0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/831 Thanks! 1 00:00:15,470 --> 00:00:17,689 So our first speaker of today 2 00:00:17,690 --> 00:00:19,759 is Dr. Zager Hold 3 00:00:19,760 --> 00:00:20,760 Months. 4 00:00:22,400 --> 00:00:24,439 She has an impressive amount of 5 00:00:24,440 --> 00:00:26,269 publications, actually, ICE stopped 6 00:00:26,270 --> 00:00:28,329 counting at the forty fifth on the list 7 00:00:28,330 --> 00:00:30,139 was going on and on and on. 8 00:00:30,140 --> 00:00:31,140 Pretty impressive. 9 00:00:32,270 --> 00:00:34,409 She also was previously speaker 10 00:00:34,410 --> 00:00:36,229 at many different and other conferences, 11 00:00:36,230 --> 00:00:37,549 including the Black Hat Conference. 12 00:00:39,590 --> 00:00:42,069 And today she's gonna speak about 13 00:00:42,070 --> 00:00:44,659 the SS seven and dynamiter 14 00:00:44,660 --> 00:00:46,729 and the security aspects of both 15 00:00:46,730 --> 00:00:49,170 of these LTE protocols. 16 00:00:50,660 --> 00:00:52,669 The title of her talk is Mobile Data 17 00:00:52,670 --> 00:00:54,409 Interception from the Interconnection 18 00:00:54,410 --> 00:00:55,459 Link. 19 00:00:55,460 --> 00:00:57,119 Please welcome her with a lot of 20 00:00:57,120 --> 00:00:58,120 applause. 21 00:01:05,540 --> 00:01:06,540 Thanks a lot. 22 00:01:07,520 --> 00:01:08,989 I said my dad was sick a whole month, I 23 00:01:08,990 --> 00:01:11,029 work for Nokia but upsets the research 24 00:01:11,030 --> 00:01:13,129 brand of Nokia on 25 00:01:13,130 --> 00:01:15,559 been doing mobile security for 17 26 00:01:15,560 --> 00:01:17,839 years. So everybody of you sitting 27 00:01:17,840 --> 00:01:19,839 here has an LTE phone. 28 00:01:19,840 --> 00:01:22,069 And he enabled phone, has a piece 29 00:01:22,070 --> 00:01:23,799 of Samsung I designed in it. 30 00:01:23,800 --> 00:01:25,430 It's quite nice feeling, actually. 31 00:01:31,780 --> 00:01:34,359 This but this is not only my work. 32 00:01:34,360 --> 00:01:35,919 It's also from my colleague Danny 33 00:01:35,920 --> 00:01:37,989 Eckmann, who works 34 00:01:37,990 --> 00:01:39,819 in our testing department, who sets up 35 00:01:39,820 --> 00:01:41,949 test networks so that we don't crash 36 00:01:41,950 --> 00:01:43,989 accidentally operators networks when we 37 00:01:43,990 --> 00:01:45,519 make an update. 38 00:01:45,520 --> 00:01:47,649 So and actually with 39 00:01:47,650 --> 00:01:49,809 our competitor, CSL McDade from 40 00:01:49,810 --> 00:01:50,799 Adaptive Mobile. 41 00:01:50,800 --> 00:01:52,359 So we have been working closely together 42 00:01:52,360 --> 00:01:53,979 on this one. 43 00:01:53,980 --> 00:01:55,419 I would explain later how that has 44 00:01:55,420 --> 00:01:56,739 happened. 45 00:01:56,740 --> 00:01:58,389 So I will talk about mobile data 46 00:01:58,390 --> 00:02:00,009 interception from the interconnection 47 00:02:00,010 --> 00:02:01,389 link. 48 00:02:01,390 --> 00:02:03,459 And, well, let's 49 00:02:03,460 --> 00:02:05,089 let's start with the practicalities. 50 00:02:05,090 --> 00:02:07,299 So this is something that's 51 00:02:07,300 --> 00:02:09,698 not so visible in public. 52 00:02:09,699 --> 00:02:12,039 Some of you might have been in 2014 53 00:02:12,040 --> 00:02:14,169 here or 2008 meant to be an angle 54 00:02:14,170 --> 00:02:16,380 or cost nor presented their A text. 55 00:02:17,530 --> 00:02:20,199 So for those who have not been there, so 56 00:02:20,200 --> 00:02:22,299 we are here in line to you 57 00:02:22,300 --> 00:02:24,219 are connected now to Vodafone, Deutsche 58 00:02:24,220 --> 00:02:26,379 Telekom or 59 00:02:26,380 --> 00:02:28,959 Telefonica, and 60 00:02:28,960 --> 00:02:30,549 meeting eternities here are 61 00:02:30,550 --> 00:02:31,539 international. 62 00:02:31,540 --> 00:02:33,699 So you will also have people from UK 63 00:02:33,700 --> 00:02:34,959 connected from usually have a 64 00:02:34,960 --> 00:02:37,509 subscription from three firm prongs 65 00:02:37,510 --> 00:02:39,609 from Orange, from the 66 00:02:39,610 --> 00:02:42,369 output from Poland, maybe from plus 67 00:02:42,370 --> 00:02:43,899 or emptiest when they are coming from 68 00:02:43,900 --> 00:02:44,900 Russia. 69 00:02:45,280 --> 00:02:46,809 I'm from Finland. 70 00:02:46,810 --> 00:02:48,639 Well, I live nowadays in Finland. 71 00:02:48,640 --> 00:02:51,789 So my colleagues and families have Elysa 72 00:02:51,790 --> 00:02:54,629 Tahlia, our DNA subscription. 73 00:02:54,630 --> 00:02:56,709 And if there's 74 00:02:56,710 --> 00:02:59,169 a big difference to credit card system, 75 00:02:59,170 --> 00:03:01,539 what the credit card world is one big 76 00:03:01,540 --> 00:03:04,659 mump sort of mother company. 77 00:03:04,660 --> 00:03:06,729 But for telecommunication operators, 78 00:03:06,730 --> 00:03:09,189 these are different legal entities 79 00:03:09,190 --> 00:03:10,509 in different countries. 80 00:03:10,510 --> 00:03:12,279 And still, you can just pop up in their 81 00:03:12,280 --> 00:03:14,409 network, switch your phone on, and you 82 00:03:14,410 --> 00:03:16,719 can get data or 83 00:03:16,720 --> 00:03:18,729 make voice calls or estimates and you're 84 00:03:18,730 --> 00:03:21,849 charged to your home, but it works. 85 00:03:21,850 --> 00:03:23,229 So that's actually something to think 86 00:03:23,230 --> 00:03:24,609 about because that's not happening 87 00:03:24,610 --> 00:03:25,629 automatically. 88 00:03:26,800 --> 00:03:28,719 And the reason why is, is this actually 89 00:03:28,720 --> 00:03:30,609 working is because there's something 90 00:03:30,610 --> 00:03:32,409 called interconnection link 91 00:03:34,000 --> 00:03:35,229 or IP network. 92 00:03:35,230 --> 00:03:36,519 It's not the Internet. 93 00:03:36,520 --> 00:03:39,159 It has touching points with the Internet, 94 00:03:39,160 --> 00:03:41,469 but it's a private, separate network 95 00:03:41,470 --> 00:03:43,959 which enables mobile data, communication 96 00:03:43,960 --> 00:03:47,020 or in general, more telecommunication. 97 00:03:48,840 --> 00:03:51,009 So and actually why this 98 00:03:51,010 --> 00:03:53,639 is such an important network, because 99 00:03:53,640 --> 00:03:55,119 we are all connected to it. 100 00:03:55,120 --> 00:03:57,279 Everybody here has switched on phone, is 101 00:03:57,280 --> 00:03:59,289 connected to it, and not just your 102 00:03:59,290 --> 00:04:00,729 phones. 103 00:04:00,730 --> 00:04:02,619 It's also tablets, which when if they are 104 00:04:02,620 --> 00:04:04,719 cell or enabled, for example, this tablet 105 00:04:04,720 --> 00:04:07,059 with Android, it lets say to AT&T 106 00:04:07,060 --> 00:04:09,579 in Anchorage, there's a connected scale, 107 00:04:09,580 --> 00:04:12,369 let's say, to valorize on in U.S. 108 00:04:12,370 --> 00:04:14,709 or there we have a car which can 109 00:04:14,710 --> 00:04:17,059 connect a car which made from telephone 110 00:04:17,060 --> 00:04:19,419 a car in South America. 111 00:04:19,420 --> 00:04:21,729 And the button you see there, a gas 112 00:04:21,730 --> 00:04:24,369 meter from British Telecom, 113 00:04:24,370 --> 00:04:26,859 which is also Sarovar enabled. 114 00:04:26,860 --> 00:04:29,169 Then we have their fire alarm 115 00:04:29,170 --> 00:04:30,099 from Telstra. 116 00:04:30,100 --> 00:04:31,839 I heard there might need to fire alarm in 117 00:04:31,840 --> 00:04:33,779 case of a burning platform arrive there 118 00:04:33,780 --> 00:04:36,039 at their Shores Hotel or something 119 00:04:36,040 --> 00:04:37,179 like that has arrived. There 120 00:04:38,650 --> 00:04:40,839 are industrial optimization 121 00:04:40,840 --> 00:04:43,059 sort of assembly lines which might have 122 00:04:43,060 --> 00:04:45,139 connectivity, Sello connectivity and, 123 00:04:45,140 --> 00:04:47,019 of course, classical phones. 124 00:04:47,020 --> 00:04:48,459 So you see there are all kinds of 125 00:04:48,460 --> 00:04:50,559 different operating system, all kinds of 126 00:04:50,560 --> 00:04:52,179 different hardware, and they are 127 00:04:52,180 --> 00:04:53,859 connected to a local operator. 128 00:04:53,860 --> 00:04:55,779 And while that they are connected to the 129 00:04:55,780 --> 00:04:57,549 interconnection network so they can be 130 00:04:57,550 --> 00:04:59,919 reached from the interconnection network 131 00:04:59,920 --> 00:05:01,899 in case something arrives for them 132 00:05:04,810 --> 00:05:06,399 to understand the security of 133 00:05:06,400 --> 00:05:08,349 interconnection, we need to go back a 134 00:05:08,350 --> 00:05:09,549 bit. 135 00:05:09,550 --> 00:05:12,069 So 1981 Interconnection 136 00:05:12,070 --> 00:05:14,199 Network was established between four 137 00:05:14,200 --> 00:05:16,159 countries, Nordic countries. 138 00:05:16,160 --> 00:05:18,189 And you see there a beautiful picture of 139 00:05:18,190 --> 00:05:20,679 the Nordic mobile telephony of the Nordic 140 00:05:20,680 --> 00:05:22,809 Nokia Walkman, as we FINSA used 141 00:05:22,810 --> 00:05:23,810 to say. So 142 00:05:25,330 --> 00:05:27,519 it's sort of this size and we wait about 143 00:05:27,520 --> 00:05:28,409 five kg. 144 00:05:28,410 --> 00:05:30,069 So I didn't bring it. 145 00:05:30,070 --> 00:05:32,499 Very beautiful piece of hardware 146 00:05:32,500 --> 00:05:34,419 and it was closed and private network. 147 00:05:34,420 --> 00:05:36,369 So that was the main security feature of 148 00:05:36,370 --> 00:05:38,079 that network. It was close and private 149 00:05:38,080 --> 00:05:39,699 and nobody could get in. 150 00:05:39,700 --> 00:05:40,989 Only the people that know each other. 151 00:05:42,820 --> 00:05:44,319 It was running the signaling system 152 00:05:44,320 --> 00:05:46,299 number seven protocol. 153 00:05:46,300 --> 00:05:47,919 And that was a huge success. 154 00:05:47,920 --> 00:05:49,929 And they extend it and extend it to more 155 00:05:49,930 --> 00:05:52,479 or more operators, a joint lot ference 156 00:05:52,480 --> 00:05:54,009 on Estonia. 157 00:05:54,010 --> 00:05:56,919 And nowadays we have all kinds of 158 00:05:56,920 --> 00:05:58,269 applications using it. 159 00:05:58,270 --> 00:06:00,159 You get your S. M. S reminder for your 160 00:06:00,160 --> 00:06:02,169 dentist or whatever, sort of your banking 161 00:06:02,170 --> 00:06:03,519 tons, whatever. 162 00:06:03,520 --> 00:06:05,889 And now we move towards the LTE Diomedes 163 00:06:05,890 --> 00:06:07,629 protocols. 