11_real_world_ss7_signaling
Part 11: Real-World Attacks β Core Signaling (SS7 / Diameter / GTP)
Learning Objective: Understand how real-world attackers exploit the SS7, Diameter, and GTP signaling planes of cellular networks β where in the network these attacks originate, the step-by-step attack sequences, and how to detect and mitigate them.
Important
These five case studies cover the most foundational telecom attack surface: the inter-operator signaling plane. SS7 (2G/3G), Diameter (4G), and GTP (all generations) form the nervous system of global mobile networks. Unlike IP-layer attacks, signaling-plane attacks exploit trust assumptions built into the telecom architecture itself β any operator with interconnect access can, by design, query any other operator's subscribers.
Table of Contents
- 1. SS7-Based SMS OTP Theft for Bank Fraud
- 2. SS7 Location Tracking of High-Value Targets
- 3. Diameter Exploitation for US Subscriber Tracking
- 4. Commercialized SS7 Interception as Access-Broker Service
- 5. GTP and Roaming-Plane Abuse for Fraud and Stealth Traffic
- Signaling Attack Summary
- Lab Exercises
How SS7/Diameter/GTP Interconnect Works
Before diving into individual attacks, it is critical to understand why these attacks are possible. The global mobile network is built on a trust model where operators exchange signaling messages to support roaming, SMS delivery, and call setup.
graph TB
subgraph "Home Network (Operator A)"
HLR_HSS[(π HLR/HSS
Subscriber DB)]
MSC_MME[ποΈ MSC/VLR Β· MME
Switching / Mobility]
SMSC[π¨ SMSC
SMS Center]
end
subgraph "Visited Network (Operator B β Roaming Partner)"
V_MSC[ποΈ Visited MSC/MME]
V_SGSN[π¦ SGSN/SGW]
end
subgraph "Signaling Network (SS7/Diameter)"
STP[π STP/DRA
Signal Transfer Point /
Diameter Routing Agent]
end
subgraph "GTP Roaming Plane"
GRX[π GRX/IPX
GPRS Roaming Exchange]
end
Attacker[π΄ Attacker
Rogue operator /
Leased SS7 access]
V_MSC <-->|MAP/Diameter
via SS7/IP| STP
STP <-->|MAP/Diameter| HLR_HSS
STP <-->|MAP| SMSC
V_SGSN <-->|GTP-C| GRX
GRX <-->|GTP-C/U| MSC_MME
Attacker -.->|β Purchased
SS7/Diameter
access| STP
Attacker -.->|β Rogue
GTP peer| GRX
style Attacker fill:#ff6666,color:#fff
style STP fill:#ffaa66
style GRX fill:#ffaa66
style HLR_HSS fill:#ffee66
style SMSC fill:#ffee66Note
Key insight: SS7 was designed in the 1970s for a closed club of national telephone companies. There was no authentication between operators β any node that could send a MAP message was trusted. This trust model persists today because replacing SS7 would require coordinated global migration. Diameter (4G) added optional TLS but most deployments still lack it. GTP has no built-in encryption or authentication at all.
1. SS7-Based SMS OTP Theft for Bank Fraud (S, I, E)
Executive Summary
In 2017, attackers exploited SS7 signaling access β obtained through a foreign mobile operator β to intercept SMS-based two-factor authentication codes sent to German bank customers by O2-TelefΓ³nica. The attackers first harvested banking credentials via phishing, then used SS7 to redirect victims' SMS messages to attacker-controlled numbers, authorizing fraudulent wire transfers that drained accounts.
Real-World Incident
| Detail | Value |
|---|---|
| When | January 2017 (publicly reported) |
| Who | Organized criminal group with purchased SS7 access |
| Targets | German O2-TelefΓ³nica mobile subscribers with online banking |
| Method | SS7 UpdateLocation to re-register victim MSISDNs to attacker-controlled MSC, redirecting SMS |
| Impact | Direct financial theft β bank accounts drained via authorized mTAN transfers |
| Discovery | O2-TelefΓ³nica confirmed the attacks after SΓΌddeutsche Zeitung reporting |
Network Position β Where the Attack Starts
graph TB
subgraph "Victim's Home Network (O2-TelefΓ³nica Germany)"
HLR[(π HLR
Home Location Register)]
SMSC[π¨ SMSC
SMS Center]
MSC_Home[ποΈ Home MSC/VLR]
end
subgraph "SS7 Interconnect"
STP[π STP
Signal Transfer Point]
end
subgraph "Attacker Infrastructure"
Rogue_MSC[π΄ Rogue MSC
Attacker-controlled
via leased SS7 GT]
Attacker_Phone[π΄ Attacker Phone
Receives redirected SMS]
end
subgraph "Victim Side"
Victim_UE[π± Victim UE
German bank customer]
Bank[π¦ Online Bank
Sends mTAN via SMS]
end
Bank -->|"1. Sends mTAN SMS
to victim MSISDN"| SMSC
SMSC -->|"2. Queries HLR:
SRI-for-SM"| HLR
HLR -.->|"3. Returns ATTACKER's
MSC address
(poisoned by UpdateLocation)"| SMSC
SMSC -.->|"4. Routes SMS to
attacker's MSC"| STP
STP -.->|"5. Delivers SMS"| Rogue_MSC
Rogue_MSC -.->|"6. OTP received"| Attacker_Phone
Victim_UE -.->|"β Never receives SMS"| MSC_Home
style Rogue_MSC fill:#ff6666,color:#fff
style Attacker_Phone fill:#ff6666,color:#fff
style HLR fill:#ffaa66
style SMSC fill:#ffaa66
style Victim_UE fill:#ffee66
style Bank fill:#ffee66Attack Sequence β Step by Step
