A surveillance company has been caught exploiting a sophisticated SS7 bypass technique to track mobile phone subscribers' locations.
The attack leverages previously unknown weaknesses in the TCAP (Transaction Capabilities Application Part) layer of SS7 networks to evade security protections deployed by mobile operators worldwide.
Key Takeaways
1. Malformed SS7 commands mask the IMSI to enable location tracking.
2. An extended TCAP tag (30 13 9f 00 08) evades legacy SS7 firewalls.
3. In use since Q4 2024, this exploit has leaked subscribers' locations.
Bypass SS7 Security and Track IMSI
The attack exploits a little-known feature of ASN.1 BER (Basic Encoding Rules) encoding within the TCAP protocol layer.
Attackers manipulate the Tag code structure of the TCAP Information Elements carrying the IMSI (International Mobile Subscriber Identity) by using an extended tag encoding method. Instead of the standard encoding sequence 30 12 80 08, the malicious packets use 30 13 9f 00 08, effectively extending the Tag code beyond its normal single-octet form.
Figure: Detailed TCAP message structure
The technique specifically targets PSI (ProvideSubscriberInfo) commands, which are legitimate GSM-MAP operations used by mobile operators for location tracking and mobility management.
The extended tag encoding causes the IMSI field, which identifies the targeted subscriber, to become unreadable to many signaling security systems.
When security firewalls cannot decode the IMSI correctly, they fail to apply the crucial home-versus-roaming network checks that should block unauthorized location requests.
Figure: Breakdown of the TCAP component with the attack
The surveillance company behind these attacks has integrated this TCAP manipulation technique into its operational toolkit since at least Q4 2024.
Its method involves sending malformed PSI requests with extended tag codes from external networks, targeting home-network subscribers whose locations should normally be shielded from outside queries.
The attack succeeds because many SS7 software stacks were never designed to handle extended TCAP tag codes, as this encoding method has rarely been used in over 40 years of TCAP operation.
Moreover, legacy SS7 systems often take a permissive approach to undecodable fields, allowing packets to pass through as long as they can be routed and leaving decoding to the end nodes.
Figure: Wireshark capture of the attack message
Enea's Threat Intelligence Unit has confirmed successful exploitation of this vulnerability in real-world scenarios, observing complete location tracking attacks in which PSI requests bypassed security measures and returned subscriber location data.
The technique is part of an evolving suite of bypass methods that surveillance companies employ to defeat signaling security defenses.
To address this threat, security experts recommend blocking all malformed PDU structures and implementing enhanced detection for MAP PDUs in which the expected IMSI fields cannot be decoded.
The GSMA has been alerted to this vulnerability, and recommendations have been distributed to help mobile operators strengthen their signaling security posture.
This discovery highlights the ongoing arms race between surveillance entities and telecommunications security, as attackers continue exploiting the complex ASN.1 protocol structures inherent in SS7 networks to evade detection and maintain unauthorized access to sensitive subscriber information.
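As an added illustration of that recommendation (example code written for this page, not Enea's or any vendor's tooling): a small BER decoder that recovers the IMSI from both the standard 30 12 80 08 encoding and the extended 30 13 9f 00 08 form, and reports the latter as a non-minimal tag encoding that a signaling firewall can reject instead of passing through. The sample PDUs are constructed; the IMSI value and the trailing [2] element are placeholders, not real ProvideSubscriberInfo contents.

```python
def parse_tag(buf, pos):
    """X.690 identifier octets -> (cls, constructed, number, next_pos, minimal)."""
    first = buf[pos]
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    pos, minimal = pos + 1, True
    if number == 0x1F:                  # high-tag-number form, 7 bits per octet
        number = 0
        while True:
            octet, pos = buf[pos], pos + 1
            number = (number << 7) | (octet & 0x7F)
            if not octet & 0x80:        # bit 8 clear marks the last octet
                break
        minimal = number >= 31          # 9f 00 encodes tag 0: legal value, illegal form
    return cls, constructed, number, pos, minimal

def parse_length(buf, pos):
    first, pos = buf[pos], pos + 1      # definite-form length, short or long
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def tbcd_to_digits(raw):
    digits = []                         # TBCD: low nibble first, 0xF pads odd length
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)

def extract_imsi(pdu):
    """Return (imsi, minimal) for the [0] element of the outer SEQUENCE, else (None, True)."""
    cls, cons, num, pos, _ = parse_tag(pdu, 0)
    if (cls, cons, num) != (0, True, 16):
        raise ValueError("outer element is not a SEQUENCE")
    length, pos = parse_length(pdu, pos)
    end = pos + length
    while pos < end:
        cls, cons, num, pos, minimal = parse_tag(pdu, pos)
        length, pos = parse_length(pdu, pos)
        if cls == 2 and num == 0 and not cons:   # context-specific [0] IMSI, primitive
            return tbcd_to_digits(pdu[pos:pos + length]), minimal
        pos += length
    return None, True

# Constructed samples: IMSI 262011234567890 in TBCD plus a filler [2] element so the
# SEQUENCE lengths match the report's 0x12 / 0x13 (the filler is not real MAP content).
NORMAL_PDU = bytes.fromhex("30128008" "62021132547698f0" "a206800081008200")
EVASIVE_PDU = bytes.fromhex("30139f0008" "62021132547698f0" "a206800081008200")
```

A firewall that only matches the one-octet tag 0x80 sees nothing it recognises in EVASIVE_PDU; decoding the multi-octet form recovers the same IMSI and exposes the malformed encoding as a blocking criterion.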