---
title: "SS7 Location Tracking Vulnerabilities"
description: "TelcoSec SS7 MAP exploitation guide: subscriber tracking, SMS interception, and call redirection via SendRoutingInfo and ProvideSubscriberInfo attacks."
date: "2024-03-15"
lastModified: "2026-05-15"
author: "Ruben F. Silva"
authorName: "TelcoSec Research"
category: "SIGNALING_ATTACKS"
severity: "CRITICAL"
image: "/images/articles/signaling-attack-vector.webp"
imageAlt: "SS7 Location Tracking Attack Vector - Global Signaling Intercept Pathways"
readingTime: 22
---
Signaling System No. 7 (SS7), the backbone protocol suite managing call setup, routing, and subscriber management across legacy telephone networks worldwide, was designed in the 1970s with an implicit trust model. There was no authentication between signaling nodes. No integrity verification. No encryption. Decades later, this trust-by-default architecture remains the single largest systemic vulnerability in global telecommunications — affecting an estimated 800+ mobile network operators and billions of subscribers.
The severity of this vulnerability cannot be overstated. SS7 attacks are not theoretical — they are actively exploited by nation-state intelligence agencies, commercial surveillance vendors, and financially motivated criminals. The protocol was designed for a world where only a handful of government-controlled telephone companies existed. Today, with thousands of entities holding SS7 access through MVNOs, roaming hubs, SMS aggregators, and VoIP interconnects, the trust model is irreparably broken.
Understanding SS7 is foundational to telecom security because its vulnerabilities cascade into every generation of mobile network. Even subscribers on 5G networks remain exposed through legacy interworking gateways, and the Diameter protocol that replaced SS7 in 4G inherited many of the same architectural trust assumptions. Successive 3GPP releases have progressively addressed these issues, but backward compatibility requirements ensure SS7 remains active on most networks worldwide.
This research examines how SS7 MAP (Mobile Application Part) messages are exploited to track subscribers in real time, intercept SMS, and redirect voice calls. We dissect the specific message types abused, the attack infrastructure required, the real-world case studies that have exposed these vulnerabilities, and the defensive countermeasures available today.
- SendRoutingInfo + ProvideSubscriberInfo enable real-time geolocation.
- Any operator with an SS7 interconnect can exploit these by design.
- SS7 firewalls and GSMA CAT/DASS provide layered defense.
- Real-world exploitation documented in surveillance, bank fraud, and political targeting.
- Diameter protocol and 5G SBA provide evolutionary mitigations, but interworking gaps persist.
I. SS7 Architecture and the Trust Problem
SS7 was built as a closed network connecting a small number of trusted national telephone operators. Every node on the SS7 network — whether a Home Location Register (HLR), Mobile Switching Center (MSC), or Visitor Location Register (VLR) — implicitly trusts every message it receives. There is no built-in source authentication or message integrity verification. This architecture is fundamentally different from IT networks, where authentication and encryption are standard practice.
The deregulation of telecom markets and the rise of Mobile Virtual Network Operators (MVNOs), SMS aggregators, and VoIP providers has dramatically expanded the number of entities with direct or indirect SS7 access, making the trust model fundamentally broken. As of 2025, GSMA estimates that over 1,200 entities have some form of SS7 interconnect access globally.
The SS7 Protocol Stack
SS7 operates as a layered protocol stack, with the Mobile Application Part (MAP) sitting at the application layer. Understanding the stack is essential for both attack and defense:
| Layer | Protocol | Function | Security Impact |
|---|---|---|---|
| Application | MAP / CAP / INAP | Subscriber management, location, charging | Direct attack target — no auth on any operation |
| Transaction | TCAP | Transaction management | Session hijacking via component manipulation |
| Transport | SCCP | Global Title routing | GT spoofing enables source impersonation |
| Network | MTP3 | Network-level routing | Point Code spoofing in IP-based SIGTRAN |
| Link | MTP2 / M2PA | Link-level reliability | Physical access historically required; now IP |
| Physical | MTP1 / SIGTRAN (IP) | DS0 timeslots / IP transport | SIGTRAN over IP massively expanded access surface |
The migration from TDM-based SS7 to SIGTRAN (SS7 over IP) was intended to reduce infrastructure costs, but it inadvertently made SS7 access available to anyone who could establish an IP connection to a signaling transfer point — dramatically lowering the barrier for attackers.

Historical Context: How We Got Here
The SS7 trust crisis didn't emerge overnight. Key milestones:
- 1975–1980: SS7 designed by AT&T/Bell Labs for the US telephone network. Nodes are physically secured government infrastructure.
- 1990s: Telecom deregulation globally opens networks to new operators. SS7 access broadens.
- 2008: Tobias Engel presents SS7 location tracking at the Chaos Communication Congress (25C3), marking the first public disclosure of these vulnerabilities.
- 2014: German researchers demonstrate SS7 tracking of a German politician's phone on live television, triggering international media coverage and regulatory attention.
- 2017: O2 Germany confirms that SS7 attacks were used to bypass SMS-based 2FA and drain bank accounts.
- 2020–present: Commercial SS7 surveillance platforms (like Circles, documented by Citizen Lab) proliferate, offering turnkey subscriber tracking for government clients.
II. Location Tracking Attack Vectors
There are three primary MAP operations that are systematically abused for subscriber location tracking:
1. SendRoutingInfo (SRI)
The SendRoutingInfo message is legitimately used during call setup to determine which MSC a subscriber is currently registered with. An attacker who sends an SRI request with a target MSISDN (phone number) receives back the subscriber's current MSC address and IMSI, which reveals their approximate geographic location (city or region level).
```asn.1
-- MAP (3GPP TS 29.002) argument of the SendRoutingInfo operation, abbreviated
SendRoutingInfoArg ::= SEQUENCE {
    msisdn                  [0] ISDN-AddressString,
    interrogationType       [3] InterrogationType,
    gmsc-OrGsmSCF-Address   [6] ISDN-AddressString,
    ...
}
-- Response includes: imsi, msc-Number, vlr-Number
-- The MSC/VLR address directly maps to a geographic region
```
The SRI response is especially dangerous because it also returns the target's IMSI — the permanent subscriber identity. Combined with IMSI catcher techniques, this enables precise physical-layer targeting.
2. ProvideSubscriberInfo (PSI)
Once the attacker knows the VLR address from SRI, they can send a ProvideSubscriberInfo request directly to that VLR. The response contains the subscriber's Cell-ID — the exact cell tower they are connected to — enabling location precision down to hundreds of meters in urban environments and within a few kilometers in rural areas. When combined with cell tower databases (publicly available from sources like OpenCellID), this translates directly to geographic coordinates.
3. AnyTimeInterrogation (ATI)
AnyTimeInterrogation is a single-step location query that combines the functionality of SRI and PSI. It asks the HLR directly for the subscriber's Cell-ID and current serving MSC. While many operators now block ATI from external sources (this is one of the GSMA's most basic recommendations), it remains functional on numerous networks globally — particularly in regions with less mature regulatory oversight.
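To make the defensive side of the three operations above concrete, here is an added example (not TelcoSec's code or any vendor's firewall) of an ingress policy for a signaling firewall: ATI and PSI arriving over an interconnect are dropped outright, while SRI, which is legitimate for call setup, is allowed only from known partner Global Titles and alerted on when one source exceeds a per-source rate budget. The operation codes come from 3GPP TS 29.002; the home GT prefix, partner GTs, rate limit and sample traffic are all constructed for the example.

```python
"""Toy SS7 MAP ingress filter for SRI / PSI / ATI (added example, not from the page)."""
from collections import Counter

# MAP operation codes as defined in 3GPP TS 29.002 (assumed, not taken from the page)
OPCODES = {22: "sendRoutingInfo", 70: "provideSubscriberInfo", 71: "anyTimeInterrogation"}

# Constructed policy data: our own GT range and the roaming/interconnect partners we trust
HOME_GT_PREFIX = "4917"
TRUSTED_PARTNER_GTS = {"3361000000", "4470000000"}
SRI_PER_SOURCE_LIMIT = 3  # more SRIs than this from one partner GT is treated as bulk lookup

def is_home(gt):
    return gt.startswith(HOME_GT_PREFIX)

def classify(msg, counts):
    """Return (verdict, reason) for one decoded MAP message; counts tracks SRIs per source GT."""
    op = OPCODES.get(msg["opcode"])
    src = msg["calling_gt"]
    if op is None:
        return ("allow", "opcode not covered by this policy")
    if is_home(src):
        return ("allow", f"{op} originates inside the home network")
    if op == "anyTimeInterrogation":
        return ("block", "ATI must never be accepted from an interconnect")
    if op == "provideSubscriberInfo":
        return ("block", "PSI is an intra-network HLR-to-VLR operation; external origin is a probe")
    # sendRoutingInfo is needed for call setup, so gate it on source identity and rate instead
    if src not in TRUSTED_PARTNER_GTS:
        return ("block", "SRI from a GT that is not a known interconnect partner")
    counts[src] += 1
    if counts[src] > SRI_PER_SOURCE_LIMIT:
        return ("alert", f"SRI volume from {src} exceeds {SRI_PER_SOURCE_LIMIT}; possible tracking")
    return ("allow", "SRI from trusted partner within rate budget")

def run_policy(messages):
    counts = Counter()
    return [classify(m, counts) for m in messages]

# Constructed sample traffic (not a real capture): calling GT is the claimed SCCP origin
SAMPLE = [
    {"opcode": 22, "calling_gt": "3361000000", "called_gt": "4917010001"},  # partner SRI
    {"opcode": 71, "calling_gt": "9190000000", "called_gt": "4917010001"},  # external ATI
    {"opcode": 70, "calling_gt": "9190000000", "called_gt": "4917020002"},  # external PSI
    {"opcode": 70, "calling_gt": "4917010001", "called_gt": "4917020002"},  # own HLR -> VLR
    {"opcode": 22, "calling_gt": "2011000000", "called_gt": "4917010001"},  # unknown GT SRI
] + [{"opcode": 22, "calling_gt": "4470000000", "called_gt": "4917010001"}] * 4  # SRI burst

if __name__ == "__main__":
    for m, (verdict, why) in zip(SAMPLE, run_policy(SAMPLE)):
        print(f"{verdict:5} {OPCODES[m['opcode']]:22} from {m['calling_gt']}: {why}")
```

A production firewall would key the rate budget on time windows and on the called MSISDN as well, so that a partner cycling through many subscribers is caught even at a low per-second rate.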