GTP Remains a 5G Security Threat as Operators Transition to 5G

What is GPRS Tunneling Protocol (GTP)?

GPRS Tunneling Protocol (GTP) is a 2.5G technology that provides interconnect between various network interfaces, enabling mobile users to roam seamlessly between networks of different generations. The protocol was developed in tandem with General Packet Radio Service (GPRS), the packet-oriented mobile data standard integrated into GSM (G2) that allows mobile networks to transmit IP to external networks (i.e., the internet). GPRS is the mobile communications service that enables SMS, MMS, IM, WAP, peer-to-peer, smartphone internet apps, and more.

Multi-generational Mobile Networks Will Linger for Years to Come

Developed at the “dawn” of the mobile age, GTP was not designed with security in mind and is very lightly protected, because before smartphones there were virtually no cyber security problems plaguing mobile networks. The technologies were proprietary and difficult to penetrate, resulting in “attack-free” network infrastructures where trust was assumed within what was then a closed industry. As the industry evolved to IP-based technology, the need for secure network interfaces using GTP grew exponentially. Lacking encryption and sender authentication, GTP was not up to the task.

Today, we see an increasing number of attacks exploiting vulnerabilities by abusing GTP-exposed interfaces. Both subscribers and carrier-class operators are impacted, as attackers eavesdrop on communications to harvest network information and subscriber IDs, often leading to denial of service attack (DoS), customer churn, and criminal activity enabled by the exfiltration of confidential data.

A Growing Cyber Attack Surface

While 5G provides vast security enhancements, it is important to note that multiple generations of mobile networks will hang on long into the foreseeable future. This means that GTP will still be relevant in a 5G world, as it remains the primary protocol for user-plane and control-plane traffic. As with all previous generations, 5G introduces new standards. However, new network technologies such as 5G do not replace the previous ones, but rather, they overlap. So as long as earlier generations remain operative, old mobile signaling protocols and their accompanying vulnerabilities will threaten networks. Today’s mobile threats stem from traditional IP-based threats within 4G/LTE networks combined with legacy 2G and 3G technologies. As 5G continues to grow, overlapped with 3G and 4G, a wealth of new services and technologies will lead to an ever-expanding attack surface.

Worldwide Technology Mix

GTP: A Key Technology for Mobile Roaming

Changes in EU regulations eliminated international roaming charges. This, combined with the explosive growth in the number of devices, applications, and traveling subscribers, has led to skyrocketing roaming traffic — up as much as 95 percent according to Telecoms.com.  Within the mobile core, GTP is the main protocol for exchanging user and control data between serving and packet gateways, enabling packet networks to signal and carry data between devices and apps. When it comes to roaming, GTP connects the local (home) and visited network, allowing subscribers to shift between networks easily. Its extensive use between mobile networks (e.g, roaming) makes GTP an attractive target for attackers. With roaming traffic continually on the rise, it is also a growing target. To learn more, download the eBook: Smart Phones and Stupid Devices — Why Roaming Still Matters in a 5G World.

IP-based Networks are Easier to Hack; GTP Makes it Even Easier

Prior to 4G/LTE, attacking mobile networks required sophisticated tools and mastery of little-known protocols used for routing voice calls. IP-based 4G technology changed everything and allowed attackers to leverage readily available internet hacking tools with which they were already familiar. Launching attacks on mobile networks became as easy as hacking any device connected to the internet — no in-depth knowledge of mobile technology required.

Because of the many vulnerabilities in the protocol’s specifications, GTP became a prime attack target. The protocol does not support encryption, so, among other pieces of sensitive information, international mobile subscriber identity (IMSI), integrity session keys, and user data are sent in clear text. Also lacking is integrity protection, which leaves the door open for cyber attackers to hack GTP messages and corrupt signaling commands, alter user data, and redirect their own mobile billing charges onto unwitting victims. Lastly, the protocol lacks any means for authenticating senders, making it impossible to tell legitimate subscribers from imposters.

All in all, these GTP vulnerabilities make it easier for attackers to gain access to critical network and subscriber information, including key identifiers such as the tunnel endpoint identifier (TEID — a pathway into the network’s mobile core assigned by the GPRS Tunneling Protocol — GTP) and the temporary mobile subscriber identity (TMSI). Using such information, impersonators can gain access to the IMSI of legitimate subscribers, drop subscriber communications or overwhelm the network with bot-transmitted messages to instigate a DDoS attack.

A Taxonomy of GTP-enabled Attacks

Here’s what mobile operators and their customers are up against:

Rogue base station configuration
Figure 2: Rogue base station configuration

GTP Security is Within Reach…with an Effective GTP Firewall

GTP is exploited to target mobile networks via the roaming exchange, the radio access network, and internet interfaces. To prevent the severe consequences of GTP-enabled attacks as described above, mobile operators need to deploy strong counter measures at all key network interfaces. The most important is a GTP firewall, which, as outlined by the GSMA, needs to include: message filtering, exploit detection, message-length control, validity checking, plausibility checking, and information validity for roaming.

5G Changes Everything…or does it?

5G will still use GTP for user-plane traffic and still be exposed to GTP vulnerabilities. However, the 5G architecture does provide several important cybersecurity enhancements, building on proven 4G improvements, including encryption, mutual authentication, integrity protection, privacy, and availability. Nevertheless, multi-generational security will continue to be critical to protect against 2G, 3G, and 4G threats during — and even beyond — the transition to 5G.

New 5G specifications cover security procedures performed within the 5G system, including the 5G core and the 5G New Radio. Key 5G cybersecurity enhancements include:

While 5G security is a big step forward, mobile networks will continue to be exposed to GTP threats through roaming partners or prior mobile technologies using GTP.  Mobile operators will need to deploy a GTP firewall to protect against GTP-based attacks coming in from access networks, roaming partners, IoT, and more to support uninterrupted operations for their networks and subscribers.

Additional Resources


|

December 19, 2019

About Terry Young

Terry Young is Director of 5G Marketing at A10 Networks. She is responsible for developing programs and marketing material that describe business value of A10 solutions for mobile network operators and other service providers. Prior to A10 Networks, Terry has 20 years experience in the telecommunications industry, including AT&T (mobile and fixed businesses), where she developed market strategy recommendations for new business initiatives for AT&T. As a principal analyst for a syndicated market research company early in the 3G technology introduction, her 3G/4G market analysis and forecasts were published by the UMTS Forum. She also previously held positions with several start-up mobile infrastructure and software vendors, including Infoblox and Palo Alto Networks. Terry has an MBA from Arizona State University and lives in the San Francisco Bay Area. READ MORE