Mobile Data Interception from the Interconnection Link

Video in TIB AV-Portal: Mobile Data Interception from the Interconnection Link

Formal Metadata

Mobile Data Interception from the Interconnection Link
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Abstract
Many mobile network operators rush to upgrade their networks from 2G and 3G to 4G/LTE, not only to improve the service but also the security. The Diameter protocol, the successor of SS7 in Long Term Evolution (LTE) networks, is believed to offer more protection to the network itself and to the end users. However, Diameter too offers a rich set of functionality, which can be exploited and misused if the network is not properly protected. In this lecture we show how data interception (a man-in-the-middle attack) can be done via the Diameter-based interconnection link.
Keywords
Security

Our first speaker of today has an impressive number of publications and has been speaking at many different conferences, including the Black Hat conference. Today she is going to speak about SS7 and Diameter and the security aspects of both of these protocols. The talk is "Mobile Data Interception from the Interconnection Link". Please give a warm round of applause.

Thanks a lot. I work for Nokia Bell Labs, the research branch of Nokia, and I have been doing mobile security for 17 years, so everybody sitting here with an LTE-enabled phone has a piece of something I designed in it; it's quite a nice feeling, actually. This is not only my work: it is also from a colleague, Ekman, who runs our testing department and set up a test network so that we don't accidentally crash operators' networks when we make an update, and actually also from our competitor, Cathal McDaid from AdaptiveMobile. We have been working together on this one, and I'll explain later how that happened. So I will talk about mobile data interception from the interconnection link.

Let's start with the practicalities. This is something that's not so visible in public. Some of you might have been here in 2014 when Tobias Engel and Karsten Nohl presented their attacks; for those who have not been there: here in Germany you are connected to Vodafone, Deutsche Telekom or Telefónica, and since this is an international meeting you also have people from the UK who usually have a subscription from Three or from Orange, from Poland maybe from Plus, or from MTS if they're coming from Russia, or from Finland. I live in Finland nowadays, so my colleagues and family have Elisa, Telia or DNA subscriptions. There is a big difference to the credit card system: with credit cards there is one big mother company, but telecommunication operators are different legal entities in different countries, and still you can just pop up in their network, switch your phone on, and you can get data or make voice calls or send SMS, and you get charged at home and it works. That's actually something to think about, because it's not happening automatically.
The reason why this is actually working is that there is something called the interconnection link, the IPX network. It's not the Internet; it has touching points with the Internet, but it's a private, separate network which enables mobile data communication and mobile communication in general. Why is this such an important network? Because we are all connected to it. Everybody here with a switched-on phone is connected to it, and not just your phone: it's also connected cars, for example, if they're SIM-enabled; here is an Android tablet; there's a connected scale, let's say on Verizon in the US; a connected car from Telefónica in Latin America; at the bottom you see a gas meter from British Telecom which is also SIM-enabled; then we have a fire alarm from Telstra (they might need a fire alarm in case a bushfire arrives); and there is something from industrial automation, assembly lines which might have connectivity. So connectivity goes beyond classical phones. You see all kinds of different operating systems, all kinds of different hardware, and they're connected to a local operator and through that to the interconnection network, so they can be reached from the interconnection network in case something arrives for them.

To understand the security of the interconnection we need to go back a bit. In 1981 the NMT network was established between four Nordic countries, and you see there a beautiful picture of the phone; it weighed about 5 kilograms. I didn't bring it, but it is a very beautiful piece of hardware. It was a closed and private network, and that was the main security feature of the network: it was closed and private, nobody could get in, only the people who knew each other, and it was running the Signaling System No. 7 protocols. That was a huge success, and it was extended and extended, more and more operators joined, and nowadays we have all kinds of applications using it: you get your SMS reminder for the dentist or whatever, your banking codes, whatever, and now we have moved towards LTE and the Diameter protocols. So just to give you an idea:
That's how it started: Finland, Sweden, Norway and Denmark. They probably started it while having some good beer late in the evening: "let's do it", and they managed to do it. And that's how it looks nowadays; it has grown a bit. We have 2G and 2.5G, then we had 3G, then 4G, and now we have 5G, so it has gotten a bit more complex, and it's an organically grown structure. The thing is, everything is connected to everything else: GSM networks connect to LTE networks and the other way round; sometimes there are nodes in the middle, sometimes not; so it's very, very inhomogeneous, to call it that way. Back to security: the main security feature of this jungle was that it is closed and private. Now let's revisit this assumption 35 years later and see what has happened. Is it still closed and private?
I am afraid to say no. There are different angles to "closed and private". On top you see Three; I could have chosen any European operator, it's not particular to Three. It's just that the European Union wanted to encourage competition, so it is very easy for a mobile virtual network operator to establish its business. For example, supermarket chains are now selling subscriptions in Germany; they rent their services from a traditional operator, and all operators in the European Union are forced to rent out the services they have, which includes roaming, to anybody who basically comes and asks and has a proper business model. That makes it easier for nasty guys to buy interconnection access. In the middle you see a screenshot from the dark market, from a company called Interceptor, but they have a horrible service, so I wouldn't recommend that company; they are not consistent in answering e-mails, but they are claiming to rent out all of these kinds of services. So the access can also be gained from the dark market just by buying it. At the bottom we see a screenshot from Shodan: you see here a GGSN. You might not know which node this is, but I can tell you a GGSN has no reason to be on the Internet; it shouldn't be there. I don't know why it is there; maybe it's a honeypot. I don't suggest hacking that, you never know what comes back. And on the right-hand side, here I am: the GPRS nodes of a big operator, which seems to have had them on the Internet, and the protocol here is SNMP, the Simple Network Management Protocol, and above that telnet login. My personal assumption is that somebody was on call, had to fix the network and didn't want to go into the office, so he just set himself up this telnet access so he could easily configure the stuff from home. These things happen, that's life; but of course, telnet login: you throw a password dictionary at it, it's worth a try. Then this map is a bit older, from the WikiLeaks and Snowden documents, and it shows the countries where the NSA says they have some access to the full network; it's probably no longer up to date, and in Europe the situation has improved substantially since then. And at the top there's an article from The Intercept about GCHQ, the British spy agency, hacking Belgacom, a carrier and transport provider. So I think it's fair to say that the IPX network is no longer that closed and private.

So the NSA may just hack their way in, having the power. In some countries the line between government and telecommunication providers is not so strict, let's call it that way, and if the government wants to have access it just gets it. And of course the classic: bribing an employee, that always works, it's just a matter of the amount of money. You can become an operator. Or some kind of social engineering; that has also been seen, but that's quite a rare case actually, social engineering is not so common; the other ones are more likely.
So let's do a brief recap of SS7, the old protocol, and the attacks that exist for the old Signaling System No. 7, which is still the most commonly used on the interconnection link. We have location tracking, which was published (with very coarse granularity) by Tobias Engel; then we have eavesdropping, fraud, denial of service on the user, network credentials (the cryptographic keys that are also stored in the SIM card and used for confidentiality and authentication), data session hijacking (but that's not SS7, that's actually the GTP protocol), unblocking of stolen phones (that is an implementation-specific attack, not from all nodes), and SMS interception, which is basically pretty risky because of one-time password theft: nowadays many password reset systems send you a one-time code, and the attacker can directly trigger the sending of the one-time code, so depending on the system used it's more or less exposed; there are even YouTube videos showing how that works. So this is basically the situation for SS7, and those attacks have been done by P1 Security, Positive Technologies, Karsten Nohl, Tobias Engel and some others; I'm focusing more on Diameter security. So that's basically SS7, the old protocol.

Now the status of the security for the IPX network: SS7 is the most commonly used, but things slowly move forward. The communication is sometimes direct, sometimes intermediaries are involved. For example, we are here in Germany, but I don't think there exists a specific cable from Germany to, let's say, Tuvalu, a Pacific island; some people live there and they have their own operator, and I don't think there is a cable from here to there, so there are some intermediate nodes involved if you make a phone call to Tuvalu. But some operators also have direct pipes to their most common partners, for example in Frankfurt. Also, nowadays some deploy SS7 firewalls; I think it was a big achievement of the presentation done here in 2014 that something happened afterwards: the first firewall products came up and operators started to deploy them. Not all have them, but it's better now. But there is no form of transport security: no IPsec, no TLS, no application-level security, no source authentication, no confidentiality protection and no integrity protection; that's basically how it is.

So: new network, new protocol, new rules, new game, everything is better? The point is that it is only a little better; there is only one from one company, and I'm not going to say which company that was. If you have all of these different networks, they have different protocols that do roughly the same things: if the user moves from place A to place B, you move from one antenna to the next antenna, so the logic for handover, subscriber profile management and things like that is pretty similar; not exactly the same, but pretty similar, so it's possible that attacks can just be converted, let's call it that way.

The attacks are reality; I've seen some attacks myself. I've been doing trace analysis, looking at the traces and trying to figure out what the heck that is. And there's one important question one needs to ask: why should attackers stop just because we have a different protocol? Come on, they make money with it. There are governments and intelligence communities: "give me all your data". And there are these kinds of service companies. Basically you have to know that some governments have their own agencies which do this stuff, and other governments just hire service companies because it's cheaper; because the service company sells to several governments, it can offer the things cheaper to each government. So there are these service companies, and there are also just entities which make money from it, and also the military uses mobile data for target localization: for example, The Intercept published the Drone Papers, which said that about 70 per cent of the data for target localization for the drone strikes comes from telephone networks, which I find pretty scary, coming from the telecom industry, because the networks were not designed for it; they were designed for user mobility and making phone calls, they're not a military tool, but they're used that way; the German Bundeswehr was also observed doing something with the Afghan phone network. So, moving forward.
Now the current status with Diameter from research. When I started looking into interconnection attacks, my manager said: "SS7, old stuff, don't look at it, look forward." Well, I thought: OK, first I have to understand how SS7 works, and then I look forward. In particular I looked at the Diameter protocol as the successor of SS7, and I looked at similar attacks. This started basically with location tracking, which is relatively easily done; then you have downgrading attacks, basically because the old networks and the new networks have to talk to each other, so the attacker just comes and says: "hey, I'm an old network, I only speak SS7, can you please translate the stuff for me?", and there are translation boxes which translate the whole attack into the new protocol. Very convenient for an attacker: the attacker doesn't even have to learn the new protocol, it's very nice if you have a translator. (I hope I don't speak too fast for the translators.) Then we have denial-of-service attacks and fraud. Denial-of-service attacks are also very easy in the sense that the attacker can just push the attack into the network and doesn't care whether the answer messages are correctly routed, so he can spoof the origin, he can use the origin of a partner, because he just pushes the message and doesn't care; so denial-of-service attacks are very easy in that sense, you can spoof the sources. And SMS and one-time password interception, because of this kind of password usage: SMS was just a few bits of space in the protocol, somebody said "OK, let's use it for texting", and it was never designed for security, and there we go. Then we have subscriber profile modification: the subscriber profile is basically an entry in the main database of the operator which states whether you are prepaid or postpaid, whether you have GPRS, whether you're allowed to roam, what phone number, what identity and so on, so if you meddle with that you can imagine it can cause quite some hiccups. Then there was Positive Technologies on denial of service, and also at Black Hat Hendrik and a colleague presented denial of service; I am presenting it here because Hendrik couldn't. And now we are presenting basically data interception for LTE. Just as a reminder, there are usually some restrictions on when things work and when they don't; not all networks are alike, and it's very important to understand that.
talk not to data interceptions and I'm afraid I have to give you a very tiny crash crash-course for editing efforts like between to solve the
acceptable level that thing so the background as a set me this was done together with 1 of our competitors that mobile and did is MAC operate organization which enables basically roaming Our where we also the security group of that we discussed the security in what we can we do to improve it and so on and adaptive molar reported on a EGY purest traffic interception attack that they saw in life network and then I was at the same time I was working with some colleagues on subscriber profile modification uses diameter protocol and then we discuss their thinking OK we could combine those attacks the ideas of cells the text and so and get a potential data interception for LCE so we but be run from of about 2 constraints divorce was clear for us from the beginning that there probably some constraint that it only works in some configurations so what I did then I called my colleagues mean because we have a test networks and has a big network of or never company um we rode all updates for the operators and and this S updates have the tendency sometimes to screw up things we have a test network very basically copy the except network of the operator where we go up to roll of the soft there and the other copy the configurations so yummy knew the configurations so what I typically configurations and so on and then we also tested those attacks and so on there we so figured out what are the constraints so that these attacks could work cell G. purists that
basically how it worked so that the attacker was modifying in the SGZ d the saying some of to the whole network please check if there's a new axis . work and when the user then requests the session what then happens that these great clout their connects to the attacker enough for the axis point it gets us back and then the user connects to the axis point provided so that the basic idea you don't need to understand all the detailed command called site for but that's what the idea so now the crash
That's how it works. You've got your phone somewhere and you connect to an operator via the radio access network. You have friends and gadgets; these are your friends' devices, and they move from one tracking area to another, so you need somebody to take care of mobility. You don't need to remember the whole geography, just the mobility, so this node takes care of tracking your mobility as you move: that's the Mobility Management Entity, the MME. Then we have a database where it is stored whether you are prepaid or postpaid, your subscription details, and the application servers you need when you want to make Voice over LTE calls. The subscriber database is the HSS. I put the HSS here because if that thing is down, the whole network is down; it is the most important box in an operator network. There are several MMEs, on a regional level, so if an MME goes down one region is affected, but if the HSS goes down the whole network is dead, meaning that the operator has no income and is pretty upset. So the LTE network has the HSS, the MMEs and the attached nodes, and the other operator's side looks basically the same.

So, making the assumption that we have two LTE networks talking to each other; we are not going into all the interworking cases with 2G and 3G, that would be a mess, so this is the easy, TV version, believe me. As explained with the Tuvalu example, those two networks might have a direct cable, let's say if they are sitting very close to each other, but there might also be one or more interconnection providers sitting in between. So now we have all the hardware together, and then there are the interfaces, as they are called. The most important and busiest interface is the S6a interface, between the mobility node and the database, because the mobility node needs to know what it is allowed to grant you: what kind of network connectivity you are allowed to use, whether you are allowed to use LTE or not, what your constraints are, what your credentials are and so on. So most data traffic is on that one. Then there is the Sh interface, which is usually internal, but I will come to that. And of course you also have that in the roaming case: when you are, let's say, here in France and you have a subscription from Germany, then you are connected to an MME in France, and S6a will be used for example to fetch the cryptographic credentials to provide confidentiality while you are traveling. The French network needs to get your cryptographic keys so that it can protect your communication on the air interface. And the Sh interface, in some scenarios, some configurations, might also go over the interconnection; I will come back to that. So let's continue.

Vulnerabilities: settings that are not uncommon and have been observed. The price pressure on the mobile market is pretty tough, and so what operators do is reuse equipment for different purposes, open up interfaces and so on. One scenario is a big operator which has subsidiaries in many countries: they buy one box first, test it in one country, and then use it from all countries just to see if the service flies, if it is used a lot and so on, and if it is running well it is then deployed in the other networks. It makes sense business-wise, it makes perfect sense: if it doesn't fly you can just scrap one server and the investment was not so big. But that also means that they open up the link to that server over the interconnection link, and that has been seen for application servers. Similarly there is the problem of DNS resolution; of course it's cheaper to have one box instead of two boxes, so we have traffic which is for the core network, internal, and then we have external traffic like Internet traffic and DNS resolution, and some operators just put it on the same node because it is cheaper. Now, that is not the configuration in every network, but, as mentioned, that is the assumption anyway: that the attacker is able to set up a connection to the interconnection. So, more on the attack: the attack that I am going to present has several steps.

Step 1 is classical data acquisition, and this can be done well before; it can be done half a year before, you don't need to do it directly beforehand. So you can do it now and then do the attack half a year later. You know each other by phone numbers, but the IMSI is the subscriber identity that is used by the telephone network; the network usually doesn't use the MSISDN, it uses the IMSI, as you might see in the following messages. So you first need the IMSI to get things going.
So the focus is on the Sh interface, and there is something called User-Data-Request, which is used to get the profile back, and the profile contains the IMSI, the whole subscriber profile, the details the attacker needs. It's a standard feature; it just requires that the attacker has an application server. And this is how it looks in Wireshark; just for your information, I'm not going into the details of the Wireshark output in this case.

If you have the Sh interface open you can also use another of the S6 interfaces, but not many operators are actually using that one either. So the attacker has a choice of attack possibilities, and actually this attack works the same way for SS7, so the attacker might also do basically the same stuff in SS7; I presented the details of that in Paris. And also the attacker could do other things over S6a, but they also really need the IMSI, and there the attacker can make an Authentication-Information-Request. This is the most common method seen over the interconnection: you basically say, for synchronization purposes, "the subscriber profile needs an update", and the network ... This is all possible because there is no sort of authentication. Another way to get the IMSI is the man-in-the-middle attack, for example where you set up a fake base station or a wireless LAN access point and collect the IMSI. I will speed up a bit, sorry.

So the APN: placing the attack works like this. You place a fake APN in the subscriber profile, and then the user connects to it. That's the basic idea. So how to get the APN in there? One way is again using the Sh interface: Profile-Update-Request. As network nodes synchronize with each other there is a message called Profile-Update-Request, and with that you can update the APN. In that case, because you know from the previous step how the subscriber profile looks, you can update it: because you know how it looks, you just change some values, which would be the APN details. So, let me say, you can change the APN settings, for GPRS, for all four levels and so on. That's how this kind of update looks in Wireshark.

And also you can use the S6a interface, which is a bigger problem, because you can block the Sh interface, but the S6a interface you can't. There is a little trick: if the HSS has a reset, then, to avoid that somebody has to manually update all the APN data in the network after an HSS reset, the APN data in the MMEs can be updated over S6a. So that should only happen after a reset; that's the logic behind how you could detect this kind of attack. So this is what is possible: the attacker has a set of possibilities. Also you can update the subscriber profile in the MME, the mobility node, so that is another attack point; you can update the profile there and then the user connects.
So what happens then? The user connects, at the UE, that is the user's terminal; it attaches, the HSS does the update location, and then we follow with the synchronization attack: the attacker basically tries it, you don't notice anything, and if he has updated the HSS or the MME, what happens is that the MME connects the user with the fake APN. This only works under one of the constraints I explained before. And after that you say: "hey, I have APN settings in my phone, why are they not used?" Well, it comes from the old times when you still had to configure your APN settings manually, so the MME just assumes the network knows better and you are wrong. Now this is where the issue pops up.

So, as it is research, I could just complain that this is bad and somebody will have to fix it. You from the IT community, most of you, would say: hey, let's use IPsec and everybody's happy. I want to mention an issue with this. It's not that easy: Diameter is not all IP; it runs on SCTP, the Stream Control Transmission Protocol, and we still have legacy living there. And it's a political question: we talk about an international network all across the world; who would be trustworthy enough to host a root certificate and key generation worldwide? I mean, you name one country and another country will not accept it, so no way. Maybe we will have something on a regional level one day; that's possible. And then there are operators that just don't have the money or the expertise, like Tuvalu, which I mentioned before, with its 147 employees: they don't have a security expert, maybe they have one, I don't know. And also it is no protection against governments renting out the service, companies, and things like that. But IPsec would still be a good idea if there is not already a secure pipe in place. It is also important that the partners have a similar understanding on hardening and so on.

So, also for this specific attack: the Sh interface is an internal network interface; you shouldn't open it up on the interconnection, and at the nodes in between you can also filter out Sh traffic, or if you really need to do it, secure it properly. DNS: proper, separate external resolution. And for the Update-Location stuff on S6a, potentially block it, or do a velocity check on how fast a user can move. And I'm nearly done.
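The countermeasures just listed (keep Sh off the interconnection and filter it at the nodes in between, velocity-check S6a location updates) and the earlier observation that APN data in an MME should only be refreshed right after an HSS reset can be turned into monitoring rules. The following is an added example, not code from this talk or from any operator or vendor product. It assumes a detector that sees raw Diameter requests on the interconnect side of the network; the application IDs and command codes are the standard 3GPP values, while the message bytes, peer name, IMSI, timestamps, the 1000 km/h speed cap, the 600-second reset window and the country coordinates are constructed for the demonstration.

```python
"""Defender-side checks for Diameter requests arriving over an interconnect link.

Added example (not from the talk): a minimal Diameter header parser plus three
detection rules taken from the talk's countermeasures. Sample bytes, peer name,
IMSI, timestamps, thresholds and coordinates are all constructed.
"""
import math
import struct

# Application IDs and command codes from 3GPP TS 29.329 (Sh) and TS 29.272 (S6a)
APP_SH = 16777217
APP_S6A = 16777251
CMD_NAMES = {306: "UDR", 307: "PUR", 316: "ULR", 318: "AIR", 319: "IDR", 322: "RSR"}
FLAG_REQUEST = 0x80


def build_header(cmd_code, app_id, length=20, hop=1, end=1):
    """Constructed 20-byte Diameter request header (RFC 6733, section 3)."""
    return struct.pack("!IIIII", (1 << 24) | length,
                       (FLAG_REQUEST << 24) | cmd_code, app_id, hop, end)


def parse_header(buf):
    """Decode the fixed Diameter header; raise on a short or non-version-1 header."""
    if len(buf) < 20:
        raise ValueError("short Diameter header")
    ver_len, flags_cmd, app_id, hop, end = struct.unpack("!IIIII", buf[:20])
    if ver_len >> 24 != 1:
        raise ValueError("unsupported Diameter version")
    return {"length": ver_len & 0xFFFFFF,
            "request": bool(flags_cmd >> 24 & FLAG_REQUEST),
            "cmd": flags_cmd & 0xFFFFFF, "app": app_id,
            "hop_by_hop": hop, "end_to_end": end}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


# Constructed (lat, lon) of the visited networks used in the demo
PLMN_COORDS = {"DE": (52.52, 13.40), "FR": (48.86, 2.35), "AU": (-33.87, 151.21)}


class InterconnectMonitor:
    """Stateful rules for Diameter requests seen on the interconnect side."""

    def __init__(self, max_kmh=1000.0, reset_window_s=600):
        self.max_kmh = max_kmh                  # assumption: plausible travel speed cap
        self.reset_window_s = reset_window_s    # assumption: IDR must follow a recent RSR
        self.last_location = {}                 # imsi -> (country, unix ts)
        self.last_reset = {}                    # peer -> unix ts of its last RSR

    def rule_ingress(self, buf):
        """Rule 1 (Sh): profile reads/updates never belong on the interconnect."""
        h = parse_header(buf)
        name = CMD_NAMES.get(h["cmd"], str(h["cmd"]))
        if h["app"] == APP_SH:
            return "ALERT Sh %s from interconnect: block and investigate" % name
        return "ok %s" % name

    def rule_velocity(self, imsi, country, ts):
        """Rule 2 (S6a ULR): flag location updates implying an impossible speed."""
        prev = self.last_location.get(imsi)
        self.last_location[imsi] = (country, ts)
        if prev is None or prev[0] == country:
            return None
        dist = haversine_km(PLMN_COORDS[prev[0]], PLMN_COORDS[country])
        hours = (ts - prev[1]) / 3600.0
        speed = dist / hours if hours > 0 else float("inf")
        if speed > self.max_kmh:
            return "ALERT %s %s->%s implies %.0f km/h" % (imsi, prev[0], country, speed)
        return None

    def rule_idr_after_reset(self, peer, buf, ts):
        """Rule 3 (S6a IDR): subscriber-data pushes are expected only after an HSS reset."""
        h = parse_header(buf)
        if h["app"] != APP_S6A:
            return None
        if h["cmd"] == 322:                     # RSR: remember the reset per peer
            self.last_reset[peer] = ts
            return "ok RSR from %s" % peer
        if h["cmd"] == 319:                     # IDR: needs a recent RSR from the same peer
            reset_ts = self.last_reset.get(peer)
            if reset_ts is None or ts - reset_ts > self.reset_window_s:
                return "ALERT IDR from %s without recent reset" % peer
            return "ok IDR from %s after reset" % peer
        return None
```

The IDR rule keys on the command code only because the example does not parse AVPs; the talk's point is specifically about APN data carried in the update, so a production rule would look at the subscription data inside the IDR rather than at every IDR. The per-IMSI and per-peer tables are the only state, so the same rules run on a log replay as easily as on live traffic.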
Countermeasures on a general level: monitor what's going on; pen-test the network, which is not very common, what is more common is pen-testing on the phone side; and monitoring: what are those partners, those other operators, really doing in your network? Do you really know? Usually a service level agreement looks like this: "I accept it", and then you just hope they do what they're supposed to do. From experience that's a bit critical, because operators are always afraid that they might get into trouble with their license, so they are like "OK, but what does that mean for my license next year" and so on. Some things can already be done with business rules: if you have partners that send a lot of bad messages you might want to increase the fees for those partners; that is something that can be done with business rules on the network side. Then signaling firewalls and SMS home routing; not everybody is doing that, and hopefully the operator knows which one I mean, the specific one. And then we have the GSMA documents, which describe explicitly what you can do, and layered security: from the user level, don't necessarily assume that the pipe is secure; if you can add some security on top of it, do it. I mean, if you have added security, even if it's not good, you at least have something. And procedures exist, so let's use them. The summary:

Networks are attacked via SS7, and Diameter networks are vulnerable as well; we see somewhat fewer attacks in reality, still mostly SS7, but Diameter ones are popping up slowly. It's independent of the platform, and the attack I presented depends strongly on how things are configured in the network and how it works, but there are networks that are vulnerable. On the general question of whether Diameter is better or worse than SS7: if nothing is done, well, it's bad, but I think we have a unique opportunity to do things better, and I think we are now on the right track. I know that last week several operators called their IPX providers asking "do you filter Sh traffic?", so with this conference here we did some improvement to security, thanks to all of you.
And also the people here, all these guys working here. So I think this kicked off something in the operator community, a movement. Thank you.

Thank you all. We have lots of questions. If you have a question, microphone number one.

The subscriber profile has, like you said, call barring and call waiting options, but there are other, legitimate options; what would be the use of them for the partners? In that sense it provides everything related to the subscription: there is also call barring, various special services which you are allowed to use, whether you are postpaid or prepaid, your phone number is in there, which security settings, which URIs you use; all kinds of technical details are in there. So basically you can do easy denial of service, you can do fraud by meddling with the subscriber profile; there's a lot of opportunities for attackers.

The question is: is there a legitimate use for a visited network to access your profile? Of course. If you, for example, are in a foreign network and they want to change encryption settings, or the location updates, that also changes the subscriber profile. But the visited network doesn't need your whole subscriber profile, and that's the point. It might be that you want to have local connectivity because that might be better, so there might be a good reason for giving you this new APN, so that your traffic doesn't need to be rerouted over the ocean. So there are good reasons for doing it, but you might want to make it controlled, so that you know what is being done in your network. Microphone number two.

There is a bit of a gap in public knowledge of how SS7 attacks are seen in the wild; can you just talk about how frequently you see these attacks and in what part of the world? They're everywhere in the world. We are doing, as a company, also security assessments of networks, and we see operators all over the world under attack; it's not bound to geographical regions. Some regions have one type of attack more, others other types of attack more, but the most commonly observed attack is usually location tracking, followed by credential theft. So these are everywhere in the world; we see them at the border of the network when we assess it, and not all of those attacks achieve anything, but we see them all over the world, and every operator has some share of attack traffic. But I have noted that operators that deploy signaling firewalls have much less malicious traffic, compared for example to the operator that looks into its traffic for the first time, let's call it that way. So attackers seem to move on when they run into a wall; so filtering, we have several levels there. And there's one question from the IRC: somebody wants to know how many years you expect will be needed to prevent these attacks. Well, the Internet is not safe today either. I think mobile networks are going through the same evolution process as the Internet went through in the beginning, when the Internet was the ARPANET where you had a username and password and then you were in. This network is basically going through the same steps. So, how to say, I just do what I can, and it's also an investment question: security costs money, and obviously everybody expects security to come for free, also the users, so there has to be a balance somewhere. I don't think, for example, that people in Tuvalu are willing to pay, let's say, 50 bucks more for their subscription; that's just not feasible. And still people there want to be able to make calls, so we must find solutions also for these kinds of cases. It's pretty hard; you have to face reality in that sense and think about budgets and so on. So I don't think we'll ever have 100 percent secure networks, just as we don't have a 100 percent secure Internet, even with HTTPS and whatever we have. Microphone, next question.

I see that there is a big problem of backwards compatibility; do you have a schedule for when all the GSM infrastructure will be turned off, or doesn't it exist? Well, no. For example, nodes from countries which are more progressive, which all move to new technologies, are sometimes not scrapped; those radio base stations on the roofs are sometimes sold, for example to Africa. There is a big second-hand equipment market, because look at how much an African subscriber can pay for a subscription: the infrastructure just can't cost much money. So GSM will therefore continue for a while. Also there are operators which use it as a very cheap way to offer IoT connectivity, because if you had to pay as much for the subscription of an IoT device as for your phone, let's say 30 bucks per month, you wouldn't want to pay that; these should have a cheap subscription, but how can you as an operator offer a cheaper subscription? Basically by reusing your old stuff, especially if it's not time-critical communication. So you try to extend the return on investment as much as possible; that's just business logic on both sides. So I suppose we will have them for a while.

One more question: are there practical documents with configuration examples for smaller providers, who might not have the resources you have, which are publicly accessible? I discussed yesterday how to do things for them, and the IPX providers might take more responsibility, because very often those very small ones, tiny islands somewhere, are connected to one satellite operator and then it basically goes into the IPX network; if you just have this one link from your side to the IPX provider, the IPX provider takes care of security, security as a service basically. Thank you.

Thank you for all the questions, and thanks to the speaker.