=============================================================================
/// NETTWERKED.ORG // INTEL FEED ///
AUTHOR:  The Clone
DATE:    23-MAR-2026
SUBJECT: THE UNDEAD PROTOCOL: Why SS7 Is Still Eating Your OpSec
=============================================================================

It's 2026. The telcos are busy trying to sell you on the utopian promises of
their "standalone" 5G networks, but underneath the shiny marketing, the global
telecommunications backbone is still rotting from the inside out.

Signaling System No. 7 (SS7) was designed in the 1970s. It was built for a time
when telecom operators formed a highly exclusive, implicitly trusted club. Fast
forward to today, and that implicit trust model is the biggest, most glaring
vulnerability in our global communications infrastructure. The protocol has no
native encryption and no real authentication. If a threat actor buys access to
an SS7 node on the darknet—or compromises a regional operator with poor
security—they are inside the wire. Period.

Here is the ground truth on the SS7 threat landscape as we see it today.

---------------------
THE UNPATCHED REALITY
---------------------

We've been screaming about this for over a decade, but because SS7 is the
literal glue holding global interoperability together, you can't just "patch"
it without breaking international roaming. The classic attacks are still fully
operational in the wild:

- Ghosting Your Coordinates: Attackers are still abusing ProvideSubscriberInfo
  (PSI) requests to learn which cell tower is serving your phone. If your phone
  is on, they know what city block you're standing on.
- The 2FA Bypass: Rerouting SMS messages to intercept 2FA tokens is still the
  go-to method for draining crypto wallets and taking over high-value targets'
  bank accounts.
- Man-in-the-Middle Calls: Voice traffic is easily hijacked and rerouted through
  attacker-controlled infrastructure before it reaches you.
- Network Deregistration (DoS): Simply booting your device off the network so
  you drop off the grid entirely.

--------------------------
WHAT CHANGED IN 2025–2026?
--------------------------

The script kiddies and financial fraudsters are still playing with SS7, but
over the last twelve months, exploitation of this protocol has evolved into
high-stakes espionage and advanced evasion.

- TCAP Layer Evasion: Traditional rule-based SS7 firewalls are officially
  obsolete. In mid-2025, we saw surveillance vendors successfully bypass telco
  defenses by manipulating the encoding of the protocol's TCAP layer. By
  injecting extended tags and invalid lengths, they slipped malicious routing
  requests right past the gatekeepers undetected.
- State-Sponsored Hunting: Early 2026 reports confirmed what we already
  suspected: nation-state operatives are using regional SS7 interconnects to
  track the movements and digital signatures of military personnel. If you've
  been following the EPIC v. CISA transparency lawsuit, you've seen the
  unsealed docs confirming that multiple APT groups are actively weaponizing
  this against global targets.
- The 5G Illusion: Think you're safe because your screen says "5G"? Think
  again. Standalone 5G uses HTTP/2, which is better, but cross-protocol
  interworking kills that security. The second you text someone on a legacy
  network, or your phone drops to 3G while traveling abroad, your traffic is
  translated back to SS7. The attack surface opens right back up.

--------------------------
THE INDUSTRY'S "BAND-AIDS"
--------------------------

The telcos know they can't rip out the protocol yet, so they are throwing
mitigation tactics at the wall to see what sticks:

- AI Signaling Analytics: Instead of static firewalls, Tier 1 operators are
  deploying machine-learning heuristics that look for impossible geographic
  hops. That catches the noisy actors, but the quiet ones still slip through.
- Network Sunsetting: Regulators are forcing the shutdown of 2G and 3G networks
  to physically kill the attack surface.
- Killing SMS 2FA: CISA and the infosec community have drawn a line in the
  sand. If you are still using SMS for multi-factor authentication in 2026, you
  are volunteering to get owned. Hardware keys (FIDO2) and local authenticator
  apps are the absolute baseline now.

=============================================================================
/// NETTWERKED.ORG // INTEL FEED // DEEP DIVE ///
SUBJECT: UNDER THE HOOD: Weaponizing the TCAP Layer
=============================================================================

The problem isn't just that SS7 is old; it's that the security bolted onto
it—SS7 firewalls doing Deep Packet Inspection (DPI)—is fundamentally flawed in
how it parses legacy data structures.

To understand the bypass, you have to understand the stack. When an attacker
wants to track your phone or intercept your SMS, they send a Mobile Application
Part (MAP) command (like ProvideSubscriberInfo or UpdateLocation). But that MAP
payload doesn't travel naked. It's wrapped in the Transaction Capabilities
Application Part (TCAP), which handles the session, and the Signaling
Connection Control Part (SCCP), which handles the routing.

Here is what that looks like when it hits the wire:

THE SS7 SMUGGLING VECTOR (2025/2026)
-----------------------------------------------------------------------------

  [ROGUE NODE]                                           [VICTIM NETWORK]
   (Attacker)                                              (Target HLR)
       |                                                         |
       | 1. Craft malicious MAP payload (e.g., intercept SMS)    |
       | 2. Wrap in TCAP using malformed ASN.1 BER encoding      |
       | 3. Spoof SCCP Calling Party Address (CgPA)              |
       |                                                         |
       |--- [SPOOFED SCCP] + [MANGLED TCAP] + [MALICIOUS MAP] -->|
       |                                                         |
       |            [SS7 FIREWALL]                               |
       |            - DPI engine tries to read MAP               |
       |            - Chokes on malformed TCAP                   |
       |            - Fails OPEN to prevent network drops        |
       |                                                         |
       |-------------------------------------------------------->|
       |                                      [HLR/VLR]
       |                                      - Legacy parser is lenient
       |                                      - Reconstructs the packet
       |                                      - Executes MAP command
       |                                      - Routes SMS to attacker

-----------------------------------------------------------------------------

-----------------------------------------
THE VULNERABILITY: ASN.1 BER MANIPULATION
-----------------------------------------

SS7 firewalls are basically bouncers checking IDs (MAP commands) at the door.
If they see an unauthorized node asking for your location, they drop the
packet. To blind the bouncer, attackers started targeting the TCAP layer.

TCAP messages are encoded using a telecom standard from the 1980s called ASN.1
BER (Abstract Syntax Notation One, Basic Encoding Rules). It dictates how data
types, lengths, and values are structured. In mid-2025, researchers and threat
actors realized that SS7 firewalls and the actual telecom network nodes (like
the Home Location Register, or HLR) parse ASN.1 BER very differently:

- The Firewall DPI: Built to be fast. It expects strict, standard formatting.
- The HLR (Target Node): Built to be resilient. It is extremely lenient and
  will auto-correct or ignore garbage data to keep the network alive.

-------------
THE EXECUTION
-------------

Attackers exploit this parsing discrepancy with a few specific techniques to
smuggle the malicious MAP payload right past the firewall:

1. Indefinite Length Encoding: Normally, the length field after a TCAP tag
   tells the parser exactly how many bytes follow. Attackers swap this for
   "indefinite length" encoding. The firewall's DPI engine, unable to allocate
   the correct memory buffer on the fly, panics. Because telcos prioritize
   network uptime over security, the firewall is configured to "fail open." It
   shrugs and lets the packet through.
2. Extended Tag Padding: Attackers pad the TCAP layer with garbage extended
   tags (e.g., injecting a string of 0x00 padding before the actual data). The
   firewall reads the garbage, assumes the packet is corrupted or empty, and
   ignores it. The destination HLR, however, seamlessly strips the padding,
   finds the hidden UpdateLocation command, and executes it.
3. SCCP Spoofing (The Getaway): To ensure the target network sends the
   intercepted data (like your 2FA SMS) back to them, the attacker spoofs the
   Global Title (the SS7 equivalent of an IP address) in the SCCP layer. They
   use a legitimate-looking Calling Party Address (CgPA) to pass basic routing
   checks, but manipulate the lower-level Point Code so the victim's network
   hands the return data right back to the attacker's rogue gateway.

---------------
THE BOTTOM LINE
---------------

You can deploy all the static firewalls you want, but as long as legacy
systems prioritize connectivity over strict packet validation, protocol
smuggling will keep working. This is exactly why the industry is scrambling to
deploy AI heuristics—they have to stop looking at how the packet is built and
start looking at how it behaves.

=============================================================================
/// NETTWERKED.ORG // INTEL FEED // ACTIONABLE ///
SUBJECT: LOCKING THE DOORS: Baseband Auditing & FIDO2
=============================================================================

--------------------------------------------------------
PART 1: Staring into the Black Box (Baseband Monitoring)
--------------------------------------------------------

Monitoring your own baseband traffic is not for the faint of heart. The
baseband processor is a proprietary, closed-source black box. However, the
open-source community has built bridges to pull signaling data out of the
diagnostic ports.

- The Hardware: You need an Android device with a Qualcomm chipset that can be
  rooted to expose the diagnostic (Diag) interface.
- The Software: Install MobileInsight or use the Signaling Collection and
  Analysis Tool (SCAT). These tools parse the raw cellular signaling logs over
  USB.
- The Analysis: Pipe the output into Wireshark. You will need to filter for
  specific protocols depending on your network (RRC and NAS for 4G/5G, or
  MAP/TCAP if you are capturing broader interconnect traffic via a
  software-defined radio).
- What to Look For: You are hunting for anomalies in the Non-Access Stratum
  (NAS) messages. Watch for silent SMS (Type 0 messages), unexpected
  downgrades from 5G/4G to 3G/2G, or sudden LocationUpdate requests when you
  haven't moved.

The Reality Check: Monitoring baseband traffic is reactive. By the time
Wireshark tells you a silent SMS just hit your device, the attacker already
has your location.

----------------------------
PART 2: The FIDO2 Killswitch
----------------------------

The only foolproof way to defeat SS7 interception is to stop sending
authentication secrets over the airwaves. FIDO2 and WebAuthn achieve this by
replacing interceptable codes with asymmetric public-key cryptography.

When you log in, the server sends a cryptographic challenge. Your FIDO2
hardware key signs the challenge locally using a private key that never leaves
the physical chip. If a threat actor intercepts your traffic, they get nothing
but cryptographic noise.

The Migration Protocol:

1. Acquire Hardware: Buy at least two physical FIDO2 keys (e.g., YubiKey,
   Google Titan). One stays on your keychain; the other goes in a safe as a
   backup.
2. Register the Keys: Go to the security settings of your high-value accounts.
   Register both keys under the hardware token/WebAuthn section.
3. Burn the Bridge: This is the most critical step. Once your keys are
   registered, you must delete your phone number from the account's 2FA
   recovery options. If you leave SMS as a fallback, an attacker will simply
   trigger a "forgot my hardware key" workflow, intercept the SMS via SS7, and
   bypass the FIDO2 key entirely.
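The parsing discrepancy the deep dive above describes is exactly why a DPI pre-filter has to fail closed on anything that does not parse strictly. The following is an added example, not code from nettwerked.org or from any firewall vendor: a strict BER walker over the TCAP envelope that drops indefinite lengths, leading 0x00 padding, extended tag forms and non-minimal lengths instead of shrugging them through. The transaction tags follow ITU-T Q.773; every byte string below is constructed for the example.

```python
# Added example, not nettwerked.org's or any vendor's code: a fail-closed
# pre-filter that parses the TCAP envelope with strict BER rules instead of
# the lenient ones the HLR uses. All sample messages below are constructed.

# TCAP transaction tags (ITU-T Q.773, APPLICATION class, constructed form).
TCAP_TAGS = {0x62: "Begin", 0x64: "End", 0x65: "Continue", 0x67: "Abort"}

def read_tlv(buf: bytes, pos: int):
    """Parse one TLV header strictly; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:         # extended (multi-octet) tag form
        raise ValueError("extended tag form rejected")
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:              # the indefinite-length trick from the deep dive
        raise ValueError("indefinite length rejected")
    if first < 0x80:               # short form
        length = first
    else:                          # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("malformed long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or len(buf[pos:pos + n]) != n:
            raise ValueError("non-minimal or truncated long-form length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds message")
    return tag, pos, pos + length

def tcap_verdict(msg: bytes) -> str:
    """'PASS:<type>' for a cleanly encoded TCAP envelope, else 'DROP:<reason>'."""
    try:
        if not msg or msg[0] == 0x00:
            raise ValueError("empty message or 0x00 padding before TCAP tag")
        tag, start, end = read_tlv(msg, 0)
        if tag not in TCAP_TAGS:
            raise ValueError(f"unexpected top-level tag 0x{tag:02x}")
        if end != len(msg):
            raise ValueError("trailing bytes after TCAP envelope")
        pos = start                # walk the children one level down, same rules
        while pos < end:
            pos = read_tlv(msg, pos)[2]
        return "PASS:" + TCAP_TAGS[tag]
    except (ValueError, IndexError) as exc:   # any parse failure => drop
        return "DROP:" + str(exc)

# Constructed samples: a Begin carrying only a 4-byte originating transaction ID.
CLEAN = bytes([0x62, 0x06, 0x48, 0x04, 0x00, 0x00, 0x00, 0x01])
INDEFINITE = bytes([0x62, 0x80, 0x48, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00])
PADDED = bytes([0x00, 0x00]) + CLEAN
```

The walker only descends one level, which is enough to refuse the envelope tricks described above; a production filter would apply the same rules recursively down to the MAP component.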
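The three indicators from Part 1's "What to Look For" as a detector, added here as an example and not nettwerked.org's code: the log line format is constructed for the example (it is not MobileInsight's or SCAT's native output), the subscriber events are invented, and the one real constant is that GSM 03.40 marks a Type 0 silent SMS with TP-PID 0x40.

```python
# Added example, not nettwerked.org's code: the "What to Look For" hunt from
# Part 1 run over a constructed log. The line format is invented for this
# example; it is not MobileInsight's or SCAT's native output.
import re

RAT_RANK = {"NR": 5, "LTE": 4, "UMTS": 3, "GSM": 2}
TP_PID_TYPE0 = 0x40   # GSM 03.40: TP-PID 0x40 = "Short Message Type 0" (silent SMS)
LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")

# Constructed sample: NR attach, normal SMS, then the three indicators in a row.
LOG = """\
2026-03-23T10:00:01 ATTACH cell=0x0f33
2026-03-23T10:00:01 RAT rat=NR
2026-03-23T10:00:05 SMS_DELIVER pid=0x00 dcs=0x00
2026-03-23T10:03:10 SMS_DELIVER pid=0x40 dcs=0x00
2026-03-23T10:03:12 RAT rat=UMTS
2026-03-23T10:03:40 LOCATION_UPDATE cell=0x0f33
2026-03-23T10:09:00 RAT rat=LTE
"""

def parse(line: str):
    """Return (timestamp, event, {key: value}) or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    return m["ts"], m["event"], dict(p.split("=", 1) for p in m["kv"].split())

def hunt(log: str):
    """Return [(timestamp, finding)] for every indicator listed in Part 1."""
    findings, rat, cell = [], None, None
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, kv = rec
        if event == "RAT":
            new = kv["rat"]
            if rat and RAT_RANK[new] < RAT_RANK[rat]:
                findings.append((ts, f"downgrade {rat}->{new}"))
            rat = new
        elif event == "SMS_DELIVER" and int(kv.get("pid", "0"), 16) == TP_PID_TYPE0:
            findings.append((ts, "silent SMS (TP-PID 0x40, Type 0)"))
        elif event == "ATTACH":
            cell = kv["cell"]
        elif event == "LOCATION_UPDATE":
            if kv["cell"] == cell:     # updating location without changing cell
                findings.append((ts, f"location update while still on cell {cell}"))
            cell = kv["cell"]
    return findings
```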
=============================================================================
/// GREETS & SHOUT-OUTS ///
=============================================================================

Massive respect and shout-outs to the ones keeping the signal alive: The
Question, Alan, Magma, Cenobyte, WarVamp, and the entire crew at 2600.

Keep watching the wire.

=============================================================================
END TRANSMISSION
=============================================================================