Networking Hacking

SS7 Protocol: Hack and Intercept Mobile Networks – Part 1

Have you ever called a friend, or received an SMS, and wondered how does it know where to go? If the answer’s yes, you will have your curiosity cleared (and learn a cool new hacking technique along the way)

SS7 Protocol: Hack and Intercept Mobile Networks - Part 1 1

What is SS7?

SS7, or Signalling System No. 7, is an international standard network signaling protocol that allows common channel (independent) signaling for call-establishment, billing, routing, and information exchange between nodes in the public switched telephone network (PSTN). In a nutshell, SS7 is the protocol behind Short Messaging Service (SMS) and Mobile Calls.

When users access a PSTN, he constantly exchanges signaling with network elements, for example, signaling information is exchanged between a mobile user and the telephone network.

This information isn’t just limited to SMS or Call, it also consists of dialing digits, providing a dial tone, sending a call-waiting tone, accessing a voice mailbox, etc.

How Does SS7 Work

SS7 uses a technique called Out of Band Signalling. What this means is that the signaling doesn’t take the same path as the conversation. A digital channel is established which is used for the exchange of data and is called a Signal Link.

Call Setup In SS7

You can see the same in the above image, a device A and B want to exchange some information, say send an SMS. The green line specifies how the devices are connected. But since they use a digital channel, it has to go through a sort of virtual network specified with the Blue Line (Signal Link)

This Out Of Band Signaling provides the following advantages for mobile networks:

  • Higher Data Transfer Rate.
  • It allows for signaling at any time in the entire duration of the conversation, not only at the beginning of the call.
  • Network elements where no direct trunks are available can also be connected.

An SS7 network is composed of Service Switching Ports (SSPs), Signaling Transfer Points (STPs), and Service Control Points (SCPs). The SSP gathers the analog signaling information from the local line in the network (endpoint) and converts the information into an SS7 message.

SS7 Signalling Diagram

These messages are transferred into the SS7 network to STPs that transfer the packet closer to its destination. When special processing of the message is required (such as rerouting a call to a call forwarding number), the STP routes the message to an SCP.

The SCP is a database that can use the incoming message to determine other numbers and features that are associated with this particular call.

Of course, there is more to SS7 networking, but that is beyond the scope of this post. So let’s continue further to the security in SS7 Stack.

Security in SS7

While mobile operating systems have evolved and improved in security, the SS7 network has not changed much since it was developed in 1975.

A traditional malware attack is dependent on the security of the Operating System. Therefore mobile phones with weaker OS are more prone to such malware attacks. But SS7 protocol is present in all the mobiles ranging from low quality to that of high. This makes this a much bigger risk.

SS7 Protocol: Hack and Intercept Mobile Networks - Part 1 2

Hacking SS7

In addition to the fact that this protocol is used in all mobile devices, a hacker just needs these 3 things to launch an SS7 Attack:

The main type of attack here is MiTM (Man in the Middle) or Hijacking Attack. The details on how to launch an SS7 Attack will be shared in the next post.

What this means is that a hacker can either intercept the messages and calls of the victim or directly impersonate him and make calls on his behalf.

The implications of this are more severe. People consider 2FA or two-factor authentication, a go-to technique to secure themselves in which they receive an OTP (One Time Password) or a single-use token to identify themselves. With the entire network protocol hacked, an attacker can intercept that OTP in order to take over the account or do other malicious activity.


Similarly, an attacker can impersonate the victim in a call or directly send SMS, which can lead to defamation or something much more serious.

How can I do to protect myself from snooping via SS7?

The simple way to protect yourself is prevention. The best way to achieve it is to avoid the use of these services. Use online services which you know are more secure and encrypted.

For example, you can use any of the internet voice-over applications. These applications include WhatsApp, Instagram, etc.  They are also at risk of an SS7 attack but the risk is minimised in comparison to traditional calls and messages.

You can also use authenticator applications like Google Authenticator instead of OTP Verification via SMS. A lot of time, that’s not in your control. But if you are an admin of such a service, you can start improving the security yourself.

As always, stay safe and don’t use any information provided here for any malicious purposes.

Get the latest tech news and updatesethical hacking tutorials, and cybersecurity tips and tricks. Check out MeuSec for more.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.


4 replies on “SS7 Protocol: Hack and Intercept Mobile Networks – Part 1”

I’m really impressed with your writing skills as well as
with the layout on your blog. Is this a paid theme or did you modify it yourself?

Anyway keep up the excellent quality writing, it’s rare to see a nice blog like this one these days.


Hey, thanks a lot mate. We put in a lot of effort for these.
About the theme, this is a custom theme I built myself. So you wouldn’t find it anywhere online.


Leave a Reply

Your email address will not be published. Required fields are marked *