 00:35:31,310 --> 00:35:33,589 rate number and then 875 00:35:33,590 --> 00:35:36,589 call your phone for just the normal fee, 876 00:35:36,590 --> 00:35:38,359 you have to pay for the call to the 877 00:35:38,360 --> 00:35:39,949 premium rate number. 878 00:35:39,950 --> 00:35:41,299 That premium rate number would, of 879 00:35:41,300 --> 00:35:43,009 course, also be controlled by the 880 00:35:43,010 --> 00:35:44,010 attacker. 881 00:35:45,920 --> 00:35:46,920 Yeah. 882 00:35:51,700 --> 00:35:53,979 OK, so, um, and 883 00:35:53,980 --> 00:35:55,959 you don't even have to do what I wrote 884 00:35:55,960 --> 00:35:58,299 before, where you tell the, uh, the 885 00:35:58,300 --> 00:36:00,159 home database that the subscriber is now in 886 00:36:00,160 --> 00:36:02,229 my network, the attacker's network. 887 00:36:02,230 --> 00:36:03,489 The subscriber is now being served by me. 888 00:36:03,490 --> 00:36:05,389 I mean, you don't even have to do that.
889 00:36:05,390 --> 00:36:07,599 You can just, uh, if 890 00:36:07,600 --> 00:36:09,759 the subscriber is at home 891 00:36:09,760 --> 00:36:11,379 in a German network, he can stay there. 892 00:36:11,380 --> 00:36:13,649 Uh, still 893 00:36:13,650 --> 00:36:15,999 the German home database will say, 894 00:36:16,000 --> 00:36:18,429 OK, I will execute that USSD 895 00:36:18,430 --> 00:36:20,499 code for the subscriber or activate 896 00:36:20,500 --> 00:36:21,909 that supplementary service for the 897 00:36:21,910 --> 00:36:23,409 subscriber, call forwarding or something 898 00:36:23,410 --> 00:36:25,599 like that. So as you can see 899 00:36:25,600 --> 00:36:27,879 here, uh, we 900 00:36:27,880 --> 00:36:29,949 queried the balance of 901 00:36:29,950 --> 00:36:32,119 a German prepaid card, 902 00:36:32,120 --> 00:36:34,509 um, while it was logged into the German 903 00:36:34,510 --> 00:36:36,909 network, from a network on 904 00:36:36,910 --> 00:36:37,989 the other side of the world. 905 00:36:47,630 --> 00:36:50,149 So I guess this one 906 00:36:50,150 --> 00:36:52,429 Karsten's going to talk about. 907 00:36:52,430 --> 00:36:53,700 Karsten, are you 908 00:36:57,260 --> 00:36:58,270 [inaudible] 909 00:36:59,840 --> 00:37:00,840 OK. 910 00:37:05,360 --> 00:37:06,469 OK then. 911 00:37:18,320 --> 00:37:19,889 You have to translate it to English. 912 00:37:24,380 --> 00:37:26,599 OK, so I 913 00:37:26,600 --> 00:37:29,719 call it hybrid attacks because, um, 914 00:37:29,720 --> 00:37:30,720 uh. 915 00:38:01,720 --> 00:38:04,779 OK, so I call it hybrid attacks, because 916 00:38:04,780 --> 00:38:06,729 you have two hybrid, 917 00:38:09,790 --> 00:38:12,039 right, like up there. 918 00:38:12,040 --> 00:38:13,040 Sorry. 919 00:38:18,020 --> 00:38:19,579 Is this an actual human doing the 920 00:38:19,580 --> 00:38:20,580 translation or? 921 00:38:32,390 --> 00:38:33,390 And.
922 00:38:35,260 --> 00:38:37,359 OK, so hybrid attacks, 923 00:38:37,360 --> 00:38:39,489 meaning you can capture 924 00:38:39,490 --> 00:38:41,559 sort of 925 00:38:41,560 --> 00:38:43,599 the air interface if the network wants to 926 00:38:43,600 --> 00:38:45,699 reach you. So now really 927 00:38:45,700 --> 00:38:47,919 at the base station, if the network wants 928 00:38:47,920 --> 00:38:49,329 to reach you, it sends a paging 929 00:38:49,330 --> 00:38:50,769 request to your phone. 930 00:38:50,770 --> 00:38:53,469 And for that, it uses a temporary 931 00:38:53,470 --> 00:38:55,659 mobile subscriber identifier that has 932 00:38:55,660 --> 00:38:57,859 been introduced. 933 00:38:57,860 --> 00:39:00,069 OK, that 934 00:39:00,070 --> 00:39:01,839 identifier has to be transferred 935 00:39:01,840 --> 00:39:04,029 unencrypted, and the 936 00:39:04,030 --> 00:39:06,009 temporary identifier has been introduced 937 00:39:06,010 --> 00:39:08,229 so that you cannot find out who 938 00:39:08,230 --> 00:39:09,999 is currently making a call. 939 00:39:10,000 --> 00:39:12,009 So you're not being 940 00:39:12,010 --> 00:39:14,859 paged by your phone number or by your 941 00:39:14,860 --> 00:39:15,789 IMSI. 942 00:39:15,790 --> 00:39:17,499 It's a temporary identifier. 943 00:39:17,500 --> 00:39:19,539 It should not be possible 944 00:39:19,540 --> 00:39:22,119 to de-anonymize 945 00:39:22,120 --> 00:39:24,279 it. But as it turns out, if 946 00:39:24,280 --> 00:39:26,650 the attacker just captures 947 00:39:28,420 --> 00:39:30,669 all the paging requests all the 948 00:39:30,670 --> 00:39:32,929 time, as is possible, for example, with 949 00:39:32,930 --> 00:39:35,059 OsmocomBB or something like that, um, 950 00:39:36,490 --> 00:39:37,490 he can then
