GPRS Tunneling Protocol (GTP) is a 2.5G technology that provides interconnect between various network interfaces, enabling mobile users to roam seamlessly between networks of different generations. The protocol was developed in tandem with General Packet Radio Service (GPRS), the packet-oriented mobile data standard integrated into GSM (2G) that allows mobile networks to carry IP traffic to external networks (i.e., the internet). GPRS is the mobile communications service that enables SMS, MMS, IM, WAP, peer-to-peer, smartphone internet apps, and more.
Developed at the “dawn” of the mobile age, GTP was not designed with security in mind and is very lightly protected, because before smartphones there were virtually no security problems plaguing mobile networks. The technologies were proprietary and difficult to penetrate, resulting in “attack-free” network infrastructures where trust was assumed within what was then a closed industry. As the industry evolved to IP-based technology, the need for secure network interfaces using GTP grew exponentially. Lacking encryption and sender authentication, GTP was not up to the task.
Today, we see an increasing number of attacks exploiting vulnerabilities by abusing GTP-exposed interfaces. Both subscribers and carrier-class operators are impacted, as attackers eavesdrop on communications to harvest network information and subscriber IDs, often leading to denial of service (DoS), customer churn, and criminal activity enabled by the exfiltration of confidential data.
A Growing Attack Surface
While 5G provides vast security enhancements, it is important to note that multiple generations of mobile networks will hang on long into the foreseeable future. This means that GTP will still be relevant in a 5G world, as it remains the primary protocol for user-plane and control-plane traffic. As with all previous generations, 5G introduces new standards. However, new network technologies such as 5G do not replace the previous ones, but rather, they overlap. So as long as earlier generations remain operative, old mobile signaling protocols and their accompanying vulnerabilities will threaten networks. Today’s mobile threats stem from traditional IP-based threats within 4G/LTE networks combined with legacy 2G and 3G technologies. As 5G continues to grow, overlapped with 3G and 4G, a wealth of new services and technologies will lead to an ever-expanding attack surface.
GTP: A Key Technology for Mobile Roaming
Changes in EU regulations eliminated international roaming charges. This, combined with the explosive growth in the number of devices, applications, and traveling subscribers, has led to skyrocketing roaming traffic — up as much as 95 percent according to Telecoms.com. Within the mobile core, GTP is the main protocol for exchanging user and control data between serving and packet gateways, enabling packet networks to signal and carry data between devices and apps. When it comes to roaming, GTP connects the local (home) and visited network, allowing subscribers to shift between networks easily. Its extensive use between mobile networks (e.g., roaming) makes GTP an attractive target for attackers. With roaming traffic continually on the rise, it is also a growing target. To learn more, download the eBook: Smart Phones and Stupid Devices — Why Roaming Still Matters in a 5G World.
IP-based Networks are Easier to Hack; GTP Makes it Even Easier
Prior to 4G/LTE, attacking mobile networks required sophisticated tools and mastery of little-known protocols used for routing voice calls. IP-based 4G technology changed everything and allowed attackers to leverage readily available internet hacking tools with which they were already familiar. Launching attacks on mobile networks became as easy as hacking any device connected to the internet — no in-depth knowledge of mobile technology required.
Because of the many vulnerabilities in the protocol’s specifications, GTP became a prime attack target. The protocol does not support encryption, so, among other pieces of sensitive information, international mobile subscriber identity (IMSI), integrity session keys, and user data are sent in clear text. Also lacking is integrity protection, which leaves the door open for cyber attackers to tamper with GTP messages and corrupt signaling commands, alter user data, and redirect their own mobile billing charges onto unwitting victims. Lastly, the protocol lacks any means for authenticating senders, making it impossible to tell legitimate subscribers from imposters.
All in all, these GTP vulnerabilities make it easier for attackers to gain access to critical network and subscriber information, including key identifiers such as the tunnel endpoint identifier (TEID, the value GTP assigns to a tunnel and thus a pathway into the network’s mobile core) and the temporary mobile subscriber identity (TMSI). Using such information, impersonators can gain access to the IMSI of legitimate subscribers, drop subscriber communications, or overwhelm the network with bot-transmitted messages to instigate a DDoS attack.
A Taxonomy of GTP-enabled Attacks
Here’s what mobile operators and their customers are up against:
- Eavesdropping — Attackers listen in on GTP traffic to intercept subscriber communications containing sensitive information sent in clear text (usually during roaming sessions where long-distance links are often not well-protected and vulnerable to interception).
- Denial of Service — Subscriber DoS attacks diminish the quality of service and can lead to customer churn. Attackers need to know the TEID of the subscriber’s session, which can be obtained through GTP eavesdropping. A more severe DoS occurs when attackers overwhelm the packet data network gateway (PGW) with a flood of malformed packets. Such attacks can lead to widespread outages and degradation of quality across the entire subscriber base.
- Fraud — Here an attacker hijacks the IP address of a legitimate subscriber and uses it to order services that are then billed to the unsuspecting subscriber. In some instances, an attacker will request the creation of a session from the PGW using a legitimate subscriber’s IMSI. The traffic usage charges are then billed to the subscriber or borne by the operator.
- Rogue Base Stations — Attackers set up a duplicate, rogue base station to act as an IMSI “catcher.” Mobile devices automatically connect to the strongest signal nearby using the subscriber’s IMSI, which can then be harvested and used to launch attacks or intercept a user’s confidential data for fraudulent purposes.
- Malicious Peers — The explosive growth of roaming and over-the-top (OTT) content has led to an expanded universe of third-party providers requiring access to mobile networks, many of which may not follow mobile security best practices. Vulnerabilities created by third parties such as roaming partners can open the door to attackers targeting valuable information or seeking to disrupt and degrade network operations.
- Roaming IoT — Inefficient and unprotected IoT devices create security risks and can cause an exponential increase in network signaling traffic when deployed on a massive scale. Signaling storms can be caused by botnet-driven DoS attacks or triggered by power failures, natural disasters, and coverage problems in a given service area. When roaming smart meters and IoT endpoint devices lose connectivity, they attempt to roam to another network. Numerous, simultaneous roaming requests create signaling storms that can bring a mobile network down.
GTP Security is Within Reach…with an Effective GTP Firewall
GTP is exploited to target mobile networks via the roaming exchange, the radio access network, and internet interfaces. To prevent the severe consequences of GTP-enabled attacks as described above, mobile operators need to deploy strong countermeasures at all key network interfaces. The most important is a GTP firewall, which, as outlined by the GSMA, needs to include: message filtering, exploit detection, message-length control, validity checking, plausibility checking, and information validity for roaming.
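To make the GSMA checklist concrete, the following added example (written for this article, not code from any GTP firewall product or from the GSMA) implements three of the listed controls at the header level: message filtering via a per-interface allow-list of message types, message-length control by comparing the length field against the datagram actually received, and basic validity checking of the version, protocol-type and TEID flags. The allow-lists and the sample datagrams are constructed for illustration; the header layouts follow the GTPv1 and GTPv2-C specifications.

```python
import struct

# Illustrative allow-lists for a roaming (Gp/S8) interface; constructed for this
# example, not an operator or GSMA policy. Values are standard message types:
# GTPv1-C: Echo Req/Rsp and Create/Update/Delete PDP Context Req/Rsp.
# GTPv2-C: Echo Req/Rsp, Create Session, Modify Bearer, Delete Session Req/Rsp.
ALLOWED_V1 = {1, 2, 16, 17, 18, 19, 20, 21}
ALLOWED_V2 = {1, 2, 32, 33, 34, 35, 36, 37}

def check_gtp(pkt: bytes):
    """Return (accept, reason) after header-level validity and length checks."""
    if len(pkt) < 8:
        return False, "shorter than the minimum GTP header"
    flags, msg_type, length = struct.unpack_from("!BBH", pkt, 0)
    version = flags >> 5
    if version == 1:
        if not flags & 0x10:                      # PT=0 is GTP' (charging), not GTP
            return False, "GTP' (PT=0) not permitted on this interface"
        hdr = 12 if flags & 0x07 else 8           # E/S/PN set => 4 optional octets
        if 8 + length != len(pkt):                # v1 length counts octets after the 8th
            return False, f"v1 length mismatch: header implies {8 + length}, got {len(pkt)}"
        if len(pkt) < hdr:
            return False, "optional fields flagged but header truncated"
        if msg_type not in ALLOWED_V1:
            return False, f"GTPv1 message type {msg_type} not permitted"
        teid = struct.unpack_from("!I", pkt, 4)[0]
        return True, f"GTPv1 type={msg_type} teid={teid:#010x}"
    if version == 2:
        t_flag = (flags >> 3) & 1                 # T=1 => 4-octet TEID precedes the sequence number
        hdr = 12 if t_flag else 8
        if 4 + length != len(pkt):                # v2 length excludes the first 4 octets
            return False, f"v2 length mismatch: header implies {4 + length}, got {len(pkt)}"
        if len(pkt) < hdr:
            return False, "TEID flagged but header truncated"
        if msg_type in (1, 2) and t_flag:         # Echo Request/Response carry no TEID
            return False, "Echo message must not carry a TEID"
        if msg_type not in ALLOWED_V2:
            return False, f"GTPv2 message type {msg_type} not permitted"
        teid = struct.unpack_from("!I", pkt, 4)[0] if t_flag else None
        return True, f"GTPv2 type={msg_type} teid={teid}"
    return False, f"unsupported GTP version {version}"

# Constructed sample datagrams (not captured traffic):
ECHO_V1 = bytes([0x32, 0x01, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x01, 0x00, 0x00])   # S flag set, seq=1
CREATE_SESSION_V2 = bytes([0x48, 0x20, 0x00, 0x08, 0, 0, 0, 0, 0x00, 0x00, 0x07, 0x00])
OVERSIZED_V1 = bytes([0x30, 0x10, 0x10, 0x00, 0, 0, 0, 0])        # claims 4096 payload octets
UNEXPECTED_V2 = bytes([0x40, 0xB0, 0x00, 0x04, 0x00, 0x00, 0x01, 0x00])  # type 176, not allow-listed

if __name__ == "__main__":
    for name, p in [("echo_v1", ECHO_V1), ("csr_v2", CREATE_SESSION_V2),
                    ("oversized_v1", OVERSIZED_V1), ("unexpected_v2", UNEXPECTED_V2)]:
        print(name, check_gtp(p))
```

A production firewall would continue past the header into the information elements (IMSI, APN, bearer contexts) for the plausibility and roaming-validity checks; this block stops where the header ends.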
5G Changes Everything…or does it?
5G will still use GTP for user-plane traffic and still be exposed to GTP vulnerabilities. However, the 5G architecture does provide several important cybersecurity enhancements, building on proven 4G improvements, including encryption, mutual authentication, integrity protection, privacy, and availability. Nevertheless, multi-generational security will continue to be critical to protect against 2G, 3G, and 4G threats during — and even beyond — the transition to 5G.
New 5G specifications cover security procedures performed within the 5G system, including the 5G core and the 5G New Radio. Key 5G cybersecurity enhancements include:
- Roaming Security — The new Security Edge Protection Proxy (SEPP) provides additional protection against known inter-exchange/roaming vulnerabilities. 5G also enables network operators to steer home customers to preferred visited partner networks to enhance the roaming experience, reduce charges, and prevent fraud.
- Network Slicing Security — Allows mobile operators to create unique network “slices” (independent networks running on top of the shared mobile infrastructure) with their own unique security requirements to support diverse use-case scenarios (e.g., video conferencing, V2X applications).
- Identity Privacy — The 5G counterpart of the IMSI, the subscription permanent identifier (SUPI), is never transmitted in clear text: it is sent only in encrypted form. 5G also enforces frequent changes to the globally unique temporary identifier (GUTI). Both new capabilities make it harder for hackers to steal identities via rogue base stations or eavesdropping.
While 5G security is a big step forward, mobile networks will continue to be exposed to GTP threats through roaming partners or prior mobile technologies using GTP. Mobile operators will need to deploy a GTP firewall to protect against GTP-based attacks coming in from access networks, roaming partners, IoT, and more to support uninterrupted operations for their networks and subscribers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.