[{"data":1,"prerenderedAt":1208},["ShallowReactive",2],{"/signaling/ss7/":3,"related-signaling/ss7":1207},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1205,"__hash__":1206,"body":9},"articles/signaling/ss7.md","Ss7",null,"md",{"body":9},{"type":10,"value":11,"toc":1190},"minimark",[12,15,20,24,27,46,53,89,93,101,104,109,112,222,225,232,236,239,278,280,284,287,291,299,305,313,317,324,328,334],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-ss7-location-tracking-vulnerabilitiesdescription-telcosec-ss7-map-exploitation-guide-subscriber-tracking-sms-interception-and-call-redirection-via-sendroutinginfo-and-providesubscriberinfo-attacksdate-2024-03-15lastmodified-2026-05-15author-ruben-f-silvaauthorname-telcosec-researchcategory-signaling_attacksseverity-criticalimage-imagesarticlessignaling-attack-vectorwebpimagealt-ss7-location-tracking-attack-vector-global-signaling-intercept-pathwaysreadingtime-22","title: \"SS7 Location Tracking Vulnerabilities\"\ndescription: \"TelcoSec SS7 MAP exploitation guide: subscriber tracking, SMS interception, and call redirection via SendRoutingInfo and ProvideSubscriberInfo attacks.\"\ndate: \"2024-03-15\"\nlastModified: \"2026-05-15\"\nauthor: \"Ruben F. Silva\"\nauthorName: \"TelcoSec Research\"\ncategory: \"SIGNALING_ATTACKS\"\nseverity: \"CRITICAL\"\nimage: \"/images/articles/signaling-attack-vector.webp\"\nimageAlt: \"SS7 Location Tracking Attack Vector - Global Signaling Intercept Pathways\"\nreadingTime: 22",[21,22,23],"p",{},"Signaling System No. 7 (SS7), the backbone protocol suite managing call setup, routing, and subscriber management across legacy telephone networks worldwide, was designed in the 1970s with an implicit trust model. There was no authentication between signaling nodes. No integrity verification. No encryption. 
Decades later, this trust-by-default architecture remains the single largest systemic vulnerability in global telecommunications — affecting an estimated 800+ mobile network operators and billions of subscribers.",[21,25,26],{},"The severity of this vulnerability cannot be overstated. SS7 attacks are not theoretical — they are actively exploited by nation-state intelligence agencies, commercial surveillance vendors, and financially motivated criminals. The protocol was designed for a world where only a handful of government-controlled telephone companies existed. Today, with thousands of entities holding SS7 access through MVNOs, roaming hubs, SMS aggregators, and VoIP interconnects, the trust model is irreparably broken.",[21,28,29,30,35,36,40,41,45],{},"Understanding SS7 is foundational to telecom security because its vulnerabilities cascade into every generation of mobile network. Even subscribers on ",[31,32,34],"a",{"href":33},"/5g-network-security-architecture/","5G networks"," remain exposed through legacy interworking gateways, and the ",[31,37,39],{"href":38},"/signaling/diameter/","Diameter"," protocol that replaced SS7 in 4G inherited many of the same architectural trust assumptions. The ",[31,42,44],{"href":43},"/mobile-network-evolution-3gpp-releases/","3GPP releases"," have progressively addressed these issues, but backward compatibility requirements ensure SS7 remains active on most networks worldwide.",[47,48],"lead-magnet",{"ctaTitle":49,"description":50,"tag":51,"title":52},"GET HANDBOOK","Download the technical breakdown of MAP message structures used for real-time location tracking and SMS interception (PDF).","signaling_lead_magnet","HANDBOOK: SS7/MAP Exploit Technicals",[54,55,57,60],"article-intel-briefing",{"title":56},"REPORT OVERVIEW",[21,58,59],{},"This research examines how SS7 MAP (Mobile Application Part) messages are exploited to track subscribers in real time, intercept SMS, and redirect voice calls. 
