Penetration Testing by umlaut

Interconnection security as a

Easy. Continuous. Automated.
Continuous, independent penetration testing is fundamental to a comprehensive security strategy for any network.

  • Regular tests without setup costs
  • Lower testing operational costs
  • Closer to zero-day evaluation

Risks Monitored:

  • Traffic interception (e.g., SMS, Calls)
  • Subscriber/device tracking
  • Denial of Service of a user or the entire network
  • Impersonation of a subscriber. Identity spoofing
  • Profile manipulation (Fraud, Revenue Loss)


  • Easy to setup tests and analyze results
  • Security scoring
  • Regular testing with short time to results
  • Integration with SOC /SIEM
  • Covers most known risks
  • SS7, GTP and Diameter
  • New vulnerabilities added regularly
  • Technical workshops included
  • Protection of target SIMs and data

Autonomy for operators to:

  • Assess security level
  • Verify mitigations
  • Fine tune rules set definition
  • Validation in short time

umlaut Managed Service :

  • Connection setup and troubleshoot
  • Manual results validations
  • Provide detailed countermeasures
  • Follow-up mitigation action plan
  • International security benchmark

How does Intaas work?

Setup & requirements

  • Traffic is routed via the International network
  • Intaas needs be configured as a roaming partner
  • IR.21 is configured by umlaut in the customer interface
  • SIM cards setup locally (home network)

Regular & Ad-hoc

  • Ad-hoc tests can be performed immediately or scheduled (e.g. overnight)
  • Tests can be performed regularly (weekly, monthly) and results integrated with a SIEM tool

Result Analysis

  • Protocols security scoring
  • Risks-based scoring
  • Detailed results per test case
  • Network traces available
  • Export to Excel / CSV

Interconnection protocols

  • SS7 / Diameter / GTP
  • Continuous improvement of test cases
  • Only well-formed requests
  • GSMA and beyond test cases
    • GSMA FS.11, FS.19 and FS.20
    • Tweaks and bypass techniques
  • Limited to well formed messages

Trust It

Privacy and data protection

  • Storage and processing is done on European Union based infrastructure
  • Data retention can be set by the customer (default is 6 months)
  • Dedicated database schema
  • Multiple user roles concept
  • GDPR compliant

Control of Target

  • Only operators can use the tool
  • Operators can only target their network
  • Only MSISDNs / IMSIs from the operator’s range can be targeted. Ported MSISDNs can be set
  • Target SIMs are notified via SMS
  • Customer admin is notified once a new target SIM is configured

Why umlaut?

• umlaut has 15 years of experience in
telecommunication security assessments
• umlaut is active in multiple industries (e.g., automotive,
energy, aviation) which provide experience on services
and criticalities on those industries
• umlaut portfolio covers end-to-end: from
smartphones, IoT devices, air interface, backhaul,
core and services testing
• umlaut has a team of experts for network
engineering and testing
• umlaut has performed security assessments
with all equipment vendors
• umlaut participates in security groups (e.g.,
GSMA Fraud and Security


• ISO 27001 – Information Security
• ISO 17025 – Testing and Calibration of Laboratories
• ISO 9001 – Quality Management
• Our consultants are certified on eg:
• Certified Ethical Hacking (CEH), ISO 27001 Lead Auditor, ISACA
• Continuous partnership with 50+ operators, vendors and
industry partners for active security testing, training and
consulting services
• Groups of operators use our data for security

How can umlaut and Cellusys secure your network?

Contact us to learn more