Overview
The SMSC — Short Message Service Centre — is the node responsible for storing and forwarding SMS messages in 2G, 3G, and 4G networks. Every SMS a subscriber sends or receives passes through an SMSC: the sending device transmits the message to its serving MSC or SGSN, which forwards it to the home operator's SMSC; the SMSC then queries the HLR for the recipient's location, and delivers the message to the recipient's serving node. If the recipient is unreachable (device off or no coverage), the SMSC stores the message and retries when the HLR notifies it that the subscriber has registered again.
The SMSC has two distinct interfaces to the outside world: the SS7/MAP interface toward the core network (used for subscriber location queries and message delivery), and the SMPP interface toward external entities (used by enterprise customers, SMS aggregators, and other operators to inject messages into the network). This dual exposure makes the SMSC one of the most important security boundaries in the messaging infrastructure — it sits at the intersection of the trusted SS7 core and the far-less-trusted commercial SMS ecosystem.
The SMSC's role in the SMS interception attack class makes it a direct concern for anyone working on signalling security. The Send Routing Info for Short Message (SRI-SM) MAP operation — which the SMSC sends to the HLR to locate a recipient before delivery — is the mechanism exploited to perform subscriber location tracking at the SMS routing level, and is the entry point for the more severe call-forwarding-based SMS interception attack. An attacker who can respond to an SRI-SM with a crafted routing response can redirect the SMSC's delivery attempt to an attacker-controlled node.
The SMSC predates every other node described in this reference and outlives most of them. Introduced in GSM Phase 1 (1991), it remains in operation in 5G-capable networks for two reasons: legacy device compatibility (not all devices support RCS or messaging over IMS), and regulatory requirements (emergency services and certain government systems still rely on SMS). Even subscribers using 5G SA for data receive SMS via the legacy SMSC chain in most deployed networks.
How it works
Mobile-terminated SMS delivery
Mobile-terminated (MT) delivery — a message arriving at the SMSC destined for a subscriber — is the central store-and-forward procedure.
- A message arrives at the SMSC from an external source (another subscriber's MO-SMS, an enterprise via SMPP, or another operator via interconnect).
- The SMSC sends a MAP `SendRoutingInfoForSM` (SRI-SM) to the recipient's HLR, addressed via SCCP Global Title using the recipient's MSISDN. The SRI-SM asks: "Where is this subscriber right now?"
- The HLR checks its location record. If the subscriber is registered, it returns the serving MSC or SGSN address (for packet-attached subscribers) along with the subscriber's IMSI.
- The SMSC sends a MAP `ForwardSM` (for circuit-switched MSC delivery) or `MT-ForwardSM` (for SGSN delivery via the Gd interface) to the serving node, carrying the message content and the IMSI.
- The MSC or SGSN delivers the message to the UE. It returns a delivery confirmation to the SMSC. The SMSC records delivery and, if the sender requested a delivery report, generates one.
- If delivery fails (subscriber temporarily unreachable), the SMSC stores the message and instructs the HLR to notify it when the subscriber next registers — using the MAP `ReportSMDeliveryStatus` operation. When the HLR subsequently sends `AlertServiceCentre`, the SMSC retries delivery.
Mobile-originated SMS delivery
Mobile-originated (MO) SMS flows in the reverse direction — from the subscriber's device to the SMSC.
- The UE composes an SMS and sends it to the MSC (in CS mode) or SGSN (in PS mode) encapsulated in NAS/RRC.
- The MSC or SGSN sends MAP `MO-ForwardSM` to the destination SMSC, carrying the originating MSISDN, destination address, and message content.
- The SMSC receives the MO-ForwardSM, acknowledges it (the ACK releases the radio channel hold), and then processes the message — either delivering it to the destination subscriber as an MT-SMS or forwarding it via SMPP or interconnect to another operator.
SMPP — external message injection
SMPP (Short Message Peer-to-Peer) is the protocol used by enterprise customers, SMS aggregators, and other external entities to inject messages into the SMSC. It is a binary TCP protocol operating on port 2775.
- An external entity establishes a persistent TCP connection to the SMSC's SMPP listener and authenticates with a `bind_transmitter` or `bind_transceiver` PDU, providing a system ID (username) and password.
- Once bound, the entity submits messages using `submit_sm` PDUs, specifying the source address (sender ID — an MSISDN or alphanumeric), destination MSISDN, and message content.
- The SMSC validates the submission, queues the message, and processes it via the MT delivery path. It responds with `submit_sm_resp` carrying a message ID.
- For delivery reports, the SMSC sends `deliver_sm` PDUs to the bound entity when delivery to the UE is confirmed.
SMPP has no inherent transport security — it is a plaintext TCP protocol. TLS wrapping (SMPP over TLS, sometimes called SMPPS) is available but optional and not universally supported by aggregators.
Store-and-forward and validity period
Every SMS has a validity period — the maximum time the SMSC will attempt to deliver it before discarding. In the absence of explicit specification, the default is typically 24–48 hours depending on operator configuration. If the subscriber does not register within the validity period, the SMSC discards the message and generates a delivery failure report.
Architecture role
The SMSC sits at the application layer of the mobile network, relying on MAP over SS7 for all core network interaction and SMPP for external connectivity. It has no direct voice or data path involvement — its sole function is message store and forward.
In 2G/3G: The SMSC communicates with the HLR using MAP SRI-SM to locate subscribers, and with the MSC and SGSN using MAP ForwardSM for delivery. The STP routes all MAP messages between SMSC and core nodes via SS7 point code routing.
In 4G: LTE subscribers receive SMS via one of two paths. With CS Fallback (CSFB), the MME redirects the UE to 2G/3G for SMS, and the standard SMSC chain applies. With SMS over SGs, the MME routes the SMS directly to the MSC via the SGs interface, and the MSC delivers via the standard SMSC chain. In both cases, the SMSC is unchanged — the difference is how the UE is reached.
In 5G SA: The SMSF (SMS Function) acts as an intermediary between the AMF and the SMSC. The UE sends SMS via NAS to the AMF, which routes via the SMSF, which in turn uses the existing MAP/SMPP interfaces to the SMSC. The SMSC is not replaced — it is re-plumbed behind the SMSF.
The SMSC's SS7 connectivity is significant from a security perspective. Because the SMSC must send MAP messages to any HLR globally — to route SMS to subscribers of any operator worldwide — it has broad SS7 interconnect access. This makes a compromised SMSC a capable platform for launching MAP-based attacks against any connected operator's HLR or MSC.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| Gd | SMSC ↔ SGSN | MAP over SS7 | SMS delivery to and from packet-attached subscribers |
| MAP/SS7 | SMSC ↔ HLR | MAP over SS7 | SRI-SM subscriber location query; AlertServiceCentre |
| MAP/SS7 | SMSC ↔ MSC | MAP over SS7 | ForwardSM delivery to CS-attached subscribers |
| SMPP | SMSC ↔ Enterprise/Aggregator | SMPP/TCP | External message injection from third-party senders |
| MM7 | SMSC ↔ MMSC | MM7/HTTP | MMS interworking — SMS notifications for MMS delivery |
Security posture
The SMSC is a high-risk node for two distinct reasons. First, it is directly implicated in the most widely deployed SMS attack class — the SRI-SM-based SMS interception technique. The SRI-SM query the SMSC sends to the HLR is the mechanism attackers replicate to determine subscriber location and redirect delivery. The SMSC is not the attacker's target in this scenario — it is the victim — but deploying SMS Home Routing changes the SMSC's role from passive target to active defence.
Second, the SMSC's SMPP interface is the most accessible entry point into the operator's messaging infrastructure. SMPP credentials are issued to hundreds of enterprise customers and aggregators, many of whom have lax internal security. A compromised SMPP account can send SMS with arbitrary sender IDs — enabling phishing campaigns that appear to originate from banks, government agencies, or trusted brands. The volume of SMS fraud enabled by SMPP credential abuse is substantially larger than the volume enabled by SS7 MAP attacks.
Attack surface
SRI-SM rerouting for SMS interception
The canonical SMS interception attack exploits the SMSC's SRI-SM query. The attacker — who has SS7 network access — first uses MAP RegisterSS to activate unconditional call forwarding to an attacker-controlled number on the target subscriber's VLR. When the SMSC sends SRI-SM to the HLR for an incoming SMS, the HLR returns the subscriber's legitimate serving SGSN. The SMSC delivers to that SGSN. However, the registered call forwarding causes a copy of the SMS (or a forwarded response for 2FA codes) to also be delivered to the attacker's number.
A variant: an attacker who can intercept or respond to the SRI-SM before the HLR can return a crafted response pointing to an attacker-controlled node. The SMSC then delivers the SMS directly to the attacker.
Impact: Interception of any SMS destined for the target — banking OTPs, account recovery codes, two-factor authentication for email and social media.
Difficulty: Medium. Requires SS7 network access and knowledge of the
target's current VLR address (obtainable via a preceding SRI MAP query).
SMPP credential abuse — sender ID spoofing
SMPP allows the submitting entity to specify the source address (sender ID) of each message. Unless the SMSC enforces a registered sender ID policy — requiring that the source address in each submit_sm match a pre-approved list for that SMPP account — any SMPP-bound entity can send messages with any sender ID. A compromised aggregator account sends SMS appearing to come from "HSBC", "DVLA", "Amazon", or any other trusted brand, with no technical indication to the recipient that the sender is fraudulent.
Impact: Mass phishing via SMS (smishing) using trusted brand impersonation.
Particularly effective against banking customers, as the message appears in the
same conversation thread as legitimate bank messages on many mobile OS SMS apps.
Difficulty: Low given a compromised or malicious SMPP account. Many SMSC
operators issue SMPP credentials with loose sender ID restrictions.
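One way to enforce the registered sender ID policy described above, as an added example (not code from this reference or from any SMSC product): it parses the addressing fields of an SMPP v3.4 `submit_sm` PDU and returns the `command_status` for the response. The account names, the `ALLOWED_SENDERS` registry and the sample PDUs are constructed for illustration.

```python
import struct

SUBMIT_SM = 0x00000004          # SMPP v3.4 command_id
ESME_ROK = 0x00000000
ESME_RINVSRCADR = 0x0000000A    # "Invalid Source Address"

# Hypothetical per-account registry: system_id -> approved sender IDs.
ALLOWED_SENDERS = {
    "acme-bank-otp": {"ACMEBANK", "447700900123"},
    "retail-promo": {"SHOPCO"},
}

def _cstring(buf, pos):
    """Read a NUL-terminated C-octet string; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1

def parse_submit_sm(pdu):
    """Extract the addressing fields of a submit_sm PDU."""
    length, cmd, _status, seq = struct.unpack_from(">IIII", pdu, 0)
    if length != len(pdu) or cmd != SUBMIT_SM:
        raise ValueError("not a well-formed submit_sm PDU")
    _service_type, pos = _cstring(pdu, 16)
    src_ton, _src_npi = pdu[pos], pdu[pos + 1]
    source, pos = _cstring(pdu, pos + 2)
    dest, _ = _cstring(pdu, pos + 2)      # skip dest_addr_ton / dest_addr_npi
    return {"seq": seq, "src_ton": src_ton, "source": source, "dest": dest}

def check_sender(system_id, pdu):
    """Return the command_status for submit_sm_resp under the allowlist policy."""
    fields = parse_submit_sm(pdu)
    allowed = ALLOWED_SENDERS.get(system_id, set())   # unknown account: deny all
    return ESME_ROK if fields["source"] in allowed else ESME_RINVSRCADR

def build_submit_sm(seq, source, dest, text, src_ton=5):
    """Build a constructed sample PDU (TON 5 = alphanumeric sender)."""
    body = (b"\x00" + bytes([src_ton, 0]) + source.encode() + b"\x00"
            + bytes([1, 1]) + dest.encode() + b"\x00"
            + bytes([0, 0, 0]) + b"\x00\x00"      # esm_class..priority, two empty times
            + bytes([1, 0, 0, 0, len(text)]) + text.encode())
    return struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, seq) + body

if __name__ == "__main__":
    ok = build_submit_sm(1, "ACMEBANK", "447700900555", "Your code is 123456")
    bad = build_submit_sm(2, "HSBC", "447700900555", "Verify your account")
    print(hex(check_sender("acme-bank-otp", ok)), hex(check_sender("acme-bank-otp", bad)))
```

The check keys on the bound account's `system_id`, so a sender ID approved for one account is still rejected when another account submits it.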
SMSC as SS7 pivot point
Because the SMSC requires SS7 connectivity to reach any HLR globally, it holds broad MAP sending capability. An attacker who compromises the SMSC — whether by exploiting a vulnerability in the SMSC software, by compromising its management interface, or by gaining access to its SIGTRAN connectivity — can use the SMSC's existing SS7 relationships to send MAP messages to any reachable HLR. The SMSC's trusted peer status on the interconnect means its messages are less likely to be filtered by signalling firewalls than messages from unknown origins.
Impact: Attacker gains a fully capable SS7 platform with established, trusted interconnect relationships — enabling location tracking, CancelLocation DoS, and SRI exploitation against any reachable operator's subscribers.
Difficulty: High. Requires compromise of the SMSC system itself. The
consequence is disproportionate: a single SMSC compromise enables broad MAP
attacks against foreign networks.
Delivery receipt MSISDN enumeration
When an SMS is delivered to a subscriber, the SMSC generates a delivery receipt. By sending probe SMS messages via SMPP to a list of candidate MSISDNs and observing which delivery receipts come back — and how quickly — an attacker can enumerate which phone numbers are assigned to active subscribers. Numbers that return "delivered" are live; numbers that return "absent subscriber" have a known subscriber who was temporarily unreachable; numbers that return "unknown subscriber" are unallocated.
Impact: Subscriber enumeration — building a list of active MSISDNs for targeting in phishing or fraud campaigns.
Difficulty: Low given an SMPP account. Mitigation requires the operator
to delay or suppress delivery receipts for messages from suspicious SMPP sources.
Mitigations
The SMSC requires defences at the SS7 interface, the SMPP boundary, and the internal MAP signalling plane.
- SMS Home Routing: The single most effective mitigation for the SRI-SM interception attack class. All inbound SMS destined for the home network's subscribers — whether from roaming partners, interconnect, or international operators — must be delivered via the home network's SMSC. The home SMSC queries the home HLR and routes internally. This prevents external entities from interacting with the SRI-SM result. Deploy via GSMA IR.70 guidelines.
- SS7 signalling firewall on SMSC interconnect: The SMSC has full SS7 sending capability. Apply GSMA FS.11-compliant filtering to all MAP messages the SMSC receives from interconnect partners — the SMSC should be receiving MO-ForwardSM and MAP responses, not unsolicited location queries or ISD messages. Inbound MAP operations outside the expected set should be blocked.
- SMPP sender ID allowlisting: Require every SMPP account to pre-register the sender IDs it is authorised to use. Reject `submit_sm` PDUs where the source address is not in the account's registered list. Issue SMPP credentials per-brand or per-campaign to limit the blast radius of a credential compromise.
- SMPP rate limiting and anomaly detection: Apply per-account rate limits on `submit_sm` throughput. Alert on: submission rate spikes above the account's registered volume tier, unusually high rates of delivery receipt requests (MSISDN enumeration pattern), and submission of messages to sequential or near-sequential MSISDN ranges.
- SMPP TLS (SMPPS): Require TLS on all SMPP connections. Plaintext SMPP on port 2775 exposes credentials and message content to anyone on the network path between the aggregator and the SMSC. Many aggregators support SMPPS — enforce it for all new accounts and migrate legacy connections on a defined timeline.
- HLR response validation: The SMSC should validate SRI-SM responses against expected home network data. An SRI-SM response pointing to a serving MSC or SGSN outside the expected set for the subscriber's registered location should be flagged before delivery is attempted.
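The three alert conditions listed under SMPP rate limiting and anomaly detection, run over a submission log, as an added example (not part of the original reference). The thresholds, account names, event tuple layout and sample log are constructed assumptions, and only strictly consecutive MSISDNs are treated as a range sweep.

```python
from collections import defaultdict

# Hypothetical per-account limits; real values come from the account's volume tier.
TIER_PER_MINUTE = {"agg-01": 5, "agg-02": 5}
MAX_RECEIPT_RATIO = 0.8     # share of submissions requesting a delivery receipt
MIN_SEQ_RUN = 4             # consecutive MSISDNs that count as a range sweep

def longest_sequential_run(msisdns):
    """Length of the longest run of numerically consecutive destinations."""
    nums = sorted({int(m) for m in msisdns})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def analyse(events):
    """events: (epoch_seconds, system_id, dest_msisdn, registered_delivery)."""
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev[1]].append(ev)
    alerts = defaultdict(set)
    for account, evs in per_account.items():
        per_minute = defaultdict(int)
        for ts, *_ in evs:
            per_minute[ts // 60] += 1
        if max(per_minute.values()) > TIER_PER_MINUTE.get(account, 0):
            alerts[account].add("rate_spike")
        receipts = sum(1 for e in evs if e[3])
        if len(evs) >= MIN_SEQ_RUN and receipts / len(evs) > MAX_RECEIPT_RATIO:
            alerts[account].add("receipt_heavy")
        if longest_sequential_run(e[2] for e in evs) >= MIN_SEQ_RUN:
            alerts[account].add("sequential_destinations")
    return {a: sorted(s) for a, s in alerts.items()}

# Constructed sample log: agg-01 sends normal traffic, agg-02 sweeps a range.
SAMPLE = (
    [(1000 + 30 * i, "agg-01", d, False) for i, d in enumerate(
        ["447700900101", "447700900482", "447700900317"])]
    + [(2000 + i, "agg-02", str(447700900200 + i), True) for i in range(8)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```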
Spec references
- 3GPP TS 23.040 — Technical Realisation of the Short Message Service. The foundational SMS architecture specification. Defines the SMSC's role, the MO and MT delivery procedures, the store-and-forward mechanism, and the validity period handling. Essential reading before any SMSC integration work.
- 3GPP TS 29.002 — MAP specification. Sections 12 and 13 define the specific MAP operations used by the SMSC: SendRoutingInfoForSM, ForwardSM, MT-ForwardSM, MO-ForwardSM, ReportSMDeliveryStatus, and AlertServiceCentre.
- SMPP v3.4 — The Short Message Peer-to-Peer protocol specification. Defines the binary PDU format, session management (bind/unbind), message submission (submit_sm), delivery reporting (deliver_sm), and all status codes. The de-facto standard for SMSC external interfaces — SMPP 5.0 exists but v3.4 is what virtually all aggregators implement.
- GSMA FS.11 — SS7 and SIGTRAN Network Security. Section 5 and Annex A define the risk categories for MAP operations — directly applicable to what the SMSC should and should not accept on its interconnect links.
Related topics
The SMSC depends on MAP for all core network signalling — every subscriber location query (SRI-SM) and message delivery (ForwardSM) is a MAP operation carried over SS7. The security vulnerabilities that affect MAP affect the SMSC's delivery chain directly.
The HLR is the SMSC's primary query target. Every MT-SMS triggers an SRI-SM to the HLR before delivery can proceed. The HLR's response determines where the SMSC delivers — making HLR data integrity a prerequisite for SMS delivery integrity.
The SGSN is the SMSC's delivery point for packet-attached subscribers via the Gd interface. For CS-attached subscribers, the MSC is the delivery point. The SMSC does not know in advance which path to use — the HLR's SRI-SM response specifies it.
The STP routes MAP messages between the SMSC and every other SS7 node. The SMSC typically has no direct SS7 links to individual HLRs or MSCs — it relies on the STP to route its SRI-SM queries and ForwardSM deliveries to the correct destination based on SCCP Global Title.
For the full SMS attack taxonomy, see SS7 and MAP. SMS Home Routing as a mitigation is most effective when combined with an SS7 signalling firewall at the interconnect boundary.