HomeSS7 SecurityAttack VectorsLocation TrackingAnyTimeInterrogation Attack

AnyTimeInterrogation Attack

Advanced SS7 location tracking through HLR interrogation

Critical Impact
Medium Complexity
MAP Operation
Real-time Tracking
Attack Overview
Understanding the AnyTimeInterrogation attack mechanism

Technical Summary

The AnyTimeInterrogation (ATI) MAP operation was designed to allow certain network entities to query subscriber information directly from the HLR at any time, regardless of the subscriber's status. This operation can be exploited by attackers to obtain detailed location information about target subscribers.

Direct HLR interrogation capability
Real-time location data retrieval
Cell-level precision possible
Minimal network traces

Attack Characteristics

Stealth Level85%
Precision90%
Technical Complexity60%
Detection Difficulty75%

Key Technical Details

MAP Operation

AnyTimeInterrogation (ATI) - MAP operation code 71

anyTimeInterrogation OPERATION ::= {
  ARGUMENT AnyTimeInterrogationArg
  RESULT AnyTimeInterrogationRes
  ERRORS { ... }
}

Information Retrieved

  • • Current serving MSC/VLR address
  • • Cell Global Identity (CGI)
  • • Location Area Identity (LAI)
  • • Service Area Identity (SAI)
  • • Subscriber state information
  • • Location age timestamp

Attack Methodology

Attack Prerequisites
Requirements for executing the AnyTimeInterrogation attack

Technical Requirements

  • Access to SS7 network (direct or via compromised operator)
  • Knowledge of target's MSISDN (phone number)
  • SS7 message crafting capabilities
  • Global Title (GT) spoofing ability
  • Understanding of MAP protocol operations

Network Access Methods

Direct SS7 Connection

Legitimate or illegitimate access to SS7 network infrastructure

Compromised Operator

Access through a compromised telecommunications operator

SS7 Gateway

Commercial SS7 gateway services or compromised gateways

Detection & Mitigation

Detection Strategies
Identifying AnyTimeInterrogation attacks in your network

Mitigation Measures
Protecting against AnyTimeInterrogation attacks

Real-World Impact & Case Studies

Documented Cases
Known instances of AnyTimeInterrogation abuse

Government Surveillance

Intelligence agencies have reportedly used ATI operations for mass surveillance programs, tracking political dissidents and journalists.

Corporate Espionage

Business competitors have used location tracking to monitor executive movements and gain competitive intelligence.

Criminal Activities

Criminal organizations have exploited ATI for stalking, kidnapping planning, and other illegal activities.

Impact Assessment
Potential consequences of successful attacks

Privacy Violations

• Unauthorized tracking of personal movements

• Pattern-of-life analysis and behavioral profiling

• Violation of fundamental privacy rights

Physical Security Risks

• Facilitation of physical attacks or kidnapping

• Stalking and harassment enablement

• Compromise of witness protection programs

Business Impact

• Corporate espionage and competitive intelligence

• Compromise of business negotiations

• Reputational damage to telecommunications operators

Interactive Attack Simulation
Visualize the AnyTimeInterrogation attack flow (Educational purposes only)
Network Simulation

Attacker

Crafts ATI message

HLR

Processes request

Location Data

Returned to attacker

Launch Interactive Demo

Related Resources

SendRoutingInfoForSM Attack
Alternative SS7 location tracking technique
SS7 Security Tools
Tools for testing and defending against SS7 attacks
SS7 Testing Methodology
Comprehensive approach to SS7 security assessment