The core network provides central functionality for mobility management, session management, authentication, and routing in telecommunication networks. This research area focuses on the security aspects of core network elements across different network generations.
| Traffic Type | Entry Point | Attack Types | Known Vulnerabilities | Tools |
|---|---|---|---|---|
| SS7/SIGTRAN | GT/PC (23.003) | Location tracking; SMS interception; call interception | Unfiltered MAP messages; SCCP routing abuse | SigPloit; SS7map; Locator |
| Diameter | Origin-Host/Realm | AVP injection; command spoofing; session hijacking | Missing edge protection; weak AVP validation | Diameter EPC Framework; DIAMETERpot; Baseprotect |
| GTP-C | TEID/IP | Tunnel hijacking; session manipulation; DoS attacks | Missing TEID validation; weak GTP firewall rules | GTP Toolkit; PGW Tester; EPC Sim |
| HTTP/2 (5G) | FQDN/IP | API abuse; token theft; SEPP bypass | OAuth vulnerabilities; TLS misconfiguration | Burp Suite; NRF Scanner; 5G Core Test |
| SCTP | IP/Port | Association flooding; path failure; stream reset | SCTP multi-homing abuse; missing protection | SCTPscan; SCTP Toolkit; PathManager |
- Authentication Frameworks
  - AKA (Authentication and Key Agreement)
  - EAP-AKA/EAP-AKA'
  - 5G-AKA
  - EAP-TLS implementation
- Subscriber Identity Protection
  - TMSI/GUTI allocation security
  - SUPI/SUCI concealment
  - IMSI/IMEI security
  - Identity request procedures
- Authorization Mechanisms
  - Policy enforcement
  - Subscriber profile security
  - Network slice authorization
  - Service authorization
- SS7 Security
  - MAP security
  - CAMEL security
  - ISUP protection
  - SS7 filtering
- Diameter Security
  - Command filtering
  - Application-level security
  - Transport security (SCTP/TLS)
  - AVP validation
- HTTP/2 and SBA Security
  - API security in 5G
  - OAuth 2.0 implementation
  - TLS profile conformance
  - Certificate management
- 4G Core Elements
  - MME security
  - HSS vulnerabilities
  - SGW/PGW security
  - PCRF security
- 5G Core Elements
  - AMF security
  - UDM/AUSF/UDR security
  - SMF/UPF security
  - NRF/NSSF security considerations
- Control Plane/User Plane
  - CUPS security
  - N4 interface security
  - Sx interface protection
  - GTP-U security
- Interconnect Security
  - IPX security
  - Border gateway security
  - Interconnect firewall design
  - Traffic filtering rules
- Roaming Security
  - Roaming interface protection
  - SEPP (Security Edge Protection Proxy)
  - Home-routed vs. local breakout
  - Steering of roaming security
- Network Function Security
  - SEPP security
  - SCP (Service Communication Proxy)
  - NEF (Network Exposure Function)
  - NWDAF security
- NFV Security
  - MANO security
  - VNF security requirements
  - NFV infrastructure security
  - Orchestration security
- Container Security
  - Kubernetes security for telco
  - Container image security
  - CNI security
  - Microservice architecture security
- Cloud-Native Security
  - CI/CD pipeline security
  - DevSecOps for telco environments
  - Continuous security monitoring
  - Security policy as code
- Slice Isolation
  - Resource isolation mechanisms
  - Control plane isolation
  - User plane isolation
  - Management plane isolation
- Slice-Specific Authentication
  - Network slice selection
  - Slice-specific credentials
  - Multi-slice authentication
  - Slice access control
- SS7/Diameter filtering bypass
- GTP tunnel hijacking
- HSS/UDM data manipulation
- Subscriber profile modification
- Inter-PLMN security breaches
- Network slice isolation violations
- API-level attacks in 5G SBA
- Core network penetration testing
- Signaling security assessment
- Roaming security testing
- Protocol conformance testing
- Core network fuzzing
- Virtualization security validation
- Container security assessment
- SS7/Diameter Security Testing
- Core Network Element Security
- Roaming Security Analysis
- Network Slicing Security
- 5G Service-Based Architecture Security
- 3GPP TS 33.210: Network Domain Security
- 3GPP TS 33.310: Network Domain Security Authentication Framework
- 3GPP TS 33.501: Security architecture and procedures for 5G System
- GSMA FS.11: SS7 Interconnect Security Monitoring Guidelines
- GSMA FS.19: Diameter Interconnect Security
Attack Flow:
1. Obtain GT/PC of target network
2. Send SendRoutingInfoForSM to HLR/HSS
3. Extract serving node information
4. Send ProvideSubscriberInfo to serving MSC/VLR
5. Retrieve precise location information
Tools:
- SigPloit (SS7 Attack Framework)
- SS7map (Network Mapping)
- Location Tracker Suite
Mitigation:
- Category 1 & 2 SS7 filtering
- SMS Home Routing
- Location query rate limiting
- Subscriber privacy controls
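The "Category 1 & 2 SS7 filtering" mitigation above, as an added example that is not code from the page or any of the tools it lists: a GSMA FS.11-style MAP screening rule for an interconnect. Operation codes are the standard MAP opcodes from 3GPP TS 29.002; the category assignment is an illustrative subset of FS.11 (take the full list from the guideline), and the GT-to-PLMN partner table is constructed. Note how step 4 of the flow above (ProvideSubscriberInfo from a foreign GT) is rejected by the Category 2 rule because the calling GT does not belong to the subscriber's home PLMN.

```python
# Added example (not code from the page or its listed tools): FS.11-style MAP
# category screening at an SS7 interconnect. Opcodes are from 3GPP TS 29.002;
# the category assignment is an illustrative subset; the GT table is constructed.
from dataclasses import dataclass
from typing import Optional

# Category 1: intra-network operations that should never arrive from an interconnect.
CAT1_BLOCK = {71: "anyTimeInterrogation", 65: "anyTimeModification",
              58: "sendIMSI", 9: "sendParameters"}
# Category 2: only the home network of the subscriber concerned may send these.
CAT2_HOME_ONLY = {70: "provideSubscriberInfo", 7: "insertSubscriberData",
                  8: "deleteSubscriberData", 3: "cancelLocation",
                  4: "provideRoamingNumber", 83: "provideSubscriberLocation"}
# Category 3: legitimate in roaming, but need a location-plausibility check
# (e.g. SMS Home Routing for SRI-SM) rather than a static rule.
CAT3_CHECK = {2: "updateLocation", 22: "sendRoutingInfo", 45: "sendRoutingInfoForSM"}

# Constructed: E.164 calling-GT prefixes of roaming partners -> their PLMN (MCC+MNC).
GT_PREFIX_TO_PLMN = {"4917": "26201", "3360": "20801"}

@dataclass
class MapMessage:
    opcode: int
    calling_gt: str           # SCCP calling-party global title, E.164 digits
    imsi: Optional[str]       # IMSI from the MAP payload, when the operation carries one

def plmn_of_imsi(imsi: str) -> str:
    # Assumes 2-digit MNCs; a production filter needs the full MCC/MNC length table.
    return imsi[:5]

def plmn_of_gt(gt: str) -> Optional[str]:
    return next((p for pre, p in GT_PREFIX_TO_PLMN.items() if gt.startswith(pre)), None)

def screen(msg: MapMessage) -> str:
    """Return a verdict string: BLOCK, CHECK or ALLOW, with the reason."""
    if msg.opcode in CAT1_BLOCK:
        return f"BLOCK cat1 {CAT1_BLOCK[msg.opcode]}: never valid from interconnect"
    if msg.opcode in CAT2_HOME_ONLY:
        name = CAT2_HOME_ONLY[msg.opcode]
        if msg.imsi is None or plmn_of_gt(msg.calling_gt) != plmn_of_imsi(msg.imsi):
            return f"BLOCK cat2 {name}: calling GT is not the subscriber's home PLMN"
        return f"ALLOW cat2 {name}"
    if msg.opcode in CAT3_CHECK:
        return f"CHECK cat3 {CAT3_CHECK[msg.opcode]}: verify against current VLR / home routing"
    return "ALLOW"
```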
Attack Flow:
1. Discover Diameter edge agents
2. Forge origin-host/realm
3. Send malicious S6a commands
4. Bypass AVP validation
5. Extract subscriber data
Tools:
- Diameter EPC Testing Framework
- DIAMETERprot
- EPC Security Scanner
Mitigation:
- SEPP implementation
- Strict AVP validation
- Origin-host whitelisting
- Realm-based access control
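The Diameter mitigations above (origin-host whitelisting, realm-based access control, strict AVP validation) as one added example, not code from any product named on this page: edge checks a Diameter Edge Agent in front of an HSS can apply to inbound S6a requests before forwarding them. Realm naming follows 3GPP TS 23.003 (epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org) and command codes are from TS 29.272; the home PLMN, realms and peer-link table are constructed. The check that binds Origin-Realm to the transport association it arrived on is what defeats step 2 of the flow above.

```python
# Added example (not code from any product on the page): DEA-side validation
# of inbound S6a requests. Realm form per 3GPP TS 23.003, command codes per
# TS 29.272; home PLMN, realms and the peer-link table are constructed.
from dataclasses import dataclass
from typing import List, Optional

HOME_PLMN = "26201"                                   # constructed MCC+MNC
HOME_REALM = "epc.mnc001.mcc262.3gppnetwork.org"      # 23.003 form of that PLMN
# Constructed: the realm each peer transport association is allowed to assert.
PEER_REALMS = {"link-fr-1": "epc.mnc001.mcc208.3gppnetwork.org"}
# S6a commands an HSS legitimately receives from a visited MME (TS 29.272).
INBOUND_OK = {316: "ULR", 318: "AIR", 321: "PUR", 323: "NOR"}

@dataclass
class S6aRequest:
    peer_link: str              # transport association the request arrived on
    command_code: int
    origin_host: str
    origin_realm: str
    destination_realm: str
    user_name: Optional[str]    # User-Name AVP carries the IMSI on S6a

def validate(req: S6aRequest) -> List[str]:
    """Return the list of violations; an empty list means forward to the HSS."""
    v: List[str] = []
    # Command filtering: only MME-originated S6a requests may reach the HSS.
    if req.command_code not in INBOUND_OK:
        v.append(f"command {req.command_code} not permitted inbound")
    # Origin-Realm must be the one bound to the link it came in on (stops forged origins).
    if PEER_REALMS.get(req.peer_link) != req.origin_realm:
        v.append("origin-realm does not match the peer link")
    # Origin-Host must sit inside its own realm.
    if not req.origin_host.endswith("." + req.origin_realm):
        v.append("origin-host is outside origin-realm")
    if req.destination_realm != HOME_REALM:
        v.append("destination-realm is not the home realm")
    # AVP validation: the IMSI must be a plausible subscriber of this HSS.
    imsi = req.user_name or ""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15 and imsi.startswith(HOME_PLMN)):
        v.append("User-Name is not a home-PLMN IMSI")
    return v
```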
- SigPloit - Telecom Signaling Exploitation Framework
- SS7map - SS7 Network Mapping
- Diameter EPC Framework - Diameter Testing
- 5G Core Security Suite - 5G Core Testing
- Positive Technologies Telecom Attack Discovery
- Cellusys Signaling Firewall
- Nokia NetGuard
- Mavenir Security Suite
- "A Formal Analysis of 5G Authentication" - ACM CCS 2018
- "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols" - IACR 2019
- "5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol" - CCS 2019
- "Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems" - NDSS 2016
- "Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations" - CCS 2016
- "Security Analysis of Network Slicing in 5G" - IEEE S&P 2023
- "Slice Isolation Security in 5G Core" - USENIX Security 2023
- "Breaking Core Network Security" - BlackHat USA 2023
- "5G Core Security Deep Dive" - DEF CON 31
- "Exploiting Signaling Networks" - HITB 2023
- "Core Network Security Testing" - Protocol Analysis
- "5G Security Architecture" - Architecture Series
- "Signaling Security Assessment" - Testing Guide
- TS 33.210 - Network Domain Security
- TS 33.310 - Authentication Framework
- TS 33.501 - 5G Security Architecture
- SS7 Protection
  - Category 1-3 filtering
  - SMS Home Routing
  - Location privacy controls
  - MAP screening
- Diameter Security
  - DEA deployment
  - SEPP implementation
  - Command filtering
  - Origin validation
- 5G SBA Security
  - OAuth 2.0/OpenID Connect
  - mTLS enforcement
  - API gateway controls
  - Rate limiting
- Core Network Security Forum
- 5G Security Working Group
- GSMA Fraud & Security Group
- Telecom Security Mailing List
We welcome contributions to this research. Please see our contribution guidelines for more information.
This research documentation is licensed under Apache License 2.0.
Trademarks:
All product names, logos, and brands are property of their respective owners. All company, product, and service names used in this documentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
