SS7 Attacks: What They Are, How They Work And How to Protect Yourself Against Them
The ability to make phone calls and send text messages across various networks is something we often take for granted. This seamless connectivity is made possible by a telecommunications protocol known as Signaling System No. 7, or SS7.
SS7 is the backbone of global telecommunications, enabling features like call setup, SMS management, and mobile services. However, despite its crucial role, SS7 has significant vulnerabilities that hackers can exploit, posing severe risks to both individuals and organizations.
In this article, we will explore SS7 attacks, how they work, and how you can protect yourself against them.
What Is SS7?
Have you ever wondered how you call a friend across the country or text abroad without any glitches? A telecommunication protocol called Signaling System No. 7, or SS7, makes this possible.
SS7, developed in 1975, is the universal language of the global telephone network. It governs how different parts of the world’s public switched telephone network (PSTN) communicate.
Here are its essential functions:
➡️ Call setup and teardown: Manages the signaling required to establish and terminate telephone calls for mobile phone users.
➡️ SMS management: Handles the delivery and routing of text messages across networks.
➡️ Mobile services: Supports roaming and handover, ensuring seamless network transitions.
➡️ Number portability: Enables services like toll-free numbers and number portability, allowing users to keep their numbers when switching providers.
➡️ Intelligent network services: Supports advanced services like call forwarding, caller ID, voicemail, and prepaid billing.
Without SS7, seamless connectivity across different carriers and countries wouldn’t be possible, and many of the features we rely on would not exist. It’s a vital behind-the-scenes technology for modern communication.
SS7 architecture
The SS7 network consists of several main components that work together to manage and route the signaling (or communication instructions) between different parts of the telephone network:
Service Switching Points (SSPs)
SSPs are the network’s “communication hubs.” They originate, route, and terminate calls. When you make a call, it starts at an SSP, which helps to set up and manage the call.
Signaling Transfer Points (STPs)
STPs route signaling messages between SSPs. If SSPs are the hubs, STPs are like the routers that decide the best path for each message to travel through the network.
Service Control Points (SCPs)
SCPs store and provide important information for call processing, such as database lookups for number portability (allowing you to keep your number when switching carriers) and other services.
Signaling Links
These “roads” connect all the points (SSPs, STPs, and SCPs). Signaling links carry the signaling messages between the network components. They ensure that messages travel securely and efficiently from one point to another.
How SS7 Works
Now that you have an overview of what the SS7 network is, let’s explore how the SS7 protocol works.
SS7 operates in layers, and each layer has a specific job to ensure that messages are sent, received, and processed properly.
Think of it like a multi-step process where each step checks and forwards the message to its next point.
Let’s walk through an example of making a phone call to see how the SS7 protocol works.
1. Initiating a call
You decide to call your friend, so you dial their number on your phone. First, your phone sends a request to set up the call. This request is packaged into a small packet called a Message Signal Unit (MSU), which contains all the information needed to connect the call.
The MSU goes through three Message Transfer Part (MTP) levels to ensure that your request is properly formatted and ready to travel through the network.
- MTP Level 1: Manages the physical connection, like the wires or wireless links that carry your call’s information from your phone to the nearest network hub.
- MTP Level 2: Handles error checking and correction, ensuring the information sent from your phone is received correctly, without any errors.
- MTP Level 3: This takes care of routing messages, deciding the best path for your call request to travel through the network to reach your friend’s phone.
2. Routing the call
Once the MSU is correctly formatted and error-checked, it travels through the network. The Signaling Connection Control Part (SCCP) provides additional routing options and supports advanced services. For example, if your friend has a special service like call forwarding, SCCP ensures the call is routed correctly.
3. Setting up the call
When your call request reaches the network hub nearest your friend’s phone, the Telephone User Part (TUP) or ISDN User Part (ISUP) takes over. These parts of the protocol manage the setup, maintenance, and termination of telephone calls.
They ensure that your friend’s phone rings, and when they answer, the connection is maintained for the duration of your conversation. This system keeps the call stable and clear until you decide to hang up.
4. Advanced services
While the call is connected, SS7 also supports other services that might be in use. The Transaction Capabilities Application Part (TCAP) supports services like mobile roaming, allowing you or your friend to use your phone outside your home network.
It also handles number portability, so if your friend has switched carriers but kept their old number, the call still connects properly.
5. Additional applications
SS7 supports a range of additional applications through specific elements known as Application Service Elements (ASEs). These applications include mobile messaging services. So, if you receive a text message during your call, SS7 ensures that this message is delivered without disrupting your call.
How Hackers Exploit SS7 Vulnerabilities
Despite its critical role in telecommunications, this signaling system has several security holes that attackers can exploit.
These vulnerabilities arise mainly from the protocol’s original design, which assumed a trusted environment within the telecom networks.
Hackers (and sometimes government agencies) exploit SS7 vulnerabilities for activities like intercepting calls, messages, and data from various apps. Here’s how they carry out an SS7 attack:
Step 1: Establishing an SS7 connection
Hackers first need to connect to the SS7 network. To do this, they require a Global Title (GT) and a point code, which act as unique identifiers within the network.
They can obtain these from network operators, who will grant them a new network code and allow them to have various international titles — IMSIs (International Mobile Subscriber Identities), and MSISDNs (Mobile Station International Subscriber Directory Numbers).
Alternatively, they can purchase a GT from a phone company.
Next, an SS7 aggregator broadcasts the GT across all networks, diverting traffic to the hacker’s application or node.
Establishing direct contact with telecom carriers is necessary, as each carrier needs to configure the routing for the hacker’s GT to the hosting node. This requires enrolling with each phone company separately.
💡 What Is an SS7 Aggregator?
An SS7 aggregator is a service provider or intermediary that facilitates the routing and managing of SS7 signaling messages between different telecom networks.
They act as a bridge between carriers, ensuring that signaling information is correctly routed and managed across multiple networks.
Step 2: Using an SS7 toolkit
After establishing a connection to the SS7 system, hackers either create their own SS7 app using an SDK (Software Development Kit) with the necessary SS7 libraries and stacks or purchase an existing app. This app is crucial for carrying out the attack and gaining access to mobile devices.
Step 3: Registering the SS7 app as an actual phone
To carry out the attack, the SS7 app must be registered as if it were a legitimate phone joining a roaming network. This involves several steps:
- Enroll the app: The app needs the IMSI (International Mobile Subscriber Identity) from the target’s SIM card. While obtaining a mobile number is easy, getting the IMSI information is more challenging. Hackers use an IMSI catcher tool to capture the IMSI associated with the target’s mobile number.
- Initiate communication with the network: Using the IMSI information, the SS7 app pretends to be the target’s phone and communicates with the network’s SS7 node. The app provides its GT (Global Title) as the source address and uses the IMSI to generate the destination address.
- Update location: The network’s Home Location Register (HLR) responds by updating the location of the target’s phone to the attacker’s app. This involves exchanging data identifying the app as the target phone’s location.
- Complete enrollment: The enrollment process is completed after the HLR sends an updated location acknowledgment.
Once these steps are completed, hackers can orchestrate an SS7 attack on a cell phone, which we’ll discuss below.
SS7 Attacks Explained
Interception of calls and messages
Hackers exploit SS7 vulnerabilities to intercept phone calls and SMS messages, gaining unauthorized access to private communications.
Here’s how they do it once they are connected to the SS7 network:
- Masquerading as network nodes: Hackers can intercept signaling messages by deceiving the network into believing their device is a legitimate MSC (Mobile Switching Center) or VLR (Visitor Location Register) node. An MSC node manages voice call setup, routing, and termination. A VLR node stores temporary information about subscribers within the range of the MSC it is associated with.
- Interception process: Once connected, hackers can redirect calls and messages to their devices. This allows them to listen in on phone calls and read SMS messages, often without the knowledge of the affected users.
💡 Case study: Ukrainian Political Espionage
Between 2014 and 2015, Ukrainian political figures were targeted using SS7 vulnerabilities. Attackers intercepted high-ranking officials' phone calls and text messages, gaining access to sensitive information. This espionage highlighted the use of SS7 vulnerabilities for political and intelligence purposes, posing serious national security risks.
Text messages are especially vulnerable to SS7 attacks
SMS-based two-factor authentication (2FA) is affected by the vulnerabilities in the SS7 protocol: if an SS7 attack is successful, hackers can intercept SMS messages containing 2FA codes.
With these intercepted codes, attackers can reset passwords and gain unauthorized access to various accounts, including WhatsApp, Google, social media, and bank accounts. This undermines the security of 2FA and exposes users to significant risks of identity theft and fraud.
💡 Case study: 2FA hacks
In 2017, hackers exploited SS7 vulnerabilities to bypass two-factor authentication (2FA) used by German banks. They intercepted SMS messages containing one-time passcodes sent to customers for authorizing transactions.
By doing this, the attackers could access and drain the bank accounts of unsuspecting users. This attack involved phishing to gather initial login credentials and mobile numbers and then using SS7 to reroute the SMS passcodes to their devices to complete fraudulent transactions.
Also, in 2018, attackers used SS7 attacks to hijack Facebook and WhatsApp accounts by intercepting SMS messages containing account verification codes.
Location tracking
Hackers also exploit SS7 to track mobile users’ real-time location by sending special signaling messages that request a cell phone’s location. The network, believing the request is legitimate, responds with the phone’s location.
By repeatedly sending these location requests, attackers can monitor and track a user’s movements, posing significant privacy and security risks.
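From the operator's side, repeated location requests are something a signaling monitor can look for. The following is an added example, not code from the original article or from any vendor: it scans a constructed signaling log for location requests that come from a source Global Title outside an assumed roaming-partner list, or that hit one subscriber too often within a time window. The log format, operation labels, GT prefixes, IMSIs and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, operation label, source GT, target IMSI.
# Every GT and IMSI below is a made-up placeholder, not a real identifier.
SAMPLE_LOG = """\
2024-05-01T10:00:00 UPDATE_LOCATION 555000000001 001010000000001
2024-05-01T10:01:00 LOCATION_REQUEST 000000000042 001010000000001
2024-05-01T10:03:00 LOCATION_REQUEST 000000000042 001010000000001
2024-05-01T10:05:00 LOCATION_REQUEST 000000000042 001010000000001
2024-05-01T10:07:00 LOCATION_REQUEST 000000000042 001010000000001
2024-05-01T10:08:00 LOCATION_REQUEST 555100000009 001010000000002
2024-05-01T11:30:00 LOCATION_REQUEST 555100000009 001010000000002
"""

PARTNER_GT_PREFIXES = ("5550", "5551")  # assumed allow list of roaming partners
WINDOW = timedelta(minutes=10)          # assumed sliding window
MAX_IN_WINDOW = 3                       # assumed per-subscriber request budget


def parse(log):
    """Yield (timestamp, operation, source_gt, imsi) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, op, gt, imsi = line.split()
            yield datetime.fromisoformat(ts), op, gt, imsi


def detect(log, partners=PARTNER_GT_PREFIXES):
    """Return sorted (reason, source_gt, imsi) alerts for location requests."""
    alerts = set()
    recent = defaultdict(deque)  # imsi -> timestamps of requests inside WINDOW
    for ts, op, gt, imsi in parse(log):
        if op != "LOCATION_REQUEST":
            continue
        # SS7 does not authenticate the sender, so the source GT is the only
        # origin signal available; flag any GT that is not a known partner.
        if not gt.startswith(partners):
            alerts.add(("unknown-source", gt, imsi))
        window = recent[imsi]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop requests older than the window
            window.popleft()
        if len(window) > MAX_IN_WINDOW:
            alerts.add(("repeated-requests", gt, imsi))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
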
Denial of Service (DoS) attacks
SS7 can be exploited to launch Denial of Service (DoS) attacks, disrupting telecommunications services.
Attackers flood the network with signaling messages, overwhelming network elements such as Signaling Points (SPs) and Signaling Transfer Points (STPs).
This overload can cause network elements to fail or become unresponsive, leading to dropped calls, delayed messages, and general network instability. Such disruptions can severely affect many personal and business communications.
💡 Expert insight:
“The core problem with the SS7 network lies in its lack of authentication for incoming requests. This means that if an entity—whether a government agency, a surveillance company, or a criminal—gains access to the SS7 network, its commands to reroute text messages or calls are treated as legitimate as those from authorized users. While there are protective measures such as SS7 firewalls and detection methods for specific attacks, the network still has significant vulnerabilities that can be exploited.”
– Simon Lewis, Co-founder at Certo.
Protecting Yourself from SS7 Attacks
While the responsibility for securing SS7 networks primarily falls on telecom operators, there are steps that individuals can take to protect themselves from potential SS7-based threats:
✅ Use encrypted messaging apps: Use messaging apps that offer end-to-end encryption, such as Signal, WhatsApp, or Telegram. These apps encrypt messages so that only the communicating users can read them, providing an additional layer of security against interception.
✅ Avoid SMS for two-factor authentication (2FA): Use authentication apps like Google Authenticator, Authy, or Microsoft Authenticator to get 2FA codes. App-based 2FA generates codes locally on your device, making them inaccessible to SS7-based interception attacks.
✅ Monitor account activity: Regularly check your bank, email, and social media accounts for unauthorized activity.
✅ Use strong passwords: Use a password manager to generate and store strong, unique passwords for your online accounts.
✅ Enable account alerts: Enable account alerts for login attempts, password changes, and other critical activities on your accounts. Instant notifications can help you quickly identify and respond to unauthorized access attempts.
✅ Educate yourself about phishing: Many SS7 attacks start with phishing to gather initial information. Knowing phishing tactics can help you avoid falling victim to these schemes.
✅ Contact your mobile provider: Ask them about the security measures they have in place to protect against SS7 attacks and if they offer any additional security features for your account. Some providers may offer enhanced security options or additional protective measures upon request.
Final Thoughts
SS7 is essential to the global telecommunications infrastructure, enabling seamless connectivity and various advanced services. However, its vulnerabilities have made it a target.
While telecom operators are responsible for securing SS7 networks, individuals can also take steps to protect themselves.
Encrypted messaging apps, avoiding SMS for two-factor authentication, monitoring account activity, and staying informed about phishing tactics are all effective ways to enhance your security.
Consider using security solutions like Certo to further protect yourself from mobile threats. Our apps offer comprehensive protection against various mobile security threats, helping you to keep your information secure.