Cell Phone Tracking And SS7 – Hacking Security Vulnerabilities To Save Lives

Desi: Welcome Forensic Focus listeners, friends and enemies alike. This week we’ve invited Ryan onto our podcast. So Ryan is…I met him at a conference in Brisbane. It was BSides Brisbane. It was his first time attending a conference and also first time presenting. But the topic that he covered was so awesome that I really wanted to get him onto the Forensic Focus Podcast with Si myself to talk through what exactly it is and what he presented on and his findings when he went through it. But welcome Ryan, thanks for joining us this evening and taking out some of your time to talk through what you presented on.

Ryan: Thanks so much for having me guys. It’s really good to be here.

Desi: Sweet. So, I guess we’ll get into some basic definitions of what you spoke about. So the topic of your talk was hacking SS7, I think from memory.

Ryan: Yeah. “Hacking SS7 to Save Lives”.

Desi: Yep. So, interesting title that already gripped me as soon as I saw it in the program, but can you explain in a basic way what SS7 is for all of our listeners that have probably, like myself, never heard of this before?


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Ryan: Okay. So SS7, you can think about it…it was in one of the slides, like BGP is the internet, SS7 is to mobile communications. It’s basically a stack that was created in the 1970s and it’s the backbone of signaling behind telecommunications. It used to be for either PSTN networks, now basically it’s ubiquitous system that sits behind sending of SMS. It is a signaling protocol basically in the background that makes everything go to the places it should go to. Certain parts of it look after your subscriber information, and then when you’re roaming that subscriber information then goes to other vendors, other telecommunication providers to basically know where phone calls and text messages should go.

Desi: Yeah, so…and I think you covered it in the presentation, but it covers specifically the phone calls and SMS. We’re not talking like anything that goes through the digital channels through your data, or anything like that?

Ryan: No, this is all to do with your phone calls and SMS. It’s not…it has very little to do with the data…

Desi: Yeah, okay.

Si: And I’m detecting from the fact that you said this dates back to, I think you said 1980s, I may have been…

Ryan: No, no, 1970s. 1974. It was 1974 and it became a standard in (don’t hold me to this) but 1976. So it’s been around a really long time. Basically the people used to whistle SS7 command!

Si: Oh, so Captain Crunch and 2,400, this is SS7 hacking, yeah?

Ryan: Yeah. This is how long it’s been around for. And this is what I found fascinating about it is a technology that’s been around so long and is so ingrained in the system that it used to basically…it was trust networks. So basically you didn’t have access to the SS7 network, but as demand has dictated like your one-time password services, anyone that has anything to do with SMS has basically access to this SS7 network. And that’s where people like us come in.

Si: So this was a protocol, if it was a trust network, this is a protocol that was designed without security as a fundamental….yeah, zero.

Ryan: It basically worked on the principle that if you had access to this, then you were meant to be there. So, certain controls have been put in place since, but they’re very easy to get around basically. But the title of my talk was a little bit misleading. Though I’ve theoretically dabbled in SS7, playing around with SS7, the bits that I exposed were actually parts of the SS7 network, the HLR and VLR, which is the host location registry and the visitor location registry, are basically it’s data, it’s your personal data that you can’t opt out of that it’s sold by telcos every day.

Si: Right. Okay. That’s reassuring. Good!

Ryan: Yeah. Good, isn’t it?

Desi: So we were talking after the conference, I think I remember about how widespread SS7 was in terms of, is this specific to Australian telcos or is it prevalent all around the world? And it’s like everyone’s built on pretty much the same trust protocol and it’s just spread everywhere.

Ryan: Yeah, it’s ubiquitous globally. Have you heard of the…it kind of comes in waves, it’s popularity ebbs and flows, but have you heard of the anytime interrogation attacks that were coming through? Basically it was anytime interrogation, there was a few other specific ones, but basically when your one time passwords were being stolen from people’s mobile phones so that the text messages were being redirected, that’s an SS7 attack.

Desi: Right, okay.

