Mobile Internet Security Inside and Out
How does each of us connect to the mobile Internet? In principle, you need to know only three parameters: APN, login and password. APN is an access point through which a subscriber can connect to the service he needs (WAP, MMS, Internet); for our operators, it usually looks like internet.
Now that we know the necessary parameters, we can connect to the mobile Internet! How does this mysterious procedure happen? It occurs in two stages:
- GPRS Attach,
- PDP Context Activation.
Let us consider each of them in more detail.
GPRS Attach
In the GPRS Attach procedure, the telephone begins to “communicate” with the operator’s packet network. Authentication and authorization of user equipment takes place according to the following parameters:
IMSI (International Mobile Subscriber Identity, individual subscriber number) - for identification
- subscriber;
- keys stored on the SIM card - for subscriber authentication;
- checking services available to the subscriber (Internet, MMS, WAP) by recording in the subscriber database
It can also be verified by IMEI (International Mobile Equipment Identity). This identifier can be used to check against lists of stolen equipment, and if a particular IMEI is in the list of stolen equipment, access to the network may be denied, or even “where to” should be reported :)
After successful completion of the GPRS Attach procedure, the PDP (Packet Data) procedure begins Protocol) Context Activation. To understand this procedure, we digress and define some concepts.
SGSN (Serving GPRS Support Node, GPRS Customer Care Node) is a device that implements the basic functions of packet data processing in a mobile network.
GGSN (GPRS Gateway Service Node, GPRS gateway node) - a device that provides data transfer from the operator’s network to external networks (for example, to the Internet). In fact, it can be an ordinary router with support for some specific functions.
GTP (GPRS Tunneling Protocol) is the protocol stack used in GPRS, UMTS and LTE networks.
So, PDP Context Activation (the scheme is greatly simplified).

What happens when implementing this scheme?
- The phone sends a context activation request to the SGSN, which, among other things, contains a username, password and APN.
- The SGSN, upon receiving the APN, attempts to resolve it on the internal DNS server. The server resolves the provided APN and returns the address of the GGSN responsible for the given APN.
- At this address, the SGSN sends a request to create a PDP context.
- GGSN checks the provided username and password on a RADIUS server.
- Then it gets the IP address for our phone.
- And all the information necessary to activate the PDP context is transmitted back to the SGSN.
- SGSN completes the activation process by sending the data necessary to establish a connection to the telephone.
In essence, the PDP Context Activation procedure is to create a tunnel between the telephone and the gateway in the carrier network. And now we can go to your favorite sites and read mail.
Roaming
The question immediately arises: how does all this work in roaming? It turns out that there is a special network: GRX (Global Roaming Exchange) - a network for exchanging packet data of roaming subscribers of mobile networks. Through it all our traffic “runs”. Something like this:

- Having successfully reached the warmer climes, we decided to download our favorite series. They turned on the phone, started connecting to the Internet (send username, password, APN).
- Foreign SGSN is trying to resolve the APN we provided on its DNS server.
- The DNS server, not having found such records, addresses the root DNS server, which is located in the GRX network.
- The root DNS server sends a request to the DNS server on the network of our native operator.
- That, in turn, answers him with the address of our GGSN.
- The root DNS reports this address to the DNS server of a foreign operator.
- Which in turn reports this address to foreign SGSN.
- SGSN, knowing the address of the GGSN, sends him a request for activation of the PDP context.
- GGSN, if all the conditions are met (there is money in the account, the correct username and password are indicated, etc.), sends a confirmation, SGSN receives it and sends a confirmation of access to the Internet to our phone.
What do we see? We see that packages with our favorite series run through half the world from our operator to an operator in a warm country. They run on a special network, wrapped in the GTP protocol. And all negotiations between the special iron of the operators are conducted on the same GTP.
And here comes the idea: rather than try to figure out something similar in the laboratory? Build your SGSN and GGSN. Well, how do we get incredible discoveries?
SGSN + GGSN on the knee

After a long search, the following became clear.
There is special software that implements some of the features of SGSN. It looks like a script under Linux, which is able to emulate all the necessary procedures (GPRS Attach and PDP Context Activation) and give out a ready-made interface for accessing the Internet, as if we had stuck a 3G modem. Upon learning about this, we immediately rushed to look for a device ready to shoulder the GGSN functions. It turned out that the popular Cisco 7200 router is quite suitable.
After some manipulations, settings, and tests, success awaited us.

The stand easily lifted the tunnels through which the real Internet was “visible”. We immediately began to look at what kind of packets go between our mighty SGSN and GGSN. Do they look like real? With a sinking heart, we open a dump - and yes! packages like real ones.

Similar packets can go on the GRX network, and an evil hacker can very well listen to them. What will he see there? Let's try to find out.
Security questions
GTP protocol can be of several types: GTP-U is used for direct packaging and transmission of user data, GTP-C for session management (it is with its help that the PDP Context Activation procedure and other service procedures are performed); there is also GTP '(GTP Prime) - it is used to transfer billing information. GTP does not support peer authentication and encryption; it works on top of UDP. What is interesting about all this? Almost everything is interesting here!
Take GTP-U and see what the user data tunnel looks like. Tunnels are separated by the TEID (Tunnel Endpoint Identificator) parameter.

Upon further study, it turned out that, if desired, the field with TEID can be changed, and sending a packet with a changed tunnel identifier can unexpectedly break into someone else's session.
And here is GTP-C. Surprised to find the absence of any authentication or hints of encryption of the transmitted data, you can try not only to listen, but also, sorry, send something. For example, “left” requests to establish or break a session.
Let’s try in this way to outline the vectors of possible attacks and consider them closer.

For example, a DNS flood attack. An attacker sends a large number of requests for APN permission to our operator. All these packets will bombard the poor carrier DNS, which cannot stand the heat and generally refuses to transfer the GGSN address to anyone, causing a global DoS for subscribers.

Or the attacker will begin to send requests for creating a PDP context with his own hand. GGSN, seeing such a pressure, may well think, or even freeze. Which again will lead to a denial of customer service.
But what if, instead of creating requests, you try to send requests to break the session?
For example, like this: An

evil hacker, substituting the address of a foreign SGSN, will send requests to disconnect. GGSN, thinking that the subscriber has downloaded his favorite series and wants to end the Internet session, removes this tunnel from his home, breaking the connection.
Having sketched several vectors, we turn our eyes to real objects in order to “touch” all this. We type the request "GGSN" in shodan. Here is a piece of the results returned.

All this looks like real GGSNs put up on the Internet.
Or try to write a script that sends GTP-echo requests, and let it go for a walk on the Internet: suddenly someone will respond. And the responders are:

Sometimes even with open telnet.

The new generation standard, codenamed LTE, still uses the GTP protocol, and therefore all of the above is relevant and will be relevant for the foreseeable future.
That's all for today. See you soon!
I would like to express my gratitude to the Positive Technologies Network Security Analysis Department for assistance in preparing the material.
Posted by Ilya Safronov, Positive Research.