VULNERABILITIES OF MOBILE INTERNET (GPRS) Dmitry Kurbatov Sergey Puzankov Pavel Novikov 2014


Contents

1. Introduction
2. Summary
3. Mobile network scheme
4. GTP protocol
5. Searching for mobile operator’s facilities on the Internet
6. Threats
6.1. IMSI brute force
6.2. The disclosure of subscriber’s data via IMSI
6.3. Disconnection of authorized subscribers from the Internet
6.4. Blocking the connection to the Internet
6.5. Internet at the expense of others
6.6. Data interception
6.7. DNS tunneling
6.8. Substitution of DNS for GGSN
7. Conclusion and recommendations


1. Introduction

Modern mobile networks facilitate the most convenient access to the Internet without the need for static infrastructures. People can access email, messengers, social networks and online stores whenever and wherever they need it. A range of businesses use mobile Internet for remote administration, financial operations, e-commerce, M2M and some other purposes. Government organizations provide more and more services via the web, and it results in a significant increase in the volume of the world’s mobile data traffic. This traffic is expected to increase significantly in both 3G/3.5G and 4G through 2018, see table below.

Many users have approached the use of broadband Internet access with caution, due to publicity around security breaches. In response to this, a great number of security solutions were introduced to protect this services sector, such as antivirus software, firewalls, etc. By contrast, the level of consciousness about security while using the mobile Internet is relatively low. Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers and has the benefit of the developments in security from the broadband Internet arena. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker, and can be less secure than more traditional options. This report will provide an analysis of these threats, as well as recommendations to ensure the safety of mobile Internet services.

2. Summary

Positive Technologies has determined that there are serious security issues in the networks that support mobile Internet devices. A large number of devices belonging to 2G/3G networks of mobile network operators are available via open GTP ports as well as some other open communication protocols (FTP, Telnet, HTTP). An attacker can connect to the node of a mobile network operator by exploiting vulnerabilities (for example, default passwords) in these interfaces.

Having acquired access to the network of any operator, an attacker can automatically gain access to the GRX network, which in turn allows him/her to perform various attacks on subscribers of any operator:

1. Searching for valid IMSI
2. Obtaining subscriber’s data via IMSI (including his/her location)
3. Disconnection of subscribers from the Internet or blocking their access to the Internet
4. Connecting to the Internet with credentials of the legitimate user and at the expense of others
5. Listening to the traffic of the victim
6. Engaging in a phishing attack

Security measures required to protect against such attacks include proper configuration of equipment, utilizing a firewall and regular security monitoring. More details on the recommended set of protective measures are provided in the final part of this review.

Fig. 1. The expected growth in mobile data traffic [1] (figure not reproduced: exabytes per month, 2013–2018, broken down into 2/2.5G, 3/3.5G and 4G; source: Cisco VNI Mobile 2014)

3. Mobile network scheme

Mobile provider’s network consists of the Circuit Switched Core Network (CS core), the Packet Switched Core Network (PS core), the base station network and its 2G controllers (BSC and BTS in the scheme), and the base station network and its 3G controllers (Node B and RNC). The scheme shows that 3G network is based on 2G radio access network; the rest of the operator’s network does not undergo any significant changes in the evolution to the third generation. As clearly outlined in Figure 2.2, the operators’ networks have not undergone any significant changes in terms of security from 2G to 3G to 4G.

Fig. 2. Provider’s mobile network

Below is the packet data transfer subsystem (PS core).

Fig. 3. A scheme for the packet data transmission within mobile networks (including information on protocols)

The scheme in Figure 3 illustrates the architecture of the system used to transmit data in a 2G network. There are some differences in the chain MS (mobile station) — SGSN within the 3G network (UMTS network). The scheme shows that an attacker can access the provider’s network using:

• Subscriber’s Mobile Station
• The Internet
• The GRX network, i.e. via another mobile provider

Thus if an attacker enters the network of any mobile provider in the world, he/she will be able to affect other providers.

Service GPRS Support Node (SGSN) and Gateway GPRS Support Node (GGSN) are the basic elements for data transmission. The former one is used to provide subscribers with data transmission services and it also interacts with other network elements; the latter is a gateway between the internal operator’s network and the Internet.

In addition to the Internet connection, there is a connection to the GRX network — Global Roaming eXchange, which is based on complicated relationships between individual operators (interconnection of networks) used to provide Internet access to subscribers in roaming.

4. GTP protocol

GTP protocol is used to send the traffic within PS core and GRX. This is a tunneling protocol, which runs over UDP and utilizes port 2123 (for management purposes, GTP-C), port 2152 (for transmitting user data, GTP-U), and 3386 (for billing, GTP’).

Message Type field in the GTP header is primarily used for management purposes in GTP-C. Usually, in GTP-U Message Type = 0xFF (T-PDU).

Tunnel Endpoint Identifier (TEID) is a tunnel identifier that is not associated with an IP address, i.e., packets can be sent with the same TEID but from different IP addresses (in case the subscriber moves and switches to another SGSN).

PDP Context Activation procedure is executed when the subscriber is connecting to the Internet.

In simplified form, the procedure is as follows:

1. The phone sends an Activate PDP Context request, which (amongst other information) contains the login, password, and APN.
2. After receiving the APN, SGSN tries to resolve it on the internal DNS server; the server resolves the received APN and provides the corresponding GGSN address.
3. The SGSN sends the Create PDP Context request to this address.
4. The GGSN authenticates the submitted login and password, for example, on the RADIUS server.
5. The GGSN obtains an IP address for the mobile phone and transmits all data required for PDP context activation back to the SGSN.
6. The SGSN accomplishes the activation procedure by sending back to the phone all the data required for establishing a connection.

In fact, the PDP Context Activation procedure is the creation of a tunnel between a cell phone and a gateway (GGSN) on the operator’s mobile network.

Fig. 4. GTP header structure

Octet   Contents
1       Version (bits 8-6) | PT (bit 5) | (*) (bit 4) | E (bit 3) | S (bit 2) | PN (bit 1)
2       Message Type
3       Length (1st Octet)
4       Length (2nd Octet)
5       Tunnel Endpoint Identifier (1st Octet)
6       Tunnel Endpoint Identifier (2nd Octet)
7       Tunnel Endpoint Identifier (3rd Octet)
8       Tunnel Endpoint Identifier (4th Octet)
9       Sequence Number (1st Octet) 1) 4)
10      Sequence Number (2nd Octet) 1) 4)
11      N-PDU Number 2) 4)
12      Next Extension Header Type 3) 4)

NOTE 0: (*) This bit is a spare bit. It shall be sent as '0'. The receiver shall not evaluate this bit.
NOTE 1: 1) This field shall only be evaluated when indicated by the S flag set to 1.
NOTE 2: 2) This field shall only be evaluated when indicated by the PN flag set to 1.
NOTE 3: 3) This field shall only be evaluated when indicated by the E flag set to 1.
NOTE 4: 4) This field shall be present if and only if any one or more of the S, PN and E flags are set.

Fig. 5. The procedure for establishing a connection

Nodes shown in the figure: SGSN, DNS, GGSN, RADIUS, DHCP. Messages of the PDP Context Activation, as numbered in the figure:

1. Activate PDP Context Request
2a. DNS Request mncXXX.mscXXX.internet
2b. DNS Response GGSN IP
3. Create PDP Context Request
4a. Radius Authenticate Request
4b. Radius Authenticate Response
5a. DHCP Address Request
5a. DHCP Address Assignment
6. Create PDP Context Response
7. Activate PDP Context Accept

Tunnel labels in the figure: GTP U; GTP C + GTP U.
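The header layout in Fig. 4, as an added example that is not part of the original report: a Python parser for the GTPv1 header that applies NOTES 1 to 4 to the optional octets and checks whether a message type fits the UDP port it arrived on. The message-type table is a partial list from 3GPP TS 29.060, the user-plane set follows 3GPP TS 29.281, and the function names and sample datagrams are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# UDP ports named in the text above.
GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}

# A few GTPv1 message types (3GPP TS 29.060); not a complete list.
MESSAGE_TYPES = {
    1: "Echo Request", 2: "Echo Response",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
    255: "G-PDU",
}
# Types that may appear on the user-plane port (3GPP TS 29.281): echo,
# error indication, supported extension headers notification, end marker, G-PDU.
USER_PLANE_TYPES = {1, 2, 26, 31, 254, 255}


@dataclass
class GtpHeader:
    version: int
    message_type: int
    length: int                 # octets following the 8 mandatory ones
    teid: int
    sequence: Optional[int]     # evaluated only when S = 1
    npdu: Optional[int]         # evaluated only when PN = 1
    next_ext: Optional[int]     # evaluated only when E = 1
    header_len: int             # 8, or 12 when any of E/S/PN is set

    @property
    def message_name(self) -> str:
        return MESSAGE_TYPES.get(self.message_type, f"type {self.message_type}")


def parse_gtp_header(data: bytes) -> GtpHeader:
    """Parse a GTPv1 header laid out as in Fig. 4; raise ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("shorter than the 8 mandatory header octets")
    flags, mtype, length, teid = struct.unpack_from("!BBHI", data, 0)
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version field = {version})")
    if not (flags >> 4) & 1:
        raise ValueError("PT = 0 (GTP') is not handled by this example")
    e, s, pn = bool(flags & 0x04), bool(flags & 0x02), bool(flags & 0x01)
    if len(data) - 8 < length:
        raise ValueError("Length field exceeds the captured data")
    sequence = npdu = next_ext = None
    header_len = 8
    if e or s or pn:
        # Octets 9-12 are present as a group if any flag is set (NOTE 4),
        # but each field is evaluated only when its own flag is 1 (NOTES 1-3).
        if length < 4:
            raise ValueError("flags announce optional fields but Length < 4")
        raw_seq, raw_npdu, raw_ext = struct.unpack_from("!HBB", data, 8)
        sequence = raw_seq if s else None
        npdu = raw_npdu if pn else None
        next_ext = raw_ext if e else None
        header_len = 12
    return GtpHeader(version, mtype, length, teid,
                     sequence, npdu, next_ext, header_len)


def plane_mismatch(udp_port: int, hdr: GtpHeader) -> bool:
    """True when the message type does not belong on the port it arrived on."""
    plane = GTP_PORTS.get(udp_port)
    if plane == "GTP-U":
        return hdr.message_type not in USER_PLANE_TYPES
    if plane == "GTP-C":
        return hdr.message_type == 255   # user data on the control port
    return False


# Constructed sample datagrams (not captured traffic).
ECHO_REQUEST = bytes.fromhex("32010004" "00000000" "00010000")
G_PDU = bytes.fromhex("30ff0004" "11223344") + b"\x45\x00\x00\x14"

if __name__ == "__main__":
    for port, raw in ((2123, ECHO_REQUEST), (2152, G_PDU), (2123, G_PDU)):
        h = parse_gtp_header(raw)
        print(port, h.message_name, hex(h.teid), h.sequence, plane_mismatch(port, h))
```
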

5. Searching for mobile operator’s facilities on the Internet

We already know that GGSN must be deployed as an edge device. Using Shodan.io search engine for Internet-connected devices, we can find the required devices by their banners.

Fig. 6. Search results in Shodan

Search result displays about 40 devices using this abbreviation in their banners. The screenshot provides a list of some devices that use this abbreviation, including devices with open Telnet and turned off password authentication. An attacker can perform an intrusion into the network of the operator in the Central African Republic by connecting to this device and implementing the required settings.

Having access to the network of any operator, the attacker will automatically get access to the GRX network and other operators of mobile services. One single mistake made by one single operator in the world creates this opportunity for attack to many other mobile networks. There are more ways of using the compromised boundary host, for example, DNS spoofing attack (more information about attacks is considered below).

GGSN and SGSN can also be found in other ways. GTP protocol described above can be used only within PS core and GRX networks and should not be accessible from the Internet. In practice, however, things are often quite different: there are more than 207,000 devices with open GTP ports all over the global Internet.

Fig. 7. Countries with the largest number of hosts with open GTP ports (more than 1000)

Fig. 8. The distribution of hosts with open GTP ports around the world

Fig. 9. The response to GTP request received from equipment by Internet Rimon LTD

Fig. 10. Responses to attempts to establish a PDP connection

What can be said about these 207,000 devices? 7,255 devices are not associated with GTP and send HTTP responses (see fig. 9).

The remainder of the 200,000 addresses respond with correct GTP messages. A more in-depth analysis shows that an individual device may not be a component of a mobile network: these are universal devices utilized for other purposes when administrators of certain systems did not turn off this feature for them. Alcatel-Lucent 7750 and ZTE ZXUN xGW can often be found among such devices, and the latter has open FTP and Telnet ports.

548 devices responded to the request for establishing a connection: four of them allow a user or attacker to create a tunnel while others respond with various errors.

Let us look into the responses:

1. “System failure” and “Mandatory IE incorrect” responses imply that the fields of the GTP packet required for this node were not filled.
2. “No resources available” response means that node’s DHCP pool or PDP pool has run out.
3. “Missing or unknown APN” and “Service not supported” responses imply that the current APN is not included into the list of authorized APNs (you can find proper APNs on the provider’s website in the Internet, WAP, or MMS settings).
4. “Accept” response implies that the device provides an IP address and other connection attributes, i.e. a tunnel is created.

Therefore, an attacker coming from the Internet can detect the proper GGSN, set up the GTP connection and then encapsulate GTP control packets into the created tunnel. If parameters were selected properly, GGSN will take them as packets from legitimate devices within the operator’s network.

Another benefit for attackers is that GTP is not the only protocol used on detected hosts. Telnet, FTP, SSH, Web, etc. are also used for management purposes. The figure below shows how many open ports were detected for each protocol.

Fig. 11. Number of hosts with various services (figure not reproduced; values shown: HTTP 4%, FTP 81%, SSH 25%, Telnet 82%, BGP 4%, VPN (UDP:500) 44%)

According to statistics provided by Positive Technologies, penetration tests revealed that data transferring via open protocols (FTP, Telnet, HTTP) and availability of management interfaces from the Internet are the most frequent vulnerabilities to appear in the network perimeter of large companies’ information systems. Moreover, the distribution of these vulnerabilities has doubled in 2013 compared to 2011/2012, effectively creating a larger number and range of attacks for mobile Internet suppliers and users to consider.

Fig. 12. Top 10 vulnerabilities typical of a network perimeter (figure not reproduced; it compares 2013 with 2011–2012 for: dictionary passwords; management interfaces available to any Internet user; use of open data transfer protocols; vulnerabilities of system and application software caused by lack of updates; SQL Injection; Unrestricted File Upload; storing important data unencrypted; Path traversal; dictionary SNMP Community String value (public); DBMS access interfaces available to any Internet user)

6. Threats

The following parameters are typical for the described attacks: the complexity of implementing (having regard to conditions) is medium, the reproducibility (i.e. the reuse of the attack by other attackers) is high.

6.1. IMSI brute force

Goal: To find a valid IMSI.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: IMSI is the SIM card Number (International Mobile Subscriber ID). It consists of 15 digits, the first three identify the Mobile Country Code (MCC), the next two digits are the Mobile Network Code (MNC). You can choose the required operator on the website www.mcc-mnc.com, enter the MCC and MNC and then brute force the remaining 10 digits by sending a “Send Routing Information for GPRS Request” message via GRX. This message can be sent to any GSN device, which converts the request into an SS7 format (CS core network component) and sends it to HLR where it is processed by SS7 network. If the subscriber with this IMSI uses the Internet, we can get the SGSN IP address serving the mentioned subscriber. Otherwise, response will be as follows: “Mobile station Not Reachable for GPRS”.

Result: Obtaining a list of valid IMSI for further attacks.

Fig. 13. The scheme of the attack

6.2. The disclosure of subscriber’s data via IMSI

Goal: To obtain a phone number, location data, information about the model of a subscriber’s mobile device via IMSI.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: An attacker can use this vulnerability after the success of the previous attack or if he/she gets a subscriber’s IMSI via a viral application for the subscriber’s smartphone. The attacker needs to know the SGSN IP address, garnered from the previous attack. After that, the attacker sends an Update PDP Context Request to the SGSN IP address requesting the subscriber’s location; the GSN Control Plane is spoofed with the attacker’s IP address. The response contains MSISDN (Mobile Subscriber Integrated Services Digital Number), IMEI (International Mobile Equipment Identity, it helps to identify the model of a subscriber’s phone) and the current subscriber’s mobile radio base tower (MCC, MNC, LAC, CI). Consequently, the attacker can find the subscriber’s location accurate to several hundred meters using the following website: https://xinit.ru/bs/ or http://opencellid.org/.

Result: The required information about the subscriber is obtained.

Fig. 14. The scheme of the attack

6.3. Disconnection of authorized subscribers from the Internet

Goal: To disconnect the connected subscribers.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: The attack is based on sending the “PDP context delete request” packets to the target GGSN with all the TEID listed. The PDP Context information is deleted, which causes disconnection of authorized subscribers.

At the same time, GGSN unilaterally closes tunnels and sends the responses on this event to the attacker. A valid SGSN used by the subscriber to set up the connection doesn’t have information about closing connections, so tunnels continue to occupy the hardware resources. The subscriber’s Internet stops working, but the connection is displayed as active.

Result: All subscribers connected to this GGSN will be disconnected. The amount of subscribers served by one GGSN is 100,000–10,000,000.

Fig. 15. The scheme of the attack

6.4. Blocking the connection to the Internet

Goal: To block the establishment of new connections to the Internet.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: The attack is based on sending the “Create PDP context request” packets with IMSI list, thus the exhaustion of the available pool of PDP tunnels occurs. For example, the maximum number of PDP Context Cisco 7200 with 256 MB of memory is 80,000, with 512 MB it is 135,000: it is not difficult to brute force all possible combinations. Moreover, more and more IP addresses from DHCP pool are issued and they may be exhausted. It does not matter which is exhausted first, the DHCP pool or the PDP pool: in either case GGSN will respond with “No resource available” to all valid connection requests. Moreover, GGSN cannot close tunnels, because when you try to close one, GGSN sends an attacker “Delete PDP context request” with the number of the tunnel to be closed. If there is no response (actually, there isn’t any response because an attacker does not want this to happen), GGSN sends such requests over and over again. The resources remain occupied.

In case of successful implementation of this attack, authorized subscribers will not be able to connect to the Internet and those who were connected will be disconnected as GGSN sends these tunnels to the attacker’s address.

This attack is an analogue of the DHCP starvation attack at the GTP level.

Result: The subscribers of the attacked GGSN will not be able to connect to the Internet. The amount of subscribers served by one GGSN is 100,000–10,000,000.

Fig. 16. The scheme of the attack

6.5. Internet at the expense of others

Goal: The exhaustion of the subscriber’s account and use of the connection for illegal purposes.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: The attack is based on sending the “Create PDP context request” packets with the IMSI of a subscriber known in advance. Thus, the subscriber’s credentials are used to establish connection. Unsuspecting subscriber will get a huge bill.

It is possible to establish connection via the IMSI of a non-existent subscriber, as subscriber authorization is performed at the stage of connecting to SGSN and GGSN receives already verified connections. Since the SGSN is compromised, no verification is carried out.

Result: An attacker can connect to the Internet with the credentials of a legitimate user.

Fig. 17. The scheme of the attack

6.6. Data interception

Goal: To listen to the traffic of the victim and conduct a phishing attack.

Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.

Description: An attacker can intercept data sent between the subscriber’s device and the Internet by sending an “Update PDP Context Request” message with spoofed GSN addresses to SGSN and GGSN. This attack is an analogue of the ARP Spoofing attack at the GTP level.

Result: Listening to traffic or spoofing traffic from the victim and disclosure of sensitive data.

Fig. 18. The scheme of the attack

6.7. DNS tunneling

Goal: To get non-paid access to the Internet from the subscriber’s mobile station.

Attack vector: The attacker is the subscriber of a mobile phone network and acts through a mobile phone.

Description: This is a well-known attack vector, rooted in the days of dial-up, but the implementation of low-price and fast dedicated Internet access made it less viable. However, this attack can be used in mobile networks, for example, in roaming when prices for mobile Internet are unreasonably high and the data transfer speed is not that important (for example, for checking email).

The point of this attack is that some operators do not rate DNS traffic, usually in order to redirect the subscriber to the operator’s webpage for charging the balance. An attacker can use this vulnerability by sending specially crafted requests to the DNS server; to get access one needs a specialized host on the Internet.

Result: Getting non-paid access to the Internet at the expense of mobile operator.

Fig. 19. The scheme of the attack

6.8. Substitution of DNS for GGSN

Goal: To listen to the traffic of the victim, to conduct a phishing attack.

Attack vector: An attacker acts through the Internet.

Description: If an attacker gets access to GGSN (which is quite possible as we could see), the DNS address can be spoofed with the attacker’s address and all the subscriber’s traffic will be redirected through the attacker’s host. Thus, listening to all the mobile traffic of the subscriber is possible.

Result: An ability to listen to traffic or spoof traffic from all subscribers and then gather confidential data to engage it in phishing attacks.

Fig. 20. The scheme of the attack
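The attacks in 6.3, 6.4 and 6.6 each leave a pattern in GTP-C signalling that can be watched for at the GRX edge. The detection logic below is an added example, not part of the original report; the event record format, the peer allowlist (RFC 5737 documentation ranges), the thresholds and the rule names are assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# GTPv1-C message types (3GPP TS 29.060).
CREATE, UPDATE, DELETE = 16, 18, 20

# Assumption: GSN address ranges of the operator and its roaming partners.
# Constructed values taken from the RFC 5737 documentation ranges.
ALLOWED_GSN_NETS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "198.51.100.0/24")]

WINDOW_S = 10        # sliding window in seconds (assumed threshold)
MAX_PER_WINDOW = 5   # requests per peer and message type (assumed threshold)


def is_allowed(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_GSN_NETS)


def detect(events):
    """Return [(ts, rule, src)] for GTP-C events given as dicts with the keys
    ts, src, type and, for Update PDP Context, gsn_addr (hypothetical format)."""
    alerts = []
    recent = defaultdict(deque)   # (src, type) -> timestamps inside the window
    reported = set()              # (rule, src) pairs already alerted on

    def report_once(ts, rule, src):
        if (rule, src) not in reported:
            reported.add((rule, src))
            alerts.append((ts, rule, src))

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, src, mtype = ev["ts"], ev["src"], ev["type"]

        # GTP-C from a source that is not a known GSN: the traffic the
        # firewalls recommended in section 7 should never let through.
        if not is_allowed(src):
            report_once(ts, "unknown-peer", src)

        # 6.4 (Create flood) and 6.3 (Delete sweep): too many requests of
        # one kind from one peer inside the window.
        if mtype in (CREATE, DELETE):
            q = recent[(src, mtype)]
            q.append(ts)
            while q and ts - q[0] > WINDOW_S:
                q.popleft()
            if len(q) > MAX_PER_WINDOW:
                rule = "create-flood" if mtype == CREATE else "delete-sweep"
                report_once(ts, rule, src)

        # 6.6: an Update PDP Context Request that moves the tunnel to a GSN
        # address outside the allowlist.
        if mtype == UPDATE and "gsn_addr" in ev and not is_allowed(ev["gsn_addr"]):
            report_once(ts, "gsn-redirect", src)

    return alerts


# Constructed events: one normal session, a flood from an Internet host,
# and a partner-side peer sweeping deletes and then redirecting a tunnel.
NORMAL_EVENTS = [
    {"ts": 0, "src": "192.0.2.10", "type": CREATE},
    {"ts": 3, "src": "192.0.2.10", "type": UPDATE, "gsn_addr": "192.0.2.11"},
    {"ts": 40, "src": "192.0.2.10", "type": DELETE},
]
SAMPLE_EVENTS = (
    NORMAL_EVENTS
    + [{"ts": t, "src": "203.0.113.77", "type": CREATE} for t in range(1, 9)]
    + [{"ts": t, "src": "198.51.100.5", "type": DELETE} for t in range(20, 26)]
    + [{"ts": 30, "src": "198.51.100.5", "type": UPDATE,
        "gsn_addr": "203.0.113.77"}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
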

7. Conclusion and recommendations

Modern mobile networks feature serious vulnerabilities, which allow attackers to perform various attacks against both certain mobile Internet users and the entire infrastructure (for example, for the purpose of industrial espionage or elimination of competitors on the market) using inexpensive equipment. In addition, the deterioration of international relationships and security has historically triggered cell phone tapping followed by the scandalous publication of negotiations between politicians or military officials.

Some of the attacks cannot be performed if the mobile equipment is configured properly, but the results of our research suggest that misconfiguration is a common problem in the telecommunications sphere by those attempting to save money on security. Vendors often leave some services enabled while these services should be disabled on this equipment, which gives additional opportunities to attackers.

Many people rely on new communication standards that include new safety technologies. However, despite the development of such standards (3G, 4G) we cannot completely abandon the use of old generation networks (2G). The reason is the specifics of the implementation of mobile networks and the fact that the 2G base stations have better coverage as well as the fact that 3G networks use their infrastructure.

Also, as of late 2014, the majority of operators in the world do not provide opportunities for voice transmission over 4G networks: during a call the mobile phone is forced to switch to a 3G network or even to 2G, and after the call it switches back, if possible. The possibility of such “invisible” switches is widely used for mobile surveillance.

The key difference between 4G and other networks, voice transmission over IP, may be a vulnerability itself: therefore, not only data but also phone calls may be affected. Therefore, we should expect even more surprises from 4G networks. As for the currently used networks (2G and 3G), Positive Technologies experts recommend implementing the following security measures on the side of communication providers (fig. 21):

1. Use firewalls at the GRX network edge for blocking services that are not associated with providing an Internet access to subscribers in roaming (only required services are permitted: GTP, DNS, etc.).
2. Use firewalls at the Internet edge for blocking services that should not be accessible from the Internet.
3. Use 3GPP TS 33.210 recommendations to configure the security settings within the PS Core network. The network must be secured, in particular, by using IPsec to send the GTP-C traffic within PS core.
4. Carry out regular security monitoring of the perimeter (Advanced Border Control service). This set of measures will monitor the Customer’s network protection against external threats. The monitoring implies regular scanning of all operator’s networks and hosts available from the Internet. Scanning reveals available network services, their versions, and types of operational systems. Information obtained during the scanning is checked against the vulnerabilities and exploits database. Thus, the operator is able to control the perimeter from the point of the attacker, predict possible attacks and prevent them.
5. Develop security compliances of equipment and perform regular compliance management tasks (see example in fig. 22).

Fig. 21. The recommended set of security measures

Fig. 22. MaxPatrol Compliance Management

Sources

1. Cisco Global Mobile Data Traffic Forecast Update, 2013–2018. Cisco VNI Mobile, 2014. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.pdf
2. Vulnerability Statistics for Corporate Information Systems (2013). Positive Technologies, 2014. http://www.ptsecurity.ru/download/PT_Corporate_vulnerability_2014_rus.pdf
3. Vulnerabilities of mobile networks based on SS7 protocols. Positive Technologies, 2014. http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf
4. Cell phones and total NSA surveillance: How does it work? Positive Technologies, 2014. http://habrahabr.ru/company/pt/blog/245113/
5. 4G ‘inherently less secure’ than 3G. The Telegraph, 2014. http://www.telegraph.co.uk/technology/internet-security/10951812/4G-inherently-less-secure-than-3G.html
6. Mobile Internet security from inside and outside. Positive Technologies, 2013. http://habrahabr.ru/company/pt/blog/188574/
7. GRX and a Spy Agency. http://www.slideshare.net/StephenKho/on-her-majestys-secret-service-grx-and-a-spy-agency
8. 3GPP TS 29.060. http://www.3gpp.org/DynaReport/29060.htm

List of abbreviations

APN - Access Point Name; a symbolic name of an access point through which the user can get access to the requested type of the service (WAP, Internet, MMS)

BSC - Base Station Controller

BTS - Base Transceiver Station; a piece of equipment (repeaters, transceivers) that facilitates wireless communication between user equipment and a network.

CI - Cell ID

CS - Circuit Switched; data transmission with channel switching

DHCP - Dynamic Host Configuration Protocol

DNS - Domain Name System

FTP - File Transfer Protocol

GGSN - Gateway GPRS Support Node; the node affiliated to PS Core Network, it enables the routing of data between GPRS Core network and external IP networks

GPRS - General Packet Radio Service

GRX - Global Roaming eXchange; network that provides packet data services to the roaming

GTP - GPRS Tunneling Protocol; a protocol describing and performing the transmission of data between GSN nodes within the packet network

HLR - Home Location Register; a database storing all information about the subscriber

HTTP - HyperText Transfer Protocol

IMEI - International Mobile Equipment Identity

IMSI - International Mobile Subscriber Identity

LAC - Local Area Code

MCC - Mobile Country Code; a code of country, in which the Base Station is located

MMS - Multimedia Message System; a system for multimedia messaging (images, audio and video files) within the mobile network

MNC - Mobile Network Code

MS - Mobile Station

MSISDN - Mobile Subscriber Integrated Services Digital Number

PS - Packet Switched; data transmission with packet switching

SGSN - Service GPRS Support Node; the main component of the GPRS system for implementation of all packet data processing functions

SS7 - Signaling System 7; a common channel signaling system used in the international and local telephone networks around the world

SSH - Secure Shell

TEID - Tunnel Endpoint IDentifier

UDP - User Datagram Protocol

UMTS - Universal Mobile Telecommunications System; a mobile technology developed by the European Telecommunications Standards Institute (ETSI) in order to implement a 3G service in Europe.

WAP - Wireless Application Protocol