GPRS-Tunnelling-Protocol-GTP-Security (6).pptx

ssuser1028ef 21 views 19 slides Aug 27, 2025


Slide Content

GPRS Tunnelling Protocol (GTP) Security
Confidential - Operator, Rapporteur, Industry and Sector Members

All Mobile Network Operators Are Affected

Universal Impact: Signalling security vulnerabilities affect all MNOs worldwide, regardless of network generation (2G/GPRS, 3G/UMTS and 4G/LTE).
Critical Risks: Attackers can reconfigure network elements, obtain session keys to decrypt communications, and access subscriber information including location and called numbers.
Responsibility: If MNOs outsource activities to GRX/IPX providers, those providers become responsible for implementing the security measures described in this document.

In the interest of maintaining control over their networks and protecting customer data, it is essential for all MNOs to assess their risk exposure and implement appropriate countermeasures.

All Mobile Network Operators are Affected (summary)

Universal Impact: All MNOs worldwide are vulnerable to signalling security issues.
Critical Risks: Attackers can reconfigure NEs, obtain session keys, and access subscriber data.
Essential Action: Assess risk exposure and implement appropriate countermeasures.

GTP Technical Background

GTP is one of the major network protocols used for exchanging messages between network elements (NEs) in mobile networks. It is defined by 3GPP and used across multiple interfaces. GTP consists of three components:

GTP-C (Control): uses UDP port 2123 and handles session management and location information.
GTP-U (User): carries encapsulated user data between tunnel endpoints.
GTP' (Prime): used for carrying charging data within a single MNO's domain.

Only two 3GPP interfaces are used between MNOs: Gp (for GPRS/UMTS, using GTPv1) and S8 (for LTE, using GTPv2). For security considerations, understanding the network topology, domain borders and established connections is crucial to protect GTP-capable network elements from external threats.
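Before a firewall or monitoring probe can apply any of the filtering rules in this deck it has to decode the GTP header itself: the version (GTPv1 on Gp, GTPv2 on S8), the message type, and the TEID. The parser below is an added example written for this page, not code from the presentation or from any GTP product; the layouts follow the GTPv1 and GTPv2 control-plane headers, the message-type numbers are the 3GPP values for the handful of messages the slides name, and the two sample packets are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Message-type numbers for the GTP-C messages named on the slides
# (3GPP TS 29.060 for GTPv1, TS 29.274 for GTPv2).
GTPV1_MESSAGE_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    16: "Create PDP Context Request",
    18: "Update PDP Context Request",
    20: "Delete PDP Context Request",
}
GTPV2_MESSAGE_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    32: "Create Session Request",
    34: "Modify Bearer Request",
    36: "Delete Session Request",
}


@dataclass
class GtpHeader:
    version: int
    message_type: int
    message_name: str
    length: int            # Length field as carried in the packet
    teid: Optional[int]    # None for a GTPv2 message sent without a TEID
    sequence: Optional[int]
    header_len: int        # Offset at which the information elements start


def parse_gtp_header(data: bytes) -> GtpHeader:
    """Parse the fixed part of a GTPv1 or GTPv2 header from a UDP payload."""
    if len(data) < 8:
        raise ValueError("too short for a GTP header")
    flags = data[0]
    version = flags >> 5          # top three bits of the first octet
    msg_type = data[1]
    length = struct.unpack("!H", data[2:4])[0]

    if version == 1:
        teid = struct.unpack("!I", data[4:8])[0]
        header_len, sequence = 8, None
        # If any of the E, S or PN flags is set, four optional octets follow:
        # sequence number (2), N-PDU number (1), next extension header type (1).
        if flags & 0x07:
            if len(data) < 12:
                raise ValueError("truncated GTPv1 optional header")
            header_len = 12
            if flags & 0x02:      # S flag: the sequence number field is meaningful
                sequence = struct.unpack("!H", data[8:10])[0]
        name = GTPV1_MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})")
    elif version == 2:
        if flags & 0x08:          # T flag: TEID present, followed by a 3-octet sequence number
            if len(data) < 12:
                raise ValueError("truncated GTPv2 header")
            teid = struct.unpack("!I", data[4:8])[0]
            sequence = int.from_bytes(data[8:11], "big")
            header_len = 12
        else:                     # no TEID: the 3-octet sequence number starts at octet 5
            teid = None
            sequence = int.from_bytes(data[4:7], "big")
            header_len = 8
        name = GTPV2_MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})")
    else:
        raise ValueError(f"unsupported GTP version {version}")
    return GtpHeader(version, msg_type, name, length, teid, sequence, header_len)


# Constructed sample packets (not captures): a GTPv2 Delete Session Request with
# TEID 42 and sequence 7, and a GTPv1 Echo Request with the S flag set.
SAMPLE_V2_DELETE_SESSION = bytes.fromhex("482400080000002a00000700")
SAMPLE_V1_ECHO_REQUEST = bytes.fromhex("320100040000000001020000")

if __name__ == "__main__":
    for pkt in (SAMPLE_V2_DELETE_SESSION, SAMPLE_V1_ECHO_REQUEST):
        print(parse_gtp_header(pkt))
```

Only the header is decoded here; the IMSI, APN and F-TEID values that the later filtering categories need live in the information elements that start at `header_len`, and a production filter would parse those next.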

Attack Vectors and Vulnerabilities

Network Topology Exposure: SGSNs/SGWs and GGSNs/PGWs are exposed to the GRX/IPX network and potentially reachable via that network, creating attack surfaces.
Information Gathering: Attackers can discover GTP nodes, guess valid TEIDs, and obtain subscriber data including cryptographic keys and location information.
Subscriber Attacks: Denial of service attacks, fraud and location tracking can be performed using various GTP message manipulations.

A critical vulnerability is the lack of binding between network interfaces and 3GPP interfaces, allowing attackers to send GTP messages meant for internal use across MNO boundaries.

Specific Attack Examples

TEID Guessing: Attackers can discover valid Tunnel Endpoint Identifiers (TEIDs) by sending GTP-U messages with incrementing TEIDs or through brute force methods. Many implementations don't use all 32 bits for TEID generation, making them predictable.
Subscriber DoS: Using Delete Session Request or Delete PDP Context Request messages with valid TEIDs to disconnect users. IP address pool exhaustion can be achieved by flooding Create Session Requests.
Tunnel Hijacking: Attackers can redirect existing GTP-U traffic using Modify Bearer Request or Update PDP Context Request with altered tunnel parameters, enabling man-in-the-middle attacks.

Attack categories: Information Gathering, Denial of Service, Fraud, Location Tracking, Other Exploits.

Countermeasures: Secure Network Architecture

Network Separation: Keep networks separated physically or logically through VPNs or VLANs. Assign disjoint IP address segments for each network to prevent direct access to GTP interfaces.
Edge Filtering: Filter traffic at network edges based on source/destination IP addresses and only allow necessary application layer protocols. Implement packet filter firewalls at internet and GRX/IPX edges.

Only APNs connected to the internet on a GGSN/PGW need direct internet access. The GGSN/PGW itself should not be reachable from the internet. For GRX/IPX connections, filters should only accept incoming traffic from known peer MNOs with existing roaming agreements, using IP subnets published in the IR.21/IR.85 RAEX database.

Countermeasures: Network Element Security

Secure Configuration: Apply secure configurations to all network elements and services. Disable insecure and unneeded network services and change default passwords.
Authentication & Access Control: Configure and enable strong authentication and access control. Log all access attempts and other security-relevant events.
Patching & Testing: Deploy the latest security patches continuously. Conduct regular security testing and vulnerability scanning.
TEID Randomization: Ensure network elements randomly allocate GTP TEIDs with sufficient entropy to prevent guessing attacks.

It's essential to secure all network elements since attackers may have access not only to the internet but also to other connected networks like GRX/IPX.
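The TEID randomization point is easy to state and easy to get wrong in a vendor's allocator, so a security test of a network element should include a check of the TEIDs it actually hands out. The following is an added example for this page, not code from the presentation or from any vendor: it takes a sample of TEIDs observed in Create Session Responses from one NE and reports how many of the 32 bits vary and how often consecutive allocations differ by a small step, the signature of a counter-based allocator. The two samples and the verdict thresholds are this example's own assumptions.

```python
import random


def teid_allocation_report(teids: list[int], width: int = 32) -> dict:
    """Summarise how predictable a sample of TEIDs allocated by one NE looks.

    bits_used: how many of the `width` bit positions actually vary in the sample.
    sequential_fraction: share of consecutive allocations that differ by 1..16
        (modulo 2**width), the pattern a counter-based allocator produces.
    predictable: coarse verdict; the thresholds are an assumption of this example.
    """
    if len(teids) < 2:
        raise ValueError("need at least two allocations to judge a pattern")
    mask = (1 << width) - 1
    first = teids[0]
    varying = 0
    for t in teids:
        varying |= (t ^ first)           # a bit that ever differs from the first sample varies
    bits_used = bin(varying & mask).count("1")
    close = sum(1 for a, b in zip(teids, teids[1:]) if 1 <= (b - a) % (1 << width) <= 16)
    sequential_fraction = close / (len(teids) - 1)
    return {
        "bits_used": bits_used,
        "sequential_fraction": sequential_fraction,
        "predictable": bits_used < width // 2 or sequential_fraction > 0.25,
    }


# Constructed samples (not observed traffic): a counter-based allocator starting
# at 1000, and a random allocator seeded so the demonstration is repeatable.
COUNTER_TEIDS = list(range(1000, 1100))
_rng = random.Random(2025)
RANDOM_TEIDS = [_rng.getrandbits(32) for _ in range(100)]

if __name__ == "__main__":
    print("counter allocator:", teid_allocation_report(COUNTER_TEIDS))
    print("random allocator: ", teid_allocation_report(RANDOM_TEIDS))
```

A hundred samples are enough to expose a counter; a larger capture is needed before concluding that an allocator which passes this check really draws from the full 32-bit space, since the check only looks at which bits vary, not at the quality of the generator behind them.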

GTP Security: Message Filtering Categories

Category 1: Interface-Unauthorised Packet. Filter GTP messages that are not related to the Gp/S8 interface and should never enter from external sources. Apply whitelist filtering at the network edge.
Category 2: Home-Network Packet. Filter messages targeting home subscribers that must be allowed for inbound roaming. Verify that requests with IMSI/MSISDN don't target home subscribers.
Category 3: Plausible-Network Packet. Filter messages by comparing subscriber location. Block messages from interconnect pretending to be from subscribers currently in the home network.

A GTP Gp/S8 firewall should be deployed between the mobile core network and the GRX/IPX network to enforce these filtering rules and perform plausibility checks on GTP messages.
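The edge filtering rule from the architecture slide and the three message categories above fit together as one decision chain on each inbound GTP-C message. The classifier below is an added example written for this page, not code from the presentation or from any GTP firewall product. It is a simplified model: the peer-subnet list stands in for the IR.21/IR.85 RAEX data (documentation address ranges), the S8 message-type allowlist is illustrative rather than a complete list from the 3GPP interface tables, the home PLMN and the set of subscribers attached in the home network are constructed, and the `role` parameter (the protected node serves inbound roamers on the SGW side, or the home network's own outbound roamers on the PGW side) is this example's way of deciding which category applies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed roaming-partner allowlist (documentation ranges) standing in for the
# IR.21/IR.85 RAEX subnets a real edge filter is built from.
PEER_MNO_SUBNETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed home PLMN (test MCC 001, MNC 01): IMSIs starting with it belong to home subscribers.
HOME_PLMN = "00101"

# Illustrative allowlist of GTPv2 message types expected on S8 (assumption of this
# example; a deployment derives the real list from 3GPP TS 29.274).
S8_ALLOWED_TYPES = {1, 2, 32, 33, 34, 35, 36, 37}

# Constructed HSS-style view of which subscribers are currently attached at home.
ATTACHED_IN_HOME_NETWORK = {"001010000000001"}


@dataclass
class GtpMessage:
    src_ip: str           # source address on the GRX/IPX side
    message_type: int     # GTPv2 message type from the header
    imsi: Optional[str] = None   # IMSI information element, if the message carries one


def classify(msg: GtpMessage, role: str) -> str:
    """Return 'allow' or 'drop: <reason>' for one GTP-C message arriving from GRX/IPX.

    role is 'sgw' (protected node serves inbound roamers) or 'pgw' (protected node
    serves the home network's outbound roamers).
    """
    if role not in ("sgw", "pgw"):
        raise ValueError("role must be 'sgw' or 'pgw'")

    # IP-layer edge filter: only known roaming partners may reach the GTP interface at all.
    src = ip_address(msg.src_ip)
    if not any(src in net for net in PEER_MNO_SUBNETS):
        return "drop: edge filter (source is not a known roaming partner)"

    # Category 1: message types that do not belong on the Gp/S8 interface.
    if msg.message_type not in S8_ALLOWED_TYPES:
        return "drop: category 1 (message type not permitted on S8)"

    if msg.imsi is None:          # e.g. Echo Request: nothing subscriber-related to check
        return "allow"

    # Category 2: inbound roamers carry foreign IMSIs, so a home IMSI offered from the
    # interconnect to the SGW side does not target a plausible inbound roamer.
    if role == "sgw" and msg.imsi.startswith(HOME_PLMN):
        return "drop: category 2 (home subscriber cannot be an inbound roamer)"

    # Category 3: a subscriber the home network currently serves cannot at the same
    # time be roaming behind a foreign SGW.
    if role == "pgw" and msg.imsi in ATTACHED_IN_HOME_NETWORK:
        return "drop: category 3 (subscriber is currently attached in the home network)"

    return "allow"


# Constructed sample messages for the demonstration.
SAMPLE_MESSAGES = [
    ("pgw", GtpMessage("203.0.113.9", 32, "001010000000002")),    # unknown source
    ("pgw", GtpMessage("192.0.2.10", 133, "001010000000002")),    # Forward Relocation Request
    ("sgw", GtpMessage("192.0.2.10", 32, "001010000000002")),     # home IMSI at the SGW side
    ("pgw", GtpMessage("192.0.2.10", 32, "001010000000001")),     # subscriber attached at home
    ("pgw", GtpMessage("198.51.100.7", 32, "001010000000002")),   # genuine outbound roamer
    ("sgw", GtpMessage("198.51.100.7", 36, "310150000000009")),   # genuine inbound roamer
    ("sgw", GtpMessage("198.51.100.7", 1)),                       # Echo Request
]

if __name__ == "__main__":
    for role, msg in SAMPLE_MESSAGES:
        print(role, msg.message_type, msg.imsi, "->", classify(msg, role))
```

Category 3 is the only check that needs live state (the subscriber's current location from the HLR/HSS), which is why the deck pairs the firewall with independent signalling monitoring: the lookup has to be kept consistent as subscribers move, or legitimate outbound roamers get dropped.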

GTP Firewall Implementation Options

Combined Firewall (IP + APP). Advantage: single point of management, end-to-end network security. Disadvantage: more complex implementation and increased security risk with bundled functionalities.
Dedicated GTP-C Firewall. Advantage: cost-effective and transparent to the network, focusing only on control traffic. Disadvantage: requires alignment between GTP-C and GTP-U sessions for policy enforcement.

Implementation isn't limited to a specific deployment architecture, vendor type or hardware. MNOs should consider their specific network requirements and security needs when choosing an implementation approach.

Summary and Resources

Key Takeaways:
All MNOs worldwide are affected by GTP security vulnerabilities.
Comprehensive protection requires security at multiple layers.
GTP firewalls should implement Category 1, 2 and 3 filtering.
Network separation and proper edge filtering are fundamental.
Regular security testing and monitoring are essential.

Required Resources. Securing GTP requires time, expertise and ongoing maintenance:
Expert team for firewall and network element maintenance.
Regular updates to firewall configurations as peer operators change.
Independent signalling monitoring/IDS to validate protection.
Continuous security testing and vulnerability assessment.

The key to success is implementing a well-designed network architecture and establishing an expert team that deals with firewall, signalling security monitoring and network element maintenance. Investing in these resources is necessary for MNOs to maintain control over their networks and protect subscriber data from increasingly sophisticated attacks.

Network Topology and Reachability Risks

Risk: The SGW may accept GTP messages from any source on the IPX network.
Risk: The SGW and PGW may accept GTP messages from any UE and from the internet.

GTP-Related Attacks: Information Gathering

GTP Node Discovery: Attackers send valid GTP messages to discover NEs capable of GTP.
TEID Guessing: Brute force to find valid Tunnel Endpoint Identifiers.
Subscriber Data Disclosure: Obtaining session details including cryptographic keys.

Subscriber Data Disclosure Attack

Risk: Disclosure of details about the session of a subscriber.
Risk: Disclosure of a subscriber's session in GTPv2 via the internal S10 interface.

Subscriber Denial of Service & Fraud

Subscriber DoS: Using Delete Session Request or Delete PDP Context Request.
Fraud: Using an invalid IMSI or any subscriber's IMSI.

Tunnel Hijacking Attacks

Tunnel hijacking using Modify Bearer Request.
Full MITM attack combining multiple techniques.

Location Tracking & Interface Binding Issues

Location tracking by changing APN PGW settings.
Risk: Missing binding of network interfaces to 3GPP interfaces allows acceptance of any GTP message.

Countermeasures

Secure Network Architecture: network separation; IP/transport layer filtering; firewall implementation.
Network Element Security: secure configuration; hardening; random TEID allocation.
GTP Security: GTP message filtering; plausibility checks; GTP firewall implementation.