Keypoints
- Purpose: Build a semi-automated testing tool to evaluate telecom signalling interconnects per GSMA guidance, starting with DIAMETER and extensible to GTP and MAP/SS7.
- Primary attacks implemented include Update-Location-Request DoS, IMSI acquisition, User-Data-Request location info, Insert-Subscriber-Data, Provide-Location-Request, and LCS-Routing-Info-Request.
- Tech stack: Java (cross-platform) with JavaFX GUI, Antlr4 for DIAMETER spec parsing, and custom Java annotation processors for MAP/SS7 boilerplate generation.
- Specification processing: 23 DIAMETER specs were parsed (1000–15000 lines each) to produce dictionary files and Java constants used to generate message templates at runtime.
- Major challenges: inconsistent/erroneous spec text, deep cross-references between specs (e.g., 3GPP TS 29.272 referencing ETSI TS 129 212), and deciding which optional fields could be ignored to reduce processing scope.
- Automation approach: custom tools extract ABNF from spec files, create dictionaries, manually validate application/vendor IDs, and generate Java constants before runtime template composition.
- Outcome: Generated parsers and annotation-based codegen significantly reduced manual boilerplate coding and improved reliability for attack message construction and execution; GUI provides panels for attack selection, settings, execution, and packet capture.
MITRE Techniques
- [T1071] Application Layer Protocol – Abuse of telecom signalling protocols (DIAMETER, GTP, MAP/SS7) to query or exfiltrate subscriber data. (‘it is possible for an attacker to abuse these signalling protocols to elicit information from a mobile operator such as subscriber phone number (MSISDN), unique identifier (IMSI), location down to the mobile cell or in some cases user traffic.’)
- [T1040] Network Sniffing – Lack of encryption in some telecom deployments enables interception and eavesdropping of signalling and user data. (‘Lack of Encryption: … leaving data and communications vulnerable to interception and eavesdropping.’)
- [T1595] Active Scanning – Discovery and testing of operator interconnects across IPX/GRX or direct peers to identify reachable signalling nodes and attack surface. (‘test the interconnects between operators… via the semi-private IPX/GRX network or by direct peers between operators.’)
- [T1195] Supply Chain Compromise – Risk from globally manufactured telecom equipment where supply chain vulnerabilities can introduce malicious components into infrastructure. (‘Supply Chain Vulnerabilities: Telecom equipment is often manufactured globally, and supply chain vulnerabilities can be exploited to introduce malicious components into the network infrastructure.’)
- [T1608] Develop Capabilities – Creation of custom tooling and code generation (Antlr4 grammars, annotation processors) to synthesize protocol messages and listeners for attack execution. (‘we used Antlr 4 to pre-process the specifications… and a custom Java annotation processor to generate some of the boiler plate code.’)
Indicators of Compromise
- [Domain] reference/analysis sites – surveillancemonitor.org (used to visualise attack types), research.nccgroup.com (original post and demo).
- [Specification documents] protocol references used in tooling – 3GPP TS 29.272 (defines UpdateLocationRequest fields), ETSI TS 129 212 (defines RAT-Type), and 23 DIAMETER specs processed in total.
- [Generated artifacts] preprocessing outputs – dictionary files and Java constants produced from ABNF extraction, plus generated code for MAP response listeners.
To implement GSMA-specified signalling attacks in a repeatable way, the developers built a Java framework that programmatically consumes protocol specifications, generates message constants and templates, and composes attack messages at runtime. The DIAMETER workflow involved copying spec text to plain files, extracting ABNF with a custom parser app, manually validating application and vendor IDs, and generating Java constants; at runtime the tool reads dictionary files to produce message templates combined with constants to send crafted DIAMETER messages. To reduce manual coding and cope with inconsistent specs and deep cross-references (e.g., 3GPP TS 29.272 referencing ETSI TS 129 212), Antlr4 grammars were used to parse many spec files and a Java annotation processor produced MAP/SS7 boilerplate and listener code.
Attacks implemented include Update-Location-Request DoS, IMSI acquisition, multiple location-tracking requests, and user-data queries; these rely on composing precise protocol AVPs and optionally omitting non-required fields to limit the number of specs that must be parsed. The tool’s architecture emphasizes reuse and extensibility: DIAMETER was the initial focus (23 specs processed), with stacks for GTP and SS7 also developed; code-generation reduced boilerplate and improved message-creation reliability, while a JavaFX GUI allows selection, configuration, execution, and packet-capture of attacks to support testing and retesting of fixes.
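As an added illustration of the spec-to-dictionary step described above (example code written for this summary, not the NCC Group tool's code): a parser for the command-code-format ABNF that 3GPP DIAMETER specs use, producing the dictionary entry, the minimal template that leaves optional AVPs out, and the list of AVPs that have to be resolved from other specs. The CCF excerpt and the per-spec AVP sets are constructed and abridged; command code 316 and application id 16777251 are the values 3GPP TS 29.272 gives for Update-Location-Request.

```python
import re

# Constructed, abridged excerpt in the command-code-format ABNF that 3GPP TS 29.272
# uses for Update-Location-Request (the real definition lists more AVPs); command
# code 316 and application id 16777251 are the values the spec gives.
ULR_CCF = """
<Update-Location-Request> ::= < Diameter Header: 316, REQ, PXY, 16777251 >
                              < Session-Id >
                              [ Vendor-Specific-Application-Id ]
                              { Auth-Session-State }
                              { Origin-Host }
                              { Origin-Realm }
                              [ Destination-Host ]
                              { Destination-Realm }
                              { User-Name }
                              *[ Supported-Features ]
                              { RAT-Type }
                              { ULR-Flags }
                              *[ AVP ]
"""
DEFINED_IN = {  # constructed, simplified lookup of which AVPs each loaded spec defines
    "RFC 6733": {"Session-Id", "Vendor-Specific-Application-Id", "Auth-Session-State", "Origin-Host",
                 "Origin-Realm", "Destination-Host", "Destination-Realm", "User-Name", "AVP"},
    "3GPP TS 29.272": {"ULR-Flags"}}
HEADER_RE = re.compile(r"<\s*([\w-]+)\s*>\s*::=\s*<\s*Diameter Header:\s*([^>]*)>")
# multiplicity prefix ("*", "1*", "*2" or none), bracket kind, AVP name
AVP_RE = re.compile(r"(\d*\*?\d*)\s*([<{\[])\s*([\w-]+)\s*[>}\]]")
CLASS = {"<": "fixed", "{": "required", "[": "optional"}

def parse_ccf(text):
    """Turn one CCF command definition into a dictionary entry: name, code, header
    flags, application id (0 if absent) and (avp, class, repeatable) tuples in spec order."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a CCF command definition")
    items = [t.strip() for t in m.group(2).split(",") if t.strip()]
    nums = [int(t) for t in items if t.isdigit()]
    return {"name": m.group(1), "code": nums[0], "app_id": nums[1] if len(nums) > 1 else 0,
            "flags": [t for t in items if not t.isdigit()],
            "avps": [(a, CLASS[b], "*" in mult) for mult, b, a in AVP_RE.findall(text[m.end():])]}

def minimal_template(cmd):
    """AVPs that must be present (fixed and required); optional ones are left out."""
    return [a for a, cls, _ in cmd["avps"] if cls != "optional"]

def unresolved_avps(cmd, defined_in=DEFINED_IN):
    """AVPs the command uses that none of the loaded specs define (cross-references)."""
    known = set().union(*defined_in.values())
    return [a for a, _, _ in cmd["avps"] if a not in known]
```

Running `unresolved_avps(parse_ccf(ULR_CCF))` surfaces RAT-Type (defined in ETSI TS 129 212) and Supported-Features as AVPs that need another spec loaded before a full dictionary can be built.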
Read more: https://research.nccgroup.com/2024/03/13/the-development-of-a-telco-attack-testing-tool/