We dissect the specific message types abused, the attack infrastructure required, the real-world case studies that have exposed these vulnerabilities, and the defensive countermeasures available today.",[61,62,64],"template",{"v-slot:takeaways":63},"",[65,66,67,71,74,77,80],"ul",{},[68,69,70],"li",{},"SendRoutingInfo + ProvideSubscriberInfo enable real-time geolocation.",[68,72,73],{},"Any operator with an SS7 interconnect can exploit these by design.",[68,75,76],{},"SS7 firewalls and GSMA CAT/DASS provide layered defense.",[68,78,79],{},"Real-world exploitation documented in surveillance, bank fraud, and political targeting.",[68,81,82,84,85,88],{},[31,83,39],{"href":38}," protocol and ",[31,86,87],{"href":33},"5G SBA"," provide evolutionary mitigations, but interworking gaps persist.",[16,90,92],{"id":91},"ss7-architecture","I. SS7 Architecture and the Trust Problem",[21,94,95,96,100],{},"SS7 was built as a closed network connecting a small number of trusted national telephone operators. Every node on the SS7 network — whether a Home Location Register (HLR), Mobile Switching Center (MSC), or Visitor Location Register (VLR) — implicitly trusts every message it receives. There is no built-in source authentication or message integrity verification. This architecture is fundamentally different from ",[31,97,99],{"href":98},"/telco-vs-computer-networks/","IT networks",", where authentication and encryption are standard practice.",[21,102,103],{},"The deregulation of telecom markets and the rise of Mobile Virtual Network Operators (MVNOs), SMS aggregators, and VoIP providers has dramatically expanded the number of entities with direct or indirect SS7 access, making the trust model fundamentally broken. 
As of 2025, GSMA estimates that over 1,200 entities have some form of SS7 interconnect access globally.",[105,106,108],"h3",{"id":107},"the-ss7-protocol-stack","The SS7 Protocol Stack",[21,110,111],{},"SS7 operates as a layered protocol stack, with the Mobile Application Part (MAP) sitting at the application layer. Understanding the stack is essential for both attack and defense:",[113,114,115,134],"table",{},[116,117,118],"thead",{},[119,120,121,125,128,131],"tr",{},[122,123,124],"th",{},"Layer",[122,126,127],{},"Protocol",[122,129,130],{},"Function",[122,132,133],{},"Security Impact",[135,136,137,152,166,180,194,208],"tbody",{},[119,138,139,143,146,149],{},[140,141,142],"td",{},"Application",[140,144,145],{},"MAP / CAP / INAP",[140,147,148],{},"Subscriber management, location, charging",[140,150,151],{},"Direct attack target — no auth on any operation",[119,153,154,157,160,163],{},[140,155,156],{},"Transaction",[140,158,159],{},"TCAP",[140,161,162],{},"Transaction management",[140,164,165],{},"Session hijacking via component manipulation",[119,167,168,171,174,177],{},[140,169,170],{},"Transport",[140,172,173],{},"SCCP",[140,175,176],{},"Global Title routing",[140,178,179],{},"GT spoofing enables source impersonation",[119,181,182,185,188,191],{},[140,183,184],{},"Network",[140,186,187],{},"MTP3",[140,189,190],{},"Network-level routing",[140,192,193],{},"Point Code spoofing in IP-based SIGTRAN",[119,195,196,199,202,205],{},[140,197,198],{},"Link",[140,200,201],{},"MTP2 / M2PA",[140,203,204],{},"Link-level reliability",[140,206,207],{},"Physical access historically required; now IP",[119,209,210,213,216,219],{},[140,211,212],{},"Physical",[140,214,215],{},"MTP1 / SIGTRAN (IP)",[140,217,218],{},"DS0 timeslots / IP transport",[140,220,221],{},"SIGTRAN over IP massively expanded access surface",[21,223,224],{},"The migration from TDM-based SS7 to SIGTRAN (SS7 over IP) was intended to reduce infrastructure costs, but it inadvertently made SS7 access available to anyone 
who could establish an IP connection to a signaling transfer point — dramatically lowering the barrier for attackers.",[21,226,227],{},[228,229],"img",{"alt":230,"src":231},"SS7 attack flow visualization showing signaling intercept pathways through global network nodes","/images/articles/ss7-attack-flow-diagram.webp",[105,233,235],{"id":234},"historical-context-how-we-got-here","Historical Context: How We Got Here",[21,237,238],{},"The SS7 trust crisis didn't emerge overnight. Key milestones:",[65,240,241,248,254,260,266,272],{},[68,242,243,247],{},[244,245,246],"strong",{},"1975–1980:"," SS7 designed by AT&T/Bell Labs for the US telephone network. Nodes are physically secured government infrastructure.",[68,249,250,253],{},[244,251,252],{},"1990s:"," Telecom deregulation globally opens networks to new operators. SS7 access broadens.",[68,255,256,259],{},[244,257,258],{},"2008:"," Tobias Engel presents SS7 location tracking at the Chaos Communication Congress (25C3), marking the first public disclosure of these vulnerabilities.",[68,261,262,265],{},[244,263,264],{},"2014:"," German researchers demonstrate SS7 tracking of a German politician's phone on live television, triggering international media coverage and regulatory attention.",[68,267,268,271],{},[244,269,270],{},"2017:"," O2 Germany confirms that SS7 attacks were used to bypass SMS-based 2FA and drain bank accounts.",[68,273,274,277],{},[244,275,276],{},"2020–present:"," Commercial SS7 surveillance platforms (like Circles, documented by Citizen Lab) proliferate, offering turnkey subscriber tracking for government clients.",[13,279],{},[16,281,283],{"id":282},"location-tracking","II. Location Tracking Attack Vectors",[21,285,286],{},"There are three primary MAP operations that are systematically abused for subscriber location tracking:",[105,288,290],{"id":289},"sri","1. 
