How SS7 attack works

[Man]

An SS7 (Signaling System No. 7) attack is a type of cyberattack that exploits vulnerabilities in the SS7 signaling protocol, which is used to manage phone calls, SMS, and other services in mobile networks. These attacks allow attackers to intercept calls, SMS, track the location of the subscriber, or even block communications. However, it is important to emphasize that using SS7 attacks for unauthorized access is a criminal offense. Below, we describe the technical aspects of how such attacks work for educational purposes.

1. What is SS7?​

SS7 is a set of protocols used by telecommunications networks to transmit control signals (e.g. call setup, SMS routing, subscriber location). It operates in the background, providing interaction between telecom operators and network equipment.

The main functions of SS7 are:

• Call and SMS routing.
• Registration of the subscriber's location (for example, when roaming).
• Time synchronization and billing (calculation of service costs).

2. How do SS7 attacks work?​

SS7 attacks are possible due to the protocol's open architecture and trust between network nodes. An attacker can:

1. Access the SS7 network via:
   • Connecting to a node through a subsidiary network (e.g. through an operator that does not verify the authenticity of nodes).
   • Exploiting vulnerabilities in operator APIs.
   • Compromise of equipment (e.g. base stations or HLR (Home Location Register) servers).
2. Send fake commands to the network, for example:
   • MAP_SEND_ROUTING_INFORMATION: Requests information about the current location of the subscriber.
   • MAP_PREPARE_HANDOVER: Redirects calls or SMS to another number.
   • MAP_CANCEL_LOCATION: Removes the subscriber's location record to hide the attack.
3. Perform one of the following attacks:

A. Interception of SMS and calls​

• The attacker sends the MAP_SEND_ROUTING_INFORMATION command to determine which network node the subscriber is passing through.
• It then uses MAP_PREPARE_HANDOVER to forward all calls and SMS to its device.
• This allows you to obtain two-factor authentication (2FA) codes, passwords for banking applications or private messages.

B. Listening to conversations​

• The attacker sends the MAP_PROCESS_UNSTRUCTURED_SS_DATA command to activate the eavesdropping feature (e.g. turn on the victim's phone microphone without their knowledge).
• Can also be used to forward calls to a recording device.

C. Geolocation Determination​

• The MAP_SEND_ROUTING_INFORMATION command returns information about the subscriber's current location (for example, a cell tower identifier).
• This allows you to track the victim's movements in real time.

D. Communication Blocking​

• The attacker sends the MAP_CANCEL_LOCATION command to delete the subscriber's location record.
• This makes the number unavailable for incoming calls and SMS, which can be used as a distraction during financial attacks.

3. Attack example: Cryptocurrency theft via SS7​

1. The attacker identifies the victim who owns cryptocurrency (for example, through social networks).
2. It sends the MAP_SEND_ROUTING_INFORMATION command to obtain the victim's geolocation and ensure that it is in a region where there is access to the SS7 network.
3. He then forwards the victim's SMS messages to his number, receiving 2FA codes from a cryptocurrency exchange (such as Coinbase).
4. Using these codes, he resets the victim's account password and withdraws funds to his wallet.

4. Why is SS7 vulnerable?​

1. No encryption: SS7 messages are transmitted in clear text, making them susceptible to interception.
2. Trust between nodes: SS7 does not verify the authenticity of nodes, so fake commands are accepted as legitimate.
3. Outdated architecture: The protocol was designed in the 1970s when security was not a priority.
4. Complexity of upgrade: Replacing SS7 with more secure protocols (such as Diameter or SIP) requires a global upgrade of the infrastructure.

5. Modern analogues of vulnerabilities​

SS7 attacks are not the only way to compromise mobile communications:

• Diameter attacks: Exploit vulnerabilities in the Diameter protocol (a replacement for SS7 in LTE/5G networks).
• SIP attacks: Target VoIP networks using the SIP protocol to intercept calls.
• IMSI-catcher: Devices that imitate base stations to intercept data from mobile devices.

6. How to protect yourself from SS7 attacks?​

A. Use encryption​

• For communication: Signal, WhatsApp, Telegram (end-to-end encryption).
• For SMS codes: Switch to hardware tokens (e.g. YubiKey) or authenticator apps (Google Authenticator).

B. Opt out of SMS for 2FA​

• Set up secure keys with Google, Apple, or cryptocurrency exchanges.
• Use U2F (Universal 2nd Factor) to log into your accounts.

C. Upgrade your equipment​

• Use smartphones with LTE/5G support, where SS7 vulnerabilities are partially fixed.
• Install applications to monitor suspicious activity (for example, SS7 Firewall from some antiviruses).

D. Control access to the SS7 network​

• Telecom operators must:
  • Verify the authenticity of nodes via STIR/SHAKEN (Standards for Authentication of Challenges).
  • Use IDS/IPS to detect suspicious SS7 commands.
  • Encrypt SS7 traffic using IPsec or TLS.

7. Legal consequences​

SS7 attacks violate the laws of many countries:

• USA: Computer Fraud and Abuse Act (up to 10 years in prison).
• Russia: Article 138 of the Criminal Code of the Russian Federation (unauthorized access to computer information).
• EU: GDPR (unlawful collection of personal data).

8. Educational resources​

If you want to study Telecommunications Security legally:

• Books: "Hacking Exposed VoIP" (John Herlich), "Telecom Security" (Daniel Benedict).
• Platforms: TryHackMe (VoIP security courses), OWASP.
• Certifications:
  • Certified Ethical Hacker (CEH) - network vulnerability analysis.
  • Cisco CCNP Security - Telecommunication Network Security.