sequenceDiagram
participant Attacker as π΄ Attacker
participant SS7 as π SS7 Network
participant HLR as π HLR (O2)
participant SMSC as π¨ SMSC (O2)
participant Bank as π¦ Bank
participant Victim as π± Victim
Note over Attacker: Phase 1: Credential Harvesting
Attacker->>Victim: Phishing email/SMS with fake bank login
Victim->>Attacker: Enters bank username + password
Note over Attacker: Phase 2: SS7 Subscriber Hijack
Attacker->>SS7: MAP UpdateLocation
(IMSI=victim, new MSC=attacker GT)
SS7->>HLR: Forward UpdateLocation
HLR->>SS7: UpdateLocation ACK
(Victim now "roaming" at attacker MSC)
Note over Attacker: Phase 3: Trigger and Intercept OTP
Attacker->>Bank: Login with stolen credentials
Bank->>SMSC: Send mTAN SMS to victim MSISDN
SMSC->>HLR: SendRoutingInfo-for-SM (SRI-SM)
HLR->>SMSC: Returns attacker's MSC address
SMSC->>SS7: MT-ForwardSM (SMS to attacker MSC)
SS7->>Attacker: SMS delivered with mTAN code
Note over Attacker: Phase 4: Cash-Out
Attacker->>Bank: Submit mTAN β authorize wire transfer
Bank->>Bank: Transfer approved β
Note over Victim: β Victim never receives SMS
β Victim unaware until funds goneTechnical Deep Dive
The attack exploits two SS7 MAP (Mobile Application Part) operations:
-
UpdateLocation(UL): Normally sent by a visited MSC/VLR when a subscriber roams to a new network. It tells the HLR: "this subscriber is now registered at my MSC." The HLR updates its records and returns the subscriber profile. There is no authentication β the HLR trusts any UpdateLocation from any SS7-connected node. -
SendRoutingInfo-for-SM(SRI-SM): When the SMSC needs to deliver an SMS, it queries the HLR for the current serving MSC address. After the malicious UpdateLocation, the HLR returns the attacker's MSC address instead of the legitimate one.
Protocol-level detail:
MAP UpdateLocation Request:
IMSI: 262-02-XXXXXXXXX (victim's IMSI)
MSC Number: +XXX-XXXX (attacker's Global Title)
VLR Number: +XXX-XXXX (attacker's Global Title)
HLR Response:
UpdateLocation ACK
(HLR now records victim as served by attacker GT)
The attacker needs:
- The victim's IMSI (obtainable via SS7
SendRoutingInfoor from breached carrier data) - An SS7 Global Title (leased from a compliant or corrupt operator, or purchased from a signaling-as-a-service provider)
Detection Indicators
- Anomalous
UpdateLocationfrom unexpected Global Titles: HLR receives UL from an operator the subscriber has never roamed to - Rapid location changes: Subscriber appears to "teleport" between countries within minutes
SRI-SMreturning foreign MSC for domestic subscribers: SMS routing queries returning unexpected serving nodes- SMS delivery failures followed by fraud reports: Temporal correlation between missing SMS and unauthorized bank transactions
- SS7 firewall alerts: Category 1 (info gathering) and Category 3 (fraud) message patterns per GSMA FS.11
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | High | Attacker impersonates a legitimate roaming MSC |
| Tampering | N/A | No data modification β redirection only |
| Repudiation | Medium | SS7 logging often insufficient to trace attacker |
| Information Disclosure | Critical | SMS content (OTP codes) exposed to attacker |
| Denial of Service | Medium | Victim loses SMS service during hijack window |
| Elevation of Privilege | Critical | Attacker gains access to victim's bank account |
Mitigation
- β SS7 firewall (GSMA FS.11 Category 1-3 filtering) β block unexpected UpdateLocation/SRI-SM from untrusted origins
- β Home Routing for SMS β SMSC delivers to an SMS router in the home network first, not directly to the serving MSC
- β Replace SMS-based 2FA with app-based TOTP, FIDO2/WebAuthn, or push notifications
- β Real-time velocity checks on HLR β flag UL from a new country if subscriber was domestic seconds ago
- β οΈ Subscriber notification β alert users when their HLR record changes (rarely implemented)
- β οΈ CAT (CAMEL Application Toolkit) triggers β use CAMEL to validate location changes (complex to deploy)
References
- Terrazone: SS7 Security Vulnerabilities, Attacks & Prevention
- GSMA FS.11: SS7 Interconnect Security Monitoring Guidelines
- GSMA FS.19: Diameter Interconnect Security
- 3GPP TS 29.002: MAP Protocol Specification
- SΓΌddeutsche Zeitung (2017): Reporting on O2-TelefΓ³nica SS7 bank fraud
2. SS7 Location Tracking of High-Value Targets (I)
Executive Summary
State intelligence agencies and criminal organizations have repeatedly used SS7 signaling queries β specifically SendRoutingInfo (SRI) and ProvideSubscriberInfo (PSI) β to track the real-time geographic location of journalists, activists, political dissidents, and other high-value targets. These attacks turn every mobile phone into a persistent tracking beacon, requiring only the target's phone number.
