Editing Signalling System No. 7

{{pp-move|small=yes}}
{{Short description|Set of telephony signaling protocols}}
{{Use American English|date=November 2021}}<!--note that the title uses British spelling as the American invention was popularized by international use-->
{{Infobox technology standard
| title             = Q.700 series
| long_name         = Signaling System No. 7
| image             = 
| caption           = 
| status            = In force
| year_started      = 1984
| version           = (03/93)
| version_date      = March 1993
| preview           = 
| preview_date      = 
| organization      = [[ITU-T]]
| committee         = Study Group XI, WTSC
| base_standards    = 
| related_standards = Q.701, Q.711
| abbreviation      = 
| domain            = [[telephony]]
| license           = 
| website           = https://www.itu.int/rec/T-REC-Q.700
}}
'''Signalling System No. 7''' ('''SS7''') is a set of [[telephony signaling]] protocols developed in the 1970s that is used to [[call setup|setup]] and [[Clearing (telecommunications)|teardown]] telephone calls on most parts of the global [[public switched telephone network]] (PSTN). The protocol also performs number translation, [[local number portability]], prepaid billing, [[Short Message Service]] (SMS), and other services.

The protocol was introduced in the Bell System in the United States by the name ''Common Channel Interoffice Signaling'' in the 1970s for signaling between No. [[4ESS switch]] and No. 4A crossbar toll offices.<ref>{{Cite journal |last1=Cieslak |first1=T. J. |last2=Croxall |first2=L. M. |last3=Roberts |first3=J. B. |last4=Saad |first4=M. W. |last5=Scanlon |first5=J. M. |date=September 1977 |title=No.4E SS: Software Organization and Basic Call Handling |journal=Bell System Technical Journal |language=en |volume=56 |issue=7 |pages=1113–1138 |doi=10.1002/j.1538-7305.1977.tb00558.x}}</ref><ref>{{Cite journal |last1=Kaskey |first1=B. |last2=Colson |first2=J. S. |last3=Mills |first3=R. F. |last4=Myers |first4=F. H. |last5=Raleigh |first5=J. T. |last6=Schweizer |first6=A. F. |last7=Tauson |first7=R. A. |date=February 1978 |title=Common Channel Interoffice Signaling: Technology and Hardware |journal=Bell System Technical Journal |language=en |volume=57 |issue=2 |pages=379–428 |doi=10.1002/j.1538-7305.1978.tb02093.x}}</ref> The SS7 protocol is defined for international use by the Q.700-series recommendations of 1988 by the [[ITU-T]].<ref name="q700">{{cite web |date=1993-03-01 |title=ITU-T Recommendation Q.700 |url=https://www.itu.int/rec/T-REC-Q.700-199303-I/en/}}</ref> Of the many national variants of the SS7 protocols, most are based on variants standardized by the [[American National Standards Institute]] (ANSI) and the [[European Telecommunications Standards Institute]] (ETSI). National variants with striking characteristics are the Chinese and Japanese [[Telecommunication Technology Committee]] (TTC) national variants. 

SS7 has been shown to have several security vulnerabilities, allowing location tracking of callers, interception of voice data, intercept [[Multi-factor authentication|two-factor authentication]] keys, and possibly the delivery of spyware to phones.<ref>{{Cite news |title=It is dangerously easy to hack the world's phones |url=https://www.economist.com/science-and-technology/2024/05/17/it-is-dangerously-easy-to-hack-the-worlds-phones |access-date=2024-05-28 |newspaper=The Economist |issn=0013-0613}}</ref>

The [[Internet Engineering Task Force]] (IETF) has defined the [[SIGTRAN]] protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called ''Pseudo SS7'', it is layered on the [[Stream Control Transmission Protocol]] (SCTP) transport mechanism for use on [[Internet Protocol]] networks, such as the [[Internet]].

In North America, SS7 is also often referred to as ''Common Channel Signaling System 7'' (CCSS7) (or CCS7). In the [[United Kingdom]], it is called ''C7'' (CCITT number 7), ''number 7'' and ''Common Channel Interoffice Signaling 7'' (CCIS7). In Germany, it is often called ''Zentraler Zeichengabekanal Nummer 7'' (ZZK-7).

