SS7 Vulnerabilities Explained: The 1970s Protocol Still Threatening Your Phone

What Is SS7

Signaling System 7 is the set of protocols that telephone networks use to exchange information about calls, text messages, and subscriber management. When you dial a phone number, SS7 is what sets up the call. When you send an SMS, SS7 carries it. When you travel to another country and your phone still works, SS7 handles the roaming coordination between your home network and the visited network.

SS7 was developed in the 1970s by AT&T and standardized by the ITU in the 1980s. It replaced earlier in-band signaling systems (where control signals traveled on the same channel as voice) with an out-of-band signaling network. This was a significant improvement for reliability and functionality, but the security model was designed for an era when access to the signaling network was limited to a small number of trusted telephone companies.

That assumption no longer holds. The global SS7 network now interconnects thousands of operators across every country. Access to the SS7 network can be obtained through small telecom operators, VoIP providers, and in some cases through commercial services that sell SS7 access directly. The result is a critical infrastructure protocol with essentially no authentication, running on a network accessible to a much broader set of actors than its designers ever intended.

SS7 Architecture

graph TD
    subgraph SS7_Network["SS7 Signaling Network"]
        A[Signal Transfer Point - STP] --> B[Signal Transfer Point - STP]
        B --> C[Signal Transfer Point - STP]
    end
    
    subgraph Network_Elements["Network Elements"]
        D[HLR - Home Location Register] --> A
        E[VLR - Visitor Location Register] --> B
        F[MSC - Mobile Switching Center] --> A
        G[SMSC - SMS Center] --> C
        H[GMSC - Gateway MSC] --> B
    end
    
    subgraph Key_Functions["SS7 Message Types"]
        I[MAP - Mobile Application Part]
        J[ISUP - ISDN User Part]
        K[TCAP - Transaction Capabilities]
        I --> L[Location updates]
        I --> M[SMS routing]
        I --> N[Authentication]
        J --> O[Call setup/teardown]
    end
    
    subgraph Attacker_Access["Attacker Access Points"]
        P[Rogue operator] --> A
        Q[Compromised STP] --> B
        R[SS7 access provider] --> C
    end

SS7 architecture showing the signaling network, key network elements, and potential attacker access points

The SS7 network is built around three key components. Signal Transfer Points (STPs) are routers that forward SS7 messages between network elements. Service Switching Points (SSPs) are telephone switches that originate and terminate calls. Service Control Points (SCPs) are databases that contain information about subscribers, routing, and services.

The most important database for understanding SS7 vulnerabilities is the Home Location Register (HLR). The HLR stores the master record for every subscriber on the network, including their phone number (MSISDN), their SIM identity (IMSI), their current location (which Visitor Location Register is serving them), and their service profile. When another network needs to route a call or message to a subscriber, it queries the HLR to find out where that subscriber currently is.

The protocol that carries these queries and responses is MAP (Mobile Application Part), which runs on top of the SS7 stack. MAP messages include operations like SendRoutingInfo (to find where to route a call), ProvideSubscriberInfo (to get a subscriber's current location), and UpdateLocation (to tell the HLR that a subscriber has moved to a new network).

The Trust Model Problem

SS7 was designed with a simple trust model: every entity on the SS7 network is trusted. There is no authentication of SS7 messages. There is no encryption. If a message arrives at an STP, it is forwarded to its destination without any verification of whether the sender is authorized to send that type of message or whether the content is legitimate.

In the 1970s, this was reasonable. The SS7 network was accessible only to a handful of national telephone companies, all of which had established business relationships with each other. The idea that an untrusted entity might gain access to the signaling network and send fraudulent messages was not a realistic concern.

By the 2000s, the situation had changed dramatically. Telecom deregulation created thousands of new operators worldwide. Mobile Virtual Network Operators (MVNOs) gained SS7 access through their host networks. VoIP providers and interconnect services created additional access points. Some companies began offering commercial SS7 access as a service, allowing essentially anyone with a few hundred dollars a month to send SS7 messages to any network in the world.

The fundamental problem remains: SS7 messages are not authenticated. When a network element receives a MAP message requesting a subscriber's location, it has no way to verify that the request came from a legitimate network with a legitimate reason. It simply responds with the information.

Location Tracking via SS7

SS7-based location tracking is conceptually simple. An attacker with SS7 access sends a MAP message (specifically, ProvideSubscriberInfo or SendRoutingInfo) to the target's home network, requesting the subscriber's current serving cell. The network responds with the Cell ID of the tower currently serving the target's phone.

