A surveillance firm has been exploiting a new method to bypass Signaling System 7 (SS7) protections and deceive telecom operators into revealing users' locations, according to cybersecurity company Enea.
This technique, believed to have been in use since late 2024, manipulates the Transaction Capabilities Application Part (TCAP) through specially crafted SS7 command packets. These commands are formatted in a way that prevents firewalls and protection systems from properly decoding their contents.
TCAP messages are made up of elements known as Information Elements (IEs), each consisting of three fields: Tag (which defines how the content is interpreted), Length (which indicates the size of the content), and Contents (the actual data). A key component in these messages is the Invoke element, which initiates an operation within the TCAP system.
Enea identified irregularities in how certain IEs were encoded, particularly those involving the International Mobile Subscriber Identity (IMSI) paired with a ProvideSubscriberInfo (PSI) Invoke command. PSI, a GSM-MAP command, is commonly used for location tracking by requesting a subscriber's location from the core network. While PSI commands are legitimate for billing and mobility tracking when users roam, operators are supposed to block such requests if they originate from outside the home network and target local subscribers.
The issue arises when attackers modify PSI commands by extending the Tag that includes the IMSI. This alteration hides the IMSI from systems performing signaling checks, causing them to skip essential validations. As a result, location requests targeting home subscribers can pass through undetected.
Enea found evidence of these live attacks, attributed to a surveillance firm, being carried out as part of a broader testing effort to circumvent telecom security defenses. While it’s unclear how successful the method has been globally since its effectiveness depends on specific vendors and implementations, it appears to have proven valuable within certain environments.
The cybersecurity company suggests the attack works largely because some SS7 decoding systems don’t recognize extended TCAP formats, and security tools built on older systems may not reject unknown or malformed elements.
To address the threat, Enea advises telecom operators to block any malformed PDUs that are not explicitly considered safe and to reject any MAP PDUs that lack a detectable IMSI where one is expected.
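The Tag/Length/Contents structure described above and the two checks Enea recommends, as an added example that is not Enea's or any vendor's code: a strict BER TLV walk that decodes extended (long-form) tags, flags tags encoded in a non-canonical form, and rejects a PSI argument that is malformed or carries no detectable IMSI. It assumes the IMSI sits under context-specific tag [0] as a primitive element, and all sample bytes are constructed placeholders.

```python
# Added example (not Enea's or any vendor's code): strict BER TLV walk over TCAP/MAP
# IEs; decodes extended tags, flags non-canonical encodings, rejects bad PDUs.
from collections import namedtuple
IE = namedtuple("IE", "cls_bits tag_num contents canonical")
IMSI_TAG = (0x80, 0)  # assumption: IMSI is context-specific [0], primitive (0x80)

def read_tag(buf, pos):
    first = buf[pos]; pos += 1
    cls_bits, num, canonical = first & 0xE0, first & 0x1F, True
    if num == 0x1F:                  # extended tag: base-128 continuation bytes
        num, start = 0, pos
        while True:
            b = buf[pos]; pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80: break
        # a number below 31, or a leading zero septet, never needs the long form
        canonical = num >= 0x1F and buf[start] != 0x80
    return cls_bits, num, canonical, pos

def read_length(buf, pos):
    first = buf[pos]; pos += 1
    if first < 0x80: return first, pos              # short form
    n = first & 0x7F                                # long form: n length bytes follow
    if n == 0 or n > 4: raise ValueError("unsupported length form")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_ies(buf):
    ies, pos = [], 0
    while pos < len(buf):
        cls_bits, num, canonical, pos = read_tag(buf, pos)
        length, pos = read_length(buf, pos)
        if pos + length > len(buf): raise ValueError("truncated IE")
        ies.append(IE(cls_bits, num, buf[pos:pos + length], canonical))
        pos += length
    return ies

def psi_arg_decision(arg):
    # Returns 'allow', or the reason the PSI argument should be rejected.
    try:
        ies = parse_ies(arg)
    except (ValueError, IndexError):
        return "reject: malformed PDU"
    if any(not ie.canonical for ie in ies):
        return "reject: non-canonical tag encoding"
    if not any((ie.cls_bits, ie.tag_num) == IMSI_TAG and ie.contents for ie in ies):
        return "reject: no detectable IMSI"
    return "allow"

# Constructed samples: placeholder IMSI digits plus one further constructed IE.
IMSI, REQ_INFO = bytes.fromhex("2143658709"), bytes([0xA1, 0x02, 0x80, 0x00])
NORMAL = bytes([0x80, len(IMSI)]) + IMSI + REQ_INFO           # IMSI under short-form tag
EXTENDED = bytes([0x9F, 0x00, len(IMSI)]) + IMSI + REQ_INFO   # same tag number, long form
```

A decoder that only compares the first tag byte against 0x80 would miss the IMSI in EXTENDED entirely; this walker still recovers tag number 0 but marks the encoding non-canonical, so the PDU is dropped rather than waved through.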