GTP Vulnerabilities: A cause for concern in 5G and LTE networks
Pavel Novikov
Pavel.Novikov@security-gen.com
Kirill Puzankov
Kirill.Puzankov@security-gen.com
Presenters
Pavel Novikov
Pavel.Novikov@security-gen.com
• 10 years in telecom security
• Co-author of GSMA FS.20 GPRS Tunneling Protocol (GTP) Security document
• Head of telecom security research in SecurityGen
• Focused on telecom vulnerabilities: RAN, VoLTE, VoWiFi, GTP, Diameter, 5G SA and NSA
• Conducting telecom security assessments for mobile operators for many years
Kirill Puzankov
Kirill.Puzankov@security-gen.com
• 10 years in telecom security
• Product manager in SecurityGen
• Exploring telco threats and vulnerabilities starting from SS7 up to 5G
• Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture
Confidential. Copyright © 2023 SecurityGen. All rights reserved.
What is GTP?
GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used to carry general packet radio service (GPRS) within GSM, UMTS, LTE and 5G networks.
GTP:
• GTP-C
• GTP-U
• GTP’
Specifications:
• 3GPP 29.281 Packet Radio System (GPRS) Tunnelling Protocol User Plane (GTPv1-U)
• 3GPP 29.060 General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface
• 3GPP 29.274 Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C)
• 3GPP 32.295 Telecommunication management; Charging management; Charging Data Record (CDR) transfer
Where is GTP?
[Diagram: 4G network, GTPv2. Elements: UE, eNb (E-UTRAN), MME, SGW, PGW, Internet. Interfaces: S1-U, S5, S10, S11. Paths: GTP-U, GTP-C.]
GTP protocol stack
[Diagram: layers L1, L2, IP, UDP, GTP-C. A GTP-C message: GTP header followed by information elements, including Group Information element (v2 only).]
GTP security: why is it important?
• Widespread
• Lacks built-in security mechanisms
• Roaming connection
• Fraud
• Interception
• DoS
• etc.
Roaming in GTP
[Diagram: 4G network, GTPv2. Network 1 and Network 2, each with UE, eNb (UTRAN), SGW, PGW and Internet, connected through the GRX over the S8 interface. Paths: GTP-U, GTP-C.]
Where is GTP?
[Diagram: 4G network, GTPv2. Network 1 with UE, eNb (UTRAN), SGW, PGW and Internet; an attacker connected through the GRX over the S8 interface.]
Analytics
Attack scenarios
• Data interception via Create PDP Context request
• Fraud via Create Session request with a non-existent subscriber
• Impersonation via Create Session request
• Data disclosure via SGSN Context request
• Network DoS via Create Session request
• Subscriber DoS via Update PDP Context request
Methodology
• 150+ telecom security assessments, 2022
• 39 MNOs
• 24 countries
• SEA, LATAM, MEA
Level of protection [chart]
Attacks and impact
85% of networks are vulnerable to subscriber DoS attacks via different techniques:
• Fake session on behalf of the subscriber
• Illegitimate change of the PGW node, causing subscriber traffic to be redirected
• Deletion of the subscriber session
71% of networks are vulnerable to information disclosure attacks via:
• Obtaining the TEID, which is needed to carry out other attacks
• It is also possible to obtain the IMEI, radio encryption keys and internal IP addresses
69% of networks are vulnerable to user traffic interception:
• The intruder can change the actual nodes that process user traffic, so that all incoming traffic is handled by the intruder
62% of networks are vulnerable to fraud:
• The intruder can establish a connection on behalf of a non-existent subscriber
46% of networks are vulnerable to network DoS:
• By sending numerous requests to open new connections, which may exhaust the whole DHCP server pool or the GTP tunnel pool
Possible protection measures
1. Filtering incoming traffic based on IP addresses of roaming partners.
Often requires no additional equipment for filtering incoming traffic, effectively blocking "wild" GTP hackers connected to a rogue provider.
• An attacker may gain access to the trusted MNO.
• Partners may lease their IP ranges and parts of their infrastructure to 3rd parties.
2. Implementing GSMA-recommended security measures.
Based on GSMA FS.20 GTP Security recommendations.
• Requires a GTP firewall with cross-protocol checks
• Implement monitoring
3. Combination of the approaches mentioned above.
Combines the advantages of the first two, offering the highest level of security.
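An added example, not from the slides or from SecurityGen: it shows why a source-IP allow list alone is weak and what per-message checks a GTP firewall can layer on top, using the GTPv2-C header and information element layout from the protocol stack slide. The partner range, PLMN codes, IMSIs and the registered_plmn lookup (standing in for state learned from another protocol) are all constructed assumptions.

```python
import ipaddress
import struct

# All values below are constructed for illustration.
PARTNERS = {ipaddress.ip_network("198.51.100.0/28"): "00101"}  # source range -> partner PLMN
HOME_PLMN = "99970"                # assumed home MCC+MNC
CREATE_SESSION_REQUEST = 32        # GTPv2-C message type (3GPP TS 29.274)
IE_IMSI, IE_SERVING_NETWORK = 1, 83

def tbcd(data):
    """Decode TBCD digits: low nibble first, 0xF is filler."""
    nibbles = (n for b in data for n in (b & 0x0F, b >> 4))
    return "".join(str(n) for n in nibbles if n <= 9)

def plmn_of(value):
    """Decode the 3-octet MCC/MNC field of a Serving Network IE."""
    if len(value) != 3:
        return None
    mcc = tbcd(value[:1]) + str(value[1] & 0x0F)
    mnc3 = value[1] >> 4
    return mcc + tbcd(value[2:]) + (str(mnc3) if mnc3 <= 9 else "")

def parse_gtpv2c(payload):
    """Return (message type, TEID or None, {IE type: first value}); ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short header")
    flags, msg_type, length = struct.unpack_from("!BBH", payload)
    if flags >> 5 != 2:
        raise ValueError("not GTPv2")
    if length + 4 != len(payload):      # piggybacked messages are not handled here
        raise ValueError("length mismatch")
    has_teid = bool(flags & 0x08)
    off = 12 if has_teid else 8
    if len(payload) < off:
        raise ValueError("short header")
    teid = struct.unpack_from("!I", payload, 4)[0] if has_teid else None
    ies = {}
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated IE header")
        ie_type, ie_len, _instance = struct.unpack_from("!BHB", payload, off)
        off += 4
        if off + ie_len > len(payload):
            raise ValueError("truncated IE value")
        ies.setdefault(ie_type, payload[off:off + ie_len])
        off += ie_len
    return msg_type, teid, ies

def check(src_ip, payload, registered_plmn):
    """Return (verdict, reason). registered_plmn maps IMSI -> PLMN the subscriber
    last registered in, as learned from another protocol (assumed feed)."""
    addr = ipaddress.ip_address(src_ip)
    partner = next((p for net, p in PARTNERS.items() if addr in net), None)
    if partner is None:
        return "drop", "source is not a roaming partner"
    try:
        msg_type, _teid, ies = parse_gtpv2c(payload)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if msg_type != CREATE_SESSION_REQUEST:
        return "pass", "message type outside this example"
    imsi = tbcd(ies.get(IE_IMSI, b""))
    if not imsi.startswith(HOME_PLMN):
        return "drop", "IMSI is not a home subscriber"
    if plmn_of(ies.get(IE_SERVING_NETWORK, b"")) != partner:
        return "drop", "serving network does not match source partner"
    if registered_plmn.get(imsi) != partner:
        return "drop", "subscriber not registered in that network"
    return "pass", "ok"

def make_csr(imsi, serving_hex):
    """Build a constructed Create Session Request carrying only the two IEs checked."""
    digits = imsi + "f" * (len(imsi) % 2)
    imsi_v = bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
    fields = ((IE_IMSI, imsi_v), (IE_SERVING_NETWORK, bytes.fromhex(serving_hex)))
    ies = b"".join(struct.pack("!BHB", t, len(v), 0) + v for t, v in fields)
    body = struct.pack("!I", 0) + b"\x00\x00\x01\x00" + ies   # TEID 0, sequence 1, spare
    return struct.pack("!BBH", 0x48, CREATE_SESSION_REQUEST, len(body)) + body

if __name__ == "__main__":
    state = {"999700000000001": "00101"}    # constructed registration state
    for src, imsi, sn in (("198.51.100.5", "999700000000001", "00f110"),
                          ("203.0.113.9", "999700000000001", "00f110"),
                          ("198.51.100.5", "999700000000002", "00f110"),
                          ("198.51.100.5", "999700000000001", "00f120")):
        print(src, imsi, check(src, make_csr(imsi, sn), state))
```

The third and fourth sample requests come from an allow-listed partner address and would pass IP filtering alone; they are dropped only by the message-level checks.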
Current real security measures
[Chart: implemented protection measures. Categories: IP filtering of roaming partners; Configuration not directly connected to security; No security measures. Values: 77%, 8%, 15%.]
Our solution: TSG Protection Suite
Stay tuned.
About SecurityGen
Founded in 2022, SecurityGen is a global start-up focused on telecom security. We deliver a solid security foundation to drive secure Telco digital transformations and ensure safe and robust network operations.
Connect With Us
Email: contact@secgen.com
Website: www.secgen.com
