Movie clips that reveal phone surveillance

live now:

Of all things, the previously almost trivial recording of telephone calls is becoming a problem in 5G networks that becomes apparent when roaming. The reason for this is a simplified roaming procedure that is already being used by telecoms in LTE networks.

From Erich Moechel

The further the standardization of monitoring progresses in the coming 5G networks, the clearer the expected technical problems become. The special meeting of the surveillance force 3GPP SA3LI in the first week of September was therefore entirely devoted to error corrections and the prevention of protocol collisions, especially when roaming.

A large part of the technical documents presented there therefore deal with the various possible roaming scenarios. The most complex problem turns out to be the previously trivial monitoring of telephone calls while roaming. Since the introduction of LTE broadband, most telecommunications companies have been using a simplified roaming procedure, which only reveals its pitfalls for law enforcement officers with the introduction of 5G.

Public domain

At the bottom left in the graphic of the industry association GSMA you can see that "Voice over LTE" (VoLTE) is already widespread worldwide. All operators worldwide will then implement Vo5G in the 5G networks.

Routing in the guest network

In order to be able to monitor 5G networks, these networks must have an interface for monitoring in each individual segment of the 5G cloud. These interfaces are currently being standardized in the European Telecom Standards Institute.

The problems result from the simplified roaming method S8HR, which is preferred by the telecoms. S8HR for VoLTE was far easier to implement in the existing LTE networks than the LBO ("Local Breakout") method favored by the GSMA. The main difference is that with LBO, extensive interoperability tests have to be carried out with each individual roaming network. In this case, the entire routing of voice and video data packets is handled by the roaming network, with all the imponderables that arise from different network configurations and specified parameters for the respective smartphone. Since the routing of the roaming smartphone is taken over by the guest network, all identifiers - the most important of which is the so-called IMSI - can be accessed relatively easily.


This graphic from the company Metaswitch - which has nothing to do with 5G monitoring itself - shows the two network functions that are crucial for successfully monitoring a roaming smartphone. The “Session Management Function” (SMF, marked in red) must permanently monitor the “User Plane Function” (UPF, blue) in order to identify the protocols for establishing a telephone call in this data stream and to check whether the relevant data stream is being used Smartphone is on the list of devices to be monitored.

S8HR, routing from home

The secret list of all police-monitored numbers of a provider must be available in duplicate at all tapping points of the 5G network. The prosecutors have a problem with that.

With the S8HR method ("S8 Home Routing"), the routing is not handled in the guest network but in the home network of the smartphone in question. The S8HR method can be implemented quickly and appropriately for all possible roaming networks. A third-party smartphone can then no longer be operated by at least two “services” in the roaming network. This involves “lawful interception”, the court-ordered interception of telephone calls - which is technically also a service of the network operator - as well as the automatic emergency call function including the transmission of geodata. And here there are problems with S8HR.

The routing commands for these data packets do not come in via the network operator's so-called "control plane", in which the metadata, control commands, IMSI identifiers, etc. are transported in the cellular networks, but rather via the so-called "IP multimedia subsystem". To put it in a somewhat simplified way, this means the entire TCP / IP traffic and, since “Voice Over LTE”, all telephone calls including the dialing process have been running through it. However, only temporary identifiers (XIDs) are used on the “User Plane”, which means that there must be another function for comparing the temporary identifier with the actual identifier. This is usually the "International Mobile Subscriber Identification" (IMSI) or the hardware identifier of the smartphone (IMEI). Only with this globally unique identifier can law enforcement officers clearly identify the target smartphone.

Public domain

This entry by the British secret service GHCQ in the standardization committee for surveillance 3GPP SA3LI shows the problems that arise in roaming practice when the routing is taken care of by the home network. If any TCP / IP session is opened by the smartphone, a temporary identification number (XID) is created for this smartphone according to the specifications of the European Telecom Standards Institute (ETSI). If the smartphone has a second or more TCP / IP connection open in addition to a phone call - for example to WhatsApp or other chat services - the same XID would have to be assigned again. However, this is expressly forbidden by the 5G standards because it would collide with the higher-level 5G protocols and result in an error message. All documents from the 3GPP SA3LI meeting in early September

"Deep Packet Inspection" in permanence

Most recently, the FBI had massively intervened in the 5G surveillance standards. Together with European law enforcement officers and secret services, attempts are now being made to force the telecoms to rebuild the 5G security architecture in line with the surveillance requirements of the authorities.

In order to even notice the establishment of a phone call, the operator of such a network has to provide complex filter mechanisms over the entire data traffic in the network in order to identify VoIP calls based on the protocols used (SIP, SDP, RTP / RTCP). The data packets of the phone calls are in the same data stream as YouTube videos, online gaming, WhatsApp chats or e-mails. The entire data traffic of all customers must therefore be continuously analyzed in order to identify every roaming phone call of a smartphone to be monitored when the call is set up and to copy the conversation content for monitoring purposes.

The mechanisms for monitoring, however, are located on a network level below and can only take action when they are informed by the “packet inspector”. A further “point of intercept” is therefore necessary around the parcel inspection, namely exactly between the “control plane” of the network operator and the “user plane” (see graphic above). This is the only point in the topology of a 5G network at which VoLTE / Vo5G calls can be recorded while roaming. Much to the displeasure of the criminal prosecutors, the list of all connections to be monitored in the relevant network must therefore also be available in full at this point.

Public domain

This proposal from the same GCHQ document is unlikely to please the telecoms. The user identification number has to be given additional parameters, "which some people might find distasteful," as the GCHQ puts it. This refers to the telecoms, because such an inflated identifier of every roaming smartphone requires significantly more computing power in the 5G network.

Pre-programmed latencies

As can also be seen from the documents presented at the SA3LI meeting, preparations are already being made for the scenarios resulting from the routing / roaming problem. Since home network-based routing will also dominate roaming in the 5G networks for at least the next few years, it is foreseeable that the prosecutors will have to revise their demand on the telecommunications company to record all metadata and all telephone calls of a monitored connection in full. In practice, it is to be expected with some probability that the routing data required for monitoring is only available in full when the telephone call has already started. How high these latencies will be is currently still completely uncertain.