PORTUGUESE MOBILE ANTENNAS NETWORK LOCATION VODAFONE

VODAFONE:

Fusao	CODIGO ANTENAS	LATITUDE	LONGITUDE	AZIMUTH	ENDEREÇO	Codigo Postal	CONSELHO	CIDADE	DISTRITO	DISTRICT

38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62607	38.764441	-9.123426	350	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62608	38.764441	-9.123426	100	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62609	38.764441	-9.123426	240	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62604	38.764441	-9.123426	350	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62606	38.764441	-9.123426	240	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,764441 -9,123426 Rua Cidade de João Belo LT 75 Santa Maria dos Olivais	268-01-5-62605	38.764441	-9.123426	100	Rua Cidade de João Belo LT 75	1800087	Lisboa	Santa Maria dos Olivais	Lisboa	Lisboa
38,949368999 -9,009868 Casal da Mata 38 Vila Franca de Xira	268-01-9-36386	38.949368999	-9.009868	340	Casal da Mata 38	2600044	Casal da Mata	Vila Franca de Xira	Vila Franca de Xira	Lisboa
38,949368999 -9,009868 Casal da Mata 38 Vila Franca de Xira	268-01-9-36384	38.949368999	-9.009868	40	Casal da Mata 38	2600044	Casal da Mata	Vila Franca de Xira	Vila Franca de Xira	Lisboa
41,40223 -8,772456 Avenida Nossa Senhora Neves Bloco 3 A Ver-o-Mar	268-01-13-35776	41.40223	-8.772456	270	Avenida Nossa Senhora Neves Bloco 3	4490011	Póvoa de Varzim	A Ver-o-Mar	Póvoa de Varzim	Porto
41,40223 -8,772456 Avenida Nossa Senhora Neves Bloco 3 A Ver-o-Mar	268-01-13-35775	41.40223	-8.772456	150	Avenida Nossa Senhora Neves Bloco 3	4490011	Póvoa de Varzim	A Ver-o-Mar	Póvoa de Varzim	Porto
41,40223 -8,772456 Avenida Nossa Senhora Neves Bloco 3 A Ver-o-Mar	268-01-13-35774	41.40223	-8.772456	30	Avenida Nossa Senhora Neves Bloco 3	4490011	Póvoa de Varzim	A Ver-o-Mar	Póvoa de Varzim	Porto
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-18-27471	40.23792	-8.48802	15	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-18-46484	40.23792	-8.48802	15	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-18-27473	40.23792	-8.48802	270	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-18-46486	40.23792	-8.48802	270	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-1004-1087	40.23792	-8.48802	0	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,23792 -8,48802 Geria Oeste - Junto à A1 Antuzede	268-01-18-46485	40.23792	-8.48802	180	Geria Oeste - Junto à A1	3000	Coimbra	Antuzede	Coimbra	Coimbra
40,51111 -8,53583 Lugar de Cabeção, denominado Vale da Cerva Oliveira do Bairro	268-01-51-49781	40.51111	-8.53583	320	Lugar de Cabeção, denominado Vale da Cerva	3770	Oliveira do Bairro	Oliveira do Bairro	Oliveira do Bairro	Aveiro
40,51111 -8,53583 Lugar de Cabeção, denominado Vale da Cerva Oliveira do Bairro	268-01-51-49782	40.51111	-8.53583	160	Lugar de Cabeção, denominado Vale da Cerva	3770	Oliveira do Bairro	Oliveira do Bairro	Oliveira do Bairro	Aveiro
40,51111 -8,53583 Lugar de Cabeção, denominado Vale da Cerva Oliveira do Bairro	268-01-51-49783	40.51111	-8.53583	240	Lugar de Cabeção, denominado Vale da Cerva	3770	Oliveira do Bairro	Oliveira do Bairro	Oliveira do Bairro	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-12954	40.68653	-8.51913	350	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-49771	40.68653	-8.51913	350	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-12955	40.68653	-8.51913	80	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-49773	40.68653	-8.51913	200	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-12956	40.68653	-8.51913	200	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,68653 -8,51913 Lugar de Sobreiro Albergaria-a-Velha	268-01-51-49772	40.68653	-8.51913	80	Lugar de Sobreiro	3850	Albergaria-a-Velha	Albergaria-a-Velha	Albergaria-a-Velha	Aveiro
40,71772 -8,52131 Rua Barroca Canelas	268-01-51-49763	40.71772	-8.52131	270	Rua Barroca	3865002	Canelas	Canelas	Estarreja	Aveiro
40,71772 -8,52131 Rua Barroca Canelas	268-01-51-49761	40.71772	-8.52131	0	Rua Barroca	3865002	Canelas	Canelas	Estarreja	Aveiro
