- Signaling System No. 7 (SS7) is an outdated telephony protocol that may expose your privacy to cyber threats and surveillance.
- SS7 vulnerabilities have been exploited by criminals to drain bank accounts, governments to track cellphone users, and intelligence firms to spy on people worldwide.
- To protect yourself from SS7 vulnerabilities, use secure messaging apps with end-to-end encryption like Signal or WhatsApp, as they offer better privacy and security than traditional SMS and phone services.
Have you ever heard of Signaling System No. 7 (SS7)? You probably have not, but you still use it daily, and so does everyone you know. The problem is, this technology is very outdated and very unsafe. However, there are alternatives to using SS7, and best of all, they’re free.
What Is SS7, and Why Is It Insecure?
Signaling System No. 7 is a set of telephony protocols that enables telecommunication networks to communicate with one another. In a sense, it is a communication system that lets phone networks exchange important information. Partly thanks to this technology, you can make phone calls, send text messages, and use similar services.
SS7 was first introduced in the 1970s and deployed in the AT&T network in the United States. Soon after, it became standardized for international use and replaced older systems in other countries worldwide. In the 1990s, SS7 saw more widespread adoption and became the backbone of global telecommunications.
Caller ID, Call Forwarding, and Short Messaging Service (SMS) were also introduced in the 1990s while mobile networks expanded globally. SS7 integration played a key role in this process, and our society has not been the same since. Few of us can now imagine living in a world in which it’s impossible to send a text to a friend who uses a different carrier, and that’s largely thanks to the widespread adoption of this technology.
What is the problem with SS7, then? Well, SS7 is outdated and unsafe, a relic from when digital threats were neither as sophisticated nor as prevalent as today. Since at least the mid-2000s, the security flaws have been evident, and they’ve only become more pronounced with time. This is not a matter of speculation or opinion, nor is it an issue that affects only a specific network, device, or individual. These vulnerabilities are inherent to SS7 itself.
How SS7 Vulnerabilities Expose Your Privacy
As technology and cybercrime developed, SS7 struggled to keep up. Dozens of high-profile incidents and security breaches have been recorded all around the world in recent years.
For example, back in 2017, a group of unidentified criminals took advantage of the security holes in SS7 to drain money from people’s bank accounts. They did this by bypassing the two-factor authentication that certain banks used to prevent unauthorized access and protect customers, according to Ars Technica. At the time, US Congressional representative Ted Lieu called on the federal government to fix these “devastating” flaws, saying that it is “unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security.”
Similarly, The Washington Post reported in 2014 that an SS7 vulnerability allows government entities to track cellphone users in real time. An insider told the outlet “dozens” of countries were doing this, while security experts noted that nothing stops hacker groups and similar organizations from doing the same. In 2020, a whistleblower revealed that Saudi Arabia was exploiting these same vulnerabilities to track its citizens in the United States, per The Guardian.
A 2020 Haaretz investigation, meanwhile, found that the private Israeli intelligence firm Rayzone Group was abusing the flaws in SS7 to track people around the world on behalf of its clients. Around a year later, the CEO of a Swiss tech company focused on automated texting exploited these same vulnerabilities to spy on people, according to the Bureau of Investigative Journalism.
Bear in mind this is just the tip of the iceberg: it is evident that SS7 is unsafe and extremely vulnerable to exploitation. This is why you should not use SMS to protect your privacy—assume that anything you send via text can be intercepted and read by your government or almost anyone else with the right tools and expertise.
But the real question is: why is nothing being done to address SS7 vulnerabilities? Carriers and mobile networks are certainly aware of them; security experts have known about them for ages, as have politicians. In fact, some have spoken openly about them, like Lieu, and urged regulatory bodies to take action. Yet, nothing has changed. When The Register reported on this, they concluded that “maybe America’s intelligence services like the idea of, for them, easily compromised networks.”
It should be noted, however, that this is just one possible explanation that may only partially answer the question. SS7 is a legacy infrastructure, and making sweeping changes would likely call for international cooperation and the deployment and implementation of new technologies, which would all require significant time and financial investment. In short, the incentives to make the necessary changes are just not there.
What You Can Do to Protect Yourself From SS7 Vulnerabilities
If SS7 is ubiquitous, what can ordinary people do to protect themselves? One simple solution is to use secure messaging apps for texting and phone calls since they offer a layer of protection absent from traditional SMS and phone services underpinned by SS7.
These applications use much safer and more private technology than SS7, but if you want to go the extra mile, consider using an end-to-end encrypted messaging app—end-to-end encryption ensures your communications are safe from eavesdropping. There are dozens of such apps on the market, and many are completely free. Signal is arguably the most secure messaging app available today, but WhatsApp is not far behind.
Signal is open-source, boasts a powerful encryption algorithm, and is incredibly secure. WhatsApp, on the other hand, is probably the best option for those who want a simple, easy-to-use app that everyone is familiar with and already has on their phone. However, some steer away from WhatsApp, as it is owned by Meta (Facebook and Instagram’s parent company), and they believe it has privacy issues.
Despite Glaring Issues, SS7 Is Not Going Anywhere
SS7 is outdated and deeply flawed, but it’s not going anywhere. At least for now, there is no indication that the telecommunications industry will phase it out. Until SS7 is replaced with better, more secure technology, do what you can to protect your privacy.
Granted, it’s not always possible to avoid using SMS or making a call, but installing a communication app with end-to-end encryption is a good start. In any case, staying safe from surveillance and other threats requires a serious and sustained commitment to digital hygiene and security.