TelcoSec

SS7 Signaling Protocol

Architecture, Security Vulnerabilities & Attack Vectors


SS7 vulnerabilities expose critical telecom infrastructure to sophisticated attacks

Introduction to SS7

Signaling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975 that is used worldwide to establish and terminate telephone calls on the public switched telephone network (PSTN) and mobile networks. Despite its age, SS7 remains a critical component of global telecommunications infrastructure.

SS7 was designed in an era when telecom networks were closed systems operated by a small number of trusted entities. This fundamental assumption of trust is at the root of many security issues that plague SS7 networks today, as the ecosystem has evolved to include hundreds of operators worldwide with varying security practices.

The protocol enables various services beyond basic call setup, including:

  • SMS message transmission
  • Toll-free calling
  • Local number portability
  • Caller ID services
  • Roaming capabilities
  • Prepaid billing

SS7 Architecture

The SS7 network consists of various network elements that communicate with each other to facilitate call setup, routing, and other services. Understanding this architecture is crucial for identifying potential security vulnerabilities.

Network Elements
  • SSP (Service Switching Point): Handles call setup, teardown, and routing
  • STP (Signal Transfer Point): Routes messages between network elements
  • SCP (Service Control Point): Contains service logic and subscriber databases
  • HLR (Home Location Register): Stores subscriber information
  • VLR (Visitor Location Register): Temporarily stores visiting subscriber data
  • MSC (Mobile Switching Center): Handles mobile call routing and control
Network Interfaces
  • A Interface: Between MSC and BSS
  • B Interface: Between MSC and VLR
  • C Interface: Between HLR and GMSC
  • D Interface: Between HLR and VLR
  • E Interface: Between MSCs
  • F Interface: Between MSC and EIR
  • G Interface: Between VLRs

These network elements communicate over SS7 links, which are categorized as A-links (access), B-links (bridge), C-links (cross), D-links (diagonal), E-links (extended), and F-links (fully associated).

SS7 Protocol Stack

SS7 uses a layered protocol architecture that maps loosely onto the OSI model; layers 4 to 6 have no separate SS7 counterpart. Each layer provides specific functionality and carries its own security weaknesses. Read from the top down:

  • Application layer (OSI 7): MAP, CAP and INAP, carried over TCAP; ISUP sits directly on MTP Level 3 and spans layers 3 to 7
  • Network layer (OSI 3): SCCP (Global Title and subsystem addressing) on top of MTP Level 3 (point-code routing and network management)
  • Data link layer (OSI 2): MTP Level 2
  • Physical layer (OSI 1): MTP Level 1

Message Transfer Part (MTP): Provides reliable transfer of signaling messages between network elements. It consists of three levels:

  • MTP Level 1: Physical layer that defines the physical and electrical characteristics of signaling links
  • MTP Level 2: Data link layer that ensures reliable transfer of messages between adjacent signaling points
  • MTP Level 3: Network layer that handles message routing, traffic management, and network management

Signaling Connection Control Part (SCCP): Provides additional addressing capabilities beyond what MTP offers, allowing for the routing of messages to specific applications within a signaling point.

Transaction Capabilities Application Part (TCAP): Provides a framework for non-circuit-related information exchange between applications.

Mobile Application Part (MAP): Used for mobile-specific operations such as location updates, authentication, and SMS delivery.

ISDN User Part (ISUP): Used for setting up, managing, and releasing trunk circuits that carry voice and data calls between exchanges.

Security Vulnerabilities

SS7 was designed with an inherent trust model that assumes all participants in the network are legitimate and well-behaved. This fundamental assumption creates numerous security vulnerabilities that can be exploited.

  • Lack of Authentication: SS7 does not authenticate the source of a message; the SCCP calling party address is whatever the sender writes into it
  • No Encryption: Messages are transmitted in plaintext, so any node on the signaling path can read IMSIs, authentication vectors and SMS content
  • Implicit Trust Model: Any node reachable over an interconnect is assumed to be a well-behaved operator
  • No Access Control: A receiving HLR, VLR or MSC has no standard mechanism to restrict operations based on who is asking
  • Global Title Routing: Anyone who can inject traffic at an interconnect can address any HLR, MSC or VLR in the world by Global Title, and can relay through intermediaries to hide the true origin

These weaknesses affect every layer of the stack, but the most severe issues sit at the application layer (MAP), where subscriber data and services are accessed. SIGTRAN (M3UA or SUA over SCTP) carries the same SCCP and MAP traffic over IP without changing the trust model, so an interconnect reached through an IP-based signaling hub is just as exposed as a TDM link.
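The addressing described in the stack section, and the "Lack of Authentication" and "Global Title Routing" points above, come down to one data structure: the SCCP party address. The following is an added example, not code from the original page, that encodes and decodes an ITU-T Q.713 party address; the Global Titles, subsystem numbers and point code used are constructed for illustration. It shows that the calling party address a receiving HLR sees is nothing more than BCD digits chosen by the sender.

```python
"""Encode and decode an ITU-T Q.713 SCCP party address (called or calling party).

Added example, not code from the original page. It shows what a signaling node
receives as a message's source and destination: an address indicator, an
optional point code and subsystem number, and a Global Title of BCD digits
that the sender fills in freely. The addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Subsystem numbers (ITU-T Q.713 / 3GPP TS 29.002)
SSN_NAMES = {6: "HLR", 7: "VLR", 8: "MSC", 9: "EIR", 10: "AuC",
             146: "CAP", 147: "gsmSCF", 149: "SGSN", 150: "GGSN"}
NP_NAMES = {1: "E.164", 6: "E.212", 7: "E.214"}   # numbering plans


@dataclass
class PartyAddress:
    route_on_gt: bool                  # False = route on point code / SSN
    ssn: Optional[int] = None
    point_code: Optional[int] = None   # 14-bit ITU point code
    translation_type: int = 0
    numbering_plan: int = 1
    nature_of_address: int = 4         # 4 = international number
    digits: Optional[str] = None       # Global Title digits


def _bcd_encode(digits: str) -> bytes:
    # Two digits per octet, first digit in the low nibble; odd counts get a 0 filler.
    nibbles = [int(d) for d in digits] + ([0] if len(digits) % 2 else [])
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def _bcd_decode(data: bytes, odd: bool) -> str:
    digits = "".join(f"{b & 0x0F}{b >> 4}" for b in data)
    return digits[:-1] if odd else digits


def encode(addr: PartyAddress) -> bytes:
    """Serialise to Q.713 octets; a Global Title is written with GTI = 4."""
    ai, body = 0, bytearray()
    if addr.point_code is not None:
        ai |= 0x01
        body += (addr.point_code & 0x3FFF).to_bytes(2, "little")
    if addr.ssn is not None:
        ai |= 0x02
        body.append(addr.ssn)
    if addr.digits is not None:
        ai |= 4 << 2                           # GTI = 4: TT + NP/ES + NAI + digits
        es = 1 if len(addr.digits) % 2 else 2  # encoding scheme: 1 = BCD odd, 2 = BCD even
        body += bytes([addr.translation_type,
                       (addr.numbering_plan << 4) | es,
                       addr.nature_of_address & 0x7F])
        body += _bcd_encode(addr.digits)
    if not addr.route_on_gt:
        ai |= 0x40                             # routing indicator: route on SSN/PC
    return bytes([ai]) + bytes(body)


def decode(data: bytes) -> PartyAddress:
    """Parse Q.713 octets; GTI values other than 0 and 4 are rejected."""
    ai, pos = data[0], 1
    addr = PartyAddress(route_on_gt=not (ai & 0x40))
    if ai & 0x01:
        addr.point_code = int.from_bytes(data[pos:pos + 2], "little") & 0x3FFF
        pos += 2
    if ai & 0x02:
        addr.ssn = data[pos]
        pos += 1
    gti = (ai >> 2) & 0x0F
    if gti == 4:
        addr.translation_type = data[pos]
        addr.numbering_plan, es = data[pos + 1] >> 4, data[pos + 1] & 0x0F
        addr.nature_of_address = data[pos + 2] & 0x7F
        addr.digits = _bcd_decode(data[pos + 3:], odd=(es == 1))
    elif gti != 0:
        raise ValueError(f"GTI {gti} not supported by this example")
    return addr


def describe(addr: PartyAddress) -> str:
    """One-line summary of the kind an SS7 firewall would log."""
    parts = []
    if addr.digits is not None:
        parts.append(f"GT={addr.digits} ({NP_NAMES.get(addr.numbering_plan, 'NP?')}, TT={addr.translation_type})")
    if addr.ssn is not None:
        parts.append(f"SSN={addr.ssn} ({SSN_NAMES.get(addr.ssn, 'unknown')})")
    if addr.point_code is not None:
        parts.append(f"PC={addr.point_code}")
    parts.append("route-on-GT" if addr.route_on_gt else "route-on-SSN/PC")
    return ", ".join(parts)


# Constructed: a called party naming an HLR by E.164 Global Title, and a calling
# party whose digits claim a home-network MSC. Nothing in the encoding lets the
# receiving HLR verify that claim; a firewall has to check it against policy.
HLR_CALLED = PartyAddress(route_on_gt=True, ssn=6, digits="491700000001")
SPOOFED_CALLING = PartyAddress(route_on_gt=True, ssn=8, digits="447700900001")

if __name__ == "__main__":
    for a in (HLR_CALLED, SPOOFED_CALLING):
        wire = encode(a)
        print(wire.hex(), "->", describe(decode(wire)))
```

Running the block prints the wire bytes of both addresses and their decoded form. The routing indicator decides whether an STP forwards on the Global Title (translated at each hop) or on the point code and SSN; neither path carries any proof of who wrote the calling address, which is why the interconnect firewall controls later in this page work on policy about where a given operation may legitimately originate rather than on the address itself.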

Common SS7 Attacks

SS7 vulnerabilities can be exploited in various ways to compromise subscriber privacy, intercept communications, or disrupt services.

Location Tracking

Attackers can query the HLR or MSC/VLR to determine a subscriber's location. SendRoutingInfoForSM reveals the IMSI and the Global Title of the serving MSC/VLR, which identifies the country and operator the subscriber is attached to; ProvideSubscriberInfo and AnyTimeInterrogation return the Cell Global Identity (MCC, MNC, LAC and Cell ID), giving accuracy down to the cell tower level.

Methods: SendRoutingInfoForSM, AnyTimeInterrogation, ProvideSubscriberInfo

Risk: High

Call Interception

Attackers can redirect calls to their own systems before forwarding them to the intended recipient, enabling eavesdropping. A forged UpdateLocation registers the victim on an attacker-controlled "VLR" so that terminating calls are routed there; InsertSubscriberData can rewrite the subscriber profile, for example pointing the CAMEL service trigger (gsmSCF address) at the attacker so that originating calls are diverted; SendRoutingInfo exposes the roaming number used to route a terminating call.

Methods: UpdateLocation, InsertSubscriberData, SendRoutingInfo

Risk: High

SMS Interception

Attackers can redirect SMS messages, potentially intercepting one-time passwords or other sensitive information. After a forged UpdateLocation, the HLR answers the SMSC's SendRoutingInfoForSM with the attacker's node address, and the MT-ForwardSM carrying the message is delivered to the attacker instead of the subscriber.

Methods: UpdateLocation, InsertSubscriberData, SendRoutingInfoForSM

Risk: Medium

Data Extraction

Attackers can query network databases to extract subscriber information, including IMSIs, MSISDNs, and service profiles. SendIMSI resolves a phone number to its IMSI; SendAuthenticationInfo and SendIdentification return authentication vectors, including the GSM session key Kc, which allows passively recorded radio traffic to be decrypted.

Methods: SendIMSI, SendAuthenticationInfo, SendIdentification

Risk: Medium

These attacks can be combined to create sophisticated attack chains. For example, an attacker might first use data extraction to obtain a subscriber's IMSI, then use that information to perform location tracking or call interception.

The technical complexity of these attacks has decreased significantly in recent years, with commercial tools and services now available that simplify the exploitation of SS7 vulnerabilities.

Countermeasures

While SS7 has inherent security flaws that cannot be completely fixed without replacing the protocol, there are several countermeasures that operators can implement to reduce the risk of successful attacks.

SS7 Firewalls

Specialized firewalls that monitor and filter SS7 traffic based on message type, origin, and context. They can block suspicious requests and detect attack patterns.

Category 1-3 Controls

GSMA FS.11 groups MAP operations by where they may legitimately originate, and the filter for each category follows from that. Category 1 operations (for example SendIMSI and AnyTimeInterrogation) are only ever exchanged inside the home network and can be dropped unconditionally at the interconnect. Category 2 operations (for example ProvideSubscriberInfo and InsertSubscriberData) are sent by a roamer's home network to the visited network, so they are legitimate only when the target IMSI is an inbound roamer and the sender belongs to that roamer's home operator. Category 3 operations (for example UpdateLocation and SendAuthenticationInfo) concern the operator's own outbound roamers and need a plausibility check, typically a velocity check comparing the claimed new location against where and when the subscriber was last seen.
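The category logic above is small enough to write down. The following is an added example, not the page's or GSMA's code: a filter that classifies incoming MAP operations by category and applies the corresponding check. The opcode-to-category mapping is illustrative (FS.11 holds the authoritative lists), and the home-network identifiers, country tables, travel-time threshold and sample traffic are all constructed.

```python
"""Interconnect filter modelled on the GSMA FS.11 category logic.

Added example, not the page's or GSMA's code. The opcode-to-category mapping
below is illustrative (FS.11 holds the authoritative lists); the home-network
identifiers, country tables, travel-time threshold and traffic are constructed.
"""
from dataclasses import dataclass, field

# MAP operation codes (3GPP TS 29.002)
UPDATE_LOCATION, CANCEL_LOCATION, PROVIDE_ROAMING_NUMBER = 2, 3, 4
INSERT_SUBSCRIBER_DATA, SEND_ROUTING_INFO, UPDATE_GPRS_LOCATION = 7, 22, 23
MT_FORWARD_SM, SEND_AUTH_INFO, SEND_IMSI = 44, 56, 58
PROVIDE_SUBSCRIBER_INFO, ANY_TIME_INTERROGATION = 70, 71

# Cat 1: only ever exchanged inside the home network; never accept from interconnect.
CAT1 = {SEND_ROUTING_INFO, SEND_IMSI, ANY_TIME_INTERROGATION}
# Cat 2: sent by a roamer's home HLR to the VLR serving it; accept only for an
# inbound roamer, and only from that roamer's home country.
CAT2 = {CANCEL_LOCATION, PROVIDE_ROAMING_NUMBER, INSERT_SUBSCRIBER_DATA, PROVIDE_SUBSCRIBER_INFO}
# Cat 3: sent by a visited network about one of our outbound roamers; needs a
# location plausibility (velocity) check against where we last saw the subscriber.
CAT3 = {UPDATE_LOCATION, UPDATE_GPRS_LOCATION, SEND_AUTH_INFO}

HOME_MCC_MNC = "99901"                                  # constructed; MCC 999 is reserved for test use
E164_COUNTRY = {"1": "US", "44": "GB", "49": "DE"}      # constructed GT country prefixes
MCC_COUNTRY = {"999": "GB", "310": "US", "262": "DE"}   # constructed IMSI MCC table
MIN_SECONDS_BETWEEN_COUNTRIES = 3 * 3600                # assumed shortest plausible border crossing


def country_of_gt(gt: str):
    for n in (3, 2, 1):
        if gt[:n] in E164_COUNTRY:
            return E164_COUNTRY[gt[:n]]
    return None


def country_of_imsi(imsi: str):
    return MCC_COUNTRY.get(imsi[:3])


@dataclass
class Message:
    opcode: int
    calling_gt: str          # SCCP calling party GT: unauthenticated, attacker controlled
    imsi: str                # subscriber the operation targets
    vlr_number: str = ""     # MAP-level VLR address carried in UpdateLocation
    now: float = 0.0         # arrival time, epoch seconds


@dataclass
class NetworkState:
    inbound_roamers: set = field(default_factory=set)   # foreign IMSIs attached to our VLRs
    last_seen: dict = field(default_factory=dict)       # home IMSI -> (country, epoch seconds)


def evaluate(msg: Message, state: NetworkState):
    """Return ("BLOCK" | "ALLOW", reason) for one incoming interconnect message."""
    is_home_sub = msg.imsi.startswith(HOME_MCC_MNC)
    src_country = country_of_gt(msg.calling_gt)

    if msg.opcode in CAT1:
        return "BLOCK", "cat1: intra-network operation arriving from interconnect"

    if msg.opcode in CAT2:
        if is_home_sub:
            return "BLOCK", "cat2: foreign node may not manage a home subscriber"
        if msg.imsi not in state.inbound_roamers:
            return "BLOCK", "cat2: IMSI is not an inbound roamer here"
        if country_of_imsi(msg.imsi) != src_country:
            return "BLOCK", "cat2: calling GT is not from the roamer's home country"
        return "ALLOW", "cat2: consistent with an inbound roamer"

    if msg.opcode in CAT3:
        if not is_home_sub:
            return "BLOCK", "cat3: outbound-roamer operation on a non-home IMSI"
        if msg.vlr_number and country_of_gt(msg.vlr_number) != src_country:
            return "BLOCK", "cat3: SCCP calling GT and MAP VLR number disagree"
        prev = state.last_seen.get(msg.imsi)
        if prev and prev[0] != src_country and msg.now - prev[1] < MIN_SECONDS_BETWEEN_COUNTRIES:
            return "BLOCK", "cat3: implausible velocity between countries"
        if msg.opcode in (UPDATE_LOCATION, UPDATE_GPRS_LOCATION):
            state.last_seen[msg.imsi] = (src_country, msg.now)   # accepted registration moves the subscriber
        return "ALLOW", "cat3: location plausible"

    return "ALLOW", "uncategorised: pass and log"


def demo():
    """Constructed traffic against a constructed state; returns (verdict, reason) in order."""
    home_sub, inbound = "999010000000001", "262010000000001"
    state = NetworkState(inbound_roamers={inbound}, last_seen={home_sub: ("US", 1_000_000.0)})
    traffic = [
        Message(ANY_TIME_INTERROGATION, "491700000001", home_sub),                        # location probe
        Message(PROVIDE_SUBSCRIBER_INFO, "491700000002", inbound),                        # DE HLR about its DE roamer
        Message(PROVIDE_SUBSCRIBER_INFO, "12125550100", inbound),                         # US node about a DE roamer
        Message(UPDATE_LOCATION, "491700000003", home_sub, "491700000003", 1_000_600.0),  # US -> DE in 10 minutes
        Message(UPDATE_LOCATION, "491700000003", home_sub, "491700000003", 1_018_000.0),  # US -> DE in 5 hours
        Message(UPDATE_LOCATION, "491700000003", home_sub, "447700900001", 1_018_600.0),  # GT says DE, VLR says GB
        Message(MT_FORWARD_SM, "12125550100", home_sub),                                  # ordinary SMS delivery
    ]
    return [evaluate(m, state) for m in traffic]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

Two design points carry over to real deployments: Category 2 and 3 decisions need live network state (who is roaming in, where our subscribers were last seen), so the firewall must be fed by the HLR/VLR rather than work on packets alone, and the cross-layer consistency check between the SCCP calling address and the MAP-level VLR number catches attackers who spoof one but not the other.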

SMS Home Routing

Instead of answering an external SendRoutingInfoForSM with the subscriber's real IMSI and serving MSC, the HLR returns the address of a home SMS router together with an IMSI-formatted correlation identifier; the router receives the MT-ForwardSM, resolves the identifier and delivers the message inside the home network. This closes the main SRI-SM information leak used for location tracking and IMSI harvesting, and lets the home network apply its own anti-spoofing and anti-fraud checks to incoming SMS.
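To make the difference concrete, the following added example (not code from the original page) simulates the SRI-SM exchange described under Location Tracking and Data Extraction, first against a classic HLR and then against one doing home routing; the subscriber, node addresses, home prefix and the counter-based correlation identifiers are constructed for illustration.

```python
"""SendRoutingInfoForSM handling with and without SMS Home Routing, simulated.

Added example, not code from the original page. The MAP exchange is modelled
with Python dicts; the subscriber, node addresses, home prefix and the
IMSI-formatted correlation IDs are constructed for illustration.
"""
import itertools

REAL_IMSI, SERVING_MSC_GT = "999010000000001", "491700000042"   # constructed: subscriber roaming on a DE network
HLR_DB = {"447700900123": (REAL_IMSI, SERVING_MSC_GT)}          # constructed: MSISDN -> (IMSI, serving MSC GT)
HOME_SMS_ROUTER_GT = "447700900900"                             # constructed GT of the home SMS router
HOME_GT_PREFIX = "447700900"                                    # constructed: prefix of our own signaling nodes


class NaiveHLR:
    """Classic behaviour: tell any asker the IMSI and the serving MSC."""

    def send_routing_info_for_sm(self, msisdn: str, calling_gt: str) -> dict:
        imsi, msc = HLR_DB[msisdn]
        return {"imsi": imsi, "networkNode-Number": msc}


class HomeRoutingHLR:
    """External askers get the SMS router's address and a correlation ID instead."""

    def __init__(self):
        self._seq = itertools.count(5_000_000_000)   # simple counter; IDs live only until delivery
        self.correlations = {}                       # correlation ID -> (IMSI, serving MSC GT)

    def send_routing_info_for_sm(self, msisdn: str, calling_gt: str) -> dict:
        imsi, msc = HLR_DB[msisdn]
        if calling_gt.startswith(HOME_GT_PREFIX):
            return {"imsi": imsi, "networkNode-Number": msc}   # our own SMSC still gets the real data
        corr = f"99901{next(self._seq):010d}"     # 15 digits, shaped like an IMSI so the sender accepts it
        self.correlations[corr] = (imsi, msc)
        return {"imsi": corr, "networkNode-Number": HOME_SMS_ROUTER_GT}


def sms_router_mt_forward(hlr: HomeRoutingHLR, corr_id: str, payload: str) -> dict:
    """Home SMS router: resolve the correlation ID, then deliver to the real serving MSC."""
    imsi, msc = hlr.correlations.pop(corr_id)
    return {"to": msc, "imsi": imsi, "payload": payload}


def attacker_probe(hlr, msisdn: str, attacker_gt: str) -> dict:
    """What one SRI-SM from a foreign GT reveals: the tracking / data-extraction view."""
    resp = hlr.send_routing_info_for_sm(msisdn, attacker_gt)
    return {"imsi_leaked": resp["imsi"] == HLR_DB[msisdn][0],
            "serving_msc_leaked": resp["networkNode-Number"] == HLR_DB[msisdn][1]}


if __name__ == "__main__":
    print("naive HLR  :", attacker_probe(NaiveHLR(), "447700900123", "12125550100"))
    hr = HomeRoutingHLR()
    print("home routed:", attacker_probe(hr, "447700900123", "12125550100"))
    sri = hr.send_routing_info_for_sm("447700900123", "12125550100")
    print("router delivers:", sms_router_mt_forward(hr, sri["imsi"], "OTP 123456"))
```

Home routing does not stop an attacker who has already relocated the subscriber with a forged UpdateLocation; it removes the reconnaissance step (IMSI and serving-network disclosure to anyone who can send an SRI-SM) and gives the home network a point at which incoming SMS can be inspected.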

Diameter Migration

4G/LTE networks replace MAP with Diameter over SCTP or TCP, which can be protected hop by hop with IPsec or TLS. This improves transport security but keeps the same interconnect trust model: a roaming partner or IPX hub that can reach the HSS can still send the Diameter equivalents of UpdateLocation and InsertSubscriberData, so Diameter interconnects need the same category-based filtering (GSMA FS.19). 5G core roaming moves to an HTTP/2-based service architecture with a Security Edge Protection Proxy (SEPP) at the network border.

Monitoring & Detection

Continuous monitoring of SS7 traffic to detect and respond to suspicious activities and potential attacks in real-time.

Interconnect Security

Implementing strict security requirements for interconnect partners and regularly auditing their compliance.

Operators should also stay informed about emerging threats and vulnerabilities through industry groups like the GSMA Fraud and Security Group (FASG) and implement security updates promptly.

SS7 Testing Tools

Several tools are available for testing SS7 networks for security vulnerabilities. These tools should only be used by authorized security professionals in controlled environments.

Tool                      Type         Features                                                        Usage
SigPloit                  Open source  SS7, GTP, Diameter, SIP testing                                 Security research, penetration testing
SS7 Pentesting Framework  Commercial   Comprehensive SS7 attack simulation                             Security audits, vulnerability assessment
Wireshark                 Open source  Built-in MTP3/M3UA, SCCP, TCAP and GSM MAP dissectors, capture  Traffic analysis, troubleshooting
P1 Security ETP           Commercial   Telecom security assessment platform                            Comprehensive security audits
SS7map                    Open source  SS7 network mapping and testing                                 Network reconnaissance, vulnerability testing

When using these tools, it's essential to have proper authorization and to follow responsible disclosure practices if vulnerabilities are discovered.

Additional Resources

For those interested in learning more about SS7 security, there are many valuable resources available including research papers, technical documentation, and training materials.

Industry Standards & Guidelines

GSMA FS.11 - SS7 Interconnect Security Monitoring and Firewall Guidelines

GSMA FS.07 - SS7 and SIGTRAN Network Security

GSMA IR.82 - SS7 Security Network Implementation Guidelines

ITU-T Q.700 Series - SS7 Technical Specifications

NIST SP 800-187 - Guide to LTE Security

Research Papers & Presentations

"Signaling System 7 (SS7) Security Report" - ENISA

"Mobile Self-Defense" - Karsten Nohl & Luca Melette (31C3)

"SS7: Locate. Track. Manipulate." - Tobias Engel (31C3)

"Practical Attacks Against GSM Networks" - P1 Security

"SS7 Attack Discovery and Defense" - Positive Technologies
