0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/349 Thanks! 1 00:00:09,510 --> 00:00:11,489 Thank you. Welcome to our talk. 2 00:00:11,490 --> 00:00:13,829 So this is Alex on the elevator 3 00:00:13,830 --> 00:00:14,830 and I'm lonely. 4 00:00:15,960 --> 00:00:18,089 And, um, we are from, uh, 5 00:00:18,090 --> 00:00:20,519 Puan Security presenting about, 6 00:00:20,520 --> 00:00:22,649 uh, the mapping of S7. 7 00:00:22,650 --> 00:00:24,959 So I guess most 8 00:00:24,960 --> 00:00:27,029 of you have seen the talk from 9 00:00:27,030 --> 00:00:29,099 two years earlier and, 10 00:00:29,100 --> 00:00:31,949 uh, from, uh, several Couston. 11 00:00:31,950 --> 00:00:34,139 So this project 12 00:00:34,140 --> 00:00:36,239 is more going massive and, 13 00:00:36,240 --> 00:00:38,519 um, with the different vulnerabilities 14 00:00:38,520 --> 00:00:39,899 that were presented in the past, 15 00:00:39,900 --> 00:00:41,579 including the vulnerabilities presented 16 00:00:41,580 --> 00:00:44,159 today, uh, by Couston and obviously 17 00:00:44,160 --> 00:00:46,409 getting a view of these vulnerabilities 18 00:00:46,410 --> 00:00:48,929 worldwide on, um, 19 00:00:48,930 --> 00:00:51,089 on all the countries and how to make 20 00:00:51,090 --> 00:00:53,339 a map from this to see 21 00:00:53,340 --> 00:00:55,489 what's the exposure worldwide on this 22 00:00:55,490 --> 00:00:56,490 vulnerability. 23 00:00:57,510 --> 00:01:00,059 So this is, um, appearance, security, 24 00:01:00,060 --> 00:01:01,140 uh, research project. 
25 00:01:02,580 --> 00:01:03,580 Um, 26 00:01:05,580 --> 00:01:07,739 and so as you saw the 27 00:01:07,740 --> 00:01:10,259 talk maybe earlier, just to get a view, 28 00:01:10,260 --> 00:01:12,689 who knows how mobile operators 29 00:01:12,690 --> 00:01:14,279 worldwide are interconnected? 30 00:01:14,280 --> 00:01:16,440 Who has an idea? Please raise your hands. 31 00:01:18,330 --> 00:01:21,359 OK, not much, maybe five percent. 32 00:01:21,360 --> 00:01:23,429 OK, so basically 33 00:01:23,430 --> 00:01:25,139 these are two operators 34 00:01:26,460 --> 00:01:29,369 and, um, two mobile operators 35 00:01:29,370 --> 00:01:31,019 in the world. They are interconnected 36 00:01:31,020 --> 00:01:33,239 together by, um, 37 00:01:33,240 --> 00:01:35,519 providers called SICP providers. 38 00:01:35,520 --> 00:01:37,829 And that's how 39 00:01:37,830 --> 00:01:39,539 you are going to be able to make calls 40 00:01:39,540 --> 00:01:40,979 between countries. 41 00:01:40,980 --> 00:01:42,479 It's because they are interconnected. 42 00:01:43,800 --> 00:01:45,659 And so this was proposed for a long time 43 00:01:45,660 --> 00:01:47,729 to be a walled garden, um, 44 00:01:47,730 --> 00:01:49,889 because it's a closed network. 45 00:01:49,890 --> 00:01:51,749 So mobile operators are interconnected 46 00:01:51,750 --> 00:01:52,750 workflows network. 47 00:01:54,720 --> 00:01:56,789 But more and more, as we saw, uh, 48 00:01:56,790 --> 00:01:58,859 many times in previous presentation, it's 49 00:01:58,860 --> 00:02:01,229 not a walled garden anymore, um, 50 00:02:01,230 --> 00:02:03,629 because more and more operators, 51 00:02:03,630 --> 00:02:05,939 more and more third parties are connected 52 00:02:05,940 --> 00:02:07,769 to the ACP providers. 
53 00:02:07,770 --> 00:02:09,599 And also some parties are connected 54 00:02:09,600 --> 00:02:12,239 directly to, uh, to an operator, 55 00:02:12,240 --> 00:02:14,129 for example, governance for legal 56 00:02:14,130 --> 00:02:15,299 interception. 57 00:02:15,300 --> 00:02:17,549 Um, operators also 58 00:02:17,550 --> 00:02:19,109 also, uh, of course, connected to 59 00:02:19,110 --> 00:02:21,269 Internet, to Jarek's, 60 00:02:21,270 --> 00:02:24,059 uh, providers, uh, values, 61 00:02:24,060 --> 00:02:25,949 Internet services provided by other 62 00:02:25,950 --> 00:02:28,229 companies. And that is exposure on 63 00:02:28,230 --> 00:02:29,230 the network. 64 00:02:31,400 --> 00:02:34,249 So our 65 00:02:34,250 --> 00:02:36,739 goal here is to make a map 66 00:02:36,740 --> 00:02:39,379 of this world internal 67 00:02:39,380 --> 00:02:41,869 private network like you 68 00:02:41,870 --> 00:02:44,059 have had and, uh, mapping 69 00:02:44,060 --> 00:02:46,069 on Internet here, it's a mapping on the 70 00:02:46,070 --> 00:02:47,070 Seven Network. 71 00:02:48,200 --> 00:02:50,869 So in order to do that, um, 72 00:02:50,870 --> 00:02:53,329 we perform the, um, 73 00:02:53,330 --> 00:02:55,429 we we created partnership with 74 00:02:55,430 --> 00:02:56,430 the operators 75 00:02:57,560 --> 00:03:00,019 in order for them to to help us making 76 00:03:00,020 --> 00:03:02,209 this. So we do it by, 77 00:03:02,210 --> 00:03:04,669 uh, having a 78 00:03:04,670 --> 00:03:06,769 scan inside the network of, 79 00:03:06,770 --> 00:03:09,799 uh, one partner operator. 80 00:03:09,800 --> 00:03:12,019 And then we send 81 00:03:12,020 --> 00:03:14,089 call flows towards other, uh, 82 00:03:14,090 --> 00:03:16,549 operators, and we do that from multiple 83 00:03:16,550 --> 00:03:18,769 operators. And so we get a 84 00:03:18,770 --> 00:03:21,739 view, um, of the network. 
85 00:03:21,740 --> 00:03:23,839 What's important to to understand here is 86 00:03:23,840 --> 00:03:25,909 that our, um, s7 87 00:03:25,910 --> 00:03:27,259 map, uh, scan program 88 00:03:28,370 --> 00:03:30,529 is inside the range of the operator, 89 00:03:30,530 --> 00:03:32,299 but is not considered as trusted. 90 00:03:32,300 --> 00:03:35,059 It's not in the roaming agreements lists. 91 00:03:35,060 --> 00:03:37,189 So basically it should not get 92 00:03:37,190 --> 00:03:39,050 answers because it's not a trusted node. 93 00:03:44,420 --> 00:03:46,549 So what we wanted to show, 94 00:03:46,550 --> 00:03:48,829 it's since 95 00:03:48,830 --> 00:03:50,719 the attacks, face of operators are 96 00:03:50,720 --> 00:03:53,179 increasing a lot, a lot of third parties 97 00:03:53,180 --> 00:03:55,549 are interconnected on the operators. 98 00:03:55,550 --> 00:03:58,039 We saw that the time to compromise 99 00:03:58,040 --> 00:04:00,859 for an operator during our mission, it's 100 00:04:00,860 --> 00:04:03,019 like we saw less than when our attempt 101 00:04:03,020 --> 00:04:05,209 to compromise on from Internet 102 00:04:05,210 --> 00:04:07,459 to the IP goal, which is the IP called 103 00:04:07,460 --> 00:04:09,139 supporting the old telecom network. 104 00:04:09,140 --> 00:04:11,119 So if you compromise things like it, 105 00:04:11,120 --> 00:04:13,339 because the Peace Corps, in less than one 106 00:04:13,340 --> 00:04:14,959 hour, you could get to the core network 107 00:04:14,960 --> 00:04:17,239 directly right after. 108 00:04:17,240 --> 00:04:19,319 So the goal is three to 109 00:04:19,320 --> 00:04:20,360 two to show you that 110 00:04:21,500 --> 00:04:22,969 compromising is a seven network. 
111 00:04:22,970 --> 00:04:25,099 Even if you don't have access and if 112 00:04:25,100 --> 00:04:27,649 you don't have a collaboration with an 113 00:04:27,650 --> 00:04:28,650 operator 114 00:04:30,230 --> 00:04:32,389 to get seven access 115 00:04:32,390 --> 00:04:34,489 for attackers, it's not 116 00:04:34,490 --> 00:04:36,649 so hard to get one maliciously. 117 00:04:38,820 --> 00:04:41,029 So we built a compromise chain 118 00:04:41,030 --> 00:04:44,039 to show you first how 119 00:04:44,040 --> 00:04:46,549 attackers could use existing assessments, 120 00:04:46,550 --> 00:04:48,720 attacks on existing network elements. 121 00:04:50,650 --> 00:04:53,109 To to be able to send messages 122 00:04:53,110 --> 00:04:55,839 and this could come from Intel, 123 00:04:55,840 --> 00:04:58,209 from William compromise 124 00:04:58,210 --> 00:05:00,639 from a government 125 00:05:00,640 --> 00:05:01,810 that can use also 126 00:05:02,830 --> 00:05:05,739 is interconnected with network elements 127 00:05:05,740 --> 00:05:06,740 for energy purposes. 128 00:05:07,870 --> 00:05:10,119 And as Laura 129 00:05:10,120 --> 00:05:13,089 said, operators, 130 00:05:13,090 --> 00:05:15,069 when they want to interconnect with each 131 00:05:15,070 --> 00:05:17,199 other, are roaming 132 00:05:17,200 --> 00:05:18,819 roaming agreements on this roaming 133 00:05:18,820 --> 00:05:20,919 agreements that define 134 00:05:20,920 --> 00:05:23,529 the define every network elements 135 00:05:23,530 --> 00:05:25,389 that they want to be in this room. 136 00:05:25,390 --> 00:05:26,390 In agreement with 137 00:05:27,460 --> 00:05:29,919 Jessamy, regs are 21 138 00:05:29,920 --> 00:05:32,079 files which contain 139 00:05:32,080 --> 00:05:34,419 all the network elements, 140 00:05:34,420 --> 00:05:36,729 global title, which is IP of 141 00:05:36,730 --> 00:05:37,749 network elements. 
142 00:05:37,750 --> 00:05:39,219 So it will be a phone number of 143 00:05:39,220 --> 00:05:41,379 international phone number 144 00:05:41,380 --> 00:05:42,909 that you will be able to on. 145 00:05:42,910 --> 00:05:45,219 You will be able to access through this 146 00:05:45,220 --> 00:05:46,419 global data. 147 00:05:46,420 --> 00:05:48,369 But what is really interesting is this 148 00:05:48,370 --> 00:05:50,379 file. We get it from the Internet, so 149 00:05:50,380 --> 00:05:51,939 this should be completely private. 150 00:05:51,940 --> 00:05:54,439 But on the Internet you can find 151 00:05:54,440 --> 00:05:57,219 are 21 files 152 00:05:57,220 --> 00:05:58,149 publicly available. 153 00:05:58,150 --> 00:06:00,759 So you will find internal gytis 154 00:06:00,760 --> 00:06:02,619 of operators directly accessible from the 155 00:06:02,620 --> 00:06:04,689 Internet. So this is one of 156 00:06:05,710 --> 00:06:06,759 our sources. 157 00:06:06,760 --> 00:06:08,979 And you see also vendors uses 158 00:06:08,980 --> 00:06:10,989 a network, Clokey network location, 159 00:06:10,990 --> 00:06:13,329 networking equipment, location directly. 160 00:06:13,330 --> 00:06:15,399 So it is already useful for 161 00:06:15,400 --> 00:06:17,499 us. But you see also 162 00:06:18,760 --> 00:06:20,889 Asgeirsson, which is on the 163 00:06:20,890 --> 00:06:23,409 packet part of the network 164 00:06:23,410 --> 00:06:25,479 you see is a public ipis 165 00:06:25,480 --> 00:06:28,059 of the Asgeirsson. 166 00:06:28,060 --> 00:06:30,070 So it's not really public, it's 167 00:06:31,270 --> 00:06:33,429 in the ranges of public APIs, but there 168 00:06:33,430 --> 00:06:36,249 are private for Jarek's network. 
169 00:06:36,250 --> 00:06:38,469 And this means that you could take this 170 00:06:38,470 --> 00:06:40,869 IP and you could check on 171 00:06:40,870 --> 00:06:42,819 the Internet if they are not reachable, 172 00:06:42,820 --> 00:06:44,439 because normally they should not be 173 00:06:44,440 --> 00:06:46,719 reachable because it's inside a private 174 00:06:46,720 --> 00:06:48,119 network. 175 00:06:48,120 --> 00:06:50,259 But if it's something 176 00:06:50,260 --> 00:06:52,499 Michael figured you could access 177 00:06:52,500 --> 00:06:53,500 a. 178 00:06:53,840 --> 00:06:56,089 And on Sudan, you 179 00:06:56,090 --> 00:06:58,309 can find a lot of Gessen's. 180 00:06:59,550 --> 00:07:01,439 That should not be accessible on the 181 00:07:01,440 --> 00:07:03,779 Internet directly on 182 00:07:03,780 --> 00:07:06,449 this was only aquaria, Jason 183 00:07:06,450 --> 00:07:07,450 on Trudel. 184 00:07:09,140 --> 00:07:10,779 So now let's take a look on 185 00:07:11,810 --> 00:07:14,159 what we can do on what 186 00:07:14,160 --> 00:07:16,249 is inside an operator that 187 00:07:16,250 --> 00:07:17,209 we can do. 188 00:07:17,210 --> 00:07:19,639 So the first thing it's taking a look 189 00:07:19,640 --> 00:07:21,769 to how its address 190 00:07:21,770 --> 00:07:22,909 an operator. 191 00:07:22,910 --> 00:07:25,609 So how is the address and operator? 192 00:07:25,610 --> 00:07:27,769 Usually you will have it will define 193 00:07:27,770 --> 00:07:28,939 a prefix. 194 00:07:28,940 --> 00:07:29,959 So, for example, 195 00:07:31,700 --> 00:07:33,799 on this operator, it will define 196 00:07:35,510 --> 00:07:37,599 like ranges 197 00:07:37,600 --> 00:07:40,619 range only for network elements. 
