FS.38 | GSMA
Enter . Officially titled the IoT Security Assessment Standard, this document is not merely another compliance checklist. It is the mobile industry’s gold standard for ensuring that IoT devices are built, deployed, and maintained with robust security controls. If you are a device manufacturer, a network operator, or an enterprise procurer of IoT solutions, understanding GSMA FS.38 is no longer optional—it is a business imperative.
GSMA FS.38 offers two levels:
Here is the complete breakdown:
Historically, telecom signaling security focused heavily on legacy protocols. The GSMA previously introduced frameworks like for SS7 networks and FS.19 for Diameter networks. However, as global mobile operators phased out legacy 2G and 3G circuit-switched networks, the landscape shifted dramatically toward all-IP networks.
Session Border Controllers function as application-aware firewalls. FS.38 demands that SBCs run deep packet inspection (DPI) to parse incoming SIP requests, strip internal network topologies out of response headers, and enforce explicit rate-limiting to suppress fuzzing and brute-force registration attempts.
Protocol Correlation and Signaling Firewalls
: Voice is no longer handled by circuit-switched hardware. It is compressed into data packets and routed via SIP over standard IP networks.
FS.38 bridges this gap by unifying security expectations across fixed, mobile, and converged carrier networks.
Core Threat Vectors Addressed by FS.38
: Safeguards the Session Initiation Protocol used for call setup.
GSMA FS.38 ("SIP Network Security") is a Permanent Reference Document providing a "defense in depth" security framework for SIP infrastructures, including VoLTE, VoNR, and peripheral systems. The guidelines emphasize protecting core network nodes beyond Session Border Controllers (SBCs) and offer specific test cases to mitigate threats like T-DOS and unauthorized access. Read the full details at GSMA.
represents a maturing industry. No longer can IoT devices be shipped with gaping security holes and fixed with a "future update." The era of connected everything demands connected security everywhere.
The GSMA Permanent Reference Document (PRD) establishes the baseline framework for securing Session Initiation Protocol (SIP) infrastructures within telecom networks. As telecommunications shift globally to all-IP frameworks—such as Voice over LTE (VoLTE), Voice over Wi-Fi (VoWiFi), and 5G Standalone (SA) Voice—SIP has emerged as the foundational protocol for voice, video, and multimedia sessions.
While toll fraud remains a massive threat to the industry, costing carriers billions of dollars annually, FS.38 expands its scope to mitigate broader architectural and protocol-specific risks.
1. Advanced Denial of Service (DoS) and DDoS
: Security profiles for both SIM-enabled customer equipment (smartphones, IoT devices) and non-SIM endpoints (such as hosted corporate voice solutions).
Modern defense requires analyzing signaling context across multiple protocols. If a user plane registers on a local cell site via standard tracking procedures, an incoming SIP call request originating concurrently from a far-off IPX interconnect indicates spoofing. Advanced Signaling Firewalls (SFW) use FS.38 logic to block anomalous protocol variations before they enter the internal network.
Core Network Micro-Segmentation
To replace passive checklists with an active defensive strategy, the GSMA outlines explicit expectations for penetration and performance testing within FS.38.
Testing Methodology | Technical Objective | Target Components
: Stopping port scans and SIP fingerprinting used to map network vulnerabilities.
Routing Attack Mitigation
By implementing the defensive architecture outlined in GSMA FS.38, communications providers can actively mitigate a diverse spectrum of network-layer threats: