SIM Tunneling: Achieving High-Speed Travel and Web Traffic Classification

📡 The talk is about decoupling the SIM card from the mobile phone or modem to perform various measurements.

🌐 Roaming in cellular networks can be complex and interesting due to the differences in configurations, hardware, and software between home and visiting networks.

💰 International travel and testing in different networks can be expensive and tedious.

🌐 MobileAtlas decouples SIM cards from modems and enables global connectivity.

⚙️ Goals of the project include scalability, automatability, and controlling background noise.

🔒 Challenges faced include adapting the SIM interface and protocol for global usage.

🔧 The use of SIM tunneling and Schottky diodes simplifies the negotiation of speeds and voltages between the SIM provider and the modem.

🔄 Linux network spaces and binary encoding are used to control background traffic and ensure accurate measurements of data counting.

📲 Bluetooth rSAP protocol allows for the connection and sharing of SIM cards between an Android phone and the system.

🌐 SIM tunneling provides an opportunity for carriers to verify services and improve configurations for Voice over LTE roaming.

🔑 SIM cards can update or change their unique identifier (IMSI) over the air for roaming purposes.

⚙️ USB devices have a practical limit of around 20-30 devices due to hardware and driver limitations.

📍 The system has been deployed to 10 European countries and North America, with some limitations in Canada.

🔬 The use of modems instead of software-defined radios is due to regulatory challenges and safety concerns.

💡 The platform allows for internet-related measurements, including billing and abuse of zero-rating offers.

🔍 Different metrics are used for traffic classification, including UDP port, IP address, and deep packet inspection.

📊 The study focused on deep packet inspection and analyzed zero-rating applications like WhatsApp, Snapchat, and Facebook Messenger.

🧪 Experiments were conducted to verify web endpoints' zero-rating, detect IP-based and hostname-based classification methods.

🔒 Operators use both IP-based and hostname-based classification for zero-rating traffic.

⚙️ Attackers can exploit hostname-based classification by faking host data and spoofing SNI in TLS connections.

🔍 Location tracking can be done through ringback tones issued by terminating operators, allowing differentiation between operators.

🌍 By analyzing the amplitude and frequency of calls, it is possible to determine the operator and country of the callee.

📱 SIM cards can send covert binary SMS messages without the user's knowledge, containing information about the user equipment.

🔒 Roaming is an interesting case where two operators cooperate, and there are ways to exploit it for hiding traffic and locating subscribers.