VULNERABILITIES

OF MOBILE
INTERNET
(GPRS)

Dmitry Kurbatov
Sergey Puzankov
Pavel Novikov

2014
 Contents
1. Introduction 3
2. Summary 3
3. Mobile network scheme 4
4. GTP protocol 5
5. Searching for mobile operator’s facilities on the Internet 7
6. Threats 10
6.1. IMSI brute force 10
6.2. The disclosure of subscriber’s data via IMSI 11
6.3. Disconnection of authorized subscribers from the Internet 12
6.4. Blocking the connection to the Internet 13
6.5. Internet at the expense of others 14
6.6. Data interception 15
6.7. DNS tunneling 16
6.8. Substitution of DNS for GGSN 17
7. Conclusion and recommendations 18

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 2

1. Introduction
Modern mobile networks facilitate the most convenient access to the
Internet without the need for static infrastructures. People can access
email, messengers, social networks and online stores whenever and
wherever they need it. A range of businesses use mobile Internet for
remote administration, financial operations, e-commerce, M2M and
some other purposes. Government organizations provide more and
more services via the web, and it results in a significant increase in
the volume of the world’s mobile data traffic. This traffic is expected
to increase significantly in both 3G/3.5G and 4G through 2018, see
table below.
Many users have approached the use of broadband Internet access
with caution, due to publicity around security breaches. In response
Exabytes per Month
18
16
14
12
10
4
2 9%
60%
0 4G
30%
2013 2014 2015
Source: Cisco VNI Mobile 2014
Fig. 1. The expected growth in mobile data traffic [1]
2. Summary
Positive Technologies has determined that there are serious security
issues in the networks that support mobile Internet devices. A large
number of devices belonging to 2G/3G networks of mobile network
operators are available via open GTP ports as well as some other open
communication protocols (FTP, Telnet, HTTP). An attacker can connect
to the node of a mobile network operator by exploiting vulnerabilities
(for example, default passwords) in these interfaces.
Having acquired access to the network of any operator, an at-
tacker can automatically gain access to the GRX network, which in
turn allows him/her to perform various attacks on subscribers of any
operator:
1. Searching for valid IMSI
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
to this, a great number of security solutions were introduced to pro-
tect this services sector, such as antivirus software, firewalls, etc. By
contrast, the level of consciousness about security while using the
mobile Internet is relatively low. Most users assume that mobile net-
work access is much safer because a big mobile-telecoms provider
will protect subscribers and has the benefit of the developments in
security from the broadband Internet arena. Unfortunately, as prac-
tice shows, mobile Internet is a great opportunity for the attacker,
and can be less secure than more traditional options. This report will
provide an analysis of these threats, as well as recommendations to
ensure the safety of mobile Internet services.
3%
46%
51% 2/2.5G
3/3.5G
2016 2017 2018
2. Obtaining subscriber’s data via IMSI (including his/her location)
3. Disconnection of subscribers from the Internet or blocking their
access to the Internet
4. Connecting to the Internet with credentials of the legitimate
user and at the expense of others
5. Listening to the traffic of the victim
6. Engage in a fishing attack
Security measures required to protect against such attacks include
proper configuration of equipment, utilizing a firewall and regular se-
curity monitoring. More details on the recommended set of protec-
tive measures is provided in the final part of this review.
3
3. Mobile network scheme
Fig. 2. Provider’s mobile network
Mobile provider’s network consists of the Circuit Switched Core
Network (CS core), the Packet Switched Core Network (PS core),
