Overview
MAP (Mobile Application Part) is the application-layer protocol that runs over the SS7 stack and carries virtually all subscriber management signalling in 2G and 3G mobile networks. Where SS7 defines the lower transport layers (MTP, SCCP, TCAP), MAP defines the specific operations that network nodes use to register subscribers, authenticate USIMs, route calls and SMS, coordinate roaming, and manage supplementary services. In practical terms, MAP is what the HLR and MSC speak to each other: SS7 is the road; MAP is the conversation that travels on it.
MAP is the source of nearly every SS7 security vulnerability that has been widely discussed and exploited since the 2014 Tobias Engel and Karsten Nohl disclosures. The location tracking, SMS interception, and subscriber denial-of-service attacks that made SS7 security a mainstream concern are all MAP-level attacks: they exploit specific MAP operations (SRI, ATI, ISD, CancelLocation) rather than lower SS7 layers. Understanding MAP is essential for understanding what a signalling firewall actually blocks and why.
MAP is specified by 3GPP as a Remote Procedure Call protocol running over TCAP (Transaction Capabilities Application Part). Each MAP operation is a TCAP Invoke that a sending node delivers to a receiving node, addressed via SCCP Global Title (GT). The receiving node executes the requested operation and returns a TCAP Return Result. There is no authentication, no authorisation check, and no mechanism for the receiving node to verify that the sending node has the right to make the request. The trust model assumes all nodes on the SS7 network are operated by regulated telecommunications providers, an assumption that has not been reliable for over a decade.
MAP version 3 (Release 99, TS 29.002) is the version deployed in most live networks. It extended earlier versions to cover GPRS subscriber management (the Gr interface between SGSN and HLR) and enhanced authentication procedures.
How it works
Protocol stack
MAP sits at the top of the SS7 protocol stack:
- MTP 1-3: Physical, link, and network layers. Provides point-code-based routing between SS7 nodes.
- SCCP: Adds Global Title addressing, which allows messages to be addressed to a phone number or IMSI rather than a fixed point code, enabling flexible routing through Signal Transfer Points.
- TCAP: Transaction Capabilities Application Part. Provides the invoke/return framework that MAP uses. A TCAP Begin message carries the initial MAP invoke; a TCAP End carries the MAP return result.
- MAP: The application layer. Defines each specific operation (SendRoutingInfo, UpdateLocation, etc.), the parameters each carries, and the expected responses.
In IP-based networks, SS7 is carried over SIGTRAN (SS7 over IP), with M3UA replacing MTP at the transport layer. The MAP layer itself does not change.
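Global Title addressing is what both the routing described above and any later origin check rely on, so it helps to see how a GT is actually carried. The following Python decoder for the SCCP called/calling party address parameter (ITU-T Q.713) is an added example, not code from the page or from any 3GPP or GSMA deliverable; the two sample addresses are constructed byte strings, not captures, and the SSN and numbering-plan name tables cover only the values needed here.

```python
"""Decode an SCCP called/calling party address (ITU-T Q.713) carrying a Global Title.

Added example: not code from the page or from any 3GPP/GSMA deliverable. The two
sample addresses at the bottom are constructed, not captured from a live network.
"""
from dataclasses import dataclass
from typing import Optional

# Subsystem numbers used in GSM/UMTS core signalling (subset).
SUBSYSTEMS = {6: "HLR", 7: "VLR", 8: "MSC", 9: "EIR", 10: "AuC", 149: "SGSN", 150: "GGSN"}
NUMBERING_PLANS = {1: "E.164 (ISDN/telephony)", 6: "E.212 (IMSI)", 7: "E.214 (mobile global title)"}
NATURE_OF_ADDRESS = {1: "subscriber number", 3: "national significant number", 4: "international number"}


@dataclass(frozen=True)
class SccpAddress:
    route_on_gt: bool                   # False means route on point code + SSN
    point_code: Optional[int]
    ssn: Optional[int]
    translation_type: Optional[int]
    numbering_plan: Optional[int]
    nature_of_address: Optional[int]
    global_title: Optional[str]         # decimal digits, e.g. "491799000001"

    @property
    def subsystem(self) -> str:
        return SUBSYSTEMS.get(self.ssn, f"SSN {self.ssn}")


def decode_bcd_digits(data: bytes, odd_count: bool) -> str:
    """Q.713 packs two digits per octet, first digit in the low nibble.

    With an odd digit count the high nibble of the last octet is a 0000 filler.
    """
    digits = []
    for octet in data:
        digits.append(str(octet & 0x0F))
        digits.append(str(octet >> 4))
    if odd_count:
        digits.pop()
    return "".join(digits)


def decode_sccp_address(data: bytes) -> SccpAddress:
    """Parse the variable-length called/calling party address parameter."""
    if not data:
        raise ValueError("empty SCCP address")
    ai = data[0]                          # address indicator octet
    pc_present = bool(ai & 0x01)
    ssn_present = bool(ai & 0x02)
    gt_indicator = (ai >> 2) & 0x0F
    route_on_ssn = bool(ai & 0x40)        # 0 = route on GT, 1 = route on PC + SSN
    pos = 1

    point_code = None
    if pc_present:                        # 14-bit ITU point code, least significant octet first
        point_code = data[pos] | ((data[pos + 1] & 0x3F) << 8)
        pos += 2

    ssn = None
    if ssn_present:
        ssn = data[pos]
        pos += 1

    tt = np = nai = gt = None
    if gt_indicator == 4:                 # GT carries TT, numbering plan/encoding scheme, NAI
        tt = data[pos]
        np = data[pos + 1] >> 4
        encoding_scheme = data[pos + 1] & 0x0F   # 1 = BCD odd digit count, 2 = BCD even
        nai = data[pos + 2] & 0x7F
        pos += 3
        if encoding_scheme not in (1, 2):
            raise ValueError(f"unsupported encoding scheme {encoding_scheme}")
        gt = decode_bcd_digits(data[pos:], odd_count=(encoding_scheme == 1))
    elif gt_indicator != 0:
        raise ValueError(f"GT indicator {gt_indicator} not handled by this example")

    return SccpAddress(not route_on_sSN if False else not route_on_ssn, point_code, ssn, tt, np, nai, gt)


# Constructed samples: an HLR addressed by an even-length GT and an MSC by an odd-length GT.
SAMPLE_HLR_ADDRESS = bytes.fromhex("1206001204947199000010")
SAMPLE_MSC_ADDRESS = bytes.fromhex("12080011043316325406")

if __name__ == "__main__":
    for raw in (SAMPLE_HLR_ADDRESS, SAMPLE_MSC_ADDRESS):
        a = decode_sccp_address(raw)
        print(a.subsystem, a.global_title, NATURE_OF_ADDRESS.get(a.nature_of_address), a.route_on_gt)
```

Run as a script it prints the subsystem, GT digits, nature of address and routing mode of each sample. The calling party address of an inbound MAP message is decoded the same way, and its `global_title` is the value a signalling firewall compares against partner GT ranges.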
Key MAP operations
Location management:
- UpdateLocation (UL): Sent by MSC or SGSN to HLR when a subscriber registers in a new serving node. The HLR updates its location record and sends InsertSubscriberData to push the subscriber's profile. The HLR then sends CancelLocation to the previous MSC/SGSN to deregister the old context.
- CancelLocation (CL): Sent by HLR to MSC/SGSN/VLR to deregister a subscriber. Legitimate use: prior registration cleanup. Attack use: force deregistration to deny service.
- InsertSubscriberData (ISD): HLR pushes subscriber profile (MSISDN, IMSI, service triggers, supplementary services) to the MSC/VLR. Can also be sent mid-session to update the profile. Attack use: push modified profile to activate call forwarding or supplementary services.
- PurgeMS (PMS): Sent by SGSN to HLR to indicate a subscriber has powered off.
Authentication:
- SendAuthenticationInfo (SAI): MSC or SGSN requests authentication triplets (2G: RAND/SRES/Kc) or quintets (3G: RAND/AUTN/XRES/CK/IK) from the HLR. The HLR generates vectors using the subscriber's Ki and returns them. The MSC uses the vectors to challenge the UE.
Call routing:
- SendRoutingInfo (SRI): The primary MAP call routing operation. A GMSC receiving an incoming call sends SRI to the subscriber's HLR. The HLR returns the subscriber's current serving MSC address and IMSI. The GMSC then sends ProvideRoamingNumber to the serving MSC to get a temporary MSRN for call routing. Attack: any node with SS7 access can send SRI to any HLR, revealing the subscriber's serving MSC and IMSI.
- ProvideRoamingNumber (PRN): Sent by GMSC to serving MSC to obtain an MSRN for terminating call routing. Attack: fake PRN to claim an MSRN and intercept the call.
SMS routing:
- SendRoutingInfoForSM (SRI-SM): SMSC queries the HLR for the subscriber's serving MSC or SGSN before delivering an SMS. Returns the serving node address and IMSI. Attack: SRI-SM reveals the serving node; used to redirect SMS via Register SS / Call Forwarding.
- ForwardSM / MT-ForwardSM: SMSC to serving MSC for SMS delivery.
- MO-ForwardSM: MSC to SMSC for mobile-originated SMS.
Subscriber interrogation:
- AnyTimeInterrogation (ATI): Queries the HLR for a subscriber's IMSI, current location (VLR number), and IMEI. Intended for value-added service providers. Attack: ATI reveals IMSI and location information with no subscriber interaction.
Architecture role
MAP is the signalling glue of the 2G and 3G core. Every function that requires one node to ask another about a subscriber (authentication, location update, call routing, SMS delivery, supplementary service management) is a MAP operation.
In 2G GSM: MAP runs natively over SS7 MTP/SCCP/TCAP. The HLR implements MAP as its primary interface to the MSC (for call routing and location updates) and VLR (for subscriber data delivery). The STP routes MAP messages between nodes based on SCCP Global Title.
In 3G UMTS: MAP continues on the same SS7 stack with SGSN added as a new MAP consumer; the Gr interface (SGSN-HLR) uses the same MAP UpdateLocation and SendAuthenticationInfo operations as the 2G MSC-HLR path.
In 4G EPC: MAP is not used for LTE access. The HSS uses Diameter S6a instead. However, MAP persists for the SMS-over-SGs path (SMS delivered via MAP through the VLR/MSC even for LTE subscribers on CSFB) and in operators running combined 2G/3G/4G networks.
In 5G SA: MAP is absent from the native 5G core. But operators maintaining 2G/3G fallback retain MAP exposure through the legacy core path.
Key interfaces
| Interface | Between | Direction | Purpose |
|---|---|---|---|
| B | MSC - VLR | Bidirectional | Subscriber data queries from MSC to its co-located VLR |
| C | GMSC - HLR | Request/response | SRI: routing info for incoming call setup |
| D | HLR - VLR | Bidirectional | Location update, ISD, CancelLocation |
| E | MSC - MSC | Bidirectional | Inter-MSC handover and SMS delivery |
| F | MSC - EIR | Request/response | IMEI equipment identity check |
| Gr | SGSN - HLR | Bidirectional | GPRS location update, authentication for packet access |
| Gc | GGSN - HLR | Request/response | Address resolution for network-initiated PDP context |
| Gd | SGSN - SMSC | Bidirectional | SMS delivery to roaming packet-attached subscribers |
Security posture
MAP's security posture is identical to SS7's: it is the application layer through which SS7 attacks are executed. The absence of authentication at every level of the SS7/MAP stack means that any node with SS7 connectivity can invoke any MAP operation against any other node. The GSMA FS.11 framework categorises MAP operations by their abuse potential (Categories 1-5), with Category 1 being operations that are unconditionally dangerous when received from a roaming interconnect partner and should be blocked entirely.
The MAP threat landscape is well-documented, with real-world exploitation confirmed by multiple government intelligence agencies, commercial surveillance vendors (who sell SS7 access as a product), and independent security researchers. MAP attacks are not theoretical; they are operationally in use against live networks globally. The primary defence is a signalling firewall that enforces FS.11 category filtering at the SS7 interconnect boundary.
Attack surface
Location tracking via SRI
Send Routing Info is intended to enable call routing. The GMSC sends SRI to the HLR when an incoming call arrives; the HLR returns the subscriber's serving MSC address. Since MSC addresses map to known geographic areas (coverage regions or cities), an attacker sending repeated SRI queries for a target MSISDN tracks the subscriber's movements without their knowledge.
Impact: Real-time location tracking at MSC-area granularity. With correlation against operator cell mapping data, tracking to within a few kilometres.
Difficulty: Low. Requires only SS7 access and the target MSISDN. The HLR responds without any authorisation check.
SMS interception via SRI-SM and Register SS
The attacker sends a Register SS MAP message to the target subscriber's VLR, activating unconditional call forwarding to an attacker-controlled number. When a legitimate SMS is sent to the target, the SMSC sends SRI-SM to the HLR. The HLR returns the subscriber's SGSN. The SMSC then delivers the SMS to the subscriber's actual SGSN, but the subscriber also has call forwarding active, so a copy of the SMS or a forwarded SMS response is sent to the attacker's number. For SMS-based 2FA systems (banking OTPs, account recovery codes), this is a complete authentication bypass.
Impact: Interception of SMS, including 2FA codes, banking OTPs, and account recovery messages.
Difficulty: Medium. Requires SS7 access and knowledge of the target's VLR address (obtainable via SRI).
IMSI harvesting via ATI
Any Time Interrogation returns IMSI, current VLR number, and IMEI for a target MSISDN. IMSI is the subscriber's permanent identifier; knowing it enables a range of further attacks including SS7 IMSI-based operations and IMSI catcher correlation.
Impact: IMSI and location disclosure. IMSI enables further targeted MAP attacks using IMSI rather than MSISDN.
Difficulty: Low. Many HLRs respond to ATI from any node on the SS7 network.
Subscriber denial of service via Cancel Location
CancelLocation is sent by the HLR to deregister a subscriber from their current MSC. An attacker sending a spoofed CancelLocation to a target subscriber's VLR forces the VLR to remove the registration. The subscriber is effectively off the network until their handset retries registration.
Impact: Targeted denial of service for specific subscribers. Can be made continuous: each time the subscriber re-registers, a new CancelLocation is sent.
Difficulty: Low. One MAP message is sufficient. The VLR has no mechanism to verify the CancelLocation is from the legitimate HLR.
Call interception via PRN manipulation
The GMSC sends ProvideRoamingNumber to the subscriber's serving MSC to obtain an MSRN for call routing. If an attacker can send a PRN to the MSC and receive the MSRN, or manipulate the PRN response, they can claim the MSRN and position themselves as the terminating point for the subscriber's incoming call.
Impact: Incoming call interception. Requires chaining with SRI to identify the serving MSC.
Difficulty: High. Requires precise timing to race the legitimate GMSC.
Mitigations
The definitive reference for MAP security controls is GSMA FS.11. Its category framework is the operational baseline for signalling firewall configuration:
- Category 1 blocking: MAP operations that are unconditionally dangerous from a roaming interconnect partner. These should be blocked regardless of any contextual information. Examples: InsertSubscriberData from a foreign network (only the home HLR should send ISD), CancelLocation from a non-home node.
- Category 2 contextual validation: Operations that are sometimes legitimate but require context. Example: SRI is legitimate when an actual call is in progress for the subscriber, suspicious when no call is associated. A firewall applies contextual rules: is there an active call or SMS for this subscriber? If not, block or rate-limit.
- Category 3-5 monitoring: Lower-risk operations that should be logged and monitored for anomalous volumes but not automatically blocked.
- Home network verification: Validate the originating Global Title (GT) of inbound MAP messages against the IR.21 network data for the claimed originating PLMN. GT spoofing is the enabling mechanism for most MAP attacks from external networks.
- SMS Home Routing: Route all inbound SMS via the home network's SMSC before delivery. This prevents the SRI-for-SM rerouting attack because the SMSC is now in the home network, and only the home network's SMSC delivers to the subscriber; an attacker's redirected SMSC cannot be used.
- SRI and ATI rate limiting: Monitor query volumes per originating GT. A legitimate roaming partner sending hundreds of SRI or ATI queries per hour for subscribers not actively roaming to that network is performing surveillance.
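The controls listed above (Category 1 blocking, Category 2 contextual validation, home network verification of the calling GT, and per-GT rate limiting of SRI/ATI) combine into one decision per inbound MAP invoke. The Python policy engine below is an added example written for this page; it is not the page's own code and not a transcription of GSMA FS.11. The category membership is an assumption taken from the examples the text gives (ISD and CancelLocation as Category 1, SRI as Category 2), and the GT prefixes, IMSIs and thresholds are invented.

```python
"""FS.11-style MAP filtering at the interconnect boundary.

Added example: not the page's code and not a transcription of GSMA FS.11. The category
membership follows the examples the text gives (ISD and CancelLocation as Category 1,
SRI as Category 2, SRI/ATI rate limiting); GT prefixes, IMSIs and thresholds are invented.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Assumed category mapping, built from the text's own examples (not the FS.11 annex).
CATEGORY_1 = {"insertSubscriberData", "cancelLocation"}     # only the home HLR may send these
CATEGORY_2 = {"sendRoutingInfo"}                            # needs a call in progress to be legitimate
RATE_LIMITED = {"sendRoutingInfo", "anyTimeInterrogation"}  # per-origin query volume is the signal


@dataclass(frozen=True)
class MapMessage:
    opcode: str        # MAP operation name decoded from the TCAP invoke
    calling_gt: str    # SCCP calling party Global Title, E.164 digits
    imsi: str          # subscriber the operation targets
    ts: float          # arrival time in seconds


@dataclass
class SignallingFirewall:
    home_gt_prefixes: Tuple[str, ...]       # GTs of the home network's own nodes
    partner_gt_prefixes: Tuple[str, ...]    # GT ranges declared by roaming partners (IR.21)
    rate_limit: int = 20                    # rate-limited queries allowed per GT per window
    window_s: float = 3600.0
    _history: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _record_and_check_rate(self, msg: MapMessage) -> bool:
        """Sliding-window count of rate-limited queries from one origin GT."""
        q = self._history[msg.calling_gt]
        q.append(msg.ts)
        while q and msg.ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.rate_limit

    def evaluate(self, msg: MapMessage, active_sessions: Set[str]) -> Tuple[str, str]:
        """Return (verdict, reason); active_sessions holds IMSIs with a call or SMS in progress."""
        if msg.calling_gt.startswith(self.home_gt_prefixes):
            return "allow", "origin is a home-network node"
        # Home network verification: the origin must fall in a declared partner GT range.
        if not msg.calling_gt.startswith(self.partner_gt_prefixes):
            return "block", "calling GT not in any IR.21 partner range"
        # Count every attempt, including ones blocked below, so surveillance volume stays visible.
        over_rate = msg.opcode in RATE_LIMITED and self._record_and_check_rate(msg)
        if msg.opcode in CATEGORY_1:
            return "block", "category 1 operation received from interconnect"
        if msg.opcode in CATEGORY_2 and msg.imsi not in active_sessions:
            return "block", "category 2 operation with no call context for subscriber"
        if over_rate:
            return "block", "per-GT query volume exceeds rate limit"
        return "allow", "category 3-5 operation, logged for monitoring"


def demo() -> List[str]:
    """Run constructed traffic through the firewall and return the verdict for each message."""
    fw = SignallingFirewall(home_gt_prefixes=("4917990",), partner_gt_prefixes=("3361",),
                            rate_limit=3, window_s=3600.0)
    in_call = {"262011234567890"}                     # constructed IMSI with a live call
    traffic = [
        MapMessage("insertSubscriberData", "491799000001", "262011234567890", 0.0),  # home HLR
        MapMessage("insertSubscriberData", "33612345678", "262011234567890", 1.0),   # foreign ISD
        MapMessage("sendRoutingInfo", "33612345678", "262011234567890", 2.0),        # call in progress
        MapMessage("sendRoutingInfo", "33612345678", "262019999999999", 3.0),        # no call
        MapMessage("anyTimeInterrogation", "33612345678", "262019999999999", 4.0),   # 3rd query in window
        MapMessage("anyTimeInterrogation", "33612345678", "262019999999999", 5.0),   # 4th: over limit
        MapMessage("updateLocation", "447700900000", "262011234567890", 6.0),        # undeclared GT
    ]
    return [fw.evaluate(m, in_call)[0] for m in traffic]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: origin verification runs first because a spoofed GT makes every later decision meaningless, and the rate counter is updated before the category checks so that blocked queries still count toward the per-GT volume that the text describes as the surveillance signal.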
Spec references
- 3GPP TS 29.002: The normative MAP specification. Defines every MAP operation, its parameters, and the expected behaviour of sending and receiving nodes. An essential reference for signalling firewall rule development and HSS/HLR integration.
- GSMA FS.11: SS7 and SIGTRAN Network Security. Sections 3 and 5 define the threat categories; Annex A maps specific MAP operations to their FS.11 risk category (1-5). This is the operational reference for firewall configuration.
- ITU-T Q.771: TCAP functional description. MAP runs over TCAP; understanding TCAP's invoke/return model is prerequisite for understanding how MAP operations are structured and how they can be manipulated.
Related topics
MAP is the application layer of SS7. Every MAP attack is an SS7 attack at the application level: the SS7 topic covers the transport and security context; MAP covers the specific operations that are abused.
The primary consumers of MAP are the HLR (which implements the majority of MAP operations as a server) and the MSC and SGSN (which invoke MAP operations as clients). The STP routes MAP messages between nodes using SCCP Global Title addressing.
SIGTRAN carries MAP over IP networks, replacing the MTP transport layers with SCTP/M3UA while leaving MAP unchanged. Operators running IP-based cores still speak MAP over SIGTRAN to interconnect with 2G/3G partners.
Diameter superseded MAP for 4G EPC interfaces. The conceptual operations are similar (subscriber lookup, authentication, location registration), but Diameter has transport security (TLS) and explicit session binding that MAP lacks entirely.
For the full attack taxonomy and defence architecture, see SS7.