LONDON — Mobile operators need to reassess security vulnerabilities in the key GPRS Tunnelling Protocol (GTP) and bolster GTP security within their networks as they continue to invest in and roll out 5G, according to a new study by SecurityGen.

SecurityGen’s latest report, titled “GTP vulnerabilities: A cause for concern in 5G and LTE networks,” is based on 150 telecom security assessments of 39 live mobile networks during 2022 and 2023. It found that nearly 77% of networks had no cybersecurity measures in place against GTP-based attacks. Only 23% had a high level of cybersecurity measures to keep successful GTP-based test attacks to a minimum. 

“Despite its widespread use, the GTP mobile network protocol is not entirely secure and opens up opportunities for attackers to intercept sensitive user data, engage in fraudulent activities, or disrupt network services,” said Dmitry Kurbatov, co-founder and CTO of SecurityGen. “As we explored and examined GTP’s security vulnerabilities, it became apparent that the protocol requires in-depth consideration and robust mitigation strategies to block the potential threats more so in the 5G setup.”

The SecurityGen assessments found that all of the tested networks exhibited some vulnerabilities in their management of the GTP protocol as listed below.

  • In 71% of networks assessed, GTP-based test attacks on subscriber information disclosure were successful, which can be used to impact subscribers, perform other attacks, target other interfaces, radio interfaces and OS and network vulnerabilities.
  • 62% of networks assessed were vulnerable to fraudulent activity involving the GTP protocol. 
  • 85% of networks were susceptible to targeted attacks on subscribers aimed at impeding or completely interrupting the functionality of data transmission services.
  • 46% were vulnerable to network equipment denial-of-service attacks. Using this vulnerability, an attacker can simultaneously hinder network connection for individual subscribers and many users via network equipment denial.
  • User traffic interception was successful in 69% of the networks tested. By exploiting this vulnerability, an attacker can direct all incoming traffic to their equipment by altering the nodes that process the user traffic. 

“Throughout our assessments, we were surprised that not a single network was protected with a GTP firewall,” Kurbatov said. “Even when mobile operators claimed to have a GTP firewall deployed, we could carry test attacks successfully, as there was no functional GTP firewall in place. This suggests that either the GTP firewall was not actively operational, or its filtering rules were not correctly configured or enabled.”

“Some mobile operators employ IP address filtering from nonroaming partners to incoming traffic as a countermeasure — however, our simulated test attacks were still able to bypass this technique. The deployment of a fully functional GTP firewall could significantly improve these statistics and provide more robust protection against potential threats. Adopting advanced GTP firewall solutions undoubtedly enhances the overall security of mobile networks and protects them against multiple GTP attack vectors.

“The interconnected nature of 3G, 4G, and now 5G mobile networks across different generations amplify the risks posed by GTP security vulnerabilities,” he continued. “Our research highlighted a worrying lack of robust security measures across a significant proportion of the mobile networks we examined. Despite ongoing efforts by the GSMA and individual mobile operators since 2017, we found that comprehensive cybersecurity measures are still not in place for the most part.

“The increasingly vital role of mobile technology in nearly every aspect of how we live and work means that operators must regard effective cybersecurity measures and policies that protect their networks and mobile users as a commercial and operational priority,” Kurbatov added. “This includes a comprehensive GTP protection strategy encompassing deployment of functional GTP firewalls, the application of GSMA-recommended protections, the integration of intrusion detection systems, and the regular monitoring of all network communication interfaces.” 

“The findings of this study should serve as a wakeup call that spurs operators and the wider telecoms industry to take action necessary to secure our interconnected digital future,” he concluded.