==History==
[[Signaling System No. 5]] and earlier systems use [[in-band signaling]], in which the call-setup information is sent by generating special [[Multi-frequency signaling|multi-frequency]] tones transmitted on the telephone line audio channels, also known as ''bearer channels''. Since the bearer channels are directly accessible by users, they can be exploited with devices such as the [[blue box]], which can replicate the tones used by the network for call control and routing. As a remedy, SS6 and SS7 implements out-of-band signaling, carried in a separate signaling channel,<ref name=Ronayne/>{{rp|141}} thus keeping the call control and speech paths separate. SS6 and SS7 are referred to as [[common-channel signaling]] (CCS) protocols, or ''Common Channel Interoffice Signaling'' (CCIS) systems.

Another element of in-band signaling addressed by SS7 is network efficiency. With in-band signaling, the voice channel is used during call setup which makes it unavailable for actual traffic. For long-distance calls, the talk path may traverse several nodes which reduces usable node capacity. With SS7, the connection is not established between the end points until all nodes on the path confirm availability. If the far end is busy, the caller gets a busy signal without consuming a voice channel.

Since 1975, CCS protocols have been developed by major telephone companies and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T); in 1977 the ITU-T defined the first international CCS protocol as [[Signaling System No. 6]] (SS6).<ref name=Ronayne>{{cite book|author=Ronayne, John P|date= 1986|title= The Digital Network Introduction to Digital Communications Switching|edition=1|location= Indianapolis|publisher= Howard W. Sams & Co., Inc|isbn= 0-672-22498-4}}</ref>{{rp|145}} In its 1980 Yellow Book Q.7XX-series recommendations ITU-T defined the Signaling System No. 7 as an international standard.<ref name="q700"/> SS7 replaced SS6 with its restricted 28-bit signal unit that was both limited in function and not amenable to digital systems.<ref name=Ronayne/>{{rp|145}} SS7 also replaced [[Signaling System No. 5]] (SS5), while [[Multi-frequency signaling|R1]] and [[R2 signaling|R2]] variants are still used in numerous countries.{{citation needed|date=December 2014}}

The [[Internet Engineering Task Force]] (IETF) defined [[SIGTRAN]] protocols which translate the common channel signaling paradigm to the IP Message Transfer Part (MTP) level 2 (M2UA and M2PA), Message Transfer Part (MTP) level 3 ([[M3UA]]) and Signaling Connection Control Part (SCCP) (SUA).{{citation needed|date=January 2015}} While running on a transport based upon IP, the SIGTRAN protocols are not an SS7 variant, but simply transport existing national and international variants of SS7.<ref name="rfc2716">{{cite IETF |title=Framework Architecture for Signaling Transport|rfc=2719|publisher=[[Internet Engineering Task Force|IETF]]}}</ref>{{clarify|date=January 2015}}

==Functionality==
[[Signaling (telecommunications)|Signaling]] in telephony is the exchange of [[Protocol-control information|control information]] associated with the setup and release of a telephone call on a telecommunications circuit.<ref name=Russell>{{cite book|last=Russell|first=Travis|date=2002|title= Signaling System #7|edition=4|location= New York|publisher= McGraw-Hill|isbn= 978-0-07-138772-9}}</ref>{{rp|318}} Examples of control information are the digits dialed by the caller and the caller's billing number.

When signaling is performed on the same circuit as the conversation of the call, it is termed [[channel-associated signaling]] (CAS). This is the case for analogue trunks, [[multi-frequency]] (MF) and R2 digital trunks, and [[DASS1|DSS1/DASS]] [[Business telephone system#Private branch exchange|PBX]] trunks.{{citation needed|date=December 2014}}

In contrast, SS7 uses [[common channel signaling]], in which the path and facility used by the signaling is separate and distinct from the signaling without first seizing a voice channel, leading to significant savings and performance increases in both signaling and channel usage.{{citation needed|date=December 2014}}

Because of the mechanisms in use by signaling methods prior to SS7 (battery reversal, [[Multi-frequency|multi-frequency digit outpulsing]], [[Robbed-bit signaling|A- and B-bit signaling]]), these earlier methods cannot communicate much signaling information. Usually only the dialed digits are signaled during call setup. For charged calls, dialed digits and charge number digits are outpulsed. SS7, being a high-speed and high-performance packet-based communications protocol, can communicate significant amounts of information when setting up a call, during the call, and at the end of the call. This permits rich call-related services to be developed. Some of the first such services were call management related, [[Call forwarding|call forwarding (busy and no answer)]], [[voice mail]], [[call waiting]], [[conference call]]ing, [[Caller ID|calling name and number display]], [[call screening]], [[malicious caller identification]], [[Automatic callback|busy callback]].<ref name=Russell/>{{rp|Introduction xx}}<!--page xx is in the introduction-->

