The flaw in the phone network that finds anyone, anywhere — SS7 and fake towers

Published Jun 26, 2026 by Xiph

There is a comforting assumption baked into the way most of us use our phones: that the call you make, the text you send, and the place you happen to be standing are private by default. They are not. Beneath every mobile call and SMS sits a set of signalling protocols designed in an era when the global phone network was a small club of state-run carriers who all trusted one another. That trust was never removed — it was simply scaled up to billions of devices. The result is a network that, in the wrong hands, can be made to find almost anyone, almost anywhere, often from the other side of the world. Understanding why is the difference between assuming your carrier protects you and knowing that, at the network layer, it largely cannot.

What is SS7, and why does it trust everyone?

SS7 — Signalling System 7 — is the protocol suite that lets phone networks talk to one another behind the scenes. Dreamed up in the 1970s and rolled out through the 1980s, it handles the invisible plumbing of mobility: setting up calls, routing your texts, and — critically — working out which tower your phone is near so the network can deliver a call to you as you move between cities and countries. When you land overseas and your phone connects to a local carrier, SS7 is what tells your home network where to send your calls. Roaming, in a word.

The problem is the founding assumption. SS7 was built for a closed world of a few hundred trusted national operators. There was no need to verify that a request genuinely came from a legitimate carrier, because everyone on the network was, by definition, legitimate. That world is long gone. Today there are thousands of operators, resellers, and intermediaries with SS7 access, and the protocol still does what it was designed to do: it trusts whoever connects to it. Ask the network politely, in the right format, where a given phone number is, and it will frequently tell you — no warrant, no authentication, no alert to the person being located.

Surveillance-for-hire: location from the other side of the planet

This is not a theoretical weakness. There is an entire industry built on it. Surveillance-for-hire firms lease SS7 access and sell the ability to track a phone's location, intercept its texts, and in some cases listen to its calls, all without ever going near the target or asking their carrier's permission.

One well-documented example is Circles, a firm affiliated with the notorious spyware vendor NSO Group. Rather than planting malware on a handset the way NSO's Pegasus does, Circles exploits the weaknesses and lack of authentication in the ageing SS7 system that handles call setup and routing between telcos worldwide. Researchers at the University of Toronto's Citizen Lab traced its customers around the globe by fingerprinting the firewalls Circles deploys.

The detail that should give Australians pause: among the 25 governments Citizen Lab identified as likely Circles customers was Australia, with the relevant system hosted on Optus and TPG networks and geolocated to Canberra. Whoever was operating it, the point stands — this capability is not confined to far-off regimes. It is present here, and it is for sale.

The reason it is so hard to stamp out comes back to economics. SS7 attacks are difficult to block because it is challenging and expensive for telcos to tell malicious signalling traffic apart from genuine subscriber traffic. From the network's point of view, a tracking query and a legitimate roaming request can look almost identical.
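One of the checks a signalling firewall can run to separate a forged registration from genuine roaming is a velocity check on UpdateLocation messages: a registration from a network the subscriber could not physically have reached since their last accepted one is flagged. The example below is added here and is not the article's or any vendor's code; the country centroids, speed ceiling and sample events are constructed, and only the MAP operation names are real.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Approximate country centroids (lat, lon), constructed for this sample.
# A real firewall would key on the sending network's global title instead.
COORDS = {"AU": (-25.3, 133.8), "SG": (1.35, 103.8), "GB": (54.0, -2.0)}
MAX_SPEED_KMH = 1000.0  # faster than any airliner; anything above is implausible

@dataclass
class SignallingEvent:
    t: float      # seconds since epoch (constructed)
    imsi: str
    op: str       # MAP operation name, e.g. "UpdateLocation"
    origin: str   # country of the network that sent the request

def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def velocity_check(events: List[SignallingEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (imsi, op, origin, verdict) per event. Only UpdateLocation moves
    a subscriber; a registration is flagged when the implied travel speed from
    the last accepted location exceeds MAX_SPEED_KMH. Flagged registrations do
    not update the subscriber's location, so a forged one cannot poison later checks."""
    last: Dict[str, SignallingEvent] = {}
    out = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.op != "UpdateLocation":
            out.append((ev.imsi, ev.op, ev.origin, "not-checked"))
            continue
        prev = last.get(ev.imsi)
        if prev is None or prev.origin == ev.origin:
            verdict = "allow"
        else:
            km = haversine_km(COORDS[prev.origin], COORDS[ev.origin])
            hours = max((ev.t - prev.t) / 3600.0, 1e-9)
            verdict = "allow" if km / hours <= MAX_SPEED_KMH else "flag"
        if verdict == "allow":
            last[ev.imsi] = ev
        out.append((ev.imsi, ev.op, ev.origin, verdict))
    return out

# Constructed sample: home registration, a plausible trip to Singapore ten hours
# later, then a registration from the UK twenty minutes after that.
SAMPLE = [
    SignallingEvent(0.0, "505010000000001", "UpdateLocation", "AU"),
    SignallingEvent(36000.0, "505010000000001", "UpdateLocation", "SG"),
    SignallingEvent(37200.0, "505010000000001", "UpdateLocation", "GB"),
    SignallingEvent(37500.0, "505010000000001", "SendRoutingInfoForSM", "GB"),
]

def run_sample() -> List[str]:
    return [verdict for *_, verdict in velocity_check(SAMPLE)]
```

A velocity check alone does not catch every forged message, which is part of why the article's point about cost holds: queries that legitimately arrive from anywhere need other checks.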

Fake towers: the threat standing right next to you

If SS7 is the remote threat, the cell-site simulator is the local one. Better known as an IMSI catcher — or by brand and slang names like Stingray, dirtbox, or “the box” — these devices do something deceptively simple. They impersonate a legitimate mobile tower, broadcasting a stronger signal than the real ones nearby so that every handset within range connects to them instead.

Once your phone connects, the operator can capture its IMSI — the unique identifier tied to your SIM — along with everyone else's in the vicinity. Depending on the device, they can track who is present at a location, log device identifiers, intercept texts and calls, and in some configurations push the connection down to an older, weaker network so it is easier to attack. This is the “downgrade attack,” and it is exactly why simply having a modern 4G or 5G phone is not the protection people assume it is.

IMSI catchers are not exotic military kit. They have turned up at embassies, airports, protests, and sporting events. In Australia, civil liberties groups have warned that police may deploy tower simulators at protests to sweep up the device identifiers of everyone present and work backwards to identities. When the Australian Federal Police were asked under Freedom of Information laws to detail their use of IMSI catchers, the request was refused — a level of secrecy that, as privacy advocates note, contrasts sharply with the more open disclosure required of some overseas forces.

Didn't the 3G shutdown fix this?

It is a fair question, and the answer is a frustrating “not really.” When Telstra and Optus switched off their 3G networks on 28 October 2024, following TPG/Vodafone, the official line was that retiring the old technology made networks faster and more secure. It did remove some of the weakest legacy attack surface. But it did not close the door.

Two things keep the risk alive. First, SS7-style signalling still underpins international roaming and interconnect globally — your traffic routinely crosses networks and borders where the old trust assumptions persist. Newer 4G networks use a protocol called Diameter, but it inherits many of the same authentication weaknesses. Second, IMSI catchers actively force handsets onto whatever network they can attack. The shutdown changed the furniture; the foundations are the same.

Salt Typhoon: when the advice becomes “assume the carrier is compromised”

If you needed proof that the carrier layer cannot be trusted to keep your communications private, the Salt Typhoon campaign provided it. The China-linked group penetrated major telecommunications providers — in the United States, the list reportedly included AT&T and Verizon — and burrowed so deeply into the network plumbing that, months on, officials could not say with certainty the intruders had been evicted. They reached call records, the private communications of targeted individuals, and even the systems carriers use to service lawful wiretap requests.

The response from Western agencies marked a genuine reversal. The same FBI that spent years arguing for back doors into encryption changed its tune entirely. Its advice, and CISA's, amounted to this: stop relying on the network to keep you private, and use encryption, because even if an adversary intercepts the data it stays unreadable. As one senior CISA official put it bluntly, “Encryption is your friend.” The interagency guidance that followed was co-signed by partners including Australia, Canada and New Zealand — so this is squarely Australia's problem too.

Strip away the diplomacy and the message is stark: assume the carrier layer is compromised, and encrypt end-to-end so it doesn't matter.

What you can realistically do about it

You cannot personally patch a 1970s protocol, and you cannot stop a tower simulator from being switched on near you. What you can do is make yourself a far harder target — and decouple your private communications from a network you have no reason to trust. The principle is the one the FBI landed on: stop depending on the carrier for confidentiality, and build it in yourself.

  • Encrypt your communications end-to-end. If your calls and messages are encrypted before they ever touch the network, SS7 interception and fake towers capture nothing but noise. Purpose-built Salt secure communications are designed so that the operator of the tower — whoever they are — simply does not have the keys.

  • Decouple your identity from your number. Much of this surveillance starts with one thing: your phone number, tied to your name. Private SIM cards and eSIMs break that link, so a number queried over SS7 doesn't resolve to you, your home network, or your movements.

  • Harden the handset itself. A device running a security-focused operating system, with the radio behaviour locked down and downgrade attacks blocked, removes much of what an IMSI catcher relies on. Our GrapheneOS hardened handsets and ultra-secure phones are built for exactly this threat.

  • Go dark when you need to. A Faraday sleeve physically blocks every signal in and out of a device. No connection means no tower to impersonate and no location to leak — useful for sensitive meetings, travel, or any moment you simply do not want to be findable.

  • Ditch SMS for anything sensitive. Two-factor codes sent by text can be intercepted over SS7. Move to app-based or hardware authentication.

A final word

SS7 and the fake tower are uncomfortable to write about because there is no patch coming. These are structural flaws in the way the world's phone networks were built and the way they still operate, and the surveillance industry that profits from them is well funded and entirely legal in many places. The honest conclusion is the one the FBI reached the hard way: you cannot make the carrier layer trustworthy, so you stop relying on it. Encrypt what matters, separate your identity from your number, harden the device in your pocket, and the question of who owns the tower stops mattering.

If you would like help working out where your business or your people are exposed at the network layer — and putting private SIMs, hardened handsets, and encrypted communications in place — our team can help. Explore our cyber security consulting, or get in touch at enquiries@xiphcyber.com.
