SS7 Signaling Protocol
Architecture, Security Vulnerabilities & Attack Vectors

SS7 vulnerabilities expose critical telecom infrastructure to sophisticated attacks
Security Advisory
Introduction to SS7
Signaling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975 that is used worldwide to establish and terminate telephone calls on the public switched telephone network (PSTN) and mobile networks. Despite its age, SS7 remains a critical component of global telecommunications infrastructure.
SS7 was designed in an era when telecom networks were closed systems operated by a small number of trusted entities. This fundamental assumption of trust is at the root of many security issues that plague SS7 networks today, as the ecosystem has evolved to include hundreds of operators worldwide with varying security practices.
The protocol enables various services beyond basic call setup, including:
- SMS message transmission
- Toll-free calling
- Local number portability
- Caller ID services
- Roaming capabilities
- Prepaid billing
SS7 Architecture
The SS7 network consists of various network elements that communicate with each other to facilitate call setup, routing, and other services. Understanding this architecture is crucial for identifying potential security vulnerabilities.
- SSP (Service Switching Point): Handles call setup, teardown, and routing
- STP (Signal Transfer Point): Routes messages between network elements
- SCP (Service Control Point): Contains service logic and subscriber databases
- HLR (Home Location Register): Stores subscriber information
- VLR (Visitor Location Register): Temporarily stores visiting subscriber data
- MSC (Mobile Switching Center): Handles mobile call routing and control
- A Interface: Between MSC and BSS
- B Interface: Between MSC and VLR
- C Interface: Between HLR and GMSC
- D Interface: Between HLR and VLR
- E Interface: Between MSCs
- F Interface: Between MSC and EIR
- G Interface: Between VLRs
These network elements communicate over SS7 links, which are categorized as A-links (access), B-links (bridge), C-links (cross), D-links (diagonal), E-links (extended), and F-links (fully associated).
SS7 Protocol Stack
SS7 uses a layered protocol architecture similar to the OSI model. Each layer provides specific functionality and contains potential security vulnerabilities.
Layer | Protocols |
---|---|
Application Layer | MAP, CAP, INAP, TCAP |
Network Layer | SCCP |
Transport Layer | MTP Level 3 |
Data Link Layer | MTP Level 2 |
Physical Layer | MTP Level 1 |
Message Transfer Part (MTP): Provides reliable transfer of signaling messages between network elements. It consists of three levels:
- MTP Level 1: Physical layer that defines the physical and electrical characteristics of signaling links
- MTP Level 2: Data link layer that ensures reliable transfer of messages between adjacent signaling points
- MTP Level 3: Network layer that handles message routing, traffic management, and network management
Signaling Connection Control Part (SCCP): Provides additional addressing capabilities beyond what MTP offers, allowing for the routing of messages to specific applications within a signaling point.
Transaction Capabilities Application Part (TCAP): Provides a framework for non-circuit-related information exchange between applications.
Mobile Application Part (MAP): Used for mobile-specific operations such as location updates, authentication, and SMS delivery.
ISDN User Part (ISUP): Used for setting up, managing, and releasing trunk circuits that carry voice and data calls between exchanges.
Security Vulnerabilities
SS7 was designed with an inherent trust model that assumes all participants in the network are legitimate and well-behaved. This fundamental assumption creates numerous security vulnerabilities that can be exploited.
- Lack of Authentication: SS7 does not authenticate the source of messages
- No Encryption: Messages are transmitted in plaintext
- Implicit Trust Model: Assumes all network participants are trustworthy
- No Access Control: Limited mechanisms to restrict operations based on source
- Global Title Routing: Allows attackers to route messages through intermediaries
These vulnerabilities affect all layers of the SS7 protocol stack, with the most severe issues occurring at the application layer (MAP) where subscriber data and services are accessed.
Common SS7 Attacks
SS7 vulnerabilities can be exploited in various ways to compromise subscriber privacy, intercept communications, or disrupt services.
Attackers can query the HLR or MSC/VLR to determine a subscriber's location, often with accuracy down to the cell tower level.
Methods: SendRoutingInfoForSM, AnyTimeInterrogation, ProvideSubscriberInfo
Attackers can redirect calls to their own systems before forwarding them to the intended recipient, enabling eavesdropping.
Methods: UpdateLocation, InsertSubscriberData, SendRoutingInfo
Attackers can redirect SMS messages, potentially intercepting one-time passwords or other sensitive information.
Methods: UpdateLocation, InsertSubscriberData, SendRoutingInfoForSM
Attackers can query network databases to extract subscriber information, including IMSIs, MSISDNs, and service profiles.
Methods: SendIMSI, SendAuthenticationInfo, SendIdentification
These attacks can be combined to create sophisticated attack chains. For example, an attacker might first use data extraction to obtain a subscriber's IMSI, then use that information to perform location tracking or call interception.
The technical complexity of these attacks has decreased significantly in recent years, with commercial tools and services now available that simplify the exploitation of SS7 vulnerabilities.
Countermeasures
While SS7 has inherent security flaws that cannot be completely fixed without replacing the protocol, there are several countermeasures that operators can implement to reduce the risk of successful attacks.
- Specialized firewalls that monitor and filter SS7 traffic based on message type, origin, and context. They can block suspicious requests and detect attack patterns.
- GSMA-recommended security measures categorized by implementation complexity and effectiveness, from basic filtering (Cat 1) to advanced context-based analysis (Cat 3).
- Technique that prevents the disclosure of subscriber information during SMS delivery by routing all messages through the home network.
- Moving from SS7 to Diameter protocol for 4G/5G networks, which includes built-in security features like IPsec and TLS encryption.
- Continuous monitoring of SS7 traffic to detect and respond to suspicious activities and potential attacks in real-time.
- Implementing strict security requirements for interconnect partners and regularly auditing their compliance.
Best Practice
Operators should also stay informed about emerging threats and vulnerabilities through industry groups like the GSMA Fraud and Security Group (FASG) and implement security updates promptly.
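The firewall screening by message type, origin, and context described above, from basic filtering (Cat 1) to context-based analysis (Cat 3), sketched as an added example; it is not code from this page or from any firewall product. The operation-to-category mapping, the global-title and IMSI prefixes, and the one-hour travel threshold are simplified assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass

# Assumed, simplified policy for this example; not a complete GSMA rule set.
CAT1_OPS = {"AnyTimeInterrogation", "SendIMSI"}               # not accepted from outside
CAT2_OPS = {"InsertSubscriberData", "ProvideSubscriberInfo"}  # only from the home network
CAT3_OPS = {"UpdateLocation", "SendAuthenticationInfo"}       # need location context
OWN_GT_PREFIX = "99901"                      # constructed global-title prefix of "our" network
HOME_GT_BY_IMSI_PREFIX = {"99902": "99902"}  # constructed: IMSI prefix -> home GT prefix
MIN_TRAVEL_SECONDS = 3600                    # assumed minimum time to change network

@dataclass
class MapMessage:
    op: str          # MAP operation name
    calling_gt: str  # SCCP calling-party global title
    imsi: str
    ts: int          # arrival time, epoch seconds

def screen(msg, last_seen):
    """Return (verdict, reason); last_seen maps IMSI -> (gt_prefix, ts) of last accepted location."""
    if msg.calling_gt.startswith(OWN_GT_PREFIX):
        return "allow", "internal origin"
    if msg.op in CAT1_OPS:  # message type alone decides
        return "block", "cat1: operation not accepted from interconnect"
    if msg.op in CAT2_OPS:  # origin must match the subscriber's home network
        home = HOME_GT_BY_IMSI_PREFIX.get(msg.imsi[:5])
        if home is None or not msg.calling_gt.startswith(home):
            return "block", "cat2: origin is not the subscriber's home network"
        return "allow", "cat2: origin matches home network"
    if msg.op in CAT3_OPS:  # context: compare with the last accepted location
        prev = last_seen.get(msg.imsi)
        here = msg.calling_gt[:5]
        if prev and prev[0] != here and msg.ts - prev[1] < MIN_TRAVEL_SECONDS:
            return "block", "cat3: implausible location change"
        if msg.op == "UpdateLocation":
            last_seen[msg.imsi] = (here, msg.ts)
        return "allow", "cat3: plausible"
    return "allow", "unscreened operation"

SAMPLE = [  # constructed messages, all arriving from external global titles
    MapMessage("AnyTimeInterrogation", "9990300001", "999010000000001", 1000),
    MapMessage("InsertSubscriberData", "9990300001", "999020000000007", 1010),
    MapMessage("UpdateLocation", "9990200002", "999010000000001", 1020),
    MapMessage("UpdateLocation", "9990300001", "999010000000001", 1500),
]

def run(messages):
    """Screen messages in arrival order, carrying location state between them."""
    state = {}
    return [screen(m, state)[0] for m in messages]
```

The last sample message is blocked only because of state left by the third one, which is what separates context-based screening from per-message filtering.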
SS7 Testing Tools
Several tools are available for testing SS7 networks for security vulnerabilities. These tools should only be used by authorized security professionals in controlled environments.
Tool | Type | Features | Usage |
---|---|---|---|
SigPloit | Open Source | SS7, GTP, Diameter, SIP testing | Security research, penetration testing |
SS7 Pentesting Framework | Commercial | Comprehensive SS7 attack simulation | Security audits, vulnerability assessment |
Wireshark with SS7 plugins | Open Source | Protocol analysis, traffic capture | Traffic analysis, troubleshooting |
P1 Security ETP | Commercial | Telecom security assessment platform | Comprehensive security audits |
SS7map | Open Source | SS7 network mapping and testing | Network reconnaissance, vulnerability testing |
When using these tools, it's essential to have proper authorization and to follow responsible disclosure practices if vulnerabilities are discovered.
Additional Resources
For those interested in learning more about SS7 security, there are many valuable resources available including research papers, technical documentation, and training materials.
GSMA FS.11 - SS7 Interconnect Security Monitoring and Firewall Guidelines
GSMA FS.07 - SS7 and SIGTRAN Network Security
GSMA IR.82 - SS7 Security Network Implementation Guidelines
ITU-T Q.700 Series - SS7 Technical Specifications
NIST SP 800-187 - Guide to LTE Security
"Signaling System 7 (SS7) Security Report" - ENISA
"Mobile Self-Defense" - Karsten Nohl & Luca Melette (31C3)
"SS7: Locate. Track. Manipulate." - Tobias Engel (31C3)
"Practical Attacks Against GSM Networks" - P1 Security
"SS7 Attack Discovery and Defense" - Positive Technologies