Surveillance Company Using SS7 Bypass Attack to Track the User’s Location Information
A surveillance company has been detected exploiting a sophisticated SS7 bypass technique to track mobile phone users’ locations.
The attack leverages previously unknown vulnerabilities in the TCAP (Transaction Capabilities Application Part) layer of SS7 networks to circumvent security protections implemented by mobile operators worldwide.
Key Takeaways
1. Malformed SS7 commands mask the IMSI to enable location tracking.
2. An extended TCAP tag (30 13 9f 00 08) evades legacy SS7 firewalls.
3. In use since Q4 2024, this exploit has leaked subscribers’ locations.
Bypass SS7 Security and Track IMSI
The attack exploits a little-known feature in ASN.1 BER (Basic Encoding Rules) encoding within the TCAP protocol layer.
Attackers manipulate the Tag code structure of TCAP Information Elements containing IMSI (International Mobile Subscriber Identity) data by using an extended tag encoding method. Instead of the standard encoding sequence 30 12 80 08, the malicious packets use 30 13 9f 00 08, effectively extending the Tag code beyond its normal single-octet format.
This technique specifically targets PSI (ProvideSubscriberInfo) commands, which are legitimate GSM-MAP operations used by mobile operators for location tracking and mobility management.
The extended tag encoding causes the IMSI field—which identifies the target user—to become unreadable to many signaling security systems.
When security firewalls cannot decode the IMSI properly, they fail to apply crucial home-versus-roaming network checks that should block unauthorized location requests.
The surveillance company behind these attacks has integrated this TCAP manipulation technique into their operational toolkit since at least Q4 2024.
Their method involves sending malformed PSI requests with extended tag codes from external networks, targeting home network subscribers whose locations should normally be protected from outside queries.
The attack succeeds because many SS7 software stacks were never designed to handle extended TCAP tag codes, as this encoding method has rarely been used in over 40 years of TCAP operations.
Additionally, legacy SS7 systems often adopt a permissive approach to undecodable fields, allowing packets to pass through if they can be routed, leaving decoding responsibilities to end nodes.
Enea’s Threat Intelligence Unit has confirmed successful exploitation of this vulnerability in real-world scenarios, observing complete location tracking attacks where PSI requests bypassed security measures and returned subscriber location data.
The technique represents part of an evolving suite of bypass methods that surveillance companies employ to defeat signaling security defenses.
To address this threat, security experts recommend blocking all malformed PDU structures and implementing enhanced detection for MAP PDUs where expected IMSI fields cannot be decoded.
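The encoding difference described above (80 08 versus 9f 00 08 for the [0] IMSI element) and the detection recommendation come together in the following added example, which is not the article's or Enea's code: a small BER decoder that handles the long-form tag, so the IMSI is recovered from both encodings, and that flags the non-canonical form as malformed instead of passing it through undecoded. The two PSI argument PDUs at the bottom are constructed samples, not captured traffic.

```python
# Added example, not the article's code; sample PDUs below are constructed.
def decode_tag(buf: bytes, pos: int):
    """(class, constructed, number, next_pos, canonical) for the BER tag at pos.
    X.690 8.1.2: 0x1F in the low five bits means the number continues in 7-bit
    groups with bit 8 as continuation flag; numbers 0..30 must use the short
    form and the first continuation octet must not be 0x80, so 9f 00 decodes
    to tag 0 but is non-canonical."""
    first = buf[pos]
    cls, constructed, low = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    if low != 0x1F:
        return cls, constructed, low, pos, True
    number, canonical = 0, buf[pos] != 0x80
    while True:
        octet, pos = buf[pos], pos + 1
        number = (number << 7) | (octet & 0x7F)
        if not octet & 0x80:
            break
    return cls, constructed, number, pos, canonical and number >= 31

def decode_length(buf: bytes, pos: int):
    """Definite BER length: one octet below 0x80, or 0x8n followed by n octets."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def tbcd_to_digits(raw: bytes) -> str:
    """IMSI is TBCD: low nibble of each octet first, 0xF is filler."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0xF)

def inspect_imsi(pdu: bytes) -> dict:
    """Walk the outer SEQUENCE of a PSI argument and report on its [0] IMSI."""
    cls, constructed, num, pos, _ = decode_tag(pdu, 0)
    if (cls, constructed, num) != (0, True, 16):
        raise ValueError("expected a universal SEQUENCE")
    length, pos = decode_length(pdu, pos)
    end = pos + length
    while pos < end:
        cls, _, num, pos, canonical = decode_tag(pdu, pos)
        length, pos = decode_length(pdu, pos)
        if cls == 2 and num == 0:  # context-specific [0] = imsi
            return {"imsi": tbcd_to_digits(pdu[pos:pos + length]),
                    "canonical_tag": canonical,
                    "verdict": "ok" if canonical else "non-canonical IMSI tag"}
        pos += length
    return {"imsi": None, "canonical_tag": False, "verdict": "no IMSI element"}

IMSI_TBCD = "214365870921 43f5"  # constructed IMSI 123456789012345 in TBCD
STANDARD_PSI = bytes.fromhex("3012 8008" + IMSI_TBCD + "a206 8000 8100 8300")
EXTENDED_PSI = bytes.fromhex("3013 9f0008" + IMSI_TBCD + "a206 8000 8100 8300")
```

A firewall rule built on `inspect_imsi` can run the home-versus-roaming check on the recovered IMSI and, separately, drop or alert on any PDU whose `canonical_tag` is false, which covers the "block malformed PDU structures" recommendation without depending on the legacy decoder.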
The GSMA community has been alerted to this vulnerability, with recommendations distributed to help mobile operators strengthen their signaling security posture.
This discovery highlights the ongoing arms race between surveillance entities and telecommunications security, as attackers continue exploiting the complex ASN.1 protocol structures inherent in SS7 networks to evade detection and maintain unauthorized access to sensitive subscriber information.