SS7 (Signaling System No. 7) is the protocol used by telecommunications networks worldwide to route calls and SMS messages. It was designed in 1975, when only trusted telecoms had network access. That assumption is no longer valid.
SS7 contains fundamental vulnerabilities allowing anyone with network access, including state actors and criminal groups, to intercept SMS messages, track phone location, and redirect calls in real time.
This is why SMS-based 2FA can be intercepted without physical device access. There is no user-level fix. Solution: avoid SMS for sensitive authentication entirely.
What it means in practice
SS7 vulnerabilities are exploited by state-level actors and some criminal groups to intercept SMS messages and track phone locations in real time, without the carrier’s involvement. This makes SMS-based 2FA and SMS communications unreliable for anyone facing a sophisticated adversary. The fix is not a consumer tool — it is avoiding SMS for anything sensitive and understanding that your phone number is a persistent identifier regardless of what you do with it.
