Okay, welcome back to this advertisement episode for lgl.silihun.com, which is a vanilla anarchy server. Where did I leave off? What was the journey? Oh yeah, it’s like removing all this crap. I don’t know, I should probably build some machine. There are all these tunnel-digging machines that could be quite useful here. Let’s see. Or I should, I don’t know, build some water-moving machines again, because this is not real progress, what is happening down here, or not very efficient progress, I would say. Yeah, let’s see how that goes.

Okay, so today we are going to watch a talk on the media.ccc.de channel, which is from 2014, so it’s some old stuff. It’s from Tobias Engel and it has the title "Tobias Engel: SS7: Locate. Track. Manipulate." It currently has 50,000 views, so that’s a lot for media.ccc.de, and it’s also in English, I think. Let me check. So yeah, so you can see how, yes, it is. Okay, I should have checked that before. Oh, don’t die.

Yeah, and if you’re interested in this talk that I’m now going to play back in the background, make sure to check out the original link to that, which is in the description as always. And if you’re interested in playing on a vanilla anarchy server where you’re allowed to use hacked clients, where you’re allowed to grief, and you’re like mostly alone, so you can just live the old good life and play vanilla like in the old days, then come check out there’s a google net and see you in game. I will now start playing back the video.

Okay, so why are there so many mobs here? This is so annoying.

So it is my great pleasure to be able to announce our next speaker. For those of you who have been to previous congresses, Tobias Engel has been presenting at 18C3 on the short message service protocols and at 25C3 on locating phones with SS7 through SMS routing. And as Tobias is an intimate friend of diverse protocols and their implementations, I’m much looking forward to seeing what he has found today in his talk, SS7: Locate, Track and
Manipulate. So please join me and give a very warm welcome to Tobias Engel. [Applause]

Yeah, thank you. So, as Andreas already said, I want to talk about further security issues with SS7 today. So why should you care? Everybody who has a phone in his pocket indirectly uses SS7, and I’m going to talk about how your every movement can be tracked all over the world, and how people can intercept your calls, man-in-the-middle them, and your short messages, and all of that only by knowing your phone number.

Okay, one thing in advance. A few weeks ago Karsten Nohl contacted me. He has the talk after this one, and we realized that his company and I did a lot of parallel research over this year, so we kind of split up the topics a little bit. And also, as I was made aware of only two days ago, two Russians, Sergey Puzankov and Dmitry Kurbatov, already presented on that subject in May and talked a lot about the same issues. So it really seems 2014 is the year of the SS7 research.

Okay, how did this talk come together? Earlier this year a journalist contacted me from the Washington Post and told me that there are several companies out there selling tracking of people. And so, as you can see, I didn’t come up with the title of my talk myself. "Locate. Track. Manipulate." is actually the subtitle of a brochure by Verint on their SkyLock product. And yeah, as it turns out, companies are selling that ability, and as you can see, it’s very detailed tracking down city streets all over the world, and all you need is the phone number to track these people. And the journalist asked me how, because I had done similar work on the subject, how that would be possible, and I wanted to find out.

But first, let’s look at what Signalling System 7 is. It’s a protocol suite used by most telecom network operators throughout the world for the switches to talk to each other. It was designed a long time ago, and back then in the 80s there were no
mobile phones. It was all just fixed-line phones connected to a socket in the wall, so there were no privacy implications, and also there were only very few telecom operators, state-controlled, big companies who trusted each other.

Then came the mobile phones, and new features with them, and so new protocols had to be added to SS7. So now you could take your phone everywhere you went, to other countries, so roaming had to be implemented. You could send text messages, you have the internet. So the Mobile Application Part, MAP, was added, that does all those things that mobile phones can do that fixed-line phones cannot do. Then, even later, a new protocol was added, the CAMEL Application Part, that allows operators to build custom services that are not possible with MAP. More on that later. And for none of these services any authentication exists. So if you are in the SS7 network and you have a roaming agreement with other operators, you can simply use these services and don’t have to authenticate.

