Vulnerabilities of Mobile Internet (Gprs)

VULNERABILITIES OF MOBILE INTERNET (GPRS)

Dmitry Kurbatov Sergey Puzankov Pavel Novikov

2014 Contents

1. Introduction 3 2. Summary 3 3. mobile network scheme 4 4. GTP protocol 5 5. Searching for mobile operator’s facilities on the Internet 7 6. Threats 10 6.1. IMSI brute force 10 6.2. the disclosure of subscriber’s data via IMSI 11 6.3. dISconnection of authorized subscribers from the Internet 12 6.4. blocking the connection to the Internet 13 6.5. Internet at the expense of others 14 6.6. data interception 15 6.7. dnS tunneling 16 6.8. Substitution of DNS for GGSN 17 7. conclusion and recommendations 18

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 2 1. Introduction

Modern mobile networks facilitate the most convenient access to the to this, a great number of security solutions were introduced to pro- Internet without the need for static infrastructures. People can access tect this services sector, such as antivirus software, firewalls, etc. By email, messengers, social networks and online stores whenever and contrast, the level of consciousness about security while using the wherever they need it. A range of businesses use mobile Internet for mobile Internet is relatively low. Most users assume that mobile net- remote administration, financial operations, e-commerce, M2M and work access is much safer because a big mobile-telecoms provider some other purposes. Government organizations provide more and will protect subscribers and has the benefit of the developments in more services via the web, and it results in a significant increase in security from the broadband Internet arena. Unfortunately, as prac- the volume of the world’s mobile data traffic. This traffic is expected tice shows, mobile Internet is a great opportunity for the attacker, to increase significantly in both 3G/3.5G and 4G through 2018, see and can be less secure than more traditional options. This report will table below. provide an analysis of these threats, as well as recommendations to Many users have approached the use of broadband Internet access ensure the safety of mobile Internet services. with caution, due to publicity around security breaches. In response

Exabytes per Month

16 3%

12 46% 10

4 51% 2/2.5G 9% 2 3/3.5G 60% 0 4G 30% 2013 2014 2015 2016 2017 2018

Source: Cisco VNI Mobile 2014

Fig. 1. The expected growth in mobile data traffic [1]

2. Summary

Positive Technologies has determined that there are serious security 2. Obtaining subscriber’s data via IMSI (including his/her location) issues in the networks that support mobile Internet devices. A large 3. Disconnection of subscribers from the Internet or blocking their number of devices belonging to 2G/3G networks of mobile network access to the Internet operators are available via open GTP ports as well as some other open 4. Connecting to the Internet with credentials of the legitimate communication protocols (FTP, Telnet, HTTP). An attacker can connect user and at the expense of others to the node of a mobile network operator by exploiting vulnerabilities 5. Listening to the traffic of the victim (for example, default passwords) in these interfaces. 6. Engage in a fishing attack Having acquired access to the network of any operator, an attacker can automatically gain access to the GRX network, which in Security measures required to protect against such attacks include turn allows him/her to perform various attacks on subscribers of any proper configuration of equipment, utilizing a firewall and regular se- operator: curity monitoring. More details on the recommended set of protec- 1. Searching for valid IMSI tive measures is provided in the final part of this review.

2 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 3 3. Mobile network scheme

Fig. 2. Provider’s mobile network

Mobile provider’s network consists of the Circuit Switched Core • Subscriber’s Mobile Station Network (CS core), the Packet Switched Core Network (PS core), • The Internet the base station network and its 2G controllers (BSC and BTS in the • The GRX network, i.e. via another mobile provider scheme), and the base station network and its 3G controllers (Node Thus if an attacker enters the network of any mobile provider in the B and RNC). The scheme shows that 3G network is based on 2G radio world, he/she will be able to affect other providers. access network; the rest of the operator’s network does not undergo Service GPRS Support Node (SGSN) and Gateway GPRS Support any significant changes in the evolution to the third generation. As Node (GGSN) are the basic elements for data transmission. The former clearly outlined in Figure 2.2, the operators’ networks have not under- one is used to provide subscribers with data transmission services and gone any significant changes in terms of security from 2G to 3G to 4G. it also interacts with other network elements; the latter is a gateway Below is the packet data transfer subsystem (PS core). between the internal operator’s network and the Internet. The scheme in Figure 3 illustrates the architecture of the system In addition to the Internet connection, there is a connection to used to transmit data in a 2G network. There are some differences in the GRX network — Global Roaming eXchange, which is based on the chain MS (mobile station) — SGSN within the 3G network (UMTS complicated relationships between individual operators (intercon- network). The scheme shows that an attacker can access the provid- nection of networks) used to provide Internet access to subscribers er’s network using: in roaming.

