International mobile data networks still a serious security problem

In the rush to roll out LTE mobile networks worldwide, basic security measures are ignored. More than two years after problems were first exposed, roaming data links are still at risk.
Written by Stilgherrian , Contributor

Documents leaked by Edward Snowden showed that the UK's Government Communications Headquarters (GCHQ) had supposedly hacked Belgian telecommunications company Belgacom. A presentation at the Ruxcon information security conference in Melbourne on Saturday suggests that it wasn't a difficult job.

The short version is that roaming mobile data connections are routed via a shoddy network that's meant to be separate from the internet, but isn't.

The long version is, well, here we go...

At the heart of the problem is the GPRS Roaming eXchange (GRX), a network of 25 providers globally that routes international mobile connections between telcos. When a user makes a mobile data connection, GRX traces their device back to its home network, identifies the user for billing purposes, and ensures that the telcos correctly bill each other for the service.

The specifics of the signalling and switching protocols are complex. But in brief, GRX uses the Stream Control Transmission Protocol (SCTP) to route the mobile data connections, and the encrypting GPRS Tunnelling Protocol (GTP) for the user data connections themselves.

In theory, while GRX is an internet protocol (IP) network, it's separate from the internet. User data can't be read from the GRX, because it's encrypted.

In practice, however, just as supposedly air-gapped industrial networks end up being connected to the internet, GRX is too.

The GRX carries all the connection metadata -- device ID, location, user ID, billing information -- unencrypted. Vulnerabilities in its servers mean that it's possible to intercept that unencrypted traffic, re-route the encrypted data connections, and use a man-in-the-middle (MITM) attack to break into the encryption.

Stephen Kho is currently the managing principal with HP Enterprise Consulting Services in the Australia, New Zealand, and SE Asia regions. But before that, he was CISO Program Manager with Dutch telco KPN.

In May 2014, Kho and his colleague Rob Kuiters conducted what the called a "light scan" for GRX-connected computers. The results are frightening.

Kho and Kuiters found 413 of the GRX's domain name system (DNS) servers from the internet. They also found 770 servers responding to GTP's UDP port 2123, and 1,042 responding to UDP port 2152.

None of these should be visible from the internet at all.

In total, out of around 42,000 live GRX hosts, Kho and Kuiters could reach 5,500 of them, from 15 of the 25 GRX providers, from the internet.

Now here comes the fun bit.

Of these exposed hosts, 401 were also running the SMTP email protocol, 1,425 were running the HTTP web protocol, 810 were running FTP, and 1,182 were running -- wait for it -- telnet. Some were even running SMB, which means that it would be possible to connect to GRX even if you weren't on GRX.

Now here comes the really fun bit.

Kho and Kuiters checked the version numbers of the services running on those exposed servers. They found versions of the BIND DNS server with vulnerabilities dating back to 2012. Versions of the Sendmail SMTP server with vulnerabilities dating back to 2002. OpenBSD ftpd 6.4, with vulnerabilities dating back to 2001. Apache web server version 1.3.22 dating to 2002. And on and on.

None of the exposed servers belonged to Australia's GRX provider, Telstra. But does that matter when GRX, a global network, is an easy target to attack from somewhere else?

Similar problems were found in GRX's routers. Some were even found to be sending their border gateway protocol (BGP) routing information to the internet. Many, of coure, were running ancient, vulnerable software.

Should I mention that some Windows 2000 hosts were found? I thought not.

The Snowden documents indicate that GCHQ got into Belgacom using a LinkedIn-spoofing spearphishing attack on the company's engineers, and the Regin malware. Now I'm wondering why they bothered to go to all that effort.

The good news is that things have gotten better since Kho and Kuiters notified the vulnerable GRX providers. The bad news is that it hasn't gotten that much better.

Kho re-scanned the network last month, October 2016, in preparation for his Ruxcon presentation.

The number of exposed DNS servers has dropped from 413 to 174; SMTP servers, from 401 to 158; HTTP servers, from 1,425 to 1,004; FTP servers, from 810 to 340; and Telnet, from 1,181 to 355.

But the number of exposed GTP servers on ports 2123 and 2152 has actually gone up, from 770 to 1,231, and 1,042 to 1,062, respectively.

Do you feel safer? I thought not.

Just in case you are feeling safer, consider some other research presented at Ruxcon.

Wanqiao Zhang of Chinese hacking house Qihoo 360 has found that every single 4G call or text can be intercepted.

Zhang has worked out how to use 4G's LTE emergency fallover provisions against itself, forcing mobile devices to connect to an "unsafe" network, such as an attacker's own dodgy base station.

The technique was tested again at the weekend. It still works.

All this is yet another example of how the need for speed in rolling out mobile networks means that basic security precautions, such as patching your servers and turning off unneeded services, is simply ignored.

Hackers don't just have a way to intercept your mobile communications, they have multiple ways. Happy Monday.

Editorial standards