Yeah, getting access to SS7 is becoming easier all the time. It can simply be bought from telecom operators and network operators, because if you are, I don’t know, if you plan on doing some SMS service or something like that, you might actually need SS7 access, so it can simply be bought. Usually, so the SS7 access, it is simply like an internet access without an IP address, so you still need the address. It’s called a global title, and you need roaming agreements that cover that global title so that your messages get routed. Usually, but not always; sometimes it works without a roaming agreement. And also several telcos are reselling global titles that are covered by their roaming agreements. Also, it happens that network operators leave their SS7 equipment unsecured on the internet. And also there have been several reports of femtocell hacking, and femtocells are an extension of the network operator’s core
network into your home. So if you can hack femtocells, there’s also a chance that you have access to SS7.

A quick overview of the protocol stack. Down there on the left side, MTP level 1, that’s the physical layer, T1 or E1 lines back in the days. Nowadays it’s often routed over IP. But this talk focuses on SCCP, MAP and CAP: the network layer and the Mobile Application Part that implements all the features for mobile phones.

Quick network overview. On the left and on the right you see the base station subsystem. This is the part our phones talk to, with the cell towers and base station controllers and so on. This is not the focus of our talk. The focus is the core network of the operator, and all the red lines you can see are SS7 connections. So the operator’s equipment uses SS7, and also between operators SS7 is being used.

One of the most important network elements is the home location register. That’s a database containing all information on a subscriber, meaning his phone number; is it a prepaid or postpaid contract; what is he allowed to do: data, text messages, calls, incoming, outgoing; are there any call forwardings set, and so on. And also the home database, the home location register, knows which mobile switching center, MSC, or VLR, visitor location register, is currently closest to a subscriber. So the visitor location register, it receives a copy of the subscriber’s data from the HLR as soon as you switch on your phone. And so, for example, most networks will have one mobile switching center for Hamburg here, so we are all logged into the respective network switching centers for Hamburg right now, and that received a copy of your subscriber data from your respective HLR. So, visitor location register, and the mobile switching center is actually routing the calls. It’s always co-located with a VLR, so I put them in one box there. So they are two different logical entities, but they also have the same address, and it’s mostly the
same machine.

Addressing is by global title. Global titles look just like international phone numbers: on the left for a German network, on the right for a US network. Most of you, if you have ever come in contact with a global title, it was for the SMSC. Back in the days when you still had to enter the SMSC on your phone by hand, then you entered the global title for the SMSC, for the short message service center, so that you could send short messages.

Okay, so much for the quick overview. Now to cell-level tracking, so what those commercial providers are offering. The network of course needs to know your position. It needs to know which base station or cell is closest to you, because you want to receive calls, you want to receive short messages and so on. So somebody can find out the ID. So every base station of the world has a unique ID. Somebody can find out that ID, then you can use that ID to look up its geographical position in one of several databases on the internet. So, for example, Google has a very big ID database. And of course, especially in cities where the cell towers are pretty close, the location of the cell tower closest to you is also a pretty good idea of where you currently are.

So the commercial providers claim a coverage of about 70 percent of worldwide mobile subscribers, meaning you don’t have to be close to that subscriber, you don’t have to know where he currently is, you just need to know his phone number. Some have some non-technical limitations. So, for example, from the Verint brochure, they say you cannot locate Israeli subscribers in Israel or US subscribers worldwide. Verint, by the way, is a US-Israeli company. And so, SkyLock, Infiltrator, they have very nice names for the product.

Okay, how does it look on the protocol level? On the left, the attacker. He sends a MAP Any Time Interrogation request. So Any Time Interrogation is exactly for that purpose, for finding out the cell ID of a mobile subscriber. It’s used for
network-internal purposes normally, for example if you have a home zone, so that you can make cheaper calls if you’re currently at home, and so on. So that’s what it’s used for, but it can also be used by attackers to find out the cell ID. So the Any Time Interrogation goes to the home database of the subscriber and says, okay, please let me know the cell ID and, if you want, also the IMEI, the phone serial number of that subscriber. And the home database doesn’t know the cell ID; it just knows what switching center is currently serving that subscriber. So it sends a Provide Subscriber Info request to the switching center. The mobile subscriber gets paged, so that the switch can be sure that it really got the current cell, and the information gets returned to the attacker. So it’s really only meant as a network-internal service, but still, as you can see in this Wireshark trace of a request we sent, it still works for many networks. Here you can see the cell ID at the bottom.