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 4 Fig. 3. A scheme for the packet data transmission within mobile networks (including information on protocols)

4. GTP protocol

GTP protocol is used to send the traffic within PS core and GRX. This is a other information) contains the login, password, and APN. tunneling protocol, which runs over UDP and utilizes port 2123 (for man- 2. After receiving the APN, SGSN tries to resolve it on the internal agement purposes, GTP-C), port 2152 (for transmitting user data, GTP-U), DNS server; the server resolves the received APN and provides the cor- and 3386 (for billing, GTP’). responding GGSN address. Message Type field in the GTP header is primarily used for manage- 3. The SGSN sends the Create PDP Context request to this address. ment purposes in GTP-C. Usually, in GTP-U Message Type = 0xFF (T-PDU). 4. The GGSN authenticates the submitted login and password, for ex- Tunnel Endpoint Identifier (TEID) is a tunnel identifier that is not associ- ample, on the RADIUS server. ated with an IP address, i.e., packages can be sent with the same TEID but 5. The GGSN obtains an IP address for the mobile phone and transmits from different IP addresses (in case if the subscriber moves and switches all data required for PDP context activation back to the SGSN. to another SGSN). 6. The SGSN accomplishes the activation procedure by sending back PDP Context Activation procedure is executed when the subscriber is to the phone all the data required for establishing a connection. connecting to the Internet. In fact, the PDP Context Activation procedure is the creation of a tun- In simplified form, the procedure is as follows: nel between a cell phone and a gateway (GGSN) on the operator’s mo- 1. The phone sends an Activate PDP Context request, which (amongst bile network.

4 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 5 Octets 8 7 6 5 4 3 2 1 1 Version PT (*) E S PN 2 Message Type 3 Length (1st Octet) 4 Length (2nd Octet) 5 Tunnel Endpoint Identifier (1st Octet) 6 Tunnel Endpoint Identifier (2nd Octet) 7 Tunnel Endpoint Identifier (3rd Octet) 8 Tunnel Endpoint Identifier (4th Octet) 9 Sequence Number (1st Octet)1) 4) 10 Sequence Number (2nd Octet)1) 4) 11 N-PDU Number2) 4) 12 Next Extension Header Type3) 4)

NOTE 0: (*) This bit is a spare bit. It shall be sent as '0'. The receiver shall not evaluate this bit. NOTE 1: 1) This field shall only be evaluated when indicated by the S flag set to 1. NOTE 2: 2) This field shall only be evaluated when indicated by the PN flag set to 1. NOTE 3: 3) This field shall only be evaluated when indicated by the E flag set to 1. NOTE 4: 4) This field shall be present if and only if any one or more of the S, PN and E flags are set.

Fig. 4. GTP header structure

PDP Context Activation

SGSN DNS GGSN RADIUS DHCP

1. Activate PDP 2a. DNS Request 4a. Radius Authenticate Context Request mncXXX.mscXXX.internet Request

2b. DNS Response GGSN IP 4b. Radius Authenticate Response

3. Create PDP Context Request 5a. DHCP Address Request

7. Activate PDP 6. Create PDP Context Response 5a. DHCP Address Assignment Context Accept

GTP U GTP C + GTP U

Fig. 5. The procedure for establishing a connection

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 6 5. Searching for mobile operator’s facilities on the Internet

We already know that GGSN must be deployed as an edge device. Us- find the required devices by their banners. ing Shodan.io search engine for Internet-connected devices, we can

Fig. 6. Search results in Shodan

Search result displays about 40 devices using this abbreviation in the world creates this opportunity for attack to many other mobile their banners. The screenshot provides a list of some devices that use networks. There are more ways of using the compromised boundary this abbreviation, including devices with open Telnet and turned off host, for example, DNS spoofing attack (more information about at- password authentication. An attacker can perform an intrusion into tacks is considered below). the network of the operator in the Central African Republic by con- GGSN and SGSN can also be found in other ways. GTP protocol necting to this device and implementing the required settings. described above can be used only within PS core and GRX networks Having access to the network of any operator, the attacker will and should not be accessible from the Internet. In practice, however, automatically get access to the GRX network and other operators of things are often quite different: There are more than 207,000 devices mobile services. One single mistake made by one single operator in with open GTP ports all over the global Internet.

