SS7 Alarm: TCAP Tag Exploit Lets Attackers Intercept SMS and Track Users

Researchers uncovered a TCAP-layer SS7 bypass that lets attackers intercept SMS, reroute calls, manipulate billing, and track locations by embedding extended TCAP tags to evade IMSI filtering. Active since late 2024, the technique signals renewed risk from legacy telecom protocols.

    In a compelling reminder of the weaknesses embedded in legacy telecom infrastructure, security researchers have unveiled a new method of bypassing Signaling System No. 7 (SS7), the decades-old protocol still used widely in global mobile communications. The exploit allows malicious operators to intercept SMS messages, reroute calls, manipulate billing requests, and track user locations—all without alerting network defenses. Active since at least late 2024, the technique leverages obscure vulnerabilities in the Transaction Capabilities Application Part (TCAP) layer of SS7, reigniting concerns about the viability of SS7 security.

    TCAP Tag Manipulation Allows Bypass of Carrier-Level Protections

    Security analysts from several research groups, including Enea’s Threat Intelligence Unit, investigated a new class of SS7 protocol bypass attacks that exploit flaws in the TCAP layer. TCAP is used within SS7 networks to exchange non-circuit related data, such as user location, subscriber status, and more.

    Malformed Commands Hide Location Requests

    According to multiple sources, attackers—believed to be tied to a surveillance vendor—crafted malformed SS7 messages using nonstandard TCAP encodings, effectively masking the user’s unique subscriber identifier (IMSI). By embedding an extended TCAP tag (`30 13 9f 00 08`), threat actors were able to send ‘ProvideSubscriberInfo’ (PSI) requests to mobile operators across the globe. These requests, typically used for legitimate billing or roaming operations, could now bypass existing SS7 firewalls and other protocol-layer defenses because the altered tag format rendered them illegible to traditional IMSI filtering mechanisms.

    Security tools and SS7 firewalls interpret the PSI request based on known structures. However, because of the extended tag format used in the attack, the signaling security systems failed to recognize the command as either valid or threatening—especially in older network architectures. As a result, the malformed commands were allowed through without triggering alarms.

    This exploit path works particularly well against SS7 stacks with outdated or incomplete implementations—common in legacy systems still in use by many carriers worldwide.
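As an added example that is not part of the article or of Enea's research, the Python decoder below shows why a filter that matches on the raw tag byte misses the long-form tag quoted above. It assumes the quoted `9f 00` is the BER high-tag-number encoding of context tag [0] (the IMSI parameter of a ProvideSubscriberInfo argument) and uses constructed sample messages with placeholder IMSI digits.

```python
# Added example, not code from the article or from Enea: a minimal BER tag
# decoder for TCAP/MAP parameters that normalises short-form and long-form
# (high-tag-number) tags, so a filter matches the decoded tag rather than the
# raw byte. The two messages below are constructed; the IMSI digits are a
# placeholder, not a real subscriber.

def decode_tag(buf: bytes, pos: int = 0):
    """Return (tag_class, number, long_form, next_pos) for the tag at pos."""
    first = buf[pos]
    tag_class, number, pos = first >> 6, first & 0x1F, pos + 1
    long_form = number == 0x1F          # 11111 -> number continues in next bytes
    if long_form:
        number = 0
        while True:
            b, pos = buf[pos], pos + 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:            # high bit clear ends the tag number
                break
    return tag_class, number, long_form, pos

def decode_length(buf: bytes, pos: int):
    """Return (length, next_pos) for a definite-form BER length at pos."""
    b, pos = buf[pos], pos + 1
    if b < 0x80:
        return b, pos                   # short definite form
    n = b & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def naive_imsi_present(arg: bytes) -> bool:
    """Signature-style check: IMSI only seen if the first tag byte is 0x80 ([0])."""
    _, pos = decode_length(arg, 1)      # skip outer SEQUENCE tag (0x30) + length
    return arg[pos] == 0x80

def inspect_first_param(arg: bytes) -> dict:
    """Decode the first parameter of the SEQUENCE; flag non-minimal tag encodings."""
    _, pos = decode_length(arg, 1)
    cls, num, long_form, pos = decode_tag(arg, pos)
    length, pos = decode_length(arg, pos)
    return {
        "is_imsi": cls == 2 and num == 0,            # context-specific [0] = imsi
        "non_minimal_tag": long_form and num < 31,   # long form for a number < 31
        "imsi_len": length,
    }

# Constructed samples: the same 8-byte IMSI parameter with a canonical [0] tag
# and with the long-form tag prefix quoted in the article (9f 00). The SEQUENCE
# length is adjusted to the single parameter carried here.
IMSI = bytes.fromhex("2143658709214365")           # placeholder TBCD digits
CANONICAL = bytes.fromhex("300a8008") + IMSI
EVASIVE = bytes.fromhex("300b9f0008") + IMSI
```

A filter built on `inspect_first_param` sees the IMSI in both encodings and can additionally alert on the non-minimal tag itself, which has no legitimate reason to appear in a PSI request.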

    Attackers Circumvented Global Security Deployments

    Enea’s investigation revealed active and ongoing exploitation of this method as early as Q4 2024. The surveillance company behind the campaign had been systematically leaking user locations, bypassing international network security protections, and executing signaling-level espionage on targeted devices.

    Researchers emphasized that this is not merely a proof-of-concept or isolated vulnerability. Instead, it reflects a fully operational technique now trending in both private-sector surveillance use and increasingly on underground forums. In fact, Cyber Security News reported on October 22, 2025, that a version of this SS7 bypass exploit is now for sale in illicit online marketplaces for $5,000 USD, marketed as a turnkey interception and location-tracking service.

    The Long History—and Present Danger—of SS7 Exploits

    SS7, developed in the 1970s, remains foundational for 2G, 3G, and some 4G telecom operations. The protocol was never designed with strong authentication or encryption, making it inherently trust-based. Despite the rollout of the more secure Diameter protocol in LTE and future 5G standards, backward compatibility and cross-network communication have forced continued SS7 usage.

    Historical incidents underline the continuing risks:

    • In 2017, attackers exploited SS7 flaws to bypass two-factor authentication (2FA) in Germany, stealing funds from mobile bank customers.
    • Metro Bank in the U.K. experienced a similar SS7-based 2FA interception attack in 2019.
    • Security firm Positive Technologies documented several campaigns in 2018 that targeted subscriber data using SS7 vulnerabilities.

    SS7’s architecture allows any authorized network—potentially even rogue operators—to send signaling messages that appear legitimate. Without robust cross-border gateway filters, these commands can penetrate even well-secured networks.

    Evolution of SS7 Exploits Reveals Attackers’ Ingenuity

    Research from Cyber Press outlines the timeline and progression of SS7 bypass techniques:

    1. 2019: Global Opcode manipulation detected and analyzed.
    2. 2022: Introduction of Extended Application Context exploits.
    3. 2022: Emergence of Long TCAP ID techniques to spoof endpoint identity.
    4. 2024–2025: TCAP extended tag manipulation bypasses IMSI-based filtering logic.

    The blend of legacy protocol weaknesses and uneven global deployment of modern defenses offers persistent opportunities for exploitation.

    Mobile Operators Must Assess Legacy Defenses Against Modern Threats

    With evidence that attackers can now evade even mature SS7 firewall deployments, Enea warns that telecom providers cannot rely solely on signature-based blocking or static IDS policies. Instead, enterprises and mobile operators should:

    • Upgrade SS7 stack implementations to include better tag validation and packet structure analysis.
    • Implement anomaly detection systems that flag irregular TCAP command sequences.
    • Deploy cross-layer security that contextualizes signaling events with subscriber behavior.
    • Audit interconnect traffic from external vendors and operators for malformed signaling commands.

    Until the full global migration to modern, end-to-end encrypted signaling solutions is complete—especially within 5G environments—SS7 and its successor protocol Diameter will remain soft targets for persistent attackers.

    Surveillance Capabilities Sold on Criminal Marketplaces Suggest Wider Risk

    The operationalization of this SS7 bypass attack and its emergence on dark web forums elevate the risk beyond state-sponsored espionage or niche surveillance use. Now commoditized, these exploits are accessible to financially motivated actors who can weaponize them for identity theft, 2FA bypass, or large-scale fraud campaigns.

    Mobile network operators and security teams must assume SS7-based location tracking and SMS interception remain viable attack vectors. The shift from proof-of-concept to active exploitation—and now commercialization—demands an urgent re-evaluation of inter-carrier trust assumptions and overall telecom infrastructure hardening.
