Offers recommendations for interconnect signaling security, which have been updated to align with the SIP guidelines in FS.38.
| # | Control | Description | |---|---|---| | 1 | | Devices must not ship with weak, public default credentials (e.g., "admin/admin"). Each device should have a unique credential or force a password change on first boot. | | 2 | Secure Boot | The device must verify the integrity and authenticity of its firmware using cryptographic signatures. This prevents attackers from loading malicious code. | | 3 | Software Update Mechanism | A secure, authenticated, and encrypted mechanism for over-the-air (OTA) updates. Updates must be signed, and the device must reject invalid ones. | | 4 | Secure Communication | Use of TLS/DTLS for all network communications. Datagram Transport Layer Security (DTLS) is specified for UDP-based traffic to ensure confidentiality and integrity. | | 5 | Minimize Exposed Attack Surfaces | Disable all unnecessary ports, services, and debug interfaces (e.g., JTAG, UART, USB) in production builds. | | 6 | Secure Storage | Cryptographic keys, unique secrets, and device identifiers must be stored in tamper-resistant hardware (e.g., Secure Element, TEE, or eSIM). | | 7 | Logging & Monitoring | The device must generate security-relevant logs (e.g., failed access attempts, integrity check failures) and have a mechanism to export them securely. | gsma fs.38
As mobile networks transitioned from 2G/3G to 4G and 5G, voice calls shifted from circuit-switched tech to Internet Protocol (IP). This document, often used by SecurityGen for telecom assessments, addresses the unique vulnerabilities created by this shift. | | 2 | Secure Boot | The
The de facto power of FS.38 derives not from law, but from commercial necessity. Most Tier-1 Mobile Network Operators (MNOs) and Mobile Virtual Network Operators (MVNOs) have incorporated FS.38 compliance into their connectivity contract requirements. Before an operator will issue private APN access, static IP addresses, or roaming agreements for an IoT deployment, they frequently demand a "FS.38 Gap Assessment" or a completed security questionnaire based on the guideline. Updates must be signed, and the device must
is a technical specification published by the GSMA’s Fraud and Security (F&S) team that defines standardized formats, processes, and operational guidance related to the secure exchange of fraud and security-related data between mobile network operators, service providers, and trusted third parties. It focuses on enabling timely detection, sharing, and mitigation of mobile network fraud, SIM fraud, subscription fraud, and related threats through consistent data schemas and interoperable message flows.