Fig. 7. Countries with the largest number of hosts with open GTP ports (more than 1000)

6 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 7 Fig. 8. The distribution of hosts with open GTP ports around the world

What can be said about these 207,000 devices? 7,255 devices are tems did not turn off this feature for them. Alcatel-Lucent 7750 and not associated with GTP and send HTTP responses (see fig. 9) ZTE ZXUN xGW can often be found among such devices, and the lat- The remainder of the 200,000 addresses respond with correct GTP ter has open FTP and Telnet ports. messages. A more in-depth analysis shows that an individual device 548 devices responded to the request for establishing a connec- may not be a component of a mobile network: these are universal tion: four of them allow a user or attacker to create a tunnel while devices utilized for other purposes when administrators of certain sys- other respond with various errors.

Fig. 9. The response to GTP request received from equipment by Internet Rimon LTD

Fig. 10. Responses to attempts to establish a PDP connection

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 8 Let us look into the responses: 3. Missing or unknown APN and Service not supported responses imply that the current APN is not included into the list of 1. System failure and Mandatory IE incorrect responses imply authorized APNs (you can find proper APNs on the provider’s website that the fields of the GTP packet required for this node were not filled. in the Internet, WAP, or MMS settings). 2. No resources available response means that node’s DHCP pool 4. Accept response implies that the device provides an IP address or PDP pool has run out. and other connection attributes, i.e. a tunnel is created.

4% HTTP 81% FTP 25% SSH 82% Telnet 4% BGP 44% VPN (UDP:500)

Fig. 11. Number of hosts with various services

2013 82% Dictionary passwords 2011–2012 79%

2013 82% Management interfaces available 2011–2012 to any Internet user 58%

2013 82% Use of open data transfer 2011–2012 protocols 47%

2013 64% Vulnerabilities of system and application software 2011–2012 10% caused by lack of updates 2013 55% SQL Injection 2011–2012 63%

2013 55% Unrestricted File Upload 2011–2012 25%

2013 45% Storing important data 2011–2012 unencrypted 47%

2013 45% Path traversal 2011–2012 42%

2013 36% Dictionary SNMP Community String value (public) 2011–2012 21%

2013 36% DBMS access interfaces available to any Internet user 2011–2012 10%

Fig. 12. Top 10 vulnerabilities typical of a network perimeter

Therefore, an attacker coming from the Internet can detect the According to statistics provided by Positive Technologies, pen- proper GGSN, set up the GTP connection and then encapsulate GTP etration tests revealed that data transferring via open protocols (FTP, control packets into the created tunnel. If parameters were selected Telnet, HTTP) and availability of management interfaces from the In- properly, GGSN will take them as packets from legitimate devices ternet are the most frequent vulnerabilities to appear in the network within the operator’s network. perimeter of large companies’ information systems. Moreover, the Another benefit for attackers is that GTP is not the only protocol distribution of these vulnerabilities has doubled in 2013 compared to used on detected hosts. Telnet, FTP, SSH, Web, etc. are also used for 2011/2012, effectively creating a larger number and range of attacks management purposes. The figure below shows how many open for mobile Internet suppliers and users to consider. ports were detected for each protocol.

8 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 9 6. Threats

The following parameters are typical for the described attacks: the dium, the reproducibility (i.e. the reuse of the attack by other at- complexity of implementing (having regard to conditions) is me- tackers) is high.