Okay, but many networks, especially in Europe most of the networks actually, or at least in Germany all the networks, block Any Time Interrogation by now. But as we have seen before, the HLR, the home database, doesn’t even know the cell ID. So we just need to find out the address of the switching center, and then we can ask the switching center itself. Also we need to find out the IMSI, the international mobile subscriber identifier of the subscriber, because internally in the network not phone numbers are used for routing but the IMSI. And luckily there’s a request for that. We can just ask the home database, the HLR: please tell me the IMSI and what switching center the subscriber is currently at. That’s used for SMS routing normally, so if you’re a different network and want to send a short message to that subscriber. So the information is returned, and then the attacker can simply ask the
switching center itself, and it works just like before. And that works really for a lot of networks, because also most MSCs or switching centers accept requests from just anywhere and anyone. So you would say, okay, if there’s a German subscriber currently at home in his German network, for example, an, I don’t know, Indonesian network should have no business querying his location. But the MSC or VLR doesn’t do any plausibility checks and the request will get answered.

Okay, so to demonstrate this better, for about two weeks we tracked some people who were nice enough to give me their phone number and said, okay, you can track me. And let me see if I can show that to you. Yeah, okay, there’s somewhere there. Okay, my touchpad is acting weird. Okay, let’s start.

So that’s a Dutch subscriber who was, when I started tracking him, in Seattle, and as you can see, down there are the times. And yeah, okay, so he said he didn’t use the ferry, so that’s on the water there. The location database gave me back a wrong position. But he said that’s very accurately near to where he lives and where he works in Seattle. And so it continued for a few days, and then the Dutch subscriber, for Christmas, as you can see down there, he flew back to the Netherlands. And let’s see. So here’s Schiphol, and we can really see, so the next tracking was when he was on the train away from Schiphol and then through the Netherlands. And he asked me to remove the last point of those tracks because he said that was too close to home. Okay, some other.

Sure, too close to home. I’m sure it was just a strip club or something.

Let’s see. So here we can see very nicely somebody who lives in Luxembourg. You can actually see him traveling down the autobahn, then stopping somewhere, then continuing travelling, and then after some time taking the plane to Hamburg. I wonder what he’s doing there. Okay, that’s it. So yeah, so you can see how he traveled to
the Congress. And also, I think you got the general idea. Somebody living in Hanover boy Darmstadt, and also you can see pretty good where he took the autobahn, what route he took, also to Hamburg in the end. And as you can see, it’s really relatively precise.

So yeah, oh, what’s that? This is possible for almost all of us. [Applause] What’s that?

And I think it’s really scary, because, I mean, you don’t have to know somebody, you just have to know his phone number, and can track him from the other side of the world. You don’t have to be near him, you just need SS7 access. And of course companies are offering those services. They are saying they’re only offering those services to government agencies and law enforcement and so on, but I don’t know about you, there are many countries in the world whose governments I wouldn’t trust with this functionality. [Applause]

