Signalling System No. 7

Signaling system n7

Uploaded by

Mohsen Farhadi
Signalling System No. 7 - Wikipedia https://en.wikipedia.org/wiki/Signalling_System_No._7

Signalling System No. 7


Signalling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set
up and tear down most of the world's public switched telephone network (PSTN) telephone calls. It also performs
number translation, local number portability, prepaid billing, Short Message Service (SMS), and other mass
market services.

In North America it is often referred to as CCSS7, abbreviated for Common Channel Signalling System 7. In the
United Kingdom, it is called C7 (CCITT number 7), number 7 and CCIS7 (Common Channel Interoffice Signaling
7). In Germany, it is often called N7 (Signalisierungssystem Nummer 7).

The only international SS7 protocol is defined by ITU-T's Q.700-series recommendations in 1988.[1] Of the many
national variants of the SS7 protocols, most are based on variants of the international protocol as standardized by
ANSI and ETSI. National variants with striking characteristics are the Chinese and Japanese (TTC) national
variants.

The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3,
and 4 protocols compatible with SS7. Sometimes also called Pseudo SS7, it is layered on the Stream Control
Transmission Protocol (SCTP) transport mechanism.

Contents
1 History
2 Functionality
2.1 Signaling modes

3 Physical network
4 SS7 protocol suite
5 Protocol security vulnerabilities
6 See also
7 References
8 Further reading

History
SS5 and earlier systems used in-band signaling, in which the call-setup information was sent by playing special
multi-frequency tones into the telephone lines, known as bearer channels. As the bearer channel was directly
accessible by users, it was exploited with devices such as the blue box, which played the tones required for call
control and routing. As a remedy, SS6 and SS7 implemented out-of-band signaling, carried in a separate signaling
channel,[2]:141 thus keeping the speech path separate. SS6 and SS7 are referred to as common-channel signaling
(CCS) protocols, or Common Channel Interoffice Signalling (CCIS) systems.

Since 1975, CCS protocols have been developed by major telephone companies and the International
Telecommunication Union Telecommunication Standardization Sector (ITU-T); in 1977 the ITU-T defined the first
international CCS protocol as Signalling System No. 6 (SS6).[2]:145 In its 1980 Yellow Book Q.7XX-series
recommendations ITU-T defined the Signalling System No. 7 as an international standard.[1] SS7 replaced SS6 with
its restricted 28-bit signal unit that was both limited in function and not amenable to digital systems.[2]:145 SS7
also replaced Signalling System No. 5 (SS5), while R1 and R2 variants are still used in numerous countries.

1 of 6 10/17/2017, 1:01 PM

The Internet Engineering Task Force (IETF) defined SIGTRAN protocols which translate the common channel
signaling paradigm to the IP Message Transfer Part (MTP) level 2 (M2UA and M2PA), Message Transfer Part
(MTP) level 3 (M3UA) and Signalling Connection Control Part (SCCP) (SUA). While running on a transport based
upon IP, the SIGTRAN protocols are not an SS7 variant, but simply transport existing national and international
variants of SS7.[3]

Functionality
Signaling in telephony is the exchange of control information associated with the setup and release of a telephone
call on a telecommunications circuit.[4]:318 Examples of control information are the digits dialed by the caller and
the caller's billing number.

When signaling is performed on the same circuit as the conversation of the call, it is termed channel-associated
signaling (CAS). This is the case for earlier analogue trunks, multi-frequency (MF) and R2 digital trunks, and
DSS1/DASS PBX trunks.

In contrast, SS7 uses common channel signaling, in which the path and facility used by the signaling is separate
and distinct from the telecommunications channels that carry the telephone conversation. With CCS, it becomes
possible to exchange signaling without first seizing a voice channel, leading to significant savings and performance
increases in both signaling and channel usage.

Because of the mechanisms used by signaling methods prior to SS7 (battery reversal, multi-frequency digit
outpulsing, A- and B-bit signaling), these older methods could not communicate much signaling information.
Usually only the dialed digits were signaled, and merely during call setup. For charged calls, dialed digits and
charge number digits were outpulsed. SS7, being a high-speed and high-performance packet-based
communications protocol, can communicate significant amounts of information when setting up a call, during the
call, and at the end of the call. This permits rich call-related services to be developed. Some of the first such
services were call management related: call forwarding (busy and no answer), voice mail, call waiting, conference
calling, calling name and number display, call screening, malicious caller identification, and busy callback.[4]:Introduction xx

The earliest deployed upper layer protocols in the SS7 suite were dedicated to the setup, maintenance, and release
of telephone calls.[5] The Telephone User Part (TUP) was adopted in Europe and the Integrated Services Digital
Network (ISDN) User Part (ISUP) adapted for public switched telephone network (PSTN) calls was adopted in
North America. ISUP was later used in Europe when the European networks upgraded to the ISDN. As of 2015
North America has not accomplished full upgrade to the ISDN, and the predominant telephone service is still the
older Plain Old Telephone Service. Due to its richness and the need for an out-of-band channel for its operation,
SS7 is mostly used for signaling between telephone switches and not for signaling between local exchanges and
customer-premises equipment.

Because SS7 signaling does not require seizure of a channel for a conversation prior to the exchange of control
information, non-facility associated signalling (NFAS) became possible. NFAS is signaling that is not directly
associated with the path that a conversation will traverse and may concern other information located at a
centralized database such as service subscription, feature activation, and service logic. This makes possible a set of
network-based services that do not rely upon the call being routed to a particular subscription switch at which
service logic would be executed, but permits service logic to be distributed throughout the telephone network and
executed more expediently at originating switches far in advance of call routing. It also permits the subscriber
increased mobility due to the decoupling of service logic from the subscription switch. Another ISUP characteristic
SS7 with NFAS enables is the exchange of signaling information during the middle of a call.[4]:318

SS7 also enables Non-Call-Associated Signaling, which is signaling not directly related to establishing a telephone
call.[4]:319 This includes the exchange of registration information used between a mobile telephone and a home
location register database, which tracks the location of the mobile. Other examples include Intelligent Network and
local number portability databases.[4]:433

Signaling modes
Apart from signaling with these various degrees of association with call set-up and the facilities used to carry calls,
SS7 is designed to operate in two modes: associated mode and quasi-associated mode.[6]

When operating in the associated mode, SS7 signaling progresses from switch to switch through the Public
Switched Telephone Network following the same path as the associated facilities that carry the telephone call. This
mode is more economical for small networks. The associated mode of signaling is not the predominant choice of
modes in North America.[7]

When operating in the quasi-associated mode, SS7 signaling progresses from the originating switch to the
terminating switch, following a path through a separate SS7 signaling network composed of signal transfer points.
This mode is more economical for large networks with lightly loaded signaling links. The quasi-associated mode of
signaling is the predominant choice of modes in North America.[8]

Physical network
SS7 separates signalling from the voice circuits. An SS7 network must be made up of SS7-capable equipment from
end to end in order to provide its full functionality. The network can be made up of several link types (A, B, C, D, E,
and F) and three signaling nodes - Service Switching Points (SSPs), Signal Transfer Points (STPs), and Service
Control Points (SCPs). Each node is identified on the network by a number, a signalling point code. Extended
services are provided by a database interface at the SCP level using the SS7 network.

The links between nodes are full-duplex 56, 64, 1,536, or 1,984 kbit/s graded communications channels. In Europe
they are usually one (64 kbit/s) or all (1,984 kbit/s) timeslots (DS0s) within an E1 facility; in North America one
(56 or 64 kbit/s) or all (1,536 kbit/s) timeslots (DS0As or DS0s) within a T1 facility. One or more signaling links
can be connected to the same two endpoints that together form a signaling link set. Signaling links are added to
link sets to increase the signaling capacity of the link set.

In Europe, SS7 links normally are directly connected between switching exchanges using F-links. This direct
connection is called associated signaling. In North America, SS7 links are normally indirectly connected between
switching exchanges using an intervening network of STPs. This indirect connection is called quasi-associated
signaling, which reduces the number of SS7 links necessary to interconnect all switching exchanges and SCPs in an
SS7 signaling network.[9]

SS7 links at higher signaling capacity (1.536 and 1.984 Mbit/s, simply referred to as the 1.5 Mbit/s and 2.0 Mbit/s
rates) are called high speed links (HSL) in contrast to the low speed (56 and 64 kbit/s) links. High speed links are
specified in ITU-T Recommendation Q.703 for the 1.5 Mbit/s and 2.0 Mbit/s rates, and ANSI Standard T1.111.3 for
the 1.536 Mbit/s rate.[10] There are differences between the specifications for the 1.5 Mbit/s rate. High speed links
utilize the entire bandwidth of a T1 (1.536 Mbit/s) or E1 (1.984 Mbit/s) transmission facility for the transport of
SS7 signaling messages.[10]

SIGTRAN provides signaling using SCTP associations over the Internet Protocol.[4]:456 The protocols for SIGTRAN
are M2PA, M2UA, M3UA and SUA.[11]

SS7 protocol suite


The SS7 protocol stack may be partially mapped to the OSI Model of a packetized digital protocol stack. OSI layers
1 to 3 are provided by the Message Transfer Part (MTP) and the Signalling Connection Control Part (SCCP) of the
SS7 protocol (together referred to as the Network Service Part (NSP)); for circuit related signaling, such as the BT
IUP, Telephone User Part (TUP), or the ISDN User Part (ISUP), the User Part provides layer 7. Currently there are
no protocol components that provide OSI layers 4 through 6.[1] The Transaction Capabilities Application Part
(TCAP) is the primary SCCP User in the Core Network, using SCCP in connectionless mode. SCCP in connection
oriented mode provides transport layer for air interface protocols such as BSSAP and RANAP. TCAP provides
transaction capabilities to its Users (TC-Users), such as the Mobile Application Part, the Intelligent Network
Application Part and the CAMEL Application Part.

SS7 protocols by OSI layer
Application: INAP, MAP, IS-41... TCAP, CAP, ISUP, ...
Network: MTP Level 3 + SCCP
Data link: MTP Level 2
Physical: MTP Level 1

The Message Transfer Part (MTP) covers a portion of the functions of the OSI network layer including: network
interface, information transfer, message handling and routing to the higher levels. Signalling Connection Control
Part (SCCP) is at functional Level 4. Together with MTP Level 3 it is called the Network Service Part (NSP). SCCP
completes the functions of the OSI network layer: end-to-end addressing and routing, connectionless messages
(UDTs), and management services for users of the Network Service Part (NSP).[12] Telephone User Part (TUP) is a
link-by-link signaling system used to connect calls. ISUP is the key user part, providing a circuit-based protocol to
establish, maintain, and end the connections for calls. Transaction Capabilities Application Part (TCAP) is used to
create database queries and invoke advanced network functionality, or links to Intelligent Network Application
Part (INAP) for intelligent networks, or Mobile Application Part (MAP) for mobile services.
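
As an added illustration (not part of the original article), the following Python sketch decodes the MTP Level 3 header that carries the signalling point codes and selects the user part, in both the ITU (14-bit) and ANSI (24-bit) variants. The field layouts follow ITU-T Q.704 and ANSI T1.111 rather than anything stated on this page; the sample bytes, the point codes and the `screen` policy check are constructed and hypothetical.

```python
import struct
from dataclasses import dataclass

# Service indicator (low nibble of the SIO octet, ITU-T Q.704); subset only.
SERVICE_INDICATORS = {0: "SNM", 1: "SNTM", 3: "SCCP", 4: "TUP", 5: "ISUP"}

# Constructed sample SIFs (not captured traffic).
ITU_SAMPLE = bytes.fromhex("85" "2353ca74" "0a0001")           # national, ISUP
ANSI_SAMPLE = bytes.fromhex("83" "030201" "070afa" "05" "09")  # national, SCCP


@dataclass(frozen=True)
class Mtp3Header:
    variant: str    # "itu" (14-bit point codes) or "ansi" (24-bit point codes)
    ni: int         # network indicator: 0 = international, 2 = national
    si: int         # service indicator: which user part the payload belongs to
    dpc: int        # destination point code
    opc: int        # originating point code
    sls: int        # signalling link selection
    payload: bytes  # user-part message, left undecoded here

    @property
    def user_part(self):
        return SERVICE_INDICATORS.get(self.si, f"SI-{self.si}")


def format_pc(pc, variant):
    """Render a point code as ITU zone-area-point (3-8-3) or ANSI network-cluster-member."""
    if variant == "itu":
        return f"{pc >> 11}-{(pc >> 3) & 0xFF}-{pc & 0x7}"
    return f"{pc >> 16}-{(pc >> 8) & 0xFF}-{pc & 0xFF}"


def parse_mtp3(sif, variant="itu"):
    """Decode the SIO octet and routing label at the start of an MTP3 message."""
    if variant not in ("itu", "ansi"):
        raise ValueError(f"unknown variant {variant!r}")
    header_len = 5 if variant == "itu" else 8
    if len(sif) < header_len:
        raise ValueError("truncated MTP3 header")
    ni, si = sif[0] >> 6, sif[0] & 0x0F
    if variant == "itu":
        # 32-bit little-endian label: DPC in bits 0-13, OPC in 14-27, SLS in 28-31.
        (label,) = struct.unpack_from("<I", sif, 1)
        dpc, opc, sls = label & 0x3FFF, (label >> 14) & 0x3FFF, label >> 28
    else:
        # Three octets each for DPC and OPC (member octet first), then one SLS octet.
        dpc = int.from_bytes(sif[1:4], "little")
        opc = int.from_bytes(sif[4:7], "little")
        sls = sif[7]
    return Mtp3Header(variant, ni, si, dpc, opc, sls, bytes(sif[header_len:]))


def screen(hdr, allowed_opcs, allowed_user_parts):
    """Hypothetical per-link-set policy check: list why a message should be flagged."""
    reasons = []
    if hdr.opc not in allowed_opcs:
        reasons.append(f"unexpected OPC {format_pc(hdr.opc, hdr.variant)}")
    if hdr.user_part not in allowed_user_parts:
        reasons.append(f"user part {hdr.user_part} not permitted on this link set")
    return reasons


if __name__ == "__main__":
    for raw, variant in ((ITU_SAMPLE, "itu"), (ANSI_SAMPLE, "ansi")):
        h = parse_mtp3(raw, variant)
        print(variant, h.user_part, format_pc(h.opc, variant), "->",
              format_pc(h.dpc, variant), screen(h, {4905}, {"ISUP"}))
```

The originating point code is asserted by the sender and is not authenticated by MTP, so a check like `screen` is only meaningful when applied per incoming link set, where the set of legitimate peers is known.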

Protocol security vulnerabilities


Several SS7 vulnerabilities that allow cell phone users to be secretly tracked were publicized in 2008.[13] In 2014,
the media reported a protocol vulnerability of SS7 by which anybody, from government agencies to "hackers,
sophisticated criminal gangs and nations under sanctions", can track the movements of cell phone users from
virtually anywhere in the world with a success rate of approximately 70%.[14] In addition, eavesdropping is possible
by using the protocol to forward calls and also facilitate decryption by requesting that each caller's carrier release a
temporary encryption key to unlock the communication after it has been recorded.[15] Karsten Nohl created a tool
(SnoopSnitch[16]) which can warn when certain SS7 attacks occur against a phone, and detect IMSI-catchers that
allow call interception and other activities.[17][18]

In February 2016, 30% of the network of the largest mobile operator in Norway, Telenor, became unstable due to
"Unusual SS7 signalling from another European operator".[19][20]

In April 2016 US congressman Ted Lieu called for an oversight committee investigation, saying:

The applications for this vulnerability are seemingly limitless, from criminals monitoring individual
targets to foreign entities conducting economic espionage on American companies to nation states
monitoring US government officials. ... The vulnerability has serious ramifications not only for
individual privacy, but also for American innovation, competitiveness and national security. Many
innovations in digital security such as multi-factor authentication using text messages may be
rendered useless.[21]

In May 2017, O2 Telefónica, a German mobile service provider, confirmed that cybercriminals had exploited SS7
vulnerabilities to bypass two-factor authentication (2FA) to make unauthorized withdrawals from users' bank
accounts. The criminals first installed malware on people's computers, allowing them to steal online banking users'
account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up
redirects from the victims' phone numbers to lines controlled by them. Finally, the attackers logged into victims'
online bank accounts and transferred money from them to accounts of their own. 2FA confirmation calls were
made, but had been routed to phone numbers controlled by the attackers.[22]

See also
SS7 probe

References
1. ITU-T Recommendation Q.700 (http://www.itu.int/rec/T-REC-Q.700/en)
2. Ronayne, John P (1986). "The Digital Network". Introduction to Digital Communications Switching (1 ed.). Indianapolis: Howard W. Sams & Co., Inc. ISBN 0-672-22498-4.
3. RFC 2719 (http://www.ietf.org/rfc/rfc2719.txt) - Framework Architecture for Signaling Transport
4. Russell, Travis (2002). Signaling System #7 (4 ed.). New York: McGraw-Hill. ISBN 978-0-07-138772-9.
5. ITU-T Recommendation Q.700,03/93 (http://www.itu.int/rec/T-REC-Q.700-199303-I/en/), Section 3.2.1, p. 7.
6. ITU-T Recommendation Q.700 (http://www.itu.int/rec/T-REC-Q.700-199303-I/en/), p. 4.
7. (Dryburgh 2004, pp. 22-23).
8. (Dryburgh 2004, p. 23).
9. ITU-T Recommendation Q.700 (http://www.itu.int/rec/T-REC-Q.700-199303-I/en/), Section 2.2.3, "signalling modes", pp. 4-5.
10. "ITU-T Recommendation Q.703, Annex A, Additions for a national option for high speed signalling links" (http://www.itu.int/rec/T-REC-Q.703-199607-I/en/). International Telecommunication Union. pp. 81-86.
11. "Understanding the Sigtran Protocol Suite: A Tutorial | EE Times" (http://www.eetimes.com/document.asp?doc_id=1203417). EETimes. Retrieved 2016-06-30.
12. ITU-T Recommendation Q.711 (http://www.itu.int/rec/T-REC-Q.711-200103-I/en/), Section 1, "Scope and field of application", pp. 1-2.
13. Engel, Tobias (27 December 2008). "Locating Mobile Phones using SS7" (https://www.youtube.com/watch?v=OEcW4HlrpYE) (Video). Youtube. 25th Chaos Communication Congress (25C3). Retrieved 19 April 2016.
14. Timburg, Craig (24 August 2014). "For sale: Systems that can secretly track where cellphone users go around the globe" (https://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html). The Washington Post. Retrieved 27 December 2014.
15. Timburg, Craig (18 December 2014). "German researchers discover a flaw that could let anyone listen to your cell calls." (https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/). The Washington Post. Retrieved 19 December 2014.
16. SnoopSnitch is for rooted Android mobile phones with Qualcomm chip
17. Karsten Nohl (2014-12-27). "Mobile self-defence" (https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf) (PDF). Chaos Communication Congress.
18. "SnoopSnitch" (https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch). Google Play. August 15, 2016.
19. "Feilen i mobilnettet er funnet og rettet" (http://www.mynewsdesk.com/no/telenor/pressreleases/feilen-i-mobilnettet-er-funnet-og-rettet-1322239) (in Norwegian). Telenor ASA.
20. "SS7 signalering - Et ondsinnet angrep mot Telenor ville hatt samme konsekvens" (http://www.digi.no/tele-kommunikasjon/2016/02/22/-et-ondsinnet-angrep-mot-telenor-ville-hatt-samme-konsekvens) (in Norwegian). digi.no / Teknisk Ukeblad Media AS.
21. "US congressman calls for investigation into vulnerability that lets hackers spy on every phone" (https://www.theguardian.com/technology/2016/apr/19/ss7-hack-us-congressman-calls-texts-location-snooping). The Guardian. April 19, 2016.
22. Khandelwal, Swati. "Real-World SS7 Attack - Hackers Are Stealing Money From Bank Accounts" (http://thehackernews.com/2017/05/ss7-vulnerability-bank-hacking.html). The Hacker News. Retrieved 2017-05-05.

Further reading
Dryburgh, Lee; Hewitt, Jeff (2004). Signalling System No. 7 (SS7/C7): Protocol, Architecture, and Services.
Indianapolis: Cisco Press. ISBN 1-58705-040-4.
Ronayne, John P. (1986). "The Digital Network". Introduction to Digital Communications Switching (1st ed.).
Indianapolis: Howard W. Sams & Co., Inc. ISBN 0-672-22498-4.
Russell, Travis (2002). Signaling System #7 (4th ed.). New York: McGraw-Hill. ISBN 978-0-07-138772-9.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Signalling_System_No._7&oldid=800321601"

This page was last edited on 12 September 2017, at 20:14.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By
using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia is a registered trademark of the
Wikimedia Foundation, Inc., a non-profit organization.
