SS7 & Mobile Geolocation – How your phone can be tracked without you knowing

The Ghost in the Mobile Machine

How is it possible that someone can track your location anywhere in the world with just your phone number? While the apps on your phone are asking for GPS access, an older, invisible part of the global telecom infrastructure has quietly allowed such tracking for decades. This is SS7 (Signaling System No. 7).

Developed in the 1970s, SS7 was never designed with security in mind. Today, despite being perhaps outdated, it still underpins most global mobile communications. As a result, it has become a go-to tool for both legitimate intelligence work and unauthorized surveillance. In this article, we investigate SS7’s role in mobile phone geolocation, who uses it today, how it works, and what it means for privacy and corporate security in Europe and Asia.

1. What Is SS7 and Why Is It Still Around?

SS7 is a signaling protocol that allows mobile networks to communicate across the globe. It handles tasks like call setup, SMS routing, number portability, and roaming. In essence, when your phone connects to another country’s network, it uses SS7 to authenticate and route data.

Originally designed in an era of trust between telecom operators, SS7 lacks modern security protections. As cybersecurity researcher Karsten Nohl famously demonstrated at the Chaos Computer Club conference in 2014, vulnerabilities in SS7 allow an attacker to intercept calls and track users globally (source: Chaos Communication Congress 31C3, Berlin, 2014).

Even with the introduction of newer protocols like Diameter for 4G and 5G, SS7 remains embedded in the system for backward compatibility, especially in regions where 2G and 3G are still prevalent. This is particularly true in parts of Southeast Asia and Eastern Europe.

2. How SS7 Enables Geolocation

Tracking a phone via SS7 doesn’t require GPS. Here’s how it works:

An attacker sends a “silent SMS” or similar command to trigger a location update from the target’s phone.
The attacker queries the Home Location Register (HLR) to determine the current Mobile Switching Center (MSC).
The MSC ID gives away the approximate location of the user, often down to the nearest city or even a specific cell tower region.

According to a 2021 report by Positive Technologies, attackers can achieve accuracy of a few hundred meters, especially when making repeated queries to triangulate a more exact position (source: Positive Technologies, “SS7 Network Attacks”, 2021, https://www.ptsecurity.com).

3. Who Uses SS7 Geolocation Today?

Legitimate Use

Law Enforcement Agencies (LEAs): Often use SS7 via telecom cooperation or lawful intercept arrangements, typically under judicial oversight.
Corporate Security Teams: Some high-level corporate investigators use licensed access to geolocation services for fraud prevention or internal risk assessments.

Private Intelligence & Surveillance Firms

Companies such as Rayzone Group (Israel), Circles (linked to NSO Group), and SecurCube (Italy) have been documented selling access to SS7-based location and interception tools. According to investigations by The Guardian and CitizenLab, these services are often bundled with social engineering, phishing, and IMSI catcher solutions (source: The Guardian, Dec 2020; CitizenLab reports 2018–2022).

Pricing varies. A single geolocation lookup can cost from $500 to $2000 USD, depending on provider and success rate. More comprehensive monthly packages (“unlimited ping plans”) can range from $20,000 to $100,000 USD (source: Privacy International, Surveillance Industry Index, 2020).

Grey and Illegal Markets

Cybercriminal Groups: Buy access via shell telecom companies in weakly regulated jurisdictions (e.g., Balkans, Southeast Asia).
Dark Web Markets: Offer tracking-as-a-service using compromised SS7 access. This is often advertised through encrypted channels like Telegram.

4. Real-World Case Studies

Karsten Nohl’s Demonstration (2014): Demonstrated real-time tracking of German MP using only their mobile number.
EncroChat & Sky ECC Investigations (2020-2021): Europol used SS7 exploits in combination with malware to infiltrate criminal networks (Europol press release, July 2021).
Thailand & Southeast Asia: Due to high roaming usage and under-regulated telecom backbones, experts note the region is vulnerable to SS7 manipulation. Telecom gateways can be exploited by foreign surveillance actors under the radar of local regulators (Asia Centre for Cybersecurity, 2022).

5. The Economics of SS7 Tracking

Service Level	Estimated Price Range
Single Location Ping	$500 – $2000
Monthly Access Package	$20,000 – $100,000
Full Surveillance Bundle	$50,000 – $250,000+

Most of these services are marketed to state clients, but the absence of global regulation means access occasionally slips into private hands.

