What Is SS7 and Why It Still Matters
Signalling System No. 7 (SS7) has been a cornerstone of global mobile communication for decades. Originally developed in the 1970s and standardised in the 1980s, it was built for a world where telecom networks were state-owned, access was tightly controlled, and trust among operators was assumed.
Security, in this context, was not a design priority. The SS7 signalling protocol, has critical vulnerabilities due to its outdated design: it lacks authentication and encryption, making it easier for attackers to intercept messages, track locations, and reroute calls or texts. These flaws still pose risks today because SS7 remains widely used, especially for SMS-based two-factor authentication and essential services like voice calls, SMS, and mobile roaming. SS7 uses out-of-band signalling, meaning control messages travel on separate channels from voice data. It comprises a protocol suite with a number of functional areas including Mobile Application Part (MAP) operations, which functions similarly to API calls, enabling telecom infrastructure nodes to exchange subscriber and network information.
A Protocol Built on Trust, Now Under Pressure
The telecom environment has changed dramatically. Access to SS7 is no longer limited to national carriers. Through Global Title (GT) leasing, entities can obtain SS7 access, sometimes without proper identity verification. GTs, which act like IP addresses for telecom infrastructure, are now leased globally. They’re unique identifiers used to route signalling messages across networks and allow messages to be routed without knowing the exact physical destination. This shift has created opportunities for abuse, making it easier for attackers to operate anonymously or under the guise of legitimate operators.
To address this issue, GSMA members have developed a GT leasing Code of Conduct reference document (FS.52) that describes GT leasing motivations, benefits, issues and concerns. The document, which can be accessed here, also contains a code of conduct detailing requirements and guidelines intended to minimise risks associated with GT leasing. GT lessors and transit carriers involved in GT leasing arrangements are invited to voluntarily declare to the GSMA that they adhere to the GT leasing code of conduct, as evidence of their commitment to routing transparency and to reduce the risks for mobile network operators and their customers.
The Visibility Gap and the Rise of SS7 Firewalls
For years, SS7 traffic remained largely invisible to traditional security teams. The complexity of the data, the lack of mature tools, and the divide between telecom and IT security created significant blind spots.
This began to shift with the introduction of SS7 firewalls in the mid-2010s. These firewalls brought programmable logic and industry-standard protections to telecom networks. They enabled operators to detect and block malicious traffic, while also providing visibility into attacker behaviour through tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs).
GMSA T-ISAC: Leading the Charge in Threat Intelligence
A major turning point in SS7 security came with the leadership of GMSA T-ISAC, the GSMA Telecommunication Information Sharing and Analysis Center. Since 2022, T-ISAC has played a pivotal role in transforming how telecom operators share and act on threat intelligence.
T-ISAC developed and maintains a centralised intelligence-sharing platform that enables telecom providers to exchange SS7-related Indicators of Compromise (IoCs), attack patterns, and threat actor profiles. This platform has become the backbone of collaborative defence in the telecom sector, allowing operators to move from isolated detection to coordinated response.
By 2024, the ecosystem expanded further with the introduction of commercial intelligence feeds, many powered by AI. These feeds now complement the T-ISAC platform, enhancing attacker profiling and enabling faster, more accurate detection.
Integrating SS7 into Modern Security Operations
The integration of SS7 data into broader security operations has been another key advancement. Security Information and Event Management (SIEM) systems now ingest curated SS7 events, making them searchable and can correlate with other data sources. This supports advanced detection use cases and long-term data retention.
Campaign identification is now possible by analysing patterns across multiple GTs. When foreign GTs target a shared list of victims using identical methodologies, it becomes clear that a coordinated campaign is underway. Threat actor attribution has also improved. By combining metadata and operational behaviour, analysts can link activity to known threat actors or ongoing campaigns.
Automated response is perhaps the most transformative development. With SS7 data integrated into SOAR platforms, reactive mitigation actions can be taken directly on firewalls. Malicious GTs can be blocked or tagged in real time.
A New Era for Telecoms Security
SS7 security has come a long way. What was once a legacy protocol with limited oversight is now part of a dynamic, intelligence-driven security ecosystem. Thanks to the guidance of GMSA T-ISAC and the growing collaboration among telecom operators, SS7 security is increasing globally. This shift is not limited to SS7. Similar trends are emerging for other telecom protocols like Diameter and GTP, as the industry embraces a more proactive and unified approach to security.
Jeremy Schmidt
Cyber Security and Incident Response Specialist
Proximus Ada