A new report showcases serious vulnerabilities in the GTP communication protocol (GPRS Tunnelling Protocol) deployed by mobile network operators.
It is crucial to note that GTP is used to carry user and control traffic on 2G, 3G, and 4G networks. This is not the first time the researchers have examined flaws in GTP that lead to such outcomes. Their latest report explains how these vulnerabilities affect the security of mobile networks and, more specifically, their impact on 5G networks.
GTP Protocol Vulnerabilities
The vulnerabilities can be exploited to intercept user data and enable several attack scenarios, including denial of service (DoS), impersonation, and fraud.
“The GTP protocol contains a number of vulnerabilities threatening both mobile operators and their clients,” says a new report by cybersecurity researchers at Positive Technologies.
The vulnerabilities could allow attackers to interfere with network equipment and leave an entire city without communications. Impersonation attacks are also possible, as is using network services at the expense of the operator or its subscribers. Every network the researchers tested proved vulnerable to denial-of-service, impersonation, and fraud attacks. This makes the vulnerabilities high-risk: in some cases an attack can be carried out with nothing more than a phone.
More specifically, these vulnerabilities directly impact 5G networks:
At the moment, 5G Non-Standalone (NSA) networks are deployed on top of the LTE core network (EPC, Evolved Packet Core). Therefore, all of these threats also apply to current 5G networks. GTP will partially remain in the Standalone (SA) architecture, so its security will remain a key issue for a long time, the report says.
How was the research carried out?
In order to evaluate the security of SS7, Diameter, and GTP networks, the researchers reproduce the actions of would-be external attackers:
Attackers can send requests to the operator's network, triggering a wide range of threats if the operator does not take appropriate protective measures. Malicious actions are simulated with PT Telecom Vulnerability Scanner (PT TVS). The experts also use PT Telecom Attack Discovery (PT TAD) for security monitoring and for detecting real attacks that target vulnerabilities in the network.
The first vulnerability stems from the protocol not checking the subscriber's location, which makes it hard to verify whether incoming traffic is legitimate. Another stems from the way subscriber credentials are verified, which could allow threat actors to spoof the node that acts as an SGSN (Serving GPRS Support Node).
The most troublesome issues, however, are the fraud and impersonation attacks. Threat actors could use a compromised subscriber identifier to access mobile internet at the expense of the legitimate user. In another variant of the impersonation attack, threat actors could hijack session data containing the identifiers of existing subscribers and use it to impersonate those subscribers to access the internet.
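As an added illustration (not code from the report or from Positive Technologies), the following Python script parses a constructed GTPv1-C Create PDP Context Request and applies the kind of plausibility check that the protocol itself does not perform: is the request coming from a known roaming partner, does the HLR's view of the subscriber's location agree with the network that sent the request, and does the SGSN address carried in the message match the packet's source? The packets, IP ranges, PLMN codes and subscriber table are all made up, and the HLR lookup is simulated by a dictionary; a real deployment would do this on a GTP firewall at the GRX/IPX border.

```python
"""Added example: GTPv1-C Create PDP Context Request parsing plus the
location/plausibility checks GTP itself lacks. All data is constructed."""
import ipaddress
import struct

CREATE_PDP_CONTEXT_REQUEST = 16            # GTPv1-C message type
IE_IMSI, IE_TEID_DATA, IE_TEID_CTRL, IE_NSAPI = 2, 16, 17, 20
IE_SGSN_ADDR = 133                         # TLV IE (types >= 128 carry a 2-byte length)
TV_LENGTHS = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4, 20: 1, 26: 2, 27: 2}  # fixed-size TV IEs

# Constructed policy data (assumed, not real): roaming partners' SGSN ranges on the
# GRX and the PLMN each belongs to, plus the HLR's view of where each subscriber is.
ROAMING_PARTNERS = {ipaddress.ip_network("192.0.2.0/24"): "26201"}
SUBSCRIBER_LOCATION = {"001010123456789": "26201",   # HLR: currently roaming in 26201
                       "001019876543210": "00101"}   # HLR: currently at home


def tbcd_decode(raw: bytes) -> str:
    """IMSI digits are packed two per byte, low nibble first; 0xF is padding."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble != 0xF:
                digits.append(str(nibble))
    return "".join(digits)


def tbcd_encode(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def parse_gtpv1c(pkt: bytes) -> dict:
    """Return header fields and a dict of information elements (type -> value)."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    offset = 8
    if flags & 0x07:          # E, S or PN set: sequence/N-PDU/ext-header bytes follow
        offset += 4
    end = 8 + length          # length counts everything after the mandatory header
    ies = {}
    while offset < end:
        ie_type = pkt[offset]
        offset += 1
        if ie_type < 128:     # TV IE: fixed length known from the type
            if ie_type not in TV_LENGTHS:
                raise ValueError(f"unknown TV IE type {ie_type}")
            size = TV_LENGTHS[ie_type]
        else:                 # TLV IE: explicit 2-byte length
            size = struct.unpack("!H", pkt[offset:offset + 2])[0]
            offset += 2
        ies[ie_type] = pkt[offset:offset + size]
        offset += size
    return {"type": msg_type, "teid": teid, "ies": ies}


def build_create_pdp_request(imsi: str, sgsn_ip: str, teid_ctrl: int) -> bytes:
    """Constructed message as a roaming SGSN would send it to the home GGSN."""
    body = bytes([IE_IMSI]) + tbcd_encode(imsi)
    body += bytes([IE_TEID_DATA]) + struct.pack("!I", 0x1)
    body += bytes([IE_TEID_CTRL]) + struct.pack("!I", teid_ctrl)
    body += bytes([IE_NSAPI, 5])
    addr = ipaddress.ip_address(sgsn_ip).packed
    body += bytes([IE_SGSN_ADDR]) + struct.pack("!H", len(addr)) + addr
    # flags 0x32: version 1, PT=1 (GTP), S=1 so a sequence number follows the header
    header = struct.pack("!BBHI", 0x32, CREATE_PDP_CONTEXT_REQUEST, len(body) + 4, 0)
    return header + struct.pack("!HBB", 1, 0, 0) + body


def check_request(src_ip: str, pkt: bytes) -> tuple[bool, str]:
    """Border check a GTP firewall could apply before the GGSN sees the request."""
    msg = parse_gtpv1c(pkt)
    if msg["type"] != CREATE_PDP_CONTEXT_REQUEST:
        return True, "not a session setup; out of scope for this check"
    src = ipaddress.ip_address(src_ip)
    partner = next((plmn for net, plmn in ROAMING_PARTNERS.items() if src in net), None)
    if partner is None:
        return False, f"source {src} is not a known roaming partner SGSN"
    imsi = tbcd_decode(msg["ies"][IE_IMSI])
    if imsi not in SUBSCRIBER_LOCATION:
        return False, f"unknown IMSI {imsi}"
    if SUBSCRIBER_LOCATION[imsi] != partner:      # the check GTP itself never makes
        return False, (f"IMSI {imsi} is registered in {SUBSCRIBER_LOCATION[imsi]} "
                       f"but the request arrived via {partner}")
    sgsn_ie = ipaddress.ip_address(msg["ies"][IE_SGSN_ADDR])
    if sgsn_ie != src:
        return False, f"SGSN address IE {sgsn_ie} does not match packet source {src}"
    return True, "accepted"


if __name__ == "__main__":
    legit = build_create_pdp_request("001010123456789", "192.0.2.10", 0x1234)
    print(check_request("192.0.2.10", legit))                 # accepted
    print(check_request("198.51.100.7", legit))               # unknown source
    stale = build_create_pdp_request("001019876543210", "192.0.2.10", 0x1234)
    print(check_request("192.0.2.10", stale))                 # subscriber is not there
```

The three rejections correspond to the three weaknesses the article lists: a request from an address that is not a partner SGSN, a session set up for a subscriber the HLR says is attached elsewhere (the missing location check), and an SGSN address inside the message that does not match the sender (a spoofed SGSN).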
“On all tested networks, it was possible to use mobile Internet at the expense of both other subscribers and the operator,” the researchers say.
Full technical disclosure of the vulnerabilities is available in the report named “Threat Vector: GTP. Vulnerabilities in LTE and 5G networks 2020”.
Other experts have also pointed out that the fundamentals of 5G are exposed to the same kinds of risk as its forerunners. Availability, data security, and confidentiality remain concerns with this emerging technology. Just as 3G and 4G brought their own vulnerabilities, 5G is set to face the same hurdles.
A flaw discovered in 2019 could give surveillance entities a new exploitation path: new-generation IMSI-catchers (eavesdropping devices that capture the International Mobile Subscriber Identity) that work across all modern telephony protocols.