Here is the expanded and clarified version of Section 6, as requested. It keeps your professional tone while offering clearer, more detailed explanations:

6. Can This Be Stopped?

Securing SS7 is notoriously difficult. This is not due to a lack of awareness, but because of how fundamentally the protocol is embedded in global mobile communications.

Why It’s Hard to Secure

Legacy Infrastructure
SS7 is still used to support 2G and 3G networks, which remain active in many parts of the world. In Southeast Asia, for example, large rural populations and legacy enterprise systems still depend on these older networks. This makes retiring SS7 impractical without significant financial and logistical investment.
Global Roaming Requires Compatibility
Even in countries where 4G and 5G dominate, international roaming still relies on SS7 for compatibility with networks in other countries. This backward compatibility creates an entry point for abuse.
A Trust-Based System
The SS7 network operates on a model of mutual trust between telecom operators. Once a telecom company is granted access to the SS7 network, it can send queries to any other network worldwide. If a rogue operator, or a legitimate one compromised by hackers, sends malicious commands (such as location requests), other networks may accept them without further verification.

According to a 2021 Kaspersky analysis, this trust model has been one of the protocol’s largest weaknesses, as it assumes all telecom operators behave responsibly, a dangerous assumption in today’s world of cybercrime and espionage.

What Can Be Done: Realistic Mitigations

SS7 Firewalls
Telecom companies are increasingly deploying dedicated SS7 firewalls. These work similarly to internet firewalls, blocking or flagging suspicious signaling messages. For example, a firewall might block a location request if it originates from a suspicious or unknown foreign carrier.
Signaling Anomaly Detection Systems (SADS)
These systems use machine learning and behavioral analysis to detect unusual signaling patterns like repeated silent pings to the same number or malformed packets meant to exploit vulnerabilities. According to AdaptiveMobile Security, such analytics can significantly reduce the risk of targeted attacks.
Restricting Access
Many telecom operators are tightening their interconnection policies, reducing the number of external carriers allowed to send them SS7 messages. Some now require additional verification or formal partnerships before accepting traffic.
Network Segmentation and Authentication
Segregating SS7 traffic from newer Diameter traffic and applying strict internal access controls can limit damage if an intruder gains access.
Phasing Out Legacy Networks
Countries like Australia, South Korea, and parts of Scandinavia have shut down their 2G/3G networks, removing the need for SS7 entirely. The European Union has encouraged its member states to sunset these older technologies by 2025. However, in regions like Southeast Asia, the economic and regulatory conditions make this a slower process.
Centralized Oversight and Regulation
In Europe, telecom regulators often coordinate with intelligence and cybersecurity agencies. In contrast, Southeast Asia’s regulatory environment remains fragmented. For example, Thailand and Indonesia do not yet have a central authority that actively audits or enforces SS7 compliance across all mobile operators.
GSMA Guidelines
The GSMA (the global association of mobile operators) has published SS7 security best practices and maintains a compliance program. However, adherence is voluntary. While large European carriers have generally aligned with these standards, many smaller or state-run telecoms in other regions have not.

So, Can SS7 Be Made Safe?

Not entirely, nonetheless it can be made safer. The protocol is unlikely to disappear overnight but with coordinated global efforts, its attack surface can be reduced. The key is not just technical fixes, but cross-border cooperation, clear auditing, and a stronger regulatory push.

In the meantime, corporate security teams and high-risk individuals must assume that mobile networks cannot be fully trusted and take precautions accordingly: for instance, using encrypted communication apps, avoiding SMS-based authentication and limiting exposure of personal numbers.

7. Why We Are Sharing This

We are a young, investigative security firm based in Thailand, with roots in both Europe and Asia. Our mission is not to sell fear but to bridge awareness between regions, sectors, and cultures.

Our clients in corporate affairs come to us because we are:

Technically capable
Ethically grounded
Regionally fluent

We believe transparency breeds trust. By demystifying technologies like SS7, we help our partners navigate risks, not with panic, but with clarity and strategic insight.

We are not disclosing these vulnerabilities to encourage misuse. On the contrary, we highlight them to empower better cybersecurity planning, fraud protection, and executive risk management.

8. Final Thoughts: Legacy Tech, Current Risks

SS7 is the kind of legacy infrastructure that no one really notices until it causes real-world impact. It sits quietly beneath the surface of mobile communications, offering convenience and vulnerability in equal measure.

As companies expand across borders, and as mobile risk becomes a board-level issue, awareness of these systems is no longer optional.

Whether you are protecting your executives, assessing exposure to corporate espionage, or managing cross-border operations, understanding the SS7 landscape can be the difference between being proactive and being blindsided.