RE: GPRS security

["Ogle Ron (Rennes)" <OgleR () thmulti com>]

GPRS only protects the data over the air waves.  As soon as the wireless
head end converts it back to a physical link, you've got all of the same
threats on the Internet that everybody else has to worry about.  We tested
using IPsec over GPRS and sometimes it failed because of the time delay at
the wireless head-end.

In order for GPRS to be really effective in supporting mobile users, it has
to have enough bandwidth with low time delays to carry encrypted data over
the GPRS link (in essence a tunnel in a tunnel.)  This internal encrypted
tunnel will connect from the mobile user to the end server or gateway to the
internal network.  Also, when you run this internal tunnel, you don't have
to worry about the encryption strength of GPRS.

Ideally to save bandwidth, the wireless head end could provide a VPN between
its network (wireless) and the mobile user's gateway/ server.  However, I
don't believe that any GPRS vendors will support this.

My .02
Ron Ogle
Rennes, France

-----Original Message-----
From: OPITZ,PAUL (HP-France,ex2) [mailto:paul_opitz () hp com]
Sent: Tuesday, February 26, 2002 2:52 PM
To: pen-test () securityfocus com
Subject: GPRS security


Hi;

Does anybody knows well known threats and vulnerabilities in the GPRS world
and countermesures ?

It's to secure mobility people communications and protect telecom operator
services and application servers.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/