Roaming Security
Severity: high
GRX/IPX · GTP · SEPP · Inter-operator trust
Roaming is operationally necessary and architecturally dangerous. To provide service abroad, operators must extend trust to hundreds of foreign networks — networks over which they have no visibility, no security controls, and no ability to audit. The GRX/IPX interconnect that carries roaming signalling and data was designed for billing reconciliation and protocol translation; it became the primary highway for inter-operator attacks. GTP, the tunnelling protocol carrying subscriber user-plane and control-plane traffic, was designed with operator-internal deployment in mind and provides minimal protection when exposed to the multi-operator interconnect environment.
Threat vectors
GTP-C tunnel hijacking
Severity: high
GTP Control Plane messages — particularly Create Session Request and Modify Bearer Request — carry Tunnel Endpoint Identifiers (TEIDs) and IP addresses that can be spoofed or guessed. An attacker with GRX/IPX access can send crafted GTP-C messages to redirect subscriber data traffic through an attacker-controlled endpoint, intercepting or modifying user-plane traffic without the subscriber's knowledge.
GTP flooding and denial of service
Severity: high
The GTP-U and GTP-C protocol implementations in SGWs, PGWs, and GGSNs are susceptible to resource exhaustion via message flooding. Attackers send high volumes of GTP-C Create Session Requests with spoofed source addresses, exhausting connection tables and preventing legitimate roaming sessions from being established. This can selectively deny service to subscribers from targeted home networks.
GRX/IPX-based SS7 and Diameter attacks
Severity: critical
The same interconnect that carries GTP also carries SS7 and Diameter signalling for roaming. Entities with GRX/IPX access — including operators in permissive jurisdictions and commercial SS7 access vendors — can launch MAP and Diameter attacks against any subscriber of any operator reachable via the interconnect. The roaming infrastructure is the most widely exploited entry point for SS7 attacks against non-roaming subscribers.
CAMEL protocol exploitation
Severity: high
CAMEL (Customised Applications for Mobile networks Enhanced Logic) is used to provide prepaid charging and supplementary services for roaming subscribers. CAMEL Intelligent Network Application Part (CAP) messages pass between the visited network and the home network's Service Control Point (SCP). Compromised or malicious visited network nodes can send manipulated CAMEL messages to interfere with charging — either to avoid charges (fraud) or to generate false charges against subscribers.
5G N32 interconnect exposure
Severity: high
5G roaming uses the N32 interface between SEPPs (Security Edge Protection Proxies) in home and visited networks. SEPP is mandatory in the 3GPP specification but deployment has been uneven. Where SEPPs are absent or misconfigured, the N32 interface exposes HTTP/2-based SBI traffic to the same inter-operator trust abuse that affects SS7. The PRINS protocol protecting sensitive fields can also be misconfigured to provide weaker protection than intended.
Impact
1. Subscriber data exposure during roaming — GTP tunnel hijacking can redirect and expose user-plane traffic (browsing, messaging, app data) without any indication to the subscriber or home operator.
2. Revenue fraud from CAMEL and GTP manipulation — operators lose revenue through manipulated charging records that are difficult to detect until billing reconciliation, often weeks after the fraud occurred.
3. Network-wide compromise via trusted roaming partners — a single compromised roaming partner with GRX/IPX access can attack all subscribers of all operators reachable via the shared interconnect.
4. Regulatory and legal exposure — data sovereignty requirements in many jurisdictions prohibit subscriber data from traversing certain networks; GTP routing manipulation can violate these requirements without operator awareness.
Mitigations & solutions
Deploy a GTP Firewall
Implement deep packet inspection of GTP-C traffic at the Gi/SGi and S8/Gp interfaces. Block unexpected message types from roaming partners (e.g., Create Session Requests from non-peered nodes), validate TEID ranges and IP addresses, enforce rate limits per peer, and drop GTP-in-GTP encapsulation outside of legitimate use cases.
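The peer, message-type, TEID-range and per-peer rate checks above, as an added Python example that is not from the page or any product it mentions. It parses only the GTPv2-C fixed header; the peer address, the home TEID allocation range and the rate limit are constructed assumptions, and the caller supplies the clock.

```python
import struct
from collections import defaultdict, deque

# Constructed policy for a hypothetical S8/Gp GTP-C firewall (not from the page): allowed inbound
# GTPv2-C message types per peered SGW, a per-peer rate limit, and this home network's TEID range.
ECHO_REQ, CREATE_SESSION_REQ, MODIFY_BEARER_REQ, DELETE_SESSION_REQ = 1, 32, 34, 36
PEER_POLICY = {
    "203.0.113.10": {"allowed": {ECHO_REQ, CREATE_SESSION_REQ, MODIFY_BEARER_REQ, DELETE_SESSION_REQ},
                     "rate": 5},  # max accepted messages per WINDOW_SECONDS from this partner
}
HOME_TEID_RANGE = range(0x10000000, 0x20000000)  # constructed: TEIDs this home network allocates
WINDOW_SECONDS = 1.0
_recent = defaultdict(deque)  # peer -> timestamps of recently accepted messages

def parse_gtpv2c_header(pkt):
    """Parse the fixed GTPv2-C header (TS 29.274 layout); returns a dict, or None if malformed."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    has_teid = bool(flags & 0x08)  # T flag: a 4-octet TEID precedes the sequence number
    if length + 4 != len(pkt) or (has_teid and len(pkt) < 12):  # length excludes the first 4 octets
        return None
    teid = struct.unpack("!I", pkt[4:8])[0] if has_teid else None
    return {"version": flags >> 5, "msg_type": msg_type, "teid": teid}

def filter_gtpc(src_ip, pkt, now):
    """Return (verdict, reason) for one inbound GTP-C datagram; `now` is the caller's clock in seconds."""
    policy = PEER_POLICY.get(src_ip)
    if policy is None:
        return "DROP", "non-peered source"
    hdr = parse_gtpv2c_header(pkt)
    if hdr is None:
        return "DROP", "malformed header"
    if hdr["version"] != 2:  # GTPv1-C (Gp) would need its own parser and policy
        return "DROP", f"unsupported GTP version {hdr['version']}"
    if hdr["msg_type"] not in policy["allowed"]:
        return "DROP", f"message type {hdr['msg_type']} not allowed from peer"
    teid = hdr["teid"]
    if teid and teid not in HOME_TEID_RANGE:  # 0 means "no tunnel yet", e.g. an initial Create Session
        return "DROP", f"TEID {teid:#x} outside home allocation"
    q = _recent[src_ip]  # sliding-window rate limit per peer
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= policy["rate"]:
        return "DROP", "peer rate limit exceeded"
    q.append(now)
    return "ACCEPT", "ok"
```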
Implement SEPP for all 5G roaming traffic
Ensure SEPP deployment is complete and correctly configured before enabling 5G roaming. Enforce PRINS (N32-f) for all sensitive fields including SUPI, location, and charging data. Validate SEPP certificates from roaming partners against a trusted registry and reject connections from uncertified endpoints.
Apply GSMA FS.11/FS.19 signalling controls at the GRX gateway
Place SS7 and Diameter firewalls at the GRX/IPX gateway interface. Enforce GSMA category filtering for all inbound MAP and Diameter messages from roaming partners. Monitor for anomalous message volumes from specific origination points and apply automatic throttling.
Monitor GTP traffic for anomalies
Collect and analyse GTP-C session metadata to detect abnormal patterns: unusually high session creation rates from specific peers, TEIDs appearing in multiple simultaneous sessions, GTP endpoint IP addresses that fall outside expected network ranges, and create/delete session ratio anomalies that indicate resource exhaustion attacks.
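The four anomaly checks above run over a batch of GTP-C session records, as an added Python example that is not from the page. The record format, the thresholds, the peer name and its declared address range are constructed assumptions, as is the sample batch; in practice the thresholds come from per-peer baselines.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed thresholds and per-peer address ranges (not from the page); tune from baselines.
WINDOW = 10.0                  # seconds for the session-creation rate check
MAX_CREATES_PER_WINDOW = 3
MAX_CREATE_DELETE_RATIO = 4.0  # creates/deletes above this suggests sessions are never torn down
EXPECTED_PEER_RANGES = {"visited-A": [ipaddress.ip_network("198.51.100.0/24")]}

def analyse_gtpc_events(events):
    """events: {ts, peer, event: create|delete, teid, endpoint_ip} records sorted by ts; returns alerts."""
    alerts = []
    create_times = defaultdict(list)  # peer -> create timestamps inside the sliding window
    active_teids = {}                 # TEID -> peer of the session currently holding it
    counts = defaultdict(Counter)     # peer -> {"create": n, "delete": m}
    for ev in events:
        peer, kind, teid = ev["peer"], ev["event"], ev["teid"]
        counts[peer][kind] += 1
        if kind == "delete":
            active_teids.pop(teid, None)
            continue
        # 1. Session-creation rate per peer (alert once, when the threshold is first crossed)
        create_times[peer] = times = [t for t in create_times[peer] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
        if len(times) == MAX_CREATES_PER_WINDOW + 1:
            alerts.append(("create_rate", peer, f"{len(times)} creates in {WINDOW:.0f}s"))
        # 2. TEID presented while an earlier session with the same TEID is still open
        if teid in active_teids:
            alerts.append(("teid_reuse", peer, f"TEID {teid:#x} still active for {active_teids[teid]}"))
        active_teids[teid] = peer
        # 3. Tunnel endpoint address outside the ranges declared for this peer
        addr = ipaddress.ip_address(ev["endpoint_ip"])
        if not any(addr in net for net in EXPECTED_PEER_RANGES.get(peer, [])):
            alerts.append(("unexpected_endpoint", peer, str(addr)))
    # 4. Create/delete ratio per peer over the batch: many creates with few deletes
    for peer, c in counts.items():
        ratio = c["create"] / max(c["delete"], 1)
        if c["create"] > MAX_CREATES_PER_WINDOW and ratio > MAX_CREATE_DELETE_RATIO:
            alerts.append(("create_delete_ratio", peer, f"ratio {ratio:.1f}"))
    return alerts

# Constructed sample: a normal create/delete, then a burst of creates, a reused TEID and an endpoint
# outside the peer's declared range.
SAMPLE_EVENTS = [
    {"ts": 0.0, "peer": "visited-A", "event": "create", "teid": 0x1001, "endpoint_ip": "198.51.100.5"},
    {"ts": 1.0, "peer": "visited-A", "event": "delete", "teid": 0x1001, "endpoint_ip": "198.51.100.5"},
    {"ts": 2.0, "peer": "visited-A", "event": "create", "teid": 0x1002, "endpoint_ip": "198.51.100.5"},
    {"ts": 3.0, "peer": "visited-A", "event": "create", "teid": 0x1003, "endpoint_ip": "198.51.100.5"},
    {"ts": 4.0, "peer": "visited-A", "event": "create", "teid": 0x1004, "endpoint_ip": "198.51.100.5"},
    {"ts": 5.0, "peer": "visited-A", "event": "create", "teid": 0x1002, "endpoint_ip": "203.0.113.9"},
]
```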
Restrict and audit roaming agreements
Maintain a current inventory of active roaming agreements and GRX/IPX peers. Revoke agreements with operators in high-risk jurisdictions or with poor security track records. Require security disclosure and firewall compliance certification as part of new roaming agreement onboarding.