>> Hello. Okay, so, good morning. Thank you so much for making the time. We are happy to be here to share our work with you. This is a vulnerability and exploitation we named Ghost Telephonist. It is about a problem in CS Fallback in the LTE network.

So let me first give a brief self-introduction. We come from 360 Technology. 360 is the leading internet security company in China, like McAfee and Symantec, and our company develops antivirus security software for personal computers and cell phones. We come from the Unicorn Team. This team is one research group in 360, and this team was built in 2014. We focus on the security issues in many kinds of wireless telecommunication systems. Our previous works include GPS spoofing at DEF CON 23, the year before last year, an LTE redirection attack at DEF CON 24, and also the PLC attack at Black Hat last year. So this year we bring the work about the vulnerability in 4G LTE, in the CS Fallback procedure.

Okay, so what is CS Fallback? Now let me briefly introduce the voice solutions in the LTE network. As we all know, different from 2G and 3G, in the LTE network the circuit switch was removed and only the packet switch is left. So now there are mainly three solutions for voice in LTE. The first one is VoLTE, voice over IP. This is the final objective for the network evolution. The second solution is the case we discuss today, CS Fallback, Circuit Switched Fallback. It means when the subscriber takes a voice call, the cell phone has to switch from 4G to 2G or 3G. The third solution is Simultaneous Voice and LTE. The cell phone keeps two connections simultaneously: one is in 4G and the other is in 3G or 2G. This solution has a higher price and more rapid power consumption on the terminal because it has two baseband chipsets running.
At the beginning of this year, we were working on a project about the well-known GSM man-in-the-middle attack, and we were debugging some modifications on OsmocomBB. This is a very famous project for the GSM protocol. We tried to send fake paging responses, and then we were surprised to find that some fake paging response messages were accepted by the network. There was no authentication, and the call was successfully set up. We thought it was quite strange, so we started to have a deep look into it.

See the two pictures. This is the signaling log from the engineering mode of some cell phone. In the red blocks, you can see the left figure. We confirmed that in a normal 2G call, authentication does exist for every call. You can see here "Call Confirmed". Here is the authentication, sorry, this figure is the Authentication Request and Response. So in a normal 2G call we find AKA does exist for every call. But in the 4G network, in the CS Fallback case, the network does not require authentication. We found this may be the root of this problem. It was introduced by the CS Fallback procedure.

This slide shows the signaling flow of the CS Fallback mobile terminated call procedure. You can see some network elements here: MME for the 4G LTE network and MSC for the 2G and 3G network. When there is a call for a UE, for one user terminal, the network first sends a paging request on the 4G network from the MME to the UE. And the 4G network sends an RRC Connection Release message here. In this message the network tells the UE which 2G base station it should connect to. In this step there is another vulnerability we presented last year, that is the LTE redirection attack. This problem is still under discussion in standardization groups and it has not been solved until now. When the UE falls back to 2G, it will send a paging response directly from the UE to the MSC. And from this step to the call setup, there is no authentication.
So the whole principle is like this: the network has different doors. For example, the left one is the door for LTE and the right one is the door for GSM. No matter what door the subscriber wants to enter, the door requires the subscriber to show the badge of this door. Once the badge passes the check, the subscriber enters the network space. Now there is one exception. When the subscriber goes out from the door of LTE, he shouts, "Be quick, I have a call on GSM". So in this urgent case, in this special case, the door of GSM does not check his badge.

After the discovery of this problem, we started to think about how to exploit it, and the direct idea is to send a fake paging response, then impersonate the victim's cell phone and hijack its link. This picture shows our experiment setting. We use the C118 cell phone, where OsmocomBB layer 1 is running, and the C118 is connected to a laptop which runs OsmocomBB layers 2 and 3. In this picture, we use two C118 cell phones to improve the attack efficiency.

Now let's watch a demo video to see what the attack looks like, and then we explain the technical details. This video records the whole attack procedure. We use two cell phones; one is the victim's cell phone. So first we check that the two cell phones work in the normal mode. We first use the victim's cell phone to call a normal cell phone. Okay, so both of them work normally. [sigh] Okay, so during the two calls we captured the TMSI of the victim's cell phone, and we start the attack. We set the TMSI on this MacBook. Attack this TMSI. This is the victim's cell phone's TMSI. And now we call the victim's cell phone again. Now the call is connected, and the victim's cell phone has not responded. The call is connected to the telephonist. Next we open the Gmail, the Google account web page. We try to reset this account's password by entering the telephone number.
And then the Google account will send a verification short message to the cell phone. The telephonist receives this verification short message. Now we enter the verification code. Okay, now we can reset the password. [Clapping] Now we create a new password. Sign in. Okay, done. This is my Gmail account. This video was recorded in March this year. And in this month, July, we noticed that Google announced its new two-factor authentication scheme. The new scheme delivers the verification code through Google's special application on Android cell phones. So maybe this attack does not work on Google now. Okay, so let my colleague Yuwue introduce more technical details.