The earliest deployed upper-layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release of telephone calls.<ref>{{cite web|url=https://www.itu.int/rec/T-REC-Q.700-199303-I/en/|title=ITU-T Recommendation Q.700, section 3.2.1|page=7|date=1993-03-01}}</ref> The [[Telephone User Part]] (TUP) was adopted in Europe and the [[Integrated Services Digital Network]] (ISDN) User Part ([[ISDN User Part|ISUP]]) adapted for [[public switched telephone network]] (PSTN) calls was adopted in North America. ISUP was later used in Europe when the European networks upgraded to the ISDN. {{As of| 2020}} North America has not accomplished full upgrade to the ISDN, and the predominant telephone service is still [[Plain old telephone service|Plain Old Telephone Service]]. Due to its richness and the need for an out-of-band channel for its operation, SS7 is mostly used for signaling between [[Telephone exchange|telephone switches]] and not for signaling between local exchanges and [[customer-premises equipment]].{{citation needed|date=December 2014}}

Because SS7 signaling does not require seizure of a channel for a conversation prior to the exchange of control information, [[Non-Facility Associated Signaling|non-facility associated signaling]] (NFAS) became possible. NFAS is signaling that is not directly associated with the path that a conversation will traverse and may concern other information located at a centralized database such as service subscription, feature activation, and service logic. This makes possible a set of network-based services that do not rely upon the call being routed to a particular subscription switch at which service logic would be executed, but permits service logic to be distributed throughout the telephone network and executed more expediently at originating switches far in advance of call routing. It also permits the subscriber increased mobility due to the decoupling of service logic from the subscription switch. Another ISUP characteristic SS7 with NFAS enables is the exchange of signaling information during the middle of a call.<ref name=Russell/>{{rp|318}}

SS7 also enables Non-Call-Associated Signaling, which is signaling not directly related to establishing a telephone call.<ref name=Russell/>{{rp|319}} This includes the exchange of registration information used between a mobile telephone and a [[Network switching subsystem#Home location register .28HLR.29|home location register]] database, which tracks the location of the mobile. Other examples include [[Intelligent Network]] and [[local number portability]] databases.<ref name=Russell/>{{rp|433}}

===Signaling modes===
Apart from signaling with these various degrees of association with call set-up and the facilities used to carry calls, SS7 is designed to operate in two modes: ''associated mode'' and ''quasi-associated mode''.<ref>{{cite web|url=https://www.itu.int/rec/T-REC-Q.700-199303-I/en/|title=ITU-T Recommendation Q.700|page=4|date=1993-03-01}}</ref>

When operating in the ''associated mode'', SS7 signaling progresses from [[Telephone exchange|switch to switch]] through the Public Switched Telephone Network following the same path as the associated facilities that carry the telephone call. This mode is more economical for small networks. The associated mode of signaling is not the predominant choice of modes in North America.<ref>{{harv|Dryburgh|Hewitt|2004|pp=22–23}}.</ref>

When operating in the ''quasi-associated mode'', SS7 signaling progresses from the originating [[Telephone exchange|switch]] to the terminating switch, following a path through a separate SS7 signaling network composed of [[Signal Transfer Point|signal transfer point]]s. This mode is more economical for large networks with lightly loaded signaling links. The quasi-associated mode of signaling is the predominant choice of modes in North America.<ref>{{harv|Dryburgh|Hewitt|2004|p=23}}.</ref>

==Physical network==
SS7 separates signaling from the voice circuits. An SS7 network must be made up of SS7-capable equipment from end to end in order to provide its full functionality. The network can be made up of several link types (A, B, C, D, E, and F) and three signaling nodes – [[Service switching point|Service Switching Points]] (SSPs), [[Signal Transfer Point]]s (STPs), and [[Service Control Point]]s (SCPs). Each node is identified on the network by a number, a signaling point code. Extended services are provided by a database interface at the SCP level using the SS7 network.{{citation needed|date=December 2014}}