SendRoutingInfo (SRI)",[21,292,293,294,298],{},"The ",[295,296,297],"code",{},"SendRoutingInfo"," message is legitimately used during call setup to determine which MSC a subscriber is currently registered with. An attacker who sends an SRI request with a target MSISDN (phone number) receives back the subscriber's current MSC address and IMSI, which reveals their approximate geographic location (city or region level).",[300,301],"code-block",{"language":302,"filename":303,"code":304},"text","sri-request-structure.map","MAP SendRoutingInfoArg ::= SEQUENCE {\n msisdn              [0] ISDN-AddressString,\n interrogationType   [3] InterrogationType OPTIONAL,\n gmsc-OrGsmSCF-Addr  [6] ISDN-AddressString,\n ...\n}\n-- Response includes: imsi, msc-Number, vlr-Number\n-- The MSC/VLR address directly maps to a geographic region",[21,306,307,308,312],{},"The SRI response is especially dangerous because it also returns the target's IMSI — the permanent subscriber identity. Combined with ",[31,309,311],{"href":310},"/imsi-catchers-and-rogue-base-stations/","IMSI catchers"," techniques, this enables precise physical-layer targeting.",[105,314,316],{"id":315},"psi","2. ProvideSubscriberInfo (PSI)",[21,318,319,320,323],{},"Once the attacker knows the VLR address from SRI, they can send a ",[295,321,322],{},"ProvideSubscriberInfo"," request directly to that VLR. The response contains the subscriber's Cell-ID — the exact cell tower they are connected to — enabling location precision down to hundreds of meters in urban environments and within a few kilometers in rural areas. When combined with cell tower databases (publicly available from sources like OpenCellID), this translates directly to geographic coordinates.",[105,325,327],{"id":326},"ati","3. AnyTimeInterrogation (ATI)",[21,329,330,333],{},[295,331,332],{},"AnyTimeInterrogation"," is a single-step location query that combines the functionality of SRI and PSI. 
It directly requests the HLR for the subscriber's Cell-ID and current serving MSC. While many operators now block ATI from external sources (this is one of the GSMA's most basic recommendations), it remains functional on numerous networks globally — particularly in regions with less mature regulatory oversight.",[335,336,338,342,429],"vue-flow-diagram",{"type":337},"ss7",[105,339,341],{"id":340},"attack-vector-comparison-matrix","Attack Vector Comparison Matrix",[113,343,344,363],{},[116,345,346],{},[119,347,348,351,354,357,360],{},[122,349,350],{},"Technique",[122,352,353],{},"Message",[122,355,356],{},"Precision",[122,358,359],{},"Detectability",[122,361,362],{},"GSMA Blocking Status",[135,364,365,381,397,412],{},[119,366,367,370,372,375,378],{},[140,368,369],{},"SRI",[140,371,297],{},[140,373,374],{},"City/Region (MSC area)",[140,376,377],{},"Low — looks like legitimate call setup",[140,379,380],{},"Rarely blocked (breaks roaming)",[119,382,383,386,388,391,394],{},[140,384,385],{},"PSI",[140,387,322],{},[140,389,390],{},"Cell tower (~100m urban)",[140,392,393],{},"Medium — unusual external source",[140,395,396],{},"Recommended block for external GTs",[119,398,399,402,404,406,409],{},[140,400,401],{},"ATI",[140,403,332],{},[140,405,390],{},[140,407,408],{},"High — no legitimate external use case",[140,410,411],{},"Widely blocked but not universal",[119,413,414,417,420,423,426],{},[140,415,416],{},"SRI-SM",[140,418,419],{},"SendRoutingInfoForSM",[140,421,422],{},"MSC/VLR area",[140,424,425],{},"Low — looks like SMS delivery",[140,427,428],{},"Mitigated by SMS Home Routing",[430,431,434,435],"info-callout",{"type":432,"title":433},"hazard","Real-World Impact: Documented Exploitation","\nCommercially available surveillance platforms aggregate these techniques to provide continuous, real-time location tracking of any mobile subscriber worldwide for as little as a few hundred dollars per target. 