198 00:07:40,620 --> 00:07:42,499 It's always done because they wanted to 199 00:07:42,500 --> 00:07:44,749 have all the network elements into only 200 00:07:44,750 --> 00:07:45,750 one range, 201 00:07:46,820 --> 00:07:49,009 but maybe since they are 202 00:07:49,010 --> 00:07:50,659 adding more and more network elements 203 00:07:50,660 --> 00:07:52,579 that will add all the ranges. 204 00:07:52,580 --> 00:07:54,949 So it's 205 00:07:54,950 --> 00:07:57,109 in the ranges are 206 00:07:57,110 --> 00:07:59,179 so large that if we are not doing 207 00:07:59,180 --> 00:08:01,339 this smart approach 208 00:08:01,340 --> 00:08:03,769 of trying to understand how 209 00:08:03,770 --> 00:08:05,989 it is, build the addressing space 210 00:08:05,990 --> 00:08:07,879 of an operator, you will not be able to 211 00:08:07,880 --> 00:08:08,879 find this network. 212 00:08:08,880 --> 00:08:11,239 So just just to give a little 213 00:08:11,240 --> 00:08:13,249 view on this, the numbers here are global 214 00:08:13,250 --> 00:08:15,829 titles. That's how network elements 215 00:08:15,830 --> 00:08:18,199 on the seven are addressed. 216 00:08:18,200 --> 00:08:20,539 So, um, the address space is 217 00:08:20,540 --> 00:08:22,969 much larger than IPv4, for example. 218 00:08:22,970 --> 00:08:24,559 So you can just scan sequentially. 219 00:08:24,560 --> 00:08:26,929 You have to find tricks like on IPv6. 220 00:08:26,930 --> 00:08:28,999 So, um, basically that's why we are 221 00:08:29,000 --> 00:08:30,439 going to explain the different terrorist 222 00:08:30,440 --> 00:08:31,440 bases. 
223 00:08:34,890 --> 00:08:36,839 And when you take a look to network 224 00:08:36,840 --> 00:08:39,089 elements in this other space, 225 00:08:39,090 --> 00:08:41,219 you will have the HLR, which is the main 226 00:08:41,220 --> 00:08:43,349 database, Moundsville, are 227 00:08:43,350 --> 00:08:45,449 handling the 228 00:08:45,450 --> 00:08:48,029 switching where 229 00:08:48,030 --> 00:08:50,309 users attach I. 230 00:08:50,310 --> 00:08:52,859 N so intelligent network for postpaid 231 00:08:52,860 --> 00:08:54,210 prepaid options 232 00:08:55,530 --> 00:08:56,429 testbed. 233 00:08:56,430 --> 00:08:59,429 Again, the message and all of this 234 00:08:59,430 --> 00:09:01,589 network elements, usually 235 00:09:01,590 --> 00:09:03,599 they are well separated and they are 236 00:09:03,600 --> 00:09:06,389 packed. So if you find one, 237 00:09:06,390 --> 00:09:08,489 if you start to go incremental, you will 238 00:09:08,490 --> 00:09:09,759 find others. 239 00:09:09,760 --> 00:09:11,849 OK, but did you 240 00:09:11,850 --> 00:09:14,009 see any problem on this slide? 241 00:09:14,010 --> 00:09:16,289 I see one. I see a test bed 242 00:09:16,290 --> 00:09:18,629 which is directly on the on the 243 00:09:18,630 --> 00:09:20,729 projection ranges of the 244 00:09:20,730 --> 00:09:21,719 operator on this. 245 00:09:21,720 --> 00:09:24,089 It's often the case because they wanted 246 00:09:24,090 --> 00:09:26,309 to keep always all this network, 247 00:09:26,310 --> 00:09:28,139 the network elements inside the same 248 00:09:28,140 --> 00:09:29,429 Renji range. 249 00:09:29,430 --> 00:09:31,769 So that but also 250 00:09:31,770 --> 00:09:33,059 the test bed into the 251 00:09:35,400 --> 00:09:36,989 gitti live ranges. 252 00:09:36,990 --> 00:09:39,509 So but the test bed 253 00:09:39,510 --> 00:09:42,119 usually is accessible for testing it. 
254 00:09:42,120 --> 00:09:44,189 It's accessible for developing new 255 00:09:44,190 --> 00:09:46,319 features for new 256 00:09:46,320 --> 00:09:47,679 people inside the company. 257 00:09:47,680 --> 00:09:50,069 So it's way more accessible than 258 00:09:50,070 --> 00:09:51,539 the live network. 259 00:09:51,540 --> 00:09:53,879 So the thing is, if you are able 260 00:09:53,880 --> 00:09:56,759 to get into the test bed, you will be as 261 00:09:56,760 --> 00:09:58,859 the network able also to send 262 00:10:00,480 --> 00:10:01,949 S7 messages. 263 00:10:01,950 --> 00:10:04,139 So it's it could be one 264 00:10:04,140 --> 00:10:06,369 way so that it can 265 00:10:06,370 --> 00:10:07,709 get the entry point. 266 00:10:07,710 --> 00:10:09,389 And what's funny that sometimes that has 267 00:10:09,390 --> 00:10:10,949 been it's the the reverse. 268 00:10:10,950 --> 00:10:12,399 It's more secure than production. 269 00:10:12,400 --> 00:10:13,679 We've seen that also. 270 00:10:13,680 --> 00:10:14,909 So it's full of oddities. 271 00:10:14,910 --> 00:10:16,679 The the Seven Network, it's really 272 00:10:16,680 --> 00:10:18,899 strange and sometimes it's more secure 273 00:10:18,900 --> 00:10:20,999 because in production they take the 274 00:10:21,000 --> 00:10:23,219 test, but they validate and they then 275 00:10:23,220 --> 00:10:25,109 they needed to be more maintainable 276 00:10:25,110 --> 00:10:26,609 quickly because they wanted to work. 277 00:10:26,610 --> 00:10:28,559 So they removed some security features. 278 00:10:28,560 --> 00:10:30,089 So it's really valuable. 279 00:10:30,090 --> 00:10:31,830 It's special. 
280 00:10:35,710 --> 00:10:37,719 And if you take a look to the addressing 281 00:10:37,720 --> 00:10:39,669 evolution, so at the beginning of the 282 00:10:39,670 --> 00:10:42,459 networks, they are like small 283 00:10:42,460 --> 00:10:44,889 ranges, so small numbers 284 00:10:44,890 --> 00:10:47,289 and they increase the length 285 00:10:47,290 --> 00:10:49,779 of the digits. 286 00:10:49,780 --> 00:10:51,969 So every time they increase the length 287 00:10:51,970 --> 00:10:54,099 of the digit, sometimes 288 00:10:54,100 --> 00:10:56,259 you will find all network elements 289 00:10:56,260 --> 00:10:58,719 in smaller ranges, even if subscriber's 290 00:10:58,720 --> 00:11:00,580 have been merged into new ranges, 291 00:11:01,720 --> 00:11:03,819 the network and sometimes they are in 292 00:11:03,820 --> 00:11:05,919 smaller in 293 00:11:05,920 --> 00:11:08,259 smaller global titles or smaller 294 00:11:08,260 --> 00:11:09,260 prefixes 295 00:11:10,960 --> 00:11:13,450 for for old technologies. 296 00:11:16,140 --> 00:11:18,609 So this one is how 297 00:11:18,610 --> 00:11:20,669 the Indian network is built, 298 00:11:20,670 --> 00:11:23,039 so we removed that is that 299 00:11:23,040 --> 00:11:25,169 the Indian network was built in 300 00:11:25,170 --> 00:11:27,299 circles, that that means 301 00:11:27,300 --> 00:11:29,369 that every region of India has its 302 00:11:29,370 --> 00:11:31,589 own S7 network 303 00:11:31,590 --> 00:11:33,989 and that we're all interconnected 304 00:11:33,990 --> 00:11:34,919 each other. 305 00:11:34,920 --> 00:11:36,989 So this it's a good 306 00:11:36,990 --> 00:11:39,029 point to know, because you will know that 307 00:11:39,030 --> 00:11:40,559 all the network elements are not 308 00:11:40,560 --> 00:11:42,719 sequentially in one on 309 00:11:42,720 --> 00:11:44,969 one sequence of digits, 310 00:11:44,970 --> 00:11:45,970 but there will be 311 00:11:47,490 --> 00:11:49,439 one sequence for every region. 
312 00:11:49,440 --> 00:11:51,629 So you will try to find this sequence for 313 00:11:51,630 --> 00:11:53,459 all the regions of India. 314 00:11:53,460 --> 00:11:55,529 So it's really interesting to try to 315 00:11:55,530 --> 00:11:57,839 understand how the 316 00:11:57,840 --> 00:12:00,059 network is built for the country 317 00:12:00,060 --> 00:12:02,939 to be able to to 318 00:12:02,940 --> 00:12:05,129 to understand it. 319 00:12:05,130 --> 00:12:07,409 So another thing is 320 00:12:07,410 --> 00:12:10,619 when someone buys another 321 00:12:10,620 --> 00:12:12,779 one of those telecom operator buys 322 00:12:12,780 --> 00:12:15,509 another one, it will add more 323 00:12:15,510 --> 00:12:17,640 network elements into his 324 00:12:18,840 --> 00:12:19,819 pool of network. 325 00:12:19,820 --> 00:12:20,820 And so. 326 00:12:21,400 --> 00:12:23,599 And you would think that it's always a 327 00:12:23,600 --> 00:12:25,729 good thing, a good thing to take a look 328 00:12:25,730 --> 00:12:28,759 to all, for example, for 329 00:12:28,760 --> 00:12:31,519 all the major ones that will have 330 00:12:31,520 --> 00:12:33,949 operators in all the 331 00:12:33,950 --> 00:12:35,599 European countries, for example. 332 00:12:35,600 --> 00:12:37,789 So it's it's interesting to take a look 333 00:12:37,790 --> 00:12:40,489 to because sometimes, 334 00:12:40,490 --> 00:12:42,409 for example, one country will be more 335 00:12:42,410 --> 00:12:43,999 vulnerable that than another. 336 00:12:44,000 --> 00:12:46,109 But since it's a huge company, 337 00:12:46,110 --> 00:12:47,899 that will be directly interconnected. 338 00:12:47,900 --> 00:12:50,209 So if you are into 339 00:12:50,210 --> 00:12:52,309 this into 340 00:12:52,310 --> 00:12:54,409 the country, less secure, but you 341 00:12:54,410 --> 00:12:56,539 have a direct connection to a more secure 342 00:12:56,540 --> 00:12:58,449 country, it it's not secure anymore. 
343 00:13:00,690 --> 00:13:02,879 Telecom regulators, 344 00:13:02,880 --> 00:13:05,249 this is because, for example, for France, 345 00:13:05,250 --> 00:13:07,499 we are three three six four mobile 346 00:13:07,500 --> 00:13:09,059 phone mobiles and now we have three three 347 00:13:09,060 --> 00:13:10,919 seven. But since three to seven, it's a 348 00:13:10,920 --> 00:13:12,029 new one. 349 00:13:12,030 --> 00:13:14,189 Don't even take a look because there will 350 00:13:14,190 --> 00:13:16,559 not be any network element 351 00:13:16,560 --> 00:13:17,839 inside this Frenchy's. 352 00:13:17,840 --> 00:13:19,869 OK, it's new ringy, so no network 353 00:13:19,870 --> 00:13:20,870 elements. 354 00:13:23,520 --> 00:13:24,929 Something funny on this one, 355 00:13:26,070 --> 00:13:28,919 during our scans, we 356 00:13:28,920 --> 00:13:31,079 we remarked that when we 357 00:13:31,080 --> 00:13:33,269 were trying to send when 358 00:13:33,270 --> 00:13:35,549 we were sending seven messages to 359 00:13:35,550 --> 00:13:38,039 Costa Rica subscribers, HLR 360 00:13:38,040 --> 00:13:40,619 from Spain was responding to us. 361 00:13:40,620 --> 00:13:41,700 So this means that 362 00:13:43,020 --> 00:13:45,359 the operator 363 00:13:45,360 --> 00:13:47,909 from Costa Rica had 364 00:13:47,910 --> 00:13:50,009 the part of his network still in 365 00:13:50,010 --> 00:13:52,139 Costa Rica, but the HLR was Hispan. 366 00:13:53,230 --> 00:13:55,330 So maybe focus on optimization. 367 00:13:56,880 --> 00:13:58,949 To get all the subscriber in to only 368 00:13:58,950 --> 00:14:00,210 one, it should also yeah. 369 00:14:02,850 --> 00:14:05,009 So now what? What we want to do is 370 00:14:05,010 --> 00:14:06,839 send the messages because we want to be 371 00:14:06,840 --> 00:14:08,419 able to send messages. 
372 00:14:09,510 --> 00:14:11,669 And the first thing that we want is 373 00:14:11,670 --> 00:14:14,279 to try to scan the network so 374 00:14:14,280 --> 00:14:16,349 we can do it in two 375 00:14:16,350 --> 00:14:17,309 phases. 376 00:14:17,310 --> 00:14:19,439 The first one, we will 377 00:14:19,440 --> 00:14:21,929 try to get directly to the operator 378 00:14:21,930 --> 00:14:23,519 and to get to each of the HLR. 379 00:14:23,520 --> 00:14:25,859 You have a lot of messages that 380 00:14:25,860 --> 00:14:27,959 as input you have only to put 381 00:14:27,960 --> 00:14:30,149 to two to give a 382 00:14:30,150 --> 00:14:31,469 subscriber number. 383 00:14:31,470 --> 00:14:33,689 OK, subscriber, my suggestion. 384 00:14:33,690 --> 00:14:35,879 So this note, this message, you 385 00:14:35,880 --> 00:14:38,609 give them a subscriber messaging, 386 00:14:38,610 --> 00:14:40,799 you send them to the services 387 00:14:40,800 --> 00:14:42,869 of a network and in the rooting 388 00:14:42,870 --> 00:14:45,090 of the network, the 389 00:14:46,230 --> 00:14:48,359 router. This is a router 390 00:14:48,360 --> 00:14:50,219 system and a router will know that, OK, 391 00:14:50,220 --> 00:14:52,079 it's one of my subscribers who I give it 392 00:14:52,080 --> 00:14:53,609 to to the HLR. 393 00:14:53,610 --> 00:14:55,679 So they will respond to us, even if it's 394 00:14:55,680 --> 00:14:57,749 written about it will respond 395 00:14:57,750 --> 00:15:00,449 to us. So it's still interesting to know. 396 00:15:00,450 --> 00:15:02,699 And the second case is to use, as 397 00:15:02,700 --> 00:15:05,199 we saw before I r21 398 00:15:05,200 --> 00:15:07,319 the you, but even your 399 00:15:07,320 --> 00:15:09,899 Esmie SBC public gitti 400 00:15:09,900 --> 00:15:11,729 this one, you have it on your SIM card, 401 00:15:11,730 --> 00:15:13,829 right. You will find them 402 00:15:13,830 --> 00:15:17,299 on the Internet, the public services. 
