Telecom Security Assessment

This comprehensive security assessment program has been developed by our expert team with decades of experience and expertise in deploying global telecom security projects. The program covers testing across the telecom network ecosystem: signalling network, SIP deployments, RAN, SIM cards and VoLTE.

Signalling Security Assessment

Our Telecom Security Assessment (TSA) program provides complete visibility into the actual state of signalling protection across the SS7, Diameter and GTP protocols. These detailed assessments highlight potential attack vectors on the signalling network and other risks, thus keeping the network and subscribers safe.

  • Our experts use in-house tools to generate test messages for the customer's mobile network. These tools are connected to our IPX provider.
  • Messages are submitted from the tools via the global SS7/IPX network to the customer's mobile network.
  • In the first stage of TSA, our experts undertake the evaluation independent of customer interactions.
  • In the later stages of testing, customers are asked to replicate certain scenarios using mobile phones.

We have also developed a SecurityGen Telecom Training module, tailored to customer requirements and conducted by our team of experienced researchers. Our in-depth training program covers SS7 Security Training, Diameter Security Training and GTP Security Training.

SIP Security Assessment

Our SIP Security assessment focuses on non-SIM based access or No SIM SIP User Agents (Hosted Voice), SIP trunking and SIP Interconnect. This assessment requires remote access to Customer SIP environments (via VPN or Internet).

  • The testing includes all appropriate elements and threats reviewed as part of GSMA FS.38 and other recommendations.
  • This assessment is intended to evaluate whether available SIP deployments are secure or vulnerable to possible threats and attacks aimed at accessing confidential communications, disrupting availability, or performing fraudulent activities.
  • The goal of these checks is to determine whether the identified test cases executed on the target SIP network have been successful.

VoLTE/VoWiFi Security Assessment

This assessment addresses VoLTE and VoWiFi. These services use SIM-enabled equipment to access the mobile network but utilize different connection mediums. As with SIP assessments, there has been a substantial amount of investigation into VoLTE testing that reflects all details and threats highlighted in GSMA FS.22, GSMA FS.38 and other relevant documentation for access using SIM-enabled SIP devices. This assessment requires the onsite presence of our specialists.

RAN Security Assessment (onsite)

Adversaries can exploit the Radio Access Network (RAN) that connects subscriber mobile devices with the core wireline network through attack vectors that can interact with, capture, replay and inject signals. These attacks may range from eavesdropping on conversations between mobile devices and Base Stations (BS), cloning of mobile subscribers to use network resources without paying, creating fake BSs and enticing users to camp at these phony BSs, to ‘denial of service’ attacks on the RAN and social engineering against subscribers.

  • To ensure that security controls are in place against such attacks and to evaluate their effectiveness, Communication Service Providers (CSPs) plan to execute a range of test cases on the end customer's RAN from two designated sites identified and approved by the end customer.
  • A set of test cases will be executed to validate multiple attack scenarios, and all security vulnerabilities identified will be presented in a formal technical report, including relevant artefacts and recommendations.
  • The goal of these tests is to evaluate the end customer's network resistance to passive listening, cloning of mobile phones, cloning subscribers, fake BSs and subscriber DoS conditions.

SIM Card Security Assessment

SIM card security assessments cover a set of services that help detect potential vulnerabilities related to the installed SIM card. This assessment, conducted remotely and with proper authorisation, helps detect whether the customer's signalling network transmits illegitimate signalling messages that allow hackers to deliver a binary SIM. It also helps evaluate whether the customer's SIM cards contain potentially dangerous applications which can compromise data integrity and security.

During testing, our specialists will use various tools, including a modified Open-Source SIM Tester and the SecurityGen Artificial Cybersecurity Expert, which has been developed by our telecom security team based on their extensive experience in researching the security of signalling networks.

During testing, we have 3 standard stages:

1) Offline SIM Card Testing

2) Mobile Terminated SIM Toolkit messages (MT STK SMS)

3) Mobile Originated SIM Toolkit messages (MO STK SMS)

eSIM Security Assessment

There are two main eSIM deployment schemes: a consumer eSIM solution and an M2M eSIM solution. For consumer eSIMs, the profile activation is initiated by a user device. In the case of M2M eSIMs, activation is initiated by the network. This document describes the methodology for eSIM security assessments for consumer eSIMs only. The customer provides the SecurityGen team with a web-link or QR-code of an eSIM registration. Our experts then try to execute attacks aimed at eSIM confidentiality, integrity, and availability. Interaction with the customer's employees is not required.

During the eSIM Security Assessment, we test for vulnerabilities in the:

  • Cryptographic channel
  • eSIM infrastructure
  • SIM Toolkit

The eSIM Security Assessment empowers MNOs with detailed information on:

  • Strength and resistance of the cryptographic channel
  • Identification of MNO restrictions on user equipment
  • Possibility of remote exploitation of the eSIM STK
  • Possibility of illegitimate control of the eSIM platform