(Pen)Testing 5G Core Networks

P1 Security has developed in the two last years a set of tools and libraries to help with testing, and pentesting, 5G Core Networks. A dedicated commercial Signaling Scanner is also available since June 2021 for that purpose: the PTA 5GC product that can be directly used by...

Remote Code Execution through Signaling Using Log4j (CVE-2021-44228)

What is Log4Shell? Log4Shell (CVE-2021-44228) is a vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. It impacts the library versions from 2.0-beta9 to 2.16.0, excluding 2.12.3. The vulnerability — whose existence wasn’t noticed...

All authentication vectors are not made equal

Abstract: In mobile networks, 3G and 4G authentication vectors are completely separate and should not be convertible to each other. P1 Security however discovered that some MNOs distribute over roaming interconnects, for certain subscribers, 3G authentication vectors that can be...

Open5GS at P1 Security

In the course of developing new tools for scanning, fuzzing and monitoring 5G signaling interfaces, P1 Security has been more and more using Open5GS internally. This open-source project, mostly developed by its creator Sukchan Lee (also known as acetcom), works really in a clean...

New open-source MCC_MNC library

P1 Security is working with mobile operators worldwide, and therefore requires a good knowledge of identifiers used in mobile networks. The P1 Lab has worked carefully to identify all public information related to this topic, and is publishing a new

5G SUPI, SUCI and ECIES

The 3GPP has defined a nice subscriber’s identity protection scheme for 5G networks. This is a way for 5G handsets and terminals (or UE, in the 3GPP terminology) to encrypt the subscriber’s identity before sending it over-the-air. In this way, 5G radio sniffers, 5G...

P1 Security releases its open-source Python decoder for the 5G NAS protocols

With the introduction of 5G networks, a complete rework of the cellular core network is ongoing, in addition to the introduction of the New Radio stack (abbreviated NR). New network functions are defined, such as AMF for handling the mobility of subscribers, SMF for...

Working with TCAP-MAP the efficient way with pycrate

Abstract

In this post, we explain how the TCAP-MAP protocol has been defined and extended in its successive versions, which led to some backward incompatibilities in the message decoding process. This is where pycrate...

Presenting QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones

Lately, I have been playing with a 3G dongle – a small USB device enabling to connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic...

SS7 Security Perimeters and INAT0 NAT0 NAT1 definitions

While P1 Security’s professional services team is busy deploying Core Network security monitoring with PTM Signaling IDS on SS7, Diameter, GTP, SIP IMS VoLTE, and Radius, one question keeps coming back: the concept of Network Perimeter in SS7. This recurring, misunderstood aspect...

LTE Diameter security, filtering and message categories

Abstract: In order to properly manage LTE Diameter security, and its close variants in the IMS and VoLTE domain, we propose in this presentation a way to categorize the Diameter message types, usage and Command Codes, and ways to monitor and filter them. The presentation will be...

P1 Security Vulnerability Knowledge Base reaches vulnerability #1000 (P1VKB#1000)

The number of referenced vulnerabilities in our unique telecom-specific Vulnerability Knowledge Base has just reached #1000. This is a very important milestone in P1 Security’s research in critical network security. P1 Security’s VKB is a rare case of a private...

SS7map: SS7 country risk ratings

Mobile Network Operators rely on a network, distinct from the Internet, that interconnects operators and other parties to allow calls to work between operators, especially when you are in another country (roaming). This is what is called the “SS7 network”, a.k.a....