
Mobile Threats 2025 : SS7 and Diameter


The Core Network's Original Sins

While the air interface is the most visible battleground, the core network, the vast, interconnected global infrastructure that routes calls and messages between operators, harbours deep-seated, systemic vulnerabilities.

These flaws stem from design decisions made decades ago, based on a model of trust that is dangerously obsolete in today's complex telecommunications landscape. This section explores the inherent weaknesses of the core network's foundational signalling protocols, SS7 and Diameter, and demonstrates how they continue to be exploited for global surveillance and financial crime.

SS7

The Trust-Based Protocol That Still Haunts Global Networks

Signalling System 7 (SS7) is a suite of telephony signalling protocols developed in the late 1970s and standardised by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T, then the CCITT) in the 1980s. It serves as the central nervous system for 2G and 3G networks worldwide, responsible for critical functions such as setting up and tearing down calls, routing SMS messages, enabling mobile roaming, and managing number translation. The subscriber-management operations discussed below belong to its Mobile Application Part (MAP).

The fundamental, and arguably fatal, design flaw of SS7 is that it was created for a small, closed club of trusted, state-owned telecom operators. As a result, the protocol operates on the assumption of universal trust and lacks virtually any modern security mechanisms, such as authentication or encryption, for its signalling messages.

This broken trust model is not a historical footnote; it is an actively exploited vulnerability in 2025. The SS7 network is no longer a closed system. Access can be leased from smaller, less secure carriers or gained by hacking vulnerable network nodes. Once an attacker gains a foothold on the SS7 network, they can send malicious commands to track or intercept communications of almost any mobile user on the planet. The primary attacks leveraging this flaw include:

  • Global Location Tracking: An attacker sends a MAP query, such as sendRoutingInfoForSM (SRI-SM) or anyTimeInterrogation (ATI), to the Home Location Register (HLR) of the target's home network, addressing it with nothing more than the target's phone number (MSISDN). Because the query arrives over the "trusted" SS7 network, the HLR answers. SRI-SM returns the subscriber's IMSI and the address of the MSC/VLR currently serving the device; ATI (or a provideSubscriberInfo request sent to that VLR) returns the Cell Global Identity, pinning the device to the specific cell it is connected to, in near real time.

  • Call and SMS Interception: By sending a fraudulent updateLocation (UL) message for the victim's IMSI, an attacker registers their own node as the VLR/MSC serving the victim, tricking the home network into believing the user has roamed onto the attacker's network. The HLR deregisters the genuine serving VLR with a cancelLocation and from then on directs incoming calls and SMS messages to the attacker's node: when an SMSC asks the HLR where to deliver a message, it is handed the attacker's address. This technique is particularly devastating because it captures SMS-based two-factor authentication (2FA) codes, which are the keys to a user's digital kingdom.

These are not theoretical vulnerabilities. Real-world attacks have demonstrated their catastrophic potential. In 2017, criminals with SS7 access intercepted the SMS 2FA codes of German bank customers, bypassing bank security and draining accounts. A similar attack targeted customers of Metro Bank in the UK in 2019. The continued relevance of this threat is underscored by a May 2025 report of an SS7 exploit kit, advertised as a "zero-day", being offered on cybercrime forums for just $5,000 with real-time phone tracking and SMS interception as its selling points. The label is marketing rather than novelty: the weaknesses such a kit relies on are decades old and cannot be patched away.
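At the interconnect, both attacks above look like ordinary MAP operations; what distinguishes them is who sends them and whether they are plausible for the subscriber named. The following Python is an added example of the screening an SS7 signalling firewall applies (it is not Cellcrypt's code): a category table in the spirit of GSMA FS.11 and a velocity check between consecutive updateLocation registrations. The home PLMN, the category assignments, the country coordinates and the event log are all assumed for illustration.

```python
"""Interconnect screening of MAP operations, in the style of an SS7 signalling
firewall. Added example, not Cellcrypt code; the category table, the country
coordinates and the event log below are constructed for illustration."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME_IMSI_PREFIX = "23415"   # assumed home PLMN: MCC 234, MNC 15
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner between two registrations

# Assumed classification in the spirit of the GSMA FS.11 categories:
#   cat1: operations a network never needs to receive from another operator
#   cat2: operations only legitimate for inbound roamers (foreign IMSIs);
#         a foreign node issuing them for one of OUR IMSIs is impersonating our HLR
#   cat3: legitimate from roaming partners but in need of a plausibility check
CAT1 = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}
CAT2 = {"insertSubscriberData", "cancelLocation"}
CAT3 = {"updateLocation", "sendRoutingInfoForSM"}

# Constructed approximate coordinates keyed by the E.164 country code of the
# calling-party Global Title; a real deployment resolves the GT via a GT database.
GT_COUNTRY = {"44": (51.5, -0.1), "49": (52.5, 13.4), "1": (38.9, -77.0), "55": (-15.8, -47.9)}


@dataclass(frozen=True)
class MapEvent:
    ts: int          # seconds since epoch
    op: str          # MAP operation name
    imsi: str
    origin_cc: str   # country code of the calling-party Global Title


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def screen(events):
    """Return [(event, verdict, reason)] in time order. Per-IMSI state remembers
    the last accepted updateLocation so the next one can be velocity-checked."""
    last_ul, out = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        ours = ev.imsi.startswith(HOME_IMSI_PREFIX)
        if ev.op in CAT1:
            out.append((ev, "block", "cat1: never expected from interconnect"))
        elif ev.op in CAT2:
            if ours:
                out.append((ev, "block", "cat2: foreign node acting as HLR for our subscriber"))
            else:
                out.append((ev, "allow", "cat2: inbound roamer"))
        elif ev.op in CAT3:
            if ev.op == "updateLocation" and ours:
                prev = last_ul.get(ev.imsi)
                if prev and ev.origin_cc in GT_COUNTRY and prev.origin_cc in GT_COUNTRY:
                    hours = max(ev.ts - prev.ts, 1) / 3600
                    kmh = haversine_km(GT_COUNTRY[prev.origin_cc], GT_COUNTRY[ev.origin_cc]) / hours
                    if kmh > MAX_PLAUSIBLE_KMH:
                        out.append((ev, "block", f"cat3: implausible velocity {kmh:.0f} km/h"))
                        continue   # do not move the subscriber's last known location
                last_ul[ev.imsi] = ev
            out.append((ev, "allow", "cat3: plausible"))
        else:
            out.append((ev, "allow", "unclassified"))
    return out


def demo():
    """Constructed event log: a subscriber registers in Germany, an attacker's node
    in Brazil claims the same IMSI ten minutes later, then other probes follow."""
    ours, theirs = "234150000000001", "310410000000002"
    events = [
        MapEvent(0, "updateLocation", ours, "49"),            # genuine roaming in Germany
        MapEvent(600, "updateLocation", ours, "55"),          # interception attempt from Brazil
        MapEvent(700, "sendRoutingInfoForSM", ours, "44"),    # routine SMS routing query
        MapEvent(800, "anyTimeInterrogation", ours, "44"),    # location probe, never legitimate here
        MapEvent(900, "insertSubscriberData", ours, "1"),     # foreign node posing as our HLR
        MapEvent(1000, "insertSubscriberData", theirs, "1"),  # inbound roamer's own HLR: fine
    ]
    return screen(events)


if __name__ == "__main__":
    for ev, verdict, reason in demo():
        print(f"{ev.ts:5d} {ev.op:22s} {ev.imsi} from +{ev.origin_cc:<3s} {verdict:5s} {reason}")
```

sendRoutingInfoForSM is deliberately allowed: every SMSC in the world sends it, so the countermeasure for the IMSI and serving-MSC address it leaks is SMS Home Routing, which answers the query with a correlation identifier instead of the real values. The velocity check only catches the crude form of the interception attack; an attacker who registers from a country the subscriber could plausibly have reached defeats it, which is why operators combine it with further signals such as whether the claimed VLR belongs to a roaming partner at all.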

Diameter

The "Modern" Protocol with Familiar Flaws

Diameter was adopted as the signalling backbone of the 4G/LTE core (and of 5G non-standalone deployments, which reuse that core), taking over the roaming and subscriber-management roles that SS7/MAP plays in 2G/3G; standalone 5G cores replace it with HTTP/2-based service interfaces. On paper it is more secure: the base protocol specification (RFC 6733) mandates support for transport protection with TLS/DTLS and also allows IPsec. However, extensive security research has revealed a troubling reality: these protections are frequently misconfigured or not used at all between operators, and peers continue to rely on the same flawed trust model that plagues SS7, acting on a message because it arrived from an interconnect partner rather than because its origin was verified. The result is exposure to a nearly identical set of attacks.

Security audits of live 4G networks have shown that Diameter is vulnerable to the same fundamental attacks as its predecessor.

  • Subscriber Information Disclosure: Attackers can obtain a subscriber's IMSI, device information, and location. Every network tested allowed some form of subscriber information disclosure.

  • Denial of Service (DoS): Attacks that cut a subscriber off from the network were possible in every network tested, posing a critical risk to the growing number of IoT devices that rely on 4G connectivity and have no user to notice the outage.

  • Fraud: Attackers can manipulate subscriber profiles to obtain mobile services without paying; one in three tested networks was at risk.

  • The Downgrade Gateway: Perhaps most critically, an attacker can use Diameter to force a 4G device (or a 5G device served by the LTE core) to fall back to 3G, for example by tampering with the subscriber's profile so that LTE access is denied. Once the device is on 3G, its signalling runs over SS7 and the full, mature suite of SS7 attacks applies, including the interception of SMS messages.
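Each of the Diameter attacks above works because the home network acts on what a peer asserts (the Origin-Realm it claims, the IMSI it names, the PLMN it says it serves) without checking those assertions against each other or against the interconnect link the message actually arrived on. The following Python, an added example that is not Cellcrypt's or any vendor's code, encodes and parses a minimal S6a Update-Location-Request and applies those cross-checks the way a Diameter Edge Agent (DEA) would. The home PLMN, the table of three-digit-MNC countries, the sample realms and the requests are constructed; the header and AVP layout follow RFC 6733, the S6a AVP codes TS 29.272 and the realm format TS 23.003.

```python
"""Screening an S6a Update-Location-Request at a home network's Diameter Edge
Agent. Added example, not Cellcrypt code. The encoder, home PLMN and sample
requests are constructed; header/AVP layout follows RFC 6733, AVP codes TS 29.272."""
import struct

S6A_APP_ID, ULR_CMD, VENDOR_3GPP = 16777251, 316, 10415
AVP_USER_NAME, AVP_SESSION_ID, AVP_ORIGIN_HOST = 1, 263, 264
AVP_DEST_REALM, AVP_ORIGIN_REALM, AVP_VISITED_PLMN_ID = 283, 296, 1407
# Assumed: MCCs whose MNCs are three digits; everything else is treated as two.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}


def realm_for(mcc, mnc):
    """EPC realm per 3GPP TS 23.003; the MNC is always zero-padded to three digits."""
    return f"epc.mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"


HOME_REALM = realm_for("234", "15")   # assumed home PLMN


def imsi_plmn(imsi):
    mcc = imsi[:3]
    return mcc, imsi[3:6] if mcc in THREE_DIGIT_MNC_MCCS else imsi[3:5]


def encode_plmn(mcc, mnc):
    """TBCD PLMN encoding (TS 24.008 10.5.1.3); nibble 0xF marks a two-digit MNC."""
    m3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([int(mcc[1]) << 4 | int(mcc[0]), m3 << 4 | int(mcc[2]),
                  int(mnc[1]) << 4 | int(mnc[0])])


def decode_plmn(b):
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if b[1] >> 4 == 0xF else str(b[1] >> 4))
    return mcc, mnc


def avp(code, data, vendor=None):
    """AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to a 4-byte boundary."""
    flags, hdr = (0xC0, 12) if vendor is not None else (0x40, 8)   # V|M or M
    out = struct.pack("!IB", code, flags) + (hdr + len(data)).to_bytes(3, "big")
    out += struct.pack("!I", vendor) if vendor is not None else b""
    return out + data + b"\x00" * (-len(data) % 4)


def message(cmd, app, avps, request=True):
    """Diameter header: ver(1) length(3) flags(1) code(3) app(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([0x80 if request else 0])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app, 0x1234, 0x5678) + body)


def parse(msg):
    """Return (header dict, {(vendor, code): data}); rejects inconsistent lengths."""
    if len(msg) < 20 or msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("not a well-formed Diameter v1 message")
    hdr = {"request": bool(msg[4] & 0x80), "cmd": int.from_bytes(msg[5:8], "big"),
           "app": struct.unpack("!I", msg[8:12])[0]}
    avps, pos = {}, 20
    while pos < len(msg):
        if pos + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        alen = int.from_bytes(msg[pos + 5:pos + 8], "big")
        hl = 12 if flags & 0x80 else 8
        if alen < hl or pos + alen > len(msg):
            raise ValueError("bad AVP length")
        vendor = struct.unpack("!I", msg[pos + 8:pos + 12])[0] if flags & 0x80 else None
        avps[(vendor, code)] = msg[pos + hl:pos + alen]
        pos += alen + (-alen % 4)
    return hdr, avps


def check_ulr(msg, peer_realm):
    """Accept a ULR only if its claims agree with each other and with the transport
    peer (peer_realm) the DEA actually received it from. Returns (ok, reason)."""
    hdr, avps = parse(msg)
    if not (hdr["request"] and hdr["cmd"] == ULR_CMD and hdr["app"] == S6A_APP_ID):
        return False, "not an S6a Update-Location-Request"
    try:
        imsi = avps[(None, AVP_USER_NAME)].decode()
        origin_realm = avps[(None, AVP_ORIGIN_REALM)].decode()
        dest_realm = avps[(None, AVP_DEST_REALM)].decode()
        visited = avps[(VENDOR_3GPP, AVP_VISITED_PLMN_ID)]
    except KeyError as missing:
        return False, f"missing AVP {missing}"
    if dest_realm != HOME_REALM:
        return False, "Destination-Realm is not our realm"
    if realm_for(*imsi_plmn(imsi)) != HOME_REALM:
        return False, "IMSI does not belong to our PLMN"
    if origin_realm != peer_realm:
        return False, "Origin-Realm disagrees with the peer that delivered the message"
    if realm_for(*decode_plmn(visited)) != origin_realm:
        return False, "Visited-PLMN-Id disagrees with Origin-Realm"
    return True, "accepted"


def build_ulr(imsi, origin_realm, visited_mcc, visited_mnc):
    return message(ULR_CMD, S6A_APP_ID, [
        avp(AVP_SESSION_ID, b"dea.example;1;1"),
        avp(AVP_ORIGIN_HOST, f"mme1.{origin_realm}".encode()),
        avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        avp(AVP_DEST_REALM, HOME_REALM.encode()),
        avp(AVP_USER_NAME, imsi.encode()),
        avp(AVP_VISITED_PLMN_ID, encode_plmn(visited_mcc, visited_mnc), VENDOR_3GPP),
    ])


def demo():
    """Constructed cases: a genuine partner ULR, the same bytes arriving over a
    different interconnect peer, and a ULR whose PLMN claim contradicts its realm."""
    partner, other = realm_for("262", "01"), realm_for("724", "05")
    genuine = build_ulr("234150000000001", partner, "262", "01")
    return [check_ulr(genuine, partner), check_ulr(genuine, other),
            check_ulr(build_ulr("234150000000001", partner, "724", "05"), partner)]
```

The peer_realm argument is only worth anything if the DEA knows which partner a connection belongs to, which is exactly what the TLS or IPsec protection the page says operators leave unconfigured would establish. The same shape of check applies in the other direction for the requests behind the DoS and downgrade attacks: a Cancel-Location-Request or Insert-Subscriber-Data-Request arriving from the interconnect for an inbound roamer is legitimate only when the realm derived from the roamer's IMSI equals the Origin-Realm, because only that subscriber's own HSS may send it.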

The analysis of both SS7 and Diameter reveals a systemic and deeply concerning truth about the global telecommunications network. The foundational protocols are built upon a trust model that shattered decades ago with the explosion of interconnected global carriers, mobile virtual network operators (MVNOs), and third-party service providers. The core network is not a walled garden; it is a public-facing system with thousands of potential entry points. Any unencrypted communication routed through this infrastructure must be considered vulnerable to interception and manipulation by any actor who can gain access to this supposedly "trusted" network.

This reality has a direct and severe consequence for a widely used security practice: SMS-based two-factor authentication. Because attackers can reliably intercept SMS messages via SS7, and Diameter provides a route back onto SS7, SMS 2FA cannot be considered a secure second factor against a network-level adversary. Authoritative bodies, such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), now explicitly advise highly targeted individuals to move away from SMS-based multi-factor authentication (MFA) entirely. Any security system that continues to rely on SMS as an authentication factor is building on a foundation of sand: the weaknesses are in the network, not the handset, and no patch a user can apply removes them.

Secure your data now.


Upgrade to Government-Grade today.
