Since the bearer channels are directly accessible by users, they can be exploited with devices such as the blue box, which can replicate the tones used by the network for call control and routing.
With in-band signaling, the voice channel is used during call setup which makes it unavailable for actual traffic.
[6][clarification needed] Signaling in telephony is the exchange of control information associated with the setup and release of a telephone call on a telecommunications circuit.
[7]: Introduction xx The earliest deployed upper-layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release of telephone calls.
[8] The Telephone User Part (TUP) was adopted in Europe and the Integrated Services Digital Network (ISDN) User Part (ISUP) adapted for public switched telephone network (PSTN) calls was adopted in North America.
It also permits the subscriber increased mobility due to the decoupling of service logic from the subscription switch.
In North America, SS7 links are normally indirectly connected between switching exchanges using an intervening network of STPs (Signaling Transfer Points).
High-speed links utilize the entire bandwidth of a T1 (1.536 Mbit/s) or E1 (1.984 Mbit/s) transmission facility for the transport of SS7 signaling messages.
SCCP in connection oriented mode provides transport layer for air interface protocols such as BSSAP and RANAP.
[citation needed] The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network interface, information transfer, message handling and routing to the higher levels.
ISUP is the key user part, providing a circuit-based protocol to establish, maintain, and end the connections for calls.
[16] BSSAP provides two kinds of functions: In 2008, several SS7 vulnerabilities were published that permitted the tracking of mobile phone users.
[17] In 2014, the media reported a protocol vulnerability of SS7 by which anyone can track the movements of mobile phone users from virtually anywhere in the world with a success rate of approximately 70%.
[18] In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded.
[19] The software tool SnoopSnitch can warn when certain SS7 attacks occur against a phone,[20] and detect IMSI-catchers that allow call interception and other activities.
[23][24] The security vulnerabilities of SS7 have been highlighted in U.S. governmental bodies, for example when in April 2016 Congressman Ted Lieu called for an oversight committee investigation.
[25] In May 2017, O2 Telefónica, a German mobile service provider, confirmed that the SS7 vulnerabilities had been exploited to bypass two-factor authentication to achieve unauthorized withdrawals from bank accounts.
The perpetrators installed malware on compromised computers, allowing them to collect online banking account credentials and telephone numbers.
Confirmation calls and SMS text messages of two-factor authentication procedures were routed to telephone numbers controlled by the attackers.
[26] In March 2018, a method was published for the detection of the vulnerabilities, through the use of open-source monitoring software such as Wireshark and Snort.
[27][28][29] The nature of SS7 normally being used between consenting network operators on dedicated links means that any bad actor's traffic can be traced to its source.
[30] In 2024, Kevin Briggs, an official at the Cybersecurity and Infrastructure Security Agency, reported to the FCC that hacks related to SS7 and Diameter had been used "numerous attempts" to acquire location data, voice and text messages, deliver spyware, and influence voters in the US.
[31] In December 2024, U.S. senator Ron Wyden released information showing that the United States Department of Homeland Security believes China, Russia, Iran, and Israel are the primary countries exploiting SS7 for espionage.