Real-World Incident
| Detail | Value |
|---|---|
| When | Documented from 2014 onward; confirmed ongoing through 2024 |
| Who | State-level actors, surveillance companies (e.g., Circles, linked to NSO Group), and commercial location-tracking services |
| Targets | Journalists, human rights activists, political opposition figures, diplomats |
| Method | SS7 SRI to get serving MSC/Cell-ID, PSI to get precise location (cell sector + timing advance) |
| Impact | Persistent surveillance of targets across borders; physical safety compromised |
| Discovery | EFF, Citizen Lab, and carrier security teams detected anomalous SS7 queries from unusual origins |
Network Position β Where the Attack Starts
graph TB
subgraph "Target's Home Network"
HLR[(π HLR
Home Location Register)]
MSC[ποΈ MSC/VLR
Serving the target]
BTS[π‘ BTS/eNB
Cell tower serving target]
end
subgraph "SS7 Interconnect"
STP[π STP
Signal Transfer Point]
end
subgraph "Attacker (Surveillance Operator)"
Attacker_Node[π΄ SS7 Node
Intelligence agency /
surveillance vendor]
Analyst[π΄ Analyst
Plots target location
on map over time]
end
subgraph "Target"
Target_UE[π± Target Phone
Journalist / Activist]
end
Target_UE -.->|"Connected to cell"| BTS
BTS <--> MSC
MSC <--> HLR
Attacker_Node -.->|"1. SRI: Where is
MSISDN +49XXX?"| STP
STP -.->|"2. Query HLR"| HLR
HLR -.->|"3. Returns:
MSC addr + IMSI"| STP
STP -.->|"4. SRI Response"| Attacker_Node
Attacker_Node -.->|"5. PSI: Give me
exact cell + TA"| STP
STP -.->|"6. Query MSC"| MSC
MSC -.->|"7. Cell-ID + LAC
+ Timing Advance"| STP
STP -.->|"8. Location data"| Attacker_Node
Attacker_Node -->|"9. Plot on map"| Analyst
style Attacker_Node fill:#ff6666,color:#fff
style Analyst fill:#ff6666,color:#fff
style STP fill:#ffaa66
style HLR fill:#ffaa66
style MSC fill:#ffaa66
style Target_UE fill:#ffee66Attack Sequence β Step by Step
sequenceDiagram
participant Attacker as π΄ Surveillance Node
participant SS7 as π SS7 Network
participant HLR as π HLR
participant MSC as ποΈ Serving MSC
participant Target as π± Target
Note over Attacker: Only needs target's phone number
Attacker->>SS7: MAP SendRoutingInfo (SRI)
(MSISDN=target phone number)
SS7->>HLR: Forward SRI
HLR->>SS7: SRI Response
(IMSI, serving MSC address)
SS7->>Attacker: IMSI + MSC address
Note over Attacker: Now knows target's IMSI and serving network
Attacker->>SS7: MAP ProvideSubscriberInfo (PSI)
(IMSI=target, RequestInfo=location)
SS7->>MSC: Forward PSI
MSC->>SS7: PSI Response
(Cell-ID, LAC, Age of Location)
SS7->>Attacker: Cell-ID=4521, LAC=1003, Age=2min
Note over Attacker: Maps Cell-ID β GPS coordinates
via public cell tower databases
Note over Attacker: Repeats every 5-15 minutes
to build movement pattern
loop Every 5-15 minutes
Attacker->>SS7: MAP PSI (IMSI=target)
SS7->>MSC: Forward PSI
MSC->>SS7: Updated Cell-ID + LAC
SS7->>Attacker: New location
end
Note over Attacker: Builds timeline:
Home β Office β Meeting β AirportTechnical Deep Dive
Two primary SS7 MAP operations are used:
-
SendRoutingInfo(SRI) β Input: target MSISDN (phone number). Output: IMSI and current serving MSC/VLR address. Originally designed for call routing but gives the attacker the target's IMSI and which MSC currently serves them. -
ProvideSubscriberInfo(PSI) β Input: IMSI. Output: current Cell-ID, Location Area Code (LAC), and "age of location" (how recently the location was updated). Originally designed for lawful intercept and emergency services. Cell-ID maps to a specific cell tower sector, providing location accuracy of 50mβ2km depending on cell density.
Additional techniques:
AnyTimeInterrogation(ATI): A single query that returns both routing info and location. Blocked by some operators but still widely functional.- Triangulation: By correlating Cell-ID + Timing Advance (TA) from multiple queries or by triggering handovers, attackers can refine position to ~50m in urban areas.
- Silent SMS (Type 0): Send a "silent" SMS that doesn't appear on the target's phone but forces a location update in the MSC, giving a fresh Cell-ID. Often combined with PSI.
Detection Indicators
- High-frequency SRI/PSI queries for the same IMSI from a single source
- SRI/PSI from Global Titles not associated with any legitimate roaming or interconnect agreement
- ATI queries from non-CAMEL origins β ATI should only come from CAMEL service platforms
- Silent SMS (TP-PID=0x40) bursts to the same subscriber preceding PSI queries
- Subscriber location queries outside business hours or from unexpected geographic origins
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Low | Attacker uses legitimate SS7 identity (leased GT) |
| Tampering | N/A | Read-only attack β no data modification |
| Repudiation | High | Difficult to attribute queries to specific actors |
| Information Disclosure | Critical | Real-time location tracking of any subscriber globally |
| Denial of Service | N/A | No service disruption |
| Elevation of Privilege | N/A | No privilege change |
Mitigation
- β SS7 firewall with Category 1 filtering (GSMA FS.11) β block SRI/PSI/ATI from unauthorized origins
- β Home Routing β proxy SRI responses through home network, hiding true serving MSC
- β GSMA SISS (Signaling Intelligence and Security Service) β industry threat intelligence sharing
- β Monitor and alert on anomalous query patterns β rate-limit SRI/PSI per source GT
- β οΈ Carrier-level opt-in location privacy β some operators offer VIP subscribers enhanced location query blocking
- β οΈ Use a secondary phone/eSIM for sensitive communications β changes IMSI linkage
References
- EFF: SS7 is Vulnerable and Telecoms Must Acknowledge It (2024)
- GSMA FS.11: SS7 Interconnect Security Monitoring Guidelines
- Citizen Lab: "Running in Circles" β NSO Group / Circles surveillance infrastructure
- 3GPP TS 29.002: MAP Protocol (SRI, PSI, ATI operations)
- Tobias Engel, 31C3 (2014): "SS7: Locate. Track. Manipulate."