951 00:39:39,510 --> 00:39:41,579 simply ask the mobile switching center 952 00:39:41,580 --> 00:39:44,069 for, um, give me the 953 00:39:44,070 --> 00:39:45,899 IMSI of that subscriber, and then you 954 00:39:45,900 --> 00:39:47,639 can do an update location request and 955 00:39:47,640 --> 00:39:50,039 find out the MSISDN, 956 00:39:50,040 --> 00:39:50,999 the phone number. 957 00:39:51,000 --> 00:39:53,249 So if you do that, I don't know, 958 00:39:53,250 --> 00:39:55,349 in Berlin at the seat of 959 00:39:55,350 --> 00:39:57,539 the government, I don't know how long 960 00:39:57,540 --> 00:40:00,869 it takes until you get Angela Merkel's 961 00:40:00,870 --> 00:40:01,870 phone number. 962 00:40:03,420 --> 00:40:04,919 OK, [inaudible]. 963 00:40:04,920 --> 00:40:06,839 Karsten's going to talk about that in a 964 00:40:06,840 --> 00:40:08,069 minute, I'm sure. 965 00:40:08,070 --> 00:40:10,409 Um, LTE. 966 00:40:10,410 --> 00:40:12,839 So, um, the SS7 967 00:40:12,840 --> 00:40:15,089 network is used by GSM and, 968 00:40:15,090 --> 00:40:16,559 uh, UMTS. 969 00:40:16,560 --> 00:40:18,659 Um, LTE is using a 970 00:40:18,660 --> 00:40:20,309 different protocol, uh, the Diameter 971 00:40:20,310 --> 00:40:22,529 protocol for the network, 972 00:40:22,530 --> 00:40:23,849 um. 973 00:40:25,600 --> 00:40:27,760 Meaning SS7 is becoming a legacy protocol. 974 00:40:29,020 --> 00:40:30,159 But a lot of the 975 00:40:31,180 --> 00:40:33,579 SS7 design flaws have simply been ported 976 00:40:33,580 --> 00:40:35,169 to Diameter. 977 00:40:35,170 --> 00:40:36,669 So, for example, there is still no end- 978 00:40:36,670 --> 00:40:38,409 to-end authentication for subscribers. 979 00:40:39,960 --> 00:40:41,730 And also, GSM and UMTS 980 00:40:43,050 --> 00:40:44,819 will still be around for a long time to 981 00:40:44,820 --> 00:40:45,759 come.
982 00:40:45,760 --> 00:40:47,849 Um, people say about 20 983 00:40:47,850 --> 00:40:49,949 years SS7 will still be 984 00:40:49,950 --> 00:40:52,139 in use, and also 985 00:40:52,140 --> 00:40:54,269 there are interfaces from 986 00:40:54,270 --> 00:40:56,399 Diameter to SS7 to be able 987 00:40:56,400 --> 00:40:58,559 to make calls from LTE to 988 00:40:58,560 --> 00:41:00,300 GSM or the other way around. 989 00:41:03,790 --> 00:41:05,889 So, yeah, to sum it 990 00:41:05,890 --> 00:41:06,890 up. 991 00:41:08,630 --> 00:41:10,369 An attacker with only his victim's phone 992 00:41:10,370 --> 00:41:12,769 number can track his victim's movements, 993 00:41:12,770 --> 00:41:15,149 in some networks even with high 994 00:41:15,150 --> 00:41:16,150 precision; 995 00:41:17,300 --> 00:41:19,219 he can intercept his victim's calls and 996 00:41:19,220 --> 00:41:20,870 text messages and 997 00:41:22,430 --> 00:41:23,929 most likely also data connections. 998 00:41:23,930 --> 00:41:26,209 We didn't try that, though. He can 999 00:41:26,210 --> 00:41:28,189 reroute calls at the 1000 00:41:28,190 --> 00:41:30,349 victim's expense 1001 00:41:30,350 --> 00:41:31,350 and more. 1002 00:41:35,290 --> 00:41:36,340 So, um. 1003 00:41:38,520 --> 00:41:41,219 What can the operators do against it? 1004 00:41:41,220 --> 00:41:43,469 Network operators, so 1005 00:41:43,470 --> 00:41:45,539 as I said 1006 00:41:45,540 --> 00:41:47,699 in the beginning, you have to find out 1007 00:41:47,700 --> 00:41:49,769 the IMSI and the mobile switching 1008 00:41:49,770 --> 00:41:51,959 center to be able to manipulate 1009 00:41:51,960 --> 00:41:53,729 the mobile switching center. 1010 00:41:53,730 --> 00:41:55,889 And the 1011 00:41:55,890 --> 00:41:58,019 main reason for network operators to give 1012 00:41:58,020 --> 00:42:00,119 out that kind of information to 1013 00:42:00,120 --> 00:42:02,040 external networks is 1014 00:42:03,270 --> 00:42:04,649 for SMS routing.