Because this is a legitimate SS7 operation (networks need to locate subscribers to route calls and messages), the request looks identical to normal inter-network traffic. There is no flag that distinguishes a legitimate routing query from a surveillance query.

The cell tower information returned by the network provides location accuracy ranging from a few hundred meters in urban areas to several kilometers in rural areas. Repeated queries can track movement in near-real-time by observing cell tower changes.

This capability has been demonstrated publicly multiple times. In 2014, German security researcher Tobias Engel demonstrated SS7 location tracking at the Chaos Communication Congress. In 2016, U.S. Congressman Ted Lieu participated in a 60 Minutes demonstration where researchers tracked his phone's location using SS7 with only his phone number.

More sophisticated attacks combine location tracking with call interception, first locating the target and then redirecting their communications.

Call Interception

SS7 call interception exploits the roaming infrastructure of cellular networks. When you travel to another country, your phone registers with a foreign network. Calls to your number are routed through that foreign network's Mobile Switching Center (MSC), which is identified by a temporary roaming number assigned through SS7 signaling.

An attacker can exploit this process by sending an UpdateLocation message to the target's HLR, claiming that the target has roamed to a network controlled by the attacker. The HLR updates its records and begins routing incoming calls through the attacker's infrastructure. The attacker can then record the call and forward it to the target (who receives the call normally but through a relay), making the interception invisible to both parties.

Outgoing calls can be intercepted through a variant of this attack. By manipulating the routing information associated with the called number (rather than the calling number), an attacker can insert themselves into the call path for calls the target makes.

These attacks are not theoretical. Commercial surveillance companies have sold SS7 interception capabilities to government agencies worldwide. Companies like Circles (an affiliate of NSO Group), Ability Inc., and others have marketed products that exploit SS7 for call interception and location tracking.

SMS Hijacking and 2FA Bypass

SMS hijacking through SS7 is perhaps the most immediately impactful vulnerability for everyday users, because it directly undermines SMS-based two-factor authentication.

The attack works similarly to call interception. The attacker sends an UpdateLocation message to the target's HLR, registering a network element under the attacker's control as the target's current serving MSC. When an SMS is sent to the target's number (including 2FA codes from banks, email providers, and other services), the message is routed to the attacker instead of the target.

sequenceDiagram
    participant Bank as Bank / Service
    participant SMSC as SMS Center
    participant HLR as Home Location Register
    participant Attacker as Attacker MSC
    participant Real as Target's Real MSC
    
    Note over Attacker: Step 1: Register fake location
    Attacker->>HLR: UpdateLocation (target IMSI -> attacker MSC)
    HLR->>HLR: Updates routing to attacker MSC
    
    Note over Bank: Step 2: 2FA code sent
    Bank->>SMSC: Send SMS "Your code is 847291"
    SMSC->>HLR: Where is target?
    HLR->>SMSC: Route to attacker MSC
    SMSC->>Attacker: SMS delivered to attacker
    
    Note over Attacker: Step 3: Attacker has 2FA code
    Attacker->>Attacker: Uses code to access account
    
    Note over Real: Target never receives SMS

SS7 SMS hijacking redirects two-factor authentication codes to an attacker-controlled system

The target may notice that they stop receiving text messages during the attack (since messages are being rerouted), but by the time they realize something is wrong, the attacker may have already used the intercepted 2FA codes to access their accounts.

This attack was used in real-world bank fraud in Germany in 2017, where attackers used SS7 SMS interception to bypass two-factor authentication and drain bank accounts. The German newspaper Suddeutsche Zeitung reported that the attacks exploited SS7 access obtained through a foreign network operator.

The NIST has recommended against SMS-based 2FA since 2016 (in Special Publication 800-63B), citing SS7 vulnerabilities among the reasons. Despite this, SMS remains the most common second factor for consumer-facing services, and many banks and financial institutions still rely on it.

Documented Real-World Attacks

SS7 attacks are not confined to security conference demonstrations. Several documented incidents confirm real-world exploitation.

German bank fraud (2017). Attackers exploited SS7 to intercept SMS 2FA codes and drain customer bank accounts through the mTAN (mobile Transaction Authentication Number) system. The German Federal Office for Information Security (BSI) confirmed the attacks.