403 00:15:17,300 --> 00:15:19,519 And usually, since all the network 404 00:15:19,520 --> 00:15:22,039 elements are close together, 405 00:15:22,040 --> 00:15:24,279 if you if you take the jobs WWC, 406 00:15:24,280 --> 00:15:26,149 maybe by incrementing, you will find the 407 00:15:26,150 --> 00:15:28,189 other ones, it will not be so 408 00:15:28,190 --> 00:15:29,389 complicated. 409 00:15:29,390 --> 00:15:30,379 So maybe not. 410 00:15:30,380 --> 00:15:32,569 Maybe yes. So it's already a good 411 00:15:32,570 --> 00:15:34,999 start because it's your first 412 00:15:35,000 --> 00:15:36,000 Gytis that you will love. 413 00:15:38,240 --> 00:15:40,669 So this one, it's 414 00:15:40,670 --> 00:15:43,189 a tick up, tick up scanner. 415 00:15:43,190 --> 00:15:45,529 So we can incrementally, 416 00:15:45,530 --> 00:15:48,169 as it is for the SSN, 417 00:15:48,170 --> 00:15:50,479 which is like the support 418 00:15:50,480 --> 00:15:51,480 for HLR. 419 00:15:52,460 --> 00:15:53,989 And when we got in about. 420 00:15:55,150 --> 00:15:56,599 You have two kids, all you single. 421 00:15:56,600 --> 00:15:58,899 OK, Rachel, I respond to me 422 00:15:58,900 --> 00:16:00,969 on the second one is OK, it 423 00:16:00,970 --> 00:16:03,609 is the Nexus seven firewall 424 00:16:03,610 --> 00:16:04,539 blocked me on. 425 00:16:04,540 --> 00:16:05,590 You sent me an upvote. 426 00:16:06,610 --> 00:16:08,799 So you are two 427 00:16:08,800 --> 00:16:10,929 cases, but at least usually 428 00:16:10,930 --> 00:16:13,839 when it's when it's a firewall, 429 00:16:13,840 --> 00:16:15,979 it will get will as 430 00:16:15,980 --> 00:16:18,639 a source your own Gitti. 431 00:16:18,640 --> 00:16:20,739 So all the messages that 432 00:16:20,740 --> 00:16:22,929 you inserted as this nation. 433 00:16:22,930 --> 00:16:25,089 So you will know that it's the 434 00:16:25,090 --> 00:16:27,969 firewall if you have a different 435 00:16:27,970 --> 00:16:30,009 gitti which is responding to you. 
436 00:16:31,450 --> 00:16:32,829 You have more chance that it will be a 437 00:16:32,830 --> 00:16:34,420 real networking event, so Rachel. 438 00:16:36,660 --> 00:16:38,879 So as we see, all this 439 00:16:38,880 --> 00:16:41,549 network is full of oddities, um, 440 00:16:41,550 --> 00:16:43,739 one network can behave in a way and 441 00:16:43,740 --> 00:16:45,839 you will, uh, scan another one, 442 00:16:45,840 --> 00:16:47,609 it will behave completely differently. 443 00:16:47,610 --> 00:16:49,679 Maybe the HLR will not be responding and 444 00:16:49,680 --> 00:16:52,169 it will be some firewall in the middle 445 00:16:52,170 --> 00:16:54,329 that will, uh, not even put it. 446 00:16:54,330 --> 00:16:56,399 So, um, from all 447 00:16:56,400 --> 00:16:58,469 of these behaviors, uh, we 448 00:16:58,470 --> 00:17:01,859 built, uh, scan engine, um, 449 00:17:01,860 --> 00:17:03,959 and taking taking some, 450 00:17:03,960 --> 00:17:06,059 uh, public data sources as input as well 451 00:17:06,060 --> 00:17:08,279 as private data sources in order 452 00:17:08,280 --> 00:17:10,828 to build, um, kind of, 453 00:17:10,829 --> 00:17:12,509 uh, mobile operator database. 454 00:17:12,510 --> 00:17:14,608 And then the goal was to check 455 00:17:14,609 --> 00:17:16,618 the reality of all this data with the 456 00:17:16,619 --> 00:17:17,608 network. 457 00:17:17,609 --> 00:17:19,828 So we take data from, uh, from 458 00:17:19,829 --> 00:17:22,889 Internet, from, uh, species 459 00:17:22,890 --> 00:17:25,019 ASPCA from a to you from 460 00:17:25,020 --> 00:17:26,969 some a21 or so can be good. 
461 00:17:26,970 --> 00:17:29,219 Uh, good start also from, 462 00:17:29,220 --> 00:17:31,259 uh, attack reports from, uh, from 463 00:17:31,260 --> 00:17:33,329 operators in order to to put, 464 00:17:33,330 --> 00:17:35,699 um, some risk already 465 00:17:35,700 --> 00:17:38,309 at the beginning inside the enslaver 466 00:17:38,310 --> 00:17:40,379 ratings or this, we give it to a 467 00:17:40,380 --> 00:17:42,579 scan engine that will, uh, render the 468 00:17:42,580 --> 00:17:44,759 um, send the messages on the axis 469 00:17:44,760 --> 00:17:45,689 of a network. 470 00:17:45,690 --> 00:17:47,909 And from this we are going 471 00:17:47,910 --> 00:17:51,329 to generate, um, mainly, 472 00:17:51,330 --> 00:17:52,619 uh, these four items. 473 00:17:52,620 --> 00:17:54,929 So the seven websites that 474 00:17:54,930 --> 00:17:57,629 we are going to to release now, 475 00:17:57,630 --> 00:17:59,909 uh, ratings per country and 476 00:17:59,910 --> 00:18:02,129 then, um, some 477 00:18:02,130 --> 00:18:04,409 that are private, um, 478 00:18:04,410 --> 00:18:06,059 operator security details. 479 00:18:06,060 --> 00:18:08,249 So we plan to release this 480 00:18:08,250 --> 00:18:09,809 publicly in the future. 481 00:18:09,810 --> 00:18:12,089 So maybe six months that was planned 482 00:18:12,090 --> 00:18:14,669 and also a threat intelligence, um, 483 00:18:14,670 --> 00:18:16,649 on the Seven Network, because we want to 484 00:18:16,650 --> 00:18:19,019 give operators a chance to first, 485 00:18:19,020 --> 00:18:21,299 uh, contact us 486 00:18:21,300 --> 00:18:24,149 and we will send them directly, 487 00:18:24,150 --> 00:18:26,519 uh, privately the status of 488 00:18:26,520 --> 00:18:27,569 the operator. 
489 00:18:27,570 --> 00:18:29,699 So we won't we don't want to give 490 00:18:29,700 --> 00:18:32,099 it directly, publicly, but first 491 00:18:32,100 --> 00:18:34,229 give a chance to operators to ask us 492 00:18:34,230 --> 00:18:36,029 and we will send them directly. 493 00:18:36,030 --> 00:18:36,809 This data. 494 00:18:36,810 --> 00:18:39,809 So it will be released today is only, um, 495 00:18:39,810 --> 00:18:41,969 the, uh, the country, uh, 496 00:18:41,970 --> 00:18:44,069 level of security from the 497 00:18:44,070 --> 00:18:45,390 seven remaining infrastructure. 498 00:18:48,120 --> 00:18:50,369 So in order to make this map, 499 00:18:50,370 --> 00:18:52,529 we need to send a lot of data and so 500 00:18:52,530 --> 00:18:54,659 in order to then, uh, start to 501 00:18:54,660 --> 00:18:56,759 visualize it, see what what message 502 00:18:56,760 --> 00:18:57,899 work, what doesn't. 503 00:18:57,900 --> 00:19:00,089 Um, we we 504 00:19:00,090 --> 00:19:02,369 took, uh, we generate some graphs. 505 00:19:02,370 --> 00:19:03,819 We try to understand the networks. 506 00:19:03,820 --> 00:19:07,199 So, for example, here, um, 507 00:19:07,200 --> 00:19:08,819 we send different type of messages that 508 00:19:08,820 --> 00:19:10,889 what you see, um, at the, uh, at 509 00:19:10,890 --> 00:19:13,009 the bottom. So no one wants 510 00:19:13,010 --> 00:19:15,539 a Soraya's MSRA, um, 511 00:19:15,540 --> 00:19:17,879 also interrogators PSA that are less 512 00:19:17,880 --> 00:19:19,979 common and we see how the network 513 00:19:19,980 --> 00:19:21,029 behaves. 514 00:19:21,030 --> 00:19:23,429 So here I 515 00:19:23,430 --> 00:19:25,589 started to we started to list different 516 00:19:25,590 --> 00:19:26,549 kind of errors. 517 00:19:26,550 --> 00:19:28,229 But there are many, many kind of errors. 
518 00:19:28,230 --> 00:19:30,809 And it's those oddities that will, uh, 519 00:19:30,810 --> 00:19:33,089 that will actually give us more 520 00:19:33,090 --> 00:19:35,119 insight on how to to map the network. 521 00:19:37,960 --> 00:19:40,089 So on this one, 522 00:19:40,090 --> 00:19:41,090 um, 523 00:19:42,160 --> 00:19:43,900 what we see mainly is that. 524 00:19:45,600 --> 00:19:47,749 Many countries, many operators 525 00:19:47,750 --> 00:19:49,849 are answering actually to the requests 526 00:19:49,850 --> 00:19:50,869 that we send them. 527 00:19:50,870 --> 00:19:53,209 So it's 528 00:19:53,210 --> 00:19:55,699 there are four lines each time 529 00:19:55,700 --> 00:19:57,799 the first one is positive and 530 00:19:57,800 --> 00:19:58,849 then you have no answer. 531 00:19:58,850 --> 00:20:01,409 And then you have two type of errors, 532 00:20:01,410 --> 00:20:02,869 different type of errors. 533 00:20:02,870 --> 00:20:03,829 This is for Etai. 534 00:20:03,830 --> 00:20:06,619 This is a Saroyan PSA. 535 00:20:06,620 --> 00:20:08,839 So you see that on this line, 536 00:20:08,840 --> 00:20:10,939 one that is drawn every time. 537 00:20:10,940 --> 00:20:12,739 Um, it matches. 538 00:20:12,740 --> 00:20:14,419 It means if I have one that here, it 539 00:20:14,420 --> 00:20:16,549 means that, uh, and so I had a positive 540 00:20:16,550 --> 00:20:17,550 answer. 541 00:20:18,710 --> 00:20:21,109 So very often the balance 542 00:20:21,110 --> 00:20:23,329 of positive answer are quite, uh, 543 00:20:23,330 --> 00:20:26,629 quite dense and, um, 544 00:20:26,630 --> 00:20:27,949 even unnecessary. 545 00:20:27,950 --> 00:20:30,199 And messages that were discussed 546 00:20:30,200 --> 00:20:32,509 by, uh, Tobias Angaston earlier. 547 00:20:32,510 --> 00:20:34,129 You see that. 548 00:20:34,130 --> 00:20:36,109 Yeah. The they are very much answers, 549 00:20:36,110 --> 00:20:38,179 even if they should not be allowed in at 550 00:20:38,180 --> 00:20:40,339 zero. 
That is the um, I Nathuram 551 00:20:40,340 --> 00:20:42,139 in international basically for an 552 00:20:42,140 --> 00:20:43,140 operator. 553 00:20:43,880 --> 00:20:46,039 And at the at the beginning we 554 00:20:46,040 --> 00:20:47,899 should not even have any answer for any 555 00:20:47,900 --> 00:20:49,969 of these messages because the guy from 556 00:20:49,970 --> 00:20:52,199 where we scan was not in the room 557 00:20:52,200 --> 00:20:53,200 in Listing's. 558 00:20:57,040 --> 00:20:59,349 So once and some 559 00:20:59,350 --> 00:21:01,809 more oddities of a seven. 560 00:21:03,670 --> 00:21:06,279 This is the delay, um, depending 561 00:21:06,280 --> 00:21:08,289 on the message that we send. 562 00:21:08,290 --> 00:21:10,029 Those are the different colors and the 563 00:21:10,030 --> 00:21:12,069 type of results that we get. 564 00:21:12,070 --> 00:21:14,409 So you see that, for example, uh, 565 00:21:14,410 --> 00:21:16,779 sometimes we get until 10 minutes after 566 00:21:16,780 --> 00:21:19,029 the, uh, we send the message to an IP. 567 00:21:19,030 --> 00:21:20,769 You would not even think about that. 568 00:21:20,770 --> 00:21:22,959 How can, uh, machine and certainly 569 00:21:22,960 --> 00:21:25,089 not after we see some of this. 570 00:21:26,270 --> 00:21:27,939 Um, sometimes. 571 00:21:27,940 --> 00:21:29,259 So this this was 572 00:21:30,400 --> 00:21:31,719 a special case. 573 00:21:31,720 --> 00:21:33,819 But you see that even 574 00:21:33,820 --> 00:21:35,889 if the majority of messages are very fast 575 00:21:35,890 --> 00:21:38,409 to be answered, there is still a big, 576 00:21:38,410 --> 00:21:40,539 big part here 577 00:21:40,540 --> 00:21:42,279 that take between 10 seconds and one 578 00:21:42,280 --> 00:21:44,229 minute to get answers. 579 00:21:44,230 --> 00:21:46,669 And this depends on the countries. 
580 00:21:46,670 --> 00:21:48,939 Um, so this is also the delay 581 00:21:48,940 --> 00:21:51,009 time, uh, way to 582 00:21:51,010 --> 00:21:52,899 to fingerprint the network and try to 583 00:21:52,900 --> 00:21:55,269 understand it and to map it, 584 00:21:55,270 --> 00:21:57,249 to see the different behavior and see, 585 00:21:57,250 --> 00:21:59,319 OK, this country is behaving like 586 00:21:59,320 --> 00:22:00,339 another one. Why? 587 00:22:00,340 --> 00:22:02,379 Maybe they share some specificities. 588 00:22:02,380 --> 00:22:04,449 Maybe it's a vendor related, 589 00:22:04,450 --> 00:22:05,829 maybe it's something else. 590 00:22:05,830 --> 00:22:06,830 Maybe there is a problem. 591 00:22:09,130 --> 00:22:11,799 So from all this data, um, 592 00:22:11,800 --> 00:22:13,869 then we build algorithms 593 00:22:13,870 --> 00:22:15,969 in order to extract 594 00:22:15,970 --> 00:22:18,369 the ratings and then ranking 595 00:22:18,370 --> 00:22:19,880 for countries and then map. 596 00:22:20,980 --> 00:22:23,319 So, um, basically we split 597 00:22:23,320 --> 00:22:25,449 our ratings into two main 598 00:22:25,450 --> 00:22:26,589 parts. 599 00:22:26,590 --> 00:22:28,899 So network exposure, which is operator 600 00:22:28,900 --> 00:22:31,239 related, uh, it's about 601 00:22:31,240 --> 00:22:33,489 the exposure of 602 00:22:33,490 --> 00:22:36,009 the network itself and also prevents 603 00:22:36,010 --> 00:22:38,139 leaks from it's 604 00:22:38,140 --> 00:22:40,359 related to the customer, meaning all 605 00:22:40,360 --> 00:22:40,779 of us. 606 00:22:40,780 --> 00:22:43,719 So it's, um, it means 607 00:22:43,720 --> 00:22:45,909 if, uh, that's my 608 00:22:45,910 --> 00:22:47,739 my country or my operator really 609 00:22:47,740 --> 00:22:49,959 protecting my private data private, that 610 00:22:49,960 --> 00:22:53,169 I can mean, um, location. 611 00:22:53,170 --> 00:22:55,329 It can mean also authentication 612 00:22:55,330 --> 00:22:57,549 vectors. 