In 2024, Citizen Lab documented the Circles platform (linked to NSO Group) providing SS7-based tracking capabilities to at least 25 government clients worldwide. The U.S. Department of Homeland Security confirmed in a 2017 report that SS7 tracking of U.S. citizens by foreign entities is ongoing and unmitigated.\n",[436,437,439,440],"red-team-insight",{"title":438},"GT SPOOFING AND SCCP RELAY ABUSE","\nAdvanced adversaries rarely attack directly from their own Global Title (GT). Instead, they leverage SCCP Relay vulnerabilities in poorly configured STPs (Signaling Transfer Points) or hijack legitimate but dormant GTs from operators in jurisdictions with weak oversight. By \"renting\" access through gray-market signaling hubs, attackers can bypass basic GT screening filters, making their malicious MAP queries appear as legitimate roaming traffic from a trusted partner network.\n",[441,442,444,445,447,451,467,470,485,490,494,498,501,505,511,517,519,523,526,630,634,753,755,759,767,806,819],"defense-callout",{"title":443},"SIGNALING FIREWALL BEST PRACTICES","\nA robust SS7 defense requires more than simple message filtering. Effective signaling firewalls should implement:\n- **Stateful Correlation:** Map responses must correspond to previously seen requests.\n- **Velocity Tracking:** Detect anomalous numbers of queries for a single IMSI/MSISDN across multiple GTs.\n- **Protocol Anomaly Detection:** Block malformed TCAP components and non-standard MAP message sequences.\n- **Cross-Protocol Validation:** Verify that a subscriber being tracked in SS7 is actually registered in the VLR associated with the requesting GT.\n",[13,446],{},[16,448,450],{"id":449},"sms-interception","III. SMS Interception via UpdateLocation",[21,452,453,454,457,458,461,462,466],{},"Beyond tracking, SS7 enables full SMS interception through a technique called ",[244,455,456],{},"HLR manipulation",". 
By sending a fraudulent ",[295,459,460],{},"UpdateLocation"," message to the target's home HLR, the attacker registers a fake MSC/VLR address for the subscriber. All incoming SMS messages — including two-factor authentication codes — are then routed to the attacker's infrastructure. This is often the precursor to ",[31,463,465],{"href":464},"/sim-cloning-and-sim-swap-attacks/","SIM swap fraud"," and account takeover attacks.",[21,468,469],{},"Simplified attack flow:",[471,472,473,476,479,482],"ol",{},[68,474,475],{},"Attacker sends UpdateLocation(IMSI=target, newVLR=attacker_GT)",[68,477,478],{},"HLR updates subscriber record → SMS routes to attacker",[68,480,481],{},"Attacker captures SMS OTP codes",[68,483,484],{},"Attacker sends RestoreData to revert the record",[486,487,489],"h1",{"id":488},"total-attack-duration-30-120-seconds","Total attack duration: 30-120 seconds",[486,491,493],{"id":492},"detection-difficulty-high-temporary-record-change","Detection difficulty: HIGH (temporary record change)",[105,495,497],{"id":496},"the-banking-fraud-epidemic","The Banking Fraud Epidemic",[21,499,500],{},"This attack has been documented extensively in real-world bank fraud cases. In the 2017 O2 Germany incident, attackers intercepted SMS-based 2FA codes to drain customer bank accounts. The attack chain combined credential phishing (to obtain bank login details) with SS7 SMS interception (to capture the OTP), demonstrating how SS7 vulnerabilities amplify traditional cybercrime. The attack is temporary and reversible — the attacker restores the original VLR record within seconds — making detection extremely difficult without active SS7 monitoring.",[105,502,504],{"id":503},"voice-call-interception-and-redirection","Voice Call Interception and Redirection",[21,506,507,508,510],{},"The same ",[295,509,460]," technique can redirect voice calls. 
