Global mobile roaming hub accessible from the Internet and vulnerable, researchers find


Two security researchers from KPN found vulnerable hosts in the GPRS Roaming Exchange that can be attacked from the Internet

The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal.

The scans were performed over a period of several months by Stephen Kho and Rob Kuiters, a penetration tester and an incident response handler from KPN, the largest telecommunications provider in the Netherlands.

The two security experts were inspired to test how vulnerable the GRX network is after news reports last year claimed that British intelligence agency GCHQ targeted network engineers from Belgacom, a large Belgian telecom provider, to access the company's GRX routers and intercept mobile roaming traffic.

BICS, a subsidiary of Belgacom, is one of the approximately 25 GRX providers that act as hubs connecting mobile operators to their roaming partners worldwide. The roaming traffic of mobile subscribers in different countries almost certainly passes through the GRX infrastructure of one of these providers.

Kho and Kuiters' scanning efforts were aimed at determining how large the global GRX network is and how easy it is to get into it remotely without targeting network engineers. They also wanted to understand what kind of information an attacker can potentially obtain by sniffing the traffic inside.

The team presented their findings Friday at the Hack in the Box security conference in Amsterdam.

Their scans identified approximately 42,000 live GRX hosts, 5,500 of which were accessible from the Internet, even though GRX was created with the intention of being a private network that serves only trusted mobile operators.

A closer analysis of the Internet-facing hosts revealed that in addition to services like GTP (GPRS Tunneling Protocol) and DNS (Domain Name System), many of them were also exposing a lot of other unexpected services including SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), Telnet, SMB (Server Message Block) and SNMP (Simple Network Management Protocol).

In many cases those services had been implemented using outdated software with known critical remote code execution vulnerabilities, such as old versions of BIND, Exim, Sendmail, OpenBSD ftpd, ProFTPD, VxWorks ftpd, Apache, Microsoft IIS, Oracle HTTP Server, Samba and others.

It looks like some operators brought their office equipment onto the GRX network, which should normally be used only to carry roaming traffic, the two security researchers said.
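For operators who want to check their own GRX-facing address ranges for the kind of exposure described above, the following added example (not from the researchers or the article) reads nmap grepable (`-oG`) output and lists every open service that is not on an allowlist. The allowlist (GTP-C on 2123/udp, GTP-U on 2152/udp, DNS on port 53) and the sample scan are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the only services a GRX-facing host is meant to expose.
# GTP-C (2123/udp), GTP-U (2152/udp) and DNS (53); adjust to your own design.
EXPECTED = {(2123, "udp"), (2152, "udp"), (53, "udp"), (53, "tcp")}

# Constructed sample in nmap grepable (-oG) format, using documentation addresses.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///, 2123/open/udp//gtp-control///
Host: 192.0.2.20 ()\tPorts: 21/open/tcp//ftp//ProFTPD/, 23/open/tcp//telnet///, 2152/open/udp//gtp-user///
Host: 192.0.2.30 ()\tPorts: 25/closed/tcp//smtp///, 161/open|filtered/udp//snmp///, 445/open/tcp//microsoft-ds//Samba smbd/
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Yield (host, port, proto, service, version) for every confirmed-open port."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpc-info/version/
            f = entry.strip().split("/")
            if len(f) < 7 or f[1] != "open":
                continue  # skip closed, filtered and open|filtered ports
            yield m.group(1), int(f[0]), f[2], f[4], f[6]


def unexpected_services(text, expected=EXPECTED):
    """Map each host to its open services that are not on the allowlist."""
    findings = defaultdict(list)
    for host, port, proto, service, version in parse_grepable(text):
        if (port, proto) not in expected:
            findings[host].append((port, proto, service, version))
    return {host: sorted(items) for host, items in findings.items()}


if __name__ == "__main__":
    for host, items in sorted(unexpected_services(SAMPLE_SCAN).items()):
        for port, proto, service, version in items:
            print(f"{host} {port}/{proto} {service} {version}".rstrip())
```

Hosts that appear in the result are candidates for removal from the GRX segment or for service shutdown and patching.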

Compromising those hosts that run vulnerable services to gain access to the GRX network doesn't even require that attackers buy zero-day exploits -- exploits for previously unknown vulnerabilities. They can use freely available tools like Metasploit, the researchers said.

Once a host is compromised, attackers can then pivot into the GRX network and gain access to the GTP traffic passing through it. Someone sniffing this user traffic can extract session identifiers, credentials, browsed images, URLs, files, but also information that can be used to track users and identify their mobile device.

The location information that is being sent as part of each user's GTP traffic includes the mobile country code, the mobile network code, cell identifiers, the International Mobile Subscriber Identity (IMSI) code and location area codes. The two security experts showed that by putting all of this data into a freely available online service, they can track a user's location on a map.

The distribution of the vulnerable hosts appears to be global, Kho and Kuiters said, adding that they've notified the operators who own them about the issues. Running the scans and identifying the vulnerable hosts was not difficult and the tools used are freely available, so it is possible that other people have done it before and maybe even already exploited the issues, they added.