Ryan: That’s people who are either hacking SS7 network or paying certain providers to basically redirect text messages for them.

Si: I think the first time I came across SS7 was actually abuse by a nation state. I remember Russia doing it for Telegram password resets.

Ryan: Yep.

Si: So that was SS7 as well?

Ryan: That’s SS7, yeah.

Si: Okay.

Ryan: Basically there’s timing involved with those attacks. Those redirections aren’t permanent. Basically it’s about…you basically set up a fake SMSC, you register the phone’s new location as there, your phone basically disconnects from where it is. And so all text messages get sent to the fake SMSC, but once you start operating a phone again, it then flicks back. So, it’s timing and stuff involved in those attacks. So, they’re not simple to pull off, but they’re by no means the hardest ever.

Si: Yeah, the complexity lies in the execution rather than the technology.

Ryan: Correct.

Si: Yeah. Okay.

Desi: So by the sounds of that then, even if you set up a fake one, your phone has some priority over controlling these redirections. So how is that done on a technological level that your phone has? Is that because of the SIM?

Ryan: It’s just through the request. So basically what happens is the attacker will send a…basically change the location of your phone to the fake SMSC and then…but once your phone tries to interact with the network again, it will then reallocate it back to…it’s basically…even though the regions have changed from Russia to Australia, it doesn’t recognize that as something terrible. It is just how the whole roaming network works.

Desi: Yeah, okay. So it’s just last request is “that’s where the phone is, let’s send it there.” Right. Okay. So this was, I guess you gave a bit of context when you did your talk, maybe you could share with how you got to doing this and doing the presentation. What pathway led you to this point to have some knowledge about SS7, which was something that I’d never seen before?

Ryan: Okay. So RF is what blows my skirt up. I love the idea that there’s packets flying through the air that they’re passing through us every day, and the only thing that’s stopping us from basically grabbing them is the technology, the know-how. So I started off…got an SDR, just to RTL-SDR, and started tracking planes and boats and then got a little bit more interested and then wanted to find out about…it was actually through car hacking. I wanted to basically hack the connected cars and read a great blog post by Alyssa Knight about building a rogue base station, which sparked my interest and then upped my ante from RTL-SDR to a HackRF One.

And basically built my first rogue base station, decided to upgrade from the HackRF to a bladeRF x40. And from there started refining my skills in basically setting up rogue GSM base stations and then figuring out how to spoof major telcos, which is easier than it seems. It’s just a few digits. I see you’ve got a question on your lips there, brother.

Si: I do. And without incriminating yourself in any way that can be used in the court of law, how legal is this?

Ryan: Oh, it’s insanely illegal, but it was all done inside a Faraday cage inside a protected area. So, it was…

Si: Of course! That’s the bit I was looking for. Because, I would love, at the end of this, you mentioned a couple of articles and the fact that you’ve built this stuff and I am absolutely fascinated, and I certainly want to read the articles. I’m thinking we should link to these in the show notes and then I’m going, “and how do we do this without enticing a huge amount of people into committing crimes that they shouldn’t be doing?” So…

Ryan: People should inherently be doing the right thing, doing it for curiosity’s sake and figuring out where the holes are.

Si: Yeah, I couldn’t agree more. It is the way…it is the ethos of the hacker in the traditional sense of let’s push technology to the point where it’s starting to bend.

Desi: I think we’d also say that since it’s been around since 1976, responsible disclosure is well past this due date of three months. So I’m sure that telcos are well aware of how vulnerable this protocol is.

Ryan: Well, and see, the thing is that we don’t actually use GSM. Obviously GSM is still available everywhere. A lot of towers don’t actually have this. And this is where the second part kind of came in. I discovered an operating system called DragonOS by…I don’t know if you guys heard this before, it’s the balls when it comes to anything RF. But through that and some of the videos that he’s posted about, it was a tool called SigPoint, which is basically around SS7 hacking, Diameter, 4G, stuff like that. And that’s kind of what got me excited about it when these attacks came out with anytime interrogation and things like that.