By registering an attacker-controlled MSC, incoming calls are routed through the attacker's infrastructure, enabling real-time wiretapping. The attacker forwards the call to the legitimate destination to avoid detection, creating a transparent man-in-the-middle position.",[21,512,513],{},[228,514],{"alt":515,"src":516},"SS7, Diameter, and 5G SBA security comparison showing protocol evolution","/images/articles/ss7-diameter-5g-comparison.webp",[13,518],{},[16,520,522],{"id":521},"defenses","IV. Defensive Countermeasures",[21,524,525],{},"While the underlying SS7 protocol cannot be patched without breaking backward compatibility, several layered defense strategies exist. The effectiveness of each depends on consistent deployment across all interconnect points — a single unprotected gateway negates the entire defensive posture.",[527,528,534,567,583,599],"grid",{"className":529},[530,531,532,533],"grid-cols-1","md:grid-cols-2","gap-6","my-8",[535,536,546,556,564],"div",{"className":537},[538,539,540,541,542,543,544,545],"bg-[#050B14]","p-6","border","border-[var(--border)]","group","hover:border-[var(--primary)]","transition-colors","relative",[547,548],"absolute",{":right-0":549,":top-0":549,"className":550},"true",[551,552,553,554,555],"w-8","h-8","bg-gradient-to-bl","from-[var(--primary)]/20","to-transparent",[105,557,559,563],{"id":558},"_01-ss7-firewalls",[560,561,562],"span",{},"01"," SS7 Firewalls",[21,565,566],{},"Deploy signaling firewalls at all interconnect points. These filter incoming SS7 messages based on source Global Title (GT), message type, and subscriber context to block unauthorized queries like external ATI or PSI requests. 
Modern SS7 firewalls can correlate message sequences to detect multi-step attack chains that individual message filters would miss.",[535,568,570,573,580],{"className":569},[538,539,540,541,542,543,544,545],[547,571],{":right-0":549,":top-0":549,"className":572},[551,552,553,554,555],[105,574,576,579],{"id":575},"_02-gsma-catdass",[560,577,578],{},"02"," GSMA CAT/DASS",[21,581,582],{},"The GSMA's Categories, Address Screening and Sending (CAT/DASS) framework provides a standardized rule-set for operators to validate the legitimacy of SS7 messages based on the sender's role and the message context. Operators are categorized (Category 1 through 3), and message permissions are enforced accordingly.",[535,584,586,589,596],{"className":585},[538,539,540,541,542,543,544,545],[547,587],{":right-0":549,":top-0":549,"className":588},[551,552,553,554,555],[105,590,592,595],{"id":591},"_03-home-routing-for-sms",[560,593,594],{},"03"," Home Routing for SMS",[21,597,598],{},"By routing all SMS through an SMS home router, operators can verify that the delivering MSC matches the subscriber's actual serving network, preventing UpdateLocation-based interception. This is one of the most effective single countermeasures against SMS-based 2FA bypass.",[535,600,602,605,612],{"className":601},[538,539,540,541,542,543,544,545],[547,603],{":right-0":549,":top-0":549,"className":604},[551,552,553,554,555],[105,606,608,611],{"id":607},"_04-migration-to-diameter5g",[560,609,610],{},"04"," Migration to Diameter/5G",[21,613,614,615,617,618,622,623,626,627,629],{},"The ultimate solution is migrating signaling to ",[31,616,39],{"href":38}," protocol (4G) and HTTP/2 ",[31,619,621],{"href":620},"/glossary/#service-based-architecture-sba","SBA"," (",[31,624,625],{"href":33},"5G","), which support TLS and mutual authentication. 
However, legacy interworking will persist for years, and ",[31,628,39],{"href":38}," vulnerabilities must also be addressed.",[105,631,633],{"id":632},"defense-effectiveness-matrix","Defense Effectiveness Matrix",[113,635,636,658],{},[116,637,638],{},[119,639,640,643,646,649,652,655],{},[122,641,642],{},"Countermeasure",[122,644,645],{},"Blocks Location Tracking",[122,647,648],{},"Blocks SMS Interception",[122,650,651],{},"Blocks Call Redirect",[122,653,654],{},"Deployment Complexity",[122,656,657],{},"Industry Adoption",[135,659,660,679,698,717,736],{},[119,661,662,665,668,671,673,676],{},[140,663,664],{},"SS7 Firewall",[140,666,667],{},"Partial (ATI/PSI)",[140,669,670],{},"Partial",[140,672,670],{},[140,674,675],{},"Medium",[140,677,678],{},"~60% of Tier-1 operators",[119,680,681,684,687,690,692,695],{},[140,682,683],{},"GSMA CAT/DASS",[140,685,686],{},"Good (with proper rules)",[140,688,689],{},"Good",[140,691,689],{},[140,693,694],{},"High (coordination needed)",[140,696,697],{},"~40% globally",[119,699,700,703,706,709,711,714],{},[140,701,702],{},"SMS Home Routing",[140,704,705],{},"No",[140,707,708],{},"Yes",[140,710,705],{},[140,712,713],{},"Low-Medium",[140,715,716],{},"~50% globally",[119,718,719,722,725,728,730,733],{},[140,720,721],{},"Diameter/5G Migration",[140,723,724],{},"Full (when complete)",[140,726,727],{},"Full",[140,729,727],{},[140,731,732],{},"Very High",[140,734,735],{},"Ongoing (~15% SA)",[119,737,738,741,744,746,748,750],{},[140,739,740],{},"Network Monitoring",[140,742,743],{},"Detection only",[140,745,743],{},[140,747,743],{},[140,749,675],{},[140,751,752],{},"~70% of Tier-1 operators",[13,754],{},[16,756,758],{"id":757},"testing-methodology","V. SS7 Security Testing Methodology",[21,760,761,762,766],{},"Validating SS7 firewall effectiveness requires systematic security assessment. 