3. Diameter Exploitation for US Subscriber Tracking (I)
Executive Summary
In 2022, US government cybersecurity officials disclosed that unauthorized parties had attempted to exploit Diameter signaling β the 4G successor to SS7 β to retrieve location data of US mobile subscribers. The attacks used Diameter routing agents connected via the IPX (IP eXchange) roaming backbone to query Home Subscriber Servers (HSS) at US carriers, demonstrating that the move from SS7 to Diameter did not eliminate signaling-plane surveillance capabilities.
Real-World Incident
| Detail | Value |
|---|---|
| When | 2022 (disclosed by CISA and FCC communications) |
| Who | Unauthorized foreign entities (specific attribution classified) |
| Targets | Specific individuals on US mobile networks |
| Method | Diameter Location-Info-Request and User-Data-Request via IPX interconnect |
| Impact | Attempted real-time location surveillance of US persons |
| Discovery | US carrier security teams and CISA identified anomalous Diameter signaling patterns |
Network Position β Where the Attack Starts
graph TB
subgraph "US Carrier (Home Network)"
HSS[(π HSS
Home Subscriber
Server)]
MME[ποΈ MME
Mobility Management]
eNB[π‘ eNodeB]
end
subgraph "Diameter Interconnect (IPX)"
DRA_Home[π Home DRA
Diameter Routing Agent]
IPX[π IPX Backbone
IP eXchange]
DRA_Visited[π Visited DRA]
end
subgraph "Attacker Infrastructure"
Attacker_DRA[π΄ Rogue Diameter
Client / Proxy
via compromised or
leased IPX access]
end
subgraph "Target"
Target_UE[π± Target UE
US subscriber]
end
Target_UE -.-> eNB
eNB <--> MME
MME <-->|S6a Diameter| DRA_Home
DRA_Home <-->|Diameter| IPX
IPX <--> DRA_Visited
Attacker_DRA -.->|"β Diameter queries
via IPX"| IPX
style Attacker_DRA fill:#ff6666,color:#fff
style IPX fill:#ffaa66
style DRA_Home fill:#ffaa66
style HSS fill:#ffee66
style Target_UE fill:#ffee66Attack Sequence β Step by Step
sequenceDiagram
participant Attacker as π΄ Rogue Diameter Client
participant IPX as π IPX Backbone
participant DRA as π Home DRA
participant HSS as π HSS (US Carrier)
participant MME as ποΈ MME
Note over Attacker: Attacker has IPX interconnect access
(via leased or compromised Diameter peer)
Attacker->>IPX: Diameter S6a:
Authentication-Information-Request (AIR)
(IMSI=target)
IPX->>DRA: Route Diameter message
DRA->>HSS: Forward AIR
alt No DRA Filtering
HSS->>DRA: Authentication-Information-Answer
(Auth vectors: RAND, AUTN, XRES, KASME)
DRA->>IPX: Forward AIA
IPX->>Attacker: Auth vectors received
Note over Attacker: β οΈ Can now derive session keys
else DRA Filtering Active
DRA->>Attacker: Diameter Error:
DIAMETER_AUTHORIZATION_REJECTED
Note over Attacker: β Blocked by DRA policy
end
Note over Attacker: Location query attempt
Attacker->>IPX: Diameter S6a:
Notify Request (NOR) with
Alert-Reason=UE_PRESENT
IPX->>DRA: Route message
DRA->>HSS: Forward NOR
HSS->>MME: Triggers location update procedure
MME->>HSS: Update-Location-Request
(includes serving eNB / cell info)
HSS->>DRA: Notify Answer
(location data in response)
DRA->>IPX: Forward response
IPX->>Attacker: Cell-level location obtained
Note over Attacker: Alternative: Insert-Subscriber-Data
to modify subscriber profileTechnical Deep Dive
Diameter (defined in RFC 6733 and 3GPP TS 29.272 for S6a) was designed to replace SS7 MAP for 4G/LTE. While it uses TCP/SCTP and supports TLS, the protocol has several exploitable properties:
Key Diameter commands abused:
| Command | Code | Purpose | Abuse Potential |
|---|---|---|---|
Authentication-Information-Request (AIR) |
318 | Retrieve auth vectors for a subscriber | Extract RAND/AUTN/XRES β derive session keys |
Update-Location-Request (ULR) |
316 | Register subscriber at new MME | Redirect subscriber to attacker-controlled MME |
Notify-Request (NOR) |
323 | Alert HSS of subscriber state | Trigger location update β extract cell info |
Insert-Subscriber-Data-Request (IDR) |
319 | Push subscriber profile updates | Modify QoS, APN, roaming permissions |
Cancel-Location-Request (CLR) |
317 | De-register subscriber from current MME | Denial of service β force re-attach |
Why Diameter is still vulnerable:
- TLS is optional β many IPX peers negotiate without TLS
- DRA (Diameter Routing Agent) policies are often permissive β operators whitelist all roaming partners rather than restricting per-command
- IPX backbone is shared β multiple operators and MVNOs share IPX connectivity, increasing the attack surface
- No per-subscriber authorization β any Diameter peer can query any IMSI
Detection Indicators
- Diameter messages from unexpected Diameter identities (Origin-Host / Origin-Realm not matching known roaming partners)
- AIR/ULR for domestic subscribers from foreign Diameter peers β domestic subscribers should not trigger foreign S6a queries
- High-frequency location-related commands (NOR, IDR) for the same IMSI
- Diameter messages without TLS from IPX-connected peers
- DRA logs showing routing anomalies β messages for subscribers not associated with the source realm
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Medium | Attacker uses valid Diameter peer identity (leased access) |
| Tampering | Medium | IDR can modify subscriber profiles |
| Repudiation | High | Attribution difficult across IPX backbone |
| Information Disclosure | Critical | Location data, auth vectors, subscriber profiles exposed |
| Denial of Service | Medium | CLR can de-register subscribers |
| Elevation of Privilege | High | IDR can elevate QoS or enable unauthorized roaming |
Mitigation
- β Diameter Edge Agent (DEA) / Diameter firewall β filter messages by command type, origin realm, and destination IMSI
- β Mandatory TLS on all Diameter peering β enforce at IPX interconnect level
- β Per-command authorization policies β only allow AIR/ULR from contracted roaming partners for their subscribers
- β GSMA FS.19 compliance β implement Diameter interconnect security recommendations
- β Anomaly detection on DRA β alert on unexpected command patterns per origin
- β οΈ IPX provider contractual enforcement β require IPX providers to validate all connected peers (inconsistently enforced)
References
- EFF: SS7 is Vulnerable and Telecoms Must Acknowledge It (2024)
- GSMA FS.19: Diameter Interconnect Security
- 3GPP TS 29.272: Diameter-based S6a/S6d Interface
- NIST SP 800-187: Guide to LTE Security
- FCC CSRIC Best Practices for SS7 and Diameter Security
4. Commercialized SS7 Interception as Access-Broker Service (S, I, E)
Executive Summary
Underground platforms β exemplified by services like fastsms[.]su β have industrialized SS7-based SMS interception, selling it as a commodity service. Threat actors pay to receive OTPs and verification codes sent to any mobile number, enabling at-scale account takeover across banking, email, social media, and cloud services. This represents the evolution of SS7 exploitation from targeted espionage to mass-market cybercrime infrastructure.
