TelcomIQ

Signalling Security

Severity: critical

SS7 · Diameter · MAP · SIGTRAN

SS7 was designed in the 1980s for a closed, trusted network of a few hundred operators. Today it interconnects thousands of carriers worldwide — and that trust model is irreparably broken. Any entity with purchased or compromised access to an SS7 node can send messages that appear to originate from a legitimate network element. The attack surface is the entire global telephone network, and it has been actively exploited by intelligence agencies, criminal groups, and commercial surveillance vendors for over a decade. Diameter, SS7's 4G-era successor, inherited the same design assumptions and carries many of the same vulnerabilities into modern core networks.

Threat vectors

Location tracking via MAP

Severity: critical

Attackers send MAP SendRoutingInfoForSM or ProvideSubscriberInfo requests to an HLR/HSS, which responds with the subscriber's current serving MSC and cell ID. Combined with cell tower databases, this resolves to physical location within metres — without any interaction with the target device. The attack requires only a valid SCCP global title and takes milliseconds to execute.

Call interception via MAP RegisterSS

Severity: critical

MAP RegisterSS (Supplementary Service) messages allow an attacker to register an unconditional call forward on the victim's number, silently redirecting incoming calls to an attacker-controlled line. The victim receives no notification. The attacker records or transcribes the call, then optionally bridges it back to maintain transparency.

SMS interception for OTP theft

Severity: critical

Using MAP SendRoutingInfoForSM to obtain the subscriber's current SMSC and MSRN, an attacker can re-route SMS delivery through their own node. One-time passwords, banking alerts, and 2FA codes sent over SMS are intercepted before reaching the victim. This technique has been used in targeted attacks against banking customers and political figures.

Denial of service via MAP CancelLocation

Severity: high

MAP CancelLocation allows a network element to deregister a subscriber from their current VLR, forcing a location update. Repeated cancellation prevents the subscriber from receiving calls or SMS and exhausts the handset's battery through constant re-registration attempts. A subscriber can be rendered effectively unreachable with a continuous stream of spoofed CancelLocation messages.

IMSI harvesting via Diameter

Severity: high

Diameter S6a queries (used in 4G for HSS lookups) can be abused to extract subscriber IMSI values and location data from the HSS. Unlike SS7, Diameter was expected to operate in a more controlled environment — but GRX/IPX interconnects expose it to the same inter-operator abuse patterns. Diameter-based attacks have grown substantially as operators migrate core traffic to LTE.

Impact

  • Physical safety risks from precise location tracking — documented cases include targeted violence, stalking, and kidnapping facilitated by SS7 location data sold through commercial brokers.
  • Mass financial fraud via OTP interception — SS7-enabled SMS interception has been used to bypass 2FA on banking and cryptocurrency platforms, resulting in account takeovers at scale.
  • Espionage and corporate intelligence gathering — nation-state actors routinely use SS7 access to monitor communications of diplomatic, military, and corporate targets.
  • Regulatory and reputational exposure for operators — carriers that fail to deploy SS7 firewalls face regulatory action in multiple jurisdictions and civil liability when subscriber data is compromised.

Mitigations & solutions

Deploy an SS7 signalling firewall

Implement GSMA FS.11 category-based filtering at the international gateway. A properly configured firewall rejects Category 1 messages unconditionally (e.g., MAP SRI-SM from foreign networks with no roaming agreement) and validates Category 2/3 messages against subscriber context. This is the single highest-impact control available.
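The following is an added illustration, not TelcomIQ's code or a vendor's firewall: a simplified FS.11-style category filter for MAP operations arriving at the international gateway. The category table, the home PLMN, the roaming-partner set, and the MapMessage fields are all constructed assumptions; the authoritative per-operation category lists are in GSMA FS.11 itself. Category 1 operations are rejected outright, category 2 operations must originate from the inbound roamer's own home network, and category 3 operations are checked against the subscriber context held by the home HLR (roaming agreement plus last registered location).

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed reference data (assumptions for this example).
HOME_PLMN = "234-15"                      # MCC-MNC of the home network
ROAMING_PARTNERS = {"262-01", "208-10"}   # PLMNs with a signed roaming agreement

# Simplified category table, assumed for illustration; the authoritative
# per-operation lists are in GSMA FS.11.
CATEGORY = {
    "anyTimeInterrogation": 1,
    "sendIMSI": 1,
    "provideSubscriberInfo": 1,
    "insertSubscriberData": 2,
    "cancelLocation": 2,
    "deleteSubscriberData": 2,
    "updateLocation": 3,
    "sendRoutingInfoForSM": 3,
    "provideRoamingNumber": 3,
}


@dataclass
class MapMessage:
    opcode: str        # MAP operation name
    origin_plmn: str   # MCC-MNC resolved from the calling-party global title
    imsi: str          # subscriber the operation concerns


def imsi_plmn(imsi: str) -> str:
    """MCC-MNC of an IMSI. Constructed IMSIs here use two-digit MNCs."""
    return f"{imsi[:3]}-{imsi[3:5]}"


def filter_map(msg: MapMessage, hlr_location: Dict[str, str]) -> Tuple[str, str]:
    """Decide whether an interconnect MAP message is admitted.

    hlr_location maps a home IMSI to the PLMN where the home HLR last
    registered it (the subscriber context used for category 3 checks).
    Returns (verdict, reason).
    """
    cat = CATEGORY.get(msg.opcode)
    if cat is None:
        return "REJECT", "operation not permitted on interconnect"
    if cat == 1:
        return "REJECT", "category 1: never valid from another network"

    sub_plmn = imsi_plmn(msg.imsi)
    if cat == 2:
        # Profile-management operations for an inbound roamer must come from
        # that roamer's own home network. For home subscribers they originate
        # inside the home network and should never cross the gateway.
        if sub_plmn == HOME_PLMN:
            return "REJECT", "category 2: home subscriber, internal operation only"
        if msg.origin_plmn != sub_plmn:
            return "REJECT", "category 2: origin is not the subscriber's home PLMN"
        return "ALLOW", "category 2: origin is the subscriber's home PLMN"

    # Category 3: operations about our own outbound roamers from visited networks.
    if sub_plmn != HOME_PLMN:
        return "REJECT", "category 3: subscriber does not belong to home network"
    if msg.origin_plmn not in ROAMING_PARTNERS:
        return "REJECT", "category 3: no roaming agreement with origin"
    last_seen = hlr_location.get(msg.imsi)
    if msg.opcode != "updateLocation" and last_seen is not None and last_seen != msg.origin_plmn:
        # The subscriber is registered elsewhere, so an SRI-SM or PRN from a
        # different partner is implausible. updateLocation is where the location
        # legitimately changes; a real firewall applies a velocity check there,
        # which this example omits.
        return "REJECT", "category 3: origin inconsistent with subscriber's current location"
    return "ALLOW", "category 3: origin plausible for subscriber"


if __name__ == "__main__":
    context = {"234150000000001": "262-01"}   # constructed HLR state
    for m in (MapMessage("provideSubscriberInfo", "262-01", "234150000000001"),
              MapMessage("sendRoutingInfoForSM", "262-01", "234150000000001"),
              MapMessage("sendRoutingInfoForSM", "208-10", "234150000000001")):
        print(m.opcode, m.origin_plmn, filter_map(m, context))
```

The point of the split is that category 1 needs no state at all, while categories 2 and 3 are only decidable with subscriber context, which is why the firewall must sit where it can consult HLR/HSS registration data rather than filter on operation code alone.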

Enable SMS Home Routing

Route all inbound SMS through the home network's SMSC before delivery, stripping the ability for foreign nodes to query the subscriber's true MSRN. This blocks the MAP SRI-SM interception vector at the cost of a marginal latency increase.
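As an added example (not TelcomIQ's code), the exchange below shows what home routing changes in the SRI-SM answer. The HLR table, global titles, IMSI prefix and the simplified field names (imsi, networkNodeNumber) are constructed stand-ins for the real MAP parameters. A foreign originator receives the home SMS router's own GT and a one-time correlation IMSI instead of the subscriber's real IMSI and serving MSC; the later MT-ForwardSM is only deliverable through that correlation, so nothing about the subscriber's location leaves the home network.

```python
import secrets
from typing import Dict, Optional, Tuple

HOME_CC = "44"                     # E.164 country code of the home network (assumed)
HOME_MCC_MNC = "23415"             # IMSI prefix of the home network (assumed)
SMS_ROUTER_GT = "447000000001"     # global title of the home SMS router (assumed)

# Constructed HLR state: MSISDN -> (IMSI, serving MSC global title)
HLR = {"447700900123": ("234150000000123", "447100000007")}


class SmsHomeRouter:
    """SRI-SM / MT-ForwardSM handling with home routing enabled.

    Field names are simplified stand-ins for the MAP parameters.
    """

    def __init__(self, hlr: Optional[Dict[str, Tuple[str, str]]] = None):
        self.hlr = HLR if hlr is None else hlr
        # correlation IMSI -> (real IMSI, serving MSC GT); single use
        self.correlations: Dict[str, Tuple[str, str]] = {}

    def sri_sm(self, msisdn: str, calling_gt: str) -> Optional[dict]:
        """Answer a SendRoutingInfoForSM for msisdn from calling_gt."""
        entry = self.hlr.get(msisdn)
        if entry is None:
            return None                                   # unknown subscriber
        imsi, msc_gt = entry
        if calling_gt.startswith(HOME_CC):
            # Domestic SMSC: the real routing data is returned as before.
            return {"imsi": imsi, "networkNodeNumber": msc_gt}
        # Foreign originator: hand back the router's own GT and a one-time
        # correlation IMSI that keeps the home MCC-MNC so it still parses.
        corr_imsi = f"{HOME_MCC_MNC}{secrets.randbelow(10**10):010d}"
        self.correlations[corr_imsi] = (imsi, msc_gt)
        return {"imsi": corr_imsi, "networkNodeNumber": SMS_ROUTER_GT}

    def mt_forward_sm(self, imsi: str, sm_payload: str) -> Tuple[str, Optional[str]]:
        """Handle an MT-ForwardSM that arrived at the router for imsi.

        Returns ("DELIVER", real MSC GT) when a matching SRI-SM preceded it,
        otherwise ("REJECT", None): a real IMSI or a guessed one never resolves.
        """
        real = self.correlations.pop(imsi, None)
        if real is None:
            return "REJECT", None
        _real_imsi, msc_gt = real
        return "DELIVER", msc_gt


if __name__ == "__main__":
    router = SmsHomeRouter()
    answer = router.sri_sm("447700900123", "491700000001")   # foreign SMSC
    print("foreign SRI-SM answer:", answer)
    print("MT-ForwardSM:", router.mt_forward_sm(answer["imsi"], "OTP 123456"))
    print("domestic SRI-SM answer:", router.sri_sm("447700900123", "447100000050"))
```

The single-use correlation here is deliberately strict to make the replay property visible; a production SMS router normally keys the correlation with a short TTL instead, so that legitimate MT-ForwardSM retries within the window still succeed.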

Monitor for anomalous MAP/Diameter patterns

Deploy real-time analytics on SS7 and Diameter traffic to detect unusual patterns: high-frequency location queries, CancelLocation floods, foreign SRI-SM requests for domestic subscribers, and location queries from unexpected origination points.
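The detection logic below is an added example, not TelcomIQ's or any vendor's analytics: three of the patterns listed above (location-query bursts per originating GT, CancelLocation floods per IMSI, and foreign SRI-SM requests for domestic subscribers) evaluated over a constructed sample of gateway log lines. The log format, thresholds, window size, home country code and home PLMN are all assumptions; each alert is raised once per subject so a sustained flood does not itself flood the analyst.

```python
import csv
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
from io import StringIO

HOME_CC = "44"          # E.164 country code of the home network (assumed)
HOME_PLMN = "234-15"    # MCC-MNC of the home network (assumed)
LOCATION_QUERIES = {"provideSubscriberInfo", "anyTimeInterrogation", "sendRoutingInfoForSM"}
WINDOW = timedelta(seconds=60)
MAX_LOCATION_QUERIES = 5   # per calling GT per window (assumed threshold)
MAX_CANCEL_LOCATION = 3    # per IMSI per window (assumed threshold)

Alert = namedtuple("Alert", "kind subject at")

# Constructed sample of gateway MAP logs: time,opcode,calling_gt,imsi
SAMPLE_LOG = """\
2024-01-15T10:00:00,sendRoutingInfoForSM,491700000001,234150000000001
2024-01-15T10:00:02,provideSubscriberInfo,491700000001,234150000000001
2024-01-15T10:00:04,provideSubscriberInfo,491700000001,234150000000002
2024-01-15T10:00:06,provideSubscriberInfo,491700000001,234150000000003
2024-01-15T10:00:08,provideSubscriberInfo,491700000001,234150000000004
2024-01-15T10:00:10,provideSubscriberInfo,491700000001,234150000000005
2024-01-15T10:00:20,cancelLocation,491700000002,234150000000009
2024-01-15T10:00:25,cancelLocation,491700000002,234150000000009
2024-01-15T10:00:30,cancelLocation,491700000002,234150000000009
2024-01-15T10:05:00,updateLocation,262011234567,234150000000010
2024-01-15T10:05:30,sendRoutingInfoForSM,441700000099,234150000000011
"""


def is_home_imsi(imsi: str) -> bool:
    return imsi.startswith(HOME_PLMN.replace("-", ""))


def is_foreign_gt(gt: str) -> bool:
    return not gt.startswith(HOME_CC)


def _bump(windows, key, ts) -> int:
    """Sliding-window counter: drop events older than WINDOW, record ts, return count."""
    q = windows[key]
    while q and ts - q[0] > WINDOW:
        q.popleft()
    q.append(ts)
    return len(q)


def detect(log_text: str):
    """Run the three detectors over CSV log lines and return the alerts in order."""
    loc_queries = defaultdict(deque)   # calling GT -> recent query timestamps
    cancels = defaultdict(deque)       # IMSI -> recent CancelLocation timestamps
    raised = set()                     # (kind, subject) pairs already alerted
    alerts = []

    def raise_once(kind, subject, ts):
        if (kind, subject) not in raised:
            raised.add((kind, subject))
            alerts.append(Alert(kind, subject, ts))

    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue
        ts_s, opcode, calling_gt, imsi = row
        ts = datetime.fromisoformat(ts_s)
        # Foreign SRI-SM for a domestic subscriber: the home-routing bypass pattern.
        if opcode == "sendRoutingInfoForSM" and is_foreign_gt(calling_gt) and is_home_imsi(imsi):
            raise_once("foreign_sri_sm", calling_gt, ts)
        # Burst of location-revealing queries from one originating GT.
        if opcode in LOCATION_QUERIES and _bump(loc_queries, calling_gt, ts) > MAX_LOCATION_QUERIES:
            raise_once("location_query_rate", calling_gt, ts)
        # Repeated CancelLocation against the same subscriber: denial of service.
        if opcode == "cancelLocation" and _bump(cancels, imsi, ts) >= MAX_CANCEL_LOCATION:
            raise_once("cancel_location_flood", imsi, ts)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert.at.isoformat(), alert.kind, alert.subject)
```

Per-GT and per-IMSI sliding windows are enough for these three signatures; the fourth pattern in the list, queries from unexpected origination points, needs the same subscriber-location context the firewall uses and is better expressed as a lookup against the HLR's last registration than as a counter.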

Enforce GSMA FS.11/FS.19 compliance

Adopt the full GSMA signalling security framework, including FS.11 (SS7), FS.19 (Diameter), and FS.37 (5G interconnect). These define baseline filtering rules, monitoring requirements, and incident response obligations for operators.

Accelerate migration away from SS7

Where technically feasible, migrate signalling traffic to Diameter (4G) or HTTP/2-based SBI (5G SA), combined with SEPP deployment for inter-operator traffic. SS7 cannot be made secure; the goal is reducing the attack surface progressively.