Basically I replicated the attacks using…it comes with a demo server so you can actually practice these attacks against…in a benign environment. Yeah. But just how easy these attacks could take place. And then from there my curiosity went even further. So we know how to do these attacks now we need to find a weak in to the SS7 network. And it was through the hunting for the weak ins that I discovered that there’s actually no need to hack the SS7 network for exactly what I wanted to do, which was basically getting location data of mobile phone users because all this stuff can be purchased online for a really, really cheap subscription fee and a simple API call.

Desi: And obviously that purchase of that location data or the API call access that you’re purchasing, that’s obviously through some legal…what is the legal reason for having access to that kind of data?

Ryan: So, what they run with on the sites is for if you’ve got a massive database, it’s for verifying the mobile phone information you have is valid. So I’m actually sure it is probably used with credit card verification stuff to make sure a mobile phone is actually in the location that it’s said that it’s…the request is being made from. We used it the other week to basically prove that this email was phishing a guy. We basically looked up this guy, found out that he was supposed to be meeting with someone in the UK, pinged his phone and his phone was actually pinging back from the US, so we knew that it was a fake email. So this is where this kind of information can be used for OSINT as well, which is pretty fun.

Si: Is there historical data in there? Is it possible to retrieve any sort of historical information about locations, or is it just real time stuff?

Ryan: I’m sure with very limited social engineering, you could persuade someone to get historical data. It depends…actually no, the API call basically pings the network live, so unless that particular number had been pinged before, probably not from these suppliers, but that would be more something you could go through. If you actually had access to the telco’s VLR or HLR data, then yes, you could probably get historical data. But in the context of what I’ve been doing, no, I don’t think historical data would be…

Si: Okay. No, that’s cool.

Ryan: It’s not actually something I’ve looked into. So…

Si: There you go. Next week’s research topic!

Desi: Yeah, in six months we’ll have Ryan back and he’ll be like, “yeah, I’ve got all this historical data now I just found it.” Go on. You go, Si.

Si: The talk you actually gave had a very specific title: to save lives. What was the hypothesis that you are proposing in your talk?

Ryan: Okay, so basically nation states are using this data to track dissidents and journalists, things like that. Law enforcement is using it to track criminals. And I thought about basically during the COVID pandemic, basically my career…I was in the music industry up until COVID, folded. I went through some tough times, ended up having to go to a soup kitchen to get food. I had to choose between rent and eating. So, rent obviously won, but started chatting to a woman who was the manager of one of the largest crisis accommodation places for domestic violence victims.

And through the conversations I had with her, she was talking about the problems they have with basically offenders tracking down victims where they are, things like that. And I promised her that if I ever (well, I promised myself not her), if I ever had a way of paying her back for their generosity in this time, it was obviously pretty rough for me, I would. And it was through the RF thing and then the SS7 and the discovering the VLR, HLR stuff that the penny dropped. And I figured that if this could be used for basically nefarious purposes, why can’t we use it for the reverse? Like, this technology, not even the technology, the data is being sold every day by the telcos to companies for X amount, for whatever purpose. Why not use it for protecting people?

So, I thought about what were the key bits of information I need, which were basically the cell ID and LAC, which is…they’re the core components when you drill right down to it. So you have the cell ID is the cell tower, the mobile phones pinging into, and LAC is a group of mobile towers. So, basically the hypothesis was that if I could get the LAC or cell ID that was nearest to crisis housing and then get an offender’s phone number, if I could basically just do a BUI in, basically compare the two. So if this cell ID and the offender cell ID are the same, then send out a warning to the crisis housing and basically protocols could be put in place, preparations could be made, or that’s not…

Si: Real time alerting for the presence of a device.

Ryan: The system started with LAC because it’s a larger area. So basically if someone’s in the general area, certain level alerting happens, then when they’re detected in the LAC, more API requests are made, the rate goes up and then it drills down into the cell ID once basically they get closer and then emergency protocols could be set in place.