6.1. IMSI brute force

Goal: To find a valid IMSI. the remaining 10 digits by sending a “Send Routing Information for Attack vector: An attacker conducts attacks from the GRX network GPRS Request” message via GRX. This message can be sent to any or the operator’s network. GSN device, which converts the request into an SS7 format (CS core Description: IMSI is the SIM card Number (International Mobile network component) and sends it to HLR where it is processed by Subscriber ID). It consists of 15 digits, the first three identify the Mo- SS7 network. If the subscriber with this IMSI uses the Internet, we can bile Country Code (MCC), the next two digits are the Mobile Network get the SGSN IP address serving the mentioned subscriber. Otherwise, Code (MNC). You can choose the required operator on the website response will be as follows: “Mobile station Not Reachable for GPRS”. www.mcc-mnc.com, enter the MCC and MNC and then brute force Result. Obtaining a list of valid IMSI for further attacks.

Fig. 13. The scheme of the attack

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 10 6.2. The disclosure of subscriber’s data via IMSI

Goal: To obtain a phone number, location data, information about SGSN IP address requesting the subscriber’s location; the GSN Control the model of a subscriber’s mobile device via IMSI. Plane is spoofed with the attacker’s IP address. The response contains Attack vector: An attacker conducts attacks from the GRX network MSISDN (Mobile Subscriber Integrated Services Digital Number), IMEI or the operator’s network. (International Mobile Equipment Identity, it helps to identify the mod- Description: An attacker can use this vulnerability after the suc- el of a subscriber’s phone) and the current subscriber’s mobile radio cess of the previous attack or if he/she gets a subscriber’s IMSI via a base tower (MCC, MNC, LAC, CI). Consequently, the attacker can find viral application for the subscriber’s smartphone. The attacker needs the subscriber’s location accurate to several hundred meters using to know the SGSN IP address, garnered from the previous attack. Af- the following website: https://xinit.ru/bs/ or http://opencellid.org/. ter that, the attacker sends an Update PDP Context Request to the Result: The required information about the subscriber is obtained.

Fig. 14. The scheme of the attack

10 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 11 6.3. Disconnection of authorized subscribers from the Internet

Goal: To disconnect the connected subscribers. responses on this event to the attacker. A valid SGSN used by the Attack vector: An attacker conducts attacks from the GRX network subscriber to set up the connection doesn’t have information about or the operator’s network. closing connections, so tunnels continue to occupy the hardware re- Description: The attack is based on sending the “PDP context de- sources. The subscriber’s Internet stops working, but the connection lete request” packets to the target GGSN with all the TEID listed. The is displayed as active. PDP Сontext information is deleted, which causes disconnection of Result: All subscribers connected to this GGSN will be discon- authorized subscribers. nected. The amount of subscribers served by one GGSN is 100,000— At the same time, GGSN unilaterally closes tunnels and sends the 10,000,000.

Fig. 15. The scheme of the attack

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 12 6.4. Blocking the connection to the Internet

Goal: To block the establishment of new connections to the to close one, GGSN sends an attacker “Delete PDP context request” Internet. with the number of the tunnel to be closed. If there is no response Attack vector: An attacker conducts attacks from the GRX network (actually, there isn’t any response because an attacker does not want or the operator’s network. this to happen), GGSN sends such requests over and over again. The Description: The attack is based on sending the “Create PDP con- resources remain occupied. text request” packets with IMSI list, thus the exhaustion of the avail- In case of successful implementation of this attack, authorized sub- able pool of PDP tunnels occurs. For example, the maximum number scribers will not be able to connect to the Internet and those who of PDP Context Cisco 7200 with 256 MB of memory is 80,000, with were connected will be disconnected as GGSN sends these tunnels 512 MB — 135,000: it is not difficult to brute force all possible combi- to the attacker’s address. nations. Moreover, more and more IP addresses from DHCP pool are This attack is an analogue of the DHCP starvation attack at the GTP issued and they may be exhausted. It does not matter what will be level. exhausted first — the DHCP pool or the PDP pool, — after all, GGSN Result: The subscribers of the attacked GGSN will not be able to will response with “No resource available” to all valid connection re- connect to the Internet. The amount of subscribers served by one quests. Moreover, GGSN cannot close tunnels, because when you try GGSN is 100,000—10,000,000.

