Surveillance Firm Exploits SS7 Flaw to Track User Locations

A sophisticated surveillance operation has been discovered exploiting critical vulnerabilities in the global telecommunications infrastructure to track mobile phone users’ locations without authorization, security researchers have revealed.

The attack leverages weaknesses in the decades-old SS7 (Signaling System No. 7) protocol that underpins international cellular networks.

New Attack Method Discovered

Security experts at Enea’s Threat Intelligence Unit have detected a previously unknown variant of SS7 exploitation techniques being used in the wild.

The attack focuses on manipulating the TCAP (Transaction Capabilities Application Part) layer of the SS7 protocol stack, which carries application data between network nodes.

The surveillance firm has been using an obscure encoding technique called “extended tag encoding” to disguise malicious location tracking requests.

By manipulating how certain data fields are structured within SS7 messages, attackers can bypass security filters that mobile operators have implemented to protect their networks.

The exploitation centers around ProvideSubscriberInfo (PSI) commands, which are legitimate network operations used by mobile operators to track their customers’ locations for billing and network management purposes.

However, the surveillance firm has been crafting these commands with deliberately malformed encoding to hide the target’s IMSI (International Mobile Subscriber Identity) from security systems.

In normal operations, PSI commands contain clearly identifiable IMSI fields that allow network security systems to determine whether the request is authorized.

The attackers exploit a rarely-used feature of the TCAP specification that allows for “extended tag codes,” creating packets where the IMSI field becomes essentially invisible to security filters.

Technical Exploitation Details

The attack manipulates the ASN.1 BER (Basic Encoding Rules) encoding format used in TCAP messages.

While the standard encoding for an IMSI field would typically appear as “30 12 80 08,” the attackers use an extended format “30 13 9f 00 08” that many security systems cannot properly decode.

This technique works because many SS7 software stacks were never designed to handle extended tag codes, as they have rarely been used in over 40 years of TCAP operation.

When security systems encounter these malformed packets, they often default to permissive behavior, allowing the malicious requests to pass through.

The discovery highlights ongoing vulnerabilities in global telecommunications infrastructure that have persisted despite years of industry awareness.

Mobile operators have implemented various security measures including SS7 firewalls and filtering systems, but the decentralized nature of international telecommunications makes comprehensive protection challenging.

Security researchers note that several effective SS7 bypass techniques have emerged regularly since 2017, suggesting that well-funded attackers continue developing new methods to circumvent defensive measures.

The attacks can precisely locate mobile devices anywhere globally, as long as the target’s carrier maintains SS7 connectivity with international networks.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now