Si: How refined does it get once you get down to cell ID? I mean, I know, again, forgive me because my knowledge of…I don’t do cell site location stuff. I’ve seen people do it, but I don’t do it. But I understand that you can pinpoint someone on the basis of three cell towers and doing standard triangulation stuff. Can you do that in real time with SS7?

Ryan: I personally haven’t done that. That may be possible, but I was trying to be somewhat privacy orientated for both, even for the offender, knowing that they’re in, say, within a radius of 500 meters, that was kind of as far as I wanted to push the privacy envelope because obviously there’s privacy considerations to be thought of, but when this data’s being sold every day to anyone it, it’s kind of a moot point. But yeah, no, I didn’t kind of drill down beyond that. That was as far as I went.

Si: And it certainly, I’ve seen enough domestic abuse cases that is a very realistic and significant threat. So, to the point where you’re writing reports and not naming people in them so that they can’t find out what new locations and things, it’s very, very, very pertinent. So that’s really cool. And where are you in terms of implementing that as actually as a real solution to work?

Ryan: Basically at the moment it’s, I’m trying to organize meetings with the telecommunications ombudsman to make sure that I’m not basically violating anyone’s privacy and things like that. And also going to get some legal advice because the system wouldn’t be available publicly, it would just be for emergency housing providers and it’s about the offender’s phone number. The offender’s phone number would only be through court order. So, basically I know nothing about the legal side of things.

So, basically I’m getting advice on that. The initial solution was basically profiles for the phones to basically lock down all location things. But after speaking to first line responders, getting a woman or man who’s obviously going through trauma, maybe screaming kids, getting them to implement a profile on their phone during an intake is just…wasn’t a viable option. So this method through HLR and VLR just seemed like a win. So, yeah, I’ve just been pursuing that.

Desi: Yeah. It sounds like when you think about it, you’ve dug into it. Obviously not many people probably think about this in the way that you have thought about because of the circumstances that you got into it. But did you find through any of your research anywhere else in the world, people had researched this particular avenue and were implementing it? Is there any countries that are doing it well for either securing SS7 or trying to do with domestic violence what you are doing?

Ryan: Not so much with domestic violence. I did find one previous use case and it was Kevin Mitnick. It’s actually what he used to allude the FBI way back in the day. So I found that pretty interesting. But…

Si: Yeah, no, that is pretty interesting. Okay, fair enough!

Ryan: So it obviously works!

Si: Up to a point.

Ryan: Up to a point. Yeah! Since I’ve had some really interesting conversations at BSides just about just looking at different technologies, because 3G is obviously an antiquated one, even as old as SS7, there’s ways to exploit 4G as well to get location data that might be a little bit more accurate. So at the moment I’m looking into seeing if there’s a gray area where that data can be extracted. But again, what’d be awesome is for a telco just to go “here, hey, have the data for free.” But yeah, when you’re just one guy go, “hey, can I please have all your subscriber data? I promise I’ll use it for good.”

Desi: Yeah, you’ve just got to wait until some random website offers you an API for sale to just query it.

Ryan: The APIs are everywhere, man. And after the one that I was using initially got shut down, just mysteriously just vanished (surprise, surprise), more and more pop up. But yeah, it’s kind of the worst best kept secret, I think. Like I covered in the talk, your wifi data, you can shut that down. Your GPSs, you can shut that down. This is a location method that is intrinsic to how mobile telecommunications work, so you just can’t turn it off if you want your phone to work, it has to be on.

Si: Is that going to change? I mean we’re going from, again, GPRS to 3G to 4G to 5G, to sooner or later, I assume 6G, unless we get creative in naming. Are these protocols going to be rewritten in the way or is it just such a fundamental TCPIP-based thing that if we turn it off the internet goes away? Is it that sort of fundamental?

Ryan: I couldn’t answer that comprehensively. I don’t know enough about the new…I’d like to say that I know enough about the newer protocols, but it’s just such a massive…

Si: Oh yeah.