Okay, then we talked to one of the big German operators about those problems, and they were really shocked finding out about that, and started monitoring the network, and found a lot of traffic that was querying people’s positions and other stuff. So then after a while they implemented some filters, filtering out the possibility to figure out the IMSI and the current mobile switching center. So as we saw earlier, you need that; you need to find out the IMSI or switching center. So they disabled that ability, and the attack traffic dropped more than 80 percent. And they started to try and figure out where the traffic came from. So some of the traffic was simply misconfiguration in other networks; that was quickly fixed. Then some commercial use cases, for example a shipping company tracking its vehicles, and also an SMS provider who provided a service for banks sending mobile transaction numbers, one-time passwords, as short messages to phones, and they wanted to check if the SIM card had been swapped, because a
few years ago there was a case where criminals swapped the SIM cards of their victims and got the mobile transaction number. And so they wanted to check if the SIM card had been changed, to prevent that kind. But they were using a network-internal service for that, and that was also switched off then. And some of those network operators that were contacted by the German operator, they either didn’t answer or said they didn’t know about anything. So the German operator believes that those were requests by state actors then, or by those other network operators themselves. And some of these attacks still persist, meaning those attackers need other information sources. They somehow need to find out the IMSI of the subscribers. Maybe they know them from before, or they have other resources to find that out. And for the switching center, they can simply brute-force it; they can simply brute-force the number range. But yeah, those attacks still continue.

Okay, this very quickly, because we don’t have so much time. In the US there’s a requirement that if you call 911, phones have to be located very precisely. So there was a new feature added to MAP, the location services, that don’t just return the cell ID but an actual latitude and longitude, and they can even return the GPS position of the phone. If it has a GPS receiver, it can be switched on and then returns its position back to the network. Those emergency services, they use the GMLC, the gateway mobile location center, and that requires authentication, thank God. So this is straight from the specification. You see up there the police, for example, is the client, and it sends an LCS service request to the GMLC, and that requires authentication. But as we have seen before, the switching centers, they don’t care about authentication, don’t know about authentication, so you can again send the Provide Subscriber Location request directly to the switching center. So in practice that works as seen
before: just ask for the IMSI, ask for the switching center, then query the switching center directly. But as I wrote here, they implemented some funny kind of sender address verification, because they said, okay, maybe those requests shouldn’t be allowed from outside the network, so they wanted to verify the sender address. So the network and destination address for MAP messages are in the SCCP layer. So this is how it looks. Calling party means the equipment that sends the message, and called party, for example, the calling party in this case the HLR, the home location register, called party VLR. And the problem is this SCCP layer doesn’t know who is allowed to use MAP services or not. So the solution is they have the sender of the message put in another copy of the sender address in the MAP layer. So responses will be routed to the calling party address up there, but verified will be the address down there. Meaning if we tell the truth, put in the same address twice, we get back "unauthorized requesting network". But if you just put in an address that looks similar to the network, so that the network thinks it’s an internal address, it works. So you get back the latitude and longitude. Okay, this is obviously not a GPS position. I don’t know, maybe that person was somewhere where GPS was not available or something.

Okay, so now we have seen a lot about how it’s possible to gather information from the MSC, but it’s also possible to manipulate information there. Sorry. So, okay, it’s just white there. Okay, the colors, it’s actually colored here on my display, but yeah. So if you remember, back in the beginning I said when you switch on your phone, your home database, the HLR, transfers a copy of your subscriber data to the MSC or VLR, and

He uses so many terms, like the MSC and the VLR. Boy, I’m sure he defined it in the beginning, but who’s supposed to remember that? Am I going in the wrong direction now? Did I lose track of
where I’m, wait, yes, okay, I did. And now I’m correct. Cool.

from that point on controls everything you can do with your phone. But an attacker can also play HLR and send a copy of the subscriber data, as he modifies it, to your current switching center, meaning he can enable or disable the possibility to make calls, incoming or outgoing, SMS or data, or delete the subscriber altogether from the VLR.

Okay, another thing: protocol CAMEL, the Customized Applications for Mobile networks Enhanced Logic. Nobody ever can remember that. It’s like an overlay over the usual MAP logic, and it gives your network operator the ability to say, okay, for example, if you’re a German subscriber, you’re currently in France, your home network operator can say: hey, every time that subscriber from my German home network wants to make a call, contact the home network, the service control function, contact the service control function in the home network. And the service control function of the home network then decides if that call can continue, or if the data will be modified, or if it will be cancelled.

