Locating Mobile Phones using Signalling System #7

Tobias Engel <tobias@ccc.de>

Locating mobile phones using SS7 2

What is Signalling System #7?

- protocol suite used by most telecommunications operators throughout the world to talk to each other
- standardized in ITU-T Q.700 series
- when it was designed, there were only few telecoms operators, and they were either state controlled or really big corporations
- trusted each other, so no authentication built in
- today, everybody can be an operator (e.g. VoIP), so SS7 access is easier to get

Mobile Application Part (MAP)

- part of SS7 that specifies additional signalling that is required for mobile phones to work (roaming, SMS, etc.)
- standardized in 3GPP TS 29.002
- in order for two network operators to talk MAP to each other they usually need a roaming agreement

[Diagram: the network elements]
- Home Location Register (HLR): the database that knows your phone number and which network you are currently visiting
- Mobile Switching Center (MSC): a switch that routes calls and messages from and to your phone and other switches
- Visitor Location Register (VLR): a database close to your current location that has a copy of your subscription data from the HLR
- Base Station Subsystem (BSS): the radio stuff (cell towers etc.)

What does the network know about your location?

- the location of the cell tower is also a pretty good approximation of your location
- but that information is only known to the network you are currently logged into
- restricted to technical operation of the network - exceptions:
  - "Locate my phone" services
    - have to assure the operator that they have the consent of the phone's owner
    - doesn't work anymore as soon as you are logged into a network that is not your home network
  - Law enforcement
    - have to call the operator of the network you are currently logged into (not your home network operator)

Can somebody with SS7/MAP access find out your location?

- services that can be initiated to your phone number from almost anywhere in the global SS7 network are
  - voice calls
  - short messages
- Let's see if these services give any indication of your location...

Call setup

[Diagram: the visited network (VPLMN) holds the switch (MSC), the visitor DB (VLR) and the radio interface (BSS); the home network (HPLMN) holds the gateway switch (GMSC) and the home DB (HLR). Message sequence:]
1. Call setup message (IAM) arrives from the SS7 network at the GMSC
2. GMSC -> HLR: MAP_SEND_ROUTING_INFORMATION
3. HLR -> VLR: MAP_PROVIDE_ROAMING_NUMBER
4. VLR -> HLR: MAP_PROVIDE_ROAMING_NUMBER Ack
5. HLR -> GMSC: MAP_SEND_ROUTING_INFORMATION Ack
6. GMSC -> MSC: Call setup message (IAM)
7. MSC -> phone over the radio interface (BSS): Call setup (SETUP)

Sending a short message

[Diagram: same elements as above, but no GMSC is involved. Message sequence:]
1. Sender (anywhere in the SS7 network) -> HLR: MAP_SEND_ROUTING_INFO_FOR_SM
2. HLR -> sender: MAP_SEND_ROUTING_INFO_FOR_SM Ack
3. Sender -> MSC: MAP_MT_FORWARD_SHORT_MESSAGE
4. MSC -> phone over the radio interface (BSS): Message transfer

MAP_SEND_ROUTING_INFO_FOR_SM (3GPP TS 29.002)

- no correlation between requesting routing info for a message and actually sending a message
- SMS are sent directly from the SMSC of the sender to the MSC that you are currently using
- successful request returns:
  - your IMSI ("real" phone number)
  - global title of MSC you are using
- user error (e.g. "Absent subscriber" == your phone is off)

Mobile Switching Center (MSC)

- handles calls and SMS
- can only handle a certain amount of calls, so in big cities there might be more than one MSC for each network, while in the countryside one MSC might serve a really large area
- global title of the MSC tells us which country you are currently in, because it starts with the country code
- maybe also the network, if mobile networks in that country can be identified by their area code
- other than that: numbering is operator internal
- ... but that doesn't mean that we cannot get further information from the number by looking at it long enough

MSC global title (examples)

City       T-Mobile Germany   Vodafone Germany
Berlin     +491710360000      +491720012097
Hamburg    +491710400000      +491720022097
Frankfurt  +491710650000      +491720061097
Stuttgart  +491710700000      +491720076097
München    +491710870000      +491720082097

Marked digit: first digit of area code (T-Mobile column), first digit of ZIP code (Vodafone column)
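As an added illustration (not part of the slides), the following Python breaks an MSC global title down the way the two preceding slides do: a longest-prefix match on the E.164 country code, the German mobile prefix for the operator, and the single marked digit from the table as a region hint. The country-code and prefix tables are deliberately tiny constructed assumptions covering only what the talk mentions, and the city lookup holds only the five example rows above. The point is to assess how much a leaked global title reveals, which is exactly what SMS home routing later has to hide; it is not a numbering-plan database.

```python
"""What an MSC global title alone reveals (added example, not from the slides).

Tables are constructed from the two preceding slides only and are assumptions,
not a numbering-plan database.
"""
from __future__ import annotations

from dataclasses import dataclass

# E.164 country codes; only the countries the talk mentions (constructed, deliberately tiny).
COUNTRY_CODES = {"49": "Germany", "31": "Netherlands"}

# German mobile prefixes of the two operators in the example table (assumption from that table).
GERMAN_MOBILE_PREFIXES = {"171": "T-Mobile Germany", "172": "Vodafone Germany"}

# Per the slide, one digit of the national number hints at the city. Offset into the
# national number and meaning of that digit, derived from the five example rows.
HINT_OFFSET = {"171": 4, "172": 5}
HINT_MEANING = {"171": "first digit of area code", "172": "first digit of ZIP code"}
# The five example cities from the slide, keyed by that digit.
EXAMPLE_CITY = {
    "171": {"3": "Berlin", "4": "Hamburg", "6": "Frankfurt", "7": "Stuttgart", "8": "München"},
    "172": {"1": "Berlin", "2": "Hamburg", "6": "Frankfurt", "7": "Stuttgart", "8": "München"},
}


@dataclass
class GtInfo:
    country: str | None = None
    operator: str | None = None
    hint: str | None = None          # what the hint digit means, when known for the operator
    hint_digit: str | None = None
    example_city: str | None = None  # the slide's example city for that digit, if it is one of the five


def analyse_msc_gt(gt: str) -> GtInfo:
    """Break an E.164 global title into the pieces the talk reads off it."""
    digits = gt.lstrip("+")
    if not digits.isdigit():
        raise ValueError("expected an E.164 global title such as +491710360000")
    # Country codes are one to three digits long: longest-prefix match.
    cc = next((digits[:n] for n in (3, 2, 1) if digits[:n] in COUNTRY_CODES), None)
    if cc is None:
        return GtInfo()  # unknown country: nothing further can be read off
    info = GtInfo(country=COUNTRY_CODES[cc])
    if cc != "49":
        return info  # the operator inference below only covers the German examples
    national = digits[len(cc):]
    prefix = national[:3]
    info.operator = GERMAN_MOBILE_PREFIXES.get(prefix)
    if info.operator and len(national) > HINT_OFFSET[prefix]:
        info.hint = HINT_MEANING[prefix]
        info.hint_digit = national[HINT_OFFSET[prefix]]
        info.example_city = EXAMPLE_CITY[prefix].get(info.hint_digit)
    return info


if __name__ == "__main__":
    # The first two are rows from the slides' table, the last two are constructed.
    for gt in ("+491710360000", "+491720082097", "+31612345678", "+15551234567"):
        print(gt, analyse_msc_gt(gt))
```

Running the block prints, for the Berlin T-Mobile row, country, operator and the hint digit 3 with the meaning "first digit of area code"; for a Dutch or unknown-country global title it stops at the country, which is all the slide claims can be read without operator-specific knowledge.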
Automated approach to narrow down the area an MSC is serving (1/2)

- Rop had a great idea: if we have a lot of mobile phone numbers and already know their location, we could query the network for the current MSC of these numbers, thus creating a MSC / geolocation mapping
- thanks to erdgeist, we have a decoded copy of the "Das Telefonbuch" CD
- sent tens of thousands of MAP_SEND_ROUTING_INFO_FOR_SM requests for numbers from the phonebook
- requests were done at night, when most people are at home
- removed the obvious errors

[Map slide: phonebook numbers served by MSC +491710360000]
[Map slide: phonebook numbers served by a second MSC with global title +49171...]
[Map slide: phonebook numbers served by an MSC with global title +49172...]
[Map slide: phonebook numbers served by an MSC with global title +49176...]
[Map slide: phonebook numbers served by a second MSC with global title +49176...]

Automated approach to narrow down the area an MSC is serving (2/2)

- big thanks to itsme, who created such a mapping for the Netherlands
- other countries also possible if there are phone books available

"No one I know is a network operator - so I can be pretty sure that no one who would care finds out my location, right?"

- wrong: there are several companies offering a lookup service where you send them an MSISDN, they perform a MAP_SEND_ROUTING_INFO_FOR_SM request and send the IMSI and MSC they receive from the HLR back to you
- cost per request is in the low single euro cent area

What is the business case for selling this service?

- Evil_Spammer wants to send spam SMS without paying
- he has SS7 access, and can also send MAP requests, but of course he has no roaming agreements with any other operators, so they don't answer his requests
- but: sending a message via MAP_MT_FORWARD_SHORT_MESSAGE does not even require an answer!
- Evil_Spammer just needs to know to which MSC the message should be sent, so he uses one of these services...
- then he sets the sender address of the SMS request to that of another network's short message center
- the receiving network bills the SMS to that other network -> free spam SMS!
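Two of the behaviours described in the preceding slides leave a signature in signalling traffic that a home network can look for: a global title that requests routing info for many subscribers without ever delivering a message (the mass MAP_SEND_ROUTING_INFO_FOR_SM queries of the mapping experiment, or of a lookup service), and a MAP_MT_FORWARD_SHORT_MESSAGE whose claimed SMSC address belongs to a different network than the SCCP calling party that actually sent it (the spoofed sender address of the spam case). The Python below is an added example, not tooling from the talk or from any operator; the one-line-per-operation log format, the roaming-partner prefix list and all global titles in it are constructed for the example.

```python
"""Detection checks over a constructed MAP signalling log (added example, not from the talk).

Log format assumed here, one line per operation seen at the home network's edge:
    <timestamp> <op> calling_gt=<SCCP calling party GT> [smsc=<claimed SMSC address>] msisdn=<target>
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>SRI_SM|MT_FSM) calling_gt=(?P<calling>\+\d+)"
    r"(?: smsc=(?P<smsc>\+\d+))? msisdn=(?P<msisdn>\+\d+)$"
)

# Constructed: global title prefixes of the networks we have a roaming agreement with.
PARTNER_PREFIXES = {"+49172": "partner A", "+31650": "partner B"}


def build_sample_log() -> str:
    """Constructed traffic, not real data: one well-behaved partner SMSC and one odd GT."""
    lines = []
    for i in range(25):  # partner SMSC: every routing query is followed by a delivery
        target = f"+49170100{i:04d}"
        lines.append(f"2008-12-27T02:1{i % 10}:00 SRI_SM calling_gt=+491720000001 msisdn={target}")
        lines.append(f"2008-12-27T02:1{i % 10}:01 MT_FSM calling_gt=+491720000001 smsc=+491720000001 msisdn={target}")
    for i in range(40):  # unknown GT asking for routing info on many numbers at night, never delivering
        lines.append(f"2008-12-27T02:3{i % 10}:00 SRI_SM calling_gt=+4915500000099 msisdn=+49170200{i:04d}")
    # the same GT later sends one message claiming the partner's SMSC as its sender address
    lines.append("2008-12-27T02:40:00 MT_FSM calling_gt=+4915500000099 smsc=+491720000001 msisdn=+491701000001")
    return "\n".join(lines)


def parse_log(text: str) -> list[dict[str, str | None]]:
    """Parse the constructed format; lines that do not match are ignored."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def network_of(gt: str) -> str | None:
    """Roaming partner a global title belongs to, or None if it is not a partner."""
    for prefix, name in PARTNER_PREFIXES.items():
        if gt.startswith(prefix):
            return name
    return None


def find_probing(events, min_requests: int = 20, max_delivery_ratio: float = 0.1) -> list[tuple[str, int, int]]:
    """Global titles that request routing info far more often than they deliver messages."""
    sri: dict[str, int] = defaultdict(int)
    fsm: dict[str, int] = defaultdict(int)
    for e in events:
        (sri if e["op"] == "SRI_SM" else fsm)[e["calling"]] += 1
    return sorted(
        (gt, n, fsm[gt]) for gt, n in sri.items()
        if n >= min_requests and fsm[gt] / n <= max_delivery_ratio
    )


def find_spoofed_smsc(events) -> list[tuple[str, str, str]]:
    """MT_FSM whose claimed SMSC belongs to a different network than the GT that actually sent it."""
    alerts = []
    for e in events:
        if e["op"] != "MT_FSM":
            continue
        claimed, actual = network_of(e["smsc"]), network_of(e["calling"])
        if claimed is None or claimed != actual:
            alerts.append((e["ts"], e["calling"], e["smsc"]))
    return alerts


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("probing GTs (gt, routing queries, deliveries):", find_probing(ev))
    print("spoofed SMSC address:", find_spoofed_smsc(ev))
```

The probing check is deliberately a ratio rather than a plain count, because a legitimate SMSC also issues one routing query per message; what stands out is queries that are never followed by a delivery. The sender-address check relies on the SCCP calling party, which the sender cannot make consistent with a foreign SMSC address without also breaking its own return routing.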
I don't want to be located - what can I do? (1/2)

- SMS "home routing" (3GPP TR 23.840) will fix the problem
  - all messages to your phone are routed to an SMS router in your home network
  - that router will then deliver the message to your phone
  - MAP_SEND_ROUTING_INFO_FOR_SM only returns the ISDN number of the SMS router
  - instead of the IMSI, a random "correlation id" will be returned
- operators will implement this to
  - prevent fraud
  - enable "VAS"
  - enable "lawful interception" of SMS sent to you when you are in another country
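To make the change home routing introduces in the MAP_SEND_ROUTING_INFO_FOR_SM answer concrete (the earlier MAP_SEND_ROUTING_INFO_FOR_SM slide describes the original answer, this slide the home-routed one), here is an added Python model of an HLR and SMS router. It is not code from the talk or from any operator. Subscriber data, IMSIs, global titles and the correlation-id format are constructed; the Berlin MSC global title is the one from the example table.

```python
"""Toy model of MAP_SEND_ROUTING_INFO_FOR_SM with and without SMS home routing.

Added example; all subscriber data, global titles and the correlation-id format
are constructed for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class AbsentSubscriber(Exception):
    """MAP user error returned when the phone is switched off or unknown."""


@dataclass
class Subscriber:
    msisdn: str
    imsi: str
    msc_gt: str | None  # global title of the MSC currently serving the phone; None = not attached


@dataclass
class HomeNetwork:
    sms_router_gt: str
    home_routing: bool
    subscribers: dict[str, Subscriber]
    # correlation id -> MSISDN, so the SMS router can resolve an incoming message later
    correlations: dict[str, str] = field(default_factory=dict)

    def sri_for_sm(self, msisdn: str, requester_gt: str) -> dict[str, str]:
        """HLR side of MAP_SEND_ROUTING_INFO_FOR_SM.

        Without home routing the answer carries the real IMSI and the serving
        MSC's global title, which is exactly what the talk shows leaking.
        With home routing, anyone but our own SMS router gets the router's
        address and a random correlation id in place of the IMSI.
        """
        sub = self.subscribers.get(msisdn)
        if sub is None or sub.msc_gt is None:
            raise AbsentSubscriber(msisdn)
        if self.home_routing and requester_gt != self.sms_router_gt:
            cid = secrets.token_hex(8)
            self.correlations[cid] = msisdn
            return {"imsi": cid, "network_node": self.sms_router_gt}
        return {"imsi": sub.imsi, "network_node": sub.msc_gt}

    def mt_forward_sm(self, to_node: str, imsi: str, text: str) -> str:
        """MAP_MT_FORWARD_SHORT_MESSAGE delivered to `to_node`.

        If the node is the SMS router, it resolves the correlation id, performs
        the second, internal routing query (request (2) in the diagram) and
        forwards the message to the real MSC itself.
        """
        if to_node == self.sms_router_gt:
            msisdn = self.correlations.pop(imsi, None)
            if msisdn is None:
                raise ValueError("unknown correlation id")
            real = self.sri_for_sm(msisdn, requester_gt=self.sms_router_gt)
            return self.mt_forward_sm(real["network_node"], real["imsi"], text)
        for sub in self.subscribers.values():
            if sub.imsi == imsi and sub.msc_gt == to_node:
                return f"delivered {len(text)} chars to {sub.msisdn} at MSC {to_node}"
        raise ValueError("no such IMSI at this MSC")


def build_demo_network(home_routing: bool) -> HomeNetwork:
    """Constructed subscribers; the Berlin MSC global title is the one from the slides' table."""
    subs = {
        "+491701000001": Subscriber("+491701000001", "262010000000001", "+491710360000"),
        "+491701000002": Subscriber("+491701000002", "262010000000002", None),  # phone off
    }
    return HomeNetwork(sms_router_gt="+491710000500", home_routing=home_routing, subscribers=subs)


def what_a_lookup_reveals(home_routing: bool, msisdn: str = "+491701000001") -> dict[str, str]:
    """Answer a third party (constructed requester GT) gets for one subscriber."""
    return build_demo_network(home_routing).sri_for_sm(msisdn, requester_gt="+4915500000099")


if __name__ == "__main__":
    print("without home routing:", what_a_lookup_reveals(False))
    print("with home routing:   ", what_a_lookup_reveals(True))
```

Note what does not change: the "Absent subscriber" error is raised in both modes, so a phone that is switched off is still distinguishable from one that is on; home routing hides where you are, not whether you are reachable.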
SMS "home routing" (3GPP TR 23.840)

[Diagram: as in "Sending a short message", with an SMS Router added in the home network (HPLMN). Message sequence:]
1. Sender (anywhere in the SS7 network) -> HLR: MAP_SEND_ROUTING_INFO_FOR_SM (1)
2. HLR -> sender: MAP_SEND_ROUTING_INFO_FOR_SM Ack (1)
3. Sender -> SMS Router: MAP_MT_FORWARD_SHORT_MESSAGE
4. SMS Router -> HLR: MAP_SEND_ROUTING_INFO_FOR_SM (2)
5. HLR -> SMS Router: MAP_SEND_ROUTING_INFO_FOR_SM Ack (2)
6. SMS Router -> MSC: MAP_MT_FORWARD_SHORT_MESSAGE
7. MSC -> phone over the radio interface (BSS): Message transfer

I don't want to be located - what can I do? (2/2)

- until home routing is in use:
  - some networks offer multiple SIMs for one phone number and use an SMS router to decide which SIM will receive the SMS (e.g. o2 Germany)
  - let your operator block incoming SMS for your phone number
  - switch your phone off

What's next: Optimal routeing

- Specified in 3GPP TS 23.079
- makes it possible to route calls directly to the network you are currently logged into
- this can only work if the entity that sets up the call has a way of finding out which MSC you are currently using...
- OR is currently not widely in use
- charging issues have to be worked out

Call setup with Optimal Routeing

[Diagram: as in "Call setup", but without the gateway switch (GMSC). Message sequence:]
1. Originating switch (anywhere in the SS7 network) -> HLR: MAP_SEND_ROUTING_INFORMATION
2. HLR -> VLR: MAP_PROVIDE_ROAMING_NUMBER
3. VLR -> HLR: MAP_PROVIDE_ROAMING_NUMBER Ack
4. HLR -> originating switch: MAP_SEND_ROUTING_INFORMATION Ack
5. Originating switch -> MSC: IAM (directly into the visited network)
6. MSC -> phone over the radio interface (BSS): SETUP

Questions?

References

- Signalling System #7, ITU-T Q.700 series: http://www.itu.int/rec/T-REC-Q/e
- Mobile Application Part (MAP) specification, 3GPP TS 29.002: http://www.3gpp.org/ftp/Specs/archive/29_series/29.002/
- Reverse-Engineering für Ortsfremde, Datenschleuder #77 (page 26): http://ds.ccc.de/pdfs/ds077.pdf
- Leichtes Spiel mit symboltables, Datenschleuder #86 (page 63): http://chaosradio.ccc.de/media/ds/ds086.pdf
- Study into routeing of MT-SMs via the HPLMN, 3GPP TR 23.840: http://www.3gpp.org/ftp/Specs/archive/23_series/23.840/
- Support of Optimal Routeing (SOR), 3GPP TS 23.079: http://www.3gpp.org/ftp/Specs/archive/23_series/23.079/