GSMA FS.38 File

To appreciate FS.38, one must distinguish it from adjacent standards. Unlike the ETSI EN 303 645 (Consumer IoT security), which focuses on the home device, FS.38 is specifically tuned for wide-area cellular networks. Unlike the NIST IR 8259 series, which is general-purpose, FS.38 explicitly references GSM-specific elements (IMSI catching, false base stations, SMS vulnerabilities).

| # | Control | Description |
|---|---|---|
| 1 | | Devices must not ship with weak, public default credentials (e.g., "admin/admin"). Each device should have a unique credential or force a password change on first boot. |
| 2 | Secure Boot | The device must verify the integrity and authenticity of its firmware using cryptographic signatures. This prevents attackers from loading malicious code. |
| 3 | Software Update Mechanism | A secure, authenticated, and encrypted mechanism for over-the-air (OTA) updates. Updates must be signed, and the device must reject invalid ones. |
| 4 | Secure Communication | Use of TLS/DTLS for all network communications. Datagram Transport Layer Security (DTLS) is specified for UDP-based traffic to ensure confidentiality and integrity. |
| 5 | Minimize Exposed Attack Surfaces | Disable all unnecessary ports, services, and debug interfaces (e.g., JTAG, UART, USB) in production builds. |
| 6 | Secure Storage | Cryptographic keys, unique secrets, and device identifiers must be stored in tamper-resistant hardware (e.g., Secure Element, TEE, or eSIM). |
| 7 | Logging & Monitoring | The device must generate security-relevant logs (e.g., failed access attempts, integrity check failures) and have a mechanism to export them securely. |

7.5 / 10 (Vision: 9/10, Implementation Maturity: 6/10)

Addresses risks associated with the interception or exposure of subscriber identity and metadata within SIP signaling.

: FS.38 is typically a "Members Only" document. You can check for updates or related public summaries on the GSMA Interworking Security page.

: Methods such as SIP-based bypass or unauthorized service access.