164 00:06:07,630 --> 00:06:09,729 And so just to 165 00:06:09,730 --> 00:06:11,469 give you an idea, sort of that's how it 166 00:06:11,470 --> 00:06:13,659 started. Probably Finland, 167 00:06:13,660 --> 00:06:15,820 Sweden, Norway, Denmark. 168 00:06:17,170 --> 00:06:18,409 That's how they started. 169 00:06:18,410 --> 00:06:19,959 They probably went together in a sauna, 170 00:06:19,960 --> 00:06:21,669 having some good beer and say, hey, let's 171 00:06:21,670 --> 00:06:23,680 do it. And they managed to do it. 172 00:06:27,040 --> 00:06:29,759 That's how it nowadays looks like. 173 00:06:29,760 --> 00:06:31,709 Sort of more has grown a bit. 174 00:06:31,710 --> 00:06:33,439 So we have. 175 00:06:33,440 --> 00:06:36,119 That's two G and two and a half G. 176 00:06:36,120 --> 00:06:38,239 Then we had 3G with 177 00:06:38,240 --> 00:06:39,849 a 4G. 178 00:06:39,850 --> 00:06:41,699 And now we have all the 5G. 179 00:06:41,700 --> 00:06:44,789 So it has gotten a bit more complex. 180 00:06:44,790 --> 00:06:47,129 So and it's a sort of organically grown 181 00:06:47,130 --> 00:06:48,059 structures. 182 00:06:48,060 --> 00:06:50,279 And the thing is, everything 183 00:06:50,280 --> 00:06:51,899 is connected to everything else. 184 00:06:51,900 --> 00:06:53,969 So you see GSM networks, 185 00:06:53,970 --> 00:06:55,859 really old networks connect to LTE 186 00:06:55,860 --> 00:06:57,749 networks. And the other way round. 187 00:06:57,750 --> 00:06:59,849 So sometimes there are nodes in 188 00:06:59,850 --> 00:07:01,319 the middle, sometimes not. 189 00:07:01,320 --> 00:07:03,629 So it's it's very, very sort 190 00:07:03,630 --> 00:07:04,630 of 191 00:07:05,780 --> 00:07:07,869 in homogeneous to call it that way. 192 00:07:07,870 --> 00:07:08,870 So. 193 00:07:09,930 --> 00:07:12,059 So back to 194 00:07:12,060 --> 00:07:13,259 security. 195 00:07:13,260 --> 00:07:15,839 I mean, the main security feature 196 00:07:15,840 --> 00:07:17,669 of this jungle was that it's closed and 197 00:07:17,670 --> 00:07:19,049 private. 198 00:07:19,050 --> 00:07:21,419 Now, let's revisit this assumption 199 00:07:21,420 --> 00:07:23,609 sort of 35 years later and see what 200 00:07:23,610 --> 00:07:24,610 has happened. 201 00:07:26,120 --> 00:07:27,689 It's so close and private. 202 00:07:29,230 --> 00:07:30,899 I am afraid to say no. 203 00:07:30,900 --> 00:07:33,329 There are different angles 204 00:07:33,330 --> 00:07:35,269 to close and private on the top. 205 00:07:35,270 --> 00:07:37,949 You see, there are three. 206 00:07:37,950 --> 00:07:40,649 I could have chosen any European operator 207 00:07:40,650 --> 00:07:42,479 that's not particularly to three. 208 00:07:42,480 --> 00:07:45,199 It's just in the European Union. 209 00:07:45,200 --> 00:07:47,219 The European Union wanted to encourage 210 00:07:47,220 --> 00:07:49,439 competition so that mobile 211 00:07:49,440 --> 00:07:51,689 virtual network operator have very easy 212 00:07:51,690 --> 00:07:53,609 to establish their business. 213 00:07:53,610 --> 00:07:55,829 So, for example, supermarket 214 00:07:55,830 --> 00:07:57,329 chains are now selling here 215 00:07:57,330 --> 00:08:00,029 subscriptions, for example, in Germany. 216 00:08:00,030 --> 00:08:03,329 So they rent their services 217 00:08:03,330 --> 00:08:05,879 from an traditional 218 00:08:05,880 --> 00:08:07,439 operator. 219 00:08:07,440 --> 00:08:09,659 And all operators in the European 220 00:08:09,660 --> 00:08:11,879 Union are forced to rent 221 00:08:11,880 --> 00:08:13,759 out the services that they have, some 222 00:08:13,760 --> 00:08:16,499 self, which includes roaming 223 00:08:16,500 --> 00:08:18,689 to anybody who has basically come and 224 00:08:18,690 --> 00:08:20,909 ask to and has a proper 225 00:08:20,910 --> 00:08:21,910 business model. 226 00:08:23,560 --> 00:08:24,850 That makes it also very. 227 00:08:26,090 --> 00:08:28,359 All right. Makes it easier for nasty guys 228 00:08:28,360 --> 00:08:30,999 to buy the interconnection access 229 00:08:31,000 --> 00:08:32,000 in the middle. 230 00:08:33,240 --> 00:08:35,529 Their cell phone reports, 231 00:08:35,530 --> 00:08:37,548 cell phone interception. 232 00:08:37,549 --> 00:08:39,759 This is us from the dark net 233 00:08:39,760 --> 00:08:41,649 from a company called Interceptor. 234 00:08:41,650 --> 00:08:43,839 But they have a horrible service, 235 00:08:43,840 --> 00:08:46,209 so I wouldn't recommend that company. 236 00:08:46,210 --> 00:08:47,469 They're not answering to emails or 237 00:08:47,470 --> 00:08:49,719 anything, but they are claiming to rent 238 00:08:49,720 --> 00:08:51,309 out these kind of services. 239 00:08:52,630 --> 00:08:54,759 So the access can also 240 00:08:54,760 --> 00:08:57,039 gain from the darknet by just rent buying 241 00:08:57,040 --> 00:08:59,739 it here on the bottom. 242 00:08:59,740 --> 00:09:02,799 We see screenshot from Shodan. 243 00:09:02,800 --> 00:09:03,949 You see he has this g.g. 244 00:09:03,950 --> 00:09:06,069 Yes. And you might not know which nodes 245 00:09:06,070 --> 00:09:08,199 this is, but I can tell you a 246 00:09:08,200 --> 00:09:10,299 g.g is and has no reason 247 00:09:10,300 --> 00:09:12,399 to be on the Internet. 248 00:09:12,400 --> 00:09:13,400 It shouldn't be there. 249 00:09:14,200 --> 00:09:15,549 I don't know why it is here. 250 00:09:15,550 --> 00:09:17,079 Maybe it's a honey pot, so I don't 251 00:09:17,080 --> 00:09:18,129 suggest to hack that. 252 00:09:18,130 --> 00:09:19,479 So you never know. 253 00:09:19,480 --> 00:09:20,480 But come speck 254 00:09:21,640 --> 00:09:24,100 then we have on the right hand side here. 255 00:09:25,840 --> 00:09:28,209 A GP or s SL 256 00:09:28,210 --> 00:09:31,209 SL is a big operate in India 257 00:09:31,210 --> 00:09:33,489 and they seem to have a GP arrest notes 258 00:09:33,490 --> 00:09:34,490 on the Internet. 259 00:09:36,550 --> 00:09:38,729 The protocol here is s m 260 00:09:38,730 --> 00:09:40,959 m p. That is simple network 261 00:09:40,960 --> 00:09:42,940 management protocol and it's used 262 00:09:44,230 --> 00:09:46,479 and above that you a turn at lock in. 263 00:09:46,480 --> 00:09:48,939 My personal assumption is that somebody 264 00:09:48,940 --> 00:09:51,019 who was on call duty to fix the 265 00:09:51,020 --> 00:09:52,569 network and didn't want to go into 266 00:09:52,570 --> 00:09:54,759 office. So we just set himself 267 00:09:54,760 --> 00:09:56,589 up. This turn at accessibly could easily 268 00:09:56,590 --> 00:09:57,799 configure the stuff from home. 269 00:09:58,900 --> 00:09:59,919 But these things happen. 270 00:09:59,920 --> 00:10:00,920 That's life. 271 00:10:01,630 --> 00:10:03,579 But well, of course, turn that luck in 272 00:10:03,580 --> 00:10:05,349 your throw on a sort of password, Krekar, 273 00:10:05,350 --> 00:10:07,049 and see what you have admin admins or 274 00:10:07,050 --> 00:10:08,050 it's worth a try. 275 00:10:10,390 --> 00:10:11,829 Then there are this map. 276 00:10:11,830 --> 00:10:12,789 It's a bit older. 277 00:10:12,790 --> 00:10:14,379 That's from the WikiLeaks, from the 278 00:10:14,380 --> 00:10:15,789 Snowden leaks. 279 00:10:15,790 --> 00:10:17,440 And it's showing the 280 00:10:18,820 --> 00:10:21,209 countries which the NSA says 281 00:10:21,210 --> 00:10:23,319 they have access to the 282 00:10:23,320 --> 00:10:24,320 phone network. 283 00:10:25,520 --> 00:10:26,949 It's probably no longer up to date. 284 00:10:26,950 --> 00:10:28,539 I think the situation in particular in 285 00:10:28,540 --> 00:10:30,309 Europe has approved substantially since 286 00:10:30,310 --> 00:10:31,310 then. 287 00:10:31,540 --> 00:10:34,119 And on the top, there is an article 288 00:10:34,120 --> 00:10:36,589 from The Intercept where the 289 00:10:36,590 --> 00:10:38,769 DC HQ, basically a British 290 00:10:38,770 --> 00:10:41,089 spy, hacked Belgacom, 291 00:10:41,090 --> 00:10:43,329 but that was he depressed 292 00:10:43,330 --> 00:10:44,330 transport protocol. 293 00:10:45,610 --> 00:10:48,129 So I think it's fair to say that 294 00:10:48,130 --> 00:10:50,229 there are points Veza network 295 00:10:50,230 --> 00:10:52,359 is no longer that close and private. 296 00:10:52,360 --> 00:10:54,809 So hackers 297 00:10:54,810 --> 00:10:57,009 say May just ran to service the 298 00:10:57,010 --> 00:10:59,169 hack their way in 299 00:10:59,170 --> 00:11:01,389 having power in some countries. 300 00:11:01,390 --> 00:11:04,119 The line between government 301 00:11:04,120 --> 00:11:06,219 and telecommunication providers, not 302 00:11:06,220 --> 00:11:08,739 so strict, let's call it that way. 303 00:11:08,740 --> 00:11:10,119 And if the government wants to have 304 00:11:10,120 --> 00:11:11,649 access to just get access. 305 00:11:14,200 --> 00:11:15,909 Of course, there's a classical bribing of 306 00:11:15,910 --> 00:11:18,069 an employee that always works, just 307 00:11:18,070 --> 00:11:19,479 amount of cresson, probably amount of 308 00:11:19,480 --> 00:11:20,529 money. 309 00:11:20,530 --> 00:11:22,629 You can become an operator 310 00:11:22,630 --> 00:11:24,329 or you can do social engineering. 311 00:11:24,330 --> 00:11:25,599 That has also be seen. 312 00:11:25,600 --> 00:11:27,579 But that's a quite rare case, actually. 313 00:11:27,580 --> 00:11:29,679 Social engineering is not so common, but 314 00:11:29,680 --> 00:11:30,680 the other ones are sort of. 315 00:11:31,690 --> 00:11:32,690 More likely. 316 00:11:35,270 --> 00:11:37,699 So let's do a brief recap. 317 00:11:37,700 --> 00:11:39,679 As a seven, that's the old protocol. 318 00:11:40,970 --> 00:11:43,639 And there were attacks. 319 00:11:43,640 --> 00:11:45,379 These are the attacks that exist for the 320 00:11:45,380 --> 00:11:47,449 old signaling system number seven, which 321 00:11:47,450 --> 00:11:49,129 is still most commonly used on the 322 00:11:49,130 --> 00:11:50,179 interconnection link. 323 00:11:51,500 --> 00:11:53,449 We have their location tracking that was 324 00:11:53,450 --> 00:11:55,469 published, I think, in 2008 very course. 325 00:11:55,470 --> 00:11:58,039 Can our clarity by two be us? 326 00:11:58,040 --> 00:12:00,289 Then we have eavesdropping, fraud, 327 00:12:00,290 --> 00:12:02,369 denial of service on the user, 328 00:12:02,370 --> 00:12:04,669 our network credential theft 329 00:12:04,670 --> 00:12:06,829 that are the cryptographic keys that 330 00:12:06,830 --> 00:12:08,509 are stored also on your SIM card that are 331 00:12:08,510 --> 00:12:09,989 used for confidentiality at 332 00:12:09,990 --> 00:12:10,990 authentication 333 00:12:13,700 --> 00:12:15,219 data session hijacking. 