applause
Karsten: Thank you very much
and a very good evening.
We're here yet again to talk about mobile
network attacks, and we're going to give this talk
a somewhat different spin.
Instead of focusing on giving out new vulnerabilities,
and then hinting at how a fix could be,
and suggesting that somebody else would be
responsible for implementing these fixes.
We wanna look at those later stages of the
attack evolution today.
And make sure we don't keep re-creating new
results while old ones are not being resolved yet.
Rest assured there will also be new attacks.
We need to deliver on that every year.
But we want to make sure specifically, to introduce
some dynamics that help everybody,
for networks to become more secure.
My primary goal today is to enable all of you to help
with that evolution, and to do some of the research
that we've been doing in Berlin so far, all over the world.
There will be a couple of tool releases, and a
couple of, hopefully, evolution drivers
In the end, for us security researchers to be successful in
making the world better, we need industry.
As painful as that sounds, we need somebody to put
in a fix, and we haven't been very good
about keeping check on those people that need to put
in fixes for the research that we've been doing
over the last couple of years, and we're going
to complete the picture today.
by talking a little bit about what networks have
been doing around research in two areas.
SIM card attacks, a topic of this year where networks
found themselves in a critical situation
at risk of large parts of the subscriber base being
remotely infected, not in the phone, but in the SIM card.
So there has been fruitful discussion with industry,
and lots of responses, but not enough.
Much more so around GSM intercept, a topic that
probably the NSA discussions have moved
into everbodys mind again, but one that was really
luring for a decade now, that anybody can
intercept your phonecalls at any time.
and again, here we want to check on the network
operators, and make sure that they are
forced into putting in the protection that we deserve.
We first discussed SIM card attacks publicly in August
of this year, after a few months of
responsible disclosure, and we found
a combination of three vulnerabilities,
that led to a potentially terrible situation for networks.
The first fragment that we found was the ability
to send binary text messages from one subscriber
to really any other subscriber, so networks
allowed traffic that has no place to be routed
through networks, there's no such thing as network
neutrality in mobile networks of course,
they shouldn't be routing internal management applications through what basically is
the IP space, or the phone number space of subscribers.
The second thing we found is that the services that
these messages reach on the SIM cards are
often badly protected cryptographically. In particular
we were finding lots of cards that used DES keys
56-bit from the seventies, that has long been
phased out in pretty much any other application.
SIM cards still use old keys like that.
And thirdly we found that applications you
could install through those DES keys
can break out of the sandbox of the Java protection
parameter, and then access all kinds of data
on the SIM card that no Java was supposed to access.
And combining those three made for a remote
SIM cloning vector at massive scale.
And networks raced to fix those on at least
two of the three layers.
They put in filtering so the network, the SMS
messages would not reach the phone any more.
And they upgraded DES keys to triple DES keys.
But most networks left it at that without really
thinking through the problem and without really
understanding the root causes of what
made the SIM card so vulnerable.
So I want to go into the first two categories, since
the third one wasn't adressed even until today, and
show how the industry response
was in large part insufficient.
And I shouldn't generalise as I do now, because
some network operators have responded very
responsibly, but by and large networks shrugged
us off or put in quick fixes and then moved on to
their daily business of making networks faster
and faster and faster, but rarely more secure.
So let's look at filtering first, and what
goes wrong with filtering.
Networks, many networks started filtering at
around the time when we presented this publicly,
around Black Hat and OHM camp, and they put in
one specific filtering rule that was not surprisingly
the exact message that we used in demonstrations
at Black Hat and at OHM to demonstrate this
class of vulnerabilities, but did not understand
how much broader the vulnerabilty class is.
So to put this in a comparison to computer security,
if you tell somebody that they have a problem in a
TCP stack, let's say in the linux implementation,
and you demo it by sending packets to the ssh daemon,
the fix that they implemented is to block port 22, not
understanding that of course this exact same
vulnerability is also present on any
other exposed TCP service,
And there's bunches of ways to format
an SMS to reach the SIM card.