1015 00:42:04,650 --> 00:42:07,379 So there has been a new, 1016 00:42:07,380 --> 00:42:09,689 well, yeah, a new way 1017 00:42:09,690 --> 00:42:11,669 around for quite some time now called 1018 00:42:11,670 --> 00:42:13,919 SMS Home Routing, where the 1019 00:42:13,920 --> 00:42:16,619 network operator uses an SMS router 1020 00:42:16,620 --> 00:42:19,079 in the subscriber's home network 1021 00:42:19,080 --> 00:42:20,699 so that it doesn't have to give out the 1022 00:42:20,700 --> 00:42:22,979 actual address, the global 1023 00:42:22,980 --> 00:42:26,189 title of the switching center, but just 1024 00:42:26,190 --> 00:42:27,749 the address of the SMS router. 1025 00:42:30,210 --> 00:42:32,519 So some of the German 1026 00:42:32,520 --> 00:42:34,079 networks, for example, already use 1027 00:42:34,080 --> 00:42:36,499 SMS home routing. So it 1028 00:42:36,500 --> 00:42:38,729 becomes a lot harder to figure 1029 00:42:38,730 --> 00:42:41,669 out that kind of information. Some 1030 00:42:41,670 --> 00:42:42,479 don't yet. 1031 00:42:42,480 --> 00:42:43,889 I hope they will soon. 1032 00:42:43,890 --> 00:42:44,890 Um. 1033 00:42:46,260 --> 00:42:48,630 And also another 1034 00:42:50,100 --> 00:42:52,349 source of that information is the send routing 1035 00:42:52,350 --> 00:42:54,619 information request for voice calls. 1036 00:42:54,620 --> 00:42:56,819 Um, but if the network operators 1037 00:42:56,820 --> 00:42:59,069 don't use optimal routing, they can 1038 00:42:59,070 --> 00:43:00,989 also simply disable it for external 1039 00:43:00,990 --> 00:43:03,059 networks, which some of the 1040 00:43:03,060 --> 00:43:04,829 German networks, again, already did. 1041 00:43:04,830 --> 00:43:06,140 Some didn't do it. 1042 00:43:08,120 --> 00:43:09,120 So.
1043 00:43:10,630 --> 00:43:12,689 Us, the subscribers, we cannot really do 1044 00:43:12,690 --> 00:43:15,389 anything because this works for, um, 1045 00:43:15,390 --> 00:43:16,390 uh, 1046 00:43:17,610 --> 00:43:20,189 works for all phones 1047 00:43:20,190 --> 00:43:21,539 which are connected to the network, no 1048 00:43:21,540 --> 00:43:23,579 matter whether smartphone or feature phone. 1049 00:43:24,690 --> 00:43:26,039 You can't do anything because it's 1050 00:43:26,040 --> 00:43:27,600 happening in the network. 1051 00:43:30,280 --> 00:43:32,349 OK, so now I have prepared 1052 00:43:32,350 --> 00:43:34,150 a small demo. 1053 00:43:40,640 --> 00:43:43,039 Let me just get that back to my screen 1054 00:43:43,040 --> 00:43:44,040 here. 1055 00:43:45,700 --> 00:43:47,229 OK, I hope it works and I hope you can 1056 00:43:47,230 --> 00:43:49,629 see something if you can switch to the. 1057 00:43:49,630 --> 00:43:50,630 Thank you. 1058 00:43:51,750 --> 00:43:53,080 Oh, it's OK. 1059 00:43:55,020 --> 00:43:56,020 That's. 1060 00:44:02,350 --> 00:44:03,350 So. 1061 00:44:14,470 --> 00:44:15,690 OK, so I'm, 1062 00:44:17,800 --> 00:44:20,019 um, so this is a 1063 00:44:20,020 --> 00:44:22,329 subscriber in a German network, and 1064 00:44:22,330 --> 00:44:24,969 I'm going to, 1065 00:44:24,970 --> 00:44:26,469 he wants to call his friend on this 1066 00:44:26,470 --> 00:44:27,470 phone. 1067 00:44:37,550 --> 00:44:40,459 So, as you can see, it works, 1068 00:44:40,460 --> 00:44:42,320 the other phone rings as expected, 1069 00:44:43,520 --> 00:44:44,520 so. 1070 00:44:51,690 --> 00:44:53,800 We had a phone call, it worked great. 1071 00:44:54,970 --> 00:44:55,989 That wasn't the demo. 1072 00:44:57,670 --> 00:44:58,670 Yeah, very funny. 1073 00:45:01,600 --> 00:45:02,600 And 1074 00:45:05,980 --> 00:45:07,779 yeah, I know everybody has the number 1075 00:45:07,780 --> 00:45:08,780 now. 1076 00:45:12,340 --> 00:45:13,340 OK.
