Protocol Misuse in Mobile Networks: Case Studies from the Wild

Mobile network protocols like SS7, Diameter, GTP, and SIP were never meant to be playgrounds for attackers. Explore real-world protocol misuse case studies that expose vulnerabilities in 2G, 3G, 4G, and 5G infrastructures.

Research
Sep 24, 2025

Mobile networks don’t run on magic — they run on protocols. These are the signaling languages that connect base stations to cores, operators to operators, and users to services. Without them, you don’t get calls, SMS, or data. But protocols also come with a fatal flaw: they were designed with function first, security second.

Attackers know this, and they’ve turned protocol misuse into a full-time business. Fraud rings, espionage actors, and even nation-states have exploited signaling vulnerabilities for years, often without detection. Let’s take a closer look at the most notorious protocol misuse case studies and what they tell us about the fragile trust model in telecom.

SS7: The Granddaddy of Protocol Abuse

SS7 (Signaling System No. 7) is the poster child of protocol misuse. Born in the 1970s, SS7 assumed all connected parties were “friends” — operators trusted each other by default. Unfortunately, the modern telecom ecosystem is anything but friendly.

  • Case Study: Location Tracking at Scale
    Attackers abused SS7 “Provide Subscriber Info” messages to query the location of mobile subscribers. Real-world investigations revealed that individuals — including politicians, journalists, and activists — were tracked across borders. Lawful intercept systems had built-in features to query location, but when exposed to third parties via SS7 access resellers, the system became a global spy tool.
  • Case Study: Intercepting SMS Authentication Codes
    Bank accounts were drained when criminals exploited SS7 to redirect SMS one-time passwords (OTPs). By sending “Update Location” messages, attackers tricked networks into routing victim SMS messages to rogue destinations. Financial institutions learned the hard way: SMS-based 2FA is only as secure as the telecom protocols carrying it.

The damage? Billions in fraud and a permanent dent in user trust.
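As an added illustration (not code from the original article), the following sketch shows the kind of plausibility screening a signaling firewall can apply to the two MAP operations named above. The record format, global-title ranges, reason strings, the 30-minute threshold and the 2-digit MNC are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed data: global-title prefixes and the PLMN (MCC+MNC) that owns each range.
GT_PREFIX_TO_PLMN = {"4479": "23415", "4917": "26201", "3712": "24601"}
HOME_PLMN = "23415"
MIN_ROAM_GAP = timedelta(minutes=30)   # assumed minimum time to plausibly attach abroad

def plmn_of_gt(gt):
    """Longest-prefix match of a calling global title against known operator ranges."""
    for n in range(len(gt), 0, -1):
        if gt[:n] in GT_PREFIX_TO_PLMN:
            return GT_PREFIX_TO_PLMN[gt[:n]]
    return None

def screen(events):
    """Return (index, reason) for each interconnect MAP message that fails a check."""
    alerts, last_home_seen = [], {}
    for i, ev in enumerate(events):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["op"] == "home-attach":          # subscriber seen on the home radio network
            last_home_seen[ev["imsi"]] = ts
            continue
        src = plmn_of_gt(ev["calling_gt"])
        if src is None:
            alerts.append((i, "unknown-origin-gt"))
        # A location query should come from the subscriber's own home network
        # (IMSI prefix, assuming a 2-digit MNC), not from an arbitrary operator.
        elif ev["op"] == "provideSubscriberInfo" and src != ev["imsi"][:5]:
            alerts.append((i, "psi-not-from-home-network"))
        # A foreign registration minutes after a home attach is not physically plausible.
        elif ev["op"] == "updateLocation" and src != HOME_PLMN:
            seen = last_home_seen.get(ev["imsi"])
            if seen is not None and ts - seen < MIN_ROAM_GAP:
                alerts.append((i, "implausible-location-change"))
    return alerts

# Constructed signaling records (not real traffic).
SAMPLE = [
    {"ts": "2025-01-01T10:00:00", "op": "home-attach", "imsi": "234150000000001"},
    {"ts": "2025-01-01T10:05:00", "op": "updateLocation",
     "imsi": "234150000000001", "calling_gt": "371200000001"},
    {"ts": "2025-01-01T10:06:00", "op": "provideSubscriberInfo",
     "imsi": "234150000000001", "calling_gt": "491700000009"},
    {"ts": "2025-01-01T10:07:00", "op": "provideSubscriberInfo",
     "imsi": "262010000000002", "calling_gt": "491700000001"},
    {"ts": "2025-01-01T18:00:00", "op": "updateLocation",
     "imsi": "234150000000001", "calling_gt": "491700000001"},
]
```

Running `screen(SAMPLE)` flags only the second and third records: the registration five minutes after a home attach and the location query from a network that is not the subscriber's home.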

Diameter: A Modern Protocol with Legacy Weaknesses

Diameter was supposed to be the “secure, modern” replacement for SS7 in 4G networks. But when you inherit weak trust assumptions and expose interfaces to untrusted peers, you repeat history.

  • Case Study: Unauthorized Roaming Access
    Operators discovered that poorly filtered Diameter messages allowed rogue networks to authenticate fake roaming subscribers. This effectively granted free data and calls, bypassing billing systems. Fraud groups monetized the loophole while operators paid the bill.
  • Case Study: Information Disclosure
    Diameter messages designed for legitimate subscriber management were misused to request sensitive data, such as IMSI or device capabilities. In some documented breaches, this information was used for targeted surveillance and identity theft.

Lesson learned? Wrapping SS7’s problems in XML and TLS doesn’t solve them.
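The filtering gap described in this section can be illustrated with an added example (not from the original article) of identity-consistency checks a Diameter edge agent might run on an inbound roaming request. It assumes the S6a interface, AVPs already decoded into a dict, and a constructed peer policy; the peer name and reason strings are hypothetical.

```python
import re

# Realm naming used by 3GPP EPC nodes: epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
REALM_RE = re.compile(r"^epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")
# Constructed policy: realms each directly connected peer may originate or relay.
PEER_ALLOWED_REALMS = {"ipx-hub.example": {"epc.mnc001.mcc262.3gppnetwork.org"}}

def decode_plmn_id(raw):
    """Decode a 3-octet Visited-PLMN-Id into (mcc, zero-padded mnc), or None if malformed."""
    if len(raw) != 3:
        return None
    lo, hi = [b & 0xF for b in raw], [b >> 4 for b in raw]
    mcc = f"{lo[0]}{hi[0]}{lo[1]}"
    mnc = f"{lo[2]}{hi[2]}" + ("" if hi[1] == 0xF else str(hi[1]))  # 0xF = 2-digit MNC
    return mcc, mnc.zfill(3)

def check_request(peer, avps):
    """Return the list of consistency failures for one inbound request from `peer`."""
    failures = []
    realm, host = avps["Origin-Realm"], avps["Origin-Host"]
    m = REALM_RE.match(realm)
    if not m:
        failures.append("origin-realm-not-3gpp-format")
    if not host.endswith("." + realm):
        failures.append("origin-host-outside-origin-realm")
    if realm not in PEER_ALLOWED_REALMS.get(peer, set()):
        failures.append("realm-not-expected-from-peer")
    # The PLMN the sender claims to serve must match the PLMN encoded in its realm.
    if m and "Visited-PLMN-Id" in avps:
        if decode_plmn_id(avps["Visited-PLMN-Id"]) != (m.group(2), m.group(1)):
            failures.append("visited-plmn-mismatch")
    return failures

# Constructed requests (not real traffic): a consistent one and an inconsistent one.
GOOD = {"Origin-Host": "mme01.epc.mnc001.mcc262.3gppnetwork.org",
        "Origin-Realm": "epc.mnc001.mcc262.3gppnetwork.org",
        "Visited-PLMN-Id": bytes.fromhex("62f210")}
BAD = {"Origin-Host": "mme.rogue.example",
       "Origin-Realm": "epc.mnc001.mcc262.3gppnetwork.org",
       "Visited-PLMN-Id": bytes.fromhex("42f610")}
```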

GTP: When Tunnels Become Attack Vectors

The GPRS Tunneling Protocol (GTP) makes mobile data work. Every time your phone connects, a GTP tunnel establishes your data session. The problem? GTP wasn’t designed with the idea that hostile entities might send traffic at your core. Operators eventually exposed GTP interfaces to roaming partners, and attackers followed.

  • Case Study: Fake Subscriber Injection
    By crafting malicious GTP-C “Create Session” requests, attackers injected fake subscribers into the network. This enabled unauthorized traffic flows, effectively allowing attackers to hide malicious or unbilled traffic inside legitimate-looking sessions. In some cases, attackers used this to tunnel malware C2 traffic through mobile infrastructure.
  • Case Study: Denial of Service via GTP Flooding
    GTP interfaces have been overwhelmed by massive floods of bogus requests, taking down core network elements. Since many operators lacked GTP firewalls or anomaly detection, attacks went unnoticed until services failed. The impact: large-scale outages, reputational damage, and revenue loss.

When your data plane protocol doubles as an attack surface, “misuse” doesn’t begin to describe the risk.
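The GTP firewall checks whose absence is described above can be sketched as follows. This is an added example, not code from the original article: it parses the GTPv2-C header and IMSI information element, then applies a peer allowlist, a home-subscriber check and a per-peer Create Session limit. It assumes the screen sits in front of a home gateway receiving roaming traffic; addresses, PLMN, threshold and datagrams are constructed.

```python
import ipaddress
from collections import Counter

CREATE_SESSION_REQ = 32                                   # GTPv2-C message type
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed roaming-peer range
HOME_PLMN = "23415"                                       # constructed MCC+MNC
MAX_CSR_PER_PEER = 3                                      # assumed per-window limit
# Constructed datagrams: Create Session Requests carrying only an IMSI IE.
HOME_CSR = bytes.fromhex("48200014 00000000 00000100 01000800 32140500000000f1")
FOREIGN_CSR = bytes.fromhex("48200014 00000000 00000100 01000800 62020100000000f2")

def parse_gtpc(pkt):
    """Return (message_type, imsi_or_None) from a GTPv2-C datagram."""
    if len(pkt) < 8 or pkt[0] >> 5 != 2 or int.from_bytes(pkt[2:4], "big") + 4 != len(pkt):
        raise ValueError("not a well-formed GTPv2-C message")
    off = 12 if pkt[0] & 0x08 else 8          # T flag set: header carries a TEID
    while off + 4 <= len(pkt):
        ie_type, ie_len = pkt[off], int.from_bytes(pkt[off + 1:off + 3], "big")
        if off + 4 + ie_len > len(pkt):
            raise ValueError("truncated information element")
        if ie_type == 1:                      # IMSI IE, TBCD-encoded digits
            val = pkt[off + 4:off + 4 + ie_len]
            return pkt[1], "".join(f"{b & 15:x}{b >> 4:x}" for b in val).rstrip("f")
        off += 4 + ie_len
    return pkt[1], None

def verdict(src, raw, per_peer):
    """Return a drop reason for one datagram, or None to let it through."""
    if not any(ipaddress.ip_address(src) in net for net in PARTNER_NETS):
        return "peer-not-allowlisted"
    try:
        mtype, imsi = parse_gtpc(raw)
    except ValueError:
        return "malformed"
    if mtype != CREATE_SESSION_REQ:
        return None
    per_peer[src] += 1
    if imsi is None or not imsi.startswith(HOME_PLMN):
        return "imsi-not-home-subscriber"
    return "create-session-rate-exceeded" if per_peer[src] > MAX_CSR_PER_PEER else None

def screen(packets):
    """Return (index, reason) for each (src_ip, datagram) in one window that is dropped."""
    per_peer = Counter()
    verdicts = [(i, verdict(s, r, per_peer)) for i, (s, r) in enumerate(packets)]
    return [v for v in verdicts if v[1]]
```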

SIP and IMS: Telecom Meets the Internet

The IP Multimedia Subsystem (IMS) and its signaling backbone, SIP (Session Initiation Protocol), bring telecom into the IP age. But with IP heritage comes IP insecurity.

  • Case Study: VoLTE Eavesdropping
    Improper SIP header handling in some VoLTE deployments allowed attackers to manipulate call sessions. By injecting themselves as “man in the middle,” attackers could eavesdrop on voice calls. Unlike SS7 or GTP attacks, this one hit end-users directly, breaking confidentiality.
  • Case Study: IMS Registration Hijacking
    Attackers spoofed SIP REGISTER requests to impersonate subscribers. Once registered, all calls and messages intended for the victim were delivered to the attacker. Telecom-grade identity theft, executed through protocol misuse.

When IMS is misconfigured, it inherits all the classic SIP vulnerabilities — now scaled to hundreds of millions of mobile subscribers.

Real-World Impacts Beyond the Lab

These aren’t hypothetical attacks. They’ve been used in:

  • Espionage operations, where governments tracked dissidents.
  • Financial fraud, draining bank accounts through redirected OTPs.
  • Telecom bypass fraud, where rogue actors abused roaming to deliver services without billing.
  • Mass outages, caused by denial-of-service attacks on GTP.

The business impact is measurable: revenue loss, churn from angry subscribers, regulatory fines, and reputational harm. For governments, it goes deeper — undermining national security and privacy at scale.

Why Protocol Misuse Happens

The root causes of protocol misuse are surprisingly consistent:

  1. Protocols designed for trust, not zero-trust
    SS7, GTP, and Diameter assumed closed ecosystems, not today’s hostile interconnects.
  2. Legacy compatibility
    Operators can’t just turn off 2G, SS7, or GTP, so attackers exploit the weakest link.
  3. Poor border controls
    Interfaces exposed to roaming or interconnect partners often lack proper filtering and monitoring.
  4. Misconfiguration and complexity
    Even secure-by-design protocols like 5G SBA can be misused if not correctly implemented.

Defending Against Protocol Misuse

The playbook for operators isn’t complicated — but it requires commitment:

  • Deploy signaling firewalls (SS7, Diameter, GTP).
  • Implement intrusion detection systems tuned for telecom protocols.
  • Audit configurations regularly and test with red/blue team exercises.
  • Treat every interconnect as hostile until verified — zero-trust at the protocol layer.
  • Monitor traffic for abnormal signaling patterns, not just volumetric DDoS.

Attackers thrive on blind spots. Closing them means watching, filtering, and testing relentlessly.

Final Thoughts

Protocol misuse is the telecom equivalent of insider trading: using the rules of the system against itself. It doesn’t require magic, just creativity and access. From SS7 espionage to GTP flooding, these case studies show one uncomfortable truth: mobile networks are only as secure as their weakest protocol implementation.

Operators who ignore protocol misuse aren’t just risking fraud — they’re risking their role as trusted providers of critical infrastructure. Attackers will continue to misuse what networks expose. The only question is whether operators will shut the gates or leave them wide open.