Some have come out of the standard, others are
just fragments of wrong implementations on phones.
In particular some recent android phones will
route pretty much anything to the SIM card.
and that's pretty convenient, because the SIM card
will look at the message and then discard it, if it's not
properly formatted for a SIM card.
So the implementor of the android
phone took the easy way.
Just put everything to the SIM card, it will
decide what it wants and what it doesn't want.
Of course with a phone like that no level of network
filtering, no filtering whatever TCP port will protect it,
Since normal user messages sometimes
get forwarded to the phone.
So the industry response was a bit insufficient here
and we'd like to see more testing of networks
and when we talk about tools we will perhaps
enable you to do exactly that type of testing,
The second area where the industry response falls
way short of understanding the problem,
again I'm generalising here, is that the
configuration of the SIM cards.
We did discuss the problem with DES keys, that you
can break a 56-bit DES key in a minute or so using
a rainbow table, and that of course, this is terrible
if those services are reachable remotely.
And networks then went in to look at
configurations, and lot of them came out
saying "We made sure everything is
triple-DES on our SIM cards"
or at least a few places there was still DES in older
profiles, we patched them to now be triple-DES.
Again that falls way short of
understanding the core issue.
Here's a bit of technical background so you can
appreciate what's going on in the SIM card.
There's a collection of keys, up to sixteen keysets,
and each keyset can have keys for signing and
encryption and so forth, and those keys have
a specific type, DES or triple-DES for instance,
sometimes even AES on very new cards.
And then there's applications on the SIM card
and these applications, there's up to sixteen million
application identifiers.
Of course no sixteen million applications fit on a card,
so some of these are present on
every SIM card, and the application gets to
choose which keys get what level of access.
And what seems to have happened in August is that
the networks go through this first application,
the standard application and make sure that triple-DES
keys are required for signature or encryption or
better, even both. And then the DES keys they
had there, they upgraded to triple-DES.
However we find in a surprisingly large number
of SIM cards the following situation:
One of the other sixteen million applications says
we use this keyset, but we require none of it.
So you send a command to that SIM TAR specifying
this keyset, and you're not required to do
signatures or encryption.
And at that point it doesn't matter if you use triple-DES
or AES or whatever algorithm, this SIM card
will accept any command sent to it.
And again that kind of being obvious to check for
when you're going through your inventory of
SIM cards, but that requires a deeper level
of understanding of these attacks than most
operators seem to have developed for this issue.
So I hope this again helps to carry the point that to
drive the co-evolution of attacks and defenses,
industry is required to think through the attacks and
understand what exactly the attack parameter is.
To make sure it gets across very visually now, I'd like
to get Luca to demo the attack as we think
it would play out in the real world.
and just as one sentence of introduction perhaps,
this is coming from a very recent SIM card
one that we picked up when we started playing
with the iPhone 5 as fingerprint reader.
It's just an US SIM card, and Luca,
what are you going to do now?
Can you switch on his microphone please?
Luca: Ok, so as Karsten said we found this
particularily interesting SIM card and
the last one we found was very recent, it's a
nano SIM and it goes into an iPhone 5.
I'm going to show you what can we do to
bypass the filterset operators have now.
So we put it into the phone. I have here a BTS,
that emulates the real operator network.
Karsten: Of course that's a default way to bypass
any type of filtering that the real network may be
Luka: So now the mobile is connecting, and I'm trying
to show you better, my BTS is sending some SMS's,
as soon as the mobile is close to the BTS, and
it tries to register, because it thinks it is
the home network, I send my application, that
is completly installed without any warning,
or anything on the iPhone.
umm
I want to show you something here, so this is the
first command and it's a delete, since I've already
installed the application many times, I first delete it.
and then I install it again.
Karsten: So this is remote application management.
On a recent SIM card, that requires
no security whatsoever, you can put in
whatever Java software you'd
like to run on this SIM card.