the base station network and its 2G controllers (BSC and BTS in the
scheme), and the base station network and its 3G controllers (Node
B and RNC). The scheme shows that 3G network is based on 2G radio
access network; the rest of the operator’s network does not undergo
any significant changes in the evolution to the third generation. As
clearly outlined in Figure 2.2, the operators’ networks have not under-
gone any significant changes in terms of security from 2G to 3G to 4G.
Below is the packet data transfer subsystem (PS core).
The scheme in Figure 3 illustrates the architecture of the system
used to transmit data in a 2G network. There are some differences in
the chain MS (mobile station) — SGSN within the 3G network (UMTS
network). The scheme shows that an attacker can access the provid-
er’s network using:
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
• Subscriber’s Mobile Station
• The Internet
• The GRX network, i.e. via another mobile provider
Thus if an attacker enters the network of any mobile provider in the
world, he/she will be able to affect other providers.
Service GPRS Support Node (SGSN) and Gateway GPRS Support
Node (GGSN) are the basic elements for data transmission. The former
one is used to provide subscribers with data transmission services and
it also interacts with other network elements; the latter is a gateway
between the internal operator’s network and the Internet.
In addition to the Internet connection, there is a connection to
the GRX network — Global Roaming eXchange, which is based on
complicated relationships between individual operators (intercon-
nection of networks) used to provide Internet access to subscribers
in roaming.
4
 Fig. 3. A scheme for the packet data transmission within mobile networks (including information on protocols)
4. GTP protocol
GTP protocol is used to send the traffic within PS core and GRX. This is a
tunneling protocol, which runs over UDP and utilizes port 2123 (for man-
agement purposes, GTP-C), port 2152 (for transmitting user data, GTP-U),
and 3386 (for billing, GTP’).
Message Type field in the GTP header is primarily used for manage-
ment purposes in GTP-C. Usually, in GTP-U Message Type = 0xFF (T-PDU).
Tunnel Endpoint Identifier (TEID) is a tunnel identifier that is not associ-
ated with an IP address, i.e., packages can be sent with the same TEID but
from different IP addresses (in case if the subscriber moves and switches
to another SGSN).
PDP Context Activation procedure is executed when the subscriber is
connecting to the Internet.
In simplified form, the procedure is as follows:
1. The phone sends an Activate PDP Context request, which (amongst
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
other information) contains the login, password, and APN.
2. After receiving the APN, SGSN tries to resolve it on the internal
DNS server; the server resolves the received APN and provides the cor-
responding GGSN address.
3. The SGSN sends the Create PDP Context request to this address.
4. The GGSN authenticates the submitted login and password, for ex-
ample, on the RADIUS server.
5. The GGSN obtains an IP address for the mobile phone and transmits
all data required for PDP context activation back to the SGSN.
6. The SGSN accomplishes the activation procedure by sending back
to the phone all the data required for establishing a connection.
In fact, the PDP Context Activation procedure is the creation of a tun-
nel between a cell phone and a gateway (GGSN) on the operator’s mo-
bile network.
5
 Octets 8 7 6 5 4 3 2 1
1 Version PT (*) E S PN
2 Message Type
3 Length (1st Octet)
4 Length (2nd Octet)
5 Tunnel Endpoint Identifier (1st Octet)
6 Tunnel Endpoint Identifier (2nd Octet)
7 Tunnel Endpoint Identifier (3rd Octet)
8 Tunnel Endpoint Identifier (4th Octet)
9 Sequence Number (1st Octet)1) 4)
10 Sequence Number (2nd Octet)1) 4)
11 N-PDU Number2) 4)
12 Next Extension Header Type3) 4)

