1. GTP Vulnerabilities: A cause for concern in 5G and LTE networks
Pavel Novikov
Pavel.Novikov@security-gen.com
Kirill Puzankov
Kirill.Puzankov@security-gen.com
2. Presenters
Pavel Novikov
Pavel.Novikov@security-gen.com
• 10 years in telecom security
• Co-author of the GSMA FS.20 GPRS Tunneling Protocol (GTP) Security document
• Head of telecom security research at SecurityGen
• Focused on telecom vulnerabilities: RAN, VoLTE, VoWiFi, GTP, Diameter, 5G SA and NSA
• Conducting telecom security assessments for mobile operators for many years
Kirill Puzankov
Kirill.Puzankov@security-gen.com
• 10 years in telecom security
• Product manager at SecurityGen
• Exploring telco threats and vulnerabilities, starting from SS7 up to 5G
• Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture
Confidential. Copyright © 2023 SecurityGen. All rights reserved.
3. What is GTP?
GPRS Tunnelling Protocol (GTP) - a group of IP-based communications protocols used to carry general packet radio service (GPRS) within GSM, UMTS, LTE and 5G networks.
GTP variants: GTP-C, GTP-U, GTP’
• 3GPP 29.281 Packet Radio System (GPRS) Tunnelling Protocol User Plane (GTPv1-U)
• 3GPP 29.060 General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface
• 3GPP 29.274 Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C)
• 3GPP 32.295 Telecommunication management; Charging management; Charging Data Record (CDR) transfer
6. GTP Security: why is it important?
• Widespread
• Lacks built-in security mechanisms
• Roaming connection
• Fraud
• Interception
• DoS
• etc.
8. Where is GTP? - 4G Network, GTPv2
[Network diagram. Labels: UE, eNb, UTRAN, SGW, PGW, Internet, S8 interface, GRX, Network 1, Attacker (shown twice)]
9. Analytics
Attack scenarios
• Data interception via Create PDP Context request
• Fraud via Create Session request with a non-existent subscriber
• Impersonation via Create Session request
• Data disclosure via SGSN Context request
• Network DoS via Create Session request
• Subscriber DoS via Update PDP Context request
Methodology
• 150+ telecom security assessments, 2022
• 39 MNOs
• 24 countries
• SEA, LATAM, MEA
11. Attacks and impact
85% of networks are vulnerable to subscriber DoS attacks via different techniques:
• Fake session on behalf of the subscriber
• Illegitimate change of the PGW node, redirecting subscriber traffic
• Deletion of the subscriber session
12. Attacks and impact
71% of networks are vulnerable to information disclosure attacks via:
• Obtaining the TEID, which is needed to carry out other attacks
• It is also possible to obtain the IMEI, radio encryption keys and internal IP addresses
13. Attacks and impact
69% of networks are vulnerable to user traffic interception:
• The intruder can change the actual nodes that process user traffic, so that all incoming traffic is handled by the intruder
14. Attacks and impact
62% of networks are vulnerable to fraud:
• The intruder can establish a connection on behalf of a non-existent subscriber
15. Attacks and impact
46% of networks are vulnerable to network DoS:
• By sending numerous requests to open new connections, which may lead to occupation of the whole DHCP server pool or GTP tunnel pool
17. Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners.
Often requires no additional equipment for filtering incoming traffic, effectively blocking "wild" GTP hackers connected to a rogue provider.
• Attacker may gain access to the trusted MNO.
• Partners may lease their IP ranges and parts of their infrastructure to third parties.
2. Implementing GSMA-recommended security measures.
Based on GSMA FS.20 GTP Security recommendations.
• Requires a GTP firewall with cross-protocol checks
• Implement monitoring
3. Combination of the approaches mentioned above.
Combines the advantages of the first two, offering the highest level of security.
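Measures 1 and 2 sketched as an added example (not from the slides and not SecurityGen's product): a Python filter that checks the source address of an incoming GTPv2-C message against roaming-partner ranges, then, for a Create Session Request, requires that the IMSI is one already seen registering through that partner. The partner range, the IMSI set, the sample packets and the cross-protocol rule itself are constructed assumptions; message type 32 and IMSI IE type 1 are from 3GPP TS 29.274.

```python
import ipaddress
import struct

# Constructed policy data (assumptions for this example, not from the slides).
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # roaming partner GTP range
ROAMING_IMSIS = {"001010123456789"}  # IMSIs seen in Diameter/SS7 roaming signalling
CREATE_SESSION_REQUEST, IE_IMSI = 32, 1  # GTPv2-C message type and IE type
# Constructed Create Session Requests: known IMSI, then an unknown IMSI.
SAMPLE_OK = bytes.fromhex("482000140000000000000100" "010008000001012143658 7f9".replace(" ", ""))
SAMPLE_UNKNOWN = bytes.fromhex("482000140000000000000100" "01000800000191999999 99f9".replace(" ", ""))

def parse_gtpv2c(pkt: bytes):
    """Return (msg_type, {ie_type: value}); raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTPv2")
    if length != len(pkt) - 4:          # length excludes the first 4 octets
        raise ValueError("length field mismatch")
    hdr = 12 if flags & 0x08 else 8     # T flag set: a 4-octet TEID follows
    if len(pkt) < hdr:
        raise ValueError("truncated header")
    ies, off = {}, hdr
    while off + 4 <= len(pkt):          # IE: type(1) length(2) spare/instance(1) value
        ie_type, ie_len = struct.unpack("!BH", pkt[off:off + 3])
        if off + 4 + ie_len > len(pkt):
            raise ValueError("IE overruns packet")
        ies.setdefault(ie_type, pkt[off + 4:off + 4 + ie_len])
        off += 4 + ie_len
    return msg_type, ies

def decode_tbcd(b: bytes) -> str:
    """TBCD digits: low nibble first, 0xF is filler."""
    return "".join(f"{x & 0x0F:x}{x >> 4:x}" for x in b).rstrip("f")

def verdict(src_ip: str, pkt: bytes) -> str:
    if not any(ipaddress.ip_address(src_ip) in n for n in PARTNER_NETS):
        return "drop: source is not a roaming partner"         # measure 1
    try:
        msg_type, ies = parse_gtpv2c(pkt)
    except ValueError as e:
        return f"drop: malformed ({e})"
    if msg_type == CREATE_SESSION_REQUEST:                      # measure 2, one check
        imsi = decode_tbcd(ies.get(IE_IMSI, b""))
        if imsi not in ROAMING_IMSIS:
            return "drop: IMSI not registered via this partner"
    return "accept"
```

The second sample packet comes from an allowed partner address and is still dropped, which is the case the slide's caveats about IP filtering alone describe.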
18. Current real security measures
Implemented protection measures
IP filtering of roaming partners
Configuration not directly connected to security
No Security measures
77%
8%
15%
19. Our solution: TSG Protection Suite
20. - Stay Tuned.
About SecurityGen
Founded in 2022, SecurityGen is a global start-up focused on telecom security. We deliver a solid security foundation to drive secure Telco digital transformations and ensure safe and robust network operations.
Connect With Us
Email: contact@secgen.com
Website: www.secgen.com