Global mobile roaming hub accessible from the Internet and vulnerable, researchers find
Two security researchers from KPN found vulnerable hosts in the GPRS Roaming Exchange that can be attacked from the Internet
IDG News Service - The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal.
The scans were performed over a period of several months by Stephen Kho and Rob Kuiters, a penetration tester and an incident response handler from KPN, the largest telecommunications provider in the Netherlands.
The two security experts were inspired to test how vulnerable the GRX network is after news reports last year claimed that the British intelligence agency GCHQ targeted network engineers at Belgacom, a large Belgian telecom provider, to gain access to the company's GRX routers and intercept mobile roaming traffic.
BICS, a subsidiary of Belgacom, is one of approximately 25 GRX providers worldwide that act as hubs connecting mobile operators to their roaming partners. The roaming traffic of mobile subscribers in different countries almost certainly passes through the GRX infrastructure of at least one of these providers.
Kho and Kuiters' scanning efforts were aimed at determining how large the global GRX network is and how easy it is to get into it remotely without targeting network engineers. They also wanted to understand what kind of information an attacker can potentially obtain by sniffing the traffic inside.
The team presented their findings Friday at the Hack in the Box security conference in Amsterdam.
Their scans identified approximately 42,000 live GRX hosts, 5,500 of which were accessible from the Internet, even though GRX was created with the intention of being a private network that serves only trusted mobile operators.
A closer analysis of the Internet-facing hosts revealed that in addition to services like GTP (GPRS Tunneling Protocol) and DNS (Domain Name System), many of them were also exposing a lot of other unexpected services including SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), Telnet, SMB (Server Message Block) and SNMP (Simple Network Management Protocol).
In many cases those services had been implemented using outdated software with known critical remote code execution vulnerabilities like old versions of BIND, Exim, Sendmail, OpenBSD ftpd, ProFTPD, VxWorks ftpd, Apache, Microsoft IIS, Oracle HTTP Server, Samba and others.
It looks like some operators brought their office equipment onto the GRX network, which should normally be used only to carry roaming traffic, the two security researchers said.
Compromising those hosts that run vulnerable services to gain access to the GRX network doesn't even require that attackers buy zero-day exploits -- exploits for previously unknown vulnerabilities. They can use freely available tools like Metasploit, the researchers said.
Once a host is compromised, attackers can pivot into the GRX network and gain access to the GTP traffic passing through it. Someone sniffing this user traffic can extract session identifiers, credentials, browsed images, URLs and files, as well as information that can be used to track users and identify their mobile devices.
The location information carried in each user's GTP signaling includes the mobile country code (MCC), the mobile network code (MNC), cell identifiers, the International Mobile Subscriber Identity (IMSI) and location area codes. The two security experts showed that by feeding this data into a freely available online cell-ID lookup service, they could plot a user's location on a map.
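To make concrete what a sniffer on the GRX would see, the following added example (not code from the KPN researchers or from this article) decodes a GTPv1-C Create PDP Context Request, the message an SGSN sends to a GGSN when a roaming subscriber attaches for data service, and pulls out exactly the fields named above: the IMSI and the MCC/MNC, location area code and cell ID from the User Location Information element. The packet is constructed inline from the 3GPP TS 29.060 layouts; the IMSI, PLMN, LAC and cell ID in it are made up, and the fixed-length IE table covers only the element types this sample uses.

```python
"""Decode a GTPv1-C Create PDP Context Request and extract the subscriber and
location fields a sniffer on the GRX would see.

Added example; the sample packet is constructed here from the TS 29.060
layouts and every identifier in it (IMSI, PLMN, LAC, CI) is invented.
"""
import struct

CREATE_PDP_CONTEXT_REQUEST = 0x10

# GTPv1 IEs with type < 128 are TV (no length field). A parser must know their
# sizes, otherwise it cannot locate the next IE; this table is a subset.
TV_LENGTHS = {
    1: 1,    # Cause
    2: 8,    # IMSI
    3: 6,    # Routeing Area Identity (RAI)
    14: 1,   # Recovery
    15: 1,   # Selection Mode
    16: 4,   # TEID Data I
    17: 4,   # TEID Control Plane
    20: 1,   # NSAPI
    26: 2,   # Charging Characteristics
    127: 4,  # Charging ID
}
IE_IMSI = 2
IE_RAI = 3
IE_ULI = 0x98  # User Location Information (TLV)


def decode_tbcd(data: bytes) -> str:
    """Telephony BCD: low nibble holds the first digit, 0xF pads an odd count."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def decode_plmn(data: bytes) -> tuple:
    """3-octet MCC/MNC: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (MNC3 = 0xF if 2-digit MNC)."""
    mcc = f"{data[0] & 0xF}{data[0] >> 4}{data[1] & 0xF}"
    mnc = f"{data[2] & 0xF}{data[2] >> 4}"
    if data[1] >> 4 != 0xF:
        mnc += str(data[1] >> 4)
    return mcc, mnc


def iter_ies(body: bytes):
    """Yield (type, value) for each IE. Unknown TV types cannot be skipped safely."""
    pos = 0
    while pos < len(body):
        t = body[pos]
        if t < 128:
            if t not in TV_LENGTHS:
                raise ValueError(f"unknown fixed-length IE type {t}")
            n = TV_LENGTHS[t]
            yield t, body[pos + 1:pos + 1 + n]
            pos += 1 + n
        else:
            (n,) = struct.unpack_from("!H", body, pos + 1)
            yield t, body[pos + 3:pos + 3 + n]
            pos += 3 + n


def parse_gtpv1c(pkt: bytes) -> dict:
    """Parse the GTPv1 header and collect subscriber/location IEs into a dict."""
    flags, msg_type, length, teid = struct.unpack_from("!BBHI", pkt, 0)
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    pos, seq = 8, None
    if flags & 0x07:  # E, S or PN set: sequence, N-PDU and next-ext octets follow
        (seq,) = struct.unpack_from("!H", pkt, pos)
        pos += 4
    body = pkt[pos:8 + length]  # length excludes the 8 mandatory header octets
    out = {"msg_type": msg_type, "teid": teid, "seq": seq}
    for t, val in iter_ies(body):
        if t == IE_IMSI:
            out["imsi"] = decode_tbcd(val)
        elif t == IE_RAI:
            out["mcc"], out["mnc"] = decode_plmn(val[:3])
            out["lac"], out["rac"] = struct.unpack("!HB", val[3:6])
        elif t == IE_ULI and val[0] == 0:  # geographic location type 0 = CGI
            out["mcc"], out["mnc"] = decode_plmn(val[1:4])
            out["lac"], out["ci"] = struct.unpack("!HH", val[4:8])
    return out


def build_sample_request() -> bytes:
    """Constructed sample SGSN -> GGSN Create PDP Context Request (invented values)."""
    plmn = bytes([0x02, 0xF4, 0x80])  # MCC 204, MNC 08
    ies = b"".join([
        bytes([IE_IMSI, 0x02, 0x04, 0x18, 0x32, 0x54, 0x76, 0x98, 0xF0]),  # 204081234567890
        bytes([IE_RAI]) + plmn + struct.pack("!HB", 0x0BC6, 1),
        bytes([14, 0x01]),                                   # Recovery
        bytes([15, 0xFC]),                                   # Selection Mode
        bytes([16]) + struct.pack("!I", 1),                  # TEID Data I
        bytes([17]) + struct.pack("!I", 2),                  # TEID Control Plane
        bytes([20, 5]),                                      # NSAPI
        bytes([26]) + struct.pack("!H", 0x0800),             # Charging Characteristics
        bytes([0x83]) + struct.pack("!H", 9) + b"\x08internet",  # APN, label-encoded
        bytes([IE_ULI]) + struct.pack("!H", 8) + b"\x00" + plmn + struct.pack("!HH", 0x0BC6, 12345),
    ])
    opt = struct.pack("!HBB", 0x1234, 0, 0)  # sequence number, N-PDU, next ext header
    header = struct.pack("!BBHI", 0x32, CREATE_PDP_CONTEXT_REQUEST, len(opt) + len(ies), 0)
    return header + opt + ies


if __name__ == "__main__":
    print(parse_gtpv1c(build_sample_request()))
```

The parser deliberately refuses unknown fixed-length IE types instead of guessing, because a wrong guess desynchronises everything that follows; a production sniffer would carry the full TS 29.060 table. Note that this is control-plane data only: user payloads (the URLs, images and credentials mentioned above) travel in GTP-U and must be reassembled separately.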
The distribution of the vulnerable hosts appears to be global, Kho and Kuiters said, adding that they've notified the operators who own them about the issues. Running the scans and identifying the vulnerable hosts was not difficult and the tools used are freely available, so it is possible that other people have done it before and maybe even already exploited the issues, they added.