NOTE 0: (*) This bit is a spare bit. It shall be sent as '0'. The receiver shall not evaluate this bit.
NOTE 1: 1) This field shall only be evaluated when indicated by the S flag set to 1.
NOTE 2: 2) This field shall only be evaluated when indicated by the PN flag set to 1.
NOTE 3: 3) This field shall only be evaluated when indicated by the E flag set to 1.
NOTE 4: 4) This field shall be present if and only if any one or more of the S, PN and E flags are set.

Fig. 4. GTP header structure

PDP Context Activation

SGSN DNS GGSN RADIUS DHCP

1. Activate PDP 2a. DNS Request 4a. Radius Authenticate

Context Request mncXXX.mscXXX.internet Request

2b. DNS Response GGSN IP 4b. Radius Authenticate Response

3. Create PDP Context Request 5a. DHCP Address Request

7. Activate PDP 6. Create PDP Context Response 5a. DHCP Address Assignment
Context Accept

GTP U GTP C + GTP U

Fig. 5. The procedure for establishing a connection

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 6

5. Searching for mobile operator’s facilities on the Internet
We already know that GGSN must be deployed as an edge device. Us-
ing Shodan.io search engine for Internet-connected devices, we can
Fig. 6. Search results in Shodan
Search result displays about 40 devices using this abbreviation in
their banners. The screenshot provides a list of some devices that use
this abbreviation, including devices with open Telnet and turned off
password authentication. An attacker can perform an intrusion into
the network of the operator in the Central African Republic by con-
necting to this device and implementing the required settings.
Having access to the network of any operator, the attacker will
automatically get access to the GRX network and other operators of
mobile services. One single mistake made by one single operator in
Fig. 7. Countries with the largest number of hosts with open GTP ports (more than 1000)
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
find the required devices by their banners.
the world creates this opportunity for attack to many other mobile
networks. There are more ways of using the compromised boundary
host, for example, DNS spoofing attack (more information about at-
tacks is considered below).
GGSN and SGSN can also be found in other ways. GTP protocol
described above can be used only within PS core and GRX networks
and should not be accessible from the Internet. In practice, however,
things are often quite different: There are more than 207,000 devices
with open GTP ports all over the global Internet.
7
Fig. 8. The distribution of hosts with open GTP ports around the world
What can be said about these 207,000 devices? 7,255 devices are
not associated with GTP and send HTTP responses (see fig. 9)
The remainder of the 200,000 addresses respond with correct GTP
messages. A more in-depth analysis shows that an individual device
may not be a component of a mobile network: these are universal
devices utilized for other purposes when administrators of certain sys-
Fig. 9. The response to GTP request received from equipment by Internet Rimon LTD
Fig. 10. Responses to attempts to establish a PDP connection
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
tems did not turn off this feature for them. Alcatel-Lucent 7750 and
ZTE ZXUN xGW can often be found among such devices, and the lat-
ter has open FTP and Telnet ports.
548 devices responded to the request for establishing a connec-
tion: four of them allow a user or attacker to create a tunnel while
other respond with various errors.
8
 Let us look into the responses:
1. System failure and Mandatory IE incorrect responses imply
that the fields of the GTP packet required for this node were not filled.
2. No resources available response means that node’s DHCP pool
or PDP pool has run out.
3. Missing or unknown APN and Service not supported re-
sponses imply that the current APN is not included into the list of
authorized APNs (you can find proper APNs on the provider’s website
in the Internet, WAP, or MMS settings).
4. Accept response implies that the device provides an IP address
and other connection attributes, i.e. a tunnel is created.

4%
HTTP

81%
FTP

25%
SSH

82%
Telnet

4%
BGP

44%
VPN (UDP:500)

Fig. 11. Number of hosts with various services

2013 82%
Dictionary passwords 2011–2012 79%

2013 82%
Management interfaces available 2011–2012
to any Internet user 58%

2013 82%
Use of open data transfer 2011–2012
protocols 47%

2013 64%
Vulnerabilities of system
and application software 2011–2012 10%
caused by lack of updates
2013 55%
SQL Injection 2011–2012 63%

2013 55%
Unrestricted File Upload 2011–2012 25%

2013 45%
Storing important data 2011–2012
unencrypted 47%

2013 45%
Path traversal 2011–2012 42%

2013 36%
Dictionary SNMP Community
String value (public) 2011–2012 21%

2013 36%
DBMS access interfaces available
to any Internet user 2011–2012 10%

Fig. 12. Top 10 vulnerabilities typical of a network perimeter

Therefore, an attacker coming from the Internet can detect the
proper GGSN, set up the GTP connection and then encapsulate GTP
control packets into the created tunnel. If parameters were selected
properly, GGSN will take them as packets from legitimate devices
within the operator’s network.
Another benefit for attackers is that GTP is not the only protocol
used on detected hosts. Telnet, FTP, SSH, Web, etc. are also used for
management purposes. The figure below shows how many open
ports were detected for each protocol.
According to statistics provided by Positive Technologies, pen-
etration tests revealed that data transferring via open protocols (FTP,
Telnet, HTTP) and availability of management interfaces from the In-
ternet are the most frequent vulnerabilities to appear in the network
perimeter of large companies’ information systems. Moreover, the
distribution of these vulnerabilities has doubled in 2013 compared to
2011/2012, effectively creating a larger number and range of attacks
for mobile Internet suppliers and users to consider.

