Part 15: Real-World Attack Matrix & Defense Roadmap
Learning Objective: Synthesize all 20 real-world cellular network attacks from Parts 11–14 into a unified reference: master comparison matrix, combined STRIDE profile, standards mapping, lab replicability guide, and a prioritized defense roadmap for telecom security engineers.
This article is the executive summary and quick-reference guide for the entire Real-World Attack Case Study series (Parts 11–14). Use it to compare attacks side-by-side, identify coverage gaps in your defenses, and prioritize mitigation investments. Each attack links back to its detailed case study for the full narrative, diagrams, and technical deep dive.
Table of Contents
- Unified Network Attack Map
- Master Attack Comparison Matrix
- Combined STRIDE Profile (All 20 Attacks)
- Attack Kill Chain Mapping
- Unified Standards Mapping
- Lab Replicability Guide
- Defense Roadmap
- Lab Exercises
Unified Network Attack Map
The following diagram shows where all 20 attacks originate across the mobile network architecture. Each attack is mapped to its primary entry point and the network layers it traverses.
```mermaid
graph TB
    subgraph "Radio Access Network"
        UE["UE<br/>Subscriber Device"]
        RAN["eNB / gNB<br/>Base Station"]
    end
    subgraph "Core Network: Control Plane"
        MME_AMF["MME / AMF<br/>Mobility Management"]
        HSS_UDM[("HSS / UDM<br/>Subscriber Database")]
        SMSC["SMSC / SMSF<br/>SMS Routing"]
        AUSF["AUSF<br/>Authentication"]
    end
    subgraph "Core Network: User Plane"
        SGW_UPF["SGW / UPF<br/>User Plane Gateway"]
        PGW["PGW-U<br/>PDN Gateway"]
    end
    subgraph "Interconnect & Roaming"
        STP_DRA["STP / DRA<br/>Signaling Transfer"]
        GRX_IPX["GRX / IPX<br/>Roaming Exchange"]
    end
    subgraph "Carrier Business Systems"
        BSS["BSS / Billing"]
        CRM["CRM / Portal"]
        Provisioning["Provisioning<br/>SIM Management"]
        CDR_DB[("CDR Database")]
    end
    subgraph "External Systems"
        A2P["A2P SMS<br/>Aggregators"]
        Internet["Internet"]
        Banks["Banks / SaaS"]
    end
    subgraph "Attacker Entry Points (Red = Attack Origin)"
        ATK_SS7["🔴 1,2,4,13<br/>SS7 Signaling<br/>Access"]
        ATK_Diameter["🔴 3<br/>Diameter<br/>Peer Access"]
        ATK_GTP["🔴 5<br/>GTP Roaming<br/>Access"]
        ATK_Breach["🔴 6,9<br/>Carrier Data<br/>Breach"]
        ATK_Social["🔴 7,8,20<br/>Social Engineering<br/>of Carrier Staff"]
        ATK_Insider["🔴 8<br/>Insider<br/>Access"]
        ATK_Malware["🔴 11,15<br/>Device<br/>Malware"]
        ATK_A2P["🔴 14,10<br/>A2P SMS<br/>Channel Abuse"]
        ATK_Platform["🔴 12,19<br/>CaaS<br/>Platform"]
        ATK_APT["🔴 16,17,18<br/>APT/Gang<br/>Operations"]
    end
    ATK_SS7 -.->|"MAP msgs"| STP_DRA
    ATK_Diameter -.->|"Diameter"| STP_DRA
    ATK_GTP -.->|"GTP-C/U"| GRX_IPX
    STP_DRA <--> HSS_UDM
    STP_DRA <--> MME_AMF
    STP_DRA <--> SMSC
    GRX_IPX <--> SGW_UPF
    ATK_Breach -.->|"Exploit/exfil"| CDR_DB
    ATK_Breach -.->|"Exploit/exfil"| CRM
    ATK_Social -.->|"SIM swap"| Provisioning
    ATK_Insider -.->|"Direct access"| Provisioning
    ATK_Insider -.->|"Direct access"| HSS_UDM
    ATK_Malware -.->|"Infected device"| UE
    UE <--> RAN
    RAN <--> MME_AMF
    MME_AMF <--> HSS_UDM
    MME_AMF <--> AUSF
    SGW_UPF <--> PGW
    PGW <--> Internet
    ATK_A2P -.->|"Spoofed SMS"| A2P
    A2P -.-> SMSC
    SMSC --> UE
    ATK_Platform -.->|"Multi-method"| STP_DRA
    ATK_Platform -.->|"Multi-method"| UE
    ATK_APT -.->|"Surveillance"| STP_DRA
    ATK_APT -.->|"Spear-phish"| UE
    ATK_APT -.->|"Carrier compromise"| CRM
    Provisioning <--> HSS_UDM
    BSS <--> CDR_DB
    Banks <-.-> Internet
    style ATK_SS7 fill:#ff6666,color:#fff
    style ATK_Diameter fill:#ff6666,color:#fff
    style ATK_GTP fill:#ff6666,color:#fff
    style ATK_Breach fill:#ff6666,color:#fff
    style ATK_Social fill:#ff6666,color:#fff
    style ATK_Insider fill:#ff6666,color:#fff
    style ATK_Malware fill:#ff6666,color:#fff
    style ATK_A2P fill:#ff6666,color:#fff
    style ATK_Platform fill:#ff6666,color:#fff
    style ATK_APT fill:#ff6666,color:#fff
    style STP_DRA fill:#ffaa66
    style GRX_IPX fill:#ffaa66
    style Provisioning fill:#ffaa66
    style CDR_DB fill:#ffaa66
    style CRM fill:#ffaa66
    style HSS_UDM fill:#ffee66
    style SMSC fill:#ffee66
    style UE fill:#ffee66
    style SGW_UPF fill:#ffee66
    style MME_AMF fill:#99cc99
    style AUSF fill:#99cc99
    style PGW fill:#99cc99
    style RAN fill:#99cc99
    style BSS fill:#99cc99
```
Legend: 🔴 Red = attacker entry point | 🟠 Orange = directly exploited component | 🟡 Yellow = impacted/victim component | 🟢 Green = not directly affected
Master Attack Comparison Matrix
| # | Attack Name | Category | Entry Point | Protocol / Method | Attacker Type | Skill Level | Detectability | Case Study |
|---|---|---|---|---|---|---|---|---|
| 1 | SS7 OTP Theft for Bank Fraud | Signaling | SS7 interconnect | MAP (UpdateLocation, SRI-SM) | Organized crime | Medium | Medium | Part 11 |
| 2 | SS7 Location Tracking | Signaling | SS7 interconnect | MAP (SRI, PSI, ATI) | State / surveillance vendor | Low-Medium | Low | Part 11 |
| 3 | Diameter Subscriber Tracking | Signaling | IPX / Diameter peer | Diameter (AIR, NOR) | State-level | Medium-High | Medium | Part 11 |
| 4 | Commercialized SS7 Interception | Signaling | SS7 + SIM farm + malware | Multiple | Cybercrime syndicate | Low (buyer) | Medium | Part 11 |
| 5 | GTP Roaming-Plane Abuse | Signaling | GRX/IPX | GTP-C/U | Rogue roaming partner | High | Low | Part 11 |
| 6 | Carrier PII Breach | Identity | API / server exploit | HTTP, SQL injection | Hacker | High | Medium | Part 12 |
| 7 | Targeted SIM Swapping | Identity | Social engineering / bribe | Provisioning API | Crime gang | Medium | Medium | Part 12 |
| 8 | Insider SIM Fraud | Identity | OAM provisioning tools | Direct DB / provisioning | Insider + gang | Low (insider) | Low | Part 12 |
| 9 | Subscriber Metadata Abuse | Identity | Breach data analysis | CDR analysis tools | APT / PI / crime | Medium | Very Low | Part 12 |
| 10 | Smishing with Carrier Data | Identity | A2P SMS channel | SMPP, SMS | Fraud ring | Low-Medium | Medium | Part 12 |
| 11 | Android SMS Stealer Campaign | SMS/Malware | Malicious app install | Android SMS API | Cybercrime syndicate | Medium | Medium | Part 13 |
| 12 | OTP Interception as a Service | SMS/Malware | Service platform | SS7, SIM farm, malware | Access broker | Low (buyer) | Medium | Part 13 |
| 13 | Phishing + SS7 Combo Attack | SMS/Malware | Email + SS7 | MAP + HTTP | Organized crime | High | Low | Part 13 |
| 14 | A2P SMS Channel Abuse | SMS/Malware | Bulk SMS channels | SMPP, SMS | Fraud ring | Low-Medium | Medium | Part 13 |
| 15 | Premium SMS Fraud via Malware | SMS/Malware | Malicious app | MO-SMS, WAP billing | Malware developer | Medium | Medium | Part 13 |
| 16 | State Surveillance via Mobile | APT/Gang | SS7 + Diameter | MAP, Diameter, PFCP | Intelligence agency | High (operator) | Very Low | Part 14 |
| 17 | APT SMS Spear-Phishing | APT/Gang | SMS delivery | SMS + HTTP | APT group | Medium-High | Medium | Part 14 |
| 18 | Ransomware SMS Extortion | APT/Gang | SMS delivery | SMS (psychological) | Ransomware gang | Low | High | Part 14 |
| 19 | CaaS SMS-Based Access Brokering | APT/Gang | Multi-method platform | SS7, SIM farm, malware | Access broker | Medium (operator) | Medium | Part 14 |
| 20 | Coordinated Carrier Targeting | APT/Gang | Social engineering | Provisioning, SMPP, DB | Organized crime | High | Low-Medium | Part 14 |
Combined STRIDE Profile (All 20 Attacks)
| # | Attack | S | T | R | I | D | E | Overall |
|---|---|---|---|---|---|---|---|---|
| 1 | SS7 OTP Theft | ✅ | ⚠️ | ✅ | ⚠️ | ✅ | Critical | |
| 2 | SS7 Location Tracking | ✅ | ✅ | Critical | | | | |
| 3 | Diameter Tracking | ⚠️ | ⚠️ | ✅ | ✅ | ⚠️ | ✅ | Critical |
| 4 | SS7 OTP-as-a-Service | ✅ | ✅ | ✅ | ✅ | Critical | | |
| 5 | GTP Roaming Abuse | ✅ | ✅ | ✅ | ✅ | ⚠️ | ✅ | High |
| 6 | Carrier PII Breach | ⚠️ | ✅ | ✅ | Critical | | | |
| 7 | Targeted SIM Swap | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | Critical |
| 8 | Insider SIM Fraud | ✅ | ✅ | ✅ | ✅ | ⚠️ | ✅ | Critical |
| 9 | Metadata Abuse | ⚠️ | ✅ | High | | | | |
| 10 | Smishing + Carrier Data | ✅ | ✅ | ✅ | High | | | |
| 11 | Android SMS Stealer | ⚠️ | ✅ | ✅ | ✅ | Critical | | |
| 12 | OTP Interception Service | ✅ | ✅ | ✅ | ✅ | Critical | | |
| 13 | Phishing + SS7 Combo | ✅ | ⚠️ | ✅ | ✅ | ✅ | Critical | |
| 14 | A2P SMS Abuse | ✅ | ✅ | ✅ | High | | | |
| 15 | Premium SMS Fraud | ✅ | ✅ | ✅ | High | | | |
| 16 | State Surveillance | ✅ | ✅ | Critical | | | | |
| 17 | APT SMS Phishing | ✅ | ✅ | ✅ | ✅ | Critical | | |
| 18 | Ransomware SMS | ⚠️ | ✅ | ✅ | High | | | |
| 19 | CaaS SMS Access | ✅ | ✅ | ✅ | ✅ | Critical | | |
| 20 | Carrier Compromise | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | Critical |
✅ = Primary impact | ⚠️ = Secondary/moderate impact
STRIDE Category Heatmap
```mermaid
graph LR
    subgraph "STRIDE Frequency Across 20 Attacks"
        S["S: Spoofing<br/>12 attacks (60%)"]
        T["T: Tampering<br/>7 attacks (35%)"]
        R["R: Repudiation<br/>18 attacks (90%)"]
        I["I: Info Disclosure<br/>18 attacks (90%)"]
        D["D: DoS<br/>6 attacks (30%)"]
        E["E: Elev. of Privilege<br/>14 attacks (70%)"]
    end
    style S fill:#ff9999
    style T fill:#ffcc99
    style R fill:#ff6666,color:#fff
    style I fill:#ff6666,color:#fff
    style D fill:#ffffcc
    style E fill:#ff9999
```
Key insight: Repudiation and Information Disclosure dominate (90% of attacks each). This reflects the core problem: mobile network attacks are hard to trace (repudiation) and almost always expose sensitive data (info disclosure). Defense investments should prioritize logging/attribution (countering repudiation) and encryption/access control (countering disclosure).
Attack Kill Chain Mapping
Each of the 20 attacks mapped to a simplified Telecom Kill Chain:
```mermaid
graph LR
    KC1["1. Reconnaissance<br/>Target identification"]
    KC2["2. Access Acquisition<br/>SS7/GTP/insider/breach"]
    KC3["3. Network Positioning<br/>Establish attack path"]
    KC4["4. Exploitation<br/>Execute attack"]
    KC5["5. Monetization<br/>Financial gain / intel"]
    KC6["6. Persistence<br/>Maintain access"]
    KC1 --> KC2 --> KC3 --> KC4 --> KC5 --> KC6
    style KC1 fill:#e6f3ff
    style KC2 fill:#cce5ff
    style KC3 fill:#99ccff
    style KC4 fill:#ff9999
    style KC5 fill:#ff6666,color:#fff
    style KC6 fill:#cc3333,color:#fff
```
| Kill Chain Stage | Attacks That Operate Here |
|---|---|
| 1. Reconnaissance | 9 (metadata analysis), 16 (surveillance), 6 (breach for data) |
| 2. Access Acquisition | 1-5 (signaling access), 8 (insider), 20 (social engineering), 11 (malware install) |
| 3. Network Positioning | 1,2,3 (SS7/Diameter positioning), 5 (GTP tunnel), 13 (dual-channel setup) |
| 4. Exploitation | All 20 attacks (this is the execution phase) |
| 5. Monetization | 1,13 (bank fraud), 15 (premium SMS), 12,19 (CaaS revenue), 7 (crypto theft) |
| 6. Persistence | 4,12,19 (platform model), 16 (long-term surveillance), 20 (carrier foothold) |
Attacks 4, 12, and 19 (the "as-a-service" models) represent the most concerning evolution: they have industrialized the kill chain into a persistent, self-sustaining business rather than one-off attacks.
Unified Standards Mapping
| # | Attack | 3GPP Reference | GSMA Reference | NIST Reference |
|---|---|---|---|---|
| 1 | SS7 OTP Theft | TS 29.002 (MAP) | FS.11 | SP 800-187 §5 |
| 2 | SS7 Location Tracking | TS 29.002 (MAP) | FS.11 | SP 800-187 §5 |
| 3 | Diameter Tracking | TS 29.272 (S6a) | FS.19 | SP 800-187 §6 |
| 4 | SS7 OTP-as-a-Service | TS 29.002, TS 23.040 | FS.11 | N/A |
| 5 | GTP Roaming Abuse | TS 29.274 (GTPv2-C), TS 29.281 (GTP-U) | FS.20, IR.88 | SP 800-187 §7 |
| 6 | Carrier PII Breach | TS 23.003 (numbering) | SIM Swap Prevention | SP 800-63B |
| 7 | Targeted SIM Swap | TS 23.003 | SIM Swap Prevention | SP 800-63B §5.1.3 |
| 8 | Insider SIM Fraud | TS 23.003, TS 32.240 (OAM) | Insider Threat Guidelines | SP 800-53 (AC, AU) |
| 9 | Metadata Abuse | TS 32.297/32.298 (CDR) | Data Protection Guidelines | SP 800-122 |
| 10 | Smishing + Carrier Data | TS 23.040 (SMS) | A2P SMS Guidelines | SP 800-63B §5.1.3 |
| 11 | Android SMS Stealer | TS 23.040 (SMS) | Mobile Malware Guidelines | SP 800-124 |
| 12 | OTP Interception Service | TS 23.040, TS 29.002 | A2P Fraud Framework | SP 800-63B §5.1.3 |
| 13 | Phishing + SS7 Combo | TS 29.002 (MAP), TS 23.040 | FS.11 | SP 800-187 §5 |
| 14 | A2P SMS Abuse | TS 23.040, TS 23.038 | A2P Anti-Spam | N/A |
| 15 | Premium SMS Fraud | TS 23.040 (MO-SMS) | DCB Anti-Fraud | SP 800-124 |
| 16 | State Surveillance | TS 29.002 (MAP) | FS.11 | SP 800-187 |
| 17 | APT SMS Phishing | TS 23.040 (SMS) | A2P Guidelines | SP 800-63B, SP 800-154 |
| 18 | Ransomware SMS | N/A (application layer) | N/A | CISA Ransomware Guide |
| 19 | CaaS SMS Access | TS 29.002, TS 23.040 | FS.11, A2P Framework | SP 800-63B |
| 20 | Carrier Compromise | TS 32.240 (OAM) | Operator Security Baseline | SP 800-53 (AC, AU, IR) |
Standards Coverage Summary
| Standard | Attacks Covered | Focus Area |
|---|---|---|
| 3GPP TS 29.002 (MAP) | 1, 2, 4, 12, 13, 16, 19 | SS7 signaling security |
| 3GPP TS 23.040 (SMS) | 4, 10, 11, 12, 13, 14, 15, 17, 19 | SMS protocol security |
| 3GPP TS 29.272 (S6a) | 3 | Diameter signaling security |
| 3GPP TS 29.274/281 (GTP) | 5 | Roaming plane security |
| GSMA FS.11 | 1, 2, 4, 13, 16, 19 | SS7 interconnect monitoring |
| GSMA FS.19 | 3 | Diameter interconnect |
| GSMA FS.20 / IR.88 | 5 | GTP/roaming security |
| NIST SP 800-187 | 1, 2, 3, 5, 13, 16 | LTE security framework |
| NIST SP 800-63B | 6, 7, 10, 12, 17, 19 | Authentication and identity |
| NIST SP 800-53 | 8, 20 | Organizational security controls |
Lab Replicability Guide
Replicability Classification
| Classification | Meaning | Attacks |
|---|---|---|
| ✅ Fully replicable | Core attack mechanics reproducible in Docker lab | 3, 5, 7, 8 |
| ⚠️ Partially replicable | Key concepts demonstrable; full attack chain requires external infrastructure | 1, 2, 6, 9, 13, 16, 20 |
| ❌ Not replicable | Requires real carrier infrastructure, devices, or live SMS delivery | 4, 10, 11, 12, 14, 15, 17, 18, 19 |
Detailed Lab Exercise Mapping
| # | Attack | Replicable? | Lab Exercise | Docker Lab Reference |
|---|---|---|---|---|
| 1 | SS7 OTP Theft | ⚠️ Partial | Simulate HLR poisoning via MongoDB; observe SMS routing changes | Part 11, Ex. 1 |
| 2 | SS7 Location Tracking | ⚠️ Partial | Capture Diameter S6a queries; observe location info in AVPs | Part 11, Ex. 2 |
| 3 | Diameter Tracking | ✅ Yes | Capture Diameter traffic; craft messages with freeDiameter | Part 11, Ex. 3 |
| 4 | SS7 OTP-as-a-Service | ❌ No | Requires real SS7/SIM farm infrastructure | N/A |
| 5 | GTP Roaming Abuse | ✅ Yes | Inject GTP-U packets with scapy; observe TEID handling | Part 11, Ex. 4 |
| 6 | Carrier PII Breach | ⚠️ Partial | Demonstrate MongoDB (HSS) exposure: query without auth | Part 12, Ex. 1 |
| 7 | Targeted SIM Swap | ✅ Yes | Modify subscriber IMSI in MongoDB; observe UE deregistration | Part 12, Ex. 2 |
| 8 | Insider SIM Fraud | ✅ Yes | Same as #7 via provisioning access; add second IMSI | Part 12, Ex. 2 |
| 9 | Metadata Abuse | ⚠️ Partial | Capture signaling; extract CDR-equivalent metadata from pcap | Part 12, Ex. 3 |
| 10 | Smishing + Carrier Data | ❌ No | SMS infrastructure not in Docker lab | N/A |
| 11 | Android SMS Stealer | ❌ No | Requires Android device/emulator with malware sample | N/A |
| 12 | OTP Interception Service | ❌ No | Requires live SMS infrastructure | N/A |
| 13 | Phishing + SS7 Combo | ⚠️ Partial | SS7 portion: simulate HLR poisoning (Part 11 exercises) | Part 11, Ex. 1 |
| 14 | A2P SMS Abuse | ❌ No | Requires A2P SMS infrastructure | N/A |
| 15 | Premium SMS Fraud | ❌ No | Requires Android device with carrier billing | N/A |
| 16 | State Surveillance | ⚠️ Partial | Simulate polling by repeated Diameter S6a queries | Part 14, Ex. 1 |
| 17 | APT SMS Phishing | ❌ No | Requires live SMS delivery and SSO infrastructure | N/A |
| 18 | Ransomware SMS | ❌ No | Social/psychological aspects cannot be simulated | N/A |
| 19 | CaaS SMS Access | ❌ No | Requires multi-method interception infrastructure | N/A |
| 20 | Carrier Compromise | ⚠️ Partial | Modify MongoDB subscriber records; observe downstream impact | Part 14, Ex. 2 |
Start with the ✅ fully replicable attacks (3, 5, 7, 8) in your Docker lab from Part 4. These let you observe real protocol behavior and understand why the attacks work at a fundamental level. Then progress to the ⚠️ partial exercises to understand broader attack patterns.
Defense Roadmap
Priority Matrix
The following prioritization considers impact severity, attack frequency in the wild, and feasibility of defense implementation.
```mermaid
graph TB
    subgraph "Priority 1: Immediate (0-6 months)"
        P1A["🔴 Eliminate SMS-based MFA<br/>Migrate to FIDO2/WebAuthn<br/>Blocks: 1,4,7,11,12,13,17,19"]
        P1B["🔴 Deploy SS7/Diameter Firewall<br/>GSMA FS.11/FS.19 categories<br/>Blocks: 1,2,3,4,13,16"]
        P1C["🔴 Phishing-Resistant MFA<br/>for Carrier Employees<br/>Blocks: 7,8,20"]
    end
    subgraph "Priority 2: Near-Term (6-12 months)"
        P2A["🟠 GTP Firewall at GRX/IPX<br/>GSMA FS.20 + IR.88<br/>Blocks: 5"]
        P2B["🟠 A2P Sender ID Registry<br/>10DLC + brand verification<br/>Blocks: 10,14,18"]
        P2C["🟠 CDR Encryption + Access Control<br/>At rest and in transit<br/>Blocks: 6,9"]
        P2D["🟠 Insider Threat Program<br/>UEBA + provisioning monitoring<br/>Blocks: 8,20"]
    end
    subgraph "Priority 3: Medium-Term (12-24 months)"
        P3A["🟡 Device Attestation<br/>SafetyNet / Play Integrity<br/>Blocks: 11,15"]
        P3B["🟡 RCS Business Messaging<br/>Verified sender identity<br/>Blocks: 10,14"]
        P3C["🟡 Zero-Trust Architecture<br/>for Carrier Internal Systems<br/>Blocks: 8,20"]
        P3D["🟡 Premium SMS Controls<br/>DCB opt-in + confirmation<br/>Blocks: 15"]
    end
    subgraph "Priority 4: Long-Term (24+ months)"
        P4A["🟢 Full 5G SA Migration<br/>Eliminates SS7/Diameter exposure<br/>Blocks: 1,2,3,4,13,16"]
        P4B["🟢 IPsec on All GTP Interfaces<br/>Encrypt + authenticate tunnels<br/>Blocks: 5"]
        P4C["🟢 Industry-Wide Coordination<br/>GSMA threat sharing, law enforcement<br/>Blocks: 4,12,19"]
    end
    style P1A fill:#ff6666,color:#fff
    style P1B fill:#ff6666,color:#fff
    style P1C fill:#ff6666,color:#fff
    style P2A fill:#ffaa66
    style P2B fill:#ffaa66
    style P2C fill:#ffaa66
    style P2D fill:#ffaa66
    style P3A fill:#ffee66
    style P3B fill:#ffee66
    style P3C fill:#ffee66
    style P3D fill:#ffee66
    style P4A fill:#99cc99
    style P4B fill:#99cc99
    style P4C fill:#99cc99
```
Defense-to-Attack Coverage Matrix
| Defense Measure | Attacks Blocked/Mitigated | Priority | Implementation Complexity |
|---|---|---|---|
| Eliminate SMS-based MFA | 1, 4, 7, 11, 12, 13, 17, 19 (8 attacks) | P1 | Medium (requires service migration) |
| SS7/Diameter firewall | 1, 2, 3, 4, 13, 16 (6 attacks) | P1 | High (requires signaling expertise) |
| Phishing-resistant MFA for staff | 7, 8, 20 (3 attacks) | P1 | Low (deploy FIDO2 keys) |
| GTP firewall | 5 (1 attack) | P2 | High (GRX/IPX coordination) |
| A2P sender ID registry | 10, 14, 18 (3 attacks) | P2 | Medium (regulatory dependency) |
| CDR encryption + access control | 6, 9 (2 attacks) | P2 | Medium (infrastructure change) |
| Insider threat program | 8, 20 (2 attacks) | P2 | Medium (UEBA deployment) |
| Device attestation | 11, 15 (2 attacks) | P3 | Medium (API integration) |
| RCS Business Messaging | 10, 14 (2 attacks) | P3 | Low (adoption-dependent) |
| Zero-trust carrier internal | 8, 20 (2 attacks) | P3 | High (architecture redesign) |
| Premium SMS controls | 15 (1 attack) | P3 | Low (carrier policy change) |
| Full 5G SA migration | 1, 2, 3, 4, 13, 16 (6 attacks) | P4 | Very High (multi-year) |
| IPsec on GTP | 5 (1 attack) | P4 | High (roaming partner coordination) |
| Industry coordination | 4, 12, 19 (3 attacks) | P4 | Very High (multi-stakeholder) |
The single highest-impact defense is eliminating SMS-based authentication. It blocks or significantly mitigates 8 of the 20 attacks (40%). NIST SP 800-63B already classifies SMS as a "restricted authenticator"; organizations should treat this as a deprecation notice and migrate to FIDO2/WebAuthn.
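The coverage figures above can be checked mechanically rather than by hand. The following added example (not part of the series' own lab code) transcribes the Defense-to-Attack Coverage Matrix into Python and computes per-defense coverage, the attacks still open after each priority tier, a greedy set-cover ordering, and which defenses only add a second layer on attacks an earlier tier already addresses; the DEFENSES table and tier labels come from the matrix, the analysis functions are the added part.

```python
"""Coverage analysis over the Defense-to-Attack Coverage Matrix (Part 15).

DEFENSES is transcribed from the matrix above: defense -> (priority tier,
attack IDs blocked or mitigated). The analysis functions are added illustration.
"""
from typing import Dict, FrozenSet, List, Tuple

ALL_ATTACKS: FrozenSet[int] = frozenset(range(1, 21))
TIERS = ("P1", "P2", "P3", "P4")

# Matrix order is preserved; greedy_plan() uses it as the tie-breaker.
DEFENSES: Dict[str, Tuple[str, FrozenSet[int]]] = {
    "Eliminate SMS-based MFA":          ("P1", frozenset({1, 4, 7, 11, 12, 13, 17, 19})),
    "SS7/Diameter firewall":            ("P1", frozenset({1, 2, 3, 4, 13, 16})),
    "Phishing-resistant MFA for staff": ("P1", frozenset({7, 8, 20})),
    "GTP firewall":                     ("P2", frozenset({5})),
    "A2P sender ID registry":           ("P2", frozenset({10, 14, 18})),
    "CDR encryption + access control":  ("P2", frozenset({6, 9})),
    "Insider threat program":           ("P2", frozenset({8, 20})),
    "Device attestation":               ("P3", frozenset({11, 15})),
    "RCS Business Messaging":           ("P3", frozenset({10, 14})),
    "Zero-trust carrier internal":      ("P3", frozenset({8, 20})),
    "Premium SMS controls":             ("P3", frozenset({15})),
    "Full 5G SA migration":             ("P4", frozenset({1, 2, 3, 4, 13, 16})),
    "IPsec on GTP":                     ("P4", frozenset({5})),
    "Industry coordination":            ("P4", frozenset({4, 12, 19})),
}


def coverage_pct(defense: str) -> float:
    """Percentage of the 20 catalogued attacks one defense blocks or mitigates."""
    return 100.0 * len(DEFENSES[defense][1]) / len(ALL_ATTACKS)


def gaps_after_tier() -> Dict[str, FrozenSet[int]]:
    """Attacks with no listed defense once each tier is fully deployed.

    Tiers accumulate: the P2 entry assumes both P1 and P2 are in place.
    """
    covered: set = set()
    gaps: Dict[str, FrozenSet[int]] = {}
    for tier in TIERS:
        covered |= set().union(*(a for t, a in DEFENSES.values() if t == tier))
        gaps[tier] = frozenset(ALL_ATTACKS - covered)
    return gaps


def greedy_plan() -> List[str]:
    """Greedy set cover: keep picking the defense that closes the most open gaps.

    Ties go to the defense listed first in the matrix. This orders by coverage
    only; the tiered roadmap also weighs implementation complexity.
    """
    uncovered = set(ALL_ATTACKS)
    plan: List[str] = []
    while uncovered:
        best = max(DEFENSES, key=lambda d: len(DEFENSES[d][1] & uncovered))
        gain = DEFENSES[best][1] & uncovered
        if not gain:
            break  # remaining attacks have no listed defense at all
        plan.append(best)
        uncovered -= gain
    return plan


def depth_only_defenses() -> List[str]:
    """Defenses whose whole attack set is already covered by earlier tiers.

    These are not wasted: they are the second layer the roadmap calls for.
    Listing them shows where a tier adds depth rather than new coverage.
    """
    covered: set = set()
    depth_only: List[str] = []
    for tier in TIERS:
        in_tier = [(d, a) for d, (t, a) in DEFENSES.items() if t == tier]
        depth_only += [d for d, a in in_tier if a <= covered]
        for _, a in in_tier:
            covered |= a
    return depth_only


if __name__ == "__main__":
    print(f"SMS MFA elimination alone: {coverage_pct('Eliminate SMS-based MFA'):.0f}% of attacks")
    for tier, gap in gaps_after_tier().items():
        print(f"after {tier}: {20 - len(gap)}/20 covered, open gaps {sorted(gap)}")
    print("greedy order:", greedy_plan())
    print("depth-only defenses:", depth_only_defenses())
```

Running it shows that P1 alone leaves 7 attacks open (5, 6, 9, 10, 14, 15, 18), P1+P2 leaves only premium SMS fraud (15), and every P4 measure overlaps entirely with earlier tiers, which is the defense-in-depth the roadmap intends.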
Defense Sequence Diagram: Layered Response
```mermaid
sequenceDiagram
    participant Carrier as Mobile Carrier
    participant Enterprise as Enterprise (Downstream)
    participant Regulator as Regulator (FCC/GSMA)
    participant User as End User
    rect rgb(255, 200, 200)
        Note over Carrier,User: Priority 1: Immediate Actions (0-6 months)
        Carrier->>Carrier: Deploy SS7/Diameter firewall<br/>(GSMA FS.11 Cat 1-3 rules)
        Carrier->>Carrier: Enforce FIDO2 keys for<br/>all employee internal access
        Enterprise->>Enterprise: Migrate MFA from SMS<br/>to FIDO2/WebAuthn/TOTP
        Enterprise->>User: Notify: "Enroll new MFA method"
    end
    rect rgb(255, 220, 180)
        Note over Carrier,User: Priority 2: Near-Term (6-12 months)
        Carrier->>Carrier: Deploy GTP firewall at IPX border
        Carrier->>Carrier: Implement CDR encryption<br/>+ strict RBAC
        Carrier->>Carrier: Launch insider threat program<br/>(UEBA on provisioning systems)
        Regulator->>Carrier: Mandate A2P sender ID<br/>registration (10DLC)
    end
    rect rgb(255, 255, 200)
        Note over Carrier,User: Priority 3: Medium-Term (12-24 months)
        Enterprise->>Enterprise: Integrate device attestation<br/>into auth flows
        Carrier->>User: Launch RCS Business Messaging<br/>(verified sender identity)
        Carrier->>Carrier: Zero-trust architecture<br/>for internal systems
    end
    rect rgb(200, 255, 200)
        Note over Carrier,User: Priority 4: Long-Term (24+ months)
        Carrier->>Carrier: Complete 5G SA migration<br/>(sunset 2G/3G + SS7)
        Carrier->>Carrier: IPsec on all GTP interfaces
        Regulator->>Regulator: International enforcement<br/>cooperation (CaaS takedowns)
    end
```
Threat Landscape Summary
By Attacker Type
| Attacker Type | # of Attacks | Example Attacks | Trend |
|---|---|---|---|
| Organized crime | 8 | 1, 7, 10, 12, 13, 14, 15, 20 | Increasing (industrializing into CaaS) |
| State / intelligence | 4 | 2, 3, 9, 16 | Stable (persistent and well-resourced) |
| APT groups | 3 | 6, 17, 19 | Increasing (mobile as initial access vector) |
| Insiders | 2 | 8, 20 | Stable (hard to eliminate) |
| Ransomware gangs | 1 | 18 | Increasing (SMS as pressure channel) |
| Any criminal (low skill) | 2 | 4, 12 | Increasing (CaaS lowers barrier to zero) |
By Network Layer
| Network Layer | # of Attacks | Attack IDs |
|---|---|---|
| Signaling plane (SS7/Diameter/GTP) | 7 | 1, 2, 3, 4, 5, 13, 16 |
| Application plane (SMS/A2P) | 6 | 10, 11, 12, 14, 15, 17 |
| Business systems (BSS/OAM/CRM) | 5 | 6, 7, 8, 9, 20 |
| Cross-layer (operational/strategic) | 2 | 18, 19 |
Critical Observations
- The signaling plane remains the most dangerous attack surface: 7 of 20 attacks exploit trust assumptions in SS7, Diameter, or GTP that were designed 30+ years ago and cannot be patched without protocol replacement.
- SMS is the most exploited delivery/interception mechanism: it appears in 12 of 20 attacks as either the attack channel (smishing, premium SMS) or the target (OTP interception, SMS stealing).
- The "as-a-service" trend is the most concerning evolution: attacks 4, 12, and 19 show that signaling exploitation, OTP interception, and SMS fraud have been productized into commodity services available to anyone.
- Carrier business systems are an underappreciated attack surface: attacks 6, 7, 8, 9, and 20 show that compromising CRM, provisioning, and CDR systems has cascading downstream impact across the entire subscriber base.
- No single defense blocks all attacks: a defense-in-depth approach is required, combining signaling firewalls (network layer), authentication modernization (application layer), insider threat programs (human layer), and regulatory coordination (ecosystem layer).
Lab Exercises
Exercise 1: Map Your Docker Lab to the Unified Attack Surface
```bash
# Identify which components in your Docker lab correspond
# to the attack surface in the Unified Network Attack Map

# List all running containers: these are your network functions
docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Ports}}"

# For each container, identify:
# 1. What network layer does it belong to? (RAN, control plane, user plane, BSS)
# 2. Which attacks from the matrix target this component?
# 3. What interfaces/ports does it expose?

# Example analysis:
# open5gs_hss -> HSS/UDM (control plane)
#   Attacked by: #1 (SS7 OTP), #2 (location), #7 (SIM swap), #8 (insider)
#   Interfaces: Diameter S6a (port 3868)
#   Defense: Access control, signaling firewall, monitoring
# open5gs_upf -> UPF (user plane)
#   Attacked by: #5 (GTP abuse)
#   Interfaces: GTP-U (port 2152)
#   Defense: GTP firewall, TEID validation, IPsec
```
Exercise 2: Build a Component Vulnerability Heat Map
```bash
# Using the Docker lab, determine which components are exposed
# to the most attack categories

# Check which ports are exposed (these are potential entry points)
docker ps --format "{{.Names}}: {{.Ports}}" | sort

# Check network connectivity between containers.
# `docker network inspect` with several network IDs prints one JSON array,
# so the embedded Python reads a list of networks from stdin.
docker network inspect $(docker network ls -q) 2>/dev/null | \
python3 -c "
import json, sys
data = json.load(sys.stdin)
for net in data:
    if net.get('Containers'):
        print(f\"Network: {net['Name']}\")
        for cid, info in net['Containers'].items():
            print(f\"  {info['Name']}: {info['IPv4Address']}\")
"

# Question: Which container has the most network connections?
# That container likely has the largest attack surface.
# (Answer: Usually MME/AMF: it connects to HSS, SGW, eNB/gNB, and SMF)
```
Exercise 3: Test Defense Effectiveness โ Subscriber DB Hardening
```bash
# Demonstrate the difference between an unprotected and protected
# subscriber database (relevant to attacks #6, #7, #8, #20)

# Step 1: Show current (unprotected) state
docker exec -it open5gs_mongo mongosh open5gs --eval '
  db.subscribers.find({}, {
    imsi: 1,
    "security.k": 1,
    "security.opc": 1
  }).pretty()'
# All authentication secrets are readable!

# Step 2: Demonstrate what role-based access control would look like
# Create a read-only user that can't access security fields
docker exec -it open5gs_mongo mongosh admin --eval '
  db.createUser({
    user: "readonly_audit",
    pwd: "auditpass123",
    roles: [{role: "read", db: "open5gs"}]
  })'

# Step 3: Even the read-only user can see secrets!
# Repeat the query as the new user to see it: the "read" role grants
# every field of every document. (If the lab MongoDB runs without
# --auth, as the default Open5GS compose setup does, drop the -u/-p
# flags; the result is the same.)
docker exec -it open5gs_mongo mongosh open5gs \
  -u readonly_audit -p auditpass123 --authenticationDatabase admin \
  --eval 'db.subscribers.findOne({}, {imsi: 1, "security.k": 1, "security.opc": 1})'
# This demonstrates why field-level encryption (FLE) or
# application-level access control is needed: database-level
# RBAC alone is insufficient for HSS/UDM protection.

# Question: What additional controls would prevent an attacker
# with database read access from extracting K and OPc values?
# (Answer: Field-level encryption, HSM-backed key storage,
#  application-level access control with audit logging)
```
Exercise 4: Simulate Multi-Vector Attack Chain (Attacks #7 + #1 Combined)
```bash
# This exercise demonstrates how SIM swap (#7) + signaling access (#1)
# could be combined for maximum impact

# Step 1: Record original subscriber state
docker exec -it open5gs_mongo mongosh open5gs --eval '
  db.subscribers.findOne({imsi: "999700000000001"}, {imsi: 1, msisdn: 1})'

# Step 2: Verify UE is connected
# (UERANSIM names the UE node after its IMSI; `nr-cli --dump` lists nodes)
docker exec -it ueransim_ue nr-cli imsi-999700000000001 --exec "status"

# Step 3: "SIM swap": change the subscriber's auth key
# (simulating what happens after social engineering carrier staff)
docker exec -it open5gs_mongo mongosh open5gs --eval '
  db.subscribers.updateOne(
    {imsi: "999700000000001"},
    {$set: {"security.k": "11111111111111111111111111111111"}}
  )'

# Step 4: Force re-authentication; the UE should fail
docker restart ueransim_ue
sleep 5

# Step 5: Check UE status; it should show authentication failure
docker logs ueransim_ue 2>&1 | tail -15

# Step 6: If an attacker had a device with the new key (11111...),
# they could now attach as the victim subscriber
# This is the SIM swap + session hijack combination

# Step 7: Restore original state (465B5C... is the lab's default K)
docker exec -it open5gs_mongo mongosh open5gs --eval '
  db.subscribers.updateOne(
    {imsi: "999700000000001"},
    {$set: {"security.k": "465B5CE8B199B49FAA5F0A2EE238A6BC"}}
  )'
docker restart ueransim_ue
```
These exercises are for educational purposes only in your isolated Docker lab. Never test against real carrier systems, subscriber databases, or production networks without explicit authorization.
External References
Academic & Industry Research
| Source | Title | Coverage |
|---|---|---|
| GSMA FS.11 | SS7 Interconnect Security | SS7 firewall categories, monitoring |
| GSMA FS.19 | Diameter Interconnect Security | Diameter firewall, DRA security |
| GSMA FS.20 | GTP Security | GTP firewall, roaming protection |
| GSMA IR.88 | LTE Roaming Guidelines | GTP roaming interconnect security |
| NIST SP 800-187 | Guide to LTE Security | Comprehensive LTE security framework |
| NIST SP 800-63B | Digital Identity: Authentication | SMS as restricted authenticator |
| NIST SP 800-53 | Security and Privacy Controls | Organizational security controls |
| NIST SP 800-124 | Guidelines for Mobile Threats | Mobile device and malware security |
| 3GPP TS 33.501 | 5G Security Architecture | 5G security framework and mechanisms |
News & Incident Sources
- Terrazone: SS7 Security Vulnerabilities, Attacks & Prevention
- EFF: The Danger of SS7 and What You Can Do About It
- SecurityWeek: Massive OTP-Stealing Android Malware Campaign (2024)
- AccountableHQ: T-Mobile Data Breach Explained
- P1 Security: SMS-Based Attacks: The Hidden Threat
- TechTarget: The Biggest Ransomware Attacks in History
Summary
- ✅ 20 real-world attack patterns span four categories: signaling exploitation (SS7/Diameter/GTP), subscriber identity theft, SMS abuse/malware, and APT/gang strategic operations
- ✅ Information Disclosure and Repudiation are the dominant STRIDE categories (90% of attacks each): invest in encryption, access control, and attribution/logging
- ✅ SMS is the single most exploited mechanism, appearing in 12 of 20 attacks as either the attack channel or the interception target
- ✅ The "as-a-service" evolution (attacks 4, 12, 19) has commoditized signaling exploitation, making nation-state-grade attacks available to any criminal with cryptocurrency
- ✅ Eliminating SMS-based authentication is the highest-impact single defense, blocking or mitigating 40% of all catalogued attacks
- ✅ No single defense is sufficient: a layered approach combining signaling firewalls, authentication modernization, insider threat programs, and ecosystem coordination is required
- ✅ 9 of 20 attacks are at least partially replicable in the Open5GS Docker lab, making this a practical learning resource for hands-on telecom security training
Return to: Index
← Previous: Part 14: APT & Gang Mobile Infrastructure Operations