Mobile operators remain highly exposed to vulnerabilities in the GTP protocol, rendering almost every network open to denial-of-service attacks, impersonation and fraud campaigns.
The GTP protocol is a tunneling protocol defined by the 3GPP standards to carry General Packet Radio Service (GPRS) within 3G/4G networks; security issues with it are widely recognised.
Security firm Positive Technologies said its tests for 28 telecom operators in Europe, Asia, Africa, and South America found that every one was vulnerable, with the attacks in some places able to be carried out merely with a mobile phone; GTP issues also directly impact 5G networks.
One of the main flaws in the GTP protocol is that it does not check a user’s location. An attacker can use this flaw to send malicious traffic whose legitimacy the home network has trouble verifying. Subscriber credentials are also checked on S-GW (SGSN) equipment by default, which an attacker can mimic to steal data, the security firm said in a new report.
The report states that: “The problem is that location tracking must be cross-protocol, which means checking the subscriber’s movements by using SS7 or Diameter. The security tools used on most networks don’t have such capabilities.”
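The cross-protocol check the report describes can be sketched as a correlation between GTP session requests and the subscriber's last location seen in SS7 or Diameter signalling. This is an added example, not code from the report or from Positive Technologies; the record layouts, field names, freshness window and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

# All records below are constructed sample data; field names are assumptions.
@dataclass(frozen=True)
class LocationUpdate:          # taken from SS7 or Diameter signalling
    imsi: str
    visited_plmn: str          # MCC+MNC where the subscriber registered
    ts: int                    # epoch seconds

@dataclass(frozen=True)
class GtpSessionRequest:       # taken from GTP control-plane traffic
    imsi: str
    serving_plmn: str          # MCC+MNC the request claims to come from
    peer_ip: str
    ts: int

MAX_AGE = 24 * 3600            # assumed freshness window for a registration

def classify(req, updates, max_age=MAX_AGE):
    """Compare a GTP request with the subscriber's last signalled location."""
    prior = [u for u in updates if u.imsi == req.imsi and u.ts <= req.ts]
    if not prior:
        return "no-registration"       # subscriber never seen in signalling
    last = max(prior, key=lambda u: u.ts)
    if last.visited_plmn != req.serving_plmn:
        return "plmn-mismatch"         # request comes from a different network
    if req.ts - last.ts > max_age:
        return "stale-registration"    # location too old to vouch for the request
    return "ok"

def audit(requests, updates):
    """Return (imsi, peer_ip, verdict) for every GTP request."""
    return [(r.imsi, r.peer_ip, classify(r, updates)) for r in requests]

UPDATES = [
    LocationUpdate("001010000000001", "99901", 1000),
    LocationUpdate("001010000000001", "99902", 5000),   # moved to another network
    LocationUpdate("001010000000002", "99901", 2000),
]
REQUESTS = [
    GtpSessionRequest("001010000000001", "99902", "192.0.2.10", 6000),
    GtpSessionRequest("001010000000001", "99901", "192.0.2.20", 6000),
    GtpSessionRequest("001010000000003", "99901", "192.0.2.20", 6000),
    GtpSessionRequest("001010000000002", "99901", "192.0.2.10", 92000),
]

if __name__ == "__main__":
    for row in audit(REQUESTS, UPDATES):
        print(*row)
```

Any verdict other than "ok" marks a request the home network cannot tie to a known subscriber location, which is the gap the report attributes to GTP-only security tools.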
The researchers tested the networks by simulating real-world attacks, sending requests to an operator’s network. Using tools such as PT Telecom Vulnerability Scanner and PT Telecom Attack Discovery, they found that DoS attacks were successful 83 percent of the time.
Dmitry Kurbatov, CTO at Positive Technologies commented that: “Every network tested was found to be vulnerable to DoS, impersonation and fraud. In practice, this means that attackers could interfere with network equipment and leave an entire city without communications, defraud operators and customers, impersonate users to access various resources, and make operators pay for non-existent roaming services. Moreover, the risk level is very high: some of these attacks can be performed using just a mobile phone.”
GTP Protocol and 5G
Unfortunately, 5G networks are deployed on the Evolved Packet Core (EPC), which was also used to establish the 4G Long-Term Evolution network. As such, 5G is also vulnerable to the same flaws opened up by the GTP protocol.
The use of the EPC network is supposed to be only a temporary measure until 5G’s standalone core network is established, but until that is in place 5G is vulnerable to the same security risks as all the other networks.
Dmitry Kurbatov states that: “We can say that most of today’s 5G networks, just like 4G ones, are vulnerable to these types of attacks. This makes the security vulnerabilities of the GTP protocol urgent – as the increased use of 5G vastly increases the damage an attack such as a denial of service attack could do.”
“Currently, operators are putting very few security measures in place to protect against these vulnerabilities and are also making configuration mistakes that are putting their networks at further risk.
“We urge operators to read this research and pay more attention to the GTP protocol and follow the recommendations of the GSMA FS.20 GPRS Tunnelling Protocol (GTP) Security, including implementing ongoing monitoring and analysis of signalling traffic to detect potential security threats.”