At 12:40 PM 1/30/2002, Viraf Hathiram wrote:
>We've talked about the air interface and the sim cards of GSM in an earlier
>discussion. I'm just getting acquainted with GPRS and would like to know if
>there are documented cases of the GPRS backbone (GGSN, DNS, etc.) being
>attacked from a mobile node.

Interesting point indeed, as it is a likely way of attack on the operator's
Air interface attacks are interesting from the theoretical point of view
but in practice would probably not be implemented.

There are documented cases of GPRS security exposure seen from the MS,
although such studies are generally kept confidential by the operators
conducting them rather than publicly discussed. GSM operators are like banks;
they usually do not want to discuss their vulnerabilities in a public forum.

We have recently conducted such a study for a startup GSM operator in
Southeast Asia and the findings were quite interesting...
The GPRS vendor of course claims to be highly secure. But this claim is no
more substantiated than any other vendor's.

We were able to compromise the GGSN from an MS due to some misconfiguration
in the way they had their firewall set up. In this case, GPRS infrastructure
(GGSN, SGSN, DNS, authentication server, firewall, etc.) interconnects the
GSM network, the Internet and the operator's Intranet.

The vulnerabilities we exposed were not GPRS-specific, but rather common IP
vulnerabilities usually found during a pentest (DNS leaking info, firewall
not restrictive enough on the MS side, poor Intranet security).

Due to common practices by GSM operators ("let's roll out this new thing
quickly so we can have it before the competition") we expect that such
configuration problems will be common. The GPRS user base is still small
but all forecasts point to a huge growth this year and next.

Emmanuel Gadaix
Globe Relay Inc.

