Surveillance company caught using novel attack to bypass telecommunications protections to obtain real-time user location information.

A surveillance company has recently been observed using a novel attack technique to bypass the protections of the Signaling System 7 (SS7) protocol—the global communications protocol that allows mobile networks to connect calls, route SMS messages, and provide roaming service. This new method enables attackers to trick telecommunications operators into divulging the real-time locations of mobile users, sometimes down to a few hundred meters, by finding out which cell tower a phone is attached to.

How the Attack Works

SS7 is an aging protocol designed in the 1970s, lacking robust security features such as encryption and mutual authentication. Although carriers have added defensive measures in recent years, SS7 remains susceptible to expert attackers. The surveillance vendor exploits a loophole in the Transaction Capabilities Application Part (TCAP) sub-protocol. They manipulate SS7 messages—specifically the ProvideSubscriberInfo (PSI) command and its encoded fields—to evade detection by telecom firewalls and security systems.

They use “extended tag encoding,” a rarely used feature of the TCAP protocol, to obscure critical information within the message, such as the International Mobile Subscriber Identity (IMSI). Security firewalls, which would ordinarily block location requests where the IMSI belongs to the home network, fail to detect these requests because they cannot extract the IMSI from the unusually encoded message.

The result is that these specially crafted SS7 packets often slip past operator defenses. This allows the attacker to query which cell tower a target phone is using, revealing the user’s location without their knowledge or consent.

Why Is This Technique Effective?

Most telecom companies have installed SS7 firewalls that rely on normal ASN.1 decoding to check if incoming requests are legitimate. The surveillance company’s attack abuses edge cases in how these messages are structured, making standard detection methods ineffective. Since SS7 is the backbone of global telecommunications and must be open to enable international roaming, attacks can originate from outside the home country or operate across network borders.

The attack is invisible to the user—there are no alerts or signs that their phone’s location is being tracked. There is almost nothing a subscriber can do to protect against such attacks directly; defense relies on network operators using sophisticated, up-to-date security measures.
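The two sections above describe the same defensive failure from two angles: a firewall that decides "is this a location request for one of our own subscribers?" by pattern-matching the raw identifier octets of the expected IMSI field will not see a field whose tag has been written in the high-tag-number ("extended") form, so the request slips through. The following example is added here and is not code from the article or from Enea. It is a small BER tag-length-value decoder that normalizes tag numbers before matching on them and flags non-minimal tag encodings; the message bytes are constructed for the demo (a context-specific `[0]` field carrying TBCD digits, using the test MCC/MNC pair 001/01) and are not a real MAP/TCAP ProvideSubscriberInfo PDU. The `HOME_PREFIX` value and the verdict strings are assumptions of the example.

```python
"""Added example (not the article's or Enea's code): why an SS7 firewall must
match on decoded ASN.1 tag numbers rather than raw identifier octets, and why
it should reject non-minimal tag encodings outright. The sample message is
constructed for this demo and is not a real MAP/TCAP PDU."""

HOME_PREFIX = "00101"  # assumption for the demo: test MCC 001 / MNC 01


def decode_tag(buf, pos):
    """Decode one BER identifier at buf[pos].
    Returns (tag_class, constructed, tag_number, new_pos, extended)."""
    first = buf[pos]
    tag_class = first >> 6          # 2 == context-specific
    constructed = bool(first & 0x20)
    number = first & 0x1F
    pos += 1
    extended = number == 0x1F
    if extended:
        # High-tag-number form: base-128 digits, high bit marks continuation.
        number = 0
        while True:
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return tag_class, constructed, number, pos, extended


def decode_length(buf, pos):
    """Decode a BER length (short or definite long form)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length not supported in this demo")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_tlvs(buf):
    """Decode a flat run of TLVs into dicts with normalized tag numbers."""
    out, pos = [], 0
    while pos < len(buf):
        cls, cons, num, pos, ext = decode_tag(buf, pos)
        length, pos = decode_length(buf, pos)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += length
        out.append({"class": cls, "constructed": cons, "number": num,
                    "extended": ext, "value": value})
    return out


def tbcd_encode(digits):
    """Telephony BCD: low nibble first, 0xF pads an odd digit count."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i], 16) | (int(digits[i + 1], 16) << 4)
                 for i in range(0, len(digits), 2))


def tbcd_decode(value):
    digits = []
    for b in value:
        digits.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits)


# Constructed sample: the same [0] IMSI field in minimal and extended tag form.
IMSI_DIGITS = "001010123456789"
CANONICAL_MSG = bytes([0x80, 8]) + tbcd_encode(IMSI_DIGITS)        # tag [0] in one octet
EXTENDED_MSG = bytes([0x9F, 0x00, 8]) + tbcd_encode(IMSI_DIGITS)  # tag [0] in high-tag form


def naive_imsi(buf):
    """Models a checker that reads the identifier as a single octet and fails
    open on parse trouble: it never consumes high-tag-number octets, so it
    desynchronizes on EXTENDED_MSG and reports no IMSI."""
    try:
        pos = 0
        while pos < len(buf):
            tag = buf[pos]
            pos += 1
            length, pos = decode_length(buf, pos)
            value = buf[pos:pos + length]
            pos += length
            if tag == 0x80:
                return tbcd_decode(value)
    except (IndexError, ValueError):
        pass
    return None


def robust_imsi(buf):
    """Match on the decoded (class, form, number) triple. Returns (imsi, extended)."""
    for tlv in decode_tlvs(buf):
        if tlv["class"] == 2 and not tlv["constructed"] and tlv["number"] == 0:
            return tbcd_decode(tlv["value"]), tlv["extended"]
    return None, False


def firewall_verdict(buf):
    """Defensive policy: decode, reject non-minimal encodings, then apply the
    home-subscriber rule the article describes."""
    imsi, extended = robust_imsi(buf)
    if imsi is None:
        return "REJECT: no IMSI decoded"
    if extended:
        return "REJECT: non-minimal tag encoding"
    if imsi.startswith(HOME_PREFIX):
        return "REJECT: location request for home subscriber"
    return "ALLOW"


if __name__ == "__main__":
    for name, msg in (("canonical", CANONICAL_MSG), ("extended", EXTENDED_MSG)):
        print(name, msg.hex(), "naive:", naive_imsi(msg),
              "robust:", robust_imsi(msg), "verdict:", firewall_verdict(msg))
```

Running the block shows the asymmetry: the naive checker recovers the IMSI from the canonical message but returns nothing for the extended-form message, so a policy built on it silently allows the request; the normalizing decoder recovers the same digits from both. The design choice worth copying is the second rejection rule: a field whose tag number fits in one octet but arrives in the high-tag-number form has no legitimate reason to be there, so the safe default is to drop it before the subscriber rule is even evaluated.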

Real-World Discovery and Use

The attack was detected by Enea’s Threat Intelligence Unit, a respected cybersecurity firm specializing in telecom protections. Evidence surfaced that a Middle East–based surveillance vendor started using this bypass technique as early as the fourth quarter of 2024. According to Enea, the attack targeted only a small number of subscribers, but its demonstrated success underscores a wider systemic risk.

Broader Security Context

Despite over a decade of warnings, the global telecom system remains difficult to secure due to its decentralization, legacy technology, and international dependencies. These vulnerabilities are exploited not just for criminal purposes, but also by private surveillance vendors (often on behalf of governments). Targets may include dissidents, journalists, activists, or business rivals—far beyond legitimate criminal investigation contexts.