Luka: Ok, so it's finished, took a couple
of seconds, ten seconds, I dunno.
and now the SIM card is infected with a malware,
that every five minutes sends the current location of
the user to the attackers number.
Since the iPhone doesn't show anything, I'm
going to put this SIM card into another phone,
so you can see it better, and you can also
have a proof that it's on the SIM card.
It's not very easy with the nano SIM
into a normal phone.
so this is the other phone, I have a ok..
Karsten: So the virus stays with the SIM
card (when moved to) another phone
Luka:I'm going to turn it on now.
Yeah.
Hopefully it will register to the home network.
Yeah.
Karsten: Is it still set to manual?
Luka: Yeah, it did register.
Yeah,
So we are actually replaying the
attack again, just for fun.
Karsten: Oops.
Luka: [sigh]
Karsten: Bear with us, this is a complex demo
lots of moving parts.
Luka: What I can do is delete the SMS
Luka: So is it showing someting now?
Ok, I'll just try again.
Oh, actually I have a better idea,
so now I stop my fake BTS
Karsten: yeah, better connect to the real network.
Luka: and I let it connect to the real network.
Okay. Let's see.
Karsten: You're confident the virus
got deployed the second time?
Luka: Umm, that's actually a nice...
Okay, yeah that was a.
Karsten: Ok, lets come back to you
in a couple of minutes then.
When you've prepared this, but everybody
got the idea roughly right,
what should have happend; He's catching
the phone or any of your phones really,
he can test for vulnerabilities by sending
SMS, hundreds of them, not sixteen million,
he has to prepare a little bit, know where
a vulnerability could be, and then once
he finds an unprotected application, he just sends
a bunch of binary SMSs and combine that Java file.
and that java file installs on the SIM card and
it stays installed on the SIM card,
and it will every five minutes send the
current location via SMS to his number,
or do any other thing that the Java on
the SIM card is allowed to do.
It could even try to exploit the other parts of the SIM
card through that unpatched Java vulnerability that
a lot of these SIM cards still have.
Installing the virus again?
Luka: It's installing again.
Luka: This was just the best case we found so
you can actually install an application inside the SIM,
in case this is not available, another choice is just
reading the current ciphering key from the SIM.
Karsten: Yeah, so there's a lot of these..
Luka: So this is the message I was waiting for.
Karsten: So this older Nokia phone is the only phone
we ever found that asked whether you allow your
SIM card to send anything back to the attacker.
The iPhone just does it by default without asking you.
Luka: Press yes.
applause
Luka: Oh it's a bit small there. I try to copy
Karsten: Did you want to show more Luka?
Luka: Yeah the phone now sent the SMS to me,
and I want to show how it looks like, so
hmm no.
Something like this? Nope
sighs
I want to enlarge this, so in this little field, there is
the current network, the location area and cell-ID.
So basically it's a very precise location
information about the user.
applause
Karsten: thank you.
applause
Luka: And the best is that this message is not filtered by the operator since it's a normal text SMS.
So it goes through.
Karsten: So a persistant virus on a modern SIM
card, I think that's what was needed to
give the industry another nudge to
deeply understand this.
Now to create some further nudges from you all,
and to fulfill that goal that I stated going in,
to enable everybody to do these tests yourself,
we wanna release a tool today that condenses all
the SIM card knowledge that we collected
over the last couple of years.
It's an open source tool, written in Java, that was
the easiest to speak to SIM cards with, and it tests
for all the vulnerabilites we discussed in August,
including things like triple-DES downgrade which
a lot of operators seem to not
have understood quite yet.
But it also detects these more recent vulnerabilities.
Now scanning these sixteen million possibilites on
a SIM card, and each sixteen keys for them,
that takes a long time, and some older
slower SIM cards up to two weeks.
So one thing the tool does is pre-select these
TAR's smartly, so it only takes a couple of minutes.
It does run on a normal smart card reader,
PC/SC interface, as well as the Osmocom phone
awesome opensource project also.