The links between nodes are full-duplex 56, 64, 1,536, or 1,984&nbsp;kbit/s graded communications channels. In Europe they are usually one (64&nbsp;kbit/s) or all (1,984&nbsp;kbit/s) [[timeslot]]s ([[DS0]]s) within an [[E-carrier|E1]] facility; in North America one (56 or 64&nbsp;kbit/s) or all (1,536&nbsp;kbit/s) timeslots ([[DS0A]]s or DS0s) within a [[T-carrier|T1]] facility. One or more signaling links can be connected to the same two endpoints that together form a signaling link set. Signaling links are added to link sets to increase the signaling capacity of the link set.{{citation needed|date=December 2014}}

In Europe, SS7 links normally are directly connected between switching exchanges using F-links. This direct connection is called ''associated signaling''. In North America, SS7 links are normally indirectly connected between switching exchanges using an intervening network of STPs (Signaling Transfer Points). This indirect connection is called ''quasi-associated signaling'', which reduces the number of SS7 links necessary to interconnect all switching exchanges and SCPs in an SS7 signaling network.<ref>{{cite web|url=https://www.itu.int/rec/T-REC-Q.700-199303-I/en/|title=ITU-T Recommendation Q.700, section 2.2.3|pages=4–5|date=1993-03-01}}</ref>

SS7 links at higher signaling capacity (1.536 and 1.984&nbsp;Mbit/s, simply referred to as the 1.5&nbsp;Mbit/s and 2.0&nbsp;Mbit/s rates) are called [[high-speed link]]s (HSL) in contrast to the low speed (56 and 64&nbsp;kbit/s) links. High-speed links are specified in ITU-T Recommendation Q.703 for the 1.5&nbsp;Mbit/s and 2.0&nbsp;Mbit/s rates, and ANSI Standard T1.111.3 for the 1.536&nbsp;Mbit/s rate.<ref name="Q.703"/> There are differences between the specifications for the 1.5&nbsp;Mbit/s rate. High-speed links utilize the entire bandwidth of a T1 (1.536&nbsp;Mbit/s) or E1 (1.984&nbsp;Mbit/s) transmission facility for the transport of SS7 signaling messages.<ref name="Q.703">{{cite web|url=https://www.itu.int/rec/T-REC-Q.703-199607-I/en/|title=ITU-T Recommendation Q.703, Annex A, ''Additions for a national option for high speed signaling links''|publisher=[[International Telecommunication Union]]|pages=81–86}}</ref>

[[SIGTRAN]] provides signaling using [[Stream Control Transmission Protocol|SCTP]] associations over the [[Internet Protocol]].<ref name=Russell/>{{rp|456}} The protocols for [[SIGTRAN]] are [[M2PA]], [[M2UA]], [[M3UA]] and [[Signaling Connection Control Part#Transport over IP Networks|SUA]].<ref>{{cite web|url=https://www.eetimes.com/understanding-the-sigtran-protocol-suite-a-tutorial/?_ga|title=Understanding the Sigtran Protocol Suite: A Tutorial {{!}} EE Times|website=EETimes|date=6 November 2003 |access-date=2016-06-30}}</ref>

==SS7 protocol suite==
{{SS7 stack}}
The SS7 [[protocol stack]] may be partially mapped to the [[OSI Model]] of a packetized digital protocol stack. OSI layers 1 to 3 are provided by the [[Message Transfer Part]] (MTP) and the [[Signaling Connection Control Part]] (SCCP) of the SS7 protocol (together referred to as the Network Service Part (NSP)); for circuit related signaling, such as the [[Interconnect User Part|BT IUP]], [[Telephone User Part (TUP)]], or the [[ISDN User Part]] (ISUP), the User Part provides layer 7. Currently there are no protocol components that provide OSI layers 4 through 6.<ref name="q700"/> The [[Transaction Capabilities Application Part]] (TCAP) is the primary SCCP User in the Core Network, using SCCP in connectionless mode. SCCP in connection oriented mode provides transport layer for air interface protocols such as BSSAP and [[RANAP]]. TCAP provides transaction capabilities to its Users (TC-Users), such as the [[Mobile Application Part]], the [[INAP|Intelligent Network Application Part]] and the [[Camel Application Part|CAMEL Application Part]].{{citation needed|date=December 2014}}

The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network interface, information transfer, message handling and routing to the higher levels. Signaling Connection Control Part (SCCP) is at functional Level 4. Together with MTP Level 3 it is called the Network Service Part (NSP). SCCP completes the functions of the OSI network layer: end-to-end addressing and routing, connectionless messages (UDTs), and management services for users of the Network Service Part (NSP).<ref>{{cite web|url=https://www.itu.int/rec/T-REC-Q.711-200103-I/en/|title=ITU-T Recommendation Q.711, section 1|page=1-2}}</ref> Telephone User Part (TUP) is a link-by-link signaling system used to connect calls. ISUP is the key user part, providing a circuit-based protocol to establish, maintain, and end the connections for calls. Transaction Capabilities Application Part (TCAP) is used to create database queries and invoke advanced network functionality, or links to Intelligent Network Application Part (INAP) for intelligent networks, or Mobile Application Part (MAP) for mobile services.