Fig. 16. The scheme of the attack

12 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 13 6.5. Internet at the expense of others

Goal: The exhaustion of the subscriber’s account and use of the Unsuspecting subscriber will get a huge bill. connection for illegal purposes. It is possible to establish connection via the IMSI of a non-existent Attack vector: An attacker conducts attacks from the GRX network subscriber, as subscriber authorization is performed at the stage of or the operator’s network. connecting to SGSN and GGSN receives already verified connections. Description: The attack is based on sending the “Create PDP con- Since the SGSN is compromised, no verification is carried out. text request” packets with the IMSI of a subscriber known in advance. Result: An attacker can connect to the Internet with the creden- Thus, the subscriber’s credentials are used to establish connection. tials of a legitimate user.

Fig. 17. The scheme of the attack

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 14 6.6. Data interception

Goal: To listen to the traffic of the victim and conduct a fishing scriber’s device and the Internet by sending an “Update PDP Context attack. Request” message with spoofed GSN addresses to SGSN and GGSN. Attack vector: An attacker conducts attacks from the GRX network This attack is an analogue of the ARP Spoofing attack at the GTP level. or the operator’s network. Result: Listening to traffic or spoofing traffic from the victim and Description: An attacker can intercept data sent between the sub- disclosure of sensitive data.

Fig. 18. The scheme of the attack

14 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 15 6.7. DNS tunneling

Goal: To get non-paid access to the Internet from the subscriber’s important (for example, for checking email). mobile station. The point of this attack is that some operators do not rate DNS traf- Attack vector: The attacker is the subscriber of a mobile phone fic, usually in order to redirect the subscriber to the operator’s web- network and acts through a mobile phone. page for charging the balance. An attacker can use this vulnerability Description: This is a well-known attack vector, rooted in the days by sending special crafted requests to the DNS server; to get access of dial-up, but the implementation of low-price and fast dedicated one needs a specialized host on the Internet. Internet access made it less viable. However, this attack can be used Result: Getting non-paid access to the Internet at the expense of in mobile networks, for example, in roaming when prices for mobile mobile operator. Internet are unreasonably high and the data transfer speed is not that

Fig. 19. The scheme of the attack

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 16 6.8. Substitution of DNS for GGSN

Goal: To listen to the traffic of the victim, to conduct a fishing attacker’s address and all the subscriber’s traffic will be redirected attack. through the attacker’s host. Thus, listening to all the mobile traffic of Attack vector: An attacker acts through the Internet. the subscriber is possible. Description: If an attacker gets access to GGSN (which is quite Result: An ability to listen to traffic or spoof traffic from all subscrib- possible as we could see), the DNS address can be spoofed with the ers and then gather confidential data to engage it in fishing attacks.

Fig. 20. The scheme of the attack

16 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 17 7. Conclusion and recommendations

Modern mobile networks feature serious vulnerabilities, which allow Also, as of later 2014, the majority of operators in the world do not attackers to perform various attacks against both certain mobile Inter- provide opportunities for voice transmission over 4G networks: during net users and the entire infrastructure (for example, for the purpose of a call mobile phone switches forcedly to 3G network or even to 2G and industrial espionage or elimination of competitors on the market) us- after a call it switches back, if it is possible. The possibility of such “invis- ing inexpensive equipment. In addition, the deterioration of interna- ible” switches is widely used for mobile surveillance. tional relationships and security has historically triggered cell phone The key difference between 4G and other networks — voice trans- tapping followed by the scandalous publication of negotiations be- mission over IP, may be a vulnerability itself: therefore, not only data tween politicians or military officials. but also phone calls may be affected. Therefore, we should expect even Some of the attacks cannot be performed if the mobile equipment is more surprises from 4G networks. As for the currently used networks configured properly, but the results our research suggest that miscon- (2G and 3G), Positive Technologies experts recommend to implement figuration is a common problem in the telecommunications sphere by the following security measures on the side of communication provid- those attempting to save money on security. Vendors often leave some ers (fig. 21): services enabled while these services should be disabled on this equip- 1. Use firewalls at the GRX network edge for blocking services that are ment, which gives additional opportunities to attackers. not associated with providing an Internet access to subscribers in Many people rely on new communication standards that include roaming (only required services are permitted: GTP, DNS, etc.). new safety technologies. However, despite the development of such 2. Use firewalls at the Internet edge for blocking services that should standards (3G, 4G) we cannot completely abandon the use of old gen- not be accessible from the Internet. eration networks (2G). The reason is the specifics of the implementation 3. Use 3GPP TS 33.210 recommendations to configure the security of mobile networks and the fact that the 2G base stations have better settings within the PS Core network. The network must be secured, coverage as well as the fact that 3G networks use their infrastructure. in particular, by using IPsec to send the GTP-C traffic within PS core.

