MSC

Mobile Switching Centre — 2G/3G circuit-switched call controller

Type: node
Generations: 2G, 3G
Threat level: high

Overview

The MSC — Mobile Switching Centre — is the core circuit-switched node in 2G GSM and 3G UMTS networks. It is the telephony exchange for mobile subscribers: it sets up calls, manages handovers as subscribers move between base stations, routes SMS, and connects the mobile network to the PSTN. Every voice call or SMS sent or received by a 2G/3G subscriber passes through an MSC.

The MSC co-locates a Visitor Location Register (VLR), which holds a local copy of the subscriber's profile for every subscriber currently attached to that MSC's coverage area. When a subscriber attaches, the VLR contacts the Home Location Register (HLR) to download their profile. The VLR handles all local service requests — supplementary services, call waiting, call forwarding — without needing to re-query the HLR for each operation.

When an MSC is positioned at the network edge facing the PSTN, it acts as a Gateway MSC (GMSC). In this role it receives calls from the public telephone network for mobile subscribers, queries the HLR to discover where the subscriber is roaming, and routes the call on to the serving MSC. The same physical node often serves both roles in smaller networks.

In 4G, the circuit-switched MSC is bypassed for subscribers using LTE. VoLTE sends voice over the IMS architecture. CS Fallback (CSFB) redirects LTE subscribers to a 2G/3G cell when they receive a voice call, landing them back on the MSC. In 5G standalone networks the MSC is entirely absent; it persists only in networks maintaining 2G/3G coverage.


How it works

The MSC is a telephony exchange with mobile-specific extensions for subscriber identity, authentication, and mobility. Its operation divides into three domains: call control, mobility management, and signalling routing.

Mobile-originating call

When a subscriber dials a number, the handset sends a call setup message to the BSC, which forwards it via the A interface to the MSC. The MSC authenticates the subscriber using the VLR's stored authentication vectors (obtained earlier from the HLR), then analyses the dialled number. If the number routes to the PSTN it uses ISUP to set up the circuit. If it routes to another mobile subscriber it queries the HLR or a remote MSC via MAP. Bearer channels are allocated end-to-end before the call is answered.

Mobile-terminating call

An incoming call arrives at the GMSC from the PSTN over an ISUP trunk. The GMSC does not know where the called subscriber is roaming, so it sends a Send Routing Info (SRI) MAP request to the HLR. The HLR triggers the current serving MSC to allocate a Mobile Subscriber Roaming Number (MSRN), and returns this temporary E.164 address to the GMSC. The GMSC uses the MSRN to route an ISUP call directly to the serving MSC, which then pages the subscriber and connects the call.

Handover

As a subscriber moves across cell boundaries, the BSC monitors signal quality and initiates handover. For handovers within a single MSC's BSC pool, the MSC manages the process internally. For inter-MSC handovers — when the subscriber moves to a cell served by a different MSC — the Anchor MSC sends a Prepare Handover MAP message to the Target MSC, which allocates resources and responds with a handover address. The Anchor MSC then instructs the BSC to perform the radio handover.

SMS delivery

Short messages sent by a subscriber pass from the BSC through the MSC to the operator's SMSC via the MAP Forward SM procedure. For incoming SMS, the SMSC sends a Send Routing Info for Short Message (SRI-for-SM) MAP request to the HLR to discover the serving MSC or SGSN, then delivers the message via Forward SM.


Architecture role

The MSC is the fulcrum of the 2G/3G circuit-switched core. In a national 2G/3G network, the operator deploys a pool of MSCs, each serving a geographic coverage region. The MSC pool connects to the SS7 signalling network via the STP infrastructure, which routes MAP messages between MSCs, and between MSCs and the HLR.

In 2G GSM: The MSC connects to Base Station Controllers (BSCs) via the A interface. Each BSC controls multiple BTSs. The MSC is the boundary between the radio access network and the core signalling network.

In 3G UMTS: The MSC connects to Radio Network Controllers (RNCs) via the Iu-CS interface. The 3G MSC also supports UMTS security: 3G AKA authentication with CK/IK keys, and optional UMTS integrity protection. CS voice in 3G still terminates on the MSC.

In 4G LTE (CSFB): The MSC remains part of the network to handle CS Fallback. The MME and MSC maintain the SGs interface, which allows the MME to forward CS paging and the MSC to redirect an LTE subscriber to 2G/3G for a voice call. The MSC still processes the resulting circuit-switched call normally.

In 5G: A standalone 5G deployment does not include an MSC. Voice is handled by the IMS core over the 5G packet network. Legacy MSCs persist wherever operators maintain 2G/3G coverage for rural areas or roaming interworking.


Key interfaces

Interface | Between | Protocol | Purpose
--- | --- | --- | ---
A | MSC ↔ BSC | BSSAP/SS7 | Radio access control, call setup, handover
B | MSC ↔ VLR | MAP/SS7 | Local subscriber data queries (typically internal to node)
C | GMSC ↔ HLR | MAP/SS7 | Send Routing Info for mobile-terminating call routing
D | VLR ↔ HLR | MAP/SS7 | Location update, Insert Subscriber Data, Cancel Location
E | MSC ↔ MSC | MAP/SS7 | Inter-MSC handover, roaming number allocation
F | MSC ↔ EIR | MAP/SS7 | IMEI check (equipment identity verification)
SGs | MSC ↔ MME | SGs (MAP-like) | CS Fallback paging and location update for LTE subscribers

Security posture

The MSC has a broad attack surface because it is simultaneously the endpoint for radio access signalling, the gateway to the PSTN, and a MAP peer of every other MSC and the HLR across the SS7 network. Its VLR holds active session state for all currently attached subscribers, making it a target for both subscriber-targeted attacks and network-level disruption.

The absence of authentication in MAP is the root cause of the most serious MSC-facing threats. An attacker who can send MAP messages into the SS7 network can manipulate the MSC's view of subscriber services, redirect traffic, or deregister subscribers — all without needing to touch the radio access network or the subscriber's device.

The Register Supplementary Service (Reg SS) MAP operation is particularly dangerous. It allows a requesting node to modify a subscriber's call forwarding settings on the MSC/VLR. An attacker who registers a call forward to a number they control effectively intercepts all calls and SMS messages, including OTP codes, without the subscriber's knowledge.


Attack surface

Call and SMS rerouting via Register Supplementary Service

The Register Supplementary Service (Reg SS) MAP operation allows any SS7-connected node to set call forwarding, call divert, or other supplementary services on a subscriber's VLR record. An attacker who registers a call forward to a number they control receives a copy of every call and SMS, including two-factor authentication codes sent by banks or other services.

Impact: Full call and SMS interception; effective bypass of SMS-based 2FA. Subscriber may be unaware.
Difficulty: Medium. Requires SS7 access and knowledge of the target MSISDN.

Subscriber location via MSC address disclosure

When the HLR responds to an SRI request, it returns the serving MSC address as part of the routing response. This MSC address maps to a known geographic region. Repeated SRI queries track a subscriber's location without directly querying the subscriber's handset.

Impact: Coarse location tracking (city or region level) with no subscriber involvement.
Difficulty: Low. Derived indirectly from the standard SRI procedure targeting the HLR.
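
One way to surface the repeated-SRI pattern described above in signalling logs is to count SRI requests per (originating GT, MSISDN) pair inside a sliding time window. This is an added example, not code from the original page; the log format, window, threshold and every value in the sample are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed log lines: "<epoch seconds> <operation> <calling GT> <MSISDN>"
SAMPLE_LOG = """\
1700000000 SRI 99900100001 447700900123
1700000300 SRI 99900100001 447700900123
1700000600 SRI 99900100001 447700900123
1700000650 SRI 447700900010 447700900456
1700000900 SRI 99900100001 447700900123
1700090000 SRI 447700900010 447700900123
"""


def find_sri_polling(log_text, window_s=3600, threshold=4):
    """Return sorted (calling_gt, msisdn) pairs that sent at least
    `threshold` SRI requests within any `window_s`-second span.
    Assumes the log lines are in time order."""
    recent = defaultdict(deque)   # (gt, msisdn) -> timestamps still in window
    flagged = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "SRI":
            continue              # skip malformed lines and other operations
        try:
            ts = int(parts[0])
        except ValueError:
            continue              # skip lines with a non-numeric timestamp
        key = (parts[2], parts[3])
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(key)
    return sorted(flagged)
```

A single SRI per call attempt is normal GMSC behaviour, so the threshold has to be tuned against the operator's own baseline before the output is used for alarming.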

Spoofed inter-MSC handover

The handover procedure over the E interface relies on MAP with no authentication. A rogue node claiming to be a neighbouring MSC can initiate a Prepare Handover request, potentially diverting the subscriber's call to an attacker-controlled node.

Impact: Call hijacking; potential for eavesdropping on the redirected call.
Difficulty: High. Requires SS7 access and ability to synthesise a convincing handover procedure.


Mitigations

  • Block Reg SS from non-home networks: Register Supplementary Service arriving from interconnect partners is almost never legitimate; GSMA FS.11 classes modification of a home subscriber from a foreign network as Category 1. A signalling firewall should block it unconditionally.

  • MSRN validation: The MSC should only allocate MSRNs in response to SRI from known GMSC Global Title addresses. Validate the originating GT against the IR.21 database before allocating roaming numbers.

  • E-interface peer whitelisting: Restrict inter-MSC MAP (handover procedures on the E interface) to known peer MSC Global Titles. Unknown addresses should be blocked or alarmed.

  • SMS home routing: Route all inbound SMS via the home network SMSC. This eliminates the SRI-for-SM rerouting attack class by ensuring that foreign nodes cannot learn the subscriber's serving SGSN or MSC by querying the HLR for SMS routing.

  • SGs interface validation: Where CS Fallback is deployed, validate SGs signalling from the MME pool. A spoofed SGs Location Update Request could register a subscriber to a rogue MSC.
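
The three Global Title checks in the list above (Reg SS blocking, MSRN validation, E-interface peer whitelisting) can be sketched as a single signalling-firewall policy function. This is an added example, not code from the original page or from any firewall product; the operation labels, message fields and all GT values are constructed assumptions.

```python
from dataclasses import dataclass

# All Global Titles below are constructed sample values. In a deployment the
# lists would come from the operator's own GT ranges and partners' IR.21 data.
HOME_GT_PREFIXES = ("4477009000",)
KNOWN_GMSC_GTS = {"447700900010", "99900100001"}
KNOWN_PEER_MSC_GTS = {"447700900021", "447700900022"}

@dataclass(frozen=True)
class MapMessage:
    operation: str    # label used by this example, not a wire encoding
    calling_gt: str   # originating Global Title, digits only

def evaluate(msg: MapMessage) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow' or 'block'."""
    gt = msg.calling_gt
    if msg.operation == "RegisterSS":
        # Reg SS arriving from an interconnect partner: block unconditionally.
        if not gt.startswith(HOME_GT_PREFIXES):
            return "block", "Reg SS from non-home network"
    elif msg.operation == "SRI":
        # Allocate an MSRN only when the originating GT is a known GMSC.
        if gt not in KNOWN_GMSC_GTS:
            return "block", "SRI from unknown GMSC GT"
    elif msg.operation == "PrepareHandover":
        # E interface: only whitelisted peer MSCs may start a handover.
        if gt not in KNOWN_PEER_MSC_GTS:
            return "block", "Prepare Handover from unknown MSC GT"
    else:
        return "allow", "operation outside these three rules"
    return "allow", "originating GT accepted"

def screen(messages):
    """Return (message, reason) for every message the policy blocks."""
    results = ((m, *evaluate(m)) for m in messages)
    return [(m, reason) for m, verdict, reason in results if verdict == "block"]

# Constructed traffic sample: one accepted and one rejected message per rule.
SAMPLE = [
    MapMessage("RegisterSS", "447700900021"),
    MapMessage("RegisterSS", "99900100001"),
    MapMessage("SRI", "99900100001"),
    MapMessage("SRI", "99900555555"),
    MapMessage("PrepareHandover", "447700900022"),
    MapMessage("PrepareHandover", "99900100001"),
]
```

Note that the same foreign GT is accepted as a GMSC for SRI but rejected for Reg SS and Prepare Handover: each rule keeps its own list, so being trusted in one role does not carry over to another.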


Spec references

  • 3GPP TS 09.02 — The normative MAP specification. Sections 16 and 17 define call handling and handover MAP procedures relevant to the MSC.

  • ITU-T Q.761 — ISDN User Part. Defines the ISUP signalling used by the GMSC for PSTN interconnect call setup and teardown.

  • 3GPP TS 23.008 — Organisation of subscriber data. Defines the VLR data model and the subscription fields relevant to MSC operation.

  • GSMA FS.11 — SS7 security guidance. Categories A and B cover MSC-relevant attacks: supplementary service manipulation, handover spoofing, and roaming number abuse.


The MSC queries the HLR via the C and D interfaces for all subscriber identity and location operations. It uses MAP over SS7, routed through STP nodes. In the 3G packet domain, the SGSN is the MSC's counterpart for data sessions.

The MSC is superseded for voice by the IMS Core in 4G and 5G deployments. For the attack taxonomy that targets MSC services, see SS7 attacks.