Blog

How Surveillance Companies track you using SS7 on Mobile Networks

Surveillance companies are often in the news, but the month of December, especially, brought three impactful headlines, which all related to how surveillance companies are using mobile networks to track you. So, the talk that Cathal Mc Daid, CTO of AdaptiveMobile Security, gave at the RC3 conference on 30 December could not have come at a better time.

Exploitable vulnerabilities in mobile core signalling networks have been known to exist for many years. However, very little information has been presented on whether these vulnerabilities are being exploited in real-life or not, and if so, how it is being done.

“Watching the watchers” presentation covers how there are 3 types of exploiters of mobile signaling networks. Establishing first how do we know what is malicious in terms of traffic. We then give an overview of what mobile surveillance companies do, before going into detail on how location tracking is done via SS7, Diameter and Simjacker attacks, by showing real-life examples.

We finally make a projection for 5G, and how surveillance companies will target 5G core networks as they are deployed globally over the next few years.

Example - Lack of input parameter validation attack

Example - Lack of input parameter validation attack

Example - Lack of input parameter validation attack

Content:

  • 3 Types of exploiters of mobile signaling networks
  • How do we know what is malicious?
  • What do mobile surveillance companies do
  • How location tracking is done via SS7: example
  • SS7 location tracking command ‘toolbox’ – attacker pros and cons
  • Complexity/info needed v possibility to be blocked: SS7
  • Sample real-life attempted attack – SS7
  • How location tracking is done via Diameter: example
  • SS7 location tracking command ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7 and Diameter
  • Sample real-life attempted attack – Diameter
  • Simjacker
  • How location tracking is done via Simjacker SMS
  • Simjacker location tracking commands ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7, Diameter, Simjacker
  • Sample real-life attempted attack – Simjacker
  • Distribution of location tracking commands
  • Trends of SS7 location tracking commands over time
  • How do these surveillance companies gain access?
  • 5G and mobile surveillance companies
  • 5G location tracking commands ‘toolbox’ – attacker pros and cons
  • Complexity v possibility to be blocked: SS7, Diameter, Simjacker & 5G

Related insights

Commsrisk logo

Enea CTO Cathal Mc Daid Recognized by Commsrisk for Threat Intelligence Research

Read more

Tags: Cybersecurity

Enea Kaleido Champion Signaling Security Vendor

Enea Recognized as a Champion Vendor by Kaleido for Our Comprehensive Signaling Security. 

Read more
Forbes logo

Enea’s Research on The Mobile Network Battlefield Featured in Forbes Magazine

Read more

Tags: Mobile Security

Mobile phones being used by both sides to identify targets in Ukraine war

Read more

Tags: Mobile Security

National telecom regulator reveals new telemarketing registry and alert service

Read more

Tags: MNO, Voice Security