SS7 Attack
Also known as: SS7 exploit, SS7 hack, Signaling System 7 attack, SS7 interception, SS7 location tracking
An SS7 attack abuses Signaling System 7, the trusted global telecom signaling network that routes calls and texts between carriers, to intercept SMS, eavesdrop on calls, and locate a phone using only its number. Because SS7 was built in the 1970s with no authentication between operators, anyone with network access can impersonate a carrier node, reroute one-time passcodes, and silently track a target worldwide.
Signaling System 7 (SS7) is the behind-the-scenes protocol suite, dating to 1975, that lets phone networks set up calls, deliver text messages, and hand your phone between cell towers as you move. It was designed as a closed club of a few trusted national carriers, so it has essentially no authentication: any node that can reach the network is assumed to be a legitimate operator.
That assumption collapsed once thousands of operators, resellers, and femtocell vendors gained SS7 access. An attacker who buys or rents a connection can spoof the Point Code of a legitimate Mobile Switching Center or Visitor Location Register and send queries about any subscriber. Using normal SS7 functions intended for roaming, they can ask the network "which tower is this number on?" to geolocate a target, or instruct the network to route that subscriber's SMS and calls through attacker-controlled equipment.
The consequences became public in December 2014, when researchers Tobias Engel and Karsten Nohl demonstrated live tracking and call interception at the 31C3 conference. In 2017, criminals used SS7 to intercept banking one-time passwords and drain German bank accounts. The attacker needs only your phone number, and you get no warning. This is precisely why phone-number-based identity and SMS two-factor authentication are dangerous: anything tied to your number can be hijacked by someone who never touches your device. The successor protocol, Diameter (used in 4G/5G), inherits many of the same trust problems.
How it works
1. The attacker obtains SS7 (or Diameter) network access, often via a small operator, reseller, or compromised equipment.
2. They spoof the identity of a legitimate network element such as an MSC or VLR by forging its Point Code.
3. To locate a target, they send a roaming/location query for the victim's number and read back the serving cell, narrowing position to a tower or sector.
4. To intercept, they update the network's routing so the victim's SMS or calls are delivered to attacker-controlled infrastructure, then optionally relay them on so the victim notices nothing.
5. A common payoff is capturing an SMS one-time passcode to defeat 2FA on a bank or email account.
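From the operator's side, the steps above suggest what a signaling firewall can screen for. The following is an added example, not code from this page or from any vendor: the records, origin addresses, network labels and the 30-minute threshold are all constructed assumptions, and the operation names are the standard MAP names for a location query and a roaming registration.

```python
from dataclasses import dataclass

# Constructed lookup: origin address (point code / global title) -> network label.
ORIGIN_NETWORK = {"A1": "home", "B7": "partner-x", "C3": "partner-y"}
HOME = "home"
MIN_MOVE_SECONDS = 1800  # assumed minimum plausible time to change networks

@dataclass
class Msg:
    ts: int          # seconds since start of capture
    origin: str      # claimed origin address of the signaling message
    op: str          # MAP operation name
    subscriber: str  # opaque subscriber identifier

def screen(messages):
    """Return (ts, subscriber, reason) for each message a firewall should hold."""
    last_reg = {}  # subscriber -> (ts, network) of last accepted registration
    alerts = []
    for m in sorted(messages, key=lambda m: m.ts):
        net = ORIGIN_NETWORK.get(m.origin)
        if m.op == "anyTimeInterrogation" and net != HOME:
            # Location lookups about home subscribers should not arrive from outside.
            alerts.append((m.ts, m.subscriber, "external-location-query"))
        elif m.op == "updateLocation":
            if net is None:
                # Registration from an origin with no roaming agreement.
                alerts.append((m.ts, m.subscriber, "unknown-origin-registration"))
                continue
            prev = last_reg.get(m.subscriber)
            if prev and prev[1] != net and m.ts - prev[0] < MIN_MOVE_SECONDS:
                # An allowlisted origin can be spoofed, so also check whether the
                # claimed move is plausible. Border areas need a tuned threshold.
                alerts.append((m.ts, m.subscriber, "implausible-move"))
                continue  # do not let a held message change routing state
            last_reg[m.subscriber] = (m.ts, net)
    return alerts

# Constructed sample traffic.
SAMPLE = [
    Msg(0, "A1", "updateLocation", "sub-1"),           # normal home registration
    Msg(120, "C3", "updateLocation", "sub-1"),         # abroad two minutes later
    Msg(200, "Z9", "anyTimeInterrogation", "sub-1"),   # lookup from unknown origin
    Msg(300, "Z9", "updateLocation", "sub-2"),         # registration, unknown origin
    Msg(7200, "B7", "updateLocation", "sub-1"),        # roaming two hours later
    Msg(7300, "A1", "anyTimeInterrogation", "sub-1"),  # internal lookup
]

if __name__ == "__main__":
    for alert in screen(SAMPLE):
        print(alert)
```

Origin allowlisting alone does not stop a forged address, which is why the plausibility check on registrations carries most of the weight here.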
Frequently asked questions
Can an SS7 attack read my RVNT messages?
No. SS7 attacks operate on the carrier's call and SMS signaling network, which RVNT never touches. RVNT messages are end-to-end encrypted and routed over Tor, so there is no SMS or carrier-routed traffic for an SS7 attacker to intercept.
Why is SMS two-factor authentication considered unsafe?
Because SS7 flaws let an attacker reroute or copy the SMS containing your one-time code without touching your phone. CISA, the FBI, and NIST now advise against SMS 2FA, recommending phishing-resistant options like FIDO security keys or authenticator apps instead.
Do I need a special phone number to be tracked via SS7?
No special setup is needed. An attacker only needs your regular phone number and access to the SS7 network; the location and interception functions they abuse are normal roaming features built into the protocol.