Political surveillance. A 2020 investigation by the Bureau of Investigative Journalism and The Guardian found that SS7 tracking requests targeting phones in the UK, Europe, Africa, and the Middle East originated from Saudi Arabia. The requests appeared to track Saudi nationals abroad.

Commercial surveillance services. Leaked documents from Circles (an NSO Group affiliate) showed the company offering SS7-based surveillance to government clients, including location tracking and call interception. Citizen Lab identified Circles deployments in at least 25 countries.

U.S. surveillance concerns. Senator Ron Wyden's office has repeatedly raised concerns about SS7 exploitation affecting Americans. A 2017 DHS report confirmed that SS7 vulnerabilities had been exploited to track and intercept communications of people in the United States.

Diameter: SS7's Successor (With Similar Problems)

Diameter is the signaling protocol used in 4G/LTE networks, replacing SS7's MAP with a modern protocol based on TCP/IP rather than the legacy SS7 transport. In principle, Diameter addresses some of SS7's architectural weaknesses. In practice, it introduces its own vulnerabilities and maintains backward compatibility with SS7 that perpetuates the old problems.

Diameter does support TLS for transport encryption, but implementation is inconsistent across operators. Diameter also has a more structured message format with AVPs (Attribute-Value Pairs) that could support authentication and authorization, but many deployments rely on perimeter security (trusting messages that arrive from connected networks) rather than per-message validation.

Research presented at security conferences has demonstrated attacks against Diameter that parallel SS7 attacks: subscriber location tracking, session interception, and denial of service. The fundamental trust model problem persists because inter-operator signaling still relies on mutual trust between connected networks.

5G introduces a new signaling architecture based on HTTP/2 and REST APIs, with built-in support for TLS 1.3 and OAuth 2.0-based authentication. This is a significant improvement, but 5G networks maintain backward compatibility with 4G (and by extension, with SS7 through SS7-to-Diameter gateways), meaning the legacy vulnerabilities remain accessible through interworking functions.

Defenses and Mitigations

Several technical mitigations exist for SS7 vulnerabilities, though adoption has been slow and uneven.

SS7 firewalls. Specialized firewalls (from vendors like GSMA's recommended providers, Cellusys, and others) filter SS7 messages at network boundaries, blocking suspicious requests such as location queries from networks that have no legitimate reason to request them. Effectiveness depends on the quality of the filtering rules and the operator's willingness to block messages that might be legitimate but look suspicious.

GSMA guidelines. The GSMA has published recommendations for SS7 security, including message filtering, monitoring for anomalous signaling patterns, and restricting which MAP operations are accepted from external networks. Compliance is voluntary and varies widely across operators.

Home routing for SMS. Instead of delivering SMS messages directly to the visited network (where they can be intercepted), home routing keeps SMS delivery within the home network's infrastructure. This mitigates the SMS interception attack but does not address location tracking or call interception.

Monitoring and anomaly detection. Some operators deploy monitoring systems that detect unusual patterns of SS7 activity, such as a sudden increase in location queries for a specific subscriber or UpdateLocation messages from unexpected networks. Detection is valuable but reactive - the attack may succeed before it is detected.

What You Can Do

Individual users cannot fix SS7 vulnerabilities - the problem exists in the network infrastructure, not on your device. But you can reduce your exposure to the consequences of SS7 attacks.

Stop using SMS for two-factor authentication. Use authenticator apps (TOTP), hardware security keys (FIDO2/WebAuthn), or push-based authentication instead. SMS 2FA is better than no 2FA, but it is the weakest common form and is directly vulnerable to SS7 attacks.

Use encrypted communication apps. Signal, WhatsApp (which uses Signal Protocol), and similar apps encrypt messages end-to-end. Even if an attacker intercepts your SMS or redirects your calls through SS7, they cannot read Signal messages or listen to Signal calls, because the encryption is between the devices, not between the network elements.

Be aware of the threat. If you are a high-value target (journalist, activist, executive, government official), SS7 attacks are a realistic threat. Your phone number is sufficient for an attacker to track your location and intercept your SMS messages. Plan your communications accordingly.

Understanding the signaling layer of telecommunications helps contextualize the wireless signals you encounter daily. The BLEShark Nano operates at the wireless physical layer (BLE, WiFi, IR), complementing an understanding of higher-layer signaling vulnerabilities like SS7 with hands-on radio frequency analysis.