334 00:12:15,220 --> 00:12:16,249 But that's not S7. 335 00:12:16,250 --> 00:12:18,709 That's actually GTP protocol 336 00:12:18,710 --> 00:12:20,419 unblocking of stolen phones. 337 00:12:20,420 --> 00:12:22,639 That is an implementation specific 338 00:12:22,640 --> 00:12:24,319 attack. Not from our notes. 339 00:12:24,320 --> 00:12:25,320 I'm happy to say 340 00:12:26,890 --> 00:12:29,149 as a mass interception, 341 00:12:29,150 --> 00:12:31,489 basically, that's pretty risky because 342 00:12:31,490 --> 00:12:34,189 of all the one time password theft, 343 00:12:34,190 --> 00:12:35,690 because nowadays many 344 00:12:36,860 --> 00:12:38,989 password reset systems sent you a one 345 00:12:38,990 --> 00:12:41,329 time code and the attacker 346 00:12:41,330 --> 00:12:43,249 could actually trigger the sending of the 347 00:12:43,250 --> 00:12:45,109 one time code. 348 00:12:45,110 --> 00:12:46,110 So 349 00:12:47,180 --> 00:12:48,379 depending on the. 350 00:12:50,070 --> 00:12:52,199 On the system used, it's more 351 00:12:52,200 --> 00:12:53,419 or less vulnerable to it. 352 00:12:53,420 --> 00:12:55,559 So there are even 353 00:12:55,560 --> 00:12:57,419 on YouTube videos how that works. 354 00:12:57,420 --> 00:12:59,789 So this is basically a situation 355 00:12:59,790 --> 00:13:01,909 for us. A seven just 356 00:13:01,910 --> 00:13:04,229 tax were sort of done by P1 357 00:13:04,230 --> 00:13:06,539 positive technologies 358 00:13:06,540 --> 00:13:08,699 cost nor to be a single. 359 00:13:08,700 --> 00:13:09,809 And these are source of some. 360 00:13:11,210 --> 00:13:12,720 I'm focusing more on 361 00:13:14,430 --> 00:13:16,079 on diameters security. 362 00:13:16,080 --> 00:13:17,999 So that's basically the S7, the old 363 00:13:18,000 --> 00:13:19,000 protocol. 364 00:13:21,230 --> 00:13:23,569 And that's the status of the security 365 00:13:23,570 --> 00:13:24,980 for the IPCC network. 366 00:13:27,110 --> 00:13:28,399 So, yes, the seven are still most 367 00:13:28,400 --> 00:13:30,409 commonly used, but things slowly move 368 00:13:30,410 --> 00:13:31,410 forward. 369 00:13:32,870 --> 00:13:35,449 The communication is sometimes 370 00:13:35,450 --> 00:13:37,519 direct, sometimes intermediate 371 00:13:37,520 --> 00:13:39,289 nodes involve depending. 372 00:13:39,290 --> 00:13:41,629 For example, we are here now in Germany. 373 00:13:41,630 --> 00:13:44,029 I don't think the access to specific 374 00:13:44,030 --> 00:13:46,809 cable from Germany, let's say to Tuvalu. 375 00:13:46,810 --> 00:13:47,840 The Pacific Island. 376 00:13:50,510 --> 00:13:52,309 I think two thousand people living there, 377 00:13:52,310 --> 00:13:54,469 something like that, so but 378 00:13:54,470 --> 00:13:55,630 they have their own operator. 379 00:13:57,470 --> 00:13:59,179 So I don't think they exist. 380 00:13:59,180 --> 00:14:01,399 Explicit cable from here to to 381 00:14:01,400 --> 00:14:03,649 there. So there is probably 382 00:14:03,650 --> 00:14:05,929 some intermediate nodes 383 00:14:05,930 --> 00:14:07,369 involved. If you make a phone call to 384 00:14:07,370 --> 00:14:08,689 Tuvalu. 385 00:14:08,690 --> 00:14:10,729 But some operators also have direct 386 00:14:10,730 --> 00:14:12,769 personal pipes with their most common 387 00:14:12,770 --> 00:14:14,569 partners, for example, in Frankfurt. 388 00:14:14,570 --> 00:14:15,599 Such a big hub. 389 00:14:17,540 --> 00:14:19,489 Also, nowadays, some deploy as a seven 390 00:14:19,490 --> 00:14:20,839 firewalls. I think that was a big 391 00:14:20,840 --> 00:14:22,669 achievement of the presentation done here 392 00:14:22,670 --> 00:14:24,709 in 2014 that really something happened 393 00:14:24,710 --> 00:14:25,710 afterwards. 394 00:14:26,390 --> 00:14:28,669 The first firewall product came up and 395 00:14:28,670 --> 00:14:30,349 auto operators started to deploy it. 396 00:14:30,350 --> 00:14:32,419 So not all have them, 397 00:14:32,420 --> 00:14:34,190 but it's better now. 398 00:14:35,330 --> 00:14:37,069 And but there's no form of transport 399 00:14:37,070 --> 00:14:39,139 security, no IP sex, no tearless, 400 00:14:39,140 --> 00:14:41,059 no details, no MUP security, 401 00:14:42,260 --> 00:14:44,449 no false authentication on containers, 402 00:14:44,450 --> 00:14:46,399 confidentiality, protection and no 403 00:14:46,400 --> 00:14:47,899 integrity. 404 00:14:47,900 --> 00:14:49,100 That's how it is. 405 00:14:51,700 --> 00:14:52,949 No fun, but that's it. 406 00:14:54,400 --> 00:14:56,529 So I meet her new Fonte, 407 00:14:56,530 --> 00:14:58,779 new rule, new protocol, 408 00:14:58,780 --> 00:15:00,549 new game. Everything is better. 409 00:15:00,550 --> 00:15:01,550 Let's see. 410 00:15:03,430 --> 00:15:04,430 Yeah. 411 00:15:04,840 --> 00:15:06,819 All will be better with LTE and diameter. 412 00:15:06,820 --> 00:15:07,820 I've heard that from. 413 00:15:08,980 --> 00:15:11,109 One company I'm not going to say which 414 00:15:11,110 --> 00:15:13,989 company that was, and I say, 415 00:15:13,990 --> 00:15:16,179 well, all 416 00:15:16,180 --> 00:15:17,180 will be different. 417 00:15:17,860 --> 00:15:19,659 We have a different protocol, but it's 418 00:15:19,660 --> 00:15:21,899 doing roughly the same things 419 00:15:21,900 --> 00:15:24,189 as the user. You still move from A 420 00:15:24,190 --> 00:15:25,359 to place B. 421 00:15:25,360 --> 00:15:27,519 You move from one antenna to the next 422 00:15:27,520 --> 00:15:28,449 antenna. 423 00:15:28,450 --> 00:15:30,759 So the logic for hand over 424 00:15:30,760 --> 00:15:33,279 and subscriber profile management 425 00:15:33,280 --> 00:15:34,599 and things like that, they are pretty 426 00:15:34,600 --> 00:15:36,699 similar. They're not exactly the same. 427 00:15:36,700 --> 00:15:38,379 They're pretty similar. 428 00:15:38,380 --> 00:15:40,779 So it's possible that some things 429 00:15:40,780 --> 00:15:42,729 are just sort of converted, let's call it 430 00:15:42,730 --> 00:15:43,730 that way. 431 00:15:45,470 --> 00:15:47,799 ATEX to reality. 432 00:15:47,800 --> 00:15:50,079 I've seen myself some ATEX 433 00:15:50,080 --> 00:15:51,549 quite manically. 434 00:15:51,550 --> 00:15:52,600 I've been doing 435 00:15:53,800 --> 00:15:56,109 Trace's analysis, looking at the traces 436 00:15:56,110 --> 00:15:57,459 and trying to figure out what the heck is 437 00:15:57,460 --> 00:15:58,629 that. 438 00:15:58,630 --> 00:16:00,639 And there's one important question one 439 00:16:00,640 --> 00:16:02,729 needs to sort of why should a check 440 00:16:02,730 --> 00:16:04,959 us top just because we have a different 441 00:16:04,960 --> 00:16:06,039 protocol? 442 00:16:06,040 --> 00:16:07,989 Come on. They make money with it. 443 00:16:07,990 --> 00:16:09,849 That or they are governments, 444 00:16:09,850 --> 00:16:11,439 intelligence communities. 445 00:16:11,440 --> 00:16:12,849 They still have our limits of all. 446 00:16:12,850 --> 00:16:13,899 You can eat data. 447 00:16:13,900 --> 00:16:15,939 Give me all your data. 448 00:16:15,940 --> 00:16:17,079 They track VIPs. 449 00:16:18,760 --> 00:16:20,289 I don't know. And they are these kind of 450 00:16:20,290 --> 00:16:22,479 service companies. 451 00:16:22,480 --> 00:16:24,459 Basically, you have to know that some 452 00:16:24,460 --> 00:16:26,589 governments have their own agencies which 453 00:16:26,590 --> 00:16:27,579 do stuff. 454 00:16:27,580 --> 00:16:29,559 And other governments, they just hire 455 00:16:29,560 --> 00:16:32,049 service companies because it's cheaper, 456 00:16:32,050 --> 00:16:33,579 because the service companies sell to 457 00:16:33,580 --> 00:16:34,679 several governments. 458 00:16:34,680 --> 00:16:36,639 It means I can offer per government the 459 00:16:36,640 --> 00:16:37,640 things cheaper. 460 00:16:38,440 --> 00:16:39,759 Also, governments have budgets. 461 00:16:41,020 --> 00:16:42,519 So there is this kind of service 462 00:16:42,520 --> 00:16:44,679 companies, although they 463 00:16:44,680 --> 00:16:45,680 are just 464 00:16:47,290 --> 00:16:48,879 entities which make money from it. 465 00:16:48,880 --> 00:16:51,069 Fraud and 466 00:16:51,070 --> 00:16:53,259 also military uses a mobile 467 00:16:53,260 --> 00:16:55,539 network data for target localization. 468 00:16:55,540 --> 00:16:57,849 For example, in The Intercept, 469 00:16:57,850 --> 00:16:59,469 it was published that 470 00:17:01,060 --> 00:17:02,769 I think they called it drones papers at 471 00:17:02,770 --> 00:17:05,409 about 70 percent of the 472 00:17:05,410 --> 00:17:08,529 data for target localization 473 00:17:08,530 --> 00:17:10,389 for the drones where they use their drone 474 00:17:10,390 --> 00:17:12,549 strikes comes from mobile telephone 475 00:17:12,550 --> 00:17:14,739 networks, which sort 476 00:17:14,740 --> 00:17:16,899 of I find pretty coming from 477 00:17:16,900 --> 00:17:19,149 telco industry, sort of bit pretty. 478 00:17:19,150 --> 00:17:20,150 This 479 00:17:21,579 --> 00:17:23,169 makes me a bit upset because they weren't 480 00:17:23,170 --> 00:17:24,789 designed for it. 481 00:17:24,790 --> 00:17:26,649 They were designed for user mobility and 482 00:17:26,650 --> 00:17:28,129 making phone calls. 483 00:17:28,130 --> 00:17:29,739 I mean, they're not not a military 484 00:17:29,740 --> 00:17:31,180 weapon, but they are used for it. 485 00:17:33,840 --> 00:17:35,709 Yeah. Even the German Bundeswehr 486 00:17:38,590 --> 00:17:40,779 was observed doing 487 00:17:40,780 --> 00:17:43,249 something with the Afghan phone app. 488 00:17:43,250 --> 00:17:44,250 So. 489 00:17:45,550 --> 00:17:46,550 So. 490 00:17:48,640 --> 00:17:50,099 Attacks are moving forward. 491 00:17:53,710 --> 00:17:55,029 Let's see how this touches this with 492 00:17:55,030 --> 00:17:56,289 diameter. 493 00:17:56,290 --> 00:17:58,449 I'm from research, and when 494 00:17:58,450 --> 00:18:00,249 I started looking into interconnection 495 00:18:00,250 --> 00:18:02,379 attacks, my manager said 496 00:18:02,380 --> 00:18:03,669 S7 is old stuff. 497 00:18:03,670 --> 00:18:04,659 Don't look at it. 498 00:18:04,660 --> 00:18:05,739 Look for what? 499 00:18:05,740 --> 00:18:06,879 Market research. 500 00:18:06,880 --> 00:18:07,899 I look forward. 