40,71772 -8,52131 Rua Barroca Canelas	268-01-51-49762	40.71772	-8.52131	180	Rua Barroca	3865002	Canelas	Canelas	Estarreja	Aveiro
41,113017 -8,62498 Travessa Telheira Vilar do Paraíso	268-01-14-2944	41.113017	-8.62498	0	Travessa Telheira	4405908	Vila Nova de Gaia	Vilar do Paraíso	Vila Nova de Gaia	Porto
41,113017 -8,62498 Travessa Telheira Vilar do Paraíso	268-01-14-2946	41.113017	-8.62498	240	Travessa Telheira	4405908	Vila Nova de Gaia	Vilar do Paraíso	Vila Nova de Gaia	Porto
41,113017 -8,62498 Travessa Telheira Vilar do Paraíso	268-01-14-2945	41.113017	-8.62498	120	Travessa Telheira	4405908	Vila Nova de Gaia	Vilar do Paraíso	Vila Nova de Gaia	Porto
41,47943 -8,40584 Portela de Baixo ou Almorro, S. Martinho de Leitõe Morreira	268-01-26-49271	41.47943	-8.40584	330	Portela de Baixo ou Almorro, S. Martinho de Leitõe	4705735	Guimarães	Morreira	Braga	Braga
41,47943 -8,40584 Portela de Baixo ou Almorro, S. Martinho de Leitõe Morreira	268-01-26-49272	41.47943	-8.40584	90	Portela de Baixo ou Almorro, S. Martinho de Leitõe	4705735	Guimarães	Morreira	Braga	Braga
41,46667 -8,3903 Monte de Ventosas, S. Martinho de Leitões São Vicente de Oleiros	268-01-26-49282	41.46667	-8.3903	60	Monte de Ventosas, S. Martinho de Leitões	4805636	Guimarães	São Vicente de Oleiros	Guimarães	Braga
41,46667 -8,3903 Monte de Ventosas, S. Martinho de Leitões São Vicente de Oleiros	268-01-26-49281	41.46667	-8.3903	330	Monte de Ventosas, S. Martinho de Leitões	4805636	Guimarães	São Vicente de Oleiros	Guimarães	Braga
41,46667 -8,3903 Monte de Ventosas, S. Martinho de Leitões São Vicente de Oleiros	268-01-26-49283	41.46667	-8.3903	210	Monte de Ventosas, S. Martinho de Leitões	4805636	Guimarães	São Vicente de Oleiros	Guimarães	Braga
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-32145	41.20897	-8.69112	180	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33715	41.20897	-8.69112	180	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-32146	41.20897	-8.69112	300	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-47561	41.20897	-8.69112	60	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-32144	41.20897	-8.69112	60	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33714	41.20897	-8.69112	60	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33718	41.20897	-8.69112	180	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33716	41.20897	-8.69112	300	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33719	41.20897	-8.69112	300	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-47562	41.20897	-8.69112	180	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-47563	41.20897	-8.69112	300	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,20897 -8,69112 Rua Maia Pinto S/N Leça da Palmeira	268-01-16-33717	41.20897	-8.69112	60	Rua Maia Pinto S/N	4450720	Matosinhos	Leça da Palmeira	Matosinhos	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2965	41.28205	-8.701	90	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-50314	41.28205	-8.701	330	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-16-60302	41.28205	-8.701	90	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-16-60303	41.28205	-8.701	210	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2968	41.28205	-8.701	90	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-50315	41.28205	-8.701	90	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-16-60301	41.28205	-8.701	330	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-50316	41.28205	-8.701	210	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2967	41.28205	-8.701	330	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2969	41.28205	-8.701	210	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2966	41.28205	-8.701	210	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,28205 -8,701 Rua Labruge s/n Labruge	268-01-21-2964	41.28205	-8.701	330	Rua Labruge s/n	4485317	Labruge	Labruge	Vila do Conde	Porto
