Global mobile roaming hub accessible from the Internet and vulnerable, researchers find

Two security researchers from KPN found vulnerable hosts in the GPRS Roaming Exchange that can be attacked from the Internet

The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal.

The scans were performed over a period of several months by Stephen Kho and Rob Kuiters, a penetration tester and an incident response handler from KPN, the largest telecommunications provider in the Netherlands.

The two security experts were inspired to test how vulnerable the GRX network is, after news reports last year claimed that British intelligence agency GHCQ targeted network engineers from Belgacom, a large Belgian telecom provider, to access the company's GRX routers and intercept mobile roaming traffic.

BICS, a subsidiary of Belgacom, is one of the approximately 25 GRX providers worldwide that act as hubs for connecting mobile operators to their roaming partners worldwide. The roaming traffic of mobile subscribers in different countries almost certainly passes through the GRX infrastructure of one of these providers.

Kho and Kuiters' scanning efforts were aimed at determining how large the global GRX network is and how easy it is to get into it remotely without targeting network engineers. They also wanted to understand what kind of information an attacker can potentially obtain by sniffing the traffic inside.

The team presented their findings Friday at the Hack in the Box security conference in Amsterdam.

Their scans identified approximately 42,000 live GRX hosts, 5,500 of which were accessible from the Internet, even though GRX was created with the intention of being a private network that serves only trusted mobile operators.

A closer analysis of the Internet-facing hosts revealed that in addition to services like GTP (GPRS Tunneling Protocol) and DNS (Domain Name System), many of them were also exposing a lot of other unexpected services including SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), Telnet, SMB (Server Message Block) and SNMP (Simple Network Management Protocol).

In many cases those services had been implemented using outdated software with known critical remote code execution vulnerabilities like old versions of BIND, Exim, Sendmail, OpenBSD ftpd, ProFTPD, VxWorks ftpd, Apache, Microsoft IIS, Oracle HTTP Server, Samba and others.

It looks like some operators brought their office equipment onto the GRX network, which should normally be used only to carry roaming traffic, the two security researchers said.

Compromising those hosts that run vulnerable services to gain access to the GRX network doesn't even require that attackers buy zero-day exploits -- exploits for previously unknown vulnerabilities. They can use freely available tools like Metasploit, the researchers said.

Once a host is compromised, attackers can then pivot into the GRX network and gain access to the GTP traffic passing through it. Someone sniffing this user traffic can extract session identifiers, credentials, browsed images, URLs, files, but also information that can be used to track users and identify their mobile device.

The location information that is being sent as part of each user's GTP traffic includes the mobile country code, the mobile network code, cell identifiers, the International Mobile Subscriber Identity (IMSI) code and location area codes. The two security experts showed that by putting all of this data into a freely available online service, they can track a user's location on a map.

The distribution of the vulnerable hosts appears to be global, Kho and Kuiters said, adding that they've notified the operators who own them about the issues. Running the scans and identifying the vulnerable hosts was not difficult and the tools used are freely available, so it is possible that other people have done it before and maybe even already exploited the issues, they added.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags telecommunicationGovernment Communications HeadquartersBICSBelgacommobile securityKPNExploits / vulnerabilitiesprivacyintrusion3gCarrierssecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Gadgets & Things

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >


Learn more >

Family Friendly

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on Good Gear Guide

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?