501 00:18:07,900 --> 00:18:09,429 I study first. Kay Hull with us is the 502 00:18:09,430 --> 00:18:11,049 seven work. And then I look forward 503 00:18:12,810 --> 00:18:14,829 and particularly I looked at the diameter 504 00:18:14,830 --> 00:18:18,159 protocol as the successor of S7 505 00:18:18,160 --> 00:18:20,259 and then 506 00:18:20,260 --> 00:18:21,549 he's looked at sort of where are the 507 00:18:21,550 --> 00:18:23,469 similarities for a text? 508 00:18:23,470 --> 00:18:25,659 And we started basically with 509 00:18:25,660 --> 00:18:26,660 location tracking. 510 00:18:27,970 --> 00:18:29,589 And that's sort of relatively easily 511 00:18:29,590 --> 00:18:30,590 done. 512 00:18:31,330 --> 00:18:33,129 Then you have downgrading a text that 513 00:18:33,130 --> 00:18:34,729 basically because, as I said, they are 514 00:18:34,730 --> 00:18:36,639 old networks and new networks and they 515 00:18:36,640 --> 00:18:38,289 have to talk to each other. 516 00:18:38,290 --> 00:18:40,389 So basically, the attack comes just 517 00:18:40,390 --> 00:18:41,909 to, hey, I'm an old network. 518 00:18:41,910 --> 00:18:43,299 I only speak as a seven. 519 00:18:43,300 --> 00:18:45,219 Can you please translate the stuff for 520 00:18:45,220 --> 00:18:46,239 me? And actually, then there are 521 00:18:46,240 --> 00:18:48,719 translation boxes which translate 522 00:18:48,720 --> 00:18:50,619 the whole the tech enjoys a new protocol. 523 00:18:50,620 --> 00:18:51,949 Very convenient for an attack. 524 00:18:51,950 --> 00:18:53,229 So the attacker doesn't even have to 525 00:18:53,230 --> 00:18:54,669 learn the new protocol. 526 00:18:54,670 --> 00:18:55,670 It just can. 527 00:18:57,370 --> 00:18:59,769 It's very nice if you have a translator. 528 00:18:59,770 --> 00:19:01,209 I hope I don't speak too fast for the 529 00:19:01,210 --> 00:19:02,210 translators. 530 00:19:03,910 --> 00:19:05,769 Then we have denial of service attacks 531 00:19:05,770 --> 00:19:08,199 and fraud, denial of service attacks also 532 00:19:08,200 --> 00:19:11,469 in that sense. Very easy, because 533 00:19:11,470 --> 00:19:13,329 denial of service attack, the attacker 534 00:19:13,330 --> 00:19:14,650 can just push. 535 00:19:17,210 --> 00:19:19,279 The attack to its networks, 536 00:19:19,280 --> 00:19:21,759 and he doesn't care if the answer message 537 00:19:21,760 --> 00:19:24,109 is correctly, wrote it so he can spoof 538 00:19:24,110 --> 00:19:26,209 the origin, he can use the origin 539 00:19:26,210 --> 00:19:28,459 of a partner because he can just push 540 00:19:28,460 --> 00:19:29,869 the message and doesn't care and just 541 00:19:29,870 --> 00:19:31,399 cease, OK, things go down. 542 00:19:31,400 --> 00:19:32,400 What? 543 00:19:33,290 --> 00:19:35,420 So a denial of service attacks are very 544 00:19:36,530 --> 00:19:38,989 easy in that sense that you can spoof 545 00:19:38,990 --> 00:19:41,119 these sources as a mess. 546 00:19:41,120 --> 00:19:43,309 And one time password interception 547 00:19:43,310 --> 00:19:45,469 is very sad because of 548 00:19:45,470 --> 00:19:47,469 this kind of password usage. 549 00:19:47,470 --> 00:19:49,549 And some mess was just a few bit bits 550 00:19:49,550 --> 00:19:51,049 of space in the protocol that way. 551 00:19:51,050 --> 00:19:52,969 So somebody said, OK, let's use it for 552 00:19:52,970 --> 00:19:54,319 texting. 553 00:19:54,320 --> 00:19:56,569 And it was never designed for security. 554 00:19:56,570 --> 00:19:58,200 And yeah, well, there we go. 555 00:19:59,240 --> 00:20:01,009 And then we have subscriber profile 556 00:20:01,010 --> 00:20:01,809 modifications. 557 00:20:01,810 --> 00:20:05,299 So the subscriber profile is basically 558 00:20:05,300 --> 00:20:07,399 an entry in a database in the main 559 00:20:07,400 --> 00:20:09,469 database of the operator, which says 560 00:20:09,470 --> 00:20:11,749 if you have prepaid postpaid, 561 00:20:11,750 --> 00:20:14,389 if you press, if you're allowed to roam, 562 00:20:14,390 --> 00:20:15,649 what's your phone number? 563 00:20:15,650 --> 00:20:17,339 What's your identity? And so on. 564 00:20:17,340 --> 00:20:19,639 So that if you meddle with that, you can 565 00:20:19,640 --> 00:20:21,679 imagine that it can cost quite some 566 00:20:21,680 --> 00:20:22,680 hiccup. 567 00:20:24,570 --> 00:20:26,849 Then there was by positive 568 00:20:26,850 --> 00:20:27,850 technology 569 00:20:29,070 --> 00:20:31,409 on denial-of-service and easy retrieval 570 00:20:31,410 --> 00:20:33,799 and also at the Black Hat. 571 00:20:33,800 --> 00:20:36,349 Hendrickx and Danielle presented 572 00:20:36,350 --> 00:20:38,579 Denial-of-service. I think it had 573 00:20:38,580 --> 00:20:40,349 Donya present because Hendrickx etiquette 574 00:20:40,350 --> 00:20:41,350 in a car accident. 575 00:20:42,720 --> 00:20:44,339 But he's OK. 576 00:20:44,340 --> 00:20:46,139 And now we are presenting basically data 577 00:20:46,140 --> 00:20:47,909 interception for G.P.S. 578 00:20:47,910 --> 00:20:50,609 and ETTY. Just as a reminder, 579 00:20:50,610 --> 00:20:52,739 there are usually some restrictions when 580 00:20:52,740 --> 00:20:54,669 things work and when they not work. 581 00:20:54,670 --> 00:20:55,670 So. 582 00:20:56,680 --> 00:20:58,689 So that's important, not all the networks 583 00:20:58,690 --> 00:21:00,159 are vulnerable. It's very important to 584 00:21:00,160 --> 00:21:02,259 understand. So 585 00:21:02,260 --> 00:21:04,839 to the talk now to data interception, 586 00:21:06,310 --> 00:21:08,619 and I'm afraid I have to give you a very 587 00:21:08,620 --> 00:21:11,589 tiny crash course 588 00:21:11,590 --> 00:21:13,529 for LTE networks, but I keep it really to 589 00:21:13,530 --> 00:21:14,530 a sort of 590 00:21:15,970 --> 00:21:17,799 acceptable level that causes me. 591 00:21:17,800 --> 00:21:19,979 So the background, as I said, this first 592 00:21:19,980 --> 00:21:21,639 time together with one of our 593 00:21:21,640 --> 00:21:24,189 competitors, Adaptive Mobile 594 00:21:24,190 --> 00:21:26,349 and the GSM AC operator 595 00:21:26,350 --> 00:21:28,599 organization, which enables basically 596 00:21:28,600 --> 00:21:29,600 roaming. 597 00:21:30,550 --> 00:21:32,499 Well, we also have a security group that 598 00:21:32,500 --> 00:21:34,629 we discuss the security and what we 599 00:21:34,630 --> 00:21:36,939 can do to improve it and so on. 600 00:21:36,940 --> 00:21:39,189 And adoptive mother reported on AGP 601 00:21:39,190 --> 00:21:40,909 arrest, traffic interception, a text that 602 00:21:40,910 --> 00:21:42,190 I saw in Life Network. 603 00:21:43,570 --> 00:21:45,729 And then I was at the same time I 604 00:21:45,730 --> 00:21:47,139 was working with some colleagues on 605 00:21:47,140 --> 00:21:49,359 subscriber profile modification using 606 00:21:49,360 --> 00:21:50,829 the diameter protocol. 607 00:21:50,830 --> 00:21:51,789 And let me discuss it. 608 00:21:51,790 --> 00:21:53,559 I was thinking, hey, we could combine 609 00:21:53,560 --> 00:21:55,739 those text the ideas of those texts. 610 00:21:56,830 --> 00:21:59,229 And so 611 00:21:59,230 --> 00:22:00,729 and get the potential data interception 612 00:22:00,730 --> 00:22:02,649 for LTE. So we but we weren't hundred 613 00:22:02,650 --> 00:22:04,809 percent sure about the constraints, 614 00:22:04,810 --> 00:22:07,239 but was clear for us from the beginning 615 00:22:07,240 --> 00:22:08,799 that there are probably some constraints, 616 00:22:08,800 --> 00:22:09,789 that it only works in some 617 00:22:09,790 --> 00:22:11,049 configurations. 618 00:22:11,050 --> 00:22:13,179 So what I did then I called my colleague 619 00:22:13,180 --> 00:22:15,549 Jenny because we have a test 620 00:22:15,550 --> 00:22:17,689 network as a big network or 621 00:22:17,690 --> 00:22:18,690 never a company. 622 00:22:21,520 --> 00:22:23,619 We roll out updates for the 623 00:22:23,620 --> 00:22:25,930 operators and 624 00:22:27,060 --> 00:22:29,289 as updates have a tendency sometimes 625 00:22:29,290 --> 00:22:30,639 to screw up things. 626 00:22:30,640 --> 00:22:32,889 We have a test network where we basically 627 00:22:32,890 --> 00:22:35,409 copy the exact network of the operator, 628 00:22:35,410 --> 00:22:37,209 where we go to roll out the software 629 00:22:38,260 --> 00:22:41,199 and we also copy the configurations. 630 00:22:41,200 --> 00:22:43,269 So Yenny knew the configurations. 631 00:22:43,270 --> 00:22:45,249 So what are typical configurations and so 632 00:22:45,250 --> 00:22:46,359 on. 633 00:22:46,360 --> 00:22:48,519 And then we also tested those 634 00:22:48,520 --> 00:22:49,520 attacks. 635 00:22:50,980 --> 00:22:52,689 So and there we sort of figured out what 636 00:22:52,690 --> 00:22:54,819 are the constraints so that these attacks 637 00:22:54,820 --> 00:22:55,820 could work. 638 00:22:57,050 --> 00:22:58,050 So. 639 00:22:59,680 --> 00:23:01,079 GPA, is that basically 640 00:23:02,520 --> 00:23:03,719 how it worked? 641 00:23:03,720 --> 00:23:05,909 That's the attacker was modifying 642 00:23:05,910 --> 00:23:08,829 in the Astreus in the 643 00:23:08,830 --> 00:23:11,279 law saying sort of to the home network, 644 00:23:11,280 --> 00:23:13,409 please check if there's a new 645 00:23:13,410 --> 00:23:14,549 access point network. 646 00:23:15,810 --> 00:23:17,579 And when the user then requests a 647 00:23:17,580 --> 00:23:18,849 session, what then happens? 648 00:23:18,850 --> 00:23:21,199 Said This gray cloud there 649 00:23:21,200 --> 00:23:23,129 connects to the attacker and asks for the 650 00:23:23,130 --> 00:23:24,629 access point. 651 00:23:24,630 --> 00:23:26,339 It gets us back and then the user 652 00:23:26,340 --> 00:23:28,259 connects to the access point provided. 653 00:23:28,260 --> 00:23:30,119 So that's the basic idea. 654 00:23:30,120 --> 00:23:31,469 You don't need to understand all the 655 00:23:31,470 --> 00:23:33,659 detailed command codes. 656 00:23:33,660 --> 00:23:34,890 But that's what's the idea. 657 00:23:36,060 --> 00:23:38,699 So now the crash course in 658 00:23:38,700 --> 00:23:40,379 mobile networks. 659 00:23:40,380 --> 00:23:42,089 So that's you? 660 00:23:43,560 --> 00:23:45,539 Well, you are behind that phone, but 661 00:23:45,540 --> 00:23:47,429 somewhere there you connect to an 662 00:23:47,430 --> 00:23:49,739 operator on Tanah Radio Access 663 00:23:49,740 --> 00:23:51,149 Network. 664 00:23:51,150 --> 00:23:52,199 OK. You. 665 00:23:52,200 --> 00:23:54,749 You have friends and you have gadgets. 666 00:23:54,750 --> 00:23:56,130 These are your friends and gadgets. 667 00:23:58,160 --> 00:24:00,549 OK, you move from, 668 00:24:00,550 --> 00:24:02,769 let's say, to from one antenna area 669 00:24:02,770 --> 00:24:04,119 to another antenna area. 670 00:24:04,120 --> 00:24:06,069 So you need somebody to takes care of 671 00:24:06,070 --> 00:24:08,409 your mobility. 