Telco Security

SS7 Attack Sequences

Detailed step-by-step analysis of SS7 attack methodologies with technical implementation details, code examples, and mitigation strategies.

  • Location Tracking Attack (High): Track mobile subscriber location by exploiting SS7 protocol vulnerabilities. Complexity: Medium. Steps: 7.
  • Call Interception Attack (Critical): Intercept voice calls by manipulating SS7 signaling messages. Complexity: High. Steps: 7.
  • SMS Interception Attack (High): Intercept SMS messages including OTPs and sensitive content. Complexity: Medium. Steps: 7.

Location Tracking Attack Sequence
Step-by-step breakdown of how attackers exploit SS7 to track mobile subscriber locations

Prerequisites

  • Access to SS7 network
  • Knowledge of target's MSISDN (phone number)
  • SS7 exploitation tools (e.g., SigPloit)

Attack Steps

Step 1

SendRoutingInfoForSM Request

Attacker sends SRI-SM request to victim's HLR, pretending to deliver an SMS

MAP: sendRoutingInfoForSM
MSISDN: +1234567890

Step 2

HLR Response

HLR responds with victim's IMSI and current serving MSC/VLR address

MAP: sendRoutingInfoForSM-Res
IMSI: 123456789012345
MSC/VLR: msc123.network.com

Step 3

AnyTimeInterrogation Request

Attacker sends ATI request to HLR for precise location information

MAP: anyTimeInterrogation
IMSI: 123456789012345
RequestedInfo: locationInformation

Steps 4-7: HLR forwards request to MSC/VLR → MSC/VLR provides Cell Global Identity → HLR returns location to attacker → Attacker maps cell ID to physical coordinates

Result: Latitude: 37.7749, Longitude: -122.4194
Accuracy: 50m-2km (depending on cell density)

Mitigation Strategies

  • SS7 Firewall (High Effectiveness): Filter suspicious ATI requests and location-related operations
  • SMS Home Routing (High Effectiveness): Prevent direct HLR access for SMS-related operations

Call Interception Attack Sequence
How attackers manipulate SS7 to intercept voice calls through location update spoofing

Key Attack Steps

Step 1

UpdateLocation Request

Attacker impersonates a VLR and sends UpdateLocation to victim's HLR

Steps 2-4

Location Update Process

HLR cancels legitimate VLR, sends subscriber profile to attacker's fake VLR

Steps 5-7

Call Routing & Interception

Incoming calls routed to attacker who forwards to victim while recording

Defense Mechanisms

  • Origin-based filtering of UpdateLocation messages
  • Location verification based on subscriber movement patterns
  • End-to-end encrypted calling applications (Signal, WhatsApp)
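
The origin-based filtering and movement-pattern verification listed above, together with the ATI filtering named under the location tracking mitigations, shown as an added Python example (not code from this page or from any SS7 firewall product). The event field names, the home GT prefix, the per-prefix coordinates and the speed threshold are assumptions, and the events are constructed.

```python
from math import radians, sin, cos, asin, sqrt

HOME_GT_PREFIXES = ("1999",)   # assumption: global title prefixes owned by the home operator
MAX_SPEED_KMH = 1000.0         # assumption: anything faster is treated as implausible travel
# assumption: rough coordinates for the region behind each 4-digit GT prefix
VLR_REGION = {"1999": (37.77, -122.42), "4999": (52.52, 13.40)}

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def screen(events):
    """Return (index, reason) for every event a screening rule would reject."""
    last_seen = {}   # IMSI -> (timestamp in seconds, VLR GT) of the last accepted registration
    findings = []
    for i, ev in enumerate(events):
        op, gt = ev["op"], ev["calling_gt"]
        if op == "anyTimeInterrogation" and not gt.startswith(HOME_GT_PREFIXES):
            findings.append((i, "ATI from external origin"))
        elif op == "updateLocation":
            prev = last_seen.get(ev["imsi"])
            if prev and prev[1][:4] != gt[:4]:
                hours = max((ev["ts"] - prev[0]) / 3600.0, 1e-6)
                dist = km_between(VLR_REGION[prev[1][:4]], VLR_REGION[gt[:4]])
                if dist / hours > MAX_SPEED_KMH:
                    findings.append((i, "implausible movement"))
                    continue   # rejected: the stored registration is left unchanged
            last_seen[ev["imsi"]] = (ev["ts"], gt)
    return findings

# Constructed sample events (not real traffic); the IMSI is the page's example value.
EVENTS = [
    {"ts": 0, "op": "updateLocation", "imsi": "123456789012345", "calling_gt": "19995550001"},
    {"ts": 600, "op": "anyTimeInterrogation", "imsi": "123456789012345", "calling_gt": "49995550009"},
    {"ts": 900, "op": "updateLocation", "imsi": "123456789012345", "calling_gt": "49995550009"},
    {"ts": 90000, "op": "updateLocation", "imsi": "123456789012345", "calling_gt": "49995550009"},
]

if __name__ == "__main__":
    for idx, reason in screen(EVENTS):
        print(idx, reason)
```

The last event is accepted because 25 hours have passed since the home registration, which makes the same distance plausible.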

SMS Interception Attack Sequence
Intercepting SMS messages including OTPs through location update manipulation

High-Value Target

SMS interception is particularly dangerous for OTP-based authentication, enabling account takeovers and financial fraud.

Attack Flow

Phase 1: Location Update

Attacker updates the victim's location to a fake VLR using an UpdateLocation message

Phase 2: SMS Routing

SMSC queries the HLR, receives the attacker's address, and delivers the SMS to the attacker

Phase 3: Interception

Attacker receives the SMS containing an OTP or other sensitive information

Phase 4: Optional Forwarding

Attacker may forward the SMS to the victim to avoid detection

Protection Measures

  • SMS Home Routing (Critical): Route all SMS through home network for security inspection
  • Alternative Authentication (Critical): Use app-based authenticators (Google Authenticator, Authy) instead of SMS OTPs
  • SS7 Firewall (High): Filter suspicious SMS-related signaling messages