We patched it a little bit to now act as a smartcard
reader. So of course it can communicate
with a SIM card.
So if you have any of those; PC/SC reader or an
Osmocom phone and a couple of minutes of time,
download the software and please run the tests,
make sure you're not affected, and if you are
be very vocal to your network operator and
demand that these things get removed.
applause
Thank you.
Looking at similar technology or similar weaknesses,
let's revisit the topic of GSM intercept,
and I'll again try to make the point that networks may
be casually interested in fixing some bugs that
they may not have fully understood, so they only did
half the fixes or not at all and again I think this is
of high urgency, understanding now how many
people are intercepting our phone calls.
Network operators are supposed to protect us on
all the frequencies we use and while 3G and 4G
bring pretty ok cryptography with longer key
lengths, most of our calls still go over 2G,
this standard from the eighties.
It's the only technology that can cover large areas,
and even in cities where the cell sizes don't
have to be so large, these frequencies have to
get used because all frequencies are full.
We have a frequency scarcity, so 2G frequencies are
certainly still used by everybody, almost every day.
and on 2G there are two different encryption
standards that are found in the wild.
There's A5/1, the first encryption cipher, the one
that was originally invented along with GSM, back in
the eighties, and then there's A5/3, a ten year
old encryption standard, that's supported by
newer phones, I would say about half the phones
in current use support this A5/3 cipher.
where the other ones will always default to A5/1.
And the network would have to support both of them
in a secure way or as secure as possible way
to sufficiently protect their customers.
Let's visit each of them in turn.
To break A5/1 with tools like the ones we released
some five years ago now, you have to have
some attack surface. It's not enough to have
a tool that can break an A5/1 packet, you also
need to know what's inside the A5/1 packet.
So for one of all these packets you have to predict
the content, you break the key from it, and
then you can decrypt the rest of them as well.
So you've got to start somewhere
to then break the rest of it.
And I believe no spy agency would have a
better way of breaking A5/1 over the air.
They also have to rely on some attack surface.
So if everything is unpredicable, it basically
becomes XOR'ing random numbers.
The GSMA and later the 3GPP, the standardisation
bodies, that tried to make the mobile world
a little bit more secure, they worked hard
some five years ago to amend standards for
this attack surface to go away.
So in a standard trace as we see it in too many
networks pretty much everything that is
encrypted is predictable, at least in the call setup.
So the phone starts unencrypted, it receives
a ciphering mode command and it will then
encrypt every single packet it sends, and also
expect packets it receives to be encrypted,
including some that actually make sense, where it
says, "Here, you phone with that TMSI, have
another TMSI", but also things are
encrypted that carry not content whatsoever, like
a null frame, that says the network is supposed to
speak now, but it has nothing to say, but also things
with static content, like these system information
messages. This exact same message was sent
maybe a second earlier unencrypted.
And once it switches on encryption the phone
expects this also to be encrypted.
Then there's messages with very little content
and again null frames. Things that bascially have
no meaning whatsoever. Assignment to certain
frequencies, there are not many frequencies
to choose from so this is mostly predictable,
and all of this is to be considered attack surface.
And there are two standards, padding randomisation,
which takes shorter messages and
appends random bytes, and SI5 randomisation which
takes longer messages but scrambles that content,
that removes this attack surface almost entirely.
The little bit of attack surface that's left is due
to vendor specific communications, and
this needs to be fixed vendor by vendor.
But by just putting in those two standards,
A5/1 calls should be protected from at least
the tools that we can think of.
Now given that this is five years ago that these
were standardised and that there is a lot of
pressure on security these days. You'd imagine
that these fixes, just tiny software fixes,
would be deployed thoroughly, however we
rarely see networks that do either of them,
and we've never seen a network
that does both these fixes.
So somewhere along the way, between the
GSMA and 3GPP who write the standards
and you as a customer, that idea got lost.
And it's not a difficult idea, to throw in some
random numbers, instead of static values,
or to take a message and scramble its contents.
