Re: GPRS vulnerabilities

From: Emmanuel Gadaix (emmanuel@relaygroup.com)
Date: 02/04/02


Date: Mon, 04 Feb 2002 12:08:49 +0700
To: Viraf Hathiram <Viraf.Hathiram@optus.com.au>, pen-test@securityfocus.com
From: Emmanuel Gadaix <emmanuel@relaygroup.com>

At 12:40 PM 1/30/2002, Viraf Hathiram wrote:
>We've talked about the air interface and the SIM cards of GSM in an earlier
>discussion. I'm just getting acquainted with GPRS and would like to know if
>there are documented cases of the GPRS backbone (GGSN, DNS, etc.) being
>attacked from a mobile node.

Interesting point indeed, as it is a likely way of attack on the operator's
infrastructure.
Air interface attacks are interesting from the theoretical point of view
but in practice would probably not be implemented.

There are documented cases of GPRS security exposure seen from the MS,
although such studies are generally kept confidential by the operators
conducting them rather than publicly discussed. GSM operators are like banks,
they usually do not want to discuss their vulnerabilities in a public forum.

We have recently conducted such a study for a startup GSM operator in
Southeast Asia and the findings were quite interesting...
The GPRS vendor of course claims to be highly secure. But this claim is no
more substantiated than any other vendor's.

We were able to compromise the GGSN from a MS due to some misconfiguration
in the way they had their firewall set up. In this case, the GPRS infrastructure
(GGSN, SGSN, DNS, authentication server, firewall, etc.) interconnects the
GSM network, the Internet and the operator's Intranet.

The vulnerabilities we exposed were not GPRS-specific, but rather common IP
vulnerabilities usually found during a pentest (DNS leaking info, firewall
not restrictive enough on the MS side, poor Intranet security).

Due to common practices by GSM operators ("let's roll out this new thing
quickly so we can have it before the competition") we expect that such
configuration problems will be common. The GPRS user base is still small
but all forecasts point to a huge growth this year and next.

Emmanuel Gadaix
Globe Relay Inc.
http://globerelay.com
