Surveillance Firm Bypasses SS7 Defences to Track Users via IMSI Manipulation
A surveillance company has been exploiting a previously undetected method to bypass Signaling System 7 (SS7) protocol protections and extract location data of mobile users, according to cybersecurity firm Enea. The attack, observed since late 2024, leverages modified Transaction Capabilities Application Part (TCAP) messages — specifically altering Information Elements (IEs) within ProvideSubscriberInfo (PSI) commands. By extending the Tag code that contains a user’s International Mobile Subscriber Identity (IMSI), attackers effectively hide it from mobile operator security checks. This allows PSI location tracking requests to be processed, even though they originate from unauthorized external sources.
Enea’s investigation suggests that some mobile network operators' SS7 security systems failed to interpret the extended Tag structure correctly due to outdated or permissive decoding stacks. While the firm cannot determine the global impact, the use of this technique in an active surveillance suite indicates operational value. The cybersecurity company recommends blocking malformed or suspicious MAP PDUs and implementing stricter validation where IMSI data is expected but missing. The activity, believed to be part of a surveillance company’s toolkit, demonstrates the ongoing challenges in retrofitting security onto legacy telecom protocols like SS7.
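The recommended validation can be sketched as a strict BER walk over a PSI argument that blocks anything it cannot decode cleanly instead of passing it through. This is an added example, not code from Enea or any operator's firewall; it assumes the IMSI is carried as context-specific tag [0] with 3 to 8 octets, and the function names and sample bytes are constructed for illustration.

```python
# Added example: strict BER TLV walk over the content octets of a PSI argument.
# Assumption: the IMSI field is context-specific tag [0] holding 3..8 octets.
IMSI_TAG = (2, 0)  # (class bits, tag number)

def read_tlv(buf, pos):
    """Decode one TLV; return (cls, number, value, next_pos, minimal)."""
    first = buf[pos]; pos += 1
    cls, number, minimal = first >> 6, first & 0x1F, True
    if number == 0x1F:  # extended (long-form) tag: base-128 digits follow
        lead, number = buf[pos], 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        # X.690: long form is only valid for numbers >= 31, without 0x80 padding
        minimal = number >= 31 and lead != 0x80
    length = buf[pos]; pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length")
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return cls, number, buf[pos:pos + length], pos + length, minimal

def check_psi_argument(arg):
    """Return (verdict, reason); anything that is not cleanly decodable is blocked."""
    pos, imsi_seen = 0, False
    try:
        while pos < len(arg):
            cls, number, value, pos, minimal = read_tlv(arg, pos)
            if not minimal:
                return "block", f"non-minimal extended tag for number {number}"
            if (cls, number) == IMSI_TAG:
                if not 3 <= len(value) <= 8:
                    return "block", "IMSI length out of range"
                imsi_seen = True
    except (IndexError, ValueError) as exc:
        return "block", f"malformed PDU: {exc}"
    return ("allow", "ok") if imsi_seen else ("block", "IMSI expected but missing")

# Constructed samples (test PLMN 001/01 IMSI, not captured traffic).
IMSI = bytes.fromhex("00010121436587F9")
NORMAL = b"\x80\x08" + IMSI + bytes.fromhex("A2028000")
EXTENDED = b"\x9f\x00\x08" + IMSI + bytes.fromhex("A2028000")
```

A filter that only matches the single-octet tag never sees an IMSI in `EXTENDED`, which is why the check treats both a non-minimal tag and a missing IMSI as reasons to block.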
www.securityweek.com/surveilla…
