Vulnerabilities in the GPRS Tunnelling Protocol (GTP) expose 4G and 5G cellular networks to a variety of attacks, including denial-of-service, user impersonation, and fraud, Positive Technologies security researchers warn.
The identified issues impact both mobile operators and their clients, and could result in attackers leaving entire cities without communications, impersonating users to gain access to various resources, or using network services at the expense of the operator or subscribers.
Some of the attacks may be performed with the simple use of a mobile phone and all of the tested networks were found vulnerable to DoS, impersonation, and fraud, the researchers say. 5G networks, they underline, are directly impacted by faults in GTP, which is used to transmit user and control traffic.
Positive Technologies performed security assessments on behalf of 28 telecom operators in Europe, Asia, Africa, and South America, discovering that all networks are susceptible to exploitation.
One of the core flaws in the GTP protocol, the security researchers explain, is the fact that it does not check the user’s actual location. Another, they argue, is that subscriber credentials are checked on the serving gateway (S-GW) equipment by default.
The researchers discovered that it was possible to launch a DoS attack against a cellular network by sending multiple requests to open new connections, thus exhausting the DHCP server pool or pool of GTP tunnels, preventing legitimate users from accessing the Internet.
Such DoS attacks could result in the loss of connection for a large number of users, as a single GGSN (GPRS Gateway Support Node) or P-GW (Packet Data Network Gateway) element usually provides support to all subscribers of the operator within a city or a region.
“Mass loss of communication is especially dangerous for 5G networks, because its subscribers are IoT devices such as industrial equipment, Smart Homes, and city infrastructure,” the researchers note.
On all tested networks, Positive Technologies discovered that it was possible to connect using compromised identifiers of legitimate subscribers, which would result in that subscriber paying for the service. If a non-existent identifier is used instead, the attack results in revenue losses for the operator.
It is also possible to impersonate subscribers and access third-party online services using their identity, either through compromised identifiers, or by spoofing user session data using the identifiers (phone number) of a real subscriber.
For convenience, services perform pass-through authentication, where the operator automatically provides authenticated access to services because the user has the SIM card. Such services may be allowed for verifying the MSISDN (a number used to identify a phone number internationally) during account registration, performing anti-fraud checks, and authorizing access without a password.
“This is called an impersonation attack, in which an adversary successfully assumes the identity of one of the legitimate parties in a system. Consequences vary based on which resource or service the attacker is able to access,” the researchers explain.
The tests revealed that the identified GTP vulnerabilities can be exploited via the inter-operator IPX network, and even from a mobile device in some cases. With most 5G network deployments being non-standalone as of early 2020, they are vulnerable to disclosing subscriber information and the aforementioned DoS, impersonation, and fraud attacks.
Even when 5G standalone arrives, the issues will remain, because GTP will remain in use in these networks, even if for limited uses. To ensure subscribers are protected, operators should “look closely at the GTP protocol, en-sure filtering at the GTP level, and deploy purpose-made security solutions,” the researchers note. Implementing GSMA security recommendations and performing security assessments should also help.