Skip to main content

Penetration Testing

Penetration testing for Indonesian telecommunications operators

In short

How Indonesian telecom operators scope a penetration test across subscriber systems, signalling, and 5G core, meeting the annual assessment Kominfo expects.

Penetration testing

A telecom operator cannot wait for an incident to find out whether its subscriber database or its signalling layer is exploitable. The systems that hold customer identity and carry authentication traffic are exactly what an attacker probes first, and Kominfo now expects operators to run annual security assessments and keep a tested incident response plan. Testing those systems before an attacker does is how an operator turns that expectation into evidence. This page covers what has to be in scope for a telecom operator specifically, why the work looks different from an enterprise test, and how we deliver it. For how a penetration test works in general, see our penetration testing service page.

Why testing looks different for a telecom operator

A telecom network is not a bigger enterprise network. It has layers that only an operator runs, and each of them carries its own risk that a generic test would never reach.

BSS, OSS, and subscriber databases

Business and operations support systems sit in front of the HLR and HSS subscriber databases that hold identity and location data at scale. A weak access control or an exposed admin interface here is a direct route to the personal data of millions of subscribers.

SS7 and Diameter signalling

The signalling layer that connects networks is where subscriber tracking, SMS redirection, and call interception happen. Testing it checks whether an attacker who reaches the signalling plane can abuse it, which is a class of risk no enterprise test would ever include.

5G core and edge nodes

Early 5G cores add cloud-native components alongside legacy signalling, so the network now has container and API security questions on top of the older ones. The test has to cover both the new cloud-native surface and the signalling it sits beside.

External perimeter, provisioning, and billing

The internet-facing perimeter, the provisioning chain that activates SIMs, and the billing platform are where external attackers and fraud crews both start. A perimeter test checks what an attacker sees before they touch anything internal.

The breach pattern behind most of these is consistent and worth naming. Subscriber data is exposed through unpatched internet-facing systems, excess data retention that keeps records long after they are needed, and weak access controls on the customer databases. A penetration test is built to find those three before an attacker does, because each of them is a known way a subscriber-database breach starts rather than a hypothetical.

What we test and how we deliver it

A telecom operator's attack surface is wider than a single web app, so scoping has to account for every layer that reaches subscriber data or carries authentication traffic.

BSS and OSS platformsHLR and HSS subscriber databasesSS7 and Diameter signalling5G core and edge nodesExternal network perimeterProvisioning and billing platformsSegmentation between corporate IT and the signalling core
Scope against Kominfo expectations and the operator's networkTest subscriber systems, signalling, and the 5G core against agreed targetsValidate exploitability and business impact without disrupting live trafficDeliver a report with remediation deadlines, then retest for free

Every engagement includes a free retest once fixes are in, because a report that says "fixed" only means something if someone checks. The part that matters most for a telecom operator is the segmentation between corporate IT and the signalling core: the real question is whether a compromised office system can reach the network that carries subscriber traffic, and that boundary is tested rather than assumed. If you are weighing a lighter-touch vulnerability scan against a full test, our page on vulnerability assessment vs penetration testing sets out where each one fits, and our page on how long penetration testing takes explains why a telecom scope runs longer than an enterprise one.

What the numbers say about the sector

350M+

Mobile connections in Indonesia, more than the population (GSMA via DataReportal, 2024)

~15%

Share of the population with 5G coverage in late 2023 (ABI Research)

72 hours

UU PDP deadline to notify after a breach of subscriber personal data (UU 27/2022)

More than 350 million mobile connections means a subscriber database is one of the largest concentrations of personal data in the country, so an untested access control on it is a national-scale risk rather than a local one. With 5G coverage still around 15 percent of the population in late 2023, most operators are testing a hybrid network where a growing cloud-native 5G core sits alongside legacy signalling, and both need to be in scope. The short UU PDP notification clock is why finding the exploitable gap first, through testing, is cheaper than finding it through a breach.

If your annual security assessment is coming up and you want the test scoped to your subscriber, signalling, and 5G systems rather than a generic checklist, our team can set out a concrete next step.

References

  1. 1.Republic of Indonesia, Perpres No. 82 Tahun 2022 on Electronic System Operation
  2. 2.Republic of Indonesia, PP No. 71 Tahun 2019 on Electronic System and Transaction Operation
  3. 3.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)
  4. 4.DataReportal, Digital 2026 Indonesia (mobile connections, GSMA data)
  5. 5.ABI Research, on 5G adoption in Indonesia

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

The subscriber-facing and internal systems where an attacker actually lands: BSS and OSS platforms with the subscriber databases behind them, the SS7 and Diameter signalling layer, the 5G core and edge nodes, and the external perimeter including provisioning and billing. A test that only covers a public website misses the signalling and subscriber systems where the real damage happens.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.