===BSSAP===
'''BSS Application Part''' ('''BSSAP''') is a protocol in SS7 used by the [[Network switching subsystem#Mobile switching center (MSC)|Mobile Switching Center]] (MSC) and the [[Base station subsystem]] (BSS) to communicate with each other using signaling messages supported by the [[Message_Transfer_Part|MTP]] and [[Connection-oriented communication|connection-oriented services]] of the [[Signaling_Connection_Control_Part|SCCP]]. For each active [[Mobile station|mobile equipment]] one signaling connection is used by BSSAP having at least one active transactions for the transfer of messages.<ref>{{cite web|url=https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2759|title=3GPP TS 48.008, Mobile Switching Centre - Base Station System (MSC-BSS) interface; Layer 3 specification}}</ref> 

BSSAP provides two kinds of functions:

* The BSS Mobile Application Part (BSSMAP) supports procedures to facilitate communication between the MSC and the BSS pertaining to resource management and [[handover]] control.
* The Direct Transfer Application Part (DTAP) is used for transfer of those messages which need to travel directly to mobile equipment from MSC bypassing any interpretation by BSS. These messages are generally pertaining to [[mobility management]] (MM) or [[call management]] (CM).

==Protocol security vulnerabilities==
In 2008, several SS7 vulnerabilities were published that permitted the tracking of mobile phone users.<ref>Archived at [https://ghostarchive.org/varchive/youtube/20211211/OEcW4HlrpYE Ghostarchive]{{cbignore}} and the [https://web.archive.org/web/20120113174147/http://www.youtube.com/watch?v=OEcW4HlrpYE&gl=US&hl=en Wayback Machine]{{cbignore}}: {{cite web|last1=Engel|first1=Tobias|title=Locating Mobile Phones using SS7|url=https://www.youtube.com/watch?v=OEcW4HlrpYE|website=Youtube|publisher=25th Chaos Communication Congress (25C3)|access-date=2016-04-19|format=Video|date=2008-12-27}}{{cbignore}}</ref>

In 2014, the media reported a protocol vulnerability of SS7 by which anyone can [[cell phone tracking|track the movements of mobile phone users]] from virtually anywhere in the world with a success rate of approximately 70%.<ref>{{cite news|url=https://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html |title=For sale: Systems that can secretly track where cellphone users go around the globe|last1=Timburg|first1=Craig|newspaper=[[The Washington Post]]|date=24 August 2014|access-date=27 December 2014}}</ref> In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded.<ref>{{cite news|last1=Timburg|first1=Craig|title=German researchers discover a flaw that could let anyone listen to your cell calls.|url=https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/ |newspaper=[[The Washington Post]]|date=18 December 2014|access-date=19 December 2014}}</ref> The software tool ''SnoopSnitch'' can warn when certain SS7 attacks occur against a phone,<ref>SnoopSnitch is for [[Rooting (Android)|rooted]] Android mobile phones with [[List of Qualcomm Snapdragon systems-on-chip|Qualcomm chip]]</ref> and detect [[IMSI-catcher]]s that allow call interception and other activities.<ref>{{cite web|url=https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf |archive-url=https://web.archive.org/web/20141231144037/https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf |archive-date=2014-12-31 |url-status=live |title=Mobile self-defence|author=Karsten Nohl|publisher=Chaos Communication Congress|date=2014-12-27}}</ref><ref>{{cite web |title=SnoopSnitch |work=[[Google Play]] |date=August 15, 2016 |url=https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch }}</ref>

