
SS7 Protocol Explained: How Traditional Phone Networks Communicate

Network | March 20, 2026 | 13 min read

TL;DR: SS7 (Signaling System 7) is the out-of-band signaling network that has carried call setup, SMS, roaming, and number portability for the global PSTN and mobile networks since 1975. Every call on 2G/3G still uses SS7 under the hood. It's a protocol family (MTP, SCCP, TCAP, ISUP, MAP) running over dedicated circuits (classic) or over IP via SIGTRAN. SS7 is being replaced by Diameter (in LTE) and HTTP/2 + SBA (in 5G), but it will remain in operation through the 2030s for legacy interworking.

What SS7 Is For

Before SS7, phone networks used in-band signaling — tones like DTMF and MF were sent in the same audio channel as the voice. This was fragile (anyone could "phreak" by playing 2600 Hz tones) and wasted voice channel capacity during call setup.

SS7 introduced out-of-band signaling — a separate dedicated data network just for control messages. Call setup, routing decisions, HLR lookups for roaming, SMS routing, and intelligent-network services (freephone, prepaid, ring-back, etc.) all happen over SS7 while the voice channel remains clean. It's the telephone network's control plane.

SS7 was first deployed by AT&T in 1976, standardized by the ITU as SS7 in the late 1970s, and went worldwide through the 1980s. It was designed for extreme reliability — carrier-grade 99.999% uptime, redundant links, automatic failover. And it's a closed trusted network — originally only major operators had access, which is why the protocol has minimal security built in (a design flaw that would haunt it decades later).

SS7 Network Elements

An SS7 network has three types of signaling points:

Element | Abbr | Role
Service Switching Point | SSP | A switch (telephone exchange) that originates or terminates calls and sends SS7 signaling. Every phone switch is an SSP.
Signal Transfer Point | STP | A "router" for SS7 messages. Forwards packets between SSPs and SCPs based on Point Code routing. Deployed in redundant mated pairs.
Service Control Point | SCP | A database and application server. Holds HLRs, number translation tables, 800-number routing, prepaid balance engines, etc. Queried by SSPs via TCAP.

Links between these are called signaling links, categorized by role (A-links from SSP to STP, B/D-links STP↔STP, C-links between mated STPs, E/F-links for alternative paths).

Point Codes

Each signaling point has a Point Code (PC), its unique address on the SS7 network. Point codes are 14-bit (ITU) or 24-bit (ANSI) integers.

ITU Point Code format (14 bits):
┌─────────┬──────────┬─────────┐
│  zone   │   area   │  point  │
│ 3 bits  │  8 bits  │ 3 bits  │
└─────────┴──────────┴─────────┘
Usually written as: 1-234-5

ANSI Point Code format (24 bits):
┌─────────┬─────────┬─────────┐
│ network │ cluster │  member │
│ 8 bits  │ 8 bits  │  8 bits │
└─────────┴─────────┴─────────┘
Usually written as: 010-012-038

Point codes are assigned by the national regulator in each country (e.g., Ofcom in the UK, the FCC in the USA, TRAI in India). International point codes (for cross-border links) are assigned by the ITU.

The SS7 Protocol Stack

SS7 is a multi-layer stack, roughly mapping to OSI layers:

┌─────────────────────────────────────────────┐
│  Applications:  ISUP / MAP / INAP / CAP     │  Layer 7
├─────────────────────────────────────────────┤
│  TCAP  (Transaction Capabilities)           │  Layer 6/7
├─────────────────────────────────────────────┤
│  SCCP  (Signaling Connection Control)       │  Layer 4
├─────────────────────────────────────────────┤
│  MTP3  (Message Transfer Part 3)            │  Layer 3
├─────────────────────────────────────────────┤
│  MTP2  (Message Transfer Part 2)            │  Layer 2
├─────────────────────────────────────────────┤
│  MTP1  (Message Transfer Part 1 - physical) │  Layer 1
└─────────────────────────────────────────────┘

MTP (Message Transfer Part)

  • MTP1 — physical layer (56 kbps or 64 kbps DS0 links, or E1/T1).
  • MTP2 — link-layer. Error detection (CRC), flow control, basic retransmission.
  • MTP3 — network layer. Routes messages between point codes, handles link failure, traffic management.

SCCP (Signaling Connection Control Part)

SCCP sits on top of MTP3 to add global title routing (routing by name instead of by point code), connection-oriented services, and subsystem numbers (identifying multiple applications on one signaling point).

Why does this matter? MTP routes strictly by point code. But when you need to send a message to "the HLR for subscriber IMSI 234150123..." you don't know the point code — you only know a name (like an MSISDN). SCCP's Global Title Translation (GTT) lets STPs translate a digit string (MSISDN, IMSI, E.214) into the destination point code + subsystem number. This is essential for SMS, roaming, and mobility.
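
The translation step described above, together with the point code field layouts from the Point Codes section, as an added example that is not part of the original article. GTT is modelled here as a longest-prefix match over a small table; the table entries, digit strings and function names are constructed for illustration, and the field widths are the ones shown in the diagrams (3-8-3 for ITU, 8-8-8 for ANSI).

```python
# Added example. GTT table entries and digit strings are constructed.
ITU_WIDTHS = (3, 8, 3)     # zone-area-point, as in the diagram above
ANSI_WIDTHS = (8, 8, 8)    # network-cluster-member

def pack_pc(text, widths):
    """Dashed point code text -> integer; rejects out-of-range fields."""
    fields = [int(f) for f in text.split("-")]
    if len(fields) != len(widths):
        raise ValueError(f"expected {len(widths)} fields in {text!r}")
    value = 0
    for field, width in zip(fields, widths):
        if not 0 <= field < (1 << width):
            raise ValueError(f"{field} does not fit in {width} bits")
        value = (value << width) | field
    return value

def unpack_pc(value, widths):
    """Integer point code -> dashed text form."""
    fields = []
    for width in reversed(widths):
        fields.append(value & ((1 << width) - 1))
        value >>= width
    if value:
        raise ValueError("value is wider than this point code format")
    return "-".join(str(f) for f in reversed(fields))

# Digit prefix -> (ITU point code, SCCP subsystem number).
# SSN 6 is the HLR and SSN 8 the MSC in the standard SSN assignments.
GTT_TABLE = {
    "44":      ("2-010-1", 8),   # coarse default route
    "447700":  ("2-045-3", 6),   # more specific range
    "4477009": ("2-045-4", 6),   # most specific range
}

def translate(digits, table=GTT_TABLE):
    """Longest-prefix match; returns (point_code_int, ssn) or None."""
    for length in range(len(digits), 0, -1):
        entry = table.get(digits[:length])
        if entry is not None:
            pc_text, ssn = entry
            return pack_pc(pc_text, ITU_WIDTHS), ssn
    return None    # no translation configured for these digits

if __name__ == "__main__":
    pc, ssn = translate("447700900123")
    print(unpack_pc(pc, ITU_WIDTHS), ssn)
```

Because the most specific prefix wins, a single wrong or overly broad table entry silently redirects every message for that digit range, which is why GTT tables are a change-controlled asset on an STP.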

TCAP (Transaction Capabilities Application Part)

TCAP is the RPC framework of SS7 — a way to do request/response transactions between distributed applications (like an MSC querying an HLR). Every mobile application protocol (MAP, CAP, INAP) runs inside TCAP. TCAP handles dialogue IDs, transaction IDs, and component (argument) structures.

ISUP (ISDN User Part)

ISUP is the call-control protocol of SS7 — used to set up, maintain, and tear down voice calls across the network. Common messages:

  • IAM (Initial Address Message) — start a new call, carries called number
  • ACM (Address Complete Message) — called number accepted
  • ANM (Answer Message) — callee picked up, start billing
  • REL (Release) — hang up, with Q.850 cause
  • RLC (Release Complete) — ack to REL

If you've ever looked at Q.850 cause codes, they come from ISUP REL messages. A SIP BYE with Reason: Q.850;cause=16 is just the SIP-side representation of an ISUP REL.

MAP (Mobile Application Part)

MAP is the mobile equivalent of ISUP — it handles everything specific to mobile networks:

  • Subscriber location updates (VLR ↔ HLR)
  • Authentication (triplets/quintuplets)
  • SMS routing via MT-ForwardSM / MO-ForwardSM / SRI-SM
  • Supplementary services (call forwarding, call waiting, etc.)
  • USSD messages
  • Handover between MSCs
  • Number portability queries

MAP is also what HLR Lookup services use — specifically MAP-SEND-ROUTING-INFO-FOR-SM to discover subscriber home network and current roaming state.

CAP (CAMEL Application Part) and INAP

CAP is part of the CAMEL (Customized Applications for Mobile network Enhanced Logic) framework — essentially IN services (prepaid billing, roaming rules, voice prompts) for mobile networks. It's how prepaid subscribers get their balance checked mid-call and why prepaid roamers experience voice prompts.

INAP (Intelligent Network Application Part) is the equivalent for fixed-line IN services — freephone numbers, 900 premium rate, ring-back, call screening.

SIGTRAN — SS7 over IP

From the mid-2000s, operators started migrating SS7 from dedicated TDM links onto IP networks. This is SIGTRAN — a suite of IETF protocols that carry SS7 messages over IP while preserving the upper layers unchanged. Why? TDM is expensive, inflexible, and doesn't scale for mobile data growth.

SIGTRAN Layer | Role
SCTP | Stream Control Transmission Protocol — the IP transport (not TCP). Supports multi-homing, multiple streams, message-oriented delivery. Defined in RFC 4960.
M3UA | MTP3 User Adaptation — carries MTP3 payload (SCCP, ISUP) over SCTP. Most common for SS7 over IP.
M2UA / M2PA | MTP2 adaptation — used when you need to preserve lower SS7 layers (e.g., for legacy gateway use).
SUA | SCCP User Adaptation — carries SCCP-User traffic (TCAP) without MTP3. Used for direct HLR/SCP access over IP.
IUA | ISDN Q.921 User Adaptation — for ISDN signaling over IP.

Today, almost all SS7 traffic in operator networks runs over SIGTRAN (M3UA + SCTP). Classic TDM links are mostly decommissioned except in some rural exchanges and legacy interconnects.
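
Since most SS7 now arrives as M3UA, monitoring and filtering tools start by pulling the MTP3 routing fields out of an M3UA DATA message. The parser below is an added example, not code from the original article; the wire layout (8-byte common header, Protocol Data parameter with tag 0x0210) comes from RFC 4666 rather than from this page, and the sample message is constructed.

```python
import struct

# Added example. Layout follows RFC 4666; SAMPLE is a constructed message.
TAG_PROTOCOL_DATA = 0x0210
SERVICE_INDICATOR = {3: "SCCP", 5: "ISUP"}    # MTP3 service indicator values

def parse_m3ua_data(packet):
    """Return the MTP3 routing fields carried in one M3UA DATA message."""
    if len(packet) < 8:
        raise ValueError("shorter than the 8-byte common header")
    version, _, mclass, mtype, length = struct.unpack("!BBBBI", packet[:8])
    if version != 1 or (mclass, mtype) != (1, 1):
        raise ValueError("not an M3UA version 1 Transfer/DATA message")
    if length != len(packet):
        raise ValueError("length field disagrees with the captured size")
    offset = 8
    while offset + 4 <= length:
        tag, plen = struct.unpack("!HH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError("parameter length out of bounds")
        if tag == TAG_PROTOCOL_DATA:
            if plen < 16:
                raise ValueError("Protocol Data parameter too short")
            body = packet[offset + 4:offset + plen]
            opc, dpc, si, ni, mp, sls = struct.unpack("!IIBBBB", body[:12])
            return {"opc": opc, "dpc": dpc, "ni": ni, "sls": sls,
                    "si": SERVICE_INDICATOR.get(si, si),
                    "payload": body[12:]}
        offset += (plen + 3) & ~3    # parameters are padded to 4 bytes
    raise ValueError("no Protocol Data parameter found")

# Constructed sample: OPC 4459, DPC 4177, SI 3 (SCCP), 3 payload bytes
# followed by one padding byte.
SAMPLE = bytes.fromhex(
    "01000101" "0000001c"      # common header, message length 28
    "02100013"                 # Protocol Data tag, parameter length 19
    "0000116b" "00001051"      # OPC, DPC
    "03020007"                 # SI, NI, MP, SLS
    "09810300"                 # user data (3 bytes) + 1 pad byte
)

if __name__ == "__main__":
    print(parse_m3ua_data(SAMPLE))
```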

SS7 Security — The Elephant in the Room

Warning: SS7 was designed in 1975 for a closed trust zone of maybe 100 national monopoly operators. There's no authentication between elements, no encryption, and no built-in access control. Any attacker with SS7 access can query any HLR in the world, track any subscriber, intercept any SMS, and redirect any call.

Since roughly 2014 when security researchers (Tobias Engel, Karsten Nohl) publicly demonstrated SS7 attacks, regulators and operators have scrambled to add defenses:

  • SS7 firewalls — filter inbound MAP/CAP messages based on allowed sources, known fraud patterns, and legitimate traffic baselines.
  • GSMA FS.11 / FS.19 — categories of SS7 messages by risk level, with recommendations on which to block at network boundary.
  • Diameter for 4G — replaces SS7 for LTE core, includes built-in authentication and encryption via TLS/IPSec.
  • HTTP/2 + OAuth2 for 5G SBA — 5G Standalone replaces Diameter with a service-based architecture using HTTP/2 with mutual TLS.
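
How the first two defenses combine at a network edge, as an added example that is not part of the original article: a stateless screen that checks the SCCP calling global title against allowed sources, then applies a per-operation risk category. The GT prefixes, IMSI prefixes, message fields and the category assignments are constructed to illustrate the idea and are not taken from the GSMA documents.

```python
# Added example: stateless screening of inbound MAP operations at the
# network edge. All prefixes and category assignments are constructed.
OWN_GT_PREFIXES = ("10099",)                  # hypothetical own-network GTs
PARTNER_GT_PREFIXES = ("10001", "10002")      # hypothetical roaming partners
HOME_GT_BY_IMSI_PREFIX = {"00101": "10001", "00102": "10002"}

CATEGORY = {
    "anyTimeInterrogation": 1,    # no reason to arrive from another network
    "sendIMSI": 1,
    "insertSubscriberData": 2,    # only the subscriber's home network sends it
    "provideSubscriberInfo": 2,
    "updateLocation": 3,          # needs a stateful plausibility check
}

def screen(msg):
    """Return (verdict, reason) for one message received from interconnect."""
    gt, op = msg["calling_gt"], msg["operation"]
    if gt.startswith(OWN_GT_PREFIXES):
        return "block", "own GT seen on an external link"
    if not gt.startswith(PARTNER_GT_PREFIXES):
        return "block", "calling GT is not an agreed partner"
    category = CATEGORY.get(op)
    if category is None:
        return "block", "operation is not on the allow list"
    if category == 1:
        return "block", "category 1 operation from an external network"
    if category == 2:
        home = next((g for p, g in HOME_GT_BY_IMSI_PREFIX.items()
                     if msg["imsi"].startswith(p)), None)
        if home is None or not gt.startswith(home):
            return "block", "sender is not the subscriber's home network"
        return "allow", "category 2 operation from the home network"
    return "review", "category 3: pass to the stateful location check"

if __name__ == "__main__":
    sample = {"operation": "insertSubscriberData",
              "calling_gt": "100020001", "imsi": "001010000000001"}
    print(screen(sample))
```

The third element in the firewall bullet, traffic baselines, needs per-subscriber state (last known location, message rates) and is what the "review" verdict hands off to.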

But as long as 2G/3G networks exist somewhere, SS7 connectivity exists, and the vulnerabilities are still exploitable. This is one reason regulators push for 2G/3G sunsets.

SS7 vs Diameter vs HTTP/2 SBA

Generation | Signaling Protocol | Transport
2G / 3G | SS7 (ISUP, MAP, CAP) | MTP1/2/3 or SIGTRAN (M3UA/SCTP)
4G LTE (EPC) | Diameter (S6a, S6d, Gy, Rx, Sh) | TCP or SCTP, with TLS/IPsec
5G Standalone (5GC) | HTTP/2 + JSON (Service-Based Architecture) | HTTP/2 over TLS

Each generation's protocol is a reaction to the previous generation's weaknesses. Diameter fixed SS7's lack of security. 5G SBA fixed Diameter's complexity and its poor fit for cloud deployment.

Why SS7 Still Matters in 2026

  1. 2G/3G interworking — every LTE/5G roamer returning to a 2G/3G-only region still needs SS7 for authentication and SMS.
  2. Legacy IoT — millions of M2M modules deployed between 2005 and 2018 still use 2G/3G with SS7.
  3. SMS routing — even in 5G networks, SMS inter-operator routing still goes through SS7 MAP until SMS-over-IP (SMSoIP) reaches full coverage.
  4. Number portability — many countries' portability databases use SS7-based queries.
  5. Sunset timeline — GSMA timeline targets SS7 phase-out around 2030–2035 in most markets, but not before.

Key Takeaways

  1. SS7 is the control plane of traditional telephone networks — out-of-band signaling since 1975.
  2. Architecture: SSPs (switches), STPs (routers), SCPs (databases) connected via signaling links.
  3. Stack: MTP (transport) → SCCP (global title routing) → TCAP (transactions) → ISUP (calls) / MAP (mobile) / CAP (IN).
  4. SIGTRAN (M3UA + SCTP) moved SS7 onto IP without changing the upper protocols.
  5. SS7 has critical security weaknesses from its closed-trust-network origins — firewalls are now mandatory.
  6. Being replaced by Diameter (4G) and HTTP/2 SBA (5G SA), but will remain operational through the 2030s.