The attack, detected by Enea’s Threat Intelligence Unit, represents the latest evolution in signaling protocol exploitation and demonstrates how attackers continue to find creative ways around telecommunications security defenses.
Since 2017, security experts have documented a steady stream of SS7 bypass techniques, with the majority targeting the TCAP layer of the SS7 protocol stack.
Previous attacks have included Global Opcode manipulation (detected in 2019), Extended Application Context exploits (2022), and Long TCAP ID techniques (2022).
Each method aims to bypass the increasing security measures that mobile operators have implemented to protect their SS7 networks.
The TCAP layer has become particularly attractive to attackers because of its complexity and the flexibility of the ASN.1 BER (Basic Encoding Rules) encoding it uses.
Unlike DER (Distinguished Encoding Rules), which fixes exactly one encoding for every value, BER allows the same value to be encoded in several ways, and decoders written for BER tend to accept further variants the standard does not strictly permit, creating opportunities for exploitation.
This flexibility, combined with the layer’s critical role in carrying application data between SS7 nodes, makes it an ideal target for sophisticated bypass attempts.
The newly discovered attack focuses on manipulating the encoding of Information Elements (IEs) within TCAP messages, specifically targeting the IMSI (International Mobile Subscriber Identity) field in ProvideSubscriberInfo (PSI) commands.
In the normal encoding, the PSI argument opens with a sequence such as 30 12 80 08: 30 is the universal SEQUENCE tag, 12 its length, 80 the context-specific tag [0] that marks the IMSI, and 08 the length of the IMSI that follows. The whole tag fits in a single octet.
ITU-T Q.773 (following X.690) also defines an extended tag form for tag numbers of 31 and above: the five low-order bits of the first tag octet (bits A to E in Q.773’s notation) are set to 11111, and the tag number itself continues in one or more following octets.
Attackers have discovered that they can encode the same IMSI tag as 30 13 9f 00 08, where 9f announces an extended context-specific tag and the following 00 carries tag number 0; the enclosing sequence length grows by one octet, from 12 to 13.
The attack effectively “hides” the IMSI field from security systems that cannot decode the extended tag structure. Note that a strict decoder would reject 9f 00 outright: X.690 requires tag numbers below 31 to use the single-octet form and forbids a first subsequent tag octet of 00, so this is not a conformant encoding of tag [0] at all, only one that lenient decoders happen to accept.
The manipulation exploits two weaknesses: many SS7 decoding stacks never implemented the extended tag form because it is rarely seen in normal traffic, and security solutions built on those older stacks tend to fail open, letting through fields they cannot decode rather than rejecting the message.
Researchers confirmed this technique has been actively used since Q4 2024 by a surveillance company for location tracking attacks against mobile network subscribers.
The attack successfully bypassed security checks that should have blocked unauthorized PSI requests targeting home network subscribers, allowing attackers to obtain location information that should have been protected.
To combat these evolving threats, security experts recommend blocking all malformed PDUs and any MAP PDU in which an IMSI is expected but cannot be found in the decoded message, that is, failing closed on anything the decoder cannot fully parse.
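As an added illustration (this is not code from the article or from Enea), the following Python decodes the two encodings described above and applies the recommended checks. A small BER tag/length/value walker handles the extended tag form and records whether a tag was encoded canonically; `find_imsi` recovers the IMSI from either encoding, `legacy_screen` models the permissive behaviour the article describes (no extended-tag logic, undecodable fields ignored), and `hardened_screen` fails closed on malformed PDUs and on a missing IMSI. The PSI argument bytes, the IMSI 001010123456789, the requestedInfo contents and the “home” MCC/MNC prefix 00101 are all constructed for the demonstration.

```python
"""Added example, not the article's own code. BER walker with high-tag-number support
plus the screening checks the article recommends. All PDU bytes are constructed."""
from dataclasses import dataclass


class MalformedPDU(ValueError):
    pass


@dataclass
class TLV:
    cls: int           # 0 universal, 1 application, 2 context-specific, 3 private
    constructed: bool
    number: int
    value: bytes
    canonical: bool    # False when the long tag form was used where X.690 forbids it


def read_tag(buf, pos, allow_extended=True):
    """Parse identifier octets at buf[pos]; return (cls, constructed, number, canonical, new_pos)."""
    first = buf[pos]
    pos += 1
    cls, constructed, number, canonical = first >> 6, bool(first & 0x20), first & 0x1F, True
    if number == 0x1F:                       # bits 5..1 (Q.773 bits A-E) all ones: long form
        if not allow_extended:
            raise NotImplementedError("extended tag not supported")
        number, first_sub = 0, buf[pos]
        while True:
            octet = buf[pos]
            pos += 1
            number = (number << 7) | (octet & 0x7F)
            if not octet & 0x80:             # bit 8 clear marks the last subsequent octet
                break
        # X.690 8.1.2.2 / 8.1.2.4.2: numbers 0..30 must use one octet and the first
        # subsequent octet may not have bits 7..1 all zero, so 9f 00 is not valid BER.
        if number < 31 or first_sub & 0x7F == 0:
            canonical = False
    return cls, constructed, number, canonical, pos


def read_length(buf, pos):
    """Definite-form BER length only; the indefinite form is rejected as out of scope."""
    octet = buf[pos]
    pos += 1
    if octet < 0x80:
        return octet, pos
    n = octet & 0x7F
    if n == 0 or pos + n > len(buf):
        raise MalformedPDU("unsupported or truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode(buf, allow_extended=True):
    """Decode one level of TLVs from buf into a list (nested values stay as bytes)."""
    items, pos = [], 0
    while pos < len(buf):
        cls, cons, num, canonical, pos = read_tag(buf, pos, allow_extended)
        length, pos = read_length(buf, pos)
        if pos + length > len(buf):
            raise MalformedPDU("element runs past end of buffer")
        items.append(TLV(cls, cons, num, buf[pos:pos + length], canonical))
        pos += length
    return items


def tbcd_to_digits(octets):
    """IMSI digits are packed two per octet, low nibble first, 0xF as filler."""
    return "".join(str(n) for o in octets for n in (o & 0x0F, o >> 4) if n != 0xF)


def psi_fields(arg, allow_extended=True):
    """Return the fields of a ProvideSubscriberInfoArg SEQUENCE, or raise."""
    outer = decode(arg, allow_extended)
    if len(outer) != 1 or outer[0].cls != 0 or outer[0].number != 16 or not outer[0].constructed:
        raise MalformedPDU("argument is not a single SEQUENCE")
    return decode(outer[0].value, allow_extended)


def find_imsi(arg):
    """Recover imsi [0] IMSI even when its tag uses the extended form; None if absent."""
    return next((tbcd_to_digits(f.value) for f in psi_fields(arg) if f.cls == 2 and f.number == 0), None)


HOME_PREFIX = "00101"   # constructed MCC/MNC of the network being protected


def legacy_screen(arg):
    """Model of the legacy behaviour: no extended-tag logic, undecodable fields ignored."""
    try:
        imsi = next((tbcd_to_digits(f.value) for f in psi_fields(arg, allow_extended=False)
                     if f.cls == 2 and f.number == 0), None)
    except NotImplementedError:
        imsi = None                          # permissive: nothing decoded, nothing to check
    if imsi is not None and imsi.startswith(HOME_PREFIX):
        return "block", "PSI against home subscriber " + imsi
    return "allow", "no home IMSI seen"


def hardened_screen(arg):
    """Fail closed: block malformed PDUs (non-canonical tags included) and a missing IMSI."""
    try:
        fields = psi_fields(arg)
    except (MalformedPDU, IndexError) as e:  # IndexError: tag or length cut off mid-element
        return "block", "malformed PDU: %s" % e
    if any(not f.canonical for f in fields):
        return "block", "malformed PDU: non-canonical tag encoding"
    imsi = next((f for f in fields if f.cls == 2 and f.number == 0), None)
    if imsi is None:
        return "block", "IMSI expected but not found"
    digits = tbcd_to_digits(imsi.value)
    if digits.startswith(HOME_PREFIX):
        return "block", "PSI against home subscriber " + digits
    return "allow", digits


# Constructed PSI arguments: the article's normal and extended encodings of imsi [0],
# followed by requestedInfo [2] asking for location, subscriber state and current location.
IMSI_TBCD = bytes.fromhex("00010121436587f9")        # 001010123456789
REQUESTED_INFO = bytes.fromhex("a206800081008300")
PSI_NORMAL = bytes.fromhex("30128008") + IMSI_TBCD + REQUESTED_INFO
PSI_EXTENDED = bytes.fromhex("30139f0008") + IMSI_TBCD + REQUESTED_INFO
PSI_NO_IMSI = bytes.fromhex("3008") + REQUESTED_INFO

if __name__ == "__main__":
    for name, pdu in ("normal", PSI_NORMAL), ("extended", PSI_EXTENDED), ("no imsi", PSI_NO_IMSI):
        print(name, find_imsi(pdu), legacy_screen(pdu), hardened_screen(pdu))
```

Running the block shows the gap: the legacy model blocks the normally encoded PSI for the home subscriber but allows the 9f 00 variant because it never sees an IMSI, while the hardened check blocks the variant as malformed and also blocks a PSI with no IMSI at all. Note that a genuine high tag number (9f 1f for tag [31], or 9f 81 00 for tag [128]) still decodes as canonical, so the non-canonical flag targets only the abuse, not legitimate extended tags.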
The discovery has been shared with the GSMA community, and affected operators have been notified to update their defenses against this new bypass technique.
The post Surveillance Firm Exploits SS7 Flaw to Track User Locations appeared first on Cyber Security News.