Ryan: I think it’s so deeply ingrained that it’s an area that’s going to be with us for a long time to come. It’s used everywhere. The amount of information you can get from these requests, is slowly being locked down. Australia is kind of okay with it. Some providers will send spoofed IMSI numbers, which is your international mobile subscriber identifier (I believe is the correct thing), they’ll send fake ones of those, but the most lockdowned I’ve actually found was South Africa. South Africa’s on the ball with it. I don’t know why South Africa is so on the ball with it, but…

Si: Yeah, fascinating. Okay.

Desi: I think just from a lot of South Africa’s economy runs through mobile phones from what I’ve read. So maybe it was driven from that, but it’d be interesting to figure out why they were so on top of it and what the driving factor was.

Si: Yeah, no, you’re right. I mean it’s interesting. I did some work with Oxfam a few (many) years ago now. But yes, African nations are…where we use computers for things, the mobile phone is the ubiquitous device, for doing banking and all of those things. So yeah, perhaps it is a proactive government attempting to protect their economy from going down the tubes.

Ryan: So can I ask a question, Si? So, does SS7 come up much in your forensic work that you do or is it…?

Si: I think the safe answer to that is no. I mean I’ve been aware of it technically in the background for a while, mostly actually from security stuff I’ve done in the past because we were looking…I’ve done some work with government organizations in the UK and when people are starting to put loud articles about “you can no longer sense multifactor authentication over SMS because there are ways that can be compromised”, you’re like, “well, okay, I’m not going to secure this top secret system using that because wouldn’t be a very good idea.”

So, that’s my, sort of, knowledge of it and I kind of understood that it was a bit shit, but that was 15 ago and I’m kind of, like, “surely somebody’s done something to improve it since then!” And the answer appears to be no.

Ryan: Not as far as I can tell, but I’m obviously quite new to exploring this topic. I’m sure there’s much more educated heads out there than I am. But if myself, someone who’s only been in the industry for two, three years can nut this out in a couple of months, then imagine what’s capable from a motivated attacker.

Si : Yeah, yeah, absolutely. And I mean obviously you’ve gone through…you’ve read all of the papers, you’ve read all of the…created your own pay stations (that’s astonishing anyway), but I mean the protocol, is it an open protocol? Is it is (not RFC), but is it an ISO or whatever that you can effectively just read?

Ryan: Yeah, it’s open protocol. You can download it from anywhere you can download…you can basically install your own stack on your machine and basically start sending messages. But whether you have a network to actually send those messages to, how the communications work is a little bit tricky. But yeah, it’s not too hard to nut out.

Si: So your background…you said you came to this pre-pandemic, you’re a musician. Have you gone back to music since?

Ryan: No, I’ll always do music. Always do music.

Si: Yeah. But are you making money from it again or is it…?

Ryan: No, no. It’s just for fun now. Music’s just fun now.

Si: Alright. But were you into the technical aspects of it before? So, amplifiers and sound systems…?

Ryan: So my old man worked in telcos and wrote my first program in BASIC when I was like six. So it was a Mandelbrot set that I copied out of some computer magazine. I got in trouble for the first time. I wasn’t aware of internal billing, but the old man had a second line at home and I’d just discovered dialers. So I was pinging every phone number known to man looking for modems and basically discovered a bullet and board on (this is before the internet days), a BBS on the Gold Coast and after…

Si: Yeah, I’ll explain this to Desi afterwards. He’s too young to understand this. Some of us have been there.

Desi: Excuse me, I remember pre-internet. I am just old enough for that.

Si: What were you, two?

Ryan: Yeah, just discovered a bullet and board and after answering some shady questions about death metal, made it in as a 12 year old and discovered the world of text files and just started diving in. So I’ve always hacked not in…I’ve never hacked with people, I’ve never been…you’re not going to see me with a Guy Fawkes mask, spitting venom at the…

Si: No cult of a dead cow or anything? Yeah, got you.

Ryan: No. Basically bending digital systems to my will of all sorts, whether that’s an amplifier or a site or a piece of hardware, whatever it is, it’s always fascinated me just, okay, well this is this, but can it do this? That blows my skirt up.

Si: Yeah, totally. Totally get that. That’s cool.

