Many cellular network protocols don’t have clear documentation explaining them, especially when it comes to the proprietary protocols used by 4G and 5G networks. This makes them difficult to understand by the average person, but also potentially vulnerable to anyone willing to take the time to research them and find issues. We haven’t yet seen attacks on these new protocols that outright break them, but I find that adversaries often find other methods that might give them the unauthorized access they want. For instance, instead of accessing the connection between the cellphone and cell tower I’ve found reports that hackers compromised the General Packet Radio Services (GPRS).
Attacks targeting internal Telco background services have increased in recent years, with examples like the Syniverse SMS attack and the T-Mobile breach. The T-Mobile breach occurred because of a compromised GPRS development server. Most recently CrowdStrike identified the hacking group Lightbasin, who have links to China, compromising GPRS servers.
In business-to-business connections and partnerships, the Telco community seems to lack the same security measures as it applies to its connections to the external Internet. The Lightbasin group used DNS services and a GPRS tunneling protocol to move laterally between Telcos and compromised servers. Using this method, they compromised 13 Telcos, none of which were named.
Outside of Telco companies no one really uses that GPRS tunneling protocol. However, we do use DNS services and other less known protocols. With breaches happening all too regularly, we must inspect the communications between our business-to-business connections using security controls like a DNS proxy. You should have security controls that inspect any inter-business network communications, even if using unique protocols. This way even if the business you have a connection to becomes compromised you may still detect an issue and remain protected.