GTP Vulnerabilities: A cause for concern in 5G and LTE networks
Pavel Novikov
Pavel.Novikov@security-gen.com
Kirill Puzankov
Kirill.Puzankov@security-gen.com
Presenters
Pavel Novikov
Pavel.Novikov@security-gen.com
• 10 years in telecom security
• Co-author of the GSMA FS.20 GPRS Tunneling Protocol (GTP) Security document
• Head of telecom security research at SecurityGen
• Focused on telecom vulnerabilities: RAN, VoLTE, VoWiFi, GTP, Diameter, 5G SA and NSA
• Conducting telecom security assessments for mobile operators for many years
Kirill Puzankov
Kirill.Puzankov@security-gen.com
• 10 years in telecom security
• Product manager at SecurityGen
• Exploring telco threats and vulnerabilities starting from SS7 up to 5G
• Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture
Confidential. Copyright © 2023 SecurityGen. All rights reserved.
What is GTP?
GPRS Tunnelling Protocol (GTP) - a group of IP-based communications protocols used to carry general packet radio service (GPRS) within GSM, UMTS, LTE and 5G networks.
GTP: GTP-C, GTP-U, GTP’
• 3GPP 29.281 Packet Radio System (GPRS) Tunnelling Protocol User Plane (GTPv1-U)
• 3GPP 29.060 General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface
• 3GPP 29.274 Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C)
• 3GPP 32.295 Telecommunication management; Charging management; Charging Data Record (CDR) transfer
Where is GTP?
[Diagram: 4G network, GTPv2. Labels: UE, eNb, E-UTRAN, MME, MME, SGW, PGW, Internet, GTP-U, GTP-C, S1-U interface, S5 interface, S10 interface, S11 interface.]
GTP protocol stack
[Diagram: layers L1, L2, IP, UDP, GTP-C. A GTP-C message is shown as a GTP header followed by information elements, including a Group Information element (v2 only) that contains further information elements.]
GTP security: why is it important?
• Widespread
• Lacks built-in security mechanisms
• Roaming connection
• Fraud
• Interception
• DoS
• etc.
Roaming in GTP
[Diagram: 4G network, GTPv2. Labels: Network 1 and Network 2 (each with UE, eNb, UTRAN, SGW, PGW, Internet), S8 interface, GRX, GTP-U, GTP-C, markers 1 and 2.]
Where is GTP?
[Diagram: 4G network, GTPv2. Labels: Network 1 (UE, eNb, UTRAN, SGW, PGW, Internet), S8 interface, GRX, Attacker (shown twice), marker 1.]
Analytics
Attack scenarios
• Data interception via Create PDP Context request
• Fraud via Create Session request with a non-existent subscriber
• Impersonation via Create Session request
• Data disclosure via SGSN Context request
• Network DoS via Create Session request
• Subscriber DoS via Update PDP Context request
Methodology
• 150+ telecom security assessments, 2022
• 39 MNOs
• 24 countries
• SEA, LATAM, MEA
Level of protection
Attacks and impact
85% of networks are vulnerable to subscriber DoS attacks via different techniques:
• Fake session on behalf of the subscriber
• Illegitimate change of the PGW node, causing subscriber traffic to be redirected
• Deletion of the subscriber session
71% of networks are vulnerable to information disclosure attacks via:
• Obtaining the TEID, which is needed to carry out other attacks
• Also, it is possible to obtain the IMEI, radio encryption keys and internal IP addresses
69% of networks are vulnerable to user traffic interception:
• The intruder can change the actual nodes that process user traffic, so that all incoming traffic is handled by the intruder
62% of networks are vulnerable to fraud:
• The intruder can establish a connection on behalf of a non-existent subscriber
46% of networks are vulnerable to network DoS:
• By sending numerous requests to open new connections, which may lead to occupation of the whole DHCP server pool or the GTP tunnel pool
Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners.
2. Implementing GSMA-recommended security measures.
3. Combination of the approaches mentioned above.
Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners.
   Often requires no additional equipment for filtering incoming traffic, effectively blocking "wild" GTP hackers connected to a rogue provider.
   • Attacker may gain access to the trusted MNO.
   • Partners may lease their IP ranges and parts of their infrastructure to 3rd parties.
2. Implementing GSMA-recommended security measures.
   Based on GSMA FS.20 GTP Security recommendations.
   • Requires GTP-Firewall with cross-protocol checks
   • Implement monitoring
3. Combination of the approaches mentioned above.
   Combines the advantages of the first two, offering the highest level of security.
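An added example of the combined approach (measure 3): partner IP filtering followed by message-level checks on a GTPv2-C Create Session request. It is not taken from the slides, GSMA FS.20 or any SecurityGen product; the partner prefixes, PLMN codes, the `REGISTERED_IN` table (a stand-in for registration state learned from another signalling protocol) and all function names are assumptions, and the sample datagram is constructed.

```python
import ipaddress
import struct

# Constructed data: partner source prefixes -> partner PLMN, plus a stand-in
# for registration state learned from another protocol (e.g. Diameter S6a).
PARTNER_NETS = {ipaddress.ip_network("192.0.2.0/28"): "99970",
                ipaddress.ip_network("198.51.100.0/28"): "99971"}
REGISTERED_IN = {"001010000000001": "99970"}  # IMSI -> PLMN now serving it
CREATE_SESSION_REQUEST, IE_IMSI = 32, 1       # GTPv2-C values, 3GPP TS 29.274
# Constructed sample, reduced to a GTPv2-C header and one IMSI element.
SAMPLE = bytes.fromhex("48200014 00000000 00000100 01000800 00010100 000000f1")

def parse_gtpv2c(pkt):
    """Return (message type, {IE type: first value}) of one GTPv2-C message."""
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    off = 12 if flags & 0x08 else 8   # T flag set: a 4-byte TEID is present
    if flags >> 5 != 2 or length + 4 != len(pkt) or len(pkt) < off:
        raise ValueError("bad version or length")
    ies = {}
    while off < len(pkt):
        ie_type, ie_len = struct.unpack("!BH", pkt[off:off + 3])
        end = off + 4 + ie_len        # type, length, spare/instance, value
        if end > len(pkt):
            raise ValueError("IE overruns message")
        ies.setdefault(ie_type, pkt[off + 4:end])
        off = end
    return msg_type, ies

def decode_imsi(raw):
    """TBCD: two digits per byte, low nibble first, 0xF as filler."""
    return "".join(f"{b & 15:x}{b >> 4:x}" for b in raw).rstrip("f")

def verdict(src_ip, pkt):
    """Decide on one GTPv2-C datagram arriving on the roaming interface."""
    addr = ipaddress.ip_address(src_ip)
    partner = next((p for n, p in PARTNER_NETS.items() if addr in n), None)
    if partner is None:
        return "drop: source is not a roaming partner"
    try:
        msg_type, ies = parse_gtpv2c(pkt)
    except (ValueError, struct.error) as exc:
        return f"drop: malformed ({exc})"
    if msg_type == CREATE_SESSION_REQUEST:
        serving = REGISTERED_IN.get(decode_imsi(ies.get(IE_IMSI, b"")))
        if serving is None:
            return "drop: unknown subscriber"
        if serving != partner:
            return "drop: subscriber is not registered in the sending network"
    return "accept"
```

The second partner prefix shows the case the slide warns about: the source address passes the IP filter, but the request is still dropped because the subscriber is registered elsewhere.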
Current real security measures
[Chart: Implemented protection measures. Categories: IP filtering of roaming partners; Configuration not directly connected to security; No security measures. Values shown: 77%, 8%, 15%.]
Our solution: TSG Protection Suite
- Stay Tuned.
About SecurityGen
Founded in 2022, SecurityGen is a global start-up focused on telecom security. We deliver a solid security foundation to drive secure Telco digital transformations and ensure safe and robust network operations.
Connect With Us
Email: contact@secgen.com
Website: www.secgen.com
