4G - Who is paying your cellular phone bill?

Video in TIB AV-Portal: 4G - Who is paying your cellular phone bill?

Formal Metadata

Title
4G - Who is paying your cellular phone bill?
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Cellular networks are connected with each other through a worldwide private, but not inaccessible, network called the IPX network. Through this network user-related information is exchanged for roaming purposes or for cross-network communication. This private network has been breached by criminals and nation states. Cellular networks are extremely complex and many attacks have already been found, e.g. DoS, location tracking, SMS interception, data interception. Many attacks have been seen in practice, but not all attacks are understood and not all attack avenues using the IPX network have been explored. This presentation shows how the S9 interface in 4G networks, which is used for exchanging charging-related user information between operators, can be exploited to perform fraud attacks. A demonstration with technical details will be given, along with guidance on practical countermeasures.
Dr. Holtmanns. Thanks a lot. I'm quite happy to be here and to see so many people interested in mobile phone security. So the talk will basically have two parts, because most of you are actually not from the mobile phone industry, so I will explain to you how business is done in the mobile phone industry, what we are facing there, what we are seeing there. In the second part of the talk I will talk about the real attack scenarios; we will go into Wireshark protocol details and so on, so we will have a sort of split talk. All right, okay. So I'm from industrial research. No, you haven't seen a small advertisement? No, you will not,
but industrial research has some advantages. I went to industrial research instead of academia because I really wanted to do real stuff, and the advantage I get is that I really get to see the customer data, I see the pcap files, and also, when I understand the stuff, I can go to the product units and tell them: hey, please do it differently. So I really can make an impact and change things. On the downside, I cannot go to a talk like this here and say the industry should fix this; no way, I will get beaten up. I need to come up with all the solutions, and solutions that can be worth the money. I cannot just say, well, reinvent mobile phone networks; that's not an option for a chief financial officer, so I cannot come up with those kinds of solutions. Also shareholders don't like that. So I have to come back with ways to fix things without really fully breaking them. So that's industrial research: on one side there's a bit of a plus to it, on the other side I also have to think about the financial aspects. So let's go into the technology
a bit. So, roaming. Many people here are,
let's say, from Asia, so you have subscriptions from China Mobile, from Airtel, from MegaFon in Russia or Telenor in Pakistan, but you are here in the US, which means that you most likely connect to AT&T, Verizon, T-Mobile or Sprint. And I'm from Finland, which means I have a subscription from Elisa, but there are also Telia and DNA. So the idea is that you switch on your phone, you go to another country, and it works. And it's actually very surprising that it works, even if you don't think about it: these are different business entities, in different countries which potentially don't like each other, and still it works, anybody can call anybody. And this is due to the so-called roaming network or interconnection network. It's a big network; on the slides you see the main undersea cables, and it's very, very big. There are some hops, for example in Great Britain, some hops in Frankfurt, some hops on the west coast and on the east coast. And the routing through this network is based on pricing, on the money: the cheapest route wins. So this is actually how the network operators communicate with each other when you set up an international call or any sort of communication. And you can think about it: there's no single controlling entity, which is the most interesting point. There's no government agency controlling all of that; they are all independent, all different governments, everyone has its own regulation. So it's a very mixed network. So when you switch
on my phone, yeah, it connects probably to some of the antennas; I suppose that most of the hotels here have some base stations, some antennas on top. And then it goes to the local core network of the operator here, a big bunch of servers, AT&T or Verizon or whoever I connect to, and they don't know me: who is this strange somebody from Finland, okay, can we give that person service? So what happens then: they basically send a message, first to the UK over this undersea cable, and then from this IPX carrier most likely to Frankfurt, and then to Finland. And in Finland my home network says: yep, corporate subscription, data flat rate, don't worry, it will be paid, and also checks the authentication credentials. So we will come back to that picture later on when I go through the fraud attack. So
let's talk a bit about this network, this secret network. So to understand the security problems that we face there, you need to understand basically where this network is coming from. This network was invented in the Nordic countries in Europe, and we do business there slightly differently; I will sort of show that.
The business meeting in Finland: it's actually from Kauppalehti, and it's really a business meeting, a young entrepreneur meeting; in that case I had to get the copyright for that picture from the newspaper. But I'm pretty sure that the first Nordic operator meeting in 1981 was looking like that, I'm a hundred percent sure, or at least it's too close to the truth. So Finland, Sweden, Norway, Denmark and Iceland had pretty serious problems: they wanted to talk to each other, to exchange vital information like the temperature of the sauna, or that it'd be already cold. So they had really serious issues, so they decided: let's set up that our networks talk to each other. And then they were going into some technical problems, sort of okay, on the
undersea cables that were needed, and still worrying about beer. And then they were to
look, let's get down to the details. I've been in such meetings myself, so they are really like that; it's actually no joke. So they were discussing then: okay, protocols are needed; do we need security? Not needed, we all know each other, we are just five countries. And so that's how basically this network was instantiated. That was about 35 years ago and it was built on trust; a lot of stuff in the Nordic countries works on trust. They had the Signalling System Number 7 protocol, and that was used for the communication between the networks, and nowadays we move from Signalling System 7 to 4G protocols like Diameter. So, summary:
five Nordic operators, companies. Oh, and it's a very mixed membership. So you have, for example, this here from Amazon; that's where they send you a one-time password via SMS, so this is an SMS aggregator, as they are called: they send user messages, so they are connected to the interconnection network. And also the networks themselves are very mixed. For example, there is .tv, people probably know that ending; it's from Tuvalu. Tuvalu is an island in the Pacific, it has a telecommunication network, and they have 47 employees and 1300 subscribers, and they are probably happy about everybody who is born there, because then they have one subscriber more. On the other hand we have, for example, China Mobile, which has roughly half a million employees and 873 million subscribers. So it's quite different from the homogeneous structure in the beginning, where basically every Nordic country has about 5 to 7 million people. So we now have a lot of different entities in there, and I'm pretty sure that Tuvalu Telecommunication doesn't have a lot of security experts, maybe one if they are lucky; China Mobile probably has money for some more. So, well, and the network itself is nowadays a mix-and-match of everything, as we had in the morning talks, or yesterday in the Qualcomm talk. And in 2014 we had our first major incidents; security awareness basically started then. And now you might think: okay, I'm not roaming, I'm not traveling, why should I care about it? So, well, I'm sorry,
because with all those connected IoT devices and self-driving cars and webcams and whatever, they use cellular stuff. So there we are, we need this kind of thing; also emergency call systems and so on. So you are always reachable from the interconnection network, just in case somebody wants to call you: one of your friends is going on vacation and wants to call you, so you're always reachable from this interconnection network. So, security. Let's go first sort
of, who would hack this network? Oh, nobody would hack this network, why should you? It's the IPX network, okay. There are a lot of different types of hackers; in this talk we will focus on fraudsters, but the other ones are also sort of in the industry, so we have had some in there. The first one in the corner is location tracking, something like a "track your spouse" service. The one below is where they were getting one-time passwords for the banking cards in Germany; actually that operator was quite quick, within a couple of hours they noticed that something fishy was ongoing and managed to stop that, but of course it got into the press and then some damage was done. But actually they were quite quick compared to other incidents. So then there are governmental agencies; I think in the morning we had a long talk from the NSA that everybody else hacks the mobile phone network. I'm afraid they also do this; this is also GCHQ, that is the UK agency, but I also get logs on my table and I've seen many other countries. But on the other hand you never know exactly where the attacks are coming from: you see an IP address and you know nothing. And then there are also so-called service companies: there are darknet service companies and there are governmental service companies, because not every government develops the offensive stuff themselves; they also very often just buy it from third parties as products or services. So these guys you find in that interconnection network. So these are the attacks that exist nowadays for SS7, and that's location tracking, eavesdropping, fraud; you know, the servers, the cryptographic key, safe data session, that's actually GTP and not SS7; and SMS interception, probably the most important, because that means that these are your one-time passwords for WhatsApp, for Telegram, Facebook and so on. So, but it's important
to understand that not all networks are equal. Some have protection measures in place, some have nothing in place and some have something in place. So you start wondering: okay, if that's a closed and private network, how do those guys
actually get in? Well, we saw you can rent it as a service; it's not so expensive, so you just go to the darknet and rent it. You can rent fraud, SMS interception for example, or voice interception. Some governments have a very close relationship with the operator; you must remember that the government approves the license and the spectrum, so if the government doesn't like the operator, the operator doesn't have a license to operate and make money. So basically some governments use this to get access to the IPX network, or sort of convince them. The other way is: sometimes you see nodes, mobile telecommunication nodes, which shouldn't be on the internet, but they are on the internet. You can find them in Shodan if you know what you look for. Nobody put them on the internet on purpose; somebody just put them on the internet because they wanted to put a web server on it, or they wanted to work remotely from home and wanted to have some convenient access because they didn't want to be 24 hours in the office. Another way is to become an operator; that's a pretty cool thing. You go to an existing operator and say: hey, I want to become a virtual network operator for, mmm, logistics fleets, let's say Hertz or some rental car agency or something, and you want to be a sort of service provider in Europe. They have to give you access then, because otherwise it's anti-competitive; this is an antitrust thing, so for competitive reasons they have to give you access. And then of course the classical ways: you can bribe an employee, you can do social engineering and so on. So, well, you might say okay, this is all press and this is not true, but actually this year I found something very interesting. I did that search in June; that's from Shodan, and that's a scanner that crawled through the internet looking for nodes that talk GTP. Now you need to know that GTP, the GPRS Tunneling Protocol, is really just a telco
protocol; it's really only spoken in telco, nobody else on the internet speaks GTP. And it has a lot of ports open like that. So I've been discussing with my colleagues: look, is there a legitimate reason they can think of why this thing would be on the internet? And we couldn't come up with an idea; maybe somebody has a smart idea, but well, at least nobody in our unit had a good idea why this would be on the internet. Okay, now we move
from the old protocol, SS7, to the new protocol, and you can ask: okay, new protocol, everything is better, we no longer have any problems? The new protocol is Diameter, LTE. In this talk we will focus on the fraud part, but it can very easily be used for denial of service, because if you can improve somebody's service you can easily, the same way, put it down. When I switch on my
phone, I said, I connect to this antenna, and then the local operator in the US basically wants to know if I pay my bills, what kind of services I'm allowed, whether I'm allowed to have 4G or not. So what they do then: they contact my home operator over the S9 interface and ask for the quality of service rules that I have and for the policy and charging rules. So now a core network; don't be too afraid of it, it
looks awful. But we will only use those nodes which I just highlighted here; my colleague Nisha, who is not able to come today, will talk you through it in a minute. So these are the nodes, and the other ones we will not talk about, just ignore them. Sorry, you still have quite some nodes there, but mobile networks are extremely complex, and this is only 4G; now imagine that you have all the other types of network also plugged into it. So this is actually the network we also use for testing. As I said, I work for a company, and we cannot just roll out software to our customers: if we screw up their network they don't make money, and they are very unhappy with us if they don't make money. So what we have are internal test networks, and this is some software of it that we use for testing software rollouts, so that we are sure that we don't screw up our customers' networks. And that we used also for testing of this attack. So this is
here the LTE emulator. This is an implementation of an LTE network designed by Nokia as per 3GPP specifications. This is the basic architecture of EPS. The UE, the user equipment, is connected to the eNodeB, the base station for the LTE radio. MME, the mobility management entity, handles signaling related to mobility and security for the UE's access. HSS, the home subscriber server, is the database that contains user-related and subscriber-related information. SGW, the serving gateway, serves the UE by routing the incoming and outgoing IP packets. The PDN gateway is the point of interconnection between the EPC and the external IP network. PCRF, the policy and charging rules function, supports service data flow detection, policy enforcement and flow-based charging. The Diameter S9 interface is between the H-PCRF and the V-PCRF, responsible for PCC rule installation, modification and removal. Okay, to make it less painful, my suggestion would be that you focus on the S9 and the PCRFs; it's basically everything related to policy and charging. So the policy and charging rules function, this box, controls basically what you are allowed to do or not to do in your network; basically it interprets the rules on what kind of activities and services you can use with your subscription. All the other nodes in there also have tasks, like database, mobility and IP assignment and so on, so basically you can just ignore them for now. So focus on the PCRF, that's where it regards charging. And so, sorry,
it shouldn't start again. So basically you can think about the IPX: all those networks with their nice infrastructure connect to each other via the IPX, using the S9 interface to communicate these kinds of charging-related things with each other. Diameter is currently rolled out in these IPX networks, and S9 is not the most common interface; the most common interface is the S6a interface, but still S9 is a roaming interface and it's critical in the sense that if something goes wrong there, it directly relates to monetary aspects and potential loss of money. Sorry, thanks.
So basically here's the summary of it, and we will talk here about this S9, where we talk to the rest of the world. That's how the emulator looks. Nisha will briefly show you the emulator and the different nodes, of which the most important is the PCRF. These are the
highlighted nodes: UE control plane process, UE user plane process, eNodeB control plane A and B, eNodeB user plane, MME, serving gateway, HSS, PCRF, PDN gateway. The UE is connected to the eNodeB through the attach procedure; as soon as we attach we can see the IMSI number of the UE on all the nodes, on HSS, PCRF, PDN gateway as well as on the SGW. So that's basically the emulator we use, with all the protocol nodes in there. And this is actually the normal message
flow; remember the picture with the flags. So basically first the visited network, in this case it would be the US, asks my home network: okay, does she have credit, yes or no, and what kind of service is this person allowed to use? This is then the CCR message, a Credit-Control-Request, and then the Credit-Control-Answer. These are standardized public documents; everybody can read them, they're on the 3GPP servers. Then the home network can do, it's optional, it doesn't need to, but it can send a Re-Auth-Request, and basically this is for example useful in the case that my subscription has been cancelled because I've been laid off because I gave a speech at DEF CON. So for this case the home network can send a Re-Auth-Request and say: ha, cancelled, switch it off. So this is the purpose of the message; that's how it's supposed to work, but we will show now how we basically can tweak that into a fraud attack. So what is a PCC? That's policy and charging control. Everybody in this room has a PCC; it defines everything about your subscription: the data types, the data rate, what kind of cellular services you use or not. For example for kids they might have a subscription without data, or things like that; that's all nicely defined in this PCC. And for example, I work for a company, so I have a quite generous subscription; I work for Nokia, a mobile phone company, or not quite a mobile phone company any more, so well, they pay my bills, so no matter how much data I use, basically I have a flat rate. And this is very attractive for an attacker, because, well, company policies are complex things, so if they see it in my subscription it probably takes a while to pop up in the system, for somebody to ring somebody and say: here's something fishy, if they notice at all. But before we go into the attack I will explain something about Diameter routing, because in Diameter routing there are two ways to route, and basically if an attacker sends something and basically
pretends to be the home network and puts in the Origin-Realm, let's say, my Finnish operator, and sends it to the US, then it goes via these hops. And actually there are two ways for the answer to be routed: either it's routed by Origin-Realm and Origin-Host, which is slightly more complicated because all the intermediate nodes have to configure it, or, what also sometimes happens, it's routed by hop-by-hop ID, which means that basically the Origin-Realm element is completely ignored, meaning that somebody can very easily impersonate the whole network. I know, there's no TLS; I know, IPsec; just to avoid the question: it's not there. So it's very easy, if the routing is done hop by hop, to spoof messages. So the attack, what we
will do: we will steal a subscription, a good subscription like my subscription. It's a PCC, that's a string, and once we know this string, this key string, we will update another subscription with this string. So basically that means we upgrade the other subscription to the Nokia subscription, so suddenly Nokia has an employee more; I'm not sure they're happy about that. But so that's how it goes; remember, IPX was designed without security, and we have two possibilities. One is we pose as a home network, so if
there's no proper configuration there, which is sometimes the case, yes, you can pose as a home network and send messages to my home network as the attacker. And for that you need the IMSI. I will not go into details of how to catch the IMSI, but you might have heard of Stingrays, I think they are commonly used in the US; then there's the possibility to get them from a wireless LAN access point, that was shown at Black Hat 2016; or you can request it also from this interconnection network with an SMS trick: basically you claim you have an SMS that you want to deliver and then you get the IMSI. So there are some ways to get the IMSI; we will not go into how you get it. For the tests we actually had a false base station in Helsinki and we were testing it; it works nicely. Before any questions come: it's legal, yes, we are even an operator, so, just to avoid questions, we just did it on site on our test site. So what we will do: we send a Re-Auth-Request with the IMSI and then we will basically say we want to have the PCC, and here's how it works.
Yui is attached then be pcrf triggers the re that is reallocation request message the HP CRF replies with Rea that is every authentication concern the message can be captured and viewed Wireshark okay and that's and you are
Okay, yeah, yes, Wireshark. In Wireshark we can see the Diameter packets; the body comprises the quality of service and charging rules, respectively. Okay, I see, that's a bit small actually. Just above the blue line, the one that's moving right now, the highlighted lines are the PCC rules for UE1, which can be seen in the Diameter capture.

So what we basically know then: we know the key strings that are behind my subscription, all the yellow-marked strings. So these strings define actually what services I'm allowed to use or not to use. So these strings are the key strings, and we don't actually know what's behind them, but we don't need to know, because you just know: okay, a company employee, they pay. And the next step is then to push these strings to a new subscription, and basically upgrade the subscription, and that's how you are upgraded. So what you do is, over the S9 interface, you say "quality of service rule install", and you don't even need this Diameter routing trick, because you just want to push something and want the receiving network to install the stuff, and that's what it's supposed to do. So, as I explained, this message is usually for the case that my subscription is cancelled, or something on my subscription changes, and the home network wants to inform the other network that the service has now changed. So it's supposed to do that. And there's another one: if you go abroad, then in the network there, when you go abroad, your quality of service or your services are changed; that's the other trick. So there are two scenarios basically for the attack: one where in the home network the stuff is changed, and one where in the visited network the stuff has changed. And that's how it looks after changing the PCC rules for UE1: then the PCRF triggers the RAR message again, and you see the change to the PCC rules through the Wireshark capture. And here's a very short one where you basically can't see much, where you can see it... well, let's see. Here we have the latest RAR message packet and we can see the changed PCC rules; here we have captured the latest RAR message. Okay, sorry, that was an animation slide.

So basically that's a screenshot of the change. In the top you see that the numbers are different, and in the bottom we set them all the same, so actually that's more a denial-of-service type of attack. But we can switch it one way or the other way, it doesn't matter; basically we just need to know what the strings look like, and we can sort of put them onto any subscription as we like. So we can do denial of service or we can upgrade a subscription, whatever we want to do.

So what does it mean? The attacker can offer better services, in the sense that he upgrades basically somebody's subscription, shifting the cost to somebody else and letting somebody else potentially pay for the phone bill. There's also this reselling opportunity: as I said, if somebody goes abroad, you can sell basically free data for somebody going abroad. In Europe this is not so interesting, but, let's say, between the US and Canada, I heard, or let's say to the Caribbean, where the costs are sometimes very high for roamers, that might be interesting; or if you go on a cruise, they are famous for robbing people. So for users, that might be that you're billed for something that you actually didn't do. And particularly for company subscriptions this is very critical, because they often have a large number of people and they might not be able to keep track of everybody, so that's an issue until this is found. For the operator, that means there could be bill disputes, loss of corporate customers. And also remember, this way the messages were routed through the UK and Germany and so on; each of those guys in between gets a bit of the cake, so each one of them gets a bit of money for messages and so on, and for data traffic also. So if there's fraudulent data traffic usage, those guys in the middle still want to get their money, believe me. So it's really bad, in the sense that you might really [lose] money on it.
Countermeasures. I said in the beginning, I don't have the luxury of saying "hey, switch it off" or "build a network from scratch"; that doesn't work. This is a huge network, it has cost a hell of a lot of money, and also we just have to acknowledge the realities: this is a Tuvalu operator with 47 employees, or 1300 subscribers; I cannot expect those guys to pay a lot of money for a very specific security feature. And also there is no central authority which could regulate everything. The US is regulating somewhat, in the form of recommendations, but in the morning, for example, in the DHS talk, we heard already basically a plea for help, because all these are privately owned companies, and for them it's a risk question: the risk, how much something costs, and how much they have to spend on it. But on the other hand there are some countermeasures which sort of kill a lot; they might not be a hundred percent foolproof, but already help a lot. So actually the operators themselves in the GSMA, that's the operator association, have thought about these things, at least to some degree.

So in particular for this attack, the S9 interface: well, you can use IPsec. Diameter runs on top of IP, so you can use it with trusted partners directly, and not with all these hop-by-hop thingies. That's at least very useful for partners which have a lot of interaction; I suppose that there's a lot of interaction between the US and Canada, for example, or the US and Mexico. For those communications it's quite worthwhile to set up this IPsec tunnel. I'm not sure it's worthwhile setting up an IPsec tunnel to Tuvalu; it's probably not worth the effort, so for those kinds you might just say, okay, I take the risk. Then, the S9 interface should only be open if it's really needed; might be obvious to IT people, but for telcos that's not so; we are still sort of learning a lot, let's put it that way. Then, on the routing part, to make the attacker's life hard, the routing should be by Origin-Realm and Origin-Host, not Hop-by-Hop ID.

Then there are things that are more telco specific: the IMSI range. Remember, the IMSI is the user identity in the mobile network; it's not your phone number, it's the IMSI, and each operator has an assigned range which it is supposed to use. So you can basically check if this is really from that operator or not. This avoids, for example, this kind of [inaudible]; it makes it harder. One important thing is also to check that you don't get messages which seem to come from your own nodes. Another one: logical separation in the nodes of your visiting incoming roamers and your home subscribers, so to have them separated, and not just a request comes in and you just execute it, with no feeling if it makes sense or not. And then there's the location distance check, where you can basically check if somebody can physically be here: so if two minutes ago I had the last location update in Finland, I cannot have, five minutes later, a charging message here in the US; it's just not feasible. And then there is sort of more advanced stuff like fingerprinting partners, so you can take the traffic, throw it into very nice machine learning, sort of magic, because each partner has a specific way to send messages, to configure them, which features they support, and so on, and by that you can sort of fingerprint the traffic. And these flows you can easily then sort of identify and see if there's something strange in there, and at that moment you can sort of raise some flags. So this is not rocket science, but it helps a lot, and it can be put on a running network without sort of too big costs.

For normal users: check your bill and keep an eye on the news, that's my best suggestion. For corporate users in general, I think security should be something like bandwidth or coverage, because it's a quality thingy. Security doesn't come for free; I'm paid, most of you are somehow paid, so we don't work for free, we are experts in our fields. And it's the same with bandwidth: the people who blow up the bandwidth and invented 5G, the radio part, they get also paid. So I think it's a quality indicator and it should be part of business contracts, because if something goes wrong it usually costs money. So this is something very important to understand, and also sort of, if things go wrong, that there are also some punishments for not investing properly into security. And the GSMA has recommendations with more details, if operators are interested in it. And that's basically the end of my talk. This has been partially funded by the EU; they do this kind of research. And with that, thanks a lot. [Applause] So I can take some questions. This demo... that is not gonna work. Come.
Hi, I was wondering about the billing. So you mentioned that this could potentially be billed to the company or to a different subscriber, but it looked like the only thing that was being changed was the level of service given to a different user, right? Yeah. So how does it affect the billing of someone else?

So the question was about sort of how it affects the bill of somebody else. If you are in the case where you have group subscriptions, like corporate, then it affects somebody else's bill, but it can also sort of, I could upgrade or downgrade your subscription, basically to a denial of service attack. So that's the other way around. But for somebody else's bill, that would be the corporate case, and the individual case would be denial of service basically, so I could basically keep downgrading you to 2G forever. Yep.

I was just curious, how persistent is that change, like when would that get reset?

The question was how persistent is that change. Let me think. For the visited case it would be persistent for the time that you are abroad, the time until the handset is unregistered in the foreign network. For the whole network, that's a good question. Yeah, it would be needed, sort of, to distribute it through the network to be persistent. Yes, it's just sort of quite a pain. Yeah.

What's the fastest mobile network speed you've seen on a phone, or just in general?

I don't measure the network speed, mostly; I'm looking more at security at the backend. So thanks a lot.
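The countermeasures the speaker lists for the S9 interface (trust by Origin-Realm and Origin-Host rather than Hop-by-Hop ID, rejecting messages that claim to come from your own nodes, checking the IMSI against the sender's assigned range, separating inbound roamers from home subscribers, and the location distance check) can be combined into a small admission filter in front of a PCRF. The following Python is an added example, not code from the talk or from any operator: the realms, hosts, IMSI prefixes, coordinates and the 1000 km/h threshold are constructed sample values, and the messages are plain dicts standing in for decoded Diameter AVPs rather than real Diameter encoding.

```python
"""Added example: admission checks for an incoming S9 Diameter request, after the
countermeasures from the talk. Messages are dicts standing in for decoded AVPs;
every realm, host, IMSI and coordinate below is a constructed sample value."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed roaming partners and the IMSI prefixes (MCC+MNC) assigned to each.
PARTNER_IMSI_PREFIXES = {
    "epc.mnc001.mcc244.3gppnetwork.org": {"24401"},    # sample "Finland" partner
    "epc.mnc010.mcc310.3gppnetwork.org": {"310010"},   # sample "US" partner
}
# Constructed identity of our own network; nothing arriving over the IPX may
# carry one of our own nodes as Origin-Host.
HOME_REALM = "epc.mnc099.mcc999.3gppnetwork.org"
HOME_IMSI_PREFIXES = {"999099"}
OWN_HOSTS = {"pcrf1." + HOME_REALM, "pcrf2." + HOME_REALM}
# Constructed (lat, lon) per network, used for the location distance check.
REALM_LOCATION = {
    HOME_REALM: (52.52, 13.40),
    "epc.mnc001.mcc244.3gppnetwork.org": (60.17, 24.94),
    "epc.mnc010.mcc310.3gppnetwork.org": (38.91, -77.04),
}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: no handset moves faster than this between networks


@dataclass
class LastSeen:
    """Where and when we last had a location update for a subscriber."""
    realm: str
    seen_at: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def imsi_owner(imsi):
    """Realm whose assigned IMSI range contains imsi, or None if no known operator's."""
    if any(imsi.startswith(p) for p in HOME_IMSI_PREFIXES):
        return HOME_REALM
    for realm, prefixes in PARTNER_IMSI_PREFIXES.items():
        if any(imsi.startswith(p) for p in prefixes):
            return realm
    return None


def check_message(msg, last_seen=None):
    """Return the list of reasons to reject msg; an empty list means it passes."""
    flags = []
    realm, host, imsi = msg["Origin-Realm"], msg["Origin-Host"], msg["Subscription-Id"]
    # 1. Authorise by Origin-Realm/Origin-Host, never by the sender-chosen
    #    Hop-by-Hop Id: the realm must be a partner and the host must belong to it.
    if realm not in PARTNER_IMSI_PREFIXES:
        flags.append("Origin-Realm is not a known roaming partner")
    elif not host.endswith("." + realm):
        flags.append("Origin-Host does not belong to Origin-Realm")
    # 2. A message from the IPX side that names one of our own nodes is spoofed.
    if host in OWN_HOSTS or realm == HOME_REALM:
        flags.append("message from outside claims to come from our own node")
    # 3. IMSI range check plus separation of home subscribers and inbound roamers.
    owner = imsi_owner(imsi)
    if owner is None:
        flags.append("IMSI is outside every known operator range")
    elif owner == HOME_REALM:
        # Our subscriber roaming out: a change of serving network since the last
        # location update must be physically possible in the elapsed time.
        if last_seen is None:
            flags.append("no location record for this home subscriber")
        elif last_seen.realm != realm and realm in REALM_LOCATION:
            km = haversine_km(REALM_LOCATION[last_seen.realm], REALM_LOCATION[realm])
            hours = max((msg["received_at"] - last_seen.seen_at).total_seconds() / 3600, 1e-9)
            if km / hours > MAX_PLAUSIBLE_KMH:
                flags.append(f"implausible move of {km:.0f} km in {hours * 60:.0f} min")
    elif owner != realm:
        # Inbound roamer: only their own home operator may change their rules.
        flags.append("IMSI belongs to a different operator than the sender")
    return flags


def demo():
    """Run four constructed S9 RAR messages through the checks; returns {name: flags}."""
    fi, us = "epc.mnc001.mcc244.3gppnetwork.org", "epc.mnc010.mcc310.3gppnetwork.org"
    t0 = datetime(2018, 8, 10, 12, 0, tzinfo=timezone.utc)
    roaming_in_finland = LastSeen(fi, t0)  # constructed: our subscriber attached in "Finland"

    def rar(realm, host, imsi, minutes):
        return {"Command": "RAR", "Origin-Realm": realm, "Origin-Host": host,
                "Subscription-Id": imsi, "received_at": t0 + timedelta(minutes=minutes)}

    return {
        # the network the subscriber is attached to pushes rules: passes
        "legit": check_message(rar(fi, "vpcrf." + fi, "999099123456789", 30), roaming_in_finland),
        # a "US" network claims to serve the same subscriber five minutes later
        "teleport": check_message(rar(us, "vpcrf." + us, "999099123456789", 5), roaming_in_finland),
        # sender names one of our own PCRFs as Origin-Host
        "own_node": check_message(rar(fi, "pcrf1." + HOME_REALM, "999099123456789", 30), roaming_in_finland),
        # "US" partner pushes rules for an IMSI from the Finnish partner's range
        "wrong_range": check_message(rar(us, "hpcrf." + us, "244010987654321", 30)),
    }


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, "->", flags or "accepted")
```

These checks are the cheap kind the speaker describes as deployable on a running network; they complement, rather than replace, direct IPsec-protected Diameter peering with high-volume partners, and a partner-fingerprinting model would sit behind them as a further layer.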