In February 2016, 30% of the network of the largest mobile operator in Norway, [[Telenor]], became unstable due to "unusual SS7 signaling from another European operator".<ref>{{cite web|url=https://www.mynewsdesk.com/no/telenor/pressreleases/feilen-i-mobilnettet-er-funnet-og-rettet-1322239|title=Feilen i mobilnettet er funnet og rettet|date=21 February 2016 |language=no|publisher=Telenor ASA}}</ref><ref>{{cite web|url=https://www.digi.no/artikler/et-ondsinnet-angrep-mot-telenor-ville-hatt-samme-konsekvens/320604|title=SS7 signalering – Et ondsinnet angrep mot Telenor ville hatt samme konsekvens|date=22 February 2016 |language=no|publisher=digi.no / Teknisk Ukeblad Media AS|access-date=2024-09-23|archive-date=2022-09-26|archive-url=https://web.archive.org/web/20220926062502/https://www.digi.no/artikler/et-ondsinnet-angrep-mot-telenor-ville-hatt-samme-konsekvens/320604|url-status=live}}</ref>

The security vulnerabilities of SS7 have been highlighted in U.S. governmental bodies, for example when in April 2016 Congressman [[Ted Lieu]] called for an oversight committee investigation.<ref>{{cite news |title=US congressman calls for investigation into vulnerability that lets hackers spy on every phone |work=[[The Guardian]] |date=April 19, 2016 |url=https://www.theguardian.com/technology/2016/apr/19/ss7-hack-us-congressman-calls-texts-location-snooping }}</ref>

In May 2017, [[Telefónica Germany|O2 Telefónica]], a German mobile service provider, confirmed that the SS7 vulnerabilities had been exploited to bypass [[two-factor authentication]] to achieve unauthorized withdrawals from bank accounts. The perpetrators installed [[Trojan horse (computing)|malware]] on compromised computers, allowing them to collect online banking account credentials and telephone numbers. They set up redirects for the victims' telephone numbers to telephone lines controlled by them. Confirmation calls and SMS text messages of two-factor authentication procedures were routed to telephone numbers controlled by the attackers. This enabled them to log into victims' online bank accounts and effect money transfers.<ref>{{Cite news|url=http://thehackernews.com/2017/05/ss7-vulnerability-bank-hacking.html|title=Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts|last=Khandelwal|first=Swati|work=The Hacker News|access-date=2017-05-05|language=en-US}}</ref>

In March 2018, a method was published for the detection of the vulnerabilities, through the use of [[Open-source software|open-source]] monitoring software such as [[Wireshark]] and [[Snort (software)|Snort]].<ref>{{Cite news|url=http://darfe.es/joomla/index.php/descargas/viewdownload/5-seguridad/1353-analisis-de-ataques-vulnerabilidades-ss7-sigtran-empleando-wireshark-y-o-tshark-y-snort-es|title=Análisis de ataques/vulnerabilidades SS7/Sigtran empleando Wireshark (y/o tshark) y Snort|last=Corletti Estrada|first=Alejandro|work=Metodología de detección de vulnerabilidades SS7/Sigtran|access-date=2018-03-31|language=es-ES|archive-date=2018-04-03|archive-url=https://web.archive.org/web/20180403173537/http://darfe.es/joomla/index.php/descargas/viewdownload/5-seguridad/1353-analisis-de-ataques-vulnerabilidades-ss7-sigtran-empleando-wireshark-y-o-tshark-y-snort-es|url-status=dead}}</ref><ref>{{Cite news|url=http://darfe.es/joomla/index.php/descargas/viewdownload/5-seguridad/1354-analysis-of-attacks-vulnerabilities-ss7-sigtran-using-wireshark-and-or-tshark-and-snort-en|title=Analysis of attacks/vulnerabilities SS7/Sigtran using Wireshark (and/or tshark) and Snort|last=Corletti Estrada|first=Alejandro|work=Vulnerability detection methodology SS7/Sigtran|access-date=2018-03-31|language=en-US|archive-date=2018-04-03|archive-url=https://web.archive.org/web/20180403173728/http://darfe.es/joomla/index.php/descargas/viewdownload/5-seguridad/1354-analysis-of-attacks-vulnerabilities-ss7-sigtran-using-wireshark-and-or-tshark-and-snort-en|url-status=dead}}</ref><ref>{{Cite web|url=https://www.smtechub.com/ss7-attack/|title=Definitive guide to SS7/Sigtran Attack and Preventive Measures|work=Full Research on SS7/Sigtran Attack Vector, Exploits and Preventive Measures|date=2019-01-28|access-date=2020-07-03|language=en-US}}</ref> The nature of SS7 normally being used between consenting network operators on dedicated links means that any bad actor's traffic can be traced to its source.

