Most people assume that a phone call and a text message are reasonably private, protected by the phone company if nothing else. They’re not, and the reason is a piece of plumbing from the 1970s called SS7. Understanding it explains why security professionals treat ordinary calls and texts as open channels, and why your bank’s habit of texting you a login code is a worse idea than it looks.
What SS7 is
SS7, or Signaling System 7, is the behind-the-scenes protocol that phone networks use to talk to each other. When you call someone on a different carrier, when your phone roams onto a network abroad, when a text finds its way to the right person, SS7 is the signaling that makes it happen. It’s the connective tissue between the world’s carriers.
It was designed in an era when the only entities on the network were a handful of large, government-sanctioned phone companies that all trusted each other. So it was built with almost no authentication. The assumption was that anyone speaking SS7 was, by definition, a trusted carrier. That assumption has not been true for a long time.
Why that is a problem now
Today, access to the SS7 network is far more widely available than its designers imagined, through smaller carriers, leased connections, and in some cases through access that was never meant to be granted at all. And because the protocol trusts whoever is speaking it, someone with SS7 access can do alarming things from anywhere in the world, without ever touching your phone.
With SS7 access, a party can locate a phone by querying the network for the tower it’s near. They can reroute or intercept calls and text messages. And critically, they can intercept the one-time codes that banks and other services send by SMS, which is the thread that lets an attacker step into accounts that looked protected. None of this requires malware on your device, because the attack happens out in the network, not on the handset. There’s nothing you can install or toggle on your phone to fix SS7, because the weakness isn’t on your phone.
What you can actually do
If you can’t fix the network, the answer is to stop trusting it with anything sensitive. That turns out to be straightforward.
For messages and calls, use an end-to-end encrypted app like Signal instead of standard SMS and the regular dialer. Encrypted apps ride over the internet and protect the content cryptographically, so even an attacker sitting in the middle of the carrier network gets nothing readable. The SS7 weaknesses simply don’t reach inside that tunnel.
For two-factor authentication, get off SMS codes. SMS was always the weakest form of two-factor, and SS7 is a big part of why. Use an authenticator app or, better, a hardware security key, both of which keep the second factor out of the carrier network entirely. This one change closes the most damaging everyday consequence of SS7.
The takeaway isn’t that the phone network is about to be turned against you personally. For most people it never will be. The takeaway is that calls and SMS run over infrastructure that was never built to be private, so you shouldn’t place private things there. Move your real conversations and your account security onto channels that protect themselves, and SS7 becomes someone else’s problem.
Related reading
- How IMSI Catchers Work (and How to Spot One)
- Carrier Cooperation: What Your Phone Company Actually Shares
- How to Vet a Secure Messenger
- What “End-to-End Encrypted” Really Means
SovereignOS is a hardened, de-Googled phone, set up the way we would build one we had to rely on ourselves. One-time price, no subscription, no account required.
See SovereignOSRecent Comments
Post Widget
Should You Trust Signal?
Social Media Widget
Customer service
Real people, ready to help. Reach our team anytime at hello@spicycorp.com.
Fast Free Shipping
Get free shipping on orders of $150 or more (within the US)
Returns & Exchanges
We offer free returns and exchanges within 30 days of purchase.