New Encoding Attack Accelerates SS7 Vulnerabilities in Mobile Networks

Mobile networks are grappling with a significant cybersecurity challenge as researchers have unveiled an alarming method that allows attackers to circumvent SS7 protections. This groundbreaking research from Enea’s threat intelligence team, titled “The Good, the Bad, and the Encoding,” illustrates how attackers use encoding techniques to exploit vulnerabilities while remaining undetected.

SS7, or Signaling System 7, is an aging protocol fundamental to global telecommunications, facilitating call connections, text messaging, and network roaming. However, this decades-old system was not built with contemporary security measures in mind. Ongoing initiatives to monitor and patch SS7 traffic have struggled to keep up with the evolving tactics of cybercriminals.

Enea’s findings indicate that by manipulating message encoding, attackers can sidestep standard detection mechanisms, thus posing an increased risk of communications interception or malicious activities. This sophisticated approach allows harmful traffic to masquerade as legitimate, evading the scrutiny of existing SS7 firewalls and monitoring solutions, which can leave network operators vulnerable to threats, including data interception and location tracking.

Adding to the urgency of the situation, Enea’s researchers have identified that a surveillance vendor has successfully deployed this particular encoding technique, initially observed in late 2024, to extract mobile subscriber location data from specific operators. By modifying the format of signaling messages, attackers were able to obfuscate crucial data fields from detection systems, allowing their requests to go undetected.

“The source of the attacks matched a surveillance company we have tracked for many years, and we believe this method has been employed by them,” Enea stated. While the overall success of this attack mechanism remains unclear, the company notes that its potential effectiveness varies with vendor and software specifics.

The persistent reliance on SS7 for roaming and interoperability has cemented the protocol’s continued usage, even as newer technologies like Diameter and 5G signaling become more prevalent. Given that completely abandoning SS7 is impractical for many operators, Enea recommends that network defenders take a proactive stance. Their advice includes monitoring for irregular encoding patterns, reinforcing signaling firewalls, and integrating threat intelligence with behavioral analytics to identify bypass attempts promptly.
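
One way to approach the "monitor for irregular encoding patterns" advice, as an added example that is not from Enea or the original article: SS7 TCAP and MAP payloads are ASN.1 BER, so a monitor can walk each payload and report tags or lengths written in a form a strict encoder would not produce. The article does not say which irregularities were observed, so the checks are generic BER ones, and the function names and sample bytes are constructed for illustration.

```python
# Added example: function names are hypothetical, sample bytes are constructed.

def _walk(buf, pos, end, out, until_eoc=False):
    """Walk BER TLVs in buf[pos:end], appending (offset, reason) to out."""
    while pos < end:
        start = pos
        if until_eoc and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2                      # end-of-contents octets
        first = buf[pos]
        pos += 1
        if first & 0x1F == 0x1F:                # high-tag-number form
            if buf[pos] == 0x80:
                out.append((start, "tag padded with zero septet"))
            tag = 0
            while True:
                octet = buf[pos]
                pos += 1
                tag = (tag << 7) | (octet & 0x7F)
                if not octet & 0x80:
                    break
            if tag < 31:
                out.append((start, "extended tag form for tag number below 31"))
        length = buf[pos]
        pos += 1
        if length == 0x80:                      # indefinite length
            out.append((start, "indefinite length"))
            pos = _walk(buf, pos, end, out, until_eoc=True)
            continue
        if length & 0x80:                       # long form
            raw = buf[pos:pos + (length & 0x7F)]
            pos += length & 0x7F
            length = int.from_bytes(raw, "big")
            if length < 0x80 or raw[:1] == b"\x00":
                out.append((start, "non-minimal long-form length"))
        if pos + length > end:
            out.append((start, "length runs past enclosing element"))
            return end
        if first & 0x20:                        # constructed: descend
            _walk(buf, pos, pos + length, out)
        pos += length
    return pos

def irregular_encodings(buf):
    """Return [(offset, reason)] for encodings a strict encoder would not emit."""
    out = []
    try:
        _walk(buf, 0, len(buf), out)
    except IndexError:
        out.append((len(buf), "truncated element"))
    return out

CANONICAL = bytes.fromhex("300a8008" + "11" * 8)      # constructed sample
IRREGULAR = bytes.fromhex("300c9f008108" + "11" * 8)  # same value, odd tag and length
```

A finding is a reason to log and inspect the message, not proof of an attack, since some legitimate equipment also emits non-minimal BER.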