Old GTP protocol vulnerabilities will also impact future 5G networks

Bugs allow denial-of-service, user impersonation, user tracking, and fraud attacks, two separate reports warn.
Written by Catalin Cimpanu, Contributor
telco 5G mobile tower
Image via Maxwell Ingham

Vulnerabilities in the GPRS Tunnelling Protocol (GTP) will continue to impact mobile operators even as they migrate to 5G infrastructure.

In reports published last week and in December 2019, cyber-security firms Positive Technologies and A10 Networks detailed a series of vulnerabilities in this legacy mobile protocol. These include:

  • Disclosure of subscriber information (including location data, used for user tracking)
  • Spoofing, which can be used for fraud and impersonation attacks
  • Denial-of-Service (DoS) attacks on network equipment, resulting in mass disruption of mobile communication

Researchers say that because mobile providers will have to support the protocol on their 5G networks for legacy reasons, users will remain vulnerable to attacks even if the 5G protocol itself contains security features to prevent similar attacks.

What is GTP?

GTP, or the GPRS Tunnelling Protocol, is a mechanism developed to interconnect different networks by creating IP-based tunnels between devices and the mobile network.

The protocol was initially developed as a method of interconnecting different providers of GPRS (2.5G) communications, and allow users to roam across different provider networks, but still have access to features like SMS, MMS, WAP, and others.

As new protocols were developed, such as 3G and 4G (LTE), GTP retained its role inside mobile operators, acting as a liaison between old and new technologies alike.

However, GTP was developed in the early days of internet-capable mobile devices. As with all first-gen protocols, security was not baked into its original design.

While the protocol can be excused for not supporting encrypted communications in an era when such a feature was not common, GTP also didn't support something as basic as "sender authentication."

This means that anyone can send a GTP packet to a mobile telco's GTP infrastructure with fake data, and the mobile operator will execute the GTP packet, thinking it's legitimate traffic, with no way of verifying it came from one of its legitimate users.

From this basic design flaw, security researchers have, over the past years, discovered different ways to abuse GTP across 2.5G, 3G, 4G, and now, 5G.

Old GTP issues confirmed in current 5G networks

In a report published last week, Positive Technologies said it performed security audits of 28 mobile operators in Europe, Asia, Africa, and South America.

The security audits took place in 2018 and 2019, and researchers looked at both 4G and 5G network designs, at multiple protocols, and not just GTP.

Most of the networks they analyzed, were vulnerable to the old GTP attacks, regardless if the telcos were running 4G or 5G setups, Positive Technologies said.

Image: Positive Technologies

Currently, GTP is used in mixed 4G-5G networks, but the protocol will also be supported on 5G standalone networks, as they begin rolling out.

Positive Technologies says that 5G network operators need to secure their GTP legacy integrations by deploying additional systems that perform subscriber authentication and authorization.

"GTP security issues will not go away completely even after the transition to 5G Standalone," Positive Technologies said.

"While 5G security is a big step forward, mobile networks will continue to be exposed to GTP threats through roaming partners or prior mobile technologies using GTP," A10 Networks said last year. "Mobile operators will need to deploy a GTP firewall to protect against GTP-based attacks coming in from access networks, roaming partners, IoT, and more to support uninterrupted operations for their networks and subscribers."

All the major Intel vulnerabilities

Editorial standards