Fig. 21. The recommended set of security measures

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 18 4. Carry out a regular security monitoring of the perimeter (Advanced obtained during the scanning is checked against the vulnerabilities Border Control service). This set of measures will monitor the Cus- and exploits database. Thus, the operator is able to control the pe- tomer’s network protection against external threats. The monitor- rimeter from the point of the attacker, predict possible attacks and ing implies regular scanning of all operator’s networks and hosts prevent them. available from the Internet. Scanning reveals available network ser- 5. Develop security compliances of equipment and perform regular vices, their versions, and types of operational systems. Information compliance management tasks (see example in fig.22).

Fig. 22. MaxPatrol Compliance Management

Sources

1. Cisco Global Mobile Data Traffic Forecast Update, 2013–2018. Cisco 5. 4G ‘inherently less secure’ than 3G The Telegraph, 2014 VNI Mobile, 2014 http://www.telegraph.co.uk/technology/internet-security/10951812/ http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ 4G-inherently-less-secure-than-3G.html visual-networking-index-vni/white_paper_c11-520862.pdf 6. Mobile Internet security from inside and outside Positive Technolo- 2. Vulnerability Statistics for Corporate Information Systems (2013), gies, 2013 Positive Technologies, 2014. http://habrahabr.ru/company/pt/blog/188574/ http://www.ptsecurity.ru/download/PT_Corporate_vulnerability_ 2014_rus.pdf 7. GRX and a Spy Agency http://www.slideshare.net/StephenKho/on-her-majestys-secret- 3. Vulnerabilities of mobile networks based on SS7 protocols. Positive service-grx-and-a-spy-agency Technologies, 2014 http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf 8. 3GPP TS 29.060 http://www.3gpp.org/DynaReport/29060.htm 4. Cell phones and total NSA surveillance: How does it work? Positive Technologies, 2014 http://habrahabr.ru/company/pt/blog/245113/

18 VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 19 List of abbreviations

APN - Access Point Name; a symbolic name of an access point IMEI - International Mobile Equipment Identity through which the user can get access to the requested type of the service (WAP, Internet, MMS) IMSI - International Mobile Subscriber Identity

BSC - Base Station Controller LAC - Local Area Code

BTS - Base Transceiver Station; a piece of equipment (repeaters, MCC - Mobile Country Code; a code of country, in which the Base transceivers) that facilitates wireless communication between user Station is located equipment and a network. MMS - Multimedia Message System; a system for multimedia mes- CI - Cell ID saging (images, audio and video files) within the mobile network

CS - Circuit Switched; data transmission with channel switching MNC - Mobile Network Code

DHCP - Dynamic Host Configuration Protocol MS - Mobile Station

DNS - Domain Name System MSISDN - Mobile Subscriber Integrated Services Digital Number

FTP - File Transfer Protocol PS - Packet Switched; data transmission with packet switching

GGSN - Gateway GPRS Support Node; the node affiliated to PS Core SGSN - Service GPRS Support Node; the main component of the GPRS Network, it enables the routing of data between GPRS Core network system for implementation of all packet data processing functions and external IP networks SS7 - Signaling System 7; a common channel signaling system used GPRS - General Packet Radio Service in the international and local telephone networks around the world

GRX - Global Roaming eXchange; network that provides packet SSH - Secure Shell data services to the roaming TEID - Tunnel Endpoint IDentifier GTP - GPRS Tunneling Protocol; a protocol describing and perform- ing the transmission of data between GSN nodes within the packet UDP - User Datagram Protocol network UMTS - Universal Mobile Telecommunications System; a mobile HLR - Home Location Register; a database storing all information technology developed by the European Telecommunications Stan- about the subscriber dards Institute (ETSI) in order to implement a 3G service in Europe.

HTTP - HyperText Transfer Protocol WAP - Wireless Application Protocol

VULNERABILITIES OF MOBILE INTERNET (GPRS), 2014 20