SS7 Attack
What is SS7 Attack?
SS7 AttackAbuse of Signalling System No. 7 inter-carrier messages to locate subscribers, intercept SMS or divert calls anywhere in the world.
Signalling System No. 7 (SS7) is the legacy out-of-band signalling protocol that international carriers use to set up calls, deliver SMS, roam, and route lawful intercepts. The trust model assumes that only licensed carriers can send MAP messages, but the GSMA noted leaks for years and Tobias Engel publicly demonstrated tracking and call-interception attacks at the Chaos Communication Congress in December 2014. With access to an SS7 endpoint (purchased, leased or pirated), an attacker can send AnyTimeInterrogation, SendRoutingInfoForSM or UpdateLocation messages to locate a subscriber, intercept SMS-based 2FA codes, redirect calls, or trigger denial of service. Real-world bank thefts using SS7 SMS interception have been reported in Germany and the UK. Mitigations include SS7 firewalls, GSMA FS.07/FS.11 monitoring, signed Diameter peering in 4G and end-to-end auth apps instead of SMS OTP.
● Examples
- 01
Attacker uses SS7 to intercept a bank's SMS OTP and drain customer accounts.
- 02
Pinpointing a journalist's phone location using AnyTimeInterrogation.
● Frequently asked questions
What is SS7 Attack?
Abuse of Signalling System No. 7 inter-carrier messages to locate subscribers, intercept SMS or divert calls anywhere in the world. It belongs to the Attacks & Threats category of cybersecurity.
What does SS7 Attack mean?
Abuse of Signalling System No. 7 inter-carrier messages to locate subscribers, intercept SMS or divert calls anywhere in the world.
How does SS7 Attack work?
Signalling System No. 7 (SS7) is the legacy out-of-band signalling protocol that international carriers use to set up calls, deliver SMS, roam, and route lawful intercepts. The trust model assumes that only licensed carriers can send MAP messages, but the GSMA noted leaks for years and Tobias Engel publicly demonstrated tracking and call-interception attacks at the Chaos Communication Congress in December 2014. With access to an SS7 endpoint (purchased, leased or pirated), an attacker can send AnyTimeInterrogation, SendRoutingInfoForSM or UpdateLocation messages to locate a subscriber, intercept SMS-based 2FA codes, redirect calls, or trigger denial of service. Real-world bank thefts using SS7 SMS interception have been reported in Germany and the UK. Mitigations include SS7 firewalls, GSMA FS.07/FS.11 monitoring, signed Diameter peering in 4G and end-to-end auth apps instead of SMS OTP.
How do you defend against SS7 Attack?
Defences for SS7 Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for SS7 Attack?
Common alternative names include: SS7 abuse, Signaling System 7 attack.
● Related terms
- attacks№ 521
IMSI Catcher
A fake cell-site that tricks nearby phones into revealing their IMSI/IMEI and, on weak networks, intercepting calls and SMS.
- attacks№ 1104
Stingray
A commercial cell-site simulator originally made by Harris Corporation that mimics a base station to collect IMSIs and track or intercept mobile devices.
- attacks№ 1046
SIM Cloning
Copying the secret key Ki from a SIM card so that a second card can impersonate the original on the mobile network.
- attacks№ 1059
Smishing
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
● See also
- № 822Phreaking