Numerous security reports indicate an alarming rise in global cyberattacks. Check Point’s 2025 report shows a 44% year-over-year increase in such attacks. One of the leading causes of cyberattacks is human error, but it’s not the only one. Critical security flaws in outdated telecommunications technologies, such as SS7, can enable attackers to access your device and the data stored on it.
Considering that an SS7 attack can lead to call and message interception, location tracking, and financial loss, it’s essential to learn more about its mechanisms and efficient prevention methods. To help you understand SS7 attacks, this guide will cover how they occur, their primary goals, and whether it’s possible to prevent them.
What Is SS7?
Signaling system no. 7, commonly known as SS7, is a set of longstanding international telecommunications protocols that enable phone networks worldwide to:
- Set up and route calls
- Exchange information
- Bill phone calls and short message service (SMS)
- Enable mobile phone roaming and tracking
- Support features such as call forwarding, call ID, or call waiting
SS7 was developed in the 1970s and quickly became the industry standard. While the protocols underwent some revisions, they weren’t significant. The technology has remained largely unchanged for decades, although it’s still used worldwide. This makes it especially vulnerable to hackers, who can exploit the technology’s flaws to access and surveil sensitive user data or commit fraud.
Over time, newer mobile network protocols, such the Diameter protocol used in 4G and 5G networks, were developed to replace SS7. As a result, SS7 became more closely associated with 2G and 3G systems.
You may think your device isn’t at risk if you don’t use 2G or 3G, but that’s far from the truth. Most mobile providers are still connected to SS7 for roaming or call and message routing, even while operating on more advanced 4G and 5G networks. This lingering dependence keeps you exposed to SS7 attacks even if you don’t use the technology directly.
What Is an SS7 Attack?
An SS7 attack exploits vulnerabilities in SS7 protocols to conduct various malicious activities, from location tracking to traffic interception.
SS7 protocols have so many vulnerabilities because they were developed at a time when encryption and modern authentication methods weren’t in use. In the 1970s and 1980s, the telecommunications industry relied on mutual trust. With no significant security threats, network security was not a major priority.
During that period, the key strength of SS7 protocols was that they enabled worldwide interoperability. Mobile carriers worldwide can access the network to deliver calls and messages, as well as exchange signaling information. Today, this strength has become a weakness. As the SS7 infrastructure isn’t based on robust security mechanisms, malicious actors can relatively easily impersonate legitimate users and access the system.
What SS7 Vulnerabilities Allow Attacks?
SS7 is often targeted by hackers due to its flaws, including:
What Are the Potential Goals of SS7 Attacks?
Hackers carry out SS7 attacks for different reasons. Below are the five most common goals of these attacks:
- Access to user information: Hackers often exploit an SS7 vulnerability to gain access to user info, such as their account details and location. This information is often used for further attacks.
- Fraudulent transactions: Through SS7 signaling manipulation, hackers can reroute calls and texts and initiate or approve fraudulent transactions. For instance, they can reroute a call you wanted to make to your bank to a hacker’s device and facilitate transactions or get access to your sensitive banking information for later use.
- Traffic interception: SS7 weaknesses enable hackers to intercept your calls and texts. For example, a malicious actor could intercept an SMS with a one-time password (OTP) used for two-factor authentication (2FA) and gain unauthorized access to your account. Or, they could eavesdrop on your calls and collect sensitive information for future attacks.
- Denial of Service (DoS): By exploiting SS7, hackers can de-register your device from the network, leaving you unable to make or receive calls and messages. This creates room for hackers to access your accounts or make fraudulent transactions without triggering alerts.
- SIM swap: Malicious actors can leverage SS7 vulnerabilities to transfer your phone number to a new SIM card, allowing them to receive your calls and texts, which could potentially result in financial loss, unauthorized account access, and identity theft.
Can SS7 Firewalls Offer Sufficient Protection Against SS7 Attacks?
Since SS7 was built on trust, mobile carriers have taken it upon themselves to address the infrastructure’s vulnerabilities and protect their networks and end users. SS7 firewalls represent software-based security systems that protect from SS7 threats by:
- Monitoring and detecting suspicious activity
- Inspecting signaling messages
- Validating message sources
- Checking if a message complies with relevant rules
Based on their findings, SS7 firewalls can allow, flag, or block a message to protect the network from potential attacks. While valuable, an SS7 firewall doesn’t provide sufficient protection against SS7 attacks due to the following:
- Lack of cross-protocol integration: The modules used in SS7 firewalls don’t integrate with other network elements that process protocols like ISUP, SIP, or GTP. As a result, the firewalls can’t protect against certain attacks that require SS7 to provide user location information.
- Complex rules: SS7 firewalls are governed by complex rules, and managing them requires a specialized skill set. If firewall rules aren’t properly adjusted, there may be blind spots that hackers can exploit to access the infrastructure.
- Poor reporting functionalities: Although not universally true, SS7 firewalls tend to offer limited reporting capabilities. Their output is machine-like, so interpreting results can be challenging and time-consuming. This can lead to taking appropriate result-based actions being delayed, which could jeopardize the infrastructure’s security.
- Insider threats: Signalling messages from a mobile provider’s affiliates can fly under the firewalls’ radar as they’re coming from “within.” A rogue employee at a carrier could launch an attack from within and bypass firewalls.
