PTA LTE/Diameter EPC Network Vulnerability Assessments

PTA LTE/Diameter EPC Network Vulnerability Assessment security project concerns an active Diameter signaling scanning of an Operator’s EPC Network from International Roaming perspective.

This vulnerability assessment uses the proprietary P1 Security telecom scanner (PTA) to automate the auditing & penetration testing processes. This allows for the effective combination of a proprietary software (PTA) and the associated expertise for analysing results and drafting and delivering the final report. Moreover, the use of PTA makes it possible to minimise the number of days devoted to the project while going deeper into the analysis of the concerned perimeters.

International Roaming perspective will be evaluated.

Through use of PTA, P1 Security Proprietary Telecom-specific scanner, this Vulnerability Assessment will cover FS.19 GSMA Category 0, 1, 2, 3 Diameter signaling messages:

  • Category 0 messages: Spoofing attempts to relay messages into the network.
  • Category 1 messages: Application ID & Command Code filtering. Interface misusage (important to prevent that internal interfaces can be accessed from outside), hijacking interfaces and consistencies inside the message.
  • Category 2 messages: AVP filtering. Messages that should not target internal subscribers from international interconnect.
  • Category 3 PLC & TLC messages: message and location filtering conditions.

P1 Security will test every GSMA FASG FS.19 category, in compliance with FS.19.

In addition, P1 Security will also test attacks only known to P1 Security, some of which are referenced in P1 Security’s proprietary Vulnerability Knowledge Base (VKB) and are not referenced in GSMA documents.

The tests provide information about potential:

Network discovery, Spoofing, Network Element DoS, Network Element misconfiguration, Subscriber DoS, Subscriber information leak, Subscriber location leak, SMS interception, Voice interception…

(many of these attacks are not even featured in FS.19 “Diameter Interconnect Security”)

Vulnerabilities can be potentially discovered on the following network elements:



“LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements (Philippe Langlois, HITB, 2013)

“Hacking Telco equipment: The HLR/HSS” (Laurent Ghigonis, Hackito Ergo Sum, 2014)

“Malicious AVPs: exploits to the LTE Core” (Laurent Ghigonis & Philippe Langlois, Hackito Ergo Sum, 2015)

“SigFW Open Source SS7/Diameter firewall for Antisniff, Antispoof & Threat Hunt” (Philippe Langlois & Martin Kacer, Black Hat, 2017)