SS7 Hack or SS7 Attack: A Step by Step Guide (Updated 2023)

SS7 Hack is the process of getting calls or SMS for a subscriber, on another mobile number or in an application.

For many services (e.g social media apps etc.), if the person is using a verification of SMS or a call.

Since call and SMS can be routed to another number then you should know SS7 hack is possible.

SS7 vulnerability exposes network users to Voice and SMS hack, also when this vulnerability gets exploited, the attacker can get the the real-time location of a person of the victim.

SS7 hack is not simple as it looks, some people claim to install software and then just enter phone number to hack SMS or calls, NO, it doesn’t work that way.

Here is how the ss7 attack work?

 

 

Thats the pictoral explanation of how ss7 attack work.

But wait how can we then exploit this ss7 vulnerability? here’s how.

To get calls and SMS via the SS7 hack, you will have to connect to the ss7 network and run an application so that the home network of an original subscriber gets the impression that software is the roaming VLR/MSC node in a network.

So the first step here is getting the SS7 connection.

How to get the SS7 Connection for the SS7 hack

Option 1: Getting the SS7 Global Title and Point Code

To get the SS7 connection, you need to have a Global Title and a point code (international), a local point code (local, between you and mobile operator )can be used, depends on the ss7 connection provider.

If one is a  mobile operator, then get this from the standard GSM body. New network code is assigned by gsm so that you can have a big range of global titles or MSISDNs and IMSIs.

If not a mobile operator, one can take a global title on lease from a mobile operator. Once you have GT.

Option 2: SS7 connection via an aggregator

You can connect to an SS7 aggregator and they can publish you GT on all networks. So any traffic coming to your GT will be forwarded by aggregator in the direction of your node or application.

This is a common thing with MVNO, some of their GT ranges which are published to an aggregator for connecting mobile network operators globally.

Option 3: Directly with a Mobile Operator

Here, you need to have direct links with mobile operators, each will set routing for your GT, towards the serving node. so you will need to connect each mobile operator Individually.

SS7 Software or Tool kit:

Once you have access to the ss7 network or ss7 connection, Now time to develop an ss7 application or get one which is made already.

You need to have the SDK for ss7 which provides the required ss7 stack and libraries for developing the ss7 hack software.

You can also check out Loay Razak SS7 Exploitation script called Sigploit.

Sigploit is an open source tool, to use the script you will be needing an HackRF hardware toolkit, you can get the HackRF kit from Amazon.

Application Registration as a real phone:

Firstly you need to register the application as a phone registers in the roaming network.

This will require the IMSI of the sim card of the mobile number, you know mobile number is easy to get by anybody, but IMSI details are not easy.

So you will need to get the IMSI details of the user mobile number, you can use the IMSI cather tool/hardware.

After that, the hcaking application sends SRI-SM with the phone number to the HLR, which sends the IMSI and roaming information in response.

The roaming information includes the county code and area code.

The ss7 hack application builds the location update along with other parameters from the IMSI datas, Then it opens a TCAP dialogue to the SS7 node.

The open dialogue needs to fill the SCCP called party address and SCCP Calling party address.

Called Party address is derived from IMSI and calling party address is the GT of software application.

During Update Location, the HLR will respond with ISD or Insert Subscriber Data.

The software application needs to acknowledge the ISD to the HLR, else update location procedure will fail and the application will not attach as a phone.

But once the HLR sends update location ACK, which means registration is done.

SS7 Hack for Voice:

Once you are done with the phone registration call flow, The ss7 hack software should activate the call forwarding to the new number.

When you have activate the call forwarding, SS7 hack tool will send the type of call forwarding and the mobile number where the attacker(hacker) wants to receive those call too.

You can set the call forwarding type to be “Call Forwarding Unconditionally”.

This means ‘Call Forwarding’ will be active on victims phone all time.  the victim wont even detect that his calls has been hacked, then when you are done, recieving the the verfication code via the call thats forwarded to your own device. you can now remove the call forwarding.

SS7 Hack for SMS:

Once the application is registered with the home network.

The GT of ss7 hack software gets updated on the home HLR as an outcome of update location procedure.

When a request for authentication from the mobile end SMS starts.

HLR gets SRI-SM query from the ss7 hack application, in the response of SRI-SM, HLR sends the visiting MSC number and IMSI.

The MSC number is the GT of the application, the sender SMS will send the SMS to the software application using the MSC number.

Now its the responsibility of the ss7 hack application to decode the message and display the message in a user-readable string, Then you can have the auth/otp code you were looking for.

What Application can be hacked through the SS7 attack?