Desi: So it sounds like with this SS7 protocol, it’s not going away. Everyone that has a mobile phone, which it would be surprising to find probably a four year old these days without a mobile phone also. Coming to mind straightaway, I think to protect against the one-time password stuff, if there’s not protections in place, what we can do to protect is potentially choose another method, whether that be a secure email or through the code generating applications where you have to enter the code to avoid that network.

But is there anything else from your experience or from you’ve read that can help individuals protect themselves if they…other than potentially maybe just getting a new phone and a new phone number, if they are really concerned that someone is potentially tracking?

Ryan: I guess just awareness. If you’re going for that OTP route, if you request an OTP and it doesn’t come through to your phone, then something’s wrong. And then I don’t know if requesting it again…I haven’t actually looked…in all honesty, I haven’t looked too much into the precautions, like how to prevent it because that hasn’t really been my interest. My interest is being able to execute it. But yeah, choosing another method would be best. I wouldn’t recommend our government agencies using OTP unless there’s other ways that perhaps that it’s making it to the phone through another…yeah…

Si: Yeah, it’s when we started to use data channels to push it rather than pushing it over SS7. It sounds to me that the only way that you can basically avoid this, not the multifactor authentication problem, but the tracking thing is either leave your phone at home, switched off, or carry a Faraday bag with you all the time.

Ryan: Yeah, pretty much. Every time you take it out it’s still going to ping to the closest tower and then that HLR VLR system is going to come into play and your location’s going to be tagged. So yeah, leave the phone at home. If your location is that important to keep it dark, then yeah, I would be leaving the phone at home.

Desi: So in terms…from the attacker, what exactly do they just need the mobile number? Do they need any other piece of information to get location data or is that it?

Ryan: If you have access to one of these APIs, it’s just a MSISDN, which is basically your phone number with the code in front of it.

Si: Again, you’re talking about the protections in South Africa and the protections in Australia. So, my assumption is that provided that I’ve got basically the area code for somewhere in Tokyo…

Ryan: It only works for mobile. There is a version that I can give you information about landlines, but I haven’t played too much with that one.

Si: Wow, okay. So it will actually triangulate a landline as well. Because it’s such a basic protocol.

Ryan: At least what’s on the subscriber information anyway.

Desi: And how interconnected is a subscriber information. So, say if we use Tokyo as an example and we have the country code for a mobile number and I query it via the API system in Australia, will that do essentially a DNS lookup and go to Japan and go give me that subscriber’s info?

Ryan: It will indeed. So here we go. I’ll post it in the chat because it doesn’t matter, this is a burner number anyway. Is there a chat here that I can post into?

Desi: You can, if you want to show something, you probably can share. You can click on the start screen share.

Ryan: Here we go, let’s go. Actually this is going to be clunky. There we go. So I just did a…this is a HLR  lookup on my burner phone and that’s the…so I’ve got the MC…the MCC, which is basically the country, this second number here, the 01 that shows that it’s Telstra. So it shows that my phone’s on Telstra and that costs me 0.005 euros.

Si: 0.005 euros! So nothing?

Ryan: Basically nothing.

Desi: So I guess for the listeners, because this will be on YouTube if you want to have a look, but for the listeners that are just listening, what Ryan just showed us was I assume you made the API call with your burner mobile number, and then it just returned a JSON data blob with just information about what was on the subscriber list.

Ryan: Exactly. So feel free to use that API key that I’ve just posted up there as well. Everyone who wants to pause the video because I think I’ve got a euro left, so go hard!

Si: Well, I’m going to say with a 0.005 of a euro, we could get a fair few queries in by the time…

Ryan: It works across the board. So UK, basically any country.

Desi: That’s amazing.

Si: And it doesn’t require that you’re subscribed to the network in the country, does it? So I’m going to Iceland in a couple of weeks’ time. My phone…I’m not planning on buying an Iceland phone or an Icelandic SIM, but it will pick up my, and it will track my UK number to Iceland.

