SS7 Attacks Explained: How Hackers Intercept Your SMS and Calls
Most people assume a text message travels in a straight line from sender to phone. In reality it passes through a decades-old signalling network called SS7 — a system built in the 1970s when only a handful of trusted state telecom monopolies were connected. That trust-by-default design is now a serious security problem: researchers have shown that anyone with SS7 access can locate a phone, intercept its calls, and read its text messages, including two-factor codes. This guide explains what SS7 is, how the attacks work, and what actually protects you.
What is SS7?
Signalling System No. 7 (SS7) is the set of protocols carriers use to talk to each other behind the scenes: setting up calls, routing texts, and handing your phone between towers as you move. It is the plumbing that makes roaming and interconnection work. Crucially, SS7 was designed for a closed club of trusted operators, so it has almost no authentication — a request that looks like it comes from a legitimate carrier is generally honoured, no questions asked.
How SS7 attacks work
An attacker who has bought or rented access to the SS7 network (it is more available than it should be) can send signalling messages that impersonate a carrier. Three attacks stand out:
Location tracking
By querying the network for routing information about a number, an attacker can determine which cell the target is connected to — effectively tracking someone’s location without any spyware on their phone.
SMS interception
The attacker tells the network that the target’s phone has “roamed” onto their equipment. Incoming texts — including one-time verification codes — are then routed to the attacker instead of the victim. This is how SS7 defeats SMS-based 2FA.
Call interception
The same roaming trick can redirect or eavesdrop on voice calls. In a widely reported 2017 case, criminals used SS7 to intercept the SMS codes banks send and drained victims’ accounts.
You cannot detect it. Unlike SIM swapping, an SS7 attack leaves your SIM working normally — you keep signal and never lose service. The interception happens inside the carrier network, invisibly, which is precisely what makes it dangerous.
Who is actually at risk?
SS7 attacks require access to the signalling network, which is not trivial to obtain, so this is not a mass-market threat like phishing. The realistic attackers are nation-states, well-resourced criminal groups, and surveillance vendors. If you are a journalist, executive, activist, or crypto holder, you are a plausible target. For everyone else, SS7 is a reason to distrust SMS as a security channel rather than a daily danger.
How to protect yourself
You cannot patch SS7 yourself — it lives inside carrier infrastructure. What you can do is stop relying on SMS for anything sensitive. Move your two-factor authentication to an authenticator app or a passkey, both of which never touch the SS7 network. Use end-to-end encrypted messaging (Signal, WhatsApp) so intercepted traffic is unreadable. And keep your most valuable accounts — email, banking, crypto — off SMS entirely.
The pattern is consistent across every guide on this site: if the code travels over the phone network, it can be intercepted. Codes generated on your own device cannot.
Try temporary numbers, free
Receive SMS online with a disposable phone number from 40+ countries — no registration. Best for testing and low-risk signups.
Use the Free ToolAuthoritative sources & further reading
- Wikipedia: Signalling System No. 7 — technical overview and known vulnerabilities
- NIST SP 800-63B — why SMS is a restricted authenticator
- CISA: More Than a Password — guidance to move beyond SMS 2FA
- GSMA Security — mobile industry security resources
Frequently asked questions
Can SS7 attacks read my text messages?
Yes. By impersonating a carrier over the SS7 network, an attacker can have your incoming SMS, including 2FA codes, routed to their equipment.
How do I know if I am being targeted via SS7?
You usually cannot — your SIM keeps working normally and there is no visible sign, which is why moving sensitive 2FA off SMS is the only reliable defence.
Does an authenticator app stop SS7 attacks?
Yes. TOTP codes and passkeys are generated on your device and never travel over the phone network, so SS7 interception does not apply to them.