Protect your network against severe vulnerabilities in the Signalling System #7 core infrastructure

Presenting the first cellular network firewall.

The SS7 core infrastructure can no longer be trusted

Our multi-year research has identified a number of severe vulnerabilities in the Signalling System 7 core infrastructure protocols for voice networks

Track Users

Track subscribers down to street level

Billing Fraud

Modify subscriber data for billing fraud

Intercept Calls

Remote interception of telephone calls



What is SS7?

Short for Signaling System 7, SS7 creates an international roaming infrastructure, that by it’s nature, transmits confidential customer data between networks and countries to support the seamless roaming services subscribers expect.

SS7 Network Diagram



The Public Is Becoming Aware

The assumption that national telecom networks offer a safe haven against foreign espionage has long been falsified.

SS7: Locate. Track. Manipulate.

  • Speaker: Tobias Engel
  • Event: Chaos Communication Congress [31c3]

Companies are now selling the ability to track your phone number whereever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it.

Watch Video



Worldwide Tracking Services

Not just for Governments and Intelligence Agencies

SS7 network has been used by Intelligence agencies and various entities to track location of customers and help in the interception of calls and SMS.

Cellular carriers, VoIP providers, and third-party SMS services that piggyback on the global cellular network all have access to SS7, and some choose to share or sell that access with others.

Learn More

Commercial Tracking Services


How are the networks vulnerable?

We can demonstrate a variety of ways SS7 is used for street-level mobile phone localization, data theft, remote interception of calls, and more…
Here are some basic examples.

Cell-Level Tracking

In cities, it is possible to track subscribers down to street level.

HLR block/filter bypass

Circumvent this by querying the Visitors Location Register instead and still obtain the global cell ID.

One method of billing fraud is via USSD codes

Execute Remote Commands

USSD codes can be executed on behalf of the subscriber

Prepaid Credits

Some carriers offer transfer of prepaid credits via USSD

Call Forwarding

Call forwarding can be set/deleted without the users knowledge

Remote interception of telephone calls

Call is routed to attacker’s system. Attacker bridges call to original called party and records the conversation


The Solution


The First Cellular Network Firewall



  • Analysis of protocol data and alarm/logging of events
  • No network interference (passive connection via network tap)



  • Active firewall solution



ESD Oversight Server

SS7 Network Penetration Testing

The Oversight SS7 testing & consulting offering is designed to assist a mobile network operator in finding out up to what extent network elements (HLR, VLR/MSC, SGSN) under the client’s management are vulnerable against certain known SS7/MAP attack vectors.

Penetration tests are being carried out for a selection of cellular carriers around the world who have recognised the need to ensure their networks and their subscribers are protected from the potential damaged these vulnerabilities expose.

Download Brochure


ESD Oversight SS7 Penetration Testing

Benefits for Network Providers

The first deployments of ESD Oversight have provided immediate benefits

Less Foreign Surveillance

Reduced foreign surveillance activity on cellular networks

Safer Network

Reduced unrecognized SS7 traffic requests

Reduced Costs

Immediate reduction in billing fraud

ESD America is a proud supplier of technology and services to the US Department of Homeland Security.