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 9

6. Threats
The following parameters are typical for the described attacks: the
complexity of implementing (having regard to conditions) is me-
6.1. IMSI brute force
Goal: To find a valid IMSI.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: IMSI is the SIM card Number (International Mobile
Subscriber ID). It consists of 15 digits, the first three identify the Mo-
bile Country Code (MCC), the next two digits are the Mobile Network
Code (MNC). You can choose the required operator on the website
www.mcc-mnc.com, enter the MCC and MNC and then brute force
Fig. 13. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
dium, the reproducibility (i.e. the reuse of the attack by other at-
tackers) is high.
the remaining 10 digits by sending a “Send Routing Information for
GPRS Request” message via GRX. This message can be sent to any
GSN device, which converts the request into an SS7 format (CS core
network component) and sends it to HLR where it is processed by
SS7 network. If the subscriber with this IMSI uses the Internet, we can
get the SGSN IP address serving the mentioned subscriber. Otherwise,
response will be as follows: “Mobile station Not Reachable for GPRS”.
Result. Obtaining a list of valid IMSI for further attacks.
10
6.2. The disclosure of subscriber’s data via IMSI
Goal: To obtain a phone number, location data, information about
the model of a subscriber’s mobile device via IMSI.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: An attacker can use this vulnerability after the suc-
cess of the previous attack or if he/she gets a subscriber’s IMSI via a
viral application for the subscriber’s smartphone. The attacker needs
to know the SGSN IP address, garnered from the previous attack. Af-
ter that, the attacker sends an Update PDP Context Request to the
Fig. 14. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
SGSN IP address requesting the subscriber’s location; the GSN Control
Plane is spoofed with the attacker’s IP address. The response contains
MSISDN (Mobile Subscriber Integrated Services Digital Number), IMEI
(International Mobile Equipment Identity, it helps to identify the mod-
el of a subscriber’s phone) and the current subscriber’s mobile radio
base tower (MCC, MNC, LAC, CI). Consequently, the attacker can find
the subscriber’s location accurate to several hundred meters using
the following website: https://xinit.ru/bs/ or http://opencellid.org/.
Result: The required information about the subscriber is obtained.
11
6.3. Disconnection of authorized subscribers from the Internet
Goal: To disconnect the connected subscribers.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: The attack is based on sending the “PDP context de-
lete request” packets to the target GGSN with all the TEID listed. The
PDP Сontext information is deleted, which causes disconnection of
authorized subscribers.
At the same time, GGSN unilaterally closes tunnels and sends the
Fig. 15. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
responses on this event to the attacker. A valid SGSN used by the
subscriber to set up the connection doesn’t have information about
closing connections, so tunnels continue to occupy the hardware re-
sources. The subscriber’s Internet stops working, but the connection
is displayed as active.
Result: All subscribers connected to this GGSN will be discon-
nected. The amount of subscribers served by one GGSN is 100,000—
10,000,000.
12
6.4. Blocking the connection to the Internet
Goal: To block the establishment of new connections to the
Internet.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: The attack is based on sending the “Create PDP con-
text request” packets with IMSI list, thus the exhaustion of the avail-
able pool of PDP tunnels occurs. For example, the maximum number
of PDP Context Cisco 7200 with 256 MB of memory is 80,000, with
512 MB — 135,000: it is not difficult to brute force all possible combi-
nations. Moreover, more and more IP addresses from DHCP pool are
issued and they may be exhausted. It does not matter what will be
exhausted first — the DHCP pool or the PDP pool, — after all, GGSN
will response with “No resource available” to all valid connection re-
quests. Moreover, GGSN cannot close tunnels, because when you try
Fig. 16. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
to close one, GGSN sends an attacker “Delete PDP context request”
with the number of the tunnel to be closed. If there is no response
(actually, there isn’t any response because an attacker does not want
this to happen), GGSN sends such requests over and over again. The
resources remain occupied.
In case of successful implementation of this attack, authorized sub-
scribers will not be able to connect to the Internet and those who
were connected will be disconnected as GGSN sends these tunnels
to the attacker’s address.
This attack is an analogue of the DHCP starvation attack at the GTP
level.
Result: The subscribers of the attacked GGSN will not be able to
connect to the Internet. The amount of subscribers served by one
