Telecom Security Consulting

GSM/3G/LTE and SS7 & SIGTRAN Security Consulting



Core Network vulnerability assessment and penetration testing:

The GSM/3G core network is responsible for providing services such as calls, VAS, SMS and data. A vulnerability assessment of the core network covers all core network elements as well as an architecture audit. This testing is done on the management and configuration interfaces of these elements. LTE and protocol-specific security assessments are treated as separate scopes.


Core network elements include:
  • SS7 Signaling Routers (TDM/IP).
  • Circuit Switching: Mobile Switching Center.
  • Messaging Services: MMSC, SMSC.
  • Subscriber database and parameter generation validation: HLR, HSS, AUC, EIR.
  • Intelligent network, delivery and billing platforms: IN, CAP and CAMEL systems, VAS, billing platforms, SDP, GPRS billing gateways.
  • Packet Switched Networks and interfaces: GGSN, SGSN.
  • Different types of gateway in the Packet Switched Domain.
  • Radio Access Network: GRAN, GERAN, UTRAN, E-UTRAN.

Network element Configuration review

The network element configuration review covers the configuration of all core network elements. This includes user agent level configuration, such as the frequency of user-level authentication and the types of encryption allowed, and system-level configuration, such as login password strength, SNMP configuration, MML configuration and application-specific parameters.

A reconfigured network element could impact the availability of service. Common configuration mistakes involve the type of authentication and encryption allowed on the network, the frequency of generating the ciphering key, the frequency of checking the IMEI, and the frequency of authenticating the user.

Air Interface Assessment

In telecom, most services are provided over the air interface, in other words the radio interface. This interface is open to everyone; one cannot put restrictions on transmitting or receiving radio waves. Hence this interface is the most vulnerable. Also, tracking incidents that happened over the air interface is useless. To find vulnerabilities on this interface we have developed our own in-house tool, which assesses issues over the air interface.

Some common attacks are:
  • Call/SMS sniffing.
  • Network jamming.
  • Identity impersonation.
  • Signal/BTS spoofing (Fake BTS).
  • Mass Cell phone Switch Off.

LTE Architecture audit

This audit covers the LTE EPC (Evolved Packet Core) and E-UTRAN. It is a strategic review of the LTE network design, configuration and implementation. Specific focus is on the inter-working with the 2G/3G network and associated signalling protocols.


Key elements included from a risk perspective:
E access network and the evolved core network:
  • Call/SMS sniffing.
  • Network jamming.
  • Identity impersonation.
  • Signal/BTS spoofing (Fake BTS).
  • Mass Cell phone Switch Off.

SS7 & SIGTRAN Security consulting

SS7/SIGTRAN is the core network protocol of 2G/3G networks. This protocol carries calls, SMS, billing and roaming information over either TDM or IP (SIGTRAN) links. It is a very old protocol and lacks the security measures that are necessary today. It lacks security because the people who designed it assumed that everyone on the SS7 network would be a gentleman. But this is not the case nowadays. In the old days it was not easy to access the SS7 network, but because of VAS service providers, SS7 became accessible to everyone for a monthly fee. As security measures are lacking, one just needs to connect to the SS7 network to send and receive responses or perform attacks.

At Matrix Shell we have developed a tool to perform SS7/SIGTRAN network assessment, which identifies different vulnerabilities on the SS7 network. Our tool won a prize in the Telecom Application Developer Hackathon. The SS7 stack for this tool was sponsored by TeleStax Inc USA.


We cover the following protocols in the SS7 suite:
  • SCTP
  • SCCP
  • ISUP
  • CAP
  • M3UA, MTP3
  • TCAP
  • MAP
  • INAP

IP-PBX Security Consulting

IP PBX and phone systems are mission-critical systems. They play an important role in an organization's internal communication. An attack on these systems can cause huge damage to the organization, so security testing of these systems is needed. At Matrix Shell we use commercial VoIP penetration testing tools such as VOIP-PACK and VoIPAudit.

Areas covered in IP-PBX assessment:
  • Account enumeration, brute forcing, flooding
  • Cisco Unified Communication Manager
  • Avaya Aura Communication Manager
  • Asterisk, OpenSIPS, Freeswitch
  • SBC, Registrar, Proxy, Media Server

Minimum Baseline Security Standard (MBSS)

We have created the MBSS based on industry experience and best practices, which helps our clients secure their infrastructure. Currently we have MBSS for HLR/AUC, MSC, MSS, SGSN and SMSC.