1077 00:45:16,100 --> 00:45:18,509 Now, I do some SS7 magic, 1078 00:45:18,510 --> 00:45:20,569 so I sent an 1079 00:45:20,570 --> 00:45:21,889 insert subscriber data. 1080 00:45:24,220 --> 00:45:25,479 I try the same thing again. 1081 00:45:27,220 --> 00:45:28,540 I do have the same number. 1082 00:45:32,260 --> 00:45:33,760 And let me see if you can 1083 00:45:35,230 --> 00:45:38,299 get rid 1084 00:45:38,300 --> 00:45:40,389 of it or can you 1085 00:45:40,390 --> 00:45:41,390 share that? 1086 00:45:43,630 --> 00:45:45,789 The Kondrat, OK, 1087 00:45:45,790 --> 00:45:47,739 it says for the, for the diet, no 1088 00:45:48,880 --> 00:45:50,319 call barring has been activated. 1089 00:45:50,320 --> 00:45:52,869 So if you could 1090 00:45:52,870 --> 00:45:54,639 just stop for a second calling that 1091 00:45:54,640 --> 00:45:55,640 number, 1092 00:45:57,220 --> 00:45:58,569 the call simply doesn't go through 1093 00:45:58,570 --> 00:45:59,570 anymore. 1094 00:46:10,660 --> 00:46:12,939 So, um, 1095 00:46:14,200 --> 00:46:15,200 I can also 1096 00:46:16,820 --> 00:46:18,440 switch it back on again if I 1097 00:46:21,970 --> 00:46:22,970 if I dial again, 1098 00:46:24,970 --> 00:46:25,970 yes. 1099 00:46:28,910 --> 00:46:31,159 Yeah, as 1100 00:46:31,160 --> 00:46:32,899 you can see, it works, it works now, 1101 00:46:34,520 --> 00:46:36,890 so and another thing. 1102 00:46:39,470 --> 00:46:40,940 So the friend wants to call back, 1103 00:46:42,070 --> 00:46:43,070 wants to call back. 1104 00:46:45,270 --> 00:46:46,619 So he dials the number. 1105 00:46:52,620 --> 00:46:53,939 Guys, stop calling for a second. 1106 00:47:08,510 --> 00:47:10,369 So he's calling footrest. 1107 00:47:14,120 --> 00:47:16,129 And the phone call forwarding is 1108 00:47:16,130 --> 00:47:17,599 still activated. OK, so the 1109 00:47:19,820 --> 00:47:21,559 call arrives on that phone. 1110 00:47:30,630 --> 00:47:31,630 OK.
1111 00:47:35,230 --> 00:47:37,389 I will switch it off, OK, so and 1112 00:47:37,390 --> 00:47:38,390 I do the call again. 1113 00:47:44,210 --> 00:47:46,099 Oh, really? 1114 00:47:57,470 --> 00:47:58,470 OK, so 1115 00:47:59,930 --> 00:48:02,510 the phone rings nicotrol. 1116 00:48:07,140 --> 00:48:08,140 And. 1117 00:48:11,320 --> 00:48:14,259 I will I will show you again, because 1118 00:48:14,260 --> 00:48:16,569 that was, of course, no the the 1119 00:48:16,570 --> 00:48:18,129 wrong way around. 1120 00:48:18,130 --> 00:48:19,130 I will show you. 1121 00:48:22,700 --> 00:48:23,700 Can you read that? 1122 00:48:25,410 --> 00:48:26,410 And. 1123 00:48:27,770 --> 00:48:29,900 OK, so there's no call forwarding. 1124 00:48:36,340 --> 00:48:38,559 Activated, so if I activate it now 1125 00:48:43,090 --> 00:48:45,219 and to the same 1126 00:48:45,220 --> 00:48:46,299 request again. 1127 00:48:52,280 --> 00:48:54,199 OK, now you can see the number four call 1128 00:48:54,200 --> 00:48:55,609 forwarding that has been activated. 1129 00:49:06,990 --> 00:49:07,990 OK. 1130 00:49:11,860 --> 00:49:13,270 Yeah, that's it for the demo. 1131 00:49:14,440 --> 00:49:15,729 That's it for me. 1132 00:49:15,730 --> 00:49:16,730 Thank you very much. 1133 00:49:31,000 --> 00:49:33,189 Everyone, if you have any questions, 1134 00:49:33,190 --> 00:49:35,979 please do line up at the microphones. 1135 00:49:35,980 --> 00:49:38,319 If you're planning to leave, 1136 00:49:38,320 --> 00:49:39,249 please do so. 1137 00:49:39,250 --> 00:49:41,529 Now, get up quietly and leave 1138 00:49:41,530 --> 00:49:43,809 the room to make room for people 1139 00:49:43,810 --> 00:49:45,099 who want to enjoy the next talk. 1140 00:49:46,810 --> 00:49:48,999 Right now, you're only allowed to leave. 1141 00:49:49,000 --> 00:49:51,129 So please do this now quickly 1142 00:49:51,130 --> 00:49:52,479 and quietly. 
1143 00:49:52,480 --> 00:49:54,759 So we have a question from microphone 1144 00:49:54,760 --> 00:49:55,760 number two. 1145 00:49:57,220 --> 00:49:59,259 Thank you for the talk. 1146 00:49:59,260 --> 00:50:01,269 In the beginning, you said that 1147 00:50:01,270 --> 00:50:04,369 government agencies will be using 1148 00:50:04,370 --> 00:50:05,440 SS7 1149 00:50:06,610 --> 00:50:08,949 for so-called lawful 1150 00:50:08,950 --> 00:50:09,950 interception. 1151 00:50:12,340 --> 00:50:14,649 And you said you wouldn't trust 1152 00:50:14,650 --> 00:50:17,259 the governments of some countries. 1153 00:50:17,260 --> 00:50:18,379 Just for completeness, 1154 00:50:18,380 --> 00:50:19,929 could you name the country, a country 1155 00:50:19,930 --> 00:50:20,930 you would trust? 1156 00:50:22,570 --> 00:50:24,250 I'm afraid I can't. 1157 00:50:25,540 --> 00:50:26,540 Thank you. 1158 00:50:28,820 --> 00:50:31,249 If you're leaving, please do so quietly 1159 00:50:31,250 --> 00:50:33,169 so we can still record the questions and 1160 00:50:33,170 --> 00:50:34,579 answers. Thank you. 1161 00:50:34,580 --> 00:50:36,210 Microphone number one, please. 1162 00:50:37,670 --> 00:50:40,009 How did you gain access 1163 00:50:40,010 --> 00:50:42,229 to this SS7? 1164 00:50:44,840 --> 00:50:47,459 I guess I'd rather not say. 1165 00:50:47,460 --> 00:50:49,549 OK, well, no, it's actually so 1166 00:50:49,550 --> 00:50:51,829 it's a yeah, 1167 00:50:51,830 --> 00:50:53,899 it's an access 1168 00:50:53,900 --> 00:50:56,359 that has been brought to us for 1169 00:50:56,360 --> 00:50:58,759 the purpose of security 1170 00:50:58,760 --> 00:50:59,760 research. 1171 00:51:02,950 --> 00:51:04,630 Microphone number four, please. 1172 00:51:06,040 --> 00:51:08,529 Hello, thank you for the talk. 1173 00:51:08,530 --> 00:51:11,409 My question goes into the 1174 00:51:11,410 --> 00:51:13,249 finding out of the location.
