Signaling System 7 (SS7)

What is Signaling System 7 (SS7)?

Signaling System 7 (SS7) is an international telecommunication protocol standard that defines how the network elements in a public switched telephone network (PSTN) exchange information and control signals. Nodes in an SS7 network are called signaling points.

It is the system that controls how telephone calls are routed and billed, and it enables advanced calling features and Short Message Service (SMS). It may also be called Signalling System No. 7, Signaling System No. 7 or -- in the United States -- Common Channel Signaling System 7, or CCSS7.

SS7 was first adopted as an international standard in 1988, and the latest revision of the standard was in 1993. It is still the current standard for telephone calls and is in use for both landline and mobile phone service all the way up to and including 5G.

How does Signaling System 7 work?

The signaling transport (SIGTRAN) protocols provide interoperability of SS7 signaling to operate over Internet Protocol (IP)-based networks. This enables PSTN service to operate over legacy, analog plain old telephone service systems and modern IP networking equipment. SIGTRAN uses its own Stream Control Transmission Protocol, as opposed to Transmission Control Protocol or User Datagram Protocol.

Earlier signaling implementations, such as Signaling System 5, used in-band signaling, where the same channel used for voice also carried the signal tones to control calls. This caused many issues. Occasionally, for example, callers could hear the audible signals. It also required reserving a voice channel for signaling even if the other party was unavailable, tying up resources. This gave callers direct access to the control channel, enabling early hackers, called phreaks, to use simple tone generators -- such as the blue box -- to control the phone system to make free calls and for other purposes as well.

To remove the issues of in-band signaling, SS7 uses out-of-band signaling, called common channel signaling (CCS). In CCS, a dedicated channel separate from the voice channel is used to carry the SS7 control signals. This channel is only accessible to the underlying infrastructure and not the end callers, increasing security.

SS7 is a high-performance, packet-based system that can transmit much information related to the call and user. The extra data channel offered by SS7 enabled many of the modern conveniences in telephone service. It can also be used for services not directly related to voice calls. Because of the level of access SS7 provides to the underlying infrastructure and need for an extra dedicated signal line, SS7 is mainly used between telephone network switches and is not used at the local level to connect a local exchange to the customer.

Services offered by SS7 include the following:

  • call setup, routing and teardown
  • call forwarding
  • automated voicemail
  • call waiting
  • conference calling
  • caller ID
  • subscriber authentication and extended billing
  • toll-free (800 and 888) and toll (900) calls
  • SMS
  • mobile phone roaming and tracking
typical signaling system 7 (SS7) architecture
SS7 is a longstanding telecommunications protocol and standard for both landline and mobile phone service.

What are SSP, STP and SCP Signaling System 7 nodes?

There are three main types of signaling nodes in a SS7 network: Service Switching Points (SSPs), Signal Transfer Points (STPs) and Service Control Points (SCPs). SSPs originate or terminate a call and are the initial point on the SS7 network. The control signals are routed through various STPs, which operate as interconnected switches on the SS7 network. The SCPs determine how to route a call or set up and manage some special feature.

SCPs and STPs usually exist as a collection of discrete nodes so that service can continue if one network point fails. The SCPs may also communicate with a Service Data Point, which stores the user database and directory. The signaling links between nodes generally operate at full-duplex 56 or 64 kilobits per second (Kbps) bandwidth, with large facilities using a full T1 line at 1.536 megabits per second (Mbps) for signaling links.

SS7 allows for several modes of operation for both voice and data service, including the following:

  • Message Transfer Part carries SS7 signals between nodes.
  • Telephone User Part carries voice calls between users.
  • Data User Part carries digital data between users.

Integrated Services Digital Network (ISDN) could also be used, enabling digital voice or data service at a relatively high speed, for the time, of up to 128 Kbps or 1.5 Mbps for a full T1 line. ISDN did not see wide adoption in the consumer market because, by the time it was widely available, 56.6 Kbps modems were becoming available as well. Asymmetric Digital Subscriber Line service widely superseded ISDN data service.

SS7 vulnerabilities and security implications

The telecommunications (telecom) industry developed Signaling System 7 before digital encryption and authentication were widely adopted. This means that SS7 messages and service can be relatively easily listened in on and forged.

The primary security on the SS7 network is that it is a closed system; only telecom operators have access to it. End users and most hackers cannot access the system as a whole. Unfortunately, telecom providers operating as bad actors or governmental agencies with legal access have relatively unrestricted access to all the information available in the SS7 network. Telecom providers can also monitor the SS7 network for threats or intrude and identify them, but this does not prevent passive exploitation.

Given the rich feature set and nonexistent security of SS7, this gives these threat actors unprecedented access to user information. It also gives governments the ability to track mobile users' location anywhere in the world, even without the use of the Global Positioning System.

While Global System for Mobile communication (GSM) calls are encrypted over the air, the decryption key can be requested from the SS7 network for later decryption. SMS messages are sent unencrypted over the SS7 network and can be easily read. This type of snooping is called a SS7 probe or international mobile subscriber identity catcher. Attackers have used call forwarding to redirect calls or SMS multifactor authentication codes to ones controlled by an attacker to steal from bank accounts.

gsm network organization
Diagram of the organization of a GSM network

With the underlying vulnerability of the SS7 network, the only way not to be at risk is to not use telephone service. This would entail disabling telephone and mobile data service on a cellphone to prevent tracking. Voice and text messages should be sent using encrypted IP-based services, such as iMessage, WhatsApp, Telegram or Signal.

This was last updated in June 2021

Continue Reading About Signaling System 7 (SS7)

Dig Deeper on Network infrastructure

Unified Communications
Mobile Computing
Data Center