These things should be pretty straight forward to
implement, and we've seen both ideas in the wild,
so there is proof that at least some vendors
have implemented these features.
However the networks do not
seem to be using them at all.
The same attack surface then would open up for
A5/3 if somebody had a much bigger computer
to decrypt it. And by much bigger
I mean about a million dollars.
So A5/3 is now ten years old and ten years
ago it seemed like a great idea to take
a 64-bit stream cipher and make a 64-bit block
cipher out of it, you don't have to mess
with key generation or anything, it becomes
much more secure, and in fact it did,
two million times more secure.
But guess who's going to spend a million dollars
to break your A5/3 encrypted call, this year right.
and not just that one agency, every agency has a
spare one million dollar to build an A5/3 cracker.
So industry took ten years to implement
this standard, and now that they do,
in Germany for instance two networks just
started this past month to roll out A5/3,
now it's already outdated.
Guess what, the next standard was developed
five years ago again. A5/4 it's called,
it blows up the key size to a good 128-bit,
it steals that from the 3G part of the SIM card,
but every SIM card these days is a 3G sim card.
So somehow we are always ten years behind
the state of the art in cryptography, and
ten years behind what even industry describes,
prescribes themselves to implement.
We want that to change, and again we want you
to help us change that by creating awareness
around where networks put in
what type of countermeasures.
It's not enough for them to standardise
padding randomisation and SI5 randomisation,
It's not enough for them to specify A5/3 and
A5/4, they actually need to deploy it.
And here's three tools you can
use to create some visibility.
The first two we're releasing today, and the
third one has always been available, there's just
an incremental patch from us today.
First one runs on an android phone and
it allows you to record network traces.
Those network traces of course tell you what type
of encryption is used, whether keys get rolled over,
whether your temporary identity gets
changed regularly, and so forth.
The second tool is basically the same running on a
linux computer, if you want to have the data for
further analysis, with the xgoldmontool,
Tobias Engel's tool.
And then the third possibility for aquiring
the same data, not just for your own phone, but
basically everybody in the cell you're connected to,
is the OsmocomBB open source project.
Sylvain put in a lot of work a few years ago
and created this burst_ind branch,
we extended it just a little bit to run much more
stable and to really help as a capturing tool.
So any of these tools now helps you to look at
what configurations your network is using,
and perhaps interpret this yourself, and to
check whether they are using the latest
encryption and what not.
We'd much appreciate if you shared some of
that information with us, and we could then again
help other by sharing this further and
interpreting the information, and to make that
even easier, we put all these tool in a Live-ISO
that you can put on a USB stick and boot
with it. That has all the tools on it, the network
measurement tools, it has the SIM tester on it,
it has all the stuff on it, catch-a-catcher to
find IMSI catchers in your vincinity.
It has an option to send data to a website called
gsmmap.org and along with all these tools we
are releasing today, a new version of the GSM
map website, much more colourful than before,
but also much more usable we hope.
So here's the new GSM map, and this now
interprets a lot of network traces that many of you
collected over the last couple of years, with Sylvains
burst_ind setup, and for those countries where
we have a little bit of data we do estimates,
these are the striped countries here,
and for those networks where we have a lot of data,
we try to track the network security over time.
So this for instance are the four german networks,
and you see how over time they actually do change
their security settings. T-Mobile for instance,
the high-flyer here, they had a big drop in
network security, intercept this is, by switching off some
of the randomisation, earlier this year, but then
after they did that they started rolling out A5/3,
so somehow they're trading in security features,
one for the other. This now on an aggregate level
tells you how secure your network currently is,
against intercept, basically spy agencies listening
in to your calls, impersonation, that is other
people using your phone identity to conduct
some transaction, and against tracking, that is
somebody following your whereabouts by electronic
means. Basically information exposed through
HLR queries remotely.
And you see how networks
differ in these catgories.
