The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal.
The scans were performed over a period of several months by Stephen Kho and Rob Kuiters, a penetration tester and an incident response handler from KPN, the largest telecommunications provider in the Netherlands.
The two security experts were inspired to test how vulnerable the GRX network is, after news reports last year claimed that British intelligence agency GHCQ targeted network engineers from Belgacom, a large Belgian telecom provider, to access the company’s GRX routers and intercept mobile roaming traffic.
BICS, a subsidiary of Belgacom, is one of the approximately 25 GRX providers worldwide that act as hubs for connecting mobile operators to their roaming partners worldwide. The roaming traffic of mobile subscribers in different countries almost certainly passes through the GRX infrastructure of one of these providers.
Kho and Kuiters’ scanning efforts were aimed at determining how large the global GRX network is and how easy it is to get into it remotely without targeting network engineers. They also wanted to understand what kind of information an attacker can potentially obtain by sniffing the traffic inside.
The team presented their findings Friday at the Hack in the Box security conference in Amsterdam.
Their scans identified approximately 42,000 live GRX hosts, 5,500 of which were accessible from the Internet, even though GRX was created with the intention of being a private network that serves only trusted mobile operators.
A closer analysis of the Internet-facing hosts revealed that in addition to services like GTP (GPRS Tunneling Protocol) and DNS (Domain Name System), many of them were also exposing a lot of other unexpected services including SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), Telnet, SMB (Server Message Block) and SNMP (Simple Network Management Protocol).
In many cases those services had been implemented using outdated software with known critical remote code execution vulnerabilities like old versions of BIND, Exim, Sendmail, OpenBSD ftpd, ProFTPD, VxWorks ftpd, Apache, Microsoft IIS, Oracle HTTP Server, Samba and others.
It looks like some operators brought their office equipment onto the GRX network, which should normally be used only to carry roaming traffic, the two security researchers said.
A relatively simple hack
Compromising those hosts that run vulnerable services to gain access to the GRX network doesn’t even require that attackers buy zero-day exploits—exploits for previously unknown vulnerabilities. They can use freely available tools like Metasploit, the researchers said.
Once a host is compromised, attackers can then pivot into the GRX network and gain access to the GTP traffic passing through it. Someone sniffing this user traffic can extract session identifiers, credentials, browsed images, URLs, files, but also information that can be used to track users and identify their mobile device.
The location information that is being sent as part of each user’s GTP traffic includes the mobile country code, the mobile network code, cell identifiers, the International Mobile Subscriber Identity (IMSI) code and location area codes. The two security experts showed that by putting all of this data into a freely available online service, they can track a user’s location on a map.
The distribution of the vulnerable hosts appears to be global, Kho and Kuiters said, adding that they’ve notified the operators who own them about the issues. Running the scans and identifying the vulnerable hosts was not difficult and the tools used are freely available, so it is possible that other people have done it before and maybe even already exploited the issues, they added.