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-1012-1095	41.407126	-8.262141	0	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-15104	41.407126	-8.262141	110	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-15106	41.407126	-8.262141	270	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-15105	41.407126	-8.262141	190	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-53142	41.407126	-8.262141	190	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-53143	41.407126	-8.262141	270	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,407126 -8,262141 Rua Devesa Escura de Cima São Tomé Abação	268-01-21-53141	41.407126	-8.262141	110	Rua Devesa Escura de Cima	4810998	Abação de São Tomé	São Tomé Abação	Guimarães	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-12605	41.52879	-8.75042	90	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-12606	41.52879	-8.75042	210	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-13903	41.52879	-8.75042	210	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-12604	41.52879	-8.75042	330	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-13902	41.52879	-8.75042	90	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
41,52879 -8,75042 Rua Lugar das Teixeiras, Palmeira de Faro Gandra	268-01-13-13901	41.52879	-8.75042	330	Rua Lugar das Teixeiras, Palmeira de Faro	4740476	Esposende	Gandra	Esposende	Braga
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-20313	38.774604	-9.303299	240	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-12614	38.774604	-9.303299	340	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-12615	38.774604	-9.303299	120	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-20311	38.774604	-9.303299	340	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-20312	38.774604	-9.303299	120	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
38,774604 -9,303299 Avenida Cidade de Londres 7 TERRAÇO Agualva	268-01-7-12616	38.774604	-9.303299	240	Avenida Cidade de Londres 7 TERRAÇO	2735457	Agualva-Cacém	Agualva	Sintra	Lisboa
39,86928 -8,52633 Carrapia - Abiúl Abiul	268-01-43-17541	39.86928	-8.52633	0	Carrapia - Abiúl	3100026	Carrapia	Abiul	Pombal	Leiria
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-8844	39.41451	-8.77928	70	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-38493	39.41451	-8.77928	350	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-38491	39.41451	-8.77928	70	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-8846	39.41451	-8.77928	270	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-8845	39.41451	-8.77928	160	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
39,41451 -8,77928 Cabeço de Abrã Abrã	268-01-332-38492	39.41451	-8.77928	160	Cabeço de Abrã	2025011	Abrã	Abrã	Santarém	Santarém
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-14	41.15601	-8.22258	60	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-1070-3058	41.15601	-8.22258	0	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-234	41.15601	-8.22258	300	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-34811	41.15601	-8.22258	0	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-15	41.15601	-8.22258	180	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-17	41.15601	-8.22258	60	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-18	41.15601	-8.22258	180	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
41,15601 -8,22258 Lugar da Igreja Abragão	268-01-20-16	41.15601	-8.22258	300	Lugar da Igreja	4560	Penafiel	Abragão	Penafiel	Porto
39,4658 -8,2006 Largo Santana São Vicente	268-01-10-5151	39.4658	-8.2006	0	Largo Santana	2200348	Abrantes	São Vicente	Abrantes	Santarém
39,4658 -8,2006 Largo Santana São Vicente	268-01-33-5525	39.4658	-8.2006	120	Largo Santana	2200348	Abrantes	São Vicente	Abrantes	Santarém
39,4658 -8,2006 Largo Santana São Vicente	268-01-10-18092	39.4658	-8.2006	120	Largo Santana	2200348	Abrantes	São Vicente	Abrantes	Santarém
39,4658 -8,2006 Largo Santana São Vicente	268-01-10-18091	39.4658	-8.2006	0	Largo Santana	2200348	Abrantes	São Vicente	Abrantes	Santarém
39,4658 -8,2006 Largo Santana São Vicente	268-01-10-18093	39.4658	-8.2006	240	Largo Santana	2200348	Abrantes	São Vicente	Abrantes	Santarém