Summary​

SS7 attacks are an example of the vulnerability of legacy protocols that are still used in global telecommunications. Never try to use these methods in real life - it is illegal and dangerous. Instead, focus on learning modern security methods and ethical hacking. If you are interested in practical examples or code for learning - let me know!

 

[Jollier]

SS7 attack: how mobile communications are hacked through a vulnerability in the signaling protocol​

SS7 (Signaling System No. 7) is a set of protocols used to manage calls, SMS, and other services in telephone networks. It was developed in the 1970s and is still used in 2G/3G/4G (and partly in 5G).

Due to the lack of cryptography and weak authentication, attackers can use SS7 to:

• interception of SMS and calls,
• subscriber geolocation,
• call forwarding,
• theft of money through mobile banking.

How does SS7 attack work?​

1. Access to SS7 network​

The attacker needs to:

• Have access to SS7 (via a compromised operator or buy it on the black market).
• Know the victim's number (for example, from social networks or leaked databases).

2. Sending malicious requests​

By exploiting SS7 vulnerabilities, an attacker can send signaling commands such as:

Geolocation (Track & Trace)​

• ProvideSubscriberLocation request – the operator returns the phone coordinates.
• Method: You can track movements in real time.

Interception of SMS and calls​

• SMS redirection (ForwardSM) – messages go to the attacker’s server.
• Call Deflection – calls are forwarded to another number.

SIM cloning (partial)​

• In some cases, it is possible to gain temporary access to a 2G/3G session to intercept authentication codes.

Stealing money (attack on banking 2FA)​

• If the bank uses SMS to confirm payments, the attacker intercepts the code and writes off the money.

Real Examples of SS7 Attacks​

• 2017 – Hackers stole money from bank accounts in Germany by intercepting SMS-TAN.
• 2018 – researchers showed how calls can be listened to via SS7 (even in encrypted messengers, if the call is activated via the operator’s network).
• 2020 – BBC journalists tracked the location of politicians via SS7.

How to protect yourself?​

1. Opting out of SMS-2FA​

• Use Google Authenticator, Authy, U2F keys (YubiKey).
• Enable biometric authentication at banks.

2. Communication encryption​

• Signal, WhatsApp (E2E encryption) protect against eavesdropping.
• VoIP calls (Telegram, Zoom) are less vulnerable than regular ones.

3. Blocking international roaming​

Some attacks require international signaling requests - disable unnecessary services.

4. Using eSIM / virtual numbers​

• eSIM is more difficult to clone.
• Virtual numbers (Google Voice, MySudo) reduce risks.

5. Monitoring suspicious activity​

• If your phone receives "strange" SMS or loses network, it may be an SS7 attack.

Why is SS7 still vulnerable?​

• An obsolete standard (developed in the era of analog communications).
• Operators are slow to upgrade infrastructure (especially in developing countries).
• 5G also uses SS7 (although some functions are replaced by Diameter Protocol, but vulnerabilities remain).

Conclusion: SS7 attacks are a serious threat, but risks can be minimized by abandoning SMS authentication and using modern encryption methods.

 

[Professor]

What is SS7 and why is it vulnerable?​

SS7 (Signaling System 7) is a protocol developed in the 1970s to manage telephone networks. It is used for call routing, SMS transmission, subscriber authentication, and other functions in 2G and 3G networks. However, due to outdated security principles, SS7 does not provide data encryption and node authentication, which makes it vulnerable to attacks.

How does SS7 attack work?​

1. Gaining access to the SS7 network:
   • The attacker connects to the SS7 network, which is possible through vulnerabilities in telecom operators or by purchasing access on the darknet.
   • Access to SS7 allows you to send commands that look like legitimate requests from telecom operators.
2. Victim identification:
   • Knowing the victim's phone number (MSISDN), the attacker sends a SendRoutingInfoForSM request to the HLR (Home Location Register) database. In response, he receives the IMSI (unique SIM card identifier) and the address of the MSC (Mobile Switching Center) servicing the subscriber.
3. Interception of SMS and calls:
   • The attacker redirects the victim's SMS and calls to their server, replacing data on the network. This allows them to intercept one-time verification codes (OTP) used for two-factor authentication (2FA), as well as listen to calls.
4. Location determination:
   • Using data from the HLR and MSC, an attacker can determine the location of the victim down to the base station (cell).

Examples of attacks​

• Bank SMS Interception: Attackers use SS7 to obtain 2FA codes to gain access to victims' bank accounts.
• Subscriber surveillance: Attacks on SS7 have been used to spy on high-profile individuals, including the leak of US diplomatic communications in 2014.

Why SS7 Remains Vulnerable?​

• The protocol was developed in an era when security was not a priority and access to the network was expected to be strictly limited.
• Modern 4G and 5G networks use more secure protocols (such as Diameter), but SS7 is still used for compatibility with 2G/3G.

How to protect yourself from SS7 attacks?​

1. Avoid SMS for 2FA: Use authenticator apps or hardware security keys.
2. Limit international roaming: This can prevent some types of attacks.
3. Use SS7 firewalls: Telecom operators may implement firewalls to filter out suspicious requests.
4. Updating networks: Upgrading to more modern protocols such as Diameter reduces the risk of attacks.

SS7 attacks remain a serious threat, especially for users who rely on SMS for authentication. Awareness and use of modern security techniques can significantly reduce the risks.