The Vulnerabilities of SS7: A Threat to Privacy in the Digital Age
Since the introduction of the SS7 (Signaling System No. 7) network in the 1980s, global telecommunications have relied on it to enable core functionalities, such as roaming and seamless communication between countries. Initially, SS7 was designed with a “walled garden” model, meaning only trusted telecom operators could access it. However, the rapid expansion of the telecom industry has introduced new players, weakened trust barriers, and left critical vulnerabilities open to exploitation. Today, these flaws have exposed individuals and institutions to serious privacy and security threats. This article explores the history, vulnerabilities, and potential consequences of SS7 attacks and examines how these flaws impact our privacy in ways that even everyday users should be concerned about.
The Foundation of SS7 and Its Evolving Landscape
SS7 was introduced at a time when mobile phones were a rarity, mainly restricted to car use, and the internet was still in its infancy. The network was designed to let telecom companies exchange essential information with each other. For example, when a user roams into another country, SS7 allows the host network to confirm with the user's home network that the individual is a paying customer and to process charges accordingly.
To achieve this, telecom companies established unique identifiers, known as Global Titles (GTs), for each other, allowing them to send and receive data. Initially, SS7's security was relatively robust, as it only included a handful of trustworthy operators. But as the demand for connectivity exploded, so did the number of players. Today, over 1,200 operators and 4,500 networks participate in the SS7 ecosystem, many of which are lesser-known providers with limited security infrastructure. Furthermore, some SS7 connections are leased by third parties, leading to potential misuse by vendors seeking profit or by malicious actors exploiting these vulnerabilities.
The Cost of Access and Increasing Risks
While obtaining access to SS7 might seem like a challenge, it is actually relatively inexpensive. Researchers have documented illegal SS7 leases costing as little as $13,000 per month, offering rogue entities access to this critical communication network. With SS7 access, malicious actors can monitor calls, intercept text messages, and even track the physical location of unsuspecting users, typically without alerting them. Aided by this affordable access, hackers and criminal organizations have infiltrated the once-trusted SS7 network, turning it into a hunting ground for sensitive information and private conversations.
SS7's open-access nature has also attracted state-sponsored entities, private security firms, and surveillance organizations, including the Israeli NSO Group. The NSO Group, which developed the infamous Pegasus spyware, has used SS7 to gather preliminary data, such as device type and software version, on target phones before deploying more invasive surveillance measures.
How SS7 Attacks Work: The Three Steps of an SS7 Exploit
SS7 attacks can be executed in three distinct stages: infiltrating SS7, gaining trust, and launching the attack.
Step 1: Infiltrating SS7
Accessing SS7 requires a GT, which grants the attacker entry into the network. Using GTs rented or bought from third parties, attackers can bypass many barriers designed to protect against unverified entities.
Step 2: Gaining Trust
While simply gaining access to SS7 is not enough to compromise a target’s information, attackers use a unique identifier called the IMSI (International Mobile Subscriber Identity) that is tied to a user’s SIM card. Obtaining the IMSI allows attackers to identify and link specific individuals to their phone activities.
Step 3: Launching the Attack
With a verified GT and IMSI, attackers can redirect calls, intercept messages, and track location data. To a regular user, everything appears normal, but the data is rerouted to a shadow entity before reaching the intended recipient. The attacker might forward a call intended for a specific number to their own device, listen in on the conversation, and even capture SMS-based two-factor authentication codes without the user’s knowledge.
This three-step process was highlighted in a demonstration by YouTuber Linus Sebastian and cybersecurity experts Karsten Nohl and Alexandre De Oliveira, who showcased SS7’s vulnerabilities by intercepting Sebastian’s calls and texts. Despite the mock nature of the experiment, the exercise underscores how straightforward it can be for malicious actors to access someone’s phone without physical contact.
The Expansive Consequences of SS7 Exploits
One of the most alarming use cases of SS7 attacks is the ability to intercept SMS-based two-factor authentication (2FA) codes. SMS 2FA is widely used for protecting accounts, from social media to bank accounts. With SS7, attackers can trick networks into thinking the target is “roaming,” redirecting 2FA messages to themselves and compromising accounts within seconds.
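One check an operator-side monitor can apply against the fake "roaming" registration described above, shown as an added example that is not part of the original article: compare each new registration with the subscriber's last trusted one and flag any that imply impossible travel. The record layout, network names, coordinates and thresholds are assumptions made for the illustration.

```python
import math
from datetime import datetime

# Constructed sample records: (timestamp, IMSI, serving network, lat, lon).
# IMSIs use the 001/01 test network code; coordinates stand for each network's region.
EVENTS = [
    ("2024-05-01T09:00:00", "001010000000001", "home-net", 52.52, 13.40),
    ("2024-05-01T09:04:00", "001010000000001", "foreign-net-a", -33.87, 151.21),
    ("2024-05-01T09:10:00", "001010000000001", "home-net", 52.52, 13.40),
    ("2024-05-01T09:00:00", "001010000000002", "home-net", 52.52, 13.40),
    ("2024-05-02T08:00:00", "001010000000002", "foreign-net-b", 48.86, 2.35),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def implausible_moves(events, max_kmh=1000.0, min_km=50.0):
    """Return registrations that imply travel faster than max_kmh."""
    trusted = {}   # IMSI -> last registration that passed the check
    alerts = []
    for ts, imsi, net, lat, lon in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        prev = trusted.get(imsi)
        if prev is not None:
            p_when, p_net, p_lat, p_lon = prev
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Multiplying instead of dividing also covers zero elapsed time.
            if net != p_net and km >= min_km and km > max_kmh * hours:
                alerts.append({"imsi": imsi, "from": p_net, "to": net,
                               "km": round(km), "minutes": round(hours * 60)})
                continue   # keep the trusted baseline; do not accept this one
        trusted[imsi] = (when, net, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in implausible_moves(EVENTS):
        print(alert)
```

The first subscriber's jump to a distant network four minutes after a home registration is flagged, while the second subscriber's next-day roaming registration passes.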
SS7-based tracking is another powerful tool in an attacker’s arsenal. By locating the cell towers a target is connected to, attackers can triangulate the target’s location within a few hundred meters. This tracking method, used extensively in urban areas, provides detailed information about a person’s daily movements, offering insights into their home, work, and other frequently visited locations.
In one particularly chilling incident, a U.S.-based GT leased by foreign operatives was used in the tracking and eventual capture of Princess Latifa of Dubai, who had attempted to escape her family. The SS7 network was used to monitor the movements of her escape vessel. Though the exact role of SS7 in locating her remains unclear, investigators agree that it was one of several surveillance methods that ultimately led to her recapture.
The Legacy of SS7 and the Challenges of Moving Forward
Despite the clear risks, transitioning away from SS7 has proven challenging. SS7 remains fundamental to 2G and 3G networks, which are still widely used for various applications, such as emergency call buttons in European cars. Even as 4G and 5G networks advance, SS7 is deeply ingrained in the telecommunications infrastructure.
SS7 has two newer, more secure alternatives: Diameter, introduced with 4G, and a robust 5G signaling protocol. However, due to network inertia, telecom operators are hesitant to migrate fully until all systems can support the new protocols seamlessly. This results in a situation where even 5G calls often rely on SS7 for compatibility, leaving millions of devices vulnerable.
A global transition to a more secure system could take another decade or more, with experts estimating it might be 20 years before SS7 is entirely phased out. In the meantime, millions of requests are made each year to track or monitor individuals via SS7, affecting the privacy of countless unsuspecting people.
Protecting Yourself from SS7 Exploits
While it’s impossible to completely shield oneself from SS7-based location tracking, there are measures individuals can take to protect sensitive information:
Use Alternatives to SMS-Based 2FA
Authenticator apps and hardware tokens are more secure alternatives to SMS-based 2FA. By not relying on text messages for account access, users can reduce the risk of interception through SS7 vulnerabilities.
Use Encrypted Communication Services
To avoid phone call interceptions, users can opt for encrypted, internet-based messaging apps, such as Signal or WhatsApp, which offer end-to-end encryption. These apps reduce the risk of third-party interference and prevent attackers from rerouting communication through SS7.
Maintain Digital Hygiene
Avoid using the same username and password across multiple accounts, and refrain from sharing personal information like IMEI numbers. Both habits can help protect against certain types of SS7-based attacks.
Limit Sharing of Phone Numbers
Since an attacker only needs a phone number to initiate an SS7 attack, users should be mindful of where and how they share their number, particularly in online forums or public profiles.
The Broader Implications of SS7 and the Need for Privacy
The continued vulnerabilities within SS7 represent a serious breach of privacy in the digital age. Karsten Nohl, one of the researchers who exposed SS7’s flaws, argues that privacy is not just an individual right but a democratic prerequisite. The ability to live one’s life without fear of surveillance forms the basis of freedom and democratic thought. However, the rise of SS7 abuse shows how easily these freedoms can be compromised.
Proponents of state surveillance often argue that “if you have nothing to hide, you have nothing to fear.” Yet, SS7 demonstrates that widespread surveillance not only targets criminals or state enemies but also affects ordinary people who simply want their right to privacy. As SS7 continues to be the foundation of global telecommunications, the conversation surrounding it has shifted. Rather than asking if SS7 will be replaced, the question is when and how soon. Until then, individual awareness and proactive measures remain essential.
Conclusion
The story of SS7 is a cautionary tale of how legacy technology, if left unchecked, can become a significant privacy threat in an interconnected world. While the conveniences of SS7-powered roaming and communication were revolutionary decades ago, they come at a steep price in the digital age. Until the technology is completely replaced, individuals, governments, and telecom providers must remain vigilant, understanding that the vulnerabilities in SS7 are not just a technological issue but a societal one, affecting everyone from high-profile figures to ordinary citizens.