672 00:24:08,410 --> 00:24:09,789 You don't need to remember the whole 673 00:24:09,790 --> 00:24:11,319 abbreviation. Just remember. 674 00:24:11,320 --> 00:24:12,369 And like mobility. 675 00:24:12,370 --> 00:24:14,409 So this guy is basically taking care that 676 00:24:14,410 --> 00:24:16,179 you're tracking your mobility where you 677 00:24:16,180 --> 00:24:17,109 move. And so on. 678 00:24:17,110 --> 00:24:19,390 So it's a mobility management entity. 679 00:24:22,660 --> 00:24:24,339 Then we have a database 680 00:24:25,360 --> 00:24:28,389 where it's 681 00:24:28,390 --> 00:24:30,549 stored pre-paid postpaid, all the 682 00:24:30,550 --> 00:24:32,979 digital details and the application 683 00:24:32,980 --> 00:24:34,839 server, the application server you need 684 00:24:34,840 --> 00:24:36,639 when you want to make voice over LTE 685 00:24:36,640 --> 00:24:37,640 calls. 686 00:24:40,350 --> 00:24:42,479 And he has a database where your 687 00:24:42,480 --> 00:24:44,229 subscriber, DHS. 688 00:24:44,230 --> 00:24:46,919 S I put their DHS 689 00:24:46,920 --> 00:24:49,019 s because if that thing is down, then 690 00:24:49,020 --> 00:24:51,179 the whole network is down. 691 00:24:51,180 --> 00:24:52,799 That's the most important box in an 692 00:24:52,800 --> 00:24:54,089 operating network. 693 00:24:54,090 --> 00:24:56,369 The enemy, they are several of them, and 694 00:24:56,370 --> 00:24:58,109 they are so for regional level. 695 00:24:58,110 --> 00:25:00,209 So if an amendment goes down, some region 696 00:25:00,210 --> 00:25:01,449 is affected. But if the H. 697 00:25:01,450 --> 00:25:03,329 S goes down, the whole network is dead. 698 00:25:05,420 --> 00:25:07,369 Meaning that the operator has no income 699 00:25:07,370 --> 00:25:08,389 and he's pretty upset. 700 00:25:12,270 --> 00:25:14,729 Yet the network has a edge. 701 00:25:14,730 --> 00:25:16,439 That s diameter. 702 00:25:16,440 --> 00:25:18,739 Note Lucy used them also. 703 00:25:19,910 --> 00:25:22,159 And then the other operator said, look, 704 00:25:22,160 --> 00:25:23,089 basically the same. 705 00:25:23,090 --> 00:25:24,829 So we make his's assumption that we have 706 00:25:24,830 --> 00:25:26,939 to LTE networks talking to each other. 707 00:25:26,940 --> 00:25:28,729 We are not going on all the inter working 708 00:25:28,730 --> 00:25:29,709 cases with Jeffs. 709 00:25:29,710 --> 00:25:30,889 It is a man whatsoever. 710 00:25:30,890 --> 00:25:32,359 So let's keep it easy. 711 00:25:33,380 --> 00:25:34,609 That's the easy Worsham, believe me. 712 00:25:35,990 --> 00:25:38,119 So as I 713 00:25:38,120 --> 00:25:40,099 explained with the two value exampled, 714 00:25:40,100 --> 00:25:42,139 those two network might have a direct 715 00:25:42,140 --> 00:25:43,849 cable, let's say, if they are sort of 716 00:25:43,850 --> 00:25:45,919 sitting very close to each other. 717 00:25:45,920 --> 00:25:48,169 But there might also be one or 718 00:25:48,170 --> 00:25:49,929 more of the interconnection providers 719 00:25:49,930 --> 00:25:50,930 sitting in between. 720 00:25:52,690 --> 00:25:55,119 So now we have all the hardware together. 721 00:25:55,120 --> 00:25:57,309 And then their interfaces, 722 00:25:57,310 --> 00:25:58,310 as they're called. 723 00:25:59,200 --> 00:26:01,419 So we have the most important and most 724 00:26:01,420 --> 00:26:03,909 busy interfaces, the S6 interface. 725 00:26:03,910 --> 00:26:05,289 That's between the mobility and the 726 00:26:05,290 --> 00:26:06,369 database, because 727 00:26:10,490 --> 00:26:12,909 the mobility node needs to know what 728 00:26:12,910 --> 00:26:15,549 law to grant to you, what kind of 729 00:26:15,550 --> 00:26:17,169 network connectivity you're allowed. 730 00:26:17,170 --> 00:26:18,999 Are you allowed to use LTE? 731 00:26:19,000 --> 00:26:21,489 You're not allowed to use LTE. 732 00:26:21,490 --> 00:26:22,779 What are your constraints? 733 00:26:22,780 --> 00:26:24,189 What are your credentials? 734 00:26:24,190 --> 00:26:26,379 And so on. So that's a lot of data 735 00:26:26,380 --> 00:26:27,380 traffic on that one. 736 00:26:28,450 --> 00:26:29,809 And then there are C. 737 00:26:29,810 --> 00:26:32,199 S H interface, which is usually internal. 738 00:26:32,200 --> 00:26:33,200 But I come to that. 739 00:26:35,120 --> 00:26:36,919 And of course, you also have that 740 00:26:36,920 --> 00:26:38,659 enrollment case, so when you are, let's 741 00:26:38,660 --> 00:26:40,759 say, here now and have 742 00:26:40,760 --> 00:26:41,959 subscription from. 743 00:26:43,580 --> 00:26:45,109 If you have a subscription, let's say 744 00:26:45,110 --> 00:26:46,220 from Germany 745 00:26:47,300 --> 00:26:49,729 and you are then connected to an MMD, 746 00:26:49,730 --> 00:26:51,020 let's say in France, 747 00:26:52,190 --> 00:26:54,289 then the SSX A will be used, for 748 00:26:54,290 --> 00:26:55,879 example, to fetch your cryptographic 749 00:26:55,880 --> 00:26:57,139 credentials to provide you 750 00:26:57,140 --> 00:26:58,069 confidentiality. 751 00:26:58,070 --> 00:27:00,289 Also, while you are traveling in France 752 00:27:00,290 --> 00:27:01,879 somewhere, the French network needs to 753 00:27:01,880 --> 00:27:03,919 get your cryptographic keys so that they 754 00:27:03,920 --> 00:27:05,449 can protect your communication on the 755 00:27:05,450 --> 00:27:07,769 interface, the 756 00:27:07,770 --> 00:27:10,279 S.H. interface in some scenarios, 757 00:27:10,280 --> 00:27:11,679 some configuration scenarios. 758 00:27:12,830 --> 00:27:14,599 It might also go over the interconnection 759 00:27:14,600 --> 00:27:15,949 link and I would come back with it. 760 00:27:15,950 --> 00:27:16,950 So. 761 00:27:20,500 --> 00:27:23,109 Country generation vulnerabilities, 762 00:27:23,110 --> 00:27:25,179 settings that are not uncommon 763 00:27:25,180 --> 00:27:26,349 and have been observed. 764 00:27:26,350 --> 00:27:28,219 The price pressure on the mobile network 765 00:27:28,220 --> 00:27:30,789 markets, it's pretty tough. 766 00:27:30,790 --> 00:27:32,769 And so what they do. 767 00:27:32,770 --> 00:27:35,259 Operators which make they use 768 00:27:35,260 --> 00:27:37,839 equipment for different purposes 769 00:27:37,840 --> 00:27:39,909 and the opening up interface and 770 00:27:39,910 --> 00:27:42,039 so on. And one typical scenario is if you 771 00:27:42,040 --> 00:27:43,789 have a big operator which has 772 00:27:45,310 --> 00:27:47,969 subsidiaries in many countries, 773 00:27:47,970 --> 00:27:50,169 they buy first one box. 774 00:27:50,170 --> 00:27:52,539 They place it in one country 775 00:27:52,540 --> 00:27:54,699 and then they use it from all countries. 776 00:27:56,350 --> 00:27:58,419 Just to see if the service flies, if they 777 00:27:58,420 --> 00:28:00,899 use a lot likes it and so on, 778 00:28:00,900 --> 00:28:02,559 and then if it's running well, it's sort 779 00:28:02,560 --> 00:28:04,659 of also deployed in us on networks. 780 00:28:04,660 --> 00:28:06,339 Makes sense business wise. 781 00:28:06,340 --> 00:28:08,649 That makes perfect sense. 782 00:28:08,650 --> 00:28:10,839 If it doesn't fly, he can just swap one 783 00:28:10,840 --> 00:28:13,299 server and the investment was not so big. 784 00:28:13,300 --> 00:28:15,369 So. But that also means that 785 00:28:15,370 --> 00:28:17,469 they open up the link to the server 786 00:28:17,470 --> 00:28:18,609 over the interconnection link. 787 00:28:20,380 --> 00:28:21,819 That has been seen for application 788 00:28:21,820 --> 00:28:22,820 servers. 789 00:28:23,980 --> 00:28:26,169 And similar, there's the problem 790 00:28:26,170 --> 00:28:27,460 of the DNS resolution. 791 00:28:29,890 --> 00:28:31,869 Of course, it's cheaper to have one box 792 00:28:31,870 --> 00:28:33,039 instead of two boxes. 793 00:28:33,040 --> 00:28:35,289 So we have internal traffic, which is for 794 00:28:35,290 --> 00:28:37,539 the core network internal. 795 00:28:37,540 --> 00:28:39,459 And when we have external traffic like 796 00:28:39,460 --> 00:28:41,140 Internet traffic, DNS resolution, 797 00:28:42,190 --> 00:28:43,899 and some operators just put it on the 798 00:28:43,900 --> 00:28:46,239 same note because it's cheaper. 799 00:28:46,240 --> 00:28:47,240 Yeah. 800 00:28:49,030 --> 00:28:50,289 Also, actually, that's not the 801 00:28:50,290 --> 00:28:51,939 configuration venerability. 802 00:28:51,940 --> 00:28:54,189 But I thought 803 00:28:54,190 --> 00:28:56,009 I mentioned that anyway. 804 00:28:56,010 --> 00:28:57,659 There's the assumption that the attackers 805 00:28:57,660 --> 00:28:59,779 are able to set up any IPCA 806 00:28:59,780 --> 00:29:01,779 IPN. So that's more an assumption. 807 00:29:01,780 --> 00:29:02,780 The attacker. 808 00:29:03,460 --> 00:29:05,169 The attacks that I'm going to present has 809 00:29:05,170 --> 00:29:06,170 several steps. 810 00:29:07,680 --> 00:29:10,049 Step one, classical data acquisition. 811 00:29:11,640 --> 00:29:13,949 This can be quite sort of done 812 00:29:13,950 --> 00:29:15,449 well before it can be done half a year 813 00:29:15,450 --> 00:29:16,979 before you don't need to do it directly 814 00:29:16,980 --> 00:29:18,029 beforehand. 815 00:29:18,030 --> 00:29:19,709 So you can do it just before. 816 00:29:19,710 --> 00:29:21,989 Can do it now and then 817 00:29:21,990 --> 00:29:24,619 do it. And the attack half a year later 818 00:29:24,620 --> 00:29:25,620 is the easy. 819 00:29:27,850 --> 00:29:29,709 You know each other by phone numbers. 820 00:29:29,710 --> 00:29:31,109 But the emcee is he 821 00:29:32,460 --> 00:29:34,899 is a subs bribe identity 822 00:29:34,900 --> 00:29:36,879 that's used by the telephone network. 823 00:29:36,880 --> 00:29:39,069 So the phone network usually doesn't use 824 00:29:39,070 --> 00:29:40,799 you emphasized in your phone number. 825 00:29:40,800 --> 00:29:42,879 You seem easy for the messages, 826 00:29:42,880 --> 00:29:44,979 certain techniques, easy to get 827 00:29:44,980 --> 00:29:45,980 things running. 828 00:29:48,410 --> 00:29:50,629 So be focus 829 00:29:50,630 --> 00:29:52,489 on the SAHD, the face. 830 00:29:52,490 --> 00:29:53,749 There's something called user data 831 00:29:53,750 --> 00:29:55,929 request that you ask, gives 832 00:29:55,930 --> 00:29:58,219 you a profile back and the profile 833 00:29:58,220 --> 00:30:00,469 contains Amesys Impey, the whole 834 00:30:00,470 --> 00:30:02,279 subscriber profile, all the details the 835 00:30:02,280 --> 00:30:03,589 attacker needs. 