Man
An SS7 (Signaling System No. 7) attack is a type of cyberattack that exploits vulnerabilities in the SS7 signaling protocol, which is used to manage phone calls, SMS, and other services in mobile networks. These attacks allow attackers to intercept calls, SMS, track the location of the subscriber, or even block communications. However, it is important to emphasize that using SS7 attacks for unauthorized access is a criminal offense. Below, we describe the technical aspects of how such attacks work for educational purposes.
1. What is SS7?
SS7 is a set of protocols used by telecommunications networks to transmit control signals (e.g. call setup, SMS routing, subscriber location). It operates in the background, providing interaction between telecom operators and network equipment.
The main functions of SS7 are:
- Call and SMS routing.
- Registration of the subscriber's location (for example, when roaming).
- Time synchronization and billing (calculation of service costs).
2. How do SS7 attacks work?
SS7 attacks are possible due to the protocol's open architecture and trust between network nodes. An attacker can:
- Access the SS7 network via:
  - Connecting to a node through a subsidiary network (e.g. through an operator that does not verify the authenticity of nodes).
  - Exploiting vulnerabilities in operator APIs.
  - Compromise of equipment (e.g. base stations or HLR (Home Location Register) servers).
- Send fake commands to the network, for example:
  - MAP_SEND_ROUTING_INFORMATION: Requests information about the current location of the subscriber.
  - MAP_PREPARE_HANDOVER: Redirects calls or SMS to another number.
  - MAP_CANCEL_LOCATION: Removes the subscriber's location record to hide the attack.
- Perform one of the following attacks:
A. Interception of SMS and calls
- The attacker sends the MAP_SEND_ROUTING_INFORMATION command to determine which network node the subscriber is passing through.
- The attacker then uses MAP_PREPARE_HANDOVER to forward all calls and SMS to their own device.
- This allows the attacker to obtain two-factor authentication (2FA) codes, passwords for banking applications or private messages.
B. Listening to conversations
- The attacker sends the MAP_PROCESS_UNSTRUCTURED_SS_DATA command to activate the eavesdropping feature (e.g. turn on the victim's phone microphone without their knowledge).
- This can also be used to forward calls to a recording device.
C. Geolocation Determination
- The MAP_SEND_ROUTING_INFORMATION command returns information about the subscriber's current location (for example, a cell tower identifier).
- This allows the attacker to track the victim's movements in real time.
D. Communication Blocking
- The attacker sends the MAP_CANCEL_LOCATION command to delete the subscriber's location record.
- This makes the number unavailable for incoming calls and SMS, which can be used as a distraction during financial attacks.
3. Attack example: Cryptocurrency theft via SS7
- The attacker identifies a victim who owns cryptocurrency (for example, through social networks).
- The attacker sends the MAP_SEND_ROUTING_INFORMATION command to obtain the victim's geolocation and ensure that the victim is in a region where there is access to the SS7 network.
- The attacker then forwards the victim's SMS messages to their own number, receiving 2FA codes from a cryptocurrency exchange (such as Coinbase).
- Using these codes, the attacker resets the victim's account password and withdraws funds to their own wallet.
4. Why is SS7 vulnerable?
- No encryption: SS7 messages are transmitted in clear text, making them susceptible to interception.
- Trust between nodes: SS7 does not verify the authenticity of nodes, so fake commands are accepted as legitimate.
- Outdated architecture: The protocol was designed in the 1970s when security was not a priority.
- Complexity of upgrade: Replacing SS7 with more secure protocols (such as Diameter or SIP) requires a global upgrade of the infrastructure.
5. Modern analogues of vulnerabilities
SS7 attacks are not the only way to compromise mobile communications:
- Diameter attacks: Exploit vulnerabilities in the Diameter protocol (a replacement for SS7 in LTE/5G networks).
- SIP attacks: Target VoIP networks using the SIP protocol to intercept calls.
- IMSI-catcher: Devices that imitate base stations to intercept data from mobile devices.
6. How to protect yourself from SS7 attacks?
A. Use encryption
- For communication: Signal, WhatsApp, Telegram (end-to-end encryption).
- For SMS codes: Switch to hardware tokens (e.g. YubiKey) or authenticator apps (Google Authenticator).
B. Opt out of SMS for 2FA
- Set up secure keys with Google, Apple, or cryptocurrency exchanges.
- Use U2F (Universal 2nd Factor) to log into your accounts.
C. Upgrade your equipment
- Use smartphones with LTE/5G support, where SS7 vulnerabilities are partially fixed.
- Install applications to monitor suspicious activity (for example, SS7 Firewall from some antiviruses).
D. Control access to the SS7 network
- Telecom operators must:
  - Verify the authenticity of nodes via STIR/SHAKEN (Standards for Authentication of Challenges).
  - Use IDS/IPS to detect suspicious SS7 commands.
  - Encrypt SS7 traffic using IPsec or TLS.
7. Legal consequences
SS7 attacks violate the laws of many countries:
- USA: Computer Fraud and Abuse Act (up to 10 years in prison).
- Russia: Article 138 of the Criminal Code of the Russian Federation (unauthorized access to computer information).
- EU: GDPR (unlawful collection of personal data).
8. Educational resources
If you want to study Telecommunications Security legally:
- Books: "Hacking Exposed VoIP" (John Herlich), "Telecom Security" (Daniel Benedict).
- Platforms: TryHackMe (VoIP security courses), OWASP.
- Certifications:
  - Certified Ethical Hacker (CEH) - network vulnerability analysis.
  - Cisco CCNP Security - Telecommunication Network Security.
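
The IDS/IPS recommendation in section 6.D, as an added example that is not part of the original post: it flags the MAP operations named above when they come from a global title outside an allowlist, and escalates when a routing-information lookup is followed by another of those operations for the same subscriber. The log format, the trusted prefixes and the 300-second window are assumptions, and the sample events are constructed.

```python
# Operations the page lists as abused (names as written on the page).
SENSITIVE_OPS = {
    "MAP_SEND_ROUTING_INFORMATION",
    "MAP_PREPARE_HANDOVER",
    "MAP_CANCEL_LOCATION",
    "MAP_PROCESS_UNSTRUCTURED_SS_DATA",
}
FOLLOW_UPS = SENSITIVE_OPS - {"MAP_SEND_ROUTING_INFORMATION"}

# Assumption: global-title prefixes of the home network and roaming partners.
TRUSTED_GT_PREFIXES = ("49170", "44770")
WINDOW_SECONDS = 300  # assumed correlation window

# Constructed sample events: epoch_seconds,calling_gt,operation,target_msisdn
SAMPLE_LOG = """\
1000,4917000001,MAP_SEND_ROUTING_INFORMATION,491701234567
1010,9990000042,MAP_SEND_ROUTING_INFORMATION,491701234567
1100,9990000042,MAP_CANCEL_LOCATION,491701234567
1200,9990000077,MAP_PREPARE_HANDOVER,491709999999
9000,9990000042,MAP_CANCEL_LOCATION,491701234567
1300,4477000005,MAP_UPDATE_LOCATION,491701234567
not,a,valid
"""

def analyse(log_text):
    """Return alerts as (severity, timestamp, calling_gt, operation, msisdn)."""
    alerts = []
    last_lookup = {}  # (gt, msisdn) -> time of last untrusted routing lookup
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip malformed records instead of crashing the monitor
        ts, gt, op, msisdn = int(fields[0]), fields[1], fields[2], fields[3]
        if op not in SENSITIVE_OPS or gt.startswith(TRUSTED_GT_PREFIXES):
            continue  # not a listed operation, or sent by an allowlisted peer
        severity = "untrusted-origin"
        seen = last_lookup.get((gt, msisdn))
        if op in FOLLOW_UPS and seen is not None and 0 <= ts - seen <= WINDOW_SECONDS:
            severity = "lookup-then-action"  # pattern from sections A and D above
        if op == "MAP_SEND_ROUTING_INFORMATION":
            last_lookup[(gt, msisdn)] = ts
        alerts.append((severity, ts, gt, op, msisdn))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```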