Vulnerabilities in the GPRS Tunneling Protocol (GTP) expose 4G and 5G cellular networks to a range of attacks, including denial of service, subscriber impersonation and fraud, security researchers at Positive Technologies say.
The issues identified affect both mobile operators and their customers, and could let attackers leave entire cities without communications, impersonate subscribers to access various resources, or use network services at the operator's or the subscribers' expense.
Some of the attacks can be carried out with nothing more than a mobile phone, and every network tested was found vulnerable to DoS, impersonation and fraud, the researchers say. 5G networks are specifically affected by the GTP flaws, since the protocol is used to carry both user traffic (GTP-U) and control traffic (GTP-C), they emphasize.
Positive Technologies carried out the security assessments on behalf of 28 telecom operators in Europe, Asia, Africa and South America, and found every one of those networks susceptible to exploitation.
One of the core flaws in the GTP protocol, the researchers explain, is that it does not check the subscriber's actual location, so a node receiving GTP traffic cannot tell from the protocol alone whether a request is legitimate. Another, they contend, is that subscriber credentials are verified by default on the Serving Gateway (S-GW) equipment, which means the gateways behind it have to take the subscriber identifiers in incoming requests on trust.
The researchers discovered that a DoS attack against a cellular network can be launched by sending large numbers of session-creation requests, exhausting either the DHCP address pool or the GTP tunnel pool and preventing legitimate subscribers from reaching the Internet.
Such DoS attacks can cut off a large number of subscribers at once, since a single GGSN (Gateway GPRS Support Node) or P-GW (Packet Data Network Gateway) element usually serves all of an operator's subscribers within a city or region.
“Mass communication failure is particularly dangerous for 5G networks, as its users are IoT devices such as industrial equipment, smart homes and urban infrastructure,” the researchers note.
On every tested network, Positive Technologies found it possible to connect using spoofed identifiers of legitimate subscribers, in which case the impersonated customer pays for the service. If a nonexistent identifier is used instead, the operator simply loses the revenue.
It is also possible to impersonate subscribers and access third-party online services under their identities, either through compromised identifiers or by spoofing session data using a real subscriber's identifier (phone number).
For convenience, many services rely on pass-through authentication, in which the operator automatically grants access because the customer holds the SIM card. Such services may use the MSISDN (the subscriber's phone number) to verify a phone number during account registration, run anti-fraud checks, and authorize access without a password, so a spoofed MSISDN is accepted as proof of identity.
"This is also an impersonation attack, in which an adversary effectively assumes the identity of one of the legitimate parties in a scheme. The implications vary according to which resource or service the attacker can access," the researchers explain.
The tests revealed that the identified GTP vulnerabilities can be exploited via the IPX inter-operator network, and in some cases even from a mobile device. Since most 5G deployments were non-standalone as of early 2020, running on top of a 4G core, they are exposed to disclosure of subscriber information and to the DoS, impersonation and fraud attacks described above.
Even when standalone 5G arrives, the issues will persist, because GTP must still be present in those networks, even if for restricted uses. To protect subscribers, operators should "look closely at the GTP protocol, ensure GTP-level filtering and deploy purpose-built security solutions," the researchers note. This also supports compliance with GSMA security guidelines and regular security assessments.
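To make the pool-exhaustion DoS, the identifier-spoofing fraud and the GTP-level filtering recommendation above concrete, here is an added, self-contained Python simulation. It is not Positive Technologies' tooling or any operator's code. It builds and parses GTPv2-C Create Session Requests (message type 32, IMSI and MSISDN information elements in TBCD encoding, per 3GPP TS 29.274), feeds them to a toy P-GW with a finite session pool, and places a constructed edge filter (peer allowlist plus a per-peer cap on session creation) in front of it. The peer addresses, pool size, rate limits and subscriber identifiers are all constructed for the example.

```python
"""Constructed simulation of GTPv2-C session floods against a P-GW, with and without a GTP filter."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CREATE_SESSION_REQ = 32         # GTPv2-C message type (3GPP TS 29.274)
IE_IMSI, IE_MSISDN = 1, 76      # information element types; both carry TBCD digit strings

def tbcd_encode(digits: str) -> bytes:
    """Telephony BCD: two digits per byte, low nibble first, 0xF pads an odd digit count."""
    out = bytearray()
    for i in range(0, len(digits), 2):
        hi = int(digits[i + 1]) if i + 1 < len(digits) else 0xF
        out.append(int(digits[i]) | (hi << 4))
    return bytes(out)

def tbcd_decode(data: bytes) -> str:
    return "".join(str(b & 0x0F) + ("" if b >> 4 == 0xF else str(b >> 4)) for b in data)

def build_ie(ie_type: int, value: bytes, instance: int = 0) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), instance & 0x0F) + value   # Type, Length, Instance

def build_create_session_req(seq: int, imsi: str, msisdn: str) -> bytes:
    """Header: flags (version 2, T bit set), type, length, TEID (0 for a new session), 3-byte seq + spare."""
    ies = build_ie(IE_IMSI, tbcd_encode(imsi)) + build_ie(IE_MSISDN, tbcd_encode(msisdn))
    body = (0).to_bytes(4, "big") + (seq << 8).to_bytes(4, "big") + ies
    return struct.pack("!BBH", (2 << 5) | 0x08, CREATE_SESSION_REQ, len(body)) + body

@dataclass
class GtpMessage:
    msg_type: int
    teid: Optional[int]
    seq: int
    ies: Dict[Tuple[int, int], bytes]   # (ie_type, instance) -> raw value

def parse_gtpv2(pkt: bytes) -> GtpMessage:
    if len(pkt) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTPv2")
    if length != len(pkt) - 4:              # length field excludes the first 4 octets
        raise ValueError("length mismatch")
    off, teid = 4, None
    if flags & 0x08:                        # T bit: a 4-octet TEID follows
        teid, off = int.from_bytes(pkt[4:8], "big"), 8
    if len(pkt) < off + 4:
        raise ValueError("truncated sequence number")
    seq, off = int.from_bytes(pkt[off:off + 3], "big"), off + 4
    ies: Dict[Tuple[int, int], bytes] = {}
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated IE header")
        ie_type, ie_len, inst = struct.unpack("!BHB", pkt[off:off + 4])
        value = pkt[off + 4:off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE value")
        ies[(ie_type, inst & 0x0F)] = value
        off += 4 + ie_len
    return GtpMessage(msg_type, teid, seq, ies)

class PgwPool:
    """Toy P-GW: every accepted Create Session Request consumes one slot (one IP address / TEID)."""
    def __init__(self, size: int):
        self.free, self.sessions = size, {}          # teid -> IMSI the session is billed to

    def create_session(self, msg: GtpMessage) -> Optional[int]:
        if msg.msg_type != CREATE_SESSION_REQ or self.free == 0:
            return None                               # pool exhausted: real subscribers get nothing
        self.free -= 1
        teid = len(self.sessions) + 1
        # Credentials were checked upstream (S-GW side), so the P-GW bills whatever IMSI the request names.
        self.sessions[teid] = tbcd_decode(msg.ies[(IE_IMSI, 0)])
        return teid

class GtpEdgeFilter:
    """Constructed GTP-level filter: drop malformed messages and unknown peers, cap session creation."""
    def __init__(self, allowed_peers, max_create_per_window: int, window_s: float):
        self.allowed, self.cap, self.window = set(allowed_peers), max_create_per_window, window_s
        self.recent = defaultdict(deque)              # peer -> timestamps of accepted creates

    def check(self, src_ip: str, pkt: bytes, now: float) -> Tuple[bool, str]:
        try:
            msg = parse_gtpv2(pkt)
        except ValueError as e:
            return False, f"malformed: {e}"
        if src_ip not in self.allowed:
            return False, "peer not in allowlist"
        if msg.msg_type == CREATE_SESSION_REQ:
            q = self.recent[src_ip]
            while q and now - q[0] > self.window:
                q.popleft()
            if len(q) >= self.cap:
                return False, "session creation rate exceeded"
            q.append(now)
        return True, "ok"

def simulate(filtered: bool, attacker_ip: str, pool_size: int = 20) -> dict:
    """Attacker floods Create Session Requests with fabricated IMSIs, then a real subscriber tries."""
    pgw = PgwPool(pool_size)
    flt = GtpEdgeFilter({"192.0.2.10"}, max_create_per_window=5, window_s=1.0)   # 192.0.2.10: trusted S-GW
    accepted = 0
    for i in range(pool_size):
        pkt = build_create_session_req(i, imsi=f"00101{i:010d}", msisdn=f"4670000{i:04d}")
        if filtered and not flt.check(attacker_ip, pkt, now=0.01 * i)[0]:
            continue
        if pgw.create_session(parse_gtpv2(pkt)) is not None:
            accepted += 1
    legit = build_create_session_req(999, imsi="001010123456789", msisdn="46700000001")
    allowed = flt.check("192.0.2.10", legit, now=5.0)[0] if filtered else True
    legit_ok = allowed and pgw.create_session(parse_gtpv2(legit)) is not None
    return {"attacker_accepted": accepted, "legit_ok": legit_ok}

def billed_subscriber(victim_imsi: str) -> str:
    """Fraud case: a request that merely names a victim's IMSI is billed to that IMSI."""
    pgw = PgwPool(1)
    teid = pgw.create_session(parse_gtpv2(build_create_session_req(1, victim_imsi, "46700000001")))
    return pgw.sessions[teid]
```

Running `simulate(filtered=False, attacker_ip="198.51.100.7")` lets twenty fabricated requests fill the whole pool and the legitimate subscriber is refused; with the filter in place the same flood is dropped at the allowlist, and when the flood instead arrives from the trusted peer address (a compromised or spoofed S-GW on the IPX side) the per-peer cap limits it to five sessions, leaving room for real users. `billed_subscriber` shows the other half of the problem: nothing in the exchange lets the P-GW verify the IMSI, so whoever is named pays. The allowlist alone is weak, since GTP-C runs over UDP and the source address of a one-way flood can be spoofed, which is why the rate cap is the part that actually protects the pool.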