This map by the way is where contributions came
from. So a lot of these of course are collected
by us in Berlin.
But thank you so much to all of you who sent
in all these traces from all these places that
none of us have ever been to.
So it's absolutely fabulous to see what
coverage we've gained here.
Still a lot of striped and white countries,
so we hope to complete the picture, but
we need everybody's help.
And hopefully with the tools we released
today it becomes so much easier to push
data up here, that this will
soon be filled a lot more.
Now for those countries that we have a lot of
data, and that is twenty-seven countries total,
we are releasing detailed reports today
also, that interpret these measurements and
rank the networks, but also explain a little bit
of how we measure these things, but then give you
detailed technical measurements on what encryption
is used, for what types of transactions are
authenticated and so forth.
applause
Thank you.
applause
So if your country is one of the twenty-seven,
we'd love if you read the report.
If it isn't we'd love for you to download the tools
and make sure we can publish a report next month.
So these will be refreshed every month, hopefully
forever, or until every network fulfills every
security goal imaginable and then we
will shut down our website.
laughter
So that's GSM Map, the new website, and
you saw all the tools that are available now.
You may notice that GSM map does not
yet have a security metric on SIM cards.
Just because our measurements are
too sparse to paint a good picture.
We'd like to start calling out the networks that do
bad SIM card security, but again we need your help
to scan your SIM cards, and to make sure we get
some fair comparison among all the networks.
Just as a heads up, we found about in every other
network where we have a lot of SIM cards to test,
vulnerabilites like the ones we discussed today.
So there should be a good chance if you have
couple of SIM cards at home, to find at least a few
that are actually vulnerable.
And if you do you can start installing Java
on them and playing around with them.
Allright, that was everything we wanted to discuss.
A round of thank you, in particular to Lukas and Linus
who have put in many months of really hard work
to get these tools ready for release today,
they were just about ready this morning after many
months of working on them, so thanks to them.
But thanks to everybody else also, who were
involved. There's just a long list of people
who contributed a month or two of work.
Thanks to the open technology fund for sponsoring
this research and for helping us fight
bad security in the world and raising awareness
around where bad security is implemented.
Thank you to all of you for using our tools to take
this research to places that we could not have imagined.
Thanks.
applause
Herald: Thank you very much Karsten and Luca.
So we have quite some time left, so as always if
you have questions, in the room, please line up
behind the four microphones on the ground floor.
If you have questions from the web, or
if you have questions on the streams,
please write them on twitter or on IRC
and we will ask them here live in the room.
And I think we'll start with two
questions from the internet please.
Karsten: One quick...
Signal angel: Okay Herald angel: Wait please.
Karsten: One quick heads-up before the first
people start leaving, if you're interested in playing
with the tools or at least seeing them being
played with there's a workshop that will start
at six in Saal D, so if you want to see the live-ISO
and all its components and perhaps
take a USB stick home, we brought plenty to
play with, saal D is where we'll meet you in a few
minutes. Sorry, go ahead with the questions.
Herald: Okay, two questions
from the internet now.
Signal angel: So first one: there are still many low
hanging fruits, so what about SS7 networks, did you
investigate them and their way of communicating with
each other. Can you tell us anything what happened
with the industry in the last year there?
Karsten: Sure, yeah, SS7 is another decades old
technology that was built with a wrong threat model.
Basically everybody who connects to the network
is trusted, but you have to connect to every
other telco in the world to route calls to them,
so there's some disagreement in the threat model.
And people find SS7 vulnerabilites wherever
they look, both in the configuration, stuff like,
you know, the SIM filtering, the SMS filtering,
the same kinds of topics come up in SS7,
where of course you want to block unneeded traffic,
and networks are really bad at that typically.
But also people find implementation bugs on
boxes that are connected to SS7 and those are
really, really hard to research.
The boxes are very expensive, so you can't just
research it in isolation, and everybody who is
running a box like that, will probably put you
in jail if you ever attempted to break them,
if you started to do some fuzz testing on them.