Ryan: You’ll get added to the VLR, which is the visitor location register, and it will map back to your HLR, which is your subscriber information back on your home network. So, when someone calls you a number, it’s going to ping the HLR: “okay, you’re not in that area.” It’s going to ping out and basically find which VLR you are located at, located and then forward the call or text message to that provider’s network basically. And then it will forward that message or call onto you.

Si: So when you do a query of a number, it goes to the HLR, it does a recursive look up until it finds the phone and then you get sent back the location?

Ryan: Correct.

Si: Okay, cool. Terrifying, but cool.

Desi: Yeah, this is terrifying, just to cover it all, but super interesting.

Si: So I mean obviously right now you’ve got the project, you’re talking to lawyers, you’re talking to regulators and stuff, but what’s on the horizon for you beyond that? Or is that…? I mean I can imagine that that is taking up all of your time already.

Ryan: Actually it’s only taking up…my day job is actually taking up most of my time at the moment. I’ve just got to promote it to soc league, so that’s a…

Si: Congrats!

Ryan: That’s taking up most of my bandwidth at the moment. But basically just exploring more projects around…I really like the offensive use of RF and how that can be incorporated into law enforcement capabilities and things like that. Yeah, just exploring technologies around jamming and at the moment I’m trying to really, I guess, perfect my downgrade attack methodology. Basically for anyone who doesn’t know what that is, it’s when you jam 5G, 4G, they attach to your 3G base station and then you downgrade them to 2G where there’s no encryption and you can just have a field day.

Si: I’m giving up on the phone, I’m not going to carry a phone anymore!

Desi: That’s worrying that your phone even lets you do that, downgrade to 2G.

Ryan: Yeah, I’m sure there’s preventative measures in place, but if that was the case, there’s all sorts of interesting attacks happening around 4G at the moment. So I’m kind of trying to up my game, up my knowledge in that area to see where I can branch out into. But at the moment it is purely just for curiosity’s sake, just because I like to know how things work, man.

Si: So you’re doing all of this on your own, you’re not associated with the university or anything?

Ryan: Oh man, I just dig this.

Si: I have to say, credit for having the absolute balls to rock up to a conference and present on something that you’ve just done in your back garden is…so hang on, that also means you have your own Faraday cage.

Ryan: I did, I don’t in the new house, hence why the experimentation has been a bit lackluster of late. But I do live in the sticks, mate, so there’s not too many people to…

Si: Your nearest cell tower is five miles away, so it’s not such a big deal. Yeah, okay.

Ryan: Actually it’s a little closer than that! But yeah, I just enjoy it. I just think it’s a fascinating…it’s basically it’s this thing that facilitates all this technology we use on the daily and we’re all fascinated with the web and servers and all this stuff, but this technology that actually connects us to this massive source of information, it is not forgotten, but it seems like it’s an area, I don’t know, underexplored, it’s…we can just reach out and grab packets from the air, man. Blow your mind!

Si: Familiarity breeds contempt. We’re so used to it, we cease to consider it as anything other than life. And in the same way as you accept that you breathe in and out and it still works, you accept that your mobile phone just does stuff. I mean, I guess I live in a not particularly rural part of England, and I mean we’re a small country, we should be able to plaster the country with cell coverage. I struggled to get…I’m sitting in my study, I can’t get a mobile phone signal in here, it’s ridiculous. If I actually want to send an SMS, I have to walk out the front door and halfway down the path, which is insane.

But yeah, I get pissed off if my mobile phone doesn’t work. You tend to actually sit there and you’re thinking, “well actually what it’s doing is it’s breaking up a waveform caused by moving air into an electrical signal and then transmitting it fucking halfway around the world when I want to speak to someone and I just take it for granted”, and it’s like, “no, it shouldn’t work.” This really shouldn’t work, and it does occasionally. That’s kind of cool! So yeah, I think…and certainly like you say, it’s a technology that, I mean, based in the 1970s is…also insanely cool. I mean, how good were these guys that they managed to write something that’s still bloody works?

