A surveillance company has been using a new attack technique to bypass the Signaling System 7 (SS7) protocol’s protections and trick telecommunications companies into disclosing the location of their users, cybersecurity company Enea reports.
The attack method, likely in use since the fourth quarter of 2024, relies on manipulating the encoding of TCAP (Transaction Capabilities Application Part) messages: the SS7 PDUs are structured so that signaling firewalls and other protection systems fail to decode their contents, while the targeted core network element still processes them.
TCAP messages are ASN.1 BER-encoded and built from Information Elements (IEs), each of which consists of three fields: a Tag (which governs how the Contents are interpreted), a Length (the size of the Contents) and the Contents themselves (the information conveyed).
In an SS7 system, one of the most important TCAP components is Invoke, which carries the operation that initiates a process in the receiving TCAP entity.
Enea says it has observed TCAP anomalies where the encoding of an IE containing the IMSI (International Mobile Subscriber Identity) field with a PSI (ProvideSubscriberInfo) Invoke has been altered.
PSI is a GSM-MAP operation that requests a targeted mobile subscriber's current location information from the core network element serving them, which makes it a staple of location tracking.
Mobile operators legitimately receive PSIs from partner networks for billing and mobility control when their subscribers roam, Enea explains, but should block PSIs that originate outside the home network yet target the home network's own subscribers.
“A key way for the mobile operator to know what PSI to permit and what to block is based on the IMSI in the PSI packet. Basically, if the source is not the home network, but the IMSI is from the home network, then the PSI should be blocked,” Enea says.
The cybersecurity firm discovered in-the-wild attacks in which the Tag of the IE carrying the IMSI was encoded in an extended (multi-octet) form, which broke the checks mobile operators use to decide whether a PSI requesting subscriber location data is legitimate.
“We believe that the presence of the extended Tag caused the IMSI field to be ignored by elements that were doing signaling security checks – the targeted IMSI was essentially ‘hidden’ – and so it couldn’t be used in any checks. The end result is that location tracking attacks for home network subscribers were allowed through,” Enea notes.
The attacks, it says, came from a surveillance company and have been ongoing since at least the end of last year, as part of its test suite for bypassing signaling security defenses.
“We don’t have any information on how successful this attack method has been worldwide, as its success is vendor/software specific, rather than being a general protocol vulnerability, but its use as part of a suite indicates that it has had some value,” Enea notes.
The cybersecurity firm believes the attacks were likely possible because the SS7 decoding stacks used by some operators did not implement the logic needed to understand the extended tag encoding, and because their SS7 signaling security solutions were built on top of older stacks that were permissive about fields they could not decode.
“To combat this and other related attacks, Enea recommends blocking all malformed PDU structures which are not known to be benign, or blocking any MAP PDUs where an IMSI is expected, but no IMSI was found within the decoded PDU,” the company notes.
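The following is an added example, not Enea's code or that of any signaling vendor. It illustrates both the bypass described above (an extended-form tag hiding the IMSI from a decoder that matches only the short form) and the two mitigations Enea recommends (block non-canonical structures; block a PSI in which no IMSI could be decoded). The assumptions are ours: the field layout follows ProvideSubscriberInfoArg in 3GPP TS 29.002 (imsi [0] IMSI, requestedInfo [2] RequestedInfo), the IMSIs and home PLMN are constructed test values, and since Enea does not publish the attacker's exact bytes, the long-form encoding 0x9F 0x00 of context tag [0] is a representative choice rather than the observed one.

```python
"""Added example (not Enea's or a vendor's code): a minimal BER tag/length
walker over a ProvideSubscriberInfo argument. Assumptions: field layout per
3GPP TS 29.002 ProvideSubscriberInfoArg; IMSIs, PLMN and the 0x9F 0x00
extended tag are constructed for illustration."""

LONG_FORM = 0x1F


def decode_tag(buf, i):
    """Return (raw identifier octets, tag number, canonical?, next index).
    X.690 requires tag numbers 0..30 to use the single-octet short form and
    forbids an all-zero first subsequent octet, so a long-form encoding of a
    low tag number is flagged as non-canonical."""
    start, first = i, buf[i]
    i += 1
    if first & LONG_FORM != LONG_FORM:
        return buf[start:i], first & LONG_FORM, True, i
    leading_zero = (buf[i] & 0x7F) == 0
    number = 0
    while True:
        b = buf[i]
        i += 1
        number = (number << 7) | (b & 0x7F)
        if not b & 0x80:
            break
    return buf[start:i], number, number > 30 and not leading_zero, i


def decode_length(buf, i):
    """Definite-form length only (short or long form)."""
    b = buf[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def walk(buf):
    """Top-level TLV elements: (raw tag octets, tag number, canonical, value)."""
    i, out = 0, []
    while i < len(buf):
        raw, num, canon, i = decode_tag(buf, i)
        length, i = decode_length(buf, i)
        out.append((raw, num, canon, buf[i:i + length]))
        i += length
    return out


def decode_tbcd(raw):
    """TBCD digit string: low nibble first, 0xF is filler."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0xF)


def find_imsi_legacy(arg):
    """Models the permissive behaviour Enea describes: recognises the IMSI only
    when its identifier is the single octet 0x80 and ignores anything else."""
    for raw, _num, _canon, value in walk(arg):
        if raw == b"\x80":
            return decode_tbcd(value)
    return None


def find_imsi_normalised(arg):
    """Matches on the decoded class and tag number, so the long form is seen too."""
    for raw, num, _canon, value in walk(arg):
        if raw[0] >> 6 == 2 and num == 0:  # context-specific [0]
            return decode_tbcd(value)
    return None


def legacy_policy(arg, source_is_home, home_plmn):
    """The check quoted in the article: foreign source + home IMSI -> block.
    Legacy twist: no IMSI decoded means no check, so the PSI is allowed."""
    imsi = find_imsi_legacy(arg)
    if imsi is None:
        return "allow"
    return "block" if (not source_is_home and imsi.startswith(home_plmn)) else "allow"


def hardened_policy(arg, source_is_home, home_plmn):
    """Enea's recommendation: block non-canonical structures, and block a PSI
    in which no IMSI could be decoded; then apply the home-subscriber check."""
    if any(not canon for _r, _n, canon, _v in walk(arg)):
        return "block"
    imsi = find_imsi_normalised(arg)
    if imsi is None:
        return "block"
    return "block" if (not source_is_home and imsi.startswith(home_plmn)) else "allow"


# Constructed samples (test PLMN 001-01 is the home network).
HOME_PLMN = "00101"
IMSI_HOME_TBCD = bytes([0x00, 0x01, 0x01, 0x21, 0x43, 0x65, 0x87, 0xF9])  # 001010123456789
IMSI_ROAM_TBCD = bytes([0x13, 0x10, 0x05, 0x21, 0x43, 0x65, 0x87, 0xF9])  # 310150123456789
REQUESTED_INFO = b"\xa2\x02\x80\x00"  # [2] SEQUENCE { locationInformation [0] NULL }
PSI_BENIGN = b"\x80\x08" + IMSI_HOME_TBCD + REQUESTED_INFO
PSI_ROAMING = b"\x80\x08" + IMSI_ROAM_TBCD + REQUESTED_INFO
PSI_HIDDEN = b"\x9f\x00\x08" + IMSI_HOME_TBCD + REQUESTED_INFO  # same IMSI, long-form tag

if __name__ == "__main__":
    for name, pdu in (("benign", PSI_BENIGN), ("roaming", PSI_ROAMING), ("extended-tag", PSI_HIDDEN)):
        print(f"{name:13} legacy={legacy_policy(pdu, False, HOME_PLMN):5} "
              f"hardened={hardened_policy(pdu, False, HOME_PLMN)}")
```

Run from a foreign signaling source, the benign PSI targeting a home IMSI is blocked by both policies, the roaming PSI is allowed by both, and the extended-tag PSI slips past the legacy policy (the IMSI is never matched, so no check fires) but is blocked by the hardened one on two independent grounds. The "no IMSI decoded" rule matters on its own: it also catches encodings the canonical-form check does not anticipate.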
Related: eSIM Hack Allows for Cloning, Spying
Related: LTE, 5G Vulnerabilities Could Cut Entire Cities From Cellular Connectivity
Related: ‘5Ghoul’ Vulnerabilities Haunt Qualcomm, MediaTek 5G Modems
Related: US Government Agencies Issue Guidance on Threats to 5G Network Slicing