Real-World Incident
| Detail | Value |
|---|---|
| When | Active since at least 2019; documented by Zimperium in 2024 |
| Who | Organized cybercrime syndicates operating as service providers |
| Targets | Any mobile subscriber globally; 600+ brand OTPs across 113 countries |
| Method | Combination of SS7 interception, SIM farms, and Android malware to capture SMS OTPs at scale |
| Impact | Mass account takeover β customers can buy phone numbers and receive their OTPs |
| Discovery | Zimperium zLabs identified 107,000+ malware samples tied to the ecosystem |
Network Position β Where the Attack Starts
graph TB
subgraph "Legitimate Mobile Network"
HLR[(π HLR/HSS)]
SMSC[π¨ SMSC]
MSC[ποΈ MSC/MME]
BTS[π‘ BTS/eNB]
end
subgraph "SS7 Interconnect"
STP[π STP]
end
subgraph "Access-Broker Infrastructure"
SS7_Gateway[π΄ SS7 Gateway
Leased interconnect]
SIM_Farm[π΄ SIM Farm
Thousands of SIMs
for number rental]
C2[π΄ C2 Server
Manages OTP
delivery pipeline]
Web_Portal[π΄ Web Portal
fastsms.su etc.
Customer self-service]
Telegram_Bot[π΄ Telegram Bot
OTP delivery
channel]
end
subgraph "Criminal Customers"
Buyer[π€ Buyer
Pays for OTP
interception]
end
subgraph "Victim Services"
Bank_App[π¦ Bank]
Email[π§ Email Provider]
Cloud[βοΈ Cloud/SaaS]
end
Bank_App -->|"SMS OTP"| SMSC
Email -->|"SMS OTP"| SMSC
Cloud -->|"SMS OTP"| SMSC
SMSC --> HLR
HLR -.->|"Routing info
(poisoned or
SIM farm number)"| SMSC
SMSC -.-> STP
STP -.-> SS7_Gateway
SS7_Gateway --> C2
SIM_Farm -->|"Registered numbers
on real network"| BTS
BTS --> MSC
C2 --> Web_Portal
C2 --> Telegram_Bot
Buyer -->|"1. Select number
2. Pay crypto
3. Receive OTP"| Web_Portal
Telegram_Bot -->|"OTP delivered"| Buyer
style SS7_Gateway fill:#ff6666,color:#fff
style SIM_Farm fill:#ff6666,color:#fff
style C2 fill:#ff6666,color:#fff
style Web_Portal fill:#ff6666,color:#fff
style Telegram_Bot fill:#ff6666,color:#fff
style Buyer fill:#ff6666,color:#fff
style HLR fill:#ffaa66
style SMSC fill:#ffaa66Attack Sequence β Step by Step
sequenceDiagram
participant Buyer as π€ Criminal Buyer
participant Portal as π΄ OTP Service Portal
participant C2 as π΄ C2 Infrastructure
participant SS7_GW as π΄ SS7 Gateway
participant SMSC as π¨ Target SMSC
participant Service as π¦ Bank / Email / SaaS
Buyer->>Portal: 1. Browse available numbers
by country + carrier
Portal->>Buyer: 2. Number list + pricing
(~$0.50-$5.00 per OTP)
Buyer->>Portal: 3. Select number + pay (crypto)
Buyer->>Service: 4. Request account creation
or password reset with
purchased number
Service->>SMSC: 5. Send SMS OTP to number
SMSC->>SS7_GW: 6. SMS routed via SS7
(or delivered to SIM farm)
SS7_GW->>C2: 7. OTP captured
C2->>Portal: 8. OTP available
Portal->>Buyer: 9. OTP displayed
(or via Telegram bot)
Buyer->>Service: 10. Enter OTP β account created/hijacked
Note over Buyer,Service: Entire flow takes 30-120 seconds
Buyer can repeat for unlimited accountsTechnical Deep Dive
The access-broker ecosystem operates through multiple parallel interception channels:
Channel 1 β SS7 Interception (highest capability):
- Operator purchases SS7 access through a corrupt or complicit telco
- Uses
UpdateLocation+MT-ForwardSMinterception (same as Attack #1) - Scales to any subscriber on any network reachable via SS7
Channel 2 β SIM Farm (most common):
- Operator purchases prepaid SIMs in bulk across many countries
- SIMs are inserted into GSM modem banks connected to servers
- Numbers are rented to buyers; incoming SMS is read directly from the SIM
- Does not require SS7 access β uses the legitimate network
Channel 3 β Android Malware (widest reach):
- 107,000+ malware samples distributed via fake apps, malvertising, and Telegram
- Malware requests SMS permission, then forwards all incoming SMS to C2
- Infected phones become unwitting participants in the OTP interception network
- Zimperium documented OTP theft for 600+ brands across 113 countries
Business model:
- Customers interact via Telegram bots or web portals
- Pricing: $0.50β$5.00 per OTP depending on country and carrier
- Some services offer subscriptions for continuous SMS forwarding
- Cryptocurrency payments for anonymity
Detection Indicators
- Multiple OTP requests from the same number in short succession for different services
- Numbers that receive OTPs but never make calls or send SMS (SIM farm pattern)
- Sudden increase in SMS delivery to specific MSC addresses (SS7 redirection)
- Android devices with SMS permission granted to unknown apps sending data to C2 domains
- Service-side signals: New account registrations from the same number for different user identities
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | Critical | Mass identity spoofing via number rental / interception |