"It is very likely that a large (15-20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter "high technology". Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected."

   IED recognition guide.pdf by Elsa Cristina David

If you want to go serious on decrypt Subject Key Identifier (SKI) from a X509 certificate, meaning cloning ID EU cards and passaports...take a close and very careful reading:

How to validate the Subject Key Identifier (SKI) from a X509 certificate

Some days ago I received an odd complain that some of the Root CAs we use had the wrong Subject Key Identifier (SKI). I knew that the claim was false but I also knew that I'll have to prove it. The guy did dig on our own specifications and calculated the SKI as we required, the hash of the certificate public key but unfortunately the identifiers did not match.

In order to reproduce the problem I extracted the public key of the Root CA, converted to DER, hashed it with SHA1 and verified that indeed the hash did not match. Let’s do a demonstration of what I did with a public available Root CA:

openssl x509 -in GSRootCA-2014.cer -inform DER -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 02:00:00:00:00:00:d6:78:b7:94:05 Signature Algorithm: md5WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Validity Not Before: Sep 1 12:00:00 1998 GMT Not After : Jan 28 12:00:00 2014 GMT Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: 83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0: 63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89: 8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c: 70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50: 15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0: 6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2: 89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7: 54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c: 92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2: 75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9: c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b: bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91: ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51: 63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa: 48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a: 07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93: 90:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: md5WithRSAEncryption ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f: 6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98: 7d:0a:bb:e5:b0:9d:3d:36:db:8f:05:51:ff:09:31:2a:1f:dd: 89:77:9e:0f:2e:6c:95:04:ed:86:cb:b4:00:3f:84:02:4d:80: 6a:2a:2d:78:0b:ae:6f:2b:a2:83:44:83:1f:cd:50:82:4c:24: af:bd:f7:a5:b4:c8:5a:0f:f4:e7:47:5e:49:8e:37:96:fe:9a: 88:05:3a:d9:c0:db:29:87:e6:19:96:47:a7:3a:a6:8c:8b:3c: 77:fe:46:63:a7:53:da:21:d1:ac:7e:49:a2:4b:e6:c3:67:59: 2f:b3:8a:0e:bb:2c:bd:a9:aa:42:7c:35:c1:d8:7f:d5:a7:31: 3a:4e:63:43:39:af:08:b0:61:34:8c:d3:98:a9:43:34:f6:0f: 87:29:3b:9d:c2:56:58:98:77:c3:f7:1b:ac:f6:9d:f8:3e:aa: a7:54:45:f0:f5:f9:d5:31:65:fe:6b:58:9c:71:b3:1e:d7:52: ea:32:17:fc:40:60:1d:c9:79:24:b2:f6:6c:fd:a8:66:0e:82: dd:98:cb:da:c2:44:4f:2e:a0:7b:f2:f7:6b:2c:76:11:84:46: 8a:78:a3:e3

Now let's calculate the SHA1 of the public key:

openssl x509 -in GSRootCA-2014.cer -inform DER -pubkey -noout| openssl rsa -pubin -outform DER| openssl dgst -c -sha1 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75

As reported, both hashes did not match!
At this point I was a bit confused and decided to read some documentation before moving forward. After some reading I found the answer in the 4.2.1.2 section of the the RFC3280 “Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile ” (http://www.ietf.org/rfc/rfc3280.txt)

4.2.1.2 Subject Key Identifier The subject key identifier extension provides a means of identifying certificates that contain a particular public key. To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (section 4.2.1.10) where the value of cA is TRUE. The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension (section 4.2.1.1) of certificates issued by the subject of this certificate. For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are: (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). (2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bit string bits).

In our case we use method 1) for the SKI but in my calculations I was taking into consideration the whole public key, including tag, length, etc, while I should have used the key bits only.
With the following command I was able to locate the “BIT STRING” with the naked key:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse 0:d=0 hl=4 l= 290 cons: SEQUENCE 4:d=1 hl=2 l= 13 cons: SEQUENCE 6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption 17:d=2 hl=2 l= 0 prim: NULL 19:d=1 hl=4 l= 271 prim: BIT STRING

And I only need to extract it and put it on a file in DER format:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse -strparse 19 -out pub.der 0:d=0 hl=4 l= 266 cons: SEQUENCE 4:d=1 hl=4 l= 257 prim: INTEGER :DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B995110... DDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD4... 73F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5... 6D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F... 2608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F... 265:d=1 hl=2 l= 3 prim: INTEGER :010001

The remaining part was to calculate the SHA1 hash which was the same as the SKI:

openssl dgst -c -sha1 pub.der SHA1(pub.der)= 60:7b:66:1a:45:0d:97:ca:89:50:2f:7d:04:cd:34:a8:ff:fc:fd:4b

The same method was used to verify the SKI of a Root CA using SHA256 as a hashing algorithm.

 http://certificateerror.blogspot.pt/2011/02/how-to-validate-subject-key-identifier.html

In the Cold War period of the 1950s, the CIA installed Radio Free Europe[21] in Glória do Ribatejo, Portugal, and on June 7, 1956, officially formalized the relation by inviting the new PIDE’s director, António Neves Graça, to visit CIA headquarters.[22] Here are two brief examples from a top-secret document with ten articles and several sections and clauses, entitled “Proposed Agreement Between the Policia International e de Defesa do Estado (PIDE) and the Central Intelligence Agency (CIA)”

...

