Exposing The Flaw In Our Phone System

Veritasium
6 min read

Based on Veritasium's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

SS7 abuse can reroute calls and intercept SMS, including one-time passwords used for two-factor authentication, enabling account takeovers without direct malware on the phone.

Briefing

A decades-old phone signaling system (SS7) can be abused to hijack calls, intercept SMS-based two-factor authentication codes, and even infer a target’s location—without touching the phone itself. The core takeaway is that the network’s “trust” model and legacy design let attackers reroute communications by manipulating how carriers exchange signaling information, creating a practical path from “dial a number” to “steal access.” That matters because SMS 2FA is widely used, and the same weaknesses that enable privacy intrusions also enable account takeovers and financial theft.

The story begins with phone "phreaking" and the evolution of signaling. Early telephone networks relied on manual operator connections and rotary-dial pulses, which worked poorly over long distances because the control pulses distorted on the line. Touch-tone phones solved that by encoding control information as tones within the voice-frequency band. The trade-off was that control and content now shared one channel, so anyone who could play the right tones into the handset could issue control signals. In the 1970s the "blue box" that Steve Jobs and Steve Wozniak built exploited this: a 2600 Hz tone told long-distance switching equipment that the trunk was idle, after which the box could send its own routing tones and place free calls. The industry responded by moving control signaling off the voice channel.

That fix became SS7—Signaling System No. 7—introduced as a separate digital signaling network intended to be harder to manipulate. Yet SS7’s security assumptions didn’t hold as telecoms expanded. In the modern landscape, thousands of operators and virtual network operators need SS7 access, often through agreements and “walled garden” trust relationships that are easier to penetrate than they appear. Attackers can lease or buy Global Titles (GTs), which function like addressing identifiers for signaling requests. With the right GT access, they can attempt to obtain a subscriber’s IMSI (International Mobile Subscriber Identity), a unique 15-digit identifier tied to the SIM.

Once IMSI and signaling access are in place, the attack chain becomes operational: the attacker sends a location update claiming the victim's SIM has just registered on a network the attacker controls (to the home network this looks like ordinary roaming), and the home network then forwards calls and texts for that subscriber to the attacker's destination. In the demonstration, a call placed to Linus didn't ring on his phone; instead, it reached someone else, while his handset still showed normal service, because nothing on the phone itself was changed. The same mechanism extends to SMS interception: the home network keeps delivering texts to the attacker until the phone's next location update re-registers it with its real network, and that window is long enough to capture a one-time password and complete a login before the victim notices a missing message.

SS7 can also support location requests, though the transcript emphasizes that the method is subtle—often identifying the connected cell tower rather than using GPS. In dense urban areas, that can still narrow a person to within roughly a hundred meters. Researchers Karsten Nohl and Alexandre De Oliveira are credited with showing how these attacks work, and the transcript links SS7 abuse to real-world tracking and surveillance efforts, including the case of Princess Latifa of Dubai, where SS7 was reportedly used to pinpoint a yacht captain’s location.

The transcript closes with why SS7 persists: it remains the backbone for 2G and 3G, and although 4G and 5G use newer signaling protocols, interworking with older networks and much inter-operator routing still fall back to SS7. That creates long-term inertia, potentially 10 to 20 years, before full replacement. Personal defenses are limited, but the recommended shift is away from SMS-based 2FA toward authenticator apps or hardware tokens, whose codes never cross the phone network, and toward end-to-end encrypted calling and messaging such as Signal or WhatsApp, which an SS7 reroute cannot read. One caveat a practitioner would add: those apps still verify the phone number by SMS at registration, so enabling their registration lock or PIN feature closes the remaining SMS-based takeover path.

Cornell Notes

SS7 (Signaling System No. 7) is a telecom signaling backbone that can be abused to reroute calls and intercept SMS messages, including one-time passwords used for two-factor authentication. Attackers typically follow a three-step path: infiltrate SS7 by obtaining access via Global Titles (GTs), gain trust by collecting a victim’s IMSI (International Mobile Subscriber Identity), and then attack by sending signaling requests that make the network treat the target as roaming—so calls/texts get forwarded to attacker-controlled destinations. The transcript also describes SS7-based location requests that can narrow a target to a cell tower area. The risk persists because SS7 underpins legacy 2G/3G services and still functions as the de facto routing standard even when 5G exists.

How did early phone signaling vulnerabilities lead to today’s SS7 risk?

Early networks used rotary-dial pulses and operator switching. As long-distance automation became difficult due to distorted control pulses, phone companies moved control information into the voice band using touch-tone dual-tone signaling. That made spoofing feasible—illustrated by Jobs and Wozniak’s “blue box,” which used a 2600 Hz tone to trick long-distance switching into free routing. SS7 was introduced to separate control signaling from the voice channel, but later telecom growth and trust assumptions created new ways to abuse the signaling layer.

What are Global Titles (GTs) and why do they matter for SS7 attacks?

SS7 uses an addressing scheme analogous to IP addressing. Instead of IP addresses, it uses Global Titles (GTs), numeric addresses carried in the signaling layer, to identify where a request comes from and where it should be delivered. Telcos typically accept messages only from GTs belonging to operators they have agreements with, creating a "walled garden" model. The transcript argues that the modern telecom ecosystem, now containing far more operators, virtual operators and intermediaries, makes it easier to obtain or lease GT access, effectively widening the set of actors who can send signaling requests that home networks will act on.

Why is IMSI the “real key” for mobile SS7 attacks?

Even with SS7 access and a target phone number, attackers need the identifier the network itself keys subscriber operations on. The transcript describes IMSI as a 15-digit International Mobile Subscriber Identity that belongs exclusively to the SIM card; the phone number is only a label the home network maps to it. Attackers collect the IMSI with SS7 lookup messages such as "send routing info" (SRI) and "send routing info for SM" (SRI-SM). The latter is what an SMS center legitimately sends to ask where a text should be delivered, and its response includes the IMSI and the address of the switch currently serving the phone. Signaling firewalls may block or filter these requests, but once the IMSI is known the attacker can issue the subscriber-level operations (location updates, location queries) that the rest of the attack depends on.

How can a call or SMS be intercepted without the victim’s phone being “hacked” directly?

The transcript describes rerouting by manipulating the network's roaming assumptions. The attacker sends a location update for the victim's IMSI from the attacker's own GT, so the home network records that the subscriber is now roaming on the attacker's "network" and updates its routing accordingly; calls and texts for that number are then delivered to the attacker's Global Title. In the demonstration, a call to Linus didn't ring his phone; instead, it reached Derek. For SMS 2FA, the attacker triggers the code, intercepts the one-time password, and uses it within the window before the victim's phone performs its next location update and re-registers with the correct network, which restores normal routing.
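The IMSI lookup and the roaming-based reroute described in the two answers above, as an added example that is not from the video or from the researchers it credits: a toy Python model of a home network's subscriber database (HLR) handling the two signaling operations named here, SendRoutingInfoForSM and UpdateLocation, first with no origin checks and then behind a minimal signaling firewall. The firewall applies two mitigations operators commonly deploy: it accepts location updates only from GTs that have a roaming agreement, and it answers SRI-SM with an opaque correlation token instead of the real IMSI (SMS home routing). All GTs, IMSIs and phone numbers are constructed, and the signaling messages are reduced to Python method calls.

```python
"""Toy HLR + signaling firewall. Constructed data only; no real operators."""
from dataclasses import dataclass

HOME_HLR_GT = "44100000001"      # constructed: the home operator's HLR
HOME_MSC_GT = "44100000005"      # constructed: switch normally serving the victim
PARTNER_GTS = {"33100000002"}    # constructed: GTs with a roaming agreement
ATTACKER_GT = "99900000009"      # constructed: leased GT, no agreement

VICTIM_MSISDN = "447700900123"   # constructed phone number
VICTIM_IMSI = "234150000000001"  # constructed 15-digit IMSI


@dataclass
class Subscriber:
    msisdn: str       # phone number, the only thing the attacker starts with
    imsi: str         # SIM identity that subscriber-level operations are keyed on
    serving_msc: str  # GT of the MSC/VLR the HLR believes is serving the phone


class SignalingFirewall:
    """Minimal policy: UpdateLocation only from agreement partners, and never
    disclose the IMSI to a foreign GT (SMS home routing)."""

    def __init__(self, partner_gts):
        self.partner_gts = set(partner_gts)
        self.log = []

    def allow_update_location(self, origin_gt):
        ok = origin_gt in self.partner_gts
        if not ok:
            self.log.append(f"BLOCK UL from {origin_gt}: no roaming agreement")
        return ok

    def allow_imsi_disclosure(self, origin_gt):
        return origin_gt == HOME_HLR_GT


class HLR:
    def __init__(self, subscribers, firewall=None):
        self.by_msisdn = {s.msisdn: s for s in subscribers}
        self.by_imsi = {s.imsi: s for s in subscribers}
        self.firewall = firewall
        self._correlation = {}   # token -> IMSI, resolved only inside the home network

    def sri_sm(self, origin_gt, msisdn):
        """SendRoutingInfoForSM: phone number -> (identity, GT to deliver to).
        Unprotected, the identity is the real IMSI and the GT is the real MSC."""
        sub = self.by_msisdn.get(msisdn)
        if sub is None:
            return None
        if self.firewall and not self.firewall.allow_imsi_disclosure(origin_gt):
            token = f"CORR{len(self._correlation):010d}"
            self._correlation[token] = sub.imsi
            return (token, HOME_HLR_GT)     # route the SMS via the home network
        return (sub.imsi, sub.serving_msc)

    def update_location(self, origin_gt, imsi):
        """UpdateLocation: origin claims this IMSI just registered on its VLR.
        On success the HLR points all terminating traffic at origin_gt."""
        sub = self.by_imsi.get(imsi)
        if sub is None:
            return False
        if self.firewall and not self.firewall.allow_update_location(origin_gt):
            return False
        sub.serving_msc = origin_gt
        return True

    def mt_sms_destination(self, msisdn):
        """GT an SMS (for example an OTP) to this number is delivered to now."""
        return self.by_msisdn[msisdn].serving_msc


def fresh_hlr(firewall=None):
    return HLR([Subscriber(VICTIM_MSISDN, VICTIM_IMSI, HOME_MSC_GT)], firewall)


def run_attack(firewall=None, imsi_known_elsewhere=None):
    """The chain from the summary: leased GT -> IMSI via SRI-SM -> fake roaming.
    Returns the GT the victim's next OTP would be delivered to."""
    hlr = fresh_hlr(firewall)
    ident, _ = hlr.sri_sm(ATTACKER_GT, VICTIM_MSISDN)
    # If home routing hid the IMSI, the attacker can only proceed with an IMSI
    # learnt some other way (passed in here to show the second layer of defence).
    imsi = ident if ident in hlr.by_imsi else imsi_known_elsewhere
    if imsi:
        hlr.update_location(ATTACKER_GT, imsi)
    return hlr.mt_sms_destination(VICTIM_MSISDN)


if __name__ == "__main__":
    print("no firewall   ->", run_attack())
    fw = SignalingFirewall(PARTNER_GTS)
    print("with firewall ->", run_attack(fw, imsi_known_elsewhere=VICTIM_IMSI))
    print("\n".join(fw.log))
```

run_attack() returns the GT an OTP for the victim would reach at the end of the chain: the attacker's GT when the HLR trusts any origin, the home switch when the firewall is in place. Real deployments add checks the toy omits, notably velocity checks that reject a location update from a country the subscriber could not have reached since the previous one, and in the real network the window closes by itself when the handset's next periodic location update re-registers it.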

What does SS7 location tracking typically reveal?

Rather than relying on GPS, the transcript says SS7 location requests often identify the cell tower the device is connected to. In urban areas with many towers, that can still narrow location to within about 100 meters. It also notes that researchers used this approach to track US Congressman Ted Lieu in the LA area, illustrating practical precision without GPS.

Why hasn’t SS7 been replaced quickly, even after public research?

SS7 remains the backbone for 2G and 3G communications, including SIM-based services like emergency call buttons in Europe. Even with newer signaling on 5G, inter-network call routing still uses SS7 as the de facto standard. The transcript frames this as “first mover disadvantage” and network inertia: replacing a shared backbone takes years, and routing dependencies keep SS7 alive.

Review Questions

  1. What three-step workflow does the transcript describe for executing SS7-based interception, and what role does IMSI play in that chain?
  2. How does “roaming” manipulation enable call/SMS rerouting, and why might the victim not notice immediately?
  3. Why does SS7 remain in use despite known vulnerabilities, and what legacy services slow down replacement?

Key Points

  1. SS7 abuse can reroute calls and intercept SMS, including one-time passwords used for two-factor authentication, enabling account takeovers without direct malware on the phone.
  2. Attackers can leverage Global Titles (GTs) to gain signaling access, exploiting the telecom "walled garden" trust model as the number of operators and intermediaries grows.
  3. Obtaining a victim's IMSI (International Mobile Subscriber Identity) is a key step that helps attackers appear legitimate enough for further signaling actions.
  4. A common tactic is making the network treat a target as roaming, which rewrites routing so calls/texts go to attacker-controlled destinations.
  5. SS7 can support location inference by identifying the connected cell tower, which can still be precise in dense cities.
  6. SS7 persists because it underpins 2G/3G and still functions as the routing backbone for inter-network calls, creating long replacement timelines.
  7. Reducing risk means moving away from SMS-based 2FA toward authenticator apps or hardware tokens and using encrypted internet calling services where possible.

Highlights

SS7 attacks can make a call “not ring” on the victim’s phone while still completing the call elsewhere—purely through signaling reroute.
SMS 2FA interception can work within a narrow timing window: attackers capture the one-time code before the phone reconnects to the correct network.
SS7 location requests often don’t need GPS; identifying the serving cell tower can still narrow a person to within roughly 100 meters in urban areas.
Replacing SS7 is slow because 2G/3G legacy support and inter-network routing dependencies keep it embedded in telecom infrastructure.

Topics

  • SS7 Security
  • Global Titles
  • IMSI
  • SMS 2FA
  • Telecom Signaling

Mentioned

  • Steve Jobs
  • Steve Wozniak
  • Karsten Nohl
  • Alexandre De Oliveira
  • Tobias Engel
  • Ted Lieu
  • Crofton Black
  • Latifa Al Maktoum
  • Hervé Jaubert
  • Tiina
  • Sheikh Mohammed
  • Derek
  • Linus
  • SS7
  • GT
  • IMSI
  • SMS
  • 2FA
  • IP
  • GPS