Spy firm bypasses SS7 protection to obtain users’ geolocation

22.07.2025 3 minutes Author: Newsman

Cybersecurity researchers have discovered a new attack vector against telecom infrastructure: a surveillance company used a technique that bypasses SS7 protections to covertly track the location of mobile users. By manipulating TCAP packets, it was able to evade defenses that rely on identifying the IMSI, which puts millions of subscribers around the world at risk.

Research by Enea has revealed active malicious attacks that exploit weaknesses in the SS7 protocol, the signaling system used globally to exchange messages between mobile operators. The attackers used TCAP (Transaction Capabilities Application Part) messages containing subtly modified elements that standard firewalls and signaling security systems do not recognize.

The key element of the attack was the GSM MAP ProvideSubscriberInfo (PSI) request, which in a normal scenario is used for billing and roaming control. In the modified version, the PSI command was altered so that the security system did not recognize the subscriber’s IMSI, which allowed the attacker to obtain data about the user’s location.

Enea notes that the TCAP tag was intentionally changed to an extended tag form, so the signaling security elements did not identify the IMSI as belonging to the home network. As a result, the command was not blocked and passed through, even when it came from outside the network.

This bypass works because of imperfect SS7 stack implementations at some operators: older solutions lack the logic to recognize such “invisible” elements.

  • SS7 (Signaling System 7) is a set of protocols used to exchange information between telecom operators. It was developed in the 1970s and still underlies voice, roaming, SMS, and calls between operators.

Over the past decade, SS7 has been repeatedly criticized for its weak protection, in particular against attacks aimed at obtaining a user’s location or intercepting SMS. TCAP is the part of SS7 used to invoke application services, and it was its structure that was exploited in this attack. This vector is not a global vulnerability of the protocol: the success of the attack depends on the implementation of a particular vendor.

This case proves once again that old protocols, even with protection in place, remain critically vulnerable if they are not updated and analyzed more deeply. The new attack is not about a bug but about manipulating the specification in a way that bypasses the check.

Experts advise blocking all unknown or malformed TCAP/SS7 structures, as well as MAP PDUs in which an IMSI is expected but not found. This is a critical step in protecting subscriber data.
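The check the experts recommend, written out as an added illustration (not Enea’s code or any vendor’s product): a small BER walker that decodes a ProvideSubscriberInfoArg, treats a tag or length encoded in a longer than minimal form as suspicious, and reports when the IMSI element is missing. It assumes the 3GPP MAP definition in which imsi carries context-specific tag [0]; the three PDUs at the end are constructed test vectors using the test-network IMSI 001010123456789.

```python
IMSI_TAG_NUMBER = 0  # assumption: imsi [0] IMSI in MAP ProvideSubscriberInfoArg

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]. Returns (tag_class, constructed, number,
    value, next_pos, canonical); canonical is False when the tag or the length
    is encoded in a longer form than BER's minimal one."""
    first = buf[pos]
    pos += 1
    tag_class, constructed, number = first & 0xC0, bool(first & 0x20), first & 0x1F
    canonical = True
    if number == 0x1F:  # extended (high-tag-number) form: base-128 digits follow
        number, first_byte = 0, True
        while True:
            b = buf[pos]
            pos += 1
            if first_byte and b == 0x80:
                canonical = False  # leading zero digit is not a minimal encoding
            first_byte = False
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        if number < 0x1F:
            canonical = False  # numbers below 31 must use the single-byte form
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            canonical = False  # long form is only needed for lengths >= 128
    return tag_class, constructed, number, buf[pos:pos + length], pos + length, canonical

def check_psi_arg(arg):
    """Verdict for a ProvideSubscriberInfoArg SEQUENCE: 'ok', 'imsi-missing',
    'imsi-noncanonical-tag' or 'malformed-sequence'. Anything but 'ok' is a
    candidate for blocking at the signaling firewall."""
    _, constructed, _, body, _, canonical = read_tlv(arg, 0)
    if not constructed or not canonical:
        return "malformed-sequence"
    pos, found, hidden = 0, False, False
    while pos < len(body):
        tag_class, _, number, _, pos, canonical = read_tlv(body, pos)
        if tag_class == 0x80 and number == IMSI_TAG_NUMBER:  # context-specific [0]
            found, hidden = True, hidden or not canonical
    if not found:
        return "imsi-missing"
    return "imsi-noncanonical-tag" if hidden else "ok"

# Constructed vectors: TBCD IMSI 001010123456789, empty requestedInfo [2] as filler.
IMSI = bytes.fromhex("00010121436587f9")
PSI_OK = bytes.fromhex("300c8008") + IMSI + bytes.fromhex("a200")
PSI_HIDDEN_TAG = bytes.fromhex("300d9f0008") + IMSI + bytes.fromhex("a200")  # [0] in extended form
PSI_NO_IMSI = bytes.fromhex("3002a200")
```

A real deployment would apply the same walk to every MAP operation in which an IMSI is mandatory, and log the non-canonical cases separately so that a vendor’s genuinely odd encoder can be told apart from deliberate evasion.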
