Back to SS7 Attacks
Critical Security Vulnerability

SS7 SMS Interception Attacks

Methods to intercept text messages including OTPs and sensitive communications for account takeover and financial fraud. SMS interception is particularly dangerous as SMS is widely used for two-factor authentication and banking OTPs.

SMS Interception Attack Flow
Visual representation of SS7 SMS interception attack sequence showing UpdateLocation manipulation and SMS routing redirection
SS7 SMS interception attack flow diagram showing UpdateLocation manipulation, SMS routing redirection to attacker infrastructure, and OTP interception scenario
UpdateLocation + SMS Routing
Critical
Redirects all SMS messages to attacker infrastructure by manipulating subscriber location

Similar to call interception, attackers use UpdateLocation to register the target with an attacker-controlled MSC/VLR. When SMS messages are sent to the target, the SMSC queries the HLR for routing information and receives the attacker's address, causing all SMS messages to be delivered to the attacker's system.

Attack Flow:

  1. Attacker sends UpdateLocation to target's HLR
  2. HLR updates subscriber location to attacker's VLR
  3. SMS sent to target's phone number
  4. SMSC queries HLR with SendRoutingInfoForSM
  5. HLR returns attacker's VLR address
  6. SMS delivered to attacker's system
  7. Attacker optionally forwards SMS to target

Technical Details:

  • • Requires attacker-controlled MSC/VLR infrastructure
  • • Exploits trust-based SS7 architecture
  • • All SMS messages redirected, not just specific ones
  • • Can forward SMS to target to avoid detection
  • • Enables complete SMS interception including OTPs

Real-World Impact:

Banking fraud cases where attackers intercepted SMS OTPs to authorize fraudulent transactions. Account takeovers where SMS-based password resets were intercepted. Estimated losses in millions of dollars globally. Led to increased adoption of app-based authentication methods.

MT-ForwardSM Interception
High
Intercepts SMS messages in the signaling path during delivery

MT-ForwardSM (Mobile Terminated Forward Short Message) interception involves positioning in the signaling path to capture SMS messages as they're being delivered. This attack requires more sophisticated network positioning but leaves less trace than UpdateLocation attacks.

Technical Details:

  • • Requires position in SMS delivery path
  • • Captures MT-ForwardSM MAP messages
  • • Can be combined with SRI-SM manipulation
  • • Lower detection risk than UpdateLocation
  • • Requires real-time message processing

Advantages:

  • • Less traceable than UpdateLocation attacks
  • • Doesn't disrupt subscriber services
  • • Can be selective (specific SMS only)
  • • Lower risk of detection by target
SendRoutingInfoForSM Manipulation
High
Intercepts and modifies SMS routing queries to redirect specific messages

Attackers intercept SendRoutingInfoForSM queries from the SMSC and modify the responses to redirect SMS delivery. This attack requires positioning between the SMSC and HLR but can be more targeted than UpdateLocation attacks.

Advantages:

  • • More targeted than UpdateLocation
  • • Can be selective (specific SMS only)
  • • Lower impact on legitimate services
  • • Harder to detect than full location update
  • • Minimal subscriber service disruption
OTP Interception Scenarios
Real-world attack scenarios targeting SMS-based one-time passwords

SMS-based one-time passwords (OTPs) are widely used for two-factor authentication and banking transactions. SS7 SMS interception enables attackers to intercept these OTPs, leading to account takeovers and financial fraud.

Attack Pattern:

  1. Obtain victim's banking credentials (phishing, data breach)
  2. Initiate transaction or password reset request
  3. Use SS7 to intercept SMS OTP before it reaches victim
  4. Authorize fraudulent transaction with intercepted OTP
  5. Transfer funds before detection

Financial Impact:

Estimated losses in millions of dollars globally. Multiple cases reported across Europe, Asia, and North America. Led to increased adoption of app-based authentication methods. Banks now recommend using authenticator apps instead of SMS for two-factor authentication.

Real-World Case Studies

Banking Fraud via SMS Interception (2017-Present)
Ongoing Financial Crime
Financial

Criminal organizations have exploited SS7 vulnerabilities to intercept SMS-based one-time passwords (OTPs) used for banking authentication. By intercepting these OTPs, attackers can authorize fraudulent transactions, leading to significant financial losses for victims and financial institutions.

Attack Pattern:

  1. Obtain victim's banking credentials (phishing, data breach)
  2. Use SS7 to intercept SMS OTPs
  3. Authorize fraudulent transactions
  4. Transfer funds before detection

Financial Impact:

Estimated losses in millions of dollars globally. Multiple cases reported across Europe, Asia, and North America. Led to increased adoption of app-based authentication methods.

SMS InterceptionOTP TheftFinancial Fraud

Detection and Mitigation

SMS Home Routing

SMS Home Routing creates architectural separation between the SMS service center and the HLR, preventing direct access for SMS-related operations. This is one of the most effective defenses against SMS interception attacks.

Protection Mechanism:

  • • Prevents SendRoutingInfoForSM location tracking
  • • Routes all SMS through home network
  • • Eliminates direct HLR access from external networks
  • • Maintains SMS delivery functionality
  • • Transparent to end users
Effectiveness: High
Monitoring and Detection

Monitor SS7 traffic for suspicious SMS routing patterns. Detect anomalies such as unexpected UpdateLocation updates or SMS routing changes.

Detection Indicators:

  • • Unexpected UpdateLocation updates
  • • SMS routing to unknown networks
  • • Failed SMS delivery patterns
  • • Unusual routing changes
Related Security Resources