Because if they are uh, 613 00:22:57,550 --> 00:22:59,679 if they can be, uh, obtained by 614 00:22:59,680 --> 00:23:01,839 someone else, then this someone 615 00:23:01,840 --> 00:23:03,219 else can impersonate the network for 616 00:23:03,220 --> 00:23:05,169 example, and then intercept, uh, 617 00:23:05,170 --> 00:23:07,809 intercept your calls and decrypt them 618 00:23:07,810 --> 00:23:11,199 like uh like Tobias um, 619 00:23:11,200 --> 00:23:12,250 like Guston presented. 620 00:23:13,930 --> 00:23:15,919 And so these ratings, OK, they are 621 00:23:15,920 --> 00:23:18,069 complicated. We will post, um, 622 00:23:18,070 --> 00:23:19,809 we will have Blockbuster for those that 623 00:23:19,810 --> 00:23:21,309 are interested, uh, link it to the 624 00:23:21,310 --> 00:23:23,259 website with explanation's deeper on 625 00:23:23,260 --> 00:23:24,260 this. 626 00:23:25,900 --> 00:23:28,349 So, OK, now let's take a look to 627 00:23:28,350 --> 00:23:30,489 to the website. 628 00:23:30,490 --> 00:23:33,039 Um so 629 00:23:33,040 --> 00:23:34,040 OK. 630 00:23:35,590 --> 00:23:37,719 So this is this is 631 00:23:37,720 --> 00:23:39,969 a website which will be relay's 632 00:23:39,970 --> 00:23:40,970 really soon. 633 00:23:41,920 --> 00:23:44,229 So what you have, you have a global 634 00:23:44,230 --> 00:23:45,670 risk, which is 635 00:23:47,590 --> 00:23:49,809 a gulf between 636 00:23:49,810 --> 00:23:51,819 the previous leak and the next network 637 00:23:51,820 --> 00:23:54,669 exposure. So first, I will show you 638 00:23:54,670 --> 00:23:55,809 on the side. 639 00:23:55,810 --> 00:23:57,939 So when we take a look to the 640 00:23:57,940 --> 00:23:58,940 previous tab. 641 00:24:00,040 --> 00:24:02,559 What we see it again 642 00:24:02,560 --> 00:24:04,619 is first there is there 643 00:24:04,620 --> 00:24:06,789 is there is some countries 644 00:24:06,790 --> 00:24:07,769 in blank. 
645 00:24:07,770 --> 00:24:10,539 This means that we do not have yet data 646 00:24:10,540 --> 00:24:12,939 and since it's an in progress 647 00:24:12,940 --> 00:24:15,309 project, we will improve 648 00:24:15,310 --> 00:24:18,189 it and we will add more and more details 649 00:24:18,190 --> 00:24:21,129 during after that talk. 650 00:24:21,130 --> 00:24:23,229 So in the next month or so, for 651 00:24:23,230 --> 00:24:25,599 example, if we take a look to the 652 00:24:25,600 --> 00:24:27,459 United States, because there have been 653 00:24:27,460 --> 00:24:29,679 like in the center of all the 654 00:24:29,680 --> 00:24:30,850 discussions about 655 00:24:31,930 --> 00:24:33,880 intercepting calls 656 00:24:35,050 --> 00:24:36,050 and all this talk 657 00:24:37,600 --> 00:24:38,920 we are giving. 658 00:24:40,730 --> 00:24:43,209 Page. So this one will be directly 659 00:24:43,210 --> 00:24:45,009 accessible and will be directly public 660 00:24:45,010 --> 00:24:47,049 because it's for the country and not for 661 00:24:47,050 --> 00:24:48,160 specific operators. 662 00:24:49,600 --> 00:24:51,729 So we will we 663 00:24:51,730 --> 00:24:52,730 will give 664 00:24:53,800 --> 00:24:56,649 on the operators that we have 665 00:24:56,650 --> 00:24:58,390 the data that. 666 00:25:00,020 --> 00:25:02,419 That we have been able to to 667 00:25:02,420 --> 00:25:05,089 to so, for example, for the presidency, 668 00:25:05,090 --> 00:25:07,159 what we are testing is we are testing, 669 00:25:07,160 --> 00:25:08,929 for example, if there is some message, is 670 00:25:08,930 --> 00:25:12,049 disclosing the precise location 671 00:25:12,050 --> 00:25:13,279 of the user. 672 00:25:13,280 --> 00:25:16,069 So the first one will be disclosing 673 00:25:16,070 --> 00:25:18,739 messages which are like 674 00:25:18,740 --> 00:25:21,439 less accurate.
675 00:25:21,440 --> 00:25:24,529 And the second one, which is this one, 676 00:25:24,530 --> 00:25:26,419 will be disclosing selectees 677 00:25:27,590 --> 00:25:30,170 coordinates for PSAT, PSL 678 00:25:31,250 --> 00:25:32,250 messages 679 00:25:33,560 --> 00:25:35,299 and so on. 680 00:25:35,300 --> 00:25:37,839 You have also all the other messages. 681 00:25:37,840 --> 00:25:39,589 So, for example, the authentication keys 682 00:25:39,590 --> 00:25:41,839 for SETI, you have prepaid 683 00:25:41,840 --> 00:25:43,849 postpaid subscriber status for 684 00:25:43,850 --> 00:25:46,009 interrogators and 685 00:25:46,010 --> 00:25:47,779 other will be added. 686 00:25:47,780 --> 00:25:50,149 So, for example, the voting on watching 687 00:25:50,150 --> 00:25:52,429 bypass will be will be added soon 688 00:25:52,430 --> 00:25:53,929 because we are still processing a lot of 689 00:25:53,930 --> 00:25:55,349 data that we have. 690 00:25:55,350 --> 00:25:58,429 And the goal really is to give 691 00:25:58,430 --> 00:26:00,409 an overview of the vulnerabilities that 692 00:26:00,410 --> 00:26:01,490 we will be able to find 693 00:26:02,630 --> 00:26:05,119 in the operator of this country 694 00:26:05,120 --> 00:26:06,739 and to to really 695 00:26:07,760 --> 00:26:09,889 try to get a good 696 00:26:09,890 --> 00:26:12,439 vision of the security 697 00:26:12,440 --> 00:26:13,440 of the country. 698 00:26:14,460 --> 00:26:16,619 So, yeah, United States are taking 699 00:26:16,620 --> 00:26:19,649 everywhere, everyone, but still 700 00:26:19,650 --> 00:26:21,960 not securing so much as a network. 
701 00:26:26,360 --> 00:26:29,299 So how we did it for privacy, 702 00:26:29,300 --> 00:26:31,399 so for the privacy 703 00:26:31,400 --> 00:26:33,499 part, first 704 00:26:33,500 --> 00:26:35,779 we took messages such 705 00:26:35,780 --> 00:26:38,299 as references Azariah, Terrorism, 706 00:26:38,300 --> 00:26:40,579 HCI and sending this 707 00:26:40,580 --> 00:26:42,919 one only the 708 00:26:42,920 --> 00:26:45,559 only took input, the Malaysian, 709 00:26:45,560 --> 00:26:47,179 which is a subscriber number. 710 00:26:47,180 --> 00:26:49,729 So what we did is we did were scrambling 711 00:26:49,730 --> 00:26:51,839 to get a lot of at the end. 712 00:26:51,840 --> 00:26:53,329 So I don't remember the number of 713 00:26:53,330 --> 00:26:55,699 messages that we got, but thousand 714 00:26:55,700 --> 00:26:57,899 of them. Thousands. 715 00:26:57,900 --> 00:27:00,619 Yeah, exactly. And so 716 00:27:00,620 --> 00:27:02,719 the number is we get all 717 00:27:02,720 --> 00:27:05,059 the messages on first. 718 00:27:05,060 --> 00:27:06,199 We sent the 719 00:27:07,510 --> 00:27:08,989 mathematicians for all this 720 00:27:10,580 --> 00:27:11,719 for all these messages. 721 00:27:11,720 --> 00:27:13,879 The only ones that need another entry, 722 00:27:13,880 --> 00:27:16,459 it's the psoriasis which needs 723 00:27:16,460 --> 00:27:17,899 the jemal. 724 00:27:17,900 --> 00:27:19,549 This one should be private. 725 00:27:19,550 --> 00:27:21,769 But sometimes you are able to get 726 00:27:21,770 --> 00:27:23,899 it because you 727 00:27:23,900 --> 00:27:26,179 can. You can or 728 00:27:26,180 --> 00:27:27,770 sometimes it's not 729 00:27:29,270 --> 00:27:30,889 filtered properly. So that will not 730 00:27:30,890 --> 00:27:33,319 filter on the GMC Gitti. 
731 00:27:33,320 --> 00:27:35,569 So we saw that on some on some 732 00:27:36,980 --> 00:27:39,169 some countries that are like giving 733 00:27:39,170 --> 00:27:41,809 directly the incident 734 00:27:41,810 --> 00:27:44,179 on the mercy of 735 00:27:44,180 --> 00:27:46,789 SARS. Yes, but OK, 736 00:27:46,790 --> 00:27:49,099 so this message is what they will give in 737 00:27:49,100 --> 00:27:51,329 in output will be the emcee, the 738 00:27:51,330 --> 00:27:53,739 MSE JLR on message 739 00:27:53,740 --> 00:27:55,489 on the HLA fingerprint. 740 00:27:55,490 --> 00:27:57,919 We have been able to get to fingerprint 741 00:27:57,920 --> 00:28:00,559 Etchells through this 742 00:28:00,560 --> 00:28:02,809 bite by really 743 00:28:02,810 --> 00:28:04,729 analyzing a lot of data, as we have been 744 00:28:04,730 --> 00:28:06,410 able to, to directly 745 00:28:07,430 --> 00:28:09,589 fingerprint Etchells, to be 746 00:28:09,590 --> 00:28:12,799 able to say, OK, this HLR it from 747 00:28:12,800 --> 00:28:15,079 Ericsson, this brand, it's like 748 00:28:15,080 --> 00:28:17,209 we are being able to identify there is 749 00:28:17,210 --> 00:28:19,409 a brand of HLR, not exactly 750 00:28:19,410 --> 00:28:21,529 the vision, but at least 751 00:28:21,530 --> 00:28:23,629 a brand remotely, 752 00:28:23,630 --> 00:28:25,969 directly, remotely 753 00:28:25,970 --> 00:28:27,649 so after. 754 00:28:27,650 --> 00:28:30,379 So we get on the message 755 00:28:30,380 --> 00:28:32,239 out where the subscriber is attach. 756 00:28:32,240 --> 00:28:34,489 So now we can send another type 757 00:28:34,490 --> 00:28:36,709 of messages, which 758 00:28:36,710 --> 00:28:39,529 are the interrogator says 759 00:28:39,530 --> 00:28:41,629 the cell phone, send 760 00:28:41,630 --> 00:28:42,919 it on vacation info for the 761 00:28:42,920 --> 00:28:44,809 authentication of the subscriber. 
762 00:28:44,810 --> 00:28:46,909 So this will give you the 763 00:28:46,910 --> 00:28:50,299 cryptographic key of the subscriber, 764 00:28:50,300 --> 00:28:52,009 the TSL on the side. 765 00:28:52,010 --> 00:28:54,619 So the PEIRSOL will give you directly the 766 00:28:54,620 --> 00:28:57,379 coordinates of this subscriber 767 00:28:57,380 --> 00:28:59,989 on the PSA will give you, as 768 00:28:59,990 --> 00:29:02,149 the said. But if you are selected, 769 00:29:02,150 --> 00:29:04,129 you will be able to get the GPS 770 00:29:04,130 --> 00:29:05,130 coordinates also. 771 00:29:06,840 --> 00:29:09,039 So this is really interesting. 772 00:29:09,040 --> 00:29:11,409 And this is basically a progress 773 00:29:11,410 --> 00:29:13,359 map, how can you from only a few 774 00:29:13,360 --> 00:29:16,239 informations get to the idea 775 00:29:16,240 --> 00:29:18,729 to give a picture of what's actually 776 00:29:18,730 --> 00:29:20,979 inside the scan engine, that 777 00:29:20,980 --> 00:29:21,980 we have a part of it? 778 00:29:23,430 --> 00:29:25,759 So, yeah, only from 779 00:29:25,760 --> 00:29:27,839 the end getting all this information. 780 00:29:30,620 --> 00:29:31,620 So this is a 781 00:29:33,110 --> 00:29:35,689 little recap of all the messages 782 00:29:35,690 --> 00:29:38,539 that we have been with that we sent 783 00:29:38,540 --> 00:29:40,609 on the network, and as 784 00:29:40,610 --> 00:29:42,739 we can see, like atypia, 785 00:29:42,740 --> 00:29:45,399 say, on Peirsol, are the more 786 00:29:45,400 --> 00:29:47,269 and more impact because they are looking 787 00:29:47,270 --> 00:29:48,859 directly to the locations, the precise 788 00:29:48,860 --> 00:29:50,689 location of subscribers. 789 00:29:50,690 --> 00:29:52,310 So this is really interesting for us. 790 00:29:53,390 --> 00:29:54,569 And also a surprise. 791 00:29:54,570 --> 00:29:56,629 Sometimes you have also slightly, but 792 00:29:56,630 --> 00:29:58,430 it's not so often so. 
793 00:30:01,440 --> 00:30:04,199 Oh, we took an example also for 794 00:30:04,200 --> 00:30:06,389 my PTA, for example, 795 00:30:06,390 --> 00:30:08,789 if we take a look to the specifications 796 00:30:08,790 --> 00:30:10,349 or CGP specification, 797 00:30:11,550 --> 00:30:13,949 we see that only 798 00:30:13,950 --> 00:30:16,049 the location management function should 799 00:30:16,050 --> 00:30:17,369 be able to send. 800 00:30:17,370 --> 00:30:19,069 My picture is to the HLR. 801 00:30:20,310 --> 00:30:22,349 This is a local node. 802 00:30:22,350 --> 00:30:24,419 OK, so only the local node, 803 00:30:24,420 --> 00:30:26,459 the management function, local node 804 00:30:26,460 --> 00:30:28,829 should be able to send my pages 805 00:30:28,830 --> 00:30:30,209 to switch it up. 806 00:30:30,210 --> 00:30:32,489 So this is for 2G and 3G usage, but 807 00:30:32,490 --> 00:30:33,640 for 4G is 808 00:30:34,860 --> 00:30:36,209 something else. 809 00:30:36,210 --> 00:30:37,800 So the HSF, which is, 810 00:30:39,390 --> 00:30:41,759 which is replacing the HLR for 811 00:30:41,760 --> 00:30:43,680 4G. So the database for 4G. 812 00:30:45,150 --> 00:30:47,309 Is can be can also 813 00:30:47,310 --> 00:30:48,829 send Matt here is to the. 814 00:30:50,330 --> 00:30:52,499 Always internal that. 815 00:30:54,380 --> 00:30:56,509 And this HCI, as 816 00:30:56,510 --> 00:30:57,920 we say, is giving 817 00:30:59,040 --> 00:31:01,159 at the edge of 818 00:31:01,160 --> 00:31:03,289 the location and the 819 00:31:03,290 --> 00:31:04,290 subscriber's state. 
