Telecoms & Data

Operators, equipment makers, sovereign ISPs, cloud providers

Protocols from 1975.
National critical infrastructure.

SS7 without authentication, Diameter without native encryption, exposed 5G SA APIs: telecom networks carry everything else. An SS7 weakness at a partner operator allows interception of your subscribers’ communications without the attacker ever touching your network.

  • SS7: a 1975-era protocol with no native authentication, actively exploited
  • BGP: hijacks documented across hundreds of ASes per year (Rostelecom 2020)
  • NIS2: major operators classified as essential entities (formerly OES), incident early warning within 24h
  • 5G SA: hundreds of exposed HTTP/2 SBI APIs, a poorly controlled cloud-native surface

A PROTOCOL-LEVEL AND SYSTEMIC ATTACK SURFACE

SS7/Diameter: global interception without physical access
SS7 allows anyone with signalling access through a complicit or compromised operator to locate any subscriber, intercept their calls and SMS, and disable their service. Diameter (4G) has equivalent weaknesses: the protocol itself provides no end-to-end authentication of the sending network. These protocols are actively exploited by states and cybercriminals.
BGP: traffic hijacking at AS scale
BGP governs global routing with no strong authentication of who may announce a prefix. Documented hijacks (Rostelecom 2020) diverted the traffic of hundreds of networks. Without origin validation (RPKI) deployed on both sides, most internet traffic remains exposed to a wrong-origin or more-specific announcement.
SBI APIs: the poorly controlled cloud-native surface
The 5G Standalone core exposes hundreds of HTTP/2 service-based interface (SBI) APIs handling authentication, sessions and roaming. Weak slice isolation lets a subscriber on the public 5G network reach services of an enterprise-dedicated slice.
Network-equipment firmware: the least audited surface
The EU 5G Cybersecurity Toolbox requires operators to assess and restrict high-risk suppliers. Network-equipment firmware (Nokia, Ericsson, Huawei) is the least audited attack surface in the entire sector, and the one with the highest impact should a backdoor be present.

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • Red Team simulating a complicit operator — SS7/Diameter exploitation on a live network
  • 5G SA SBI API testing — authentication, slice traversal, inter-operator roaming
  • BGP hijacking and DNS poisoning simulation on operator infrastructure
  • Pentest of LI (Lawful Interception) systems — a critical, under-audited vector
  • Red Team of the core-network infrastructure (EPC, IMS, HLR/HSS).

QLAB

DEEP SECURITY RESEARCH

  • Audit of SS7/Diameter/GTP protocols — identification of real exposures
  • 0-day research on network equipment (Nokia, Ericsson, Cisco, Juniper)
  • Firmware analysis of critical network equipment without source access
  • Audit of 5G SBI APIs and inter-operator roaming interfaces
  • Equipment supply-chain audit — backdoor detection in network firmware.

QSHIELD

SOFTWARE PROTECTION

  • Protection of network-management system code against reverse engineering
  • Anti-cloning for telecom-solution vendors exporting to risky markets
  • IP protection of proprietary routing and network-optimization algorithms
  • Protection of LI systems against analysis by adversary states
  • Obfuscation of network-monitoring probe code.

QUARKSLAB DIFFERENTIATOR

Operators are audited on NIS2 compliance, not on their real SS7 exposure. Quarkslab masters the SS7, Diameter and 5G SA stacks at a level only a few research teams worldwide possess. We combine offensive research on network protocols, reverse engineering of equipment firmware without source access, and QShield to protect proprietary solutions: a chain unique in Europe.

WHAT WE WOULD SAY TO EACH OTHER, FACE TO FACE

Do you know whether your SS7 network can be exploited from a foreign partner operator — today?

Most telecom CISOs have decent visibility into their IT perimeter. Very few have real visibility into their SS7 exposure: the signalling protocols that allow interception of your subscribers’ communications without the attacker ever touching your network.