GTP penetration test

The GTP protocol is used to transport subscribers’ mobile data traffic between network nodes (SGSNs and GGSNs, or SGWs and PGWs), both when subscribers are at home and while they are roaming. The architecture is very similar to that of SS7 and Diameter, in the sense that a private but shared network is used to transport packets between home and visited networks: the GRX / IPX. The same suppliers that provide SS7 and Diameter connectivity are generally also involved in providing GRX / IPX connectivity to operators.

Just as with SS7 and Diameter, nodes are exposed to other peers on the GRX / IPX network for roaming purposes, but they may be reachable, and may execute commands, even when subscribers are consuming data services at home.
Most operators do not apply firewalling on the GRX / IPX interfaces of their nodes, so the nodes are reachable even by entities that are not roaming partners. Thousands of entities worldwide, including MVNOs and service providers, have access to the GRX and/or IPX networks.

After first conducting discovery and exposure / vulnerability assessments on the various GTP-capable nodes in the operator’s network, the GTP vulnerability assessment consists of isolating a small number of test subscribers and sending various unexpected GTP signaling packets to alter or influence service for these subscriptions, similarly to what is done in an SS7 or Diameter penetration test. The large number of possible messages, parameters and target nodes typically results in at least some type of vulnerability being discovered on most networks, even after they have passed previous security audits successfully!
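The two points above (unfirewalled GRX / IPX interfaces reachable by non-partners, and session-management signaling that can alter a subscriber's service) suggest the check a defender would want on the GRX-facing side: parse the GTP-C header and flag session-management requests that arrive from addresses outside the roaming-partner allow-list. The example below is added here and is not code from the original page or from any vendor; the partner address range and the sample packet headers are constructed.

```python
from ipaddress import ip_address, ip_network

GTP_C_PORT = 2123  # GTP-C uses UDP 2123; GTP-U (user plane) uses UDP 2152

# Session-management requests that create, change or tear down a data session,
# keyed by GTP version and message type.
SESSION_MGMT = {
    1: {16: "Create PDP Context Request", 18: "Update PDP Context Request",
        20: "Delete PDP Context Request"},
    2: {32: "Create Session Request", 34: "Modify Bearer Request",
        36: "Delete Session Request"},
}

def parse_gtpc(data):
    """Return (version, msg_type, teid) from a GTPv1-C or GTPv2-C header.
    teid is None for GTPv2 messages sent without a TEID (T flag clear)."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    version, msg_type = data[0] >> 5, data[1]
    if version == 1:
        # GTPv1 flags: version(3) PT(1) spare(1) E(1) S(1) PN(1); TEID in octets 4-7
        teid = int.from_bytes(data[4:8], "big")
    elif version == 2:
        # GTPv2 flags: version(3) P(1) T(1) spare(3); TEID present only when T=1
        teid = int.from_bytes(data[4:8], "big") if data[0] & 0x08 else None
    else:
        raise ValueError("unsupported GTP version %d" % version)
    return version, msg_type, teid

def check_peer(src_ip, data, partners):
    """Alert string if a session-management request arrives from outside the
    roaming-partner allow-list, else None. Echo/path messages are not policed."""
    version, msg_type, teid = parse_gtpc(data)
    name = SESSION_MGMT.get(version, {}).get(msg_type)
    if name is None or any(ip_address(src_ip) in ip_network(p) for p in partners):
        return None
    return "GTPv%d %s from non-partner %s (TEID=%s)" % (version, name, src_ip, teid)

# Constructed sample headers (no information elements attached):
V1_CREATE_PDP = bytes([0x32, 16, 0, 4, 0, 0, 0, 0, 0, 1, 0, 0])    # GTPv1, S flag set
V2_CREATE_SESSION = bytes([0x48, 32, 0, 8, 0, 0, 0, 0, 0, 0, 1, 0])  # GTPv2, T flag set
V1_ECHO = bytes([0x32, 1, 0, 4, 0, 0, 0, 0, 0, 1, 0, 0])             # GTPv1 Echo Request
PARTNERS = ["192.0.2.0/24"]  # constructed roaming-partner range

if __name__ == "__main__":
    for pkt in (V1_CREATE_PDP, V2_CREATE_SESSION, V1_ECHO):
        print(check_peer("198.51.100.7", pkt, PARTNERS))
```

In practice the allow-list would be fed from the operator's roaming agreements, and the same check applied on the GTP-C listener itself is the firewalling the text notes most operators lack.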