TelcomIQ

SS7

Signalling System No. 7 — the global telephony signalling backbone

Type: protocol
Generations: 2G, 3G, cross-gen
Threat level: critical

Overview

SS7 — Signalling System No. 7 — is the protocol suite that has underpinned the global public switched telephone network (PSTN) and mobile core since its standardisation by the ITU-T in 1980. It defines how telephone exchanges exchange the information needed to set up, manage, and tear down telephone calls, route SMS messages, and coordinate subscriber mobility across networks.

Despite being a technology from an era when interconnected networks were operated by a small number of trusted national telecoms, SS7 remains operational in virtually every mobile network on earth. The 2G and 3G core networks run on it natively. 4G networks use it in legacy interworking scenarios and for SMS. Even in 5G deployments, operators running non-standalone or maintaining 2G/3G fallback retain SS7 exposure.

Its fundamental design flaw — and the source of its security reputation — is the complete absence of authentication. Any node that can reach the SS7 network can send any message to any other node, and that message will be acted upon. This was a reasonable assumption in 1980. It is catastrophically wrong in a world where SS7 access can be obtained commercially.


How it works

SS7 is a stack of layered protocols, analogous in structure to TCP/IP but purpose-built for circuit-switched telephony signalling.

The protocol stack:

  • MTP 1–3 (Message Transfer Part) — The bottom three layers. MTP1 is the physical interface, MTP2 provides reliable link-layer transmission, MTP3 provides network-layer routing using point codes.
  • SCCP (Signalling Connection Control Part) — Adds addressing via Global Titles (GT), subsystem numbers (SSN), and connection-oriented services on top of MTP3.
  • TCAP (Transaction Capabilities Application Part) — The application layer transaction framework. Provides the invoke/return mechanism that MAP and CAMEL use to make remote procedure calls between network nodes.
  • MAP (Mobile Application Part) — The application layer protocol specific to GSM/UMTS mobile networks. Carries subscriber management, mobility, SMS routing, and authentication procedures. See MAP.
  • ISUP (ISDN User Part) — Carries call setup and teardown signalling between exchanges. See ISUP.
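The SCCP layer is where the Global Title and subsystem number that every later check depends on actually live: a signalling firewall cannot validate a calling GT against IR.21 data until it has pulled that GT out of the SCCP address parameter. The decoder below is an added example for this page (not code from the original page or from any SS7 stack); it follows the ITU-T Q.713 address layout, supports GT indicators 1, 3 and 4, and the three sample byte strings are constructed for the demonstration rather than captured from a network.

```python
"""Decoder for the SCCP called/calling party address (ITU-T Q.713 section 3.4).
Added example for this page; the sample byte strings are constructed, not captured."""

# Subsystem numbers a signalling firewall most often sees (ITU-T Q.713 / 3GPP TS 23.003).
SSN_NAMES = {6: "HLR", 7: "VLR", 8: "MSC", 9: "EIR", 149: "SGSN", 150: "GGSN"}


def _bcd_digits(data, odd):
    """Unpack GT address digits: digit n sits in the low nibble, digit n+1 in the high nibble."""
    digits = []
    for octet in data:
        digits.append(str(octet & 0x0F))
        digits.append(str(octet >> 4))
    if odd:
        digits.pop()          # with an odd digit count the last high nibble is 0000 filler
    return "".join(digits)


def decode_sccp_address(raw):
    """Parse one SCCP address parameter (without its length octet) into a dict."""
    if not raw:
        raise ValueError("empty SCCP address")
    ai = raw[0]               # address indicator octet
    pos = 1
    out = {
        "route_on_gt": not (ai & 0x40),   # routing indicator bit: 0 = route on GT, 1 = on PC/SSN
        "point_code": None,
        "ssn": None,
        "ssn_name": None,
        "gt": None,
    }
    if ai & 0x01:             # point code indicator: 14-bit PC, least significant octet first
        out["point_code"] = raw[pos] | ((raw[pos + 1] & 0x3F) << 8)
        pos += 2
    if ai & 0x02:             # subsystem number indicator
        out["ssn"] = raw[pos]
        out["ssn_name"] = SSN_NAMES.get(raw[pos], "unknown")
        pos += 1
    gti = (ai >> 2) & 0x0F    # global title indicator (bits 3-6)
    if gti == 0:
        return out
    gt = {"indicator": gti}
    if gti == 1:              # GTI 1: nature of address only; bit 8 is the odd/even indicator
        odd = bool(raw[pos] & 0x80)
        gt["nai"] = raw[pos] & 0x7F
        pos += 1
    elif gti in (3, 4):       # GTI 3/4: translation type, then numbering plan + encoding scheme
        gt["translation_type"] = raw[pos]
        gt["numbering_plan"] = raw[pos + 1] >> 4        # 1 = ISDN/telephony (E.164)
        gt["encoding_scheme"] = raw[pos + 1] & 0x0F     # 1 = BCD odd, 2 = BCD even
        odd = gt["encoding_scheme"] == 1
        pos += 2
        if gti == 4:          # GTI 4 adds the nature of address indicator (4 = international)
            gt["nai"] = raw[pos] & 0x7F
            pos += 1
    else:
        raise ValueError(f"GTI {gti} uses a national encoding and is not handled here")
    gt["digits"] = _bcd_digits(raw[pos:], odd)
    out["gt"] = gt
    return out


# Constructed samples: an HLR addressed by international E.164 GT (route on GT, GTI 4),
# the same with an odd digit count, and a VLR addressed by point code + SSN only.
HLR_ADDRESS = bytes.fromhex("12 06 00 12 04 94 71 01 00 00 10")
ODD_GT_ADDRESS = bytes.fromhex("12 06 00 11 04 94 71 01 00 01")
PC_SSN_ADDRESS = bytes.fromhex("43 34 12 07")

if __name__ == "__main__":
    for sample in (HLR_ADDRESS, ODD_GT_ADDRESS, PC_SSN_ADDRESS):
        print(decode_sccp_address(sample))
```

The two things worth noticing in the output are the routing indicator and the digit packing. A message routed on GT is the one the STP forwards by translating the digits, so it is the case a boundary firewall must inspect; and because digits are packed low nibble first with a filler nibble for odd counts, a decoder that reads the nibbles in the natural order silently swaps every pair of digits and every later GT comparison fails.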

How a MAP procedure works

Every MAP operation follows the TCAP invoke/return pattern. Take the Send Routing Info (SRI) operation — used legitimately by an HLR to provide routing information so an incoming call can reach a roaming subscriber:

  1. The originating MSC sends a TCAP Begin containing a MAP SRI invoke, addressed via Global Title to the destination subscriber's HLR.
  2. The STP routes the message based on the GT, forwarding it to the correct HLR node.
  3. The HLR responds with a TCAP End containing a MAP SRI return result, carrying the MSISDN, IMSI, and roaming MSC address.

The problem: step 1 can be performed by any node with SS7 access. The HLR has no way to verify whether the requesting MSC is legitimate.


Architecture role

In a 2G/3G network, SS7 is the connective tissue of the entire core. Every node communicates via SS7:

  • The MSC uses MAP over SS7 to talk to the HLR (Gr interface) for location updates and authentication.
  • The HLR uses MAP to talk to the VLR (C interface) and GGSN (Gc interface).
  • The SGSN uses MAP to talk to the HLR (Gr) and other SGSNs (Gn).
  • SMS routing uses MAP SRI-for-SM and Forward-SM between SMSC and HLR.
  • Call setup uses ISUP between switching exchanges.

In 4G, Diameter replaces MAP for most functions. However, SS7 persists for SMS-over-SGs (where the MME interfaces with the MSC via the SGs interface using MAP), and for operators running combined 2G/3G/4G networks.

In 5G SA, SS7 is absent from the native 5G core. But operators with legacy infrastructure maintain SS7 exposure through the 2G/3G fallback path.


Key interfaces

Interface   Between        Protocol    Purpose
A           MSC ↔ BSC      BSSAP/SS7   Radio access control
B           MSC ↔ VLR      MAP         Visitor location register queries
C           GMSC ↔ HLR     MAP         Routing info for incoming calls
D           HLR ↔ VLR      MAP         Location registration, auth
Gr          SGSN ↔ HLR     MAP         GPRS location, auth
Gc          GGSN ↔ HLR     MAP         Address resolution
Gd          SGSN ↔ SMSC    MAP         SMS delivery to roaming subscriber

Security posture

SS7 has no authentication at any layer. There is no mechanism for a receiving node to verify that the sender is who it claims to be, that the message is legitimate, or that the originating network has the right to perform the requested operation. This is not a bug — it is the design.

The trust model of SS7 assumes that all nodes connected to the network are operated by regulated, cooperative telecommunications providers. That assumption has not been true for at least a decade. SS7 access is available commercially via certain operators in permissive regulatory jurisdictions, and via direct interconnect to the IPX/GRX network.

The practical consequence: any attacker with SS7 access and knowledge of a target subscriber's MSISDN can, without the subscriber's involvement, determine their real-time location to cell-level accuracy, intercept their SMS messages (including 2FA codes), and in some cases intercept their voice calls.


Attack surface

Location tracking via SRI

The Send Routing Info MAP operation is intended for call routing. It returns the subscriber's current serving MSC address and IMSI. Because the MSC address maps to a known geographic area (cell site, at minimum a city), repeated SRI queries track a subscriber's movements in near real time.

Impact: Subscriber location exposed to cell-level precision, continuously, without their knowledge or involvement.
Difficulty: Low. Requires only SS7 access and the target MSISDN.

SMS interception via SRI-for-SM rerouting

Send Routing Info for Short Message is used by an SMSC to discover which SGSN is serving a subscriber before delivering an SMS. An attacker can send a Register SS (supplementary service) MAP message to redirect the subscriber's call forwarding, then intercept the forwarded SMS — including OTP codes sent by banks and two-factor authentication systems.

Impact: Full SMS interception, effective bypass of SMS-based 2FA.
Difficulty: Medium. Requires SS7 access and understanding of MAP procedures.

Subscriber denial of service via Cancel Location

The Cancel Location MAP message is sent by an HLR to a VLR to deregister a subscriber — normally used when a subscriber roams to a new network. An attacker sending a spoofed Cancel Location causes the VLR to remove the subscriber's registration, knocking them off the network until they re-register.

Impact: Targeted denial of service against a specific subscriber.
Difficulty: Low. One MAP message is sufficient.

IMSI harvesting via Any Time Interrogation

Any Time Interrogation (ATI) is a MAP operation that returns a subscriber's IMSI, current location, and IMEI from the HLR. It is intended for use by value-added service providers. It is frequently abused for subscriber enumeration and identity correlation.

Impact: IMSI and location disclosure. IMSI can be used in further attacks.
Difficulty: Low. Many HLRs respond without access control.


Mitigations

The primary technical defence is a signalling firewall deployed at the SS7 network boundary — specifically at the point where the operator's network connects to the IPX/GRX for roaming and interconnect.

  • GSMA FS.11 category blocking: FS.11 defines five categories of MAP messages by risk level. A properly configured firewall blocks Category 1 (unconditionally dangerous from roaming partners) and Category 2 (dangerous without additional context) messages. Categories 3–5 require contextual validation.

  • Home network verification: For MAP messages arriving from roaming partners claiming to originate from a specific network, validate the originating Global Title against IR.21 data for that network. GT spoofing is a core enabler of most SS7 attacks.

  • Anomaly detection: SRI and ATI query volumes are a reliable signal. A partner network sending hundreds of SRI queries per hour for subscribers who are not roaming to that network is performing surveillance, not call routing.

  • SMS home routing: Route all inbound SMS via the home network SMSC, rather than delivering directly to the visited network. This prevents the SRI-for-SM rerouting attack class.
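The four controls above are applied together, per message, at the interconnect boundary. The policy engine below is an added illustration for this page (not code from the original page, from the GSMA, or from any firewall vendor) that shows how they combine: category blocking decides by opcode, home-network verification checks the calling GT against partner ranges that stand in for IR.21 data, a sliding window over location-query opcodes implements the volume anomaly, and category 2 messages are only accepted when the sender's identity is consistent with the subscriber they concern. The opcode-to-category table is a simplified subset written for this example, so take the authoritative mapping from FS.11 Annex A; HOME_MCC_MNC, the partner entries, the GT ranges and the query threshold are all constructed values.

```python
"""Toy SS7 signalling-firewall policy for MAP messages arriving over interconnect.
Added illustration for this page, not a vendor product. The opcode-to-category table
is a simplified subset; the authoritative mapping is GSMA FS.11 Annex A."""
from collections import defaultdict, deque
from dataclasses import dataclass

# MAP local operation codes (3GPP TS 29.002 / TS 09.02).
UPDATE_LOCATION, CANCEL_LOCATION, INSERT_SUBSCRIBER_DATA, REGISTER_SS = 2, 3, 7, 10
SEND_ROUTING_INFO, SEND_ROUTING_INFO_FOR_SM = 22, 45
PROVIDE_SUBSCRIBER_INFO, ANY_TIME_INTERROGATION = 70, 71

# Illustrative FS.11 category assignment for this example (subset; verify against Annex A).
CATEGORY = {
    SEND_ROUTING_INFO: 1, ANY_TIME_INTERROGATION: 1, PROVIDE_SUBSCRIBER_INFO: 1,
    CANCEL_LOCATION: 2, INSERT_SUBSCRIBER_DATA: 2, REGISTER_SS: 2,
    UPDATE_LOCATION: 3, SEND_ROUTING_INFO_FOR_SM: 3,
}
LOCATION_QUERIES = {SEND_ROUTING_INFO, ANY_TIME_INTERROGATION, SEND_ROUTING_INFO_FOR_SM}
HOME_MCC_MNC = "23400"            # constructed home PLMN: IMSI prefix of our own subscribers


@dataclass
class Partner:                    # the fields a roaming partner's IR.21 supplies
    name: str
    mcc_mnc: str                  # IMSI prefix of that partner's own subscribers
    gt_prefixes: tuple            # E.164 Global Title ranges the partner declares


@dataclass
class MapMessage:
    ts: int                       # seconds since epoch
    calling_gt: str               # SCCP calling party GT: the *claimed* origin
    opcode: int
    imsi: str                     # subscriber the operation concerns


class SignallingFirewall:
    def __init__(self, partners, window=3600, query_threshold=50):
        self.partners = partners
        self.window, self.threshold = window, query_threshold
        self.roaming_in = {}                  # home IMSI -> partner it last registered from
        self._queries = defaultdict(deque)    # calling GT -> timestamps of location queries
        self.alerts = []

    def partner_for(self, gt):
        """Home-network verification: which partner's declared GT ranges cover this GT?"""
        return next((p for p in self.partners
                     if any(gt.startswith(x) for x in p.gt_prefixes)), None)

    def _count_query(self, msg):
        """Sliding-window volume check on location-revealing operations per calling GT."""
        q = self._queries[msg.calling_gt]
        q.append(msg.ts)
        while msg.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.alerts.append(f"{msg.calling_gt}: {len(q)} location queries within {self.window}s")

    def decide(self, msg):
        """Return (verdict, reason) for one MAP message received from interconnect."""
        if msg.opcode in LOCATION_QUERIES:
            self._count_query(msg)            # volume is tracked whether or not we block
        partner = self.partner_for(msg.calling_gt)
        if partner is None:
            return "BLOCK", "calling GT matches no partner IR.21 range (possible GT spoofing)"
        cat = CATEGORY.get(msg.opcode)
        if cat is None:
            return "BLOCK", f"opcode {msg.opcode} not in policy table"
        if cat == 1:
            return "BLOCK", f"FS.11 category 1 (opcode {msg.opcode}) is never accepted from interconnect"
        if cat == 2:
            # The sender must have a relationship with the subscriber: either it is the
            # subscriber's home network, or our subscriber is currently roaming there.
            about_partners_subscriber = msg.imsi.startswith(partner.mcc_mnc)
            our_subscriber_roaming_there = self.roaming_in.get(msg.imsi) == partner.name
            if about_partners_subscriber or our_subscriber_roaming_there:
                return "ALLOW", f"category 2 from {partner.name} with consistent context"
            return "BLOCK", f"category 2 from {partner.name} about a subscriber unrelated to it"
        # Category 3: plausible from any partner, but record the context it establishes.
        if msg.opcode == UPDATE_LOCATION and msg.imsi.startswith(HOME_MCC_MNC):
            self.roaming_in[msg.imsi] = partner.name
        return "ALLOW", f"category {cat}: passed to contextual validation"


PARTNERS = [   # constructed IR.21 extracts for two hypothetical roaming partners
    Partner("RoamCo", "26201", ("4917",)),
    Partner("OtherNet", "20810", ("3360",)),
]

if __name__ == "__main__":
    fw = SignallingFirewall(PARTNERS)
    home = "234001234567890"                                   # constructed home IMSI
    for m in (MapMessage(0, "491710000001", SEND_ROUTING_INFO, home),
              MapMessage(1, "491710000001", UPDATE_LOCATION, home),
              MapMessage(2, "336010000001", REGISTER_SS, home),
              MapMessage(3, "999990000001", CANCEL_LOCATION, home)):
        print(m.opcode, *fw.decide(m))
```

Two design points carry over to a real deployment. First, the volume counter runs before the verdict, so blocked category 1 queries still feed the anomaly signal; a partner that is repeatedly blocked on SRI is more interesting than one that is silently dropped. Second, the category 2 check needs state that only the home network has (which partner each subscriber last registered from), which is why this control belongs at the operator's own boundary rather than in the IPX carrier.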


Spec references

  • ITU-T Q.700 — The foundational SS7 specification from the ITU-T. Historical but essential for understanding the original protocol design and intent.

  • GSMA FS.11 β€” The GSMA's SS7 security guidelines. Sections 3 and 5 define the threat categories and recommended controls. Annex A maps specific MAP operations to their risk category. This is the operational reference for firewall configuration.

  • 3GPP TS 09.02 β€” The normative MAP specification for GSM/UMTS.


SS7 is the root of the signalling tree. Its direct successors are Diameter (which replaced MAP for 4G subscriber management) and SIP (which replaced ISUP for voice in IMS).

MAP and ISUP are the two primary application-layer protocols that run over SS7 — MAP for subscriber management, ISUP for call control. SIGTRAN carries SS7 over IP networks.

For the security dimension, see SS7 attacks for the full attack taxonomy, and Signalling firewall for the primary defence.