SS7 Exploitation
Protocol vulnerability
The exploitation of Signaling System No. 7 (SS7) — the global telecom signaling protocol developed by AT&T in 1975 and standardised by the CCITT (predecessor of the ITU-T) in 1980 that interconnects mobile and landline carriers worldwide — to intercept SMS messages, voice calls, and subscriber-location data without requiring any compromise at the target device. The defining operational characteristic is that SS7 access requires either licensed-carrier status or grey-market purchased access; the operational consequence is that SS7 exploitation is largely the exclusive operational domain of state actors and well-funded commercial actors.
Overview
SS7 exploitation is the most significant documented institutional vulnerability in contemporary telecommunications infrastructure. Its operational characteristic — that any party with SS7-network access can query and manipulate the subscriber-location, message-routing, and call-routing state of any subscriber on any participating carrier — means that communications secured at the device level can be intercepted at a network layer the device cannot defend against.
The documented pattern of SS7-network access across the post-2010 period falls into three institutional categories. Licensed-carrier access is the pathway for every participating mobile and landline carrier worldwide. State-actor access is the pathway for state-actor signals-intelligence services, principally through licensed-carrier cooperation or through direct purchase of SS7-network access. Grey-market access is the pathway for commercial actors with sufficient resources to purchase SS7-network-access services from licensed-carrier resellers. The consequence is that SS7 exploitation has been largely the exclusive operational domain of state-actor and well-funded commercial-actor categories — distinct from the more accessible SIM-swap pattern that operates against substantially the same target categories.
Origins of the protocol
SS7 was developed by AT&T in 1975 (within the Bell System for Common Channel Interoffice Signaling on the No. 4ESS switch) and subsequently standardised by the CCITT — the predecessor body of the ITU-T — in the 1980 Yellow Book (Q.7xx series), as the successor to the prior SS6 signaling protocol. The institutional context was the post-1970 expansion of automated long-distance switching infrastructure across the then-dominant national-monopoly-carrier landscape. The institutional design assumption was that SS7-network participants would be a limited cohort of national-monopoly telecom carriers — AT&T in the United States across the pre-1984 period; the British Post Office Telecommunications across the pre-1984 UK period; Deutsche Bundespost across the pre-1995 German period; and the equivalent national-monopoly carrier in substantially every other participating jurisdiction.
The consequence of the trust-relationship design assumption was that SS7 did not implement the cryptographic-authentication framework that adjacent post-1990 protocol designs included. Any SS7-network participant had institutional authority to issue queries against any subscriber on any other participating carrier — the access framework that the trust-relationship assumption supported.
The post-1984 expansion of SS7-network participation — driven by the 1984 AT&T divestiture in the United States, the 1984 British Telecommunications privatisation, the 1990s telecom-deregulation pattern across substantially every developed-economy jurisdiction, and the subsequent emergence of independent mobile-carrier infrastructure — eroded the trust-relationship assumption on which SS7 had been built. The contemporary landscape across the post-2010 period has included approximately 800 institutional SS7-network participants worldwide, a substantially broader cohort than the original design assumption supported.
First public-record demonstration
The first public-record demonstration of SS7-exploitation operational viability was the 27 December 2008 Chaos Communication Congress presentation by Tobias Engel — Locating Mobile Phones using Signaling System #7 at the 25C3 Berlin event. The presentation demonstrated the operational exploitation of SS7's location-query capability to obtain the geographic location of any mobile-network subscriber within range of a participating carrier.
The subsequent demonstrations across 2009–14 — most prominently the December 2014 31C3 demonstrations by Karsten Nohl (Security Research Labs, Berlin) in Mobile Self-Defense and Tobias Engel in SS7: Locate. Track. Manipulate. — established the comprehensive public-record documentation of SS7 exploitation operational characteristics across the location, SMS, and voice-call categories.[1][2]
Subscriber-location query
The operational pattern is that the SS7-network-access party issues a Mobile Application Part (MAP) location-query message against the targeted subscriber's home-location-register (HLR) infrastructure. The HLR returns the subscriber's current geographic location at cell-level precision — typically a few hundred metres in urban environments. The targeted subscriber receives no indication that the query has been issued; the operational pattern produces no notification on the subscriber's mobile device.
SMS interception
The operational pattern is that the SS7-network-access party issues a MAP location-update message reporting to the targeted subscriber's home-location-register that the subscriber has roamed to an attacker-controlled mobile-switching-centre — without the subscriber actually having roamed. The consequence is that subsequent SMS messages destined for the subscriber are routed to the attacker-controlled mobile-switching-centre rather than to the subscriber's actual location.
The principal institutional consequence is for SMS-delivered second-factor-authentication codes destined for the subscriber: those codes can be delivered to the attacker, producing the compromise of any SMS-2FA-secured account the subscriber maintains. The 2017 Telefónica Germany incident is the principal documented case of this operational pattern at scale against civilian targets.
Voice-call interception
The operational pattern is analogous to the SMS-interception pattern. The SS7-network-access party issues a call-forwarding-configuration message that configures the call-forwarding state of the targeted subscriber to forward incoming voice calls to an attacker-controlled destination. Incoming voice calls to the targeted subscriber are redirected to the attacker, typically through a call-conferencing pattern that allows the attacker to monitor the call content while the call continues to the intended recipient.[5]
Documented exploitations
Confirmed Tobias Engel demonstration (December 2008). The 27 December 2008 Chaos Communication Congress presentation by Tobias Engel — Locating Mobile Phones using Signaling System #7 at 25C3 Berlin — was the first public-record demonstration of SS7-exploitation operational viability and produced the institutional engagement with SS7-vulnerability questions that has continued across the post-2008 period.
Confirmed Nohl and Engel demonstrations (December 2014). The December 2014 31C3 demonstrations by Karsten Nohl (Mobile Self-Defense) and Tobias Engel (SS7: Locate. Track. Manipulate.) together documented the comprehensive operational exploitation of SS7 against German Telekom subscribers, including the operational interception of SMS, voice calls, and location data against any subscriber for whom the MSISDN was known.
Confirmed Telefónica Germany banking-fraud incident (May 2017). The May 2017 incident in which approximately 200 Telefónica Germany subscriber accounts experienced SS7-mediated unauthorised banking transactions — conducted by attackers who obtained SS7-network access through a foreign-licensed-carrier intermediary, used the access to redirect SMS-based banking-2FA codes from the targeted subscribers, and used the redirected codes to authorise unauthorised banking transactions — was the most-documented operational deployment of SS7 exploitation against civilian targets.
Confirmed DHS / FCC institutional warnings (2017). The institutional warnings issued by the Department of Homeland Security and the Federal Communications Commission in 2017 — including a DHS NPPD advisory restricting US-government-personnel use of SMS for sensitive communications (the Cybersecurity and Infrastructure Security Agency was not created until November 2018) and the FCC's August 2017 Public Notice (DA-17-799) encouraging carrier adoption of the March 2017 CSRIC V Working Group 10 SS7 security recommendations — constituted the institutional acknowledgement at federal-regulatory level that the SS7 vulnerability was operationally significant.[4][9]
Alleged commercial-tracking-services operational deployment. The documented pattern of commercial telecommunications-tracking services across the post-2010 period — including services advertising location-tracking, SMS-interception, and call-monitoring capability — has substantially involved the operational exploitation of SS7-network access. Public-record reporting on these services has included 2020 Bureau of Investigative Journalism reporting on commercial-SS7-access services, Wall Street Journal reporting on Israel-based and Switzerland-based commercial SS7 access vendors, and additional reporting across the post-2020 period.[7]
Diameter as SS7 successor
The Diameter protocol — the post-2010 protocol-design successor to SS7 for 4G-and-later mobile-network infrastructure — included the cryptographic-authentication framework that SS7 lacked. 4G-and-later networks are accordingly less vulnerable to the operational pattern that SS7 exploitation produces. The institutional limitation is that mobile networks retain SS7-network connectivity for backward compatibility with older networks — the consequence being that SS7 exploitation continues to be operationally viable against any subscriber whose mobile network retains SS7 connectivity.[3]
Carrier firewall deployment
The development of SS7-firewall infrastructure — the institutional capability for participating carriers to filter SS7 messages against rules that distinguish between legitimate and suspicious SS7 traffic — has constrained but not eliminated the operational viability of SS7 exploitation. The deployment pattern across the post-2017 period has varied across participating carriers, with major US, European, and Asian carriers having implemented significant SS7-firewall infrastructure across the post-2018 period.
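The filtering the paragraph above describes, as an added example that is not code from the entry or from any carrier's product: a toy Python interconnect filter that combines operation-category rules (in the style of the three-category model used in industry interconnect-security guidance, GSMA FS.11) with a roaming-plausibility check. It addresses the location-query pattern and the fraudulent-roaming (updateLocation) pattern behind SMS interception described in the sections above. The MAP operation names are real; the partner table, home country code, time threshold, message fields and sample traffic are constructed for the example.

```python
"""Toy SS7 interconnect-firewall filter (added example, not from the entry).

Two checks in the style of the GSMA FS.11 interconnect-signalling guidance:
  1. Operation-category filtering by origin: MAP operations a home network
     should never receive over an interconnect are dropped; roaming-related
     location-management operations are accepted only from known partners.
  2. Plausibility (velocity) check on updateLocation: a subscriber cannot
     "roam" between two countries faster than travel allows.

Partner table, home country code, threshold, message fields and sample
traffic are constructed for the example; they are not any carrier's config.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# MAP operations that should never arrive from an interconnect partner
# (FS.11 "Category 1"-style list; subset chosen for the example).
CATEGORY1_NEVER_FROM_INTERCONNECT = {"sendIMSI", "anyTimeInterrogation", "sendParameters"}

# Roaming-related operations that need a known partner and a plausibility check.
CATEGORY3_ROAMING = {"updateLocation", "updateGprsLocation"}

HOME_COUNTRY_CODE = "49"                      # constructed: home network's E.164 country code
ROAMING_PARTNERS = {"44": "GB", "33": "FR", "1": "US"}  # constructed: GT prefix -> partner country
MIN_SECONDS_BETWEEN_COUNTRIES = 2 * 3600      # constructed: faster country change is implausible


@dataclass
class MapMessage:
    ts: int           # seconds since epoch
    op: str           # MAP operation name
    calling_gt: str   # SCCP calling-party Global Title, E.164 digits
    imsi: str         # subscriber the operation concerns


def country_of_gt(gt: str) -> Optional[str]:
    """Longest-prefix match of a Global Title against the partner table."""
    for prefix in sorted(ROAMING_PARTNERS, key=len, reverse=True):
        if gt.startswith(prefix):
            return ROAMING_PARTNERS[prefix]
    return None


class InterconnectFilter:
    def __init__(self) -> None:
        # Last accepted (timestamp, country) per IMSI, used by the velocity check.
        self.last_seen: Dict[str, Tuple[int, str]] = {}

    def decide(self, msg: MapMessage) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'ALLOW' or 'DROP'."""
        if msg.op in CATEGORY1_NEVER_FROM_INTERCONNECT:
            return "DROP", f"{msg.op} is never legitimate from interconnect"
        if msg.calling_gt.startswith(HOME_COUNTRY_CODE):
            # Home-network nodes talk to the HLR internally; an interconnect message
            # claiming a home-range Global Title has a spoofed origin.
            return "DROP", "calling GT spoofs home-network numbering range"
        if msg.op in CATEGORY3_ROAMING:
            country = country_of_gt(msg.calling_gt)
            if country is None:
                return "DROP", f"{msg.op} from non-partner GT {msg.calling_gt}"
            prev = self.last_seen.get(msg.imsi)
            if prev is not None:
                prev_ts, prev_country = prev
                if prev_country != country and msg.ts - prev_ts < MIN_SECONDS_BETWEEN_COUNTRIES:
                    return "DROP", f"implausible roam {prev_country}->{country} in {msg.ts - prev_ts}s"
            self.last_seen[msg.imsi] = (msg.ts, country)
            return "ALLOW", f"{msg.op} from partner {country}"
        return "ALLOW", "no rule matched"


# Constructed sample interconnect traffic for one (constructed) IMSI.
SAMPLE_TRAFFIC = [
    MapMessage(1000, "updateLocation", "447700900001", "262010000000001"),      # roams to GB: ALLOW
    MapMessage(1600, "updateLocation", "15550100001", "262010000000001"),       # GB->US in 600 s: DROP
    MapMessage(1700, "anyTimeInterrogation", "447700900002", "262010000000001"),  # Category 1: DROP
    MapMessage(1800, "updateLocation", "79001234567", "262010000000001"),       # non-partner GT: DROP
    MapMessage(1900, "updateLocation", "491700000001", "262010000000001"),      # spoofed home GT: DROP
    MapMessage(9000, "updateLocation", "33612345678", "262010000000001"),       # GB->FR after 8000 s: ALLOW
    MapMessage(9100, "sendRoutingInfoForSM", "447700900003", "262010000000001"),  # no rule: ALLOW
]


def run_filter(traffic: List[MapMessage]) -> List[Tuple[str, str]]:
    """Run one filter instance over a traffic list and return per-message verdicts."""
    f = InterconnectFilter()
    return [f.decide(m) for m in traffic]


if __name__ == "__main__":
    for m, (verdict, reason) in zip(SAMPLE_TRAFFIC, run_filter(SAMPLE_TRAFFIC)):
        print(f"{m.ts:>5} {m.op:<22} {m.calling_gt:<13} {verdict:<5} {reason}")
```

Running the block prints one verdict per sample message. The default branch lets SMS-routing operations such as sendRoutingInfoForSM through unexamined; a production interconnect firewall would also gate those against known messaging partners and rate-limit queries per origin, which this toy does not do.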
Federal regulatory engagement
The FCC and DHS engagement with the SS7-vulnerability question — including the FCC's 2017 warning, the subsequent FCC Communications Security, Reliability, and Interoperability Council engagement, and the FCC's 5G-network-security framework — has positioned the federal regulatory infrastructure for institutional reform of the SS7 landscape. The continuing institutional question is whether the SS7-network infrastructure should be retired entirely or secured against subsequent operational exploitation; the question remains unresolved in the public record.[4]
Sources and further reading
1. Tobias Engel, Locating Mobile Phones using Signaling System #7, presentation at 25C3 (25th Chaos Communication Congress), 27 December 2008, Berlin — the principal first-public-record demonstration.
2. Karsten Nohl and Tobias Engel, Mobile Self-Defense, presentation at 31C3 (31st Chaos Communication Congress), 27 December 2014, Hamburg — the principal operational-comprehensive demonstration.
3. Christoph Sorge et al., Bedrohungspotenzial der Diameter Protokoll-Suite für 4G-Netze, Federal Office for Information Security (BSI), 2014 — the principal German institutional treatment of the SS7-vs-Diameter vulnerability comparison.
4. FCC Communications Security, Reliability and Interoperability Council (CSRIC) V Working Group 10, Final Report: Cybersecurity Risk Reduction, 15 March 2017; and FCC Public Notice DA-17-799 (August 2017), encouraging carrier adoption of the CSRIC V WG10 SS7 security recommendations.
5. Karsten Nohl et al., Security Research Labs, ongoing SS7 research at srlabs.de; see also Nohl, Mobile Self-Defense, 31C3, December 2014, and Engel, SS7: Locate. Track. Manipulate., 31C3, December 2014 — the principal contemporary technical demonstrations.
6. P1 Security, SS7 Map: A Mapping of the Worldwide SS7 Network, ongoing institutional research project.
7. Joseph Cox, I Gave a Bounty Hunter $300. Then He Located Our Phone, Motherboard, January 2019 — investigative reporting on the commercial-SS7-access landscape.
8. Lily Hay Newman, A New Wireless Hack Can Unlock 100 Million Volkswagens, Wired, August 2016 — subsequent reporting on the SS7-adjacent vulnerability landscape.
9. Department of Homeland Security (DHS NPPD), Mobile Device Security Study: Report to Congress, April 2017 — the principal DHS 2017 engagement with SS7 and Diameter risk; the Cybersecurity and Infrastructure Security Agency (CISA) was established in November 2018.
10. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — chapters on SS7.