1175 00:51:13,250 --> 00:51:15,579 I mean, the cell location probably is 1176 00:51:15,580 --> 00:51:18,639 at no cost to the operator to 1177 00:51:18,640 --> 00:51:20,259 give that information out. 1178 00:51:20,260 --> 00:51:23,379 But about the triangulation. 1179 00:51:23,380 --> 00:51:24,579 Is there a cost? 1180 00:51:24,580 --> 00:51:26,829 Can this be done at scale for 1181 00:51:26,830 --> 00:51:28,960 lots of subscribers or. 1182 00:51:30,970 --> 00:51:33,399 I don't really know how many 1183 00:51:33,400 --> 00:51:34,709 are you thinking, but. 1184 00:51:34,710 --> 00:51:37,539 Well, of course, it's 1185 00:51:37,540 --> 00:51:39,819 so it's been implemented for 1186 00:51:39,820 --> 00:51:40,899 emergency services. 1187 00:51:40,900 --> 00:51:42,969 So I guess there's always a lot 1188 00:51:42,970 --> 00:51:45,249 of emergency calls coming in. 1189 00:51:45,250 --> 00:51:47,349 And I think it can be 1190 00:51:47,350 --> 00:51:49,569 done for a lot of customers. 1191 00:51:49,570 --> 00:51:50,919 I don't know what would happen if you do 1192 00:51:50,920 --> 00:51:53,049 it, if 1193 00:51:53,050 --> 00:51:54,789 all the subscribers, if you would do it 1194 00:51:54,790 --> 00:51:55,779 for all the subscribers. 1195 00:51:55,780 --> 00:51:57,459 But I think it can be done for a lot of 1196 00:51:57,460 --> 00:51:58,460 subscribers. 1197 00:51:59,470 --> 00:52:01,479 We also have a few questions from our 1198 00:52:01,480 --> 00:52:03,969 Signal Angel relaying questions from IRC. 1199 00:52:03,970 --> 00:52:06,519 Signal Angel, please. 1200 00:52:06,520 --> 00:52:08,619 OK, so the first question 1201 00:52:08,620 --> 00:52:10,809 is how much would the 1202 00:52:10,810 --> 00:52:13,239 whole setup cost to track somebody's 1203 00:52:13,240 --> 00:52:14,240 phone?
1204 00:52:15,320 --> 00:52:16,320 Um, 1205 00:52:17,800 --> 00:52:19,989 well, I would say a few hundred 1206 00:52:19,990 --> 00:52:22,059 euros for the SS7 access if 1207 00:52:22,060 --> 00:52:24,429 you buy it and 1208 00:52:24,430 --> 00:52:26,619 then you need somebody to 1209 00:52:26,620 --> 00:52:28,030 code the software or 1210 00:52:29,370 --> 00:52:31,329 you write it yourself and if you write 1211 00:52:31,330 --> 00:52:33,489 the software yourself and 1212 00:52:33,490 --> 00:52:35,769 somehow, I don't know, find somebody 1213 00:52:35,770 --> 00:52:38,349 who hacked SS7 access 1214 00:52:38,350 --> 00:52:40,299 via a femtocell or something like 1215 00:52:40,300 --> 00:52:41,909 that, it wouldn't even cost a thing. 1216 00:52:44,080 --> 00:52:46,299 Another question from our signal angel, 1217 00:52:46,300 --> 00:52:46,989 please. 1218 00:52:46,990 --> 00:52:49,569 OK, that's a question. 1219 00:52:49,570 --> 00:52:51,999 If you require direct SS7 access, 1220 00:52:52,000 --> 00:52:54,099 would it be like enough to 1221 00:52:54,100 --> 00:52:56,439 have like a hacked baseband mobile 1222 00:52:56,440 --> 00:52:58,959 device, something, you know, so 1223 00:52:58,960 --> 00:53:01,269 SS7 is really only used 1224 00:53:01,270 --> 00:53:03,549 in the core network, so 1225 00:53:03,550 --> 00:53:05,649 meaning the phones don't have anything 1226 00:53:05,650 --> 00:53:08,049 to do with SS7, so 1227 00:53:08,050 --> 00:53:10,119 the phones use the radio network and 1228 00:53:10,120 --> 00:53:11,709 that isn't SS7. 1229 00:53:11,710 --> 00:53:13,089 It's only used in the core network, 1230 00:53:13,090 --> 00:53:15,999 meaning the switching centers, 1231 00:53:16,000 --> 00:53:17,349 SMSC, 1232 00:53:17,350 --> 00:53:19,449 GMSC and so on, they use 1233 00:53:19,450 --> 00:53:21,849 SS7. Microphone 1234 00:53:21,850 --> 00:53:22,879 number two, please. 1235 00:53:22,880 --> 00:53:23,919 Thank you.