So SS7 unfortunately isn't really prime for open
research. It actually requires what I showed
on the first slide, kind of a co-evolution where
the networks let the hackers in, so that they
then learn what other hackers could have
done to them, and I don't see many networks
to be ready for that yet.
Definitely a topic with lots of low hanging fruit,
but no easy way to research it.
Signal angel: Okay, thank you.
Signal Angel: Should we go on with the second one?
Karsten: Yes
Signal Angel:Has there been any testing using
parallel application only SIM card overlay
to block apps on the primary SIM card
so that's probably a strange question,
but the MuVuCo? project is mentioned here, or
did you investigate any other simple way to block
the Java card bits?
Karsten: So I think I understood the question as,
is there any easy way of putting in another layer
of protection just in front of your SIM card? I guess
we can't ask the person asking the question right?
But if that were the question then the answer is,
of course you can put all kinds of proxy stuff
in between your phone and your SIM card, there's
a nice open source project called SIMtrace,
That then means you carry a little computer next
to your phone whenever you use it and of course
that's impractical, so that would be a forensic tool
perhaps to investigate what people are currently
doing to your SIM card, when you already have
a suspicion that something is going on, but
there's no practical way to get a phone to give
you that level of access, even on android, the part of
the operating system, the system that speaks with
the SIM card is usually more baseband than android
or at the very least a proprietary device driver type.
So I can't think of any usable phone where
you could easily implement a SIM card firewall
for instance, but I'd love to learn about them
if they do exist.
Herald: Okay we take a question from microphone four.
Question: Did you investigate any upstream
vulnerabilities from or to the baseband
or to the average phone OS, so for instance
if you have infiltrated the SIM card can you do
any stuff to an iPhone or something?
Karsten: Good question, and no we haven't and
I wouldn't think that that would be the most
fruitful vector, because the interface between
a SIM card and a phone is pretty defined,
very narrow channel. So I'd think that a phone
baseband is much easier exploited like Ralph did it
a couple of years ago, emulating a network and
sending commands, that interface is much wider
and has many more protocols running that
could potentially be exploit targets.
Good question though, thank you.
Herald: Okay, number three please.
Question: You showed the map broken down by
country, would it make sense to look at smaller
districts or regions, do we have differences
within one country for example the US.
Karsten: That's a good question, and we have
occasionally come across a country where
there's configuration differences in different
parts of the country, like for instance in Germany
right now, two of the network operators are
rolling out A5/3, but they go location by location.
So there's two zones right now, but those are
going away over time because the goal of course is
to implement the security feature everywhere.
There are networks though where they
purchase one part of the country from one vendor
and another part from another vendor, and
where security patches just don't get deployed
everywhere, and we would like to track that
more accurately. Currently it's just averaged.
What we need to track it more accurately is
constant measurements from more places. So
currently what our metric does is try to fairly
combine information from different location
and then average them even though for instance
in Germany, of course Berlin is dominating in
our measurement set, and some other locations
I think, thank you CCC Munich, are contributing
too, but if there were somewhere in
the middle of Germany, some extra security
feature, we would not learn about it for a long time.
You see this route? This is from last years trip from Hamburg
to Berlin, when everybody came to the CCC. laughter
So we are not distinguishing by country yet,
but if the information is ever there to see
a clear border we'll definitely do that.
Herald: Question from number four please.
Question: Yes, I wanted to ask, you showed that
you were simulating a BTS somewhere around
the middle of the talk, and I was wondering where
you using any of the known OpenBTS or OsmoBTS
solutions or anything else?
Luca: It's a patched version of OpenBSC. It's just
a few lines, there is a nice function that triggers
the software to send the SMS on queue for a
user as soon as the user logs in, and as soon as
the user does this I put a lot of SMS's
in the queue, so I can send it.
Karsten: Yeah there are OpenBSC, OpenBTS,
OsmocomBB project, they are an enormous help in
our research, we could have done none of this,
had we had to implement all of this in open source.
