How Cape Blocks Hackers Exploiting Telecom Protocols to Monitor You

Keegan Stoner and Sean Hutchinson

When you make a call, send a text message, or browse the internet from your mobile device, your mobile provider needs to check that you’re a paying customer and then route your call, message, or web traffic to the appropriate destination. Mobile providers accomplish this using machine-to-machine messages called “signaling,” which identify your location and forward traffic accordingly. Signaling happens in the background, invisible to the user, and has served as the connective tissue between global providers for decades. Signaling is also one of the most overlooked attack surfaces in mobile security. Signaling attacks let adversaries track your real-time location, intercept your text messages, redirect your calls, make calls or send messages from your number, block your service, disrupt entire networks, and more. Criminals and Chinese government-linked cyber actors such as and have reportedly exploited signaling protocols as part of their hacking of and global telecommunications infrastructure. These methods are attractive because attackers never need to gain access to your phone; everything happens in automated transactions inside your mobile provider that you can’t see.

Citizen Lab recently exposed two long-running commercial surveillance campaigns that exploited the two most broadly abused signaling protocols: Signaling System 7 (SS7) and Diameter. These campaigns aimed thousands of attacks at targets across dozens of countries. This post explains what these signaling attacks are, why most carriers can't really stop them, and what Cape does differently.

How Signaling Attacks Work

SS7 and Diameter perform the same functions in mobile networks that human telephone operators performed a hundred years ago, when connecting a call meant physically connecting wires from the caller to the callee to complete a circuit. When you make a call or send a text message from your smartphone, your home network uses the SS7 (in 3G) or Diameter (in 4G/LTE) protocol to look up the recipient’s location and create a connection between your two phones. If the person you are communicating with uses a different mobile provider than you, that connection has to be made to the other provider, a process enabled by a private telecom “internet” called an IPX. The IPX is also used when you’re roaming internationally: the authentication handshake with your home network travels through the IPX and is controlled by these same signaling protocols.

SS7 dates from the 1970s and is used for older 2G and 3G networks; Diameter, its successor, is used in 4G and most 5G networks. Both protocols were designed in an era when a relatively small number of large telecoms could plug into the system, and the security model still reflects that. SS7 has essentially no process for authenticating that the machine requesting to create a connection between phones or between networks should be doing so. By default, networks using SS7 assume that any signaling traffic claiming to come from a legitimate operator actually does. Diameter supports stronger authentication on paper, but in practice operators don’t always deploy basic protections like encryption and may instead rely on the same peer-to-peer trust model as SS7.

The result is that an attacker with access to the global signaling backbone, whether through a commercial leasing arrangement or a compromised operator, can send messages that get treated as trustworthy by carriers all over the world. Concretely, this lets them do things like:

  • Harvest your IMSI: An attacker who knows your phone number can ask your carrier for your IMSI using a Diameter or SS7 message, typically under the pretense that they need to route a call or SMS to you. This can then be reused for follow-on attacks for years afterward.
  • Locate you in real time: The attacker asks your carrier where you are, under the pretense of sending a call or SMS. Some queries identify the cell tower to which you last connected, while others – usually reserved for emergency responders that need to find a phone that just called 911 – obtain the actual coordinates reported by your phone.
  • Intercept your communications: The attacker claims you roamed onto another network, redirecting subsequent calls or text messages to them instead of you. This technique is most commonly used by hackers that already have your username and password (such as or email). When they log in, they get the second factor authentication message meant for you, and your phone will never receive it.
  • Impersonate you: An attacker can steal your identity and use it to deceive or scam your contacts by using your IMSI to make a call or send an SMS.
  • Block your service: An attacker cuts off communications that should be coming to you when they falsely claim you are roaming on another provider.
  • Disrupt your network: An attacker can intentionally create misconfigured signaling messages that overwhelm telecom provider systems and take down entire networks. For example, in 2024, a reportedly accidental signaling storm through global IPX provider Syniverse.

Standard Defenses Against Attacks

The typical firewalls that carriers deploy against signaling messages easily block messages that appear to be sent to, or from, the wrong place. For correctly routed messages, these firewalls often perform a “velocity check”: could you physically have traveled between your last known location and the location claimed in the latest signaling message? If you were in NYC an hour ago and suddenly a carrier in Turkey claims you are on their network, the request should be denied. This has been standard practice for years, but there is a structural problem: the firewall’s most recent location data is often hours old, and in that time there are a great many distinct location identifiers it would be plausible to have traveled to. In Cape’s research published at the Wireless Security conference in 2025, we measured that Diameter updates from a visited network can arrive as infrequently as every two to ten hours. Further, we found that for subscribers in the US and Germany, over 250 distinct networks are reachable within a single hour of travel time. An attacker with access to enough operator identities will eventually find one that looks plausible.

Citizen Lab’s report on the global surveillance campaigns shows the same thing: the malicious actors the report calls STA1 repeatedly attempted to track a user by “rotating through eleven operator identities in nine countries to masquerade as legitimate roaming traffic.” They also pivoted between SS7 and Diameter attacks since most carriers have different firewalls for each and little coordination to track combined attacks.

None of this is news to the telecom industry. The difference is that most carriers treat signaling security as a compliance exercise. Cape treats it as the core problem.

What Cape Does Differently

We've built four protections that address these patterns directly.

1. Daily IMSI Rotation

Almost every targeted signaling attack starts with an IMSI, and once an attacker has yours, it stays useful for as long as you have it. The Citizen Lab report confirms this, with the same IMSIs being attacked across operations separated by months and years. Academic work on Diameter attacks made the same observation long ago. A paper by researchers at Nokia Bell Labs and Adaptive Mobile noted that the gap between when an attacker harvests an IMSI and when they actually weaponize it is often years. On most carriers, your IMSI is permanent: you get one when you activate your SIM and you keep it forever.

On Cape, your IMSI rotates daily. The databases of harvested IMSIs that surveillance vendors build up over the years are no longer useful against our subscribers.

2. No SS7

Cape doesn't support SS7 at all. There is no SS7 fallback in our network, so no SS7-based attack can work, period. Many providers around the world are still struggling to remove legacy SS7 infrastructure from their networks because some revenue-generating part of their network still requires it. At Cape, this half-century-old vulnerable technology was never part of our infrastructure.

3. Network Lock

Velocity checks are a good start, but they rely on the network's understanding of where you are, which is often hours out of date. An attacker with access to enough operator identities will eventually find one that looks plausible. Cape’s Network Lock takes a different approach. When a foreign network sends an attach request for your phone, our system asks your device directly whether the claim is legitimate. The Cape app evaluates the request locally at the country level, confirming or denying whether your phone is actually where the requesting network claims, and reports back automatically, behind the scenes, without you needing to think about it. Our network only learns whether the claim matches, not where you actually are.
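As an added example (not Cape's code, and not from the Citizen Lab report), the following Python simulates the two checks described above: the network-side velocity check from the “Standard Defenses” section, which a stale last-known location lets a distant claim slip through, and a device-side country-level confirmation of the kind Network Lock performs. The 900 km/h speed ceiling, the coordinates and the country codes are constructed assumptions.

```python
# Added example (not Cape's code): a simulated home-network signaling firewall
# deciding whether to accept a roaming attach claim. In Diameter S6a the claim
# would be an Update-Location-Request carrying a Visited-PLMN-Id; here it is a
# plain record. Countries and coordinates are constructed sample data.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed fastest plausible travel (airliner cruise speed)

@dataclass
class LastKnown:
    lat: float
    lon: float
    age_hours: float  # how stale the firewall's last location update is

@dataclass
class AttachClaim:
    visited_country: str  # country of the network claiming the attach
    lat: float            # a location inside that network's coverage
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def velocity_check(last: LastKnown, claim: AttachClaim) -> bool:
    """Network-side heuristic: accept if the subscriber could have travelled
    from the last known location to the claimed one in the elapsed time."""
    dist = haversine_km(last.lat, last.lon, claim.lat, claim.lon)
    return dist <= MAX_SPEED_KMH * max(last.age_hours, 1e-6)

def network_lock_check(claim: AttachClaim, device_country: str) -> bool:
    """Device-side check: the handset answers only whether the claimed country
    matches where it really is; the network learns the verdict, not the location."""
    return claim.visited_country == device_country

# Constructed scenario: subscriber last seen in New York and actually still in the US.
NYC_FRESH = LastKnown(40.7128, -74.0060, age_hours=1.0)
NYC_STALE = LastKnown(40.7128, -74.0060, age_hours=10.0)
CLAIM_TORONTO = AttachClaim("CA", 43.6532, -79.3832)
CLAIM_ISTANBUL = AttachClaim("TR", 41.0082, 28.9784)

if __name__ == "__main__":
    for name, last in (("fresh", NYC_FRESH), ("stale", NYC_STALE)):
        for claim in (CLAIM_TORONTO, CLAIM_ISTANBUL):
            print(name, claim.visited_country, "velocity:", velocity_check(last, claim),
                  "network lock:", network_lock_check(claim, "US"))
```

With a one-hour-old fix the Istanbul claim fails the velocity check, but with a ten-hour-old fix the same claim passes (about 8,070 km in 10 hours is under 900 km/h), while the device-side check rejects it either way because the phone is not in Turkey.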

4. Penetration Testing

Most providers don’t care about your privacy, only whether you can connect successfully and pay your bill. For this reason, most signaling firewalls deployed in networks around the world are simple compliance tools rather than real security products. They allow providers to claim they comply with the letter of the basic guidelines set forth by the GSM Association’s Fraud and Security Group, but many of them do not evolve as attackers evolve their methods.

While the GSMA’s recommendations are important, they represent the absolute bare minimum any provider should do. These recommendations are also distributed among more than 1200 GSMA member providers worldwide, which means that any hostile foreign government, surveillance company, or criminal who can get access to send signaling messages in the first place can also get access to these recommendations. Such access makes it easy for them to devise new approaches to abusing signaling infrastructure that are not blocked by signaling firewalls.

Cape goes above and beyond by conducting extensive penetration testing of our signaling infrastructure via reputable third-party penetration testing services that specialize in the latest signaling exploitation techniques available to hackers. Then we harden our network infrastructure against those techniques, especially the ones that affect subscriber privacy.

Attack | Other Carriers | Cape
--- | --- | ---
Real-time location tracking via signaling queries | Phone will attach whenever it gets service. Even if the provider does a velocity check, it can be defeated by plausible location spoofing. | Network Lock verifies attach requests against your device, not against a network heuristic.
IMSI harvesting and reuse | Your IMSI is permanent. Once harvested, it stays useful indefinitely for follow-on attacks. | IMSI rotation makes harvested IMSIs useless.
SS7-based attacks | Attackers use several methods to circumvent blocking by SS7 signaling firewalls. | Cape doesn't support SS7 at all.
Diameter-based attacks | Signaling firewalls rely primarily on GSMA baseline recommendations to flag and sometimes block attack methods that are widely published across the industry. | Cape meticulously updates its signaling firewalls based on penetration tests that use the latest hacking techniques to test our signaling security.

Conclusion

Signaling attacks get less attention than device-level threats like spyware and since they operate on protocol exchanges that you can’t see. The attack happens between carriers, so it doesn’t leave a trace on your phone.

Cape can’t fix the global telecom system, but our philosophy is to assume it is compromised and build solutions that keep your communications private anyway. On a typical carrier, one hack gives attackers the information they need to target you repeatedly for years; legacy protocols like SS7 allow vulnerabilities to persist in network infrastructure for decades; and signaling firewalls do the bare minimum so providers can claim they’ve addressed those vulnerabilities. At Cape, an attacker can’t use SS7 to target you because our network ignores it; they can’t use your IMSI to target you because it changes quickly; they can’t trick us into forwarding your communications overseas because your phone knows where it really is; and our defenses evolve continuously to stay ahead.