1236 00:53:23,920 --> 00:53:26,109 So I have another question regarding 1237 00:53:26,110 --> 00:53:28,269 USSD. You were saying 1238 00:53:28,270 --> 00:53:30,969 it's completely possible to spoof 1239 00:53:30,970 --> 00:53:32,979 USSD messages as they are always 1240 00:53:32,980 --> 00:53:35,019 targeted directly towards the. 1241 00:53:35,020 --> 00:53:36,880 Ah, so 1242 00:53:38,350 --> 00:53:40,839 from what I dimly remember about that, 1243 00:53:40,840 --> 00:53:43,570 there are two different 1244 00:53:44,920 --> 00:53:47,039 fields that actually carry the 1245 00:53:47,040 --> 00:53:50,169 the request issue. 1246 00:53:50,170 --> 00:53:52,659 Can you spoof the entire message? 1247 00:53:52,660 --> 00:53:55,099 Like, can you spoof all fields? 1248 00:53:55,100 --> 00:53:57,159 Um, I'm not really 1249 00:53:57,160 --> 00:53:58,210 sure, but 1250 00:53:59,380 --> 00:54:01,809 uh, you don't need an answer back. 1251 00:54:01,810 --> 00:54:03,789 You can spoof anything you like. 1252 00:54:03,790 --> 00:54:05,949 So that's also a thing for 1253 00:54:05,950 --> 00:54:07,959 all the messages 1254 00:54:07,960 --> 00:54:09,999 where you modify something, where you just 1255 00:54:10,000 --> 00:54:11,469 don't want data back. 1256 00:54:11,470 --> 00:54:13,569 You can put in any sender you 1257 00:54:13,570 --> 00:54:15,639 like because you don't need the 1258 00:54:15,640 --> 00:54:17,859 answer back. And the new data 1259 00:54:17,860 --> 00:54:19,359 gets activated or the request gets 1260 00:54:19,360 --> 00:54:21,479 executed as soon as 1261 00:54:21,480 --> 00:54:24,209 it arrives at its destination. 1262 00:54:24,210 --> 00:54:26,319 I'm not asking because of 1263 00:54:26,320 --> 00:54:27,399 protocol compliance.
1264 00:54:27,400 --> 00:54:29,379 I'm asking because of verification, 1265 00:54:29,380 --> 00:54:31,569 because from what I know, USSD is 1266 00:54:31,570 --> 00:54:34,359 not only used for, like, 1267 00:54:34,360 --> 00:54:36,759 you know, your own, uh, 1268 00:54:36,760 --> 00:54:38,889 subscriber account 1269 00:54:38,890 --> 00:54:41,049 or credit level, but 1270 00:54:41,050 --> 00:54:43,059 it's also used for payment solutions. 1271 00:54:43,060 --> 00:54:45,309 And I really see a massive 1272 00:54:45,310 --> 00:54:46,779 problem if you could spoof the entire 1273 00:54:46,780 --> 00:54:47,780 message. 1274 00:54:48,340 --> 00:54:50,019 Um, yeah. 1275 00:54:50,020 --> 00:54:51,339 Yeah, yeah. 1276 00:54:51,340 --> 00:54:53,409 OK, thanks 1277 00:54:53,410 --> 00:54:54,099 for that. 1278 00:54:54,100 --> 00:54:55,599 It's really done over USSD. 1279 00:54:55,600 --> 00:54:57,069 Yeah, I think so, yeah. 1280 00:54:57,070 --> 00:54:59,199 Microphone number one, please. 1281 00:54:59,200 --> 00:55:01,389 Uh, I have two questions. The first 1282 00:55:01,390 --> 00:55:03,549 one was, uh, when 1283 00:55:03,550 --> 00:55:06,159 you did location through SS7 1284 00:55:07,690 --> 00:55:09,819 for The Washington 1285 00:55:09,820 --> 00:55:12,459 Post, was it done, uh, 1286 00:55:12,460 --> 00:55:14,769 from an access that you paid, 1287 00:55:14,770 --> 00:55:16,899 like an access to websites that you paid 1288 00:55:16,900 --> 00:55:19,089 for, or did you do it on your own access? 1289 00:55:19,090 --> 00:55:21,399 And if it was your own access, was it 1290 00:55:21,400 --> 00:55:22,569 addressed, 1291 00:55:22,570 --> 00:55:25,089 I mean, trusted, 1292 00:55:25,090 --> 00:55:27,699 contained in the, uh, GSMA 1293 00:55:27,700 --> 00:55:29,889 uh, IR.21 1294 00:55:29,890 --> 00:55:32,169 list, or was it not 1295 00:55:32,170 --> 00:55:33,339 in IR.21?