I will say its any application that requires user verification through SMS or Voice verification can all be hacked by the SS7 attack when they access the SS7 network.

I will explain the ss7 hack work flow for WhatsApp and Facebook here.

SS7 hack on WhatsApp:

Knowing that Whatsap is used globally, it does the transfer of message and file over the IP network.

It connects you to other users on your phone book by using your phone number, your phone number is your WhatsApp profile id.

You know whenever you are installing WhatsApp, it requires you to enter an authentication code sent via SMS to access your WhatsApp account.

If WhatsApp needs to get hacked via ss7, after the installation of WhatsApp, run the ss7 hack software/tool and get the authentication message of the victim on the hack software app.

The Enter the code in the WhatsApp you’ve installed.

Now you can have messages on the your WhatsApp, but the number belongs to another person(victim).

SS7 hack on Facebook:

You all know facebook also have the SMS authentication that they always sent to the number attached to your Facebook account when you are about to recover the account, you can always get the SMS codes using the ss7 hack software.

The Effects Of SS7 Attack On Individual Or Organization:

😲Anyone with a mobile phone can be vulnerable to the attack. The movements of the mobile phone users can be followed virtually from anywhere in the world and have a success rate of almost 70%.

😲It is a man-in-the-middle attack on mobile phone communications that exploits authentication in communication protocols running on top of SS7, even when the cellular networks use advanced encryption. It is as if the front door of your house is secured, but the tailgate is wide open.

😲The attacks are worrying by opening the door to mass surveillance activities. The attack undermines the privacy of billions of customers around the world. Those who are in the place of power can have higher chances of targeting the risk.

What measures can we take to prevent SS7 hack attacks?

Shutting down your device is the only way to be safe from SS7 hack, but you know that’s not a good option.

Well, Here are few measures you can take:

😤You should start use encrypted messaging services: like Signal Private Messenger, to be honest, I will advise the use of Signal over other messaging app.

😤Using Of a Non-Default Call Service: calls are to be made using voice over IP services like TrueCaller or FaceTime in iPhones and avoiding using the default call setup on the device.

😤Install an app Called SnoopSnitch: A tool called as SnoopSnitch was created to warn individuals when a certain SS7 attack occurs or detection of fake IMSI Catchers if any.

Terminologies you need to understand

Global Title (GT):  All connector in the core of the operator (msc,vlr) have their own address (i.e public IP) in a format of an international number ,example: +12345687878.

Those address are used for routing traffic to and from the nodes between the operators.

Point Code (PC): Communication in SS7 network is done on a hop by hop basis in order to reach the final destination (GT).

PC is a 4-5 digits that determines the next peer hop that packets should go through (STP) in order to reach the destination.

When you access an SS7 connection, your SS7 provider is your peer, and the peer (PC) should be set to theirs.

International Mobile Subscriber Identity (IMSI): This is the most important target parameter.

It is a subscriber Unique ID to a user SIM Card that used in all operations within the home operator or for roaming operations between operators.

This is the first subscriber info that should be gathered as it is critical and important for the ss7 attack (i.e interception) is done with IMSI, you can use an IMSI catcher to get anyone IMSI Unique ID.

Mobile Station International Subscriber Directory Number (MSISDN): Your phone number, the phone number you call and sends SMS to.

International Mobile Equipment Identity (IMEI): is a unique number for each mobile device. The IMEI number is used by a GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing that network.

For example, if a mobile phone is stolen, you can call your network provider and instruct them to blacklist the phone using its IMEI number.

The importance of this info is that some extension of IMEI (IMEISV) provides the software version as well of the handset, allowing to initiated a more targeted client side attack

Home Location Register (HLR): Every operator has one or more HLR depending on their capacity. HLR operator’s database each subscriber’s profile/info is stored in only one HLR.

Information such as IMEI, IMSI, Subscriber latest location, Services allowed (call forwarding, barring), Auth keys of subscriber, subscription profile

Visitor Location Register (VLR): There different VLR which are responsible for a specific region. All subscriber roaming in a specific region is attached to the VLR responsible for their region.

It acts as a temporary database for the period of the roaming subscriber,It has the same info as the home network (HLR).

Mobile Switching Centre (MSC): The MSC is responsible for routing and switching calls,SMS and data to and fro the subscribers attached to it. Every group of cells/BTS/towers are connected to an MSC.

Short Message Switching Centre (SMSC): It’s responsible for sending and delivering short messages (SMS) to subscribers.

Signal Transfer Point (STP): It acts as router of the operators, which is responsible for all the routing, path determination and relaying of the SS7 messages.