SS7 vulnerabilities and attack exposure report, 2018

  • Telecom


These days it is hard to imagine life without telecommunications. Anyone who uses e-banking, online payment, online shopping, e-government are long used to onetime passwords for transaction confirmation. The security of this authentication method is based merely on restricting access to telecommunication networks.

While the internet of things is spreading widely into industrial processes and city infrastructure, failures in the mobile network can paralyze them, causing not only occasional interruptions in smart home or car devices, which dissatisfy the operator's customers, but also more critical consequences, such as traffic collapses or power outages.

This report reveals the results of SS7 security analysis. Signaling System 7 (SS7) is used for exchanging data between network devices in telecommunications networks. While this standard was being developed, only fixed-line operators had access to the SS7 network, so its security was not first on the priority list. Today the signaling network is not isolated, and this allows an intruder to exploit its flaws and intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network operability.

Although new 4G networks use another signaling system, Diameter, SS7 security issues have not been forgotten, because mobile operators should ensure 2G and 3G support and interaction between networks of different generations. Moreover, research shows that Diameter is prone to the same threats. This protocol's vulnerabilities along with possible cross-protocol attacks that use Diameter and SS7 flaws will be outlined in the next report.

To demonstrate the extend of security problems in modern communication networks, this report shows not only the vulnerabilities that we revealed during SS7 networks security analysis, but also the exploitation of these vulnerabilities as would happen in real life. We have been monitoring SS7 security over the past three years and learned what protection methods are used by telecom operators and whether they are effective in real conditions.


HLR (Home Location Register) is a database storing all information about subscribers in the home network.

MSC is a mobile switching center

SS7 (Signaling System 7) is a common channel signaling system used in international and local telephone networks.

STP (Signaling Transfer Point) is a host that routes signaling messages.

VLR (Visitor Location Register) is a database that contains information about all subscribers located within its area (home subscribers and roamers), including subscriber location data.


All networks contain critical vulnerabilities
All analyzed networks contain critical vulnerabilities that lead to subscriber services disruption. It was possible to intercept a subscriber's conversation or text message in almost every network; 78 percent of networks were prone to fraud.

Intruders know about vulnerabilities
PT Telecom Attack Discovery detects real attacks on operator networks. These attacks are mostly aimed at gathering information about subscribers and network configuration. However, there are attacks that are likely used for fraud, traffic interception, and subscriber availability disruption.

Operators are aware of the risks
Operators take measures to reduce the risk of threat exploitation. They succeed in reducing subscriber and network data leakage. In 2017, all analyzed networks used SMS Home Routing, and every third network had signaling traffic filtering and blocking enabled.

Existing solutions are not sufficient
Despite additional protection measures, all the networks were prone to vulnerabilities caused by occasional incorrect setup of equipment or faults in SS7 network architecture that cannot be eliminated using existing tools. Only a comprehensive approach that combines security analysis, network setup maintenance, regular monitoring of signaling traffic, and timely detection of illegitimate activities can ensure a higher level of protection against criminals.

Download PDF