In 1957 one of the prisoners, Humberto de Lima Morais, stated in his affidavit that after being subjected to the statue torture for several days, he had begun to hear a familiar voice at night. Listening more closely, he had been able to discern the words of a dialogue, in which one voice was clearly his mother’s. She was saying: “‘I am alone and I have no one else, please.’ And the deep male voice of an agent, he thought, had replied, ‘It is only for a day or two, madam.’”[19] However, he could be inclined to admit that it may have been a hallucination, due to his weak physical state. The power of memory on our deepest perceptions and desires is paramount, so that each memory of a voice or other sound is always mediated, deferred and transformed, to a point that “we no longer know what we heard and what we think we’d heard.”[20] Nevertheless, based on similar cases and statements, such apparent hallucinations were actually the result of the use of manipulated sound materials, assembled to produce a state of emotional and psychological confusion through indirect listening, characteristic of acousmatic violence, with the aim of breaking and invading the prisoner’s subjectivity and morale.  

 http://quod.lib.umich.edu/m/mp/9460447.0009.101/--acousmatic-and-acoustic-violence-and-torture-in-the-estado?rgn=main;view=fulltext

Psyops targeting Libya on 6877 kHz

What is Number26?

Number26 is a mobile first bank account interface for their own bank account (the actual bank license is provided by Wirecard Bank), which provides a full featured SEPA bank account and a couple of payment cards.
This bank account uses a rather new method to verify that the initiated SEPA transactions were made by the correct owner of the bank account. To do so, the user first has to link their smartphone with the bank account, using information only known to the account holder. Once this initial pairing is done and a payment via the desktop browser is made, a push notification is sent to the mobile phone and the app is asking for confirmation showing this dialog:
Once the user taps on “Release” (“Freigeben” in the German version), the transfer will be approved. The technical details of how that is done are not publicly disclosed by the time of this writing, but my best guess is that something is being cryptographically signed and sent back to the server.
For those not familiar with SEPA transfers I’ll quickly explain the information you have to provide to initiate a money transfer:

• The recipient’s name (just for reference. Validity is never verified)
• The recipient’s IBAN (International Bank Account Number) and BIC (Bank Identifier Code).
• The amount to be transfered
• A payment reference / subject
• The transfer release pin (which is set once by the user when the bank account was set up)

Where is the problem?

The theory

Look at the information you have to provide to initiate a bank transfer and then look at the screenshot above. Usually, common banks™ use SMS to send a TAN (Transaction Number) to the owner of the bank account, stating at least the amount and some sort of recipient info (usually the IBAN) and ask the user to enter the TAN into the desktop browser to finally release the transaction.
This process has been streamlined with Number26. Instead of entering a TAN into the website received by the phone, the user has to release the transaction directly from the app, which opens once you tap on the notification you’ll receive. The app then shows the name of the recipient and the amount as shown in screenshot above. Once released the money is on it’s way to the recipient.
Stop right here… Let it sink in for a second…
So we just learned that common banks™ have their user verify their transactions. This is done by the user comparing the recipient’s info from the SMS with the info they have in their record, such as an invoice. However, with Number26, this verification is completely impossible as the recipient’s IBAN is never shown to the user once he initiates the transfer.

The attack

The attack on the desktop computer is rather simple. An attacker would install a malicious browser plugin or execute a man-in-the-middle attack exploiting computers with pre-installed insecure Certificate Authorities (see SuperFish on IBM or DELL). The attacking proxy or addon then waits for the user to initiate a bank transfer. It then secretly alters the IBAN and BIC in the background when sending the transaction request via the desktop site https://my.number26.de. Since the app does not show the modified IBAN (because it shows no IBAN at all), the user is in best belief that this transaction is legit and taps on release. In a sophisticated attack, the transaction history on the desktop would also be tampered with so the attack might go unnoticed for days.

The temporary workaround

Luckily I was able to keep using my bank account without being vulnerable to this attack. As a workaround, the user would have to create a standing order which executes the payment in the future (Terminüberweisung). After releasing the transaction it is reviewable in the standing order section in their app.

The Fix

After the update distributed on January 5th 2016, transactions have to be released with this new dialog:
The user finally has the possibility to verify the transaction on a separate channel, thus preventing malicious software on their desktop to secretly alter transaction data. An attack to SEPA payment verification now has to be much more sophisticated, i.e. by adding a rootkit to the potential victim’s cellphone.

