HLR

Home Location Register — the subscriber database of 2G/3G networks

Type: node

Generations: 2G, 3G

Threat level: high

Overview

The HLR — Home Location Register — is the authoritative subscriber database at the heart of every 2G and 3G mobile network. Every MSISDN on the network has a corresponding record in the operator's HLR, containing the subscriber's IMSI, their current serving location, root authentication key, and the full set of subscribed services.

The HLR is not in the traffic path. It does not carry calls, SMS, or data. It answers queries. When a call arrives for a roaming subscriber, the Gateway MSC sends a Send Routing Info (SRI) request to discover which visited MSC currently serves them. When a handset powers on, the VLR contacts the HLR to download the subscriber's profile. When an SMS must be delivered to a roaming subscriber, the SMSC queries the HLR to find their serving SGSN. Every one of these operations passes through the HLR via the Mobile Application Part (MAP) protocol carried over SS7.

This central role makes the HLR the most information-dense node in the 2G/3G core. A national HLR may hold records for tens of millions of subscribers and answer thousands of MAP queries per second at peak. From a security perspective, the HLR is the single most valuable target for an attacker with SS7 access: it can reveal the real-time location of any subscriber, expose authentication material, and be manipulated to deny service.

The HLR is a 2G/3G-era design. In 4G EPC, the HSS superseded it, speaking Diameter rather than MAP. In 5G standalone, the UDM assumes the same role over the Service-Based Interface. Many operators run combined HLR/HSS nodes to serve mixed-generation networks from a single database.


How it works

The HLR maintains two categories of data: permanent subscriber records and transient location state. The core procedures centre on authentication, location management, and routing support.

Authentication vector generation

Every subscriber has a root secret — Ki in 2G, K in 3G — stored in the HLR alongside the matching IMSI. When an MSC or SGSN needs to authenticate a subscriber, it sends a Send Authentication Info (SAI) MAP request to the HLR. For 2G, the HLR uses Ki and the A3/A8 algorithms to produce sets of authentication triplets: RAND, SRES, and Kc. For 3G, it uses the UMTS AKA mechanism to produce authentication quintuplets: RAND, AUTN, XRES, CK, and IK. These are returned to the requesting node and used to challenge the handset. The HLR pre-generates batches of vectors; the requesting node stores them locally and uses them one-by-one without re-querying the HLR for each authentication.

Location management

When a subscriber registers on a VLR or SGSN for the first time, that node sends an Update Location (UL) MAP request to the HLR. The HLR records the new serving node's address, then sends a Cancel Location to whichever VLR or SGSN previously held the subscriber. It follows this with an Insert Subscriber Data (ISD) message that pushes the subscriber's full profile to the new serving node. The HLR therefore always knows which serving node holds each subscriber, without needing to be consulted for every subsequent service request within the same location area.

Call routing via SRI

For mobile-terminating calls, the Gateway MSC does not know where the subscriber is roaming. It sends a Send Routing Info (SRI) MAP request to the HLR, specifying the called MSISDN. The HLR looks up the subscriber's current serving MSC address and triggers that MSC to allocate a Mobile Subscriber Roaming Number (MSRN) — a temporary E.164 number that routes the call. The MSRN is returned to the GMSC, which then routes the call directly to the visited MSC.
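
The location-management and SRI procedures above can be followed in a small in-memory model. This is an added example, not code from any HLR product: the class, node names, IMSI and MSISDN are constructed, and real MAP messages are ASN.1 structures carried in TCAP rather than Python tuples.

```python
from dataclasses import dataclass, field

@dataclass
class ToyHLR:
    """In-memory model of HLR location state (constructed; not a MAP stack)."""
    profiles: dict                                  # IMSI -> subscription profile
    msisdn_to_imsi: dict                            # MSISDN -> IMSI
    serving: dict = field(default_factory=dict)     # IMSI -> serving node address

    def update_location(self, imsi, new_node):
        """Handle Update Location; return the messages the HLR emits, in order."""
        if imsi not in self.profiles:
            return [("UpdateLocationError", new_node, "unknown subscriber")]
        sent = []
        old = self.serving.get(imsi)
        self.serving[imsi] = new_node               # record the new serving node
        if old and old != new_node:
            sent.append(("CancelLocation", old, imsi))   # deregister at the old node
        sent.append(("InsertSubscriberData", new_node, self.profiles[imsi]))
        return sent

    def send_routing_info(self, msisdn, allocate_msrn):
        """Handle SRI from the GMSC; the serving MSC allocates the MSRN."""
        imsi = self.msisdn_to_imsi.get(msisdn)
        node = self.serving.get(imsi)
        if node is None:
            return None                             # unknown or not registered
        # The HLR asks the serving MSC for a roaming number and relays it.
        return allocate_msrn(node, imsi)

def demo():
    """Register a subscriber, move them to a second VLR, then route a call."""
    imsi, msisdn = "001010000000001", "15550100"    # constructed test identities
    hlr = ToyHLR(profiles={imsi: {"services": ["voice", "sms"]}},
                 msisdn_to_imsi={msisdn: imsi})
    first = hlr.update_location(imsi, "vlr-home")
    second = hlr.update_location(imsi, "vlr-visited")
    msrn = hlr.send_routing_info(msisdn, lambda node, _imsi: f"msrn-via-{node}")
    return first, second, msrn

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The model changes state on any Update Location it receives; it has no notion of who sent the request, which is the property the Security posture section describes.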


Architecture role

In a 2G/3G network the HLR sits at the convergence point of all identity and mobility operations. It is queried by the MSC pool, the SGSN pool, the SMSC, and in some deployments by CAMEL service control points — all via MAP over SS7.

Operators typically deploy one or two physical HLRs with full replication, serving the entire national subscriber base. The HLR connects to the SS7 network via a pair of mated STPs, which provide the point-code routing that allows any MSC or SGSN to reach it without direct peering. The STP infrastructure is therefore a prerequisite for normal HLR operation.

In 2G GSM: The HLR is queried via the C interface by the GMSC for call routing, and via the D interface by the VLR for location registration and profile download. The Gr interface connects it to the SGSN for GPRS authentication and location. The Gc interface allows the GGSN to query it for address resolution, though this is rarely used in practice.

In 3G UMTS: The same MAP procedures apply. The subscription record is extended to include UMTS bearer capabilities and WCDMA security parameters.

In 4G: The HLR is not natively present. However, most operators deploy combined HLR/HSS products that expose both a MAP interface for 2G/3G traffic and a Diameter interface for the 4G MME. This allows a single subscriber database to serve all three generations during the extended migration period.


Key interfaces

Interface | Between     | Protocol | Purpose
C         | GMSC ↔ HLR  | MAP/SS7  | Routing info for mobile-terminating calls; SRI triggers MSRN allocation
D         | HLR ↔ VLR   | MAP/SS7  | Location update, Cancel Location, Insert Subscriber Data
Gr        | SGSN ↔ HLR  | MAP/SS7  | GPRS location update, GPRS authentication, subscription download
Gc        | GGSN ↔ HLR  | MAP/SS7  | Subscriber address resolution (Send Routing Info for GPRS)

Security posture

The HLR is the highest-value target in a 2G/3G network for an attacker with SS7 access. It holds authentication keys for every subscriber and knows their real-time serving location — and the MAP protocol over which it is accessed provides no authentication mechanism. Any SS7-connected node that knows a subscriber's MSISDN can query the HLR and receive sensitive operational data in response.

This is not a misconfiguration. MAP was designed in an era when SS7 access was limited to a small number of regulated national operators. Commercial SS7 access is now available, and any query that a legitimate SMSC or GMSC can send, an attacker can replicate. The HLR has no way to distinguish them.

The combination of abundant sensitive data and absent authentication makes the HLR the primary target for the class of SS7-based subscriber surveillance attacks that have been publicly demonstrated since 2014. An attacker querying the HLR does not need to be on the radio access network, does not need to be near the subscriber, and cannot be detected by the subscriber in any way.


Attack surface

Subscriber data harvesting via ATI

The Any Time Interrogation (ATI) MAP operation is intended for value-added service providers querying subscriber state. It returns the IMSI, current serving MSC or SGSN address, location area, and IMEI. An attacker with SS7 access can send ATI to the HLR for any MSISDN — no subscriber interaction required.

Impact: IMSI and real-time cell-level location disclosure. IMSI enables IMSI catchers and further attacks against the subscriber's radio interface. Difficulty: Low. A single MAP message to the HLR is sufficient.

Authentication vector theft via SAI

The Send Authentication Info (SAI) MAP operation requests authentication triplets or quintuplets from the HLR. 2G triplets (RAND/SRES/Kc) can be used in conjunction with a rogue BTS to conduct a man-in-the-middle attack against the subscriber's 2G radio connection, decrypting their traffic or intercepting calls in real time.

Impact: Authentication material theft; enables 2G radio MITM attacks. Difficulty: Medium. Requires SS7 access plus rogue base station equipment for full exploitation.

Denial of service via spoofed Update Location

An attacker can send a spoofed Update Location MAP message impersonating a foreign SGSN, claiming the subscriber has attached to a non-existent network node. The HLR sends a Cancel Location to the subscriber's real serving node, deregistering them. The subscriber loses service until they reattach.

Impact: Targeted subscriber denial of service. Difficulty: Low. One MAP message with a plausible SGSN address is sufficient.


Mitigations

The primary technical control is a signalling firewall at the SS7 network boundary, configured per GSMA FS.11 category classifications.

  • FS.11 category controls: ATI maps to Category 2 in the GSMA classification — dangerous without additional context from a roaming partner. A properly configured firewall blocks ATI from non-home network peers or validates it against a service subscriber list. SAI from non-serving nodes is Category 1.

  • GT whitelist validation: Validate the originating Global Title of every inbound MAP request against the IR.21 database for the claimed originating network. GT spoofing is a prerequisite for most MAP-based HLR attacks; rejecting unrecognised GTs eliminates the majority of attack traffic.

  • Volume anomaly detection: A foreign network sending hundreds of SRI or ATI queries per hour for subscribers not actively roaming there is performing surveillance. Define baseline thresholds per interconnect partner and alert on deviation.

  • HLR access control lists: Enterprise-grade HLR products support per-operation access control lists keyed on SCCP originating address. Use these to restrict SAI access to a whitelist of known MSC/SGSN Global Titles.
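
The checks in the list above can be combined into one screening pass over inbound MAP requests. This is an added example, not code from a signalling firewall product: the Global Titles, network names, limits and request records are constructed, and the GT table is a stand-in for IR.21 data.

```python
from collections import Counter

# Constructed policy data: GTs, network names and limits are illustrative.
HOME = "home"
NETWORK_GTS = {HOME: ("99900",), "partner-a": ("99901",)}  # stand-in for IR.21 data
SAI_ACL = {"999000001", "999010001"}    # MSC/SGSN GTs allowed to send SAI
HOURLY_LIMIT = {"partner-a": 2}         # SRI baseline per interconnect partner
ROAMING_IN = {"15550100": "partner-a"}  # MSISDN -> network currently serving it

def screen(events):
    """Return one (verdict, reason) pair per MAP request, in input order."""
    seen = Counter()                    # (network, hour) -> SRI queries counted
    out = []
    for ev in events:
        net, gt, op = ev["network"], ev["gt"], ev["op"]
        if not gt.startswith(NETWORK_GTS.get(net, ())):
            out.append(("reject", "GT not registered for claimed network"))
        elif op == "ATI" and net != HOME:
            out.append(("reject", "ATI from non-home peer"))
        elif op == "SAI" and gt not in SAI_ACL:
            out.append(("reject", "GT not on SAI access list"))
        elif op == "SRI" and net != HOME and ROAMING_IN.get(ev["msisdn"]) != net:
            # Count only queries about subscribers not roaming in the asking network.
            key = (net, ev["ts"] // 3600)
            seen[key] += 1
            if seen[key] > HOURLY_LIMIT.get(net, 0):
                out.append(("alert", "SRI volume above partner baseline"))
            else:
                out.append(("allow", "within baseline"))
        else:
            out.append(("allow", "passed all checks"))
    return out

def req(ts, gt, op, msisdn, network="partner-a"):
    """Build one constructed request record (ts is seconds since epoch)."""
    return {"ts": ts, "network": network, "gt": gt, "op": op, "msisdn": msisdn}

# Constructed sample requests (not captured traffic).
SAMPLE = [
    req(0, "999010001", "SAI", "15550100"),   # listed GT: allowed
    req(10, "888000001", "SRI", "15550101"),  # GT outside partner-a's range
    req(20, "999010009", "SAI", "15550101"),  # valid range, not on SAI list
    req(30, "999010001", "ATI", "15550101"),  # ATI from a foreign peer
    req(40, "999010001", "SRI", "15550101"),
    req(50, "999010001", "SRI", "15550102"),
    req(60, "999010001", "SRI", "15550103"),  # third query this hour: over baseline
    req(70, "999010001", "SRI", "15550100"),  # subscriber is roaming there
]
```

Calling screen(SAMPLE) returns the verdicts in request order; the per-partner limit here is deliberately tiny so the alert fires on a short sample.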


Spec references

  • 3GPP TS 09.02 — The normative MAP specification for GSM/UMTS. Sections 7 and 8 define the HLR procedures for location management and authentication; Section 19 defines ATI and supplementary service interrogation.

  • 3GPP TS 23.008 — Organisation of subscriber data. Defines the data model held in the HLR — subscription profiles, CAMEL data, GPRS subscription data.

  • GSMA FS.11 — SS7 and SIGTRAN Network Security. Annex A maps individual MAP operations to risk categories, with direct relevance to ATI (Category 2), SAI (Category 1), and SRI (context-dependent).


The HLR is the 2G/3G predecessor of the HSS (4G Diameter-based subscriber database) and the UDM (5G SBI-based equivalent). All HLR operations use MAP carried over SS7, routed through STP nodes.

The primary attack taxonomy against the HLR is documented in SS7 attacks. The MSC queries the HLR via the C and D interfaces for call setup and authentication; the SGSN uses the Gr interface for GPRS operations.