Chinese State-Sponsored Hackers Inside the US Mobile Telecom System: Mobile Telecom Companies Vulnerable to SS7 Vulnerability

Cellphones InfoSec SDR

Welcome back, my rookie cyberwarriors!

In recent weeks, a series of sophisticated cyber attacks has once again exposed critical vulnerabilities in the Signaling System 7 (SS7) protocol, a fundamental component of global telecommunications infrastructure that manages call routing, SMS messaging, and cellular network interoperability. These security breaches, detected across multiple major U.S. telecommunications carriers including AT&T, Verizon, Lumen Technologies, and T-Mobile, highlight the inherent weaknesses in this legacy protocol that continues to form the backbone of modern telecommunications systems. This breach by Chinese state-sponsored hackers has exposed ALL cellular traffic to eavesdropping in the US and has prompted the FBI to recommend that all messaging be done by encrypted apps.

The SS7 protocol, originally designed in 1975, operates within the core network infrastructure and was developed with an implicit trust model that predates modern cybersecurity requirements. This architectural limitation makes SS7 particularly susceptible to exploitation, as the protocol lacks robust authentication mechanisms and encryption standards that are commonplace in contemporary network protocols. The recent breaches demonstrate how threat actors can leverage these protocol-level vulnerabilities to potentially intercept communications, track location data, and even manipulate network operations.

 

In this article, let’s explore the SS7 protocol and analyze the risks it poses.

Protocol Architecture and Vulnerability Foundation

The SS7 protocol stack implements a layered architecture that mirrors the OSI model, consisting of the Message Transfer Part (MTP) levels 1-3 and user parts including TCAP (Transaction Capabilities Application Part), SCCP (Signaling Connection Control Part), and MAP (Mobile Application Part). Each layer serves specific functions in signal routing and call management, creating multiple potential attack surfaces.

MTP Level 1 handles physical layer functions, while MTP Level 2 manages link reliability through error detection and correction. MTP Level 3 handles network routing and management functions. The SCCP layer provides additional addressing capabilities through Global Title Translation (GTT), enabling routing based on phone numbers rather than point codes. TCAP manages dialogue between applications, while MAP handles mobile-specific operations such as location updates and SMS routing.

The fundamental security weakness originates from SS7’s design philosophy during the monopolistic era of telecommunications. The protocol assumes network trustworthiness based on three flawed premises:

(1) physical security of signaling links,
(2) trusted network operators, and
(3) closed network access.

This trust model manifests in several critical architectural vulnerabilities:

Network Access Control: SS7 lacks robust authentication mechanisms for network elements. Any entity with network access can generate valid signaling messages, as the protocol doesn’t verify message origin authenticity. This enables attackers to impersonate legitimate network elements by manipulating Global Title addresses and point codes.

Message Validation: The protocol performs minimal validation of signaling message content and sequence. MAP operations lack cryptographic signing or verification, allowing attackers to generate arbitrary commands that appear legitimate to receiving networks. This weakness particularly affects location update and SMS routing operations.

Interconnection Security: SS7’s international routing architecture requires networks to process messages from unknown sources. The protocol’s trust model assumes all interconnected networks implement adequate security controls, creating a weakest-link vulnerability where compromised networks endanger the entire ecosystem.

State Management: SS7 implements limited state tracking for signaling dialogues. Attackers can inject messages into existing dialogues or create new ones without establishing proper session context. This enables man-in-the-middle attacks through manipulation of location registers and routing information.

Data Confidentiality: The protocol transmits sensitive subscriber data, including location information and authentication tokens, without encryption. While physical security initially protected this data, modern network architectures expose these communications to potential interception.

These architectural vulnerabilities manifest in practical attacks through specific protocol operations. For instance, the SendRoutingInfoForSM operation, designed for SMS routing, can be exploited to extract subscriber location data. The UpdateLocation operation, meant for handover between networks, enables call redirection attacks. The AnyTimeInterrogation operation, intended for value-added services, facilitates unauthorized location tracking.

The protocol’s inability to validate message origin and authenticity creates a fundamental trust issue that modern security controls can only partially mitigate. Additional layers of validation and filtering add security but cannot address the core architectural weaknesses without breaking backward compatibility with legacy networks.
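
To make these weaknesses concrete from the defending operator’s side, here is an added example, not code from the article or from any SS7 firewall product, of the screening a home network can apply to MAP operations arriving over an interconnect. It enforces the checks the trust model above omits: which network the calling Global Title belongs to, whether that origin is entitled to send this operation about this subscriber, and whether an UpdateLocation is physically plausible given the last accepted one. The three-category grouping loosely follows the GSMA FS.11 recommendations; the exact operation mapping, the placeholder PLMN 310999, the GT prefixes, the partner table and the sample messages are constructed assumptions.

```python
"""Added example (not from the article): screening inbound MAP operations
at an SS7 interconnect the way an SS7 firewall does.

The three categories loosely follow the GSMA FS.11 grouping; the exact
operation mapping, PLMN codes, GT prefixes, partner table and sample
messages are constructed for this example and belong to no real operator."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Category per MAP operation (simplified, assumed mapping):
#   1 - home-network-internal queries; never legitimate from an external GT
#   2 - sent by a subscriber's home HLR to the network serving them; from
#       outside, only legitimate for a foreign subscriber roaming on our network
#   3 - sent by a visited network about our own outbound roamers; legitimate
#       from a roaming partner, but the implied location must be plausible
CATEGORY = {
    "AnyTimeInterrogation": 1, "SendIMSI": 1,
    "ProvideSubscriberInfo": 2, "InsertSubscriberData": 2, "CancelLocation": 2,
    "UpdateLocation": 3, "SendRoutingInfoForSM": 3, "SendAuthenticationInfo": 3,
}
HOME_PLMN = "310999"       # placeholder MCC+MNC for "our" network
HOME_GT_PREFIX = "1555"    # placeholder Global Title prefix of our own nodes
PARTNERS = {               # calling-GT prefix -> (partner PLMN, country); constructed
    "49170": ("262999", "DE"),
    "6141": ("505999", "AU"),
}
MIN_COUNTRY_CHANGE = timedelta(hours=2)   # crude travel-time plausibility bound


@dataclass
class MapMessage:
    ts: datetime
    op: str
    calling_gt: str   # SCCP calling-party Global Title, i.e. the claimed origin
    imsi: str         # targeted subscriber (a real SRI-SM carries an MSISDN instead)


@dataclass
class State:
    last_location: dict = field(default_factory=dict)  # imsi -> (country, ts)


def partner_for(gt):
    for prefix, info in PARTNERS.items():
        if gt.startswith(prefix):
            return info
    return None


def screen(msg, state):
    """Decide one inbound message: returns (decision, reason) and records
    accepted UpdateLocation events in state for the plausibility check."""
    if msg.calling_gt.startswith(HOME_GT_PREFIX):
        return "allow", "internal node"
    cat = CATEGORY.get(msg.op)
    if cat is None:
        return "block", "unrecognised operation"
    if cat == 1:
        return "block", f"{msg.op} is never accepted from an external GT"
    partner = partner_for(msg.calling_gt)
    if partner is None:
        return "block", "calling GT is not a known roaming partner"
    partner_plmn, country = partner
    subscriber_plmn = msg.imsi[:6]   # MCC+MNC (sample data uses 3-digit MNCs)
    if cat == 2:
        if subscriber_plmn == HOME_PLMN:
            return "block", f"{msg.op} from outside targets our own subscriber"
        if subscriber_plmn != partner_plmn:
            return "block", "origin is not the targeted subscriber's home network"
        return "allow", "home HLR managing its inbound roamer"
    if subscriber_plmn != HOME_PLMN:             # category 3 from here on
        return "block", f"{msg.op} for someone who is not our subscriber"
    if msg.op == "UpdateLocation":
        prev = state.last_location.get(msg.imsi)
        if prev and prev[0] != country and msg.ts - prev[1] < MIN_COUNTRY_CHANGE:
            return "block", f"implausible move {prev[0]}->{country} after {msg.ts - prev[1]}"
        state.last_location[msg.imsi] = (country, msg.ts)
    return "allow", "roaming partner serving our outbound roamer"


T0 = datetime(2024, 12, 1, 10, 0)
HOME_SUB, DE_SUB = "310999000000001", "262999000000042"   # constructed IMSIs
SAMPLE = [  # constructed traffic, in arrival order
    MapMessage(T0, "UpdateLocation", "491701000001", HOME_SUB),
    MapMessage(T0 + timedelta(minutes=30), "UpdateLocation", "61410000001", HOME_SUB),
    MapMessage(T0 + timedelta(minutes=31), "AnyTimeInterrogation", "491701000001", HOME_SUB),
    MapMessage(T0 + timedelta(minutes=32), "ProvideSubscriberInfo", "491701000001", HOME_SUB),
    MapMessage(T0 + timedelta(minutes=33), "ProvideSubscriberInfo", "491701000001", DE_SUB),
    MapMessage(T0 + timedelta(minutes=34), "SendRoutingInfoForSM", "99900000001", HOME_SUB),
    MapMessage(T0 + timedelta(hours=5), "UpdateLocation", "61410000001", HOME_SUB),
]


def run(messages=SAMPLE):
    state = State()
    return [screen(m, state) for m in messages]


if __name__ == "__main__":
    for m, (decision, reason) in zip(SAMPLE, run()):
        print(f"{m.ts:%H:%M} {m.op:<22} from {m.calling_gt:<13} {decision:<5} {reason}")
```

Run as a script to print one decision per sample message. The origin checks are only as good as the partner table: a message whose calling GT has been manipulated to look like a partner node passes them, which is why the plausibility check on the claimed location and rate-based monitoring of signaling logs remain necessary alongside the per-message rules.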

Documented Attack Cases

1. The German Bank Heist (2017)

In January 2017, cybercriminals exploited SS7 vulnerabilities to intercept two-factor authentication codes sent to German bank customers. The attackers first obtained victims’ online banking credentials through traditional phishing methods. They then leveraged SS7 access to redirect SMS communications, intercepting the one-time passwords sent by banks. This allowed them to authorize fraudulent transfers, resulting in substantial financial losses. The attack demonstrated the practical exploitation of SS7’s SendRoutingInfoForSM operation to bypass SMS-based authentication.

2. Congressional Communications Breach (2020)

A major U.S. carrier discovered unauthorized SS7 packets targeting several Congress members’ mobile devices. Analysis revealed systematic attempts to track location data and intercept communications through manipulated MAP operations. The attackers exploited UpdateLocation messages to attempt call redirection, though the attack was detected and blocked by deployed SS7 firewalls.

3. European Telecom Infiltration (2019)

A sophisticated threat actor gained access to multiple European telecommunications providers’ SS7 networks. They exploited the ProvideSubscriberInfo operation to track hundreds of high-value targets across different countries. The attack remained undetected for months due to the legitimate appearance of the SS7 queries used. Investigation revealed careful manipulation of GT addressing to masquerade as authorized network elements.

4. Middle East Surveillance Operation (2021)

Security researchers uncovered a large-scale surveillance operation targeting Middle Eastern telecommunications networks. The attackers exploited SS7 to track location data of specific subscribers across multiple countries. Technical analysis showed sophisticated use of SendRoutingInfoForSM and AnyTimeInterrogation operations, combined with careful timing to avoid detection by basic SS7 firewalls.

5. Cryptocurrency Theft via SMS Interception (2022)

Attackers exploited SS7 vulnerabilities to hijack SMS verification codes for cryptocurrency exchange accounts. They first compromised victims’ email accounts, then used SS7 access to intercept SMS-based 2FA codes. The attack chain involved carefully timed InsertSubscriberData operations to redirect SMS messages without alerting the victims. This resulted in multiple high-value cryptocurrency thefts.

6. Australian Telecom Breach (2023)

A major Australian telecommunications provider detected systematic SS7 exploitation attempts originating from compromised Asian network operators. The attacks targeted both location tracking and call interception through manipulated MAP operations. Analysis revealed sophisticated evasion techniques, including distributed SS7 queries and legitimate-appearing GT routing patterns.
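
The evasion just described, queries spread over several Global Titles and paced to look like routine traffic (the Middle East case above used similar timing), defeats per-message screening but not aggregation. As an added example that is not from the article, the following correlates location-revealing MAP queries per origin network over a sliding window and flags one network that asks about many distinct home subscribers (a sweep) or about the same subscriber again and again (tracking). The log format, the origin-network table, the thresholds and the log lines are constructed.

```python
"""Added example (not from the article): sliding-window detection of
location-tracking activity in SS7 signalling logs. The log format, the
origin-network table and the thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP operations whose answer reveals where a subscriber is (all named in the article)
LOCATION_OPS = {"ProvideSubscriberInfo", "SendRoutingInfoForSM", "AnyTimeInterrogation"}
# Calling-GT prefix -> origin network; several GTs map to one network (constructed)
ORIGIN_NETWORKS = {"49170": "DE-partner", "49171": "DE-partner", "6141": "AU-partner"}
WINDOW = timedelta(hours=1)
MAX_TARGETS_PER_ORIGIN = 3   # more distinct subscribers than this per WINDOW -> sweep
MAX_QUERIES_PER_TARGET = 4   # same subscriber queried more often per WINDOW -> tracking

# Constructed log: timestamp,operation,calling_gt,target_imsi
LOG = """\
2024-12-01T10:00:00,ProvideSubscriberInfo,491701000001,310999000000001
2024-12-01T10:05:00,ProvideSubscriberInfo,491711000007,310999000000002
2024-12-01T10:10:00,SendRoutingInfoForSM,491701000001,310999000000003
2024-12-01T10:12:00,UpdateLocation,491701000001,310999000000009
2024-12-01T10:15:00,SendRoutingInfoForSM,491711000007,310999000000004
2024-12-01T11:00:00,AnyTimeInterrogation,61410000001,310999000000005
2024-12-01T11:10:00,AnyTimeInterrogation,61410000001,310999000000005
2024-12-01T11:20:00,AnyTimeInterrogation,61410000001,310999000000005
2024-12-01T11:30:00,AnyTimeInterrogation,61410000001,310999000000005
2024-12-01T11:40:00,AnyTimeInterrogation,61410000001,310999000000005
"""


def origin_of(gt):
    """Map a calling GT to the network it belongs to; unknown GTs stay distinct."""
    for prefix, name in ORIGIN_NETWORKS.items():
        if gt.startswith(prefix):
            return name
    return "unknown:" + gt


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, op, gt, imsi = line.split(",")
        rows.append((datetime.fromisoformat(ts), op, gt, imsi))
    return rows


def detect(rows):
    """Group by origin network rather than by single calling GT, so a campaign
    that spreads its queries over several GTs of one network still adds up.
    Each alert fires once, when the count first crosses its threshold."""
    alerts = []
    by_origin = defaultdict(list)   # origin -> [(ts, imsi)] inside WINDOW
    by_target = defaultdict(list)   # (origin, imsi) -> [ts] inside WINDOW
    for ts, op, gt, imsi in sorted(rows):
        if op not in LOCATION_OPS:
            continue
        origin = origin_of(gt)
        recent = [(t, i) for t, i in by_origin[origin] if ts - t <= WINDOW] + [(ts, imsi)]
        by_origin[origin] = recent
        distinct_targets = len({i for _, i in recent})
        if distinct_targets == MAX_TARGETS_PER_ORIGIN + 1:
            alerts.append(("sweep", origin, distinct_targets, ts))
        hits = [t for t in by_target[(origin, imsi)] if ts - t <= WINDOW] + [ts]
        by_target[(origin, imsi)] = hits
        if len(hits) == MAX_QUERIES_PER_TARGET + 1:
            alerts.append(("tracking", origin, imsi, ts))
    return alerts


def alerts_for(log=LOG):
    return detect(parse(log))


if __name__ == "__main__":
    for alert in alerts_for():
        print(*alert)
```

On the constructed log this raises one sweep alert for the German-side network (four different subscribers queried from two GTs within fifteen minutes) and one tracking alert for the Australian-side network (the same subscriber queried five times in forty minutes); the UpdateLocation line is ignored because it reveals nothing by itself. Thresholds are deliberately low here for illustration and would be tuned to an operator’s real roaming volumes.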

 

7. U.S. Telecommunications Campaign (2024)

A widespread Chinese state-sponsored hacking campaign targeted multiple U.S. telecommunications providers, ultimately compromising nine companies. The Salt Typhoon threat actor group orchestrated these attacks as part of a larger campaign affecting dozens of countries. The group, active since at least 2019, demonstrated sophisticated exploitation of SS7 vulnerabilities to breach telecommunications infrastructure, particularly targeting government entities.

Summary

These real-world attacks demonstrate the practical exploitation of SS7 vulnerabilities across different scenarios and objectives. They highlight how theoretical protocol weaknesses translate into actual security breaches.

With the advent of Software Defined Radio (SDR), reconnaissance against and exploitation of these weaknesses have become even cheaper and easier.

For more on Software Defined Radio, check out our SDR for Hackers and Advanced SDR for Hackers. In 2025, we will teach our first SDR for Mobile Systems course, where many of these techniques will be taught.