An investigation by ''[[The Guardian]]'' and the [[Bureau of Investigative Journalism]] revealed that the SS7 protocol was exploited in an attempt to locate Sheikha [[Latifa bint Mohammed Al Maktoum (II)]] on 3 March 2018, a day before her abduction.<ref name="TBIJ_20201216">{{Cite web|date=16 December 2020|title=Spy companies using Channel Islands to track phones around the world|url=https://www.thebureauinvestigates.com/stories/2020-12-16/spy-companies-using-channel-islands-to-track-phones-around-the-world|url-status=live|archive-url=https://web.archive.org/web/20201219144441/https://www.thebureauinvestigates.com/stories/2020-12-16/spy-companies-using-channel-islands-to-track-phones-around-the-world|archive-date=19 December 2020|access-date=19 December 2020|quote=Data reviewed by the Bureau shows that a series of signals designed to reveal phone location were sent to a US-registered mobile belonging to the yacht's skipper, Hervé Jaubert, the day before commandos stormed the yacht and seized the princess. The effort appears to have been part of a huge bid by the Emiratis – mobilising boats, a surveillance plane and electronic means – to track down the fleeing princess. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos and the USA.}}</ref>

In 2024, Kevin Briggs, an official at the [[Cybersecurity and Infrastructure Security Agency]], reported to the [[Federal Communications Commission|FCC]] that hacks related to SS7 and [[Diameter (protocol)|Diameter]] had been used in "numerous attempts" to acquire location data, voice and text messages; to deliver spyware; and to influence voters in the US.<ref>{{Cite news |title=It is dangerously easy to hack the world's phones |url=https://www.economist.com/science-and-technology/2024/05/17/it-is-dangerously-easy-to-hack-the-worlds-phones |access-date=2024-05-28 |newspaper=The Economist |issn=0013-0613}}</ref> In December 2024, U.S. senator [[Ron Wyden]] released information showing that the [[United States Department of Homeland Security]] believes China, Russia, Iran, and Israel are the primary countries exploiting SS7 for espionage.<ref>{{Cite web |last=Cox |first=Joseph |date=2024-12-17 |title=DHS Says China, Russia, Iran, and Israel Are Spying on People in US with SS7 |url=https://www.404media.co/dhs-says-china-russia-iran-and-israel-are-spying-on-people-in-us-with-ss7/ |access-date=2024-12-19 |website=[[404 Media]] |language=en}}</ref>

==See also==
{{Portal|Telephones}}
*[[SS7 probe]]
*[[Out-of-band data]]
*[[Signaling System No. 5]]
*[[Signaling System No. 6]]

==References==
{{Reflist}}

==Further reading==
<!-- Alphabetical, reverse-chronological order please. -->
<!--
* {{cite book
|last=Dryburgh
|first=Lee
|author2=Jeff Hewitt
 |title=Signaling System No. 7 (Ss7/C7)
|year=2007
|publisher=Cisco Press
|location=Indianapolis
|isbn=978-1-58705-357-3}} -->
* {{cite book
|last1=Dryburgh
|first1=Lee
|last2=Hewitt
|first2=Jeff
|title=Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Services
|year=2004
|publisher=Cisco Press
|location=Indianapolis
|isbn=1-58705-040-4
}}
* {{cite book
|last=Ronayne
|first=John P.
|title=Introduction to Digital Communications Switching
|edition=1st
|year=1986
|publisher=Howard W. Sams & Co., Inc.
|location=Indianapolis
|isbn=0-672-22498-4
|chapter=The Digital Network
}}
<!-- * {{cite book
|last=Russell
|first=Travis
|title=Signaling System #7
|year=2006
|edition=5th
|publisher=McGraw-Hill
|location=New York
|isbn=978-0-07-146879-4}} -->
* {{cite book
|last=Russell
|first=Travis
|title=Signaling System #7
|year=2002
|edition=4th
|publisher=McGraw-Hill
|location=New York
|isbn=978-0-07-138772-9
}}
* {{Cite AV media
|url=https://www.youtube.com/watch?v=wVyu7NB7W6Y
|title=Exposing The Flaw In Our Phone System
|date=2024-09-21
|last=[[Derek Muller|Veritasium]]
|access-date=2024-09-24
|via=[[YouTube]]}}

{{telecommunications}}
{{Telsigs}}

[[Category:Computer-related introductions in 1984]]
[[Category:ITU-T recommendations]]
[[Category:Signaling System 7]]
[[Category:Telephony]]
[[Category:Network protocols]]
[[Category:Telephony signals]]