",[31,763,765],{"href":764},"/telecom-penetration-testing-methodologies/","Telecom penetration testing"," for SS7 networks follows a structured approach:",[471,768,769,775,781,787,793],{},[68,770,771,774],{},[244,772,773],{},"Reconnaissance:"," Map the target operator's signaling infrastructure — identify STPs, GTs, and interconnect partners.",[68,776,777,780],{},[244,778,779],{},"Passive Monitoring:"," Analyze legitimate signaling patterns to establish baseline traffic profiles.",[68,782,783,786],{},[244,784,785],{},"Active Probing:"," Send controlled MAP messages (SRI, PSI, ATI) from authorized test GTs to validate firewall blocking rules.",[68,788,789,792],{},[244,790,791],{},"Bypass Attempts:"," Test advanced evasion techniques — GT spoofing, SCCP relay abuse, multi-hop routing through compliant intermediary networks.",[68,794,795,798,799,805],{},[244,796,797],{},"Reporting:"," Document findings against GSMA FS.11 and IR.82 frameworks, map to ",[31,800,804],{"href":801,"rel":802},"https://fight.mitre.org/",[803],"nofollow","MITRE FiGHT"," techniques.",[21,807,808,809,813,814,818],{},"TelcoSec's ",[31,810,812],{"href":811},"/services/dedicated-labs/","dedicated lab environments"," provide isolated signaling infrastructure for safe SS7 security testing without impacting production networks. The ",[31,815,817],{"href":816},"/projects/tools/","TelcoSec Tools"," suite includes protocol analyzers specifically designed for signaling security assessment.",[430,820,823,824,826,830,833,959,966,968,972,1074,1076,1080,1087,1093,1105,1111,1121,1140,1142,1146,1149,1159,1182],{"type":821,"title":822},"info","Testing Best Practice","\nSS7 security assessments should be conducted quarterly, not just during initial firewall deployment. Attack techniques evolve continuously, and new bypass methods are regularly published at security conferences. 
The GSMA recommends annual signaling security audits as a minimum standard per FS.11.\n",[13,825],{},[16,827,829],{"id":828},"protocol-evolution","VI. Signaling Protocol Security Evolution",[21,831,832],{},"SS7's vulnerabilities did not exist in isolation — they directly influenced the design (and limitations) of successor protocols. Understanding this evolution is critical for assessing the security posture of any telecom network:",[113,834,835,856],{},[116,836,837],{},[119,838,839,842,845,850],{},[122,840,841],{},"Aspect",[122,843,844],{},"SS7 (2G/3G)",[122,846,847,849],{},[31,848,39],{"href":38}," protocol (4G)",[122,851,852,855],{},[31,853,854],{"href":33},"HTTP/2 SBA"," (5G)",[135,857,858,872,891,905,919,933],{},[119,859,860,863,866,869],{},[140,861,862],{},"Transport Security",[140,864,865],{},"None (cleartext)",[140,867,868],{},"Optional TLS (rarely deployed)",[140,870,871],{},"Mandatory TLS 1.3 + mTLS",[119,873,874,877,880,883],{},[140,875,876],{},"Authentication",[140,878,879],{},"None — implicit trust",[140,881,882],{},"Optional (IPsec/TLS available)",[140,884,885,886,890],{},"OAuth2 + ",[31,887,889],{"href":888},"/glossary/#network-repository-function-nrf","NRF"," service authorization",[119,892,893,896,899,902],{},[140,894,895],{},"Message Integrity",[140,897,898],{},"None",[140,900,901],{},"Optional (DTLS)",[140,903,904],{},"JWS for N32 (PRINS)",[119,906,907,910,913,916],{},[140,908,909],{},"Access Control",[140,911,912],{},"Global Title screening (manual)",[140,914,915],{},"Diameter Edge Agent (DEA)",[140,917,918],{},"SEPP + API gateway policies",[119,920,921,924,927,930],{},[140,922,923],{},"Identity Protection",[140,925,926],{},"IMSI sent in cleartext",[140,928,929],{},"IMSI in signaling messages",[140,931,932],{},"SUCI (encrypted identity)",[119,934,935,938,945,952],{},[140,936,937],{},"Specification",[140,939,940],{},[31,941,944],{"href":942,"rel":943},"https://www.3gpp.org/dynareport?code=29002.htm",[803],"3GPP TS 