GGSN is 100,000—10,000,000.
13
6.5. Internet at the expense of others
Goal: The exhaustion of the subscriber’s account and use of the
connection for illegal purposes.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: The attack is based on sending the “Create PDP con-
text request” packets with the IMSI of a subscriber known in advance.
Thus, the subscriber’s credentials are used to establish connection.
Fig. 17. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
Unsuspecting subscriber will get a huge bill.
It is possible to establish connection via the IMSI of a non-existent
subscriber, as subscriber authorization is performed at the stage of
connecting to SGSN and GGSN receives already verified connections.
Since the SGSN is compromised, no verification is carried out.
Result: An attacker can connect to the Internet with the creden-
tials of a legitimate user.
14
6.6. Data interception
Goal: To listen to the traffic of the victim and conduct a fishing
attack.
Attack vector: An attacker conducts attacks from the GRX network
or the operator’s network.
Description: An attacker can intercept data sent between the sub-
Fig. 18. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
scriber’s device and the Internet by sending an “Update PDP Context
Request” message with spoofed GSN addresses to SGSN and GGSN.
This attack is an analogue of the ARP Spoofing attack at the GTP level.
Result: Listening to traffic or spoofing traffic from the victim and
disclosure of sensitive data.
15
6.7. DNS tunneling
Goal: To get non-paid access to the Internet from the subscriber’s
mobile station.
Attack vector: The attacker is the subscriber of a mobile phone
network and acts through a mobile phone.
Description: This is a well-known attack vector, rooted in the days
of dial-up, but the implementation of low-price and fast dedicated
Internet access made it less viable. However, this attack can be used
in mobile networks, for example, in roaming when prices for mobile
Internet are unreasonably high and the data transfer speed is not that
Fig. 19. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
important (for example, for checking email).
The point of this attack is that some operators do not rate DNS traf-
fic, usually in order to redirect the subscriber to the operator’s web-
page for charging the balance. An attacker can use this vulnerability
by sending special crafted requests to the DNS server; to get access
one needs a specialized host on the Internet.
Result: Getting non-paid access to the Internet at the expense of
mobile operator.
16
6.8. Substitution of DNS for GGSN
Goal: To listen to the traffic of the victim, to conduct a fishing
attack.
Attack vector: An attacker acts through the Internet.
Description: If an attacker gets access to GGSN (which is quite
possible as we could see), the DNS address can be spoofed with the
Fig. 20. The scheme of the attack
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
attacker’s address and all the subscriber’s traffic will be redirected
through the attacker’s host. Thus, listening to all the mobile traffic of
the subscriber is possible.
Result: An ability to listen to traffic or spoof traffic from all subscrib-
ers and then gather confidential data to engage it in fishing attacks.
17
7. Conclusion and recommendations
Modern mobile networks feature serious vulnerabilities, which allow
attackers to perform various attacks against both certain mobile Inter-
net users and the entire infrastructure (for example, for the purpose of
industrial espionage or elimination of competitors on the market) us-
ing inexpensive equipment. In addition, the deterioration of interna-
tional relationships and security has historically triggered cell phone
tapping followed by the scandalous publication of negotiations be-
tween politicians or military officials.
Some of the attacks cannot be performed if the mobile equipment is
configured properly, but the results our research suggest that miscon-
figuration is a common problem in the telecommunications sphere by
those attempting to save money on security. Vendors often leave some
services enabled while these services should be disabled on this equip-
ment, which gives additional opportunities to attackers.
Many people rely on new communication standards that include
new safety technologies. However, despite the development of such
standards (3G, 4G) we cannot completely abandon the use of old gen-
eration networks (2G). The reason is the specifics of the implementation
of mobile networks and the fact that the 2G base stations have better
coverage as well as the fact that 3G networks use their infrastructure.
Fig. 21. The recommended set of security measures
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
Also, as of later 2014, the majority of operators in the world do not
provide opportunities for voice transmission over 4G networks: during
a call mobile phone switches forcedly to 3G network or even to 2G and
after a call it switches back, if it is possible. The possibility of such “invis-
ible” switches is widely used for mobile surveillance.
