OF MOBILE INTERNET (GPRS)
Dmitry Kurbatov, Sergey Puzankov, Pavel Novikov
2014
Contents
1. Introduction
2. Summary
3. Mobile network scheme
4. GTP protocol
5. Searching for mobile operator’s facilities on the Internet
6. Threats
6.1. IMSI brute force
6.2. The disclosure of subscriber’s data via IMSI
6.3. Disconnection of authorized subscribers from the Internet
6.4. Blocking the connection to the Internet
6.5. Internet at the expense of others
6.6. Data interception
6.7. DNS tunneling
6.8. Substitution of DNS for GGSN
7. Conclusion and recommendations
[Chart (Introduction): forecast of mobile data traffic for 2013–2018, broken down by network generation (2/2.5G, 3/3.5G, 4G); the numeric data labels did not survive extraction in a usable form.]
2. Summary
Positive Technologies has determined that there are serious security issues in the networks that support mobile Internet devices. A large number of devices belonging to 2G/3G networks of mobile network operators are available via open GTP ports as well as some other open communication protocols (FTP, Telnet, HTTP). An attacker can connect to the node of a mobile network operator by exploiting vulnerabilities (for example, default passwords) in these interfaces.
Having acquired access to the network of any operator, an attacker can automatically gain access to the GRX network, which in turn allows him/her to perform various attacks on subscribers of any operator:
1. Searching for valid IMSI
2. Obtaining subscriber’s data via IMSI (including his/her location)
3. Disconnection of subscribers from the Internet or blocking their access to the Internet
4. Connecting to the Internet with credentials of the legitimate user and at the expense of others
5. Listening to the traffic of the victim
6. Engaging in a phishing attack
Security measures required to protect against such attacks include proper configuration of equipment, utilizing a firewall and regular security monitoring. More details on the recommended set of protective measures are provided in the final part of this review.
3. Mobile network scheme
A mobile provider’s network consists of the Circuit Switched Core Network (CS core), the Packet Switched Core Network (PS core), the base station network and its 2G controllers (BSC and BTS in the scheme), and the base station network and its 3G controllers (Node B and RNC). The scheme shows that the 3G network is based on the 2G radio access network; the rest of the operator’s network does not undergo any significant changes in the evolution to the third generation. As clearly outlined in Figure 2.2, the operators’ networks have not undergone any significant changes in terms of security from 2G to 3G to 4G. Below is the packet data transfer subsystem (PS core).
The scheme in Figure 3 illustrates the architecture of the system used to transmit data in a 2G network. There are some differences in the chain MS (mobile station) — SGSN within the 3G network (UMTS network). The scheme shows that an attacker can access the provider’s network using:
• Subscriber’s Mobile Station
• The Internet
• The GRX network, i.e. via another mobile provider
Thus if an attacker enters the network of any mobile provider in the world, he/she will be able to affect other providers.
Service GPRS Support Node (SGSN) and Gateway GPRS Support Node (GGSN) are the basic elements for data transmission. The former is used to provide subscribers with data transmission services and it also interacts with other network elements; the latter is a gateway between the internal operator’s network and the Internet.
In addition to the Internet connection, there is a connection to the GRX network — Global Roaming eXchange, which is based on complicated relationships between individual operators (interconnection of networks) used to provide Internet access to subscribers in roaming.
4. GTP protocol
GTP protocol is used to send the traffic within PS core and GRX. This is a tunneling protocol, which runs over UDP and utilizes port 2123 (for management purposes, GTP-C), port 2152 (for transmitting user data, GTP-U), and 3386 (for billing, GTP’).
The Message Type field in the GTP header is primarily used for management purposes in GTP-C. Usually, in GTP-U Message Type = 0xFF (T-PDU). Tunnel Endpoint Identifier (TEID) is a tunnel identifier that is not associated with an IP address, i.e., packets can be sent with the same TEID but from different IP addresses (if the subscriber moves and switches to another SGSN).
The PDP Context Activation procedure is executed when the subscriber is connecting to the Internet.
In simplified form, the procedure is as follows:
1. The phone sends an Activate PDP Context request, which (amongst other information) contains the login, password, and APN.
2. After receiving the APN, the SGSN tries to resolve it on the internal DNS server; the server resolves the received APN and provides the corresponding GGSN address.
3. The SGSN sends the Create PDP Context request to this address.
4. The GGSN authenticates the submitted login and password, for example, on the RADIUS server.
5. The GGSN obtains an IP address for the mobile phone and transmits all data required for PDP context activation back to the SGSN.
6. The SGSN accomplishes the activation procedure by sending back to the phone all the data required for establishing a connection.
In fact, the PDP Context Activation procedure is the creation of a tunnel between a cell phone and a gateway (GGSN) on the operator’s mobile network.
[GTP header layout (table from 3GPP TS 29.060) not reproduced; only its notes survived:]
NOTE 0: (*) This bit is a spare bit. It shall be sent as '0'. The receiver shall not evaluate this bit.
NOTE 1: 1) This field shall only be evaluated when indicated by the S flag set to 1.
NOTE 2: 2) This field shall only be evaluated when indicated by the PN flag set to 1.
NOTE 3: 3) This field shall only be evaluated when indicated by the E flag set to 1.
NOTE 4: 4) This field shall be present if and only if any one or more of the S, PN and E flags are set.
[Figure: PDP Context Activation message flow; legible labels: 5a. DHCP Address Assignment; 6. Create PDP Context Response; 7. Activate PDP Context Accept]
The search result displays about 40 devices using this abbreviation in their banners. The screenshot provides a list of some devices that use this abbreviation, including devices with open Telnet and password authentication turned off. An attacker can perform an intrusion into the network of the operator in the Central African Republic by connecting to this device and implementing the required settings.
Having access to the network of any operator, the attacker will automatically get access to the GRX network and other operators of mobile services. One single mistake made by one single operator in the world creates an attack opportunity against many other mobile networks. There are more ways of using the compromised boundary host, for example, a DNS spoofing attack (more information about attacks is given below).
GGSN and SGSN can also be found in other ways. The GTP protocol described above can be used only within PS core and GRX networks and should not be accessible from the Internet. In practice, however, things are often quite different: there are more than 207,000 devices with open GTP ports all over the global Internet.
Fig. 7. Countries with the largest number of hosts with open GTP ports (more than 1000)
What can be said about these 207,000 devices? 7,255 devices are not associated with GTP and send HTTP responses (see fig. 9).
The remainder of the 200,000 addresses respond with correct GTP messages. A more in-depth analysis shows that an individual device may not be a component of a mobile network: these are universal devices utilized for other purposes whose administrators did not turn off this feature. Alcatel-Lucent 7750 and ZTE ZXUN xGW can often be found among such devices, and the latter has open FTP and Telnet ports.
548 devices responded to the request for establishing a connection: four of them allow a user or attacker to create a tunnel while the others respond with various errors.
Fig. 9. The response to GTP request received from equipment by Internet Rimon LTD
[Chart: share of detected hosts with open ports, by protocol] HTTP 4%, FTP 81%, SSH 25%, Telnet 82%, BGP 4%, VPN (UDP:500) 44%
[Chart: most common vulnerabilities on the network perimeter of corporate information systems, 2011–2012 versus 2013]
Dictionary passwords: 2011–2012 79%; 2013 82%
Management interfaces available to any Internet user: 2011–2012 58%; 2013 82%
Use of open data transfer protocols: 2011–2012 47%; 2013 82%
Vulnerabilities of system and application software caused by lack of updates: 2011–2012 10%; 2013 64%
SQL Injection: 2011–2012 63%; 2013 55%
Unrestricted File Upload: 2011–2012 25%; 2013 55%
Storing important data unencrypted: 2011–2012 47%; 2013 45%
Path traversal: 2011–2012 42%; 2013 45%
Dictionary SNMP Community String value (public): 2011–2012 21%; 2013 36%
DBMS access interfaces available to any Internet user: 2011–2012 10%; 2013 36%
Therefore, an attacker coming from the Internet can detect the proper GGSN, set up the GTP connection and then encapsulate GTP control packets into the created tunnel. If the parameters were selected properly, the GGSN will take them as packets from legitimate devices within the operator’s network.
Another benefit for attackers is that GTP is not the only protocol used on the detected hosts. Telnet, FTP, SSH, Web, etc. are also used for management purposes. The figure below shows how many open ports were detected for each protocol.
According to statistics provided by Positive Technologies, penetration tests revealed that data transfer via open protocols (FTP, Telnet, HTTP) and availability of management interfaces from the Internet are the most frequent vulnerabilities to appear in the network perimeter of large companies’ information systems. Moreover, the distribution of these vulnerabilities has doubled in 2013 compared to 2011/2012, effectively creating a larger number and range of attacks for mobile Internet suppliers and users to consider.
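As an added example (not code from the report or from Positive Technologies), the following Python decodes the GTPv1 header whose S/PN/E flag notes appear in section 4 and applies the rule stated above that GTP should only be reachable within the PS core and GRX: any GTP-C, GTP-U or GTP’ datagram from another source is flagged, with a separate alert for a Create PDP Context Request, i.e. an attempted tunnel set-up from outside. The trusted address ranges, the message-type names other than 0xFF (T-PDU), and the sample datagram are assumptions constructed for the example.

```python
import ipaddress
import struct

GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}  # ports named in the report
# Message types per 3GPP TS 29.060; the report itself names only 0xFF (T-PDU).
MSG_TYPES = {0x01: "Echo Request", 0x02: "Echo Response",
             0x10: "Create PDP Context Request", 0xFF: "T-PDU"}
# Constructed placeholders (assumption) for the operator's PS core and GRX peer ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]

def parse_gtp_header(data: bytes) -> dict:
    """Decode the GTPv1 fixed header and the optional fields that the S, PN and E
    flags control (notes 1-4 of the header table in section 4)."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 header")
    e_flag, s_flag, pn_flag = flags & 0x04, flags & 0x02, flags & 0x01
    hdr = {"pt": (flags >> 4) & 1, "msg_type": msg_type,
           "msg_name": MSG_TYPES.get(msg_type, f"type 0x{msg_type:02x}"),
           "length": length, "teid": teid, "seq": None, "npdu": None, "next_ext": None}
    if e_flag or s_flag or pn_flag:  # note 4: optional bytes exist only if a flag is set
        if len(data) < 12:
            raise ValueError("flags set but optional fields missing")
        seq, npdu, next_ext = struct.unpack("!HBB", data[8:12])
        hdr["seq"] = seq if s_flag else None            # note 1
        hdr["npdu"] = npdu if pn_flag else None         # note 2
        hdr["next_ext"] = next_ext if e_flag else None  # note 3
    return hdr

def check_datagram(src_ip: str, dst_port: int, payload: bytes) -> list:
    """Alerts for one UDP datagram. GTP should only arrive from PS core / GRX peers;
    a Create PDP Context Request from anywhere else is the tunnel set-up the
    report describes and deserves its own alert."""
    proto = GTP_PORTS.get(dst_port)
    if proto is None:
        return []
    hdr = parse_gtp_header(payload)
    if any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        return []
    alerts = [f"{proto} from untrusted {src_ip}: {hdr['msg_name']}, TEID 0x{hdr['teid']:08x}"]
    if proto == "GTP-C" and hdr["msg_type"] == 0x10:
        alerts.append(f"PDP context set-up attempted from {src_ip}")
    return alerts

# Constructed sample: GTP-C Create PDP Context Request, S flag set, sequence number 1.
SAMPLE_GTPC = bytes.fromhex("321000040000000000010000")
```

Feeding the same check the UDP payloads of a packet capture taken at the GGSN or GRX border gives the list of sources that should not be talking GTP at all.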
Sources
1. Cisco Global Mobile Data Traffic Forecast Update, 2013–2018. Cisco VNI Mobile, 2014. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.pdf
2. Vulnerability Statistics for Corporate Information Systems (2013). Positive Technologies, 2014. http://www.ptsecurity.ru/download/PT_Corporate_vulnerability_2014_rus.pdf
3. Vulnerabilities of mobile networks based on SS7 protocols. Positive Technologies, 2014. http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf
4. Cell phones and total NSA surveillance: How does it work? Positive Technologies, 2014. http://habrahabr.ru/company/pt/blog/245113/
5. 4G ‘inherently less secure’ than 3G. The Telegraph, 2014. http://www.telegraph.co.uk/technology/internet-security/10951812/4G-inherently-less-secure-than-3G.html
6. Mobile Internet security from inside and outside. Positive Technologies, 2013. http://habrahabr.ru/company/pt/blog/188574/
7. GRX and a Spy Agency. http://www.slideshare.net/StephenKho/on-her-majestys-secret-service-grx-and-a-spy-agency
8. 3GPP TS 29.060. http://www.3gpp.org/DynaReport/29060.htm
BTS - Base Transceiver Station; a piece of equipment (repeaters, transceivers) that facilitates wireless communication between user equipment and a network.
CI - Cell ID
CS - Circuit Switched; data transmission with channel switching
DNS - Domain Name System
FTP - File Transfer Protocol
GGSN - Gateway GPRS Support Node; the node affiliated to the PS Core Network, it enables the routing of data between the GPRS Core network and external IP networks
GPRS - General Packet Radio Service
GRX - Global Roaming eXchange; network that provides packet data services to subscribers in roaming
GTP - GPRS Tunneling Protocol; a protocol describing and performing the transmission of data between GSN nodes within the packet network
HLR - Home Location Register; a database storing all information about the subscriber
MCC - Mobile Country Code; a code of the country in which the Base Station is located
MMS - Multimedia Message System; a system for multimedia messaging (images, audio and video files) within the mobile network
MNC - Mobile Network Code
MSISDN - Mobile Subscriber Integrated Services Digital Number
PS - Packet Switched; data transmission with packet switching
SGSN - Service GPRS Support Node; the main component of the GPRS system for implementation of all packet data processing functions
SS7 - Signaling System 7; a common channel signaling system used in the international and local telephone networks around the world
SSH - Secure Shell
TEID - Tunnel Endpoint IDentifier
UDP - User Datagram Protocol
UMTS - Universal Mobile Telecommunications System; a mobile technology developed by the European Telecommunications Standards Institute (ETSI) in order to implement a 3G service in Europe.