So on the left we have the home network with the service control function. It sends the address of the service control function to the switching center. Because you as the German subscriber are currently in France, it sends the address of the service control function to the French MSC and says, okay, contact me whenever that subscriber of mine wants to make a call. Okay, then the subscriber wants to make a call, and he forgets to add the international country code before the phone number. He just dials it like a German phone number, and usually that wouldn’t work, because a French switching center doesn’t know anything about how German phone numbers work. But the service control function gets contacted: okay, your subscriber wants to call that number, what should I do with it? And the service control function rewrites it to
the international number, and then the call can be set up, and the subscriber doesn’t know anything about it. He just dials the number like usually from Germany, and it works.

But if you remember, the address of that service control function gets sent to the switch by the home database. So if the attacker can modify data in the MSC, he can simply send a different address to the MSC, his own global title. He can say, okay, every time that subscriber does anything, contact me, and he provides his own address. So now the subscriber there on the left, he wants to dial that number, that subscriber on the right. He dials the number, and the switching center now contacts the attacker. So the attacker now already knows the phone number the subscriber wants to dial, and then he changes that phone number to the number of his recording proxy that he has somewhere. I don’t know, it doesn’t even have to have SS7 access; it can just be some Asterisk box on the internet with a publicly reachable phone number. Okay, the call will be set up to the recording proxy and will be bridged to the original subscriber, and then both subscribers can talk to each other while the attacker is the man in the middle and records the whole call. [Applause]

And so just a few days ago I read that this is actually happening. So I heard of a Ukrainian network operator who found out that several of his subscribers’ calls had been intercepted, and those requests came from a Russian SS7 network. So this is actually happening.

Okay, so now we’ve seen a lot about the switching center and its vulnerabilities, but the home location register also has some vulnerabilities. So first let’s look at what exactly happens if you travel to another region or country. So in this case I said it’s a different country, but it’s actually the same if you’re just traveling, I don’t know, from Berlin to Hamburg and you’re a German subscriber. So your phone sends a location updating request to the
switching center, and that sends an Update Location request to the HLR. What happens then is the HLR saves the address of the mobile switching center, because it needs to know where to route your incoming calls and your incoming short messages. It saves the address and sends, as I said before, a copy of the subscriber data to the switching center. So now, for example, somebody wants to send you a short message. There on the left, the short message service center of that network asks your home location register, the home database: please give me routing information for that phone number. And it gets back the address of that switching center there and can then send the short message to you.

But an attacker can also send an Update Location request in your name. So he will send the Update Location request to your home database, to your home location register, and then the home location register will save the attacker’s address. That means that, for example, again the bank sending a one-time password, a mobile transaction number, wants to send you a short message; that short message now gets routed to the attacker without the subscriber knowing about that. So in the case I mentioned earlier, the case of the criminals swapping SIM cards, if they had had SS7 access it would have been even easier for them. They wouldn’t even have had to switch SIM cards. They could have just said, okay, I am the subscriber now, send the short message to me.

Okay, another thing: USSD codes, those star-hash codes you probably know, that you have to enter in your phone sometimes. They can also be executed for other subscribers by an attacker. So not in Germany, but in several countries carriers allow transfer of prepaid credits via USSD codes, so you could just empty a victim’s prepaid account and send all of his credits to your own number, for example. All the call forwardings can be set and deleted, meaning if I activate the call forwarding on your phone to, for example, a premium rate
number and then call your phone for just the normal fee, and you have to pay for the call to the premium rate number. That premium rate number would of course also be controlled by the attacker.

Okay, so, and you don’t even have to do what I showed before, where you tell the home database that subscriber is now in my network, where the attacker says the subscriber is now being served by me. You don’t even have to do that. If the subscriber is a German subscriber at home in his German network, he can stay there. The German home database will still say, okay, I will execute the USSD code for the subscriber, or activate that supplementary service for the subscriber, call forwarding or something like that. So as you can see here, we queried the balance of a German prepaid card while it was logged into the German network, from a network on the other side of the world. [Applause]

So I guess this one Karsten is going to talk about. [Laughter] Okay, then [Applause] you have to translate it to English. Okay, so this I call hybrid attacks, because

I don’t get it. [Applause] What’s going on there? [Applause]

Okay, so I call it hybrid attacks because you have to hybrid [Applause] right, like, like up there.

