High-impact vulnerabilities in a modern communication protocol used by mobile network operators (MNOs) can be exploited to intercept user data and carry out impersonation, fraud, and denial-of-service (DoS) attacks, newly published research cautions.
The findings are part of a new Vulnerabilities in LTE and 5G Networks 2020 report published by London-based cybersecurity firm Positive Technologies last week.
“This paper encompasses the results of security assessments performed during the 2018–2019 timeframe on behalf of 28 telecom operators in Europe, Asia, Africa, and South America.”
GPRS Tunneling Protocol (GTP) is a 2.5G technology that provides interconnect between various network interfaces, enabling mobile users to roam seamlessly between networks of different generations.
The protocol was developed in tandem with General Packet Radio Service (GPRS), the packet-oriented mobile data standard integrated into GSM (2G) that allows mobile networks to transmit IP to external networks (i.e., the internet). GPRS is the mobile communications service that enables SMS, MMS, IM, WAP, peer-to-peer, smartphone internet apps, and more.
Developed at the “dawn” of the mobile age, GTP was not designed with security in mind and is very lightly protected, because before smartphones there were virtually no security problems plaguing mobile networks.
The technologies were proprietary and difficult to penetrate, resulting in “attack-free” network infrastructures where trust was assumed within what was then a closed industry.
As the industry evolved to IP-based technology, the need for secure network interfaces using GTP grew exponentially. Lacking encryption and sender authentication, GTP was not up to the task.
Today, we see an increasing number of attacks exploiting vulnerabilities by abusing GTP-exposed interfaces. Both subscribers and carrier-class operators are impacted, as attackers eavesdrop on communications to harvest network information and subscriber IDs, often leading to denial of service (DoS), customer churn, and criminal activity enabled by the exfiltration of confidential data.
GTP: A Key Technology for Mobile Roaming
Changes in EU regulations eliminated international roaming charges. This, combined with the explosive growth in the number of devices, applications, and traveling subscribers, has led to skyrocketing roaming traffic — up as much as 95 percent according to Telecoms.com.
Within the mobile core, GTP is the main protocol for exchanging user and control data between serving and packet gateways, enabling packet networks to signal and carry data between devices and apps.
When it comes to roaming, GTP connects the local (home) and visited network, allowing subscribers to shift between networks easily. Its extensive use between mobile networks (e.g., roaming) makes GTP an attractive target for attackers. With roaming traffic continually on the rise, it is also a growing target.
It also forms the basis for GPRS core network and its successor Evolved Packet Core (EPC), thus making it possible for users to keep connected to the Internet while moving from one place to the other.
“The GTP protocol contains a number of vulnerabilities threatening both mobile operators and their clients,” the company said. “As a result, attackers can interfere with network equipment and leave an entire city without communications, impersonate users to access various resources, and use network services at the expense of the operator or subscribers.”
The main flaw stems from the fact that the protocol does not check for the subscriber’s actual location, thereby making it difficult to verify if the incoming traffic is legitimate.
A second architectural issue resides in the manner subscriber credentials are verified, thus allowing bad actors to spoof the node that acts as an SGSN (Serving GPRS Support Node).
More concerning is the potential for fraud and impersonation, wherein the attacker leverages a compromised identifier to use mobile Internet at the legitimate user’s expense.
In an alternate scenario, a malicious actor can hijack user session data containing relevant identifiers (e.g., phone number) of a real subscriber to impersonate that individual and access the Internet.
“These attacks can also be used by a dishonest MNO to create roaming traffic, with the MNO (falsely) charging another operator for non-existent roaming activity of that operator’s subscribers,” the report said.
“On all tested networks, it was possible to use mobile Internet at the expense of both other subscribers and the operator.”
With 5G networks making use of EPC as the core network for wireless communications, Positive Technologies said they are equally vulnerable to spoofing and disclosure attacks.
It added that every tested network was susceptible to denial of service against network equipment, therefore preventing valid subscribers from connecting to the Internet and resulting in disruption of mobile communication services.
“Mass loss of communication is especially dangerous for 5G networks, because its subscribers are IoT devices such as industrial equipment, Smart Homes, and city infrastructure,” the researchers said.
To mitigate the security issues, the firm is urging operators to carry out whitelist-based IP filtering at the GTP level, to follow GSMA security recommendations to analyze traffic in real time, and to take action to block illegitimate activity.
“Security must be a priority during network design,” the report concluded. “This is truer now than ever before as operators begin to tackle construction of 5G networks.”
“Attempts to implement security as an afterthought at later stages may cost much more: operators will likely need to purchase additional equipment, at best. At worst, operators may be stuck with long-term security vulnerabilities that cannot be fixed later.”
IP-based Networks are Easier to Hack; GTP Makes it Even Easier
Prior to 4G/LTE, attacking mobile networks required sophisticated tools and mastery of little-known protocols used for routing voice calls. IP-based 4G technology changed everything and allowed attackers to leverage readily available internet hacking tools with which they were already familiar. Launching attacks on mobile networks became as easy as hacking any device connected to the internet — no in-depth knowledge of mobile technology required.
Because of the many vulnerabilities in the protocol’s specifications, GTP became a prime attack target. The protocol does not support encryption, so, among other pieces of sensitive information, international mobile subscriber identity (IMSI), integrity session keys, and user data are sent in clear text.
Also lacking is integrity protection, which leaves the door open for cyber attackers to hack GTP messages and corrupt signaling commands, alter user data, and redirect their own mobile billing charges onto unwitting victims. Lastly, the protocol lacks any means for authenticating senders, making it impossible to tell legitimate subscribers from imposters.
All in all, these GTP vulnerabilities make it easier for attackers to gain access to critical network and subscriber information, including key identifiers such as the tunnel endpoint identifier (TEID), which GTP assigns and which serves as a pathway into the network’s mobile core, and the temporary mobile subscriber identity (TMSI).
Using such information, impersonators can gain access to the IMSI of legitimate subscribers, drop subscriber communications or overwhelm the network with bot-transmitted messages to instigate a DDoS attack.
A Taxonomy of GTP-enabled Attacks
Here’s what mobile operators and their customers are up against:
- Eavesdropping — Attackers listen in on GTP traffic to intercept subscriber communications containing sensitive information sent in clear text (usually during roaming sessions where long-distance links are often not well-protected and vulnerable to interception).
- Denial of Service — Subscriber DoS attacks diminish the quality of service and can lead to customer churn. Attackers need to know the TEID of the subscriber’s session, which can be obtained through GTP eavesdropping. A more severe DoS occurs when attackers overwhelm the packet data network gateway (PGW) with a flood of malformed packets. Such attacks can lead to widespread outages and degradation of quality across the entire subscriber base.
- Fraud — Here an attacker hijacks the IP address of a legitimate subscriber and uses it to order services that are then billed to the unsuspecting subscriber. In some instances, an attacker will request the creation of a session from the PGW using a legitimate subscriber’s IMSI. The traffic usage charges are then billed to the subscriber or borne by the operator.
- Rogue Base Stations — Attackers set up a duplicate, rogue base station to act as an IMSI “catcher.” Mobile devices automatically connect to the strongest signal nearby using the subscriber’s IMSI, which can then be harvested and used to launch attacks or intercept a user’s confidential data for fraudulent purposes.
- Malicious Peers — The explosive growth of roaming and over-the-top (OTT) content has led to an expanded universe of third-party providers requiring access to mobile networks, many of which may not follow mobile security best practices. Vulnerabilities created by third parties such as roaming partners can open the door to attackers targeting valuable information or seeking to disrupt and degrade network operations.
- Roaming IoT — Inefficient and unprotected IoT devices create security risks and can cause an exponential increase in network signaling traffic when deployed on a massive scale. Signaling storms can be caused by botnet-driven DoS attacks or triggered by power failures, natural disasters, and coverage problems in a given service area. When roaming smart meters and IoT endpoint devices lose connectivity, they attempt to roam to another network. Numerous, simultaneous roaming requests create signaling storms that can bring a mobile network down.
GTP Security is Within Reach…with an Effective GTP Firewall
GTP is exploited to target mobile networks via the roaming exchange, the radio access network, and internet interfaces. To prevent the severe consequences of GTP-enabled attacks as described above, mobile operators need to deploy strong counter measures at all key network interfaces.
The most important is a GTP firewall, which, as outlined by the GSMA, needs to include: message filtering, exploit detection, message-length control, validity checking, plausibility checking, and information validity for roaming.
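As an added illustration (not code from the report, the GSMA, or any firewall product), the following Python sketch applies the whitelist-based IP filtering recommended in the mitigation section together with the message-length, validity, and plausibility checks listed above to a single inbound GTPv2-C datagram. The partner address range, the sample datagrams, and the `pending_seq` set of forwarded request sequence numbers are constructed assumptions; message-type values and header layout follow 3GPP TS 29.274.

```python
import ipaddress
import struct

# Constructed roaming-partner allowlist for illustration (not from the report).
PARTNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# GTPv2-C message types (3GPP TS 29.274) this firewall expects on a roaming interface.
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
CREATE_SESSION_REQUEST, CREATE_SESSION_RESPONSE = 32, 33
KNOWN_TYPES = {ECHO_REQUEST, ECHO_RESPONSE, CREATE_SESSION_REQUEST, CREATE_SESSION_RESPONSE}


def check_gtpv2c(src_ip, datagram, pending_seq):
    """Return 'accept' or 'drop: <reason>' for one inbound GTPv2-C datagram.
    pending_seq is the set of sequence numbers of Create Session Requests the
    firewall has already forwarded outbound (assumed to be tracked elsewhere)."""
    # 1. Whitelist-based IP filtering: only listed partners may send GTP-C at all.
    if not any(ipaddress.ip_address(src_ip) in net for net in PARTNER_ALLOWLIST):
        return "drop: source not in partner allowlist"
    # 2. Message-length control: the minimal 8-octet header must be present and the
    #    declared length (which excludes the first 4 octets) must match the datagram.
    if len(datagram) < 8:
        return "drop: truncated header"
    flags, msg_type, declared_len = struct.unpack("!BBH", datagram[:4])
    if declared_len != len(datagram) - 4:
        return "drop: declared length mismatch"
    # 3. Validity checking: the top 3 bits of the flags octet hold the version (2),
    #    and any message type outside the expected set is rejected.
    if flags >> 5 != 2:
        return "drop: unsupported GTP version"
    if msg_type not in KNOWN_TYPES:
        return "drop: unknown message type"
    # 4. Plausibility checking: bit 0x08 is the T flag. Echo messages never carry a
    #    TEID, and a Create Session Response is only plausible as the answer to a
    #    request we actually sent (matched on the 3-octet sequence number).
    teid_present = bool(flags & 0x08)
    if msg_type in (ECHO_REQUEST, ECHO_RESPONSE) and teid_present:
        return "drop: TEID flag set on echo message"
    if msg_type == CREATE_SESSION_RESPONSE:
        if not teid_present or len(datagram) < 12:
            return "drop: missing TEID field"
        seq = int.from_bytes(datagram[8:11], "big")
        if seq not in pending_seq:
            return "drop: unsolicited Create Session Response"
    return "accept"


# Constructed sample datagrams: a clean Echo Request, and a Create Session Response
# (TEID 1, sequence 42) with no information elements after the header.
SAMPLE_ECHO_REQUEST = bytes.fromhex("4001000400000100")
SAMPLE_CREATE_SESSION_RESPONSE = bytes.fromhex("482100080000000100002a00")
```

A production GTP firewall would also parse the information elements to check roaming-related values (for example that the IMSI and visited-network identity belong to the partner that sent the message), which this sketch leaves out.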
5G Changes Everything…or does it?
5G will still use GTP for user-plane traffic and still be exposed to GTP vulnerabilities. However, the 5G architecture does provide several important cybersecurity enhancements, building on proven 4G improvements, including encryption, mutual authentication, integrity protection, privacy, and availability. Nevertheless, multi-generational security will continue to be critical to protect against 2G, 3G, and 4G threats during — and even beyond — the transition to 5G.
New 5G specifications cover security procedures performed within the 5G system, including the 5G core and the 5G New Radio. Key 5G cybersecurity enhancements include:
- Roaming Security — The new Security Edge Protection Proxy (SEPP) provides additional protection against known inter-exchange/roaming vulnerabilities. 5G also enables network operators to steer home customers to preferred visited partner networks to enhance the roaming experience, reduce charges, and prevent fraud.
- Network Slicing Security — Allows mobile operators to create unique network “slices” (independent networks running on top of the shared mobile infrastructure) with their own unique security requirements to support diverse use-case scenarios (e.g., video conferencing, V2X applications).
- Identity Privacy — The 5G subscription permanent identifier, the counterpart of the IMSI, is encrypted so that it is never transmitted in clear text. 5G also enforces frequent changes to the globally unique temporary identifier. Both new capabilities make it harder for hackers to steal identities via rogue base stations or eavesdropping.
While 5G security is a big step forward, mobile networks will continue to be exposed to GTP threats through roaming partners or prior mobile technologies using GTP. Mobile operators will need to deploy a GTP firewall to protect against GTP-based attacks coming in from access networks, roaming partners, IoT, and more to support uninterrupted operations for their networks and subscribers.