Mobile networks are facing a new cybersecurity headache as researchers reveal a new way attackers are bypassing SS7 protections. The research, detailed by the Enea threat intelligence titled “The Good, the Bad, and the Encoding,” explains how attackers are using encoding methods to bypass security and carry out exploits without being detected.
SS7, or Signaling System 7, is the decades-old protocol that allows mobile carriers to connect calls, send text messages, and manage roaming between networks. While it underpins global telecommunications, it was never designed with modern security in mind.
Despite ongoing efforts to patch and monitor SS7 traffic, attackers continue to find ways to exploit its vulnerabilities. Enea’s findings show how encoding manipulation can be used to bypass standard detection techniques, giving cybercriminals a chance to intercept communications or conduct malicious activities.
According to researchers, the real problem is how the attack can happen without drawing attention. For example, by adjusting the way messages are encoded, malicious traffic can appear harmless to existing SS7 firewalls and monitoring tools. In practice, this means suspicious activity can slip through without raising immediate alarms, leaving operators exposed to threats like data interception, call rerouting, and location tracking.
Evidence of Exploitation
Enea’s researchers found evidence that a surveillance vendor has already used this exact encoding technique in the wild. The attack, which first appeared in late 2024, was used to request mobile subscriber location data from certain operators.
According to researchers, the attackers were able to hide key fields from detection systems by tweaking how specific signaling messages were formatted, allowing the request to go through without being blocked or flagged.
“The source of the attacks matched a surveillance company that we have tracked for many years, and we believe that this was identified and used by them,“ the company said. “We don’t have any information on how successful this attack method has been worldwide, as its success is vendor/software specific, rather than being a general protocol vulnerability, but its use as part of a suite indicates that it has had some value.“
Enea’s researchers warn that the issue persists because SS7 remains widely in use for roaming and interoperability, even as newer technologies like Diameter and 5G signaling gain ground. Completely abandoning SS7 is not an option for most mobile operators, so network defenders must take a different approach to mitigate these threats.
The company advises operators to monitor irregular encoding patterns, strengthen their signaling firewalls, and combine threat intelligence with behavioural analytics to detect bypass attempts early.
Waqas