820 00:31:06,220 --> 00:31:08,379 And what we saw by analyzing all the 821 00:31:08,380 --> 00:31:10,539 data that we got is that 822 00:31:10,540 --> 00:31:12,729 on the map, HCI, only 823 00:31:12,730 --> 00:31:15,629 29 percent of the 824 00:31:15,630 --> 00:31:17,769 of the networks of the 825 00:31:17,770 --> 00:31:19,629 requests that we sent were responding 826 00:31:19,630 --> 00:31:21,979 correctly to the map with the slides 827 00:31:21,980 --> 00:31:23,020 with a real slightly. 828 00:31:24,320 --> 00:31:27,079 But if we take a look to map Malaysia, 829 00:31:27,080 --> 00:31:29,209 which now it's not 830 00:31:29,210 --> 00:31:31,339 so well known, then 831 00:31:31,340 --> 00:31:33,619 Malaysia, because Guston and 832 00:31:33,620 --> 00:31:35,689 Tobias speak about HIV, which 833 00:31:35,690 --> 00:31:37,999 is not well known on all the German 834 00:31:39,800 --> 00:31:42,289 or the German menus, are blocking it. 835 00:31:42,290 --> 00:31:43,900 But if you take a look to PSA, 836 00:31:45,440 --> 00:31:47,629 you have 82 percent of 837 00:31:47,630 --> 00:31:49,939 the requests that we send, 838 00:31:49,940 --> 00:31:52,879 which were responded correctly 839 00:31:52,880 --> 00:31:55,099 with a slide into the PSA. 840 00:31:55,100 --> 00:31:57,289 So this means that, OK, is 841 00:31:57,290 --> 00:31:59,059 it picture? It's not working anymore. 842 00:31:59,060 --> 00:32:01,249 Let's go to PSA and it's always 843 00:32:01,250 --> 00:32:02,809 like that. You will always find new 844 00:32:02,810 --> 00:32:05,779 vulnerabilities on the Seven 845 00:32:05,780 --> 00:32:08,039 Network to get information 846 00:32:08,040 --> 00:32:08,899 from it. 847 00:32:08,900 --> 00:32:11,929 So really, our goal was to get 848 00:32:11,930 --> 00:32:14,179 an overview statistics because 849 00:32:14,180 --> 00:32:16,639 vulnerabilities we have been 850 00:32:16,640 --> 00:32:18,349 exposed them for years. 
851 00:32:18,350 --> 00:32:20,719 And it's we wanted 852 00:32:20,720 --> 00:32:23,029 to really get an overview, 853 00:32:23,030 --> 00:32:25,099 a worldwide overview 854 00:32:25,100 --> 00:32:27,039 to see that, OK, my PCI. 855 00:32:28,210 --> 00:32:30,279 It's responding, but not so much, but OK, 856 00:32:30,280 --> 00:32:32,409 let's use maps. 857 00:32:32,410 --> 00:32:35,349 By the way, this one, it shows us 858 00:32:35,350 --> 00:32:38,049 some mentality of the operators is that 859 00:32:38,050 --> 00:32:40,659 it has been discussed much earlier. 860 00:32:40,660 --> 00:32:42,999 So now they are looking it's like, 861 00:32:43,000 --> 00:32:43,989 OK, this message is bad. 862 00:32:43,990 --> 00:32:46,479 We just block it. And sadly, 863 00:32:46,480 --> 00:32:48,549 many did not think wider 864 00:32:48,550 --> 00:32:50,799 and think, OK, maybe we should 865 00:32:50,800 --> 00:32:52,899 take this seriously and see what 866 00:32:52,900 --> 00:32:54,699 are the impact of all the messages and, 867 00:32:54,700 --> 00:32:56,919 um, work together with people doing 868 00:32:56,920 --> 00:32:58,899 research in the domain in order to really 869 00:32:58,900 --> 00:33:00,999 have a clean, uh, filtering 870 00:33:01,000 --> 00:33:03,399 on the perimeter boundaries. 871 00:33:03,400 --> 00:33:05,589 So the evolution is that 872 00:33:05,590 --> 00:33:07,659 maybe, uh, ten years ago, AJ 873 00:33:07,660 --> 00:33:09,489 was answering everywhere. 874 00:33:09,490 --> 00:33:10,869 Now it's much reduced. 875 00:33:10,870 --> 00:33:13,749 But PSA that has been less discussed. 876 00:33:13,750 --> 00:33:15,849 Uh, operators are 877 00:33:15,850 --> 00:33:18,159 still widely, uh, vulnerable. 878 00:33:18,160 --> 00:33:20,259 And, um, so basically, 879 00:33:20,260 --> 00:33:22,629 this is A.T.M., 82 880 00:33:22,630 --> 00:33:25,089 percent of the, um, 881 00:33:25,090 --> 00:33:27,249 the operators worldwide answering, 882 00:33:27,250 --> 00:33:29,499 to be exact. 
So it's pretty well. 883 00:33:32,510 --> 00:33:34,279 So one of the recommendations that we 884 00:33:34,280 --> 00:33:36,499 give to operators, it's OK, you should 885 00:33:36,500 --> 00:33:38,869 block it from NATO, that 886 00:33:38,870 --> 00:33:41,089 it's pretty 887 00:33:41,090 --> 00:33:43,279 clear now, but you have two types 888 00:33:43,280 --> 00:33:45,619 of defense, you have the first step 889 00:33:45,620 --> 00:33:47,779 of defense which will be blocking it on 890 00:33:47,780 --> 00:33:49,189 your router. 891 00:33:49,190 --> 00:33:51,049 But the second one will be defense in 892 00:33:51,050 --> 00:33:52,699 depth by blocking it directly on your 893 00:33:52,700 --> 00:33:55,819 HLR, because, for example, maybe 894 00:33:55,820 --> 00:33:58,129 you will deploy another FCP with 895 00:33:58,130 --> 00:34:00,199 and you will forget to 896 00:34:00,200 --> 00:34:02,269 put these rules or maybe the 897 00:34:02,270 --> 00:34:04,459 routine will go will come from a 898 00:34:04,460 --> 00:34:06,679 national interconnection and you don't 899 00:34:06,680 --> 00:34:08,809 have this a filtering rule through 900 00:34:08,810 --> 00:34:09,319 it. 901 00:34:09,320 --> 00:34:11,569 So always the best, 902 00:34:11,570 --> 00:34:13,609 not only on the edge of the network to 903 00:34:13,610 --> 00:34:16,158 put your filtering, but also 904 00:34:16,159 --> 00:34:18,259 to put filtering in depth directly 905 00:34:18,260 --> 00:34:19,260 on your HLR. 906 00:34:20,900 --> 00:34:23,839 Because you can bypass filtering 907 00:34:23,840 --> 00:34:25,939 at the edges if it's not well done, 908 00:34:25,940 --> 00:34:28,099 but the 909 00:34:28,100 --> 00:34:30,109 filtering in depth, it will be harder to do 910 00:34:30,110 --> 00:34:31,039 it. 911 00:34:31,040 --> 00:34:33,198 And one really interesting thing to 912 00:34:33,199 --> 00:34:35,839 do is since we have 913 00:34:35,840 --> 00:34:39,049 ideas, he's also on telecom operators.
914 00:34:39,050 --> 00:34:41,029 We are monitoring Muppet's here is coming 915 00:34:41,030 --> 00:34:41,869 from the international. 916 00:34:41,870 --> 00:34:43,519 And this is really interesting because my 917 00:34:43,520 --> 00:34:45,589 picture is I should never come 918 00:34:45,590 --> 00:34:46,729 from international. 919 00:34:46,730 --> 00:34:48,919 So if you if you see them, 920 00:34:48,920 --> 00:34:51,468 it's like, OK, maybe it's compromise. 921 00:34:51,469 --> 00:34:53,599 Maybe it's coming 922 00:34:53,600 --> 00:34:56,299 from a film that wants to locate 923 00:34:56,300 --> 00:34:59,209 users. So monitoring 924 00:34:59,210 --> 00:35:01,130 my page is really good. 925 00:35:03,970 --> 00:35:06,249 So now 926 00:35:06,250 --> 00:35:07,260 let's take a look. 927 00:35:08,710 --> 00:35:09,880 To the network exposure. 928 00:35:10,930 --> 00:35:14,319 When we take a look to the privacy part. 929 00:35:14,320 --> 00:35:16,389 OK, it's look pretty yellow, but 930 00:35:16,390 --> 00:35:18,189 when we go to network exposure, but. 931 00:35:19,790 --> 00:35:21,919 It's a bit more complicated for four 932 00:35:21,920 --> 00:35:24,379 operators and why, 933 00:35:24,380 --> 00:35:26,089 for example, if we take again the United 934 00:35:26,090 --> 00:35:27,090 States. 935 00:35:28,410 --> 00:35:30,479 Why it's worse than 936 00:35:30,480 --> 00:35:32,669 on network exposure than on 937 00:35:32,670 --> 00:35:34,079 previous rigs. 938 00:35:34,080 --> 00:35:36,509 It's because at the beginning, 939 00:35:36,510 --> 00:35:38,609 a lot of small operators 940 00:35:38,610 --> 00:35:41,009 built the network OK, 941 00:35:41,010 --> 00:35:42,599 but after time. 942 00:35:42,600 --> 00:35:43,600 After time.
943 00:35:45,000 --> 00:35:47,339 One operator bought another and 944 00:35:47,340 --> 00:35:49,769 they grew up like that, but 945 00:35:49,770 --> 00:35:51,839 they like they built a network by buying 946 00:35:51,840 --> 00:35:54,059 other operator in the region 947 00:35:54,060 --> 00:35:56,519 of the United States, but 948 00:35:56,520 --> 00:35:58,799 it's other to to try 949 00:35:58,800 --> 00:36:01,409 to build security when you are 950 00:36:01,410 --> 00:36:03,539 buying new operators than 951 00:36:03,540 --> 00:36:05,159 when you are building your own network 952 00:36:05,160 --> 00:36:06,160 directly. 953 00:36:06,960 --> 00:36:09,119 So it's one reason why 954 00:36:09,120 --> 00:36:11,549 the United States, if you 955 00:36:11,550 --> 00:36:12,779 should take a look to the network 956 00:36:12,780 --> 00:36:15,029 exposure level, you will have 957 00:36:15,030 --> 00:36:17,219 a larger attack surface than 958 00:36:17,220 --> 00:36:18,679 on the previous level. 959 00:36:18,680 --> 00:36:20,909 So and 960 00:36:20,910 --> 00:36:22,799 this it's like you will be able to 961 00:36:22,800 --> 00:36:24,660 directly target network elements. 962 00:36:25,890 --> 00:36:28,109 On the Seven Network 963 00:36:28,110 --> 00:36:30,389 of United States, for example, so 964 00:36:30,390 --> 00:36:32,519 the the idea of this, this 965 00:36:32,520 --> 00:36:35,429 data is for both operators 966 00:36:35,430 --> 00:36:38,039 to see, OK, what's 967 00:36:38,040 --> 00:36:40,349 at first countries to see what the level 968 00:36:40,350 --> 00:36:42,569 of security and also for users 969 00:36:42,570 --> 00:36:44,729 to see, um, for countries 970 00:36:44,730 --> 00:36:45,899 and operators. OK. 
971 00:36:45,900 --> 00:36:48,769 Actually, uh, my country is not 972 00:36:48,770 --> 00:36:50,609 my operator is not taking seriously 973 00:36:51,900 --> 00:36:54,209 the um uh 974 00:36:54,210 --> 00:36:55,919 the the notifications from the uh, the 975 00:36:55,920 --> 00:36:58,079 security community saying there are 976 00:36:58,080 --> 00:36:58,589 problems. 977 00:36:58,590 --> 00:36:59,849 And I said seven, you should take this 978 00:36:59,850 --> 00:37:01,739 seriously because it has impacts on our 979 00:37:01,740 --> 00:37:04,349 privacy. People can track us. 980 00:37:04,350 --> 00:37:06,479 And so it's also in order to 981 00:37:06,480 --> 00:37:08,999 to push this, of course, some operators, 982 00:37:09,000 --> 00:37:11,519 they they have done a great job, 983 00:37:11,520 --> 00:37:14,189 um, at filtering, uh, these messages. 984 00:37:14,190 --> 00:37:16,739 And, uh, they have great internal teams 985 00:37:16,740 --> 00:37:18,269 that understand really all these 986 00:37:18,270 --> 00:37:19,769 problems. But sadly, they are still 987 00:37:19,770 --> 00:37:21,629 majority. So that's why we are still 988 00:37:21,630 --> 00:37:22,409 here. 989 00:37:22,410 --> 00:37:24,929 And doing this can to to bring visibility 990 00:37:24,930 --> 00:37:27,209 on this, uh, on this domain, because 991 00:37:27,210 --> 00:37:29,249 on Internet, when you want to see, for 992 00:37:29,250 --> 00:37:31,349 example, um, you have an 993 00:37:31,350 --> 00:37:33,419 IP, you want to see where, 994 00:37:33,420 --> 00:37:35,819 for example, you had an attack from an IP 995 00:37:35,820 --> 00:37:38,399 and you want to know where is it located. 
996 00:37:38,400 --> 00:37:40,529 You can wonder who is, uh, you have, 997 00:37:40,530 --> 00:37:42,269 uh, many buttons underneath that are 998 00:37:42,270 --> 00:37:44,519 scanning and that are reporting, okay, 999 00:37:44,520 --> 00:37:46,769 this is part of this and it has been 1000 00:37:46,770 --> 00:37:48,569 a signal for these problems and these 1001 00:37:48,570 --> 00:37:50,069 problems are unnecessary and you don't 1002 00:37:50,070 --> 00:37:52,109 have that. So what we want is to make the 1003 00:37:52,110 --> 00:37:54,239 cartography of the Seven 1004 00:37:54,240 --> 00:37:56,549 Network in order to bring visibility 1005 00:37:56,550 --> 00:37:58,569 to operators to be able to to react 1006 00:37:58,570 --> 00:38:00,149 actually when there is a problem. 1007 00:38:00,150 --> 00:38:01,949 So that's another goal of, uh, of this 1008 00:38:01,950 --> 00:38:02,950 project. 1009 00:38:10,260 --> 00:38:12,869 So now on network exposure, 1010 00:38:12,870 --> 00:38:14,999 we have less messages, but 1011 00:38:15,000 --> 00:38:17,729 we are still like a large part of 1012 00:38:17,730 --> 00:38:18,719 my messages. 1013 00:38:18,720 --> 00:38:21,689 So as a result, yes, 1014 00:38:21,690 --> 00:38:24,029 as a referendum here, 1015 00:38:24,030 --> 00:38:26,099 this four messages 1016 00:38:26,100 --> 00:38:27,100 that will give us. 1017 00:38:28,320 --> 00:38:30,689 The messenger 1018 00:38:30,690 --> 00:38:32,849 of your logic is so 1019 00:38:32,850 --> 00:38:34,349 interesting to know, because you will 1020 00:38:34,350 --> 00:38:36,569 have already a real 1021 00:38:36,570 --> 00:38:39,269 justice, real justice 1022 00:38:39,270 --> 00:38:41,369 inside the ranges of the production 1023 00:38:41,370 --> 00:38:42,370 network. 1024 00:38:43,190 --> 00:38:45,319 You have my office, send it 1025 00:38:45,320 --> 00:38:47,419 on vacation for Winmar, send it on 1026 00:38:47,420 --> 00:38:48,770 vacation in full because. 