1296 00:55:33,340 --> 00:55:36,139 OK, so it was your own 1297 00:55:36,140 --> 00:55:38,499 that you control, but it was not in 1298 00:55:38,500 --> 00:55:40,929 the GSMA IR.21 1299 00:55:40,930 --> 00:55:42,039 list. 1300 00:55:42,040 --> 00:55:44,109 Exactly. So IR.21, 1301 00:55:44,110 --> 00:55:45,960 by the way, is a 1302 00:55:47,890 --> 00:55:50,529 set of documents by the GSMA, 1303 00:55:50,530 --> 00:55:53,199 um, the GSM Association, 1304 00:55:53,200 --> 00:55:55,269 um, that, um, 1305 00:55:55,270 --> 00:55:57,399 every operator puts this document 1306 00:55:57,400 --> 00:55:59,799 there that lists all 1307 00:55:59,800 --> 00:56:01,589 his global titles, all the 1308 00:56:01,590 --> 00:56:03,759 addresses for traffic, where 1309 00:56:03,760 --> 00:56:05,939 the HLRs are and so on and so on, 1310 00:56:05,940 --> 00:56:08,249 and so usually you would say 1311 00:56:08,250 --> 00:56:10,560 or would think that if a 1312 00:56:11,720 --> 00:56:13,859 if a global title or a sender address is 1313 00:56:13,860 --> 00:56:15,599 not listed in the IR.21, then you 1314 00:56:15,600 --> 00:56:17,549 could simply discard it if you receive 1315 00:56:17,550 --> 00:56:19,229 messages from it. 1316 00:56:19,230 --> 00:56:21,419 But in practice, that's not 1317 00:56:21,420 --> 00:56:23,339 the case for most. 1318 00:56:23,340 --> 00:56:25,439 Most of the time, requests 1319 00:56:25,440 --> 00:56:26,819 get also routed and answered 1320 00:56:26,820 --> 00:56:28,919 if your address is not in 1321 00:56:28,920 --> 00:56:31,079 the IR.21 document. 1322 00:56:31,080 --> 00:56:32,399 Thanks. 1323 00:56:32,400 --> 00:56:34,439 Microphone number four, please. 1324 00:56:34,440 --> 00:56:36,929 Right. I thank you for your talk.
1325 00:56:36,930 --> 00:56:39,479 And I would be interested 1326 00:56:39,480 --> 00:56:41,459 whether you looked also into the modified 1327 00:56:41,460 --> 00:56:44,069 versions for 1328 00:56:44,070 --> 00:56:46,139 emergency calls when I don't have 1329 00:56:46,140 --> 00:56:47,339 an IMSI, 1330 00:56:47,340 --> 00:56:49,229 like a SIM, in my phone or for the 1331 00:56:49,230 --> 00:56:51,719 upcoming eCall, which is used in cars. 1332 00:56:53,100 --> 00:56:55,619 Does that have some implications 1333 00:56:55,620 --> 00:56:56,969 to that as well? 1334 00:56:56,970 --> 00:56:59,519 Is there a trick or something? 1335 00:56:59,520 --> 00:57:00,549 I didn't look into that. 1336 00:57:00,550 --> 00:57:01,529 I don't know. 1337 00:57:01,530 --> 00:57:02,879 OK, thanks. 1338 00:57:02,880 --> 00:57:04,949 Another question from our Signal Angel 1339 00:57:04,950 --> 00:57:05,909 on IRC. 1340 00:57:05,910 --> 00:57:07,289 Yeah, actually for quite a bit. 1341 00:57:07,290 --> 00:57:09,209 A few questions, so I don't know. 1342 00:57:09,210 --> 00:57:11,399 But one question is if there are 1343 00:57:11,400 --> 00:57:13,949 any numbers about which countries 1344 00:57:13,950 --> 00:57:15,929 are like doing the most tracking, 1345 00:57:18,300 --> 00:57:19,829 which countries do the most 1346 00:57:19,830 --> 00:57:21,959 tracking. Yeah, that's a question, 1347 00:57:21,960 --> 00:57:23,279 if you have any numbers about that. 1348 00:57:23,280 --> 00:57:24,479 No, I don't. 1349 00:57:24,480 --> 00:57:26,339 I also would be very interested in those 1350 00:57:26,340 --> 00:57:28,139 numbers. If anybody has them, 1351 00:57:28,140 --> 00:57:29,229 I would be very interested. 1352 00:57:30,690 --> 00:57:32,039 Microphone number two, please. 1353 00:57:32,040 --> 00:57:33,629 Yeah, I have the question.
1354 00:57:33,630 --> 00:57:35,789 If I have a working base 1355 00:57:35,790 --> 00:57:38,009 transceiver station which 1356 00:57:38,010 --> 00:57:40,169 worked for a 1357 00:57:40,170 --> 00:57:42,309 GSM network, is the 1358 00:57:42,310 --> 00:57:44,519 SS7 access information 1359 00:57:44,520 --> 00:57:46,799 in this base transceiver station? 1360 00:57:46,800 --> 00:57:49,049 No, no. So that's in the base 1361 00:57:49,050 --> 00:57:50,879 station subsystem. And that's not 1362 00:57:50,880 --> 00:57:53,099 SS7. SS7 will only 1363 00:57:53,100 --> 00:57:55,799 be used from the 1364 00:57:55,800 --> 00:57:58,319 switching center on inward 1365 00:57:58,320 --> 00:57:59,679 to the core network. 1366 00:57:59,680 --> 00:58:01,229 OK, thank you. 1367 00:58:01,230 --> 00:58:03,119 Microphone number four, please. 1368 00:58:03,120 --> 00:58:05,279 Hello. Uh, did your summary 1369 00:58:05,280 --> 00:58:08,039 slide with, uh, TMSI 1370 00:58:08,040 --> 00:58:10,199 requesting also show that you 1371 00:58:10,200 --> 00:58:13,109 could decrypt the sniffed 1372 00:58:13,110 --> 00:58:15,090 message, the phone call? 1373 00:58:16,440 --> 00:58:18,599 Sorry, I didn't understand that. 1374 00:58:18,600 --> 00:58:20,789 Uh, one of your summary slides was 1375 00:58:20,790 --> 00:58:22,919 about how you could, uh, request 1376 00:58:22,920 --> 00:58:25,049 an IMSI after you present the 1377 00:58:25,050 --> 00:58:26,819 TMSI that you sniffed off the air. 1378 00:58:26,820 --> 00:58:29,099 Yeah. Yeah. Uh, did that also 1379 00:58:29,100 --> 00:58:31,679 say you could then, uh, decrypt 1380 00:58:31,680 --> 00:58:33,839 the whole phone call by 1381 00:58:33,840 --> 00:58:35,699 sniffing? Yeah, yeah, yeah, yeah.