The key difference between 4G and other networks — voice trans-
mission over IP, may be a vulnerability itself: therefore, not only data
but also phone calls may be affected. Therefore, we should expect even
more surprises from 4G networks. As for the currently used networks
(2G and 3G), Positive Technologies experts recommend to implement
the following security measures on the side of communication provid-
ers (fig. 21):
1. Use firewalls at the GRX network edge for blocking services that are
not associated with providing an Internet access to subscribers in
roaming (only required services are permitted: GTP, DNS, etc.).
2. Use firewalls at the Internet edge for blocking services that should
not be accessible from the Internet.
3. Use 3GPP TS 33.210 recommendations to configure the security
settings within the PS Core network. The network must be secured,
in particular, by using IPsec to send the GTP-C traffic within PS core.
18
4. Carry out a regular security monitoring of the perimeter (Advanced
Border Control service). This set of measures will monitor the Cus-
tomer’s network protection against external threats. The monitor-
ing implies regular scanning of all operator’s networks and hosts
available from the Internet. Scanning reveals available network ser-
vices, their versions, and types of operational systems. Information
Fig. 22. MaxPatrol Compliance Management
Sources
1. Cisco Global Mobile Data Traffic Forecast Update, 2013–2018. Cisco
VNI Mobile, 2014
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/
visual-networking-index-vni/white_paper_c11-520862.pdf
2. Vulnerability Statistics for Corporate Information Systems (2013),
Positive Technologies, 2014.
http://www.ptsecurity.ru/download/PT_Corporate_vulnerability_
2014_rus.pdf
3. Vulnerabilities of mobile networks based on SS7 protocols. Positive
Technologies, 2014
http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf
4. Cell phones and total NSA surveillance: How does it work? Positive
Technologies, 2014
http://habrahabr.ru/company/pt/blog/245113/
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
obtained during the scanning is checked against the vulnerabilities
and exploits database. Thus, the operator is able to control the pe-
rimeter from the point of the attacker, predict possible attacks and
prevent them.
5. Develop security compliances of equipment and perform regular
compliance management tasks (see example in fig.22).
5. 4G ‘inherently less secure’ than 3G The Telegraph, 2014
http://www.telegraph.co.uk/technology/internet-security/10951812/
4G-inherently-less-secure-than-3G.html
6. Mobile Internet security from inside and outside Positive Technolo-
gies, 2013
http://habrahabr.ru/company/pt/blog/188574/
7. GRX and a Spy Agency
http://www.slideshare.net/StephenKho/on-her-majestys-secret-
service-grx-and-a-spy-agency
8. 3GPP TS 29.060
http://www.3gpp.org/DynaReport/29060.htm
19
List of abbreviations
APN - Access Point Name; a symbolic name of an access point
through which the user can get access to the requested type of the
service (WAP, Internet, MMS)
BSC - Base Station Controller
BTS - Base Transceiver Station; a piece of equipment (repeaters,
transceivers) that facilitates wireless communication between user
equipment and a network.
CI - Cell ID
CS - Circuit Switched; data transmission with channel switching
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name System
FTP - File Transfer Protocol
GGSN - Gateway GPRS Support Node; the node affiliated to PS Core
Network, it enables the routing of data between GPRS Core network
and external IP networks
GPRS - General Packet Radio Service
GRX - Global Roaming eXchange; network that provides packet
data services to the roaming
GTP - GPRS Tunneling Protocol; a protocol describing and perform-
ing the transmission of data between GSN nodes within the packet
network
HLR - Home Location Register; a database storing all information
about the subscriber
HTTP - HyperText Transfer Protocol
VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014
IMEI - International Mobile Equipment Identity
IMSI - International Mobile Subscriber Identity
LAC - Local Area Code
MCC - Mobile Country Code; a code of country, in which the Base
Station is located
MMS - Multimedia Message System; a system for multimedia mes-
saging (images, audio and video files) within the mobile network
MNC - Mobile Network Code
MS - Mobile Station
MSISDN - Mobile Subscriber Integrated Services Digital Number
PS - Packet Switched; data transmission with packet switching
SGSN - Service GPRS Support Node; the main component of the GPRS
system for implementation of all packet data processing functions
SS7 - Signaling System 7; a common channel signaling system used
in the international and local telephone networks around the world
SSH - Secure Shell
TEID - Tunnel Endpoint IDentifier
UDP - User Datagram Protocol
UMTS - Universal Mobile Telecommunications System; a mobile
technology developed by the European Telecommunications Stan-
dards Institute (ETSI) in order to implement a 3G service in Europe.
WAP - Wireless Application Protocol
20