SS7 Location Tracking Attacks
Techniques to track subscriber location without their knowledge or consent using SS7 MAP protocol operations. These attacks enable real-time location monitoring, surveillance, and tracking of mobile subscribers.
The SendRoutingInfoForSM (SRI-SM) attack exploits the SMS routing mechanism to determine a subscriber's current location. Attackers send SRI-SM messages to the target's Home Location Register (HLR), pretending to deliver an SMS message. The HLR responds with the subscriber's IMSI and current serving MSC address, revealing their approximate location.
Technical Details:
- Exploits MAP protocol's SMS routing functionality
- Requires only the target's phone number (MSISDN)
- Returns IMSI and serving MSC/VLR address
- Can be performed remotely with SS7 network access
- Location accuracy: Network-level (city/region)
- Minimal detection footprint on target device
Attack Sequence:
- Attacker sends SendRoutingInfoForSM request to target's HLR
- HLR queries serving MSC/VLR for subscriber location
- HLR returns IMSI and MSC/VLR address to attacker
- Attacker can map MSC/VLR to geographic location
Real-World Impact:
Used by NSO Group's Pegasus spyware for initial target location before deploying mobile malware. Also exploited in the 2016 60 Minutes CBS investigation that tracked German politicians. This attack is particularly dangerous because it requires only a phone number and SS7 network access.
AnyTimeInterrogation (ATI) is a more sophisticated location tracking method that provides precise cell-level location information. After obtaining the IMSI through SRI-SM, attackers send ATI requests to the HLR, which forwards the request to the serving MSC/VLR. The response includes Cell Global Identity (CGI), providing location accuracy of 50m-2km depending on cell density.
Technical Details:
- Provides Cell Global Identity (CGI) information
- Includes timing advance for distance calculation
- Can reveal subscriber state (active, idle, roaming)
- Minimal detection footprint on target device
- Location accuracy: Cell-level (50m-2km)
- Requires IMSI obtained from SRI-SM attack
Attack Sequence:
- Obtain target's IMSI via SendRoutingInfoForSM
- Send AnyTimeInterrogation request to HLR with IMSI
- HLR forwards request to serving MSC/VLR
- MSC/VLR returns Cell Global Identity (CGI)
- Attacker maps CGI to precise geographic location
Real-World Impact:
Used by intelligence agencies for surveillance operations. Enables continuous tracking as subscribers move between different network areas. The high location accuracy makes this attack particularly dangerous for high-value targets.
ProvideSubscriberInfo (PSI) requests detailed subscriber location and status information directly from the serving MSC/VLR. This attack provides comprehensive data including cell location, subscriber state, and service information.
Information Obtained:
- Current cell location (CGI)
- Subscriber state (active call, idle, etc.)
- IMEI (device identifier)
- Service information and capabilities
- Location age (time since last update)
- Roaming status and network information
Technical Details:
- Direct query to serving MSC/VLR
- Provides comprehensive subscriber data
- Higher accuracy than SRI-SM
- Can reveal active call information
- Requires positioning in signaling path or HLR access
Attackers often combine multiple SS7 location tracking techniques to achieve continuous, precise surveillance. These combined attacks provide real-time location monitoring with high accuracy.
Multi-Stage Location Tracking:
- Initial location via SendRoutingInfoForSM (network-level accuracy)
- Precise location via AnyTimeInterrogation (cell-level accuracy)
- Continuous monitoring via repeated ATI requests
- Subscriber state monitoring via ProvideSubscriberInfo
Real-World Application:
Used in sophisticated surveillance operations where continuous tracking is required. The combination of SRI-SM for initial location and ATI for precise tracking enables real-time monitoring without device compromise.
Real-World Case Studies
In a groundbreaking 60 Minutes CBS investigation, security researchers demonstrated live SS7 exploitation by tracking German politicians' locations and intercepting their communications. The demonstration used only the targets' phone numbers and SS7 network access, revealing the ease with which these attacks can be performed.
Attack Methods Used:
- SendRoutingInfoForSM for location tracking
- Real-time location monitoring
- Call and SMS interception capabilities demonstrated
Research by Citizen Lab revealed that NSO Group's Pegasus spyware used SS7 vulnerabilities as part of its attack chain. SS7 was used for initial target location before deploying mobile malware, enabling sophisticated surveillance operations against journalists, activists, and political figures worldwide.
Attack Chain:
- SS7 location tracking to identify target's current network
- Network-specific exploit delivery
- Spyware installation on target device
- Ongoing surveillance and data exfiltration
Detection and Mitigation
Deploy SS7 firewalls to filter unauthorized location query operations. Block SendRoutingInfoForSM, AnyTimeInterrogation, and ProvideSubscriberInfo requests from untrusted sources.
Firewall Rules:
- Block SRI-SM from non-SMSC sources
- Restrict ATI to authorized services only
- Filter PSI requests by source Global Title
- Implement rate limiting on location queries
Monitor SS7 traffic for suspicious location query patterns. Detect anomalies such as repeated queries for the same subscriber or queries from unusual sources.
Detection Indicators:
- High frequency of location queries
- Queries from non-SMSC sources
- Unusual query patterns
- Repeated queries for same subscriber
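The firewall rules and detection indicators above, combined into one screening pass over decoded MAP events. This is an added example, not code from the original page or from any SS7 firewall product; the Global Titles, the thresholds, the event tuple layout and the `screen` function name are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy: every Global Title (GT) here is a made-up placeholder.
SMSC_GTS = {"491710000001"}      # GTs known to be SMSCs, may send SRI-SM
ATI_GTS = {"491700000010"}       # services authorised to send ATI
PSI_GTS = {"491700000020"}       # HLR GTs accepted as a PSI source
WINDOW_S, MAX_QUERIES = 300, 3   # assumed limit: queries per subscriber per window
LOCATION_OPS = {"SRI-SM": SMSC_GTS, "ATI": ATI_GTS, "PSI": PSI_GTS}

def screen(events):
    """Return one (verdict, reason) per event; events must be time-ordered."""
    recent = defaultdict(deque)  # subscriber -> timestamps of location queries
    verdicts = []
    for ts, src_gt, op, subscriber in events:
        allowed_gts = LOCATION_OPS.get(op)
        if allowed_gts is None:
            verdicts.append(("pass", "not a location query"))
            continue
        window = recent[subscriber]
        window.append(ts)                    # blocked attempts count too
        while ts - window[0] > WINDOW_S:     # drop entries older than the window
            window.popleft()
        if src_gt not in allowed_gts:
            verdicts.append(("block", f"{op} from unauthorised source GT"))
        elif len(window) > MAX_QUERIES:
            verdicts.append(("block", "rate limit for this subscriber"))
        else:
            verdicts.append(("allow", "ok"))
    return verdicts

# Constructed sample log: (seconds, calling GT, MAP operation, subscriber)
EVENTS = [
    (0,   "491710000001", "SRI-SM", "sub-A"),  # known SMSC
    (60,  "491710000001", "SRI-SM", "sub-A"),
    (90,  "882990000042", "SRI-SM", "sub-B"),  # SRI-SM from a non-SMSC GT
    (100, "882990000042", "ATI",    "sub-B"),  # ATI from an unauthorised GT
    (110, "882990000042", "PSI",    "sub-B"),  # PSI from an unlisted GT
    (120, "491710000001", "SRI-SM", "sub-A"),
    (130, "491710000001", "SRI-SM", "sub-A"),  # 4th query for sub-A in 300 s
    (500, "491710000001", "SRI-SM", "sub-A"),  # earlier queries have aged out
    (510, "491700000020", "PSI",    "sub-A"),  # listed HLR
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, screen(EVENTS)):
        print(event, "->", verdict)
```

Because blocked attempts still count toward the per-subscriber window, the same counters serve as the "repeated queries for same subscriber" indicator even when the source is already denied.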