1382 00:58:35,700 --> 00:58:37,649 But, uh, Karsten's going to talk about 1383 00:58:37,650 --> 00:58:39,479 that in a minute in the next talk, so 1384 00:58:39,480 --> 00:58:41,549 stay for the next talk and you will 1385 00:58:41,550 --> 00:58:43,289 learn more about that. 1386 00:58:43,290 --> 00:58:44,939 OK, we have time for two more questions. 1387 00:58:44,940 --> 00:58:47,159 Microphone number five, please. 1388 00:58:47,160 --> 00:58:49,539 Hi. Uh, thank you for your talk. 1389 00:58:49,540 --> 00:58:51,209 Uh, I don't know if you have any virtual 1390 00:58:51,210 --> 00:58:53,819 operators in Germany, but 1391 00:58:53,820 --> 00:58:55,589 do they have access to SS7? 1392 00:58:55,590 --> 00:58:56,590 And if so, 1393 00:58:57,720 --> 00:58:59,849 does the blocking that you mentioned 1394 00:58:59,850 --> 00:59:01,650 in your talk also apply to them? 1395 00:59:02,820 --> 00:59:04,079 Sorry, again, please. 1396 00:59:05,100 --> 00:59:06,699 Uh, virtual operators. 1397 00:59:06,700 --> 00:59:07,769 Yeah, OK. 1398 00:59:07,770 --> 00:59:09,179 Do they have access to SS7? 1399 00:59:09,180 --> 00:59:09,569 Yes. 1400 00:59:09,570 --> 00:59:11,729 Uh, well, if they are 1401 00:59:11,730 --> 00:59:13,799 real, uh, MVNOs, then 1402 00:59:13,800 --> 00:59:15,659 they do have access to SS7. Even if 1403 00:59:15,660 --> 00:59:17,879 they are just resellers, then they're 1404 00:59:17,880 --> 00:59:20,129 not. But, um, for example, 1405 00:59:20,130 --> 00:59:22,859 I think one of the very few, uh, 1406 00:59:22,860 --> 00:59:25,139 MVNOs in Germany is, uh, sipgate, 1407 00:59:25,140 --> 00:59:27,659 and they, for example, 1408 00:59:27,660 --> 00:59:29,189 operate their own 1409 00:59:29,190 --> 00:59:30,190 HLR. 1410 00:59:31,790 --> 00:59:33,290 Microphone number six, please.
1411 00:59:34,430 --> 00:59:36,949 Do you see this as a possible 1412 00:59:36,950 --> 00:59:39,289 vector to trigger a phone to update 1413 00:59:39,290 --> 00:59:40,340 the baseband firmware? 1414 00:59:41,810 --> 00:59:43,939 Well, as you saw 1415 00:59:43,940 --> 00:59:46,339 in the beginning, you cannot only request 1416 00:59:46,340 --> 00:59:47,389 the IMSI. 1417 00:59:47,390 --> 00:59:49,789 You can also request the IMEI 1418 00:59:49,790 --> 00:59:52,219 of the phone, so the serial number, so 1419 00:59:52,220 --> 00:59:54,619 you can also figure out 1420 00:59:54,620 --> 00:59:56,629 what type of phone somebody is using, if 1421 00:59:56,630 --> 00:59:59,089 it's an iPhone or a 1422 00:59:59,090 --> 01:00:00,199 Galaxy S something. 1423 01:00:00,200 --> 01:00:02,659 I don't know. So if you want to 1424 01:00:02,660 --> 01:00:05,029 remotely install 1425 01:00:05,030 --> 01:00:07,399 an exploit on the phone, 1426 01:00:07,400 --> 01:00:09,529 that's of course also easier 1427 01:00:09,530 --> 01:00:11,599 if you already know what type of phone 1428 01:00:11,600 --> 01:00:13,639 the person, your victim, is using. 1429 01:00:13,640 --> 01:00:15,799 But are you aware of any API 1430 01:00:15,800 --> 01:00:17,929 functions that 1431 01:00:17,930 --> 01:00:20,209 are maybe part of MAP or CAMEL 1432 01:00:20,210 --> 01:00:22,189 that can be used to directly instruct the 1433 01:00:22,190 --> 01:00:24,259 phone to pull firmware from 1434 01:00:24,260 --> 01:00:25,579 there or there? 1435 01:00:25,580 --> 01:00:28,009 Uh, no. I think that would happen 1436 01:00:28,010 --> 01:00:29,949 on a different layer. Not in 1437 01:00:29,950 --> 01:00:30,629 SS7. 1438 01:00:30,630 --> 01:00:31,630 Thank you. 1439 01:00:32,900 --> 01:00:33,919 OK, that's it. 1440 01:00:33,920 --> 01:00:35,389 If you have any further questions for 1441 01:00:35,390 --> 01:00:37,309 Tobias, please catch up with him after 1442 01:00:37,310 --> 01:00:38,310 the talk.
1443 01:00:39,050 --> 01:00:40,819 Please give a warm round of applause to 1444 01:00:40,820 --> 01:00:41,820 Tobias Engel.