telephony signaling protocols developed in 1975, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network (PSTN). The protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.
The protocol was introduced in the Bell System in the United States by the name ''Common Channel Interoffice Signaling'' in the 1970s for signalling between No. 4ESS switch and No. 4A crossbar toll offices. In North America SS7 is also often referred to as ''Common Channel Signaling System 7'' (CCSS7). In the United Kingdom, it is called ''C7'' (CCITT number 7), ''number 7'' and ''Common Channel Interoffice Signaling 7'' (CCIS7). In Germany, it is often called ''Zentraler Zeichengabekanal Nummer 7'' (ZZK-7).
The SS7 protocol is defined for international use by the Q.700-series recommendations of 1988 by the ITU-T. Of the many national variants of the SS7 protocols, most are based on variants standardized by the American National Standards Institute (ANSI) and the European Telecommunications Standards Institute (ETSI). National variants with striking characteristics are the Chinese and Japanese Telecommunication Technology Committee (TTC) national variants.
The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called ''Pseudo SS7'', it is layered on the Stream Control Transmission Protocol (SCTP) transport mechanism for use on Internet Protocol networks, such as the Internet.
History
Signaling System No. 5 and earlier systems use in-band signaling, in which the call-setup information is sent by generating special multi-frequency tones transmitted on the telephone line audio channels, also known as ''bearer channels''. As the bearer channels are directly accessible by users, they can be exploited with devices such as the blue box, which plays the tones required for call control and routing. As a remedy, SS6 and SS7 implement out-of-band signaling, carried in a separate signaling channel, thus keeping the speech path separate. SS6 and SS7 are referred to as common-channel signaling (CCS) protocols, or ''Common Channel Interoffice Signaling'' (CCIS) systems.
Another element of in-band signaling addressed by SS7 is network efficiency. With in-band signaling, the voice channel is used during call setup which makes it unavailable for actual traffic. For long-distance calls, the talk path may traverse several nodes which reduces usable node capacity. With SS7, the connection is not established between the end points until all nodes on the path confirm availability. If the far end is busy, the caller gets a busy signal without consuming a voice channel.
Since 1975, CCS protocols have been developed by major telephone companies and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T); in 1977 the ITU-T defined the first international CCS protocol as Signaling System No. 6 (SS6). SS7 replaced SS6 with its restricted 28-bit signal unit that was both limited in function and not amenable to digital systems. SS7 also replaced Signaling System No. 5 (SS5), while R1 and R2 variants are still used in numerous countries.
The Internet Engineering Task Force (IETF) defined SIGTRAN protocols which translate the common channel signaling paradigm to the IP Message Transfer Part (MTP) level 2 (M2UA and M2PA), Message Transfer Part (MTP) level 3 (M3UA) and Signaling Connection Control Part (SCCP) (SUA). While running on a transport based upon IP, the SIGTRAN protocols are not an SS7 variant, but simply transport existing national and international variants of SS7.
Functionality
Signaling in telephony is the exchange of control information associated with the setup and release of a telephone call on a telecommunications circuit. Examples of control information are the digits dialed by the caller and the caller's billing number.
When signaling is performed on the same circuit as the conversation of the call, it is termed channel-associated signaling (CAS). This is the case for analogue trunks, multi-frequency (MF) and R2 digital trunks, and DSS1/DASS PBX trunks.
In contrast, SS7 uses common channel signaling, in which the path and facility used by the signaling is separate and distinct from the channels that carry the conversation. Signaling can therefore be exchanged without first seizing a voice channel, leading to significant savings and performance increases in both signaling and channel usage.
Because of the mechanisms in use by signaling methods prior to SS7 (battery reversal, multi-frequency digit outpulsing, A- and B-bit signaling), these earlier methods cannot communicate much signaling information. Usually only the dialed digits are signaled during call setup. For charged calls, dialed digits and charge number digits are outpulsed. SS7, being a high-speed and high-performance packet-based communications protocol, can communicate significant amounts of information when setting up a call, during the call, and at the end of the call. This permits rich call-related services to be developed. Some of the first such services were call management related, call forwarding (busy and no answer), voice mail, call waiting, conference call, call screening, malicious caller identification, busy callback.
The earliest deployed upper-layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release of telephone calls. The Telephone User Part (TUP) was adopted in Europe and the Integrated Services Digital Network (ISDN) User Part (ISUP) adapted for public switched telephone network (PSTN) calls was adopted in North America. ISUP was later used in Europe when the European networks upgraded to the ISDN. North America has not accomplished full upgrade to the ISDN, and the predominant telephone service is still Plain Old Telephone Service. Due to its richness and the need for an out-of-band channel for its operation, SS7 is mostly used for signaling between telephone switches and not for signaling between local exchanges and customer-premises equipment.
Because SS7 signaling does not require seizure of a channel for a conversation prior to the exchange of control information, non-facility associated signaling (NFAS) became possible. NFAS is signaling that is not directly associated with the path that a conversation will traverse and may concern other information located at a centralized database such as service subscription, feature activation, and service logic. This makes possible a set of network-based services that do not rely upon the call being routed to a particular subscription switch at which service logic would be executed, but permits service logic to be distributed throughout the telephone network and executed more expediently at originating switches far in advance of call routing. It also permits the subscriber increased mobility due to the decoupling of service logic from the subscription switch. Another ISUP characteristic SS7 with NFAS enables is the exchange of signaling information during the middle of a call.
SS7 also enables Non-Call-Associated Signaling, which is signaling not directly related to establishing a telephone call. This includes the exchange of registration information used between a mobile telephone and a home location register database, which tracks the location of the mobile. Other examples include Intelligent Network and local number portability databases.
Signaling modes
Apart from signaling with these various degrees of association with call set-up and the facilities used to carry calls, SS7 is designed to operate in two modes: ''associated mode'' and ''quasi-associated mode''.
When operating in the ''associated mode'', SS7 signaling progresses from switch to switch through the Public Switched Telephone Network following the same path as the associated facilities that carry the telephone call. This mode is more economical for small networks. The associated mode of signaling is not the predominant choice of modes in North America.
When operating in the ''quasi-associated mode'', SS7 signaling progresses from the originating switch to the terminating switch, following a path through a separate SS7 signaling network composed of signal transfer points. This mode is more economical for large networks with lightly loaded signaling links. The quasi-associated mode of signaling is the predominant choice of modes in North America.
Physical network
SS7 separates signaling from the voice circuits. An SS7 network must be made up of SS7-capable equipment from end to end in order to provide its full functionality. The network can be made up of several link types (A, B, C, D, E, and F) and three signaling nodes – Service Switching Points (SSPs), Signal Transfer Points (STPs), and Service Control Points (SCPs). Each node is identified on the network by a number, a signaling point code. Extended services are provided by a database interface at the SCP level using the SS7 network.
The links between nodes are full-duplex 56, 64, 1,536, or 1,984 kbit/s graded communications channels. In Europe they are usually one (64 kbit/s) or all (1,984 kbit/s) timeslots (DS0s) within an E1 facility; in North America one (56 or 64 kbit/s) or all (1,536 kbit/s) timeslots (DS0As or DS0s) within a T1 facility. One or more signaling links can be connected to the same two endpoints that together form a signaling link set. Signaling links are added to link sets to increase the signaling capacity of the link set.
In Europe, SS7 links normally are directly connected between switching exchanges using F-links. This direct connection is called ''associated signaling''. In North America, SS7 links are normally indirectly connected between switching exchanges using an intervening network of STPs. This indirect connection is called ''quasi-associated signaling'', which reduces the number of SS7 links necessary to interconnect all switching exchanges and SCPs in an SS7 signaling network.
SS7 links at higher signaling capacity (1.536 and 1.984 Mbit/s, simply referred to as the 1.5 Mbit/s and 2.0 Mbit/s rates) are called high-speed links (HSL) in contrast to the low speed (56 and 64 kbit/s) links. High-speed links are specified in ITU-T Recommendation Q.703 for the 1.5 Mbit/s and 2.0 Mbit/s rates, and ANSI Standard T1.111.3 for the 1.536 Mbit/s rate. There are differences between the specifications for the 1.5 Mbit/s rate. High-speed links utilize the entire bandwidth of a T1 (1.536 Mbit/s) or E1 (1.984 Mbit/s) transmission facility for the transport of SS7 signaling messages.
SIGTRAN provides signaling using SCTP associations over the Internet Protocol. The protocols for SIGTRAN include M2UA and M3UA.
The SS7 protocol stack may be partially mapped to the OSI Model of a packetized digital protocol stack. OSI layers 1 to 3 are provided by the Message Transfer Part (MTP) and the Signaling Connection Control Part (SCCP) of the SS7 protocol (together referred to as the Network Service Part (NSP)); for circuit related signaling, such as the BT IUP, Telephone User Part (TUP), or the ISDN User Part (ISUP), the User Part provides layer 7. Currently there are no protocol components that provide OSI layers 4 through 6. The Transaction Capabilities Application Part (TCAP) is the primary SCCP User in the Core Network, using SCCP in connectionless mode. SCCP in connection oriented mode provides transport layer for air interface protocols such as BSSAP and RANAP. TCAP provides transaction capabilities to its Users (TC-Users), such as the Mobile Application Part, the Intelligent Network Application Part and the CAMEL Application Part.
The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network interface, information transfer, message handling and routing to the higher levels. Signaling Connection Control Part (SCCP) is at functional Level 4. Together with MTP Level 3 it is called the Network Service Part (NSP). SCCP completes the functions of the OSI network layer: end-to-end addressing and routing, connectionless messages (UDTs), and management services for users of the Network Service Part (NSP). Telephone User Part (TUP) is a link-by-link signaling system used to connect calls. ISUP is the key user part, providing a circuit-based protocol to establish, maintain, and end the connections for calls. Transaction Capabilities Application Part (TCAP) is used to create database queries and invoke advanced network functionality, or links to Intelligent Network Application Part (INAP) for intelligent networks, or Mobile Application Part (MAP) for mobile services.
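As an added example (not code from the original page or from any SS7 product), the Python below decodes the M3UA DATA message that carries MTP level 3 traffic over SCTP and screens it by point code and user part, the kind of check a signaling gateway applies on an interconnect link. The message layout follows RFC 4666; the point codes, the peer allow-list policy and all function names are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# M3UA constants from RFC 4666.
M3UA_VERSION = 1
CLASS_TRANSFER, TYPE_DATA = 1, 1
TAG_PROTOCOL_DATA = 0x0210
TAG_ROUTING_CONTEXT = 0x0006
# MTP level 3 service indicator -> user part named on this page.
USER_PARTS = {3: "SCCP", 4: "TUP", 5: "ISUP"}


class M3UAError(ValueError):
    """Raised when a buffer is not a well-formed M3UA DATA message."""


@dataclass(frozen=True)
class ProtocolData:
    opc: int        # originating point code
    dpc: int        # destination point code
    si: int         # service indicator (selects the user part)
    ni: int         # network indicator
    mp: int         # message priority
    sls: int        # signaling link selection
    payload: bytes  # the user-part message (ISUP, SCCP, ...), left undecoded

    @property
    def user_part(self) -> str:
        return USER_PARTS.get(self.si, f"SI-{self.si}")


def parse_m3ua_data(msg: bytes) -> ProtocolData:
    """Validate the common header and return the Protocol Data parameter."""
    if len(msg) < 8:
        raise M3UAError("shorter than the 8-byte common header")
    version, _reserved, mclass, mtype, length = struct.unpack("!BBBBI", msg[:8])
    if version != M3UA_VERSION:
        raise M3UAError(f"unsupported version {version}")
    if length != len(msg):
        raise M3UAError(f"length field {length} != {len(msg)} bytes received")
    if (mclass, mtype) != (CLASS_TRANSFER, TYPE_DATA):
        raise M3UAError(f"not Transfer/DATA (class {mclass}, type {mtype})")
    off = 8
    while off + 4 <= length:
        tag, plen = struct.unpack("!HH", msg[off:off + 4])
        if plen < 4 or off + plen > length:
            raise M3UAError(f"parameter 0x{tag:04x} has bad length {plen}")
        value = msg[off + 4:off + plen]
        if tag == TAG_PROTOCOL_DATA:
            if len(value) < 12:
                raise M3UAError("Protocol Data shorter than its fixed fields")
            opc, dpc, si, ni, mp, sls = struct.unpack("!IIBBBB", value[:12])
            return ProtocolData(opc, dpc, si, ni, mp, sls, value[12:])
        off += (plen + 3) & ~3      # parameters are padded to 4 bytes
    raise M3UAError("no Protocol Data parameter")


def screen(msg, own_pcs, peers):
    """Return (accepted, reason) for a message received on an interconnect link."""
    try:
        pd = parse_m3ua_data(msg)
    except M3UAError as exc:
        return False, f"malformed: {exc}"
    if pd.opc in own_pcs:
        return False, f"OPC {pd.opc} is one of our own point codes"
    if pd.opc not in peers:
        return False, f"OPC {pd.opc} is not a provisioned peer"
    if pd.dpc not in own_pcs:
        return False, f"DPC {pd.dpc} is not served here"
    if pd.user_part not in peers[pd.opc]:
        return False, f"{pd.user_part} not permitted from OPC {pd.opc}"
    return True, "ok"


def build_m3ua_data(opc, dpc, si, payload, routing_context=None):
    """Build a constructed DATA message to feed the parser (sample input only)."""
    params = b""
    if routing_context is not None:
        params += struct.pack("!HHI", TAG_ROUTING_CONTEXT, 8, routing_context)
    value = struct.pack("!IIBBBB", opc, dpc, si, 0, 0, 0) + payload
    plen = 4 + len(value)           # parameter length excludes the padding
    params += struct.pack("!HH", TAG_PROTOCOL_DATA, plen) + value
    params += b"\x00" * (-plen % 4)
    header = struct.pack("!BBBBI", M3UA_VERSION, 0, CLASS_TRANSFER, TYPE_DATA,
                         8 + len(params))
    return header + params


if __name__ == "__main__":
    OWN = {257}                                      # constructed point codes
    PEERS = {514: {"ISUP"}, 515: {"ISUP", "SCCP"}}   # constructed allow-list
    samples = [
        build_m3ua_data(514, 257, 5, b"\x01\x02\x03", routing_context=7),
        build_m3ua_data(514, 257, 3, b"\x09"),       # SCCP from an ISUP-only peer
        build_m3ua_data(771, 257, 5, b""),           # unprovisioned origin
        build_m3ua_data(514, 257, 5, b"\x01")[:-4],  # truncated on the wire
    ]
    for sample in samples:
        print(screen(sample, OWN, PEERS))
```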
BSSAP
BSS Application Part (BSSAP) is a protocol in SS7 used by the Mobile Switching Center (MSC) and the Base station subsystem (BSS) to communicate with each other using signaling messages supported by the MTP and connection-oriented services of the SCCP. For each active mobile equipment one signalling connection is used by BSSAP having at least one active transaction for the transfer of messages.
BSSAP provides two kinds of functions:
* The BSS Mobile Application Part (BSSMAP) supports procedures to facilitate communication between the MSC and the BSS pertaining to resource management and handover control.
* The Direct Transfer Application Part (DTAP) is used for transfer of those messages which need to travel directly to mobile equipment from MSC bypassing any interpretation by BSS. These messages are generally pertaining to mobility management (MM) or call management (CM).
Protocol security vulnerabilities
In 2008, several SS7 vulnerabilities were published that permitted the tracking of mobile phone users.
In 2014, the media reported a protocol vulnerability of SS7 by which anyone can track the movements of mobile phone users from virtually anywhere in the world with a success rate of approximately 70%. In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded. The software tool ''SnoopSnitch'' can warn when certain SS7 attacks occur against a phone, and detect IMSI-catchers that allow call interception and other activities.
In February 2016, 30% of the network of the largest mobile operator in Norway, Telenor, became unstable due to "unusual SS7 signaling from another European operator".
The security vulnerabilities of SS7 have been highlighted in U.S. governmental bodies, for example when in April 2016 Congressman Ted Lieu called for an oversight committee investigation.
In May 2017, O2 Telefónica, a German mobile service provider, confirmed that the SS7 vulnerabilities had been exploited to bypass two-factor authentication to achieve unauthorized withdrawals from bank accounts. The perpetrators installed malware on compromised computers, allowing them to collect online banking account credentials and telephone numbers. They set up redirects for the victims' telephone numbers to telephone lines controlled by them. Confirmation calls and SMS text messages of two-factor authentication procedures were routed to telephone numbers controlled by the attackers. This enabled them to log into victims' online bank accounts and effect money transfers.
In March 2018, a method was published for the detection of the vulnerabilities, through the use of open-source monitoring software such as Wireshark and Snort. Because SS7 is normally used between consenting network operators on dedicated links, any bad actor's traffic can be traced to its source.
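The screening idea behind this kind of monitoring, as an added example (not the published method and not code from any tool named above): a Python filter over constructed, already-decoded MAP records that flags requests whose origin does not fit the operation and groups them by originating global title so the source can be traced. The record layout, prefixes, rule sets and time threshold are assumptions of this example.

```python
from collections import defaultdict

# All values are constructed for this example (assumptions, not real networks).
HOME_GT = "99901"        # home-network global-title prefix
HOME_IMSI = "00101"      # home IMSI prefix (test MCC/MNC)
MIN_TRAVEL_S = 3600      # assumed minimum time to plausibly leave the home network
# Simplified rule sets of MAP operations, grouped by who normally sends them.
INTERNAL_ONLY = {"anyTimeInterrogation", "sendRoutingInfo"}
HOME_TO_SERVING = {"provideSubscriberInfo", "insertSubscriberData"}
SERVING_TO_HOME = {"updateLocation", "registerSS"}

# Constructed records: time (s), calling global title, MAP operation, IMSI
SAMPLE = """\
100,999010000001,updateLocation,001010000000001
160,999770000042,anyTimeInterrogation,001010000000001
200,999770000042,provideSubscriberInfo,001010000000001
400,999770000042,updateLocation,001010000000001
500,999550000007,updateLocation,001010000000002
9000,999550000007,updateLocation,001010000000001
"""

def screen(records):
    """Return (alerts, ops_by_origin) for MAP records seen at the home border."""
    alerts, by_origin, last_home_seen = [], defaultdict(list), {}
    for line in records.strip().splitlines():
        ts, gt, op, imsi = line.split(",")
        ts = int(ts)
        if gt.startswith(HOME_GT):
            # Internal traffic: only remember when the subscriber was at home.
            if op == "updateLocation":
                last_home_seen[imsi] = ts
            continue
        home_sub = imsi.startswith(HOME_IMSI)
        reason = None
        if op in INTERNAL_ONLY:
            reason = "internal-only operation from external origin"
        elif op in HOME_TO_SERVING and home_sub:
            reason = "foreign node querying a home subscriber"
        elif op in SERVING_TO_HOME and home_sub:
            seen = last_home_seen.get(imsi)
            if seen is not None and ts - seen < MIN_TRAVEL_S:
                reason = "implausible move out of home network"
        if reason:
            alerts.append((ts, gt, op, imsi, reason))
            by_origin[gt].append(op)   # grouping by origin supports tracing
    return alerts, dict(by_origin)
```
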
An investigation by ''The Guardian'' and the Bureau of Investigative Journalism ... Latifa bint Mohammed Al Maktoum (II) on 3 March 2018, a day before her abduction.
See also
* SS7 probe
* Out-of-band data
* Signaling System No. 5
* Signaling System No. 6