Ryan: It still works across technologies, not just, it worked for landline phones, now it’s working in mobile communications and then from calls through to text. That’s amazing. The forward thinking nature of these guys is just…Bell Labs, mate, Bell Labs have got it going on! Yeah, it probably was a bit fool hardy to present at my first conference ever. But, balls to the wall, we’ve got to dive in.

Desi: Both Si and I have been to a lot of conferences between us and we cover them on the podcast where we have them. And just the enthusiasm that you presented with and the topic that you covered in terms of just it being so novel in the industry and bringing to light something that’s been around for so long, was amazing. And I left that conference and I was putting together a summary and I messaged Si and I was just like, “we need to get Ry onto our podcast because what he spoke about was phenomenal.”

Ryan: I’d love to work with a great guy in the US whose name completely alludes to me right now, but he’s like the SS7 guru. But I would love to work with others who are keen to explore this space. I’m first to admit that I know nothing. It is such a massive…body of work that’s been done and is huge. It would be great to work with others rather than just being a lone wolf, like hacking away in my basement.

Si: I know other people who are interested in certainly in the radio frequency side of things. And yes, I will definitely bear your name in mind and when we’re having a conversation next and share, because you have gotten every bit as far on your own as I’ve seen people with fully equipped labs and financial support get.

Ryan: If anyone wants to throw in some financial support, man, I’m more than happy! I just want to do a plug actually for DragonOs man. DragonOs. Anyone who is interested in RF or anything telecommunication wise, that is the boss, boss hog.

Desi: Yeah, we’ll definitely go through and check all the stuff that we’ve talked about in the links for the show notes, for anyone that is interested to go check out some of this stuff and if you’ve got any other research that you think is good that you’ve come across, Ryan, feel free to send that across to us and we’ll add it into the show notes as well for anyone that’s interested. Yeah, it’s the first time that…

Si: For me if for nobody else.

Desi: Oh yeah. I’m super interested in reading about it as well. Yeah, awesome topic. So I guess before we finish up, we usually like to ask this for people. So you’re pretty busy with your soc league job now and some of your research, but what do you do to unwind other than this stuff? Is there anything that you’ve read or you do to just kind of relax?

Ryan: Yeah, so I’ve always been an…I put out a magazine, man.

Desi: Oh, yeah, that’s right! Totally forgot. I was just like, he’s so busy, surely he’s not making a magazine.

Ryan: I put out a magazine called Hack and basically it’s a celebration of digital counterculture. We do all sorts of shit, man. We’ve spoken to a guy that was, who worked in Israeli intelligence. We’ve speak to a dude who’s basically a hardcore hacktivist who shuts down Russian power stations. We talk to everyone. It’s like a voice for everyone, man. It’s just the goal of it, I guess is just to break down that whole gatekeeper thing. If everyone’s aware of what’s possible, then you can protect against it better and it’s just fun as hell to put it out, man.

Si: I have to say, I find that you are the best embodiment of the actual hacker mentality that I remember coming into when I started of the 2600 Magazine of the “let’s share, let’s talk, let’s go off and do stuff,” perhaps slightly on the fringes of legality…at that time, not now, you’re totally legal now. So am I! So, I think it’s wonderful to see it again and if we can bring that mentality back a bit instead of the absolute corporate culture that seems to pervade security at the moment, I’d be in a very happy place, I must admit, so thank you.

Ryan: For me it’s always been curiosity, man, money doesn’t really blow my skirt up. I just like knowing and sharing and seeing that look on people’s faces when you tell them something and all that one piece of information that is missing from their puzzle. And then you share something and that’s that penny drop moment and their eyes light up and it’s like, “ah, f*ck!”

Si: Yeah, brilliant.

Desi: That’s really cool. Alright, did we have anything else we want to cover? Otherwise we can fold here.

Si: Thank you very much for listening. We will put all notes. There will also be a transcript in the page on the website, and there will be at least a small section of screen sharing to view if you watch it on YouTube, because that was enlightening. Thank you very much for listening and we will catch up with you all later.

Desi: Thanks everyone.

Ryan: Thank you.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles