SS7 HACK

What is SS7 Hack or SS7 Attack?

SS7 or signaling system 7 hack is the process of receiving calls or SMS of a real subscriber, on another mobile number, or in an application. For many services (e.g. banking etc.), a person is verified by using SMS or a voice call.  If, somehow call and SMS can be routed to another number, then it is possible to hack.

We will explain the ss7 protocol and call flow for receiving calls and SMS over another number/application. 

The SS7 vulnerability makes the network vulnerable to SMS and voice hacking. Additionally, once a person gains access to the ss7 network, real-time location can be determined for a phone number.

SS7 is the traditional network that uses standard ISUP and MAP protocols for calls and SMS, respectively.

SS7 hack is not simple as it looks. People claim to install software and then just enter a phone number to hack SMS or calls.  Getting calls and SMS via a hack is the process of connecting to the ss7 network and running an application so that the home network of an original subscriber gets the impression that the software is the roaming VLR/MSC node in a network. The first step is to get the ss7 connection.

Get an SS7 Connection for the hack:

Get SS7 Global Title and Point Code: For an SS7 connection, one should have a Global Title and a point code (international), a local point code (local, between you and the mobile operator )can be used, depending on the ss7 connection provider. If a mobile operator, get this from the standard GSM body. New network code is assigned by gsm, so you can have a wide range of global titles or MSISDNs and IMSIs.

If not a mobile operator, one can take a global title on lease from a mobile operator. Once you have GT, now there are the following options.

SS7 connection via an aggregator: You can connect to an SS7 aggregator, and they can publish your GT on all networks. So any traffic coming to your GT will be forwarded by the aggregator towards your node or application. Most MVNOs do this. They have GT ranges published to an aggregator for connecting mobile network operators globally.

Directly with a Mobile Operator: You will have direct links with mobile operators, and each will set routing for your GT towards the serving node. In this, you need to connect each mobile operator Individually.

SS7 vs. Sigtran:

If you are using pure SS7 (E1/T1), then the box with the application should be on the premises of mobile operators. If using SIGTRAN, which is IP-based, You can have your box in a data center on the cloud.

Ss7 hack tool or Software:

Once one has an ss7 connection. Now time to develop an ss7 application over GSM MAP signaling. SDK for ss7 provides the required ss7 stack and libraries for developing ss7 hack software.  Before developing the application, first, finalize the requirements. 

If one wants to receive SMS, then the application should be developed to handle protocol messages for SMS. Now the ss7 application will simulate a real device.

Application Registration as a real phone:

The first step is registering the application as a real phone in the roaming network. This requires the IMSI of the sim card to which the mobile number belongs. 

The mobile number is public information, while IMSI doesn’t. So the first step is to get IMSI from the phone number. A hacking Application sends SRI-SM with the phone number to the HLR, which sends IMSI and roaming information in response. Roaming information includes the county code and area code.

From IMSI, the application builds the location update along with other parameters. Then open a TCAP dialogue to the SS7 node. The open dialogue must fill SCCP called party address and SCCP Calling party address. Called Party address is derived from IMSI, and the calling party address is the GT of the software application.

During Update Location, HLR will respond with ISD or Insert Subscriber Data. The software application must acknowledge the ISD to the HLR, or the update location procedure will fail, and the application will not attach as a phone.  One HLR sends an update location ACK, which means registration is done.

SS7 Hack for SMS:

Once the application is registered with the home network. The global title of ss7 hack software gets updated on the home HLR as an outcome of the update location procedure.

When a request for authentication for mobile terminated SMS starts. HLR gets the SRI-SM query from the hack application, in the response of SRI-SM, HLR sends have visiting MSC number and IMSI. In our scenario, the MSC number is the GT of the application.

The sender SMS will send the SMS to the software application using the MSC number. Now it is the application’s responsibility to decode the message and display the message as a user-readable string. Now you have the authentication code you were looking for.

SS7 Hack for Voice: 

For voice, after phone registration call flow. The hack software should activate the call forwarding to the new number. While activating call forwarding, the ss7 hack tool can send the type of call forwarding and the mobile number where the hacker wants to receive the call.  The call forwarding type can be “Call Forwarding Unconditionally”. This will enable call forwarding all the time.  In this case, even the mobile user never comes to know that his call has been hacked. After voice verification, the call forwarding can be removed.

SS7 hack applications examples:

Any application which required user verification from SMS or voice can be hacked by the ss7 network. We will cover the ss7 call flows for WhatsApp and Facebook.

ss7 hack Whatsapp:

Whatsapp is used everywhere. It does the message and file transfer over the IP network. It connects your phone book to the others using phone numbers. So no need to add a contact explicitly.  Like in skype, we need to create an account and need to add other skype ids before any communication. But with this app, the phone number is the profile id.  Installation of WhatsApp requires user authentication via SMS. 

If WhatsApp needs to hack, after installation, run the ss7 hack software app and receive the authentication message on the hack software app.  Enter the code in installed WhatsApp. Now you can have messages on your WhatsApp, while the number belongs to another guy.

ss7 hack Facebook:

Facebook also does authentication via SMS. One can get SMS on an ss7 hack software.