Here is a sentence you probably never expected to read: the entire global cellular network has been running, for the last forty-five years, on a protocol nobody wants to secure because everyone is waiting for someone else to go first.
That is not a metaphor. That is the actual situation.
But we are getting ahead of ourselves. Let's start somewhere better. Let's start with two guys in a garage who called the Vatican and pretended to be Henry Kissinger.
The Part Where Two Nerds Hack the Pope
In the early 1970s, before Apple existed, before the personal computer was even a concept, Steve Jobs and Steve Wozniak ran a small and deeply illegal operation out of Berkeley, California. Their product was a small electronic box — the Blue Box — and what it did was hack the telephone network.
Long distance calls at the time were genuinely expensive. Adjusted for inflation, a call from New York to London could run you around twenty-five dollars a minute. So the pair exploited a vulnerability the phone phreaks had already found: the telephone switching system used in-band audible tones, carried on the same circuit as the voice, to control call routing. Send the right tones and you could trick a long-distance trunk into thinking a call had been disconnected, then set up a fresh connection to anywhere in the world, for free, while the billing side of the system believed you were still on a toll-free number.
One such tone happened to be 2600 Hz. One object capable of producing exactly that tone happened to be the cheap plastic whistle included in boxes of Cap'n Crunch cereal. The phreaker who made this property famous, John Draper, was thereafter known, reasonably enough, as Captain Crunch.
Wozniak and Jobs, not content to merely save money on calls, rang the Vatican, with Wozniak impersonating Henry Kissinger and requesting an audience with the Pope. They got far enough up the hierarchy that cardinals were being woken up before they burst out laughing and blew their cover. In a later interview, Jobs would say that without the Blue Box, there would never have been an Apple Computer. Learning that two people in a garage could control billions of dollars worth of infrastructure — that was the revelation.
The phone companies, unimpressed by this adventure in papal phreaking, drew the obvious conclusion: don't carry control signals in-band on the same circuit as the voice. So they built a separate digital signaling network running parallel to the voice network. You could no longer hack the calls by whistling at them. The new protocol was called Signaling System No. 7, or SS7.
Introduced in 1980, SS7 was brilliant. It is still, right now, the backbone of global telecommunications. And it has been comprehensively, demonstrably, repeatedly hackable for at least a decade, and the industry has not managed to fix it.
What SS7 Actually Does (and Why It Matters That You Understand This)
Every time you make a call that crosses a network — roaming abroad, calling a different carrier, sending an international text — SS7 is working behind the scenes. It's the global switchboard that lets your Australian carrier talk to a German carrier, verify you're a legitimate customer, route your call, handle billing, and locate your phone for emergency services.
To do all of this, every operator on the planet is assigned what are called Global Titles (GTs), essentially addresses on the SS7 network. Telcos form agreements with each other, accept messages from GTs they recognise, and the whole thing functions as what's called a walled garden: a closed, trusted network of operators.
When SS7 was designed, this made sense. The telecommunications landscape in 1980 was dominated by a small number of large, regulated national carriers who had every reason to play by the rules. The garden was small and the walls were high.
Then everything changed.
Today there are over 1,200 operators and around 4,500 networks. Virtual network operators, mass-SMS platforms, roaming brokers, IoT providers: all of them need access to SS7. Many have signed agreements with incumbent carriers. Those agreements are, in turn, honoured by every other carrier those partners have agreements with. The garden has become a city. And not everyone in it is trustworthy.
As Berlin-based cybersecurity researcher Karsten Nohl of Security Research Labs has put it, some of these companies sell services to third parties, some can be bribed, and some can be hacked. There are probably thousands of routes into SS7 at what he calls "reasonable effort or cost." A single SS7 connection has been known to lease for a few thousand dollars a month. The incentive is simple: money.
The Three-Step Attack
In 2024, Nohl and his colleague Alexandre De Oliveira worked with the YouTube channels Veritasium and Linus Tech Tips to demonstrate, live, what an SS7 attack against an ordinary person looks like. They chose Linus Sebastian, the Linus Tech Tips host and a recognisable public figure, as their target, with his consent. The demonstration is one of the more unsettling things you can watch on the internet, and the full video is worth your time.
Their method broke down into three steps.
Step one: infiltrate SS7. For the demonstration, they paid for legitimate SS7 access — the kind security researchers use to replicate real-world attack conditions. In the wild, bad actors achieve this the same way: renting a GT, bribing someone inside a smaller operator, or compromising a less-security-conscious network provider. One invoice cited in the demonstration showed a valuable US-based GT being leased illegally for $13,000 a month. Pricey, but well within the budget of organised crime or a state intelligence service.
Step two: gain trust. A phone number alone isn't sufficient to conduct an SS7 attack. You need the target's International Mobile Subscriber Identity (IMSI), the unique number of up to 15 digits tied to their SIM card, and ideally the address of the switch currently serving them. The way you collect it is by sending a message that looks like a routine inquiry from another operator, such as a send routing info request: the kind of message a partner's SMS centre sends the home network to ask where a text for a given number should be delivered. If your GT is trusted, many networks will answer with both the IMSI and the serving node.
Step three: attack. With an IMSI and a trusted GT, the network becomes remarkably cooperative. By convincing the home network that the target's phone has just registered on a network the attacker controls (in SS7 terms, a location update for that IMSI pointing at the attacker's GT), even when the phone hasn't moved at all, attackers can rewrite what happens to calls and texts destined for that phone number.
In the demonstration, James from the Hacksmith channel rang Linus's number. Linus's phone never rang. Derek from Veritasium picked up the call instead, had a full conversation with James, and Linus — sitting in the same room — had no idea until they told him. There was nothing on James's end to indicate anything was wrong. He had dialled the right number. The network had simply redirected it.
"My phone still works," Linus observed. "There's absolutely nothing here to indicate I was supposed to receive a call."
That is precisely the point.
SMS Two-Factor Authentication Is Not Your Friend
The call interception is impressive, but the more practically dangerous attack is against text messages — specifically the SMS-based two-factor authentication codes that most online services, and most banks, still use by default.
The method is the same: convince the network the target is roaming, reroute their messages to a GT you control. You then need the target's username and password — available from a data breach, a phishing attack, or a keylogger — and you request a password reset. The two-factor code arrives on your device instead of theirs. The window is short, but it only needs to be a few seconds.
In the Veritasium demonstration, the team set up a dummy YouTube channel in Linus's name. They had the credentials. They triggered a two-factor authentication request. Linus's phone received nothing. The code — 820299 — arrived on Alexandre De Oliveira's screen. They were in.
"He would never have known he missed that message," De Oliveira said.
This is not a theoretical scenario. In 2017, hackers exploited SS7 weaknesses to drain funds from mobile bank accounts in Germany, stealing victims' online banking credentials first via malware and then intercepting SMS-based two-factor authentication codes via SS7 to authorize fraudulent transactions. In 2024, a sophisticated cybercrime group intercepted SMS messages from thousands of banking customers across Europe, draining accounts of millions of euros within hours — and the attack required no malware installation whatsoever.
The EFF submitted comments to the FCC in May 2024 demanding investigation of SS7 and Diameter security, noting that even users who don't roam internationally or use legacy 2G and 3G networks remain vulnerable, because most telecommunications providers stay connected to SS7 to support international roaming.
Congressman Ted Lieu Finds Out
This is not a problem that only affects ordinary people.
In 2016, Nohl and his team at SR Labs demonstrated a live SS7 attack against US Congressman Ted Lieu for CBS's 60 Minutes — conducted entirely from Berlin. They tracked Lieu's location as he moved around California. They listened to his phone calls. They did this with his knowledge and consent, to make a point.
The point was made. Lieu subsequently called for a faster investigation of cellphone network vulnerabilities, and raised the issue again in connection with the DCCC breach later that year. The 60 Minutes segment built on research first shown at the 31st Chaos Communication Congress in December 2014, where Nohl and Tobias Engel each gave a talk on the same problem: any operator with SS7 access could track and listen to a cell phone user, and operators were relying on trust alone to ensure network security.
The response from German telcos was immediate: they blocked the most egregious SS7 commands overnight. The response from the rest of the world's 4,500 networks was considerably more varied.
A Princess at Sea
The highest-stakes real-world demonstration of SS7 as a weapon was not a security conference. It was an act of state violence.
In February 2018, Sheikha Latifa bint Mohammed Al Maktoum — daughter of Sheikh Mohammed bin Rashid Al Maktoum, the ruler of Dubai — made a carefully planned escape. She crossed into Oman by car, jet-skied out to international waters, and boarded a 100-foot yacht called the Nostromo, captained by former French intelligence officer Hervé Jaubert. Her plan was to reach India and apply for asylum in the United States. She had been planning it for seven years.
On 4 March 2018, while the Nostromo was approaching Goa, Sheikha Latifa, Jaubert, and her Finnish instructor Tiina Jauhiainen were intercepted by Indian authorities. An investigation by The Guardian and the Bureau of Investigative Journalism later revealed that on the same day, the SS7 protocol was exploited in an apparent attempt to locate Jaubert's phone.
The investigation identified the Israeli private intelligence firm Rayzone Group as having rented access to a global title through an operator in the Channel Islands. Signals were sent via mobile networks in Jersey, Guernsey, Cameroon, Israel, Laos, and the United States as part of what appeared to be a coordinated effort to locate the yacht.
Rayzone had made location inquiries targeting Hervé Jaubert's US cell phone subscription. The night after the attempted location of his phone, Indian special forces attacked the ship, captured the entourage and crew, and handed them over to UAE authorities.
Whether SS7 was the decisive factor in locating the Nostromo remains unconfirmed — the Emiratis also deployed surveillance aircraft, physical boats, and Pegasus spyware against people in Latifa's circle. But the pattern of SS7 requests in that five-minute window, documented because most were blocked by firewalls, is damning. The ones that weren't blocked left no record.
Latifa was tranquilised, handcuffed, and flown back to Dubai. She is believed to still be there.
Why We Still Have SS7 in 2025
This is the part that should make you quietly furious.
SS7 was not designed with security in mind because when it was designed, it didn't need to be. The network was a small club of large, regulated operators with mutual interests. There was no adversarial internet. There were no virtual operators, no mass-SMS platforms, no criminal enterprises with $13,000 a month to spend on a Global Title lease.
Over time, newer signaling protocols were developed to replace SS7: Diameter in 4G, and an HTTP/2-based service architecture in 5G. But most mobile providers are still connected to SS7 for roaming or call routing, even while operating 4G and 5G networks, and that dependence keeps users exposed even if they never use 2G or 3G directly.
There are also hardware complications. Since 2018, new cars sold in the EU have been required to carry eCall emergency call systems with SIM cards. To cut costs, auto manufacturers frequently fitted 2G and 3G modems, which signal over SS7. Decommission 2G and 3G and you silence the emergency beacon in every car whose eCall unit has no newer modem. These are the kinds of legacy dependencies that make infrastructure transitions take twenty years.
The economics of the transition are also perverse. 5G signaling can stop these attacks, but only between networks that have both adopted it. Adopting it gives you the full benefit only once everyone else has also adopted it: the classic problem of first-mover disadvantage. You bear the cost of migration and get almost none of the security benefits until the rest of the world catches up. So everyone waits.
SR Labs has noted that the 2014 research was a wake-up call to the industry, but that the solution — well-configured SS7 firewalls — has been deployed inconsistently, and that over 150 SS7 message types beyond the most obvious abuses still need to be blocked to achieve meaningful security.
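To make the firewall idea concrete, here is an added example (not SR Labs' code, and not any vendor's product) of the two checks that matter most for steps two and three above: dropping operations that only a subscriber's home network should ever originate, whoever sends them, and flagging a location update that would move a subscriber between countries faster than any aircraft could. The operation names are real MAP operations; the Global Title prefixes, the IMSI, the timestamps and the message log are all constructed, and the "home-only" and "partner-only" sets are a simplification of the category tables real firewalls use, not a copy of them.

```python
"""Toy SS7 interconnect filter over a constructed log of incoming MAP operations.

Assumptions for this example: a home GT range, a short list of trusted partner
GT prefixes, and a rule that nobody changes country in under an hour.
"""
from __future__ import annotations

# MAP operations that must never arrive over an interconnect from another
# operator (illustrative subset; real firewalls use the GSMA category tables).
HOME_ONLY_OPS = {"anyTimeInterrogation", "sendIMSI", "provideSubscriberInfo"}
# Operations legitimate only from a partner we hold an agreement with.
PARTNER_OPS = {"sendRoutingInfoForSM", "updateLocation", "sendAuthenticationInfo"}

HOME_GT_PREFIX = "6141"                 # our own GT range (constructed)
TRUSTED_GT_PREFIXES = {"4917", "1212"}  # roaming/SMS partners (constructed)
# E.164 country codes, longest-prefix matched; enough for the sample log.
COUNTRY_CODES = {"61": "AU", "49": "DE", "1": "US", "856": "LA"}
MIN_COUNTRY_CHANGE_SECS = 3600  # assumption: no subscriber changes country in < 1 h


def country_of(gt: str) -> str:
    """Map a Global Title to a country via its longest matching E.164 prefix."""
    for length in (3, 2, 1):
        code = COUNTRY_CODES.get(gt[:length])
        if code:
            return code
    return "??"


def classify(msg: dict, last_seen: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one incoming MAP operation.

    last_seen maps IMSI -> (country, unix_ts) of the last accepted location
    update; it is updated in place whenever an updateLocation is allowed.
    """
    gt, op = msg["calling_gt"], msg["op"]
    if gt.startswith(HOME_GT_PREFIX):
        return "ALLOW", "originates inside the home network"
    if op in HOME_ONLY_OPS:
        # Blocked even from a trusted partner: partners can be bribed or hacked.
        return "BLOCK", f"{op} must never arrive from an external GT"
    if op in PARTNER_OPS and not any(gt.startswith(p) for p in TRUSTED_GT_PREFIXES):
        return "BLOCK", f"{op} from unrecognised GT {gt}"
    if op == "updateLocation":
        new_country = country_of(gt)
        prev = last_seen.get(msg["imsi"])
        if prev is not None:
            prev_country, prev_ts = prev
            elapsed = msg["ts"] - prev_ts
            if new_country != prev_country and elapsed < MIN_COUNTRY_CHANGE_SECS:
                return "FLAG", (f"{msg['imsi']} moved {prev_country}->{new_country} "
                                f"in {elapsed}s; likely spoofed roaming")
        last_seen[msg["imsi"]] = (new_country, msg["ts"])
    return "ALLOW", "consistent with an existing agreement"


def run(messages: list[dict], last_seen: dict) -> list[tuple[str, str]]:
    """Classify a whole log in order, carrying subscriber state between messages."""
    return [classify(m, last_seen) for m in messages]


# Constructed sample data: one Australian subscriber last seen at home.
SUBSCRIBER = "505012345678901"
LAST_SEEN = {SUBSCRIBER: ("AU", 1_700_000_000)}
SAMPLE_LOG = [
    # step two: IMSI harvesting from a rented, unrecognised GT in Laos
    {"ts": 1_700_000_060, "calling_gt": "85620123456", "op": "sendRoutingInfoForSM",
     "imsi": None, "msisdn": "61400000000"},
    # a home-only operation relayed through a trusted German partner: still blocked
    {"ts": 1_700_000_070, "calling_gt": "4917012345678", "op": "anyTimeInterrogation",
     "imsi": SUBSCRIBER, "msisdn": None},
    # step three: spoofed roaming, two minutes after the phone was seen in AU
    {"ts": 1_700_000_120, "calling_gt": "4917012345678", "op": "updateLocation",
     "imsi": SUBSCRIBER, "msisdn": None},
    # a legitimate SMS-delivery lookup from a known US partner
    {"ts": 1_700_000_130, "calling_gt": "1212555000", "op": "sendRoutingInfoForSM",
     "imsi": None, "msisdn": "61400000000"},
    # the same subscriber genuinely landing in Germany a day later
    {"ts": 1_700_086_400, "calling_gt": "4917012345678", "op": "updateLocation",
     "imsi": SUBSCRIBER, "msisdn": None},
]

if __name__ == "__main__":
    for msg, (verdict, reason) in zip(SAMPLE_LOG, run(SAMPLE_LOG, dict(LAST_SEEN))):
        print(f"{verdict:5} {msg['op']:22} from {msg['calling_gt']:14} {reason}")
```

The velocity check is the interesting one: the third message comes from a GT the firewall trusts, which is exactly the situation the page describes when a partner's access is rented or bribed, and only the subscriber's own history reveals that the "roaming" is impossible. The fifth message, from the same partner a day later, is allowed, which is the false-positive trade-off every such rule has to make.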
In the meantime, millions of malicious SS7 requests are sent every year. One expert cited by the Veritasium team found evidence of more than two and a half million location-tracking attempts annually. Another tested a foreign network and found twenty to thirty VIPs under constant surveillance, including that country's own chief of cybersecurity.
What You Can Actually Do
The honest answer is: not much, if someone with government resources and an SS7 connection has decided to target you. Location tracking via SS7 is essentially invisible and unstoppable at the consumer level as long as you carry a SIM card.
But the more common attack — the SMS two-factor interception — is something you can meaningfully protect against.
Stop using SMS-based two-factor authentication wherever you can. Use an authenticator app (Google Authenticator, Aegis, Authy) or a hardware security key (YubiKey). These generate codes locally, on your device, with no involvement from the cellular network. No SS7 attack can intercept them.
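To see why an authenticator app is out of SS7's reach, here is an added example (not Google Authenticator's, Aegis's or Authy's code) of the RFC 6238 time-based one-time password scheme those apps implement. The phone and the service share a secret once, at enrolment, via the QR code; from then on each side derives the code from that secret and the clock, so nothing ever travels over the cellular network. The 20-byte secret used in the check is the RFC's published test-vector secret; the base32 string is a constructed sample, and the server-side verifier's drift window is an assumption.

```python
"""RFC 6238 TOTP as used by authenticator apps: shared secret + clock, no SMS."""
import base64
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerant of +/- `window` steps of clock drift (assumed 1).

    Every window is compared in constant time and none returns early, so the
    timing of the check does not reveal which step, if any, matched.
    """
    counter = unix_time // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c).encode(), candidate.encode())
    return ok


def secret_from_base32(s: str) -> bytes:
    """Decode the secret as carried in an otpauth:// enrolment QR code."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    shared = secret_from_base32("JBSWY3DPEHPK3PXP")  # constructed sample secret
    now = int(time.time())
    print("code the phone shows:", totp(shared, now))
    print("server accepts it   :", verify(shared, totp(shared, now), now))
```

The only thing an SS7 attacker could intercept here is the original QR code, which is displayed on screen at enrolment and never sent by text; after that the phone could be in airplane mode and still produce valid codes.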
For voice calls, use encrypted VoIP. Signal, for example, routes your calls over the internet with end-to-end encryption. An SS7 attacker redirecting your phone number gets nothing useful from a Signal call.
Be aware of what two-factor method your bank uses. If your bank offers only SMS-based 2FA and you have a substantial amount of money in that account, it is worth calling them and asking what alternatives exist. Some banks offer authenticator app support or hardware tokens. Push them.
SIM swapping is a related but distinct attack. SS7 attacks require no interaction with your carrier and leave your phone working normally. SIM swapping — where an attacker socially engineers your carrier into transferring your number to a new SIM — is detectable because your phone loses service. Both attacks intercept your SMS codes. SS7 is harder to detect and requires more infrastructure. SIM swapping is cheaper and more common. Both are worth defending against by moving away from SMS 2FA entirely.
The Bigger Picture
Karsten Nohl, speaking in the Veritasium documentary, put the philosophical stakes more plainly than most security researchers allow themselves to:
Someone who grew up in the Berlin tradition of the Chaos Computer Club, he said, strongly believes that privacy — the ability to form your own thoughts without being observed — is a prerequisite for democracy.
The Latifa case makes this concrete in a way that goes beyond abstract principle. A woman with a phone. A father with money and connections and access to a private intelligence firm. A forty-five-year-old protocol nobody has gotten around to replacing. A yacht boarded in international waters in the middle of the night.
The Blue Box was funny. The Pope prank was charming. Two kids in a garage discovering they could reach around the world with a whistle and a circuit board — that is a good story, and it gave us Apple.
SS7 is the same story, forty years later, and it is not funny anymore.
Sources: Veritasium / Linus Tech Tips, "I Hacked Linus' Phone" (2024); Security Research Labs (srlabs.de); The Guardian / Bureau of Investigative Journalism (Crofton Black, Stephanie Kirchgaessner, Dan Sabbagh); Electronic Frontier Foundation FCC filing (May 2024); Threatpost, "Cellular Privacy, SS7 Security Shattered at 31C3" (January 2015); Congressman Ted Lieu's office; Wikipedia: Latifa bint Mohammed Al Maktoum; TerraZone SS7 Security Guide (2025); SOCRadar.
Jonathan Brown writes about cybersecurity infrastructure, privacy systems, the politics of AI development and many other topics at bordercybergroup.com and aetheriumarcana.org. Border Cyber Group maintains a cybersecurity resource portal at borderelliptic.com