So they're very, very useful, and thank you
to everybody who've contributed to them.
Herald: Another question from number four please.
Question: Banks and other organisations love
to send one-time tokens via SMS, from what I
understand the talk, would it be in the range of the
regular criminal to exploit this and steal those tokens?
Karsten: With GSM intercept yes, you can read
other people's SMS when they're A5/1 encrypted,
however you have to be close to them, in a
proximity of let's say two kilometers, and it's probably
unlikely that the person who infected your online
banking credentials, stole them from your infected
computer, is also your neighbour. Those two
groups seem to overlap in locations.
With the SIM card vulnerabilities though,
you can do lots of stuff, you can send SMS,
you can redirect calls, you can steal decryption
keys, the only thing you can't do is read people's
incoming SMS. So banks got lucky there.
Q: Thanks
Herald: We have another question from the internet.
Q: Wouldn't it be easier to just reinvent maybe a more
nerd driven mobile network from scratch, than
to mess around with all this industry stuff
that has piled up for years now?
Karsten: Well, that's interesting, things do not
really pile up as people imagine them, so the
One of the big drivers of the OpenBSC project
I understand was the availability of really cheap
base stations. Why were they available? Because
people threw them away and replaced
them with newer base stations, and they do
that every time they add a new technology.
So when they added 3G they threw away the 2G
base stations, and replaced them with combined
2G/3G base stations, same with 4G now.
So as 4G is being rolled out all over Germany,
everything gets thrown away and
replaced. There isn't so much legacy in terms of
installed boxes, the legacy is more the protocol,
so if you throw away one end of the connection
and not the other you maintain the old protocol,
but then when you throw away the other side,
you again maintain it because it's kind of the logical
legacy. So I don't think there's an easy fix to that.
This is just very high-scalability engineering where
things have to work in extreme corner cases, and I
think all the tools are there for the existing networks
to get fixed, it's just a question of priority. At the
investment that a 4G network costs, a single one,
you can probably make the entire world use
A5/3 and upgrade to secure SIM cards.
So the money is there, it's just a question of
priority that keeps the networks away from
deploying these software patches.
In the end it's single lines of code.
Herald: Ok, we have another question in
the room from microphone number three.
Q: Quick question, for tools that you are offering
can they work with some kind of passive recording
device, for example can you collect data for gsmmap
using the OsmoSDR tools? The ones that use
the simple DVB-tuners to listen to the spectrum.
Harald: Luca, do you know OsmoSDR?
Luca: Yeah, I think that's more focused on being
a BTS than a sniffer device, but I think you can use
it as a sniffer device, it's just that then you need
to process the data in a different way, really the
easiest is to use the Osmocom mobile phone,
and it does this and it's what we use for the
Live-ISO. There are many models actually, so.
Karsten: What would you consider the
advantage of using an OsmoSDR?
Q:It's mostly because it doesn't require a phone
or a SIM card or anything, The question is can it
work passively without being,
without sending anything?
Karsten: Yeah, the phone he just held up,
that captures traffic with no SIM card and
without connecting to a network, it does so passively
by latching on to a cell, passively, just hearing what
is happening on the broadcast channel, and as soon
as the cell starts communicating with another phone
it jumps to that frequency and also listens to
the traffic. So that's already a passive setup.
And the C139 I think is the most available Osmocom
phone, you can still get that for twelve dollars
in China. So I don't think there's any reason to
reimplement that for any other platform if there's
already a twelve dollar solution.
Q: Thank you.
Herald: And we take another question from the internet
Q: Actually some people are complaining that
they have no signal in this room, could that be
caused by you, or is the range not that large?
Karsten: Well, we add choices for signal, we don't
take them away, so this is just an additional BTS.
laughter
Q: Okay, thank you.
Herald: Ok, are there any other questions,
now is the time to ask. If not I ask you again
for a warm round of applause for Karsten and Luca
applause
subtitles created by c3subtitles.de