April 25, 2016

Major security flaw in SS7 – how SMS Home Routing can plug the gap

With the current buzz regarding SS7 network vulnerabilities and the exploitation of standard SMS signalling to obtain confidential subscriber information, I thought it would be interesting to discuss the 3GPP document "TR 23.840, V7.1.0 (2007-03)". This document, written in 2006 and published in 2007, describes a solution to SMS fraud commonly referred to as SMS Home Routing. Perhaps it seems strange that now, in 2016, we are still talking about the vulnerabilities of SS7. Well, 90% of subscribers are still on SS7, and it will be many, many years until those percentages are reversed.

TR 23.840 states: "It has been identified that the current architecture of the MT SM transfer procedure, although more than fit for purpose at the time of its conception, has a number of limitations and drawbacks in the current day. These include issues that were known but thought to not be of any significance (such as the receiving MS roaming in a PLMN inaccessible to the originating MS's HPLMN), issues that have only become apparent recently (such as the fraud issues of SMS faking and the distribution of Spam)"


Background info – the regular, pre-solution call flow

Before we delve into the solution we should have a basic understanding of the normal, pre-solution call flow. When a subscriber enters an SMS message it is transported over the air interface to the base station, which forwards it to the serving MSC. The serving MSC embeds the message in a MAP Mobile Originated Short Message Transfer message (MO-Forward-SM) and sends it to the Short Message Service Centre (SMSC). The SMSC then returns an acknowledgement to the MSC confirming receipt of the message.

Since the SMSC does not know the location of the terminating subscriber, it requests this information from the HLR that holds the terminating subscriber's profile. This is accomplished with the MAP Send-Routing-Info-For-SM query (SRI-For-SM), which carries the terminating subscriber's Mobile Station International Directory Number (MSISDN) as the key for the HLR lookup. Note that nothing in this exchange authenticates the requester: any node that can reach the HLR over the SS7 network and knows an MSISDN can send this query.

After the lookup the HLR returns an SRI-For-SM Ack to the requesting SMSC. At the MAP level this message includes:

  • The network node number, i.e. the SS7 Global Title address of the MSC/VLR currently serving the recipient subscriber (this is a routable address, not a point code), and
  • The International Mobile Subscriber Identity (IMSI) of the recipient subscriber.

Together these two items tell the requester exactly who the subscriber is and which network node (and therefore which country and operator) they are attached to, which is why an unprotected SRI-For-SM is so attractive for location tracking and interception.

Figure 1 – SMS Mobile Terminating call flow


Figure 2 shows a subscriber “B” who is in their home network sending an SMS to Subscriber “A” who is in their home network “A”.

Figure 2 – Normal Home Scenario


Figure 3 shows a subscriber “B” who is in their home network sending an SMS to Subscriber “A” who is currently roaming in network “C”.

Figure 3 – Normal Roaming Scenario


3GPP’s Proposal for Security (and for value-add services)

OK, enough talk about call flows and network diagrams of the original SMS procedures.

3GPP TR 23.840 introduces a proposed solution that puts the home network of the recipient subscriber in control of delivering the SMS message, so that both value-added services and security can be provided to subscribers. This holds true whether the subscriber is in the home network or roaming in a foreign network. The proposed solution introduces a new node type referred to as an "SMS Router". Figure 4 shows the mobile terminating call flow.

In this case the HLR does not answer the SRI-For-SM from the SMSC itself; instead it relays the SRI-For-SM to the SMS Router. The SMS Router immediately sends its own SRI-For-SM to the HLR, built from the information received in the relayed query (the recipient's MSISDN). The HLR answers it with an SRI-For-SM Ack carrying the real routing information, the IMSI and the address of the serving node. Once this exchange is complete the SMS Router formulates an SRI-For-SM Ack of its own and returns it towards the SMSC. One might validly ask: we have inserted an extra node (the SMS Router) in the process, but isn't everything else basically the same? The SRI-For-SM sent by the SMSC is still answered with an SRI-For-SM Ack; it just comes from the SMS Router rather than the HLR. The short answer is "Yes"; however, the information contained in the SRI-For-SM Ack sent by the SMS Router is quite different.

There are two major differences in the contents of the SRI-For-SM Ack:

  1. Rather than returning the IMSI of the recipient subscriber, the SMS Router inserts a Correlation ID in its place. The field is still formatted like an IMSI, so the requesting SMSC needs no changes, but the value is only meaningful to the SMS Router. The real IMSI therefore stays confidential and cannot be harvested for use in fraudulent scenarios.
  2. The SMS Router returns its own address as the node serving the recipient subscriber, rather than the subscriber's actual location. This forces the requesting SMSC to send the MT-Forward-SM carrying the message to the SMS Router for delivery, keeping the SMS Router in the SMS delivery path. From that position the SMS Router can perform value-added and security functions, including the prevention of spamming, spoofing and faking, and it can reject an MT-Forward-SM that quotes an unknown or stale Correlation ID.

Figure 4 – SMS Mobile Terminating call flow with SMS Router
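To make the contrast between the pre-solution flow (the HLR answering with IMSI and serving MSC, as in the background section above) and the home-routed flow (Correlation ID and SMS Router address, as in the two points above) concrete, here is a small simulation of both exchanges. It is an added example, not code from 3GPP, the article or any vendor's product: the MSISDNs, IMSIs, Global Titles, the MCC/MNC prefix, the error names and the exact layout of the Correlation ID are all assumptions for illustration, and the spam/spoof checks are only marked as a hook.

```python
"""Constructed simulation of the SRI-For-SM / MT-Forward-SM exchange with and
without an SMS Router. Added example, not code from 3GPP or the article;
addresses, identities and the correlation-ID layout are assumptions."""
import secrets
import time

# Constructed sample data: a fictional home network "A" (assumed MCC/MNC 001 01).
HOME_MCC_MNC = "00101"
HLR_SUBSCRIBERS = {
    # MSISDN -> (IMSI, Global Title of the MSC/VLR currently serving the subscriber)
    "+15550001111": ("001010123456789", "+15559990001"),  # at home in network A
    "+15550002222": ("001010987654321", "+44777700001"),  # roaming in network C
}
SMS_ROUTER_GT = "+15559998888"  # assumed Global Title of the home SMS Router


def hlr_sri_for_sm(msisdn):
    """Pre-solution HLR behaviour: answer SRI-For-SM with the real IMSI and the
    real serving node. Any SS7 party that can reach the HLR learns both."""
    if msisdn not in HLR_SUBSCRIBERS:
        return {"error": "unknownSubscriber"}  # MAP user error name, illustrative
    imsi, serving_msc = HLR_SUBSCRIBERS[msisdn]
    return {"imsi": imsi, "networkNodeNumber": serving_msc}


class SmsRouter:
    """Home-routing SMS Router: answers SRI-For-SM with a Correlation ID instead of
    the IMSI and with its own address instead of the serving MSC, then resolves
    the Correlation ID when the MT-Forward-SM arrives."""

    def __init__(self, ttl_seconds=120, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested
        self.pending = {}  # correlation_id -> (imsi, serving_msc, expires_at)

    def sri_for_sm(self, msisdn):
        real = hlr_sri_for_sm(msisdn)  # the router's own SRI-For-SM to the HLR
        if "error" in real:
            return real
        # The Correlation ID travels in the IMSI parameter of the Ack, so it is
        # shaped like a 15-digit IMSI: home MCC/MNC plus a random 10-digit tail
        # (layout assumed here; the SMSC treats it as an opaque IMSI).
        corr_id = HOME_MCC_MNC + "".join(secrets.choice("0123456789") for _ in range(10))
        self.pending[corr_id] = (real["imsi"], real["networkNodeNumber"], self.now() + self.ttl)
        return {"imsi": corr_id, "networkNodeNumber": SMS_ROUTER_GT}

    def mt_forward_sm(self, corr_id, sender_smsc_gt, pdu):
        """Accept an MT-Forward-SM only if it quotes a live, unused Correlation ID;
        restore the real IMSI and hand the PDU to the real serving MSC."""
        entry = self.pending.pop(corr_id, None)  # single use: a replay is rejected
        if entry is None:
            return {"error": "unknownSubscriber", "reason": "no such correlation ID"}
        imsi, serving_msc, expires_at = entry
        if self.now() > expires_at:
            return {"error": "unknownSubscriber", "reason": "correlation ID expired"}
        # This is the point where spam/spoof/faking checks on pdu and on the
        # sending SMSC's address would run before delivery.
        return {"delivered_to": serving_msc, "imsi": imsi, "from": sender_smsc_gt, "pdu": pdu}


def what_the_sender_learns(msisdn):
    """Compare what an SMSC (or anyone who can send SRI-For-SM) sees in the Ack
    without and with home routing."""
    return hlr_sri_for_sm(msisdn), SmsRouter().sri_for_sm(msisdn)


if __name__ == "__main__":
    before, after = what_the_sender_learns("+15550002222")
    print("without home routing:", before)  # real IMSI and the visited MSC in C
    print("with home routing:   ", after)   # correlation ID and SMS Router address
```

The two details worth noticing are that the Correlation ID is consumed on first use and has a lifetime, so a captured Ack cannot be replayed later or used to probe for a valid IMSI, and that the external SMSC never sees anything other than the home network's own address, whichever network the subscriber is roaming in.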

Now that we have discussed the call flows of mobile terminating SMS messages, let's see what the networks and call flows shown in Figures 2 and 3 would look like with the inclusion of an SMS Router.


As you can see in Figure 5, the SMS Router responds to the SMSC with the requested routing information. Additionally, the SMS Router is in the delivery path of the messages, enabling it to deliver value-added and security services to the recipient subscriber.

Figure 5 – Home Scenario with SMS Home Router in place


As you can see in Figure 6, the SMS Router responds to the SMSC with the requested routing information. Additionally, the SMS Router is in the delivery path of the messages even when the recipient subscriber is roaming, so the home network's value-added and security services still apply to a subscriber attached to a visited network.


Figure 6 – Roaming Scenario with SMS Home Router in Place


Without SMS Home Routing, mobile subscribers are not covered by the security and message-management mechanisms of their home network, and their IMSI and current location are handed to anyone able to send an SRI-For-SM. The subscriber may find that their Quality of Experience (QoE) is severely impacted, especially with respect to SMS spam and fraud. This reduction in QoE can lead to dissatisfied customers who are more likely to investigate moving to another network provider. Implementing Home Routing with the SMS Router methodology defined by 3GPP TR 23.840 provides an efficient means of delivering security services and value-added services, and of plugging one of the largest vulnerabilities in the SS7 network. One caveat a practitioner should keep in mind: home routing protects only the SMS path; other MAP operations that can reveal a subscriber's IMSI or location still need their own filtering at the network edge.