1027 00:38:49,810 --> 00:38:52,389 It's one of those with the 1028 00:38:52,390 --> 00:38:54,639 most like you 1029 00:38:54,640 --> 00:38:57,549 get you get one of the messages 1030 00:38:57,550 --> 00:38:59,909 where you get the most of 1031 00:38:59,910 --> 00:39:00,910 the 1032 00:39:02,290 --> 00:39:03,309 most responses. 1033 00:39:03,310 --> 00:39:05,529 So you are almost sure that 1034 00:39:05,530 --> 00:39:07,659 when you send a essay, you 1035 00:39:07,660 --> 00:39:09,110 will get Rachel LGT back. 1036 00:39:10,310 --> 00:39:12,659 OK, and the last one is 1037 00:39:12,660 --> 00:39:13,639 the CAT scan. 1038 00:39:13,640 --> 00:39:15,769 So this one, it's we 1039 00:39:15,770 --> 00:39:18,079 we develop it ourselves. 1040 00:39:18,080 --> 00:39:21,349 It's sending specifically 1041 00:39:21,350 --> 00:39:23,539 crafted to get messages to be 1042 00:39:23,540 --> 00:39:26,079 able to to scan 1043 00:39:26,080 --> 00:39:28,399 GYTIS in large ranges 1044 00:39:28,400 --> 00:39:30,649 by incrementing on the Gytis, but 1045 00:39:30,650 --> 00:39:32,869 also on the essence because it 1046 00:39:32,870 --> 00:39:35,389 sends are like teapots 1047 00:39:35,390 --> 00:39:37,159 and for example, folds, which allows us 1048 00:39:37,160 --> 00:39:39,499 to send the number six for VLA 1049 00:39:39,500 --> 00:39:41,149 on Mzee seven and eight. 1050 00:39:41,150 --> 00:39:43,309 So every network element will have 1051 00:39:43,310 --> 00:39:45,529 its own SSN. So if you want to discover 1052 00:39:45,530 --> 00:39:47,779 all, then it is a seven network. 1053 00:39:47,780 --> 00:39:49,999 You will have to to to start doing 1054 00:39:50,000 --> 00:39:52,069 things like that and you 1055 00:39:52,070 --> 00:39:54,289 will have two responses on the CAT scan 1056 00:39:54,290 --> 00:39:56,899 or to get a boat or nothing 1057 00:39:56,900 --> 00:39:58,759 to get about, which means usually that 1058 00:39:58,760 --> 00:40:00,429 there is something behind the. 
1059 00:40:03,920 --> 00:40:06,649 So a little recap also 1060 00:40:06,650 --> 00:40:08,749 on the on the network 1061 00:40:08,750 --> 00:40:11,479 exposure, where we got 1062 00:40:11,480 --> 00:40:13,549 the most responses that she kept 1063 00:40:13,550 --> 00:40:15,619 scanning because it's 1064 00:40:15,620 --> 00:40:18,229 like we can go for large ranges, 1065 00:40:18,230 --> 00:40:19,230 really useful. 1066 00:40:22,290 --> 00:40:23,290 And now. 1067 00:40:25,030 --> 00:40:27,459 Erico Bond is 1068 00:40:27,460 --> 00:40:30,669 I'm sorry. 1069 00:40:30,670 --> 00:40:32,739 So, um, as 1070 00:40:32,740 --> 00:40:34,899 we, uh, as we discussed, there has 1071 00:40:34,900 --> 00:40:36,999 been, um, I mean, 1072 00:40:37,000 --> 00:40:39,279 it's a seven is, uh, is is 1073 00:40:39,280 --> 00:40:41,409 being looked at for many years, uh, 1074 00:40:41,410 --> 00:40:43,149 since 2007. 1075 00:40:43,150 --> 00:40:45,579 Um, one of the first public presentation 1076 00:40:45,580 --> 00:40:47,949 up to now, 2014, there 1077 00:40:47,950 --> 00:40:49,869 has been a more and more presentation 1078 00:40:49,870 --> 00:40:52,559 because this year it's a presentation 1079 00:40:52,560 --> 00:40:55,059 on the subject and um 1080 00:40:56,620 --> 00:40:58,929 and it's the twenty years of technology. 1081 00:40:58,930 --> 00:41:00,099 So, um, 1082 00:41:01,900 --> 00:41:04,809 the the actually the 1083 00:41:04,810 --> 00:41:06,879 division on this network is coming now, 1084 00:41:06,880 --> 00:41:08,589 but it's really an old network. 1085 00:41:08,590 --> 00:41:10,749 Um, and what is happening, for 1086 00:41:10,750 --> 00:41:12,550 example, we scatter before. 1087 00:41:14,570 --> 00:41:17,029 It will be foreshortening with Tillicum 1088 00:41:17,030 --> 00:41:19,529 because it's an upscale network, 1089 00:41:19,530 --> 00:41:21,469 but more and more people are discovering 1090 00:41:21,470 --> 00:41:22,470 it. So. 
1091 00:41:24,320 --> 00:41:26,569 So we make a quick recap of the of 1092 00:41:26,570 --> 00:41:29,059 the various presentation, um, 1093 00:41:29,060 --> 00:41:31,159 and from all the on the 1094 00:41:31,160 --> 00:41:33,709 net were able to together statistics, 1095 00:41:33,710 --> 00:41:35,839 um, for 1096 00:41:35,840 --> 00:41:38,330 worldwide exposure of operators 1097 00:41:39,350 --> 00:41:42,079 to be able to see, for example, 1098 00:41:42,080 --> 00:41:44,299 the location of a subscriber worldwide, 1099 00:41:44,300 --> 00:41:46,369 uh, how many percent of operators of 1100 00:41:46,370 --> 00:41:48,559 mineable and, uh, for the 1101 00:41:48,560 --> 00:41:50,399 call interception. 1102 00:41:50,400 --> 00:41:52,699 Um, also how many operators 1103 00:41:52,700 --> 00:41:54,889 are able to see how much work 1104 00:41:54,890 --> 00:41:56,809 needs to be done still. 1105 00:41:56,810 --> 00:41:58,879 And uh, thanks to 1106 00:41:58,880 --> 00:42:00,949 all this, can we are able to 1107 00:42:00,950 --> 00:42:03,569 to see this and to see the evolution. 1108 00:42:03,570 --> 00:42:06,019 Um, so from now on we have a base 1109 00:42:06,020 --> 00:42:07,099 of results. 1110 00:42:07,100 --> 00:42:09,709 And with, uh, 1111 00:42:09,710 --> 00:42:11,899 with running the scan continuously, we'll 1112 00:42:11,900 --> 00:42:13,969 be able to see what's the evolution 1113 00:42:13,970 --> 00:42:16,249 of all the, um, the the roaming 1114 00:42:16,250 --> 00:42:17,749 infrastructure ecosystem. 1115 00:42:17,750 --> 00:42:20,089 And this is really huge because 1116 00:42:20,090 --> 00:42:22,159 you see that 72 1117 00:42:22,160 --> 00:42:24,379 percent of operators that we scale, that 1118 00:42:24,380 --> 00:42:26,659 we scan, they were vulnerable 1119 00:42:26,660 --> 00:42:28,279 to precise location. 1120 00:42:28,280 --> 00:42:30,469 So it's getting the same idea or getting 1121 00:42:30,470 --> 00:42:33,289 rid of a subscriber. 
1122 00:42:33,290 --> 00:42:35,389 So this means that there 1123 00:42:35,390 --> 00:42:38,269 is a lot of companies doing, um, 1124 00:42:38,270 --> 00:42:39,289 doing tracking. 1125 00:42:39,290 --> 00:42:41,659 But if you get any, uh, 1126 00:42:41,660 --> 00:42:44,689 S7 access, even with an interest, 1127 00:42:44,690 --> 00:42:47,479 not in a R21 1128 00:42:47,480 --> 00:42:50,599 ranges, you will be able also 1129 00:42:50,600 --> 00:42:52,849 to do precise location of subscriber 1130 00:42:52,850 --> 00:42:55,009 on seventy two percent 1131 00:42:55,010 --> 00:42:56,420 of operators. 1132 00:42:57,440 --> 00:42:59,929 OK. And for the good interception, 1133 00:42:59,930 --> 00:43:02,389 like 66 percent of the operators, 1134 00:43:02,390 --> 00:43:04,579 it's huge because it means that from 1135 00:43:04,580 --> 00:43:06,439 the international you will be able to 1136 00:43:06,440 --> 00:43:08,030 intercept records of anyone. 1137 00:43:09,910 --> 00:43:11,529 So from our point of view, it's good 1138 00:43:11,530 --> 00:43:13,449 because we see that actually security is 1139 00:43:13,450 --> 00:43:14,829 bad, that from the perspective of the 1140 00:43:14,830 --> 00:43:16,899 operator, it's good also because it can 1141 00:43:16,900 --> 00:43:18,999 see the explosion change in 1142 00:43:19,000 --> 00:43:21,609 the time and see publicly that, 1143 00:43:21,610 --> 00:43:23,259 OK, people see that actually things are 1144 00:43:23,260 --> 00:43:25,509 moving on and things are changing for our 1145 00:43:25,510 --> 00:43:26,319 security. 1146 00:43:26,320 --> 00:43:28,810 And that sort of changes don't go 1147 00:43:30,520 --> 00:43:31,520 then go unnoticed. 1148 00:43:33,280 --> 00:43:35,409 So this project is still 1149 00:43:35,410 --> 00:43:37,029 in the research phase. 1150 00:43:37,030 --> 00:43:38,799 So we really a website with only 1151 00:43:38,800 --> 00:43:39,909 countries. 
1152 00:43:39,910 --> 00:43:41,559 There are things that we are going to to 1153 00:43:41,560 --> 00:43:43,929 improve, um, like 1154 00:43:43,930 --> 00:43:46,839 ratings and 1155 00:43:46,840 --> 00:43:49,509 also mapping more kind of abilities. 1156 00:43:49,510 --> 00:43:50,829 We saw that on the map. 1157 00:43:50,830 --> 00:43:54,009 Some are to be announced, for example, 1158 00:43:54,010 --> 00:43:56,709 and also giving a vision on the evolution 1159 00:43:56,710 --> 00:43:58,779 on, uh, of the security of these 1160 00:43:58,780 --> 00:44:00,129 networks. 1161 00:44:00,130 --> 00:44:02,319 And of course, also what will be very 1162 00:44:02,320 --> 00:44:04,329 interesting is to develop partnership 1163 00:44:04,330 --> 00:44:06,639 with the operators in order to get more 1164 00:44:06,640 --> 00:44:08,769 different vision on the network, 1165 00:44:08,770 --> 00:44:11,049 because as we saw, the network is very 1166 00:44:11,050 --> 00:44:13,419 diverse. There are many oddities. 1167 00:44:13,420 --> 00:44:15,519 So the more, um, point 1168 00:44:15,520 --> 00:44:18,129 of views we have on the network, 1169 00:44:18,130 --> 00:44:20,229 the more vision and the 1170 00:44:20,230 --> 00:44:22,359 more quality result will be able to to 1171 00:44:22,360 --> 00:44:25,759 give back then to operators in order to 1172 00:44:25,760 --> 00:44:27,909 to better describe this network, 1173 00:44:27,910 --> 00:44:30,729 basically, because, uh, now 1174 00:44:30,730 --> 00:44:32,889 it's very upscale for 1175 00:44:32,890 --> 00:44:33,039 them. 1176 00:44:33,040 --> 00:44:35,509 And we have like three interconnections 1177 00:44:35,510 --> 00:44:36,519 through different operate. 
1178 00:44:36,520 --> 00:44:38,679 Also, it's really interesting already 1179 00:44:38,680 --> 00:44:41,199 for us to to get the differences between 1180 00:44:41,200 --> 00:44:43,689 the, uh, the three interconnections, 1181 00:44:43,690 --> 00:44:45,819 but with more interconnections, we will 1182 00:44:45,820 --> 00:44:48,219 get more results since we 1183 00:44:48,220 --> 00:44:50,499 maybe don't get all the responses 1184 00:44:50,500 --> 00:44:52,089 because we don't have all the roaming 1185 00:44:52,090 --> 00:44:53,739 agreements with a good 1186 00:44:54,940 --> 00:44:56,289 operator also. 1187 00:44:56,290 --> 00:44:58,359 Yet we are open to partnership with 1188 00:44:58,360 --> 00:44:59,360 new operators. 1189 00:45:01,210 --> 00:45:03,609 And, uh, then, of course, 1190 00:45:03,610 --> 00:45:06,129 so we talked about SS7, uh, 1191 00:45:06,130 --> 00:45:08,559 now operators are interconnecting 1192 00:45:08,560 --> 00:45:11,019 Falchi using, um, 1193 00:45:11,020 --> 00:45:12,249 using Diameter. 1194 00:45:12,250 --> 00:45:14,529 So the next 1195 00:45:14,530 --> 00:45:16,689 step is, of course, a Diameter map that 1196 00:45:16,690 --> 00:45:18,549 will be mapping the roaming 1197 00:45:18,550 --> 00:45:20,619 infrastructure, but not just the SS7 one, 1198 00:45:20,620 --> 00:45:22,929 but the LTE one 1199 00:45:25,180 --> 00:45:26,439 and LTE. 1200 00:45:26,440 --> 00:45:27,440 LTE is it. 1201 00:45:28,340 --> 00:45:30,529 It's a bit better 1202 00:45:30,530 --> 00:45:32,929 than SS7, but still there is a lot of 1203 00:45:32,930 --> 00:45:35,179 beaches that have been pushed from seven 1204 00:45:35,180 --> 00:45:37,669 to eight, and 1205 00:45:37,670 --> 00:45:40,459 this work, it's still, uh, 1206 00:45:40,460 --> 00:45:42,229 it's still in progress for us. 1207 00:45:42,230 --> 00:45:44,359 And we are doing a lot of, uh, 1208 00:45:44,360 --> 00:45:45,799 a lot of work on LTE.