| Tampering | N/A | No data modification |
| Repudiation | High | Cryptocurrency payments, rotating infrastructure |
| Information Disclosure | Critical | OTP codes for 600+ service brands exposed |
| Denial of Service | Low | Victims may experience delayed SMS delivery |
| Elevation of Privilege | Critical | Enables account takeover across banking, email, cloud |
Mitigation
- β Eliminate SMS as a primary 2FA channel β migrate to TOTP, FIDO2, or push-based authentication
- β Service-side number intelligence β flag numbers known to belong to SIM farms (services like Telesign, IPQualityScore)
- β Device binding β bind MFA to a specific device, not just a phone number
- β SS7 firewall (addresses SS7 interception channel only)
- β Google Play Protect / app store enforcement β flag apps requesting SMS permissions without legitimate need
- β οΈ User education β users should avoid granting SMS permissions to untrusted apps
- β οΈ Rate limiting OTP issuance β limit how many OTPs a single number can receive per hour
References
- SecurityWeek: Massive OTP-Stealing Android Malware Campaign Discovered (2024)
- Zimperium zLabs: "SMS Stealer" campaign analysis (107,000+ samples, 113 countries)
- GSMA FS.11: SS7 Interconnect Security
- 3GPP TS 29.002: MAP Protocol (SMS interception operations)
5. GTP and Roaming-Plane Abuse for Fraud and Stealth Traffic (S, T, I, E)
Executive Summary
The GPRS Tunneling Protocol (GTP) β used across 2G, 3G, 4G, and 5G for user-plane tunneling and control-plane signaling between operators β has no built-in authentication or encryption. Malicious or compromised roaming partners have exploited GTP to inject traffic, create unauthorized data sessions, bypass billing, and establish covert communication channels through the roaming interconnect (GRX/IPX). These attacks are harder to detect than SS7 abuse because GTP traffic is high-volume and looks like legitimate roaming data.
Real-World Incident
| Detail | Value |
|---|---|
| When | Ongoing; security research published 2018-2024 |
| Who | Malicious roaming partners, criminal organizations with GTP access |
| Targets | Mobile operators (revenue fraud), subscribers (unauthorized access to sessions) |
| Method | GTP-C session creation, GTP-U tunnel injection, TEID spoofing |
| Impact | Revenue fraud, unauthorized data tunneling, subscriber session hijacking |
| Discovery | P1 Security, GSMA, and operator security teams via traffic analysis |
Network Position β Where the Attack Starts
graph TB
subgraph "Home Operator Network"
HSS[(π HSS)]
MME[ποΈ MME]
SGWC[βοΈ SGW-C]
SGWU[π¦ SGW-U]
PGWC[βοΈ PGW-C/SMF]
PGWU[π¦ PGW-U/UPF]
Internet[π Internet]
end
subgraph "GTP Roaming Interconnect"
GRX[π GRX/IPX
GPRS Roaming
Exchange]
end
subgraph "Legitimate Roaming Partner"
V_SGSN_OK[π¦ Visited SGSN/MME
Legitimate partner]
end
subgraph "Attacker (Malicious Roaming Partner)"
V_SGSN_Bad[π΄ Rogue SGSN/MME
Malicious or
compromised partner]
Attacker_UPF[π΄ Rogue User Plane
Traffic injection]
end
V_SGSN_OK <-->|"GTP-C (legitimate
roaming sessions)"| GRX
V_SGSN_Bad -.->|"β GTP-C: Fake
Create Session Request
(spoofed IMSI)"| GRX
Attacker_UPF -.->|"β GTP-U: Injected
tunneled traffic
(spoofed TEID)"| GRX
GRX <-->|"GTP-C"| SGWC
GRX <-->|"GTP-U"| SGWU
SGWC <--> MME
SGWC <--> PGWC
SGWU <--> PGWU
MME <--> HSS
PGWU <--> Internet
style V_SGSN_Bad fill:#ff6666,color:#fff
style Attacker_UPF fill:#ff6666,color:#fff
style GRX fill:#ffaa66
style SGWC fill:#ffaa66
style SGWU fill:#ffaa66
style PGWU fill:#ffee66
style Internet fill:#ffee66Attack Sequence β Step by Step
sequenceDiagram
participant Attacker as π΄ Rogue Roaming Partner
participant GRX as π GRX/IPX
participant SGW as βοΈ SGW-C (Home)
participant PGW as βοΈ PGW-C (Home)
participant UPF as π¦ PGW-U/UPF (Home)
participant HSS as π HSS (Home)
participant Internet as π Internet
Note over Attacker: Scenario A: Fraudulent Session Creation
Attacker->>GRX: GTP-C: Create Session Request
(IMSI=spoofed, APN=internet
RAT=EUTRAN)
GRX->>SGW: Forward Create Session Request
SGW->>PGW: Create Session Request
(allocate IP, create GTP-U tunnel)
PGW->>UPF: PFCP Session Establishment
(install forwarding rules)
UPF->>PGW: PFCP Response (UE IP: 10.45.0.X)
PGW->>SGW: Create Session Response
(GTP-U TEID for data plane)
SGW->>GRX: Create Session Response
GRX->>Attacker: Session established
(TEID + UE IP allocated)
Note over Attacker: Attacker now has a GTP-U tunnel
through home operator to Internet
β billed to spoofed subscriber or operator
Attacker->>GRX: GTP-U: Encapsulated IP packets
(using assigned TEID)
GRX->>UPF: Forward GTP-U packets
UPF->>Internet: Decapsulate β forward to Internet
Note over Attacker: Scenario B: TEID Spoofing / Session Hijack