836 00:30:03,590 --> 00:30:04,579 Easy. 837 00:30:04,580 --> 00:30:05,869 It's a standard feature. 838 00:30:07,190 --> 00:30:08,670 It just requires a T. 839 00:30:10,650 --> 00:30:13,099 The attacker impersonates 840 00:30:13,100 --> 00:30:14,809 an application and that's hardly how it 841 00:30:14,810 --> 00:30:16,789 looks like on Wireshark. 842 00:30:16,790 --> 00:30:19,160 So just for information, 843 00:30:20,210 --> 00:30:21,419 I'm not going through the details of the 844 00:30:21,420 --> 00:30:24,049 Wireshark kadota in case 845 00:30:24,050 --> 00:30:25,050 the 846 00:30:26,450 --> 00:30:28,489 the S.H. 847 00:30:28,490 --> 00:30:30,199 interface not open, because also you'll 848 00:30:30,200 --> 00:30:32,269 see a sexy interface, 849 00:30:32,270 --> 00:30:34,429 but not many operates actually using that 850 00:30:34,430 --> 00:30:36,919 one either. So the attacker has a choice 851 00:30:36,920 --> 00:30:39,949 of of 852 00:30:39,950 --> 00:30:41,149 attack possibilities. 853 00:30:41,150 --> 00:30:43,519 And actually, this attack works the same 854 00:30:43,520 --> 00:30:44,689 way for us as seven. 855 00:30:44,690 --> 00:30:46,669 So the attacker might also do basically 856 00:30:46,670 --> 00:30:47,930 the same stuff in 857 00:30:49,250 --> 00:30:50,419 an S7. 858 00:30:50,420 --> 00:30:52,489 So I presented this the detail of 859 00:30:52,490 --> 00:30:53,589 that in Paris. 860 00:30:53,590 --> 00:30:55,609 Some then may. 861 00:30:55,610 --> 00:30:57,109 And also the attacker could do other 862 00:30:57,110 --> 00:30:59,089 things as six a. 863 00:30:59,090 --> 00:31:01,340 But they also already need the easy 864 00:31:02,990 --> 00:31:05,119 it can make an update location request. 865 00:31:05,120 --> 00:31:07,609 This is a most common message 866 00:31:07,610 --> 00:31:08,869 in the over the interconnection 867 00:31:10,430 --> 00:31:12,519 that you basically 868 00:31:12,520 --> 00:31:14,449 put synchronization purposes. 869 00:31:14,450 --> 00:31:16,119 You impersonate an enemy and say, please 870 00:31:16,120 --> 00:31:17,359 let me subscribe profile. 871 00:31:17,360 --> 00:31:18,529 I need an update. 872 00:31:18,530 --> 00:31:20,749 Well, the network is so nice 873 00:31:20,750 --> 00:31:22,369 and this is all possible because there's 874 00:31:22,370 --> 00:31:24,529 no source of education. 875 00:31:24,530 --> 00:31:27,959 Other way to get to Amesys than this 876 00:31:27,960 --> 00:31:28,679 is a mess. 877 00:31:28,680 --> 00:31:30,980 ATEC is, for example, that you 878 00:31:32,840 --> 00:31:34,909 set up a false base station or a 879 00:31:34,910 --> 00:31:37,379 wireless LAN access point and one aim. 880 00:31:37,380 --> 00:31:38,929 Okay, I need to speed up a bit. 881 00:31:38,930 --> 00:31:40,189 Sorry. 882 00:31:40,190 --> 00:31:42,349 So HPN placing 883 00:31:42,350 --> 00:31:44,089 the tech works at your place and 884 00:31:44,090 --> 00:31:46,219 subscriber profile your 885 00:31:46,220 --> 00:31:49,519 fake bad IP it HPN. 886 00:31:49,520 --> 00:31:50,839 And then the user connects to it. 887 00:31:50,840 --> 00:31:51,949 That's the basic idea. 888 00:31:51,950 --> 00:31:54,109 So how to get the API in 889 00:31:54,110 --> 00:31:56,179 there. One way is again 890 00:31:56,180 --> 00:31:58,549 using S.H. interface profile 891 00:31:58,550 --> 00:32:00,859 update request system network nodes 892 00:32:00,860 --> 00:32:03,529 synchronize which each other. 893 00:32:03,530 --> 00:32:05,089 And there is a message called profit 894 00:32:05,090 --> 00:32:06,769 update request. 895 00:32:06,770 --> 00:32:09,169 And with that you can update 896 00:32:09,170 --> 00:32:10,939 the API. And in that case. 897 00:32:10,940 --> 00:32:12,709 So because you know from the previous 898 00:32:12,710 --> 00:32:14,929 step how the subscriber profile looks 899 00:32:14,930 --> 00:32:16,629 like that, you can update it because you 900 00:32:16,630 --> 00:32:18,469 know how. Looks like you just changed 901 00:32:18,470 --> 00:32:19,439 some values. 902 00:32:19,440 --> 00:32:20,630 Tiny B Billu 903 00:32:23,150 --> 00:32:25,099 API details. 904 00:32:25,100 --> 00:32:27,739 Let me say you can change the 905 00:32:27,740 --> 00:32:29,969 AP ns for GP arrest or 906 00:32:29,970 --> 00:32:33,319 all four of packet core UPC. 907 00:32:33,320 --> 00:32:34,609 That's how this kind of 908 00:32:36,620 --> 00:32:38,450 update looks like in Wireshark. 909 00:32:40,990 --> 00:32:43,299 And also, you can you'll see a 910 00:32:43,300 --> 00:32:45,339 a interface which is a bit bothersome 911 00:32:45,340 --> 00:32:46,779 because you cannot stop the S.H. 912 00:32:46,780 --> 00:32:47,259 interface. 913 00:32:47,260 --> 00:32:49,719 But a six eight interface, 914 00:32:49,720 --> 00:32:51,849 you can that's a soft little 915 00:32:51,850 --> 00:32:52,749 trick. 916 00:32:52,750 --> 00:32:54,520 If the edges s has reset, 917 00:32:55,630 --> 00:32:56,630 then. 918 00:32:57,580 --> 00:33:00,189 To avoid that, somebody needs to manually 919 00:33:00,190 --> 00:33:02,259 all update all access points network 920 00:33:02,260 --> 00:33:03,789 after a process, reset 921 00:33:05,800 --> 00:33:07,959 it. Basically the m m e 922 00:33:07,960 --> 00:33:10,149 Kent's updated 923 00:33:10,150 --> 00:33:11,170 the HPN data 924 00:33:12,760 --> 00:33:14,259 so that they should only do that after a 925 00:33:14,260 --> 00:33:16,359 reset. So there's a logic behind 926 00:33:16,360 --> 00:33:18,009 that, how you could detect this kind of 927 00:33:18,010 --> 00:33:19,010 attack. 928 00:33:22,460 --> 00:33:24,469 So this is all too possible. 929 00:33:24,470 --> 00:33:25,939 So the attack is actually a set of 930 00:33:25,940 --> 00:33:26,940 possibilities. 931 00:33:28,640 --> 00:33:31,069 And also, you can update the subscriber 932 00:33:31,070 --> 00:33:33,469 profile in DMM, either to mobility 933 00:33:33,470 --> 00:33:34,470 note. 934 00:33:36,120 --> 00:33:38,249 So there are several points where you 935 00:33:38,250 --> 00:33:40,679 can update the profile and then the user 936 00:33:40,680 --> 00:33:42,359 connects. 937 00:33:42,360 --> 00:33:44,189 So how does that happen? 938 00:33:44,190 --> 00:33:46,379 So user 939 00:33:46,380 --> 00:33:47,839 connects, that's a new easier to use 940 00:33:47,840 --> 00:33:50,429 equipment. The three P terminal G. 941 00:33:50,430 --> 00:33:51,779 It attaches to the HS. 942 00:33:51,780 --> 00:33:53,849 S update location and 943 00:33:53,850 --> 00:33:56,039 then we fall without synchronization that 944 00:33:56,040 --> 00:33:58,619 has the attacker basically try and area. 945 00:33:58,620 --> 00:34:00,630 You don't know an. 946 00:34:02,440 --> 00:34:04,599 Then if he has update, basically just 947 00:34:04,600 --> 00:34:06,279 as the Emmy. 948 00:34:06,280 --> 00:34:09,189 What happens then that the 949 00:34:09,190 --> 00:34:10,719 M.E. connects the user 950 00:34:11,860 --> 00:34:14,649 to the fake HPN? 951 00:34:14,650 --> 00:34:17,029 And this only works for 952 00:34:17,030 --> 00:34:19,269 one? Does the constraints I extend 953 00:34:19,270 --> 00:34:21,609 before and 954 00:34:21,610 --> 00:34:23,158 actually you say, hey, I have an AP 955 00:34:23,159 --> 00:34:24,339 insetting on my phone. 956 00:34:24,340 --> 00:34:25,809 Why is not that not used? 957 00:34:25,810 --> 00:34:27,339 Well, that comes from the old times when 958 00:34:27,340 --> 00:34:29,439 you still had to configure your HPN 959 00:34:29,440 --> 00:34:30,899 settings manually. 960 00:34:30,900 --> 00:34:32,948 So the MMD just assumes you made a typo 961 00:34:32,949 --> 00:34:33,949 and you are wrong. 962 00:34:35,679 --> 00:34:37,029 These are the legacy stuff. 963 00:34:37,030 --> 00:34:39,099 So it sometimes pops up. 964 00:34:39,100 --> 00:34:41,259 So as industrial research, 965 00:34:41,260 --> 00:34:42,638 I cannot just complain. 966 00:34:42,639 --> 00:34:43,639 This is bad. 967 00:34:46,449 --> 00:34:47,459 I also have to fix it. 968 00:34:47,460 --> 00:34:49,669 You from the I.T. community, most of your 969 00:34:49,670 --> 00:34:51,779 letters. Hey, let's easy let's use IP 970 00:34:51,780 --> 00:34:53,249 second. We have source authentication. 971 00:34:53,250 --> 00:34:54,988 Everybody's happy. 972 00:34:54,989 --> 00:34:57,189 Well, we sure would be so easy. 973 00:34:57,190 --> 00:34:58,419 Be seconds. Even standardized for 974 00:34:58,420 --> 00:34:59,420 diameter. 975 00:35:00,150 --> 00:35:01,150 But 976 00:35:03,690 --> 00:35:05,819 it's not all IP. 977 00:35:05,820 --> 00:35:08,169 We have human who are members is a Sir 978 00:35:08,170 --> 00:35:10,319 Transport Protocol SICP. 979 00:35:10,320 --> 00:35:12,649 Yeah. We still have it living there. 980 00:35:12,650 --> 00:35:14,579 And as a political question, we talk 981 00:35:14,580 --> 00:35:16,769 about an international network 982 00:35:16,770 --> 00:35:18,779 all across the world who would be 983 00:35:18,780 --> 00:35:20,699 trustworthy enough to host a root 984 00:35:20,700 --> 00:35:21,419 certificate. 985 00:35:21,420 --> 00:35:23,999 And the key generation worldwide. 986 00:35:24,000 --> 00:35:25,880 I know who Bank of Artecoll 987 00:35:27,880 --> 00:35:28,949 it. 988 00:35:28,950 --> 00:35:30,839 I mean, you name one country, I name you 989 00:35:30,840 --> 00:35:32,569 another country that says no, no, no, no, 990 00:35:32,570 --> 00:35:34,859 no, no. So no way we are going to have 991 00:35:34,860 --> 00:35:36,719 maybe we get something on a regional 992 00:35:36,720 --> 00:35:39,959 level one day that that's possible. 993 00:35:39,960 --> 00:35:41,939 And then there are operators that just 994 00:35:41,940 --> 00:35:43,909 don't have the money or exercise. 995 00:35:43,910 --> 00:35:45,359 And to value it, which I mentioned 996 00:35:45,360 --> 00:35:47,609 before, they have something 47 employees. 997 00:35:47,610 --> 00:35:48,749 They don't have a security expert. 998 00:35:48,750 --> 00:35:49,679 I'm pretty sure. 999 00:35:49,680 --> 00:35:50,850 Maybe they have one. I don't know. 1000 00:35:52,230 --> 00:35:53,280 Also still, 1001 00:35:54,300 --> 00:35:56,339 it's no protection against sort of got 1002 00:35:56,340 --> 00:35:57,689 some governments or 1003 00:35:59,100 --> 00:36:00,659 renting out the service companies or heck 1004 00:36:00,660 --> 00:36:02,219 notes or things like that. 1005 00:36:02,220 --> 00:36:04,349 But I tech would still be a good idea if 1006 00:36:04,350 --> 00:36:05,999 there's not already a secure pipe in 1007 00:36:06,000 --> 00:36:07,229 place. 