SS7 Location Tracking Attacks

Methods to track subscriber location without their knowledge

Overview
Understanding SS7 location tracking vulnerabilities

SS7 location tracking attacks exploit vulnerabilities in the Signaling System No. 7 protocol to determine a mobile subscriber's physical location without their knowledge or consent. These attacks leverage legitimate network operations that were designed for call routing and roaming functionality but can be misused when accessed by unauthorized parties.

Privacy Implications

  • Unauthorized tracking of individuals
  • Pattern-of-life analysis
  • Stalking and harassment facilitation
  • Corporate espionage (tracking executives)
  • Law enforcement impersonation

Technical Prerequisites

  • Access to SS7 network (direct or via compromised operator)
  • Knowledge of target's MSISDN (phone number)
  • SS7 message crafting capabilities
  • Global Title (GT) spoofing ability
  • Understanding of MAP operations

Location Tracking Techniques

SendRoutingInfoForSM Attack
Medium to High Impact
Low Complexity
Using the SMS routing information request to determine subscriber's serving network

Technical Details

This attack exploits the SendRoutingInfoForSM (SRI-SM) MAP operation, which is legitimately used by the SMS service center (SMSC) to query the HLR for routing information needed to deliver SMS messages.

The attacker sends an SRI-SM request to the target's home network HLR, impersonating a legitimate SMSC. The HLR responds with the target's IMSI and current serving MSC/VLR address, which reveals the subscriber's location at the network level.

By mapping the MSC/VLR address to a physical location (using public databases or proprietary knowledge), the attacker can determine the subscriber's approximate location.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts a SendRoutingInfoForSM message with the target MSISDN
  3. Message is sent to target's home network HLR
  4. HLR processes the request without adequate authentication
  5. HLR responds with IMSI and serving MSC/VLR address
  6. Attacker maps MSC/VLR address to physical location
  7. Attacker can repeat the process to track movement over time

Mitigation

  • Implement SMS Home Routing architecture
  • Filter SRI-SM requests based on source GT
  • Monitor for unusual patterns of SRI-SM requests
  • Implement SS7 firewall rules specific to SRI-SM operations

AnyTimeInterrogation Attack
High Impact
Low Complexity
Direct query for subscriber location information

Technical Details

The AnyTimeInterrogation (ATI) MAP operation was designed to allow certain network entities to query subscriber information directly from the HLR at any time, regardless of the subscriber's status.

An attacker can send an ATI request to the target's HLR, impersonating a legitimate network entity (such as a gsmSCF service). The request can include parameters to specifically request location information.

The HLR responds with detailed location information, potentially including cell ID, which can provide location accuracy down to a few hundred meters in urban areas.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts an AnyTimeInterrogation message with the target MSISDN
  3. Attacker spoofs a legitimate service entity (gsmSCF) as the source
  4. Message is sent to target's home network HLR
  5. HLR processes the request without adequate authentication
  6. HLR responds with detailed location information
  7. Attacker can repeat the process for real-time tracking

Mitigation

  • Block ATI requests from unauthorized sources
  • Implement strict whitelist for entities allowed to use ATI
  • Monitor ATI request patterns
  • Consider completely disabling ATI if not required for operations

ProvideSubscriberInfo Attack
High Impact
Medium Complexity
Request for detailed subscriber location and status

Technical Details

The ProvideSubscriberInfo (PSI) MAP operation allows certain network entities to request detailed subscriber information, including precise location data, from the VLR/SGSN.

An attacker first needs to determine which VLR is serving the target (using SRI-SM or other methods), then sends a PSI request to that VLR, impersonating the target's HLR or another authorized entity.

The VLR/SGSN can respond with highly accurate location information, including cell ID, timing advance, and location age, providing much more precise positioning than other methods.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker first determines target's IMSI and serving VLR (using SRI-SM)
  3. Attacker crafts a ProvideSubscriberInfo message with the target IMSI
  4. Attacker spoofs the target's HLR as the source
  5. Message is sent to the serving VLR/SGSN
  6. VLR/SGSN processes the request without adequate authentication
  7. VLR/SGSN responds with precise location information

Mitigation

  • Filter PSI requests based on source
  • Implement mutual authentication between VLR and HLR
  • Monitor for unusual patterns of PSI requests
  • Validate that PSI requests come from legitimate HLRs

SendRoutingInfo Attack
Medium Impact
Low Complexity
Call setup information request revealing subscriber's location

Technical Details

The SendRoutingInfo (SRI) MAP operation is legitimately used during call setup to determine how to route a call to a mobile subscriber.

An attacker sends an SRI request to the target's HLR, impersonating a legitimate GMSC. The HLR queries the serving VLR and returns a Mobile Station Roaming Number (MSRN) allocated by the VLR.

The MSRN contains information about the serving network, which can be mapped to a geographic location. While less precise than other methods, it can still reveal the country, city, or region of the subscriber.

Attack Flow

  1. Attacker obtains target's MSISDN (phone number)
  2. Attacker crafts a SendRoutingInfo message with the target MSISDN
  3. Attacker spoofs a legitimate GMSC as the source
  4. Message is sent to target's home network HLR
  5. HLR queries the serving VLR for an MSRN
  6. HLR responds with the MSRN
  7. Attacker extracts network information from the MSRN
  8. Attacker maps network information to geographic location

Mitigation

  • Implement SRI filtering
  • Validate SRI requests against expected call patterns
  • Monitor for unusual volumes of SRI requests
  • Consider implementing SRI proxy for additional security
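
The ATI allowlisting, PSI source validation and SRI/SRI-SM request-pattern monitoring listed in the Mitigation sections above can be expressed as a small rule evaluator over signalling logs. This is an added example, not code from the original page or from any firewall product; the GT values, IMSI prefix, thresholds and record fields are constructed assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example, not from the page).
ATI_ALLOWLIST = {"31650000010"}        # internal gsmSCF GTs permitted to send ATI
HOME_GT_PREFIX = {"00101": "3165"}     # IMSI prefix (test PLMN) -> home HLR GT prefix
WINDOW_S, MAX_QUERIES = 600, 3         # SRI / SRI-SM lookups per (source GT, MSISDN)

def evaluate(events):
    """Return one (verdict, reason) tuple per MAP request, in input order."""
    recent = defaultdict(deque)        # (src_gt, msisdn) -> timestamps inside the window
    results = []
    for ev in events:
        op, gt = ev["op"], ev["src_gt"]
        verdict, reason = "allow", "ok"
        if op == "ATI" and gt not in ATI_ALLOWLIST:
            verdict, reason = "block", "ATI from GT outside allowlist"
        elif op == "PSI":
            # PSI is only plausible from the HLR of the subscriber's home network.
            home = next((g for p, g in HOME_GT_PREFIX.items()
                         if ev["imsi"].startswith(p)), None)
            if home is None or not gt.startswith(home):
                verdict, reason = "block", "PSI source GT is not the subscriber's home HLR"
        elif op in ("SRI", "SRI-SM"):
            q = recent[(gt, ev["msisdn"])]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW_S:   # drop lookups older than the window
                q.popleft()
            if len(q) > MAX_QUERIES:
                verdict, reason = "alert", "repeated routing lookups for one MSISDN"
        results.append((verdict, reason))
    return results

# Constructed sample records, shaped like a signalling firewall or STP log export.
SAMPLE = [
    {"ts": 0,    "op": "ATI",    "src_gt": "31650000010", "msisdn": "31612345678"},
    {"ts": 5,    "op": "ATI",    "src_gt": "99900000001", "msisdn": "31612345678"},
    {"ts": 10,   "op": "PSI",    "src_gt": "31650000020", "imsi": "001011234567890"},
    {"ts": 15,   "op": "PSI",    "src_gt": "99900000001", "imsi": "001011234567890"},
    {"ts": 100,  "op": "SRI-SM", "src_gt": "99900000001", "msisdn": "31612345678"},
    {"ts": 200,  "op": "SRI-SM", "src_gt": "99900000001", "msisdn": "31612345678"},
    {"ts": 300,  "op": "SRI-SM", "src_gt": "99900000001", "msisdn": "31612345678"},
    {"ts": 400,  "op": "SRI-SM", "src_gt": "99900000001", "msisdn": "31612345678"},
    {"ts": 450,  "op": "SRI",    "src_gt": "44770000001", "msisdn": "31612345678"},
    {"ts": 1200, "op": "SRI-SM", "src_gt": "99900000001", "msisdn": "31612345678"},
]

if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE, evaluate(SAMPLE)):
        print(ev["ts"], ev["op"], ev["src_gt"], verdict, reason)
```

The fourth SRI-SM lookup from the same source GT inside the window raises an alert, while the lookup at ts 1200 falls outside it and is allowed again.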

Exploitation Example

Location Tracking via SendRoutingInfoForSM
Python script using SigPloit to track a subscriber's location

from sigploit.ss7.tracking import sendRoutingInfoForSM

# Target MSISDN (phone number)
target = '31612345678'

# Attacker's GT (Global Title)
attacker_gt = '31111111111'

# SS7 connection parameters
ss7_params = {
    'sctp_port': 2905,
    'target_ip': '10.0.0.1',
    'source_pc': 1,
    'destination_pc': 2,
    'source_ssn': 8,
    'destination_ssn': 6
}

# Execute the attack
result = sendRoutingInfoForSM.track(
    target_msisdn=target,
    attacker_gt=attacker_gt,
    **ss7_params
)

print(f"Target IMSI: {result.get('imsi')}")
print(f"Serving MSC: {result.get('msc')}")
print(f"Serving VLR: {result.get('vlr')}")

Ethical Considerations

This code is provided for educational purposes only. Unauthorized tracking of individuals is illegal in most jurisdictions and violates privacy rights. Always obtain proper authorization before conducting security testing on telecommunications networks.

Detection & Prevention

Detection Strategies

Prevention Measures