Surveillance Firm Exploits SS7 Vulnerability to Track Mobile Users’ Locations

A surveillance company has been identified leveraging a sophisticated Signaling System No. 7 (SS7) bypass technique to monitor the real-time locations of mobile phone users. The method abuses a previously undocumented weakness in how signaling security systems decode the Transaction Capabilities Application Part (TCAP) layer of SS7 traffic, effectively circumventing the location-query protections that mobile operators worldwide have deployed.

Understanding SS7 and Its Vulnerabilities

SS7, developed in the 1970s, is a set of telephony signaling protocols used to set up and tear down telephone calls, as well as to perform number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services. Despite its critical role in global telecommunications, SS7 was designed without robust security features, making it susceptible to various forms of exploitation. Over the years, these vulnerabilities have been exploited to intercept calls and messages, track user locations, and bypass two-factor authentication mechanisms.

The Mechanics of the SS7 Bypass Attack

The recent attack targets the TCAP layer of SS7, specifically the ASN.1 BER encoding of the International Mobile Subscriber Identity (IMSI) parameter inside ProvideSubscriberInfo (PSI) operations. In a normal PSI argument the payload opens as 30 12 80 08: a SEQUENCE (0x30) of 18 octets, then the IMSI as context-specific tag [0] (0x80) with an 8-octet value. The malicious packets instead open as 30 13 9f 00 08. The identifier octet 0x9f has its low five bits all set, which in BER means the tag number continues in the following octets; the next octet, 0x00, supplies tag number 0. The field is therefore still [0] IMSI, carrying the same value, but its tag now occupies two octets instead of one (hence the sequence length growing from 0x12 to 0x13). BER forbids this long form for tag numbers 0 to 30, so the PDU is strictly malformed, yet decoders that only recognise the single-octet 0x80 cannot locate the IMSI, which is exactly what makes the field unreadable to many signaling security systems.

PSI is a legitimate GSM-MAP operation that operators use for location tracking and mobility management, so it cannot simply be blocked outright. Signaling firewalls instead decode the IMSI in each request and apply home-versus-roaming checks: a PSI for a home subscriber arriving from an external network is a strong indicator of an unauthorized location query and should be dropped. When the firewall cannot decode the IMSI, it has nothing to check against, and in many deployments the request is forwarded to the end node, which decodes the long-form tag without complaint and answers with the subscriber's location.

Real-World Exploitation and Implications

The surveillance company behind these attacks has integrated this TCAP manipulation technique into their operational toolkit since at least the fourth quarter of 2024. Their method involves sending malformed PSI requests with extended tag codes from external networks, targeting home network subscribers whose locations should normally be protected from outside queries.

The attack succeeds because many SS7 software stacks were never designed to handle extended TCAP tag codes, as this encoding method has rarely been used in over 40 years of TCAP operations. Additionally, legacy SS7 systems often adopt a permissive approach to undecodable fields, allowing packets to pass through if they can be routed, leaving decoding responsibilities to end nodes.

Enea’s Threat Intelligence Unit has confirmed successful exploitation of this vulnerability in real-world scenarios, observing complete location tracking attacks where PSI requests bypassed security measures and returned subscriber location data. The technique represents part of an evolving suite of bypass methods that surveillance companies employ to defeat signaling security defenses.

Historical Context and Ongoing Threats

The weaknesses in SS7 have been publicly known for years. In 2014, researchers demonstrated that SS7, which telcos adopted to let cellular and some landline networks interconnect and exchange signaling data, is fundamentally flawed: an attacker with access to the signaling network can, for example, redirect a target's calls and text messages to devices under their own control.

In 2017 the design flaws were used for financial theft. O2-Telefonica in Germany confirmed to Süddeutsche Zeitung that some of its customers had their bank accounts drained in a two-stage attack in which criminals exploited SS7 to intercept the two-factor authentication codes sent by SMS to online banking customers. These incidents underscore the critical need for enhanced security measures within the SS7 framework.

Recommendations for Mitigation

To address this threat, security experts recommend blocking all malformed Protocol Data Unit (PDU) structures and implementing enhanced detection for Mobile Application Part (MAP) PDUs where expected IMSI fields cannot be decoded. The GSMA community has been alerted to this vulnerability, with recommendations distributed to help mobile operators strengthen their signaling security posture.
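The encoding difference described under the mechanics of the attack and the two detection rules recommended here, as an added Python example that is not code from Enea, the GSMA or any vendor product: a small BER tag reader that handles long-form identifiers, a naive matcher that keys on the literal octet 0x80 (standing in for a firewall that does not understand long-form tags), and a hardened check that decodes the IMSI either way, flags the non-canonical tag as a malformed PDU, flags an undecodable IMSI, and then applies the home-versus-roaming rule. The PSI arguments, the test IMSI 001010123456789 (test PLMN 001/01), the requestedInfo bytes that fill out the quoted lengths, and the home PLMN list are all constructed for the example; the hardened check assumes the request arrived from an external network.

```python
"""BER tag handling for the ProvideSubscriberInfo IMSI field.

Added example (not operator or vendor code). All packet bytes below are
constructed to match the octet sequences quoted in the article.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tlv:
    tag_class: int        # 0 universal, 1 application, 2 context-specific, 3 private
    constructed: bool
    tag_number: int
    identifier_len: int   # octets spent on the tag: 1 = short form, >1 = long form
    value: bytes


def read_tlv(buf: bytes, pos: int = 0) -> Tlv:
    """Decode one BER element at buf[pos], accepting long-form tags (X.690 8.1.2.4)."""
    if pos >= len(buf):
        raise ValueError("truncated PDU")
    first = buf[pos]
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    tag_number = first & 0x1F
    p = pos + 1
    if tag_number == 0x1F:            # low five bits all set: number continues, base 128
        tag_number = 0
        while True:
            b = buf[p]
            p += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    identifier_len = p - pos
    length = buf[p]
    p += 1
    if length & 0x80:                 # long-form length: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[p:p + n], "big")
        p += n
    if p + length > len(buf):
        raise ValueError("length exceeds buffer")
    return Tlv(tag_class, constructed, tag_number, identifier_len, buf[p:p + length])


def tbcd_decode(raw: bytes) -> str:
    """TBCD: two digits per octet, low nibble first, 0xF is filler."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble != 0x0F:
                digits.append(str(nibble))
    return "".join(digits)


def naive_imsi(psi_arg: bytes) -> Optional[str]:
    """Models a firewall that looks for the literal single-octet tag 0x80."""
    body = read_tlv(psi_arg).value
    if body and body[0] == 0x80:
        return tbcd_decode(body[2:2 + body[1]])
    return None              # tag not recognised: a permissive stack would forward the PDU


def hardened_psi_check(psi_arg: bytes, home_plmns=frozenset({"00101"})) -> dict:
    """Decode the IMSI with a real BER parser, then apply the two recommended rules
    plus the home-versus-roaming rule. Assumes the request came from an external network."""
    reasons = []
    seq = read_tlv(psi_arg)
    if seq.tag_class != 0 or seq.tag_number != 16 or not seq.constructed:
        return {"imsi": None, "malformed": True, "verdict": "block",
                "reasons": ["PSI argument is not a SEQUENCE"]}
    first = read_tlv(seq.value)
    # BER requires the short form for tag numbers 0..30 (X.690 8.1.2.2), so a
    # multi-octet identifier here is a malformed PDU even though it still decodes.
    malformed = first.identifier_len > 1 and first.tag_number <= 30
    if malformed:
        reasons.append("non-canonical long-form tag on IMSI")
    imsi = None
    if first.tag_class == 2 and first.tag_number == 0 and not first.constructed:
        imsi = tbcd_decode(first.value)
    if imsi is None:
        reasons.append("IMSI field undecodable")
    elif any(imsi.startswith(plmn) for plmn in home_plmns):
        reasons.append("home subscriber queried from an external network")
    return {"imsi": imsi, "malformed": malformed,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed test IMSI 001010123456789 (test PLMN 001/01), TBCD-encoded.
IMSI_TBCD = bytes.fromhex("00010121436587f9")
# Constructed requestedInfo [1] { locationInformation [0], subscriberState [1], currentLocation [2] }.
REQUESTED_INFO = bytes.fromhex("a106800081008200")
# Canonical: SEQUENCE length 0x12, IMSI as short-form tag 0x80 -> "30 12 80 08 ...".
PSI_STANDARD = bytes.fromhex("30128008") + IMSI_TBCD + REQUESTED_INFO
# Bypass: same content, IMSI tag in long form 9f 00 -> "30 13 9f 00 08 ...".
PSI_EXTENDED = bytes.fromhex("30139f0008") + IMSI_TBCD + REQUESTED_INFO

if __name__ == "__main__":
    for name, pdu in (("standard", PSI_STANDARD), ("extended", PSI_EXTENDED)):
        print(name, "naive:", naive_imsi(pdu), "hardened:", hardened_psi_check(pdu))
```

The naive path returning nothing for the extended encoding is precisely the point at which a permissive legacy stack turns into a bypass: no IMSI, no home check, packet forwarded. The hardened path blocks on either of the two recommended conditions (non-canonical tag, undecodable IMSI) before the home-versus-roaming rule is even reached, so a future variant that breaks the IMSI in some other way still fails closed.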

This discovery highlights the ongoing arms race between surveillance entities and telecommunications security, as attackers continue to exploit the flexibility of the ASN.1 BER encoding used throughout SS7 to evade detection and maintain unauthorized access to sensitive subscriber information.

Conclusion

The exploitation of SS7 vulnerabilities by surveillance companies to track mobile users' locations is a stark reminder of the inherent weaknesses in legacy telecommunications protocols. As these attacks become more sophisticated, it is imperative for mobile operators and security professionals to implement robust defenses and stay vigilant against evolving threats. Users can reduce their exposure to message interception by using encrypted messaging apps and app-based rather than SMS two-factor authentication, but no end-user setting prevents a network-side location query such as PSI; that defense has to come from the operator's signaling firewall.