Sorry, is this an actual human doing the translation? [Applause] Waiting. [Applause]

Still the the driver or activate that see here we query to the who’s going to talk about cast value [Applause] hybrid [Applause] [Applause]

Let me quickly scan the comment section: "can someone please explain what is happening starting at the 37 minutes" or unlike. No, no idea, man. [Applause]

Okay, so hybrid attacks, meaning you can capture, so over the air interface, if the network wants to reach you, so now really at the base station, if the network wants to reach you it sends a paging request to your phone, and for that it uses a temporary mobile subscriber identifier that has been introduced

Okay, the TMSI, I know that one from different talks.

and the
temporary identifier has been introduced so that you cannot find out who is currently making a call. So you’re not being paged by your phone number or by your IMSI; it’s a temporary identifier that should not be possible to be de-anonymized. But as it turns out, if the attacker just captures all the paging requests, all the TMSIs, for example with OsmocomBB or something like that, he can then simply ask the mobile switching center: give me the IMSI of that subscriber. Then you can do an Update Location request and find out the MSISDN, the phone number. So if you do that, I don’t know, in Berlin at the seat of the government, I don’t know how long it takes until you get Angela Merkel’s phone number.

Okay, call interception, Karsten is going to talk about that in a minute, I’m sure.

LTE. So the SS7 network is used by GSM and UMTS. LTE is using a different protocol, the Diameter protocol, for the network core, meaning SS7 is becoming a legacy protocol, but a lot of the SS7 design flaws have simply been ported to Diameter. So for example there’s still no end-to-end authentication for subscribers. And also GSM and UMTS will still be around for a long time to come. People say about 20 years SS7 will still be in use. And also there are interfaces from Diameter to SS7 to be able to make calls from LTE to GSM/UMTS or the other way around.

So yeah, to sum it up: an attacker with only his victim’s phone number can track his victim’s movements, in some networks even with GPS precision; he can intercept his victim’s calls and text messages, and most likely also data connections, also we didn’t try that; disable calls, SMS and data; reroute calls at the victim’s expense; and more.

So what the operators can do against that, network operators. So as I said in the beginning, you have to find out the IMSI and the mobile switching center to be able to manipulate the mobile switching center, and the main reason for network
operators to give out that kind of information to external networks is for SMS routing. So there has been a new, well, yeah, new, way around for quite some time now called SMS home routing, where the network operator uses an SMS router in the subscriber’s home network, so that it doesn’t have to give out the actual address, the global title of the switching center, but just the address of the SMS router. So some of the German networks, for example, already use SMS home routing, so it becomes a lot harder to figure out that kind of information then. Some don’t yet; I hope they will soon. And also another source of that information is the Send Routing Information request for voice calls, but if the network operators don’t use optimal routing, they can also simply disable it for external networks. Some of the German networks again already did; some didn’t do it. So you as the subscriber cannot really do anything, because this works for all phones which are connected to the network, no matter smartphone, feature phone. You can’t do anything, because it’s happening in the network.

Okay, so now I’ve prepared a small demo. Let me just get that back to my screen here. Okay, I hope it works and I hope you can see something. If you can switch to the, yeah, thank you. Oh, it’s, oh, okay. [Applause] Wow, okay. So this is a subscriber in a German network, and he wants to call his friend on this phone. And as you can see, it works; the other phone rings as expected. [Applause] Yeah, a phone that call the demo, yeah, very funny. Yeah, I know, everybody has the number now.

