SS7 Attacks & Security Vulnerabilities
Comprehensive analysis of Signaling System 7 protocol vulnerabilities, attack vectors, real-world exploitation scenarios, and advanced security testing methodologies for telecommunications networks
Total Attacks: 15 | Critical: 12 | High: 3 | Medium: 0
Signaling System No. 7 (SS7) is a critical telecommunications protocol suite that forms the backbone of global mobile networks. Developed in the 1970s, SS7 is responsible for setting up and tearing down telephone calls, routing SMS messages, enabling mobile roaming, and supporting essential services like number portability and prepaid billing.
Despite its fundamental importance to telecommunications infrastructure, SS7 was designed in an era when security was not a primary concern. The protocol operates on a trust-based architecture, assuming all connected operators are legitimate and trustworthy. This design philosophy, combined with the lack of built-in authentication and encryption mechanisms, has created significant security vulnerabilities that persist in modern networks.
- Call setup and teardown signaling
- SMS message routing and delivery
- Mobile subscriber roaming management
- Number portability services
- Prepaid billing and charging
- Location-based services

- No authentication mechanisms in original design
- Absence of encryption for signaling messages
- Trust-based architecture with no verification
- Limited access controls between networks
- Legacy equipment with outdated security
- Complex international roaming agreements
SS7 Attack Categories
Track subscriber location without knowledge or consent using MAP protocol operations.
Intercept and eavesdrop on voice communications by manipulating location and routing information.
Intercept text messages including OTPs and sensitive communications for account takeover and fraud.
Disrupt subscriber services and network availability through malicious signaling messages.
Facilitate financial fraud and identity theft through SIM cloning and authentication vector theft.
Attack Category Overview
Location tracking attacks exploit SS7 MAP protocol operations to determine subscriber location. These attacks enable real-time location monitoring with varying accuracy levels, from network-level to precise cell-level tracking.
- SendRoutingInfoForSM (Critical): Network-level location tracking via SMS routing mechanism
- AnyTimeInterrogation (Critical): Cell-level precise location with 50m-2km accuracy
- ProvideSubscriberInfo (High): Comprehensive subscriber location and status information

Call interception attacks exploit SS7 signaling to redirect voice calls through attacker-controlled infrastructure, enabling complete eavesdropping, recording, and manipulation of voice communications without subscriber knowledge.
- UpdateLocation Manipulation (Critical): Most powerful attack - redirects all incoming calls to attacker's infrastructure
- InsertSubscriberData (Critical): Modifies subscriber profiles to enable call forwarding without user consent
- SendRoutingInfo Exploitation (High): Intercepts and modifies routing information to redirect calls mid-path

SMS interception attacks redirect text messages through attacker-controlled systems, enabling interception of OTPs, password resets, and sensitive communications. These attacks are especially dangerous for financial fraud and account takeovers.
- UpdateLocation + SMS Routing (Critical): Redirects all SMS messages to attacker's infrastructure via location manipulation
- MT-ForwardSM Interception (High): Captures SMS messages in transit through signaling path manipulation
- SendRoutingInfoForSM Manipulation (High): Modifies SMS routing responses to redirect specific messages selectively

Service disruption attacks use SS7 signaling to forcibly disconnect subscribers from the network or disable specific services, causing denial of service and preventing legitimate use of mobile communications.
- CancelLocation Attack (High): Forces immediate network detachment, causing complete loss of all mobile services
- PurgeMS Attack (Medium): Removes subscriber data from VLR, marking subscriber as unreachable until re-registration
- DeleteSubscriberData (High): Selectively disables specific services like call forwarding, roaming, or data services

Fraud enablement attacks extract authentication credentials and subscriber identifiers to enable SIM cloning, identity theft, and financial fraud. These attacks can result in massive financial losses and service abuse.
- SendIMSI Attack (High): Obtains permanent subscriber identifier (IMSI) for SIM cloning preparation
- SendAuthenticationInfo (Critical): Most critical attack - extracts authentication vectors enabling complete SIM cloning
- Roaming Fraud (High): Impersonates roaming partners to enable fraudulent usage billed through agreements

Real-World Incidents & Case Studies
In a groundbreaking 60 Minutes CBS investigation, security researchers demonstrated live SS7 exploitation by tracking German politicians' locations and intercepting their communications. The demonstration used only the targets' phone numbers and SS7 network access, revealing the ease with which these attacks can be performed.
Attack Methods Used:
- SendRoutingInfoForSM for location tracking
- Real-time location monitoring
- Call and SMS interception capabilities demonstrated
Research by Citizen Lab revealed that NSO Group's Pegasus spyware used SS7 vulnerabilities as part of its attack chain. SS7 was used for initial target location before deploying mobile malware, enabling sophisticated surveillance operations against journalists, activists, and political figures worldwide.
Attack Chain:
- SS7 location tracking to identify target's current network
- Network-specific exploit delivery
- Spyware installation on target device
- Ongoing surveillance and data exfiltration
During the Ukrainian conflict, SS7 attacks were used to intercept communications and track military personnel. The attacks resulted in military intelligence compromise and operational security breaches, demonstrating the use of SS7 vulnerabilities in modern warfare scenarios.
Impact:
- Military communications intercepted
- Troop movements tracked
- Operational security compromised
- Strategic intelligence gathered
Criminal organizations have exploited SS7 vulnerabilities to intercept SMS-based one-time passwords (OTPs) used for banking authentication. By intercepting these OTPs, attackers can authorize fraudulent transactions, leading to significant financial losses for victims and financial institutions.
Attack Pattern:
- Obtain victim's banking credentials (phishing, data breach)
- Use SS7 to intercept SMS OTPs
- Authorize fraudulent transactions
- Transfer funds before detection
Financial Impact:
Estimated losses in millions of dollars globally. Multiple cases reported across Europe, Asia, and North America. Led to increased adoption of app-based authentication methods.
Mitigation Strategies & Countermeasures
Deploying specialized SS7 firewalls is the most effective defense against SS7 attacks. These firewalls filter malicious signaling traffic based on configurable rules and policies.
Key Features:
- Block unauthorized MAP operations
- Filter messages based on source Global Title
- Category-based filtering (Cat 1-3 attacks)
- Real-time threat detection and blocking
- Whitelist/blacklist management
- Anomaly detection and alerting
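The category-based filtering and source Global Title checks listed above can be sketched as follows. This is an added example, not code from the original page or from any firewall product. It assumes the commonly described three-way split (Cat 1: never valid on an interconnect link; Cat 2: valid only from the subscriber's home network; Cat 3: valid only from a plausible visited network); the category assignment, GT and IMSI prefixes, and the travel-time threshold are all constructed.

```python
from collections import namedtuple

# Constructed values (assumptions): GT prefixes, 5-digit MCC+MNC, threshold.
HOME_GT = "99901"                       # our own network's Global Title prefix
HOME_PLMN = "99901"                     # our IMSI prefix (MCC+MNC)
PARTNER_GT = {"99902": "99802"}         # partner IMSI prefix -> partner GT prefix
MIN_TRAVEL_S = 3600                     # minimum plausible time to change network

# Illustrative category assignment for operations named on this page.
CAT1 = {"sendIMSI", "anyTimeInterrogation", "sendRoutingInfo"}
CAT2 = {"insertSubscriberData", "deleteSubscriberData",
        "cancelLocation", "provideSubscriberInfo"}
CAT3 = {"updateLocation", "sendAuthenticationInfo", "purgeMS"}

# op, source Global Title, targeted subscriber's IMSI, arrival time (seconds)
MapMsg = namedtuple("MapMsg", "op calling_gt imsi ts")

def screen(msg, last_seen):
    """Return (verdict, reason); last_seen maps IMSI -> (GT prefix, ts)."""
    src = msg.calling_gt
    if src.startswith(HOME_GT):
        return "allow", "intra-network"
    if msg.op in CAT1:                  # never legitimate on an interconnect link
        return "block", "cat1"
    if msg.op in CAT2:                  # only the roamer's home network may send
        home = PARTNER_GT.get(msg.imsi[:5])
        if home and src.startswith(home):
            return "allow", "cat2 from home network"
        return "block", "cat2 source mismatch"
    if msg.op in CAT3:                  # only a plausible visited network may send
        if not msg.imsi.startswith(HOME_PLMN):
            return "block", "cat3 foreign subscriber"
        if not any(src.startswith(p) for p in PARTNER_GT.values()):
            return "block", "cat3 unknown partner"
        prev = last_seen.get(msg.imsi)
        if prev and not src.startswith(prev[0]) and msg.ts - prev[1] < MIN_TRAVEL_S:
            return "block", "cat3 implausible move"
        if msg.op == "updateLocation":  # remember the accepted location
            last_seen[msg.imsi] = (src[:5], msg.ts)
        return "allow", "cat3 plausible"
    return "alert", "uncategorised operation"
```

Operations outside the three sets are surfaced for review rather than silently passed, so a new or unexpected operation on the interconnect is visible to the operator.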
SMS Home Routing creates architectural separation between the SMS service center and the HLR, preventing direct access for SMS-related operations.
Protection Mechanism:
- Prevents SendRoutingInfoForSM location tracking
- Routes all SMS through home network
- Eliminates direct HLR access from external networks
- Maintains SMS delivery functionality
- Transparent to end users
Continuous monitoring of SS7 traffic for anomalies enables early detection of attacks in progress and provides forensic data for incident response.
Monitoring Capabilities:
- Detect unusual patterns in signaling traffic
- Alert on suspicious MAP operations
- Track location query volumes
- Identify unauthorized source networks
- Generate security incident reports
- Provide forensic analysis data
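Two of the monitoring capabilities above, tracking location query volumes and identifying unauthorized source networks, are shown here running over a few signaling log lines. This is an added example, not code from the original page; the CSV log format (time, source GT, operation, target MSISDN), the sample records, the allowlist and the thresholds are all constructed.

```python
from collections import defaultdict, deque

# Location-related operations named in the location tracking category above.
LOCATION_OPS = {"sendRoutingInfoForSM", "anyTimeInterrogation",
                "provideSubscriberInfo"}
KNOWN_SOURCES = {"998020000001"}   # constructed allowlist of partner GTs
WINDOW_S = 60                      # assumed sliding-window length in seconds
MAX_QUERIES = 3                    # assumed per-source limit inside the window

# Constructed sample log: time,source_gt,operation,target_msisdn
SAMPLE_LOG = """\
100,998020000001,sendRoutingInfoForSM,999015550001
105,997000000009,anyTimeInterrogation,999015550002
110,997000000009,provideSubscriberInfo,999015550002
120,997000000009,sendRoutingInfoForSM,999015550003
130,997000000009,anyTimeInterrogation,999015550004
135,998020000001,updateLocation,999015550001
400,997000000009,sendRoutingInfoForSM,999015550005
"""

def detect(log_text):
    """Return a list of (ts, source_gt, alert) tuples in log order."""
    alerts, windows, unknown_seen = [], defaultdict(deque), set()
    for line in log_text.strip().splitlines():
        ts_s, gt, op, target = line.split(",")
        ts = int(ts_s)
        if op not in LOCATION_OPS:
            continue
        # First location query from a source outside the allowlist.
        if gt not in KNOWN_SOURCES and gt not in unknown_seen:
            unknown_seen.add(gt)
            alerts.append((ts, gt, "unknown-source"))
        win = windows[gt]
        win.append((ts, target))
        while win and ts - win[0][0] >= WINDOW_S:   # drop expired events
            win.popleft()
        if len(win) > MAX_QUERIES:
            targets = len({t for _, t in win})
            alerts.append((ts, gt, f"volume:{len(win)} queries/{targets} targets"))
    return alerts
```

The distinct-target count in the volume alert helps separate one source repeatedly locating a single subscriber from a source sweeping many numbers.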
Implementing stronger authentication for SS7 operations adds security layers beyond the original trust-based model.
Authentication Methods:
- Mutual authentication between network elements
- Digital signatures for critical operations
- Time-based tokens to prevent replay attacks
- Certificate-based authentication
- Origin verification for all messages
Securing the interface between SS7 and Diameter networks prevents attacks from legacy networks affecting modern 4G/5G infrastructure.
Security Controls:
- Protocol translation security
- Message validation at boundaries
- Filtering at interworking points
- Separate security policies per protocol
Implementing strict access controls and network segmentation limits the attack surface and contains potential breaches.
Best Practices:
- Restrict SS7 interconnections to trusted partners
- Implement least-privilege access policies
- Segment signaling and media networks
- Regular security audits of interconnections
- Terminate untrusted connections
SS7 Security Testing Methodology
Security Testing Tools & Resources
- SigPloit: Open-source SS7 security testing framework with comprehensive attack modules (github.com/SigPloiter/SigPloit)
- SS7map: SS7 network mapping and reconnaissance tool for infrastructure discovery (github.com/ernw/ss7map)
- SS7 Pentesting Suite: Professional toolkit for comprehensive SS7 vulnerability assessment
- P1 Security SS7 Scanner: Automated SS7 vulnerability scanner with reporting capabilities
Industry Standards & Guidelines
- GSMA FS.11: SS7 Interconnect Security Monitoring and Firewall Guidelines
- GSMA FS.07: SS7 and SIGTRAN Network Security
- GSMA IR.82: SS7 Security Network Implementation Guidelines
- ENISA Guidelines: Technical Guideline on Security Measures for Article 4 and Article 13a
- NIST SP 800-187: Guide to LTE Security
- ITU-T Q.3057: Signalling System No. 7 Security Framework