SS7 Call Interception Attacks
Techniques to intercept voice calls
SS7 call interception attacks exploit vulnerabilities in the Signaling System No. 7 protocol to redirect and eavesdrop on voice calls intended for a target subscriber. These attacks manipulate the network's location and subscriber data to route calls through an attacker-controlled path, creating a man-in-the-middle scenario without the knowledge of either the caller or the recipient.
Security Implications
- Confidential conversation eavesdropping
- Corporate espionage
- Political surveillance
- Intelligence gathering
- Bypassing encryption at the network level
- Compromising two-factor authentication via voice calls
Technical Prerequisites
- Access to SS7 network (direct or via compromised operator)
- Knowledge of target's MSISDN (phone number) and IMSI
- SS7 message crafting capabilities
- Global Title (GT) spoofing ability
- Call routing infrastructure
- Call recording capabilities
Call Interception Techniques
Technical Details
The UpdateLocation (UL) MAP operation is legitimately used when a mobile device moves to a new location and registers with a new Visitor Location Register (VLR). This operation updates the Home Location Register (HLR) with the subscriber's current location.
In this attack, the attacker sends a fraudulent UpdateLocation message to the target's HLR, impersonating a VLR in the attacker's control. This tricks the HLR into believing the subscriber has moved to the attacker's network.
Once the HLR updates its records, all incoming calls to the target are routed through the attacker's fake VLR, allowing the attacker to intercept, record, and forward the calls to the actual recipient (to avoid detection).
Attack Flow
- Attacker obtains target's MSISDN (phone number) and IMSI
- Attacker crafts an UpdateLocation message with the target's IMSI
- Attacker sets the VLR address to a GT under their control
- Message is sent to target's home network HLR
- HLR processes the request without adequate authentication
- HLR updates its database with the new VLR location
- HLR sends InsertSubscriberData to the attacker's fake VLR
- Attacker acknowledges receipt of subscriber data
- HLR sends CancelLocation to the legitimate VLR
- All incoming calls are now routed to the attacker's network
- Attacker can intercept, record, and forward calls to hide the attack
Mitigation
- Implement UL validation and filtering
- Verify the source GT against known legitimate VLRs
- Check for suspicious location changes (e.g., international jumps)
- Implement velocity checking to detect impossible movement patterns
- Monitor for multiple rapid location updates
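The four checks listed above, sketched as a screening function that a signalling firewall or monitoring probe could apply to decoded UpdateLocation events. This is an added example, not code from the original page; the GT prefixes, coordinates, thresholds and the `ULScreen` name are constructed assumptions.

```python
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

# Constructed table: known roaming-partner VLR GT prefixes -> (country, lat, lon).
KNOWN_VLRS = {
    "31653": ("NL", 52.37, 4.90),
    "49170": ("DE", 52.52, 13.40),
    "61400": ("AU", -33.87, 151.21),
}
MAX_KMH = 1000                        # assumed ceiling; faster is impossible movement
BURST_COUNT, BURST_SECONDS = 3, 300   # assumed rapid-update threshold

def lookup(gt):   # longest-prefix match of the VLR GT against the known-VLR table
    for n in range(len(gt), 0, -1):
        if gt[:n] in KNOWN_VLRS:
            return KNOWN_VLRS[gt[:n]]
    return None

def km(a, b):     # great-circle distance between two (lat, lon) points (haversine)
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

class ULScreen:
    def __init__(self):
        self.last = {}                     # imsi -> (ts, country, (lat, lon))
        self.recent = defaultdict(deque)   # imsi -> timestamps of recent ULs

    def check(self, ts, imsi, vlr_gt):
        """Return the reasons this UpdateLocation should be held for review."""
        reasons = []
        q = self.recent[imsi]
        q.append(ts)                       # timestamps are assumed non-decreasing
        while ts - q[0] > BURST_SECONDS:
            q.popleft()
        if len(q) > BURST_COUNT:
            reasons.append("rapid-updates")
        site = lookup(vlr_gt)
        if site is None:
            return reasons + ["unknown-vlr"]
        country, pos = site[0], site[1:]
        if imsi in self.last:
            pts, pcountry, ppos = self.last[imsi]
            if country != pcountry:
                reasons.append("international-jump")
            if km(ppos, pos) / (max(ts - pts, 1) / 3600) > MAX_KMH:
                reasons.append("impossible-velocity")
        if not reasons:   # held updates never become the trusted baseline
            self.last[imsi] = (ts, country, pos)
        return reasons
```

An international jump alone is a review signal rather than proof, since legitimate roamers cross borders; combined with an impossible velocity or an unknown VLR it is a strong indicator.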
Technical Details
The InsertSubscriberData (ISD) MAP operation is used by the HLR to provide subscriber profile information to the VLR, including service configurations like call forwarding settings.
In this attack, the attacker sends a fraudulent InsertSubscriberData message to the target's VLR, impersonating the HLR. The message contains modified subscriber data that enables unconditional call forwarding to a number controlled by the attacker.
Once the call forwarding is activated, all calls to the target are automatically redirected to the attacker's number, where they can be recorded and then forwarded to the actual recipient.
Attack Flow
- Attacker obtains target's MSISDN, IMSI, and current VLR
- Attacker crafts an InsertSubscriberData message
- Attacker includes call forwarding settings pointing to their number
- Attacker spoofs the target's HLR as the source
- Message is sent to the target's current VLR
- VLR processes the request without adequate authentication
- VLR updates the subscriber profile with call forwarding enabled
- All incoming calls are now automatically forwarded to attacker
- Attacker can record calls and forward them to the actual recipient
Mitigation
- Validate ISD message sources against known legitimate HLRs
- Implement mutual authentication between VLR and HLR
- Monitor for unexpected changes to call forwarding settings
- Require subscriber confirmation for call forwarding activation
- Implement anomaly detection for subscriber profile changes
Technical Details
This is a two-stage attack that combines the SendRoutingInfo (SRI) MAP operation with call forwarding manipulation.
First, the attacker uses SRI to obtain the target's IMSI and serving MSC/VLR information. Then, using this information, the attacker either modifies the subscriber data via InsertSubscriberData to enable call forwarding or uses UpdateLocation to redirect the routing path.
This combined approach gives the attacker more flexibility and can be harder to detect since it uses multiple operations that might individually appear legitimate.
Attack Flow
- Attacker obtains target's MSISDN (phone number)
- Attacker sends SendRoutingInfo request to target's HLR
- HLR responds with IMSI and serving MSC/VLR information
- Attacker uses this information to craft either:
  - An InsertSubscriberData message to enable call forwarding, or
  - An UpdateLocation message to redirect the routing path
- Attacker sends the crafted message to the appropriate network element
- Network updates routing information based on the fraudulent message
- Incoming calls are redirected through the attacker's infrastructure
- Attacker intercepts, records, and forwards calls to avoid detection
Mitigation
- Implement SRI filtering and CF validation
- Restrict SRI responses to contain minimal information
- Validate call forwarding changes against expected patterns
- Implement comprehensive monitoring for both operations
- Consider SMS or app notifications for call forwarding changes
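The ISD source validation from the previous mitigation list and the combined SRI and call-forwarding monitoring above, as one detection sketch seen from the home network for its own subscribers. This is an added example, not code from the original page; the event dictionary keys (`op`, `src_gt`, `cfu_to`, ...), the GTs, the test IMSI and the 900-second window are constructed assumptions.

```python
# Constructed home-network data; every value here is an assumption of this example.
HOME_GT_PREFIX = "31653"                  # GTs of our own nodes start with this
HOME_HLRS = {"31653100001"}               # the only legitimate ISD sources
IMSI_TO_MSISDN = {"001010000000001": "31653200001"}
WINDOW = 900                              # seconds linking an SRI to a follow-up

class Correlator:
    def __init__(self):
        self.ext_sri = {}   # msisdn -> time of the last SRI from outside the network

    def check(self, ev):
        """Return alerts for one decoded MAP event (dict with hypothetical keys)."""
        alerts = []
        if ev["op"] == "SendRoutingInfo":
            # SRI for call routing is expected from our own nodes only.
            if not ev["src_gt"].startswith(HOME_GT_PREFIX):
                self.ext_sri[ev["msisdn"]] = ev["ts"]
                alerts.append("external-sri")
            return alerts
        if ev["op"] == "InsertSubscriberData":
            if ev["src_gt"] not in HOME_HLRS:
                alerts.append("isd-not-from-home-hlr")
            if ev.get("cfu_to"):          # unconditional forwarding being set
                alerts.append("call-forwarding-change")
        # Second stage of the combined pattern: ISD or UL soon after an external SRI.
        sri_ts = self.ext_sri.get(IMSI_TO_MSISDN.get(ev["imsi"]))
        if sri_ts is not None and 0 <= ev["ts"] - sri_ts <= WINDOW:
            alerts.append("follows-external-sri")
        return alerts

# Constructed sample events, in time order.
EVENTS = [
    {"ts": 100, "op": "SendRoutingInfo", "src_gt": "49170555000",
     "msisdn": "31653200001"},
    {"ts": 160, "op": "InsertSubscriberData", "src_gt": "49170555000",
     "imsi": "001010000000001", "cfu_to": "49170555999"},
    {"ts": 400, "op": "UpdateLocation", "src_gt": "49170555000",
     "imsi": "001010000000001"},
    {"ts": 5000, "op": "InsertSubscriberData", "src_gt": "31653100001",
     "imsi": "001010000000001"},
]

def scan(events):
    """Run every event through one Correlator and pair each op with its alerts."""
    c = Correlator()
    return [(e["op"], c.check(e)) for e in events]
```

Each operation on its own may pass a per-message filter; the `follows-external-sri` alert is what ties the two stages together for the same subscriber.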
Exploitation Example
from sigploit.ss7.interception import updateLocation
# Target IMSI (subscriber identity)
target_imsi = '204080123456789'
# Attacker's parameters
attacker_gt = '20408999999'
attacker_vlr = '20408999999'
# SS7 connection parameters
ss7_params = {
    'sctp_port': 2905,
    'target_ip': '10.0.0.1',
    'source_pc': 1,
    'destination_pc': 2,
    'source_ssn': 7,
    'destination_ssn': 6
}
# Execute the attack
result = updateLocation.intercept(
    target_imsi=target_imsi,
    attacker_gt=attacker_gt,
    attacker_vlr=attacker_vlr,
    **ss7_params
)
print(f"Attack status: {result.get('status')}")
print(f"HLR response: {result.get('response')}")
Ethical Considerations
This code is provided for educational purposes only. Intercepting calls without consent is illegal in most jurisdictions and violates privacy laws. Always obtain proper authorization before conducting security testing on telecommunications networks.