1209 00:45:45,800 --> 00:45:47,989 So we will we will announce 1210 00:45:47,990 --> 00:45:50,029 during this hearing you use things on 1211 00:45:50,030 --> 00:45:52,099 LTE because, uh, 1212 00:45:52,100 --> 00:45:54,259 one thing that we see on that, 1213 00:45:54,260 --> 00:45:56,059 all the people that learned from all 1214 00:45:56,060 --> 00:45:58,279 these roaming, uh, kind 1215 00:45:58,280 --> 00:46:01,369 of culture, uh, in the operators, 1216 00:46:01,370 --> 00:46:03,799 sometimes they are not put in the new 1217 00:46:03,800 --> 00:46:06,019 roaming, uh, teams 1218 00:46:06,020 --> 00:46:07,729 that are handling the, uh, the 1219 00:46:07,730 --> 00:46:09,799 operational, uh, side of the 1220 00:46:09,800 --> 00:46:12,079 the Altiero so that 1221 00:46:12,080 --> 00:46:14,279 it's more IP guys that are put with the 1222 00:46:14,280 --> 00:46:15,929 Diameter protocols. 1223 00:46:15,930 --> 00:46:18,049 OK, but, uh, the guys that learned 1224 00:46:18,050 --> 00:46:20,119 a lot from SS7 and roaming, they 1225 00:46:20,120 --> 00:46:22,129 are not, uh, transferring the knowledge 1226 00:46:22,130 --> 00:46:24,229 to the Diameter to the guys that 1227 00:46:24,230 --> 00:46:26,079 will handle the Diameter then. 1228 00:46:26,080 --> 00:46:28,309 And, uh, all the logical aspects 1229 00:46:28,310 --> 00:46:30,599 of SS7 are kind of transfer 1230 00:46:30,600 --> 00:46:32,749 to Diameter. So the attacks logically 1231 00:46:32,750 --> 00:46:34,819 are the many attacks are 1232 00:46:34,820 --> 00:46:36,089 logically the same. 1233 00:46:36,090 --> 00:46:38,359 So that's one 1234 00:46:38,360 --> 00:46:40,459 bad point that we know 1235 00:46:40,460 --> 00:46:41,840 that it's another subject. 1236 00:46:43,640 --> 00:46:45,409 OK, thank you for your attention. 1237 00:46:45,410 --> 00:46:47,869 Uh, so this map is online, 1238 00:46:47,870 --> 00:46:49,459 uh, right now at this
1239 00:46:49,460 --> 00:46:51,629 URL. And if you have questions, we have, 1240 00:46:51,630 --> 00:46:54,529 um, mailing list, um, 1241 00:46:54,530 --> 00:46:55,530 also available 1242 00:46:56,590 --> 00:46:58,030 access, but. 1243 00:47:06,770 --> 00:47:09,049 If you have any questions, please do line 1244 00:47:09,050 --> 00:47:11,059 up at the four microphones that we have 1245 00:47:11,060 --> 00:47:12,060 here. 1246 00:47:12,860 --> 00:47:15,019 What I know for sure, we have at 1247 00:47:15,020 --> 00:47:17,539 least one question from our signal in 1248 00:47:17,540 --> 00:47:19,669 relaying questions from IRC. Signal 1249 00:47:19,670 --> 00:47:20,670 Angel, please. 1250 00:47:23,060 --> 00:47:25,789 Microphone. Yeah. OK, so, um, 1251 00:47:25,790 --> 00:47:27,459 we have one question. 1252 00:47:27,460 --> 00:47:30,259 Last remark from the IRC right now. 1253 00:47:30,260 --> 00:47:32,089 First I say it's very good work. 1254 00:47:32,090 --> 00:47:34,159 You mentioned earlier that your probe, 1255 00:47:34,160 --> 00:47:36,529 um, was in partnership with an operator. 1256 00:47:36,530 --> 00:47:38,569 Um, what are your strategies for opening 1257 00:47:38,570 --> 00:47:40,550 new or expanding existing partnerships? 1258 00:47:41,570 --> 00:47:43,699 So we can you can you repeat, please, 1259 00:47:43,700 --> 00:47:45,889 if you are leaving right now, please do 1260 00:47:45,890 --> 00:47:47,929 so quietly. 1261 00:47:47,930 --> 00:47:50,179 Yeah. First they said that 1262 00:47:50,180 --> 00:47:51,649 you did really good work. 1263 00:47:51,650 --> 00:47:54,709 Um, thanks.
Then they ask, um, 1264 00:47:54,710 --> 00:47:56,899 you did your probes in cooperation 1265 00:47:56,900 --> 00:47:59,209 with some operator and if 1266 00:47:59,210 --> 00:48:01,609 you have any plans or strategies for 1267 00:48:01,610 --> 00:48:03,679 getting new partnerships, are 1268 00:48:03,680 --> 00:48:05,390 extending your collaboration 1269 00:48:06,590 --> 00:48:08,779 to expand our collaboration is the best 1270 00:48:08,780 --> 00:48:09,469 way to do it. 1271 00:48:09,470 --> 00:48:11,629 It's like operators. 1272 00:48:11,630 --> 00:48:14,689 They want to be more secure on what we 1273 00:48:14,690 --> 00:48:16,699 what we are offering to them. 1274 00:48:16,700 --> 00:48:19,609 It's to to work with them 1275 00:48:19,610 --> 00:48:21,679 in a real partnership to allow 1276 00:48:21,680 --> 00:48:24,479 them to get more secure and, 1277 00:48:24,480 --> 00:48:26,809 uh, by by 1278 00:48:26,810 --> 00:48:28,909 helping us to scan the 1279 00:48:28,910 --> 00:48:31,969 network, we help them also 1280 00:48:31,970 --> 00:48:34,039 by, like, giving 1281 00:48:34,040 --> 00:48:36,049 them the information that we get from the 1282 00:48:36,050 --> 00:48:38,179 scan to improve their security, 1283 00:48:38,180 --> 00:48:40,519 for example, when they have an issue 1284 00:48:40,520 --> 00:48:42,739 and they have one that they don't find 1285 00:48:42,740 --> 00:48:46,399 as a source of an attack, um, 1286 00:48:46,400 --> 00:48:48,829 we can come and help and see 1287 00:48:48,830 --> 00:48:51,139 can we find this in the 1288 00:48:51,140 --> 00:48:52,909 in this in the scans. 1289 00:48:52,910 --> 00:48:55,249 And then we develop uh, we discuss 1290 00:48:55,250 --> 00:48:57,169 with us and we react on this. 
1291 00:48:57,170 --> 00:48:59,479 And also then if they are 1292 00:48:59,480 --> 00:49:01,669 OK to partnership with, uh, 1293 00:49:01,670 --> 00:49:03,799 with us, we go and validate all 1294 00:49:03,800 --> 00:49:06,589 this probe that is sending messages 1295 00:49:06,590 --> 00:49:08,509 with them and we show how it works and 1296 00:49:08,510 --> 00:49:11,299 how it will improve their vision 1297 00:49:11,300 --> 00:49:13,549 on their own network and on the 1298 00:49:13,550 --> 00:49:15,769 network worldwide, because usually it's 1299 00:49:15,770 --> 00:49:18,259 already a huge step for them. 1300 00:49:18,260 --> 00:49:20,539 When we give them 1301 00:49:20,540 --> 00:49:22,639 a map of their own network, 1302 00:49:22,640 --> 00:49:24,289 they're like, oh, my networks look like 1303 00:49:24,290 --> 00:49:26,449 that. Um, OK. 1304 00:49:26,450 --> 00:49:28,279 They are managing the network, but they 1305 00:49:28,280 --> 00:49:30,379 don't even know how it looks 1306 00:49:30,380 --> 00:49:32,769 like on a real map 1307 00:49:32,770 --> 00:49:34,609 there because there are no tools. 1308 00:49:34,610 --> 00:49:36,679 It's not like IP, uh, like you 1309 00:49:36,680 --> 00:49:39,049 can run and mapping the network 1310 00:49:39,050 --> 00:49:41,179 here. You need to have some tools because 1311 00:49:41,180 --> 00:49:42,619 the protocols, everything is custom. 1312 00:49:42,620 --> 00:49:45,049 So it's really uh, it's really 1313 00:49:45,050 --> 00:49:48,259 some stuff that we, we uh 1314 00:49:48,260 --> 00:49:49,260 we we give 1315 00:49:51,260 --> 00:49:53,599 we provide to operators. 1316 00:49:53,600 --> 00:49:55,369 OK, thank you for your very detailed 1317 00:49:55,370 --> 00:49:56,509 answer. 1318 00:49:56,510 --> 00:49:59,029 Microphone number four, please. 1319 00:49:59,030 --> 00:49:59,809 Uh, hello. 
1320 00:49:59,810 --> 00:50:01,879 Uh, you said about the GRX network 1321 00:50:01,880 --> 00:50:04,249 that, uh, you can find, 1322 00:50:04,250 --> 00:50:06,499 um, IP ranges in the public 1323 00:50:06,500 --> 00:50:08,629 Internet, so, uh, then you 1324 00:50:08,630 --> 00:50:10,489 can scan them and maybe find some 1325 00:50:10,490 --> 00:50:11,879 vulnerabilities. 1326 00:50:11,880 --> 00:50:14,059 Uh, when I work for 1327 00:50:14,060 --> 00:50:16,279 a telco, in our case, this range was 1328 00:50:16,280 --> 00:50:18,439 used for 3G customers and, 1329 00:50:18,440 --> 00:50:20,539 uh, range it was the 1330 00:50:20,540 --> 00:50:22,579 same as for the GRX. 1331 00:50:22,580 --> 00:50:24,649 So it was like routed, different 1332 00:50:24,650 --> 00:50:26,989 thing. So even if you scan this 1333 00:50:26,990 --> 00:50:29,509 GRX, you know, 1334 00:50:29,510 --> 00:50:31,909 GRX network, you are just scanning 1335 00:50:31,910 --> 00:50:33,979 our customers and you're not 1336 00:50:33,980 --> 00:50:36,349 getting any real, uh, vulnerability 1337 00:50:36,350 --> 00:50:37,249 data. 1338 00:50:37,250 --> 00:50:39,649 So just to notice and 1339 00:50:39,650 --> 00:50:42,049 we decided maybe it's a better idea to 1340 00:50:42,050 --> 00:50:44,239 to not not to use this range 1341 00:50:44,240 --> 00:50:46,279 for our customers. 1342 00:50:46,280 --> 00:50:48,469 And, uh, are you providing 1343 00:50:48,470 --> 00:50:50,569 the data from your scan for free 1344 00:50:50,570 --> 00:50:52,129 to the telcos? 1345 00:50:52,130 --> 00:50:53,869 Ah, to the telcos? 1346 00:50:53,870 --> 00:50:56,059 We are giving, uh, statistics 1347 00:50:56,060 --> 00:50:58,249 on their own network, but not through 1348 00:50:58,250 --> 00:51:00,349 data. We can discuss about that with 1349 00:51:00,350 --> 00:51:02,479 them directly to to to 1350 00:51:02,480 --> 00:51:03,889 give to give them more details. 1351 00:51:03,890 --> 00:51:05,929 No problem about that.
1352 00:51:05,930 --> 00:51:08,509 But through to for your remark, 1353 00:51:08,510 --> 00:51:10,579 for example, uh, when you see 1354 00:51:10,580 --> 00:51:12,799 the KPN talk, I keep 1355 00:51:12,800 --> 00:51:15,259 the books I sell them this year 1356 00:51:15,260 --> 00:51:17,779 they disclosed, uh, scanning 1357 00:51:17,780 --> 00:51:19,879 of the GRX network and they found 1358 00:51:19,880 --> 00:51:22,029 like thousands of, uh, 1359 00:51:22,030 --> 00:51:24,229 of IP ports 1360 00:51:24,230 --> 00:51:26,379 open like a major, 1361 00:51:26,380 --> 00:51:28,609 uh, DNS 1362 00:51:28,610 --> 00:51:30,829 servers, IP 1363 00:51:30,830 --> 00:51:32,779 of this GRX public. 1364 00:51:32,780 --> 00:51:34,789 Uh, yeah. It's GRX public IPs. 1365 00:51:34,790 --> 00:51:37,629 So maybe your network, you're doing 1366 00:51:37,630 --> 00:51:39,739 you are doing it properly, but 1367 00:51:39,740 --> 00:51:41,719 a lot of networks are not doing it 1368 00:51:41,720 --> 00:51:42,529 properly. 1369 00:51:42,530 --> 00:51:44,259 Uh, one one last question. 1370 00:51:44,260 --> 00:51:46,549 Do you know about malicious GTs 1371 00:51:46,550 --> 00:51:49,099 already like the malicious sources 1372 00:51:49,100 --> 00:51:51,199 of this scanning? 1373 00:51:51,200 --> 00:51:52,399 Uh, yes, we are. 1374 00:51:52,400 --> 00:51:54,709 Uh, so this is mainly from, uh, 1375 00:51:54,710 --> 00:51:56,749 feedback from operators, because when you 1376 00:51:56,750 --> 00:51:58,939 scan actively you won't see 1377 00:51:58,940 --> 00:52:00,829 GTs that are attacking because it's, 1378 00:52:00,830 --> 00:52:03,049 uh, it's an active scan. 1379 00:52:03,050 --> 00:52:05,779 So this data, the. 1380 00:52:05,780 --> 00:52:07,679 It's from attack reports from abroad. 1381 00:52:07,680 --> 00:52:09,259 So this is different from a sense of 1382 00:52:09,260 --> 00:52:10,129 humor. 1383 00:52:10,130 --> 00:52:12,619 Thank you.
And we have also and I guess, 1384 00:52:12,620 --> 00:52:14,719 uh, Entercom running, which 1385 00:52:14,720 --> 00:52:17,239 is giving us, uh, feedback, 1386 00:52:17,240 --> 00:52:18,859 like, for example, attacks coming from 1387 00:52:18,860 --> 00:52:19,639 international. 1388 00:52:19,640 --> 00:52:20,989 So this will be more fitted. 1389 00:52:20,990 --> 00:52:23,029 But this is not for this one. 1390 00:52:23,030 --> 00:52:25,399 The direction of, uh, of 1391 00:52:25,400 --> 00:52:26,510 GTs that are malicious 1392 00:52:27,980 --> 00:52:29,419 microphone number two, please. 1393 00:52:29,420 --> 00:52:31,219 Yeah, just a short one. 1394 00:52:31,220 --> 00:52:32,869 Do you have the German data set with you? 1395 00:52:32,870 --> 00:52:34,639 Could you could you give us a sneak 1396 00:52:34,640 --> 00:52:36,079 preview maybe or something. 1397 00:52:36,080 --> 00:52:38,359 But yours is quite interesting, 1398 00:52:38,360 --> 00:52:40,309 but I'm more interested in actually a 1399 00:52:40,310 --> 00:52:41,839 European country or something. 1400 00:52:41,840 --> 00:52:42,840 Of course. 1401 00:52:43,400 --> 00:52:44,400 Thank you. 1402 00:52:46,880 --> 00:52:49,159 So for Germany, 1403 00:52:49,160 --> 00:52:51,319 for example, we 1404 00:52:51,320 --> 00:52:53,899 got four operators. 1405 00:52:53,900 --> 00:52:56,179 So this is the coverage that 1406 00:52:56,180 --> 00:52:57,949 we have. Sometimes we don't scan all the 1407 00:52:57,950 --> 00:53:00,559 operators of the of the country 1408 00:53:00,560 --> 00:53:02,489 here. We have all of them. 1409 00:53:04,190 --> 00:53:06,649 So for the privacy part, 1410 00:53:06,650 --> 00:53:07,650 it was pretty good. 1411 00:53:08,840 --> 00:53:10,670 But the network exposure, 1412 00:53:11,980 --> 00:53:14,359 it was it is there is still 1413 00:53:14,360 --> 00:53:15,859 improvement to do so.
