
GPRS Security Threats and Solution Recommendations
By Jitesh Jain

ABSTRACT

This white paper discusses critical threats to GPRS networks and the approach taken by Aujas to identify and mitigate these threats. The comprehensive framework recommended by Aujas Security Labs to address GPRS security and the risks involved is also presented, together with best practices to mitigate those risks.

INTRODUCTION TO GPRS

In its simplest terms, GPRS is a technology that enables and supports packet switching in a GSM network. When GPRS is introduced into a GSM network, it adds two new network elements:

Serving GPRS Support Node (SGSN)
Gateway GPRS Support Node (GGSN)

The SGSN handles all packet-switched data within the network and is responsible for the authentication and tracking of users; it performs for packet data the same functions that the MSC performs for voice traffic. The SGSN and MSC are often co-located. The GGSN is the interface from the GSM/GPRS network to external networks and is also responsible for the allocation of IP addresses.

GPRS networks use a MODIFIED version of the standard second generation GSM Base Station Subsystem (BSS). A BSS consists of a BSC and several BTSs. The first point of contact for the GPRS MS is the Base Transceiver Station (BTS). The BTS is the component in each geographical area (cell) that provides radio coverage. The GSM and GPRS air interfaces are supported by the BTS. The BTS works with the next component in the radio network - the Base Station Controller (BSC) - to provide wireless coverage for GSM and GPRS mobiles. The BSC controls several BTSs. An entity within the BSC, called the Packet Control Unit (PCU), supports packet data services. Existing GSM BSCs can be upgraded with PCUs to support GPRS. The BSC/PCU coordinates all activities between the MS and the packet core network. It also coordinates the activities of all MSs within its domain and allocates radio resources for GPRS and GSM dynamically based on demand.

The SGSN is the entry point into the GPRS packet core network for mobile stations. It performs a role much like the Mobile Switching Center / Visitor Location Register (MSC/VLR) in a GSM network. When an MS registers with the GPRS network, the registration process is carried out by the SGSN. The SGSN coordinates with the Home Location Register (HLR) to authenticate subscribers. It maintains the mobile's current location and stores a temporary copy of the subscriber profile downloaded from the HLR. It manages packet data traffic for subscribers that are active in the SGSN's service area. The SGSN determines which Gateway GPRS Support Node (GGSN) best meets the needs of each packet data session and works closely with the GGSN to establish and maintain packet data sessions. The GGSN is the gateway between GPRS wireless networks and external packet data networks such as the Internet. The GGSN manages the connections of mobiles to the external networks and masks the mobility of the MS from the external packet data networks. The GGSN is responsible for allocating IP addresses to mobile stations if required. In addition, the GGSN may implement service-specific functions for services such as Virtual Private Network (VPN) for secure access to enterprise networks.

Data Services on the Gp, Gn and Gi Interfaces

In order to understand appropriate security solutions, it is important to understand the type of traffic and data services provided on the interfaces below; the corresponding threats can then be analyzed in detail.

Gp Interface: An IP-based interface between the internal SGSN and external GGSNs (those of roaming partners). Between the SGSN and the external GGSN sits the border gateway, which is essentially a firewall.

Gi Interface: An IP-based interface between the GGSN and a public data network (PDN), either directly to the Internet or through a WAP gateway.

Gn Interface: An IP-based interface between the SGSN and other SGSNs and (internal) GGSNs. DNS traffic also shares this interface, which carries the GTP protocol.

Threats on Gp:

Security property on Gp and the corresponding threats:

Availability:
  DNS flood
  GTP (GPRS Tunneling Protocol) flood
  Border gateway bandwidth saturation
  Spoofed GTP PDP (Packet Data Protocol, e.g. IP, X.25, Frame Relay) context delete

Authentication and authorization:
  Spoofed Create PDP Context Request
  Spoofed Update PDP Context Request

Integrity and confidentiality:
  Seizing the data connection of a subscriber

Availability

1. DNS flood: The attacker floods the DNS server with a large number of queries, so that subscribers lose the ability to locate the proper GGSN to use as an external gateway.

2. GTP flood: The attacker sends a large amount of GTP traffic between SGSN and GGSN, forcing their CPUs to process a great deal of illegal data. This is likely to keep subscribers from being able to roam to external networks.

3. Border gateway (BG) bandwidth saturation: A roaming partner connected to the same GRX can generate illegal traffic or a large volume of traffic that consumes the entire available GRX bandwidth, leading to failure of roaming access.

4. GTP PDP Context delete: An attacker can generate a GTP PDP Context Delete message that removes the GPRS tunnel created for a particular subscriber between SGSN and GGSN. The attacker can also paralyze the complete network by sending large numbers of GTP PDP Context Delete messages. This attack is very similar to an attack on the VLR in GSM, where subscribers are deleted from the VLR, leading to mobile-terminated call (MTC) failures.

Authentication and authorization

1. Spoofed Create PDP Context Request: There is no mechanism for GTP authentication between SGSN and GGSN, hence an attacker with access to a fake SGSN can create a GTP tunnel towards the GGSN and use the service provider's network for their own purposes. This can result in complete exhaustion of GGSN resources if the fake SGSN pumps data at a much higher rate than the GGSN can tolerate.

2. Spoofed Update PDP Context Request: An attacker is likely to use the fake SGSN to send an Update PDP Context Request to an SGSN that is processing an existing GTP session. In this way the attacker can hijack the existing GTP data connection.

3. Billing attacks: This can be correlated with the SMS spoofing issue in GSM. Here the attacker gets access to the mobile IP address allocated by the GGSN for a particular session. Using this IP address the attacker can browse and download data; the innocent subscriber has no idea about it but is charged for it.

Integrity and confidentiality

As GTP is unencrypted, an attacker with access to the path between SGSN and GGSN can capture a subscriber's data connection.

Threats on the Gi interface

Availability

1. Bandwidth saturation: Like the Gp interface, the Gi interface faces denial of service as its largest threat. An attacker can flood the complete bandwidth between the PDN and the mobile network.

2. MS flooding: An attacker can direct a great deal of traffic at a particular MS, so that the MS is no longer able to use the GPRS network.

Authentication and authorization

An MS can choose any IP address by itself, regardless of the IP address that the GGSN assigned to it; hence the source IP address cannot be relied upon at all.

Integrity and confidentiality

GPRS traffic is conveyed unprotected, enabling compromises of confidentiality and integrity. GPRS traffic is also exposed to malicious software such as viruses, worms and Trojan horses; this software may target any GPRS node or user.

For example, a virus may infect an MS and perform an over-billing attack.

Threats on the Gn interface

IP technology is used to connect the SGSN and the GGSN of the same network operator (Gn interface). This connection may be built on top of an already existing IP network that is not dedicated to GPRS traffic. Therefore, traffic originating from outside the GPRS network shares the GPRS backbone links with GPRS traffic. The latter is conveyed in clear text in the GPRS backbone, since the GTP protocol, which is employed for both signaling and user data, does not support any security measure. This situation might cause performance problems for the GPRS backbone (i.e., network overload) and expose GPRS traffic to the security threats (e.g., denial of service attacks, IP spoofing, compromise of confidentiality and privacy, etc.) that the public Internet encounters. The Gn interface is therefore vulnerable to attacks that can potentially lead to network downtime, loss of service, revenue loss and disgruntled customers. In the following, the most prominent security attacks that may be carried out against this part of the GPRS backbone network are presented.

Since the IP network used as the basis for the GPRS backbone is not dedicated to it, a malicious third party may masquerade as a legitimate part of the GPRS network by spoofing the address of a GPRS network component (e.g., GGSN or SGSN). Once the malicious party has established itself as a legitimate network element, it is able to perform various actions that are detrimental to the mobile subscribers and the network operator. By executing the commands that a legitimate network component normally executes, the attack remains undetected until its results become noticeable. One of these attacks is related to the GTP protocol, and more specifically to the misuse of GTP commands such as PDP Context Create, PDP Context Delete and PDP Context Update. An attacker who has access to the GPRS backbone network can obtain information about the GTP tunnels simply by monitoring the GTP traffic, which is unencrypted. Without encryption, data carried by the GTP protocol can be read or manipulated. Possessing the appropriate information, the attacker may create and forward PDP Context Create, Delete and Update commands to the network's GGSN. These commands overload the GGSN under attack and change the service contexts of the mobile users currently served by the network, resulting in denial of service.

In addition to malicious third parties that gain access to the GPRS backbone network, the mobile users themselves (legitimate or not) may represent a threat to it. Since the MSs are behind the firewall located between the GGSN and the public Internet, they may gain access to the network elements of the GPRS backbone (i.e., SGSN, GGSN, DNS servers, O&M workstations, etc.). Having access to these elements, a malicious MS may perform various attacks such as denial of service, IP spoofing, compromise of confidentiality and privacy, etc. Moreover, once a malicious MS has access to the GPRS network, it may send massive amounts of data to unsuspecting users. Since GPRS is a usage-based service, the mobile users under attack are over-billed for content they did not request. Such an attack would be even more harmful than spam is for e-mail, as it becomes much more than an annoyance. Finally, a malicious MS in cooperation with a malicious server located outside the GPRS network may also perform an over-billing attack against a legitimate mobile subscriber. The malicious MS hijacks the IP address of the legitimate MS and invokes a download from the malicious server. Once the download begins, the malicious MS exits the session.

The legitimate MS (the MS under attack) receives, and is charged for, traffic that it never requested. Malicious parties could also execute this attack by broadcasting unsolicited data to legitimate mobile subscribers. The result is the same: the subscribers are billed for data that they did not solicit and might not have wanted.

Security solutions on the Gp, Gn and Gi interfaces

GTP (GPRS Tunneling Protocol) packet filtering: Allow only the traffic required from the sources and destinations of roaming partners. A firewall that supports GTP inspection should be implemented, ensuring that GSNs do not process GTP packets that are malformed, have illegal headers, or are not in the correct state.

GTP traffic shaping: GTP rate limiting keeps the shared bandwidth from being occupied by attackers and addresses denial of service attacks.

IPSec between roaming partners: The construction of IPSec tunnels between roaming partners addresses the majority of confidentiality and authentication problems.

Traffic rate limiting: Rate limiting keeps the shared bandwidth from being occupied by attackers and ensures that an attacker on the Internet cannot paralyze the mobile intranet service.

Packet inspection: A mechanism should be incorporated that permits connections initiated by the MS towards the public network and denies all others.

Ingress and egress packet filtering: Prevent the possibility of spoofed MS-to-MS data by blocking incoming traffic whose source addresses are the same as those assigned to an MS for public network access.

Logical tunnels from GGSN to corporate networks: An IPSec tunnel should be constructed from the GGSN to the corporate network whenever the connection is via the Internet.
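The GTP packet filtering and traffic shaping recommended above, and the Gp threats they answer (spoofed Create/Update/Delete PDP Context from a fake SGSN, GTP floods, malformed packets), can be made concrete with a small stateful filter. The following is an added example, not code from the paper or from Aujas. It assumes the GTPv1 control-plane header and the Cause and TEID Control Plane information elements as defined in 3GPP TS 29.060, keys tunnel state on (partner SGSN address, GGSN control-plane TEID learned from an accepted Create PDP Context Response), enforces a per-peer rate limit, and drops anything it cannot parse. The partner allowlist, addresses, TEIDs and packets are constructed; a production filter would carry the full IE table rather than the four TV types listed here, and would reset the rate window on a timer.

```python
"""Stateful GTPv1 control-plane filter for a Gp border gateway (added example, not Aujas code).
Header layout, message types and IE types follow 3GPP TS 29.060; the partner
allowlist, rate limit and sample packets below are constructed for the example."""
import struct
from collections import defaultdict

ECHO_REQ, CREATE_REQ, CREATE_RESP, UPDATE_REQ, DELETE_REQ = 1, 16, 17, 18, 20
IE_CAUSE, IE_TEID_CP = 1, 17
TV_IE_LENGTHS = {1: 1, 14: 1, 16: 4, 17: 4}   # fixed-length (TV) IEs the filter understands

class GtpError(ValueError):
    """Anything the filter cannot parse is dropped, never forwarded."""

def parse_header(pkt):
    """Validate the mandatory 8-octet GTPv1 header; return (msg_type, teid, payload)."""
    if len(pkt) < 8:
        raise GtpError("truncated header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:      # version must be 1, PT bit must say GTP
        raise GtpError("not GTPv1")
    if len(pkt) - 8 != length:
        raise GtpError("length field disagrees with packet size")
    hdr_len = 12 if flags & 0x07 else 8          # E, S or PN flag adds 4 optional octets
    if len(pkt) < hdr_len:
        raise GtpError("optional header octets missing")
    return msg_type, teid, pkt[hdr_len:]

def parse_ies(payload):
    """Walk the information elements; reject unknown TV types and overruns."""
    ies, i = {}, 0
    while i < len(payload):
        t = payload[i]
        if t < 128:                                # TV: fixed length, no length field
            if t not in TV_IE_LENGTHS:
                raise GtpError(f"unsupported TV IE {t}")
            n, start = TV_IE_LENGTHS[t], i + 1
        else:                                      # TLV: 2-octet length follows the type
            if i + 3 > len(payload):
                raise GtpError("truncated TLV IE")
            n, start = struct.unpack("!H", payload[i + 1:i + 3])[0], i + 3
        value = payload[start:start + n]
        if len(value) != n:
            raise GtpError(f"IE {t} overruns payload")
        ies[t], i = value, start + n
    return ies

class GpFilter:
    def __init__(self, partners, rate_limit=5):
        self.partners = set(partners)       # SGSN addresses of roaming partners
        self.rate_limit = rate_limit        # control messages per peer per window (reset on a timer in practice)
        self.tunnels = defaultdict(set)     # peer -> GGSN control-plane TEIDs that peer may address
        self.window = defaultdict(int)      # peer -> control messages seen in the current window

    def inspect(self, src, dst, pkt, from_partner):
        """Return (verdict, reason); from_partner is True for SGSN -> GGSN packets."""
        try:
            msg_type, teid, payload = parse_header(pkt)
            ies = parse_ies(payload)
        except GtpError as e:
            return "DROP", f"malformed: {e}"
        if not from_partner:
            # GGSN -> SGSN: learn a tunnel when the GGSN accepts a Create PDP Context Request
            cause = ies.get(IE_CAUSE, b"\x00")[0]
            if msg_type == CREATE_RESP and cause >> 6 == 0b10 and IE_TEID_CP in ies:
                self.tunnels[dst].add(struct.unpack("!I", ies[IE_TEID_CP])[0])
            return "PASS", "response toward partner"
        if src not in self.partners:
            return "DROP", "source is not a roaming partner SGSN"
        self.window[src] += 1
        if self.window[src] > self.rate_limit:
            return "DROP", "control-plane rate limit exceeded"
        if msg_type == ECHO_REQ:
            return "PASS", "echo"
        if msg_type == CREATE_REQ:
            if teid != 0 and teid not in self.tunnels[src]:
                return "DROP", "create request on a TEID this peer never established"
            return "PASS", "create request"
        if msg_type in (UPDATE_REQ, DELETE_REQ):
            if teid not in self.tunnels[src]:
                return "DROP", "update/delete for a tunnel this peer never established"
            if msg_type == DELETE_REQ:
                self.tunnels[src].discard(teid)
            return "PASS", "request on a known tunnel"
        return "DROP", f"message type {msg_type} not permitted from a partner"

def gtp(msg_type, teid, payload=b""):
    """Build a constructed GTPv1 packet (version 1, PT=1, no optional header octets)."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload

def demo():
    """Run constructed traffic through the filter; returns {scenario: verdict}."""
    f = GpFilter(partners={"198.51.100.10"}, rate_limit=5)
    sgsn, ggsn, rogue = "198.51.100.10", "192.0.2.1", "203.0.113.7"   # constructed addresses
    accepted = bytes([IE_CAUSE, 128, IE_TEID_CP]) + struct.pack("!I", 0x00C0FFEE)
    out = {}
    out["partner create"] = f.inspect(sgsn, ggsn, gtp(CREATE_REQ, 0), True)[0]
    out["ggsn accepts"] = f.inspect(ggsn, sgsn, gtp(CREATE_RESP, 0x1111, accepted), False)[0]
    out["partner update"] = f.inspect(sgsn, ggsn, gtp(UPDATE_REQ, 0x00C0FFEE), True)[0]
    out["rogue delete"] = f.inspect(rogue, ggsn, gtp(DELETE_REQ, 0x00C0FFEE), True)[0]
    out["spoofed delete"] = f.inspect(sgsn, ggsn, gtp(DELETE_REQ, 0xDEAD0001), True)[0]
    bad = struct.pack("!BBHI", 0x30, DELETE_REQ, 4, 0x00C0FFEE)   # claims 4 payload octets, carries none
    out["bad length"] = f.inspect(sgsn, ggsn, bad, True)[0]
    for _ in range(3):                                            # 4th, 5th and 6th message in the window
        out["flood"] = f.inspect(sgsn, ggsn, gtp(ECHO_REQ, 0), True)[0]
    return out
```

Calling demo() passes the partner's Create, the GGSN's accepting response and the partner's Update on the learned TEID, and drops the Delete from a non-partner address, the Delete on a TEID the partner never established, the packet whose length field lies, and the sixth control message inside one rate window. Keying state on the learned TEID is what turns "spoofed Delete PDP Context" from a one-packet outage into a dropped packet: the attacker must first obtain a TEID the GGSN actually handed to that peer, which the IPSec recommendation above then protects on the wire.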
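The Gi-side recommendations (packet inspection that only permits MS-initiated connections, and ingress/egress filtering against addresses from the MS pool) answer the Gi threats described earlier: an MS choosing its own source address, MS flooding, and the over-billing attack in which an attacker hijacks a subscriber's IP address and pulls traffic toward it. The following is an added example, not code from the paper or from Aujas. It binds each PDP context to the address the GGSN assigned, records flows the MS opens, and forwards traffic from the PDN only when it answers such a flow; the address pool, context identifiers and packets are constructed, and a real GGSN or Gi firewall would key flows on the full 5-tuple and age them out.

```python
"""Gi-interface anti-spoofing and stateful ingress/egress filter (added example, not Aujas code).
Address pool, PDP context ids and traffic below are constructed for the example."""
import ipaddress

class GiFilter:
    """Binds each PDP context to the address the GGSN assigned and only lets
    return traffic for MS-initiated flows back in from the PDN."""

    def __init__(self, ms_pool):
        self.ms_pool = ipaddress.ip_network(ms_pool)
        self.bound = {}        # PDP context id -> address the GGSN assigned to that MS
        self.flows = set()     # (ms_ip, remote_ip, remote_port) opened by the MS itself

    def pdp_activated(self, ctx, ip):
        ip = ipaddress.ip_address(ip)
        if ip not in self.ms_pool:
            raise ValueError("assigned address is outside the MS pool")
        self.bound[ctx] = ip

    def pdp_deactivated(self, ctx):
        ms_ip = self.bound.pop(ctx, None)
        # forget the flows too, so a later holder of the address gets no stray traffic billed
        self.flows = {f for f in self.flows if f[0] != ms_ip}

    def egress(self, ctx, src, dst, dport):
        """MS -> PDN. The MS may put any source address in its packets, so the
        GGSN-assigned address is the only thing that is trusted."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.bound.get(ctx) != src:
            return "DROP", "source address is not the one assigned to this PDP context"
        if dst in self.ms_pool:
            return "DROP", "MS-to-MS traffic via Gi is not permitted"
        self.flows.add((src, dst, dport))
        return "PASS", "flow recorded"

    def ingress(self, src, dst, sport):
        """PDN -> MS. Only replies to flows an MS opened are forwarded."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.ms_pool:
            return "DROP", "source address belongs to the MS pool (spoofed MS)"
        if dst not in self.bound.values():
            return "DROP", "no active PDP context owns the destination address"
        if (dst, src, sport) not in self.flows:
            return "DROP", "unsolicited traffic toward the MS (would be billed to the subscriber)"
        return "PASS", "reply to an MS-initiated flow"

def demo():
    """Constructed traffic through the filter; returns {scenario: verdict}."""
    gi = GiFilter("10.64.0.0/16")                         # constructed MS address pool
    gi.pdp_activated("ctx-A", "10.64.1.5")
    gi.pdp_activated("ctx-B", "10.64.1.6")
    out = {}
    out["ms opens https"] = gi.egress("ctx-A", "10.64.1.5", "203.0.113.50", 443)[0]
    out["reply"] = gi.ingress("203.0.113.50", "10.64.1.5", 443)[0]
    out["ms spoofs neighbour"] = gi.egress("ctx-B", "10.64.1.5", "203.0.113.50", 443)[0]
    out["ms to ms via gi"] = gi.egress("ctx-B", "10.64.1.6", "10.64.1.5", 80)[0]
    out["internet spoofs ms"] = gi.ingress("10.64.1.9", "10.64.1.5", 80)[0]
    out["unsolicited push"] = gi.ingress("198.51.100.20", "10.64.1.6", 80)[0]
    gi.pdp_deactivated("ctx-A")
    out["reply after detach"] = gi.ingress("203.0.113.50", "10.64.1.5", 443)[0]
    return out
```

The egress check is what neutralises "the MS can choose any IP address": the filter never trusts the source field, only the binding made when the PDP context was activated. The ingress check is the billing protection: a push from an outside server toward a subscriber who opened no flow to it is dropped before it can be counted against that subscriber, and forgetting flows on deactivation keeps the next holder of a recycled address from inheriting them.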

Aujas Approach on Securing GSM

Aujas provides a systematic approach to assessing and remediating vulnerabilities in telecom core nodes by offering the following services:

Telecom Penetration Testing and Security Consulting

Most telecom operators lack a complete understanding of the present and emerging security risks to their core GSM/GPRS networks, and this risk is increasing in proportion to the number of new connections being deployed between core networks and the external world. Aujas provides telecom operators with security consulting and performs penetration testing on GSM/GPRS core nodes, following a systematic approach to assessing and remediating vulnerabilities in telecom core nodes:

1. Penetration testing on GSM SS7 and SIGTRAN protocols and the corresponding core nodes running these protocols, using industry-standard automated tools and a manual approach.

2. Penetration testing on GPRS GTP, DIAMETER, RADIUS and Layer 7 protocols and the corresponding core nodes running these protocols.

3. Penetration testing on routers, firewalls and switches.

MBSS

We at Aujas understand the importance of a Minimum Baseline Security Standard (MBSS) that gives telecom network operators a minimum standard, or best-practices standard, which can then be applied to most nodes present in a telecom network, such as HLR, MSS, MSC, MGW, STP, SMSC, MMSC, GGSN, SGSN, OSS elements, transmission elements, IN, roaming nodes and many more. Aujas has developed these baseline security standards keeping in mind the current threat scenario and the security configuration required for every telecom core node. The standards are updated with emerging telecom standard releases and vulnerabilities.

Telecom Device Configuration Audit/Review

Aujas has developed globally unique checklists to review and test the current security configuration of most nodes in a typical telecom network. Aujas performs a security configuration review against the existing MBSS and the available checklist on telecom core nodes and points out the security gaps in the system. Aujas covers all the elements mentioned above for security configuration review and also performs testing on elements such as HLR, MSC, MSS, MGW, SMSC, MMSC, other VAS nodes, roaming nodes, transmission nodes, OSS, BSS, Intelligent Networks, routers, firewalls, STP, Lawful Intercept interfaces and packet core elements such as GGSN, SGSN, AAA server, PCRF, DNS lookup server, OCS, Enhanced Charging Server and many more.

CONCLUSION

In this paper, the security of the GPRS network is evaluated, and a complete but brief review of its security problems is presented. It is proved that GPRS has many inherent security flaws that can be misused for fraudulent purposes or for deceiving users. We have shown that the GPRS technology is vulnerable to denial of service attacks and that the resources needed to mount such an attack are dangerously low; hence it is very important to maintain the security level needed to withstand such attacks. Today, operators react to fraud and attacks after they have occurred, increasing the potential for additional risks and substantial costs, in the form of expensive fixes, increased customer churn and a decreased perceived value of the operator. Therefore, operators must effectively implement solutions to become aware of vulnerabilities in their core network and continuously monitor for risks, before they materialize, to ensure smooth, consistent operations. Aujas Networks has developed technology and solutions that help telecom operators to mitigate many of the possible threats to the GPRS network, mobile subscribers and corporate networks. Aujas security solutions provide benefits that help operators minimize risks and reduce the costs of post-fraud/attack situations, ensuring stronger protection of their core network and enabling them to provide a higher level of service to customers. All these benefits add up to decreased costs, improved margins and a strong ROI from implementing Aujas security solutions.

About the Author

Jitesh is a Senior Consultant with Aujas working in the telecom security domain, where he is involved in telecommunication security and telecom fraud. He has more than 6 years of rich experience in telecom operations, network planning and testing, and security best practices across the telecom industry. He has diverse experience with major telecom operators managing security risk. Prior to joining Aujas he worked with Nokia Siemens Networks, Loop Mobile and Cisco R&D. He has been involved in many telecom security projects and has carried out security configuration reviews and penetration testing on core (2G/3G) GSM/GPRS nodes.