Attacker->>GRX: GTP-U: Packets with
spoofed TEID of legitimate session
GRX->>UPF: Injected into existing
subscriber's tunnel
UPF->>Internet: Attacker traffic exits via
legitimate subscriber's IP
Note over Attacker: Scenario C: Billing Bypass
Note over Attacker: Create sessions with APN=free-tier
or exploit zero-rated data partnersTechnical Deep Dive
GTP has two planes, both vulnerable:
GTP-C (Control Plane β UDP port 2123):
Create Session Request/Create PDP Context Requestβ establishes new data sessionsModify Bearer Requestβ changes tunnel endpointsDelete Session Requestβ tears down sessions- No authentication: Any GTP-C peer can create sessions for any IMSI
- No integrity protection: Messages can be spoofed or replayed
GTP-U (User Plane β UDP port 2152):
- Carries encapsulated user IP packets inside GTP tunnels
- Identified by TEID (Tunnel Endpoint Identifier) β a 32-bit value
- TEIDs are not cryptographically bound: If an attacker knows a TEID, they can inject packets
- No encryption: All user data visible inside the GTP tunnel
Attack variants:
| Variant | Method | Impact |
|---|---|---|
| Session creation fraud | Create GTP sessions with spoofed IMSIs | Free data, billed to others |
| TEID hijacking | Inject packets into existing subscriber sessions | Traffic injection, session takeover |
| Billing bypass | Exploit zero-rated APNs or roaming billing gaps | Revenue loss for operators |
| Covert tunneling | Use GTP tunnels to hide C2 or exfiltration traffic | Stealth communication channel |
| DNS/data manipulation | Modify user-plane packets in transit | Content injection, credential theft |
Detection Indicators
- GTP-C sessions from unexpected GRX/IPX peers β Create Session Requests from operators not in roaming agreements
- IMSIs in Create Session Requests that don't match the source operator's IMSI range (MCC/MNC mismatch)
- GTP-U traffic volume anomalies β unusually high data volume from roaming sessions
- TEID reuse or collision β same TEID used from different source IPs
- Sessions with no corresponding authentication on S6a/Diameter β GTP session created without AIR/AIA exchange
- Asymmetric traffic patterns β data sessions with high download but no corresponding subscriber activity
STRIDE Assessment
| Category | Rating | Justification |
|---|---|---|
| Spoofing | High | Sessions created with spoofed IMSIs |
| Tampering | High | GTP-U packets can be injected/modified in transit |
| Repudiation | High | Difficult to trace through GRX/IPX to originator |
| Information Disclosure | High | User-plane data visible in GTP-U tunnels |
| Denial of Service | Medium | Tunnel flooding, session deletion |
| Elevation of Privilege | High | Unauthorized Internet access, billing fraud |
Mitigation
- β GTP firewall at GRX/IPX border β validate IMSI ranges, rate-limit session creation, block unknown peers
- β IPsec on GTP interfaces (S1-U, S5-U, GRX-facing) β encrypt and authenticate GTP traffic
- β TEID validation β cross-reference GTP-U TEIDs with active GTP-C sessions
- β Correlate GTP-C with Diameter/S6a β ensure every session has corresponding authentication
- β GSMA IR.88 β GTP security recommendations for roaming
- β οΈ IPX provider filtering β depends on IPX provider enforcing source validation (inconsistent)
- β οΈ GTP-U sequence number validation β provides limited replay protection but not widely enforced
References
- P1 Security: SMS-Based Attacks β The Hidden Threat Still Exploiting Mobile Networks
- GSMA IR.88: LTE and EPC Roaming Guidelines
- GSMA FS.20: GTP Security
- 3GPP TS 29.274: GTPv2-C Protocol Specification
- 3GPP TS 29.281: GTPv1-U Protocol Specification
- P1 Security: "GTP Security" research publications
Signaling Attack Summary
Attack Comparison Matrix
| # | Attack | Entry Point | Protocol | Attacker Type | Skill Level | Detectability |
|---|---|---|---|---|---|---|
| 1 | SMS OTP Theft | SS7 interconnect | MAP (UL, SRI-SM) | Organized crime | Medium | Medium |
| 2 | Location Tracking | SS7 interconnect | MAP (SRI, PSI, ATI) | State / surveillance vendor | Low-Medium | Low |
| 3 | Diameter Location | IPX / Diameter peer | Diameter (AIR, NOR) | State-level | Medium-High | Medium |
| 4 | OTP-as-a-Service | SS7 + SIM farm + malware | Multiple | Cybercrime syndicate | Low (buyer) | Medium |
| 5 | GTP Roaming Abuse | GRX/IPX | GTP-C/U | Rogue roaming partner | High | Low |
Combined STRIDE Profile
| Attack | S | T | R | I | D | E | Overall Severity |
|---|---|---|---|---|---|---|---|
| 1. SS7 OTP Theft | β | β οΈ | β | β οΈ | β | Critical | |
| 2. SS7 Location | β | β | Critical | ||||
| 3. Diameter Tracking | β οΈ | β οΈ | β | β | β οΈ | β | Critical |
| 4. OTP-as-a-Service | β | β | β | β | Critical | ||