Okay, now I do some SS7 magic. So I send an Insert Subscriber Data. I try the same thing again. I have the same number, and let me see if, can you hear that? You can’t, right? Okay, it says for the dialed number barring has been activated. So, because, if you could just stop for a second calling that number. The call simply doesn’t go through [Applause] anymore. So it won’t work. I can also switch
it back on again. If I dial it again, as you can see, it works now. And another thing: so the friend wants to call back, so he dials the number. [Applause] Guys, stop calling for a second. So it’s calling full test and all the call forwarding still activated. Okay, so the call arrives on that phone. Okay, I will switch it off. Okay, so, and I do the call again. Brilliant. Okay, so the original phone rings like it should. I will show you again, because that was of course now the wrong way around. I will show you, or they’re confusing them or, not gonna lie. And okay, so there’s no call forwarding activated. So if I activate it now and do the same request again, okay, now you can see the number for call forwarding that has been activated. [Applause] Okay, yeah, that’s it for the demo, that’s it for me. Thank you very much. [Applause]

Everyone, if you have any questions, please do line up at the microphones. If you’re planning to leave, please do so now. Get up quietly and leave the room to make room for people who want to enjoy the next talk. Right now you’re only allowed to leave, so please do this now quickly and quietly.

So we have a question from microphone number two.

Thank you for the talk. In the beginning you said that government agencies would be using SS7 for so-called lawful interception, and you said you wouldn’t trust the governments of some countries. Just for completeness, could you name a country you would trust?

I’m afraid I can’t.

Thank you. If you’re leaving, please do so quietly so we can still record the questions and answers. Thank you. Microphone number one, please.

How did you gain access to the SS7 network for a demo?

I’d rather not say. Well, no, actually, so it’s an access that has been borrowed to us for the purpose of security research.

Microphone number four, please.

Hello, thank you for the talk. My question goes into finding out the location. I mean, the cell location probably is at
no cost to the operator to, you know, give that information out, but about the triangulation: is there a cost? Can this be done at scale, for like lots of subscribers?

I don't really know how many, how many were you thinking, but, well, of course it's been implemented for emergency services, so I guess there's always a lot of emergency calls coming in, and I think it can be done for a lot of customers. I don't know what would happen if you would do it for all the subscribers, but I think it can be done for a lot of subscribers.

We also have a few questions from our signal angel, relaying questions from IRC. Signal angel, please.

Test. Okay, so the first question is how much would like a whole second cost to track somebody's phone?

Well, I would say a few hundred euros for the SS7 access, if you buy it, and then you need somebody to code the software, or write it yourself. And if you write the software yourself and somehow, I don't know, find somebody who hacked SS7 access via femtocell, something like that, it wouldn't even cost a thing.

Another question from our signal angel, please.

Okay, that's a question if you require direct SS7 access, or would it be like enough to have like a hacked base then mobile device, something?

No, so SS7 is really only used in the core network, meaning the phones don't have anything to do with SS7. So the phones use the radio network, and that isn't SS7. It's only used in the core network, meaning switching centers, HLR, SMSC, GMLC and so on, they use SS7.

Microphone number two, please.

Thank you. So I have another question regarding USSD. You were saying it's completely possible to spoof USSD messages, as they are always targeted directly towards the HLR. So from what I dimly remember about that, there are two different fields that actually carry the request issuer. Can you spoof the entire message, like, can you spoof all fields?

I'm not really sure, but as you
don't need an answer back, you can spoof anything you like. So that's also a thing for all the messages where you modify something, where you just don't want data back: you can put in any sender you like, because you don't need the answer back, and the new data gets activated or the request gets executed as soon as it arrives at its destination.

I'm not asking because of protocol compliance, I'm asking because of verification, because from what I know USSD is not only used for, like, you know, your own subscriber account credit level, but it's also used for payment solutions, and there I really see a massive problem if you could spoof the entire message.

Yeah, yeah, yeah. Okay, thanks for watching. If it's really done over USSD, I think so, yeah.

Microphone number one, please.

I have two questions. The first one was: when you did location through PSI, ATI, for the "where the heck am I" guy, it was done from an access that you paid, like an access, a website that you paid for to do it, or your own access? And if it was your own access, it was a trusted GT? I mean... okay, so it was your own GT that you controlled, but it was not in the IR.21 list?