>> Hi, good morning, I'm Yuwue. Now let me introduce the first exploitation, the simplest one. The attacker, whom we name the Ghost Telephonist, can impersonate the victim's cell phone to receive the call. The attack steps in our experiment are listed here. The first step is sniffing the PCH, the paging channel, and the second is extracting the TMSI or IMSI from the paging messages. The third step is the key step: forging a paging response message with the captured TMSI or IMSI. After this step, we check whether the network accepts the paging response. If it accepts, it will enter the call setup procedure. If not, we will wait for the next paging message. In this attack we pick the victim randomly, so we call this method random hijack. In the random hijack exploitation, the attacker listens on the 2G paging channel, extracts the TMSI from the paging request, and then forges and sends the paging response constantly. However, the standard says the 4G network should send the paging request with the S-TMSI, and the S-TMSI has no relationship with the 2G TMSI. So someone may ask, "Why does the network send the paging request on the 2G side while the standard says to send paging on the 4G side?" I don't know either. But in fact we found the same on the C118.
It also receives the CS Fallback paging request on the 2G side. So my guess is operators configured the network to do so in order to optimize the network and decrease the latency of setting up a voice call. Here is a success example. You can see the C118 has no SIM card. But after a fake paging response, we successfully received a call from the number 139 blah blah.

This slide explains the attack signaling. In this figure, the UE with a SIM represents the victim and the UE without a SIM represents the attacker. When there is an incoming call for the victim, the MSC in the 2G network will request the MME in the 4G network to transmit a paging request. When the victim receives the paging request, it will send an Extended Service Request to the eNB to ask for a CS Fallback to accept the incoming call in 2G. In the normal scenario, after fallback the victim will send a paging response to establish a connection. But in this attack scenario, because the attacker is constantly sending paging responses with the victim's TMSI number, the call is taken over by the attacker.

Once the telephonist hijacks an incoming call, what can he do further? The caller will recognize that the voice on the call is abnormal, but the attacker may do something like social engineering. For example, he may say, "Your friend encountered an accident. He is in the hospital. He needs $2000 for the rescue costs." In this scenario it may generate serious consequences. Anyway, now the attacker only knows the victim's TMSI or IMSI. He doesn't know who the victim is and he doesn't know further information. What more can the attacker do? Can we know the victim's cell phone number? See this picture. We found that during one hijacked call, the telephonist can make a call out to a burner phone by sending Hold and CM Service Request messages. And the surprise is that this doesn't trigger an authentication either. The network directly responds with CM Service Accept.
In this way, we can see the victim's phone number on the screen of this burner phone. We call it a phone number catcher. Here we summarize the attack steps by showing this signaling flow. The telephonist gets control from here. It sends a paging response, then the network sends back Setup and the call is confirmed. After the call is hijacked, the telephonist makes a call out by sending Hold messages and a CM Service Request. We can see the network side sends back a Setup message. It doesn't require authentication. This picture shows the captured records. These records were captured by Wireshark on the laptop that OsmocomBB is running on. You can see the Hold message to the end of this call. The network does not require authentication. As long as the telephonist doesn't hang up the call, the connection will be maintained, and at the same time short messages can be received or transmitted.

We tried to make a targeted attack on our test phone, which gave us the ability to debug and log the signaling. After our investigation, we found two ways to implement a targeted persistent hijack. First, we can send paging responses constantly using the test phone's TMSI or IMSI, which we can get easily, no matter whether there is a paging request or not. Or we could use the MSISDN, also known as the cell phone number. In this case we know the victim's phone number, so we can call the victim and capture the victim's TMSI in the air. Then we can launch a targeted attack. We previously mentioned the attack method. Now let's go to the next slide and introduce the details about how to implement a targeted hijack. Firstly, we can use the TMSI to attack the victim, as we discussed. With this attack method, we constantly send paging responses to the network using the victim's TMSI. Once there is a call to the victim, the call procedure will set up.
We can directly take over this procedure because we can respond to paging requests quicker than the victim. This also means we successfully performed a targeted attack. Next, implementing a targeted attack with the IMSI basically requires the same steps as using the TMSI. But this method has some particular disadvantages. The success rate is much lower than using the TMSI, because when the network side receives a paging response with the IMSI, it needs time to look up the corresponding TMSI in the network, thus increasing the link setup latency. But the victim will directly send the legal paging response with the TMSI and set up the link quicker than us while the network is still looking up the TMSI from our IMSI. Finally, when we have the victim's phone number, we can attack the victim in the following way. We need two C118s and one burner phone, as shown in this figure. Here are the steps. First we set up a C118 as a sniffer, then we use the burner phone to call the victim and trigger the regular CS Fallback procedure. Our sniffer will log the whole procedure, including paging response, call setup, et cetera. Please notice that the call setup signaling contains the caller's phone number. That means we can locate the specific call setup signaling, trace back to find the corresponding paging response, and finally extract the victim's TMSI. Now we have our victim's TMSI. So we can follow the steps we mentioned before to hijack the victim.

