Ghosts From the Past: Flaws in Legacy GTP Protocol to Impact Future 5G Networks

The GPRS Tunneling Protocol (GTP) has a number of vulnerabilities that put both mobile network operators and their customers at risk.

What are the vulnerabilities?

GTP dates from the early days of the internet, and as with every first-generation protocol, security was not a major concern.
  • Every GTP network tested carries the risk of fraud against subscribers or operators, along with DoS against the network equipment.
  • One of the most basic flaws in the protocol is that it does not verify a user's actual location, which underlies most of the attacks.
  • Another architectural flaw is that subscriber credentials are checked by default on Serving GPRS Support Node (SGSN) equipment, so threat actors can impersonate that host in specific attacks.

How can these flaws be exploited?

  • Attackers send multiple requests to open new connections, exhausting the GTP tunnel pool or the DHCP pool. As a result, legitimate users are unable to connect to the Internet.
  • Threat actors can connect to the Internet at the expense of a subscriber or operator. One consequence is that a dishonest mobile network operator can create roaming traffic, charging a subscriber for non-existent roaming activity.
  • Impersonation attacks can be used to pass MSISDN verification during account registration, granting authorization without a password.

What repercussions do these flaws have on 5G?

  • 5G carries user-plane traffic over GTP, which exposes it to GTP vulnerabilities.
  • GTP vulnerabilities can be exploited through the inter-operator Internetwork Packet Exchange (IPX) network, adversely affecting the Evolved Packet Core (EPC), the core of the network.
  • Most early 5G networks are Non-Standalone, using the EPC as their core network. Although a temporary arrangement, this will be the only available option for the next few years.
  • Most 5G networks today are vulnerable to a variety of attacks similar to those against 4G networks, such as disclosure of subscriber information, spoofing, and DoS.

What is the solution?

  • Operators need to address GTP flaws, ensure filtering at the GTP level, and deploy purpose-built security solutions.
  • Mobile carriers should also implement the GSMA security recommendations.
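As an added illustration of the GTP-level filtering recommended above (example code, not from the report or this article), the following parses the GTPv1-C header, drops control-plane messages from hosts outside an assumed roaming-partner allowlist, and flags any peer sending more Create PDP Context Requests than a configured limit, the pattern behind the tunnel-pool exhaustion described earlier. The peer addresses, the limit and the sample packets are constructed values.

```python
import struct
from collections import Counter

# GTPv1-C message types from 3GPP TS 29.060.
ECHO_REQUEST = 1
CREATE_PDP_CONTEXT_REQUEST = 16

def build_gtpv1(msg_type, teid=0, seq=None):
    """Build a minimal GTPv1-C message (constructed test data, no IEs)."""
    flags = 0x30 | (0x02 if seq is not None else 0)   # version 1, PT=1, S flag
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    return struct.pack("!BBHI", flags, msg_type, len(opt), teid) + opt

def parse_gtpv1_header(pkt):
    """Parse the mandatory 8-octet GTPv1 header plus the optional 4 octets."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    hdr = {"type": msg_type, "length": length, "teid": teid, "seq": None}
    if flags & 0x07:   # E, S or PN set: sequence number follows
        if len(pkt) < 12:
            raise ValueError("truncated optional header")
        hdr["seq"] = struct.unpack("!H", pkt[8:10])[0]
    return hdr

def screen_gtpc(records, allowed_peers, create_limit):
    """records: (src_ip, packet) pairs seen on the GTP-C port (UDP 2123).
    Drops unknown peers; flags peers whose Create PDP Context Request
    count exceeds create_limit (tunnel-pool exhaustion indicator)."""
    dropped, creates = [], Counter()
    for src, pkt in records:
        hdr = parse_gtpv1_header(pkt)
        if src not in allowed_peers:       # only known IPX/roaming partners pass
            dropped.append((src, hdr["type"]))
            continue
        if hdr["type"] == CREATE_PDP_CONTEXT_REQUEST:
            creates[src] += 1
    flagged = sorted(src for src, n in creates.items() if n > create_limit)
    return dropped, flagged

# Constructed sample: one normal partner, one flooding partner, one unknown host.
PEERS = {"198.51.100.7", "198.51.100.8"}
SAMPLE = (
    [("198.51.100.7", build_gtpv1(ECHO_REQUEST, seq=1))]
    + [("198.51.100.8", build_gtpv1(CREATE_PDP_CONTEXT_REQUEST, seq=i)) for i in range(50)]
    + [("203.0.113.9", build_gtpv1(CREATE_PDP_CONTEXT_REQUEST, seq=7))]
)
```

Calling screen_gtpc(SAMPLE, PEERS, create_limit=20) returns the dropped message from 203.0.113.9 and flags 198.51.100.8.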

The bottom line is that while 5G security is a giant leap forward, mobile networks will remain exposed to the threats posed by GTP. Security assessments need to be conducted regularly, and specifically after network equipment is added or reconfigured.