29.002",[140,946,947],{},[31,948,951],{"href":949,"rel":950},"https://www.3gpp.org/dynareport?code=29272.htm",[803],"3GPP TS 29.272",[140,953,954],{},[31,955,958],{"href":956,"rel":957},"https://www.3gpp.org/dynareport?code=29500.htm",[803],"3GPP TS 29.500",[21,960,961,962,965],{},"The progression shows clear improvement, but each generation maintains backward compatibility with its predecessor — meaning SS7 vulnerabilities propagate forward through interworking gateways until legacy networks are fully decommissioned. The complete ",[31,963,964],{"href":43},"3GPP specification timeline"," provides detailed context on how each release addressed (or deferred) these security challenges.",[13,967],{},[16,969,971],{"id":970},"references","VII. Authoritative References",[973,974,977],"glass-panel",{"className":975},[539,976],"bg-black/20",[65,978,979,995,1014,1028,1042,1058],{},[68,980,981,986,990],{},[244,982,983,985],{},[560,984,562],{}," GSMA IR.82",[987,988,989],"em",{},"SS7 and SIGTRAN Network Security",[31,991,994],{"href":992,"rel":993},"https://www.gsma.com/security/resources/",[803],"GSMA Security Resources & Guidelines →",[68,996,997,1006,1009],{},[244,998,999,1001,1002,1005],{},[560,1000,578],{}," ENISA SS7/",[31,1003,39],{"href":1004},"/glossary/#diameter"," Report",[987,1007,1008],{},"Signaling Security in Telecom Networks",[31,1010,1013],{"href":1011,"rel":1012},"https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g",[803],"ENISA SS7/Diameter Signalling Security Report →",[68,1015,1016,1021,1024],{},[244,1017,1018,1020],{},[560,1019,594],{}," 3GPP TS 29.002",[987,1022,1023],{},"MAP Protocol Specification",[31,1025,1027],{"href":942,"rel":1026},[803],"3GPP TS 29.002 – SS7 MAP Protocol →",[68,1029,1030,1035,1038],{},[244,1031,1032,1034],{},[560,1033,610],{}," GSMA FS.11",[987,1036,1037],{},"SS7 Interconnect Security Monitoring and Firewall Guidelines",[31,1039,1041],{"href":992,"rel":1040},[803],"GSMA SS7 Firewall Guidelines 
→",[68,1043,1044,1050,1053],{},[244,1045,1046,1049],{},[560,1047,1048],{},"05"," Citizen Lab — Running in Circles",[987,1051,1052],{},"Uncovering the Clients of Cyberespionage Firm Circles",[31,1054,1057],{"href":1055,"rel":1056},"https://citizenlab.ca/research/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/",[803],"Citizen Lab: Circles Spyware Investigation →",[68,1059,1060,1066,1069],{},[244,1061,1062,1065],{},[560,1063,1064],{},"06"," DHS — SS7 Vulnerabilities and Feasibility of Oversight",[987,1067,1068],{},"U.S. Department of Homeland Security Report on SS7 Security",[31,1070,1073],{"href":1071,"rel":1072},"https://www.dhs.gov/",[803],"DHS IMSI Catcher Security Report →",[13,1075],{},[16,1077,1079],{"id":1078},"faq","VIII. Frequently Asked Questions",[1081,1082,1084],"faq-item",{"title":1083},"Can my phone be tracked through SS7 right now?",[21,1085,1086],{},"If your carrier connects to the global SS7 network (virtually all carriers do), then yes — your approximate location can be queried by any entity with SS7 access. The effectiveness depends on whether your carrier has deployed SS7 firewalls and message filtering. Even with firewalls, SRI-based tracking (city-level) is extremely difficult to block completely because it mimics legitimate call setup signaling.",[1081,1088,1090],{"title":1089},"Does using a VPN protect against SS7 tracking?",[21,1091,1092],{},"No. SS7 tracking operates at the network signaling layer, completely independent of the data plane. A VPN encrypts your internet traffic, but your phone's signaling connection to the cellular network remains unchanged and vulnerable. Even encrypted messaging apps cannot prevent SS7-based location tracking — they protect content, not location.",[1081,1094,1096],{"title":1095},"Is 5G immune to SS7 attacks?",[21,1097,1098,1101,1102,1104],{},[31,1099,1100],{"href":33},"5G Standalone (SA)"," networks do not use SS7. 