1414 00:53:15,860 --> 00:53:18,139 Privacy bugs are blocking a lot of, uh, 1415 00:53:18,140 --> 00:53:19,459 a lot of messages. 1416 00:53:19,460 --> 00:53:21,739 So, for example, I said Guston 1417 00:53:21,740 --> 00:53:23,119 and and Antonia's. 1418 00:53:23,120 --> 00:53:25,959 But all the messages are not working then 1419 00:53:25,960 --> 00:53:29,029 and yet that, 1420 00:53:29,030 --> 00:53:31,069 uh, it's important to keep in mind that 1421 00:53:31,070 --> 00:53:34,389 it's still in progress, uh, 1422 00:53:34,390 --> 00:53:36,899 in progress. Um, uh, project. 1423 00:53:36,900 --> 00:53:39,049 So we will improve our scanner 1424 00:53:39,050 --> 00:53:40,129 on all hours. 1425 00:53:40,130 --> 00:53:42,439 Canonge. So the goal is to bypass 1426 00:53:42,440 --> 00:53:44,599 all the protections also because we learn 1427 00:53:44,600 --> 00:53:46,469 every time how they protect the network. 1428 00:53:46,470 --> 00:53:48,859 So we try to bypass it to get 1429 00:53:48,860 --> 00:53:51,059 vulnerabilities on the networks 1430 00:53:51,060 --> 00:53:52,069 on. Yep. 1431 00:53:52,070 --> 00:53:54,109 So we here quickly here, the number two, 1432 00:53:55,190 --> 00:53:57,559 for example, it means two different 1433 00:53:57,560 --> 00:53:58,569 messages. 1434 00:53:58,570 --> 00:54:00,769 We are allowing an 1435 00:54:00,770 --> 00:54:03,229 attacker to to get subscriber 1436 00:54:03,230 --> 00:54:04,459 location. 1437 00:54:04,460 --> 00:54:07,609 So this means that in Germany, um, 1438 00:54:07,610 --> 00:54:09,739 their operators there is a mean of 1439 00:54:09,740 --> 00:54:11,929 two messages that allows someone 1440 00:54:11,930 --> 00:54:14,029 to to get the location of, 1441 00:54:14,030 --> 00:54:16,519 uh, of the subscribers of the operators. 1442 00:54:16,520 --> 00:54:17,989 So that's not good. 1443 00:54:17,990 --> 00:54:19,159 That's why it's in red. 
1444 00:54:19,160 --> 00:54:21,259 So we have a color, uh, 1445 00:54:21,260 --> 00:54:22,339 clause on this. 1446 00:54:22,340 --> 00:54:23,929 So when it's ready, it means pretty bad. 1447 00:54:23,930 --> 00:54:26,419 When it's, uh, yellow, it means 1448 00:54:26,420 --> 00:54:28,729 it's bad, but, uh, 1449 00:54:28,730 --> 00:54:30,199 it's not uh. 1450 00:54:30,200 --> 00:54:32,419 So of course, the ratings are 1451 00:54:32,420 --> 00:54:33,949 relative to other operators. 1452 00:54:33,950 --> 00:54:36,109 We could not put everyone in, uh, 1453 00:54:36,110 --> 00:54:37,129 in red, which is bad. 1454 00:54:37,130 --> 00:54:38,869 So it's kind of adaptive. 1455 00:54:38,870 --> 00:54:40,519 And we are waiting also for feedback. 1456 00:54:40,520 --> 00:54:42,289 But I trust 1457 00:54:43,500 --> 00:54:45,229 the data that that you're here. 1458 00:54:45,230 --> 00:54:47,689 We can discuss it if you're, uh, 1459 00:54:47,690 --> 00:54:48,690 if you have also 1460 00:54:49,850 --> 00:54:51,859 microphone number four, please. 1461 00:54:51,860 --> 00:54:54,079 Hello. Um, uh, you talked 1462 00:54:54,080 --> 00:54:56,629 about, uh, exposure of subscriber 1463 00:54:56,630 --> 00:54:58,699 data, but 1464 00:54:58,700 --> 00:55:01,099 it's also, uh, exposure 1465 00:55:01,100 --> 00:55:03,199 of network data, like, could 1466 00:55:03,200 --> 00:55:05,479 you, um, count 1467 00:55:05,480 --> 00:55:06,929 the number of subscribers? 1468 00:55:06,930 --> 00:55:07,930 Uh. 1469 00:55:09,590 --> 00:55:11,899 So there is exposure of, uh, 1470 00:55:11,900 --> 00:55:14,329 network topology that 1471 00:55:14,330 --> 00:55:16,609 so, uh, when 1472 00:55:16,610 --> 00:55:18,739 we when I talk to about the 1473 00:55:18,740 --> 00:55:20,779 ratings, I talk to about two main 1474 00:55:20,780 --> 00:55:22,909 categories, privacy level that 1475 00:55:22,910 --> 00:55:25,519 is here and network exposure level 1476 00:55:25,520 --> 00:55:26,389 that is here. 
1477 00:55:26,390 --> 00:55:29,899 So those are the two main categories. 1478 00:55:29,900 --> 00:55:32,029 And then you have scores 1479 00:55:32,030 --> 00:55:33,709 so far, network exposure level. 1480 00:55:33,710 --> 00:55:35,809 We have the SICP 1481 00:55:35,810 --> 00:55:37,840 attack phase, which is, um, 1482 00:55:38,990 --> 00:55:41,089 which is the, um, basically 1483 00:55:41,090 --> 00:55:42,829 the number of network elements that we 1484 00:55:42,830 --> 00:55:43,830 are able to discover 1485 00:55:45,080 --> 00:55:47,149 and then the fact that whether we 1486 00:55:47,150 --> 00:55:49,339 were able to fingerprint it or not. 1487 00:55:49,340 --> 00:55:50,420 So that's the second one. 1488 00:55:51,660 --> 00:55:54,079 And then we have potential change 1489 00:55:54,080 --> 00:55:57,109 of, uh, prepaid postpaid status. 1490 00:55:57,110 --> 00:55:58,069 That means that. 1491 00:55:58,070 --> 00:55:59,899 And here it's, uh, it's quite low. 1492 00:55:59,900 --> 00:56:01,969 So it's good this these 1493 00:56:01,970 --> 00:56:04,249 rates, the fact that someone can 1494 00:56:04,250 --> 00:56:06,709 modify data, uh, 1495 00:56:06,710 --> 00:56:09,289 on the on the infrastructure, 1496 00:56:09,290 --> 00:56:11,659 on the subscriber plan directly. 1497 00:56:11,660 --> 00:56:14,179 So passing from example from, uh, 1498 00:56:14,180 --> 00:56:16,279 from prepaid to postpaid. 1499 00:56:16,280 --> 00:56:17,869 So this is a vulnerability for the 1500 00:56:17,870 --> 00:56:19,639 network, of course. 1501 00:56:19,640 --> 00:56:21,739 But, um, in the protocol there 1502 00:56:21,740 --> 00:56:23,959 aren't any extensions for um 1503 00:56:23,960 --> 00:56:24,889 um. 1504 00:56:24,890 --> 00:56:25,369 Oh. 
1505 00:56:25,370 --> 00:56:27,050 To see aren't 1506 00:56:28,370 --> 00:56:30,859 attached that offer um 1507 00:56:30,860 --> 00:56:33,019 to get the routing or something like they 1508 00:56:33,020 --> 00:56:35,239 are uh they are extensions uh 1509 00:56:35,240 --> 00:56:37,489 for protocols uh for the seven 1510 00:56:37,490 --> 00:56:40,099 protocols like map extensions 1511 00:56:40,100 --> 00:56:42,499 and um this data we 1512 00:56:42,500 --> 00:56:44,569 still do not have it processed 1513 00:56:44,570 --> 00:56:46,429 in a normalized in a way that we can 1514 00:56:46,430 --> 00:56:48,619 display its core because there is much 1515 00:56:48,620 --> 00:56:50,389 steps before getting this call from the 1516 00:56:50,390 --> 00:56:51,409 raw data of this kind. 1517 00:56:51,410 --> 00:56:52,369 So this is coming. 1518 00:56:52,370 --> 00:56:54,439 This is the the, uh, the work in progress 1519 00:56:54,440 --> 00:56:55,459 that we are doing. 1520 00:56:55,460 --> 00:56:57,409 But for now, that's what we get, uh, we 1521 00:56:57,410 --> 00:56:59,689 can present for our country because 1522 00:56:59,690 --> 00:57:02,149 we are sure of the data and we clean or 1523 00:57:02,150 --> 00:57:04,279 everything what which was suspicious. 1524 00:57:04,280 --> 00:57:06,589 So there was a 1525 00:57:06,590 --> 00:57:07,189 yeah. 1526 00:57:07,190 --> 00:57:09,769 The goal was to give a good overview on 1527 00:57:09,770 --> 00:57:11,839 a view which was, 1528 00:57:11,840 --> 00:57:14,449 uh, not not with 1529 00:57:14,450 --> 00:57:16,130 with good data or it's. 1530 00:57:18,410 --> 00:57:20,089 So we still are missing also some 1531 00:57:20,090 --> 00:57:22,249 countries, for example, but 1532 00:57:22,250 --> 00:57:23,749 this will come and there are countries 1533 00:57:23,750 --> 00:57:26,389 where we have, uh, 1534 00:57:26,390 --> 00:57:28,249 less, uh, less answers. 
1535 00:57:28,250 --> 00:57:29,479 So there are countries where we are more 1536 00:57:29,480 --> 00:57:31,699 confident this this will, 1537 00:57:31,700 --> 00:57:34,849 uh, move on and will, uh, 1538 00:57:34,850 --> 00:57:37,039 we get a full map with a full view on 1539 00:57:37,040 --> 00:57:39,289 this network and then in six 1540 00:57:39,290 --> 00:57:41,389 months will be after discussions 1541 00:57:41,390 --> 00:57:43,409 with operators will be able to to release 1542 00:57:43,410 --> 00:57:44,720 appropriate rating. 1543 00:57:48,400 --> 00:57:50,039 Do we have any more questions? 1544 00:57:52,110 --> 00:57:54,209 There's one on microphone 1545 00:57:54,210 --> 00:57:56,159 number two, please. 1546 00:57:56,160 --> 00:57:58,319 I suppose I have 1547 00:57:58,320 --> 00:57:59,489 a Dutch subscription 1548 00:58:00,660 --> 00:58:02,849 and I'm in Germany right now. 1549 00:58:04,500 --> 00:58:06,599 How do I interpret your your 1550 00:58:06,600 --> 00:58:08,819 risks and abilities, 1551 00:58:08,820 --> 00:58:10,919 your funds? I assume that the worst 1552 00:58:10,920 --> 00:58:12,650 of both will apply to me tomorrow. 1553 00:58:14,730 --> 00:58:16,139 So I go back to the Germany 1554 00:58:17,640 --> 00:58:19,049 country. 1555 00:58:19,050 --> 00:58:21,869 So this means that, um. 1556 00:58:21,870 --> 00:58:23,519 So you are a subscriber, so you take a 1557 00:58:23,520 --> 00:58:25,739 look on me on the privacy, 1558 00:58:25,740 --> 00:58:27,899 the what will affect directly 1559 00:58:27,900 --> 00:58:29,819 the subscriber which we which will be 1560 00:58:29,820 --> 00:58:31,949 will be the prejudicially clever 1561 00:58:31,950 --> 00:58:32,950 mainly. 
1562 00:58:33,550 --> 00:58:36,059 And OK, you can see that 1563 00:58:36,060 --> 00:58:39,059 locating you is possible 1564 00:58:39,060 --> 00:58:41,129 because, uh, German 1565 00:58:41,130 --> 00:58:43,679 operators are not predicting, 1566 00:58:43,680 --> 00:58:45,809 for example, uh, for one 1567 00:58:45,810 --> 00:58:47,969 of the messages that 1568 00:58:47,970 --> 00:58:50,099 is giving the location, uh, 1569 00:58:50,100 --> 00:58:52,319 with, uh, like a street level 1570 00:58:52,320 --> 00:58:55,259 accuracy so slightly. 1571 00:58:55,260 --> 00:58:57,329 Um, but still 1572 00:58:57,330 --> 00:58:59,579 you can we can locate you in the region 1573 00:58:59,580 --> 00:59:01,829 point of view, because the two 1574 00:59:01,830 --> 00:59:04,469 so the first line, this one is 1575 00:59:04,470 --> 00:59:06,629 for a region point point of view. 1576 00:59:06,630 --> 00:59:08,909 And, uh, so even 1577 00:59:08,910 --> 00:59:11,279 if they are not the worst ones, 1578 00:59:11,280 --> 00:59:13,529 uh, we will be able to to 1579 00:59:13,530 --> 00:59:15,599 locate you, to get, 1580 00:59:15,600 --> 00:59:17,759 uh, to get your statuses 1581 00:59:17,760 --> 00:59:20,249 on postpaid, uh, postpaid 1582 00:59:20,250 --> 00:59:22,439 prepaid, uh, and maybe to change you 1583 00:59:22,440 --> 00:59:24,509 up, your subscriber plan, things 1584 00:59:24,510 --> 00:59:26,579 like that. So this will like changing the 1585 00:59:26,580 --> 00:59:28,139 subscriber plan will lead to fraud. 1586 00:59:30,120 --> 00:59:32,399 And actually that's, uh, what, uh, 1587 00:59:32,400 --> 00:59:34,649 Tobias Shodan, uh, his presentation, 1588 00:59:34,650 --> 00:59:36,959 uh, like he was tracking, uh, 1589 00:59:36,960 --> 00:59:38,669 someone around, uh, around the world. 1590 00:59:38,670 --> 00:59:40,979 And the guy came to Germany and 1591 00:59:40,980 --> 00:59:42,989 it was, uh, I mean, he's, uh, his 1592 00:59:42,990 --> 00:59:45,139 messages were working. 
1593 00:59:45,140 --> 00:59:47,699 Yeah. I assume there's also any 1594 00:59:47,700 --> 00:59:49,379 film ability's in the Dutch telecom 1595 00:59:49,380 --> 00:59:51,509 system that I'm a customer with 1596 00:59:51,510 --> 00:59:52,799 still. Yeah, yeah. 1597 00:59:52,800 --> 00:59:54,389 That's that's a good question. 1598 00:59:54,390 --> 00:59:56,489 So this when, 1599 00:59:56,490 --> 00:59:58,049 uh, when we are speaking about Germany, 1600 00:59:58,050 --> 01:00:00,119 this applies to customers 1601 01:00:00,120 --> 01:00:02,939 of German operators, not to visitors. 1602 01:00:02,940 --> 01:00:04,979 Uh, visitors. It will be, uh. 1603 01:00:04,980 --> 01:00:06,749 So when we'll have more, uh, more 1604 01:00:06,750 --> 01:00:08,909 statistics on, 1605 01:00:08,910 --> 01:00:11,579 um, on the security 1606 01:00:11,580 --> 01:00:13,769 of visited country, uh, 1607 01:00:13,770 --> 01:00:15,839 we show it, but for now it's for home 1608 01:00:15,840 --> 01:00:18,359 network, meaning if I'm, uh, 1609 01:00:18,360 --> 01:00:20,669 French in a French country, then 1610 01:00:20,670 --> 01:00:22,769 the security of related to my, 1611 01:00:22,770 --> 01:00:24,989 um, my sim will 1612 01:00:24,990 --> 01:00:26,099 be the one for France. 1613 01:00:27,990 --> 01:00:28,990 Thank you. 1614 01:00:29,600 --> 01:00:30,710 Any more questions? 1615 01:00:32,210 --> 01:00:34,159 No, please give a warm round of applause 1616 01:00:34,160 --> 01:00:35,809 to Alexandra Lau. 1617 01:00:35,810 --> 01:00:36,810 Thank you.