In 2024, a sophisticated cybercrime group intercepted SMS messages from thousands of banking customers across Europe, draining accounts of millions of euros within hours. The attack didn’t exploit any software vulnerability or require malware installation; it leveraged weaknesses in SS7, a telecommunications protocol designed in the 1970s that still forms the backbone of global mobile communications.
SS7 (Signaling System 7) is the protocol suite that enables mobile networks worldwide to exchange information for call routing, SMS delivery, roaming, and subscriber management. While essential for telecommunications functionality, SS7 was designed in an era when network access was limited to trusted telecom operators. Today, that trust model has collapsed, creating security vulnerabilities that expose billions of mobile users to surveillance, fraud, and account takeover.
This comprehensive guide explains what SS7 is and how it works, examines what an SS7 attack is and the forms it takes, explores the controversial topic of SS7 hacking from a security research perspective, and, most importantly, provides actionable guidance on how to detect and prevent SS7 attacks. Understanding SS7 security is essential for any organization relying on SMS-based authentication or mobile communications.
What Is SS7?
SS7 (Signaling System 7), also known as Common Channel Signaling System 7 (CCSS7) or C7, is a set of telephony signaling protocols developed in the 1970s and standardized by the International Telecommunication Union (ITU). It serves as the nervous system of global telecommunications, enabling networks to exchange the control information necessary for establishing calls, routing messages, and managing subscriber services.
The Role of SS7 in Telecommunications
What is SS7 signalling in practice? SS7 handles the “out-of-band” signaling that controls telephone networks, meaning the control signals travel separately from the actual voice or data communications.
Core SS7 Functions:
- Call Setup and Teardown: Establishing, maintaining, and terminating phone calls
- SMS Routing: Delivering text messages between networks and devices
- Number Translation: Converting dialed numbers to routing addresses
- Roaming Support: Enabling mobile phones to work on foreign networks
- Billing Information: Exchanging charging and accounting data
- Subscriber Database Queries: Looking up user information across networks
- Mobile Switching: Handing off calls as users move between cell towers
SS7 Network Architecture
Key SS7 Components:
Signaling Points (SP)
- Service Switching Points (SSP): Telephone switches that originate/terminate calls
- Signal Transfer Points (STP): Routers that relay SS7 messages between nodes
- Service Control Points (SCP): Databases providing call processing information
Network Elements:
- Home Location Register (HLR): Master database of subscriber information
- Visitor Location Register (VLR): Temporary database for roaming subscribers
- Mobile Switching Center (MSC): Switches that route mobile calls
- Short Message Service Center (SMSC): Handles SMS message routing
SS7 Protocol Stack:
Layer | Protocol | Function |
Application | MAP, INAP, CAP, ISUP | Service-specific operations |
Transaction | TCAP | Dialog management |
Network | SCCP | Routing and addressing |
Data Link | MTP Level 3 | Network routing |
Data Link | MTP Level 2 | Link reliability |
Physical | MTP Level 1 | Physical transmission |
How Does SS7 Work?
Understanding how SS7 works is essential for grasping its security implications. SS7 operates as a separate signaling network that controls the public switched telephone network (PSTN) and mobile networks.
Basic SS7 Operation
Call Setup Example:
- User dials number → Phone sends request to local switch (SSP)
- SSP queries database → Sends SS7 message to SCP for routing information
- SCP responds → Returns routing data and any special service instructions
- Path established → SS7 messages set up the call path through network
- Call connected → Voice channel established between parties
- Call ended → SS7 messages release network resources
SMS Delivery Example:
- User sends SMS → Message goes to originating network’s SMSC
- SMSC queries HLR → SS7 MAP message requests recipient’s location
- HLR responds → Returns serving MSC/VLR address
- Message routed → SMSC sends SMS to serving MSC via SS7
- Delivery attempt → MSC pages recipient’s phone
- Confirmation → Delivery report sent back through SS7
SS7 Message Types
MAP (Mobile Application Part) Messages:
Message | Purpose | Security Risk |
SendRoutingInfo (SRI) | Locate subscriber for call/SMS routing | Location tracking |
ProvideSubscriberInfo (PSI) | Request subscriber details | Surveillance |
UpdateLocation | Register subscriber location | Location spoofing |
SendAuthenticationInfo | Request authentication vectors | Credential theft |
InsertSubscriberData | Update subscriber profile | Service manipulation |
CancelLocation | Remove subscriber registration | Service denial |
ISUP (ISDN User Part) Messages:
- Initial Address Message (IAM): Initiate call setup
- Answer Message (ANM): Indicate call answered
- Release Message (REL): Terminate call
The Trust Model Problem
SS7 was designed when:
- Only national telecom operators had network access
- Physical security protected network equipment
- Operators were government-controlled entities
- International connections were limited and monitored
Today’s Reality:
- Thousands of operators worldwide have SS7 access
- SS7 access available through MVNOs, resellers, and roaming hubs
- Criminal organizations obtain access through compromised operators
- SS7 gateways available on underground markets
- No authentication between SS7 nodes: messages are inherently trusted
This fundamental trust model failure enables the attacks discussed below.
What Is an SS7 Attack?
What is an SS7 attack? It’s any malicious exploitation of SS7 protocol vulnerabilities to intercept communications, track locations, commit fraud, or disrupt services. Because SS7 was designed without security mechanisms, anyone with network access can send queries and commands that networks execute without verification.
Categories of SS7 Attacks
- Location Tracking
Attackers query network databases to determine a target’s physical location:
- Method: Send SS7 queries (SRI, PSI, ATI) to obtain cell tower and location data
- Precision: Can locate targets to within a few hundred meters in urban areas
- Use Cases: Stalking, surveillance, kidnapping planning, competitive intelligence
- Real-World Example: Journalists and activists tracked by state actors
- Call and SMS Interception
Attackers redirect communications to capture content:
- SMS Interception: Redirect messages by spoofing subscriber location
- Call Forwarding: Unauthorized call redirection to attacker’s number
- Man-in-the-Middle: Insert attacker between communicating parties
- Real-World Example: Banking SMS OTPs intercepted for account takeover
- Fraud Attacks
Financial exploitation through SS7 manipulation:
- Premium Rate Fraud: Route calls through expensive international paths
- Interconnect Bypass: Avoid legitimate billing by manipulating routing
- SMS Spoofing: Send messages appearing to come from trusted sources
- Real-World Example: Millions lost through international revenue share fraud
- Service Disruption (Denial of Service)
Attacks that prevent legitimate service:
- Location Cancellation: De-register subscribers from the network
- Resource Exhaustion: Flood networks with SS7 messages
- Subscriber Deletion: Remove subscribers from databases
- Real-World Example: Targeted individuals unable to receive calls/SMS
- Subscriber Information Theft
Extraction of sensitive subscriber data:
- IMSI Harvesting: Obtain unique subscriber identifiers
- Authentication Data: Steal encryption keys and authentication vectors
- Profile Information: Access subscriber service profiles
- Real-World Example: Building target databases for future attacks
Attack Complexity and Accessibility
Attack Type | Technical Skill | SS7 Access Required | Detection Difficulty |
Location Tracking | Low-Medium | Basic | Medium |
SMS Interception | Medium | Full | High |
Call Interception | High | Full | High |
Fraud (Bypass) | Medium | Partial | Medium |
Denial of Service | Low | Basic | Low |
IMSI Harvesting | Low | Basic | Medium |
Organizations relying on SMS-based authentication face significant risk from SS7 attacks. Implementing Zero Trust Access architecture with phishing-resistant MFA methods eliminates dependence on vulnerable SMS channels.
How SS7 Attacks Work: Technical Analysis
This section provides technical detail on SS7 attack methodologies for security professionals and researchers. Understanding attack mechanics is essential for implementing effective defenses.
Location Tracking Attack Flow
Attack Method: SendRoutingInfo (SRI) Abuse
- Attacker obtains target’s phone number
- Sends SRI query to target’s HLR:
- Query contains target MSISDN (phone number)
- Requests routing information “to deliver SMS”
- HLR responds with:
- IMSI (unique subscriber identifier)
- Current serving MSC address
- Current VLR address
- Attacker sends ProvideSubscriberInfo (PSI):
- Query to serving VLR
- Requests location information
- VLR responds with:
- Cell-ID (cell tower identifier)
- Location Area Code (LAC)
- Age of location information
- Attacker correlates with cell tower databases:
- Determines physical coordinates
- Accuracy: 50m-500m in urban areas
Attack Indicators:
- SRI queries from unexpected sources
- PSI queries without corresponding service
- High-frequency location queries for single subscriber
- Queries from networks without roaming agreements
SMS Interception Attack Flow
Attack Method: UpdateLocation Manipulation
- Attacker obtains target’s IMSI (via SRI attack)
- Sends fraudulent UpdateLocation:
- Claims target has roamed to attacker-controlled network
- Registers fake MSC/VLR addresses
- HLR updates routing:
- Believes subscriber is on attacker’s network
- Updates routing tables accordingly
- Incoming SMS routed to attacker:
- SMS destined for target goes to fake MSC
- Attacker captures message content
- Attacker optionally forwards SMS:
- Sends to victim to avoid detection
- Victim receives delayed message
Attack Window:
- Works until victim’s phone re-registers
- Phone movement or network activity triggers update
- Typical window: minutes to hours
Call Interception Techniques
Method 1: Unconditional Call Forwarding
- Attacker sends InsertSubscriberData:
- Sets unconditional call forwarding
- Forwards to attacker-controlled number
- Calls to target routed to attacker
- Attacker bridges to actual target:
- Victim sees different caller ID
- All audio passes through attacker
Method 2: Encryption Key Theft
- Attacker obtains IMSI
- Sends SendAuthenticationInfo to HLR:
- Requests authentication triplets/vectors
- Obtains Kc (session encryption key)
- Attacker configures radio interception:
- Captures encrypted radio traffic
- Decrypts using obtained keys
Fraud Attack Mechanisms
International Revenue Share Fraud (IRSF):
- Attacker controls premium rate numbers in distant country
- Sends manipulated routing messages:
- Re-routes calls through premium destinations
- Victim billed for expensive international calls
- Revenue splits to attacker:
- Premium number receives payments
- Attacker collects share
SMS Phishing Enhancement:
- Attacker uses SS7 to spoof sender ID
- SMS appears from legitimate source:
- Bank, government agency, employer
- Caller ID shows trusted number
- Victim more likely to trust message
How to Use SS7: Legitimate Security Research
Understanding how to use SS7 for legitimate security research and testing is important for telecom security professionals. This section covers authorized research methodologies.
Authorized Research Frameworks
Important Legal Notice:
Unauthorized access to SS7 networks is illegal in most jurisdictions. Penalties include:
- Criminal prosecution
- Significant fines
- Imprisonment
Legitimate SS7 security research requires:
- Written authorization from network operators
- Controlled test environments
- Ethical research guidelines compliance
- Responsible disclosure practices
SS7 Security Testing Approaches
- Network Operator Engagement
- Partner with telecom operators for authorized testing
- Use operator-provided test environments
- Work within mobile network security teams
- Contribute findings to operator security programs
- Research Lab Environments
- Build isolated SS7 test networks
- Use open-source SS7 stacks (Osmocom)
- Simulate network components
- Test attacks without real network impact
- Security Assessment Services
- Engage specialized telecom security firms
- Conduct authorized penetration testing
- Assess network resilience to SS7 attacks
- Receive remediation recommendations
SS7 Security Assessment Tools
Tool | Purpose | Availability |
SigPloit | SS7/Diameter/GTP testing framework | Open source |
SS7 Attacker | Research and education tool | Restricted |
Osmocom | Open-source SS7/GSM stack | Open source |
P1 Security Assessment | Commercial SS7 security testing | Commercial |
SecurityGen | Telecom security platform | Commercial |
Ethical Guidelines:
- Never test on production networks without authorization
- Document all testing activities
- Report vulnerabilities through responsible disclosure
- Do not sell or distribute attack capabilities
- Comply with all applicable laws and regulations
How to Detect SS7 Attacks
Detecting SS7 attacks is challenging because malicious traffic often mimics legitimate signaling. However, detection is possible by implementing monitoring systems that identify suspicious patterns and anomalies.
Detection Strategies
- SS7 Firewall Implementation
Deploy dedicated SS7 firewalls that:
- Filter messages based on source/destination
- Validate message parameters against policy
- Block known attack patterns
- Rate-limit suspicious query types
- Alert on anomalous traffic
Key Filtering Rules:
Message Type | Legitimate Use | Suspicious Pattern |
SRI | SMS routing | High frequency, no SMS follows |
PSI | Location services | Queries without active service |
UpdateLocation | Roaming | Impossible roaming patterns |
SendAuthInfo | Network handover | External network requests |
InsertSubData | Provisioning | Unauthorized parameter changes |
CancelLocation | Deregistration | Unexpected source |
- Anomaly Detection Systems
Machine learning and statistical analysis to identify:
- Unusual query volumes for specific subscribers
- Queries from unexpected network sources
- Geographic impossibilities (rapid location changes)
- Time-of-day anomalies
- Message sequence abnormalities
Detection Indicators:
- Multiple SRI queries for same subscriber from different sources
- Location queries without corresponding service delivery
- UpdateLocation from networks without roaming agreements
- Authentication requests from unexpected parties
- Sudden changes in subscriber routing
- Subscriber-Level Monitoring
For high-value targets (executives, VIPs):
- Monitor all SS7 queries related to their MSISDN/IMSI
- Alert on any location queries
- Track routing changes
- Notify of unusual authentication requests
Detection Challenges
Why SS7 Attack Detection Is Difficult:
- High Volume: Billions of legitimate SS7 messages daily
- Similar Patterns: Attacks mimic legitimate operations
- Limited Visibility: Many operators lack SS7 monitoring
- Cross-Network: Attacks traverse multiple operators
- Encrypted Content: SS7 metadata visible, but not always payload
Detection Metrics to Monitor:
Metric | Normal Baseline | Alert Threshold |
SRI queries per subscriber/hour | 1-5 | >10 |
Location queries without SMS | Rare | Any significant volume |
UpdateLocation frequency | Per roaming event | Multiple per hour |
Auth requests from external | Based on roaming | Unexpected networks |
Failed message attempts | <1% | >5% |
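The filtering rules, detection indicators and thresholds above can be written as detection logic over a signaling log. The following is an added example, not code from this guide or from any vendor; the event fields, global-title prefixes, sample events and the 60-second SRI-to-SMS correlation window are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed values (assumptions, not from the article): global-title (GT)
# prefixes for the home network and its roaming partners, and the window in
# which an SMS delivery must follow an SRI for the query to count as routing.
HOME_GT = ("49170",)
PARTNER_GT = ("44770", "33680")
SMS_FOLLOW_WINDOW_S = 60
SRI_PER_HOUR_LIMIT = 10  # the article's alert threshold: >10 per subscriber/hour


@dataclass(frozen=True)
class MapEvent:
    ts: int         # seconds since start of capture
    op: str         # MAP operation: SRI, MT-ForwardSM, UpdateLocation, SendAuthInfo
    source_gt: str  # SCCP calling-party global title
    msisdn: str     # subscriber the message concerns


def origin(gt):
    """Classify the sending network by its global-title prefix."""
    if gt.startswith(HOME_GT):
        return "home"
    return "partner" if gt.startswith(PARTNER_GT) else "unknown"


def detect(events):
    """Return a sorted list of (rule, msisdn, source_gt) alerts."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = set()
    sri_window = defaultdict(deque)  # msisdn -> SRI timestamps in the last hour
    sms_times = defaultdict(list)    # msisdn -> SMS delivery timestamps
    for ev in events:
        if ev.op == "MT-ForwardSM":
            sms_times[ev.msisdn].append(ev.ts)
    for ev in events:
        src = origin(ev.source_gt)
        key = (ev.msisdn, ev.source_gt)
        if ev.op == "SRI":
            win = sri_window[ev.msisdn]
            win.append(ev.ts)
            while win[0] <= ev.ts - 3600:
                win.popleft()
            if len(win) > SRI_PER_HOUR_LIMIT:
                alerts.add(("SRI_RATE", *key))
            followed = any(0 <= t - ev.ts <= SMS_FOLLOW_WINDOW_S
                           for t in sms_times[ev.msisdn])
            if src != "home" and not followed:
                alerts.add(("SRI_NO_SMS", *key))       # "no SMS follows"
        elif ev.op == "UpdateLocation" and src == "unknown":
            alerts.add(("UL_NO_ROAMING_AGREEMENT", *key))
        elif ev.op == "SendAuthInfo" and src == "unknown":
            alerts.add(("AUTH_UNEXPECTED_NETWORK", *key))
    return sorted(alerts)


def sample_events():
    """Constructed log: one normal SMS delivery, then anomalous traffic."""
    partner, unknown = "447700900123", "999000000001"
    sub_a, sub_b = "4917000000001", "4917000000002"
    events = [
        MapEvent(0, "SRI", partner, sub_a),            # routing lookup...
        MapEvent(2, "MT-ForwardSM", partner, sub_a),   # ...followed by delivery
    ]
    events += [MapEvent(100 + 120 * i, "SRI", unknown, sub_b) for i in range(12)]
    events += [
        MapEvent(1500, "UpdateLocation", unknown, sub_b),
        MapEvent(1600, "UpdateLocation", partner, sub_a),
        MapEvent(1700, "SendAuthInfo", unknown, sub_b),
        MapEvent(1800, "SendAuthInfo", partner, sub_a),
    ]
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```
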
Organizations with high-security requirements should implement Endpoint Security Compliance solutions that detect and alert when devices may be compromised through SS7-enabled attacks.
How to Prevent SS7 Attacks
Preventing SS7 attacks requires a multi-layered approach combining network-level protections, application-level mitigations, and user awareness.
Network-Level Protections
- SS7 Firewall Deployment
Modern SS7 firewalls provide:
- Message filtering based on whitelists/blacklists
- Parameter validation and sanitization
- Rate limiting and throttling
- Anomaly detection and alerting
- Logging and forensic capabilities
Implementation Priorities:
Priority | Protection | Impact |
Critical | Block unauthorized SRI responses | Prevents location tracking |
Critical | Validate UpdateLocation sources | Prevents SMS interception |
High | Filter SendAuthInfo requests | Protects encryption keys |
High | Rate-limit location queries | Limits surveillance |
Medium | Log all SS7 transactions | Enables forensics |
- Category Filtering
Categorize SS7 messages and apply policies:
- Category 1: Local network only (block from external)
- Category 2: Roaming partners only (verify agreements)
- Category 3: Any network (carefully rate-limited)
- Home Routing
Force messages to pass through home network controls:
- All SMS routed via home SMSC
- Location queries answered by home HLR with filtering
- Reduces exposure to fraudulent routing
- GSMA Guidelines Implementation
Follow GSMA recommendations:
- FS.11: SS7 and Diameter security guidelines
- IR.82: Security guidance for roaming
- FS.07: Core network protection guidelines
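The three-category policy described under Category Filtering, together with rate limiting and transaction logging, written as a per-message decision function. This is an added example, not code from this guide or from a real firewall product; the assignment of operations to categories, the global-title prefixes and the limit of 5 messages per 60 seconds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed operator policy (not from the article): which MAP operation falls
# into which of the three categories, and constructed global-title prefixes.
HOME_GT = ("49170",)
PARTNER_GT = ("44770", "33680")
CATEGORY = {
    "ATI": 1,                                   # local network only
    "PSI": 2, "UpdateLocation": 2, "SendAuthInfo": 2,
    "InsertSubData": 2, "CancelLocation": 2,    # roaming partners only
    "SRI": 3,                                   # any network, rate-limited
}
CAT3_LIMIT, CAT3_WINDOW_S = 5, 60


class CategoryFirewall:
    def __init__(self):
        self._recent = defaultdict(deque)  # source GT -> times of allowed Category 3 messages
        self.log = []                      # every decision, kept for forensics

    @staticmethod
    def _origin(gt):
        if gt.startswith(HOME_GT):
            return "home"
        return "partner" if gt.startswith(PARTNER_GT) else "unknown"

    def _rate_limit(self, gt, now):
        window = self._recent[gt]
        while window and window[0] <= now - CAT3_WINDOW_S:
            window.popleft()
        if len(window) >= CAT3_LIMIT:
            return "BLOCK category-3-rate-limit"
        window.append(now)
        return "ALLOW"

    def decide(self, op, source_gt, now):
        """Return 'ALLOW' or 'BLOCK <reason>' for one inbound message."""
        cat = CATEGORY.get(op)
        src = self._origin(source_gt)
        if cat is None:
            verdict = "BLOCK unknown-operation"       # default deny
        elif src == "home":
            verdict = "ALLOW"
        elif cat == 1:
            verdict = "BLOCK category-1-external"
        elif cat == 2:
            verdict = ("ALLOW" if src == "partner"
                       else "BLOCK category-2-no-agreement")
        else:
            verdict = self._rate_limit(source_gt, now)
        self.log.append((now, op, source_gt, verdict))
        return verdict


if __name__ == "__main__":
    fw = CategoryFirewall()
    for t in range(7):
        print(t, fw.decide("SRI", "999000000001", t))
```
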
Application-Level Mitigations
- Eliminate SMS-Based Authentication
The most effective protection against SS7-based account takeover:
Authentication Method | SS7 Risk | Recommendation |
SMS OTP | High | Eliminate |
Voice OTP | High | Eliminate |
Authenticator Apps (TOTP) | None | Good alternative |
Push Notifications | None | Good alternative |
FIDO2/WebAuthn | None | Best option |
Hardware Security Keys | None | Best for high-security |
- Implement Phishing-Resistant MFA
Deploy authentication methods immune to SS7 attacks:
- FIDO2 security keys
- Platform authenticators (Windows Hello, Touch ID)
- Push-based authentication with number matching
- Risk-based authentication with device binding
Organizations implementing Secure Remote Access should ensure all authentication methods are SS7-independent.
- Application-Layer Encryption
For sensitive communications:
- End-to-end encrypted messaging (Signal, WhatsApp)
- VPN for all mobile data
- Encrypted voice applications
- Secure email with PGP/S/MIME
Organizational Protections
- High-Risk User Programs
For executives, security personnel, and high-value targets:
- Issue devices with enhanced security configurations
- Implement additional monitoring on their numbers
- Provide secure communication alternatives
- Consider separate devices for sensitive communications
- Security Awareness Training
Educate users about:
- Limitations of SMS security
- Signs of account compromise
- Alternative authentication options
- Reporting suspicious activity
- Vendor and Partner Requirements
When selecting telecom providers:
- Require SS7 firewall implementation
- Demand security audit results
- Include security SLAs in contracts
- Regular security assessments
Protection Effectiveness Summary
Protection Measure | Location Tracking | SMS Interception | Call Interception | Implementation Effort |
SS7 Firewall | High | High | Medium | High (Operator) |
Eliminate SMS Auth | N/A | Eliminates risk | N/A | Medium |
FIDO2/WebAuthn MFA | N/A | Eliminates risk | N/A | Medium |
E2E Encrypted Messaging | N/A | High | High | Low |
VPN Usage | Low | Medium | Medium | Low |
Home Routing | Medium | High | Medium | High (Operator) |
Real-World SS7 Attacks
Case Study 1: German Banking Attack (2017)
Attack Overview:
- Attackers compromised SS7 access through a foreign telecom operator
- Targeted German bank customers
- Intercepted SMS-based two-factor authentication codes
Attack Flow:
- Obtained victims’ banking credentials through phishing
- Initiated money transfers from compromised accounts
- Banks sent SMS OTPs to confirm transactions
- Attackers intercepted SMS via SS7 manipulation
- Entered OTPs to authorize fraudulent transfers
Impact:
- Multiple accounts drained
- Significant financial losses
- Triggered industry-wide reassessment of SMS authentication
Lessons Learned:
- SMS-based 2FA is fundamentally vulnerable
- SS7 access is obtainable by determined attackers
- Financial institutions must move beyond SMS authentication
Case Study 2: Surveillance of Journalists and Activists
Multiple documented cases (2016-2024):
- State actors using SS7 to track journalists
- Activists monitored via location tracking
- Dissidents’ communications intercepted
Techniques Used:
- Location tracking via SRI/PSI queries
- SMS interception for intelligence gathering
- Call metadata collection
Impact:
- Sources compromised
- Physical safety endangered
- Chilling effect on journalism
Lessons Learned:
- SS7 surveillance is accessible to nation-states
- High-risk individuals need enhanced protections
- Mobile phones are inherently trackable
Case Study 3: Cryptocurrency Exchange Attacks (2019-2024)
Attack Pattern:
- Target cryptocurrency holders and exchange employees
- Intercept SMS-based 2FA codes
- Drain cryptocurrency wallets
Notable Incidents:
- Multiple exchanges reported customer losses
- Individual holders lost significant amounts
- Combined losses in hundreds of millions
Attack Sophistication:
- Combined SIM swapping with SS7 attacks
- Multiple attack vectors for redundancy
- Professional criminal organizations involved
SS7 Security Standards and Regulations
Industry Standards
GSMA Guidelines:
- FS.11: SS7 interconnect security monitoring and firewall guidelines
- FS.19: Diameter interconnect security
- IR.82: SS7 security recommendations for operators
- FS.07: Security accreditation scheme
3GPP Standards:
- Security architecture specifications
- Authentication and key agreement protocols
- Network domain security requirements
ITU-T Recommendations:
- Q.700 series: SS7 protocol specifications
- Security considerations in various recommendations
Regulatory Landscape
Region | Regulatory Body | SS7 Security Requirements |
EU | ENISA, National Regulators | Recommended security measures |
US | FCC | CSRIC recommendations |
UK | Ofcom, NCSC | Security guidance published |
Australia | ACMA | Telecommunications security framework |
Emerging Regulations:
- Increased disclosure requirements for security incidents
- Mandatory security assessments for operators
- Potential requirements for SS7 firewall deployment
- Cross-border cooperation on telecom security
Compliance Considerations
Organizations subject to security regulations should assess SS7 risks:
PCI DSS:
- Protect cardholder data in transit
- SMS-based authentication increasingly discouraged
- Consider SS7 risks in risk assessments
HIPAA:
- Protect PHI in electronic communications
- SMS risks should be documented
- Alternative communication methods recommended
SOX:
- Financial controls integrity
- SS7 risks to authentication controls
- Document compensating controls
Organizations implementing Privileged Access Management must ensure privileged account authentication doesn’t rely on SS7-vulnerable SMS channels.
The Future of SS7 Security
Network Evolution
Diameter Protocol:
5G networks use Diameter instead of SS7:
- Similar functionality, updated architecture
- Improved security features
- But still has vulnerabilities
5G Security Improvements:
- Stronger authentication (5G-AKA)
- Better encryption
- Improved subscriber privacy (SUPI/SUCI)
- However, legacy interworking maintains some risks
Timeline to SS7 Deprecation:
Phase | Timeframe | Impact |
Current | 2024-2026 | SS7 widely deployed for 2G/3G |
Transition | 2027-2030 | Gradual reduction in SS7 traffic |
Limited Use | 2030-2035 | SS7 for legacy only |
Deprecation | 2035+ | Potential full deprecation |
Recommended Long-Term Strategy
For Telecom Operators:
- Deploy comprehensive SS7 firewalls immediately
- Implement monitoring and anomaly detection
- Plan migration to Diameter/5G
- Participate in industry security initiatives
For Enterprises:
- Eliminate SMS-based authentication now
- Deploy phishing-resistant MFA
- Monitor for SS7-related compromises
- Educate users on mobile security
For Individuals:
- Use authenticator apps instead of SMS
- Enable hardware security keys where available
- Use encrypted messaging applications
- Be aware of mobile surveillance risks
Conclusion
SS7 remains a critical vulnerability in global telecommunications infrastructure. Designed in an era of trusted networks and limited access, its fundamental security weaknesses expose billions of mobile users to location tracking, communication interception, fraud, and account takeover. While network operators work to implement protections, the protocol’s inherent trust model cannot be fully secured.
Key Takeaways:
- What is SS7: The signaling protocol enabling global mobile communications, designed without security mechanisms
- How does SS7 work: Control plane protocol managing call routing, SMS delivery, and subscriber management across networks
- What is an SS7 attack: Exploitation of SS7 vulnerabilities for surveillance, interception, fraud, or service disruption
- How to detect SS7 attacks: Deploy SS7 firewalls, implement anomaly detection, and monitor high-value subscribers
- How to prevent SS7 attacks: Eliminate SMS authentication, deploy phishing-resistant MFA, and implement network-level controls
For organizations, the most actionable protection is eliminating dependence on SMS-based authentication. SS7 vulnerabilities make SMS inherently insecure for sensitive authentication. Moving to FIDO2, hardware security keys, and phishing-resistant MFA eliminates SS7 as an attack vector for account compromise.