How To Detect an SS7 Attack
For end users, detecting an SS7 attack is tricky because the attack targets the carrier’s network, not a specific device. If the attack has affected you, you may notice signs such as:
- Inability to make calls or send texts to a specific person
- Unexpected roaming charges
- Inability to complete SMS-based 2FA because the texts never arrive
- No service on your device
Note that these are not telltale signs of an SS7 attack as they could also indicate issues with device configurations or other types of malicious attacks. Another problem is timing. By the time you notice the signs, the attack has already occurred, meaning you’re only seeing the results.
Mobile carriers are far more likely to identify an SS7 attack and react before it causes significant damage. This is because carriers have access to the network and can leverage robust tools to identify potential issues through strategies such as:
- Traffic monitoring: Carriers keep an eye on network traffic to spot unusual patterns and requests. For instance, they use a reliable traffic analytics tool for 24/7 traffic analysis, gaining detailed insights into potential network anomalies that enable them to react to threats in real-time.
- SS7 firewall utilization: Firewalls can block or flag suspicious requests to prevent potential threats from entering the system. That said, firewalls aren’t perfect, and mistakes could happen, so customizing the rules based on which they operate is crucial for maintaining high security and accuracy.
How To Prevent an SS7 Attack
End users have no control over a carrier’s network and protective measures; you can’t install firewalls or monitor and flag suspicious signaling requests to nip an SS7 attack attempt in the bud. In other words, there isn’t much you can do to prevent an SS7 attack except turn off your device.
There are a few actions you can take to protect yourself against an SS7 attack:
- Avoid SMS-based 2FA
- Choose a reliable mobile provider
1. Avoid SMS-Based 2FA
SMS-based 2FA delivers a one-time password (OTP) or another unique piece of information as a text message to verify your identity and enable you to log into an app or complete an action.
Although it’s widely used, SMS-based 2FA isn’t secure and can be intercepted by hackers exploiting SS7 vulnerabilities.
To enhance protection, use alternative authentication methods, such as:
- Authenticator apps: Apps like Google Authenticator or Authy generate unique one-time codes that serve as a secondary verification method. These apps offer functionalities like offline access, backups, and multi-device sync to maintain your security and enhance convenience.
- Biometric authentication: This type of authentication utilizes your unique physical characteristics, such as fingerprints or facial features, to verify your identity. This method is convenient for those who prefer not to remember passwords or manage additional authentication apps.
2. Choose a Reliable Mobile Provider
SS7 is the Achilles’ heel of many mobile providers; the protocols are crucial for global communication, but they have alarming security gaps that make them prone to attacks.
As SS7 is inherently flawed, there is a growing concern around the protective measures carriers implement to protect users from SS7 attacks. In 2024, the Federal Communications Commission (FCC) issued a request for comments on the security of SS7 and Diameter (a protocol that was developed as a successor to SS7, but also comes with security issues) from U.S. networks.
In response to the FCC’s request, the three major providers in the U.S., Verizon, AT&T, and T-Mobile, provided more insight into their safety protocols and asserted that their firewalls are fully effective. However, a comment by Kevin Briggs, the Chief of Continuity Assessment and Resilience at the Cybersecurity and Infrastructure Security Agency (CISA), raised concerns. Briggs claims that there have been numerous examples of hackers leveraging SS7 and Diameter vulnerabilities to access user location data through U.S. telecommunications service providers.
This highlights a critical point: despite major carriers’ assurances, users are still vulnerable to the consequences of SS7 attacks. Fortunately, there is a more secure alternative. Cape is a mobile carrier that doesn’t rely on outdated protocols; instead, it protects subscribers from SS7 attacks by eliminating SS7 dependencies entirely, and blocking any malicious signaling attach requests.
Cape: Uncompromised Connectivity, Complete Privacy
Cape is a mobile carrier offering premium, unlimited call, text, and 4G/5G data.
Cape is changing the way we think about privacy in our daily lives by building its network in the cloud, with privacy and security baked into its core.
One of Cape’s most unique features is its Enhanced Signaling Protection. Our service comes with a proprietary signaling proxy that protects subscribers from signaling-based attacks by blocking malicious attach requests. Read more about how it works here.
As a privacy-first carrier, Cape offers several privacy and security-first features to give you control over your communications without demanding your personal data:
- Minimal data collection and retention: Cape collects the minimum amount of information required to provide you with service, and we store it only for the minimum amount of time. We believe that we can’t lose or sell what we don’t have, so we aim to know as little about you as possible.
- SIM swap protection: Instead of passwords, your account is secured by a 24-word recovery phrase created at signup. Encrypted with a private key stored only on your device, it ensures only you can move your number to a new phone—preventing the insider threats and social engineering attacks that fuel most SIM swaps as many SIM swaps are initiated by compromised carrier employees.
- Private payment: We don’t require your name or billing address. Payments are processed by Stripe and tokenized, so your subscription can’t be tied back to your personal details.
- Encrypted voicemail: Voicemail content and metadata are encrypted and then re-encrypted with your private key, meaning only you can access them.
These protections are built directly into Cape’s network without compromising performance. You get unlimited calls, texts, and 4G/5G across the U.S., plus free international roaming (eligible devices and countries).
Ditch Legacy Carriers: Get Cape Today
Cape follows a simple philosophy: Don’t trust us. By not collecting it in the first place, we close off major vulnerabilities before they can be exploited.
Ready to switch? Visit cape.co/get-cape to sign up.
Cape is $99/per month, no additional fees, taxes, or hidden charges.
To extend your privacy beyond the network, Cape subscribers can get Proton Unlimited or Proton VPN Plus for only $1 for six months.