1008 00:36:07,230 --> 00:36:08,759 But it's also important that the partners 1009 00:36:08,760 --> 00:36:10,649 have a similar understanding on hardening 1010 00:36:10,650 --> 00:36:11,650 and so on. 1011 00:36:12,810 --> 00:36:14,429 So that's also. 1012 00:36:16,510 --> 00:36:17,980 For this specific attack, 1013 00:36:19,070 --> 00:36:21,399 the S.H. interface, it's an internal 1014 00:36:21,400 --> 00:36:22,969 network interface, it shouldn't put it 1015 00:36:22,970 --> 00:36:25,399 open it up on the interconnection 1016 00:36:25,400 --> 00:36:27,429 at it nodes in between. 1017 00:36:27,430 --> 00:36:29,710 You can also filter out as h traffic 1018 00:36:31,330 --> 00:36:33,459 if you really need to do it, secure it 1019 00:36:33,460 --> 00:36:34,599 properly. 1020 00:36:34,600 --> 00:36:37,989 DNS proper internal external resolution 1021 00:36:37,990 --> 00:36:39,819 and for the update location stuff, the 1022 00:36:39,820 --> 00:36:42,279 S6, a potentially block 1023 00:36:42,280 --> 00:36:43,389 or velocity check. 1024 00:36:43,390 --> 00:36:45,849 So how fast to use a control. 1025 00:36:45,850 --> 00:36:46,850 I'm nearly done. 1026 00:36:47,770 --> 00:36:49,989 Countermeasures on general level 1027 00:36:49,990 --> 00:36:51,189 monitor what's going on. 1028 00:36:51,190 --> 00:36:52,539 Pend tests the network. 1029 00:36:52,540 --> 00:36:54,669 It's not very common that mobile 1030 00:36:54,670 --> 00:36:55,849 phone networks are panties tested, 1031 00:36:57,370 --> 00:36:58,479 tenant monitoring. 1032 00:36:58,480 --> 00:37:00,069 What are those mobile virtual operators 1033 00:37:00,070 --> 00:37:01,659 really doing in your network? 1034 00:37:01,660 --> 00:37:03,069 Do you really know? Do they stick to the 1035 00:37:03,070 --> 00:37:04,929 service? Look, you know, it's like this. 1036 00:37:04,930 --> 00:37:05,930 I accept. 1037 00:37:06,870 --> 00:37:08,199 And then you just hope they do what 1038 00:37:08,200 --> 00:37:09,200 they're supposed to do. 1039 00:37:11,470 --> 00:37:12,519 Share your experiences. 1040 00:37:12,520 --> 00:37:14,259 That's a bit critical because network 1041 00:37:14,260 --> 00:37:15,849 operators are always afraid that they 1042 00:37:15,850 --> 00:37:17,499 might get into trouble with their 1043 00:37:17,500 --> 00:37:18,489 license. 1044 00:37:18,490 --> 00:37:20,139 So when they disclose they have been sort 1045 00:37:20,140 --> 00:37:21,759 of somehow hacked, they're always a bit, 1046 00:37:21,760 --> 00:37:23,289 Fred. Sort of. Okay. 1047 00:37:23,290 --> 00:37:24,759 But does that mean for my license next 1048 00:37:24,760 --> 00:37:25,760 year and so on, 1049 00:37:26,890 --> 00:37:28,449 some things can already be done with 1050 00:37:28,450 --> 00:37:30,399 business rules. So if you have partners, 1051 00:37:30,400 --> 00:37:33,039 which sent you a lot of bad messages, 1052 00:37:33,040 --> 00:37:35,169 you might want to increase the 1053 00:37:35,170 --> 00:37:36,819 fees for those partners. 1054 00:37:36,820 --> 00:37:38,679 So some stuff can be done with business 1055 00:37:38,680 --> 00:37:39,680 rules. 1056 00:37:40,810 --> 00:37:42,459 Filter, filter, filter on the network 1057 00:37:42,460 --> 00:37:44,679 side, signaling follow 1058 00:37:44,680 --> 00:37:45,729 estimates, home routing. 1059 00:37:45,730 --> 00:37:47,349 Not everybody is doing that. 1060 00:37:47,350 --> 00:37:48,819 I hope the operator knows which one. 1061 00:37:48,820 --> 00:37:50,889 I mean, very 1062 00:37:50,890 --> 00:37:52,000 specifically one there in mind. 1063 00:37:53,830 --> 00:37:56,079 Then we have the GSM documents which 1064 00:37:56,080 --> 00:37:58,179 describe explicitly what you can 1065 00:37:58,180 --> 00:37:59,259 do. 1066 00:37:59,260 --> 00:38:01,399 And layered security from user level. 1067 00:38:01,400 --> 00:38:02,400 So 1068 00:38:03,790 --> 00:38:05,769 don't necessarily assume that the pipe is 1069 00:38:05,770 --> 00:38:07,839 secure, if you can, at some 1070 00:38:07,840 --> 00:38:09,459 security on top of it, do it. 1071 00:38:09,460 --> 00:38:11,169 I mean, if you have a best security, even 1072 00:38:11,170 --> 00:38:13,030 if it's not good, it might help somewhat. 1073 00:38:14,230 --> 00:38:16,839 And note, hardening procedures exist. 1074 00:38:16,840 --> 00:38:18,369 So let's use them. 1075 00:38:21,860 --> 00:38:22,860 Summary. 1076 00:38:26,740 --> 00:38:28,929 All networks are affected by ever 1077 00:38:28,930 --> 00:38:30,769 so, but not all are equally vulnerable, 1078 00:38:30,770 --> 00:38:33,039 some are a bit more, some a bit less 1079 00:38:33,040 --> 00:38:35,159 detect a reality, but still mostly 1080 00:38:35,160 --> 00:38:37,269 S7, but diameters sort of popping 1081 00:38:37,270 --> 00:38:38,809 up slowly. 1082 00:38:38,810 --> 00:38:40,419 It's independent of phone platform. 1083 00:38:43,250 --> 00:38:44,889 The interception detected a presenter 1084 00:38:44,890 --> 00:38:47,019 depend strongly on how what actually 1085 00:38:47,020 --> 00:38:48,429 is really configured in the network and 1086 00:38:48,430 --> 00:38:49,809 how it works. 1087 00:38:49,810 --> 00:38:50,829 But there are networks that are 1088 00:38:50,830 --> 00:38:52,929 vulnerable on the 1089 00:38:52,930 --> 00:38:54,629 general question to the diameters. 1090 00:38:54,630 --> 00:38:56,889 Better or worse than S7 1091 00:38:56,890 --> 00:38:58,269 if nothing is done. 1092 00:38:58,270 --> 00:39:00,429 Well, it's bad, but think I think we have 1093 00:39:00,430 --> 00:39:02,319 now a unique opportunity to do things 1094 00:39:02,320 --> 00:39:03,789 better. And I think now it's actually on 1095 00:39:03,790 --> 00:39:05,209 the on the right track. 1096 00:39:05,210 --> 00:39:07,329 So so I know that last week 1097 00:39:07,330 --> 00:39:08,919 several operators called the IP X 1098 00:39:08,920 --> 00:39:10,779 provider and asking, do you filter SAHD 1099 00:39:10,780 --> 00:39:11,829 traffic? 1100 00:39:11,830 --> 00:39:14,169 So this conference here really did 1101 00:39:14,170 --> 00:39:16,899 some improvement with the security. 1102 00:39:16,900 --> 00:39:19,089 So to all of you and also to 1103 00:39:19,090 --> 00:39:21,190 the people here and to that 1104 00:39:22,510 --> 00:39:23,769 all this guys working here. 1105 00:39:23,770 --> 00:39:25,119 So thank you a lot. 1106 00:39:25,120 --> 00:39:26,799 This really sort of kicked off something 1107 00:39:26,800 --> 00:39:28,130 in the operator community. 1108 00:39:29,620 --> 00:39:30,739 So. 1109 00:39:30,740 --> 00:39:32,939 So basically discretion's. 1110 00:39:45,780 --> 00:39:47,129 Thank you for the very nice talk. 1111 00:39:49,260 --> 00:39:50,149 I think we can actually get that. 1112 00:39:50,150 --> 00:39:51,360 Thank you. Back with some more Plous. 1113 00:39:53,440 --> 00:39:54,440 Thanks a lot. 1114 00:40:01,750 --> 00:40:04,569 Or I'd be off lots of time for questions, 1115 00:40:04,570 --> 00:40:06,549 please. Liable to microphones if you have 1116 00:40:06,550 --> 00:40:07,659 a question. 1117 00:40:07,660 --> 00:40:08,660 Microphone number one. 1118 00:40:10,380 --> 00:40:12,699 Other than the other legitimate uses 1119 00:40:12,700 --> 00:40:15,399 of remotivate, it just US profiles, 1120 00:40:15,400 --> 00:40:17,739 like, I guess it's like, you know, 1121 00:40:17,740 --> 00:40:19,899 something called bearing and call waiting 1122 00:40:19,900 --> 00:40:21,189 options. But yeah. 1123 00:40:21,190 --> 00:40:23,429 Other like, legitimate options. 1124 00:40:23,430 --> 00:40:26,139 What a better use for them 1125 00:40:26,140 --> 00:40:28,359 from hearing partners in 1126 00:40:28,360 --> 00:40:29,409 these subscriber profiles. 1127 00:40:29,410 --> 00:40:31,749 Everything relates to your subscription. 1128 00:40:31,750 --> 00:40:33,520 There is also 1129 00:40:37,350 --> 00:40:38,919 there's called burying. 1130 00:40:38,920 --> 00:40:41,349 There is special services 1131 00:40:41,350 --> 00:40:42,549 which you're allowed to use. 1132 00:40:42,550 --> 00:40:44,649 If you have postpaid if you're prepaid, 1133 00:40:44,650 --> 00:40:46,179 your phone number is there. 1134 00:40:46,180 --> 00:40:48,669 If you have proximity, security, 1135 00:40:48,670 --> 00:40:50,619 which bureaus you are used, allowed to 1136 00:40:50,620 --> 00:40:52,689 use. So it's all kind of technical 1137 00:40:52,690 --> 00:40:54,249 details in there. 1138 00:40:54,250 --> 00:40:56,439 So but basically, you can do easy 1139 00:40:56,440 --> 00:40:57,639 denial of service. 1140 00:40:57,640 --> 00:40:59,799 You can do fraught with meddling there. 1141 00:40:59,800 --> 00:41:01,929 So so the subscriber profile 1142 00:41:01,930 --> 00:41:03,579 offers a lot of opportunities. 1143 00:41:03,580 --> 00:41:05,139 Let's call it that way for all four 1144 00:41:05,140 --> 00:41:05,859 attackers. 1145 00:41:05,860 --> 00:41:07,929 So basically, basically, 1146 00:41:07,930 --> 00:41:10,099 the question is, is 1147 00:41:10,100 --> 00:41:12,579 it legitimate uses for you 1148 00:41:12,580 --> 00:41:14,379 for visiting networks to update your 1149 00:41:14,380 --> 00:41:15,129 profile at home? 1150 00:41:15,130 --> 00:41:16,359 Of course. Of course. 1151 00:41:17,620 --> 00:41:19,919 I mean, if you, for example, R&D 1152 00:41:19,920 --> 00:41:21,729 for a network and want to change your 1153 00:41:21,730 --> 00:41:23,919 subscription or your location, 1154 00:41:23,920 --> 00:41:26,319 update it, also change your subscriber 1155 00:41:26,320 --> 00:41:28,539 profile. So but actually 1156 00:41:28,540 --> 00:41:30,969 not the visited network doesn't 1157 00:41:30,970 --> 00:41:32,829 need your whole subscriber program. 1158 00:41:32,830 --> 00:41:34,059 That's the point. 1159 00:41:34,060 --> 00:41:35,739 At least it shouldn't change your APM, 1160 00:41:35,740 --> 00:41:36,740 for example. 1161 00:41:37,840 --> 00:41:39,399 Yeah. Might be that you want to have 1162 00:41:39,400 --> 00:41:41,259 local connectivity because that might be 1163 00:41:41,260 --> 00:41:42,129 then that better. 1164 00:41:42,130 --> 00:41:43,959 So there might be a good reason for 1165 00:41:43,960 --> 00:41:46,029 giving you this new AP and 1166 00:41:46,030 --> 00:41:47,739 so that you don't need to your traffic 1167 00:41:47,740 --> 00:41:49,239 doesn't need to read altered over the 1168 00:41:49,240 --> 00:41:50,369 ocean and back. So. 1169 00:41:50,370 --> 00:41:51,940 So there are good reasons for doing it. 1170 00:41:53,260 --> 00:41:54,919 But you might want to keep control sort 1171 00:41:54,920 --> 00:41:57,069 of who is doing what on your network. 