Penetration Testing mailing list archives

Re: GPRS vulnerabilities


From: Emmanuel Gadaix <emmanuel () relaygroup com>
Date: Mon, 04 Feb 2002 12:08:49 +0700

At 12:40 PM 1/30/2002, Viraf Hathiram wrote:
> We've talked about the air interface and the sim cards of GSM in an earlier
> discussion.  I'm just getting acquainted with GPRS and would like to know if
> there are documented cases of the GPRS backbone (GGSN, DNS, etc.) being
> attacked from a mobile node.

Interesting point indeed, as it is a likely way of attack on the operator's infrastructure. Air interface attacks are interesting from the theoretical point of view but in practice would probably not be implemented.

There are documented cases of GPRS security exposure seen from the MS, although such studies are generally kept confidential by the operators conducting them rather than publicly discussed. GSM operators are like banks: they usually do not want to discuss their vulnerabilities in a public forum.

We have recently conducted such a study for a startup GSM operator in Southeast Asia and the findings were quite interesting... The GPRS vendor of course claims to be highly secure. But this claim is no more substantiated than any other vendor's.

We were able to compromise the GGSN from an MS due to some misconfiguration in the way they had their firewall set up. In this case, GPRS infrastructure (GGSN, SGSN, DNS, authentication server, firewall, etc.) interconnects the GSM network, the Internet and the operator's Intranet.

The vulnerabilities we exposed were not GPRS-specific, but rather common IP vulnerabilities usually found during a pentest (DNS leaking info, firewall not restrictive enough on the MS side, poor Intranet security).

Due to common practices by GSM operators ("let's roll out this new thing quickly so we can have it before the competition") we expect that such configuration problems will be common. The GPRS user base is still small but all forecasts point to a huge growth this year and next.


Emmanuel Gadaix
Globe Relay Inc.
http://globerelay.com

