LaF0rge

LaF0rge, 1 year ago

@penguin42 apparently some German official thought conflagration is the proper English word for something I'd translate as a "wide area fire" or "major fire".

LaF0rge, 1 year ago

@dancinyogi you're clearly missing Motorbike in your list!

LaF0rge, 1 year ago

@jfmezei @jsrailton "global title" is an address in the worldwide SCCP network (part of SS7). What other systems you can reach with it largely depends on filter policies at other operators/networks, just like in IP networks with packet filters and the like

LaF0rge, 1 year ago

@jfmezei @jsrailton so a random global title somewhere is usually not very attractive to surveillance activities. What matters is to have (control over) a global title within one operator network / address range that is white-listed at other operators systems e.g. for roaming. The attacker can then spoof outbound roaming etc.

LaF0rge, 1 year ago

@jfmezei @jsrailton it's more like "crooked MV[N]O or anyone with access to generating traffic from one of their GT can claim that target subscriber is now roaming to crooked MVNO and hence receive all inbound calls/SMS"

LaF0rge, 1 year ago

@jfmezei @jsrailton there is no authentication flow between subscriber and home network in classic 2G/3G roaming on SS7! The visited network simply claims the IMSI has registered there, an the home network has no way of verifying this. If the visited network wants to do authentication, and if it cares about the result, is entirely up to the (rogue) visited network!

LaF0rge, 1 year ago

@jfmezei @jsrailton while it might ring an alarm (if anyone cared), it still opens a race condition sufficient enough for 2FA SMS to end up elsewhere

LaF0rge, 1 year ago

@jfmezei @jsrailton sorry, you are clearly portraying the procedures on the roaming interface wrongly. Please check the GSM MAP specs (TS 29.002). The HPLMN has no way to request the VPLMN to perform any authorization. The decision is entirely in the VPLMN if it ever optionally requests Auth quintuples from HLR via SendAuthInfo, and whether of not it ever uses them.

LaF0rge, 1 year ago

@jfmezei @jsrailton @LaF0rge it is perfectly within the 3GPP specs for any VPLMN to simply perform a MAP UpdateLocation procedure for any IMSI of any inbound roaming partner. The HPLMN has no way within the protocol to mandate anything. I'm implementing those protocols and publishing about them for 15+ years.

LaF0rge, 1 year ago

@jfmezei @jsrailton theres no need for nay "remote provision of your subscription info". The subscription information is stored in the HLR/HSS, not on the SIM. the SIM is merely a token of identifying that subscription.

LaF0rge, 1 year ago

@jfmezei @jsrailton I'm not sure how you come to that conclusion. The HPLMN can and will of course have a white-list about which VPLMN is permitted. But that's not authentication, just a white-list.

LaF0rge, 1 year ago

@jfmezei @jsrailton I don't know where you are getting your Information from, it clearly does not reflect at all the reality of how 3GPP network technology works. There is no point in continuing this conversation.

LaF0rge, 1 year ago

@jfmezei @jsrailton without an IMSI on the card, nothing would ever work. It's impossible to register to any network. In fact, the phone would inform you about a defective SIM if it couldn't read a valid EF.IMSI file on it. Please stop spreading rumors about how cellular technology works.

LaF0rge, 1 year ago

@jfmezei @jsrailton I just contest your technical deductions/conclusions, not your user experience. Of course it is e.g. possible to change the IMSI of a card remotely over SIM OTA, as many multi-IMSI solutions have demonstrated for a long time. But the card must have an IMSI with a valid roaming agreement to reach your HPLMN and then they can do OTA and do whatever to the card. So the card clearly is not "blank and devoid of IMSI". Also, no "provisioning info"

LaF0rge, 1 year ago

@jfmezei @jsrailton just give up on the term "blank sim". call it a "restricted service SIM for bootstrapping". It's anything but blank. Also, the mapping between phone number and IMSI is done in the core network. your sim has nothing to do with that. Within 3GPP networks the operator can change your phone number(s) all day long and nothing on your SIM changes or even knows about it. IMSI also stays the same. final answer.

LaF0rge, 1 year ago

from the network / 3GPP technology point, that SIM is not "inactive". It might be the subscription associated with the IMSI of the card (data stored on HLR/HSS) which is disabled in the core network until you enter the ICCID of the card to some website. That changes nothing on your sim, it just changes some flags in the HLR/HSS database.

LaF0rge, 1 year ago

@mrtoto I have good memories of VIE. Used to be my favourite hop back when I was travelling a lot to Taipei. Used to have direct VIE-TPE flights, and VIE is a very convenient small airport to connect through, no long walks (unlike CDG, FRA, ...)