| 5. GTP Abuse | β | β | β | β | β οΈ | β | High |
β = Primary impact, β οΈ = Secondary/moderate impact
Standards Mapping
| Attack | 3GPP Reference | GSMA Reference | NIST Reference |
|---|---|---|---|
| 1 | TS 29.002 (MAP) | FS.11 | SP 800-187 Β§5 |
| 2 | TS 29.002 (MAP) | FS.11 | SP 800-187 Β§5 |
| 3 | TS 29.272 (S6a) | FS.19 | SP 800-187 Β§6 |
| 4 | TS 29.002, TS 23.040 | FS.11 | β |
| 5 | TS 29.274 (GTPv2-C), TS 29.281 (GTP-U) | FS.20, IR.88 | SP 800-187 Β§7 |
Lab Replicability
| Attack | Replicable in Docker Lab? | How |
|---|---|---|
| 1 | β οΈ Partial | Simulate HLR poisoning by editing subscriber records in MongoDB; observe SMS routing changes |
| 2 | β οΈ Partial | Use tcpdump to capture Diameter S6a queries between MMEβHSS and observe location information in AVPs |
| 3 | β Yes | Capture Diameter traffic on S6a interface; craft Diameter messages with seagull or freeDiameter |
| 4 | β No | Requires real SS7/SIM farm infrastructure |
| 5 | β Yes | Inject GTP-U packets with scapy on the S1-U/S5-U interface; observe TEID handling |
π¬ Lab Exercises
Using the Docker lab from Part 4, try these exercises to understand signaling attack surfaces:
Exercise 1: Observe Diameter S6a Authentication
# Capture Diameter traffic between MME and HSS
docker exec -it open5gs_mme tcpdump -i any -w /tmp/diameter_s6a.pcap tcp port 3868
# Attach a UE with UERANSIM, then open capture in Wireshark
# Filter: diameter
# Look for: Authentication-Information-Request (AIR) containing IMSI
# Look for: Authentication-Information-Answer (AIA) containing RAND, AUTN, XRES
# Question: Is TLS negotiated? (Look for Capabilities-Exchange-Request TLS AVP)
Exercise 2: Capture GTP-U and Inspect User Plane
# Capture GTP-U traffic on the UPF
docker exec -it open5gs_upf tcpdump -i any -w /tmp/gtpu.pcap udp port 2152
# Generate traffic: docker exec -it ueransim_ue ping -c 5 8.8.8.8
# Open in Wireshark, filter: gtp
# Observe: Inner IP packets (UE's traffic) visible in cleartext inside GTP-U tunnel
# Find the TEID in the GTP header β this is the only session identifier
# Question: What prevents an attacker from injecting packets with this same TEID?
Exercise 3: Examine GTP-C Session Creation
# Capture GTP-C signaling (control plane)
docker exec -it open5gs_smf tcpdump -i any -w /tmp/gtpc.pcap udp port 2123
# Trigger a PDN session by registering a UE
# Filter: gtpv2
# Look for: Create Session Request (IMSI, APN, RAT type)
# Look for: Create Session Response (allocated IP, TEID)
# Question: What authentication exists in GTP-C to prevent spoofed Create Session Requests?
Exercise 4: Simulate GTP-U Injection with Scapy
# On a machine with access to the Docker network:
pip install scapy
python3 -c "
from scapy.all import *
from scapy.contrib.gtp import GTPHeader
# Craft a GTP-U packet with a known TEID (from Exercise 2)
pkt = IP(dst='UPF_IP') / UDP(dport=2152) / GTPHeader(teid=0x12345678) / IP(dst='8.8.8.8') / ICMP()
send(pkt)
# If the UPF accepts this, the packet will be forwarded β demonstrating lack of source validation
"
Warning
These exercises are for educational purposes only in your isolated Docker lab. Never test against real networks or without explicit authorization.
3GPP and Industry References
| Document | Title | Relevance |
|---|---|---|
| 3GPP TS 29.002 | MAP Protocol Specification | SS7 MAP operations (SRI, PSI, UL) |
| 3GPP TS 29.272 | Diameter S6a/S6d Interface | 4G Diameter signaling between MME and HSS |
| 3GPP TS 29.274 | GTPv2-C Protocol | GTP control plane for session management |
| 3GPP TS 29.281 | GTPv1-U Protocol | GTP user plane for data tunneling |
| GSMA FS.11 | SS7 Interconnect Security | SS7 firewall categories and filtering guidelines |
| GSMA FS.19 | Diameter Interconnect Security | Diameter firewall and DRA security |
| GSMA FS.20 | GTP Security | GTP firewall and roaming security |
| GSMA IR.88 | LTE Roaming Guidelines | GTP roaming interconnect security |
| NIST SP 800-187 | Guide to LTE Security | US government LTE security framework |
Summary
- β SS7 signaling attacks remain the most impactful telecom threat due to the protocol's inherent lack of authentication
- β The move from SS7 to Diameter (4G) did not eliminate signaling-plane attacks β it changed the protocol but not the trust model
- β GTP attacks are harder to detect than SS7/Diameter because they blend with legitimate high-volume roaming traffic
- β The commercialization of SS7 interception (OTP-as-a-service) has lowered the barrier from nation-state to commodity cybercrime
- β Effective defense requires signaling firewalls (SS7, Diameter, GTP) combined with industry coordination (GSMA, IPX providers)
Next: Part 12: Real-World Attacks β Subscriber Identity & SIM β