However, most current 5G deployments are Non-Standalone (NSA) and still rely on 4G core infrastructure with ",[31,1103,39],{"href":38}," protocol and SS7 interworking. Until legacy shutdown is complete, SS7 attacks remain viable even for 5G subscribers due to inter-generation handover and fallback mechanisms.",[1081,1106,1108],{"title":1107},"How does SS7 tracking differ from GPS tracking?",[21,1109,1110],{},"SS7 tracking is network-side — it queries the telecom infrastructure for a subscriber's location without any interaction with the target device. GPS tracking requires software on the target device. SS7 tracking works on any phone (even basic feature phones), requires no physical access, and is invisible to the target. The precision is lower (cell tower level vs. meter-level GPS), but the stealth is absolute.",[1081,1112,1114],{"title":1113},"What is the relationship between SS7 attacks and SIM swap fraud?",[21,1115,1116,1117,1120],{},"SS7 SMS interception and ",[31,1118,1119],{"href":464},"SIM swap attacks"," both target SMS-based authentication, but through different vectors. SS7 interception redirects SMS at the network level without changing the SIM. SIM swap involves social engineering the carrier to transfer the victim's number to an attacker-controlled SIM. Both exploit the fundamental weakness of SMS as a second authentication factor.",[1081,1122,1124],{"title":1123},"Can I test my operator's SS7 security posture?",[21,1125,1126,1127,1130,1131,1134,1135,1139],{},"Not independently — SS7 security testing requires authorized interconnect access and specialized ",[31,1128,1129],{"href":816},"signaling analysis tools",". Organizations can commission ",[31,1132,1133],{"href":764},"telecom pentesting methodology"," engagements that include SS7 firewall validation. 
TelcoSec offers ",[31,1136,1138],{"href":1137},"/services/corporate-training/","corporate training"," programs that include hands-on SS7 security assessment labs.",[13,1141],{},[16,1143,1145],{"id":1144},"conclusion-next-steps","Conclusion & Next Steps",[21,1147,1148],{},"SS7 location tracking remains one of the most pervasive and underestimated threats in telecommunications security. The protocol's inherent trust model — designed for a different era — creates vulnerabilities that no amount of patching can fully address. While the protocol itself cannot be redesigned, proactive deployment of signaling firewalls, GSMA CAT/DASS rule-sets, SMS home routing, and active monitoring can dramatically reduce exposure.",[21,1150,1151,1152,1155,1156,1158],{},"The long-term solution is complete migration to ",[31,1153,1154],{"href":33},"5G Standalone architecture"," with proper SEPP deployment and legacy interworking gateway hardening. Until that transition is complete (estimated 2030+ globally), SS7 security must remain a top priority for every mobile network operator. Understanding ",[31,1157,39],{"href":38}," protocol evolution provides essential context for building a comprehensive defense strategy.",[21,1160,1161,1162,1166,1167,1171,1172,1176,1177,1181],{},"TelcoSec provides comprehensive ",[31,1163,1165],{"href":1164},"/glossary/#ss7","SS7"," security assessments, including simulated attack campaigns to validate your signaling firewall effectiveness. 
Explore the ",[31,1168,1170],{"href":1169},"/projects/academy/","TelcoSec Academy"," for structured learning paths, review our ",[31,1173,1175],{"href":1174},"/projects/3gpp/","3GPP specification navigator"," for standards reference, or browse the ",[31,1178,1180],{"href":1179},"/projects/library/","TelcoSec research library"," for additional signaling intelligence.",[1183,1184],"telecom-security-cta",{"title":1185,"description":1186,"ctalink":1187,"ctatext":1188,"context":1189},"MASTER SIGNALING EXPLOITATION?","Enroll in the Academy to access the SS7/MAP research vault, signaling fuzzers, and private interconnect labs. Master the protocols that power global mobile roaming.","https://app.telcosec.net/api/auth/login","ENROLL IN SS7 SIGNALING LABS [→]","ss7_security",{"title":63,"searchDepth":1191,"depth":1191,"links":1192},2,[1193,1194,1199],{"id":18,"depth":1191,"text":19},{"id":91,"depth":1191,"text":92,"children":1195},[1196,1198],{"id":107,"depth":1197,"text":108},3,{"id":234,"depth":1197,"text":235},{"id":282,"depth":1191,"text":283,"children":1200},[1201,1202,1203,1204],{"id":289,"depth":1197,"text":290},{"id":315,"depth":1197,"text":316},{"id":326,"depth":1197,"text":327},{"id":340,"depth":1197,"text":341},"signaling/ss7","z6Rp9A_UwT8O0Q1IK7y7Q2vO-mspk2bMEYad9JTg6R8",[],1782059596357]