Now let's watch the demo video. This video shows the targeted attack. We impersonate one victim's phone, and furthermore we can hijack the short messages and choose which messages the victim can receive. [Watching video] First we use two phones to call each other to verify the phone number. Then we start a counter to see how much time it takes to mount the attack.
Now we call the victim. [Inaudible noise from video presentation] But the call has been hijacked. So now we have successfully hijacked the voice call. Let's go on to attack short messages. So we can successfully hijack short messages, and furthermore we can choose which short messages the victim can receive. So now welcome my team member Lin to introduce a more complex attack. [Clapping]

>> Sorry for the bad video issue. Well, let me continue to explain. The first demo video showed the whole procedure. This is about how to attack internet accounts. We know that, to simplify the user experience, many internet applications permit login with a cell phone number and a verification short message. It doesn't require entering the login password. So if an attacker obtains the victim's cell phone number and verification short messages, he can impersonate the victim to access the application. Another attack path is using the verification short message to reset the password, as we showed in the first demo video. As we all know, there are some existing exploitations which can obtain verification messages like the attack we showed here. For example, the SS7 vulnerability can be utilized to hijack both calls and short messages. Also some malware on cell phones can hijack the short message content. So the telephonist attack is just a new attack method to generate the same consequence. We verified this kind of attack, the password reset, on some of the internet applications, for example Facebook and Google Account, et cetera. The steps are illustrated here. In the first step, we control the victim's link and get the phone number. In step two, we use a computer to open the web page and request to reset the password with the acquired phone number. In step three, the telephonist receives the verification short message.
And finally, in step four, we use this verification code to reset the login password. This picture is a screenshot of the C118 log, and the record in the red rectangle proves that the C118 received the verification short message sent from the network. It says CP-DATA network to MS. We investigated the password reset routines of many popular websites and applications, including global and Chinese ones. This table summarizes some of them: Facebook, Google Account, WhatsApp, and in China there are Alipay, WeChat, DiDi and Sina, et cetera. Some of them require sending a short message from the internet to the cell phone, the inbound ones. And some of them require sending a short message from the cell phone to the internet, the outbound ones.

Now you may think this vulnerability is so dangerous, but we want to emphasize: don't worry so much. There are some constraints. On this page we summarize the constraints to launch the attack. Firstly, the telephonist and the victim's cell phone should be in the same paging area. It may be within several base stations' coverage. Secondly, the attack is feasible only when a 2G network is in use and uses A5/1 or A5/0 encryption. I want to say here "2G network is in use". That means, even if the CS Fallback makes the cell phone fall back to 3G, as long as a 2G network is in use, the attack is feasible. Compared with known exploitations, the telephonist attack has these features. It doesn't need access to the SS7 core network, and this attack doesn't need a fake base station, so it's quite easy to launch. The victim keeps online in the 4G network and is not aware of this attack, as the picture shows here. People may also question why in every experiment we make a call to the victim to trigger the CS Fallback. "Is this necessary for a successful hijack?" The answer is no. It depends on the operator's configuration.
In some cases, we found we can directly impersonate the victim's cell phone to make a mobile originated call. During our tests we noticed that we got different success results when we attacked different victims' cell phones. Here are listed the five cell phones we tested, with different chipsets. It is strange that some of them, which we marked with a star in the table, will get back control of the connection 10 seconds after our successful hijack. This means our attack failed in this case. So what's the problem? Why does such kind of failure exist? Why do different cell phones have different behavior? After we tested and analyzed, the major reason we found causing this issue is in the fast return procedure. The chipset manufacturers implemented fast return in different ways. When a victim's cell phone receives a paging message but doesn't receive this call, it may launch a Location Area Update procedure in 2G. And this action will finally lead to the interruption of our hijacked link. Here we show two cases. The first one is about the Qualcomm chipset, in this figure. The green texts are 4G signaling and the white texts are 2G signaling. You can see that the Qualcomm chipset sends a Location Update Request here, but there is no Location Update Accept following. So we doubt whether the chipset really completes the Location Update Request procedure. In this case, the attack will succeed because the LAU procedure is not complete, so we can maintain the connection to do something evil. Here's the failure example. We can see the difference; this is the case of the MTK chipset. When the cell phone fell back to 2G, it didn't get this call. But before returning to 4G, the signaling was sent out. There is a Location Update Accept immediately following. So in this case, our victim will get a new TMSI.
That's why the connection will be interrupted 10 seconds after being successfully hijacked. Okay, does this mean the chipsets we marked with a star are immune to this attack? No. For such chipset issues, we can use jamming to prevent the victim's cell phone from sending the LAU signaling to the network; then we can maintain this hijacked link.

We proposed countermeasures to operators and internet providers. We suggest adding authentication in the CS Fallback procedure. The additional latency is acceptable, and we think the final solution is to speed up the real VoLTE deployment. And the internet service providers should be careful that PSTN authentication is not safe; NIST guidance already suggests not to use PSTN in two-factor authentication.

Finally, I want to thank GSMA's CVD Program. This is a new program launched this year. This is a program for researchers to report the vulnerabilities related to standards and protocols. Before this program, we had no platform to report such vulnerabilities, so we reported this problem to GSMA and we received the first acknowledgement on the Mobile Security Research Hall of Fame. GSMA also transferred this vulnerability information to every operator, and we know some related operators already fixed or are fixing this problem. Well, that's all. Thank you all for your patience. [Clapping]