1172 00:41:59,170 --> 00:42:00,579 All right. Thank you. 1173 00:42:00,580 --> 00:42:02,709 My phone number to your question. 1174 00:42:02,710 --> 00:42:04,779 Hey, there's a bit of a gap 1175 00:42:04,780 --> 00:42:07,029 in public knowledge about 1176 00:42:07,030 --> 00:42:09,939 SS seven attacks in the wild. 1177 00:42:09,940 --> 00:42:12,039 Can you just talk about 1178 00:42:12,040 --> 00:42:14,409 how frequently you see 1179 00:42:14,410 --> 00:42:16,779 these attacks and in what part 1180 00:42:16,780 --> 00:42:18,710 of the what possible world? 1181 00:42:19,990 --> 00:42:21,409 They are everywhere in the world. 1182 00:42:21,410 --> 00:42:23,489 So we are we are doing as a company world 1183 00:42:23,490 --> 00:42:25,969 to do sort of assessments of network 1184 00:42:25,970 --> 00:42:28,209 and we see operate all 1185 00:42:28,210 --> 00:42:30,039 the world under attack. 1186 00:42:30,040 --> 00:42:32,229 It's not bound to a good geographical 1187 00:42:32,230 --> 00:42:34,209 region. Some regions have this type of 1188 00:42:34,210 --> 00:42:35,499 attack a bit more. 1189 00:42:35,500 --> 00:42:37,299 Some others have a bit other types of 1190 00:42:37,300 --> 00:42:39,739 attack it more. But they all 1191 00:42:39,740 --> 00:42:41,309 somewhat commonly observed. 1192 00:42:41,310 --> 00:42:43,540 Attack is usually location tracking, 1193 00:42:46,090 --> 00:42:48,340 followed by credential theft. 1194 00:42:49,720 --> 00:42:51,889 So these are everywhere in the world, 1195 00:42:51,890 --> 00:42:53,169 but not assets. 1196 00:42:53,170 --> 00:42:56,049 We see them at the board of the network 1197 00:42:56,050 --> 00:42:58,509 and they're filter them out. 1198 00:42:58,510 --> 00:43:00,119 So not all of those attacks will really 1199 00:43:00,120 --> 00:43:01,449 be when people monitor it. 1200 00:43:01,450 --> 00:43:04,029 They also filter in the same go so 1201 00:43:04,030 --> 00:43:04,959 and so. 1202 00:43:04,960 --> 00:43:06,279 You see them all of the world. 1203 00:43:06,280 --> 00:43:07,179 So, so. 1204 00:43:07,180 --> 00:43:09,579 And every every operator has some chunk 1205 00:43:09,580 --> 00:43:10,479 of the tech traffic. 1206 00:43:10,480 --> 00:43:12,279 But I've been me noted directly that 1207 00:43:12,280 --> 00:43:14,800 operators that deploy signaling firewalls 1208 00:43:16,600 --> 00:43:17,889 have much less 1209 00:43:20,140 --> 00:43:20,979 malicious traffic. 1210 00:43:20,980 --> 00:43:23,229 For example, an operator that just look 1211 00:43:23,230 --> 00:43:24,939 the first time into their traffic, let's 1212 00:43:24,940 --> 00:43:27,039 call it that way. So, so, so 1213 00:43:27,040 --> 00:43:29,499 also tech seem to sort of more or less. 1214 00:43:29,500 --> 00:43:31,030 I wouldn't say give up, but. 1215 00:43:32,770 --> 00:43:33,770 Well. 1216 00:43:34,760 --> 00:43:37,359 So, so flattering really helps on several 1217 00:43:37,360 --> 00:43:38,360 levels. So. 1218 00:43:40,470 --> 00:43:41,820 And there's one question from the. 1219 00:43:43,670 --> 00:43:44,779 Yes, thank you. 1220 00:43:44,780 --> 00:43:47,059 The IOC wants to know, how many years 1221 00:43:47,060 --> 00:43:49,339 do you expect will be needed to prevent 1222 00:43:49,340 --> 00:43:50,340 these attacks? 1223 00:43:51,110 --> 00:43:53,210 Well, the Internet's not safe today or 1224 00:43:54,450 --> 00:43:56,599 I think mobile networks is going 1225 00:43:56,600 --> 00:43:58,729 through the same evolution process as the 1226 00:43:58,730 --> 00:43:59,779 Internet went. 1227 00:43:59,780 --> 00:44:01,069 So, I mean I mean, beginning with the 1228 00:44:01,070 --> 00:44:02,779 Internet, Rossie ARPANET, where you have 1229 00:44:02,780 --> 00:44:04,369 username, password, I knew that you were 1230 00:44:04,370 --> 00:44:06,859 in. And I think this network is basically 1231 00:44:08,000 --> 00:44:10,249 rushing through the same steps, so. 1232 00:44:11,900 --> 00:44:12,799 Hard to say. 1233 00:44:12,800 --> 00:44:15,229 I mean, I just do what I can and 1234 00:44:15,230 --> 00:44:17,209 it's also an investment question. 1235 00:44:17,210 --> 00:44:19,789 I mean, security costs money 1236 00:44:19,790 --> 00:44:21,859 and it's 1237 00:44:22,880 --> 00:44:24,559 I mean, obviously everybody expects 1238 00:44:24,560 --> 00:44:26,499 security to come for free. 1239 00:44:26,500 --> 00:44:27,499 Also users. 1240 00:44:27,500 --> 00:44:29,719 So there has to be a balance 1241 00:44:29,720 --> 00:44:30,720 somewhere. 1242 00:44:32,210 --> 00:44:34,219 So I think don't think, for example, that 1243 00:44:34,220 --> 00:44:36,379 these 2000 people in Tuvalu 1244 00:44:36,380 --> 00:44:38,329 are willing to pay, let's say, 50 bucks 1245 00:44:38,330 --> 00:44:40,929 more for their subscription per months. 1246 00:44:40,930 --> 00:44:43,169 That's that's just not feasible. 1247 00:44:43,170 --> 00:44:45,469 So and still, people 1248 00:44:45,470 --> 00:44:47,239 there want to be able to call out. 1249 00:44:47,240 --> 00:44:49,219 So we must find solution old for these 1250 00:44:49,220 --> 00:44:50,220 kind of cases. 1251 00:44:51,110 --> 00:44:52,899 So it's been pretty hard. 1252 00:44:52,900 --> 00:44:54,679 So if you face reality in that sense, 1253 00:44:54,680 --> 00:44:55,759 that you have to have to think about 1254 00:44:55,760 --> 00:44:56,719 budgets and so on. 1255 00:44:56,720 --> 00:44:58,639 So I don't think we will ever have 1256 00:44:58,640 --> 00:45:00,260 hundred percent secure networks 1257 00:45:01,460 --> 00:45:03,049 as we don't have hundred percent secure 1258 00:45:03,050 --> 00:45:05,119 Internet, even with Heg Pierce and 1259 00:45:05,120 --> 00:45:06,590 whatever. We have IP second. 1260 00:45:09,510 --> 00:45:10,569 Microphone number six. 1261 00:45:10,570 --> 00:45:11,570 What's your question? 1262 00:45:12,670 --> 00:45:14,499 I see that there's a big problem of 1263 00:45:14,500 --> 00:45:16,120 backward compatibility. 1264 00:45:17,230 --> 00:45:18,969 Do you have a sketch tune when you will 1265 00:45:18,970 --> 00:45:21,639 turn off GSM infrastructure 1266 00:45:21,640 --> 00:45:24,009 like 2G or doesn't 1267 00:45:24,010 --> 00:45:25,209 it exist? 1268 00:45:25,210 --> 00:45:26,210 Well, 1269 00:45:27,940 --> 00:45:30,909 mobile network note, for example, from 1270 00:45:30,910 --> 00:45:33,129 countries which are more progressive, 1271 00:45:33,130 --> 00:45:35,589 which roll out newest technologies, 1272 00:45:35,590 --> 00:45:37,729 these notes are sometimes not scrapped. 1273 00:45:37,730 --> 00:45:39,519 So those radio towers that you see on the 1274 00:45:39,520 --> 00:45:42,399 roofs, they are sometimes sold, 1275 00:45:42,400 --> 00:45:44,499 for example, to Africa, second hand 1276 00:45:44,500 --> 00:45:45,789 equipment. There's a big second hand 1277 00:45:45,790 --> 00:45:47,499 equipment market. 1278 00:45:47,500 --> 00:45:49,749 And because there 1279 00:45:49,750 --> 00:45:52,119 look at how much an African subscriber 1280 00:45:52,120 --> 00:45:54,309 can pay for their subscription per 1281 00:45:54,310 --> 00:45:56,529 month. So the infrastructure is just not 1282 00:45:56,530 --> 00:45:58,689 allowed to cost much money. 1283 00:45:58,690 --> 00:46:00,879 So these GSM will live for a while. 1284 00:46:00,880 --> 00:46:02,059 It will continue for a while. 1285 00:46:02,060 --> 00:46:04,869 Also, there are operators which see GSM 1286 00:46:04,870 --> 00:46:07,509 as a very cheap way to offer IATSE 1287 00:46:07,510 --> 00:46:09,399 I.T. connectivity. 1288 00:46:09,400 --> 00:46:11,679 Because if you have to pay as 1289 00:46:11,680 --> 00:46:14,079 much for a subscription for 1290 00:46:14,080 --> 00:46:16,719 you. Let's say your tablet, your 1291 00:46:16,720 --> 00:46:18,759 your skill, your car and so on, you don't 1292 00:46:18,760 --> 00:46:20,349 want to pay for everything of that, let's 1293 00:46:20,350 --> 00:46:21,730 say, 30 bucks per month. 1294 00:46:22,900 --> 00:46:25,029 So these should have a cheaper 1295 00:46:25,030 --> 00:46:27,159 subscription. But how can you offer us an 1296 00:46:27,160 --> 00:46:28,959 operator, a cheaper subscription, which 1297 00:46:28,960 --> 00:46:30,609 basically means you reused your old 1298 00:46:30,610 --> 00:46:31,719 stuff. 1299 00:46:31,720 --> 00:46:33,879 So especially if it's not time critical 1300 00:46:33,880 --> 00:46:36,219 communication, so you recycle 1301 00:46:36,220 --> 00:46:38,349 your GSM return of investment as 1302 00:46:38,350 --> 00:46:39,350 much as possible. 1303 00:46:40,480 --> 00:46:42,609 That's just business logic on both 1304 00:46:42,610 --> 00:46:43,610 sides. 1305 00:46:45,210 --> 00:46:47,139 So I suppose we will live with just empl 1306 00:46:47,140 --> 00:46:48,140 while. 1307 00:46:51,910 --> 00:46:53,169 Mike, from number four, what's a 1308 00:46:53,170 --> 00:46:54,129 Christian? 1309 00:46:54,130 --> 00:46:56,459 Are there practical Dr. 1310 00:46:56,460 --> 00:46:57,939 Urman, documented mentioner and 1311 00:46:57,940 --> 00:47:01,239 configuration examples for smaller 1312 00:47:01,240 --> 00:47:03,099 providers who might not have the 1313 00:47:03,100 --> 00:47:05,259 resources that you have and which 1314 00:47:05,260 --> 00:47:07,599 are publicly accessible? 1315 00:47:07,600 --> 00:47:09,849 We discuss in just a how to do things 1316 00:47:09,850 --> 00:47:12,139 for them and one that the IPCC 1317 00:47:12,140 --> 00:47:14,289 provides might take more responsibility 1318 00:47:14,290 --> 00:47:16,419 because very often those very 1319 00:47:16,420 --> 00:47:18,399 tiny, tiny islands are so they're 1320 00:47:18,400 --> 00:47:20,649 connected to one satellite operator 1321 00:47:20,650 --> 00:47:23,289 and then it basically goes into the IP 1322 00:47:23,290 --> 00:47:24,189 network. 1323 00:47:24,190 --> 00:47:26,469 And basically, if you just 1324 00:47:26,470 --> 00:47:28,599 have this link, then from this IP 1325 00:47:28,600 --> 00:47:30,579 provide on the IP X provider, that takes 1326 00:47:30,580 --> 00:47:32,109 care of the security security as a 1327 00:47:32,110 --> 00:47:34,219 service, basically like 1328 00:47:34,220 --> 00:47:35,220 you. 1329 00:47:41,140 --> 00:47:43,239 They see no 1330 00:47:43,240 --> 00:47:44,240 one else lined up anymore. 1331 00:47:45,760 --> 00:47:47,799 So thanks for answering all the 1332 00:47:47,800 --> 00:47:48,849 questions. 1333 00:47:48,850 --> 00:47:49,850 I'm thankful for it.