Conclusion and personal note

What a clusterfail. It gets worse once you read Number26’s security information page. My favourite gem is this:

Partial screenshot of https://number26.eu/security/ taken on 2016-02-05 This states that TAN via SMS should be avoided for mobile banking because the text messages are sent to the same device that is being used for online banking. Number26, do you know that your method of payment release of mobile initiated transactions is just as bad as mTAN? This is the reason why from a security perspective you have to initiate transfers from your dektop instead of from the linked phone exposing you to the vulnerability that I just explained in length.
Fancy new user experience and a high security datacenter will never be able to protect the user if the design is flawed. Flawed? Broken beyond repair!

Communication with Number26

The support chat (a.k.a the bottomless pit)

Communication was always quite one-sided. I reported the issue to multiple support agentsover the course of six months, but all I ever heard was, “I am giving that to the developers”. I never heard back. So I upped the ante and told them that I am going to disclose my findings, when suddenly one support agent asked me to send a mail with the details to them, they will forward this mail to the developers. Success!
For full transparency, this is the email I sent to the developers – as always with no reply coming back. It just went into a black hole. But this time, an update to the app came back. Hooray!

My Mail to the developers

Dear Developers, Dear Product Owner,
after studying your mobile app and transaction release mechanism for a while, I have found a severe design flaw which lead to me coming up with a proof of concept how to unknowingly redirect transactions to unwanted destinations with little to no effort.
I am a big advocate for using responsible disclosure, as putting your customers at risk is neither in my, nor in your interest. However, this design flaw is so apparent, that I am baffled that it is not being actively abused yet.
I will outline the problem for you, so you can take appropriate action to prevent abuse of this flaw after the full release of my findings on Feb-22 2016. I feel it is my responsibility to inform the public about the risks involved and how to minimize them. Should you feel that nothing has to be changed, I’ll be happy to get a mail from you stating so, so I can release my findings earlier.
Here are the details:
When creating a bank transfer via the desktop website on https://my.number26.de, you are asked to enter
* The recipient’s name
* The recipient’s IBAN and BIC
* The amount to be transfered
* A payment reference / subject
* The transfer release pin
In the next step, a push notification is sent to the owner’s smartphone. In my case, it is an android phone. The user is asked to either approve or delete the request. The information provided for this decision is:
* The recipient’s name
* The amount to be transfered
And here lies the severe design flaw. The user does not see the actual IBAN/BIC that has been sent to the server.
In my proof of concept, a browser plugin (which malicious software could install) can secretly alter the recipient’s IBAN and BIC in the HTTPS request so the money gets sent to the bank account of the “evil hacker”. When releasing the transaction on the Android phone, the user has no chance to see that the transaction has been tampered with. Other banks using mTAN verification methods include the recipient’s IBAN and BIC as this information is more crucial than the recipient’s name. They also state in their mTAN terms, that the IBAN in the SMS has to be checked against the IBAN from the invoice document.
Multiple test transfers have shown that with a completely wrong recipient’s name, transfers are still successful. Further, another point of intrusion could be a transparent proxy inbetween. Sure, there is SSL and certificates, but we are seeing manufacturers adding weird CAs to their computers (see superfish), so some computers might be vulnerable to this kind of attack.
I have reported this issue as a regular chat via the customer support half a year ago. Nothing happened since, so I am taking this to the next level. In my full disclosure on Feb-22 2016, I will advise your customers to only create one time standing orders for a date in the future (i.e. tomorrow), so the content of the transfer can be checked with the phone after it has been released, but before it has been executed.
If you have any further questions, don’t hesitate to contact me. Unfortunately according to ***** [your support agent], you do not offer a pgp key for encryption, if someone else should pick up this conversation, I can not be held responsible for any earlier reporting about this issue. Should you use gpg nevertheless, we can upgrade the conversation anytime. Please use https://sks-keyservers.net/pks/lookup?op=vindex&search=0xCADA0055 as encryption key. I will also sign [my mails] with this key. Alternatively, you can call me at +xxxxxxxxxxxxxxxxx
Best Regards,
Christian Hawkins

No Comment

Unfortunately, Number26 was not available to me for a comment, whether or not there is an indication that this vulnerability has already been used.

But worry not…

…your data was always protected. For your amusement, a statement on the security of Number26.

Partial screenshot of https://number26.eu/security/ taken on 2016-02-05    https://metabubble.net/payment-cards-bank-accounts/number26-pushtan-or-when-transaction-verification-is-impossible/