Exactly. So IR.21, by the way, is a set of documents by the GSMA, the GSM Association. Every operator puts this document there that lists all his global titles, all the addresses, where to route traffic, where the HLRs are, and so on and so on. And so usually you would think that if a global title or a sender address was not listed in the IR.21, then you could simply discard it if you receive messages from it, but in practice that's not the case. So most of the time requests get also routed and answered if your address is not in the IR.21 document.

Thanks.

Microphone number four, please.

Hi, thank you for your talk. I want to be interested, did you look also in the modified versions for emergency calls, when I don't have an IMSI, like a
SIM in my phone, or for the upcoming eCall which is used in cars? Does that have some implications to that as well, is there trackable or something?

I didn't look into that, I don't know.

Okay, thanks.

Another question from our signal angel on IRC.

Yeah, actually I have quite a few questions, so I don't know, but one question is if there are any numbers about which countries are like doing the most tracking.

Which countries do the most tracking?

Yeah, there was a question if you have any numbers about that.

No, I don't. I also would be very interested in those numbers. If anybody has them, I would be very interested.

Microphone number two, please.

Yeah, I have the question: if I have a working base transceiver station which worked for a GSM network, is the SS7 access information in this base transceiver station?

No, no, so that's in the base station subsystem, and that's not SS7. Okay, SS7 will only be used from the switching center on inward to the core network.

Okay, thank you.

Microphone number four, please.

Hello, did your summary slide with a TMSI requesting also say that you could decrypt the sniffed message, the sniffed phone call?

Sorry, I didn't understand that.

One of your summary slides was about how you could request an IMSI after you present the TMSI that you sniffed off the air.

Yeah, yeah.

Did that also say you could then decrypt the whole phone call by sniffing the air?

Yeah, yeah, yeah, but Karsten is going to talk about that in a minute in the next talk, so we'll stay for the next talk and you will learn more about that.

Okay, we have time for two more questions. Microphone number five, please.

Hi, thank you for your talk. I don't know if you have any virtual operators in Germany, but do they have access to the SS7, and if so, does the blocking that you mentioned in your talk also apply to them?

Sorry, virtual operators? Yeah, okay. Do they have access to SS7? Yes, well, if they are real MVNOs, then they do have access to SS7. If they are just resellers, then not,
but for example, I think one of the very few MVNOs in Germany is sipgate, or simquadrat, and they, for example, operate their own HLR.

Microphone number six, please.

Do you see this as a possible vector to trigger a phone to update the baseband firmware?

Well, as you saw in the beginning, you can not only request the cell ID, you can also request the IMEI of the phone, so the serial number. So you can also figure out what type of phone somebody is using, if it's an iPhone or a Galaxy S something, I don't know. So if you want to install an exploit on the phone, that's of course also easier if you already know what type of phone the person, your victim, is using.

But are you aware of any API functions that are maybe part of MAP or CAMEL that can be used to directly instruct the phone to, like, pull firmware from there or there?

No, I think that would happen on a different layer, not in SS7.

Okay.

Okay, that's it. If you have any further questions for Tobias, please catch up with him after the talk. Please give a warm round of applause to Tobias.

So that's it for this advertisement stream. Yeah, I don't know, it's always so complicated, and these phone talks with all these previous abbreviations, but I think over time, like if you watch enough of those, it gets easier and easier to follow what is a TMSI, what is the IMSI, and, yeah, well, that's like the only thing that I remotely understood, but we're getting there, we're getting there. Okay, so make sure to check out Lasergurkenland and see you in game. Bye.

Video Information
This video, titled ‘Minecraft anarchy – Locate. Track. Manipulate.’, was uploaded by ZillyGurke on 2020-07-18 22:03:59. It has garnered 5 views and 0 likes. The duration of the video is 01:05:46 or 3946 seconds.
Lasergurkenland vanilla anarchy server (yet another poor 2b2t fake lmao)
domain: lgl.zillyhuhn.com
Small vanilla server without rules.
media.ccc.de talks watched in this video:
Tobias Engel: SS7: Locate. Track. Manipulate. https://www.youtube.com/watch?v=-wu_pO5Z7Pk