GTP Vulnerabilities: A cause for concern in 5G and LTE networks
Pavel Novikov
Pavel.Novikov@security-gen.com
Kirill Puzankov
Kirill.Puzankov@security-gen.com
Presenters
Pavel Novikov
Pavel.Novikov@security-gen.com
• 10 years in telecom security
• Co-author of GSMA FS.20 GPRS Tunneling Protocol (GTP) Security document
• Head of telecom security research in SecurityGen
• Focused on telecom vulnerabilities: RAN, VoLTE, VoWiFi, GTP, Diameter, 5G SA and NSA
• Conducting telecom security assessments for mobile operators for many years
Kirill Puzankov
Kirill.Puzankov@security-gen.com
• 10 years in telecom security
• Product manager in SecurityGen
• Exploring telco threats and vulnerabilities starting from SS7 up to 5G
• Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture
Confidential. Copyright © 2023 SecurityGen. All rights reserved.
What is GTP?
GPRS Tunnelling Protocol (GTP) - a group of IP-based communications protocols used to carry general packet radio service (GPRS) within GSM, UMTS, LTE and 5G networks.
GTP components: GTP-C, GTP-U, GTP’
• 3GPP 29.281 Packet Radio System (GPRS) Tunnelling Protocol User Plane (GTPv1-U)
• 3GPP 29.060 General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface
• 3GPP 29.274 Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C)
• 3GPP 32.295 Telecommunication management; Charging management; Charging Data Record (CDR) transfer
Where is GTP?
[Diagram: 4G network, GTPv2. Labels: UE, eNb (E-UTRAN), MME, MME, SGW, PGW, Internet; GTP-U, GTP-C; S1-U, S5, S10 and S11 interfaces.]
GTP protocol stack
[Diagram: layers L1, L2, IP, UDP, GTP-C; the GTP-C message consists of a GTP header and information elements, with group information elements in v2 only.]
GTP security: why is it important?
• Widespread
• Lacks built-in security mechanisms
• Roaming connection
• Fraud
• Interception
• DoS
• etc.
Roaming in GTP
[Diagram: 4G network, GTPv2. Network 1 and Network 2, each with UE, eNb (UTRAN), SGW, PGW and Internet; labels GTP-U, GTP-C, S8 interface, GRX.]
Where is GTP?
[Diagram: 4G network, GTPv2. Labels: Network 1, UE, eNb (UTRAN), SGW, PGW, Internet, S8 interface, GRX, Attacker.]
Analytics
Attack scenarios
• Data interception via Create PDP Context request
• Fraud via Create Session request with a non-existent subscriber
• Impersonation via Create Session request
• Data disclosure via SGSN Context request
• Network DoS via Create Session request
• Subscriber DoS via Update PDP Context request
Methodology
• 150+ telecom security assessments 2022
• 39 MNOs
• 24 countries
• SEA, LATAM, MEA
Level of protection
Attacks and impact
85% of networks are vulnerable to subscriber DoS attacks via different techniques:
• Fake session on behalf of the subscriber
• Illegitimate change of PGW node, causing redirection of subscriber traffic
• Deletion of subscriber session
Attacks and impact
71% of networks are vulnerable to information disclosure attacks via:
• Obtaining the TEID, which is needed to carry out other attacks
• It is also possible to obtain the IMEI, radio encryption keys and internal IP addresses
Attacks and impact
69% of networks are vulnerable to user traffic interception:
• The intruder can change the actual nodes that process user traffic, so that all incoming traffic is handled by the intruder
Attacks and impact
62% of networks are vulnerable to fraud:
• The intruder can establish a connection on behalf of a non-existent subscriber
Attacks and impact
46% of networks are vulnerable to network DoS:
• By sending numerous requests to open new connections, which may exhaust the whole DHCP server pool or the GTP tunnel pool
Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners.
2. Implementing GSMA-recommended security measures.
3. Combination of the approaches mentioned above.
Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners. Often requires no additional equipment for filtering incoming traffic, effectively blocking "wild" GTP hackers connected to a rogue provider.
• Attacker may gain access to the trusted MNO.
• Partners may lease their IP ranges and parts of their infrastructure to third parties.
2. Implementing GSMA-recommended security measures. Based on GSMA FS.20 GTP Security recommendations.
• Requires GTP-Firewall with cross-protocol checks
• Implement monitoring
3. Combination of the approaches mentioned above. Combines the advantages of the first two, offering the highest level of security.
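The following added example (not from the original slides, and not SecurityGen's code) applies measure 1, source-IP allowlisting of roaming partners, to GTPv2-C packets and adds the per-peer monitoring called for under measure 2, so that an allowlisted peer sending numerous Create Session requests is still flagged. The prefixes, the threshold and all function names are assumptions; the header layout and message type 32 (Create Session Request) follow 3GPP TS 29.274.

```python
import ipaddress
import struct
from collections import Counter

CREATE_SESSION_REQUEST = 32   # GTPv2-C message type (3GPP TS 29.274)
# Assumption: documentation-range prefix standing in for roaming partners' ranges.
PARTNER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
CSR_LIMIT = 3                 # assumed per-source alert threshold per window


def parse_gtpv2_header(payload: bytes) -> dict:
    """Parse the GTPv2-C header carried in a UDP payload."""
    if len(payload) < 8:
        raise ValueError("too short for a GTPv2-C header")
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTP version 2")
    has_teid = bool(flags & 0x08)          # T flag: TEID field present
    header_len = 12 if has_teid else 8
    # The length field counts every octet after the first four.
    if (len(payload) < header_len or length < header_len - 4
            or length + 4 > len(payload)):
        raise ValueError("length field inconsistent with payload")
    if has_teid:
        teid = struct.unpack("!I", payload[4:8])[0]
        seq = int.from_bytes(payload[8:11], "big")
    else:
        teid, seq = None, int.from_bytes(payload[4:7], "big")
    return {"type": msg_type, "teid": teid, "seq": seq}


def classify(src_ip: str, payload: bytes, csr_counts: Counter) -> str:
    """Verdict for one packet arriving on the roaming-facing interface."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in PARTNER_PREFIXES):
        return "drop-not-partner"          # measure 1: IP filtering
    try:
        hdr = parse_gtpv2_header(payload)
    except ValueError:
        return "drop-malformed"
    if hdr["type"] == CREATE_SESSION_REQUEST:
        csr_counts[src_ip] += 1
        if csr_counts[src_ip] > CSR_LIMIT:
            return "alert-csr-rate"        # monitoring: trusted peer, many new sessions
    return "accept"


def sample_header(msg_type: int, teid: int, seq: int) -> bytes:
    """Constructed input: a bare GTPv2-C header with T=1 and no IEs."""
    return (struct.pack("!BBHI", 0x48, msg_type, 8, teid)
            + seq.to_bytes(3, "big") + b"\x00")


def run_samples() -> list:
    """Run the constructed packets through the filter and return the verdicts."""
    counts = Counter()
    echo = struct.pack("!BBH", 0x40, 1, 4) + (9).to_bytes(3, "big") + b"\x00"
    events = [("198.51.100.7", sample_header(32, 0, 1))]   # not an allowlisted peer
    events += [("192.0.2.10", sample_header(32, 0, s)) for s in range(2, 7)]
    events.append(("192.0.2.10", b"\x48\x20\x00"))         # truncated header
    events.append(("192.0.2.20", echo))                    # Echo Request, T=0
    return [classify(ip, p, counts) for ip, p in events]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The rate alert is what still fires in the two cases the slide lists against IP filtering alone, because it keys on what an allowlisted source sends rather than on the address.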
Current real security measures
[Chart: Implemented protection measures. Legend: IP filtering of roaming partners; Configuration not directly connected to security; No security measures. Values: 77%, 8%, 15%.]
Our solution: TSG Protection Suite
- Stay Tuned.
About SecurityGen
Founded in 2022, SecurityGen is a global start-up focused on telecom security. We deliver a solid security foundation to drive secure Telco digital transformations and ensure safe and robust network operations.
Connect With Us
Email: contact@secgen.com
Website: www.secgen.com
