🎯 Goal
Understand the core protocols that power global mobile networks—SS7 (2G/3G), Diameter (4G/LTE), and GTP (data roaming). Learn their inherent vulnerabilities and how attackers exploit them for interception, location tracking, and fraud, as well as how to defend with signaling firewalls and monitoring.
🔑 Key Skills to Learn
- GSM/UMTS/LTE/5G Architecture: Core network nodes (MSC, HLR, SGSN, GGSN, MME, S-GW, P-GW), interfaces, and the role of signaling.
- SS7 Protocol Stack: MTP, SCCP, TCAP, MAP. Understand key MAP operations (sendRoutingInfoForSM, provideSubscriberInfo, etc.).
- SS7 Attack Classes: Location tracking (ATI), call/SMS interception (redirect), fraud (USSD manipulation), denial of service.
- Diameter Protocol (4G): Base protocol, AVPs, and how Diameter replaces SS7 for signaling, new attack vectors (inter-operator interconnect weaknesses).
- GTP (GPRS Tunneling Protocol): GTP-C, GTP-U, GTPv1/v2, and attacks on roaming data (traffic eavesdropping, modification, charging fraud).
- Signaling Security: Signaling firewalls, filtering rules, anomaly detection, GSMA guidelines (IR.82, FS.11).
- Telecom Fraud: Wangiri, PBX hacking, SIM swapping (technical basis), international revenue share fraud.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| SigPloit | SS7/Diameter/GTP penetration testing framework (signaling attack simulation). |
| Yate | Open-source telephony engine; can be used to set up test signaling nodes. |
| Wireshark (with protocol dissectors) | Analyze SS7/MAP/TCAP, Diameter, and GTP captures. |
| OsmoDevCall / OpenBTS | Open-source GSM stack for building private mobile test networks. |
| sccp-scan | Scan SS7 networks for accessible global titles. |
| gtp-scan / dia-scan | Scanning tools for GTP and Diameter services. |
| SCTP/TCP-based Signaling Test Tools | Custom scripts using Scapy to craft signaling packets. |
📖 Free Learning Resources
- Positive Technologies – SS7 Security Research – Seminal papers and presentations on SS7/Diameter weaknesses. Link
- P1 Security – Telecom Security Blog – Deep dives into telecom protocols and attacks. Link
- Chaos Communication Congress (CCC) Talks – "Mobile Self Defense" (SS7), "Diameter: The SS7 of 4G", "LTE in Bullet Points". Search YouTube for CCC and SS7/Diameter.
- GSMA FS.11 & IR.82 (Summaries) – While full documents are member-only, many free summaries and presentations exist online explaining signaling security guidelines.
- GitHub: SigPloit Documentation – Practical guide to setting up SS7 pentest labs. Link
- TelcoSec Day / TROOPERS Conference – Free recordings of telecom security talks. Search “TROOPERS telco” or “TelcoSec Day”.
- "SS7: Locate. Track. Manipulate." – Tobias Engel’s famous talk, available on YouTube.
🎯 Goal
Understand the 5G core and radio access network architecture, its security enhancements over 4G (e.g., new authentication framework, encrypted SUPI, SEPP for roaming), and the new attack surfaces introduced by service-based architecture (SBA), virtualized network functions, and network slicing.
🔑 Key Skills to Learn
- 5G Architecture: Service-Based Architecture (SBA), core network functions (AMF, SMF, UPF, NRF, NSSF, AUSF, UDM, PCF, AF), interfaces (N1–N50, F1AP, E1AP, NGAP).
- 5G RAN & gNB: CU/DU split, F1 interface, RRC, SDAP layers.
- 5G Authentication & Key Management: 5G-AKA, EAP-AKA', SUPI/SUCI encryption (ECIES), new USIM (5G SIM).
- Roaming Security: Security Edge Protection Proxy (SEPP), N32 interface, PRINS protocol, IPX interworking.
- Network Slicing: Slice identifiers (S-NSSAI), security isolation between slices, NSSF exposure.
- Virtualization & Cloud-Native 5G Core: NFV/SDN, containers/VMs for network functions, risks from shared infrastructure, API security (HTTP/2, JSON, REST APIs).
- New Attack Vectors: Exposure of NRF/NSSF/PCF APIs, service discovery hijacking, 5G-specific MITM, downgrade to 4G/3G, Stingray/IMSI-catcher evolution (SUPI catching without encryption), gNB impersonation, GTP-U hijacking in 5G NSA.
- Interworking with Legacy (4G/3G): Dual connectivity (EN-DC), handover attacks, cross-protocol vulnerabilities.
- 5G Security Standards: 3GPP TS 33.501 (security architecture), GSMA NESAS/SCAS, ITU-T guidelines.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Open5GS / free5GC | Open-source 5G core (SA) for lab testing and analysis. |
| OAI (OpenAirInterface) 5G | Open-source RAN and core implementation for experimentation. |
| UERANSIM | Lightweight 5G UE and RAN simulator to connect to a 5G core. |
| Wireshark (with 5G dissectors) | Analyze NGAP, HTTP/2, PFCP, GTP-U, etc. |
| Scapy / Python (with SCTP libraries) | Craft and test 5G signaling packets. |
| 5G-EVE / Open5G-lab | Testbeds and scripts for 5G security experiments. |
| My5G-RANTester | Security assessment tool for 5G RAN and core. |
| Nmap (with 5G-capable NSE scripts) | Scan and fingerprint 5G core network functions. |
📖 Free Learning Resources
- 3GPP TS 33.501 – "Security architecture and procedures for 5G System" (available free to read). Link
- ENISA 5G Security Reports – EU’s cybersecurity agency analysis and recommendations. Link
- NIST Special Publication 800-187 – Guide to 5G Security. Link
- GSMA 5G Security Resources – Summaries of NESAS, FS.31, and security guidelines. Link
- 5G Security for Dummies (Thales) – Introductory free e-book. Link
- Positive Technologies – 5G Security Research – Whitepapers on SBA threats and signaling attacks. Link
- TROOPERS / TelcoSecDay Talks – Look for recent presentations on 5G core vulnerabilities (YouTube).
- O-RAN Alliance Security Focus Group – Public documents and webinars on open RAN security. Link
🔗 Roadmap Placement
- Prerequisites: Telecom Security (SS7, Diameter, GTP) to understand legacy signaling and how 5G interworks with them; Networking (TCP/IP, HTTP/2, SCTP); Linux.
- Directly Enables: 5G Security Researcher, Telecom Penetration Tester for mobile operators, Regulatory/Government roles in telecom security, and contribution to 3GPP/GSMA security working groups.